No LAN access from L2TP-VPN connection

Hi all,

I’m very aware that there are several topics on the forum covering this subject, but I have been trawling through them for days now, trying to find the solution.
I have 2 identical RB1100s with more or less identical setups. The biggest difference is that the remote one, which works well, doesn’t act as a DHCP server; my local RB, however, is driving me crazy with this issue.

Problem: When I successfully connect to the router from an L2TP client, I can only ping the LAN address (192.168.4.1) of the router - no other client on this subnet (192.168.4.0/24).
I’m using a pool from a different subnet (192.168.5.0/24) for the remote clients. I have tried disabling all drop rules in the firewall to rule out a firewall block. I have tried adjusting the ARP setting. I have tried different /ip route settings for the pool subnet. Nothing helps. Now I have only your expertise to fall back on… so I really hope some of you can see what’s wrong.

My config is below (I deleted my public IPs):

# 2023-08-30 18:46:21 by RouterOS 7.11
# software id = GWV4-RIQA
#
# model = RB1100Dx4
# serial number = 9BD80Axxxxxxx
# Export as posted: public addresses were replaced by the poster with quoted
# placeholders. Rule order inside each section is significant.
/interface bridge
# LAN bridge for ether2-ether13; the MA_VPN PPP profile below also attaches
# PPP sessions to it. NOTE(review): proxy-arp makes the router answer ARP on
# behalf of other hosts -- confirm it is still wanted once VPN clients are
# addressed from a separate subnet.
add arp=proxy-arp name=LAN-bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN-port
/interface l2tp-server
# Static L2TP server binding for the single PPP user MA_VPN.
add name=l2tp-VPN user=MA_VPN
/disk
set sata1 type=hardware
add parent=sata1 partition-number=1 partition-offset=512 partition-size=\
    "64 017 353 728" type=partition
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# Default profile: presumably what the L2TP/IPsec server (use-ipsec=yes
# below) negotiates with -- confirm. NOTE(review): dh-group=modp1024 is a
# weak group by current standards; prefer modp2048 if the clients allow it.
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256 \
    hash-algorithm=sha256
# Stronger profile, used only by the site-to-site peer G-MA.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
    G-MA
/ip ipsec peer
# "remote-public-ip" is the poster's placeholder, not a literal address.
add address="remote-public-ip"/32 exchange-mode=ike2 name=G-MA profile=\
    G-MA
/ip ipsec proposal
# NOTE(review): the default proposal still offers sha1 for authentication.
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-128-cbc
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=IKEv2-proposal \
    pfs-group=none
/ip pool
# Only the LAN DHCP pool exists; there is no pool for VPN clients in this
# export.
add name=dhcp_pool1 ranges=192.168.4.80-192.168.4.199
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 interface=LAN-bridge name=DHCP
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
# NOTE(review): no remote-address is set, so a client authenticating with
# this profile is not handed an address from 192.168.5.0/24 as intended;
# the LAN_IP and allowed_to_router lists below assume that it is.
add bridge=LAN-bridge local-address=192.168.4.1 name=MA_VPN
/interface bridge port
add bridge=LAN-bridge interface=ether2
add bridge=LAN-bridge interface=ether3
add bridge=LAN-bridge interface=ether4
add bridge=LAN-bridge interface=ether5
add bridge=LAN-bridge interface=ether6
add bridge=LAN-bridge interface=ether7
add bridge=LAN-bridge interface=ether8
add bridge=LAN-bridge interface=ether9
add bridge=LAN-bridge interface=ether10
add bridge=LAN-bridge interface=ether11
add bridge=LAN-bridge interface=ether12
add bridge=LAN-bridge interface=ether13
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface l2tp-server server
# NOTE(review): mschap1 is a weak authenticator; mschap2 alone is the
# stronger choice. use-ipsec=yes still admits L2TP sessions that arrive
# without IPsec -- use-ipsec=required enforces it if every client uses it.
set authentication=mschap1,mschap2 default-profile=MA_VPN enabled=yes \
    use-ipsec=yes
/interface list member
add interface=ether1_WAN-port list=WAN
add interface=LAN-bridge list=LAN
/ip address
add address=192.168.4.1/24 interface=LAN-bridge network=192.168.4.0
/ip dhcp-client
add interface=ether1_WAN-port use-peer-dns=no
/ip dhcp-server lease
add address=192.168.4.100 mac-address=2C:56:DC:DC:31:BD
add address=192.168.4.99 mac-address=80:A5:89:9E:00:00
add address=192.168.4.101 mac-address=80:A5:89:9E:6C:06
add address=192.168.4.111 allow-dual-stack-queue=no mac-address=\
    2C:56:DC:DD:4B:ED
/ip dhcp-server network
add address=192.168.4.0/24 dns-server=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1 \
    gateway=192.168.4.1 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip firewall address-list
# MA_LAN / G_LAN: the two site subnets, used by the NAT bypass rules.
add address=192.168.4.0/24 list=MA_LAN
