Hi,
I work for a charity in the Democratic Republic of Congo, Africa and I am having trouble with router networking.
I am really hoping that there is a kind person who can help. It would help many people here to be able to correctly set up remote access to our network.
I have tried many different threads on how to connect my home network “site1” (home router - not Mikrotik, and dynamic IP adddress, internal LAN addresses are 192.168.0.1/24) to my office network “site2” (Mikrotik router and static IP address, internal LAN addresses are 10.30.100.1/24). Essentially, I want to be able to access my office network “site2” from anywhere. This is because we are often out in the field with our charitable activities and we desperately need to access.
So I tried to set up VPN and L2TP on the site2 Mikrotik router. But I am not doing something correctly and I wondered if anyone would be very kind and help me.
The only way I seem to be able to get the VPN working is if I disable my NAT rule for masquerade on site2. But if I do that, then site2 internal LAN doesn’t have internet access. Even if I do that, I can only access the site2 router, not the rest of the LAN despite enabling “proxy-arp” on ether2.
Here is my config and I am really hoping someone will help me.
Kind regards,
Euan
\
apr/27/2017 15:38:29 by RouterOS 6.38.5
software id = U1Y1-HPSY
/interface bridge
add name=bridgeLocal
/interface ethernet
set [ find default-name=ether1 ] comment=WAN mac-address=D4:CA:6D:3F:64:AC
set [ find default-name=ether2 ] arp=proxy-arp comment=LAN mac-address=
D4:CA:6D:3F:64:AD
set [ find default-name=ether3 ] mac-address=D4:CA:6D:3F:64:AE master-port=
ether2
set [ find default-name=ether4 ] mac-address=D4:CA:6D:3F:64:AF master-port=
ether2
set [ find default-name=ether5 ] mac-address=D4:CA:6D:3F:64:B0 master-port=
ether2
set [ find default-name=ether6 ] mac-address=D4:CA:6D:3F:64:B1
set [ find default-name=ether7 ] mac-address=D4:CA:6D:3F:64:B2 master-port=
ether6
set [ find default-name=ether8 ] mac-address=D4:CA:6D:3F:64:B3 master-port=
ether6
set [ find default-name=ether9 ] mac-address=D4:CA:6D:3F:64:B4 master-port=
ether6
set [ find default-name=ether10 ] mac-address=D4:CA:6D:3F:64:B5 master-port=
ether6
set [ find default-name=sfp1 ] mac-address=D4:CA:6D:3F:64:AB
/interface wireless
set [ find default-name=wlan1 ] name=wlan2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,3des pfs-group=none
/ip pool
add name=pptp-pool ranges=10.30.100.1-10.30.100.100
add name=dhcp_pool1 ranges=10.30.100.100-10.30.100.254
add name=dhcp_pool2 ranges=10.30.100.100-10.30.100.254
add name=dhcp_pool3 ranges=10.30.100.100-10.30.100.254
/ip dhcp-server
add address-pool=dhcp_pool3 disabled=no interface=bridgeLocal name=dhcp1
/ppp profile
add change-tcp-mss=yes local-address=pptp-pool name=pptp-profile
remote-address=pptp-pool
/interface bridge port
add bridge=bridgeLocal interface=ether2
add bridge=bridgeLocal interface=ether6
/interface l2tp-server server
set enabled=yes ipsec-secret=redactedpassword use-ipsec=yes
/interface pptp-server server
set enabled=yes
/ip address
add address=site2publicIPredacted*/27 comment="WAN Configuration" interface=ether1
network=site2ISPprovidednetworkIPredacted
add address=10.30.100.1/24 comment="LAN subnet " interface=bridgeLocal
network=10.30.100.0
/ip dhcp-server network
add address=10.30.100.0/24 dns-server=
8.8.8.8,8.8.4.4,site2ISPProvidedDNSIPaddressesredacted gateway=10.30.100.1
/ip dns
set allow-remote-requests=yes servers="site2ISPprovidedIPaddressesredacted,8.8.8.8,8.8.4.4"
/ip firewall address-list
add address=10.30.100.0/24 list=PamojaLAN
/ip firewall filter
add action=accept chain=input comment=
"Allow access to the router from the LAN" log=yes src-address-list=
PamojaLAN
add action=accept chain=forward comment="Allow connections from the LAN"
connection-state=new in-interface=bridgeLocal
add action=accept chain=forward comment="Allow etablished connection"
connection-state=established
add action=accept chain=forward comment="Allow related connection"
connection-state=related
add action=accept chain=input comment=
"Allow established connection to the router" connection-nat-state=""
connection-state=established connection-type=""
add action=accept chain=input comment="Allow related connection tothe router"
connection-state=related
add action=accept chain=input comment="VPN accept on port 1723" dst-port=1723
protocol=tcp
add action=accept chain=input comment="VPN accept on protocol gre" protocol=
gre
add action=accept chain=input connection-state=new dst-port=500 in-interface=
ether1 protocol=udp
add action=accept chain=input connection-state=new dst-port=1701
in-interface=ether1 protocol=udp
add action=accept chain=input connection-state=new dst-port=4500
in-interface=ether1 protocol=udp
add action=drop chain=input comment="Drop all other trrafic to router"
add action=drop chain=forward comment="Drop all other traffic to router "
add action=drop chain=forward comment="Drop invaild connection"
connection-state=""
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=3des generate-policy=port-override
secret=redactedpassword
/ip route
add distance=1 gateway=ISPProvidedGatewayIPredacted
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8
,ether9,ether10"
/ppp secret
add name=usernameredacted password=redactedpassword profile=pptp-profile service=l2tp
/system clock
set time-zone-name=Africa/Kigali
/system identity
set name=PamojaRouter
/system ntp client
set enabled=yes primary-ntp=196.10.55.57 secondary-ntp=132.163.4.101