DHCP Client brige l2tp tunnel

un7known · February 8, 2019, 6:19am

Hello. I can not make the following scheme work.

Mikrotik CHR ether1 - internet

Mikrotik AP ether1 - internet

DHCP SERVER —> CHR.ether2 —> l2tp server → INTERNET —> NAT —> l2tp client —> AP.wlan1 —> DHCP Client

it is necessary that the access point which is behind nat gave dhcp from the server which is connected to ether2 mikrotik chr. I am use https://wiki.mikrotik.com/wiki/Manual:BCP_bridging_(PPP_tunnel_bridging)

Access point config

/interface bridge
add admin-mac=CC:2D:E0:5A:C3:3E auto-mac=no fast-forward=no name=bridge-remote
/interface wireless
set [ find default-name=wlan1 ] disabled=no frequency=auto mode=ap-bridge ssid=test_2
set [ find default-name=wlan2 ] disabled=no mode=ap-bridge ssid=test_5
/interface wireless security-profiles
set [ find default=yes ] eap-methods="" supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ppp profile
add bridge=bridge-remote change-tcp-mss=no name=profile1 use-encryption=yes
set *FFFFFFFE use-encryption=default
/interface l2tp-client
add connect-to=80.xxx.xxx.173 disabled=no max-mru=1600 name=l2tp-out1 password=ppp123 profile=profile1 user=ppp1
/interface bridge port
add bridge=bridge-remote interface=wlan1
/ip address
add address=192.168.88.10/24 interface=bridge-remote network=192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=bridge-remote use-peer-dns=no use-peer-ntp=no
/ip firewall service-port
set pptp disabled=yes ports=1723
/system clock
set time-zone-name=Asia/Krasnoyarsk
/system identity
set name=AP

CHR config

/interface bridge
add admin-mac=00:15:5D:C2:07:16 auto-mac=no fast-forward=no name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] comment=Internet disable-running-check=no
set [ find default-name=ether2 ] comment="vlan 45" disable-running-check=no
/interface list
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec peer profile
set [ find default=yes ] enc-algorithm=aes-256,aes-192,aes-128,3des
/ppp profile
add bridge=bridge-local name=l2tp-profile1
/interface bridge port
add bridge=bridge-local interface=ether2
/interface l2tp-server server
set authentication=mschap2 default-profile=default enabled=yes ipsec-secret=Im2aF1OnKO mrru=1600
/interface list member
add interface=ether1 list=WAN
/ip address
add address=80.xxx.xxx.173/29 interface=ether1 network=80.xxx.xxx.xxx
add address=192.168.88.1/24 interface=bridge-local network=192.168.88.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid interface=bridge-local use-peer-dns=no use-peer-ntp=no
/ip dns
set allow-remote-requests=yes servers=80.xxx.xxx.xxx,80.xxx.xxx.xx
/ip firewall filter
add action=passthrough chain=forward
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input src-address=80.xxx.xxx.xxx/25
add action=drop chain=input comment="defconf: drop all coming from WAN" in-interface-list=WAN
add action=accept chain=forward
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=80.xxx.xxx.174
/ppp secret
add name=ppp1 password=ppp123 profile=l2tp-profile1 service=l2tp
/system clock
set time-zone-name=Asia/Krasnoyarsk
/system identity
set name=CHR

If i am enable dhcp client on bridge remote on AP it not works. DHCP client on bridge on CHR work
Sorry for bad English.

idlemind · February 9, 2019, 5:19pm

Use EoIP to bridge layer 2 cleanly between both locations. If the EoIP by hostname wrapped in IPSEC proves unreliable I’ve used L2TP in a road warrior fashion and ran EoIP inside of the L2TP. If you wrap the L2TP in IPSEC then just plain EoIP is fine underneath.

Alternatively you can use BCP to do the bridging as part of PPP in L2TP but I’m guessing that’s giving you problems if you’re here already.

un7known · February 11, 2019, 3:55am

I tried using eoip + l2tp before using bcp. This did not solve my problem. Using wireshark and tcpdump on the dhcp server, I see that requests appear in bridge-local, but I don’t have these requests in tcpdump on dhcp. as if the broadcast traffic does not pass from bridge to ether2

mistry7 · February 11, 2019, 6:18am

https://wiki.mikrotik.com/wiki/Manual:BCP_bridging_(PPP_tunnel_bridging)

Put the WiFi Interface in the Bridge and you got what you want

un7known · February 11, 2019, 7:04am

/interface bridge port
add bridge=bridge-remote interface=wlan1

idlemind · February 11, 2019, 6:15pm

That works if everything is in the same place. I assumed we had 2 separate Internet connections in play. Is this not the case?

CZFan · February 11, 2019, 9:14pm

You need to remove WLAn from bridge and add L2TP interface to bridge on L2TP client side, i.e. on your AP, the server side should be done dynamically of configured correctly.
You DHCP client should also be bound to L2TP client interface

un7known · February 12, 2019, 4:50am

i need wifi clients to get ip from dhcp server from ether2

un7known · February 12, 2019, 4:51am

AP and CHR work through the Internet of different providers

vecernik87 · February 12, 2019, 6:34am

This is very long-shot guess but based on the comment in config, I understand your Ether2 might have something to do with VLAN .. can you confirm/deny whether Ether2 receives (and passes to the bridge) tagged frames? If there are VLAN tags involved, where do you add/strip tags?
I think that might change the situation a lot: Firstly, AP is not configured for VLANs, secondly, I recently identified situation, when CHR does not bridge VLAN tagged frames correctly and despite internal packet sniffer saying it see the packet, it does not actually pass from bridge into virtual ethernet adapter. This might be similar case…

un7known · February 12, 2019, 7:17am

This is very long-shot guess but based on the comment in config, I understand your Ether2 might have something to do with VLAN .. can you confirm/deny whether Ether2 receives (and passes to the bridge) tagged frames? If there are VLAN tags involved, where do you add/strip tags?
I think that might change the situation a lot: Firstly, AP is not configured for VLANs, secondly, I recently identified situation, when CHR does not bridge VLAN tagged frames correctly and despite internal packet sniffer saying it see the packet, it does not actually pass from bridge into virtual ethernet adapter. This might be similar case…

vlan are not used in my situation

CZFan · February 12, 2019, 4:42pm

Ok, then ignore DHCP client on L2TP interface, add ether2 and L2TP client in the bridge, and to manage the device, add IP or DHCP client on the bridge

un7known · February 27, 2019, 5:41am

the problem was solved by turning on mac address spoofing on hyperv