MT VPN L2TP and IPsec - cannot ping remote LAN and vice versa

Hi there

I am fairly new to MT, but am learning fast.
I have an RB750 (server) and an RB951-2n (client) where an L2TP/IPsec tunnel has been configured and is working. Both MTs have dynamic public IPs; I am running a DynDNS update script to map the dynamic IP address to a DynDNS hostname.
Both sides have internet access.
No firewall rules have been configured.
I can ping the L2TP tunnel address from either side and the connection is established.
Every MT has an EoIP dial-up interface to the ISP; every MT is connected to a Tenda ADSL router which is in bridged mode.

However, I cannot ping from server LAN to client LAN and vice versa.

What am I overlooking, or why can't I get LAN-to-LAN connectivity?

Any help is much appreciated.

Do you have static routes set up? Try pinging from the router to the LAN server.

If both sites are behind NAT, then you need a bypass rule for your remote network.

Change "local network" and "remote network" to your sites' actual IP networks.

Site 1
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address="local network" dst-address="remote network"

Site 2
/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address="local network" dst-address="remote network"

Post your export.


I can ping from the MT router to the remote LAN; I receive a reply when I ping from ANY or from the L2TP interface.

Hi There

Thank you for the reply.

I have exported /ip firewall nat, /interface and /ip addresses for both routers.

First the server side router's export.

IP addresses Server side

# dec/20/2013 15:54:06 by RouterOS 4.11
# software id = WSN9-LLT5

/ip address
add address=10.0.1.4/24 broadcast=10.0.1.255 comment="" disabled=no
    interface=ether1 network=10.0.1.0
add address=192.168.0.1/24 broadcast=192.168.0.255 comment="" disabled=no
    interface=LAN network=192.168.0.0

Interfaces server side

# dec/20/2013 15:52:59 by RouterOS 4.11
# software id = WSN9-LLT5

/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes
    l2mtu=1526 mac-address=00:0C:42:87:34:63 mtu=1500 name=ether1 speed=
    100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:87:34:64
    master-port=none mtu=1500 name=LAN speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:87:34:65
    master-port=LAN mtu=1500 name=ether3-local-slave speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:87:34:66
    master-port=LAN mtu=1500 name=ether4-local-slave speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=
    "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:87:34:67
    master-port=LAN mtu=1500 name=ether5-local-slave speed=100Mbps
/interface pptp-client
add add-default-route=no allow=mschap2 comment="" connect-to=196.44.151.8
    dial-on-demand=no disabled=no max-mru=1460 max-mtu=1460 mrru=disabled
    name=pptp-out1 password=Emotion123 profile=default-encryption user=nxit
/interface l2tp-server
add comment="" disabled=no name=l2tpuser user=l2tpuser
add comment="" disabled=no name=l2tpuser2 user=l2tpuser2
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment=
    "" dial-on-demand=no disabled=no interface=ether1 max-mru=1480 max-mtu=
    1480 mrru=disabled name=pppoe-out1 password=MHOSOL profile=default
    service-name="" use-peer-dns=yes user=a61232825@adsl.telecom.na
/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1
/interface wireless security-profiles
set default authentication-types="" eap-methods=passthrough group-ciphers=""
    group-key-update=5m interim-update=0s management-protection=disabled
    mode=none name=default radius-eap-accounting=no radius-mac-accounting=no
    radius-mac-authentication=no radius-mac-caching=disabled
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=
    none static-sta-private-algo=none static-transmit-key=key-0
    supplicant-identity=MikroTik tls-certificate=none tls-mode=
    no-certificates unicast-ciphers=""
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=
    no
/interface ethernet switch port
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=
    default-encryption enabled=yes max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=
    default enabled=no keepalive-timeout=60 mac-address=FE:26:35:02:C9:83
    max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption
    enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=
    00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300
    frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10
    multiple-channels=no only-headers=no receive-errors=no streaming-enabled=
    no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no

NAT Server side

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no src-address=
    192.168.0.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=
    192.168.2.0/24 src-address=192.168.0.0/24

Now client side router's export

Remote / client side NAT

# dec/20/2013 15:55:10 by RouterOS 5.26
# software id = DB5B-R5RR

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=
    yes src-address=192.168.2.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1
    to-addresses=0.0.0.0
add action=accept chain=srcnat disabled=no dst-address=192.168.0.0/24
    src-address=192.168.2.0/24

IP addresses remote / client side

# dec/20/2013 15:50:08 by RouterOS 5.26
# software id = DB5B-R5RR

IP address on ether 5 not used

/ip address
add address=192.168.100.3/24 disabled=no interface=ether5-slave-local
    network=192.168.100.0
add address=192.168.2.1/24 disabled=no interface=wlan1 network=192.168.2.0

Interfaces remote / client side

# dec/20/2013 15:51:23 by RouterOS 5.26
# software id = DB5B-R5RR

/interface bridge
add admin-mac=D4:CA:6D:B6:E0:55 ageing-time=5m arp=enabled auto-mac=no
    disabled=no forward-delay=15s l2mtu=1598 max-message-age=20s mtu=1500
    name=bridge-local priority=0x8000 protocol-mode=rstp transmit-hold-count=
    6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1600
    mac-address=D4:CA:6D:B6:E0:54 mtu=1500 name=ether1-gateway speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited
    disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:B6:E0:55
    master-port=none mtu=1500 name=ether2-master-local speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited
    disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:B6:E0:56
    master-port=ether2-master-local mtu=1500 name=ether3-slave-local speed=
    100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited
    disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:B6:E0:57
    master-port=ether2-master-local mtu=1500 name=ether4-slave-local speed=
    100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited
    disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:B6:E0:58
    master-port=ether2-master-local mtu=1500 name=ether5-slave-local speed=
    100Mbps
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2
    dial-on-demand=no disabled=no interface=ether1-gateway max-mru=1480
    max-mtu=1480 mrru=disabled name=pppoe-out1 password=mhosol profile=
    default service-name="" use-peer-dns=yes user=a61226850@adsl.telecom.na
/interface l2tp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=
    41.182.68.57 dial-on-demand=no disabled=no max-mru=1460 max-mtu=1460
    mrru=disabled name=l2tp-out1 password=M@chu1207 profile=
    default-encryption user=l2tpuser2
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods=""
    group-ciphers=aes-ccm group-key-update=5m interim-update=0s
    management-protection=disabled mode=dynamic-keys name=default
    radius-eap-accounting=no radius-mac-accounting=no
    radius-mac-authentication=no radius-mac-caching=disabled
    radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username
    static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=
    none static-sta-private-algo=none static-transmit-key=key-0
    supplicant-identity=MikroTik tls-certificate=none tls-mode=
    no-certificates unicast-ciphers=aes-ccm
/interface wireless
set 0 adaptive-noise-immunity=none allow-sharedkey=no antenna-gain=0 area=""
    arp=enabled band=2ghz-b/g/n basic-rates-a/g=6Mbps basic-rates-b=1Mbps
    bridge-mode=disabled channel-width=20/40mhz-ht-above compression=no
    country=no_country_set default-ap-tx-limit=0 default-authentication=yes
    default-client-tx-limit=0 default-forwarding=yes dfs-mode=none
    disable-running-check=no disabled=no disconnect-timeout=3s distance=
    indoors frame-lifetime=0 frequency=2412 frequency-mode=manual-txpower
    frequency-offset=0 hide-ssid=no ht-ampdu-priorities=0 ht-amsdu-limit=8192
    ht-amsdu-threshold=8192 ht-basic-mcs=
    mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-guard-interval=any
    ht-rxchains=0 ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,\
    mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-17,\
    mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23" ht-txchains=0
    hw-fragmentation-threshold=disabled hw-protection-mode=none
    hw-protection-threshold=0 hw-retries=7 l2mtu=2290 mac-address=
    D4:CA:6D:B6:E0:59 max-station-count=2007 mode=ap-bridge mtu=1500
    multicast-helper=default name=wlan1 noise-floor-threshold=default
    nv2-cell-radius=30 nv2-noise-floor-offset=default nv2-qos=default
    nv2-queue-count=2 nv2-security=disabled on-fail-retry-time=100ms
    periodic-calibration=default periodic-calibration-interval=60
    preamble-mode=both proprietary-extensions=post-2.9.25 radio-name=
    D4CA6DB6E059 rate-selection=advanced rate-set=default scan-list=default
    security-profile=default ssid=clumsy station-bridge-clone-mac=
    00:00:00:00:00:00 supported-rates-a/g=
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=
    1Mbps,2Mbps,5.5Mbps,11Mbps tdma-period-size=2 tx-power-mode=default
    update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=
    none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled
    wireless-protocol=any wmm-support=disabled
/interface wireless manual-tx-power-table
set wlan1 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9M\
    bps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:\
    17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,H\
    T40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-\
    7:17"
/interface wireless nstreme
set wlan1 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=
    3200 framer-policy=none
/interface bridge port
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none
    interface=ether2-master-local path-cost=10 point-to-point=auto priority=
    0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none
    interface=wlan1 path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=
    no
/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=fallback
set 1 vlan-header=leave-as-is vlan-mode=fallback
set 2 vlan-header=leave-as-is vlan-mode=fallback
set 3 vlan-header=leave-as-is vlan-mode=fallback
set 4 vlan-header=leave-as-is vlan-mode=fallback
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=
    default-encryption enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=
    1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=
    default enabled=no keepalive-timeout=60 mac-address=FE:6B:F1:3C:7C:64
    max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption
    enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=
    default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=
    disabled port=443 verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=
    00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300
    frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10
    multiple-channels=no only-headers=no receive-errors=no streaming-enabled=
    no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no

Yes

IP Route on server MT 750

[admin@Smurf8] > ip
[admin@Smurf8] /ip> routes
bad command name routes (line 1 column 1)
[admin@Smurf8] /ip> route
[admin@Smurf8] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS         PREF-SRC         GATEWAY          DISTANCE
 0 ADS  0.0.0.0/0                            41.205.152.96           1
 1 ADC  10.0.1.0/24         10.0.1.4         ether1                  0
 2 ADC  10.0.15.10/32       10.0.15.9        l2tpuser2               0
 3 ADC  41.205.152.96/32    41.182.68.57     pppoe-out1              0
 4 ADC  192.168.0.0/24      192.168.0.1      LAN                     0
 5   S  192.168.1.0/24                       10.0.16.10              1
 6 A S  192.168.2.0/24                       10.0.15.10              1
 7 ADC  192.168.10.150/32   192.168.10.149   pptp-out1               0
 8 ADC  192.168.100.0/24    192.168.100.1    LAN                     0
[admin@Smurf8] /ip route>

IP Route on client RB951-2n


[admin@Smurf10] > ip route
[admin@Smurf10] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS         PREF-SRC         GATEWAY          DISTANCE
 0 ADS  0.0.0.0/0                            41.205.152.97           1
 1 ADC  10.0.15.9/32        10.0.15.10       l2tp-out1               0
 2 ADC  41.205.152.97/32    41.182.88.177    pppoe-out1              0
 3 A S  192.168.0.0/24                       10.0.15.9               1
 4 ADC  192.168.2.0/24      192.168.2.1      bridge-local            0
 5 ADC  192.168.100.0/24    192.168.100.3    bridge-local            0
[admin@Smurf10] /ip route>

Wrong order of your rules: NAT bypass rules must be placed before the masquerade rules.


Rearrange the following NAT rules and ensure that they are placed first of all the rules.

Server:
add action=accept chain=srcnat comment="" disabled=no dst-address=
    192.168.2.0/24 src-address=192.168.0.0/24

Client:
add action=accept chain=srcnat disabled=no dst-address=192.168.0.0/24
    src-address=192.168.2.0/24
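The two replies above rest on one property of the srcnat chain: rules are evaluated top-down and the first match decides, so an accept (bypass) rule that sits below a masquerade rule covering the same traffic never fires. The following Python is an added example of mine, not code from this thread or from MikroTik, that models that behaviour and runs the two srcnat chains exactly as exported above through it, plus a small checker that flags a bypass rule shadowed by an earlier masquerade. It is a simplification: real RouterOS srcnat is decided once per connection through connection tracking and has many more matchers; only src-address, dst-address, out-interface and the accept/masquerade actions are modelled. The interface addresses come from the PREF-SRC column of the route prints in the thread; the host addresses in the sample packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Address masquerade would stamp on the packet, per outgoing interface; taken
# from the PREF-SRC column of the "ip route print" output posted in the thread.
IFACE_ADDR = {
    "pppoe-out1": "41.182.68.57",  # RB750 WAN
    "l2tpuser2": "10.0.15.9",      # RB750 end of the L2TP tunnel
    "l2tp-out1": "10.0.15.10",     # RB951 end of the L2TP tunnel
}


@dataclass(frozen=True)
class Rule:
    """One srcnat rule; None means the matcher was not set (matches anything)."""
    action: str                      # "accept" or "masquerade"
    src: Optional[str] = None        # src-address=
    dst: Optional[str] = None        # dst-address=
    out_iface: Optional[str] = None  # out-interface=
    disabled: bool = False


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    out_iface: str


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.disabled:
        return False
    if rule.src and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if rule.dst and ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    return not rule.out_iface or rule.out_iface == pkt.out_iface


def srcnat(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the chain top-down; the first matching rule decides.
    accept     -> source left untouched, chain exits
    masquerade -> source replaced by the outgoing interface's address
    Returns (resulting source, index of the rule that fired or None)."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            if rule.action == "accept":
                return pkt.src, i
            return IFACE_ADDR[pkt.out_iface], i  # masquerade
    return pkt.src, None  # fell off the end: no translation


def _covers(wide: Optional[str], narrow: Optional[str]) -> bool:
    """True if every address matched by `narrow` is also matched by `wide`."""
    if wide is None:
        return True
    return narrow is not None and ip_network(narrow).subnet_of(ip_network(wide))


def shadowed_bypasses(rules: List[Rule]) -> List[int]:
    """Indices of accept rules that an earlier, enabled masquerade rule already
    catches for all of their traffic, so the bypass can never fire."""
    shadowed = []
    for j, acc in enumerate(rules):
        if acc.action != "accept" or acc.disabled:
            continue
        for masq in rules[:j]:
            if masq.action != "masquerade" or masq.disabled:
                continue
            iface_ok = masq.out_iface is None or masq.out_iface == acc.out_iface
            if iface_ok and _covers(masq.src, acc.src) and _covers(masq.dst, acc.dst):
                shadowed.append(j)
                break
    return shadowed


# The two srcnat chains as exported in the thread, in posted order.
SERVER_AS_POSTED = [
    Rule("masquerade", src="192.168.0.0/24"),
    Rule("accept", src="192.168.0.0/24", dst="192.168.2.0/24"),
]
SERVER_FIXED = list(reversed(SERVER_AS_POSTED))  # bypass first, as advised
CLIENT_AS_POSTED = [
    Rule("masquerade", src="192.168.2.0/24", disabled=True),
    Rule("masquerade", out_iface="pppoe-out1"),
    Rule("accept", src="192.168.2.0/24", dst="192.168.0.0/24"),
]

# Constructed sample packets (host addresses are assumptions, not from the thread).
LAN_TO_LAN = Packet("192.168.0.10", "192.168.2.20", "l2tpuser2")
LAN_TO_NET = Packet("192.168.0.10", "8.8.8.8", "pppoe-out1")
CLIENT_TO_LAN = Packet("192.168.2.20", "192.168.0.10", "l2tp-out1")

if __name__ == "__main__":
    for name, rules in (("posted", SERVER_AS_POSTED), ("fixed", SERVER_FIXED)):
        for pkt in (LAN_TO_LAN, LAN_TO_NET):
            print(f"server {name:6} {pkt.src}->{pkt.dst} via {pkt.out_iface}: {srcnat(rules, pkt)}")
    print("client", CLIENT_TO_LAN.src, "->", CLIENT_TO_LAN.dst, srcnat(CLIENT_AS_POSTED, CLIENT_TO_LAN))
    print("shadowed bypasses: server", shadowed_bypasses(SERVER_AS_POSTED),
          "client", shadowed_bypasses(CLIENT_AS_POSTED))
```

Under this model the server chain in posted order rewrites the LAN-to-LAN packet's source to the tunnel address 10.0.15.9 before the bypass rule is ever consulted, while the reordered chain leaves it at 192.168.0.10 and still masquerades Internet-bound traffic via the second rule. The client chain comes out unshadowed because its only enabled masquerade is bound to out-interface=pppoe-out1, which tunnel traffic never matches; moving the client bypass to the top is harmless either way.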

You have to set up proxy-arp on the local interface. Read this: http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP#Connecting_Remote_Client
This part: [image: arp-proxy.jpg]