L2TP VPN cannot access LAN devices

Hello everyone,

I’m quite new to MikroTik and I’ve followed some tutorials and forum posts to set up what I have now. Basically I have 2 ISPs, connected to ether1 and ether2. Then I created an L2TP VPN with DDNS and added some firewall rules. Now I can connect to my MikroTik, but I cannot ping or access any devices behind it. For example, I have a Synology NAS with static IP 192.168.88.2; from the LAN I can access it easily, but from the VPN I cannot. Any help would be appreciated.


This is my /export hide-sensitive

# RouterOS "/export hide-sensitive": PPP passwords and the IPsec pre-shared
# secret are stripped from this listing, so those values cannot be checked here.
/interface bridge
# proxy-arp on the bridge is only useful when VPN clients receive addresses out
# of the LAN subnet; the "vpn" pool below is 192.168.89.x while the LAN is
# 192.168.88.0/24, so it has no effect on this setup either way.
add arp=proxy-arp name=bridge1-lan
/interface ethernet
set [ find default-name=ether1 ] mac-address=74:D0:2B:42:0C:F0 name=ether1-wan1
set [ find default-name=ether2 ] name=ether2-wan2
# ether3-5 are bridge ports (see /interface bridge port); proxy-arp on a bridge
# member port is redundant, the bridge interface is what answers ARP.
set [ find default-name=ether3 ] arp=proxy-arp
set [ find default-name=ether4 ] arp=proxy-arp
set [ find default-name=ether5 ] arp=proxy-arp
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.88.3-192.168.88.230
# VPN clients are addressed from a separate subnet (192.168.89.0/24). There is
# no /ip address entry for it; the router reaches each client through the
# dynamic /32 created by the PPP profile's local/remote addresses.
add name=vpn ranges=192.168.89.231-192.168.89.240
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge1-lan name=dhcp1
/ppp profile
# interface-list=LAN adds every dynamic L2TP interface to the LAN list, so the
# input-chain "drop !LAN" rule below does not apply to VPN clients and they can
# reach the router's own services (ssh 2200, winbox 8299).
# NOTE(review): LAN hosts can only answer 192.168.89.x via this router; a host
# with a static config (the NAS at 192.168.88.2) must use 192.168.88.1 as its
# gateway — confirm on the NAS.
add change-tcp-mss=yes interface-list=LAN local-address=192.168.89.1 name=L2TP \
    remote-address=vpn
/queue simple
# target="" — this queue has no target; presumably a leftover, verify it is meant
# to match anything at all.
add max-limit=20M/100M name="All Bandwidth" priority=1/1 queue=\
    pcq-upload-default/pcq-download-default target=""
/interface bridge port
add bridge=bridge1-lan interface=ether3
add bridge=bridge1-lan interface=ether4
add bridge=bridge1-lan interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
# use-ipsec=required: the L2TP session is only accepted inside IPsec (the PSK is
# hidden by hide-sensitive). mschap1 is obsolete; mschap2 alone is normally
# sufficient for current Windows/macOS/iOS clients — consider dropping mschap1.
set authentication=mschap1,mschap2 enabled=yes one-session-per-host=yes use-ipsec=\
    required
/interface list member
add interface=bridge1-lan list=LAN
add interface=ether1-wan1 list=WAN
add interface=ether2-wan2 list=WAN
/ip address
add address=192.168.88.1/24 interface=bridge1-lan network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
# add-default-route=no on both WANs: the default routes are the static entries
# under /ip route instead, so they go stale if either ISP changes its gateway —
# verify 88.81.72.97 and 192.168.8.1 still match the DHCP leases.
add add-default-route=no disabled=no interface=ether1-wan1
add add-default-route=no disabled=no interface=ether2-wan2
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set servers=192.168.8.1,88.81.92.1
/ip firewall filter
# input chain: established/related first, then the VPN ports on WAN only,
# then drop everything not arriving on a LAN-listed interface (VPN included).
add action=accept chain=input comment=Config connection-state=\
    established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="VPN: allow IKE" dst-port=500 in-interface-list=WAN \
    protocol=udp
add action=accept chain=input comment="VPN: allow L2TP" dst-port=1701 in-interface-list=\
    WAN protocol=udp
add action=accept chain=input comment="VPN: allow IPsec NAT-T" dst-port=4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-ah
add action=drop chain=input in-interface-list=!LAN
# forward chain: only invalid connections are dropped; there is no final drop,
# so any new connection between any two interfaces is forwarded. That means the
# VPN->LAN problem is not caused by this filter, but it also means WAN-originated
# traffic towards anything routable is not blocked here — the default RouterOS
# firewall ends forward with a drop for WAN traffic that was not dst-natted.
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
/ip firewall mangle
# These two accepts exempt the ISP-side subnets from PCC marking.
# NOTE(review): there is no equivalent accept for the VPN subnet. A reply from a
# LAN host to a VPN client enters on bridge1-lan with a non-local destination
# (192.168.89.x), matches the PCC mark-connection rules below and is then
# mark-routed into to_wan1/to_wan2, whose only entry is the ISP default gateway.
# That is a likely reason the NAS's answers never come back; an
# "accept chain=prerouting dst-address=192.168.89.0/24 in-interface=bridge1-lan"
# placed before the mark-connection rules would keep such traffic in the main
# table — verify with /ip firewall mangle counters while pinging from the VPN.
add action=accept chain=prerouting dst-address=192.168.8.0/24 in-interface=bridge1-lan
add action=accept chain=prerouting dst-address=88.81.72.0/24 in-interface=bridge1-lan
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=\
    ether1-wan1 new-connection-mark=wan1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=\
    ether2-wan2 new-connection-mark=wan2_conn passthrough=yes
# PCC on both-addresses:2/x splits new LAN-originated connections across the two
# WANs; dst-address-type=!local excludes traffic addressed to the router itself.
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=\
    !local in-interface=bridge1-lan new-connection-mark=wan1_conn passthrough=yes \
    per-connection-classifier=both-addresses:2/1
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=\
    !local in-interface=bridge1-lan new-connection-mark=wan2_conn passthrough=yes \
    per-connection-classifier=both-addresses:2/0
add action=mark-routing chain=prerouting connection-mark=wan1_conn in-interface=\
    bridge1-lan new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2_conn in-interface=\
    bridge1-lan new-routing-mark=to_wan2 passthrough=yes
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=to_wan1 \
    passthrough=yes
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=to_wan2 \
    passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-wan1
add action=masquerade chain=srcnat out-interface=ether2-wan2
/ip route
# dst-address is omitted in the export, i.e. these are 0.0.0.0/0 default routes:
# one per routing mark for the PCC tables, plus the main-table pair where
# distance 1/2 makes wan1 primary and wan2 the check-gateway failover.
add check-gateway=ping distance=1 gateway=88.81.72.97 routing-mark=to_wan1
add check-gateway=ping distance=2 gateway=192.168.8.1 routing-mark=to_wan2
add check-gateway=ping distance=1 gateway=88.81.72.97
add check-gateway=ping distance=2 gateway=192.168.8.1
/ip service
# Moving ssh/winbox to non-default ports is not access control; the input filter
# above is what keeps them off the WAN. An address= restriction on these two
# services would add a second, filter-independent limit.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set winbox port=8299
set api-ssl disabled=yes
/ppp secret
# routes= installs routes on the router towards the client when it connects; it
# is not pushed to the client. Listing the router's own LAN here is at best a
# no-op and at worst competes with the connected 192.168.88.0/24 route — remove
# it and add the route on the client side instead. (password= is hidden.)
add name=vojta profile=L2TP routes=192.168.88.0/24 service=l2tp

