VPN Connect but can't ping LAN devices

Hi,

I’ve set up an RB2011 which shares two internet connections on Ether1 & Ether2. There are 5 separate LANs and I want to get VPN users to be able to communicate with the Management LAN (192.168.100.0/24). I have created an IP Pool for VPN users (192.168.150.2-25).

I’ve tried for ages to play around with Firewall Rules and Routes but I can’t seem to figure this out. With the VPN established I occasionally see a few ping responses from the VPN Client to the Device on the Management LAN, but hardly any in the scheme of things — 93% loss.

I have pasted my config below, hopefully someone here can help me to finally figure this out!

feb/21/2017 13:40:57 by RouterOS 6.35.1

software id = GE04-R3YV

# NOTE(review): RouterOS 6.35.1 export as pasted in the thread. The forum has
# replaced straight quotes with typographic ones (“ ”) and wrapped long lines,
# so this text will not paste back into a terminal unchanged.
/interface ethernet
set [ find default-name=ether1 ] comment=“WAN1 - Virgin” name=WAN1
set [ find default-name=ether2 ] comment=“WAN2 - Zen” name=WAN2
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
# ether5 is renamed here; everything below refers to it as “ether5 - Management”.
set [ find default-name=ether5 ] comment=“Server alternative connection”
name=“ether5 - Management”
set [ find default-name=ether6 ] comment=“Office 1”
set [ find default-name=ether7 ] comment=“Office 2”
set [ find default-name=ether8 ] comment=“Office 3”
set [ find default-name=ether9 ] comment=“Office 4”
set [ find default-name=ether10 ] disabled=yes
/ip neighbor discovery
set WAN1 comment=“WAN1 - Virgin”
set WAN2 comment=“WAN2 - Zen”
set “ether5 - Management” comment=“Server alternative connection”
set ether6 comment=“Office 1”
set ether7 comment=“Office 2”
set ether8 comment=“Office 3”
set ether9 comment=“Office 4”
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): 3DES with pfs-group=none is a weak IPsec proposal by today's
# standards; the /ip ipsec peer further down uses enc-algorithm=3des as well.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=none
# Address pools: one per LAN port plus the VPN pool handed out by the ppp profile.
/ip pool
add name=Management ranges=192.168.100.2-192.168.100.25
add name=“Office 1” ranges=172.16.10.2-172.16.10.6
add name=“Office 2” ranges=172.16.20.2-172.16.20.6
add name=“Office 3” ranges=172.16.30.2-172.16.30.6
add name=“Office 4” ranges=172.16.40.2-172.16.40.6
add name=VPN ranges=192.168.150.2-192.168.150.25
# The Management DHCP server is bound directly to the ether5 port. The later
# reply moves that port into a bridge, after which this server is reported
# broken (follow-up post: “highlighted in red”).
/ip dhcp-server
add address-pool=Management disabled=no interface=“ether5 - Management” name=
Management
add address-pool=“Office 1” disabled=no interface=ether6 name=“Office 1”
add address-pool=“Office 2” disabled=no interface=ether7 name=“Office 2”
add address-pool=“Office 3” disabled=no interface=ether8 name=“Office 3”
add address-pool=“Office 4” disabled=no interface=ether9 name=“Office 4”
# local-address=192.168.150.1 is the router's end of each PPP link. It is not
# assigned to any interface under /ip address below (the reply's question b).
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=192.168.150.1 name=
“L2TP IN Profile” remote-address=VPN use-compression=no use-encryption=
yes use-mpls=no
# NOTE(review): no bridge= value survives in this export for WAN1/WAN2 — confirm
# whether the two WAN ports are really bridge slaves; the /ip dhcp-client
# entries below are attached to the ports themselves.
/interface bridge port
add interface=WAN1
add interface=WAN2
/ip firewall connection tracking
set enabled=yes
# L2TP server; the IPsec side is the /ip ipsec peer below (secret masked).
/interface l2tp-server server
set default-profile=“L2TP IN Profile” enabled=yes ipsec-secret=********
# NOTE(review): PPTP is enabled alongside L2TP, with chap and mschap1 allowed;
# both are generally regarded as broken. If all users are on L2TP/IPsec,
# disabling this server removes an exposed weak service.
/interface pptp-server server
set authentication=chap,mschap1,mschap2 default-profile=“L2TP IN Profile”
enabled=yes
# Router addresses on the LAN ports; the office LANs are /24 (see the /30
# isolation rules below).
/ip address
