L2TP VPN Client SaferVPN connection no internet access

HristoRaykov · October 20, 2020, 3:37pm

Hi, friends,
I hope you doin well! I am trying to setup SaferVPN on my MikroTik router. I succeed to set it up and I see the traffic. Unfortunately my internet access disappear and I have not internet connection on my PCs. I post my settings and you could see where I do wrong.

\

oct/20/2020 18:13:33 by RouterOS 6.47.4

software id = VHAS-MF1D

model = RB2011UiAS-2HnD

serial number = BE450B5F1B81

/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN1
set [ find default-name=ether3 ] comment=LAN2
/interface l2tp-client
add add-default-route=yes connect-to=de1.safervpn.com disabled=no mrru=1600
name="SaferVPN L2TP" password="" user=******
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=bulgaria disabled=no
hide-ssid=yes mode=ap-bridge ssid=MikroTik
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=
dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=
"***"
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=
myProfile supplicant-identity="" wpa2-pre-shared-key=""
/ip pool
add name=dhcp_pool0 ranges=
192.168.11.1-192.168.11.9,192.168.11.11-192.168.11.254
add name=dhcp_pool1 ranges=
192.168.12.1-192.168.12.9,192.168.12.11-192.168.12.254
add name=dhcp_pool2 ranges=
192.168.13.1-192.168.13.9,192.168.13.11-192.168.13.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether2 name=dhcp_LAN1
add address-pool=dhcp_pool1 disabled=no interface=ether3 name=dhcp_LAN2
add address-pool=dhcp_pool2 disabled=no interface=wlan1 name=dhcp_WIFI
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set tcp-syncookies=yes
/ip address
add address=192.168.11.10/24 interface=ether2 network=192.168.11.0
add address=192.168.12.10/24 interface=ether3 network=192.168.12.0
add address=192.168.13.10/24 interface=wlan1 network=192.168.13.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.11.0/24 gateway=192.168.11.10
add address=192.168.12.0/24 gateway=192.168.12.10
add address=192.168.13.0/24 gateway=192.168.13.10
/ip dns static
add address=208.67.222.222 name=OpenDNS
add address=208.67.220.220 name=OpenDNS1
add address=8.8.8.8 name=Google
add address=8.8.4.4 name=Google1
/ip firewall address-list
add list=ddos-attackers
add list=ddos-target
add list=ddos-targets
/ip firewall filter
add action=fasttrack-connection chain=forward comment=
"fast-track for established,related" connection-state=established,related
add action=accept chain=forward comment="accept established,related"
connection-state=established,related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment=
"drop access to clients behind NAT form WAN" connection-nat-state=!dstnat
connection-state=new in-interface=ether1
add action=accept chain=input comment="accept established,related"
connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1
protocol=icmp
add action=accept chain=input comment="allow Winbox" in-interface=ether1 port=
8291 protocol=tcp
add action=accept chain=input comment="allow SSH" in-interface=ether1 port=22
protocol=tcp
add action=drop chain=input comment="block everything else" in-interface=ether1
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-target
address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers
address-list-timeout=10m chain=detect-ddos
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
protocol=tcp tcp-flags=syn,ack
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=L2TP passthrough=yes
src-address=192.168.11.10-192.168.11.254
add action=mark-routing chain=prerouting new-routing-mark=L2TP passthrough=yes
src-address=192.168.12.10-192.168.12.254
add action=mark-routing chain=prerouting new-routing-mark=L2TP passthrough=yes
src-address=192.168.13.10-192.168.13.254
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface="SaferVPN L2TP"
/ip firewall raw
add action=drop chain=prerouting dst-address-list=ddos-target src-address-list=
ddos-attackers
add action=drop chain=prerouting dst-address-list=dddos-targets
src-address-list=ddos-attackers
/ip route
add distance=1 gateway="SaferVPN L2TP" routing-mark=L2TP
add distance=1 gateway=89.40.123.10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Sofia
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
[Hristo@MikroTik] >

Thank you in advance for your time and great support!