add address=192.168.7.0/24 list=G_LAN
# allowed_to_router and WAN_IP are defined but not referenced by any filter
# or NAT rule in this export.
add address=192.168.4.0/24 list=allowed_to_router
add address=192.168.7.0/24 list=allowed_to_router
add address="remote-public-gateway-ip" list=allowed_to_router
add address="local-public-ip" list=allowed_to_router
# not_in_internet: bogon/private ranges, used by the anti-spoofing drops in
# the forward chain.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=192.168.8.0/24 list=allowed_to_router
add address=192.168.5.0/24 list=allowed_to_router
# LAN_IP: every subnet treated as "inside", including the intended VPN pool
# 192.168.5.0/24 and 192.168.8.0/24, which appears nowhere else in this
# export.
add address=192.168.7.0/24 list=LAN_IP
add address=192.168.4.0/24 list=LAN_IP
add address=192.168.5.0/24 list=LAN_IP
add address=192.168.8.0/24 list=LAN_IP
add address="remote-public-gateway-ip" list=WAN_IP
add address="local-public-ip" list=WAN_IP
/ip firewall filter
# Input chain, evaluated top to bottom until a terminating action.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid packets" \
    connection-state=invalid
# NOTE(review): matches every ICMP type on every interface, WAN included;
# the icmp chain further down is only reached from the forward chain.
add action=accept chain=input comment="defconf: accept ICMP (ping)" protocol=\
    icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# IKE, ESP and L2TP are accepted only on the WAN port.
add action=accept chain=input comment="VPN - Accept IPsec-esp" \
    in-interface=ether1_WAN-port protocol=ipsec-esp
add action=accept chain=input comment=\
    "VPN - Accept input IPsec, L2TP, VPN" dst-port=500,1701,4500 \
    in-interface=ether1_WAN-port protocol=udp
# NOTE(review): matches on source address only. A packet arriving on the
# WAN port with a spoofed 192.168.x.x source is accepted here before the
# !LAN drop below; adding in-interface-list=LAN (or dropping
# not_in_internet sources from WAN in this chain) closes that gap.
add action=accept chain=input comment="Accept Local LAN" src-address-list=\
    LAN_IP
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain. Keep the ipsec-policy accepts ahead of fasttrack:
# fasttracked connections skip the remaining filter rules.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
    "defconf: fastrack - establihed, related" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=invalid
# Egress filter: LAN hosts may not reach bogon/private ranges through
# non-LAN interfaces.
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=LAN-bridge log=yes log-prefix=\
    !public_from_LAN out-interface=!LAN-bridge
# Only dst-nat'ed new connections may enter from WAN.
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
# Ingress anti-spoofing on the WAN port.
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=\
    ether1_WAN-port log=yes log-prefix=!public src-address-list=\
    not_in_internet
# Last forward rule. The chain has no terminating drop, so anything not
# matched above -- including new connections from L2TP clients towards the
# LAN -- is accepted by the chain default.
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=LAN-bridge \
    log=yes log-prefix=LAN_!LAN src-address-list=!LAN_IP
# Catch-all for the input chain; chains are evaluated independently, so its
# position after the forward rules is irrelevant.
add action=drop chain=input
# icmp chain: reached from the forward jump above; allow-listed types only.
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
# Site-to-site traffic between MA_LAN and G_LAN is exempted from NAT.
add action=accept chain=srcnat dst-address-list=G_LAN src-address-list=\
    MA_LAN
add action=accept chain=dstnat dst-address-list=MA_LAN src-address-list=\
    G_LAN
# Masquerade everything leaving via WAN except traffic covered by an IPsec
# policy.
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
# Unconditional accept; it is the last srcnat rule, so effectively a no-op.
add action=accept chain=srcnat
# NOTE(review): exposes 192.168.4.50 tcp/108,1554,8010 to any WAN source;
# restrict with src-address-list if the remote clients are known.
add action=dst-nat chain=dstnat comment="CV forward" dst-port=\
    108,1554,8010 in-interface-list=WAN protocol=tcp to-addresses=\
    192.168.4.50
/ip ipsec identity
# The peer secret is not present in the posted export (hidden or removed).
add comment="G-MA key" peer=G-MA
/ip ipsec policy
add dst-address=192.168.7.0/24 peer=G-MA proposal=IKEv2-proposal \
    src-address=192.168.4.0/24 tunnel=yes
/ip service
# Only these services are changed: www stays on plain HTTP (port 8080), and
# www-ssl/winbox are not touched by this export.
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
# The password for MA_VPN is not present in the posted export.
add name=MA_VPN profile=MA_VPN
/system clock
set time-zone-name=Europe/Copenhagen
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=dk.pool.ntp.org

