I was trying to set up a PPTP VPN server on my TL-MR3420v2 router. I already have extroot. I'm trying to set up PPTP here because I need to keep my Pi always running for this, so I thought running PPTPD on the router would be a good choice.

I followed this guide, Point-to-Point Tunneling Protocol (PPTP) Server

This guide works fine for me, but when I add the rules in firewall.user, all of my open ports become visible on the WAN interface. Currently, I use HTTPS (LuCI SSL) with a port forward to access my router remotely, and I disabled RFC. So I can access it like https://wanip:port, and the same with ssh: ssh -p port root@wanip.

I ran a port scan; I saw that everything is fine without the PPTP firewall.user rules. But when I activate them, all ports are visible. Is there any way to fix this? One thing I forgot to add: I use PPPoE as WAN.

Here is my whole configuration.

config service 'pptpd'
	option 'enabled' '1'
	option 'localip' ''

config 'login'
	option 'username' 'username1'
	option 'password' 'userpass1'
	option 'remoteip' ''

config 'login'
	option 'username' 'useraccess1'
	option 'password' 'useraccess1'
	option 'remoteip' ''


config interface 'lan'
	option type 'bridge'
	option ifname 'eth1'
	option proto 'static'
	option netmask ''
	option ipaddr ''
	option delegate '0'
	option gateway ''
	option broadcast ''
	option ip6ifaceid '::26'
	option dns ''

config interface 'wan'
	option ifname 'eth0'
	option _orig_ifname 'eth0'
	option _orig_bridge 'false'
	option proto 'pppoe'
	option username 'wanaccess'
	option password 'wanpass'
	option delegate '0'
	option peerdns '0'
	option dns ''
	option ipv6 '0'

    config rule
    	option target 'ACCEPT'
    	option src 'wan'
    	option proto 'tcp'
    	option dest_port '1723'
    	option name 'PPTP'
    	option family 'ipv4'

    config rule
    	option name 'VPN GRE'
    	option target 'ACCEPT'
    	option src 'wan'
    	option proto 'gre'

    config zone
    	option name 'lan'
    	option input 'ACCEPT'
    	option output 'ACCEPT'
    	option forward 'ACCEPT'
    	option network 'lan'

    config zone
    	option name 'wan'
    	option input 'REJECT'
    	option output 'ACCEPT'
    	option forward 'REJECT'
    	option masq '1'
    	option mtu_fix '1'
    	option network 'wan'

    config forwarding
    	option src 'lan'
    	option dest 'wan'


speed 115200
stimeout 10
#localip & remoteip are not needed, ip management is done by pppd


#logfile /tmp/pptp-server.log
name "pptp-server"
lcp-echo-failure 3
lcp-echo-interval 60
mtu 1482
mru 1482
#plugin radius.so
#radius-config-file /etc/radius.conf


logfile /dev/null
maxfail 0
lcp-echo-failure 5
lcp-echo-interval 1


username1 pptp-server userpass1
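
An added check, not part of the original post or of the guide it follows: it lists ACCEPT rules whose input-interface pattern also covers the WAN device, which is one way rules meant for VPN clients can end up applying to WAN traffic. Assumptions: the rules match interfaces with an iptables `+` wildcard (the thread does not show the actual firewall.user content, so the sample rules are constructed), and the WAN device is `pppoe-wan`, the name OpenWrt gives a PPPoE interface called `wan`; `iface_matches`, `wan_matching_rules` and `sample_rules` are hypothetical helper names.

```sh
#!/bin/sh
# Added example: find ACCEPT rules whose -i pattern also covers the WAN device.

# iptables semantics: a trailing "+" in an interface pattern matches every
# device whose name begins with the text before it; otherwise exact match.
iface_matches() {
    case "$1" in
        *+) prefix=${1%+}
            case "$2" in "$prefix"*) return 0 ;; esac
            return 1 ;;
        *)  [ "$1" = "$2" ] ;;
    esac
}

# Read rules on stdin (firewall.user or iptables-save style) and print each
# ACCEPT rule whose input-interface pattern matches the device named in $1.
wan_matching_rules() {
    wan_dev=$1
    while IFS= read -r line; do
        case "$line" in *"-j ACCEPT"*) ;; *) continue ;; esac
        set -f; set -- $line; set +f      # split the rule into words, no globbing
        pat=
        while [ $# -gt 1 ]; do
            if [ "$1" = "-i" ]; then pat=$2; fi
            shift
        done
        if [ -n "$pat" ] && iface_matches "$pat" "$wan_dev"; then
            printf '%s\n' "$line"
        fi
    done
    return 0
}

# Constructed sample rules (assumption: the thread does not show the real ones).
sample_rules() {
    cat <<'EOF'
iptables -A input_rule -i ppp+ -j ACCEPT
iptables -A forwarding_rule -i ppp+ -j ACCEPT
iptables -A input_rule -i br-lan -j ACCEPT
EOF
}

# pppoe-wan is the device name OpenWrt gives a PPPoE interface called 'wan'.
# On the router itself: iptables-save | wan_matching_rules pppoe-wan
sample_rules | wan_matching_rules pppoe-wan
```

Every line it prints is an ACCEPT rule that also applies to packets arriving on the WAN device, so that rule needs a narrower interface match.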

Yes, I too have followed the thread you mention and have run into a problem when using the Access Control LuCI plugin, whereby the rules there are ignored when the PPTP firewall forwards are enabled.

Seems to me that these rules need to be locked down somehow, but I'm reluctant to move my subnet range for VPN/PPTP clients to do this.

I need to find some time to study the forwards, but for now, I've turned off the PPTP server and its rules.

Yeah, same situation as you.
I'd rather look into setting up an OpenVPN server on it. But I need to use an OpenVPN client on it too. I don't know how to do this, as I have an OpenVPN server and would like to use the LAN and WiFi interfaces as an OpenVPN client and in the meantime use the OpenVPN server as home IP.