I have set up my RB3011 (version 6.47.7) as a VPN server based on L2TP/IPsec. The tutorials across the internet did help me a lot. Now it's basically working with one exception:
Whenever I am using my router's hostname (*.mynetname.net) on the Android mobile phone (Android 11) to connect to my network it's not working. The IP cloud service is enabled on the router. All firewall rules are set up. I extended the debug logs regarding IPsec and VPN, and in case of using the hostname instead of the public WAN IP no entries appear. If I use the public WAN IP of my home router, the connection is working.
Either the smartphone cannot resolve the hostname or my router is blocking the access somewhere else. Any ideas?
Resolving hostnames to IP addresses is a client-side thing, you can't do much with that. Just make sure that the hostname points to the correct IP address, i.e. your current public one. I assume that there's also some application for Android that can resolve hostnames, to test what the device works with.
That's right, I thought the same. But I cannot believe that Android is having issues there. Or is it by design?! I tried to find another VPN app which could do this. Up to now I did not find any…
Using the IP address is not an option as it changes every day…
It could also be the network connection it uses, although it doesn't seem very likely. Do some tests in a controlled environment: connect using wifi to a router you control and you can sniff traffic and see what's going on, whether it tries to resolve the hostname, gets a response, tries to connect to the server, everything.
I just did a ping to my VPN server hostname and Android gave me an IPv6 address as reply. I am connected to the 5G network in Germany (Telekom). That's strange…
It depends. If the router has IPv6 connectivity, then the DDNS hostname can point to an IPv6 address. I'm almost sure that it's supported, but I don't remember the exact rules for when it's set. It's possible that it may not be completely polished for all use cases. And if the client also has IPv6, it should prefer it. But I never tested if L2TP/IPsec in RouterOS supports IPv6.
Yes, that's the case, it just sees my IPv6 address as this is also reported to the MikroTik DDNS service. How can I prevent this? Any firewall rule? Well, I do not really need IPv6 so I could also disable it.
But I do not really know where to do this?
Edit: I tried an online ping tool http://ipv6now.com.au/pingme.php. This tool tells me that there is only an IPv4 address; it does not reply to IPv6. Maybe my mobile provider is blocking something?
According to this post you can set a static DNS entry on the router with only the IPv4 address and then the router will think that there's no IPv6 DDNS and will use IPv4 only. Which makes sense.
The problem is, if you use the address that the server has now, it can fail any time if they change it. The linked post says they will try not to, but who knows what can happen. It would of course be best if DDNS also added two other IPv4-only/IPv6-only hostnames, which can happen in future, but currently it's not there.
If we can rely on the fact that the IPv6 AAAA record is updated using IPv6 and the IPv4 A record is updated using IPv4, it is possible to block the router's IPv6 access to cloud2.mikrotik.com by fqdn:
/ipv6 address-list add list=mikrotik-cloud address=cloud2.mikrotik.com
/ipv6 firewall filter add chain=output dst-address-list=mikrotik-cloud protocol=udp dst-port=15252 action=drop
The connection must not be active yet, of course - if it is, it is necessary to disable the DDNS update, remove the connection from the connection tracking list, and then re-enable the DDNS update.
So now I have blocked updating the info in the IPv6 firewall and disabled / enabled the service. It seems like it's still using an IPv6 address. At least ip cloud print tells me this. Any ideas? Do I have to wait some time until the MikroTik guys clear their cache? Or do I need some other blocking…
Did you do it exactly in this order? I don't know how exactly it works; I can't get an AAAA record at all, even though the router has native IPv6, so I can't test it. But you probably should first disable DDNS, the AAAA record should disappear (A too), then block access to IPv6, and enable DDNS again.
First I disabled DDNS updating, then I added the firewall rule, then I removed all connections from the IPv6 firewall and enabled DDNS again. But ip cloud print still says active IPv6 address. The counter for the firewall rule is increasing, so it's blocking packets. What do you mean with AAAA record?
I tried it but it does not help. Ping is working. IP DNS cache print is working and the TTL goes down to 0. But when I have a look at the disabled ip cloud print output, both v4 and v6 addresses are visible.
That's strange.
I played with it on another router and it works. After you disable DDNS, wait until the records disappear from DNS. They have TTL 60, so it's just one minute. Don't believe what the router says, try if they can be resolved (you can use regular ping/ping6). When you are sure they are gone, enable DDNS again with active blocking and see if they come back.
Local windows system: ping *.sn.mynetname -4 fails
Local windows system: ping *.sn.mynetname -6 fails
Enabled DDNS
Local windows system: ping *.sn.mynetname -4 works
Local windows system: ping *.sn.mynetname -6 fails still as expected
ip cloud print nevertheless tells me there is a public IPv6 address
ping
Now I tried to connect from my mobile phone and, surprise, it was working. OK, I disconnected and connected again, not working any more. No log entries appear in the router regarding the connection attempt. What's going on there?
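The check described in the thread (does the DDNS name still carry an AAAA record, which a dual-stack phone will try first, and have both records expired after DDNS was disabled) can be scripted instead of guessed at from ping output. The script below is an added example, not code from the thread or from MikroTik; the hostname, the resolver stand-ins and the sample addresses (documentation ranges) are constructed, and the 60 second TTL is the value quoted above.

```python
"""Resolve a DDNS hostname for both A and AAAA records, show which address a
dual-stack client will try first, and poll until the records have expired
after the DDNS update was disabled (the TTL is 60 s per the thread)."""
import socket
import sys
import time
from typing import Callable, Dict, List

# Constructed sample: what socket.getaddrinfo() returns for a name that has
# both an AAAA and an A record (addresses from documentation ranges).
SAMPLE_GETADDRINFO = [
    (socket.AF_INET6, socket.SOCK_DGRAM, 17, "", ("2001:db8::1", 500, 0, 0)),
    (socket.AF_INET, socket.SOCK_DGRAM, 17, "", ("192.0.2.10", 500)),
]


def no_such_host(*args):
    """Constructed resolver stand-in for a name whose records have expired."""
    raise socket.gaierror("constructed: name not found")


def resolve_families(hostname: str,
                     resolver: Callable = socket.getaddrinfo) -> Dict[str, List[str]]:
    """Return the IPv4 (A) and IPv6 (AAAA) addresses the name resolves to.
    UDP/500 (IKE) is used as the port only because L2TP/IPsec starts there."""
    records: Dict[str, List[str]] = {"A": [], "AAAA": []}
    try:
        results = resolver(hostname, 500, 0, socket.SOCK_DGRAM)
    except socket.gaierror:
        return records
    for family, _type, _proto, _canon, sockaddr in results:
        ip = sockaddr[0]
        if family == socket.AF_INET and ip not in records["A"]:
            records["A"].append(ip)
        elif family == socket.AF_INET6 and ip not in records["AAAA"]:
            records["AAAA"].append(ip)
    return records


def client_preference(records: Dict[str, List[str]]) -> List[str]:
    """Order in which a dual-stack client tries the addresses: the RFC 6724
    default address selection prefers IPv6, which is what the phone did."""
    return records["AAAA"] + records["A"]


def diagnose(records: Dict[str, List[str]], ipv6_vpn_supported: bool = False) -> str:
    """Explain what the resolved records mean for an IPv4-only VPN server."""
    if not records["A"] and not records["AAAA"]:
        return "no records: DDNS not updated yet, expired, or wrong hostname"
    if records["AAAA"] and not ipv6_vpn_supported:
        return ("AAAA record present: a dual-stack client tries IPv6 first, "
                "but the VPN server only answers on IPv4")
    if records["AAAA"]:
        return "A and AAAA present and the server supports IPv6: ok"
    return "IPv4-only: clients will connect to " + records["A"][0]


def wait_until_gone(hostname: str, ttl_seconds: int = 60, interval: int = 5,
                    resolver: Callable = socket.getaddrinfo,
                    sleep: Callable = time.sleep) -> bool:
    """After disabling DDNS, poll until neither record resolves any more.
    Returns False if the records are still there one TTL later."""
    waited = 0
    while waited <= ttl_seconds:
        rec = resolve_families(hostname, resolver)
        if not rec["A"] and not rec["AAAA"]:
            return True
        sleep(interval)
        waited += interval
    return False


if __name__ == "__main__":
    # Usage: python ddns_check.py <your-ddns-hostname>
    name = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.invalid"
    recs = resolve_families(name)
    print("records:", recs)
    print("client tries in order:", client_preference(recs))
    print(diagnose(recs))
```

Run it from the phone's network (or any dual-stack network) right after disabling DDNS to confirm both records actually expire, then again after re-enabling DDNS with the IPv6 block in place; the AAAA list should stay empty the second time.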