help with getting wlan access from vpn client

hi all - I’ve been pretty happy with my hap ac2, but I’ve got one issue I’m struggling with. I can connect via L2TP VPN from my laptop when I am traveling, but I can only access resources on the LAN. I’d like to have internet access through the VPN, just like I was connected locally. Confusingly, it works properly when I activate the VPN connection while I am on the WLAN. I must be missing a firewall rule for the l2tp subnet (192.168.70.0/24) but I can’t figure it out. A diagram of my LAN topology is attached and here is an export of my config. What am I missing? Thanks!

# nov/19/2019 14:50:38 by RouterOS 6.45.7
# software id = W6AM-FM09
#
# model = RBD52G-5HacD2HnD
# serial number = B4A30861xxxx
# Single bridge carries every LAN port and both radios (members are listed
# under /interface bridge port below); it is the only member of the LAN list.
/interface bridge
add admin-mac=CC:2D:E0:91:xx:xx auto-mac=no comment=defconf name=bridge
# Both radios run as ap-bridge members of the bridge, so wireless and wired
# clients share the same 192.168.88.0/24 segment.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=wifi2 \
    wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=wifi5 \
    wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Only wpa2-psk is enabled, so wpa-pre-shared-key is set but never used.
# The key values in this export look like placeholders (the serial number in
# the header is masked the same way) - treat them as such.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key=sharedkey \
    wpa2-pre-shared-key=sharedkey
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# Passive peer: the router only answers inbound IKE from L2TP clients. The
# identity (PSK) and policy template further down belong to this peer.
/ip ipsec peer
add name=l2tpserver passive=yes
# AES-256 for both phases; hash and DH group are left at their defaults and
# are therefore not visible in this export.
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm
# ike2-pool (a single address) is not referenced by any profile or secret in
# this export - presumably a leftover; confirm and remove if unused.
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=ike2-pool ranges=192.168.0.77
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
# L2TP clients get 192.168.60.1 as their peer address and the router itself
# (192.168.88.1) as DNS. Those DNS queries arrive on the dynamic L2TP
# interface, which is NOT in the LAN list, so they are subject to the input
# chain's "drop all not coming from LAN" rule (see /ip firewall filter).
/ppp profile
add dns-server=192.168.88.1 local-address=192.168.60.1 name=ipsec_vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Accepts both MS-CHAPv1 and v2; if every client supports it, mschap2 alone
# is the stronger choice. The per-client interfaces this server creates are
# dynamic and belong to no interface list.
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ipsec_vpn enabled=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# The LAN address is bound to ether2, which is itself a bridge port (see
# /interface bridge port above). The usual placement is on the bridge
# interface - NOTE(review): confirm this is intentional.
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
    192.168.88.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server lease
add address=192.168.88.23 mac-address=6C:40:08:B1:20:C4 server=defconf
# Network entry is /25 while the pool hands out .10-.254 on a /24; leases
# above .127 fall outside this entry - TODO confirm they still get a gateway.
/ip dhcp-server network
add address=192.168.88.0/25 comment=defconf gateway=192.168.88.1
# Recursive DNS answers on every interface; the only thing keeping it off the
# WAN is the input-chain "drop all not coming from LAN" rule below.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
# Rules are evaluated top to bottom and neither chain ends with an explicit
# drop, so a packet that matches nothing falls through to the implicit accept.
/ip firewall filter
# Outer L2TP/IPsec transport: IKE, NAT-T, L2TP and ESP accepted from anywhere.
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Drops input from every interface outside the LAN list - that includes the
# dynamic L2TP interfaces, so the VPN-subnet accept further down never fires.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Unreachable for VPN clients: the "drop all not coming from LAN" rule above
# has already matched them. Either move this rule above that drop or add the
# L2TP interface to the LAN list. Accepting every service from
# 192.168.60.0/24 is also broader than needed - limiting it to what clients
# actually use (DNS at least) keeps the management plane off the tunnel.
add action=accept chain=input src-address=192.168.60.0/24
# No connection-mark match here, so the "ipsec" mark set in /ip firewall
# mangle does not exclude anything from fasttrack; ipsec-policy traffic is
# only spared because the two accept rules above run first.
add action=fasttrack-connection chain=forward comment=\
