running webfig v6.34.3
This is our first MikroTik router. We have a server sitting at 192.168.1.50 that has L2TP/IPsec set up on it to accept VPN connections. We have configured the NAT tab of the firewall like this…
/ip firewall nat
add action=dst-nat chain=dstnat in-interface=ether1 protocol=ipsec-esp \
to-addresses=192.168.1.50
add action=dst-nat chain=dstnat dst-port=4500 in-interface=ether1 protocol=udp \
to-addresses=192.168.1.50 to-ports=4500
add action=dst-nat chain=dstnat dst-port=500 in-interface=ether1 protocol=udp \
to-addresses=192.168.1.50 to-ports=500
add action=dst-nat chain=dstnat in-interface=ether1 protocol=ipsec-ah \
to-addresses=192.168.1.50
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
ether1
It doesn’t seem to be connecting properly still, though. Am I missing something?
Thanks
realmx2:
Hello,
Try to dst-nat the port 1701 udp too.
Yeah, I added 1701, and also added all the PPTP ports too, and can’t connect through PPTP either. If I add 3389 (Remote Desktop) I can, so I know it’s working to an extent.
I did test locally, and within the network I can PPTP and L2TP into the server. So it points to the MikroTik as the issue.
Here’s the current config…
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept establieshed,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
/ip firewall nat
add action=dst-nat chain=dstnat in-interface=ether1 protocol=ipsec-esp \
to-addresses=192.168.1.50
add action=dst-nat chain=dstnat dst-port=4500 in-interface=ether1 protocol=\
udp to-addresses=192.168.1.50 to-ports=4500
add action=dst-nat chain=dstnat dst-port=500 in-interface=ether1 protocol=udp \
to-addresses=192.168.1.50 to-ports=500
add action=dst-nat chain=dstnat in-interface=ether1 protocol=ipsec-ah \
to-addresses=192.168.1.50
add action=dst-nat chain=dstnat dst-port=1723 in-interface=ether1 protocol=\
tcp to-addresses=192.168.1.50 to-ports=1723
add action=dst-nat chain=dstnat dst-port=1701 in-interface=ether1 protocol=\
udp to-addresses=192.168.1.50 to-ports=1701
add action=dst-nat chain=dstnat in-interface=ether1 protocol=gre \
to-addresses=192.168.1.50
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether1
/ip firewall service-port
Any other ideas?
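As an added example (not code from the thread or from MikroTik), the following Python script parses a RouterOS `/export` NAT section in the format pasted above and reports three things a reviewer of this config would want: which of the protocols an L2TP/IPsec server behind dst-nat needs (UDP 500, UDP 4500, ESP, plus UDP 1701 as the reply suggests) are not forwarded, which rules forward legacy PPTP, and which forwarding rules accept connections from any source address. The sample input is the `/ip firewall nat` section from the post above; the interface name `ether1` and the server address `192.168.1.50` are the thread's own values.

```python
"""Audit a MikroTik `/export` NAT section for L2TP/IPsec port forwarding.

Constructed example: parses the RouterOS export format (backslash line
continuations, key=value tokens, quoted comment strings) and checks the
dst-nat rules that send WAN traffic to the VPN server.
"""
import shlex

# Sample input: the `/ip firewall nat` export pasted in the thread above.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=dst-nat chain=dstnat in-interface=ether1 protocol=ipsec-esp \\
    to-addresses=192.168.1.50
add action=dst-nat chain=dstnat dst-port=4500 in-interface=ether1 protocol=\\
    udp to-addresses=192.168.1.50 to-ports=4500
add action=dst-nat chain=dstnat dst-port=500 in-interface=ether1 protocol=udp \\
    to-addresses=192.168.1.50 to-ports=500
add action=dst-nat chain=dstnat in-interface=ether1 protocol=ipsec-ah \\
    to-addresses=192.168.1.50
add action=dst-nat chain=dstnat dst-port=1723 in-interface=ether1 protocol=\\
    tcp to-addresses=192.168.1.50 to-ports=1723
add action=dst-nat chain=dstnat dst-port=1701 in-interface=ether1 protocol=\\
    udp to-addresses=192.168.1.50 to-ports=1701
add action=dst-nat chain=dstnat in-interface=ether1 protocol=gre \\
    to-addresses=192.168.1.50
add action=masquerade chain=srcnat comment="defconf: masquerade" \\
    out-interface=ether1
"""

# (protocol, dst-port) pairs the L2TP/IPsec server behind the router must receive.
L2TP_IPSEC_REQUIRED = {
    ("udp", "500"): "IKE (udp/500)",
    ("udp", "4500"): "IPsec NAT-T (udp/4500)",
    ("ipsec-esp", None): "ESP (ip protocol 50)",
    ("udp", "1701"): "L2TP (udp/1701, as suggested in the thread)",
}
# PPTP (MS-CHAPv2) is obsolete; forwarding it is flagged so the reviewer can decide.
LEGACY_PPTP = {
    ("tcp", "1723"): "PPTP control (tcp/1723)",
    ("gre", None): "PPTP GRE (ip protocol 47)",
}


def join_continuations(text):
    """Merge lines ending in a backslash, the way RouterOS `/export` wraps them."""
    merged, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]  # keeps any space that precedes the backslash
            continue
        merged.append(buf + line)
        buf = ""
    if buf:
        merged.append(buf)
    return merged


def parse_nat_rules(text):
    """Return one dict per `add ...` line found under `/ip firewall nat`."""
    section, rules = None, []
    for line in join_continuations(text):
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall nat" and line.startswith("add "):
            rule = {}
            for token in shlex.split(line[4:]):  # shlex unquotes comment="a b"
                key, _, value = token.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules


def audit_forwarding(rules, wan_iface, server_ip):
    """Check the dst-nat rules that forward traffic from wan_iface to server_ip."""
    forwarded = {}
    for rule in rules:
        if rule.get("chain") != "dstnat" or rule.get("action") != "dst-nat":
            continue
        if rule.get("in-interface") != wan_iface or rule.get("to-addresses") != server_ip:
            continue
        forwarded[(rule.get("protocol"), rule.get("dst-port"))] = rule
    missing = [name for key, name in L2TP_IPSEC_REQUIRED.items() if key not in forwarded]
    legacy = [name for key, name in LEGACY_PPTP.items() if key in forwarded]
    # A dst-nat rule with neither src-address nor src-address-list accepts any source.
    wide_open = sorted(
        f"{proto}/{port or '*'}"
        for (proto, port), rule in forwarded.items()
        if not (rule.get("src-address") or rule.get("src-address-list"))
    )
    return {"missing": missing, "legacy": legacy, "wide_open": wide_open}


if __name__ == "__main__":
    report = audit_forwarding(parse_nat_rules(SAMPLE_EXPORT), "ether1", "192.168.1.50")
    for key, items in report.items():
        print(f"{key}: {', '.join(items) or 'none'}")
```

An empty `missing` list means the NAT table covers the protocols the server needs, so the fault lies elsewhere; the `wide_open` list shows the rules where a `src-address` or `src-address-list` match would narrow exposure once the client addresses are known.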