Connection established but no access to LAN devices from an L2TP/IPsec roadwarrior.

I managed to establish a connection as an L2TP/IPsec roadwarrior to ROS. But that is all.

From the roadwarrior, I can ping the router 192.168.31.1 but no other devices on the same LAN. I can’t ssh admin@192.168.31.1.

I suspect there is a bridge issue, but I am a newbie.

This is my /export hide-sensitive:

# 2023-12-15 09:12:56 by RouterOS 7.12.1
# software id = WANN-95DJ
#
# model = RBD53iG-5HacD2HnD
/interface bridge
add admin-mac=2C:C8:1B:A0:48:86 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
/interface wireless
set [ find default-name=wlan1 ] disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-A0488A wireless-protocol=802.11
set [ find default-name=wlan2 ] disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-A0488B wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.31.10-192.168.31.192
add name=vpn-pool ranges=192.168.31.193-192.168.31.224
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ppp profile
add local-address=192.168.31.1 name=L2TP/IPSEC remote-address=vpn-pool
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set default-profile=default enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1-wan list=WAN
/ip address
add address=192.168.31.1/24 comment=defconf interface=bridge network=192.168.31.0
/ip dhcp-client
add comment=defconf interface=ether1-wan
/ip dhcp-server lease
add address=192.168.31.8 client-id=1:24:f5:a2:f1:82:65 mac-address=24:F5:A2:F1:82:65 server=defconf
/ip dhcp-server network
add address=192.168.31.0/24 comment=defconf dns-server=192.168.31.1 gateway=192.168.31.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.31.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment=L2TP-IPSEC dst-port=1701,500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment=L2TP-IPSEC in-interface-list=WAN protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ppp secret
add name=ronll-mik profile=L2TP/IPSEC service=l2tp
/system clock
set time-zone-name=Europe/Paris
/system logging
add disabled=yes topics=l2tp
add disabled=yes topics=ppp
add topics=dhcp,!debug
add topics=interface
add disabled=yes topics=ipsec
add topics=firewall
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Turn on proxy-arp on the bridge.

That should pass your traffic.

Why?
To allow access to the LAN or the config, isn't the use of firewall rules the way to go?
What is with this proxy ARP stuff :slight_smile:

He had his VPN address pool as the same IP scope as his LAN.

Would I do it this way… NO.

But… If he ticks that proxy-arp… His traffic to the LAN will probably start working.

Yes indeed. /interface bridge set bridge arp="proxy-arp" is the way to go to ping other devices.
I had already tested it, as I read it somewhere and understand more or less what it does. But I tested only by trying to establish ssh admin@192.168.31.1 to the router, not by pinging other devices on the LAN. :confused: . That kind of mistake is quite common for newbies who have to deal with a lot of new knowledge at once.

Now the situation is that I can ping devices on the LAN, but that is all. Other traffic doesn't get through to any device. I tested ssh, www, rdp, winbox. There is another kind of issue in my setup.

Why wouldn’t you use the same scope?

You are not getting broadcast traffic anyway. And proxy ARP has been known to stall the whole network if you make enough mistakes.

VPN on a different subnet, and use firewall and routing rules.
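An added example of the separate-subnet approach suggested above, written against the export posted earlier; it is not from any poster in this thread. It assumes 192.168.32.0/24 is unused on this router and keeps the user name ronll-mik from the export; the exported input chain ends with "drop all not coming from LAN", which is why management traffic from the tunnel needs its own accept rule.

```routeros
# Added example, not from the thread: L2TP/IPsec clients on their own subnet,
# reached through routing and explicit firewall rules instead of proxy-arp.
# Assumed: 192.168.32.0/24 is free, the PPP user is "ronll-mik" as in the
# export, and the rest of the defconf firewall stays as exported above.

# 1. Give the VPN clients their own pool and gateway address.
/ip pool
set [ find name=vpn-pool ] ranges=192.168.32.10-192.168.32.100
/ppp profile
set [ find name="L2TP/IPSEC" ] local-address=192.168.32.1 remote-address=vpn-pool

# 2. Bind the user to a static L2TP server interface so it has a fixed name
#    that can be placed in an interface list (dynamic PPP interfaces cannot).
/interface l2tp-server
add name=l2tp-ronll user=ronll-mik
/interface list
add name=VPN
/interface list member
add interface=l2tp-ronll list=VPN

# 3. Input chain: the defconf rule "drop all not coming from LAN" also drops
#    ssh/winbox from the tunnel (ICMP passes because of the earlier ICMP
#    accept, which is why ping to the router worked). Allow only what is
#    needed, placed before that drop.
/ip firewall filter
add chain=input action=accept comment="VPN: ssh/winbox to router" \
    in-interface-list=VPN protocol=tcp dst-port=22,8291 \
    place-before=[ find comment="defconf: drop all not coming from LAN" ]

# 4. Forward chain: allow VPN -> LAN explicitly, then drop anything else that
#    arrives from the tunnel (remove the drop if clients should also reach
#    the Internet through this router). The clients are routed, not bridged,
#    so LAN hosts reply via their default gateway 192.168.31.1 and no
#    proxy-arp is needed.
add chain=forward action=accept comment="VPN: to LAN" \
    in-interface-list=VPN out-interface-list=LAN \
    place-before=[ find comment="defconf: drop all from WAN not DSTNATed" ]
add chain=forward action=drop comment="VPN: drop everything else" \
    in-interface-list=VPN \
    place-before=[ find comment="defconf: drop all from WAN not DSTNATed" ]
```

The roadwarrior must send 192.168.31.0/24 into the tunnel (most clients do this by default when they route everything through the VPN); otherwise add that route on the client side.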

On that kind of stuff, I think I will have a hard time. Any recommended resources on that subject?