Still the same problem and the same issue, please help!

Dear all,
I am not able to access my local LAN network when I connect through the L2TP Windows client. I can only ping the MikroTik gateway (IP: 192.168.5.1).
When I connect through the WireGuard Windows client, I can easily access all my LAN network servers etc.

Why is this happening???

Please export and post your config.

L2TP Windows client does not connect to WireGuard, suggest you have to connect to an L2TP server… '=P

As noted, your config is likely wrong, and the fact that you haven't posted
a. your complete config
b. network diagrams

is completely absurd, as this is not your first post.
You know very well that anything you say is opinion and will be ignored UNTIL you provide evidence!!

/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1_bridge
set [ find default-name=ether2 ] disabled=yes name=ether2_bridge
set [ find default-name=ether3 ] name=ether3_bridge
set [ find default-name=ether4 ] name=ether4_WAN
set [ find default-name=ether5 ] name=ether5_LAN
/interface wireguard
add listen-port=13231 mtu=1420 name=wireguard1
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether1_bridge
add bridge=bridge ingress-filtering=no interface=ether2_bridge
add bridge=bridge ingress-filtering=no interface=ether3_bridge
/ip neighbor discovery-settings
set discover-interface-list=all
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface l2tp-server server
set enabled=yes one-session-per-host=yes use-ipsec=required
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=192.168.216.2/32 interface=wireguard1 public-key=\
    "rhgyufy+E/Pw5itB5ogyP1ousIJYObhhjvHGU="
/ip address
add address=xx.xx.xx.xx/29 interface=ether4_WAN network=xx.xx.xx.xx
add address=192.168.5.2/24 interface=ether5_LAN network=192.168.5.0
add address=192.168.216.1/24 interface=wireguard1 network=192.168.216.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dns
set cache-size=10000KiB servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=accept chain=input comment="Router Access Remotely" dst-port=\
    4477,4478 protocol=tcp
add action=drop chain=input comment="Block Attack" dst-port=\
    25,53,87,512-515,543,544,7547,8080 protocol=tcp
add action=drop chain=input comment="Block Attack" dst-port=\
    53,80,87,161,162,1900,4520-4524,8080 protocol=udp
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "Port Scanners to Address List " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-FIN/SYN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-RST/SYN scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-FIN/PSH/URG scan" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port Scanners" \
    address-list-timeout=none-dynamic chain=input comment=\
    "TCP Flag-NMAP NULL scan" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping Port Scanners" \
    src-address-list="Port Scanners"
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.5.0/24
add action=masquerade chain=srcnat src-address=192.168.216.0/24
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
    xx.xx.xx.xx%ether4_WAN pref-src="" routing-table=main scope=30 \
    suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=4478
set ssh disabled=yes
set api disabled=yes
set winbox port=4477
set api-ssl disabled=yes
/ppp secret
add local-address=192.168.5.2 name=L2TP profile=default-encryption \
    remote-address=192.168.5.3 service=l2tp
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5

Any suggestions, please?

Edit: Please ensure you let folks know your router is behind another router, especially with unsafe configs as per below!! Even still I would only allow VPN to the router and then access config/subnets.


/ip firewall filter
add action=accept chain=input comment="Router Access Remotely" dst-port=\
    4477,4478 protocol=tcp

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=4478
set ssh disabled=yes
set api disabled=yes
set winbox port=4477


PS. It is not clear why you even have a bridge, you didn't even give the bridge an IP address??? There is no dhcp network, no dhcp network-server settings, nor any IP pools.

Good luck!
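
Added example (not part of the thread and not any poster's code): a small Python audit of a RouterOS export that flags the pattern called unsafe above, an input-chain accept rule that opens an enabled /ip service port with no source restriction. The sample export is constructed from the quoted sections; the second rule, limited to the WireGuard subnet, is an assumed variant for contrast, and only services with an explicit port= are checked.

```python
import re

# Constructed sample in export form, based on the sections quoted above. The
# second filter rule (limited to the WireGuard subnet) is an assumed variant.
SAMPLE_EXPORT = r'''/ip firewall filter
add action=accept chain=input comment="Router Access Remotely" dst-port=\
    4477,4478 protocol=tcp
add action=accept chain=input comment="Winbox via WG" dst-port=4477 \
    protocol=tcp src-address=192.168.216.0/24
/ip service
set telnet disabled=yes
set www port=4478
set winbox port=4477
'''
SOURCE_LIMITS = ("src-address", "src-address-list", "in-interface", "in-interface-list")

def parse_export(text):
    """Map each /section to its command lines, joining backslash continuations."""
    sections, current = {}, None
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line and current is not None:
            current.append(line)
    return sections

def fields(line):  # key=value pairs; quoted values keep their spaces
    return {k: v.strip('"') for k, v in re.findall(r'([\w-]+)=("[^"]*"|\S*)', line)}

def expand_ports(spec):
    """Turn a dst-port value such as '25,512-515' into a set of ints."""
    bounds = (part.partition("-") for part in spec.split(","))
    return {p for lo, _, hi in bounds for p in range(int(lo), int(hi or lo) + 1)}

def exposed_management_rules(text):
    """Input accept rules that open an enabled service port to any source."""
    sections, svc, findings = parse_export(text), {}, []
    # Assumption: only services with an explicit port= in the export are checked.
    for line in sections.get("/ip service", []):
        f = fields(line)
        if f.get("disabled") != "yes" and "port" in f:
            svc[int(f["port"])] = line.split()[1]  # e.g. 4477 -> "winbox"
    for f in map(fields, sections.get("/ip firewall filter", [])):
        if f.get("chain") != "input" or f.get("action") != "accept" or "dst-port" not in f:
            continue
        hit = expand_ports(f["dst-port"]) & set(svc)
        if hit and not any(k in f for k in SOURCE_LIMITS):
            findings.append((f.get("comment", ""), sorted(svc[p] for p in hit)))
    return findings
```

Calling exposed_management_rules(SAMPLE_EXPORT) reports only the "Router Access Remotely" rule; the rule limited to the WireGuard subnet passes.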

Excuse me,
for your kind information, I have many MikroTik routers on different sites. Almost I have set the same ports on them for Winbox and for web, not using default ports. I create the filter rule because sometimes it's not accessible without this rule. So that's why I apply this rule on all my MikroTik routers. Maybe I'm making a mistake here; you can tell me.

I can only access my LAN network, like the Windows server, through WireGuard, but on L2TP/IPsec I am not able to ping my LAN servers, except the MikroTik LAN gateway.

I have made the bridge just for other purposes.
The bridge is not related to this.
All my LAN network is using static IPs, that's why I have no need for a DHCP server.

My apologies, there was no indication that the router was behind another router… Still a good practice to encrypt to the router and then visit the LAN or the config, especially if already using WG.
Good luck with L2TP issue, not an L2TP expert.

Will L2TP work, or do I need to use WG?