L2TP LAN access problem

Hi!

I have two Mikrotik routers, connected via L2TP with IPSec (1st is RouterOS CHR as server with public IP, 2nd is hAP ac2 as client).
The problem is that routers see each other, tunnel is working, but I can’t get access to any device in the client’s subnet.


L2TP server config:

/interface bridge
add arp=proxy-arp disabled=yes name=bridge1
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
/interface l2tp-server
add name=l2tp-in-iphone-se user=iphone_se
add name=l2tp-in-macbook user=macbook
add name=l2tp-in-mikrotik user=mikrotik
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ppp profile
add change-tcp-mss=yes name=vpn only-one=no use-compression=yes use-encryption=yes use-mpls=no
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set default-profile=vpn enabled=yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add list=LAN
/ip address
add address=192.168.87.1/24 interface=ether1 network=192.168.87.0
/ip dhcp-client
add !dhcp-options disabled=no interface=ether1
/ip firewall filter
add action=accept chain=input dst-port=1701,500,4500 protocol=udp src-port=""
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-ah
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 dst-address=192.168.88.0/24 gateway=10.50.0.11 pref-src=10.50.0.10
/ppp secret
add local-address=10.50.0.10 name=macbook profile=vpn remote-address=10.50.0.12 service=l2tp
add local-address=10.50.0.10 name=iphone_se profile=vpn remote-address=10.50.0.13 service=l2tp
add local-address=10.50.0.10 name=mikrotik profile=vpn remote-address=10.50.0.11 service=l2tp
/system identity
set name=somenetname


L2TP client config:

/interface bridge
add admin-mac=B8:69:F4:80:1B:9A arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
/interface l2tp-client
add allow-fast-path=yes connect-to=serverPublicIP disabled=no name=l2tp-aws use-ipsec=yes user=mikrotik
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=WAN
add action=accept chain=input disabled=yes protocol=icmp
add action=accept chain=input connection-state=established disabled=yes
add action=accept chain=input connection-state=related disabled=yes
add action=drop chain=input disabled=yes in-interface-list=!LAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=l2tp-aws
/ip route
add distance=1 dst-address=192.168.87.0/24 gateway=10.50.0.10 pref-src=10.50.0.11


I can ping any device in the client subnet from L2TP server. From client terminal I can only ping 10.50.0.10 (L2TP server) and self.
From laptop I get no ping from 10.50.0.11 (client router).
I’ve switched off firewall on the client side, nothing seems to change.
Please help me!

What’s the “laptop”? The macbook connected as another L2TP client? If so, it’s no wonder that the Mikrotik client and devices behind it don’t respond to pings from that laptop, because there is no route via l2tp-aws or via 10.50.0.10 to the laptop’s IP address (10.50.0.12) at the Mikrotik client, nor is there a masquerade rule for out-interface=l2tp-in-mikrotik at the server.


Switching firewall off is always a bad idea, because the filth from the network is incredibly fast in squatting in.
Worse than that, there is effectively no firewall at the server (unless you have one provided externally by AWS). The firewall chains on Mikrotik accept all packets which haven’t matched any rule, so what is not accepted by any of the three existing rules in /ip firewall filter chain=input is accepted anyway.

So both your devices may be already infected with malware. Unless you use an AWS firewall, and if you haven’t licensed the CHR yet, I’d recommend you wipe it and create a new one from scratch, and not connect it to the internet until you copy-paste the default firewall filter for chain input rules from the hAP ac² to it:
chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"

(On a CHR, the rule in gray would only be necessary if you used the user manager package.)

Then you may copy-paste the rest of the configuration, including the permissive rules for L2TP/IPsec (these have to be placed just before the only action=drop one). One way to allow management access to the CHR from the L2TP client(s) is to add the client’s interfaces as /interface list member item(s) for list=LAN.

At the hAP ac² end, a netinstall is the only way to be sure that any eventual malware is wiped.
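As an added illustration of the point above that a RouterOS chain accepts whatever reaches its end without matching a rule (this is not code from the thread or from MikroTik): a small Python audit over an exported /ip firewall filter section. It reports chains with no catch-all drop, treats disabled=yes rules as absent (the state of the hAP ac² firewall as posted), joins "\" line continuations, and lists rules placed after the catch-all drop, which only see traffic that drop exempts. The two sample exports are constructed from the rules quoted in this thread.

```python
"""Audit an exported RouterOS '/ip firewall filter' section for open chains.
RouterOS accepts a packet that reaches the end of a chain unmatched, so a
chain whose active rules contain no catch-all drop is wide open."""
import re

TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S+)')
# Keys a drop rule may carry and still act as the chain's catch-all (an
# in-interface-list=!LAN condition only exempts LAN-sourced traffic).
CATCH_ALL_KEYS = {"action", "chain", "comment", "disabled", "log",
                  "log-prefix", "in-interface", "in-interface-list"}

# Constructed samples: the CHR input rules as posted (plus one disabled forward
# rule with a line continuation), and a hardened input chain with the default
# drop in place but an ssh accept placed after it.
OPEN_INPUT = """\
/ip firewall filter
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-ah
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes \\
    in-interface-list=WAN
"""
HARDENED_INPUT = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="ssh" dst-port=22 protocol=tcp
"""

def parse_filter_rules(export):
    """Return one {key: value} dict per 'add' line; quotes stripped, continuations joined."""
    joined = re.sub(r"\\\n\s*", " ", export)
    return [dict((k, v.strip('"')) for k, v in TOKEN.findall(line.strip()))
            for line in joined.splitlines() if line.strip().startswith("add ")]

def audit_chain(rules, chain):
    """Count active rules, flag the chain as open if it has no catch-all drop, and
    list rules after that drop (reachable only for traffic the drop exempts)."""
    active = [r for r in rules if r.get("chain") == chain and r.get("disabled") != "yes"]
    catch_all = next((i for i, r in enumerate(active)
                      if r.get("action") == "drop" and set(r) <= CATCH_ALL_KEYS), None)
    shadowed = [] if catch_all is None else [r.get("comment", r["action"]) for r in active[catch_all + 1:]]
    return {"active": len(active), "open": catch_all is None, "after_catch_all": shadowed}
```

Run against a real `/ip firewall filter export` to see which chains end open; a non-empty `after_catch_all` for the input chain is the pattern that makes management over the VPN fail until the tunnel interface is added to list LAN.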

To add to @sindy’s comments, strange @anav has not jumped onto this yet :) but you should change the below to your bridge interface

/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0

Hello everybody!

Thanks for your time. It seems I’ve solved my problem, here is the solution:

L2TP server:

/interface bridge
add arp=proxy-arp disabled=yes name=bridge1
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
/interface l2tp-server
add name=l2tp-in-iphone-se user=iphone_se
add name=l2tp-in-macbook user=macbook
add name=l2tp-in-mikrotik user=mikrotik
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ppp profile
add change-tcp-mss=yes name=vpn only-one=no use-compression=yes use-encryption=yes use-mpls=no
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set default-profile=vpn enabled=yes keepalive-timeout=60 max-mru=1300 max-mtu=1300 use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add list=LAN
/ip address
add address=192.168.87.1/24 interface=ether1 network=192.168.87.0
/ip dhcp-client
add !dhcp-options disabled=no interface=ether1
/ip firewall filter
add action=accept chain=input dst-port=1701,500,4500 protocol=udp src-port=""
add action=accept chain=input in-interface-list=all protocol=ipsec-esp
add action=accept chain=input in-interface-list=all protocol=ipsec-ah
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=192.168.87.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat out-interface=all-ppp
add action=accept chain=dstnat disabled=yes in-interface=l2tp-in-iphone-se
add action=accept chain=dstnat disabled=yes in-interface=l2tp-in-mikrotik
/ip route
add distance=1 dst-address=192.168.88.0/24 gateway=10.50.0.11 pref-src=10.50.0.10
/ppp secret
add local-address=10.50.0.10 name=macbook profile=vpn remote-address=10.50.0.12 service=l2tp
add local-address=10.50.0.10 name=iphone_se profile=vpn remote-address=10.50.0.13 service=l2tp
add local-address=10.50.0.10 name=mikrotik profile=vpn remote-address=10.50.0.11 service=l2tp

L2TP client:

/interface bridge
add admin-mac=B8:69:F4:80:1B:9A arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface l2tp-client
add connect-to=aws_elastic_ip disabled=no keepalive-timeout=300 name=l2tp-aws use-ipsec=yes user=mikrotik
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes \
    in-interface-list=WAN
add action=accept chain=input disabled=yes protocol=icmp
add action=accept chain=input connection-state=established disabled=yes
add action=accept chain=input connection-state=related disabled=yes
add action=drop chain=input disabled=yes in-interface-list=!LAN
add action=accept chain=forward disabled=yes dst-port=1701,500,4500 protocol=udp
add action=accept chain=forward disabled=yes protocol=ipsec-esp
add action=accept chain=forward disabled=yes protocol=ipsec-ah
/ip firewall nat
add action=masquerade chain=srcnat out-interface=all-ppp
add action=accept chain=srcnat disabled=yes dst-address=192.168.88.0/24 src-address=192.168.87.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 dst-address=192.168.87.0/24 gateway=10.50.0.10 pref-src=10.50.0.11

VPN is working, but I’ve another question: it’s too slow and sometimes client disconnects.
I know that RouterOS CHR has some restrictions on free license (1Mbps).
But I don’t even get that speed.
I’ve decreased MTU/MRU from 1450 → 1300, but nothing changed, what are your suggestions for that?
And also the disconnections issue, I don’t know why this happens.

Whilst it is necessary to post full configurations when asking for analysis, it is better to show just the important parts of it when informing about the solution (in this case, the /ip firewall nat rules). And using [code] and [/code] tags around each configuration really helps readability of the post.


As you use IPsec encryption, I’d set use-encryption on the /ppp profile row to no. While the hAP ac² supports hardware encryption for IPsec, the MPPE (enabled by use-encryption=yes) is done in software. But the ARM CPU of the hAP ac² is powerful enough so it may not actually help.


Maybe it’s just packet loss causing both the disconnections and the low speed? Is the tunnel between the hAP ac² and the CHR disconnecting or the tunnel between the MAC and the CHR?

Also, when testing, does the MAC talk to the CHR via the hAP ac² or does it use some other internet connection?

After setting this rule:
chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"

I’m unable to ssh CHR when I’m in VPN.

Quoting myself from that same post where I’ve suggested to add the rules:

I had in mind the L2TP static interface bindings:
/interface l2tp-server
add name=l2tp-in-iphone-se user=iphone_se
add name=l2tp-in-macbook user=macbook
add name=l2tp-in-mikrotik user=mikrotik

So to allow the laptop to manage the CHR via the VPN, use /interface list member add list=LAN interface=l2tp-in-macbook

Thanks a lot, sindy!
I’m a careless reader.

What are your suggestions about firewall settings in hap ac2 (client), those were on by default:

/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes \
in-interface-list=WAN
add action=accept chain=input disabled=yes protocol=icmp
add action=accept chain=input connection-state=established disabled=yes
add action=accept chain=input connection-state=related disabled=yes
add action=drop chain=input disabled=yes in-interface-list=!LAN
add action=accept chain=forward disabled=yes dst-port=1701,500,4500 protocol=udp
add action=accept chain=forward disabled=yes protocol=ipsec-esp
add action=accept chain=forward disabled=yes protocol=ipsec-ah

At the L2TP/IPsec client side, nothing needs to be added to the default rules to allow the tunnel to establish. The default rules allow response packets for any locally initiated connections to pass through. To allow management of the device via the tunnel, the same change as at the CHR is sufficient - add l2tp-aws as a member of interface list LAN.

So just re-enable the disabled rules and add that interface list member if you need the management access via VPN.

The rules you’ve added,

action=accept chain=forward disabled=yes dst-port=1701,500,4500 protocol=udp
action=accept chain=forward disabled=yes protocol=ipsec-esp
action=accept chain=forward disabled=yes protocol=ipsec-ah

would allow IPsec traffic and bare L2TP traffic (UDP port 1701) to transit between a device in hAP ac²’s LAN and a device in the internet (accessible via WAN), as they are in chain=forward.