Hi,

I am unable to access any kind of management while connected to the router via ipsec vpn. I thought I added the access rule that should allow this to work however it did not. Here is the rule I added. add action=accept chain=input comment="VPN MGMT" in-interface=ether1 ipsec-policy=in,ipsec

I should also add that everything else is working while connected via the VPN. I am able to access my local network.

Thanks for the advise in advance.

\

apr/20/2018 10:46:31 by RouterOS 6.41.3

software id = 4S6E-7VCB

model = 750

serial number = 467802215213

/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz name=2.4
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=eCee name=
5
/interface bridge
add fast-forward=no name=GuestNetwork
add admin-mac=D4:CA:6D:F3:F3:3E auto-mac=no comment=defconf name=HomeNet
/interface ethernet
set [ find default-name=ether1 ] comment="Wan Interface"
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment=LAN
/caps-man datapath
add bridge=HomeNet name=datapath1
/caps-man security
add authentication-types=wpa-psk,wpa2-psk comment="" encryption=
aes-ccm,tkip name=security1 passphrase=
/caps-man configuration
add channel=2.4 country="united states3" datapath=datapath1 mode=ap name=
homenet security=security1 ssid=myster24
add channel=5 country="united states3" datapath=datapath1 mode=ap name=
homenet2 rx-chains=0,1,2 security=security1 ssid=mystery5 tx-chains=0,1,2
/caps-man interface
add configuration=homenet disabled=no l2mtu=1600 mac-address=
CC:2D:E0:1D:6A:BB master-interface=none name=cap12 radio-mac=
CC:2D:E0:1D:6A:BB
add configuration=homenet2 disabled=no l2mtu=1600 mac-address=
CC:2D:E0:1D:6A:BA master-interface=none name=cap13 radio-mac=
CC:2D:E0:1D:6A:BA
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.2.60-192.168.2.80
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=HomeNet lease-time=8h name=
bridge1
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=
homenet
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=
homenet2
/interface bridge port
add bridge=HomeNet comment=defconf interface=ether2
add bridge=HomeNet comment=defconf interface=ether3
add bridge=HomeNet comment=defconf interface=ether4
add bridge=HomeNet comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=all
/interface l2tp-server server
set authentication=chap,mschap2 enabled=yes ipsec-secret= use-ipsec=
yes
/interface list member
add comment=defconf interface=HomeNet list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.2.1/24 comment=defconf interface=ether2 network=
192.168.2.0
add address=192.168.10.1/24 interface=GuestNetwork network=192.168.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=
ether1
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.2.1
/ip dns static
add address=192.168.2.1 name=router.lan
add address=192.168.2.7 name=cloud.warllo.org
add address=192.168.2.7 name=office.warllo.org
add address=192.168.2.11 name=tv.warllo.org
/ip firewall filter
add action=accept chain=input comment=
"defconf: accept established,related,untracked" connection-state=
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="VPN MGMT" in-interface=ether1
ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop invalid" connection-state=
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN"
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy"
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy"
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
connection-state=established,related
add action=accept chain=forward comment=
"defconf: accept established,related, untracked" connection-state=
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid"
connection-state=invalid
add action=drop chain=forward comment=
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade"
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Nas Login" dst-port=8080
in-interface=ether1 protocol=tcp to-addresses=192.168.2.4 to-ports=8080
add action=dst-nat chain=dstnat comment="Open Vpn" dst-port=20500
in-interface=ether1 protocol=tcp to-addresses=192.168.2.2 to-ports=20500
add action=dst-nat chain=dstnat comment="Open Vpn" dst-port=1194
in-interface=ether1 protocol=udp to-addresses=192.168.2.2 to-ports=1194
add action=dst-nat chain=dstnat comment=Next-cloud-https dst-port=443
in-interface=ether1 protocol=tcp to-addresses=192.168.2.7 to-ports=443
add action=dst-nat chain=dstnat comment="Collabra office " dst-port=9980
in-interface=ether1 protocol=tcp to-addresses=192.168.2.7 to-ports=9980
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 in-interface=
ether1 protocol=tcp to-addresses=192.168.2.11 to-ports=32400
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=
192.168.89.0/24
/ip service
set www port=81
/ip upnp
set enabled=yes
/ppp secret
add name=vpn password= service=l2tp
/system clock
set time-zone-name=America/Chicago
/system leds
add interface=ether1 leds=user-led type=interface-transmit
/system scheduler
add comment="Update No-IP DDNS" interval=5m name=no-ip_ddns_update on-event=
no-ip_ddns_update policy=read,write,test start-date=mar/17/2018
start-time=16:11:01
/system script
add name=no-ip_ddns_update owner=admin policy=read,write,test source="# No-IP
automatic Dynamic DNS update\r
\n\r
\n#--------------- Change Values in this section to match your setup -----
-------------\r
\n\r
\n# No-IP User account info\r
\n:local noipuser ""\r
\n:local noippass ""\r
\n\r
\n# Set the hostname or label of network to be updated.\r
\n# Hostnames with spaces are unsupported. Replace the value in the quotat
ions below with your host names.\r
\n# To specify multiple hosts, separate them with commas.\r
\n:local noiphost "office.warllo.org,ftp.warllo.org,cloud.warllo.org,tv.w
arllo.org"\r
\n\r
\n# Change to the name of interface that gets the dynamic IP address\r
\n:local inetinterface "ether1"\r
\n\r
\n#-----------------------------------------------------------------------
-------------\r
\n# No more changes need\r
\n\r
\n:global previousIP\r
\n\r
\n:if ([/interface get $inetinterface value-name=running]) do={\r
\n# Get the current IP on the interface\r
\n :local currentIP [/ip address get [find interface="$inetinterface"
_disabled=no] address]\r
\n\r
\n# Strip the net mask off the IP address\r
\n :for i from=( [:len $currentIP] - 1) to=0 do={\r
\n :if ( [:pick $currentIP $i] = "/") do={ \r
\n :set currentIP [:pick $currentIP 0 $i]\r
\n } \r
\n }\r
\n\r
\n :if ($currentIP != $previousIP) do={\r
\n :log info "No-IP: Current IP $currentIP is not equal to previou
s IP, update needed"\r
\n :set previousIP $currentIP\r
\n\r
\n# The update URL. Note the "\3F" is hex for question mark (?). Requi
red since ? is a special character in commands.\r
\n :local url "http://dynupdate.no-ip.com/nic/update\3Fmyip=$curr
entIP"\r
\n :local noiphostarray\r
\n :set noiphostarray [:toarray $noiphost]\r
\n :foreach host in=$noiphostarray do={\r
\n :log info "No-IP: Sending update for $host"\r
\n /tool fetch url=($url . "&hostname=$host") user=$noipuse
r password=$noippass mode=http dst-path=("no-ip_ddns_update-" . $host
. ".txt")\r
\n :log info "No-IP: Host $host updated on No-IP with IP $cur
rentIP"\r
\n }\r
\n } else={\r
\n :log info "No-IP: Previous IP $previousIP is equal to current I
P, no update needed"\r
\n }\r
\n} else={\r
\n :log info "No-IP: $inetinterface is not currently running, so there
fore will not update."\r
\n}\r
\n\r
\n"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Your configuration export reveals that you actually do not use “IPsec VPN” but “L2TP over IPsec VPN” which is not the same.thing. Therefore, the packets from the VPN client appear as if coming in via an interface called ****

