KitMikro
newbie
Topic Author
Posts: 43
Joined: Thu Apr 30, 2015 11:52 am

Working L2TP IPsec VPN but no Ping to computer?

Thu Feb 01, 2018 3:56 pm

Hi All,
I've been reading many topics today but none of them fixed my problem.
I have a working L2TP IPsec VPN connection.
I can connect to WebFig, and I can also connect to the web configuration of the printers and access points. I can also ping the router and access points, but I can't ping any of the computers in the network.

So I'm trying to ping 192.168.1.100. This is a Windows 10 computer with a static IP. After changing some firewall options I can successfully ping this computer from the local network. But I cannot when I'm connected from behind the VPN.

Now I suspect this is a Windows configuration problem, because I can access printers and access points without trouble.

Anybody any idea?
 
pacmen
newbie
Posts: 36
Joined: Wed Dec 13, 2017 6:55 pm

Re: Working L2TP IPsec VPN but no Ping to computer?

Thu Feb 01, 2018 7:45 pm

Hey,
First,
share with us your router firewall configuration.

Second,
are you able to send and receive pings from Windows 10 to Windows 10 on your LAN?

Third,
the Windows 10 firewall is trying to be an extensive one, and ICMP replies are disabled. For example: Windows 10 PC -> router will work, but router -> Windows 10 won't work.
Just for test purposes, please completely disable your Windows 10 firewall and try to ping from your VPN.
 
KitMikro
newbie
Topic Author
Posts: 43
Joined: Thu Apr 30, 2015 11:52 am

Re: Working L2TP IPsec VPN but no Ping to computer?

Thu Feb 01, 2018 9:44 pm

Thanks for your reply!
> are you able to send and receive pings from windows 10 to windows 10 on your LAN?
Yes I can if I allow so in the firewall
> please completely disable your windows 10 firewall
Yes I already did

Sorry for not posting my configuration earlier, I just had to leave my computer for a bit, have been staring at this for way too long.
# feb/01/2018 20:23:04 by RouterOS 6.40.4
# software id = WBEK-44BB
#
# model = CCR1009-8G-1S-1S+

/interface bridge
add arp=proxy-arp fast-forward=no name=bridge-LAN

/interface ethernet
set [ find default-name=ether1 ] name=ether1
set [ find default-name=ether8 ] arp=proxy-arp l2mtu=1598 name=ether8-gateway \
    speed=1Gbps

/ip neighbor discovery
set ether8-gateway discover=no

/interface vlan
add interface=ether8-gateway name=vlan8.6 vlan-id=6
/interface pppoe-client
add add-default-route=yes allow=pap,mschap2 disabled=no interface=vlan8.6 \
    keepalive-timeout=20 max-mru=1480 max-mtu=1480 name=pppoe password=*** \
    user=***

/ip neighbor discovery
set pppoe discover=no
set vlan8.6 discover=no

/ip ipsec proposal
add enc-algorithms=aes-256-cbc,3des name=L2TP-Proposal pfs-group=none

/ip pool
add name=VPN-Pool ranges=192.168.100.1-192.168.100.40
add name=pool-LAN ranges=192.168.1.30-192.168.1.200

/ip dhcp-server
add address-pool=pool-LAN disabled=no interface=bridge-LAN lease-time=16h name=\
    dhcp-LAN

/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=VPN-Pool name=\
    l2tp-profile remote-address=VPN-Pool

/routing bgp instance
set default disabled=yes

/interface bridge port
add bridge=bridge-LAN interface=ether1

/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile=l2tp-profile \
    enabled=yes ipsec-secret=*** max-mru=1460 max-mtu=1460 use-ipsec=yes

/interface pptp-server server
set authentication=mschap2 enabled=yes

/ip address
add address=192.168.1.1/24 interface=bridge-LAN network=192.168.1.0

/ip dhcp-client
add add-default-route=special-classless default-route-distance=254 \
    dhcp-options=option60-vendorclass,hostname,clientid disabled=no interface=\
    vlan8.4 use-peer-dns=no use-peer-ntp=no

/ip dhcp-server config
set store-leases-disk=15m

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 domain=kitmikro.lan \
    gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=\
    208.67.222.222,208.67.220.220

