[admin@router.dh] > export
# oct/14/2016 17:17:28 by RouterOS 6.37.1
#
# RouterOS 6.37.1 configuration export (terminal capture). Each "/path" line
# selects a menu and the add/set lines below it act on that menu; a line
# ending in "\" continues on the next line. Firewall rules are evaluated
# top-down within each chain, so the order of the /ip firewall filter
# entries is significant.
# NOTE(review): this export contains cleartext credentials (PPPoE user and
# password, the L2TP ppp secret and the IPsec pre-shared key). RouterOS's
# "/export hide-sensitive" omits them when a configuration is shared.
/interface l2tp-server
# Static L2TP server binding for the account defined under /ppp secret below.
add name=l2tp-in1 user=user1
/interface bridge
add name=bridge_lan
/interface ethernet
# Two switch-chip port groups: ether2..ether5 behind sw1-eth2-master and
# ether6..ether10 behind sw2-eth6-master (master-port grouping; later
# RouterOS releases replaced this with bridge hardware offload). ether1 is
# not touched here; it is the WAN port used by the PPPoE client below.
set [ find default-name=ether2 ] name=sw1-eth2-master
set [ find default-name=ether3 ] master-port=sw1-eth2-master name=sw1-eth3
set [ find default-name=ether4 ] master-port=sw1-eth2-master name=sw1-eth4
set [ find default-name=ether5 ] master-port=sw1-eth2-master name=sw1-eth5
set [ find default-name=ether6 ] name=sw2-eth6-master
set [ find default-name=ether7 ] master-port=sw2-eth6-master name=sw2-eth7
set [ find default-name=ether8 ] master-port=sw2-eth6-master name=sw2-eth8
set [ find default-name=ether9 ] master-port=sw2-eth6-master name=sw2-eth9
set [ find default-name=ether10 ] master-port=sw2-eth6-master name=sw2-eth10
/interface pppoe-client
# WAN uplink. add-default-route=yes installs the default route through the
# PPPoE session. allow=pap,chap,mschap2 also permits PAP, i.e. the password
# may be sent unhashed over the PPPoE link if the ISP negotiates it. The
# "123"/"123" credentials are exported in cleartext -- presumably
# ISP-assigned placeholders; confirm.
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=ether1 name=Eolo_eth1 password=123 user=123
/ip pool
# DHCP clients get .100-.200; L2TP clients get .201-.250 from the same /24.
# The two ranges do not overlap.
add name=dhcp_pool1 ranges=192.168.0.100-192.168.0.200
add name=L2TP-Pool ranges=192.168.0.201-192.168.0.250
/ip dhcp-server
# DHCP on the LAN bridge; lease-time is 1 day 12 h 10 min.
add address-pool=dhcp_pool1 disabled=no interface=bridge_lan lease-time=1d12h10m name=192.168.0.0_dhcp-server
/ppp profile
# The built-in default profile (*0) has PPP encryption disabled. The PPPoE
# client above names no profile and so presumably uses this one -- confirm.
# The L2TP profile requires encryption and attaches each PPP interface to
# bridge_lan, so VPN clients land on the LAN segment with the router's LAN
# address as gateway and DNS.
set *0 use-encryption=no
add bridge=bridge_lan dns-server=192.168.0.1 local-address=192.168.0.1 name=L2TP remote-address=L2TP-Pool use-encryption=yes
/interface bridge port
# Only the two master ports are bridge members; the slave ports reach the
# bridge through their master.
add bridge=bridge_lan interface=sw1-eth2-master
add bridge=bridge_lan interface=sw2-eth6-master
/interface l2tp-server server
# L2TP with IPsec and a pre-shared key. ipsec-secret=123 is a weak PSK and
# is exported in cleartext; a long random secret is the usual mitigation.
# NOTE(review): in RouterOS, use-ipsec=yes still admits plain (non-IPsec)
# L2TP sessions, while use-ipsec=required rejects them -- confirm which is
# intended for this 6.37 deployment. MTU/MRU 1500, MRRU 1600 (multilink).
set default-profile=L2TP enabled=yes ipsec-secret=123 max-mru=1500 max-mtu=1500 mrru=1600 use-ipsec=yes
