L2TP/IPsec server problem

Hi.
I am not a newbie to MikroTik, but I have been stuck on this for days. I hope someone can help me with it.

I have set up a central HQ VPN server for remote management and file access. Everything seems OK, people can connect to it, but after the connection is established nothing works. Pinging returns “General failure”, the VPN server cannot be reached… nothing.
On the other hand, when I connect from my iPhone, I can access everything from the phone.

We have 3 branches. At each remote site there is a MikroTik connected to HQ through L2TP/IPsec for access to local resources. The problem is only with road warriors.
The HQ server gives 10.0.1.0/24 addresses to local clients.
It gives 10.0.3.0/24 addresses to VPN clients (branches and road warriors).

Here is the export:

# NOTE(review): RouterOS export of the HQ router. Sensitive values are not
# included (no password= on the /ppp secret entries, no secret on the
# /ip ipsec peer, no SNMP community name), so nothing below can confirm them.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    frequency=2437 frequency-mode=superchannel ht-basic-mcs="mcs-0,mcs-1,mcs-2,m\
    cs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,\
    mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23" mode=\
    ap-bridge ssid="Office - 2.4G" wireless-protocol=802.11 wmm-support=enabled \
    wps-mode=disabled
/interface bridge
# proxy-arp on the LAN bridge — presumably so PPP clients that receive a
# 10.0.1.x local-address (ppp profile 'l2tp' below) can be reached by LAN
# hosts; confirm.
add admin-mac=64:D1:54:EE:DE:8A arp=proxy-arp auto-mac=no fast-forward=no \
    igmp-snooping=yes name=bridge
/interface ethernet
# NOTE(review): proxy-arp is also enabled on ether1, the port the PPPoE client
# runs on; it is not obviously needed there — confirm it is intentional.
set [ find default-name=ether1 ] arp=proxy-arp mac-address=98:DE:D0:5C:0E:85
set [ find default-name=ether2 ] rx-flow-control=auto tx-flow-control=auto
/interface l2tp-server
# Static (named) L2TP server bindings, one per PPP secret below.
add name=aleksa user=aleksa
add name=aleksa.sn user=aleksa.sn
add name=jav.beleznik user=jav.beleznik
add name=posejdon.galerija user=posejdon.galerija
add name=posejdon.r user=posejdon.r
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless channels
add band=2ghz-b/g/n extension-channel=Ce frequency=2443 list=1 name=ch1 width=\
    20
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
    group-ciphers=tkip,aes-ccm management-protection=allowed mode=dynamic-keys \
    supplicant-identity=MikroTik unicast-ciphers=tkip,aes-ccm
/ip hotspot profile
set [ find default=yes ] hotspot-address=10.0.1.2 login-by=http-chap
/ip pool
# default-dhcp: LAN clients. pool1: 10.0.3.x, handed out by both the DHCP
# server on ether3 and ppp profile 'profile1' (see below).
add name=default-dhcp ranges=10.0.1.50-10.0.1.254
add name=pool1 ranges=10.0.3.2-10.0.3.50
/ip dhcp-server
add add-arp=yes address-pool=default-dhcp disabled=no interface=bridge \
    lease-time=1d name=dhcp
# NOTE(review): pool1 is shared between this DHCP server on ether3 and the
# remote-address pool of ppp profile 'profile1' — confirm the overlap is
# intentional.
add add-arp=yes address-pool=pool1 disabled=no interface=ether3 lease-time=\
    1d10m name=server1
/ppp profile
set *0 use-encryption=yes
# 'l2tp': local-address taken from the LAN DHCP pool, no remote-address here
# (the secrets using it set remote-address explicitly).
add change-tcp-mss=yes dns-server=1.1.1.1,1.0.0.1 local-address=default-dhcp \
    name=l2tp use-encryption=yes
# 'profile1' is the default profile of both the L2TP and PPTP servers: the
# client sees 10.0.1.1 as the far end and receives a 10.0.3.x address.
add change-tcp-mss=yes dns-server=1.1.1.1,1.0.0.1 local-address=10.0.1.1 name=\
    profile1 remote-address=pool1 use-encryption=yes
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=fiber-wan profile=\
    default-encryption user=aleksa.sn
/queue type
add kind=pcq name=pcq-down pcq-burst-time=3s pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-src-address6-mask=64
add kind=pcq name=pcq-up pcq-burst-time=3s pcq-classifier=src-address \
    pcq-dst-address6-mask=64 pcq-limit=70KiB pcq-src-address6-mask=64
set 7 pcq-burst-time=3s
set 8 pcq-burst-time=3s
/queue simple
add bucket-size=0.5/0.5 disabled=yes name=queue1 queue=pcq-up/pcq-down target=\
