Need to access LAN via L2TP VPN - please help

Hello there,

I’ve set up L2TP on the subnet 192.168.5.0; the one client I’ve set up has an IP of 192.168.5.21 and the MikroTik has the IP 192.168.5.20.

I can access the MikroTik at 192.168.5.20 when connected to the VPN, but none of the other IPs on any other LAN subnet (in the 192.168.0.0/16 range; I have a few subnets).

What do I need to do to allow my VPN client to access the rest of the LAN subnets?

Here’s my /export hide-sensitive:

# jul/12/2022 23:11:07 by RouterOS 7.0.4
# software id = 122G-66AK
#
# model = CCR2004-16G-2S+
# serial number = HAV072JXDKM
/interface bridge
add name=bridge1-LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Cosmote
set [ find default-name=ether2 ] disabled=yes name=ether2-5G-Modem
set [ find default-name=ether10 ] name=ether10-udm
set [ find default-name=ether13 ] name=ether13-reolink
set [ find default-name=ether15 ] name=ether15-LAN
/interface l2tp-server
add name=l2tp-in-polas user=thanpolas-pptp
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=ether1-Cosmote name=pppoe-out-cosmote use-peer-dns=yes user=\
    ozxph6@otenet.gr
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.0.50-192.168.0.254
add name=pptp-clients-polas ranges=192.168.5.10-192.168.5.100
/ip dhcp-server
add address-pool=dhcp_pool0 interface=bridge1-LAN lease-time=4d4h40m39s name=dhcp1
/ppp profile
add bridge=bridge1-LAN local-address=192.168.5.20 name=polas-l2tp remote-address=pptp-clients-polas
/routing table
add disabled=no name="Cosmote Routes"
add disabled=no name="5G Routes"
add disabled=no name=to_WAN1_cosmote
add disabled=no name=to_WAN2_5G
add disabled=no name="prefer aDSL"
/interface bridge port
add bridge=bridge1-LAN interface=ether15-LAN
add bridge=bridge1-LAN interface=ether14
add bridge=bridge1-LAN interface=ether13-reolink
add bridge=bridge1-LAN interface=ether12
add bridge=bridge1-LAN interface=ether11
add bridge=bridge1-LAN interface=ether10-udm
add bridge=bridge1-LAN interface=ether9
add bridge=bridge1-LAN interface=ether8
add bridge=bridge1-LAN interface=ether7
add bridge=bridge1-LAN interface=ether6
add bridge=bridge1-LAN interface=ether5
add bridge=bridge1-LAN interface=ether4
add bridge=bridge1-LAN interface=ether16
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add disabled=yes interface=ether1-Cosmote list=WAN
add interface=ether15-LAN list=LAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge1-LAN network=192.168.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-client
add add-default-route=no interface=ether2-5G-Modem use-peer-ntp=no
add add-default-route=no comment="internet detect" interface=ether1-Cosmote use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.0.251 client-id=1:ec:71:db:43:89:ca mac-address=EC:71:DB:43:89:CA server=dhcp1
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=1.1.1.1 gateway=192.168.0.1 netmask=24
/ip dns
set servers=1.1.1.1,8.8.8.8
/ip firewall filter
add action=drop chain=input disabled=yes dst-port=53 in-interface=ether1-Cosmote protocol=udp
add action=drop chain=input disabled=yes dst-port=53 in-interface=ether2-5G-Modem protocol=udp
add action=drop chain=input disabled=yes dst-port=53 in-interface=ether1-Cosmote protocol=tcp
add action=drop chain=input disabled=yes dst-port=53 in-interface=ether2-5G-Modem protocol=tcp
/ip firewall mangle
add action=mark-connection chain=input in-interface=pppoe-out-cosmote new-connection-mark=cosmote_connection passthrough=\
    yes
add action=mark-connection chain=input in-interface=ether2-5G-Modem new-connection-mark=G5_connection passthrough=yes
add action=mark-routing chain=prerouting disabled=yes in-interface=bridge1-LAN passthrough=yes protocol=icmp
add action=mark-routing chain=output connection-mark=cosmote_connection passthrough=yes
add action=mark-routing chain=output connection-mark=G5_connection passthrough=yes
add action=accept chain=prerouting dst-address=87.203.215.225 in-interface=pppoe-out-cosmote
add action=accept chain=prerouting dst-address=192.168.88.0/24 in-interface=bridge1-LAN
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge1-LAN new-connection-mark=\
    WAN1_cosmote passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge1-LAN new-connection-mark=WAN2_5G \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-routing chain=prerouting connection-mark=WAN1_cosmote in-interface=bridge1-LAN passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_5G in-interface=bridge1-LAN passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out-cosmote
add action=masquerade chain=srcnat out-interface=ether2-5G-Modem
add action=masquerade chain=srcnat out-interface=ether1-Cosmote
add action=masquerade chain=srcnat out-interface=bridge1-LAN
# no interface
add action=masquerade chain=srcnat out-interface=*F0001B
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.88.1 pref-src="" routing-table=\
    to_WAN2_5G scope=30 suppress-hw-offload=no target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.88.1 pref-src="" routing-table=main \
    scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out-cosmote pref-src="" routing-table=to_WAN1_cosmote scope=\
    30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out-cosmote pref-src="" routing-table="prefer aDSL" scope=\
    30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.5.0/24 gateway=192.168.0.2 pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.20.0/24 gateway=ether10-udm pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ppp secret
add local-address=192.168.5.20 name=thanpolas-pptp profile=polas-l2tp remote-address=192.168.5.21
/system clock
set time-zone-name=Europe/Athens
/system identity
set name="Polas Core"

Hello Thanpolas!

How did you configure the client?
I don’t remember for Linux, but if your client is Windows and you disable the option to use the remote gateway, you would need to add a route for the remote subnets.

First you could check if there is a route for your remote networks (“route print” in Windows).
Then, you should check if your client is using the internet through the VPN, for example with a trace route to any site on the Internet (example: “tracert -d 8.8.8.8” in Windows).
If you are using, from the client, the default gateway 192.168.5.20 to access the Internet, you won’t need any route; if not, you will need it.
All the filter rules I see in the config are disabled, so MikroTik should not be dropping anything.
When you connect the client, MikroTik should add a dynamic route to reach it.
Maybe these mangle rules for PCC are marking traffic coming from the LAN to the VPN client to use a WAN interface; maybe you could check by disabling the routes with routing marks.

/ip firewall mangle
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge1-LAN new-connection-mark=\
    WAN1_cosmote passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=bridge1-LAN new-connection-mark=WAN2_5G \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0

Anyway, let me know.
Regards,
Damián

Hey Damian,

thank you for your response.

I managed to set my default gateway to the VPN by following this SO link and changing the order of my interfaces - I’ve put VPN on top ( https://apple.stackexchange.com/questions/33097/how-to-change-the-default-gateway-of-a-mac-osx-machine )

Now all my traffic is routed through my VPN.

I can now also access the 192.168.0.x network.

However, I am not able to access the 192.168.2.x network, which is my goal. I am getting “Network unreachable” errors…

I’ve disabled the mark-routing mangle rules as you suggested but it’s still unreachable.

Hello Thanpolas,

I cannot tell what the problem is yet.
Maybe you could try to keep a ping running to some IP in the 192.168.2.0/24 network from a computer with the VPN client connected. Then, in a new terminal, you could run

"tool sniffer quick ip-protocol=icmp ip-address=192.168.2.2"

Change 192.168.2.2 to an existing IP address, and make sure the destination has the same MikroTik as its default gateway and that it is answering pings (by default Windows 10 does not respond to pings).
After some seconds press “q” to stop the command and paste the results here.

Regards,
Damián

Hey Damian,

Just wanted to update that I finally managed to get the pings through.

I had to manually add a static route to the 192.168.2.x network, as it is not directly attached to the MikroTik but goes through my UDM-Pro-2 machine, which I always forget I have in the middle…

I use it to manage my WiFi and have created a few networks there, for which I now understand I need to add static routes from the MikroTik to the UDM.

Thank you so much for helping.
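As an added illustration (not part of the thread), a small Python model of the router's main routing table built from the export above, showing why 192.168.0.x and 192.168.20.x already resolved to LAN-side next hops while 192.168.2.x fell through to the default route until a static route toward the UDM was added. The UDM's gateway address (UDM_GW) is an assumption; the thread does not give it.

```python
import ipaddress
import shlex

# Constructed subset of the thread's /export: the main-table routes and the one
# connected /ip address, plus the static route the OP said fixed the problem.
# UDM_GW is an assumed address for the UDM-Pro on bridge1-LAN (not given in the thread).
UDM_GW = "192.168.0.2"
EXPORT_BEFORE = """
add address=192.168.0.1/24 interface=bridge1-LAN network=192.168.0.0
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.88.1 routing-table=main
add disabled=no dst-address=0.0.0.0/0 gateway=pppoe-out-cosmote routing-table=to_WAN1_cosmote
add disabled=no dst-address=192.168.5.0/24 gateway=192.168.0.2 routing-table=main
add disabled=no dst-address=192.168.20.0/24 gateway=ether10-udm routing-table=main
"""
FIX = f"add disabled=no dst-address=192.168.2.0/24 gateway={UDM_GW} routing-table=main\n"


def parse_routes(export: str):
    """Turn RouterOS 'add key=value ...' lines into (network, next hop) entries for table main.

    An /ip address line becomes a connected route via its interface; /ip route lines
    are kept only when enabled and in the main table (the VPN client is routed by main).
    """
    routes = []
    for line in export.strip().splitlines():
        kv = dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
        if "address" in kv and "interface" in kv:
            routes.append((ipaddress.ip_interface(kv["address"]).network, kv["interface"]))
        elif kv.get("routing-table", "main") == "main" and kv.get("disabled") != "yes":
            routes.append((ipaddress.ip_network(kv["dst-address"]), kv["gateway"]))
    return routes


def lookup(routes, dst: str):
    """Longest-prefix match: return the gateway or interface a packet to dst is sent to."""
    ip = ipaddress.ip_address(dst)
    best = max((r for r in routes if ip in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None


if __name__ == "__main__":
    before, after = parse_routes(EXPORT_BEFORE), parse_routes(EXPORT_BEFORE + FIX)
    for dst in ("192.168.0.10", "192.168.20.7", "192.168.2.5"):
        print(f"{dst}: before={lookup(before, dst)}  after={lookup(after, dst)}")
```

Before the fix, 192.168.2.5 matches only the 0.0.0.0/0 route and is sent toward the WAN gateway; after the fix it resolves to the UDM like the other LAN-side subnets.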

Nice!!
These kinds of issues are difficult to see from here!

Regards!
Damián