Access to Mikrotik's WAN

Hi,

I have a question:

I have a master Mikrotik and several client Mikrotiks.
All clients have an L2TP VPN server with the same configuration:
VPN Local address: 192.168.30.1
VPN Remote address: 192.168.30.2
Internal LAN: 192.168.20.0/24
WAN (client domestic router): 192.168.1.0/24

When I want to connect to one of those clients I activate the VPN tunnel to that client (this tunnel gets the default route). From the Mikrotik itself I have access to all of its networks (192.168.20.0/24, 192.168.1.0/24 and the internet), but from my LAN (master Mikrotik LAN: 192.168.2.0/24) I only have access to 192.168.20.0/24 and not to 192.168.1.0/24 or the internet.

Any Idea?

Thanks

Do you mind sharing your config for better understanding?

This is very confusing; a network diagram would help.

It seems like the remote sites are the servers and you are the VPN client?

Yes, my clients are the servers and my Mikrotik is the client. The purpose of this configuration is to connect to my clients' routers when I need to, and to have the same configuration on every client Mikrotik.

Here is my configuration:
In this configuration you can see both the VPN client and the VPN server. I'm asking about the VPN client.

# RouterOS export as pasted into a forum post: long commands are wrapped across
# lines by the paste and several quote characters were turned into typographic
# quotes, so this is not a byte-exact re-importable export.
/interface bridge
add admin-mac=AA:4D:AA:89:VF:11 auto-mac=no comment=defconf name=LAN-Bridge
protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment=ISP
set [ find default-name=ether2 ] comment=Switch
set [ find default-name=ether3 ] comment=PC
set [ find default-name=ether5 ] comment=AP
set [ find default-name=ether6 ] comment=LM
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
# Outbound L2TP/IPsec tunnels to the client sites. add-default-route=yes means
# that while a tunnel is up this router's default route points into that client
# site (the post describes this as intended). Note that the tunnel interfaces
# Cliente1/Cliente2 are not members of the WAN or LAN interface lists (see
# /interface list member below), which matters for the firewall and NAT rules.
/interface l2tp-client
add add-default-route=yes allow=mschap2 connect-to=xxxxxxxxxx.sn.mynetname.net
name=Cliente1 use-ipsec=yes user=Administrador
add add-default-route=yes allow=mschap2 connect-to=xxxxxxxxxxx.sn.mynetname.net
name=Cliente2 use-ipsec=yes user=Administrador
/interface vlan
add interface=ether1 name=INTERNET vlan-id=100
# ISP uplink: PPPoE over VLAN 100 on ether1, default route at distance 2 so a
# tunnel's default route (distance 1) wins while a tunnel is up.
/interface pppoe-client
add add-default-route=yes default-route-distance=2 disabled=no interface=INTERNET
name=PPPoE-out1 user=xxxxxxxxxxxx@vodafone
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=LAN-Pool ranges=192.168.2.20-192.168.2.150
# NOTE(review): pool "vpn" (10.10.1.0/24) is not referenced by any profile or
# secret in this export; presumably unused.
add name=vpn ranges=10.10.1.1-10.10.1.200
add name=VPN-Pool ranges=192.168.10.200-192.168.10.250
/ip dhcp-server
add address-pool=LAN-Pool disabled=no interface=LAN-Bridge name=DHCP-LAN
# profile-acceso-router puts the server-side tunnel interface into the LAN list,
# so remote users on that profile are treated like the local LAN by the
# firewall (input accepted, forward accepted). profile-clientes-Shelly does not
# set interface-list, so its tunnels are in neither list.
/ppp profile
add change-tcp-mss=yes interface-list=LAN local-address=192.168.10.1 name=
profile-acceso-router remote-address=VPN-Pool use-encryption=yes
add change-tcp-mss=yes local-address=192.168.10.1 name=profile-clientes-Shelly
use-encryption=yes
# Default "full" group; includes the sensitive policy, which permits viewing
# sensitive values such as passwords in exports.
/user group
set full policy=“local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password
,web,sniff,sensitive,api,romon,dude,tikapp”
/interface bridge port
add bridge=LAN-Bridge comment=defconf interface=ether2
add bridge=LAN-Bridge comment=defconf interface=ether3
add bridge=LAN-Bridge comment=defconf interface=ether4
add bridge=LAN-Bridge comment=defconf interface=ether5
add bridge=LAN-Bridge comment=defconf interface=ether6
add bridge=LAN-Bridge comment=defconf interface=ether7
add bridge=LAN-Bridge comment=defconf interface=ether8
add bridge=LAN-Bridge comment=defconf interface=ether9
add bridge=LAN-Bridge comment=defconf interface=sfp-sfpplus1
add bridge=LAN-Bridge hw=no interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Inbound L2TP server (for the ppp secrets below); IPsec is mandatory.
/interface l2tp-server server
set enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=LAN-Bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=PPPoE-out1 list=WAN
# This entry has no interface set and so adds nothing to the LAN list; it looks
# like a leftover and could be removed.
add list=LAN
# SSTP server on a non-default port, TLS 1.2 only, AES forced, PFS on.
/interface sstp-server server
set authentication=mschap2 certificate=vpn-server force-aes=yes pfs=yes port=3443
tls-version=only-1.2
/ip address
add address=192.168.2.1/24 comment=defconf interface=LAN-Bridge network=
192.168.2.0
# DDNS is on; the sn.mynetname.net hostnames used in the l2tp-client and
# address-list entries depend on it.
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1 netmask=24
