Bridge not routing traffic to L2TP

Dear,

We’ve 2 sites:

SITE 1, private lan with range 192.168.100.0/24 - port 2,3,4 bridged in a bridge called ‘PRIVATE LAN’
SITE 2, private lan with range 192.168.15.0/24 - port 2, wlan1 bridged in a bridge called ‘bridge-local’

I’ve created a L2TP tunnel between SITE 1 and SITE 2 as described in http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP

The L2TP tunnel is connected and I can successfully ping 172.16.1.1 and 172.16.1.2 from both sites.

When I log on to the terminal of the RB on SITE 2 I can also successfully ping devices on the PRIVATE LAN of SITE 2, but from the moment I start a ping from a device on SITE 2 connected to the bridge-local bridge, the ping fails.

On SITE2 I’ve added a route “192.168.100.0/24 with my L2TP tunnel as gateway” but without any success.

No firewall rules are in place, no mangle rules.

Any clues ?

I think you are missing some routes:
On site 1: /route add dst=192.168.15.0/24 gateway=172.16.1.2
On site 2: /route add dst=192.168.100.0/24 gateway=172.16.1.1
Your “clients” behind the routers must also have those routes (if their default gateway isn’t the local mikrotik device).

Hi,

Thanks for your reply,

Those routes already exist, clients have the RB as their default gateway.
On a client I can successfully ping 172.16.1.1 or .2 but not the 192.168.100.0/24 network.

How is your firewall setup?

On SITE1: Allow both inbound, outbound and forward traffic
On SITE2: No firewall rules present

Somebody with tips on this issue ?

I can’t get this to work, my setup:

PRIVATE LAN 192.168.100.0/24 <-----|ROUTERBOARD DC|172.16.1.1 ------L2TP VPN ------ 172.16.1.2|ROUTERBOARD HOME|—> PRIVATE LAN 192.168.15.0/24

  • From my home router I can ping to 172.16.1.2,172.16.1.1 and also clients on the PRIVATE LAN subnets on both sides

  • From my DC router I can ping also to 172.16.1.2,172.16.1.1 and also clients on the PRIVATE LAN subnets on both sides

  • From a private lan subnet I can’t ping to 172.16.1.1,172.16.1.2 and also not to the other PRIVATE LAN.

==> L2TP VPN is active and up and running , but routing is not working as expected !

On my DC Router I’ve a /ip route 192.168.15.0/24 172.16.1.2, on my home router I’ve a /ip route 192.168.100.0/24 172.16.1.1

Help :)

When I do a traceroute via interface PRIVATE LAN it seems that it’s sending traffic through its default gateway instead of using the route I’ve defined for the 192.168.15.0 network.

Can you post the result of
/ip export

from both your routers?

Hi,

I’ve made some progress: when I start a ping from a device on the 192.168.100.0/24 network to a device on the 192.168.15.0/24 network, and start a torch on the L2TP interface, I see TX traffic on the 100.0/24 network and RX traffic on the 15.0/24 network, but the traffic is not going back.

Export from the router on the 192.168.100.0/24 network:

[user@router] > /ip export 
# jun/05/2014 20:57:30 by RouterOS 6.4
# software id = 5E5R-ZA5D
#
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip neighbor discovery
set ETH1 comment="UPLINK "
set ETH2 comment="UPLINK FW PROTECTED"
set ETH3 comment=VIRT1
set ETH4 comment="UPLINKS FW UNPROTECTED"
set ETH9 comment="UPLINK PRIVATE LAN SW 2"
set ETH10 comment="UPLINK PRIVATE LAN SW1"
set ETH3.107 discover=no
/ip pool
add name=dhcp_pool1 ranges=192.168.100.100-192.168.100.110
add name=dhcp_pool2 ranges=192.168.100.110,192.168.100.120
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface="PRIVATE LAN" name=dhcp1
/ip address
add address=192.168.100.254/24 interface=vrrp-PRIVATE_LAN network=192.168.100.0
add address=81.95.x.y/26 interface=Servers network=81.95.x.y
add address=185.18.x.y/32 interface=Servers network=185.18.x.y
add address=192.168.100.252/24 interface="PRIVATE LAN" network=192.168.100.0
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.100.254
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=8.8.8.8 name="Google 1"
add address=8.8.4.4 name=Google2
/ip firewall address-list
add address=80.190.147.92 list=0.ntp.pool.org
........
/ip firewall filter
add chain=forward
add chain=input
add chain=output

/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark="PRIVATE LAN" \
    src-address=192.168.100.0/24
add action=mark-connection chain=prerouting dst-address=192.168.100.0/24 \
    new-connection-mark="PRIVATE LAN"
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade voor PRIVATE LAN" \
    disabled=yes dst-limit=0,100,dst-address limit=0,100 src-address=\
    192.168.100.0/24 to-addresses=81.95.x.y
add action=masquerade chain=srcnat dst-address=!192.168.15.0/24 src-address=\
    192.168.100.0/24
add action=dst-nat chain=dstnat comment="Port Forwards" dst-address=\
    81.95.x.y dst-port=21 protocol=tcp to-addresses=192.168.100.1 to-ports=\
    21
....
/ip proxy
set max-cache-size=none parent-proxy=0.0.0.0
/ip route
add distance=1 gateway=81.95.x.y
add distance=2 gateway=185.18.x.y
/ip service
set telnet disabled=yes
set api disabled=yes
/ip traffic-flow
set cache-entries=4k interfaces=ETH1
/ip traffic-flow target
add address=192.168.100.5:2055 version=5

Export from the router on the 192.168.15.0/24 network:

[admin@GW01] > /ip export 
# apr/10/1970 21:37:15 by RouterOS 6.7
# software id = ZSI5-M3C9
#
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.15.100-192.168.15.200
/ip address
add address=192.168.15.1/24 interface=wlan1 network=192.168.15.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether1-gateway
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/ip dhcp-server lease
add address=192.168.15.130 client-id=1:d8:9d:67:57:71:a1 mac-address=\
    D8:9D:67:57:71:A1 server=default
/ip dhcp-server network
add address=192.168.15.0/24 comment="default configuration" dns-server=\
    8.8.8.8,8.8.4.4 gateway=192.168.15.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
/ip ipsec peer
add address=81.95.x.y/32 port=5000 secret=test
/ip ipsec policy
add dst-address=192.168.100.0/24 sa-dst-address=81.95.x.y sa-src-address=\
    81.82.146.151 src-address=192.168.15.0/24 tunnel=yes
/ip route
add distance=10 gateway=192.168.0.1
/ip service
set api disabled=yes

I don’t see those routes in your script, did you remove them?

Firstly, I agree with noib about not seeing the routes.
Second, try adding these NAT rules on the two routers at the top position (before your masquerade rule kicks in):
#site1
/ip firewall nat
add chain=srcnat dst-address=192.168.15.0/24 src-address=192.168.100.0/24

#site2
/ip firewall nat
add chain=srcnat dst-address=192.168.100.0/24 src-address=192.168.15.0/24

This will prevent the routers from sending the VPN traffic through their default gateways.

-Chris

Following routes are active on Site 1:
[admin@router] > /ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DIST

0 A S 0.0.0.0/0 192.168.0.1
1 ADC 172.16.1.1/32 172.16.1.2 VPN-HOME-DCO
2 ADC 192.168.0.0/24 192.168.0.200 ETH1
3 ADC 192.168.15.0/24 192.168.15.1 bridge-local
4 A S 192.168.100.0/24 172.16.1.1

on site 2:
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 81.95.x.y 1
2 ADC 81.95.x.y/26 81.95.x.y Servers 0
3 ADC 172.16.1.2/32 172.16.1.1 <l2tp-VPN-DCO-H... 0
4 ADC 185.18.x.y/32 185.18.x.y Servers 0
5 A S 192.168.15.0/24 172.16.1.2 1
6 ADC 192.168.100.0/24 192.168.100.252 PRIVATE LAN 0
vrrp-PRIVATE_LAN
7 ADC 192.168.100.107/32 81.95.x.y 0

I've added the 2 nat rules as described but it isn't working.. Helpless!
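Added example, not from this thread and not MikroTik's code: a small Python model of the two mechanisms the thread argues about, longest-prefix route lookup with recursive next-hop resolution through the L2TP /32 route, and first-match evaluation of the srcnat chain. It runs over a constructed copy of the home-side router's routes (the route print and export quoted above; the tunnel interface name VPN-HOME-DCO, the addresses and the DHCP client 192.168.15.130 are from the thread) together with its masquerade rule, Chris's accept-first rule, and the negated dst-address form used in the DC router's export. The assumption that the default route leaves via ether1-gateway is mine. It shows what happens to a packet for 192.168.100.0/24 when the static route is present versus missing (routed out of the default gateway and masqueraded, matching the traceroute observation earlier in the thread), and that both exclusion styles keep tunnel traffic un-NATed while internet traffic is still masqueraded.

```python
import ipaddress

# Constructed model of the home-side router (192.168.15.0/24) as quoted in this
# thread; an illustrative table, not a RouterOS export. A route with a gateway
# but no interface is resolved recursively, as RouterOS does for a static route
# whose gateway is reached through the tunnel's /32 connected route.
HOME_ROUTES = [
    {"dst": "0.0.0.0/0",        "gateway": "192.168.0.1", "interface": "ether1-gateway", "distance": 10},
    {"dst": "172.16.1.1/32",    "gateway": None,          "interface": "VPN-HOME-DCO",   "distance": 0},
    {"dst": "192.168.0.0/24",   "gateway": None,          "interface": "ether1-gateway", "distance": 0},
    {"dst": "192.168.15.0/24",  "gateway": None,          "interface": "bridge-local",   "distance": 0},
    {"dst": "192.168.100.0/24", "gateway": "172.16.1.1",  "interface": None,             "distance": 1},
]

# srcnat chain as exported from the home router: masquerade whatever leaves ether1-gateway.
HOME_NAT_ORIGINAL = [
    {"action": "masquerade", "out-interface": "ether1-gateway"},
]

# Chris's suggestion: an accept rule placed first, so site-to-site traffic never reaches masquerade.
HOME_NAT_ACCEPT_FIRST = [
    {"action": "accept", "src-address": "192.168.15.0/24", "dst-address": "192.168.100.0/24"},
] + HOME_NAT_ORIGINAL

# The form used in the DC router's export: exclude the remote LAN with a negated dst-address.
HOME_NAT_NEGATED = [
    {"action": "masquerade", "src-address": "192.168.15.0/24", "dst-address": "!192.168.100.0/24"},
]


def lookup(routes, dst_ip, _depth=0):
    """Longest-prefix match, lowest distance on ties, recursive next-hop resolution.

    Returns {"gateway": ..., "interface": ...} or None when no usable route exists."""
    dst = ipaddress.ip_address(dst_ip)
    best = None
    for route in routes:
        net = ipaddress.ip_network(route["dst"])
        if dst in net:
            rank = (net.prefixlen, -route["distance"])
            if best is None or rank > best[0]:
                best = (rank, route)
    if best is None:
        return None
    route = best[1]
    if route["interface"] is not None:
        return {"gateway": route["gateway"], "interface": route["interface"]}
    if _depth >= 4:  # guard against a gateway that only resolves through itself
        return None
    via = lookup(routes, route["gateway"], _depth + 1)
    if via is None:
        return None
    return {"gateway": route["gateway"], "interface": via["interface"]}


def _addr_matches(spec, ip):
    """RouterOS-style address matcher: None matches anything, a leading '!' negates."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(spec.lstrip("!"))) != negate


def srcnat_action(rules, src_ip, dst_ip, out_interface):
    """Walk the srcnat chain top to bottom; the first matching rule decides."""
    for rule in rules:
        if (_addr_matches(rule.get("src-address"), src_ip)
                and _addr_matches(rule.get("dst-address"), dst_ip)
                and rule.get("out-interface") in (None, out_interface)):
            return rule.get("action", "accept")
    return "accept"  # fell off the end of the chain: source address left untouched


def forward(routes, nat_rules, src_ip, dst_ip):
    """Route a packet, then apply srcnat on the resolved egress interface."""
    hop = lookup(routes, dst_ip)
    if hop is None:
        return {"out-interface": None, "srcnat": "no route"}
    action = srcnat_action(nat_rules, src_ip, dst_ip, hop["interface"])
    return {"out-interface": hop["interface"], "srcnat": action}


def without_route(routes, dst):
    """Copy of a route table with one destination removed (models the missing static route)."""
    return [r for r in routes if r["dst"] != dst]


if __name__ == "__main__":
    client = "192.168.15.130"  # DHCP lease quoted in the thread
    for label, rules in [("original", HOME_NAT_ORIGINAL),
                         ("accept first", HOME_NAT_ACCEPT_FIRST),
                         ("negated", HOME_NAT_NEGATED)]:
        print(label, "to remote LAN:", forward(HOME_ROUTES, rules, client, "192.168.100.1"))
        print(label, "to internet:  ", forward(HOME_ROUTES, rules, client, "8.8.8.8"))
    print("static route missing:",
          forward(without_route(HOME_ROUTES, "192.168.100.0/24"), HOME_NAT_ORIGINAL, client, "192.168.100.1"))
```

The model deliberately separates routing from NAT: the egress interface comes out of the route lookup and is only then fed to the srcnat chain, which is why a missing static route changes the NAT outcome even though no NAT rule was touched.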