I set up the Mikrotik Routerboard as an IPsec/L2TP VPN server by following a couple of blog posts I found online. I can successfully connect to my VPN remotely, but I cannot access any resources on the Mikrotik’s LAN other than the router itself. The Mikrotik IP is 10.1.11.1 and I can access this remotely just fine with Winbox. My VPN connection is assigned an IP from the VPN pool, e.g. 10.1.11.11. Then, for example, I cannot ping a server located at 10.1.11.91. Screenshots attached show my VPN connection and Winbox configuration. Notice that my subnet mask is assigned as 255.255.255.255 with default gateway 0.0.0.0, but why?
config.txt (3.21 KB)
Can you post your config please /export
and hide any public IP numbers (wanip, gateway info etc.)
see attachment config.txt
As the VPN client uses an address from the LAN you have to enable proxy ARP on that interface (bridge1). This is so the Mikrotik can answer ARP requests from devices connected to the local LAN ethernet on behalf of the VPN client.
You may wish to change your IPsec secret not having redacted it, and pick something with suitable complexity - search for ipsec shared secret length or ipsec shared secret entropy.
Hopefully you have more firewall rules than just those shown, otherwise the device is open to attack. Depending on what there are, you may have to add rules to allow traffic from the VPN interface.
Thanks. I changed the ARP setting from “enabled” to “proxy-arp” but it didn’t seem to help. Still can’t ping IPs of servers on the LAN?
/interface bridge
add arp=proxy-arp name=bridge1
The gateway and subnet mask I’m getting from ipconfig on my client seem suspect?
PPP adapter AUP:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 10.1.11.11
Subnet Mask . . . . . . . . . . . : 255.255.255.255
Default Gateway . . . . . . . . . : 0.0.0.0
Do you have to have a VPN pool, don’t you just set an IP address somewhere in VPN settings…
In any case set it different FROM THE LAN.
Then make firewall rules allow VPN IP to LANIP etc…
WireGuard for me is much easier… made for the brain dead.
anav, Can you elaborate further on these firewall rules I may need? I don’t quite follow. My VPN pool is 10.1.11.10-29 because I want to allow multiple clients. My LAN DHCP is 10.1.11.100-250, and I have some reserved IPs on the LAN between 10.1.11.30-99. Why can’t my VPN clients ping the hosts on the rest of the LAN? Why is my VPN client getting a subnet mask of 255.255.255.255 and gateway of 0.0.0.0?
Sorry, I cannot, as I would never use the same pool for VPN and my LAN; I don’t have the networking skillset to parse that out.
Further one probably cannot separate that traffic being in the same pool.
There’s nothing to it, you just need proxy ARP as suggested. On client, mask 255.255.255.255 is normal, it gets only single address. Route to remote subnet is Windows “magic” that works with long-dead subnet classes. But you don’t need to worry about that when you have VPN configured as default gateway, which it seems you do, because there’s gateway 0.0.0.0 (it shows like that). So yeah, it should work.
But what I find really really weird, you posted config with non-existent firewall, and it didn’t trigger @anav at all, as if he didn’t see it. Could simple overlapping subnets confuse him so much?
proxy-arp didn’t solve my problem though. Sigh. After setting it, I still couldn’t ping any other hosts in the LAN. Maybe I set it up wrong? Can you post the command-line I should use?
Problem solved! My bad. It turns out the windows server on the LAN that I was trying to ping had ping responses disabled in Windows Firewall! Argh!
As usual…
Should be some sort of sticky on a couple of forums.
WHEN PING FAILS TO A WINDOWS MACHINE, IT COULD BE NORMAL.
CHECK WINDOWS FIREWALL FIRST BEFORE POINTING AT YOUR ROUTER.
There are even worse situations…
A user of mine signed up with us to have Netflix on the TV.
Up to here everything is normal…
Then he wanted us to configure the television for him…
Look, he didn’t buy it from us, it’s not our job, we only provide the connection…
And up to here… well imagine…
But then…
“I pay the subscription to see Netflix, but I can not reach to see it”…
Too bad that the subscription you pay us is only for the Internet,
If you want to see Netflix you have to pay an extra subscription to Netflix too… not pay us more…
I let you imagine the sequel …
@tophermiller: Since @anav is still scared away, I’ll mention it once more myself, you don’t have any firewall, everything is wide open. It’s probably good idea to do something with that. See e.g. this for some inspiration: https://forum.mikrotik.com/viewtopic.php?t=180838
@Sob Thank you and yes, I want to do something about that, but I’m kinda clueless what is required. I’ll read the link you suggested, and I also spoke with the guy who sold me on this MikroTik and he recommended the following… what do you think?
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
That’s almost like default config, which looks like this:
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
Yours is missing the last drop rule in input chain, so it doesn’t prevent connections from internet to router (that’s not good). And default one has fasttrack, which can improve throughput, but also has some side-effects. Both use “block unwanted things and allow the rest”, while the linked thread works with “allow wanted things and block the rest”. I like the latter, but it’s not like the former is wrong, just different way.
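The two points made in this thread (proxy ARP is needed when the VPN pool sits inside the LAN subnet, and the posted filter lacks the catch-all drop at the end of the input chain) can both be checked mechanically on an /export. The script below is an added example and not something from the thread or from MikroTik: it parses a constructed export modelled on the rules posted above (the SAMPLE_EXPORT text is made up for this example, not the poster's real config.txt), and the "catch-all drop" heuristic (a final input-chain drop that carries no matcher other than an interface-list) is an assumption of this script, not a RouterOS definition.

```python
import ipaddress
import re

# Constructed RouterOS export modelled on the thread's posted rules (not the poster's
# actual config.txt): VPN pool inside the LAN /24, proxy-arp set, no final input drop.
SAMPLE_EXPORT = """\
/interface bridge
add arp=proxy-arp name=bridge1
/ip pool
add name=vpn-pool ranges=10.1.11.10-10.1.11.29
/ip address
add address=10.1.11.1/24 interface=bridge1
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=forward comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
"""

# The catch-all input drop from the RouterOS default configuration, as quoted in the thread.
DEFCONF_INPUT_DROP = 'add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"\n'

# key=value pairs; a value is either a double-quoted string (may contain spaces) or a bare token
ATTR_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')


def parse_export(text):
    """Return {section path: [attribute dict per 'add' line]} for a RouterOS /export."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            attrs = {k: v.strip('"') for k, v in ATTR_RE.findall(line[4:])}
            sections[current].append(attrs)
    return sections


def vpn_pool_overlaps_lan(sections):
    """True if any /ip pool range lies inside a subnet configured under /ip address."""
    lan_nets = [ipaddress.ip_interface(a["address"]).network
                for a in sections.get("/ip address", []) if "address" in a]
    for pool in sections.get("/ip pool", []):
        for rng in pool.get("ranges", "").split(","):
            first, _, last = rng.partition("-")
            lo = ipaddress.ip_address(first)
            hi = ipaddress.ip_address(last or first)
            if any(lo in net and hi in net for net in lan_nets):
                return True
    return False


def bridge_has_proxy_arp(sections, name="bridge1"):
    """True if the named bridge is set to arp=proxy-arp (needed when the pool is inside the LAN)."""
    return any(b.get("name") == name and b.get("arp") == "proxy-arp"
               for b in sections.get("/interface bridge", []))


def input_chain_has_final_drop(sections):
    """True if the last input-chain rule is a drop with no narrowing matcher.

    RouterOS evaluates rules in order and accepts what no rule drops, so without this
    the router's own services stay reachable from the WAN. Heuristic: an interface-list
    restriction (as in defconf's in-interface-list=!LAN) still counts as catch-all.
    """
    rules = [r for r in sections.get("/ip firewall filter", []) if r.get("chain") == "input"]
    if not rules or rules[-1].get("action") != "drop":
        return False
    narrowing = {"connection-state", "protocol", "src-address", "dst-address",
                 "src-port", "dst-port", "in-interface"}
    return narrowing.isdisjoint(rules[-1])


def audit(text):
    """Run both checks over an export and return a list of human-readable findings."""
    s = parse_export(text)
    findings = []
    if vpn_pool_overlaps_lan(s) and not bridge_has_proxy_arp(s):
        findings.append("VPN pool overlaps LAN subnet but bridge1 lacks arp=proxy-arp")
    if not input_chain_has_final_drop(s):
        findings.append("input chain has no catch-all drop rule: router services reachable from WAN")
    return findings


def with_default_input_drop(text):
    """Append the defconf catch-all drop so it becomes the last input-chain rule."""
    return text.rstrip("\n") + "\n" + DEFCONF_INPUT_DROP


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("finding:", finding)
    print("after adding defconf drop:", audit(with_default_input_drop(SAMPLE_EXPORT)))
```

Run against the sample it reports only the missing input drop, because proxy-arp is already set on bridge1; removing `arp=proxy-arp` from the bridge line makes the overlap finding appear as well. Feed it the output of `/export` from a real unit instead of SAMPLE_EXPORT to audit your own configuration.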
Hello,
VPN connection is working properly but I cannot ping local servers. When I make a VPN connection, I can get an IP from the pool I reserved for the VPN, but I cannot ping the servers or other devices. I made my Bridge connection “Proxy_ARP”. I added the firewall rules you recommended, but it still didn’t work. I am sharing my backup file attached, could you please be interested?
Thank you so much.
backup.txt.rsc (12.8 KB)
I recommend not using proxy arp, it seems like a dirty trick sob conjured making people think that using the same pool of addresses for two different things is a good idea !!!
I personally don’t like such tricks… What is proxy ARP anyway, probably some way of monkeying with traffic at the MAC address level…