Hi all,
So bit of a curious one. I have an L2TP VPN set up for remote support for a network. RB1100 router acting as the L2TP server using 10.10.0.1, also the DHCP server for the network. Several VLANs, with all network hardware on VLAN 10 which uses the 10.10.0.0/16 address range.
So, I can connect in remotely and winbox into 10.10.0.1 no problem.
However discovery doesn’t work. Not the end of the world, however I can’t winbox into any of the RouterOS devices at 10.10.0.101-10.10.0.140, nor can I ping them. I can’t even access webfig on the RouterOS devices.
This is where it gets wierd. I have a number of Switch OS (SwOS) devices at 10.10.0.11-10.10.0.20. I can ping these no problem, and access these over their web interface remotely.
If I’m local to the premises and connected using an access port on VLAN10, I can discover and connect to everything no problem.
But remotely, I can only access the RB1100 and the SwOS devices, but none of other devices from remotely using the VPN, yet they’re all on the same VLAN and subnet.
Really grateful for any thoughts or suggestions here!
Config below:
# jul/17/2024 21:18:26 by RouterOS 6.49.15
# software id = E75X-80RJ
#
# model = RB1100Dx4
# serial number = HEY09AX5MMT
/interface bridge
add arp=proxy-arp name=bridge1 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether5 ] name=OffBridge-5
set [ find default-name=ether1 ] name=WAN1-WF900
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name="WAN3 - not in use"
set [ find default-name=ether4 ] name=WAN4-Future
set [ find default-name=ether6 ] comment=TRNK-REC-18
set [ find default-name=ether7 ] comment=TRNK-REC-21
set [ find default-name=ether8 ] comment=TRNK-REC-34
set [ find default-name=ether9 ] comment=TRNK-SPARE
set [ find default-name=ether10 ] comment=TRNK-REC-SWITCH
set [ find default-name=ether11 ] name=ether11-StaffMGMT
set [ find default-name=ether12 ] name=ether12-StaffMGMT
set [ find default-name=ether13 ] comment=\
"Legacy Interface for Lower Park far end M5 Link. VLAN20." name=\
ether13-Guest
/interface pppoe-client
add disabled=no interface=WAN2 name=WAN2GradwellSoGEA use-peer-dns=yes user=\
HIDDEN
/interface l2tp-server
add name=l2tp-in-VPN user=HIDDEN
/interface vlan
add interface=bridge1 name=vlan10_MGMT vlan-id=10
add interface=bridge1 name=vlan20_Guest vlan-id=20
add interface=bridge1 name=vlan30_Staff vlan-id=30
add interface=bridge1 name=vlan40_CCTV vlan-id=40
add comment="WAN3 - WF 300/300 Fibre Connection" interface=bridge1 name=\
vlan90_WAN3 vlan-id=90
/caps-man datapath
add bridge=bridge1 name=datapath_MGMT vlan-id=10 vlan-mode=use-tag
add bridge=bridge1 name=datapath_Guest vlan-id=20 vlan-mode=use-tag
add bridge=bridge1 name=datapath_Staff vlan-id=30 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security_Staff
add authentication-types=wpa2-psk encryption=aes-ccm name=security_Guest
add authentication-types=wpa2-psk encryption=aes-ccm name=security_MGMT
add authentication-types=wpa2-psk encryption=aes-ccm name=security_OMHP
/caps-man configuration
add country="united kingdom" datapath=datapath_Guest \
datapath.client-to-client-forwarding=no datapath.vlan-id=20 \
datapath.vlan-mode=use-tag installation=indoor mode=ap name=cfg_GuestWifi \
security=security_Guest ssid=OldMill_GuestWiFi
add country="united kingdom" datapath=datapath_Staff datapath.bridge=bridge1 \
installation=indoor mode=ap name=cfg_Staff security=security_Staff ssid=\
OldMill_Staff
add country="united kingdom" datapath=datapath_MGMT datapath.bridge=bridge1 \
hide-ssid=yes installation=indoor mode=ap name=cfg_MGMT security=\
security_MGMT ssid=OldMill_MGMT
add country="united kingdom" datapath=datapath_Staff datapath.bridge=bridge1 \
installation=indoor mode=ap name=cfg_OMHP security=security_OMHP ssid=\
