access systems on LAN via VPN

Hello,

I have gotten my VPN connection to work. However, I am not able to ping or otherwise access systems connected to the Mikrotik’s ethernet ports.

I think it’s because the l2tp-in1 interface is not part of the LAN list nor connected to the default bridge. I’m not sure how to make that connection.

Based on topic 161454, the “/ppp profile set default-encryption set interface-list=LAN” command was used to make the VPN profile part of the LAN list. However, there was only 1 VPN client. In my case, there maybe a couple of simultaneous connections, and a pool of addresses has been created for the VPN clients. If the “/ppp profile set default-encryption set interface-list=LAN” is not correct, how do I resolve my issue?

Thanks!

My configuration.

# sep/18/2021 14:46:56 by RouterOS 6.48.4
#
# model = RouterBOARD 750G r3

# Review notes, added as comments only; every configuration line is unchanged.
# Topology as exported: ether2-ether5 are ports of "bridge", "bridge" is the only
# member of the LAN interface list, ether1 is the only member of WAN, and the
# dynamic l2tp-in1 interface belongs to neither list. As usual for a RouterOS
# export, secrets (PPP password, IPsec pre-shared key) are not included.

/interface bridge
# No arp=proxy-arp is set on the bridge. With the VPN pool inside this bridge's
# /24 (see /ip pool and /ip address below), LAN hosts ARP for VPN client
# addresses on the bridge and nobody answers; either proxy-arp here or a pool
# outside the LAN subnet is the usual remedy.
add admin-mac=64:D1:54:76:76:82 auto-mac=no comment=defconf name=bridge
/interface l2tp-server
# Dynamic interface created for PPP user "vpn"; it is in neither LAN nor WAN.
add name=l2tp-in1 user=vpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Default wireless security profile; presumably inert on this model.
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# IKE phase 1: AES-128/256, ECP DH groups, 8h lifetime, DPD disabled.
# sha1 is the only PRF offered here.
set [ find default=yes ] dh-group=ecp256,ecp384,ecp521 dpd-interval=\
    disable-dpd enc-algorithm=aes-256,aes-128 lifetime=8h prf-algorithm=sha1
/ip ipsec proposal
# Phase 2: aes-128/256-cbc, integrity sha512/sha256/sha1 (sha1 being the weakest
# accepted), PFS ecp384, 8h lifetime.
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-128-cbc lifetime=8h pfs-group=ecp384
/ip pool
# The DHCP pool (.51-.150) and the VPN pool (.161-.190) do not overlap each
# other, but both lie inside the bridge subnet 192.168.88.0/24 from /ip address.
add name=dhcp ranges=192.168.88.51-192.168.88.150
add name=vpn ranges=192.168.88.161-192.168.88.190
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=12h name=\
    defconf
/ppp profile
# *FFFFFFFE is an internal id; presumably the built-in default-encryption
# profile that /ppp secret references below -- confirm with /ppp profile print.
# VPN clients get 192.168.88.1 as gateway and DNS and an address from pool
# "vpn". No interface-list is set on the profile, so l2tp-in1 is never placed
# in the LAN list.
set *FFFFFFFE dns-server=192.168.88.1 local-address=192.168.88.1 \
    remote-address=vpn use-encryption=required
/system logging action
set 1 disk-file-count=3 disk-file-name=disk1/log disk-lines-per-file=10000
/dude
# The Dude server is enabled, storing its data on disk1.
set data-directory=disk1/dude-data enabled=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
# L2TP is only accepted inside IPsec (use-ipsec=required); the pre-shared key
# is not part of the export.
set enabled=yes use-ipsec=required
/interface list member
# Only the bridge is in LAN and only ether1 is in WAN; the firewall rules below
# are keyed on these two lists.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
# NOTE(review): PPTP is enabled and tcp/1723 is opened in the input chain, yet
# nothing else in the export refers to PPTP. PPTP's authentication and
# encryption are widely regarded as weak; disable it unless it is actually used.
set enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip cloud
# MikroTik cloud DDNS is enabled.
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 domain=\
    router.lan gateway=192.168.88.1
/ip dns
