Good day to all experienced MikroTik users!
We have a CCR1009-7G-1C-1S+ router acting as an L2TP/IPsec VPN gateway so remote users can join the "main office" network.
37.213.241.55/24 on the combo interface faces the ISP. Local network 192.168.10.0/24 is on br1-lan with proxy-arp.
DHCP pool for local clients 192.168.10.50-99, VPN gateway 192.168.10.100, VPN clients 192.168.10.101-199, i.e. local and remote clients share the same address space.
Remote clients connect easily and have SMB/RDP access to the server. They can ping the VPN gateway, main gateway, server and hosts. But they are not visible from the local network and do not see each other, so we can't have SMB/RDP access between remote clients, or even between local and remote clients. For example, a remote client receives the address 192.168.10.199 and it can't be pinged from the server, hosts, or even the MikroTik terminal. We think the problem is somewhere in the firewall rules, presumably in the forward chain, but can't understand where exactly... and have already rewritten the rules many times with no visible result.
If someone has experience with this, please help us solve this problem!
Here are the main parts of the config:
# sep/04/2018 06:58:48 by RouterOS 6.42.7
# software id = 3R4P-DLDB
# model = CCR1009-7G-1C-1S+
Interfaces
/interface bridge
add arp=proxy-arp name=br1-lan
/interface ethernet
set [ find default-name=combo1 ] comment="WAN port" name=combo
set [ find default-name=ether1 ] name=eth1
set [ find default-name=ether2 ] name=eth2
set [ find default-name=ether3 ] name=eth3
set [ find default-name=ether4 ] name=eth4
set [ find default-name=ether5 ] name=eth5
set [ find default-name=ether6 ] name=eth6
set [ find default-name=ether7 ] name=eth7
set [ find default-name=sfp-sfpplus1 ] name=sfpplus
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=br1-lan interface=eth2
add bridge=br1-lan interface=eth3
add bridge=br1-lan interface=eth4
add bridge=br1-lan interface=eth1
add bridge=br1-lan interface=eth5
/interface detect-internet
set internet-interface-list=all wan-interface-list=all
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile="L2TP C2S" enabled=yes ipsec-secret=xxxxx use-ipsec=yes
IP address
/ip address
add address=192.168.10.1/24 comment="lan gateway" interface=br1-lan network=192.168.10.0
add address=37.213.241.55/24 comment="wan gateway" interface=combo network=37.213.241.0
add address=192.168.1.1/24 comment="kbserver ikvm" disabled=yes interface=eth7 network=192.168.1.0
/ip pool
add comment="local clients" name=dhcp-lan ranges=192.168.10.50-192.168.10.99
add comment="remote clients" name=dhcp-vpn ranges=192.168.10.101-192.168.10.199
#Firewall filters
/ip firewall filter
add action=accept chain=input comment="emergency remote access" src-address-list=remote_access
add action=accept chain=input comment="local access to winbox, webfig" in-interface=!combo src-address=192.168.10.0/24
add action=drop chain=input comment="block external dns requests" disabled=yes dst-port=53 in-interface=combo protocol=udp
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1h chain=input comment="add ssh attempts to ssh_blacklist for 60 min" dst-port=22 protocol=tcp
add action=drop chain=input comment="block ssh brute forcers" dst-port=22 log=yes log-prefix=" — SSH ATTEMPT — " protocol=tcp src-address-list=ssh_blacklist
add action=accept chain=input comment="allow established/related connections" connection-state=established,related
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add action=accept chain=input comment="accept ping from remote_access" connection-state=new protocol=icmp src-address-list=remote_access
add action=accept chain=input comment="accept ike" connection-state=new dst-port=500 protocol=udp
add action=accept chain=input comment="accept ipsec-esp" connection-state=new protocol=ipsec-esp
add action=accept chain=input comment="accept ipsec-ah" connection-state=new protocol=ipsec-ah
add action=accept chain=input comment="accept l2tp" connection-state=new dst-port=1701,4500 protocol=udp
add action=drop chain=input comment="drop everything else"
add action=accept chain=output comment="allow only non-invalid connections" connection-state=!invalid
add action=drop chain=output comment="drop everything else"
add action=accept chain=forward comment="allow established/related connections" connection-state=established,related
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add action=accept chain=forward comment="accept from lan to wan" in-interface=!combo out-interface=combo
add action=drop chain=forward comment="drop everything else" disabled=yes
L2TP / IPSec
/ppp profile
add change-tcp-mss=yes comment="Remote VPN clients-to-site with complete lan access" dns-server=192.168.10.1 local-address=192.168.10.100 name="L2TP C2S" remote-address=dhcp-vpn wins-server=192.168.10.1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
add disabled=yes enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=C2S
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des exchange-mode=main-l2tp generate-policy=port-strict secret=XXXXXXXXXXXXXXXXX send-initial-contact=no
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
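As an added example (not part of the post above), a small Python evaluator over the firewall filter export: it parses the `add key=value` lines and returns the first enabled accept/drop rule a described packet hits, using the RouterOS behaviour that a packet reaching the end of a chain is accepted. It shows that with the forward chain's final drop rule disabled, a new L2TP-to-LAN flow matches nothing and falls through to that default accept. The interface name `<l2tp-user1>` and the packet fields are assumptions; the rule text is copied from the export.

```python
import shlex

# Constructed input: the forward chain and the VPN-relevant input rules copied from the post's export.
FILTER_EXPORT = """
add action=accept chain=input comment="allow established/related connections" connection-state=established,related
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add action=accept chain=input comment="accept ike" connection-state=new dst-port=500 protocol=udp
add action=accept chain=input comment="accept ipsec-esp" connection-state=new protocol=ipsec-esp
add action=accept chain=input comment="accept l2tp" connection-state=new dst-port=1701,4500 protocol=udp
add action=drop chain=input comment="drop everything else"
add action=accept chain=forward comment="allow established/related connections" connection-state=established,related
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add action=accept chain=forward comment="accept from lan to wan" in-interface=!combo out-interface=combo
add action=drop chain=forward comment="drop everything else" disabled=yes
"""

# Keys that describe the rule itself rather than constrain which packets it matches.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}

def parse_rules(export):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments whole."""
    rules = []
    for line in export.strip().splitlines():
        if line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line[4:])))
    return rules

def matches(rule, pkt):
    """Every matcher in the rule must agree with the packet; '!x' negates, 'a,b' is a set."""
    for key, want in rule.items():
        if key in NON_MATCHERS:
            continue
        if key not in pkt:  # matcher on a field the packet does not carry (e.g. an address list)
            return False
        negate = want.startswith("!")
        hit = pkt[key] in want.lstrip("!").split(",")
        if hit == negate:
            return False
    return True

def verdict(rules, chain, pkt):
    """First enabled accept/drop rule that matches decides; falling off the end is RouterOS's default accept."""
    for rule in rules:
        if rule["chain"] != chain or rule.get("disabled") == "yes":
            continue
        if rule["action"] in ("accept", "drop", "reject") and matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "no rule matched (chain default)"

RULES = parse_rules(FILTER_EXPORT)  # e.g. verdict(RULES, "forward", {"in-interface": "<l2tp-user1>", ...})
```

The matcher only understands exact values, `!` negation and comma lists, which covers every matcher in this export; port ranges and address lists would need extending.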