L2TP Server Setup with LTE\DMZ

Hello Everybody

I need help. I have set up the following.

  1. LTE Internet Router with DMZ
  2. Mikrotik with L2TP Server

Test

  1. Internet is working
  2. Test VPN locally working using Windows VPN client

Problem
L2TP client doesn't want to connect from the internet
myconfig.rsc (4.61 KB)
Nat rules.JPG
filter rules.JPG
firewall.rsc (2.02 KB)
LTE_Mikrotik.jpg

The router’s DMZ feature isn’t going to help if the LTE connection uses CGNAT (which is typical for consumer LTE SIMs). You can check this by seeing if the LTE router is getting a private address (10.x, 192.x) or 100.64.0.0-100.127.255.255 from the LTE WAN connection.

(or 172.16…)

LTE Router is getting a public (WAN) IP address, internet is working…

Is there a way to enable “passthrough” on your LTE router so the Mikrotik gets the public IP?

Otherwise, your Mikrotik config looks pretty standard/correct at first glance, so it looks like the issue may be how the DMZ works on the Huawei…

Also, I don’t know if you’re running V7, but if LTE is a real public IP, you might want to try WireGuard. That might work better with the DMZ since WireGuard just needs one port through to work, not the complex dance that L2TP/IPsec needs. If the Mikrotik is ARM or ARM64, ZeroTier would be another option that gets you Layer 2/Ethernet like L2TP.

# jun/05/2023 13:46:03 by RouterOS 6.49.8
# software id = 5W3V-FDGK
# model = RB941-2nD
# serial number = HD7087BDQZT
/interface bridge
add admin-mac=18:FD:74:BA:A0:36 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country="south africa" disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=Office wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key= wpa2-pre-shared-key=
/ip pool
add name=dhcp ranges=192.168.1.20-192.168.1.199
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE dns-server=192.168.1.1 local-address=192.168.89.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes ipsec-secret= one-session-per-host=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=192.168.8.5/24 interface=ether1 network=192.168.8.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip route
add distance=1 gateway=192.168.8.1
/ppp secret
add name=vpn password= profile=default-encryption service=l2tp
add name=jaco password= profile=default-encryption service=l2tp
add name=mari password= profile=default-encryption service=l2tp
add name=mariette password= profile=default-encryption service=l2tp
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


# jun/05/2023 14:00:56 by RouterOS 6.49.8
# software id = 5W3V-FDGK
# model = RB941-2nD
# serial number = HD7087BDQZT
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
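Two things raised in this thread can be checked straight from an export file rather than by eye: whether the address on the LTE-facing port is in private (10/8, 172.16/12, 192.168/16) or CGNAT (100.64/10) space, as suggested above, and whether the input chain accepts UDP 500, 4500 and 1701 before its catch-all drop, which the "allow IKE", "allow IPsec NAT" and "allow l2tp" rules in the posted config do. The script below is an added example written for this page, not code from the thread or from MikroTik. It assumes ether1 is the WAN port (as the posted /interface list member says), parses a constructed export excerpt in the same shape as the posted ones, and treats the first input-chain drop that has neither a port nor a connection-state matcher as the end of the chain for WAN-sourced traffic, which is a simplification of how the chain is evaluated.

```python
import ipaddress
import shlex

# Constructed excerpt in the shape of the RouterOS 6 exports posted in the
# thread. Addresses and rules are illustrative, not the poster's live config.
SAMPLE_EXPORT = """\
# jun/05/2023 13:46:03 by RouterOS 6.49.8
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=192.168.8.5/24 interface=ether1 network=192.168.8.0
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \\
    connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
"""

# RFC 1918 private space and the RFC 6598 shared address space that carriers
# use for CGNAT. A WAN address in any of these cannot be reached from outside.
NON_PUBLIC = {
    "rfc1918": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "cgnat": [ipaddress.ip_network("100.64.0.0/10")],
}
# Ports an L2TP/IPsec responder needs accepted in the input chain.
L2TP_IPSEC_PORTS = {("udp", 500), ("udp", 4500), ("udp", 1701)}


def parse_export(text):
    """Turn export text into (section, verb, {key: value}) tuples.

    Wrapped lines end in a backslash, as RouterOS writes them; '#' lines are
    header comments. Positional tokens such as '[ find ... ]' are ignored."""
    commands, section, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending += line[:-1] + " "
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            section = line
            continue
        tokens = shlex.split(line)
        kv = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        commands.append((section, tokens[0], kv))
    return commands


def classify(addr):
    """'public', 'rfc1918', 'cgnat' or 'reserved' for an address or address/prefix."""
    ip = ipaddress.ip_interface(addr).ip
    for kind, nets in NON_PUBLIC.items():
        if any(ip in n for n in nets):
            return kind
    return "public" if ip.is_global else "reserved"


def wan_address_findings(commands, wan_interface="ether1"):
    """Static addresses on the WAN port that the Internet cannot reach.

    Assumes ether1 is the WAN port (hypothetical default for this example)."""
    return [(kv["address"], classify(kv["address"]))
            for section, verb, kv in commands
            if section == "/ip address" and verb == "add"
            and kv.get("interface") == wan_interface
            and classify(kv["address"]) != "public"]


def missing_l2tp_ports(commands):
    """L2TP/IPsec ports with no accept rule before the input chain's catch-all drop.

    Simplification: the first input drop with neither a port nor a
    connection-state matcher is treated as the end of the chain for traffic
    arriving from the WAN side."""
    allowed = set()
    for section, verb, kv in commands:
        if section != "/ip firewall filter" or verb != "add" or kv.get("chain") != "input":
            continue
        if kv.get("action") == "drop" and "dst-port" not in kv and "connection-state" not in kv:
            break
        if kv.get("action") == "accept" and "dst-port" in kv and "protocol" in kv:
            for port in kv["dst-port"].split(","):
                allowed.add((kv["protocol"], int(port)))
    return sorted(L2TP_IPSEC_PORTS - allowed)


if __name__ == "__main__":
    cmds = parse_export(SAMPLE_EXPORT)
    print("non-public WAN addresses:", wan_address_findings(cmds))
    print("L2TP/IPsec ports not accepted:", missing_l2tp_ports(cmds))
```

Run against a real export (`/export file=myconfig` and pull the .rsc off the router), the first function flags the static 192.168.8.5/24 on ether1 as RFC 1918, which is the LTE router's LAN side rather than a reachable address; a DHCP-assigned public address will not appear in the export at all, so the "is it public" question still has to be answered from `/ip address print` on the live router. The second function reports an empty list for the posted rules, consistent with the reply that the filter looks standard, and would list the ports if an accept rule sat below the "drop all not coming from LAN" rule.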

Maybe I explained wrong. Mikrotik is getting public IP. DMZ is pushing internet traffic to Mikrotik…

Ah, so the public IP is coming via DHCP client on ether1…

In that case, I’d change your /ip route to use distance=2, so the DHCP one with a public IP is the one used for outbound traffic. Otherwise, it will load balance (ECMP) between using the public IP and 192.168.8.5 as the src address to LTE…

e.g. /ip route add distance=1 gateway=192.168.8.1
should be
/ip route add distance=2 gateway=192.168.8.1

I have resolved the problem

Telkom Incoming Ports blocked - use ‘unrestricted’ APN
https://mybroadband.co.za/forum/threads/telkom-incoming-ports-blocked-use-unrestricted-apn.952185/page-3

https://archie22is.medium.com/how-to-set-up-unrestricted-apn-on-telkom-lte-3g-4634ef53af00
lteAPN.JPG