    "defconf: fasttrack established,related" connection-state=\
    established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Only the WAN list is blocked for unsolicited new connections; forwarded
# traffic from L2TP clients (not in WAN) is accepted by the implicit default.
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment=\
    "defconf: accept established, related,untracked" connection-state=\
    established,related,untracked
# These marks are not referenced by any filter rule in this export (see the
# fasttrack rule above), so the comments describe an exclusion that is not
# actually applied.
/ip firewall mangle
add action=mark-connection chain=forward comment=\
    "mark ipsec connections to exclude them from fasttrack" ipsec-policy=\
    out,ipsec new-connection-mark=ipsec
add action=mark-connection chain=forward comment=\
    "mark ipsec connections to exclude them from fasttrack" ipsec-policy=\
    in,ipsec new-connection-mark=ipsec
# Masquerade only traffic that has no outbound IPsec policy, so tunnel
# packets keep their source address. Decapsulated client traffic headed for
# the Internet presumably carries no policy and is NATed normally - confirm.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
# PSK identity for the passive peer; port-override generates the per-client
# policies. The secret value here looks like a placeholder.
/ip ipsec identity
add generate-policy=port-override peer=l2tpserver secret=sharedsecret
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
# Static route for the whole VPN pool via the bridge. A connected client
# normally gets a more specific route on its tunnel interface (RouterOS
# installs one for remote-address - TODO confirm), which would make this
# route redundant for connected clients while pointing the rest of the pool
# into the LAN segment.
/ip route
add distance=1 dst-address=192.168.60.0/24 gateway=bridge pref-src=\
    192.168.88.1 scope=10
# Management: plaintext telnet/ftp/www and both API ports are off, SSH on a
# non-default port, HTTPS webfig with the "webfig" certificate.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set www-ssl certificate=webfig disabled=no
set api disabled=yes
set api-ssl disabled=yes
# Single L2TP account with a fixed client address. The password looks like a
# placeholder in this export.
/ppp secret
add name=admin password="password" profile=\
    ipsec_vpn remote-address=192.168.60.2 service=l2tp
/system clock
set time-zone-name=America/Denver
/system identity
set name=hotbox
# Runs the DDNS script every minute with only read,write,test.
/system scheduler
add interval=1m name=dynu-ddns on-event="/system script run dynu-ddns\\r\\n" \
    policy=read,write,test start-time=startup
# DDNS updater. Its own policy (ftp,reboot,policy,password,sniff,sensitive,
# romon,...) is far wider than a fetch-and-log script needs; the scheduler
# above runs with read,write,test, which is the better bound - trim the
# script's policy to match and, since dont-require-permissions=no, confirm
# the scheduler's narrower policy is still allowed to start it. The update
# call uses mode=http, so the Dynu user name and password travel in clear
# text - switch to mode=https if the API supports it (TODO confirm). The
# credentials are hardcoded and stored as :global, so they persist in the
# script environment after each run.
/system script
add dont-require-permissions=no name=dynu-ddns owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_get the current IP address from the internet\
    \n/tool fetch mode=http address=\"checkip.dynu.com\" src-path=\"/\" dst-pa\
    th=\"/dynu.checkip.html\"\
    \n:local result [/file get dynu.checkip.html contents]\
    \n\
    \n# parse the current IP result\
    \n:local resultLen [:len \$result]\
    \n:local startLoc [:find \$result \": \" -1]\
    \n:set startLoc (\$startLoc + 2)\
    \n:local currentIP [:pick \$result \$startLoc \$resultLen]\
    \n:global ddnsuser mydynu\
    \n:global ddnspass dynupasswd\
    \n:global ddnshost mydynu.dynu.net\
    \n:global ipddns [:resolve \$ddnshost];\
    \n\
    \n#:global ipddns\
    \n\
    \n:if (\$ipddns != \$currentIP) do={\
    \n:log info (\"DynuDDNS: IP-Dynu = \$ipddns\")\
    \n:log info (\"DynuDDNS: IP-Fresh = \$currentIP\")\
    \n:log info \"DynuDDNS: Update IP needed, Sending UPDATE...!\"\
    \n:global str \"/nic/update\?hostname=\$ddnshost&myip=\$currentIP\"\
    \n:log info \"currentIP is \$currentIP\"\
    \n/tool fetch address=api.dynu.com src-path=\$str mode=http user=\$ddnsuse\
    r password=\$ddnspass dst-path=(\"/Dynu.\".\$ddnshost)\
    \n:delay 1\
    \n:global str [/file find name=\"Dynu.\$ddnshost\"];\
    \n/file remove \$str\
    \n:global ipddns \$currentIP\
    \n:log info (\"DynuDDNS: IP updated to \$currentIP!\")\
    \n} else={\
    \n:log info (\"DynuDDNS: No change needed\");\
    \n}"
/tool graphing interface
add
# MAC-telnet and MAC-winbox are disabled on every interface.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none