Thanks in advance.

The proxy-arp setting is only required if the VPN clients and the local network share addresses from the same subnet, and even then it belongs only on the parent interface bridge1-lan, not on the child interfaces ether3/4/5. If you are using different subnets it is not required.

The routes=192.168.88.0/24 under /ppp secret is incorrect: it specifies additional routes to the client, not from the client. If you do not select ‘Use default gateway on remote network’ on the client, you have to add a route on the client yourself; there is no mechanism to push routes to clients for PPP-like VPNs. So in your case, on a Windows client, run route add 192.168.88.0/24 192.168.89.1 once the VPN connection is established, or use the PowerShell commands that add a static route permanently.

As tdw said, you can run this PowerShell script on the Windows client:

# Name of the VPN connection as shown in Windows' VPN settings.
# (PowerShell accepts the curly quotes shown here; straight quotes are safer if
# the line is retyped.)
$name = “your vpn connection name”
# Stores 192.168.88.0/24 as a route on the VPN connection itself, so Windows
# adds it via the tunnel each time the connection comes up — no manual
# "route add" after every reconnect. -PassThru just echoes the resulting object.
# (Plain route.exe, by contrast, expects the mask form:
#  route add 192.168.88.0 mask 255.255.255.0 192.168.89.1 — not CIDR.)
Add-VpnConnectionRoute -ConnectionName $name -DestinationPrefix 192.168.88.0/24 -PassThru