VPN SERVER with L2 Vlan...

Jimmy · November 5, 2019, 12:39pm

Hello everyone
I have a challenge that I have to give up a bit.
I have a CCR 1036 I need to be a VPN Server.
This is a bit spechael as I have to hit more L2 Vlan.

Domain Vlan (VLAN3) SSPT SERVER with radius and all ..
DISP1Net (VLAN 17) L2TP VPN setup with profile user in the router.
DISP2Net (VLAN 40) also L2TP and if it can then PPTP VPN setup with profile user in the router.

I have my VLAN config:
/ interface vlan
add name = vlan3-sfp1 interface = sfp1 vlan-id = 3
add name = vlan17-sfp1 interface = sfp1 vlan-id = 17
add name = vlan40-sfp1 interface = sfp1 vlan-id = 40

add name = vlan3-sfp2 interface = sfp2 vlan-id = 3
add name = vlan17-sfp2 interface = sfp2 vlan-id = 17
add name = vlan40-sfp2 interface = sfp2 vlan-id = 40
add name = vlan999-sfp2 interface = sfp2 vlan-id = 999

add name = vlan3-sfp3 interface = sfp3 vlan-id = 3
add name = vlan17-sfp3 interface = sfp3 vlan-id = 17
add name = vlan40-sfp3 interface = sfp3 vlan-id = 40
add name = vlan999-sfp3 interface = sfp3 vlan-id = 999

add name = vlan3-sfp4 interface = sfp4 vlan-id = 3
add name = vlan17-sfp4 interface = sfp4 vlan-id = 17
add name = vlan40-sfp4 interface = sfp4 vlan-id = 40
add name = vlan999-sfp4 interface = sfp4 vlan-id = 999

/ interface brige
add name = bridge-vlan3
add name = bridge-vlan17
add name = bridge-vlan40
add name = bridge-vlan999

/ interface bridge port
add bridge = bridge-vlan3 interface = vlan3-sfp1
add bridge = bridge-vlan3 interface = vlan3-sfp2
add bridge = bridge-vlan3 interface = vlan3-sfp3
add bridge = bridge-vlan3 interface = vlan3-sfp4
add bridge = bridge-vlan3 interface = ether2
add bridge = bridge-vlan3 interface = ether3
add bridge = bridge-vlan3 interface = ether4
add bridge = bridge-vlan3 interface = ether5
add bridge = bridge-vlan17 interface = vlan17-sfp1
add bridge = bridge-vlan17 interface = vlan17-sfp2
add bridge = bridge-vlan17 interface = vlan17-sfp3
add bridge = bridge-vlan17 interface = vlan17-sfp4
add bridge = bridge-vlan17 interface = ether12
add bridge = bridge-vlan40 interface = vlan40-sfp1
add bridge = bridge-vlan40 interface = vlan40-sfp2
add bridge = bridge-vlan40 interface = vlan40-sfp3
add bridge = bridge-vlan40 interface = vlan40-sfp4
add bridge = bridge-vlan40 interface = ether6
add bridge = bridge-vlan40 interface = ether7
add bridge = bridge-vlan40 interface = ether8
add bridge = bridge-vlan40 interface = ether9
add bridge = bridge-vlan40 interface = ether10
add bridge = bridge-vlan40 interface = ether11

Ether1 is my wan out on public ip. This is not my Gateway cuss I am running Cisco ASA as my default gateway.

I am running trunk to cisco switch and that is also why i have VLAN999 as i am using this as native vlan on cisco.

i have try to setup only sspt server with out vlan and only to my domain with no problem but i need more users in everly vlan.

I am stuk and hopping for help

Cheers
Jimmy

Jimmy · November 6, 2019, 2:02pm

Hi LewisH95
Yes i no about IEEE802… and my VLAN also work and all, but i need somthing there can tel me about how do i set this VPN server up?
I have no problem with setting up normal VPN server to my domain and all, but how do i set up so wend i login to another VLAN then my domain with user group in mikrotik and be sure to get the right VLAN?
som guid og code to start up maybe?
I am sure that mikrotik can do this or?

cheers
Jimmy

sindy · November 7, 2019, 10:35pm

LewisH95’s posts seem to me like preparing grounds (collecting karma) for some advertising or alike, throuh posting texts copied from the web which contain the keywords related to the topics but are not really relevant to what people ask.

So forget about SoftEther in Mikrotik context.

What is not clear from your post is whether you really need L2 transparency for some of the clients to the VLANs you have listed (i.e. to extend the L2 segment all the way to the client) or whether you, like many, use “VLAN” as a synonym to “IP subnet” because the best common practice is to have a dedicated VLAN for each IP subnet.

In the Mikrotik implementation, all PPP-based protocols (L2TP, SSTP, PPTP) support BCP, which means you can provide L2 transparency between the client and the server, but it’s unfortunately rarely the case for the clients. So there is no problem to extend L2 to another Mikrotik using one of those protocols, but there is no way to extend the L2 to e.g. a Windows embedded VPN client, neither using L2TP nor using SSTP.

So if you don’t mind that the SSTP and L2TP clients won’t get L2 transparency (i.e. won’t be able to send broadcast traffic to the VLANs), you can use L3 firewall rules to permit them access only to some subnets (which reside in particular VLANs so you can use out-interface=vlanX rather than dst-address=subnetX in the firewall rules).

Tik allows to set up up to one server for each PPP-based VPN protocol, so you cannot have two independent L2TP servers on the same Tik, but there is no need for two servers as the /ppp profile item attached to each /ppp secret representing the user account determines the behaviour of the connection (whether it supports L3 tunneling, L2 tunneling or both, to which interface list the virtual L3 interface will be added, to which bridge the virtual L2 interface will be added, to which address list the IP address assigned to the client will be added).

Although SSTP can do L2 tunneling, I’d not recommend it as it uses TCP as transport, which should be avoided for VPNs wherever possible. L2TP uses UDP as transport (so no TCP-in-TCP situation can happen) and PPTP uses GRE so it’s also fine from this point of view, however PPTP’s encryption is not considered safe since years so it should not be used except where better encryption is prohibited by law.