Many thanks in advance for helping me out - I’m truly grateful :wink: :slight_smile:

Does either of the two routers get a public-facing WAN IP address? And if not, can one of them have ports forwarded to it by the upstream ISP router?
If so, then perhaps try WireGuard instead of L2TP, both for remote access by outside mobile users and for router-to-router VPN traffic.

Yes, both routers have a connection to the Internet through a WAN IP and a WAN gateway IP. I hid them in this thread and replaced them with “local-public-ip” and “remote-public-ip” as well as “local-public-gateway-ip” and “remote-public-gateway-ip”.

The failing router acquires its WAN IP settings from DHCP; the other one has a static WAN IP.

Further info on this setup: the IPsec tunnel between the 2 routers (local and remote) is working well. There are no problems accessing the local LAN (192.168.4.0/24) from the remote LAN (192.168.7.0/24) through the tunnel. Only access from third parties through the L2TP VPN causes trouble.

I’m so, so sorry to waste everybody’s time on my stupid question…I solved it myself.

I also lied to you, since I wrote:

I’m pooling with a different subnet (192.168.5.0/24) for the remote clients.

So I was not!!!

At least I thought I was, but that was the issue: no remote IP from the pool was assigned to the client… Anyway - I’m glad this issue introduced me to this forum.

Thanks to all of you for doing a good job with some great posts and solutions.

Too fast to declare the problem solved

OK, I did miss an important setting, but that might have been caused by my fooling around with this config. I have corrected my config (see below) and added the pool range, and now a very interesting thing happens…

Once I change the /ppp profile or the L2TP server settings, the next dial-in session through the VPN works perfectly, but the following sessions only connect, and local LAN access is lost.

Can anyone give me a clue here? Am I fighting a setup failure, or am I fighting a bug in RouterOS 7.11.1?

