Teltonika - Mikrotik VPN

Mor · November 29, 2023, 8:24am

Been trying to set-up AXIS camera controller on a different site but I’ve been running into issues. The AXIS server is on the same network as my mikrotik router, while the controller is on teltonika network.
I have set up an L2TP w/ IPsec VPN on my mikrotik hAP ax3 router and connected to that vpn with a teltonika RUT950 router.
I need to be able to see the local mikrotik network from teltonika router, however I cannot ping or see local mikrotik devices from teltonika router. My guess is some firewall rules but I honestly can’t find which ones.

rbuserdl · November 29, 2023, 10:15pm

Hello!!

Are you sure the VPN is up?
Which router is the L2TP server?
The default rules on Mikrotik only drops packets from WAN and L2TP interfaces are not WAN. Maybe you could see if the L2TP interface is in the interface list “wan”
IMHO, this is too few information to know what is happening, maybe, sharing an export (hidding sensitive information) should help.

Regards,
Damián

patrick7 · November 29, 2023, 10:29pm

Why L2TP? Use wireguard

Mor · November 30, 2023, 12:47pm

Hey,
The VPN is indeed working, teltonika router shows that it is connected and I’ve also tried to connect to it through windows - both work just fine.
L2TP server is Mikrotik, client is teltonika.
This is my config, it has 2 IP address pools, one for vpn another for dhcp, tried putting VPN on both still no dice