add address=172.16.10.1/24 interface=ether6 network=172.16.10.0
add address=172.16.20.1/24 interface=ether7 network=172.16.20.0
add address=172.16.30.1/24 interface=ether8 network=172.16.30.0
add address=172.16.40.1/24 interface=ether9 network=172.16.40.0
add address=192.168.100.1/24 interface=“ether5 - Management” network=
192.168.100.0
# Both WANs get their address by DHCP; default routes are added statically
# under /ip route instead (add-default-route=no).
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no
interface=WAN2
add add-default-route=no disabled=no interface=WAN1
/ip dhcp-server network
add address=172.16.10.0/24 gateway=172.16.10.1
add address=172.16.20.0/24 gateway=172.16.20.1
add address=172.16.30.0/24 gateway=172.16.30.1
add address=172.16.40.0/24 gateway=172.16.40.1
add address=192.168.100.0/24 gateway=192.168.100.1 netmask=24
# NOTE(review): allow-remote-requests=yes makes the router a resolver. The
# input rules below accept UDP/TCP 53 without an in-interface match and the
# final “Drop anything else!” rule is disabled, so DNS is also answered on the
# WAN side (open-resolver exposure).
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=8192KiB servers=
208.67.222.222,208.67.220.220
# support = addresses granted full input access by a rule further down; note
# it also includes the whole Office 1 subnet (172.16.10.0/24, last entry).
/ip firewall address-list
add address=192.168.100.0/24 list=support
add address=0.0.0.0/8 comment=“Self-Identification [RFC 3330]” list=bogons
add address=10.0.0.0/8 comment=“Private[RFC 1918] - CLASS A # Check if you nee
d this subnet before enable it” list=bogons
add address=127.0.0.0/8 comment=“Loopback [RFC 3330]” list=bogons
add address=169.254.0.0/16 comment=“Link Local [RFC 3330]” list=bogons
# The 172.16/12 and 192.168/16 bogon entries must stay disabled here because
# the LANs and the VPN pool live in those ranges.
add address=172.16.0.0/12 comment=“Private[RFC 1918] - CLASS B # Check if you
need this subnet before enable it” disabled=yes list=bogons
add address=192.168.0.0/16 comment=“Private[RFC 1918] - CLASS C # Check if you
_need this subnet before enable it” disabled=yes list=bogons
add address=192.0.2.0/24 comment=“Reserved - IANA - TestNet1” list=bogons
add address=192.88.99.0/24 comment=“6to4 Relay Anycast [RFC 3068]” list=
bogons
add address=198.18.0.0/15 comment=“NIDB Testing” list=bogons
add address=198.51.100.0/24 comment=“Reserved - IANA - TestNet2” list=bogons
add address=203.0.113.0/24 comment=“Reserved - IANA - TestNet3” list=bogons
add address=224.0.0.0/4 comment=
“MC, Class D, IANA # Check if you need this subnet before enable it”
list=bogons
add address=172.16.10.0/24 list=support
# Rules are evaluated top to bottom within a chain; a rule with no action=
# accepts. Neither input nor forward has an active final drop in this export.
/ip firewall filter
# Log-only accepts (port= matches either source or destination port).
add chain=input comment=“L2TP Log” in-interface=WAN1 log=yes port=
500,1701,4500 protocol=udp
add chain=input comment=“L2TP Log” in-interface=WAN1 log=yes port=1723,47
protocol=tcp
# IKE / NAT-T / L2TP accepted on WAN1 only; clients arriving via WAN2 are not
# covered here (currently moot because the input chain has no active final drop).
add chain=input comment=L2TP dst-port=500 in-interface=WAN1 protocol=udp
add chain=input comment=L2TP dst-port=4500 in-interface=WAN1 protocol=udp
add chain=input comment=L2TP dst-port=1701 in-interface=WAN1 protocol=udp
# NOTE(review): inter-office isolation uses /30 masks, but the office subnets
# are /24 and their DHCP pools run .2-.6; hosts .4-.6 fall outside the /30 and
# are not isolated. /24 on both sides is probably what was intended.
add action=drop chain=forward dst-address=172.16.20.0/30 src-address=
172.16.10.0/30
add action=drop chain=forward dst-address=172.16.30.0/30 src-address=
172.16.10.0/30
add action=drop chain=forward dst-address=172.16.40.0/30 src-address=
172.16.10.0/30
add action=drop chain=forward dst-address=172.16.10.0/30 src-address=
172.16.20.0/30
add action=drop chain=forward dst-address=172.16.30.0/30 src-address=
172.16.20.0/30
add action=drop chain=forward dst-address=172.16.40.0/30 src-address=
172.16.20.0/30
add action=drop chain=forward dst-address=172.16.10.0/30 src-address=
172.16.30.0/30
add action=drop chain=forward dst-address=172.16.20.0/30 src-address=
