L2TP to remote office

flynno · August 19, 2018, 11:04am

I setup a L2TP VPN on a mikrotik LTE device to access my office router Lan.
The tunnel is established and I can ping both sides of the tunnel and reach the office router via the LTE device.

I want to be able to use the office connection as the main internet connect for the mikrotik LTE device, send all traffic from the LTE down the tunnel to the office connection.

LTE Config
Local Network = 192.168.1.0/24

/ip firewall filter
add action=accept chain=input comment=“allow L2TP VPN (ipsec-esp)” protocol=ipsec-esp
add action=accept chain=input comment=“allow L2TP VPN (500,4500,1701/udp)” dst-port=500,1701,4500 protocol=udp
add action=accept chain=forward comment=“defconf: accept established,related” connection-state=established,related
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=lte1
add distance=1 dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark= PPTP
add distance=1 dst-address=172.168.1.1 gateway=l2tp-out1 routing-mark= PPTP

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=PPTP passthrough=yes src-address=192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=lte1
add action=masquerade chain=srcnat disabled=yes out-interface=l2tp-out1

/ip dns
set allow-remote-requests=yes

Office Mikrotik Router
Local Network = 192.168.0.0/24

/ip firewall filter
add action=accept chain=input comment=“allow L2TP VPN (ipsec-esp)” protocol=ipsec-esp
add action=accept chain=input comment=“allow L2TP VPN (500,4500,1701/udp)” dst-port=500,1701,4500 protocol=udp
add action=accept chain=forward comment=“defconf: accept established,related” connection-state=established,related
add action=drop chain=forward comment=“defconf: drop invalid” connection-state=invalid

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
add action=masquerade chain=srcnat src-address=172.168.1.0/24

/interface l2tp-server server
set default-profile=default enabled=yes keepalive-timeout=60 max-mru=1460 max-mtu=1460
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default enabled=yes
/interface l2tp-server
add name=l2tp-in1 user=test
/ppp secret
add name=test password=1234 service=l2tp
/ppp profile
set *0 change-tcp-mss=default local-address=172.168.1.1 remote-address=vpn-l2tp
set *FFFFFFFE use-encryption=required

/ip pool
add name=vpn ranges=172.168.1.10-172.168.1.254

/ip dns
set allow-remote-requests=yes
/ip dns static
add address=8.8.8.8 name=dns1
add address=8.8.4.4 name=dns2

/ip route
add comment=“WAN” dst-address=0.0.0.0/0 distance=1 gateway=WAN
add distance=1 dst-address=192.168.0.0/24 gateway=WAN Pref.Source 192.168.0.129 <<< Local IP of Office router is behind main ISP router, ports are opened to allow vpn on ISP router
add distance=1 dst-address=172.168.1.251 gateway=l2tp-in1 Pref.Source 172.168.1.1 <<< This route is not a static 172.168.1.251 is remote LTE router

Routing-mark on LTE device
LTE routing mark is PPTP

Routing-mark on Office,
Office routing mark is VpnRoute

Troubleshooting

I have no internet on LTE device when mangle rule is enabled.
I can see DNS populating on the LTE device when trying to access a website.

flynno · August 19, 2018, 5:54pm

I can see the traffic going out the L2TP gateway with torch, when the mangle rule is enabled on the LTE device.
On the remote office router dns cache I can see the LTE devices requests in the cache.

Anyone have any input as to how I can get this working?

flynno · August 20, 2018, 10:40am

I can winbox into both routers from each end, Remote office side and LTE side.
When I enable the mangle rule on the LTE device the only thing that I cant do is browse a website or ping 8.8.8.8 from the lan PC
Winbox still works from each side

flynno · August 21, 2018, 4:36pm

Is it possible to do this, I must be missing something

bramwittendorp · August 21, 2018, 5:36pm

Hi,

You’re correct, there is a issue with the following route, on the LTE-device

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark= PPTP

Instead of specifying the gateway-interface (l2tp-out1) you’ll need to specify the IP-address of the RB on the other end of the tunnel (from you configuration I’ve no idea which it should be).

