L2TP with Ipsec cannot connect from outside LAN

djboxny · July 5, 2016, 2:52am

[djboxny@DJbox Home AP ] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; Allow access thru the router from lan usning a adress list
      chain=input action=accept src-address-list=OurLocalLan log=no 
      log-prefix="" 

 1    ;;; L2TP/IPSEC RULE 1701
      chain=input action=accept protocol=udp 
      src-address-list=L2TP-IPSEC allow list dst-port=1701 log=no log-prefix="" 

 2    ;;; L2TP/IPSEC RULE 1701
      chain=input action=accept protocol=tcp 
      src-address-list=L2TP-IPSEC allow list dst-port=1701 log=no log-prefix="" 

 3    ;;; L2TP/IPSEC RULE
      chain=input action=accept protocol=udp dst-port=500 log=no log-prefix="" 

 4    ;;; L2TP/IPSEC RULE 4500
      chain=input action=accept protocol=udp dst-port=4500 log=no log-prefix="" 

 5    ;;; l2tp ipsec protocal 50
      chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 

 6    ;;; ipsec AH l2tp
      chain=input action=accept protocol=ipsec-ah log=no log-prefix="" 

 7    ;;; PPTP Gre allow
      chain=input action=accept protocol=gre log=no log-prefix="" 

 8    ;;; Allow establish connections to the router
      chain=input action=accept connection-state=established log=no 
      log-prefix="" 

 9    ;;; Allow related connections to the router
      chain=input action=accept connection-state=related log=no log-prefix="" 

10    ;;; Aloow connectons from the LAN
      chain=forward action=accept connection-state=new in-interface=bridge1 
      log=no log-prefix="" 

11    ;;; Aloow establisshed connections on LAN
      chain=forward action=accept connection-state=established log=no 
      log-prefix="" 

12    ;;; Allow Related connections on LAN
      chain=forward action=accept connection-state=related log=no log-prefix="" 

13    ;;; 5060 3cx
      chain=forward action=accept protocol=tcp dst-address=192.168.1.9 
      dst-port=5060 log=no log-prefix="" 

14    ;;; 5060 3cx
      chain=forward action=accept protocol=udp dst-address=192.168.1.9 
      dst-port=5060 log=no log-prefix="" 

15    ;;; 3cx external ports
      chain=forward action=accept protocol=udp dst-address=192.168.1.9 
      dst-port=40000-40200 log=no log-prefix="" 

16    ;;; 3cx external ports
      chain=forward action=accept protocol=tcp dst-address=192.168.1.9 
      dst-port=40000-40200 log=no log-prefix="" 

17    ;;; 3cx tunnel 5090
      chain=forward action=accept protocol=tcp dst-address=192.168.1.9 
      dst-port=5090 log=no log-prefix="" 

18    ;;; 3cx tunnel 5090
      chain=forward action=accept protocol=udp dst-address=192.168.1.9 
      dst-port=5090 log=no log-prefix="" 

19    ;;; Plex 
      chain=forward action=accept protocol=tcp dst-address=192.168.1.9 
      dst-port=32400 log=no log-prefix="" 

20    ;;; Drop Invalid connections thru the router
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

21    ;;; Drop all other traffic to the router
      chain=input action=drop log=no log-prefix="" 

22    ;;; Drop all other connection states
      chain=forward action=drop log=no log-prefix=""

Hi, I can’t seem to get my l2tp with ipsec setup to work. If i disable all Firewall Filter rules it works fine. Here are my filter fules

jebz · July 5, 2016, 11:38am

Open Winbox and look at the Firewall filter rules on the router as you attempt to log in. The counters will show you what rule effecting the connection.

loveman · July 5, 2016, 12:14pm

Upolad photos for ip firewall
Regardless you upolad external code

djboxny · July 5, 2016, 8:01pm

Cant you see the rules i posted as code? The firewall rules. Its getting block by the last 2 rules

pe1chl · July 5, 2016, 8:16pm

Temporarily enable Log on the rule that blocks it and see what the traffic is that does not match.

djboxny · July 6, 2016, 3:32am

this is what i got after logging the Foward Chain, DROP everything rule. it shows me this
(this is the last rule protecting my router)

jul/05 23:30:45 firewall,info Drop All other traffic to the r: in:ether1 out:(none), src-mac f4:5f:d4:b7:60:95, proto UDP, 172.58.217.202:38319->XXX.XX.WAN.IP:1701, len 70 
jul/05 23:30:47 firewall,info Drop All other traffic to the r: in:ether1 out:(none), src-mac f4:5f:d4:b7:60:95, proto UDP, 172.58.217.202:38319->XXX.XX.WAN.IP:1701, len 70 
jul/05 23:30:48 firewall,info Drop All other traffic to the r: in:ether1 out:(none), proto UDP, XXX.XX.WAN.IP:55005->255.255.255.255:5678, len 165 
jul/05 23:30:48 firewall,info Drop All other traffic to the r: in:ether1 out:(none), src-mac f4:5f:d4:b7:60:95, proto TCP (SYN), 103.207.36.187:45911->XXX.XX.WAN.IP:22, len 40 
jul/05 23:30:50 firewall,info Drop All other traffic to the r: in:ether1 out:(none), proto UDP, 172.58.217.202:53945->XXX.XX.WAN.IP:1701, len 98 
jul/05 23:30:50 firewall,info Drop All other traffic to the r: in:ether1 out:(none), proto UDP, 172.58.217.202:53945->XXX.XX.WAN.IP:1701, len 98 
jul/05 23:30:52 firewall,info Drop All other traffic to the r: in:ether1 out:(none), src-mac f4:5f:d4:b7:60:95, proto UDP, 172.58.217.202:38319->XXX.XX.WAN.IP:1701, len 70 
jul/05 23:30:53 firewall,info Drop All other traffic to the r: in:ether1 out:(none), proto UDP, 172.58.217.202:53945->XXX.XX.WAN.IP:1701, len 98

djboxny · July 10, 2016, 3:57pm

Anyone please