172.16.30.0/30
add action=drop chain=forward dst-address=172.16.40.0/30 src-address=
172.16.30.0/30
add action=drop chain=forward dst-address=172.16.10.0/30 src-address=
172.16.40.0/30
add action=drop chain=forward dst-address=172.16.20.0/30 src-address=
172.16.40.0/30
add action=drop chain=forward dst-address=172.16.30.0/30 src-address=
172.16.40.0/30
# Keeps the netwatch probe (host=4.2.2.4 below) from leaving via WAN2.
add action=drop chain=output comment=
“Drop pings to 4.2.2.4 if they go through PROVIDER2” dst-address=4.2.2.4
out-interface=WAN2
# SYN-flood and port-scan detection: offenders are listed, then dropped.
add action=add-src-to-address-list address-list=Syn_Flooder
address-list-timeout=30m chain=input comment=
“Add Syn Flood IP to the list” connection-limit=30,32 protocol=tcp
tcp-flags=syn
add action=drop chain=input comment=“Drop to syn flood list”
src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner
address-list-timeout=1w chain=input comment=“Port Scanner Detect”
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment=“Drop to port scan list”
src-address-list=Port_Scanner
add action=jump chain=input comment=“Jump for icmp input flow” jump-target=
ICMP protocol=icmp
# Disabled: once enabled, winbox (tcp/8291) is restricted to the support list.
add action=drop chain=input comment=“Block all access to the winbox - except t
o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP
PORT ADDRESS LIST” disabled=yes dst-port=8291 protocol=tcp
src-address-list=!support
add action=jump chain=forward comment=“Jump for icmp forward flow”
jump-target=ICMP protocol=icmp
add action=drop chain=forward comment=“Drop to bogon list” dst-address-list=
bogons
# src-address-list=spammers is referenced but never populated in this export.
add action=drop chain=forward comment=“Avoid spammers action” dst-port=25,587
protocol=tcp src-address-list=spammers
# No in-interface= restriction on these two rules — see the /ip dns note above.
add chain=input comment=“Accept DNS - UDP” port=53 protocol=udp
add chain=input comment=“Accept DNS - TCP” port=53 protocol=tcp
add chain=input comment=“Accept to established connections” connection-state=
established
add chain=input comment=“Accept to related connections” connection-state=
related
add chain=input comment=“Full access to SUPPORT address list”
src-address-list=support
# NOTE(review): with this disabled, the input chain falls through to accept
# for anything not explicitly dropped above.
add action=drop chain=input comment=“Drop anything else! # DO NOT ENABLE THIS
RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED” disabled=yes
# Chain ICMP accepts these types; any other ICMP type matches nothing here,
# returns to the calling chain and continues with the next rule there.
add chain=ICMP comment=“Echo reply” icmp-options=0:0 protocol=icmp
add chain=ICMP comment=“Time Exceeded” icmp-options=11:0 protocol=icmp
add chain=ICMP comment=“Destination unreachable” icmp-options=3:0-1 protocol=
icmp
add chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=jump chain=output comment=“Jump for icmp output” jump-target=ICMP
protocol=icmp
# Duplicate of the established/related accepts above; harmless.
add chain=input comment=L2TP connection-state=established,related
# VPN -> LAN: new connections from the pool subnet are accepted here and
# return traffic by the established,related rule. LAN -> VPN new connections
# have no explicit rule but are accepted anyway (no final drop in forward).
add chain=forward connection-state=established,related
add chain=forward comment=VPN src-address=192.168.150.0/24
# Disabled; in-interface= is empty in this export.
add chain=forward disabled=yes in-interface= out-interface=
“ether5 - Management”
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
# Disabled. dst-address=192.168.150.0 (and src-address below) carry no prefix
# length, so they appear to match only that single host — /24 was probably
# intended if these are ever enabled.
add chain=srcnat disabled=yes dst-address=192.168.150.0 src-address=
192.168.100.0/24
add chain=srcnat disabled=yes dst-address=192.168.100.0/24 src-address=
192.168.150.0
add action=masquerade chain=srcnat out-interface=WAN2
