L2TP NAT LAN

Hi all, let`s try to explain my problem.
Task:
There is 2 computers, one runs program as a server, other connects to the program as a client to show some data. Client computer sometimes is away but still wants to see data, but also we want to stay safe. For communication between client and server program use ports 1433 and 9933. In LAN everything forks perfect.

What is done:
We are using wAP R-nD LTE router. Made LAN network 192.168.1.0/24 and VPN L2TP over IPsec with network 192.168.5.0/24. Also attaching my config.

# RouterOS 6.42.4
# software id = AJN5-630Y
#
# model = RouterBOARD wAP R-2nD
/interface bridge
add admin-mac=CC:2D:E0:CA:8B:F8 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full mac-address=CC:2D:E0:CA:8B:F8
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
add apn=static1.lmt.lv authentication=chap default-route-distance=1 name=apn1 \
    user=omni
/interface lte
set [ find ] apn-profiles=apn1 mac-address=AC:FF:FF:00:00:00 name=lte1
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=none
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
add name=vpn-pool ranges=192.168.5.10-192.168.5.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8 local-address=192.168.1.55 remote-address=\
    vpn-pool
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=*2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether1 network=\
    192.168.1.0
add address=192.168.5.0/24 disabled=yes interface=lte1 network=192.168.5.0
/ip dhcp-server lease
add address=192.168.1.145 client-id=1:70:4d:7b:6b:79:75 mac-address=\
    70:4D:7B:6B:79:75 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall filter
add action=accept chain=forward dst-address=192.168.1.145 dst-port=5353 \
    protocol=tcp src-address=192.168.5.0/24
add action=accept chain=forward dst-address=192.168.1.145 dst-port=5353 \
    protocol=udp src-address=192.168.5.0/24
add action=accept chain=forward dst-address=192.168.1.145 dst-port=1434 \
    protocol=udp src-address=192.168.5.0/24
add action=accept chain=forward dst-address=192.168.1.145 dst-port=1433 \
    protocol=tcp src-address=192.168.5.0/24
add action=accept chain=forward dst-address=192.168.1.145 dst-port=28080 \
    protocol=tcp src-address=192.168.5.0/24
add action=accept chain=forward dst-address=192.168.1.145 dst-port=9945 \
    protocol=tcp src-address=192.168.5.0/24
add action=accept chain=forward dst-address=192.168.5.0/24 dst-port=9933 log=\
    yes protocol=tcp src-address=192.168.1.145
add action=accept chain=forward dst-address=192.168.5.0/24 dst-port=1433 log=\
    yes protocol=tcp src-address=192.168.1.145
add action=accept chain=forward dst-address=192.168.5.0/24 dst-port=28080 \
    log=yes protocol=tcp src-address=192.168.1.145
add action=accept chain=forward dst-address=192.168.5.0/24 dst-port=9945 log=\
    yes protocol=tcp src-address=192.168.1.145
add action=accept chain=input in-interface=lte1 protocol=ipsec-esp
add action=accept chain=input dst-port=1701,4500,500 in-interface=lte1 \
    protocol=udp
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=no-mark \
    passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes out-interface=all-ethernet
add action=src-nat chain=srcnat disabled=yes out-interface=ether1 protocol=\
    tcp src-address=192.168.5.0/24 to-addresses=192.168.1.145
add action=dst-nat chain=srcnat disabled=yes dst-address=192.168.1.145 log=\
    yes protocol=tcp to-addresses=192.168.5.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=1433 in-interface=lte1 \
    protocol=tcp to-addresses=192.168.1.145 to-ports=1433
/ip route
add distance=1 gateway=192.168.1.1
add distance=1 dst-address=192.168.1.0/32 gateway=*F00010
add disabled=yes distance=1 dst-address=192.168.5.0/24 gateway=192.168.1.1
add disabled=yes distance=1 dst-address=192.168.168.0/24 gateway=\
    192.168.168.250
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ppp secret
add name=vpn profile=default-encryption service=l2tp
/system clock
set time-zone-name=Europe/Riga
/system identity
set name=MikroTikLTE
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-ip-address=192.168.5.251/32

Problem:
Client and server computers cant communicate properly by the program. I can ping the server computer, I can access the network printers, can even print, but the program refuses to work properly. I have made some rules in firewall, and see the traffic going. I think that it`s the problem with my NAT setting, but never understood the NAT thing properly, so maybe you guys can help me to solve this thing.

Hello,

The kind of NAT most used is to Access Internet from internal computer (For example), I Will try to explain you why is it:
Supose the following:
-A machine in your network is trying to access to www.facebook.com
-The machine got the IP address of www.facebook.com from its DNS servers or cache, supouse it is 100.100.100.100
-The machine has 192.168.0.100 as IP
-The machine send an IP packet which has 192.168.0.100 as source address and 100.100.100.100 as destination address
-Because 100.100.100.100 is not in the same network, the machine will send the packet to its default Gateway (I supouse it is the mikrotik router)
-The packet reach Facebook.com
-When Facebook try to reply, it will send a packet using as destination address, what was source address in the previous packet, in this case 192.168.0.100

The reply will never get your machine because Facebook does not know how to reach any internal IP
So, you need to NAT, you need to the router to change source address for all outgoing connection to use the public IP
As I can see, you have just 1 nat rule enabled, which is for local devices can acccess to Internet (I think)
If the connections using those ports you said, are generated from outside using the public IP, you will need to create another nat rule (dst-nat in this case) to send all package received on those ports to the server

So, the problem is when the clients connects from outside with L2TP?
The clients are using private or public IP to access the server?

