Why do I need to masquerade traffic from LAN exiting through VPN client interface?

Hi,

I have 2 Mikrotik routers in 2 different homes in different countries. I set up an L2TP/IPsec client interface from router 1 to router 2 and I also added an IP route to that interface for the LAN subnet of router 2. Using the RouterOS ping tool I can ping router 2 from router 1. I can also ping machines in the LAN behind router 2.

However, I cannot ping machines in the LAN behind router 2 from a machine in the LAN behind router 1 unless I masquerade traffic on router 1 leaving on the l2tp interface.

For the life of me I don’t understand why this is required. I tried adding “accept everything” rules at the top of the input / forward chains of the router 2 firewall and it still doesn’t work. If I use Torch on the l2tp server binding interface on router 2, I see the ICMP packets coming from router 1 with the correct destination IP (say 192.168.88.10) and a source IP from the router 1 LAN (say 192.168.1.155), but where are they getting dropped? If I do the masquerading on router 1, Torch shows the destination IP unchanged of course, but the source IP being from the VPN subnet (say 172.16.88.100), and it now works…

PS: Subnets are:

  • router 1 LAN: 192.168.1.0/24
  • router 2 LAN: 192.168.88.0/24
  • router 2 VPN: 172.16.88.0/24

Thanks in advance for the help!
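As an added example (not part of the original post), the Python model below reproduces the forwarding decision on both routers with a plain longest-prefix-match lookup, using the subnets and sample addresses from the post. It assumes the interface names (`wan1`, `lan1`, `l2tp-out`, `wan2`, `lan2`, `l2tp-in`) and, as the hypothesis it tests, that router 2 carries a route for the VPN subnet but no route back to 192.168.1.0/24. Under that assumption it shows why a ping sourced from router 1's own VPN address gets a reply while one sourced from the router 1 LAN does not, and why masquerading to a VPN address on router 1 (or adding a return route on router 2) makes the reply come back over the tunnel.

```python
import ipaddress

# Routing tables as (prefix, egress interface) pairs; constructed for this example.
ROUTER1 = [
    ("0.0.0.0/0", "wan1"),          # default route to the internet
    ("192.168.1.0/24", "lan1"),     # router 1 LAN (connected)
    ("172.16.88.0/24", "l2tp-out"), # VPN subnet reachable via the L2TP client interface
    ("192.168.88.0/24", "l2tp-out"),# static route the poster added for router 2's LAN
]
# Assumption under test: router 2 has no route for 192.168.1.0/24.
ROUTER2_NO_RETURN = [
    ("0.0.0.0/0", "wan2"),
    ("192.168.88.0/24", "lan2"),
    ("172.16.88.0/24", "l2tp-in"),  # L2TP server binding for router 1
]
# The same table with the return route that would be added on router 2.
ROUTER2_WITH_RETURN = ROUTER2_NO_RETURN + [("192.168.1.0/24", "l2tp-in")]


def lookup(table, dst):
    """Longest-prefix-match route lookup; returns the egress interface or None."""
    dst = ipaddress.ip_address(dst)
    best_net, best_if = None, None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_if = net, iface
    return best_if


def echo_round_trip(r1, r2, src, dst, masquerade_src=None):
    """Trace an ICMP echo from src (behind router 1) to dst (behind router 2).

    masquerade_src is the address src-nat rewrites the source to on router 1's
    tunnel interface (None = no NAT).  Returns (status, interface) where the
    interface is the one the reply would leave router 2 on.
    """
    # Router 1 forwards the request based on the destination.
    req_if = lookup(r1, dst)
    if req_if != "l2tp-out":
        return ("request-misrouted", req_if)
    # The host behind router 2 replies to whatever source it saw on the wire.
    wire_src = masquerade_src or src
    # Router 2 forwards the reply based on that source address.
    reply_if = lookup(r2, wire_src)
    if reply_if != "l2tp-in":
        return ("reply-misrouted", reply_if)
    return ("ok", reply_if)


if __name__ == "__main__":
    print("router-originated ping:",
          echo_round_trip(ROUTER1, ROUTER2_NO_RETURN, "172.16.88.100", "192.168.88.10"))
    print("LAN ping, no NAT:",
          echo_round_trip(ROUTER1, ROUTER2_NO_RETURN, "192.168.1.155", "192.168.88.10"))
    print("LAN ping, masqueraded:",
          echo_round_trip(ROUTER1, ROUTER2_NO_RETURN, "192.168.1.155", "192.168.88.10",
                          masquerade_src="172.16.88.100"))
    print("LAN ping, return route on router 2:",
          echo_round_trip(ROUTER1, ROUTER2_WITH_RETURN, "192.168.1.155", "192.168.88.10"))
```

The model only decides which interface each packet leaves on; it does not simulate firewall chains, which is consistent with the observation that "accept everything" rules on router 2 made no difference. In the no-return-route case the reply matches nothing more specific than the default route and heads out `wan2`, which is where Torch on the tunnel interface would stop seeing it.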