    10.0.1.0/24
/queue tree
add disabled=yes name=total-traffic parent=global priority=2 queue=\
    synchronous-default
add max-limit=12M name=upload packet-mark=client_upload parent=global priority=\
    4 queue=pcq-up
add max-limit=100M name=download packet-mark=client_download parent=global \
    priority=4 queue=pcq-down
/snmp community
# NOTE(review): security=authorized gives SNMPv3 authentication; as far as I
# know the configured encryption-protocol=AES only takes effect with
# security=private — confirm against the RouterOS SNMP docs if confidentiality
# is wanted. The community name itself is not shown in the export.
set [ find default=yes ] encryption-protocol=AES security=authorized
/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge disabled=yes interface=wlan1
add bridge=bridge interface=ether4
/interface bridge settings
# Bridged (LAN-to-LAN) traffic is also passed through /ip firewall.
set use-ip-firewall=yes
/ip neighbor discovery-settings
set discover-interface-list=all
/interface l2tp-server server
# L2TP is only accepted inside IPsec (use-ipsec=required) and only with
# CHAP / MS-CHAPv2.
set allow-fast-path=yes authentication=chap,mschap2 default-profile=profile1 \
    enabled=yes max-mru=1500 max-mtu=1480 use-ipsec=required
/interface list member
add interface=bridge list=LAN
add interface=fiber-wan list=WAN
add interface=ether3 list=LAN
/interface pptp-server server
# NOTE(review): the PPTP server is enabled with pap, chap and mschap1 allowed.
# PAP sends the password in clear text and MS-CHAPv1 is broken; PPTP as a
# whole is no longer considered secure. If it is still needed, limit
# authentication to mschap2; if not, disable it and remove the tcp/1723 and
# gre input accepts in /ip firewall filter below.
set authentication=pap,chap,mschap1,mschap2 default-profile=profile1 enabled=\
    yes
/interface wireless align
set receive-all=yes ssid-all=yes
/ip address
add address=10.0.1.1/24 interface=bridge network=10.0.1.0
add address=192.168.1.200 interface=ether1 network=192.168.1.0
# Disabled static public address on fiber-wan; the PPPoE client presumably
# supplies the active WAN address.
add address=212.69.31.239 disabled=yes interface=fiber-wan network=\
    185.157.44.194
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=10.0.1.10 always-broadcast=yes client-id=1:0:21:85:c7:fd:8c \
    mac-address=00:21:85:C7:FD:8C server=dhcp
add address=10.0.1.250 client-id=1:98:de:d0:3c:e:89 mac-address=\
    98:DE:D0:3C:0E:89 server=dhcp
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.0.1.1
# NOTE(review): gateway 10.0.3.1 is advertised for this network, but no
# 10.0.3.1 address appears in /ip address above — confirm.
add address=10.0.3.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.0.3.1
/ip dns
# Remote DNS requests are allowed. There is no udp/53 accept in the input
# chain and its last rule drops everything from WAN, so the resolver is only
# reachable from LAN/VPN as long as that drop rule stays last.
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=10.0.1.1 name=router.lan
add address=10.0.5.1 name=posejdon-r.lan
add address=10.0.15.1 name=p-galerija.lan
add address=10.0.10.1 name=beleznik.lan
/ip firewall address-list
add address=10.0.1.0/24 list=client_subnets
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
# NOTE(review): tcp/1723 (PPTP) is accepted on every interface — there is no
# in-interface-list=WAN restriction as on the IKE/L2TP rules below; the same
# applies to the gre rule at the end of this group.
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input dst-port=500 in-interface-list=WAN protocol=udp
add action=accept chain=input disabled=yes dst-port=161 in-interface=fiber-wan \
    protocol=udp
add action=accept chain=input dst-port=4500 in-interface-list=WAN protocol=udp
# NOTE(review): with use-ipsec=required on the L2TP server, plain udp/1701
# from WAN never needs to be accepted; matching ipsec-policy=in,ipsec here
# (as the forward rules below do) would keep unencrypted L2TP out.
add action=accept chain=input dst-port=1701 in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input protocol=gre
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# fasttrack is disabled; fasttracked connections would bypass the mangle
# packet marks and queue tree above.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Final input rule: everything from WAN not accepted above is dropped and
# logged with prefix "fw drop". Rule order matters; keep this one last.
add action=drop chain=input comment="drop all coming from WAN" \
