Problem when trying to access Shared Folder over L2TP IPsec VPN

Good morning!

I need a little help. We changed our firewall to MikroTiks and I created a tunnel from our company to our branch, and it works like a charm: I can ping the other side no problem, but I can't access our file server. I will post our configuration here; could someone help me with this?

Main:

Local IP: 10.10.12.0

Firewall:

nov/20/2023 14:12:43 by RouterOS 6.49.10

software id = F1IT-3YV7

model = RB3011UiAS

serial number = HEC08S0VTDE

/ip firewall address-list
add address=10.10.12.254 list=rede-suporte
/ip firewall filter
add action=accept chain=input comment=Ipu src-address=206.42.41.168
add action=accept chain=output dst-address=206.42.41.168
add action=accept chain=input src-address=201.131.176.66
add action=accept chain=output dst-address=201.131.176.66
add action=accept chain=forward src-address=10.10.13.0/24
add action=accept chain=forward dst-address=10.10.13.0/24
add action=accept chain=input comment="Liberar WinBox" connection-state=established,related connection-type="" dst-port=2288 protocol=tcp
add action=accept chain=input comment="ICMP - 10/sec" limit=10,5:packet protocol=icmp
add action=accept chain=input comment="Estabelecidas e Relacionadas" connection-state=established,related
add action=drop chain=input comment=Invalidos connection-state=invalid
add action=drop chain=input comment="DROP GERAL" disabled=yes in-interface-list=LINKs
/ip firewall nat
add action=accept chain=srcnat dst-address=10.10.13.0/24 src-address=10.10.12.0/24
add action=masquerade chain=srcnat out-interface-list=LINKs

Branch:

Local IP: 10.10.13.0

Firewall:

nov/20/2023 14:17:18 by RouterOS 6.49.10

software id = EU20-D8GH

model = RB3011UiAS

serial number = HEC08YHDQZH

/ip firewall filter
add action=accept chain=input comment=Itapipoca src-address=45.178.179.242
add action=accept chain=output dst-address=45.178.179.242
add action=accept chain=input src-address=170.79.200.82
add action=accept chain=output dst-address=170.79.200.82
add action=accept chain=forward src-address=10.10.12.0/24
add action=accept chain=forward dst-address=10.10.12.0/24
add action=accept chain=input comment="Libera WinBox" limit=5,5:packet protocol=icmp
add action=accept chain=input comment=ICMP connection-state=established,related disabled=yes
add action=accept chain=input dst-port=2288 protocol=tcp
add action=drop chain=input connection-state=invalid
add action=drop chain=input disabled=yes in-interface=redeInterna
/ip firewall nat
add action=accept chain=srcnat dst-address=10.10.12.0/24 src-address=10.10.13.0/24
add action=masquerade chain=srcnat out-interface="Ether 2 - IpuNET"
add action=masquerade chain=srcnat out-interface=PPPOE-Brisanet


Thanks in advance!

Grecco

Hello greccobruno,
You have an incorrect firewall configuration. In order for the traffic to work correctly, the basis is always the “default rules” and their plugins as needed.
A firewall usually consists of 2 parts - Input (incoming traffic) and “Forward” (traffic passing through the router). These 2 parts are needed for everything to work correctly.
After that, you can already look at the IPsec configuration, etc.

/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN

/ip firewall address-list
add address=10.10.12.0/24 list=rede-suporte

/ip firewall filter
(Input Chain)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input src-address-list=rede-suporte comment="Config Access"
add action=accept chain=input comment="Allow LAN DNS queries - UDP" \
    dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" in-interface-list=WAN \
    protocol=ipsec-esp
add action=drop chain=input comment="drop all else"
(Forward chain)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
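As an added illustration (not code from the thread or from RouterOS), the following Python script models RouterOS first-match evaluation over the reply's suggested input chain, so you can see which rule a given packet lands on before loosening anything: the interface lists and the rede-suporte address list are the ones in the reply, while the sample source addresses (203.0.113.7 for the remote router, 198.51.100.9 for an arbitrary Internet host) are constructed.

```python
from ipaddress import ip_address, ip_network

# Interface lists and address list as in the reply's suggested config.
IFACE_LIST = {"WAN": {"ether1"}, "LAN": {"bridge1"}}
ADDR_LIST = {"rede-suporte": [ip_network("10.10.12.0/24")]}

# The reply's input chain as (action, matchers). RouterOS walks a chain
# top-down; the first rule whose matchers all hold decides the packet.
INPUT_CHAIN = [
    ("accept", {"connection-state": {"established", "related", "untracked"}}),
    ("drop",   {"connection-state": {"invalid"}}),
    ("accept", {"protocol": "icmp"}),
    ("accept", {"src-address-list": "rede-suporte"}),
    ("accept", {"protocol": "udp", "dst-port": {53}, "in-interface-list": "LAN"}),
    ("accept", {"protocol": "tcp", "dst-port": {53}, "in-interface-list": "LAN"}),
    ("accept", {"protocol": "udp", "dst-port": {500, 1701, 4500}, "in-interface-list": "WAN"}),
    ("accept", {"protocol": "ipsec-esp", "in-interface-list": "WAN"}),
    ("drop",   {}),                                   # "drop all else"
]

def pkt(src, in_iface, proto, dst_port=None, state="new"):
    """Constructed packet summary holding only the fields the chain inspects."""
    return {"src": ip_address(src), "in-interface": in_iface, "protocol": proto,
            "dst-port": dst_port, "connection-state": state}

def matches(matchers, p):
    """True when every matcher of one rule holds for p (matchers are ANDed)."""
    checks = {
        "connection-state":  lambda w: p["connection-state"] in w,
        "protocol":          lambda w: p["protocol"] == w,
        "dst-port":          lambda w: p["dst-port"] in w,
        "in-interface-list": lambda w: p["in-interface"] in IFACE_LIST[w],
        "src-address-list":  lambda w: any(p["src"] in n for n in ADDR_LIST[w]),
    }
    return all(checks[k](w) for k, w in matchers.items())

def evaluate(chain, p):
    """(action, rule index) of the first matching rule. A packet reaching the
    end of a chain is accepted by RouterOS, which the closing drop prevents."""
    for idx, (action, matchers) in enumerate(chain):
        if matches(matchers, p):
            return action, idx
    return "accept", None

if __name__ == "__main__":  # constructed samples; 203.0.113.7 stands in for the peer
    for name, p in [("L2TP from peer", pkt("203.0.113.7", "ether1", "udp", 1701)),
                    ("WinBox from Internet", pkt("198.51.100.9", "ether1", "tcp", 2288)),
                    ("WinBox from rede-suporte", pkt("10.10.12.254", "bridge1", "tcp", 2288))]:
        print(f"{name:25} -> {evaluate(INPUT_CHAIN, p)}")
```

Swap in the forward chain and a packet whose in-interface is the L2TP interface to check that the cross-site file-server traffic actually reaches an accept rule rather than "drop all else".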