Hi all, I am often connecting to my router from the remote site via L2TP with IPsec VPN. I can access everything on my network except the router, so I looked into firewall rules to troubleshoot.
Initially I added my L2TP connection to the LAN address list and it worked fine - I could access the router; however, it is a dynamic interface, so when I disconnect from the VPN it changes to "unknown" and the problem starts all over again.
Earlier I created a rule to accept traffic to dst ports 500, 4500 and 1701, which allows me to connect via L2TP, but there is a rule "drop all not coming from LAN" that is preventing me from accessing the router remotely. I don't really understand why. Default gateway IP 192.168.1.1, remote IP when connected via VPN 192.168.1.2. It's a /24 network, so I am on the same subnet.
So to resolve the problem I placed another rule above it to accept all PPP connections, which also works fine - I can access the router now, but I don't see an option to change "ppp" connections to "l2tp" only. So my question is, how do I modify my firewall to allow only L2TP VPN connections without losing the ability to access the router remotely?
firewall:
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="ACCEPT ALL PPP CONNECTIONS" in-interface=all-ppp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Using the same subnet for L2TP connections as the LAN does not make the connection part of the same network.
You could either:
use an L2TP server binding to give you a static interface name which can be added to the LAN interface list,
or:
add interface-list=LAN to the L2TP server PPP profile which will dynamically add/remove any L2TP interfaces to/from the interface list.
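The two options above, written out as RouterOS CLI commands. This is an added example, not configuration posted by anyone in the thread: the user name "remoteuser", the binding name "l2tp-remote" and the PPP profile name "default-encryption" are assumptions, and the 500/4500/1701 rules reproduce the earlier port rule the original poster mentioned, restricted so that L2TP (UDP/1701) is only accepted when it arrives inside the IPsec tunnel. Either option lets the "drop all not coming from LAN" rule stay in place, so the broad all-ppp accept rule can be removed.

```routeros
# Added example (not from the thread). Goal: keep "defconf: drop all not coming from LAN"
# and make L2TP interfaces members of the LAN list instead of accepting every PPP interface.
# "remoteuser", "l2tp-remote" and the profile name "default-encryption" are assumptions.

# --- Option A: a static server binding, so the interface name survives reconnects ---
# The binding is matched to the PPP user; the interface exists even while disconnected.
/interface l2tp-server add name=l2tp-remote user=remoteuser comment="binding for remote-site VPN user"
/interface list member add list=LAN interface=l2tp-remote

# --- Option B: let the PPP profile add/remove every L2TP interface dynamically ---
# Check which profile the L2TP server really uses first: /interface l2tp-server server print
/ppp profile set default-encryption interface-list=LAN

# With either option in place the blanket PPP accept rule is no longer needed
/ip firewall filter remove [find comment="ACCEPT ALL PPP CONNECTIONS"]

# Only the tunnel setup traffic has to be accepted from the WAN side of the input chain.
# IKE and NAT-T (UDP/500, UDP/4500) come in the clear; L2TP (UDP/1701) is accepted only
# when it was decrypted from the IPsec policy, so plain L2TP from the Internet is still dropped.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 in-interface-list=WAN comment="allow IKE/NAT-T for L2TP/IPsec" place-before=[find comment="defconf: drop all not coming from LAN"]
/ip firewall filter add chain=input action=accept protocol=udp dst-port=1701 ipsec-policy=in,ipsec comment="allow L2TP only inside IPsec" place-before=[find comment="defconf: drop all not coming from LAN"]

# Verify: the L2TP interface should now show up as a LAN member while a client is connected
/interface list member print where list=LAN
```

Option A is the one to pick when a single known user connects and you want a fixed interface name to reference elsewhere (queues, other rules); option B scales to many users without a binding per user. In both cases `/ip firewall filter print` should show the 500/4500 and 1701 rules sitting above the "drop all not coming from LAN" rule, and nothing accepting `all-ppp` any more.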
Thanks for your help, problem resolved! Could you please elaborate on why using the same subnet for L2TP as LAN does not make the connection part of the same network? Any explanation would be much appreciated as I am trying to understand more concepts of networking. Thanks!
An easy mistake to make is thinking the RJ45 on a PC/laptop is an IP connection. It isn't; layer 3 IP packets are encapsulated in layer 2 Ethernet frames sent with layer 1 signalling/coding, e.g. 10BASE-T/100BASE-TX/1000BASE-T.
The IP addressing is straightforward - if the destination IP address is within the sender's subnet it is sent directly to that IP address, otherwise it is sent to the gateway IP address.
The IP-over-Ethernet encapsulation also requires a mechanism to associate IP addresses with ethernet addresses. A sender broadcasts an ARP request, which will reach all devices within that layer 2 network, asking for the ethernet address for a particular IP address, e.g. who has 192.168.1.1? When any device receives a request matching its IP address it replies with its ethernet address, e.g. 00:11:22:33:44:55 has 192.168.1.1. The sender can then send the encapsulated IP to that ethernet address.
Your L2TP connection is not part of that layer 2 network; it is a completely independent point-to-point link using PPP - hence its own interface on the MikroTik. PPP was originally designed for serial lines, but various encapsulations were evolved so the PPP frames could be transported over other networks. The name of this particular encapsulation can be misleading, as the "L2" part refers to transporting PPP, not the final payload. The PPP protocol itself can transport IP, IPv6 plus legacy protocols such as AppleTalk, IPX and NetBEUI.
Wikipedia is as good a starting place as any for background information, and the definitive information on the protocols is in their RFCs.
Okay, so I was testing it at home by connecting my laptop to the hotspot, then L2TP VPN to my router, and I could access the router with no problems. I thought it was resolved, but today I tried to access the router from the remote site and again it is not accessible. To be precise, I am successfully connecting via VPN, I can access Proxmox on my LAN and all VMs that I am running on Proxmox, but I cannot access the router. I tried WebFig on 80 and 443, and WinBox, but nothing works.