This has to do with your laptop and not with the router…
You should configure your laptop to use as default gateway your VPN connection.

Thanks for the response. I’m having trouble reconciling that thesis with the behavior I’m seeing, though. Or it could be that macOS has hidden some options from me. Screenshot attached of the laptop’s VPN settings. I’ve got the VPN client on the laptop set to manual IPv4, using the VPN address (192.168.60.2) as the ‘gateway’ (i.e. ‘Router’ in macOS-speak). (By the way, this is also how PPP automatically configures it and behaves correctly through the hap ac2’s 5 GHz WLAN.)

Have tried a few different configurations but still, I’ve got no WAN access when connecting laptop->VPN->wifi hotspot->hapAC2 vs. correct behavior when laptop->VPN->5Ghz wlan->hapAC2

So, no chance I’ve screwed up the firewall rules, NAT, or routing on the mikrotik? And of course I could be misinterpreting your guidance - to say my understanding of network engineering is limited would be a generous compliment.

To be honest, I don’t know about Mac computers.
In windows you would just enable the “Use default gateway on remote network” option inside the VPN client interface.

OK, thanks. So I’ve toggled the option in the VPN client configuration called ‘send all traffic over VPN connection’, which apparently does the same thing - setting the default gateway. With that option unchecked I do get WAN access. Trouble is, now I lose all the local access to the 192.168.88.x network. I can’t understand why this is an either/or thing; there must be a way to VPN into the LAN and get local access to resources on the 88 pool while still getting out to the WAN. I am not trying to use two simultaneous connections - rather, I’d like to send all network traffic through the VPN, whether it’s for a local resource or out to the internet.

I have not tested but it sounds normal. It just routes out all the traffic to the WAN.
In windows again, i would create additionally a route for the local network.
Am not sure if there is a better way to implement this.

I had already created a route from 192.168.60.x to 192.168.88.0/24 in order to get to the LAN from the VPN connection. Could you give an example of the command that would create the additional route you’re suggesting?

Why did you create that route? There is no need to create a route manually to the computer when you setup your VPN client.

You want an example of adding a route in windows OS ?

Apparently what I am trying to do is called ‘split tunneling’ which is not considered a best practice in corporate scenarios. However since this is my personal LAN I am comfortable with the security risks of having my personal device simultaneously enjoying full access to the LAN as well as full internet access through VPN connection. I added this route to the hap ac2 to join the 60 and 88 subnets so that the VPN client computer could access the LAN resources:
add distance=1 dst-address=192.168.60.0/24 gateway=bridge pref-src=
192.168.88.1 scope=10

I think what I’m understanding is that I need to add a route to the vpn client computer so it has visibility to the gateway for WAN access and also the whole 88 subnet for LAN resources (RDP, samba and afp shares, etc). And as it’s MacOS this would be a BSD Unix command.

OK I think I am most of the way there.

  1. I added the WAN DNS servers manually to my VPN client’s DNS table, so it seems to be using those to resolve internet addresses and my LAN gateway to resolve LAN addresses. That way I can get to my NAS and my home workstation’s RDP by IP address and still have full internet access. 2. I also added the VPN subnet range 192.168.60.0/24 to the MikroTik DHCP server->networks table, but I’m not sure whether that was necessary in addition to change #1 above.

It feels like I am still missing some NAT config or a route that will fully enable all LAN services, since AFP and Samba still aren’t working right. Those are ‘nice to have’, but it would be great if someone could make a recommendation.
Hopefully this forum thread helps someone else. I don’t feel like this is some kind of fringe use-case. There must be other people who travel with a Mac laptop and want to access their home workstation and NAS from the road and still have the security of encrypting internet traffic through IPsec.