# nov/30/2023 14:41:07 by RouterOS 7.8
# software id = 11DN-3JX7
#
# model = C53UiG+5HPaxD2HPaxD
# serial number = 
/interface bridge
add admin-mac=78:9A:XX:XX:XX arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac \
    configuration.mode=ap .ssid=MikroTik-2C9921 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac \
    configuration.mode=ap .ssid=MikroTik-2C9922 disabled=no \
    security.authentication-types=wpa2-psk,wpa3-psk
add configuration.ssid="PK Sveciai" disabled=no mac-address=7A:9A:XX:XX:XX  \
    master-interface=wifi1 name=wifi3
add configuration.ssid="PK Sveciai" disabled=no mac-address=7A:9A:XX:XX:XX  \
    master-interface=wifi2 name=wifi4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.1.105-192.168.1.248
add name=vpn ranges=192.168.1.20-192.168.1.30
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=9h10m name=defconf
/ppp profile
set *0 local-address=192.168.1.2 remote-address=dhcp
/interface bridge filter
add action=drop chain=forward in-interface=wifi3
add action=drop chain=forward out-interface=wifi3
add action=drop chain=forward in-interface=wifi4
add action=drop chain=forward out-interface=wifi4
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add bridge=bridge interface=wifi3
add bridge=bridge interface=wifi4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set default-profile=default enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0
add address=81.7.XX:XX:XX /24 interface=ether1 network=81.XX:XX:XX 
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server lease
add address=192.168.1.198 comment=KAMERUSRV mac-address=1C:6F:65:53:72:BA
add address=192.168.1.208 comment=NEW mac-address=E0:3F:49:16:6A:B3
add address=192.168.1.139 comment=AND mac-address=E0:3F:49:16:6B:09
add address=192.168.1.140 comment=W10 mac-address=04:D9:F5:80:91:83
add address=192.168.1.132 comment=KAM_SERVER mac-address=C0:25:A5:8F:CB:C5
add address=192.168.1.175 comment=AXIS mac-address=B8:A4:4F:08:F3:41
add address=192.168.1.104 comment=PRINTER mac-address=00:17:C8:0D:BD:B7
add address=192.168.1.108 client-id=1:a8:48:fa:58:86:4 comment="4 stotele" \
    lease-time=1d mac-address=A8:48:FA:58:86:04 server=defconf
add address=192.168.1.126 client-id=1:18:31:bf:7:aa:62 comment=k2 \
    mac-address=18:31:BF:07:AA:62 server=defconf
add address=192.168.1.106 client-id=1:34:ab:95:74:e7:94 comment="3 stotele" \
    lease-time=1d mac-address=34:AB:95:74:E7:94 server=defconf
add address=192.168.1.127 client-id=1:30:83:98:5c:dd:f0 comment="2 stotele" \
    lease-time=1d mac-address=30:83:98:5C:DD:F0 server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=212.59.1.1,212.59.2.2 \
    gateway=192.168.1.1 netmask=24
/ip dns
set servers=212.59.1.1,212.59.2.2
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=drop chain=input comment="vpn block" src-address=88.119.232.171
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
    protocol=udp
add action=accept chain=input comment="VPN UDP" dst-address=81.7.XX:XX:XX \
    dst-port=1701,500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="VPN IPSEC" dst-address=81.7.XX:XX:XX  \
    in-interface-list=WAN protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment=kasa dst-address=81.7.XX:XX:XX  \
    dst-port=10097 in-interface-list=all protocol=tcp to-addresses=\
    192.168.1.126 to-ports=10097
add action=dst-nat chain=dstnat comment=rdp dst-address=81.7.XX:XX:XX  dst-port=\
    3389 in-interface-list=all protocol=tcp to-addresses=192.168.1.198 \
    to-ports=3389
add action=dst-nat chain=dstnat comment="cam web" dst-address=81.7.XX:XX:XX  \
    dst-port=81 in-interface-list=all protocol=tcp to-addresses=192.168.1.198 \
    to-ports=81
add action=dst-nat chain=dstnat comment="cam 8000" dst-address=81.7.XX:XX:XX  \
    dst-port=8000 in-interface-list=all protocol=tcp to-addresses=\
    192.168.1.198 to-ports=8000
add action=dst-nat chain=dstnat comment=ftp dst-address=81.7.XX:XX:XX  dst-port=\
    3298 in-interface-list=all protocol=tcp to-addresses=192.168.1.140 \
    to-ports=3298
add action=dst-nat chain=dstnat comment="kameros 554" dst-address=81.7.XX:XX:XX  \
    dst-port=554 in-interface-list=all protocol=tcp to-addresses=192.168.1.10 \
    to-ports=554
add action=dst-nat chain=dstnat comment=http dst-address=81.7.XX:XX:XX  \
    dst-port=80 in-interface-list=all protocol=tcp to-addresses=192.168.1.175 \
    to-ports=8002
add action=dst-nat chain=dstnat comment="rnd new" dst-address=81.7.XX:XX:XX  \
    dst-port=3359 in-interface-list=all protocol=tcp to-addresses=\
    192.168.1.208 to-ports=3359
add action=dst-nat chain=dstnat comment="rnd qh" dst-address=81.7.XX:XX:XX  \
    dst-port=3349 in-interface-list=all protocol=tcp to-addresses=\
    192.168.1.139 to-ports=3349
add action=dst-nat chain=dstnat comment="kameros 8000" dst-address=\
    81.7.XX:XX:XX  dst-port=8001 in-interface-list=all protocol=tcp \
    to-addresses=192.168.1.10 to-ports=8000
add action=dst-nat chain=dstnat comment=kam_sercer dst-address=81.7.XX:XX:XX  \
    dst-port=250 in-interface-list=all protocol=tcp to-addresses=\
    192.168.1.132 to-ports=55752
add action=dst-nat chain=dstnat comment=kam_server1 dst-address=81.7.XX:XX:XX  \
    dst-port=251 in-interface-list=all protocol=tcp to-addresses=\
    192.168.1.132 to-ports=55754
add action=dst-nat chain=dstnat comment=kam_server2 dst-address=81.7.XX:XX:XX  \
    dst-port=252 in-interface-list=all protocol=tcp to-addresses=\
    192.168.1.132 to-ports=55759
add action=accept chain=input comment=vpn disabled=yes dst-address=\
    81.7.XX:XX:XX  dst-port=1701,500,4500 in-interface-list=all protocol=udp
add action=accept chain=input disabled=yes dst-address=81.7.XX:XX:XX  \
    in-interface-list=all protocol=ipsec-esp
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes \
    src-address=192.168.89.0/24
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/ppp secret
add name=turgus service=l2tp
add disabled=yes name=test service=l2tp
/system clock
set time-zone-name=Europe/Vilnius
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Mor · November 30, 2023, 12:51pm

Simply put, I don’t know what wireguard is . I just knew that mikrotik and teltonika both support L2TP so I just went with that without much research.
Would wireguard be a better option? If so, what’s the differance between the two?

Mor · November 30, 2023, 1:00pm

Oh I should also mention - when I connected to the VPN through windows, I could ping and access the local network.