I've recently configured my RB3011 to allow remote administration over an L2TP/IPsec VPN. I can VPN into the router and get the 'connection successful' response, but I cannot reach the router with WinBox over the tunnel. I can access and manage the router when connected locally. I have a feeling I've made a stupid mistake and am missing something basic; hours of work and I still can't find my error. The configuration (exported with hide-sensitive) is below, and any help will be appreciated.
Regards,
Dave
\
mar/10/2021 23:06:47 by RouterOS 6.47.9
software id = 1TN6-HQF0
model = RouterBOARD 3011UiAS
serial number = 71A00666BD75
# Review notes are added below as '#' comments; the exported commands themselves are unchanged.
# Symptom under review: the L2TP/IPsec tunnel comes up, but WinBox over the tunnel cannot reach the router.
/caps-man configuration
add country="united states3" datapath.client-to-client-forwarding=yes
datapath.local-forwarding=yes datapath.vlan-id=10 datapath.vlan-mode=
use-tag mode=ap name=cfg_Free ssid=IFC-Free
/interface bridge
add admin-mac=6C:3B:6B:38:3E:2B auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=bridge name=vlan_Free vlan-id=10
/caps-man configuration
add channel.band=2ghz-onlyn country="united states3" datapath.bridge=bridge
datapath.client-to-client-forwarding=yes datapath.local-forwarding=yes
max-sta-count=30 mode=ap name=cfg_Main security.authentication-types=
wpa2-psk security.encryption=aes-ccm ssid=IFC
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] dns-name=IntlFellowship.net hotspot-address=
10.10.1.254 http-cookie-lifetime=3h
add dns-name=IFC-portal.net hotspot-address=10.10.1.1 name=hsprof1
rate-limit=1M/2M
/ip pool
add name=dhcp ranges=192.168.70.10-192.168.70.200
add name=pool_Free ranges=10.10.1.10-10.10.1.20
# pool_VPN sits inside the LAN subnet 192.168.70.0/24 and does not overlap the DHCP pool (.10-.200).
add name=pool_VPN ranges=192.168.70.201-192.168.70.210
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=1d10m name=
defconf
add address-pool=pool_Free disabled=no interface=vlan_Free lease-time=3h10m
name=server_Free
/ip hotspot
add address-pool=pool_Free disabled=no interface=vlan_Free name=hotspot1
profile=hsprof1
/ip hotspot user profile
set [ find default=yes ] address-pool=pool_Free mac-cookie-timeout=3h name=
UserFree rate-limit=1M/2M shared-users=30
/ppp profile
# Router-side tunnel address is 192.168.70.199; VPN clients get an address from pool_VPN.
# A WinBox session over the tunnel would target 192.168.70.199 (or 192.168.70.1) and arrives on the
# dynamic L2TP interface, so it is evaluated by the input chain below, not the forward chain.
# NOTE(review): the ppp profile supports an interface-list= option; setting it to LAN here would place
# each dynamic L2TP interface into the LAN list automatically - confirm on this RouterOS version.
set *0 dns-server=8.8.8.8,8.8.4.4 local-address=192.168.70.199
remote-address=pool_VPN
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=
cfg_Main slave-configurations=cfg_Free
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
# The IPsec pre-shared key is hidden by the export (hide-sensitive); it is not reviewable here.
set enabled=yes use-ipsec=yes
/interface list member
# Only 'bridge' is a member of LAN. The dynamic <l2tp-...> interface created per VPN client is NOT in
# LAN, so input traffic from the VPN client (WinBox, TCP 8291) hits "defconf: drop all not coming from
# LAN" (in-interface-list=!LAN) in the filter section below. This is the most likely cause of the symptom.
# Candidate fixes (one is enough): add the PPP interfaces to LAN, e.g. `add interface=all-ppp list=LAN`,
# or set interface-list=LAN on the ppp profile, or add an input accept rule for
# src-address=192.168.70.201-192.168.70.210 placed before the drop rule.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
# PPTP is enabled but plays no part in the L2TP/IPsec setup; no input rule admits TCP 1723 or GRE from
# WAN, so it is only reachable from LAN. Its MS-CHAPv2/MPPE protection is weak; disabling it removes an
# unused service.
set enabled=yes
/ip address
# NOTE(review): the LAN address is on ether2, which is itself a bridge port (see /interface bridge port),
# while the DHCP server and the LAN interface list use 'bridge'. The defconf normally puts this address
# on 'bridge'; confirm the intended interface.
add address=192.168.70.1/24 comment=defconf interface=ether2 network=
192.168.70.0
add address=96.35.166.166/30 interface=ether1 network=96.35.166.164
add address=10.10.1.1/24 interface=vlan_Free network=10.10.1.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=10.10.1.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=10.10.1.1
add address=192.168.70.0/24 comment=defconf dns-server=1.1.1.1,1.0.0.1
gateway=192.168.70.1
/ip dns
# Remote DNS requests are allowed; exposure to WAN is prevented only by the input-chain drop for !LAN.
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.70.1 comment=defconf name=router.lan
/ip firewall address-list
# 'fuladmin' (192.168.70.0/24, which also covers pool_VPN) is not referenced by any rule in this export.
add address=192.168.70.0/24 list=fuladmin
/ip firewall filter
add action=drop chain=forward comment="Prevent Guest access to main network"
dst-address=192.168.70.0/24 src-address=10.10.1.0/24
# These two accepts let the IPsec/L2TP tunnel itself come up from any interface (consistent with the
# 'connection successful' observation). They do not cover traffic that later flows inside the tunnel.
add action=accept chain=input comment="L2TP-IPSec VPN access" port=
1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# A new WinBox connection arriving on the dynamic L2TP interface reaches this rule: it is not
# established, not ICMP, and its in-interface is not in LAN, so it is dropped here.
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
# No masquerade rule is present in this export; LAN/VPN-to-internet NAT is a separate concern from the
# WinBox symptom and is not covered here.
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
/ip hotspot user
add name=KBC server=hotspot1
/ip route
add distance=1 gateway=96.35.166.165
/ppp secret
add name=XXXXXXX
/system clock
set time-zone-name=America/Chicago
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
# MAC-based WinBox is limited to LAN; over the L2TP tunnel connect by IP address instead, which is what
# the input chain above evaluates.
set allowed-interface-list=LAN