# 2023-08-31 20:25:35 by RouterOS 7.11.1
# software id = GWV4-RIQA
#
# model = RB1100Dx4
# serial number = 9BD80Axxxxxx
# Second export, after adding the VPN pool. Public addresses were replaced
# by the poster with out-of-range dotted numbers (octets above 255), so
# they are placeholders, not valid IPv4 addresses. Rule order inside each
# section is significant.
/interface bridge
# LAN bridge for ether2-ether13; the MA_VPN PPP profile below also attaches
# PPP sessions to it. NOTE(review): proxy-arp makes the router answer ARP on
# behalf of other hosts -- confirm it is still wanted now that VPN clients
# are addressed from a separate subnet.
add arp=proxy-arp name=LAN-bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1_WAN-port
/interface l2tp-server
# Static L2TP server binding for the single PPP user MA_VPN.
add name=MA-L2TP-VPN user=MA_VPN
/disk
set sata1 type=hardware
add parent=sata1 partition-number=1 partition-offset=512 partition-size=\
    "64 017 353 728" type=partition
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# Default profile: presumably what the L2TP/IPsec server (use-ipsec=yes
# below) negotiates with -- confirm. NOTE(review): dh-group=modp1024 is a
# weak group by current standards; prefer modp2048 if the clients allow it.
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-128 \
    hash-algorithm=sha256
# Stronger profile, used only by the site-to-site peer G-MA.
add dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha512 name=\
    G-MA
/ip ipsec peer
# Placeholder address (see header note).
add address=767.676.776.667/32 exchange-mode=ike2 name=G-MA profile=\
    G-MA
/ip ipsec proposal
# sha1 is no longer offered in the default proposal.
set [ find default=yes ] auth-algorithms=sha512,sha256 enc-algorithms=\
    aes-256-cbc,aes-128-cbc
add auth-algorithms=sha512 enc-algorithms=aes-256-cbc name=IKEv2-proposal \
    pfs-group=none
/ip pool
add name=dhcp_pool1 ranges=192.168.4.80-192.168.4.199
# VPN client pool, separate from the LAN subnet; referenced by the MA_VPN
# profile below.
add name=MA-VPN-Pool ranges=192.168.5.100-192.168.5.150
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 interface=LAN-bridge name=DHCP
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
# remote-address now hands each client an address from MA-VPN-Pool.
# NOTE(review): bridge=LAN-bridge additionally attaches each PPP session to
# the bridge while the clients are routed out of 192.168.5.0/24; whether
# both are wanted is worth confirming given the second-session behaviour
# described in the thread.
add bridge=LAN-bridge local-address=192.168.4.1 name=MA_VPN \
    remote-address=MA-VPN-Pool
/interface bridge port
add bridge=LAN-bridge interface=ether2
add bridge=LAN-bridge interface=ether3
add bridge=LAN-bridge interface=ether4
add bridge=LAN-bridge interface=ether5
add bridge=LAN-bridge interface=ether6
add bridge=LAN-bridge interface=ether7
add bridge=LAN-bridge interface=ether8
add bridge=LAN-bridge interface=ether9
add bridge=LAN-bridge interface=ether10
add bridge=LAN-bridge interface=ether11
add bridge=LAN-bridge interface=ether12
add bridge=LAN-bridge interface=ether13
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=\
    LAN wan-interface-list=WAN
/interface l2tp-server server
# mschap2 only (mschap1 dropped). NOTE(review): use-ipsec=yes still admits
# L2TP sessions that arrive without IPsec -- use-ipsec=required enforces it
# if every client uses it.
set allow-fast-path=yes authentication=mschap2 default-profile=MA_VPN \
    enabled=yes use-ipsec=yes
/interface list member
add interface=ether1_WAN-port list=WAN
add interface=LAN-bridge list=LAN
/ip address
add address=192.168.4.1/24 interface=LAN-bridge network=192.168.4.0
/ip dhcp-client
add interface=ether1_WAN-port use-peer-dns=no
/ip dhcp-server lease
add address=192.168.4.100 mac-address=2C:56:DC:DC:31:BD
add address=192.168.4.99 mac-address=80:A5:89:9E:00:00
add address=192.168.4.101 mac-address=80:A5:89:9E:6C:06
add address=192.168.4.111 allow-dual-stack-queue=no mac-address=\
    2C:56:DC:DD:4B:ED
/ip dhcp-server network
add address=192.168.4.0/24 dns-server=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1 \
    gateway=192.168.4.1 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4,1.1.1.1,1.0.0.1
/ip firewall address-list
# MA_LAN / G_LAN: the two site subnets, used by the NAT bypass rules.
add address=192.168.4.0/24 list=MA_LAN
add address=192.168.7.0/24 list=G_LAN
# allowed_to_router and WAN_IP are defined but not referenced by any filter
# or NAT rule in this export.
add address=192.168.4.0/24 list=allowed_to_router
add address=192.168.7.0/24 list=allowed_to_router
add address=767.676.776.666 list=allowed_to_router
add address=434.343.443.334 list=allowed_to_router
# not_in_internet: bogon/private ranges, used by the anti-spoofing drops in
# the forward chain.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=\
    not_in_internet
add address=192.168.8.0/24 list=allowed_to_router
add address=192.168.5.0/24 list=allowed_to_router
# LAN_IP: every subnet treated as "inside", including the VPN pool subnet
# 192.168.5.0/24 and 192.168.8.0/24, which appears nowhere else in this
# export.
add address=192.168.7.0/24 list=LAN_IP
add address=192.168.4.0/24 list=LAN_IP