# The router answers DNS for clients. Exposure is limited by the input chain's
# final rule, which drops anything not arriving from a LAN-list interface.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
# public-ip and ip-aitas are resolved from DDNS hostnames; Internet_Bloqueado is
# a range of LAN hosts that are denied internet access by the rules below.
/ip firewall address-list
add address=b8f60a38c7a4.sn.mynetname.net list=public-ip
add address=4ac704c13b00.sn.mynetname.net list=ip-aitas
add address=192.168.2.151-192.168.2.155 list=Internet_Bloqueado
# Input chain: the last input rule drops everything not coming from the LAN
# list, so the IPsec NAT-T / IKE / L2TP accepts above it are the only services
# reachable from WAN (and from the Cliente1/Cliente2 tunnels, which are not in
# the LAN list).
# Forward chain: the final "drop all from WAN not DSTNATed" rule matches only
# in-interface-list=WAN and there is no catch-all drop, so new connections
# arriving on an interface that is in neither list (the Cliente1/Cliente2 L2TP
# client tunnels, profile-clientes-Shelly tunnels) fall through to the chain's
# default accept. If the remote sites are not fully trusted, add those tunnels
# to the WAN list or append a final drop rule.
/ip firewall filter
add action=accept chain=input comment=
“defconf: accept established,related,untracked” connection-state=
established,related,untracked
add action=accept chain=input comment=“allow IPsec NAT” dst-port=4500 protocol=udp
add action=accept chain=input comment=“allow IKE” dst-port=500 protocol=udp
add action=accept chain=input comment=“allow l2tp” dst-port=1701 protocol=udp
add action=drop chain=input comment=“defconf: drop invalid” connection-state=
invalid
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=
“defconf: accept to local loopback (for CAPsMAN)” dst-address=127.0.0.1
add action=drop chain=input comment=“defconf: drop all not coming from LAN”
in-interface-list=!LAN
# Denies all forwarding for hosts in Internet_Bloqueado; this rule, not the
# mangle mark below, is what actually blocks them.
add action=reject chain=forward comment=“Block Internet” reject-with=
icmp-network-unreachable src-address-list=Internet_Bloqueado
add action=accept chain=forward comment=“defconf: accept in ipsec policy”
ipsec-policy=in,ipsec
add action=accept chain=forward comment=“defconf: accept out ipsec policy”
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=“defconf: fasttrack”
connection-state=established,related
add action=accept chain=forward comment=
“defconf: accept established,related, untracked” connection-state=
established,related,untracked
add action=accept chain=forward in-interface-list=LAN
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=
invalid
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed”
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Sets routing mark sin_internet for blocked hosts, but no route using that
# routing-mark appears in this export, so the mark presumably has no effect.
/ip firewall mangle
add action=mark-routing chain=prerouting comment=
“Todas las IP que esten en la lista Internet_Bloqueado no tendran internet”
new-routing-mark=sin_internet passthrough=yes src-address-list=
Internet_Bloqueado
add action=set-priority chain=postrouting new-priority=0 out-interface=PPPoE-out1
# Only LAN traffic destined for 192.168.20.0/24 is masqueraded toward the client
# sites; the defconf masquerade matches out-interface-list=WAN, which the L2TP
# client tunnels are not in. LAN traffic (192.168.2.0/24) to 192.168.1.0/24 or to
# the internet through an active tunnel therefore leaves with its original
# source address, which is the likely reason only 192.168.20.0/24 is reachable
# from the LAN: the remote site would need a return route for 192.168.2.0/24.
/ip firewall nat
add action=masquerade chain=srcnat comment=“Para llegar a la red del cliente VPN”
dst-address=192.168.20.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment=hairpin-nat dst-address=192.168.2.0/24
src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment=“defconf: masquerade” ipsec-policy=
out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=“masq. vpn traffic” src-address=
192.168.10.0/24
# All three static routes are disabled; with add-default-route=yes on the
# tunnels, 192.168.1.0/24 and 192.168.20.0/24 are presumably reached through the
# tunnel's default route instead.
/ip route
add comment=“Red Aitas” disabled=yes distance=1 dst-address=192.168.1.0/24
gateway=192.168.10.2
add comment=“Para tener acceso a la red interna del cliente” disabled=yes
distance=1 dst-address=192.168.1.0/24 gateway=192.168.30.1
add comment=“Para tener acceso a la red interna del mikrotik del cliente”
disabled=yes distance=1 dst-address=192.168.20.0/24 gateway=192.168.30.1
# Management surface: telnet, ftp, www, ssh and api-ssl are off; the plain API
# is limited to one host; winbox runs on a non-default port. Access is further
# restricted by the input chain to LAN-list interfaces.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api address=192.168.2.205/32
set winbox port=8299
set api-ssl disabled=yes
# L2TP server accounts; passwords are not shown in this paste.
/ppp secret
add name=David profile=profile-acceso-router service=l2tp
add name=Cliente_2 profile=profile-clientes-Shelly remote-address=192.168.10.2
service=l2tp
add name=Cliente_3 profile=profile-clientes-Shelly remote-address=192.168.10.3
service=l2tp
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=Router
# MAC-level management (mac-telnet, mac-winbox) limited to LAN-list interfaces.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Here is the network diagram:
Diagram.JPG