In “/ip firewall connection” add the “reply src address” and “reply dst address” columns and filter to only see when “Dst. Address/Port” is 1433 or 9933
Copy here the result, changing IP addresses with generic ones

Regards

Hello,

The kind of NAT most used is to Access Internet from internal computer (For example), I Will try to explain you why is it:
Supose the following:
-A machine in your network is trying to access to > www.facebook.com
-The machine got the IP address of > www.facebook.com > from its DNS servers or cache, supouse it is 100.100.100.100
-The machine has 192.168.0.100 as IP
-The machine send an IP packet which has 192.168.0.100 as source address and 100.100.100.100 as destination address
-Because 100.100.100.100 is not in the same network, the machine will send the packet to its default Gateway (I supouse it is the mikrotik router)
-The packet reach Facebook.com
-When Facebook try to reply, it will send a packet using as destination address, what was source address in the previous packet, in this case 192.168.0.100

The reply will never get your machine because Facebook does not know how to reach any internal IP
So, you need to NAT, you need to the router to change source address for all outgoing connection to use the public IP

That`s very nice explanation! Thank you!

As I can see, you have just 1 nat rule enabled, which is for local devices can acccess to Internet (I think)
If the connections using those ports you said, are generated from outside using the public IP, you will need to create another nat rule (dst-nat in this case) to send all package received on those ports to the server

So, the problem is when the clients connects from outside with L2TP?
The clients are using private or public IP to access the server?

Yes, the problem is when the clients connects from outside with L2TP.
Clients uses private IP to access the server. 192.168.5.0/24 connects to 192.168.1.145.

In “/ip firewall connection” add the “reply src address” and “reply dst address” columns and filter to only see when “Dst. Address/Port” is 1433 or 9933
Copy here the result, changing IP addresses with generic ones

Attaching the foto.
If I try to switch “reply src address” with “reply dst address” otherwise than in photo, no data appears.

You are wellcome!
I wanted to see if “Reply src. Address” is the same than “Destination address” and “Reply dst. Address” is the same than “Source Address”
You can add these columns, with a right click on any ítem on the list → Show columns → Reply dst. Address
As I think, the router should not nat these connections, so I think the issue is other.
These connections appear like established, dont seems to has any problem.
Hmmmmm, not sure
Is it possible that the server try to open a new connection with the client and this new connection are not accepted on filter rules?
Is it possible to acept temporarily all connection to those ports for test purpose?

Maybe someone with more knowledge than me is required here

What do you mean “accept all connections”, like not only tcp but also udp?

Sorry,

I just see the filter rules.
It seems you have allowed for “192.168.1.145 → 192.168.5.0/24” ports 1433 and 993
But for “192.168.5.0/24 → 192.168.1.145” you dont have allowed the port 993
As I can see in the photo, there are connections on with the port 993, with 192.168.1.145 as dst-address
Did you try to add the following?

/ip firewall filter
add action=accept chain=forward dst-address=192.168.1.145 dst-port=9933 protocol=tcp src-address=192.168.5.0/24

Move the rule close to the one for 1433 port.
Are you sure the program just use these 2 ports with tcp protocol?

Regards

Hello, I have already did it Here is the SS, but it doesn`t work anyways.

Hello,

I think maybe you speak in spanish, because the word “foto” is in spanish, I do
I have not so much knowledge about l2tp, but this does not seems to me an issue related to l2tp, because ping and other staff worked as you said.
When the client are in the same network, the connection with the server should not through the router, so I still want to check if it is related to filter rules:
You have 1 interface for l2tp, right?
Could you temporarily accept all traffic on l2tp interface for test purpose? (both ways, in and out)
Just créate the rule, test and delete the rule

Regards

Just contacted the software support, and they said that program wont support such thing like client and server communication in different subnets. So thank you very much!

Ok, just another question, is it possible somehow set up VPN, that its network would be in same subnet? Or maybe, I could trick the system communication with NAT? When I set up the VPN, I have to write remote and local addresses, so maybe its possible to make the system to think that I`m in same LAN?

Anyone? If I make the VPN client computer appear in the same network 192.168.1.0/24 it wont let me ping the 192.168.1.0/24 devices
EDIT: Ok, I have made it work in internal ip with NAT rule to masquarade,
Chain: srcnat
Src. Address: 192.168.1.0/24
Dst. Address: !192.168.1.254
Action: masquerade
But program still not working properly, I can ping now lan devices, access cameras NVR web GUI, etc, but program is not working… Any ideas?

Guys, any ideas? There is no Mikrotik geeks with muscular brains?

Use proxy-arp instead of NAT.

The VPN connection is still not really on the same network even though it is part of the same subnet, you might have to use L2 VPN such as OpenVPN TAP or EoIP.