L2TP VPN subnet routing

Hi everyone

I have an office MikroTik running RouterOS v7.15.3 (Office B) on which I have created an L2TP profile for the remote users. I can successfully connect to the office network with the L2TP credentials and access the 192.168.150.x/24 subnet defined on the office router.

We also have an SSTP client configured on this router that connects us to Office A, where we have the 192.168.0.0/16 subnet. Users in Office B can access everything in Office A, as we have a static route in place.

The problem is that when a user connects to the Office B network via L2TP, that user is not able to access the Office A subnet.

I have tried various firewall filter and NAT rules, but those didn’t help either. I would be grateful if an expert could look into it and guide me. The config is quite simple and small.

# 2024-09-11 08:35:32 by RouterOS 7.15.3

#
# model = RB3011UiAS

# Office B edge router. What this export shows:
#   bridge1 (ether2-ether10, sfp1)  192.168.150.0/24 LAN, DHCP from dhcp_pool1
#   L2TP/IPsec server               remote users get 192.168.240.2-250 from pool VPN
#   sstp-out-office-A               SSTP client towards Office A; the static routes
#                                   below send 192.168.0.0/16 and 10.20/10.30/10.40.0.0/16
#                                   to 192.168.254.1
# NOTE(review): a plain /export omits sensitive values (IPsec secret, PPP passwords),
# so the absence of those fields here does not mean they are unset.

