L2TP routing issue - SOLVED

Hello everybody.
I am new to this forum and new to handling MikroTik equipment.

The requirements are: I have an office with many access controllers linked to an access control server, and everything is fine inside the internal LAN. The office needs to add more access controllers far from the office, in other cities. For this, we already have one RB3011 ARM and many small router access points which support L2TP client mode, to be set up in the other cities.
I set up an L2TP server without IPsec on the RB3011:


The findings are:
Incoming connections:

I can ping from 10.20.30.40 to 10.10.0.40
I can ping from 10.20.30.40 to 172.17.98.2 & 172.10.98.1 & 10.100.200.1 & 10.100.200.2
In short, I can ping from 10.20.30.40 to everywhere.

Outgoing:
I can ping from 10.10.0.40 to 172.17.98.1 & 172.17.98.2
I can NOT ping from 10.10.0.40 to 10.20.30.40 or to 10.100.200.2

From the MikroTik itself, using Tools -> Ping:

I can ping from it to 10.10.0.40 & 172.17.98.2
I can ping from it to 10.100.200.1 and 10.100.200.2
BUT when I ping from the MikroTik to 10.20.30.40 I get a successful response from 10.100.200.2 !!!



I doubt the office firewall is the cause, but when I did an experiment by disconnecting the firewall cable, plugging it into my laptop and setting 172.17.98.2 on my NIC, I had the same issue and the same findings!!

Please help me solve this issue, and thank you very much in advance for your responses (sorry for my bad English).

The topology:

You should post your router configuration with an

/export hide-sensitive

We can then walk through it and guide you towards a solution.

Are the L2TP clients also MikroTik? If so, please post their config as well.

[quote=atmane post_id=683471 time=1535850405 user_id=127930]
when I ping from the MikroTik to 10.20.30.40 I get a successful response from 172.17.98.253



(sorry for my bad english)
[/quote]
Please do the ping command above from the command line (press the [Terminal] button in Winbox or Webfig, or log in using ssh to get a command line window, type ping 10.20.30.40 there and press [Enter]) and copy-paste the output here. I hesitate to believe what I read regarding the result :slight_smile:

[admin@MikroTik] > export hide-sensitive

# sep/04/2018 19:07:51 by RouterOS 6.42.7
# software id = 1EBQXXXX
# model = RouterBOARD 3011UiAS
# serial number = 8EED0XXXXXXX

/interface bridge
add fast-forward=no name=sahcom protocol-mode=none
add admin-mac=CC:2D:E0:XX:XX:XX auto-mac=no comment=defconf name=bridge protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] advertise=100M-full loop-protect=off
set [ find default-name=ether2 ] advertise=100M-full loop-protect=off
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether6 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/interface bridge port
add bridge=sahcom comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes keepalive-timeout=disabled
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=172.17.98.1/24 interface=sahcom network=172.17.98.0
add address=81.192.X.Y/28 interface=ether1 network=81.192.X.Y
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=172.17.98.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.17.98.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input
add action=accept chain=forward
add action=accept chain=output
/ip route
add distance=2 gateway=81.192.X.Y
add distance=1 dst-address=10.10.0.0/16 gateway=172.17.98.2
add distance=1 dst-address=10.20.30.0/24 gateway=10.100.200.2
/lcd
set time-interval=hour
/ppp secret
add local-address=10.100.200.1 name=sahcom01 remote-address=10.100.200.2 routes=10.20.30.0/24
add name=sahcom02 service=l2tp
add name=sahcom03 service=l2tp
add name=sahcom04 service=l2tp
add name=sahcom05 service=l2tp
/system clock
set time-zone-name=Africa/Casablanca
/system routerboard settings
set silent-boot=no
/system scheduler
add interval=2h name="auto reboot" on-event="/system reboot" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=sep/04/2018 start-time=18:00:00
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >
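
An added example, not code from the thread or from MikroTik: a small Python script that reads an export listing like the one above, rebuilds the routing table the router would use, answers "which next hop does a given destination get?", and lists the settings a reviewer would flag in this export (the unconditional accept rules in all three filter chains on a router with a public address on ether1, and the L2TP server running without IPsec, as the opening post says). The EXPORT text is a constructed excerpt of the export above, with the redacted 81.192.X.Y WAN address replaced by the TEST-NET values 192.0.2.2/28 and gateway 192.0.2.1. The routes= attribute of the ppp secret is modelled as a route via the peer's remote-address once the tunnel is up (an assumption stated in the code). The lookup for 10.20.30.40 returns the tunnel peer 10.100.200.2, so the server-side routing sends those pings into the tunnel; a reply that comes back from 10.100.200.2 rather than from 10.20.30.40 is therefore consistent with the peer answering on its own behalf, which matches the client-side NAPT identified as the cause at the end of the thread.

```python
"""Rebuild the routing table from a RouterOS export and audit a few settings.

Added example, not from the thread. EXPORT is a constructed excerpt modelled on
the export posted above; 192.0.2.2/28 and 192.0.2.1 stand in for the redacted
81.192.X.Y WAN address and gateway.
"""
import ipaddress
import re

EXPORT = """\
/interface l2tp-server server
set enabled=yes keepalive-timeout=disabled
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=172.17.98.1/24 interface=sahcom network=172.17.98.0
add address=192.0.2.2/28 interface=ether1 network=192.0.2.0
/ip firewall filter
add action=accept chain=input
add action=accept chain=forward
add action=accept chain=output
/ip route
add distance=2 gateway=192.0.2.1
add distance=1 dst-address=10.10.0.0/16 gateway=172.17.98.2
add distance=1 dst-address=10.20.30.0/24 gateway=10.100.200.2
/ppp secret
add local-address=10.100.200.1 name=sahcom01 remote-address=10.100.200.2 routes=10.20.30.0/24
add name=sahcom02 service=l2tp
"""

# key=value pairs; values may be double-quoted (e.g. name="auto reboot")
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def parse_export(text):
    """Return {section path: [ {key: value, ...}, ... ]} for every add/set line."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line.split(" ", 1)[0] in ("add", "set"):
            sections[current].append({k: v.strip('"') for k, v in KV.findall(line)})
    return sections


def build_routes(cfg, tunnel_up=True):
    """Active routes as (network, distance, via): connected (distance 0), static,
    and, while the L2TP client is connected, the routes from the ppp secret's
    routes= attribute. Assumption: those routes are modelled as pointing at the
    peer's remote-address, and the peer itself becomes a connected /32."""
    routes = []
    for a in cfg.get("/ip address", []):
        net = ipaddress.ip_network(a["address"], strict=False)
        routes.append((net, 0, "connected:" + a["interface"]))
    for r in cfg.get("/ip route", []):
        net = ipaddress.ip_network(r.get("dst-address", "0.0.0.0/0"))
        routes.append((net, int(r.get("distance", 1)), r["gateway"]))
    if tunnel_up:
        for s in cfg.get("/ppp secret", []):
            peer = s.get("remote-address")
            if not peer:
                continue
            routes.append((ipaddress.ip_network(peer + "/32"), 0, "connected:l2tp-" + s["name"]))
            for entry in s.get("routes", "").split(","):
                if entry.strip():
                    routes.append((ipaddress.ip_network(entry.split()[0]), 1, peer))
    return routes


def lookup(routes, dst):
    """Longest-prefix match; ties go to the lower distance. Returns the next hop
    (gateway address) or 'connected:<interface>', or None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in r[0]]
    if not candidates:
        return None
    _, _, via = max(candidates, key=lambda r: (r[0].prefixlen, -r[1]))
    return via


def audit(cfg):
    """Findings a reviewer would raise against this export."""
    findings = []
    match_keys = {"src-address", "dst-address", "in-interface", "out-interface",
                  "in-interface-list", "connection-state", "protocol", "dst-port"}
    for rule in cfg.get("/ip firewall filter", []):
        if rule.get("action") == "accept" and not (match_keys & rule.keys()):
            findings.append(f"chain {rule['chain']}: unconditional accept, no match conditions")
    for srv in cfg.get("/interface l2tp-server server", []):
        if srv.get("enabled") == "yes" and srv.get("use-ipsec", "no") == "no":
            findings.append("l2tp-server enabled without IPsec (use-ipsec not set)")
    return findings


if __name__ == "__main__":
    cfg = parse_export(EXPORT)
    table = build_routes(cfg)
    for dst in ("10.20.30.40", "10.10.0.40", "10.100.200.2", "8.8.8.8"):
        print(f"{dst:14} -> {lookup(table, dst)}")
    for finding in audit(cfg):
        print("finding:", finding)
```

Running it with tunnel_up=False shows the other half of the symptom: without the L2TP session, 10.100.200.2 and 10.20.30.40 both fall through to the default route towards the ISP, so a ping from the office is only meaningful once the client is connected.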

[quote=sindy post_id=683564 time=1535910460 user_id=110692]
[quote=atmane post_id=683471 time=1535850405 user_id=127930]
when I ping from the MikroTik to 10.20.30.40 I get a successful response from 172.17.98.253



(sorry for my bad english)
[/quote]
Please do the ping command above from the command line (press the [Terminal] button in Winbox or Webfig, or log in using ssh to get a command line window, type ping 10.20.30.40 there and press [Enter]) and copy-paste the output here. I hesitate to believe what I read regarding the result :slight_smile:
[/quote]
I CHANGED 172.17.98.253 to 10.100.200.2.

I found the problem myself. The issue was on the client side.

I used a PLANET VDR301n client, which has NAPT enabled by default. When I disabled it, the issue disappeared.