/ip address
# Router's LAN address; also the DHCP gateway and DNS below.
add address=192.168.0.1/24 interface=bridge_lan network=192.168.0.0
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
# The router acts as a DNS forwarder. allow-remote-requests=yes answers
# queries on every interface; exposure toward the WAN is limited only by the
# final "drop" in the input chain below (no input rule accepts port 53 from
# the PPPoE interface, so remote queries fall through to that drop).
set allow-remote-requests=yes servers=8.8.8.8,81.91.162.5,8.8.4.4,208.67.222.222
/ip firewall filter
# --- input chain, rate-abuse detection.
# connection-limit=30,32: more than 30 concurrent TCP connections from one
# /32 source adds that source to Syn_Flooder for 30 min; the next rule
# drops listed sources.
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=\
30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
# Port-scan detection (psd=weight-threshold,delay,low-port-weight,
# high-port-weight per the RouterOS docs -- confirm); listed sources are
# dropped for one week.
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
# "bogons" and "spammers" are referenced here but no
# /ip firewall address-list section appears in this export. Unless those
# lists are populated elsewhere (e.g. by a script), these two rules match
# nothing -- confirm.
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
# --- DDoS detection. Every new forward connection jumps to detect-ddos.
# Pairs under 32 new connections per 10 s return; above that the
# destination is listed as "ddosed" and the source as "ddoser" for 10 min,
# and new connections matching both lists are dropped.
add action=jump chain=forward comment="DDoS detection" connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos
add action=drop chain=forward comment="DDoS detection" connection-state=new dst-address-list=ddosed src-address-list=ddoser
# Disabled: ICMP to the router itself is therefore only accepted from the
# LAN (via the bridge_lan rule below) and is dropped from the WAN.
add action=accept chain=input disabled=yes protocol=icmp
# LAN hosts may ping addresses outside the LAN.
add action=accept chain=forward comment=PING dst-address=!192.168.0.0/24 in-interface=bridge_lan protocol=icmp
# Stateful accepts. The "accept all from bridge_lan" rule trusts every LAN
# host -- and, since the L2TP profile attaches VPN interfaces to
# bridge_lan, presumably every VPN client too -- for all router services.
# Confirm that is intended; restricting it to the needed services (DHCP,
# DNS, management) is the least-privilege form.
add action=accept chain=input comment="Accept established and related packets" connection-state=established,related
add action=accept chain=input comment="Accept all connections from local network" in-interface=bridge_lan
add action=accept chain=forward comment="Forward all established and related packets" connection-state=established,related
# --- outbound from LAN is allow-listed by destination port (TCP, then UDP).
# The port lists also contain entries not named in the comments (tcp 389,
# 8081, 53; udp 389, 53, 1194).
add action=accept chain=forward comment=\
"Forward various ports 995 (POP3), 465, 25,587 SMTP, 8443 nperf.com,8000 OE3, 8080,110,5060 speedtest-pingtest, 5938 teamviewer" dst-address=\
!192.168.0.0/24 dst-port=80,443,995,465,25,587,8443,389,8000,8081,53,8080,110,5060,5938 in-interface=bridge_lan protocol=tcp
add action=accept chain=forward comment="Forward various ports 123 (ntp), 3544,3074 Microsoft, 15252 mikrotik" dst-address=!192.168.0.0/24 dst-port=\
123,3544,3074,389,53,1194,15252 in-interface=bridge_lan protocol=udp
# Fixed UDP source ports of the torrent client; any destination port.
add action=accept chain=forward comment=Torrent dst-address=!192.168.0.0/24 in-interface=bridge_lan protocol=udp src-port=57667,38517
add action=accept chain=forward comment="Oscam Samsung TV" dst-address=!192.168.0.0/24 dst-port=6500 in-interface=bridge_lan protocol=tcp
# --- inbound from outside the LAN toward any LAN host on tcp 443 and
# 4000-4005. Only 443 and 4003 are dst-nat'ed (to .192) under
# /ip firewall nat; the accept is broader than the NAT, so trimming it to
# the NAT'ed ports would be the least-privilege form.
# NOTE(review): this wrapped line ends in "4005\" with no space before the
# backslash, and the continuation line is not indented as a native export
# would be; confirm the line re-imports as intended.
add action=accept chain=forward comment="forward my personal domain name xx.mydomain.com" dst-port=443,4000,4001,4002,4003,4004,4005\
out-interface=bridge_lan protocol=tcp src-address=!192.168.0.0/24
# LAN-to-LAN traffic through the router on the same ports plus ssh/22
# (pairs with the LAN->LAN masquerade under /ip firewall nat).
add action=accept chain=forward comment="forward my personal domain name xx.mydomain.com" dst-address=192.168.0.0/24 dst-port=443,4000,4002,4003,4004,4001,4005,22 \
in-interface=bridge_lan protocol=tcp
# --- L2TP/IPsec: IKE (500), NAT-T (4500) and L2TP (1701) are accepted from
# any source, with logging. udp/1701 is accepted without an IPsec policy
# match, so whether plain L2TP is possible depends on the use-ipsec setting
# noted above.
add action=accept chain=input comment=L2TP+IPsec dst-port=500,4500,1701 log=yes protocol=udp
# ESP accepted; no AH rule.
add action=accept chain=input protocol=ipsec-esp
# Default deny for both chains. log=yes on the catch-all drops records
# every rejected packet -- useful for review, noisy under the flood
# conditions the rules above are meant to absorb. No explicit
# connection-state=invalid drop precedes these rules.
add action=drop chain=input log=yes
add action=drop chain=forward log=yes
/ip firewall mangle
# The TTL of every packet in prerouting is incremented by 1. Purpose is
# not stated in the export -- presumably to offset a TTL decrement on the
# uplink; confirm.
add action=change-ttl chain=prerouting new-ttl=increment:1
/ip firewall nat
# Source NAT for Internet-bound traffic leaving via the PPPoE interface.
add action=masquerade chain=srcnat out-interface=Eolo_eth1
# Hairpin NAT: LAN->LAN traffic that passes through the router is
# masqueraded so the dst-nat below also works from inside the LAN.
add action=masquerade chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.0.0/24
# tcp 443 and 4003 arriving on any of the router's own addresses are
# forwarded to the NAS at .192. dst-address-type=local also matches the
# LAN address 192.168.0.1; the router's own www-ssl listens on 4001, so the
# two do not collide.
add action=dst-nat chain=dstnat comment="WebAccess DS216+II" dst-address-type=local dst-port=443,4003 protocol=tcp to-addresses=192.168.0.192
/ip service
# telnet, www and ssh are disabled. ftp stays enabled (cleartext protocol)
# but only accepts 192.168.0.200. www-ssl (4001) and api-ssl use the
# home.dh certificate. Services not listed here (winbox, api) presumably
# keep their defaults, which export does not print -- confirm they are
# address-restricted or disabled.
set telnet disabled=yes
set ftp address=192.168.0.200/32
set www disabled=yes port=4000
set ssh disabled=yes
set www-ssl certificate=home.dh disabled=no port=4001
set api-ssl certificate=home.dh
/ppp secret
# L2TP account. password=123 is weak and is exported in cleartext.
add name=user1 password=123 profile=L2TP service=l2tp
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=router.dh
[admin@router.dh] >