L2TP Remote IP cannot ping from LAN IP

I have set up 2 MikroTik RB750r2 routers with an L2TP connection, with Router A as the L2TP server and Router B as the L2TP client. The L2TP server local address is 192.168.201.1 and the remote address is 192.168.201.2.
My LAN IP on Router A is 192.168.100.1 and the LAN IP on Router B is 192.168.101.1.
I can ping the L2TP interface IP address from Router A to B and vice versa, but I cannot ping from any LAN client on Router A or B.
What is the problem here?

Hello,

https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP

Search for proxy-arp. Maybe that is stopping you.

I tried enabling proxy-arp but it is not working.

Are LAN gateway and IP routes set for 192.168.100.0/24 and 192.168.101.0/24 in both directions?
The answer has to find its way back also.


In detail

  • client A has to use Router A as gateway for addresses in LAN B (or as its default gateway)
  • Router A has to know (ip route) that the subnet of LAN B (192.168.101.0/24) is at router B (192.168.201.2) as gateway
  • client B has to use Router B as gateway for the answer to address in LAN A
  • Router B has to know that subnet LAN A is at router A


    PS: this is not what one expects to set up with an L2TP tunnel. L2 means it is expected to be one subnet, LANs bridged via L2TP, no “ip routes” involved for LAN clients, all clients in the same subnet (e.g. use the LAN A subnet on both sides for the clients, and for the router Ethernet ports of that LAN A). Router A and Router B are not necessary as IP gateway for clients in the same subnet. Clients will find the other clients via ARP if they are in the same subnet. Proxy-arp can play a role then. ARP is normally not used for the scenario with different subnets A and B.

As I said, the main problem is that I cannot ping 192.168.201.2, which is the remote (Router B) L2TP interface IP, from my Router A LAN 192.168.100.0/24, but I can ping 192.168.201.1, which is the Router A L2TP interface IP address, and I can ping 192.168.201.2 from inside Router A.

This is default routing behavior, as I see it from your comments …

Router A has the networks 192.168.100.0/24 and 192.168.201.0/x directly attached to itself, so it knows the path to them.
Router A can ping all of those network devices.

Idem for Router B, with the networks 192.168.101.0/24 and the common 192.168.201.0/x network.

What is not known until added as an ip route:

  • Router A does not know where 192.168.101.0/24 is
  • Router B does not know where 192.168.100.0/24 is

Pinging 192.168.201.2 (Router B L2TP IP address) with source address 192.168.100.1 (Ethernet address of Router A) will fail. Not because the path is unknown, but because the return path (from any Router B interface) to 192.168.100.1 is unknown to Router B.


By the way, I was wrong on the L2TP tunnel being L2 (OSI layer 2) only or mainly. Even if the name suggests layer 2 in L2TP, in MT it acts as just a variant of PPTP (another one is SSTP), with the same network functionality: https://rickfreyconsulting.com/wp-content/uploads/2015/04/PPTP-L2TP-Tutorial.pdf

For a real L2 connection those tunnels use BCP (only documented in the MT wiki for PPTP: https://wiki.mikrotik.com/wiki/Manual:BCP_bridging_(PPP_tunnel_bridging) ),
but even OpenVPN can do BCP, just like PPTP, SSTP and L2TP:
https://mum.mikrotik.com/presentations/EU16/presentation_2955_1458135277.pdf

Thanks for the explanation. But you are not getting my point. You forget about the different LAN segments not pinging each other.
My PC connected to Router A has IP 192.168.100.20, and from the PC I can ping 192.168.201.1, which is the local IP address of the Router A L2TP interface, but I cannot ping 192.168.201.2 from my PC, which is the remote IP address of the Router B L2TP interface. But when I ping from the Router A terminal, I can ping 192.168.201.2.
This is really strange.

Hello.


My PC connected to Router A has IP 192.168.100.20, and from the PC I can ping 192.168.201.1, which is the local IP address of the Router A L2TP interface, but I cannot ping 192.168.201.2 from my PC, which is the remote IP address of the Router B L2TP interface. But when I ping from the Router A terminal, I can ping 192.168.201.2.
This is really strange.

As @bpwl said,

the network 201.0/30 is a directly connected network for both routers only, as is each router's own LAN.

But both of your VPN routers don't know any network beyond that, except to reply to any requests using the default gateway to the internet.

---- edit.

Do check your routers' and your PC's routing tables.

— end edit.

Hope this helps.

You forget about the different LAN segments not pinging each other.

No, I didn't. I know explaining in writing can be confusing.

Pinging 192.168.201.2 (Router B L2TP IP address) with source address 192.168.100.1 (Ethernet address of Router A) will fail. Not because the path is unknown, but because the return path (from any Router B interface) to 192.168.100.1 is unknown to Router B.

This means that even the Ethernet interface of the router itself on the other LAN is not reachable, and so the whole remote LAN is not reachable, because routing has not been defined for those LANs.

Readers don't like repetitions in this forum, but I'll do it one last time…

In detail

  • Router A has to know (ip route) that the subnet of LAN B (192.168.101.0/24) is at Router B (192.168.201.2), which is given as gateway in the “ip route add” command in Router A

  • Router B has to know that the subnet of LAN A (192.168.100.0/24) is at Router A, which is given as gateway (192.168.201.1) in the “ip route add” command in Router B


    Without these routes added…
    Router A sees its own LAN (192.168.100.0/24), and the SSTP IP addresses of itself (192.168.201.1) and of Router B (192.168.201.2). It does not see the LAN interface of Router B (192.168.101.1) nor the whole LAN of Router B (192.168.101.0/24). The same applies to every member on LAN A that uses Router A as gateway.

Router B sees its own LAN (192.168.101.0/24), and the SSTP IP addresses of itself (192.168.201.2) and of Router A (192.168.201.1). It does not see the LAN interface of Router A (192.168.100.1) nor the whole LAN of Router A (192.168.100.0/24). The same applies to every member on LAN B that uses Router B as gateway.

In the PING test the source IP is important, because the return path to it must also be found.
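Added example (editor's note, not from any post in this thread): a small Python model of the two-router topology that traces the ICMP echo request and the echo reply hop by hop with longest-prefix-match lookups, to make the point of the two explanations above concrete: the request from a LAN A host reaches 192.168.201.2 through Router A's connected route, but the reply leaves Router B via its default route until the `192.168.100.0/24 via 192.168.201.1` route exists on Router B. The model is constructed for this example: the L2TP peer address is modelled as a /32 connected route on each router (as RouterOS shows for PPP-type links), the WAN gateways are the documentation addresses 203.0.113.1 and 198.51.100.1, the device named `internet` has no route back to private space, and NAT and firewall rules are left out.

```python
"""Constructed routing model of the Router A / Router B L2TP topology from the thread.

Devices, addresses and routes below are built for this example; they are not an export
from the real routers. A route whose gateway is None is a connected route (on-link).
"""
from ipaddress import ip_address, ip_network


def device(*addrs, routes):
    """A host or router: the IPs it owns and its (prefix, gateway) routing table."""
    return {
        "addrs": {ip_address(a) for a in addrs},
        "routes": [(ip_network(p), None if g is None else ip_address(g)) for p, g in routes],
    }


def topology(route_on_a=False, route_on_b=False):
    """PC on LAN A, Router A and Router B joined by L2TP (192.168.201.1 <-> 192.168.201.2).

    route_on_a models  /ip route add dst-address=192.168.101.0/24 gateway=192.168.201.2  on Router A
    route_on_b models  /ip route add dst-address=192.168.100.0/24 gateway=192.168.201.1  on Router B
    The WAN gateways (203.0.113.1 / 198.51.100.1) are assumed documentation-range addresses.
    """
    a_routes = [("192.168.100.0/24", None), ("192.168.201.2/32", None), ("0.0.0.0/0", "203.0.113.1")]
    b_routes = [("192.168.101.0/24", None), ("192.168.201.1/32", None), ("0.0.0.0/0", "198.51.100.1")]
    if route_on_a:
        a_routes.append(("192.168.101.0/24", "192.168.201.2"))
    if route_on_b:
        b_routes.append(("192.168.100.0/24", "192.168.201.1"))
    return {
        "pc": device("192.168.100.20", routes=[("192.168.100.0/24", None), ("0.0.0.0/0", "192.168.100.1")]),
        "routerA": device("192.168.100.1", "192.168.201.1", routes=a_routes),
        "routerB": device("192.168.101.1", "192.168.201.2", routes=b_routes),
        # The "internet" sink owns both WAN gateways and has no route back to RFC 1918 space.
        "internet": device("203.0.113.1", "198.51.100.1", routes=[]),
    }


def lookup(routes, dst):
    """Longest-prefix match: the most specific route containing dst, or None."""
    matches = [r for r in routes if dst in r[0]]
    return max(matches, key=lambda r: r[0].prefixlen, default=None)


def owner(devices, ip):
    """Name of the device that owns ip, or None if nobody answers for it."""
    return next((name for name, d in devices.items() if ip in d["addrs"]), None)


def trace(devices, start, dst, max_hops=8):
    """Forward one packet toward dst starting at device `start`; return (path, status)."""
    dst = ip_address(dst)
    path = [start]
    for _ in range(max_hops):
        here = devices[path[-1]]
        if dst in here["addrs"]:
            return path, "delivered"
        route = lookup(here["routes"], dst)
        if route is None:
            return path, f"no route on {path[-1]}"
        _, gw = route
        nxt = owner(devices, dst if gw is None else gw)   # on-link delivery or next-hop gateway
        if nxt is None:
            return path, f"next hop unreachable from {path[-1]}"
        path.append(nxt)
    return path, "hop limit exceeded"


def ping(devices, src_dev, src_ip, dst_ip):
    """Echo request from src_dev (source address src_ip) to dst_ip, then the reply back to src_ip."""
    req_path, req_status = trace(devices, src_dev, dst_ip)
    result = {"request": (req_path, req_status), "reply": None, "ok": False}
    if req_status == "delivered":
        rep_path, rep_status = trace(devices, req_path[-1], src_ip)
        result["reply"] = (rep_path, rep_status)
        result["ok"] = rep_status == "delivered" and rep_path[-1] == src_dev
    return result


if __name__ == "__main__":
    cases = [
        ("no LAN routes, PC pings B's tunnel IP", topology(), "pc", "192.168.100.20", "192.168.201.2"),
        ("no LAN routes, Router A pings from its tunnel IP", topology(), "routerA", "192.168.201.1", "192.168.201.2"),
        ("no LAN routes, Router A pings from its LAN IP", topology(), "routerA", "192.168.100.1", "192.168.201.2"),
        ("route on B only, PC pings B's tunnel IP", topology(route_on_b=True), "pc", "192.168.100.20", "192.168.201.2"),
        ("routes on both, PC pings B's LAN IP", topology(route_on_a=True, route_on_b=True), "pc", "192.168.100.20", "192.168.101.1"),
    ]
    for label, devs, src_dev, src_ip, dst_ip in cases:
        r = ping(devs, src_dev, src_ip, dst_ip)
        print(f"{label}: {'OK' if r['ok'] else 'FAIL'}")
        print("  request:", " -> ".join(r["request"][0]), "|", r["request"][1])
        if r["reply"]:
            print("  reply:  ", " -> ".join(r["reply"][0]), "|", r["reply"][1])
```

Running it shows the asymmetry the thread is about: with no LAN routes the request path is pc -> routerA -> routerB and is delivered, while the reply path is routerB -> internet and dies there; a ping sourced from Router A's own tunnel address succeeds because 192.168.201.1/32 is a connected route on Router B, and adding the 192.168.100.0/24 route on Router B alone is enough for the PC to reach Router B's tunnel address, but both routes are needed before the two LANs can reach each other.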

My point is here:

Since my PC at 192.168.100.20 is directly connected to Router A with default route 192.168.100.1, I can still ping Router A at 192.168.201.1 (L2TP local IP), and I should be able to ping 192.168.201.2 (L2TP IP of Router B) since it is a DAC (directly connected) route in the Router A routing table, but I can't ping it. I already added routes for the LAN segments on both routers. I can ping the LAN address of Router A from Router B, but I cannot ping even the L2TP interface IP of Router B from my Router A LAN IP address.

Check your routes please.

Your PC on LAN A can probably find the L2TP interface of Router B (192.168.201.2) via Router A; that does not need the ip routes, as said, but… if the routes are not correct in Router B, then the answer of Router B will not find your PC.

Use traceroute to find where the packet is travelling.

traceroute has different names in different OSes (tracert, … https://www.clouddirect.net/knowledge-base/KB0011455/using-traceroute-ping-mtr-and-pathping )

Please provide your config… of Router A and Router B
/export file=anynameyouwish ( minus router serial number and any public WANIP info )

It seems to me that the L2TP connection between Router A and B is set up correctly, as you're able to ping the L2TP interface IP address from both routers.

@bpwl

Use traceroute to find where the packet is travelling.

Well explained :+1:t2: ip route tables, ping, traceroute, nslookup, arp etc.

The @op, as network operator, should be familiar with all those basic network troubleshooting tools, and be familiar with top-to-bottom, bottom-to-top OSI layer or TCP/IP stack troubleshooting techniques,

instead of just asking for help to resolve the homework.

Just a thought :thinking:

Sorry for going off topic:
What is so secret about the serial number?
While I can see that public IPs may be a starting point for an attacker, what nasty things can be done with the serial number?

Edit:
Perhaps it is the DDNS service provided by mikrotik, which reveals the IP address when configured.

instead of just asking for help to resolve the homework.

But MikroTik documentation, even if completely correct, can be cryptic because it is minimalist in explaining what and why…
and with MT there are so many ways to do it…

Like in https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP , the “site to site L2TP” example uses the “ppp secret” entry to set the ip route in the L2TP server router towards the client router LAN.
(But the syntax there is somewhat special: routes="10.1.202.0/24 172.16.1.2 1" )
Then they explicitly add the ip route in the L2TP client router, towards the LAN in the L2TP server router.
( [admin@Home] /ip route> add dst-address=10.1.101.0/24 gateway=l2tp-out1 )

Exactly.
Having the serial ID of your device, anyone can try to connect to your device.
If the firewall is not set up properly and/or the user is left with the default or no password, it's an accident waiting to happen.
And since we are all sensible admins who on first use of the device will remove the admin account and use our own with a proper password, and we all use a decent firewall config, this will never be a problem, huh? :laughing:

Better to be safe than sorry.

@bpwl

You mean this one?

But the syntax there is somewhat special: routes="10.1.202.0/24 172.16.1.2 1" )
Then they explicitly add the ip route in the L2TP client router, towards the LAN in the L2TP server router.
( [admin@Home] /ip route> add dst-address=10.1.101.0/24 gateway=l2tp-out1 )

Hmm… maybe we could just use @anav's term,

which is… the crystal ball :joy:

No no no, kidding :joy: Maybe the author was referring to the left side of the network, and expecting the reader to understand the left and right config.

And since we are all sensible admins who on first use of the device will remove the admin account and use our own with a proper password, and we all use a decent firewall config, this will never be a problem, huh? :laughing:

And… you could imagine that your POP was on a rooftop 100 meters above the ground, and you have no phone signal, and you forgot your backup config was on the TFTP server in the data center :joy:

No no no… kidding :joy:

Have a good day folks :+1:t2: