Hi -
I have an L2TP / IPSec VPN server configured and working (except for internet access) as per these instructions -
https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
The VPN tunnel works and I can see the assets on the remote networks - as the firewall allows. The VPN network has a nat Masq rule.
Any ideas?
I assume you claim the fact that the client cannot access internet via the L2TP tunnel. If the client cannot access internet at all while the L2TP connection is active, the issue is at Mikrotik side; if it can access internet but bypassing the L2TP tunnel, it is the routing setting at client side which differs depending on client type.
The instructions on the Wiki cover the key subject, but cannot cover all individual environments, so the reader always has to implement the key subject into his local context. And referring to the Wiki doesn’t provide any information on how your actual firewall rules and routing look like. Don’t ask what it might be, post the configuration to let someone else find what it really is, as this is a much easier task.
Ok - good idea
# jun/09/2019 17:49:01 by RouterOS 6.44.3
/interface vlan
add interface=main_bridge name=main-v10 vlan-id=10
/interface list
add name=WAN
add name=LAN
/ip pool
add name=main ranges=192.168.254.50-192.168.254.199
add name=vpn ranges=192.168.50.50-192.168.50.80
/ip dhcp-server
add address-pool=main dhcp-option-set="IP Phones" disabled=no interface=\
main-v10 lease-time=3d name=main_server
/ppp profile
set *FFFFFFFE dns-server=1.1.1.1,8.8.8.8 idle-timeout=15m local-address=\
192.168.50.2 remote-address=vpn use-encryption=required
/interface bridge port2
add bridge=main_bridge comment="Trunk #1" interface=ether2
add bridge=main_bridge comment="Trunk #2" interface=ether3
/ip settings
set rp-filter=strict
/interface bridge vlan
add bridge=main_bridge comment=main_network tagged=main_bridge,ether2,ether3 \
vlan-ids=10
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=required
/interface list member
add interface=ether1 list=WAN
add interface=main-v10 list=LAN
/ip address
add address=192.168.254.1/24 comment="Main Network" interface=main-v10 \
network=192.168.254.0
add address=x.x.x.x comment="Modem" interface=ether1 \
network=x.x.x.x
/ip cloud
set ddns-enabled=yes
/ip dns
set allow-remote-requests=yes servers=\
192.168.254.6,1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4
/ip firewall address-list
add address=192.168.254.0/24 comment=Default list=main
add address=192.168.50.0/24 comment=Default list=vpn
/ip firewall filter
add action=accept chain=input comment="Allow established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid input" connection-state=\
invalid
add action=accept chain=input comment="Allow L2TP/IPSec VPN connection" \
dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow L2TP/IPSec VPN connection" \
in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment=\
"Allow main list into router" src-address-list=main
add action=drop chain=input comment=\
"drop all else"
add action=fasttrack-connection chain=forward comment=\
"Allow forward fasttrack" connection-state=established,related
add action=accept chain=forward comment=\
"Allow Forward established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="Drop invalid forward" \
connection-state=invalid
add action=accept chain=forward comment=\
"Alllow LAN interface-list out wan interface-list" in-interface-list=LAN \
out-interface-list=WAN
add action=accept chain=forward comment=\
"Allow VPN to main network connections" dst-address-list=main \
src-address-list=vpn
add action=accept chain=forward comment="RFC 6092 - accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="RFC 6092 - accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=drop chain=forward comment=\
"Drop new connections from internet which are not dst-natted" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop packets from LAN interface-list th\
at do not come from the LAN interface-list" in-interface-list=LAN \
out-interface-list=!LAN
add action=drop chain=forward comment="should be out"
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade all LAN traffic" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=x.x.x.x
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system ntp client
set enabled=yes server-dns-names="0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org\
,3.pool.ntp.org,time.google.com"
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Thanks for you help.
The only rule in the firewall chain of your “drop-all-but-exceptions” firewall which permits outbound connections through WAN is
action=accept chain=forward comment=“Alllow LAN interface-list out wan interface-list” in-interface-list=LAN out-interface-list=WAN,
but as the VPN interfaces are not members of interface list LAN, this rule doesn’t allow packets coming from these interfaces to establish new connections to internet.
Another permissive rule is action=accept chain=forward comment=“Allow VPN to main network connections” dst-address-list=main src-address-list=vpn which refers to src-address-list=vpn but only the LAN subnet 192.168.254.0/24 is listed in the dst-address-list=main so this rule also doesn’t match packets from VPN clients to internet.
And that’s it, the two remaining permissive rules which refer to ipsec-policy are irrelevant because IPsec is only used to encrypt the transport packets of the L2TP, so the payload packets coming in via the L2TP tunnel do not match any IPsec policy.
So either add an interface-list=LAN item to the /ppp profile, so that each dynamically created L2TP server interface would be added as a member to the interface list, or add another rule like action=accept chain=forward comment=“Allow VPN to internet” out-interface-list=WAN src-address-list=vpn before the last action=drop rule, and remove the last-but-one and last-but-two action=drop rules because they are useless in the current setup. The first one permits dst-natted packets which came in via WAN to go further through the chain but the next rule ignores them and the last rule drops them; the second one drops anything from LAN to anywhere else but again, what this rule ignores is dropped by the last one.