/interface bridge
add name=bridge1 port-cost-mode=short
# "test" is disabled and has no ports; looks like a leftover.
add disabled=yes name=test
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# dhcp_pool1 feeds dhcp1 on bridge1; VPN is handed to L2TP clients through profile xyz.
add name=dhcp_pool1 ranges=192.168.150.2-192.168.150.254
add name=VPN ranges=192.168.240.2-192.168.240.250
/ip dhcp-server
add address-pool=dhcp_pool1 interface=bridge1 name=dhcp1
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/ppp profile
# Router side of every L2TP session is 192.168.240.1 (outside the pool, which starts
# at .2); each client gets one address from pool VPN. No dns-server is set in this
# profile, so clients are not handed a resolver over the tunnel.
add local-address=192.168.240.1 name=xyz remote-address=VPN
/interface sstp-client
# Tunnel to Office A; "public-ip" is a redacted placeholder for the real endpoint.
# NOTE(review): the gateway 192.168.254.1 used by the static routes below is not any
# address configured in this export — presumably the PPP peer address learned over
# this tunnel. Confirm with "/ip address print" (dynamic entries) before relying on it.
add authentication=mschap2 connect-to=public-ip disabled=no name=\
    sstp-out-office-A port=543 profile=default-encryption proxy-port=\
    543 user=MT-Office-B
/interface bridge port
add bridge=bridge1 interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether6 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether7 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether8 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether9 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=ether10 internal-path-cost=10 path-cost=10
add bridge=bridge1 interface=sfp1 internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
# "!dynamic" = every non-dynamic interface, which includes ether1 (WAN).
# NOTE(review): the usual choice is discover-interface-list=LAN so MNDP/LLDP is not
# announced towards the Internet.
set discover-interface-list=!dynamic
/interface l2tp-server server
# L2TP over IPsec (use-ipsec=yes, L2TPv2 only, MS-CHAPv2). The ipsec-secret is not
# shown in this export.
set accept-proto-version=l2tpv2 authentication=mschap2 enabled=yes use-ipsec=\
    yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.150.1/24 interface=bridge1 network=192.168.150.0
/ip dhcp-client
# ether1 (WAN) address comes from the upstream DHCP server.
add interface=ether1
/ip dhcp-server lease
# Static lease for the NVR that the dst-nat rules below point at.
add address=192.168.150.9 client-id=1:1c:c3:16:a:43:7e comment=NVR \
    mac-address=1C:C3:16:0A:43:7E server=dhcp1
/ip dhcp-server network
add address=192.168.150.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.150.1
/ip dns
# Upstream resolvers for the router itself; allow-remote-requests is not set in this
# export, so as far as this file shows the router is not acting as a resolver for clients.
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
# "Camera" is not referenced by any rule in this export; "Office A" and "VPN" are used
# only by the (unreachable) last forward rule below.
add address=192.168.150.0/24 list=Camera
add address=192.168.0.0/16 list="Office A"
add address=192.168.240.0/24 list=VPN
/ip firewall filter
# The first forward rule has no matchers and accepts every forwarded packet, so the
# three rules after it can never match. Two consequences:
#  - filtering is NOT what stops L2TP clients from reaching Office A; their packets are
#    forwarded (see the NAT/route notes below for the likely cause);
#  - there is no chain=input rule at all in this export, so every service the router
#    listens on (L2TP/IPsec, DNS, and whatever /ip service leaves enabled) is reachable
#    from ether1 unless something outside this export restricts it.
# NOTE(review): the usual shape is an input chain that accepts established/related,
# accepts only the needed ports (L2TP/IPsec) from WAN, and drops the rest, plus a
# forward chain that drops invalid and anything from WAN that is not dst-natted.
add action=accept chain=forward
add action=accept chain=forward dst-port=554 protocol=tcp
add action=accept chain=forward dst-port=554 protocol=udp
add action=accept chain=forward dst-address-list="Office A" src-address-list=\
    VPN
/ip firewall nat
# Masquerade applies only to traffic leaving via ether1. Packets from L2TP clients
# (192.168.240.x) and from the LAN (192.168.150.x) towards Office A leave through
# sstp-out-office-A with their original source address, so Office A must hold return
# routes for BOTH prefixes via the tunnel.
# NOTE(review): LAN reaching Office A while the VPN pool does not is consistent with
# Office A knowing only 192.168.150.0/24 — confirm on the Office A side. Either add a
# route for 192.168.240.0/24 back over the tunnel there, or masquerade
# out-interface=sstp-out-office-A here.
add action=masquerade chain=srcnat out-interface=ether1
# The four dst-nat rules below match on dst-port only: no in-interface-list=WAN and no
# dst-address / dst-address-type=local. They therefore rewrite transit traffic too — a
# LAN or L2TP user opening TCP/80 (or RTSP 554) on ANY host, including a server in
# Office A, is silently redirected to the NVR at 192.168.150.9. Restrict them with
# in-interface-list=WAN (or dst-address-type=local) so only traffic addressed to the
# router's own WAN address is forwarded to the NVR. Also note that, combined with the
# accept-all forward chain, the NVR web UI and RTSP stream are reachable from the
# Internet; UDP/80 is unusual and probably not needed.
add action=dst-nat chain=dstnat comment=NVR dst-port=80 protocol=tcp \
    to-addresses=192.168.150.9 to-ports=80
add action=dst-nat chain=dstnat dst-port=80 protocol=udp to-addresses=\
    192.168.150.9 to-ports=80
add action=dst-nat chain=dstnat dst-port=554 protocol=tcp to-addresses=\
    192.168.150.9 to-ports=554
add action=dst-nat chain=dstnat dst-port=554 protocol=udp to-addresses=\
    192.168.150.9 to-ports=554
/ip firewall service-port
# RTSP connection-tracking helper, needed for the dst-natted 554 above.
set rtsp disabled=no
/ip route
# Static routes towards Office A networks via 192.168.254.1 (see sstp-client note).
# Nothing here is specific to the L2TP clients: a 192.168.240.x source with an
# Office A destination takes the same path as the LAN does.
add disabled=no dst-address=192.168.0.0/16 gateway=192.168.254.1 \
    routing-table=main suppress-hw-offload=no
add disabled=no dst-address=10.20.0.0/16 gateway=192.168.254.1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=10.30.0.0/16 gateway=192.168.254.1 routing-table=\
    main suppress-hw-offload=no
add disabled=no dst-address=10.40.0.0/16 gateway=192.168.254.1 routing-table=\
    main suppress-hw-offload=no
/ip service
# telnet, ftp, www, api and api-ssl are disabled. ssh and winbox are not mentioned, so
# they stay at whatever was set outside this export (defaults: enabled, no address
# restriction). With no input filter above they are reachable from WAN; consider
# address=<LAN and VPN prefixes> on them, or an input drop rule.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes port=15236
set api-ssl disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ppp secret
# Single L2TP account; the password is not shown in this export.
add name=xyz profile=xyz service=l2tp
/system clock
# "xyz" is a redacted placeholder, not a valid time zone name.
set time-zone-name=xyz
/system identity
set name=Office-B
/system logging
# Firewall rule hits go to the log; none of the rules above set log=yes though, so this
# only catches rules logged elsewhere or added later.
add topics=firewall
/system note
set show-at-login=no
/system package update
# NOTE(review): "development" installs pre-release builds; stable or long-term is the
# usual channel for a production edge router.
set channel=development
/user group
# Custom group named "admin" (distinct from the built-in "full"): grants ftp, winbox,
# web, rest-api, sensitive, password, reboot, read/write/test and romon, and explicitly
# denies telnet, ssh, policy and api.
add name=admin policy="local,ftp,reboot,read,write,test,winbox,password,web,sn\
    iff,sensitive,romon,rest-api,!telnet,!ssh,!policy,!api"