L2TP VPN setup cannot ping LAN devices

Hello everyone,

I am fairly new to RouterOS and I would like to ask for some advice. I have set up a VPN using L2TP, but unfortunately I cannot figure out why I cannot ping the LAN devices. I get a connection timeout all the time. Here is my configuration…

# dec/29/2014 02:06:35 by RouterOS 6.23
# software id = VJU8-A9NU
#
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-256-cbc pfs-group=none

/ip pool
add name=dhcp_pool1 ranges=192.168.1.11-192.168.1.30
add name=dhcp_pool2 ranges=192.168.1.6-192.168.1.30
add name=home-vpn-pool1 ranges=10.0.1.1-10.0.1.10

/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.0.2/28 interface=ether1 network=192.168.0.0

/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 always-broadcast=yes disabled=no \
    interface=bridge1 lease-time=1d name=dhcp1

/ip dhcp-server lease
add address=192.168.1.4 mac-address=00:25:00:9F:ED:88 server=dhcp1

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8

/ip firewall filter
add chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=log chain=input comment="Allow L2TP connections" in-interface=\
    ether1
add chain=input connection-state=new dst-port=500 in-interface=ether1 \
    protocol=udp
add chain=input connection-state=new dst-port=4500 in-interface=ether1 \
    protocol=udp
add chain=input connection-state=new dst-port=1701 in-interface=ether1 \
    protocol=udp
add chain=input comment="Allow Winbox from WAN" dst-port=8291 in-interface=\
    ether1 log=yes protocol=tcp
add chain=services comment="accept localhost" dst-address=127.0.0.1 \
    src-address=127.0.0.1
add chain=input dst-address=192.168.1.1 dst-port=80 protocol=tcp src-port=80
add chain=services comment="allow IPSec" protocol=ipsec-esp
add chain=services comment="allow IPSec" protocol=ipsec-ah
add chain=services comment="allow DHCP" disabled=yes dst-port=67-68 protocol=\
    udp
add action=drop chain=icmp comment="deny all other types"
add action=drop chain=forward comment="Drop Traceroute" icmp-options=11:0 \
    protocol=icmp
add action=drop chain=forward icmp-options=3:3 protocol=icmp
add action=drop chain=forward comment="Disable ICMP ping" protocol=icmp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list" \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
add action=drop chain=forward comment="dropping port scanners" \
    src-address-list="port scanners"
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
add chain=input comment="Allow Established connections" connection-state=\
    established
add chain=input in-interface=pppoe-out1 src-address=192.168.1.0/24
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid
add chain=forward comment="allow already established connections" \
    connection-state=established
add chain=forward comment="allow related connections" connection-state=\
    related
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=169.254.0.0/16
add action=drop chain=forward dst-address=169.254.0.0/16
add action=drop chain=forward src-address=172.16.0.0/12
add action=drop chain=forward dst-address=172.16.0.0/12
add action=drop chain=forward src-address=192.0.0.0/24
add action=drop chain=forward dst-address=192.0.0.0/24
add action=drop chain=forward src-address=192.0.2.0/24
add action=drop chain=forward dst-address=192.0.2.0/24
add action=drop chain=forward src-address=198.18.0.0/15
add action=drop chain=forward dst-address=198.18.0.0/15
add action=drop chain=forward src-address=198.51.100.0/24
add action=drop chain=forward dst-address=198.51.100.0/24
add action=drop chain=forward src-address=203.0.113.0/24
add action=drop chain=forward dst-address=203.0.113.0/24
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward comment="Make jumps to new chains" jump-target=\
    tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 \
    protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 \
    protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 \
    protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny  BackOriffice" dst-port=3133 \
    protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 \
    protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 \
    protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=\
    udp
add chain=services comment="allow MACwinbox " disabled=yes dst-port=20561 \
    protocol=udp
add chain=services comment="Bandwidth server" dst-port=2000 protocol=tcp
add chain=services comment=" MT Discovery Protocol" dst-port=5678 protocol=\
    udp
add chain=services comment="allow SNMP" dst-port=161 protocol=tcp
add chain=services comment="Allow BGP" disabled=yes dst-port=179 protocol=tcp
add chain=services comment="allow BGP" disabled=yes dst-port=5000-5100 \
    protocol=udp
add chain=services comment="Allow NTP" disabled=yes dst-port=123 protocol=udp
add chain=services comment="Allow PPTP" disabled=yes dst-port=1723 protocol=\
    tcp
add chain=services comment="allow PPTP and EoIP" disabled=yes protocol=gre
add chain=services comment="allow DNS request" dst-port=53 protocol=tcp
add chain=services comment="Allow DNS request" dst-port=53 protocol=udp
add chain=services comment=UPnP disabled=yes dst-port=1900 protocol=udp
add chain=services comment=UPnP disabled=yes dst-port=2828 protocol=tcp
add chain=services comment="allow Web Proxy" disabled=yes dst-port=8080 \
    protocol=tcp
add chain=services comment="allow IPIP" disabled=yes protocol=ipencap
add chain=services comment="allow https for Hotspot" disabled=yes dst-port=\
    443 protocol=tcp
add chain=services comment="allow Socks for Hotspot" disabled=yes dst-port=\
    1080 protocol=tcp
add chain=services comment="allow IPSec connections" disabled=yes dst-port=\
    500 protocol=udp
add chain=services comment="allow RIP" disabled=yes dst-port=520-521 \
    protocol=udp
add chain=services comment="allow OSPF" disabled=yes protocol=ospf

/ip firewall mangle
add action=mark-packet chain=postrouting comment=\
    "Link-critical traffic (DHCP)" dst-port=67 new-packet-mark=link_critical \
    out-interface=bridge1 passthrough=no protocol=udp src-port=68
add action=mark-packet chain=postrouting comment=\
    "IPSec VPN (same priority as link critical)" new-packet-mark=\
    link_critical out-interface=bridge1 passthrough=no protocol=ipsec-esp
add action=mark-packet chain=postrouting comment="Time-critical traffic (DNS, \
    TCP control packets, certain ACK packets, new connections)" dst-port=53 \
    new-packet-mark=time_critical out-interface=bridge1 passthrough=no \
    protocol=udp
add action=mark-packet chain=postrouting new-packet-mark=time_critical \
    out-interface=bridge1 passthrough=no protocol=tcp tcp-flags=fin,syn,rst
add action=mark-packet chain=postrouting new-packet-mark=time_critical \
    out-interface=bridge1 packet-size=40-89 passthrough=no protocol=tcp \
    tcp-flags=ack
add action=mark-packet chain=postrouting connection-state=new \
    new-packet-mark=time_critical out-interface=bridge1 passthrough=no \
    protocol=tcp
add action=mark-packet chain=postrouting comment=\
    "Critical traffic (just some ACK packets)" new-packet-mark=critical \
    out-interface=bridge1 packet-size=90-159 passthrough=no protocol=tcp \
    tcp-flags=ack
add action=mark-packet chain=postrouting comment=\
    "High-priority interactive traffic (SSH, WinBox, certain ACK packets)" \
    new-packet-mark=high_pri_interactive out-interface=bridge1 passthrough=no \
    port=22,2200 protocol=tcp
add action=mark-packet chain=postrouting new-packet-mark=high_pri_interactive \
    out-interface=ether1 passthrough=no port=8291 protocol=tcp
add action=mark-packet chain=postrouting new-packet-mark=high_pri_interactive \
    out-interface=ether1 packet-size=160-249 passthrough=no protocol=tcp \
    tcp-flags=ack
add action=mark-packet chain=postrouting comment=\
    "Low-priority interactive traffic (HTTP, HTTPS)" new-packet-mark=\
    low_pri_interactive out-interface=bridge1 passthrough=no port=80,443,8112 \
    protocol=tcp
add action=mark-packet chain=postrouting new-packet-mark=low_pri_interactive \
    out-interface=bridge1 packet-size=250-359 passthrough=no protocol=tcp \
    tcp-flags=ack
add action=mark-packet chain=postrouting comment=\
    "Low-priority non-interactive traffic (POP, SMTP)" new-packet-mark=\
    low_pri_non_interactive out-interface=bridge1 passthrough=no port=25,110 \
    protocol=tcp
add action=mark-packet chain=postrouting new-packet-mark=\
    low_pri_non_interactive out-interface=bridge1 packet-size=490-639 \
    passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=postrouting comment="Non-critical traffic (P2P)" \
    new-packet-mark=non_critical out-interface=bridge1 packet-size=640-809 \
    passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=postrouting new-packet-mark=non_critical \
    out-interface=bridge1 passthrough=no protocol=tcp

/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat src-address=10.0.1.0/24

/ip ipsec peer
add enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-strict \
    secret=x

Thank you in advance

L2TP Site to site vpn setup with example https://www.youtube.com/watch?v=of2lPs4qYrc

L2TP VPN for remote windows 7 https://www.youtube.com/watch?v=DabumC8T_Kc

Thank you for your answer, Tania. The first video seems more compatible with my configuration, except for the fact that the second router is not connected to the WAN but sits behind router 1. Is there any way that I can modify the settings of the first video to apply to my configuration?

Thank you in advance

Make sure you have “proxy-arp” enabled on the relevant interfaces. That will make you able to ping other devices

Thank you for your answer, but proxy-arp is enabled!

In router 1:

/interface bridge
add arp=proxy-arp comment=WAN-LAN-Wireless name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=sfp1 ] disabled=yes
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=3 arp=proxy-arp band=2ghz-b/g/n \
    channel-width=20/40mhz-ht-above country=greece disabled=no distance=\
    indoors frequency=2437 l2mtu=2290 max-station-count=30 mode=ap-bridge \
    wireless-protocol=802.11

and in router 2:

/interface bridge
add admin-mac=4C:5E:0C:E7:AD:F8 arp=proxy-arp auto-mac=no name=bridge-local

You state that you cannot ping the hosts.
Your firewall is definitely blocking this.

If you don’t want to read this essay I’m about to write, skip to the summary at the end.
I assume that you found this list of suggested firewall rules and put it on your system. It’s quite complicated and doesn’t look like something a Mikrotik newbie would create.

First big question:
Have you tried anything other than pings across the VPN, such as accessing file shares, web admin pages on devices, etc? I assume that you couldn’t ping, and haven’t tried any of the services.

I’m looking at your forwarding chain rules in the filter table.
(If you didn’t know, you can filter the view to just a specific chain with the drop-down at the top-right corner of the firewall screen)

The very third rule is #19, which has the comment “Disable ICMP ping” - but in fact, it throws away ALL icmp, regardless of type. Almost certainly this rule is why you can’t ping your VPN endpoints.

Notice rule 55: jump to chain “icmp” for icmp packets. This is a special filter for just icmp packets. You don’t need to block pings, traceroute, etc at the beginning of the master forwarding chain because ICMP is going to get filtered in its due place, so remove rules 17-19. That will probably fix the problem for you right there.

Your forward chain’s first rules should now be:

  • drop traffic from IPs that were detected doing port scans
  • drop packets with invalid connection tracking state
  • allow established connections
  • allow related connections
    (you can combine these two - it probably runs just a touch faster to do so, but I’m not sure)

Okay - when you get here in the forward chain, at this point, you are dealing with a packet that is a new connection, it is not to the Mikrotik itself, but to be forwarded. Anything here and below is a filter against what sort of new connections you will permit.

Now, I would insert two rules here
chain=forward action=accept dst-address-list=InternalNetworks
chain=forward action=accept src-address-list=InternalNetworks

Now go into the address lists tab and add each of your private IP ranges (e.g. 192.168.1.0/24 and 10.0.1.0/24)

So now that you have these two rules here right after allow established / allow related, you should be able to completely access everything across the VPN.

Now you can tighten up the rest of the rules to work faster and be a touch easier to read:

The next several rules exist to throw away traffic to/from well-known ‘fake’ IP ranges
This can be condensed to just two rules if you use an address list.
Create another address list called ‘bogons’ and add every one of the prefixes here.
In addition to the ones shown in this list, add 10.0.0.0/8 and 192.168.0.0/16

Now replace all of the rules that drop src-address=127.0.0.0/8 — drop dst-address=224.0.0.0/3
Replace them with these two rules:
chain=forward action=drop src-address-list=bogons in-interface=wan (put the wan interface here, not literally “wan”)
chain=forward action=drop dst-address-list=bogons out-interface=wan

Finally, if you want to block certain tcp/udp ports, or icmp types, add those rules to the tcp, udp, or icmp chains.

The list of blocked ports / allowed ICMP in those chains is pretty reasonable in my opinion. I don’t recommend blocking pings, etc. Being “unpingable” doesn’t help against being scanned. This firewall rule list is already chock full of scan detection anyway, and will auto-block those hosts. So let pings live!


Summary

  • Remove the first several rules in the forwarding chain that drop all ICMP
  • Create an address list for all of your private IP ranges that you use
  • Create two rules that explicitly allow all traffic to/from anything in those lists
  • Put these rules right after the allow established / related rules.
    ---- your VPN should work now
  • Convert the 18 rules that drop traffic to/from “fake” IP addresses into an address list called ‘bogons’
  • Remove those 18 rules, and replace them with two rules that drop all traffic to/from those address-lists.
  • The existing ICMP blocking is accomplished by the icmp chain - it currently permits several types and discards anything else. Just disable a rule here if you want a certain type dropped.
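
How the forward chain treats the VPN ping before and after the reordering described above, as an added Python example that is not code from the thread or from RouterOS: it walks a simplified rule table the way the router does (first match wins, no action means accept, jumps return when their chain matches nothing) and also checks that every address list a rule references actually exists, which is worth doing after renaming lists. The packets, the list contents and the interface name l2tp-in1 are constructed assumptions.

```python
# Added example, not code from the thread: a small model of how RouterOS walks
# its filter chains, showing why the opening post's forward chain drops a
# VPN-to-LAN ping and how ZeroByte's address-list rules change that. Packets,
# the list contents and the interface name "l2tp-in1" are constructed here.
import ipaddress
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    in_iface: str
    out_iface: str = ""
    conn_state: str = "new"
    icmp_opts: str = ""  # "type:code", e.g. "8:0" for echo request


def in_lists(addr, list_names, address_lists):
    """True if addr is inside any prefix of any of the comma-separated lists."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p, strict=False)
               for name in list_names.split(",") for p in address_lists.get(name, []))


def matches(rule, pkt, address_lists):
    """The subset of RouterOS matchers that the thread's forward/icmp rules use."""
    for key, value in (("protocol", pkt.proto), ("in-interface", pkt.in_iface),
                       ("out-interface", pkt.out_iface), ("icmp-options", pkt.icmp_opts)):
        if rule.get(key) not in (None, value):
            return False
    if "connection-state" in rule and pkt.conn_state not in rule["connection-state"].split(","):
        return False
    for key, addr in (("src-address-list", pkt.src), ("dst-address-list", pkt.dst)):
        if key in rule and not in_lists(addr, rule[key], address_lists):
            return False
    return True


def walk(rules, chain, pkt, address_lists):
    """(verdict, comment) of the first terminating rule, RouterOS-style: a rule
    without an action accepts, a jump whose target matches nothing returns to
    the caller, and the built-in forward chain accepts when nothing matched."""
    for rule in rules:
        if rule["chain"] != chain or not matches(rule, pkt, address_lists):
            continue
        action = rule.get("action", "accept")
        if action == "jump":
            verdict, why = walk(rules, rule["jump-target"], pkt, address_lists)
            if verdict != "return":
                return verdict, why
            continue
        return action, rule.get("comment", "")
    return ("accept" if chain == "forward" else "return"), "end of chain"


def undefined_lists(rules, address_lists):
    """List names that rules reference but no address-list entry defines; a rule
    matching on such a list never matches, silently."""
    used = {n for r in rules for k in ("src-address-list", "dst-address-list")
            if k in r for n in r[k].split(",")}
    return sorted(used - set(address_lists))


ICMP_CHAIN = [  # the thread's icmp chain, abbreviated to the types used below
    {"chain": "icmp", "comment": "echo reply", "protocol": "icmp", "icmp-options": "0:0"},
    {"chain": "icmp", "comment": "allow echo request", "protocol": "icmp", "icmp-options": "8:0"},
    {"chain": "icmp", "action": "drop", "comment": "deny all other types"},
]
COMMON = [  # established and related combined into one rule, as suggested
    {"chain": "forward", "action": "drop", "comment": "drop invalid connections", "connection-state": "invalid"},
    {"chain": "forward", "comment": "allow established/related", "connection-state": "established,related"},
]
JUMP = [{"chain": "forward", "action": "jump", "jump-target": "icmp", "protocol": "icmp"}]
ORIGINAL = [  # the opening post's first three forward rules come before everything else
    {"chain": "forward", "action": "drop", "comment": "Drop Traceroute", "protocol": "icmp", "icmp-options": "11:0"},
    {"chain": "forward", "action": "drop", "protocol": "icmp", "icmp-options": "3:3"},
    {"chain": "forward", "action": "drop", "comment": "Disable ICMP ping", "protocol": "icmp"},
] + COMMON + JUMP + ICMP_CHAIN
FIXED = COMMON + [  # ZeroByte's order: accept internal, drop bogons at the WAN port, then jump
    {"chain": "forward", "comment": "to InternalNetworks", "dst-address-list": "InternalNetworks"},
    {"chain": "forward", "comment": "from InternalNetworks", "src-address-list": "InternalNetworks"},
    {"chain": "forward", "action": "drop", "comment": "bogon source", "src-address-list": "bogons", "in-interface": "ether1"},
    {"chain": "forward", "action": "drop", "comment": "bogon destination", "dst-address-list": "bogons", "out-interface": "ether1"},
] + JUMP + ICMP_CHAIN
LISTS = {  # a subset of the prefixes the thread puts in each list
    "InternalNetworks": ["192.168.1.0/24", "10.0.1.0/24"],
    "bogons": ["127.0.0.0/8", "169.254.0.0/16", "10.0.0.0/8", "198.51.100.0/24", "224.0.0.0/3"],
}
VPN_PING = Packet("10.0.1.2", "192.168.1.4", "icmp", "l2tp-in1", "bridge1", icmp_opts="8:0")
SPOOFED = Packet("198.51.100.7", "8.8.8.8", "tcp", "ether1", "ether1")

if __name__ == "__main__":
    print("original:", walk(ORIGINAL, "forward", VPN_PING, LISTS))  # ('drop', 'Disable ICMP ping')
    print("fixed:   ", walk(FIXED, "forward", VPN_PING, LISTS))     # ('accept', 'to InternalNetworks')
    print("spoofed: ", walk(FIXED, "forward", SPOOFED, LISTS))      # ('drop', 'bogon source')
```

Running `undefined_lists` over a rule table before applying it catches a rule that names a list (for example after a rename) that no address-list entry defines.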

Hello ZeroByte, thank you for your very detailed explanation and for the time it took to write it.

Yes, I am a MikroTik newbie and I found these firewall rules by reading various forums. Before adding them I tried to understand each one first with my limited knowledge, as I am self-learning. The rule that disables ICMP is not active (I think that the disabled=yes statement might have been deleted by mistake when I was editing the file).

I have applied your suggestions and I admit that my firewall looks nicer now! :smiley: :smiley: I have also cleaned up some rules that were not used. So now my firewall configuration is the one below. If you have time, take a look, and if you have any other suggestions please let me know.

As far as the VPN is concerned, I mainly used it for remote desktop in order to access my PCs at home. It was working flawlessly, but recently I bought another Mikrotik router because the wireless signal was not good everywhere. So I bought a Mikrotik hAP. I attached it to the LAN with IP address 192.168.1.2/24 and then I created the 192.168.88.0/24 subnet, which was on the wireless interface of the hAP.

When I am connected to the VPN I could ping 192.168.88.1, but I could not ping the 192.168.88.5 PC, which was the one I want to connect to with remote desktop or VNC.

Thank you again

/ip firewall address-list
add address=172.16.0.0/12 list=bogons
add address=192.168.1.0/24 list=InternalNetworks
add address=10.0.1.0/24 list=InternalNetworks
add address=169.254.0.0/16 list=bogons
add address=127.0.0.0/8 list=bogons
add address=192.0.0.0/24 list=bogons
add address=198.18.0.0/15 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=224.0.0.0/3 list=bogons
add address=10.0.0.0/8 list=bogons
/ip firewall filter
add chain=input comment="Allow Ping from LAN" protocol=icmp
add chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add chain=input comment="Allow PPTP" dst-port=1723 in-interface=bridge1 \
    protocol=tcp
add action=log chain=input comment="Allow L2TP connections" disabled=yes \
    in-interface=bridge1
add chain=input connection-state=new dst-port=500 in-interface=bridge1 \
    protocol=udp
add chain=input connection-state=new dst-port=4500 in-interface=bridge1 \
    protocol=udp
add chain=input connection-state=new dst-port=1701 in-interface=bridge1 \
    protocol=udp
add chain=input comment="Allow Winbox from WAN" disabled=yes dst-port=8291 \
    in-interface=ether1 log=yes protocol=tcp
add chain=services comment="accept localhost" dst-address=127.0.0.1 \
    src-address=127.0.0.1
add chain=input dst-address=192.168.1.1 dst-port=80 protocol=tcp src-port=80
add chain=services comment="allow IPSec" protocol=ipsec-esp
add chain=services comment="allow IPSec" protocol=ipsec-ah
add chain=services comment="allow DHCP" dst-port=67-68 protocol=udp
add chain=services comment="Bandwidth server" dst-port=2000 protocol=tcp
add chain=services comment=" MT Discovery Protocol" dst-port=5678 protocol=\
    udp
add chain=services comment="allow SNMP" dst-port=161 protocol=tcp
add chain=services comment="allow DNS request" dst-port=53 protocol=tcp
add chain=services comment="Allow DNS request" dst-port=53 protocol=udp
add chain=input comment="Allow Established connections" connection-state=\
    established
add chain=input in-interface=pppoe-out1 src-address=192.168.1.0/24
add chain=forward comment=\
    "allow related connections and established connections" connection-state=\
    established,related
add chain=forward dst-address-list=InternalNetworksLAN,InternalNetworksVPN
add chain=forward src-address-list=InternalNetworksLAN,InternalNetworksVPN
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list" \
    protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=10h chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
add action=drop chain=forward comment="dropping port scanners" \
    src-address-list="port scanners"
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid
add action=drop chain=forward comment="drop fake IP addresses" in-interface=\
    ether1 src-address-list=bogons
add action=drop chain=forward dst-address-list=bogons in-interface=ether1
add action=jump chain=forward comment="Make jumps to new chains" jump-target=\
    tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 \
    protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 \
    protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 \
    protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny  BackOriffice" dst-port=3133 \
    protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 \
    protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 \
    protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=\
    udp
/ip firewall mangle
add action=mark-packet chain=postrouting comment=\
    "Link-critical traffic (DHCP)" dst-port=67 new-packet-mark=link_critical \
    out-interface=bridge1 passthrough=no protocol=udp src-port=68
add action=mark-packet chain=postrouting comment=\
    "IPSec VPN (same priority as link critical)" new-packet-mark=\
    link_critical out-interface=ether1 passthrough=no protocol=ipsec-esp
add action=mark-packet chain=postrouting comment="Time-critical traffic (DNS, \
    TCP control packets, certain ACK packets, new connections)" dst-port=53 \
    new-packet-mark=time_critical out-interface=bridge1 passthrough=no \
    protocol=udp
add action=mark-packet chain=postrouting new-packet-mark=time_critical \
    out-interface=bridge1 passthrough=no protocol=tcp tcp-flags=fin,syn,rst
add action=mark-packet chain=postrouting new-packet-mark=time_critical \
    out-interface=bridge1 packet-size=40-89 passthrough=no protocol=tcp \
    tcp-flags=ack
add action=mark-packet chain=postrouting connection-state=new \
    new-packet-mark=time_critical out-interface=bridge1 passthrough=no \
    protocol=tcp
add action=mark-packet chain=postrouting comment=\
    "Critical traffic (just some ACK packets)" new-packet-mark=critical \
    out-interface=bridge1 packet-size=90-159 passthrough=no protocol=tcp \
    tcp-flags=ack
add action=mark-packet chain=postrouting comment=\
    "High-priority interactive traffic (SSH, WinBox, certain ACK packets)" \
    new-packet-mark=high_pri_interactive out-interface=ether1 passthrough=no \
    port=22,2200 protocol=tcp
add action=mark-packet chain=postrouting new-packet-mark=high_pri_interactive \
    out-interface=ether1 passthrough=no port=8291 protocol=tcp
add action=mark-packet chain=postrouting new-packet-mark=high_pri_interactive \
    out-interface=ether1 packet-size=160-249 passthrough=no protocol=tcp \
    tcp-flags=ack
add action=mark-packet chain=postrouting comment=\
    "Low-priority interactive traffic (HTTP, HTTPS)" new-packet-mark=\
    low_pri_interactive out-interface=bridge1 passthrough=no port=80,443,8112 \
    protocol=tcp
add action=mark-packet chain=postrouting new-packet-mark=low_pri_interactive \
    out-interface=bridge1 packet-size=250-359 passthrough=no protocol=tcp \
    tcp-flags=ack
add action=mark-packet chain=postrouting comment=\
    "Low-priority non-interactive traffic (POP, SMTP)" new-packet-mark=\
    low_pri_non_interactive out-interface=bridge1 passthrough=no port=25,110 \
    protocol=tcp
add action=mark-packet chain=postrouting new-packet-mark=\
    low_pri_non_interactive out-interface=bridge1 packet-size=490-639 \
    passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=postrouting comment="Non-critical traffic (P2P)" \
    new-packet-mark=non_critical out-interface=bridge1 packet-size=640-809 \
    passthrough=no protocol=tcp tcp-flags=ack
add action=mark-packet chain=postrouting new-packet-mark=non_critical \
    out-interface=bridge1 passthrough=no protocol=tcp
add action=mark-routing chain=prerouting new-routing-mark=l2tp-vpn \
    src-address=10.0.1.2-10.0.1.10
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat log=yes src-address=10.0.1.0/24
add action=masquerade chain=srcnat src-address=192.168.88.0/24

OK - so if I understand you correctly, there is a network 192.168.88.0/24 at the home network and you wish to reach 192.168.88.5, and you wish to do so from the office, going across the VPN.

Is the hAP connected behind another mikrotik at your house?

In your posted configs, there’s nothing about the VPN - from the sound of things, you’ll need to route 192.168.88.0/24 across the VPN. You can do that in the ppp profile - there is a field called “routes” - put this there:
192.168.88.0/24 0.0.0.0 1

This makes sure the route to your 88 network gets installed in the routing table whenever the VPN is active.

The Mikrotik at the house will need to create routes for your office’s networks. These will have to be static routes with gateway=l2tp interface (no next hop IP)

Hello again!

Yes, the hAP is connected behind another Mikrotik router. I added the route, but still nothing! It is strange, though, because I can ping 192.168.88.1, which is the hAP address on its wireless interface. I have attached the configurations of both routers. From a computer in the 192.168.88.0/24 subnet I can ping 192.168.88.5.

Thank you again!

You should just let the hAP be a bridge and have no DHCP server, no extra IP network for the wlan, etc.
Making it a router adds extra complexity that doesn’t need to be there.

It should have wireless configs, and a bridge that connects wlan1 and ether1 (ether2-4 = slave-local)
Then put the dhcp client on the bridge-local interface instead.

Remove all firewall and nat rules. This should just be a “dumb” access point.

Hello ZeroByte!

Thanks for your suggestion! That’s what I did and everything is now back to normal!

Thank you

It could definitely have worked as a router, but the explanation would have been longer, and a simple AP is much better for your installation, anyway. Don’t you like it when the right solution is easier?
:smiley:

Yes, of course! Actually I am a fan of the KISS rule!

Thank you for your suggestions and interest!