“So either add an interface-list=LAN item to the /ppp profile”
This looks like a cleaner way to do it. Should I add the interface-list=LAN to both the default and default-encryption profile? To test, I added it to the default-encryption profile and it worked. I did not realize you could dynamically add to an interface list - even thought it was right in front of me… Very neat feature.
“ipsec-policy are irrelevant because IPsec is only used to encrypt the transport packets of the L2TP”
To be honest I left these rules as they came in MTs default firewall rules. I did not have a clear understanding of when they would match. Now I mostly do… 
.
“remove the last-but-one and last-but-two action=drop rules because they are useless in the current setup.”
The last drop rule needs to stay - it is these two that are useless?
add action=drop chain=forward comment=\
"Drop new connections from internet which are not dst-natted" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop packets from LAN interface-list th\
at do not come from the LAN interface-list" in-interface-list=LAN \
out-interface-list=!LAN
Would the first rule be more effective (match) earlier in the chain? I assume it simply does not matter as it will hit the last rule and drop anyway. So perhaps there is no advantage to it.
Last Question - Is it a best practice to have one catch all Masq rule, or to use multiple Masq rules for each network? I can be more granular with a rule for each, but is not as clean. What is your preference?
Thank you again for all your help.
It depends on which profile your /interface l2tp-server server, or your /ppp secret refer (the latter, if set, supersedes the former)
Correct.
Exactly. That rule (drop what comes in via WAN unless dst-nated) remained there from the default firewall settings, and its effect in the default firewall settings is “accept any connection initiated from LAN side, accept any connection initiated from WAN side if dst-nated, drop the rest” because what is not dropped by that rule is accepted as it is the last rule in the forward chain and the default handling if no rule matches is hardcoded to “accept” (unlike in naked linux iptables where you can set default handling for each chain).
First of all, action=masquerade should only be used with interfaces whose address dynamically changes, because each change of address or interface going down causes all masqueraded connections to be dropped. Other than that, there is no actual preference - whereas in the mangle chain every packet is handled so you it is important to make the number of rules a packet has to pass through as low as possible, the nat chains only handle the initial packet of each connection so it is not so critical to have one rule per WAN interface. So after all it is the readability what matters most if you plan to modify your firewall now and then.
Thank you again.
Hello,
I am have been trying to use the internet while connected to L2TP connection but cannot figure it out.
Please advise
Thanks
Remove the .rsc file immediately, I’ll explain why in the next post.
Hello
I am trying to access the internet while connected to L2tp tunnel from windows client
1)Masq setup:
2)Here are nat rules:
0 ;;; Customer_Nat_sector_2
chain=srcnat action=src-nat to-addresses=x.x.x.79 to-ports=0-65535
protocol=tcp src-address=10.10.1.0/28 log=no log-prefix=“”
1 chain=srcnat action=masquerade out-interface=ether1_Upstream_Calix_Wan
log=no log-prefix=“”
2 chain=srcnat action=src-nat to-addresses=x.x.x.79 to-ports=0-65535
protocol=udp src-address=10.10.1.0/28
3 X chain=dstnat action=dst-nat to-addresses=10.254.254.1 protocol=tcp
in-interface=ether1_Upstream_Calix_Wan log=no log-prefix=“”
4 ;;; Customer_Nat_sector_2
chain=srcnat action=src-nat to-addresses=x.x.x.79 to-ports=0-65535
protocol=tcp src-address=10.10.2.0/24
5 chain=srcnat action=src-nat to-addresses=x.x.x.79 to-ports=0-65535
protocol=tcp src-address=100.29.12.0/24
6 chain=srcnat action=src-nat to-addresses=x.x.x.79 to-ports=0-65535
protocol=udp src-address=100.29.12.0/24
filer rules
0 chain=forward action=accept src-address=100.64.0.0/10 log=no log-prefix=“”
1 chain=input action=accept src-address=100.64.0.0/10 log=no log-prefix=“”
2 ;;; Allow L2tp_Vpn(ipsec_ESP)
chain=input action=accept protocol=ipsec-esp
in-interface=ether1_Upstream_Calix_Wan log=no log-prefix=“”
3 chain=input action=accept protocol=tcp dst-port=8728 log=no log-prefix=“”
4 ;;; Allow_L2tp_VPN_(1701/UDP)
chain=input action=accept protocol=udp
in-interface=ether1_Upstream_Calix_Wan dst-port=1701 log=no log-prefix=“”
5 ;;; Allow_L2tp _VPN _(500/udp)
chain=input action=accept protocol=udp
in-interface=ether1_Upstream_Calix_Wan dst-port=500 log=no log-prefix=“”
6 ;;; Allow_L2tp_Vpn_(4500/UDP)
chain=input action=accept protocol=udp
in-interface=ether1_Upstream_Calix_Wan dst-port=4500 log=no log-prefix=“”
I am beginner and looking to find out how to allow internet through l2tp connection
Thanks
I’ve promised to explain why you should have removed the export file. You’ve left the public IP in the file you’ve posted, you’ve left the complete /ppp secret row there, and your firewall is non-existent as you’ve missed the fact that the default handling is accept, i.e. if a packet doesn’t match any of your action=accept rules, it is accepted anyway because there is no “drop the rest” rule.