# Inbound port forwards, all disabled. dst-address=192.168.0.10 on the RDP
# rules suggests WAN1 itself sits behind an upstream NAT (gateway 192.168.0.1
# under /ip route). Exposing RDP (tcp/3389) directly to the internet is a
# well-known risk; keeping these disabled and using the VPN is the safer path.
add action=dst-nat chain=dstnat comment=“SSL VPN” disabled=yes dst-port=443
in-interface=WAN1 protocol=tcp to-addresses=172.16.30.6 to-ports=443
add action=dst-nat chain=dstnat comment=“RDP to Server” disabled=yes
dst-address=192.168.0.10 dst-port=3389 in-interface=WAN1 protocol=tcp
to-addresses=192.168.100.25 to-ports=3389
add action=dst-nat chain=dstnat comment=“RDP to Server” disabled=yes
dst-address=192.168.0.10 dst-port=3389 in-interface=WAN1 protocol=udp
to-addresses=192.168.100.25 to-ports=3389
add action=dst-nat chain=dstnat disabled=yes dst-port=4500 in-interface=WAN1
protocol=udp to-addresses=172.16.30.6 to-ports=4500
add action=dst-nat chain=dstnat disabled=yes dst-port=500 in-interface=WAN1
protocol=udp to-addresses=172.16.30.6 to-ports=500
# Road-warrior peer: any initiator (0.0.0.0/0) with the shared secret, policies
# generated per L2TP client (generate-policy=port-override). 3DES again — see
# the proposal note above.
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=3des exchange-mode=main-l2tp
generate-policy=port-override secret=********
# PROVIDER1 preferred (distance 1); the netwatch scripts below swap the
# distances on failover. The /32 route pins the probe target to PROVIDER1.
/ip route
add comment=PROVIDER1 distance=1 gateway=192.168.0.1 scope=11
add comment=PROVIDER2 distance=10 gateway=192.168.1.1
add comment=“Force test pings through PROVIDER1” distance=1 dst-address=
4.2.2.4/32 gateway=192.168.0.1
# src-address here is each upstream gateway address. Tables Prov1/Prov2 are
# referenced, but no routes in those tables appear in this export — confirm.
/ip route rule
add action=lookup-only-in-table dst-address=0.0.0.0/0 routing-mark=Prov1_r
src-address=192.168.0.1/32 table=Prov1
add dst-address=0.0.0.0/0 src-address=192.168.0.1/32 table=Prov1
add action=lookup-only-in-table dst-address=0.0.0.0/0 routing-mark=Prov2_r
src-address=192.168.1.1/32 table=Prov2
add dst-address=0.0.0.0/0 src-address=192.168.1.1/32 table=Prov2
/lcd
set backlight-timeout=5m default-screen=interfaces read-only-mode=yes
touch-screen=disabled
/lcd interface
set sfp1 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
# Single VPN user; password masked by the export.
/ppp secret
add name=gary password=******** profile=“L2TP IN Profile”
/system clock
set time-zone-name=Europe/London
/system identity
set name=********
/system logging
add topics=l2tp,pptp
/system routerboard settings
set protected-routerboot=disabled
# Credentials masked by the export (hide-sensitive) — keep it that way when
# sharing. The SMTP server is hard-coded as an IP rather than a hostname.
/tool e-mail
set address=74.125.195.108 from=gary********@gmail.com password=******** port=
587 start-tls=yes user=gary********@gmail.com
# NOTE(review): every up/down transition of the 4.2.2.4 probe (5s interval,
# 2s timeout) swaps the route distances and flushes the whole connection
# table for udp, tcp and icmp. A flapping probe would therefore also tear down
# the L2TP/IPsec session and any in-flight pings — worth correlating the
# l2tp/pptp log with the reported 93% loss before blaming the filter rules.
/tool netwatch
add comment=CheckCon down-script=“/ip route set [find comment="PROVIDER1"] d
istance=10 disabled=no\r
\n/ip route set [find comment="PROVIDER2"] distance=1 disabled=no\r
\n/tool e-mail send to="gary********@gmail.com" body="ZEN connection D
own, WAN changed to VIRGIN" subject="ZEN Connection Down"\r
\n/ip firewall connection remove [/ip firewall connection find protocol="
udp"]\r
\n/ip firewall connection remove [/ip firewall connection find protocol="
tcp"]\r
\n/ip firewall connection remove [/ip firewall connection find protocol="
icmp"]” host=4.2.2.4 interval=5s timeout=2s up-script=“/ip route set [fin
d comment="PROVIDER1"] distance=1 disabled=no\r
\n/ip route set [find comment="PROVIDER2"] distance=10 disabled=no\r
\n/tool e-mail send to="gary********@gmail.com" body="ZEN Connection r
estored, WAN changed to ZEN" subject="ZEN Connection Restore
d"\r
\n/ip firewall connection remove [/ip firewall connection find protocol="
udp"]\r
\n/ip firewall connection remove [/ip firewall connection find protocol="
tcp"]\r
\n/ip firewall connection remove [/ip firewall connection find protocol="
icmp"]”