OMHP
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface list
add name=WAN
add name=LAN
add name=MGMT
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_MGMT ranges=10.10.100.1-10.10.100.254
add name=dhcp_Guest ranges=10.20.100.1-10.20.199.254
add name=dhcp_staff ranges=10.30.100.1-10.30.199.254
add name=dhcp_CCTV ranges=10.40.100.1-10.40.199.254
add name=dhcp_VPN ranges=10.10.200.1-10.10.200.254
/ip dhcp-server
add address-pool=dhcp_MGMT disabled=no interface=vlan10_MGMT lease-time=4w2d \
name=dhcpMGMT
add address-pool=dhcp_Guest disabled=no interface=vlan20_Guest lease-time=1d \
name=dhcpGuest
add address-pool=dhcp_staff disabled=no interface=vlan30_Staff lease-time=\
4w2d10m name=dhcpStaff
add address-pool=dhcp_staff disabled=no interface=vlan40_CCTV lease-time=\
4w2d10m name=dhcpCCTV
/ppp profile
set *0 interface-list=LAN
add address-list=VPN bridge=bridge1 local-address=dhcp_MGMT name=SquibbyVPN \
remote-address=dhcp_VPN
/queue type
add kind=pcq name=pcq-download-guest pcq-classifier=dst-address pcq-rate=10M
add kind=pcq name=pcq-upload-guest pcq-classifier=src-address pcq-rate=5M
/queue simple
add disabled=yes max-limit=900M/900M name=Global queue=\
ethernet-default/ethernet-default target=\
10.10.0.0/16,10.20.0.0/16,10.30.0.0/16,10.40.0.0/16
add limit-at=700M/500M max-limit=700M/500M name=Guest queue=\
pcq-upload-guest/pcq-download-guest target=10.20.0.0/16
/caps-man manager
set enabled=yes package-path=/ upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge1
add disabled=no interface=vlan10_MGMT
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg_Staff name-format=\
identity slave-configurations=cfg_GuestWifi,cfg_MGMT,cfg_OMHP
/dude
set enabled=yes
/interface bridge port
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether6
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether7
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether8
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether9
add bridge=bridge1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether10
add bridge=bridge1 ingress-filtering=yes interface=ether11-StaffMGMT pvid=10
add bridge=bridge1 ingress-filtering=yes interface=ether12-StaffMGMT pvid=10
add bridge=bridge1 ingress-filtering=yes interface=ether13-Guest pvid=20
/ip neighbor discovery-settings
set discover-interface-list=MGMT
/ip settings
set route-cache=no
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether6,ether7,ether8,ether9,ether10 \
untagged=ether11-StaffMGMT,ether12-StaffMGMT,ether13-Guest vlan-ids=10
# port with pvid added to untagged group which might cause problems, consider adding a seperate VLAN entry
add bridge=bridge1 tagged=bridge1,ether6,ether7,ether8,ether9,ether10 \
vlan-ids=20,30,40
add bridge=bridge1 tagged=bridge1,ether6,vlan90_WAN3 vlan-ids=90
/interface l2tp-server server
set default-profile=SquibbyVPN enabled=yes use-ipsec=yes
/interface list member
add interface=WAN1-WF900 list=WAN
add interface=vlan10_MGMT list=LAN
add interface=vlan20_Guest list=LAN
add interface=vlan30_Staff list=LAN
add interface=vlan40_CCTV list=LAN
add interface=vlan10_MGMT list=MGMT
add interface=OffBridge-5 list=MGMT
add interface=WAN2GradwellSoGEA list=WAN
add interface=vlan90_WAN3 list=WAN
add interface=l2tp-in-VPN list=LAN
add interface=l2tp-in-VPN list=MGMT
/interface pppoe-server server
add default-profile=SquibbyVPN disabled=no interface=<l2tp> service-name=\
service1
/ip address
add address=10.30.0.1/16 interface=vlan30_Staff network=10.30.0.0
add address=10.40.0.1/16 interface=vlan40_CCTV network=10.40.0.0
add address=10.10.0.1/16 interface=vlan10_MGMT network=10.10.0.0
add address=10.20.0.1/16 interface=vlan20_Guest network=10.20.0.0
add address=192.168.55.1/24 interface=OffBridge-5 network=192.168.55.0