<l2tp-username>

of type

l2tp-in

which is created dynamically when the client is connected, or exists statically if you create a static

/interface l2tp-server

binding assigning a static interface name to the ppp username.

So the rule you’ve added, ****

action=accept chain=input comment="VPN MGMT" in-interface=ether1 ipsec-policy=in,ipsec

does not match that traffic. The first rule to match it is the

action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN

• because the dynamically created

<l2tp-vpn>

interface is not on the interface-list

LAN

.

So one possibility is to replace ****

interface-list=!LAN

by

interface-list=WAN

, the other possibility is to create a static interface for each user in

/interface l2tp-server

and add these interfaces as members of interface list

LAN

.

If you used a plain IPsec, the situation would be different - in that case, packets decrypted and decapsulated from IPsec transport packets appear as coming in through the same interface through which the transport packets come in, which is ****

ether1

in your case, so the rule you have added (

comment="VPN MGMT"

) would be helpful.

Plus there is one more issue in your configuration, you’ve set ****

use-ipsec=yes

in

/interface l2tp-server server

. This means that plaintext L2TP connections are accepted as well. To fix this, either change that setting to

use-ipsec=required

, or add “ipsec-policy=in,ipsec” to the match list of the firewall rule

action=accept protocol=udp dst-port=1701

.

Excellent response. Thank you this was very helpful.