# The router resolves DNS for clients; exposure to the WAN is governed only by
# the input chain's final "drop all not coming from LAN" rule.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# Input chain (traffic to the router itself), evaluated top to bottom.
# The VPN accept rules (udp 500/1701/4500, tcp 1723, tcp 443, ipsec-esp) come
# before the final "drop all not coming from LAN" rule. Everything else that
# arrives on an interface outside the LAN list -- which includes l2tp-in1 -- is
# dropped there, so VPN clients cannot reach router services such as DNS or
# Winbox without an additional accept rule.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
# The three per-port udp rules below have no in-interface restriction, so the
# "allow L2TP-VPN (500,1701,4500/udp)" rule further down is shadowed by them.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
# NOTE(review): tcp/443 is accepted from any interface for SSTP, but no
# sstp-server appears in this export. What listens on 443 is presumably the
# www-ssl service enabled below, leaving only the /ip service address filter
# between the WAN and the web interface -- confirm SSTP is needed.
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="allow L2TP-VPN (ipsec-esp)" \
    in-interface=ether1 protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP-VPN (500,1701,4500/udp)" \
    dst-port=500,1701,4500 in-interface=ether1 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain (traffic through the router). It has no terminating drop, so
# anything not matched by a rule -- e.g. traffic from VPN clients, whose
# interface is in neither list -- is forwarded.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): 192.168.89.0/24 matches no pool or address in this export (the
# VPN pool is 192.168.88.161-.190), so this rule currently matches nothing. It
# would only become relevant if the VPN pool were moved into that subnet.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip service
# Management services: telnet, ftp, api and api-ssl are disabled; www, www-ssl,
# ssh and winbox are limited to 10.10.1.0/24 and 192.168.88.0/24. The VPN pool
# lies inside 192.168.88.0/24, so VPN clients pass this filter once the input
# chain admits them. 10.10.1.0/24 appears nowhere else in the export --
# presumably a remote site; confirm it is still required.
set telnet address=10.10.1.0/24,192.168.88.0/24 disabled=yes
set ftp address=10.10.1.0/24,192.168.88.0/24 disabled=yes
set www address=10.10.1.0/24,192.168.88.0/24
set ssh address=10.10.1.0/24,192.168.88.0/24
set www-ssl address=10.10.1.0/24,192.168.88.0/24 disabled=no
set api address=10.10.1.0/24,192.168.88.0/24 disabled=yes
set winbox address=10.10.1.0/24,192.168.88.0/24
set api-ssl address=10.10.1.0/24,192.168.88.0/24 disabled=yes
/ip smb
# SMB workgroup settings, guests disallowed; the export does not show SMB enabled.
set allow-guests=no domain=HOME
/ip socks
# SOCKS authentication method; the export does not show the proxy enabled.
set auth-method=password
/ip traffic-flow
# Traffic-flow (NetFlow-style) export is enabled; its targets are not shown here.
set enabled=yes
/ip upnp
# NOTE(review): UPnP is enabled, which lets LAN hosts request inbound port
# mappings through the router on their own; the UPnP interface assignments are
# not part of this export. Disable unless a LAN application needs it.
set enabled=yes
/ppp secret
# PPP user "vpn" (password omitted from the export) used by l2tp-in1 above.
add name=vpn profile=default-encryption
/system clock
set time-zone-name=America/New_York
/system logging
# IPsec logging to disk is defined but disabled; enable it when troubleshooting
# the tunnel.
add action=disk disabled=yes topics=ipsec,!packet
/tool graphing interface
add
/tool graphing resource
add
/tool mac-server
# MAC-telnet disabled on all interfaces, MAC-Winbox allowed from LAN only,
# MAC ping off.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool mac-server ping
set enabled=no

Either use an /ip pool for the VPN clients that doesn’t fit into the LAN subnet (a preferred solution), or set arp=proxy-arp at the bridge interface. Only do that if the Windows clients use the VPN tunnel only to access the devices in Mikrotik’s LAN, not as a default gateway.

Thanks for the response. Changing the pool to be outside of the DHCP worked. Unfortunately, I don’t understand why. I will need to do some research to gain a better understanding. I’m guessing it’s how IPsec works.

I’m now able to access the LAN systems after a couple of additional steps.

  • /ip firewall filter add chain=input protocol=tcp dst-port= in-interface= action=accept
  • updating the allowed IP addresses for the needed services
  • updating the allowed IP addresses for the users that need access to the router itself

There are at least two posts from myself, and countless ones from others, on this forum, explaining why you need to use proxy-arp or out-of-LAN subnet addresses.

IPsec has nothing to do with that; the cause is L2TP, or any other PPP-based tunneling protocol.