From the Wiki-page (https://wiki.mikrotik.com/wiki/Manual:IP/Route#Routes_with_interface_as_a_gateway)

Unlike connected routes, routes with interface nexthops are not used for nexthop lookup.

So the traffic will not be forwarded any further than the router on the other end of the tunnel

flynno · August 21, 2018, 6:28pm

Hi Bram,

LTE Device Route
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=172.168.1.1 reachable l2tp-out1 routing-mark= PPTP

172.168.1.1 is the address of remote office mikrotik device, it’s the private address of the device

bramwittendorp · August 21, 2018, 7:38pm

That should be it I think, does it work?

flynno · August 21, 2018, 8:00pm

I can see the dns populating in the remote office router cache but the websites won’t load, I have remote requests turned on for both routers, and the dns on the LTE is 172.168.1.1 which is the private ip of the remote office router

flynno · August 22, 2018, 9:28am

I can reach all devices on the remote office network. I want the LTE device to have its public IP address cloaked as the office network public IP and use the office router as the main gateway for all internet traffic

cdiedrich · August 22, 2018, 11:17am

Look at the srcnat rules in your office router. It’s probably configured to (srcnat | masquerade) the office address pool only.
and as a side note: 172.168.1.1 is not in the IANA private address space 172.16.0.0/12 which ends at 172.32.255.255

-Chris

flynno · August 22, 2018, 11:58am

Hi Chris,

Remote office router nat

/firewall filter nat
srcnat scr address 172.168.1.0/24 action masquerade

New below;

I modified pool to 172.16.0.0/12

/firewall filter nat
srcnat scr address 172.16.0.0/12 action masquerade

cdiedrich · August 22, 2018, 12:16pm

Makes sense now.
But I just read your first post again where you were talking about 192.168.1.0/24 and 192.168.0.0/24 networks.
Whichever networks you are currently running - make sure the remote network range is covered in your office router’s srcnat rules.

-Chris

flynno · August 22, 2018, 5:42pm

Still no luck with the nat rules. When I enable mangle on the LTE device for the private network, I cannot access websites but I can see dns requests populating on the office router

cdiedrich · August 22, 2018, 7:44pm

I’d say it’ll be the best support for us to help when you post a compact export of both routers.

flynno · August 22, 2018, 9:01pm

LTE Device
Office Public IP = X.X.X.X

/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
/ip neighbor discovery
set lte1 discover=no
/interface list
add name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=none
add enc-algorithms=3des name=wifi pfs-group=none

/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.254

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether1 name=defconf

/ppp profile
set *0 change-tcp-mss=default
set *FFFFFFFE change-tcp-mss=default use-encryption=default

/interface l2tp-client
add connect-to=X.X.X.X disabled=no ipsec-secret=wifi max-mru=1460
max-mtu=1460 name=l2tp-out1 password=1234 profile=default user=test

/ip settings
set rp-filter=strict tcp-syncookies=yes

/interface list member
add interface=ether1 list=discover
add interface=ether1 list=mactel
add interface=ether1 list=mac-winbox

/ip address
add address=192.168.1.1/24 comment=defconf interface=ether1 network=
192.168.1.0
/ip cloud
set ddns-enabled=yes

/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1

/ip dns
set allow-remote-requests=yes servers=172.16.0.1

/ip firewall filter
add action=accept chain=input comment=“defconf: accept ICMP” protocol=icmp
add action=accept chain=input comment=“Allow WinBox” dst-port=8291 protocol=
tcp
add action=accept chain=input comment=“Allow WinBox API” dst-port=8728
protocol=tcp
add action=accept chain=input comment=“allow L2TP VPN (ipsec-esp)” protocol=
ipsec-esp
add action=accept chain=input comment=“allow L2TP VPN (500,4500,1701/udp)”
dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment=“defconf: accept established,related”
connection-state=established,related
add action=accept chain=input comment=“Allow local network” src-address=
192.168.1.0/24
add action=accept chain=input comment=“Allow DNS for trusted network”
dst-port=53 protocol=udp src-address=192.168.1.0/24
add action=accept chain=input comment=“Allow DNS for trusted network”
dst-port=53 protocol=tcp src-address=192.168.1.0/24
add action=drop chain=input comment=“defconf: drop all from WAN”
in-interface=lte1
add action=accept chain=forward comment=“defconf: accept established,related”
connection-state=established,related
add action=drop chain=forward comment=“defconf: drop invalid”
connection-state=invalid
add action=drop chain=forward comment=
“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface=lte1
add action=drop chain=input connection-state=new dst-port=53 in-interface=
lte1 protocol=udp
add action=drop chain=input connection-state=new dst-port=53 in-interface=
lte1 protocol=tcp