/ip dhcp-client
add default-route-distance=2 disabled=no interface=vlan90_WAN3 use-peer-dns=\
no
add disabled=no interface=WAN1-WF900 use-peer-dns=no
/ip dhcp-server lease
<LEASES REMOVED HERE>
/ip dhcp-server network
add address=10.10.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.0.1
add address=10.20.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.20.0.1
add address=10.30.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.30.0.1
add address=10.40.0.0/16 dns-server=8.8.8.8,8.8.4.4 gateway=10.40.0.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.20.100.1-10.20.199.254 list=Guest
add address=10.10.100.0/24 list=local
add address=10.20.100.0/24 list=local
add address=10.30.100.0/24 list=local
add address=10.40.100.0/24 list=local
add address=10.10.0.1-10.10.199.254 list=localLAN
add address=10.10.200.1-10.10.200.254 list=VPN
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface=WAN2GradwellSoGEA protocol=\
ipsec-esp
add action=accept chain=input dst-port=500,1701,4500 in-interface=\
WAN2GradwellSoGEA protocol=udp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input in-interface-list=MGMT
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="accept PPP" in-interface=all-ppp
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment=\
"fasttrack - disabled to allow queue function" connection-state=\
established,related disabled=yes
add action=accept chain=forward comment=related-establ-untracked \
connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" \
connection-nat-state=dstnat disabled=yes
add action=accept chain=forward comment="MGMT to all vlans" \
in-interface-list=MGMT out-interface-list=LAN
add action=drop chain=forward comment="drop all else"
/ip firewall mangle
add action=mark-connection chain=forward comment=\
"Disabled as currently set for DUAL WAN not PCC Load Balancing" \
connection-mark=no-mark disabled=yes dst-address-type=!local \
in-interface-list=LAN new-connection-mark=viaWAN1 passthrough=yes \
per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=forward comment=\
"Disabled as currently set for DUAL WAN not PCC Load Balancing" \
connection-mark=no-mark disabled=yes dst-address-type=!local \
in-interface-list=LAN new-connection-mark=viaWAN2 passthrough=yes \
per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment=\
"Disabled as currently set for DUAL WAN not PCC Load Balancing" \
connection-mark=viaWAN1 disabled=yes new-routing-mark=useWAN1 \
passthrough=no
add action=mark-routing chain=prerouting comment=\
"Disabled as currently set for DUAL WAN not PCC Load Balancing" \
connection-mark=viaWAN2 disabled=yes new-routing-mark=useWAN2 \
passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add comment="Disabled as not load balancing" disabled=yes distance=1 gateway=\
192.168.2.1 routing-mark=useWAN1
add comment="Disabled as not load balancing" disabled=yes distance=1 gateway=\
WAN2GradwellSoGEA routing-mark=useWAN2
add distance=3 gateway=WAN2GradwellSoGEA
/ip service
set telnet address=10.10.0.0/16
set api address=10.10.0.0/16
/ppp secret
add name=HIDDEN profile=SquibbyVPN
/system clock
set time-zone-name=Europe/London
/system identity
set name=RB1100-Reception
/tool graphing interface
add allow-address=10.10.0.0/16 interface=WAN1-WF900
add allow-address=10.10.0.0/16 interface=WAN2GradwellSoGEA
add allow-address=10.30.0.0/16 interface=WAN1-WF900
add allow-address=10.30.0.0/16 interface=WAN2GradwellSoGEA
add allow-address=10.10.0.0/16 interface=vlan90_WAN3
add allow-address=10.30.0.0/16 interface=vlan90_WAN3
/tool graphing queue
add allow-address=10.10.0.0/16 simple-queue=Guest
add allow-address=10.30.0.0/16 simple-queue=Guest
/tool graphing resource
add allow-address=10.10.0.0/16
add allow-address=10.30.0.0/16