Route all traffic down L2TP VPN

I’ve set up a hAP lite as an L2TP VPN client and I can see it’s connected to the VPN server. The VPN server address is 192.168.42.1 and the hAP has 192.168.42.10.

My laptop connected to the hAP via wifi has an ip address of 192.168.88.254 and a gateway of 192.168.88.1 (the hAP).

I can access the internet from my laptop but when I check the external IP address, it shows as my home connection and not the ip address of the VPN server.

I can ping 192.168.88.1 and 192.168.42.10 from the laptop but I can’t ping 192.168.42.1.

If I tick the “Add Default Route” option in the L2TP client config then I can no longer access the internet. I still can’t ping 192.168.42.1 either.

I’m sure I’m probably missing some firewall rules or a static route but I’m a Mikrotik newbie so I have no idea!

Can someone point me in the right direction?

It might be how you have srcnat set up and/or whether the server at the other side knows how to route back to your LAN IP (192.168.88.254).

If the packets from your local LAN (192.168.88.254) are only NATed when they leave your router for the internet (0.0.0.0/0 or its interface) then your LAN IP will remain the same when it arrives at the server network (192.168.42.0/24).

The server may not know to route 192.168.88.0/24 addresses back via 192.168.42.10, hence no ping reply.


If you’re wanting to have all your internet traffic routed via the VPN then you’ll need to add routing marks to traffic that you intend to go via the VPN and add the 0.0.0.0/0 dst route via the VPN there, specifying the routing marks.

Thanks ebreyit.

I can handle the server side of things but can you give me an idiot’s guide on how to do the Mikrotik side?

Thanks.

This is a bit rough and ready and may contain mistakes but should point you in the right direction. This is also not the only way it could be done and may not be the best.


Add the IP addresses you want to route via the VPN to an address list:

/ip firewall address-list
add address=192.168.88.254 list=OutVpn

Create a rule to mark packets from your address list for routing:

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=VpnRoute passthrough=yes \
    src-address-list=OutVpn dst-address=0.0.0.0/0 comment="mark OutVpn hosts for VPN routing"

NAT the traffic so that traffic tunnelling through the VPN appears to come from 192.168.42.10 (the hAP’s tunnel IP). The rule must be enabled, and restricting it to the tunnel interface keeps it from rewriting traffic that leaves via the WAN:

/ip firewall nat
add action=src-nat chain=srcnat src-address-list=OutVpn out-interface=YourVpn \
    to-addresses=192.168.42.10 comment="NAT tunnelled traffic to the hAP's VPN address"

Add a route sending all marked packets/traffic via the VPN:

/ip route
add check-gateway=ping distance=1 gateway=YourVpn routing-mark=VpnRoute

Thanks ebreyit.

I’ve tried the rules you suggested and had a little play but I still can’t get anything flowing down the VPN. I have checked the server firewall and it is all fine. I can connect to the VPN from my Mac and it all routes fine so there must be something I am missing on the hAP.

Any other suggestions? Is there a log I can view to see where things are going wrong?

Thanks.

Export your config and drop a copy here.

Also do a tracert/traceroute from your PC to the VPN’s IP and post the results here.

Also do a traceroute to 8.8.8.8 from the PC and post the results here.

Export:

# sep/14/2017 16:47:02 by RouterOS 6.40.3
# software id = AETY-MC9S
#
# model = RouterBOARD 941-2nD
# serial number = XXXXXXXXXXXXX
/interface bridge
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
    MikroTik-XXXXXX wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
/interface l2tp-client
add connect-to=XXX.XXX.XXX.XXX disabled=no ipsec-secret=XXXXXXXXXXXXXXX \
    keepalive-timeout=disabled name=l2tp-out1 password=XXXXXXXXXXXXXXXX \
    use-ipsec=yes user=XXXXXX
/ip neighbor discovery
set ether1 discover=no
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    wpa-pre-shared-key=XXXXXXXXXX wpa2-pre-shared-key=XXXXXXXXXX
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=wlan1
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2-master network=\
    192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=192.168.88.254 list=OutVpn
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=0.0.0.0/0 \
    new-routing-mark=VpnRoute passthrough=yes src-address-list=OutVpn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat disabled=yes src-address-list=OutVpn \
    to-addresses=192.168.42.10
/ip route
add check-gateway=ping distance=1 gateway=l2tp-out1 routing-mark=VpnRoute
/system clock
set time-zone-name=Europe/London
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge

traceroute to VPN Server:

Matts-iMac:~ matt$ traceroute 192.168.42.1
traceroute to 192.168.42.1 (192.168.42.1), 64 hops max, 52 byte packets
 1  router.lan (192.168.88.1)  1.061 ms  0.663 ms  0.494 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *

traceroute to 8.8.8.8:

Matts-iMac:~ matt$ traceroute 8.8.8.8
traceroute to 8.8.8.8 (8.8.8.8), 64 hops max, 52 byte packets
 1  router.lan (192.168.88.1)  1.057 ms  0.531 ms  0.794 ms
 2  * * *
 3  * * *
 4  * * *
 5  * * *

traceroute to hAP vpn client:

Matts-iMac:~ matt$ traceroute 192.168.42.10
traceroute to 192.168.42.10 (192.168.42.10), 64 hops max, 52 byte packets
 1  192.168.42.10 (192.168.42.10)  1.015 ms  3.396 ms  0.660 ms
Matts-iMac:~ matt$

Posting the answer…

I had to remove the default “Fasttrack Connection” rule from the firewall. Everything else was left as default. Once the VPN connection was set up, these are the rules I added:

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=VPN passthrough=no \
    src-address=192.168.88.10-192.168.88.254

/ip firewall nat
add action=masquerade chain=srcnat out-interface=VPN-L2TP

/ip route
add distance=1 gateway=VPN-L2TP routing-mark=VPN

Thanks for your help ebreyit. Couldn’t have got there without you!
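The complete policy-routing setup the thread arrives at, written out as an added example (this is not ebreyit’s or the poster’s own config). It assumes the tunnel interface is named l2tp-out1, the LAN is 192.168.88.0/24 on the bridge, and the router’s tunnel address is 192.168.42.10, matching the export above; the comment strings, the OutVpn list name and the VpnRoute mark are chosen here. It goes one step beyond the thread by adding an unreachable fallback route so that marked traffic cannot leak out of the WAN interface if the tunnel drops.

```routeros
# Added example, not from the thread. Names assumed: l2tp-out1 (tunnel),
# bridge/192.168.88.0/24 (LAN), OutVpn (address list), VpnRoute (mark).

# 1. Hosts that should leave via the VPN. A whole subnet here; list single
#    addresses instead if only some clients should be tunnelled.
/ip firewall address-list
add address=192.168.88.0/24 list=OutVpn comment="LAN hosts routed via VPN"

# 2. Mark routing for those hosts, except for traffic to the LAN itself, so
#    local access to the router and neighbours is not pushed into the tunnel.
#    passthrough=no: no further mangle rules need to see these packets.
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=VpnRoute \
    passthrough=no src-address-list=OutVpn dst-address=!192.168.88.0/24 \
    comment="send OutVpn hosts down the L2TP tunnel"

# 3. Fasttracked connections bypass mangle, so packets after the first one
#    lose the routing mark. The thread's fix was to remove the default
#    fasttrack rule; disabling it has the same effect and is reversible.
/ip firewall filter
set [ find comment="defconf: fasttrack" ] disabled=yes

# 4. Source-NAT tunnelled traffic to the tunnel's own address, so the VPN
#    server can reply without needing a route back to 192.168.88.0/24.
/ip firewall nat
add chain=srcnat action=masquerade out-interface=l2tp-out1 \
    comment="masquerade LAN behind the tunnel address"

# 5. Default route used only by packets carrying the mark. check-gateway
#    withdraws it when the tunnel stops answering; the second, higher-distance
#    route then catches marked traffic instead of letting it fall back to the
#    main table and leave unencrypted via the WAN.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=VpnRoute distance=1 \
    check-gateway=ping comment="default route for VpnRoute-marked traffic"
add dst-address=0.0.0.0/0 type=unreachable routing-mark=VpnRoute distance=10 \
    comment="kill switch: no WAN fallback while the tunnel is down"

# 6. Verify from a LAN client by checking its public address; on the router,
#    the mangle and NAT counters should grow while the client browses and the
#    marked route should be active.
/ip firewall mangle print stats
/ip firewall nat print stats where out-interface=l2tp-out1
/ip route print where routing-mark=VpnRoute
```

Note that traceroute run on the router itself is not a useful check here: router-originated packets do not pass through prerouting, so they never receive the mark. Test from a client in the address list, as the thread does.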

My next problem is that I want to be able to access the admin interface of the router from another client on the VPN.

So far, I have both connected up to the VPN (PC - 192.168.42.10 and Mikrotik - 192.168.42.11) but I can’t access the web interface of the Mikrotik at 192.168.42.11 from the PC.

I’m guessing it’s got to be a firewall rule somewhere but I can’t work it out.

I’ve checked the VPN server firewall and that is allowing client to client routing and I can ping the PC at 192.168.42.10 from the Mikrotik but I can’t ping the Mikrotik at 192.168.42.11 from the PC.
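The export earlier in the thread shows why management over the tunnel is blocked on the router side: the input chain accepts ICMP, then drops anything that did not arrive on an interface in the LAN list, and the L2TP interface is not in that list. The rule below, an added example rather than anything posted in the thread, opens only the management ports, only from the VPN pool, only on the tunnel interface. It assumes the interface is still named l2tp-out1 and the VPN pool is 192.168.42.0/24; the comment strings are chosen here. Because ICMP is already accepted before the drop, this rule does not by itself explain the failed ping, which points at the server side or the other client.

```routeros
# Added example, not from the thread. Assumes l2tp-out1 and 192.168.42.0/24.

# Accept management from VPN clients only. 8291 = Winbox, 443 = www-ssl;
# enable www-ssl with a certificate rather than exposing plain-text port 80.
# place-before keeps the rule above the default "drop all not from LAN" rule.
/ip firewall filter
add chain=input action=accept in-interface=l2tp-out1 \
    src-address=192.168.42.0/24 protocol=tcp dst-port=8291,443 \
    comment="management from VPN clients" \
    place-before=[ find comment="defconf: drop all not coming from LAN" ]

# Defence in depth: the services themselves only answer the LAN and VPN pool,
# so a firewall mistake later does not expose them to the WAN.
/ip service
set winbox address=192.168.88.0/24,192.168.42.0/24
set www-ssl address=192.168.88.0/24,192.168.42.0/24 disabled=no

# After a connection attempt, confirm the accept rule sits above the drop
# rule and that its counters move.
/ip firewall filter print stats where chain=input
```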