/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1400 out-interface=
l2tp-out1 passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-routing chain=prerouting new-routing-mark=PPTP passthrough=
yes src-address=192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=l2tp-out1
src-address=172.16.0.0/12
add action=masquerade chain=srcnat out-interface=lte1
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes

/ip route
add disabled=yes distance=1 gateway=172.16.0.1 routing-mark=PPTP
add distance=1 gateway=lte1
add distance=1 dst-address=172.16.0.0/12 gateway=172.16.0.1
add distance=1 dst-address=172.168.1.0/24 gateway=172.16.0.1
add distance=1 dst-address=192.168.0.0/24 gateway=172.16.0.1
add distance=1 dst-address=192.168.0.1/32 gateway=172.16.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes

CRS Office

/interface bridge
add name=Wlan
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] arp=proxy-arp
set [ find default-name=ether4 ] disabled=yes master-port=ether3
set [ find default-name=ether5 ]
set [ find default-name=ether7 ] master-port=ether1
set [ find default-name=ether9 ] master-port=ether1
set [ find default-name=ether15 ] master-port=ether1
set [ find default-name=ether16 ] comment=“Tom Network 16”
set [ find default-name=ether17 ] master-port=ether1
set [ find default-name=ether18 ] master-port=ether1
set [ find default-name=ether19 ] master-port=ether1
set [ find default-name=ether20 ] master-port=ether1
set [ find default-name=ether21 ] master-port=ether1
set [ find default-name=ether22 ] master-port=ether1
set [ find default-name=ether23 ] master-port=ether1
set [ find default-name=ether24 ] master-port=ether1
set [ find default-name=sfp1 ] master-port=ether1
/interface l2tp-server
add name=l2tp-in1 user=test
/ip pool
add name=vpn-l2tp ranges=172.16.0.2-172.32.255.255
/ppp profile
set *0 change-tcp-mss=default local-address=172.16.0.1 remote-address=
vpn-l2tp
set *FFFFFFFE use-encryption=required
/ip settings
set rp-filter=strict tcp-syncookies=yes
/interface l2tp-server server
set default-profile=default enabled=yes keepalive-timeout=60 max-mru=1460 max-mtu=1460
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default enabled=
yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes servers=172.16.0.1
/ip dns static
add address=8.8.8.8 name=dns1
add address=8.8.4.4 name=dns2
/ip firewall filter
add action=accept chain=input comment=“VPN L2TP UDP 500” dst-port=500
protocol=udp
add action=accept chain=input comment=“VPN L2TP 4500” dst-port=4500 protocol=
udp
add action=accept chain=input comment=“VPN L2TP UDP 1701” dst-port=1701
protocol=udp
add action=accept chain=input comment=“VPN L2TP UDP 1701” dst-port=1723
protocol=udp
add action=accept chain=input comment=“VPN L2TP ESP” protocol=ipsec-esp
add action=accept chain=input comment=“VPN L2TP AH” protocol=ipsec-ah
add action=accept chain=input protocol=gre
add action=accept chain=input comment=“Established, Related”
connection-state=established,related
add action=accept chain=forward comment=“Established, Related”
connection-state=established,related
add action=accept chain=input comment=“Accept DNS - UDP” dst-port=53
protocol=udp
add action=accept chain=input comment=“Accept DNS - TCP” dst-port=53
protocol=tcp
add action=drop chain=forward comment=“Drop invalid” connection-state=invalid
log=yes log-prefix=invalid
add action=drop chain=forward comment=
“Drop incoming from internet which is not public IP” in-interface=Wlan
log-prefix=!public src-address-list=not_in_internet
/ip firewall nat
add action=masquerade chain=srcnat src-address=172.16.0.0/12
add action=masquerade chain=srcnat out-interface=Wlan
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ppp secret
add name=test password=1234 service=l2tp
/system identity
set name=Office

cdiedrich · August 23, 2018, 7:49am

In the office router I’m missing a route for the remote network.
Your default masq rule there is already good, you can delete the dedicated one for the remote network.
Your main office DNS config does not make sense.

