[UPDATED] Bare IpSec: VPN reaches the local LAN, but not the other way round? Also, is my config sane?

Hello everyone,

(I’ve updated this post since I created it because, as it turns out, I didn’t correctly describe the problem. Config at the bottom of the post!)

Let me preface this with the fact that I am very much a networking beginner - I come from the world of home routers and plug&play access points and wanted to throw myself in the cold water in order to learn more about the topic, so when our last router gave up I went for the Mikrotik HAP ac! So far I’ve been amazed by just how much functionality you get for that price.

Basically, what I have at home is the following:

  • Internet / WAN access through a fibre GPON connected to LAN1 of the Mikrotik (as per instructions)
  • Internet connection is established by a PPPoE connection running in VLAN 35 (that’s just what our provider wants)
  • it’s a home router, so the network is a bunch of phones, Arduinos, IoT hubs, you name it.
  • but it also includes 2 servers, one of which is reachable via HTTPS as it hosts a webserver & a bunch of other ports through port forwarding (192.168.178.35).
  • the other server is pi-hole on a Pi (192.168.178.31, basically it’s just an ad-blocking DNS server). So the Mikrotik’s DHCP server tells clients to use the pi-hole server as DNS, and the pi-hole server itself uses the Mikrotik’s DNS server.

I got the basic setup kinda going within 2 days (well, I did want to jump into the cold water …). So I have internet access, wifi, port forwarding, DynDNS with a script courtesy of some other forum user, and IPv6.

There is one issue remaining though, and that is VPN access. The requirement is basically that I want to be able to connect to my internal LAN through my Android phone (but maybe also Windows / Mac / Unix clients) from the internet. I just need a single user, there will be no one else but me, and there will only be one VPN connection at a time. Note that the Mikrotik has a dynamically allocated IPv4 and IPv6 address on the WAN side and I use a DynDNS service to reach stuff using a hostname.

Back to the VPN: Initially, I went for L2TP/IpSec as that is what most guides seem to suggest. However, that didn’t go well: the connection always breaks down after about 1.5 min - essentially this is the same story: http://forum.mikrotik.com/t/ipsec-l2tp-discconect-after-one-minute/134756/1 (unresolved). So, not being hung up on L2TP/IpSec, I thought I’d try bare IpSec. I basically followed the guide from Mikrotik’s Wiki (Road warrior IpSec with pre-shared key xauth).

So, I can connect fine from my Android phone, and I can access the local LAN as well as the internet through the Mikrotik. However, the other way round this is not working: from my local LAN, devices cannot connect to the Android phone (or whatever device) using its DHCP-assigned IP (assigned by the Mikrotik). In other words and by way of example: from my Android phone connected via VPN, I can ping devices in my LAN. In turn, these devices cannot ping the Android phone.

I suppose there must be something relatively simple missing here, but my noob-superpowers are not quite there yet …

So, the main question would be:

  • what would I need to change to allow the devices in my local LAN to connect to the device connected via IpSec VPN?

In addition, if you have time, I’d be grateful for answers as regards the following:

  • is my setup “sane”? Are the firewall rules sufficient?
  • is my IPv6 setup correct?
  • what can I do to reach the router’s config interface from the VPN?

Bonus:

  • Should I consider restricting the Arduinos’ access to the Internet?

THANKS A LOT for your time - I know I have a lot of questions and being a total noob I really appreciate your efforts to help!

# jan/21/2020 20:46:08 by RouterOS 6.46.2
# software id = 75A8-UWJH
#
# model = RB962UiGS-5HacT2HnT
/interface bridge
add admin-mac=74:4D:28:CD:FA:B8 arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=***** disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=myssid wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=***** disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=myssid wireless-protocol=802.11
/interface vlan
add interface=ether1 name="VO VLAN" vlan-id=35
/interface pppoe-client
add add-default-route=yes disabled=no interface="VO VLAN" max-mru=1500 max-mtu=1500 name="VO PPPoE" use-peer-dns=yes user=hidden@hidden.hidden
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
add name=road-warrior passive=yes
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp ranges=192.168.178.10-192.168.178.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip ipsec mode-config
add address-pool=dhcp name=road-warrior
/ipv6 dhcp-server
add interface=bridge name=ipv6dhcp
/ppp profile
set *0 use-mpls=no
add bridge=bridge change-tcp-mss=yes dns-server=192.168.178.31 name=ipsec_vpn use-encryption=yes use-ipv6=default
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ipsec_vpn max-mru=1500 max-mtu=1500 use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface="VO PPPoE" list=WAN
/ip address
add address=192.168.178.1/16 comment=defconf interface=ether2 network=192.168.0.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.178.35 client-id=ff:f8:3:89:63:0:2:0:0:ab:11:55:a2:d7:a9:73:40:35:be mac-address=10:F0:05:92:DE:F2 server=defconf
add address=192.168.178.251 mac-address=B4:E6:2D:7D:AD:18 server=defconf
add address=192.168.178.250 mac-address=BC:DD:C2:95:A7:BD server=defconf
add address=192.168.178.249 mac-address=60:01:94:4C:11:C3 server=defconf
add address=192.168.178.247 mac-address=F4:F5:D8:F7:74:FA server=defconf
add address=192.168.178.21 client-id=1:68:5b:35:7f:d0:fd mac-address=68:5B:35:7F:D0:FD server=defconf
add address=192.168.178.82 mac-address=00:17:88:46:11:1B server=defconf
add address=192.168.178.252 mac-address=B4:E6:2D:9E:9D:45 server=defconf
add address=192.168.178.254 mac-address=DC:4F:22:19:95:51 server=defconf
/ip dhcp-server network
add address=192.168.0.0/16 comment=defconf dns-server=192.168.178.31 domain=my.domain gateway=192.168.178.1 netmask=16
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.178.1 name=router.my.domain
add address=192.168.178.35 name=udoo.my.domain
add address=192.168.178.31 name=pi.my.domain
/ip firewall filter
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=!192.168.178.1 protocol=tcp src-address=192.168.178.0/24
add action=dst-nat chain=dstnat dst-address=!192.168.178.1 dst-address-type=local dst-port=443 log=yes protocol=tcp to-addresses=192.168.178.35 to-ports=443
add action=dst-nat chain=dstnat dst-address=!192.168.178.1 dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.178.35 to-ports=80
add action=dst-nat chain=dstnat dst-address=!192.168.178.1 dst-address-type=local dst-port=8883 protocol=tcp to-addresses=192.168.178.35 to-ports=8883
add action=dst-nat chain=dstnat dst-address=!192.168.178.1 dst-address-type=local dst-port=3478 protocol=tcp to-addresses=192.168.178.35 to-ports=3478
add action=dst-nat chain=dstnat dst-address=!192.168.178.1 dst-address-type=local dst-port=3478 protocol=udp to-addresses=192.168.178.35 to-ports=3478
add action=dst-nat chain=dstnat dst-address=!192.168.178.1 dst-address-type=local dst-port=9002 protocol=tcp to-addresses=192.168.178.35 to-ports=9002
add action=dst-nat chain=dstnat dst-address=!192.168.178.1 dst-address-type=local dst-port=1883 protocol=tcp to-addresses=192.168.178.35 to-ports=1883
/ip ipsec identity
add auth-method=pre-shared-key-xauth generate-policy=port-strict mode-config=road-warrior peer=road-warrior username=myIPSECuser
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface="VO PPPoE" type=external
/ipv6 address
add from-pool=vo-ipv6-pool interface=bridge
/ipv6 dhcp-client
add add-default-route=yes interface="VO PPPoE" pool-name=vo-ipv6-pool pool-prefix-length=48 request=prefix
/ipv6 firewall address-list
add address=fe80::/16 list=allowed
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/ppp secret
add local-address=192.168.178.1 name=myIPSECuser profile=ipsec_vpn remote-address=192.168.178.99 service=l2tp
/system clock
set time-zone-name=Europe/Luxembourg
/system logging
add prefix="L2TPDBG===>" topics=l2tp
add prefix="IPSECDBG===>" topics=ipsec
/system scheduler
add interval=1m name="DynDNS Scheduler" on-event="EuroDNS DynDNS" policy=read,write,test start-date=jan/17/2020 start-time=23:22:25
/system script
add dont-require-permissions=no name="EuroDNS DynDNS" owner=admin policy=read,write,test source="..."
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

A side comment that does not address your main question…

No need to script/pay for a third-party DynDNS service; RouterOS offers /ip cloud on all routers, which does the same thing using MikroTik’s free nameserver, two clicks to set up and use.

Thanks a bunch for the information, I’ll have a look and possibly switch after the current issue(s) have been resolved! :)

(Just a small comment to say I’ve updated the original post as I failed to accurately describe the problem. It was not a UDP connection issue. But simply, devices in my local LAN cannot reach the device on the other end of the VPN)

Are you missing your routes? (/ip route)

Hey, thanks a lot for taking the time to answer!

My very unprofessional answer would be ... "I don't know". Sorry - I'm actually a bit clueless. Here is a printout of the routes:

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          VO PPPoE                  1
 1 ADC  80.90.46.143/32    85.93.206.91    VO PPPoE                  0
 2 ADC  192.168.0.0/16     192.168.178.1   bridge                    0

Can you detect anything odd?

Thanks a lot!

I only see one /ip address command in your configuration. You assign 192.168.178.1/16 to ether2… but ether2 is part of bridge, and bridge is your gateway. If an interface is in a bridge, any address must be assigned to the bridge, not the interface.

I’m a bit thrown by DHCP having issued you an address with netmask of /32 and a totally unrelated pref-src, but I’m assuming this is a PPPoE artifact and I’m not familiar with PPPoE. I’d give that a quick second glance just in case my unease is justified.

Thanks for your answer!

I changed it from ether2 to the bridge, and (so far) I have not noticed any change in behaviour, everything works as before.

I tried to look up why that would be a problem but I admit it’s a bit over my head. Could you please explain why you think this is a problem? And which address attributed by the DHCP do you mean?

Thanks again for your effort!

Line 1 in your routes. It says to me, “If I ever want to contact 80.90.46.143 (and ONLY that one device), ship the message out VO PPPoE and tell him it came from 85.93.206.91 (which isn’t even anywhere near his network range, and he couldn’t answer back if he tried).”

To me, who knows nothing about PPPoE, this looks like a hack misconfiguration… but it’s marked Dynamic and doesn’t appear in your configuration script, so I have to assume it’s been created by a DHCP interaction captured by your DHCP client, and initiated outside your own equipment, presumably by something that knows what it’s doing, but I sure can’t figure it out.

Thanks again for your answer. I think indeed it’s a normal artefact of the PPPoE connection.

Unfortunately I also haven’t come closer to my problem with the VPN connection - I assume it must be a firewall thing …

Your 2nd masquerade line, for IPSEC traffic, only permits TCP. Try deleting the protocol reference.
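
An added example that is not from the thread: a small Python checker that parses a RouterOS export in the format posted above and flags the two problems the replies diagnose, an IP address assigned to a bridge port instead of the bridge itself, and a masquerade rule limited to one protocol so that non-TCP replies to the VPN client are never translated. The sample export is constructed from the relevant lines of the posted config; treating each add/set line as a command followed by key=value pairs is my assumption about the export format.

```python
import shlex

# Constructed sample: the relevant lines of the export posted in this thread,
# trimmed to what the two checks below need.
SAMPLE_EXPORT = """\
/interface bridge
add name=bridge
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
/ip address
add address=192.168.178.1/16 comment=defconf interface=ether2 network=192.168.0.0
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=!192.168.178.1 protocol=tcp src-address=192.168.178.0/24
"""

def parse_export(text):
    """Yield (section, command, params) for each add/set line of an export (assumed format)."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and export header comments
        if line.startswith("/"):
            section = line                # e.g. "/ip firewall nat"
            continue
        tokens = shlex.split(line)        # keeps quoted values like "VO PPPoE" intact
        params = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        yield section, tokens[0], params

def check_export(text):
    """Return findings for the two mistakes discussed in the thread."""
    entries = list(parse_export(text))
    findings = []
    # 1. An address bound to an interface that is itself a bridge port: as the
    #    reply above says, the address has to be assigned to the bridge instead.
    ports = {p["interface"]: p.get("bridge", "?") for s, _, p in entries
             if s == "/interface bridge port" and "interface" in p}
    for s, _, p in entries:
        if s == "/ip address" and p.get("interface") in ports:
            findings.append(f"address {p.get('address', '?')} sits on bridge port "
                            f"{p['interface']}; move it to {ports[p['interface']]}")
    # 2. A masquerade rule restricted to one protocol: replies in any other
    #    protocol (e.g. the UDP packets Mosh needs) are never translated.
    for s, _, p in entries:
        if s == "/ip firewall nat" and p.get("action") == "masquerade" and "protocol" in p:
            findings.append(f"masquerade rule for src {p.get('src-address', 'any')} is "
                            f"limited to protocol={p['protocol']}; drop the protocol match")
    return findings

if __name__ == "__main__":
    for finding in check_export(SAMPLE_EXPORT):
        print("WARN:", finding)
```

Run it against a full `/export` to check both points at once; a rule such as the first masquerade line, which has no protocol match, produces no finding.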

Thanks a lot - that practically solved the issue!

I can now open a Mosh session from my Android phone to a server in the LAN, which in general terms requires the server to be able to send UDP packets to the client (Android phone)!

Curiously, I cannot ping the Android phone from devices in my LAN (no route to host). It works from the router’s shell. This is actually not a problem at all for me, but I’m curious why that would be?

Again, thanks a lot for your time and help!