Cannot access LAN devices over VPN client

I'm trying to set up a VPN connection over L2TP/IPsec for VPN client access to my local network (road warrior).

I can connect from my VPN client to the VPN server running on MikroTik, but can't get access to the home network.

Can someone take a look at this to help me?

See my config below:

# RouterOS 6.42.12

/interface bridge
add admin-mac=B8:69:F4:8E:04:17 arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=hap_wpa \
    supplicant-identity="" wpa-pre-shared-key=wifipass \
    wpa2-pre-shared-key=wifipass
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-b/g/n channel-width=\
    20/40mhz-Ce country=belgium disabled=no distance=indoors frequency=auto \
    frequency-mode=regulatory-domain mode=ap-bridge security-profile=hap_wpa \
    ssid=Hap tx-power=15 tx-power-mode=all-rates-fixed wireless-protocol=\
    802.11 wps-mode=disabled
/ip pool
add name=dhcp ranges=10.0.0.10-10.0.0.99
add name=vpn ranges=10.0.0.200-10.0.0.220
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=10.0.0.200 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes ipsec-secret=vpnsecret use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=10.0.0.1/24 comment=defconf interface=ether2 network=10.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet address=10.0.0.0/24 disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/24
set ssh address=10.0.0.0/24
set api address=10.0.0.0/24
set winbox address=10.0.0.0/24
set api-ssl address=10.0.0.0/24
/ppp secret
add name=vpn password=vpnpass service=l2tp
/system clock
set time-zone-name=Europe/Brussels
/system package update
set channel=long-term
/tool graphing resource
add allow-address=10.0.0.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Anyone that can take a look at my config?

Maybe you can try setting the IP address of your LAN on the bridge, not on ether2, and the local address for the VPN user should be the IP address of the bridge: https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP

But in my config above the VPN user has the same subnet as my LAN, and the LAN is already in the bridge:

/interface list member
add comment=defconf interface=bridge list=LAN

Every IP address should be on the top interface, in your case the bridge, for your config. For L2TP cannot access LAN →
http://forum.mikrotik.com/t/l2tp-vpn-setup-cannot-ping-lan-devices/84068/1

I've read the links you provided, but I'm still clueless.
Can you tell me what I need to change in my config?

Change IP address 10.0.0.1/24 to the bridge interface, and the PPP user local address to 10.0.0.1, and test; for me it is working that way with the same config as yours.

Don’t change anything else

# Change to bridge below
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0

# Is this OK?
/ppp profile
set *FFFFFFFE local-address=10.0.0.1 remote-address=vpn

Remote-address is the IP address for the user, and you already defined them with a DHCP lease from 10.0.0.200 to 220.

Now it is OK.

Please test now

Still no access, no ping reply.

Post config

# RouterOS 6.42.12

/interface bridge
add admin-mac=B8:69:F4:8E:04:17 arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed mode=dynamic-keys name=hap_wpa \
    supplicant-identity="" wpa-pre-shared-key=wifipass \
    wpa2-pre-shared-key=wifipass
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-b/g/n channel-width=\
    20/40mhz-Ce country=belgium disabled=no distance=indoors frequency=auto \
    frequency-mode=regulatory-domain mode=ap-bridge security-profile=hap_wpa \
    ssid=Hap tx-power=15 tx-power-mode=all-rates-fixed wireless-protocol=\
    802.11 wps-mode=disabled
/ip pool
add name=dhcp ranges=10.0.0.10-10.0.0.99
add name=vpn ranges=10.0.0.200-10.0.0.220
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=10.0.0.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes ipsec-secret=vpnsecret use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=10.0.0.1/24 comment=defconf interface=bridge network=10.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf gateway=10.0.0.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip service
set telnet address=10.0.0.0/24 disabled=yes
set ftp disabled=yes
set www address=10.0.0.0/24
set ssh address=10.0.0.0/24
set api address=10.0.0.0/24
set winbox address=10.0.0.0/24
set api-ssl address=10.0.0.0/24
/ppp secret
add name=vpn password=vpnpass service=l2tp
/system clock
set time-zone-name=Europe/Brussels
/system package update
set channel=long-term
/tool graphing resource
add allow-address=10.0.0.0/24
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Everything looks OK, maybe the firewall? Can you disable all drop rules and test? And if it works, start enabling them one by one. Only that came to my mind.

Because your VPN addresses overlap with the LAN IP addressing you need to enable Proxy-ARP on the LAN bridge.

Alternatively give your VPN clients a different IP range and change the PPP local address. This would be the preferred option. Proxy-ARP comes with some security issues.

  • In my current config (see above) proxy-arp is enabled on the bridge, but I still can't ping other devices in my LAN from my VPN client.
  • The reason I chose to put them in the same range was to avoid adding routing to be able to ping from subnet A to subnet B.
  • How can I change my config for that?

Did you solve the problem, bro? I have the same problem :(

You should add this:

/interface list
add include=dynamic name=LAN
add name=WAN
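A worked version of the two suggestions in this thread (the earlier one to move VPN clients to their own subnet and change the PPP local address instead of relying on proxy-ARP, and the last one to include dynamic interfaces in the LAN list), as an added example that is not part of any post above. It is written against the posted 6.42 defconf-style config and assumes a VPN subnet of 10.0.10.0/24 with 10.0.10.1 as the router's end of every tunnel, a profile name of l2tp-clients, and placeholder secrets; every address and name that does not appear in the posted config is an assumption.

```routeros
# Added example, not from the thread: L2TP/IPsec road-warrior clients on their
# own subnet, with explicit firewall policy, on top of the posted defconf.
# Assumed: VPN subnet 10.0.10.0/24, router end 10.0.10.1, profile l2tp-clients.
# Secrets are placeholders; replace them before use.

# 1. Give VPN clients their own pool instead of 10.0.0.200-220 inside the LAN.
#    The posted pool is named "vpn", so it is updated rather than re-added.
/ip pool
set [ find name=vpn ] ranges=10.0.10.2-10.0.10.50

# 2. Dedicated PPP profile: local-address is the router's side of each tunnel,
#    remote-address hands out the pool, and clients are pointed at the router
#    for DNS (allow-remote-requests=yes is already set in the posted config).
/ppp profile
add name=l2tp-clients local-address=10.0.10.1 remote-address=vpn \
    dns-server=10.0.0.1
/ppp secret
set [ find name=vpn ] profile=l2tp-clients
/interface l2tp-server server
set enabled=yes default-profile=l2tp-clients use-ipsec=required \
    ipsec-secret=CHANGE-ME-IPSEC-SECRET

# 3. Subnets no longer overlap, so proxy-ARP on the bridge is not needed and
#    the router stops answering ARP on behalf of other hosts.
/interface bridge
set bridge arp=enabled

# 4. Each connected client gets a dynamic <l2tp-vpn> interface. Including the
#    built-in "dynamic" list in LAN (the include=dynamic suggestion) lets the
#    posted input rule "drop all not coming from LAN" admit DNS and Winbox from
#    the tunnel; without it only ICMP and established traffic reach the router.
/interface list
set [ find name=LAN ] include=dynamic

# 5. No static route is needed on the router: PPP installs a /32 connected
#    route per client and 10.0.0.0/24 is connected via the bridge. The posted
#    forward chain has no catch-all drop, so state the tunnel policy explicitly.
/ip firewall filter
add chain=forward action=accept comment="vpn clients -> LAN" \
    src-address=10.0.10.0/24 dst-address=10.0.0.0/24 connection-state=new
add chain=forward action=drop comment="drop other new traffic from vpn clients" \
    src-address=10.0.10.0/24 connection-state=new

# 6. Only accept raw L2TP (UDP 1701) when it arrives inside IPsec, so a client
#    that skips encryption cannot even start PPP negotiation.
/ip firewall filter
set [ find comment="allow l2tp" ] ipsec-policy=in,ipsec

# 7. Management services in the posted config are bound to 10.0.0.0/24 only;
#    decide deliberately whether the VPN subnet may reach them.
/ip service
set winbox address=10.0.0.0/24,10.0.10.0/24
```

The two forward rules are appended after the existing defconf rules, which is fine here because nothing earlier in the posted forward chain drops traffic arriving from a tunnel interface (the "drop all from WAN not DSTNATed" rule matches only in-interface-list=WAN). If a catch-all forward drop is added later, keep these rules above it. The router side then needs no routing changes, but the client does have to send 10.0.0.0/24 into the tunnel: either "use default gateway on remote network" (in which case the posted masquerade rule NATs the client's internet traffic out of ether1) or a client-side route for 10.0.0.0/24. Note that include=dynamic also pulls in any other dynamic interface the router creates, so on a router with several tunnel types a dedicated list is the tighter choice. To check the result: `/ppp active print` should show the client with a 10.0.10.x address, `/ip route print where dynamic` should show one /32 per connected client, and `/ip firewall filter print stats` shows which rule is counting the pings.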