Both exports are missing ppp profile and ppp secrets.

-Chris

flynno · August 23, 2018, 8:22am

Office Router

DNS
/ip dns print
servers: 172.16.0.1
dynamic-servers: 89.101.160.5,89.101.160.4
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 45KiB

ip firewall nat print
chain=srcnat action=masquerade out-interface=Wlan log=no log-prefix=""

ip route print

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 ADS 0.0.0.0/0 192.168.0.1 1
1 ADC 172.32.255.247/32 172.16.0.1 l2tp-in1 0 <<< Dynamic L2tp
2 ADC 192.168.0.0/24 192.168.0.129 Wlan 0
3 A S 192.168.1.0/24 l2tp-in1 1 <<<Added LTE remote network, reachable via 192.168.1.1 winbox

/ppp profile
set *0 change-tcp-mss=default local-address=172.16.0.1 remote-address=vpn-l2tp
set *FFFFFFFE use-encryption=required
/ppp secret
add name=test password=1234 service=l2tp

ip pool print

NAME RANGES

0 vpn-l2tp 172.16.0.2-172.32.255.255

bramwittendorp · August 24, 2018, 5:24am

For the PPP-secret, I use the following configuration on the Main-router:

/ppp secret 
add local-address=192.168.100.6 name=map_bram remote-address=10.9.5.1 routes=10.9.5.0/24 service=pptp

This takes care of the whole Site-to-Site VPN tunnel for me. On the remote end it will use the IP-address I setup for my RouterBoard, on the local end it also uses the IP of the routerboard. When the tunnel is active the route to the remote network 10.9.5.0/24 gets added automatically.

Maybe you could use a similar configuration. Because the main disadvantage of your current setup is that you’re not sure that the remote end always gets the same IP-address so it’s difficult to configure the route to the remote network. This case, it will be done automatically, even if you have more VPN-tunnels in the future this could work, I have 3 site-to-site tunnels this way.

flynno · August 24, 2018, 10:38am

Hi Bram,

What kind of dns settings do you use?

/ppp secret print
Flags: X - disabled

NAME SERVICE CALLER-ID PASSWORD PROFILE REMOTE-ADDRESS LOCAL-ADDRESS ROUTES

0 test l2tp 1234 default 172.16.0.10 172.16.0.1 172.16.0.0/12

LTE reachable now via 172.16.0.10
LTE local network 192.168.1.0/24

Office reachable now via 172.16.0.1
Office local network 192.168.0.0/24 reachable via LTE network
Office main internet router 192.168.0.1 reachable via LTE network
All devices are reachable via the LTE network

Once mangle rule on LTE device is active, I cannot access any website but I can still reach the office network

ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-routing new-routing-mark=PPTP passthrough=yes
src-address=192.168.1.0/24 log=no log-prefix=""

bramwittendorp · August 24, 2018, 11:54am

Why are you using Mangle anyway?

You want to send all traffic through the VPN-tunnel am I right?

It seems to me that you have build an overly complex set-up, which is also hard to troubleshoot. I followed the documentation on the Wiki: https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Site-to-Site_L2TP.

My setup

Office

/ppp secret 
add local-address=192.168.100.6 name=map_bram remote-address=10.9.5.1 routes=10.9.5.0/24 service=pptp

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=ISP Gateway IP

My DNS-setup isn’t really relevant. It just works, but in my case I have two Windows AD-DNS-servers providing the DNS-services.

Remote end

On the remote end I’ve created the VPN tunnel as a client, making sure the add default route option is checked:

/interface pptp-client
add add-default-route=yes connect-to=<office router Public IP> name= profile=default user=map_bram

This will add all nessecary routes for your connection and will send all traffic trough the VPN-tunnel