 
mhoswa
just joined
Topic Author
Posts: 9
Joined: Sat Dec 14, 2013 10:46 am

MT VPN L2TP and IPSec - cannot ping remote LAN and vice versa

Sat Dec 14, 2013 11:06 am

Hi there

I am fairly new to MT, but am learning fast.
I have an RB750 (server) and an RB951-2n (client) where an L2TP / IPSec tunnel has been configured and is working. Both MTs have dynamic public IPs; I am running a DynDNS update script to map the dynamic IP address to a DynDNS hostname.
Both sides have internet access.
No firewall rules have been configured.
I can ping the L2TP tunnel address from either side and the connection is established.
Every MT has an EoIP dial-up interface to the ISP; every MT is connected to a Tenda ADSL router which is in bridged mode.

However, I cannot ping from server LAN to client LAN and vice versa.

What am I overlooking, or why can't I get LAN-to-LAN connectivity?

Any help is much appreciated.
 
aaronhun22
Frequent Visitor
Posts: 97
Joined: Fri Nov 15, 2013 2:15 am
Location: Las Vegas, Nevada, USA

Re: MT VPN L2TP and IPSec - cannot ping remote LAN and vice

Tue Dec 17, 2013 2:48 am

Do you have static routes setup? Try pinging from the router to the LAN server.
 
THG
Member
Posts: 472
Joined: Thu Oct 15, 2009 1:05 am

Re: MT VPN L2TP and IPSec - cannot ping remote LAN and vice

Tue Dec 17, 2013 3:47 am

What am I overlooking or why cannot I get LAN to LAN connectivity?
If both sites are behind NAT, then you need a bypass rule for your remote network.

Change "local network" and "remote network" to your sites' actual IP networks.

Site 1

ros code

/ip firewall nat
add chain=srcnat action=accept  place-before=0 \
 src-address="local network" dst-address="remote network"
Site 2

ros code

/ip firewall nat
add chain=srcnat action=accept  place-before=0 \
 src-address="local network" dst-address="remote network"
 
efaden
Forum Guru
Posts: 1708
Joined: Sat Mar 30, 2013 1:55 am
Location: New York, USA

Re: MT VPN L2TP and IPSec - cannot ping remote LAN and vice

Tue Dec 17, 2013 4:09 am

Post your export.

Sent from my SCH-I545 using Tapatalk
 
mhoswa
just joined
Topic Author
Posts: 9
Joined: Sat Dec 14, 2013 10:46 am

Re: MT VPN L2TP and IPSec - cannot ping remote LAN and vice

Fri Dec 20, 2013 3:40 pm

Do you have static routes setup? Try pinging from the router to the LAN server.
I can ping from MT router to the remote LAN, I receive a reply when I ping from ANY or the L2TP interface.
 
mhoswa
just joined
Topic Author
Posts: 9
Joined: Sat Dec 14, 2013 10:46 am

Re: MT VPN L2TP and IPSec - cannot ping remote LAN and vice

Fri Dec 20, 2013 4:12 pm

Post your export.

Sent from my SCH-I545 using Tapatalk
Hi there

Thank you for the reply.

I have exported /ip firewall nat, /interface and /ip address for both routers.

First, the server-side router's export.

# IP addresses Server side

# dec/20/2013 15:54:06 by RouterOS 4.11
# software id = WSN9-LLT5
#
/ip address
add address=10.0.1.4/24 broadcast=10.0.1.255 comment="" disabled=no \
interface=ether1 network=10.0.1.0
add address=192.168.0.1/24 broadcast=192.168.0.255 comment="" disabled=no \
interface=LAN network=192.168.0.0


# Interfaces server side

# dec/20/2013 15:52:59 by RouterOS 4.11
# software id = WSN9-LLT5
#
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
l2mtu=1526 mac-address=00:0C:42:87:34:63 mtu=1500 name=ether1 speed=\
100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:87:34:64 \
master-port=none mtu=1500 name=LAN speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:87:34:65 \
master-port=LAN mtu=1500 name=ether3-local-slave speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:87:34:66 \
master-port=LAN mtu=1500 name=ether4-local-slave speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:87:34:67 \
master-port=LAN mtu=1500 name=ether5-local-slave speed=100Mbps
/interface pptp-client
add add-default-route=no allow=mschap2 comment="" connect-to=196.44.151.8 \
dial-on-demand=no disabled=no max-mru=1460 max-mtu=1460 mrru=disabled \
name=pptp-out1 password=Emotion123 profile=default-encryption user=nxit
/interface l2tp-server
add comment="" disabled=no name=l2tpuser user=l2tpuser
add comment="" disabled=no name=l2tpuser2 user=l2tpuser2
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 comment=\
"" dial-on-demand=no disabled=no interface=ether1 max-mru=1480 max-mtu=\
1480 mrru=disabled name=pppoe-out1 password=MHOSOL profile=default \
service-name="" use-peer-dns=yes user=a61232825@adsl.telecom.na
/interface ethernet switch
set switch1 mirror-source=none mirror-target=none name=switch1
/interface wireless security-profiles
set default authentication-types="" eap-methods=passthrough group-ciphers="" \
group-key-update=5m interim-update=0s management-protection=disabled \
mode=none name=default radius-eap-accounting=no radius-mac-accounting=no \
radius-mac-authentication=no radius-mac-caching=disabled \
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-sta-private-algo=none static-transmit-key=key-0 \
supplicant-identity=MikroTik tls-certificate=none tls-mode=\
no-certificates unicast-ciphers=""
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
no
/interface ethernet switch port
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
set (unknown) vlan-header=leave-as-is vlan-mode=fallback
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
default-encryption enabled=yes max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
default enabled=no keepalive-timeout=60 mac-address=FE:26:35:02:C9:83 \
max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no

# NAT Server side

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no src-address=\
192.168.0.0/24
add action=accept chain=srcnat comment="" disabled=no dst-address=\
192.168.2.0/24 src-address=192.168.0.0/24

Now the client-side router's export.

# Remote / client side NAT
# dec/20/2013 15:55:10 by RouterOS 5.26
# software id = DB5B-R5RR
#
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
yes src-address=192.168.2.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1 \
to-addresses=0.0.0.0
add action=accept chain=srcnat disabled=no dst-address=192.168.0.0/24 \
src-address=192.168.2.0/24

# IP addresses remote / client side
# dec/20/2013 15:50:08 by RouterOS 5.26
# software id = DB5B-R5RR
# IP address on ether 5 not used
/ip address
add address=192.168.100.3/24 disabled=no interface=ether5-slave-local \
network=192.168.100.0
add address=192.168.2.1/24 disabled=no interface=wlan1 network=192.168.2.0

# Interfaces remote / client side
# dec/20/2013 15:51:23 by RouterOS 5.26
# software id = DB5B-R5RR
#
/interface bridge
add admin-mac=D4:CA:6D:B6:E0:55 ageing-time=5m arp=enabled auto-mac=no \
disabled=no forward-delay=15s l2mtu=1598 max-message-age=20s mtu=1500 \
name=bridge-local priority=0x8000 protocol-mode=rstp transmit-hold-count=\
6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes disabled=no full-duplex=yes l2mtu=1600 \
mac-address=D4:CA:6D:B6:E0:54 mtu=1500 name=ether1-gateway speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:B6:E0:55 \
master-port=none mtu=1500 name=ether2-master-local speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:B6:E0:56 \
master-port=ether2-master-local mtu=1500 name=ether3-slave-local speed=\
100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:B6:E0:57 \
master-port=ether2-master-local mtu=1500 name=ether4-slave-local speed=\
100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited \
disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:B6:E0:58 \
master-port=ether2-master-local mtu=1500 name=ether5-slave-local speed=\
100Mbps
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 \
dial-on-demand=no disabled=no interface=ether1-gateway max-mru=1480 \
max-mtu=1480 mrru=disabled name=pppoe-out1 password=mhosol profile=\
default service-name="" use-peer-dns=yes user=a61226850@adsl.telecom.na
/interface l2tp-client
add add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=\
41.182.68.57 dial-on-demand=no disabled=no max-mru=1460 max-mtu=1460 \
mrru=disabled name=l2tp-out1 password=M@chu1207 profile=\
default-encryption user=l2tpuser2
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
management-protection=disabled mode=dynamic-keys name=default \
radius-eap-accounting=no radius-mac-accounting=no \
radius-mac-authentication=no radius-mac-caching=disabled \
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-sta-private-algo=none static-transmit-key=key-0 \
supplicant-identity=MikroTik tls-certificate=none tls-mode=\
no-certificates unicast-ciphers=aes-ccm
/interface wireless
set 0 adaptive-noise-immunity=none allow-sharedkey=no antenna-gain=0 area="" \
arp=enabled band=2ghz-b/g/n basic-rates-a/g=6Mbps basic-rates-b=1Mbps \
bridge-mode=disabled channel-width=20/40mhz-ht-above compression=no \
country=no_country_set default-ap-tx-limit=0 default-authentication=yes \
default-client-tx-limit=0 default-forwarding=yes dfs-mode=none \
disable-running-check=no disabled=no disconnect-timeout=3s distance=\
indoors frame-lifetime=0 frequency=2412 frequency-mode=manual-txpower \
frequency-offset=0 hide-ssid=no ht-ampdu-priorities=0 ht-amsdu-limit=8192 \
ht-amsdu-threshold=8192 ht-basic-mcs=\
mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-guard-interval=any \
ht-rxchains=0 ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,\
mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-17,\
mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23" ht-txchains=0 \
hw-fragmentation-threshold=disabled hw-protection-mode=none \
hw-protection-threshold=0 hw-retries=7 l2mtu=2290 mac-address=\
D4:CA:6D:B6:E0:59 max-station-count=2007 mode=ap-bridge mtu=1500 \
multicast-helper=default name=wlan1 noise-floor-threshold=default \
nv2-cell-radius=30 nv2-noise-floor-offset=default nv2-qos=default \
nv2-queue-count=2 nv2-security=disabled on-fail-retry-time=100ms \
periodic-calibration=default periodic-calibration-interval=60 \
preamble-mode=both proprietary-extensions=post-2.9.25 radio-name=\
D4CA6DB6E059 rate-selection=advanced rate-set=default scan-list=default \
security-profile=default ssid=clumsy station-bridge-clone-mac=\
00:00:00:00:00:00 supported-rates-a/g=\
6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=\
1Mbps,2Mbps,5.5Mbps,11Mbps tdma-period-size=2 tx-power-mode=default \
update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=\
none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled \
wireless-protocol=any wmm-support=disabled
/interface wireless manual-tx-power-table
set wlan1 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9M\
bps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:\
17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,H\
T40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-\
7:17"
/interface wireless nstreme
set wlan1 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=\
3200 framer-policy=none
/interface bridge port
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
interface=ether2-master-local path-cost=10 point-to-point=auto priority=\
0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none \
interface=wlan1 path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
no
/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=fallback
set 1 vlan-header=leave-as-is vlan-mode=fallback
set 2 vlan-header=leave-as-is vlan-mode=fallback
set 3 vlan-header=leave-as-is vlan-mode=fallback
set 4 vlan-header=leave-as-is vlan-mode=fallback
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
default-encryption enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=\
1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
default enabled=no keepalive-timeout=60 mac-address=FE:6B:F1:3C:7C:64 \
max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=\
disabled port=443 verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
 
mhoswa
just joined
Topic Author
Posts: 9
Joined: Sat Dec 14, 2013 10:46 am

Re: MT VPN L2TP and IPSec - cannot ping remote LAN and vice

Fri Dec 20, 2013 4:28 pm

Do you have static routes setup? Try pinging from the router to the LAN server.
Yes

IP Route on server MT 750

[admin@Smurf8] > ip
[admin@Smurf8] /ip> routes
bad command name routes (line 1 column 1)
[admin@Smurf8] /ip> route
[admin@Smurf8] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 41.205.152.96 1
1 ADC 10.0.1.0/24 10.0.1.4 ether1 0
2 ADC 10.0.15.10/32 10.0.15.9 l2tpuser2 0
3 ADC 41.205.152.96/32 41.182.68.57 pppoe-out1 0
4 ADC 192.168.0.0/24 192.168.0.1 LAN 0
5 S 192.168.1.0/24 10.0.16.10 1
6 A S 192.168.2.0/24 10.0.15.10 1
7 ADC 192.168.10.150/32 192.168.10.149 pptp-out1 0
8 ADC 192.168.100.0/24 192.168.100.1 LAN 0
[admin@Smurf8] /ip route>

IP Route on client RB951-2n


[admin@Smurf10] > ip route
[admin@Smurf10] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 41.205.152.97 1
1 ADC 10.0.15.9/32 10.0.15.10 l2tp-out1 0
2 ADC 41.205.152.97/32 41.182.88.177 pppoe-out1 0
3 A S 192.168.0.0/24 10.0.15.9 1
4 ADC 192.168.2.0/24 192.168.2.1 bridge-local 0
5 ADC 192.168.100.0/24 192.168.100.3 bridge-local 0
[admin@Smurf10] /ip route>
 
THG
Member
Posts: 472
Joined: Thu Oct 15, 2009 1:05 am

Re: MT VPN L2TP and IPSec - cannot ping remote LAN and vice

Mon Dec 23, 2013 2:57 pm

Wrong order of your rules: NAT bypass rules must be placed before the masquerade rules.

Rearrange the following NAT rules and ensure that they are placed before all the other rules.

ros code

add action=accept chain=srcnat comment="" disabled=no dst-address=\
192.168.2.0/24 src-address=192.168.0.0/24

ros code

add action=accept chain=srcnat disabled=no dst-address=192.168.0.0/24 \
src-address=192.168.2.0/24
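The two answers above (the bypass rule with place-before=0 and the rule-ordering fix) both rest on the same behaviour: RouterOS walks the srcnat chain top to bottom and stops at the first matching rule. The script below is an added example, not from the thread or from MikroTik; it is a small first-match evaluator fed with the srcnat chains posted in the exports, and the LAN host addresses (192.168.0.10, 192.168.2.10) and the internet destination (203.0.113.5) are constructed test values.

```python
"""First-match evaluator for a RouterOS-style srcnat chain (added example)."""
import ipaddress


def _cidr_match(spec, addr):
    """A rule's src-/dst-address; None means the rule does not filter on it."""
    return spec is None or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


def srcnat_action(rules, src, dst, out_iface):
    """Return the action of the first enabled rule that matches, else 'no-nat'."""
    for rule in rules:
        if rule.get("disabled"):
            continue
        if not _cidr_match(rule.get("src-address"), src):
            continue
        if not _cidr_match(rule.get("dst-address"), dst):
            continue
        if rule.get("out-interface") not in (None, out_iface):
            continue
        return rule["action"]
    return "no-nat"


# Server-side chain in the order it was posted: masquerade first, bypass second.
SERVER_AS_POSTED = [
    {"action": "masquerade", "src-address": "192.168.0.0/24"},
    {"action": "accept", "src-address": "192.168.0.0/24",
     "dst-address": "192.168.2.0/24"},
]
# The same two rules with the bypass moved to the top (what place-before=0 does).
SERVER_REORDERED = list(reversed(SERVER_AS_POSTED))

# Client-side chain as posted: disabled masquerade, masquerade on pppoe-out1, bypass.
CLIENT_AS_POSTED = [
    {"action": "masquerade", "src-address": "192.168.2.0/24", "disabled": True},
    {"action": "masquerade", "out-interface": "pppoe-out1"},
    {"action": "accept", "src-address": "192.168.2.0/24",
     "dst-address": "192.168.0.0/24"},
]


def check_bypass(rules, lan_host, remote_host, tunnel_iface):
    """(action for a LAN-to-LAN packet via the tunnel, action for an internet packet)."""
    lan_to_lan = srcnat_action(rules, lan_host, remote_host, tunnel_iface)
    to_internet = srcnat_action(rules, lan_host, "203.0.113.5", "pppoe-out1")
    return lan_to_lan, to_internet


if __name__ == "__main__":
    print("server as posted:", check_bypass(SERVER_AS_POSTED, "192.168.0.10", "192.168.2.10", "l2tpuser2"))
    print("server reordered:", check_bypass(SERVER_REORDERED, "192.168.0.10", "192.168.2.10", "l2tpuser2"))
    print("client as posted:", check_bypass(CLIENT_AS_POSTED, "192.168.2.10", "192.168.0.10", "l2tp-out1"))
```

With the posted server order the LAN-to-LAN packet is masqueraded before the bypass rule is ever reached; after reordering it is accepted while internet-bound traffic is still masqueraded.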
 
payday
Member Candidate
Posts: 233
Joined: Thu Aug 16, 2012 11:05 pm

Re: MT VPN L2TP and IPSec - cannot ping remote LAN and vice

Mon Jan 06, 2014 11:21 pm

You have to set up proxy-arp on the local interface. Read this: http://wiki.mikrotik.com/wiki/Manual:In ... ote_Client
This part:
arp-proxy.jpg