add address=192.168.5.0/24 list=LAN_IP
add address=192.168.8.0/24 list=LAN_IP
add address=767.676.776.666 list=WAN_IP
add address=434.343.443.334 list=WAN_IP
/ip firewall filter
# Input chain, evaluated top to bottom until a terminating action.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid packets" \
    connection-state=invalid
# NOTE(review): matches every ICMP type on every interface, WAN included;
# the icmp chain further down is only reached from the forward chain.
add action=accept chain=input comment="defconf: accept ICMP (ping)" protocol=\
    icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# IKE, ESP and L2TP are accepted only on the WAN port.
add action=accept chain=input comment="Vigtig VPN - Accept IPsec-esp" \
    in-interface=ether1_WAN-port protocol=ipsec-esp
add action=accept chain=input comment=\
    "Vigtig til VPN - Accept input IPsec, L2TP, VPN" dst-port=500,1701,4500 \
    in-interface=ether1_WAN-port protocol=udp
# NOTE(review): matches on source address only. A packet arriving on the
# WAN port with a spoofed 192.168.x.x source is accepted here before the
# !LAN drop below; adding in-interface-list=LAN (or dropping
# not_in_internet sources from WAN in this chain) closes that gap.
add action=accept chain=input comment="Accept Local LAN" src-address-list=\
    LAN_IP
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# NOTE(review): unconditional accept at the top of the forward chain. Every
# forward rule below it -- the !dstnat-from-WAN drop, both anti-spoofing
# drops, the ICMP jump and fasttrack -- is never reached while it is here,
# and no troubleshooting result can be attributed to the firewall. It looks
# like a leftover test rule; remove it before relying on this ruleset.
add action=accept chain=forward comment=test
# Keep the ipsec-policy accepts ahead of fasttrack: fasttracked connections
# skip the remaining filter rules.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=\
    "defconf: fastrack - establihed, related" connection-state=\
    established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes log-prefix=invalid
# Egress filter: LAN hosts may not reach bogon/private ranges through
# non-LAN interfaces.
add action=drop chain=forward comment=\
    "Drop tries to reach not public addresses from LAN" dst-address-list=\
    not_in_internet in-interface=LAN-bridge log=yes log-prefix=\
    !public_from_LAN out-interface=!LAN-bridge
# Only dst-nat'ed new connections may enter from WAN.
add action=drop chain=forward comment=\
    "Drop incoming packets that are not NAT`ted" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
add action=jump chain=forward comment="jump to ICMP filters" jump-target=icmp \
    protocol=icmp
# Ingress anti-spoofing on the WAN port.
add action=drop chain=forward comment=\
    "Drop incoming from internet which is not public IP" in-interface=\
    ether1_WAN-port log=yes log-prefix=!public src-address-list=\
    not_in_internet
# Last forward rule. The chain has no terminating drop, so anything not
# matched above -- including new connections from L2TP clients towards the
# LAN -- is accepted by the chain default.
add action=drop chain=forward comment=\
    "Drop packets from LAN that do not have LAN IP" in-interface=LAN-bridge \
    log=yes log-prefix=LAN_!LAN src-address-list=!LAN_IP
# Catch-all for the input chain; chains are evaluated independently, so its
# position after the forward rules is irrelevant.
add action=drop chain=input
# icmp chain: reached from the forward jump above; allow-listed types only.
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"
/ip firewall nat
# Site-to-site traffic between MA_LAN and G_LAN is exempted from NAT.
add action=accept chain=srcnat dst-address-list=G_LAN src-address-list=\
    MA_LAN
add action=accept chain=dstnat dst-address-list=MA_LAN src-address-list=\
    G_LAN
# Masquerade everything leaving via WAN except traffic covered by an IPsec
# policy.
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
    WAN
# Unconditional accept; it is the last srcnat rule, so effectively a no-op.
add action=accept chain=srcnat
# NOTE(review): exposes 192.168.4.50 tcp/108,1554,8010 to any WAN source;
# restrict with src-address-list if the remote clients are known.
add action=dst-nat chain=dstnat comment="Camvision forward" dst-port=\
    108,1554,8010 in-interface-list=WAN protocol=tcp to-addresses=\
    192.168.4.50
/ip ipsec identity
# The peer secret is not present in the posted export (hidden or removed).
add comment="G-MA key" peer=G-MA
/ip ipsec policy
add dst-address=192.168.7.0/24 peer=G-MA proposal=IKEv2-proposal \
    src-address=192.168.4.0/24 tunnel=yes
/ip service
# Only these services are changed: www stays on plain HTTP (port 8080), and
# www-ssl/winbox are not touched by this export.
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
# The password for MA_VPN is not present in the posted export.
add name=MA_VPN profile=MA_VPN
/system clock
set time-zone-name=Europe/Copenhagen
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=dk.pool.ntp.org

skål
When you want to use the simpler WireGuard, let me know… even if it’s just for remote mobile users coming into either router’s LAN subnets (users), OR for you as the admin to configure either router.