Hi,

Just a few questions and an idea.

a. Did you try with those ICMP firewall rules disabled (since you said that there are some replies from the management LAN device)?
b. In /ppp profile you defined local-address as “192.168.150.1”, but which interface/bridge has this address defined?

You could give a try to following:

1. add a bridge for VPN

/interface bridge
# arp=proxy-arp makes the router answer ARP on the bridge on behalf of hosts
# reachable through it — presumably so LAN hosts can resolve VPN clients
# that sit on PPP links rather than on the bridge itself; confirm.
add arp=proxy-arp name=bridge-VPN

2. add ether5, Management LAN port to VPN bridge

/interface bridge port
# Making ether5 a bridge slave moves the port under the bridge; the address
# and DHCP server bound directly to “ether5 - Management” in the posted config
# then stop working on the port — the follow-up post reports exactly that.
# Note the port was renamed to “ether5 - Management” in that config, so
# interface=ether5 would need the renamed value.
add bridge=bridge-VPN interface=ether5

3. make bridge-VPN default gateway for VPN pool 192.168.150.2-25

/ip address
# Gives the router an address on the bridge that matches the ppp profile's
# local-address (answering question b above).
add address=192.168.150.1/24 interface=bridge-VPN network=192.168.150.0

4. change vpn ppp profile by including bridge created

/ppp profile
# NOTE(review): a profile named "L2TP IN Profile" already exists in the posted
# config; `add` with the same name will most likely be refused. Changing the
# existing one with `set "L2TP IN Profile" bridge=bridge-VPN` avoids that.
add bridge=bridge-VPN change-tcp-mss=yes dns-server=8.8.8.8 local-address=192.168.150.1 name=\
"L2TP IN Profile" remote-address=VPN use-compression=no use-encryption=\
yes use-mpls=no

5. Accept ping from VPN connections

/ip firewall filter
# Appended at the end of the input chain. This only covers pings addressed to
# the router itself; pings from a VPN client to the LAN server traverse the
# forward chain, not input. With the posted ruleset's final input drop
# disabled, its main value is the log line (log-prefix=ping) confirming that
# echo requests actually arrive over the tunnel.
add action=accept chain=input comment="Accept ping from VPN" in-interface=all-ppp log=yes log-prefix=ping protocol=icmp

Hope it helps.

kind regards,

Hi, thanks for the detailed response.

I’ve applied the settings suggested and unfortunately I’m still having problems. I can establish a VPN but I still can’t communicate with the server connected to ether5 once the VPN is established.

Now that the ether5 - Management interface has been added to the VPN Bridge, the DHCP on that interface has stopped working and is highlighted in red. The server connected to that interface loses its IP address.

Should I only have the ether5 interface in the VPN Bridge?

It looks as if I’ve now solved this. I set a static IP on the Server and then disabled the Management DHCP Server. I also put the VPN IP Pool and the Management IP Pool in the same range (Management LAN: 192.168.100.1-25 VPN: 192.168.100.26-50)

Everything seems to be ok at the moment but probably needs some thorough testing before I can be certain.