win 7 can't connect to L2TP unless all ports open

Read about 50 threads and all the wikis on L2TP-ipsec VPN. I can get my win 7 starter PC to connect using the basic examples, but when I enable my last input rule, which drops everything that isn’t specifically allowed, it won’t connect.

I added input, output and forwarding chain rules to accept udp 500, 1701 and 4500, and ipsec-ah and ipsec-esp.

I ran packet sniffer on the public NIC with the drop rule disabled to see if I could figure out what packets / protocols I block that prevents win 7 from connecting, but all I see are the ports and protocols I already have opened.
I’m using a routerboard 133 with 5.4, the PC is on a broadband card with a public IP, no NAT.

Once I’m connected I can re-enable the drop rule in the input chain and remain connected to the LAN.

Is the GRE Protocol 47 open?

I do have GRE open, I had been using PPTP and wanted to move up to something more secure for public Wifi use.


/ip firewall filter
add action=drop chain=input comment="drop invalid packets" connection-state=invalid disabled=no
add action=accept chain=input comment="established connections" connection-state=established disabled=no
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no
add action=log chain=input comment="log invalid" connection-state=invalid disabled=no log-prefix="INVALID **"
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
add action=jump chain=input comment="virus check" disabled=no jump-target=virus
add action=accept chain=forward comment="allow established connections" connection-state=established disabled=yes
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=yes
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no
add action=jump chain=forward comment="jump to the virus chain" disabled=no jump-target=virus
add action=drop chain=input comment=ssh disabled=no dst-port=22 protocol=tcp
add action=drop chain=input comment=ssh disabled=no dst-port=22 protocol=udp
add action=accept chain=input comment="From private LAN" disabled=no src-address=192.168.1.0/24
add action=accept chain=input disabled=yes src-address-list=safe
add action=accept chain=input comment="pp2p tunnel" disabled=no protocol=gre
add action=accept chain=input comment="pp2p tunnel" disabled=no dst-port=1723 protocol=tcp
add action=drop chain=input comment="drop pings" disabled=yes limit=1/1m,1 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=yes protocol=icmp
add action=drop chain=input comment="detect and drop port scan connections" disabled=yes protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 disabled=yes protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 disabled=yes protocol=tcp
add action=jump chain=input comment="jump to chain ICMP" disabled=no jump-target=ICMP protocol=icmp
add action=jump chain=input comment="jump to chain services" disabled=yes jump-target=services
add action=accept chain=input comment="Allow Broadcast Traffic" disabled=no dst-address-type=broadcast
add action=accept chain=input comment=ntp connection-type="" disabled=no protocol=udp src-port=123
add action=accept chain=input comment=DNS connection-type="" disabled=no protocol=tcp src-port=53
add action=accept chain=input comment=l2tp connection-type="" disabled=no dst-port=500 protocol=udp
add action=accept chain=input comment=l2tp connection-type="" disabled=no dst-port=4500 protocol=udp
add action=accept chain=input comment="l2tp tunnel" disabled=no protocol=ipsec-esp
add action=accept chain=input comment="l2tp tunnel" disabled=no dst-port=1701 protocol=udp
add action=accept chain=ICMP disabled=no src-address=66.220.2.74
add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
add action=accept chain=forward comment="allow ping" disabled=no protocol=icmp
add action=accept chain=forward comment="allow udp" disabled=no protocol=udp
add action=drop chain=forward comment="drop everything else" disabled=yes
add action=accept chain=forward comment="pp2p tunnel" disabled=no protocol=gre
add action=accept chain=forward comment="pp2p tunnel" disabled=no dst-port=1723 protocol=tcp
add action=passthrough chain=output disabled=no protocol=gre
add action=passthrough chain=output disabled=no dst-port=1723 protocol=tcp
add action=accept chain=output disabled=no protocol=ipsec-esp
add action=accept chain=forward comment="l2tp tunnel" disabled=no dst-port=500 protocol=udp
add action=accept chain=forward comment="l2tp tunnel" disabled=no dst-port=4500 protocol=udp
add action=log chain=input disabled=no ipv4-options=strict-source-routing log-prefix="input rule 60"
add action=accept chain=input comment="l2tp tunnel" disabled=no protocol=ipsec-ah
add action=drop chain=input comment="Drop everything else" disabled=no
add action=accept chain=forward comment="pp2p tunnel" disabled=no protocol=ipsec-esp
add action=accept chain=output disabled=no dst-port=500 protocol=udp
add action=accept chain=output disabled=no dst-port=4500 protocol=udp
add action=accept chain=forward comment="pp2p tunnel" disabled=no dst-port=1701 protocol=udp
add action=accept chain=forward comment="pp2p tunnel" disabled=no protocol=ipsec-ah
add action=accept chain=output disabled=no protocol=ipsec-ah
add action=accept chain=output disabled=no dst-port=1701 protocol=udp
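Because a catch-all drop only breaks a VPN when a needed accept rule is missing, disabled, or placed after the drop, it helps to check those three things mechanically. The Python helper below is an added example for this thread, not part of the post and not MikroTik code: it parses a filter export in the form shown above (including the backslash-wrapped lines a real export uses), then reports, per chain, whether the accepts an L2TP/IPsec client needs (udp/500, udp/4500, udp/1701 and ESP; AH is left out of the required set) are enabled and sit before the first enabled catch-all drop. The embedded export text is a constructed sample modelled on the listing, with two deliberate faults, and the rule names in the REQUIRED table are this example's own choices.

```python
"""Audit a RouterOS "/ip firewall filter" export for the rules L2TP/IPsec needs.

Added example for this thread, not MikroTik code. It parses the export text,
then checks that the input chain accepts IKE (udp/500), NAT-T (udp/4500),
L2TP (udp/1701) and ESP, that each of those rules is enabled, and that each
sits before the first enabled catch-all drop, since a rule placed after
"drop everything else" is never reached.
"""
import shlex

# Traffic the router itself must accept (input chain) for an L2TP/IPsec client.
# Names and table are this example's own, not a RouterOS construct.
REQUIRED = {
    "udp/500 (IKE)": {"protocol": "udp", "dst-port": "500"},
    "udp/4500 (NAT-T)": {"protocol": "udp", "dst-port": "4500"},
    "udp/1701 (L2TP)": {"protocol": "udp", "dst-port": "1701"},
    "ipsec-esp": {"protocol": "ipsec-esp"},
}

# Keys that do not narrow what a rule matches; a drop with only these is a catch-all.
NON_MATCHER_KEYS = {"action", "chain", "comment", "disabled", "log-prefix"}


def _logical_lines(text):
    """Yield one line per rule; exports wrap long rules with a trailing backslash."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if buf:
            line = buf + line.lstrip()   # continuation: no space is inserted
            buf = ""
        if line.endswith("\\"):
            buf = line[:-1]
            continue
        yield line
    if buf:
        yield buf


def parse_export(text):
    """Return each 'add ...' rule as a dict of key -> value (quotes removed)."""
    rules = []
    for line in _logical_lines(text):
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[4:]):   # shlex strips the "..." around values
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def is_enabled(rule):
    return rule.get("disabled", "no") != "yes"


def is_catch_all_drop(rule):
    return rule.get("action") == "drop" and not (set(rule) - NON_MATCHER_KEYS)


def audit_chain(rules, chain="input"):
    """Map each required rule to 'ok', 'missing', 'disabled' or 'after catch-all drop'."""
    chain_rules = [r for r in rules if r.get("chain") == chain]
    # Index of the first enabled catch-all drop; rules after it are dead.
    drop_at = next((i for i, r in enumerate(chain_rules)
                    if is_enabled(r) and is_catch_all_drop(r)), len(chain_rules))
    findings = {}
    for name, wanted in REQUIRED.items():
        hits = [i for i, r in enumerate(chain_rules)
                if r.get("action") == "accept"
                and all(r.get(k) == v for k, v in wanted.items())]
        live = [i for i in hits if is_enabled(chain_rules[i])]
        if not hits:
            findings[name] = "missing"
        elif not live:
            findings[name] = "disabled"
        elif min(live) > drop_at:
            findings[name] = "after catch-all drop"
        else:
            findings[name] = "ok"
    return findings


# Constructed sample in RouterOS export style (not the export from the thread):
# ESP is disabled and udp/1701 sits after the final drop, so both should be flagged.
SAMPLE_EXPORT = r"""/ip firewall filter
add action=accept chain=input comment="established connections" \
    connection-state=established disabled=no
add action=accept chain=input comment=l2tp connection-type="" disabled=no dst-port=500 protocol=udp
add action=accept chain=input comment=l2tp disabled=no dst-port=4500 protocol=udp
add action=accept chain=input comment="l2tp tunnel" disabled=yes protocol=ipsec-esp
add action=accept chain=input comment=\
    "l2tp tunnel" disabled=no protocol=ipsec-ah
add action=drop chain=input comment="Drop everything else" disabled=no
add action=accept chain=input comment="l2tp tunnel" disabled=no dst-port=1701 protocol=udp
add action=accept chain=forward comment="allow udp" disabled=no protocol=udp
"""

if __name__ == "__main__":
    for name, verdict in audit_chain(parse_export(SAMPLE_EXPORT)).items():
        print(f"{name:18} {verdict}")
```

Paste the output of `/ip firewall filter export` in place of SAMPLE_EXPORT to run it against a live router; the check only looks at rule order within a chain, so the output chain (which has no terminal drop in the listing above) will simply report every rule as "ok" or "missing".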

I can’t see what’s wrong in that list, but you could add some firewall rules to log everything; maybe that would point to something the packet sniffer doesn’t.

/ip firewall filter
add action=log chain=forward comment="" disabled=no log-prefix=forward:
add action=log chain=input comment="" disabled=no log-prefix=input:
add action=log chain=output comment="" disabled=no log-prefix=output:

I disabled the pptp interface and changed the ‘Type of VPN’ setting in the client to auto from L2TP and it’s working.