    in-interface-list=WAN log=yes log-prefix="fw drop"
/ip firewall mangle
add action=mark-packet chain=forward new-packet-mark=client_upload \
    out-interface=fiber-wan passthrough=yes src-address-list=client_subnets
add action=mark-packet chain=forward dst-address-list=client_subnets \
    in-interface=fiber-wan new-packet-mark=client_download passthrough=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
# VPN client traffic (10.0.3.0/24) is accepted here so it is not masqueraded
# by the rule below; this must stay before the masquerade rule.
add action=accept chain=srcnat src-address=10.0.3.0/24
add action=accept chain=srcnat disabled=yes dst-address=0.0.0.0/0 ipsec-policy=\
    out,none src-address=10.0.3.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=\
    fiber-wan
/ip ipsec peer
# NOTE(review): road-warrior peer accepting any source. 3des is still listed
# in enc-algorithm and skip-peer-id-validation is on — drop 3des unless a
# client still needs it. The matching /ip ipsec proposal (phase-2 algorithms)
# is not shown in this export; review it as well.
add address=0.0.0.0/0 compatibility-options=skip-peer-id-validation \
    enc-algorithm=aes-256,aes-192,aes-128,3des exchange-mode=main-l2tp \
    generate-policy=port-override
/ip proxy
set max-cache-size=none
/ip route
add distance=1 dst-address=10.0.0.0/24 gateway=bridge
# NOTE(review): 10.0.3.0/24 is routed via the bridge, yet VPN clients receive
# 10.0.3.x from pool1 over their PPP interfaces. As far as I can tell the
# per-client connected routes are more specific and win, but this /24 catches
# any 10.0.3.x that is not currently connected — confirm it is intended.
add distance=1 dst-address=10.0.3.0/24 gateway=bridge
add distance=2 dst-address=10.0.5.0/24 gateway=10.0.1.21
# Branch subnets via the fixed remote-address of each branch's PPP secret.
add distance=2 dst-address=10.0.10.0/24 gateway=10.0.3.101
add distance=2 dst-address=10.0.15.0/24 gateway=10.0.3.115
add distance=2 dst-address=10.0.16.0/24 gateway=posejdon.galerija
add distance=2 dst-address=192.168.2.0/24 gateway=posejdon.galerija
/ip service
set ftp disabled=yes
/ip upnp
# NOTE(review): UPnP is enabled but only an internal interface is listed (no
# type=external), so it presumably cannot create WAN port mappings as
# configured. If UPnP is not needed, disable it to remove the attack surface.
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
/ppp secret
# Passwords are not included in the export. Entries with a fixed
# remote-address and routes= are presumably the branch routers; 'aleksa' has
# neither and therefore gets profile1 / pool1 as a road warrior.
add name=aleksa.sn profile=l2tp remote-address=10.0.3.99 routes=\
    "10.0.0.0/16 10.0.3.0/24 10.0.5.0/24 10.0.10.0/24"
add name=aleksa profile=profile1
add local-address=10.0.1.1 name=jav.beleznik profile=default-encryption \
    remote-address=10.0.3.101
add local-address=10.0.1.20 name=posejdon.r profile=default-encryption \
    remote-address=10.0.3.102
add name=posejdon.galerija profile=l2tp remote-address=10.0.3.115 routes=\
    "10.0.0.0/16 10.0.3.0/24 10.0.5.0/24 10.0.10.0/24 10.0.15.0/24"
/snmp
# SNMP is enabled; the udp/161 WAN accept in the filter is disabled, so it is
# reachable from LAN/VPN only.
set contact=public enabled=yes trap-generators=start-trap trap-interfaces=all \
    trap-target=0.0.0.0 trap-version=3
/system clock
set time-zone-name=Europe/Belgrade
/system identity
set name="hAP Aleksa"
/system leds
add interface=fiber-wan leds=user-led type=interface-activity
/system ntp client
set enabled=yes primary-ntp=94.127.6.166
/system routerboard settings
set auto-upgrade=yes cpu-frequency=750MHz silent-boot=no
/system script
# NOTE(review): this script only runs 'tool wol', yet its policy list grants
# ftp, reboot, write, policy, password, sniff, sensitive and romon. Trim it to
# the minimum set that still lets the command run (least privilege).
add name=wol owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
    "tool wol interface=ether2 mac=00:21:85:C7:FD:8C"
/system watchdog
set watchdog-timer=no
/tool bandwidth-server
# bandwidth-server is off; MAC telnet/winbox are limited to the LAN list.
set authenticate=no enabled=no max-sessions=1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN