L2TP IPSec VPN questions

Okay, this was the case (in the quote below, but it's long), but I figured out while I was writing this post that the DNS suffix is the bad boy and I can "work around" it by giving it by hand in the advanced TCP/IPv4 settings of the VPN connection in Windows, but is there a way that the DNS suffix will be "transmitted" to the VPN subnet?


Dear MikroTik Community, [Config at the end of the post] UPDATE*

I'm here again: I'd like to ask a few things about L2TP/IPsec configuration.

So, I managed on the first try to create an L2TP/IPsec VPN connection to my MikroTik router and I was really happy, but now I don't know how to do it correctly.

Because my subnet for VPN is 10.10.10.0/24 (the pool is only 2-10), I thought I had to NAT it to my internal subnet (192.168.30.0/24). It was good: I could ping other PCs in that subnet, but only by IP address, because DNS did not work internally and I had no internet to check out any external DNS names. Then I NATted 10.10.10.0/24 to my WAN port; after that I had internet and I could ping my internal devices by PING. (I could ping google.com and 8.8.8.8 too, but not "my-local-pc".)

My question would be: is it the correct way that, when after the first setup I had no internet / no internal connection, I NATted my VPN subnet (10.10.10.0/24) to my internal LAN and the WAN?
What do I have to set up to get internal name resolution to work?
Can I assign an (internal) fixed IP to a username (VPN username)? [Because usually I would let VPN users use the internet, only RDP from there, but there is one person who should have internet but doesn't need to reach internal resources, like the server, etc.] → [and maybe I will ask next how to do that, but first I'll try a few things]

UPDATE*: I see that I put the wrong DNS server IP in the PPP profile. I changed it, but I still can't ping simply by computer name; if I do "ping -a IPADDRESS" I get the name back (not the FQDN, but the computer name [while it's an AD server])! But after that, pinging the same name is not successful, only if I choose the FQDN! How could I achieve that "reaching" by simple name works, not only by FQDN?
- My conclusion is that somehow the DNS suffix won't come over through the VPN (the DHCP and DNS server is a Windows server). Any idea how to fix that?

Thank you in advance!



My config:

/interface ethernet
set [ find default-name=ether1 ] mac-address=MYMACADDRESS name=ether1-wan
set [ find default-name=ether2 ] name=ether2-lan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=vpn_pool ranges=10.10.10.2-10.10.10.10
/ppp profile
add dns-server=192.168.30.253 local-address=10.10.10.1 name=vpn_company_profil remote-address=vpn_pool
/interface l2tp-server server
set default-profile=vpn_company_profil enabled=yes ipsec-secret=MYIPSECPW one-session-per-host=yes use-ipsec=yes
/ip address
add address=192.168.30.5/24 interface=ether2-lan network=192.168.30.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-wan
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
add address=192.168.30.0/24 comment="subnet winbox access list" list=companySupport
/ip firewall filter
add action=drop chain=input comment="dns nono from outside" dst-port=53 in-interface=ether1-wan protocol=tcp
add action=drop chain=input comment="dns nono from outside UDP" dst-port=53 in-interface=ether1-wan protocol=udp
add action=accept chain=input comment="Accept established and related packets" connection-state=established,related
add action=accept chain=input comment="ipsec protocol enabled" in-interface=ether1-wan protocol=ipsec-esp
add action=accept chain=input comment="VPN 1701 enabled" dst-port=1701 in-interface=ether1-wan protocol=udp
add action=accept chain=input comment="VPN 4500 enabled" dst-port=4500 in-interface=ether1-wan protocol=udp
add action=accept chain=input comment="VPN 500 enabled" dst-port=500 in-interface=ether1-wan protocol=udp
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" src-address-type=!unicast
add action=accept chain=forward comment="Accept established and related packets" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=ether1-wan
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=ether1-wan src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" dst-address-list=NotPublic in-interface=ether2-lan
add action=drop chain=forward comment="winbox access list" dst-port=8291 in-interface=ether2-lan protocol=tcp src-address-list=!companySupport
add action=accept chain=forward comment="Forward packets which belong to natted connection are accepted" connection-nat-state=dstnat connection-state=established,related in-interface=ether1-wan
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface=ether1-wan
add action=drop chain=input comment="drop everything"
/ip firewall nat
add action=masquerade chain=srcnat comment="192.168.30.0/24 NAT WAN" out-interface=ether1-wan src-address=192.168.30.0/24
add action=masquerade chain=srcnat comment="from VPN subnet to Internal subnet" dst-address=192.168.30.0/24 src-address=10.10.10.0/24
add action=masquerade chain=srcnat comment="internet access for VPN users" disabled=yes out-interface=ether1-wan src-address=10.10.10.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=MYUSERNAME password=MYPASSWORD profile=vpn_company_profil service=l2tp
/system clock
set time-zone-name=Europe/Budapest
/system logging
add disabled=yes topics=firewall
/system package update
set channel=bugfix
/tool bandwidth-server
set enabled=no

No. Sorry! I wish for this too.

In this thread: http://forum.mikrotik.com/t/dns-problem-for-incomming-vpn-users/36103/1
Mikrotik support says this feature is not supported.
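Since RouterOS cannot push the suffix over PPP, the client-side workaround the question describes (setting the connection-specific DNS suffix on the Windows VPN connection) is the practical fix. The script below is an added example, not from this thread or from MikroTik; it assumes the Windows VPN connection is named "Company VPN" and the AD DNS domain is corp.example, and reuses the internal DNS server 192.168.30.253 from the posted config.

```powershell
# Added example (not from the thread). Persist the internal DNS suffix on the
# Windows L2TP/IPsec client so short names such as "my-local-pc" resolve over
# the tunnel without typing the FQDN. Assumed values: connection name and suffix.
$VpnName   = 'Company VPN'     # assumed: name of the VPN connection in Windows
$DnsSuffix = 'corp.example'    # assumed: the AD domain used as DNS suffix
$InternalDns = '192.168.30.253' # from the router's /ppp profile in the thread

# 1. Persist the suffix in the RAS phonebook (what the "Advanced TCP/IPv4" dialog
#    writes), so it survives disconnect/reconnect and reboots.
$pbk = Join-Path $env:APPDATA 'Microsoft\Network\Connections\Pbk\rasphone.pbk'
$inSection = $false
$updated = Get-Content -Path $pbk | ForEach-Object {
    if ($_ -match '^\[(.*)\]$') { $inSection = ($Matches[1] -eq $VpnName) }
    if ($inSection -and $_ -match '^IpDnsSuffix=') { "IpDnsSuffix=$DnsSuffix" } else { $_ }
}
Set-Content -Path $pbk -Value $updated

# 2. If the tunnel is already up, apply the suffix to the live PPP adapter too
#    (the adapter's InterfaceAlias equals the connection name).
if (Get-DnsClient | Where-Object InterfaceAlias -eq $VpnName) {
    Set-DnsClient -InterfaceAlias $VpnName -ConnectionSpecificSuffix $DnsSuffix
    Get-DnsClient -InterfaceAlias $VpnName | Select-Object InterfaceAlias, ConnectionSpecificSuffix
}

# 3. Verify: the FQDN must resolve against the internal server, and the short
#    name must now resolve too (the resolver appends the connection suffix).
Resolve-DnsName -Name "my-local-pc.$DnsSuffix" -Server $InternalDns -Type A
Resolve-DnsName -Name 'my-local-pc' -Type A
```

Only the AD-joined DNS server behind the tunnel answers for the internal zone, so the first query confirms reachability of 192.168.30.253 through the VPN and the second confirms the suffix is actually being appended.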