Unable to connect to local LAN devices from VPN without default GW

Hello,
Perhaps someone has a good idea why it is not possible to connect to local LAN devices with MikroTik IPsec+L2TP if I remove the option “Use default gateway” on a Windows computer? If this option is used, you can connect and everything works. Maybe I specified something wrong?
Standard “Default rules” with extensions. I have created 2 bridges. One is for “Local-LAN”, the other for “vpn”. Proxy-ARP is not enabled.
/ip firewall address-list
add address=192.168.88.0/24 list=Local-LAN
add address=192.168.89.10-192.168.89.20 list=VPN
Could it be that an additional route needs to be created? I tried everything but to no avail.
Thank you!

/interface bridge
add name=bridge1
add name=bridge2
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=test11 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VPN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa2-pre-shared-key=...
/ip ipsec peer
add name=peer-vpn passive=yes
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=pool-vpn ranges=192.168.89.10-192.168.89.20
/ip dhcp-server
add add-arp=yes address-pool=default-dhcp disabled=no interface=bridge1 \
    lease-time=1d10m name=server1
add add-arp=yes address-pool=pool-vpn disabled=no interface=bridge2 lease-time=\
    1d10m name=server2
/ppp profile
add change-tcp-mss=yes interface-list=LAN local-address=192.168.88.1 name=\
    profile-vpn remote-address=pool-vpn use-encryption=yes use-mpls=no
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=pwr-line1
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether2
add bridge=bridge2 interface=VPN
/ip firewall connection tracking
set tcp-established-timeout=50m
/ip neighbor discovery-settings
set discover-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=profile-vpn enabled=yes \
    ipsec-secret=..
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
add interface=bridge2 list=VPN
/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=192.168.89.1/24 interface=bridge2 network=192.168.89.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
add address=192.168.89.0/24 dns-server=192.168.89.1 gateway=192.168.89.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
add address=192.168.88.0/24 list=Local-LAN
add address=192.168.89.10-192.168.89.20 list=VPN
/ip firewall filter
add action=accept chain=input comment="Allow Established,Related" \
    connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid packets" connection-state=\
    invalid
add action=accept chain=input comment=ICMP protocol=icmp
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" in-interface-list=WAN \
    protocol=ipsec-esp
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input comment=\
    "Allow access to router from known network" in-interface-list=LAN \
    src-address-list=Local-LAN
add action=accept chain=input comment=\
    "Allow access to router from known network" in-interface-list=LAN \
    src-address-list=VPN
add action=log chain=input comment="Log Everything Else" disabled=yes \
    log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop all else"
add action=fasttrack-connection chain=forward comment=Fasttrack \
    connection-state=established,related
add action=accept chain=forward comment="Allow Established,Related" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="Drop Invalid Connections" \
    connection-state=invalid
add action=accept chain=forward comment="Access Internet From LAN" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Access Internet From LAN" disabled=yes \
    in-interface-list=VPN out-interface-list=WAN
add action=accept chain=forward comment=ICMP protocol=icmp
add action=accept chain=forward comment=VPN dst-address-list=Local-LAN \
    src-address-list=VPN
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=drop chain=forward comment="Drop everything else"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN
/ip ipsec identity
add generate-policy=port-strict peer=peer-vpn secret=
/ppp secret
add name=vpn password= profile=profile-vpn service=l2tp

[attachment: vpn.jpg]

You need to explain the IPs and topology of the network on the remote end of VPN connection.

You put both what would be the normal .1 gateway “your end” in the bridges with this

/ip address
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
add address=192.168.89.1/24 interface=bridge2 network=192.168.89.0

That leads us to know that if the far end network works at all it either has a different gateway or a different IP range.
Either way obviously you won't be able to connect to devices in that network unless you told Windows when it connects to use the remote gateway
BECAUSE
neither we nor the router have any clue what the gateway is in the remote network and where to send traffic because your setup is DORKED.

Fixing it may be as simple as a static route but no idea what that needs to be because we don’t know enough about remote network.

thanks for the reply!
“That leads us to know that if the far end network works at all it either has a different gateway or a different IP range.
Either way obviously you won't be able to connect to devices in that network unless you told Windows when it connects to use the remote gateway.”

If I use a range of IP addresses in the VPN configuration from the same subnet, then by turning on proxy-ARP I can establish a connection both with “use default GW” and without it. Everything works.
This problem occurs precisely when different IP address ranges are used in the VPN configuration.
If I create a VPN connection with two different subnets, must I then specify “use default GW”? I also tried bridge mode for these two subnets, but to no avail.

“Fixing it may be as simple as a static route but no idea what that needs to be because we don’t know enough about remote network.”
The remote network is a public dynamic ip address.

After reading the recommendations of forum members to use different IP subnets for L2TP VPN connections, I have created a remote IPsec/L2TP VPN connection for several office workers.
Everything works correctly, but there are several problems because the home connection speeds of the employees are quite slow in some places. So there is a need to remove the “use default GW” option from the Windows VPN connection so that all Internet traffic does not load a slow Internet connection. Without this option, the remote connection works much faster and more stably.

What exactly is good practice? Use different IP subnets for VPN connections or still use the same IP subnet?
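Added example, not from the thread or from MikroTik: a PowerShell snippet for the Windows client side of the "different subnets" setup. It keeps "Use default gateway on remote network" off (split tunneling) and adds a persistent route for the office LAN through the tunnel, which is the static route the reply above alludes to. The connection name "Office-VPN" is a placeholder; 192.168.88.0/24 (Local-LAN) and the 192.168.89.x pool are taken from the router export above.

```powershell
# Added example (not from the thread): route the office LAN through a
# Windows L2TP/IPsec connection while "Use default gateway" stays off.
# Assumptions: the VPN connection is named "Office-VPN" (placeholder),
# the client gets an address from pool-vpn (192.168.89.10-20) and the
# office LAN is 192.168.88.0/24, as in the router export above.
# Run in an elevated PowerShell on the Windows client.
$ConnectionName = 'Office-VPN'      # placeholder: use the name from Get-VpnConnection
$LanPrefix      = '192.168.88.0/24' # Local-LAN address-list on the router

# Fails with a clear error if the connection name is unknown.
# Add -AllUserConnection to every cmdlet below if the connection was
# created for all users instead of the current user.
$vpn = Get-VpnConnection -Name $ConnectionName -ErrorAction Stop

# SplitTunneling $true is the PowerShell equivalent of unticking
# "Use default gateway on remote network": Internet traffic stays on the
# (slow) home uplink and only VPN-specific routes go into the tunnel.
if (-not $vpn.SplitTunneling) {
    Set-VpnConnection -Name $ConnectionName -SplitTunneling $true
}

# With split tunneling Windows only installs a class-based route for the
# assigned address (192.168.89.0/24 here), so packets for 192.168.88.0/24
# never enter the tunnel. Add-VpnConnectionRoute stores the route in the
# phonebook: it is installed each time the tunnel comes up and removed
# when it goes down, so no manual "route add" is needed per session.
Add-VpnConnectionRoute -ConnectionName $ConnectionName -DestinationPrefix $LanPrefix

# Checks after connecting: the LAN prefix should point at the PPP
# interface (its alias equals the connection name) and the tunnel
# address should be in the 192.168.89.x pool.
Get-NetRoute -DestinationPrefix $LanPrefix |
    Select-Object DestinationPrefix, InterfaceAlias, NextHop
Get-NetIPAddress -InterfaceAlias $ConnectionName -AddressFamily IPv4 |
    Select-Object IPAddress, PrefixLength
```

On the router nothing extra is required for this route: the forward rule "VPN" (src-address-list=VPN, dst-address-list=Local-LAN) already permits the traffic and the LAN hosts reply via their 192.168.88.1 gateway.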