/ip firewall filter

add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment="Drop input   invalid connection packets" \
    connection-state=invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=accept chain=input comment="Allow related Established connections" \
    connection-state=established,related
add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
add action=reject chain=input in-interface=pppoe protocol=tcp reject-with=\
    icmp-port-unreachable
add action=reject chain=input in-interface=pppoe protocol=udp reject-with=\
    icmp-port-unreachable
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=pppoe
add action=accept chain=forward comment=\
    "Allow forward established,related connections" connection-state=\
    established,related,new
add action=drop chain=forward comment="All other forwards drop"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat out-interface=pppoe src-address=\
    192.168.100.0/24
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp1024 enc-algorithm=aes-256,3des \
    exchange-mode=main-l2tp generate-policy=port-override secret=***
/ip ipsec policy
set 0 proposal=L2TP-Proposal
add proposal=L2TP-Proposal template=yes
/ip traffic-flow
set cache-entries=4k interfaces=bridge-LAN
/ppp secret
add name=USER password=*** profile=l2tp-profile service=l2tp
 
pacmen
newbie
Posts: 36
Joined: Wed Dec 13, 2017 6:55 pm

Re: Working L2TP IPsec VPN but no Ping to computer?

Fri Feb 02, 2018 8:33 am

Can you please print the output of the following command:
 ip firewall filter print
It gives a better view of how the rules are listed.
 
KitMikro
newbie
Topic Author
Posts: 43
Joined: Thu Apr 30, 2015 11:52 am

Re: Working L2TP IPsec VPN but no Ping to computer?

Fri Feb 02, 2018 9:26 am

I've minimized my firewall already; I was thinking it's something with the route?
 
 0   ;;; accept 
      chain=input action=accept protocol=udp dst-port=500,1701,4500 log=no 
      log-prefix="" 

 1    chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 

 2    ;;; Drop input   invalid connection packets
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 3    ;;; Allow ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 4    ;;; Allow related Established connections
      chain=input action=accept connection-state=established,related log=no 
      log-prefix="" 

 5    ;;; Drop Invalid connections
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 6    chain=input action=reject reject-with=icmp-port-unreachable protocol=tcp 
      in-interface=pppoe log=no log-prefix="" 

 7    chain=input action=reject reject-with=icmp-port-unreachable protocol=udp 
      in-interface=pppoe log=no log-prefix="" 

 8    ;;; drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 9    ;;; default configuration
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface=pppoe log=no log-prefix="" 

10    ;;; Allow forward established,related connections
      chain=forward action=accept connection-state=established,related,new 
      log=no log-prefix="" 

11    ;;; All other forwards drop
      chain=forward action=drop log=no log-prefix="" 
     
 
pacmen
newbie
Posts: 36
Joined: Wed Dec 13, 2017 6:55 pm

Re: Working L2TP IPsec VPN but no Ping to computer?

Fri Feb 02, 2018 2:52 pm

Try to move rule 10 to the 2nd place, then try to ping from your VPN.
The firewall works like an instruction set, one rule after another, and the first match is the one that catches.

If you can, please share with us your MikroTik route list.
 
KitMikro
newbie
Topic Author
Posts: 43
Joined: Thu Apr 30, 2015 11:52 am

Re: Working L2TP IPsec VPN but no Ping to computer?

Fri Feb 02, 2018 5:02 pm

> try to locate rule 10 on the 2th place, then try to ping from your vpn.
> the firewall is work like instruction sets, one by one and the first match is the one that catches.
Nope still nothing.

you mean /ip route print?

I was thinking of adding to NAT:

chain=srcnat action=accept src-address=192.168.100.0/24
      dst-address=192.168.1.0/24 log=no log-prefix="" 

  chain=srcnat action=accept src-address=192.168.1.0/24 
      dst-address=192.168.100.0/24 log=no log-prefix="" 
  
I can see the traffic counter of the first rule going up when I ping, but still nothing.
 
tholderbaum
newbie
Posts: 38
Joined: Thu Jan 23, 2014 3:34 am
Location: Tampa, Florida

Re: Working L2TP IPsec VPN but no Ping to computer?

Fri Feb 02, 2018 10:11 pm

Add a rule on your forward chain that allows 192.168.100.0/24 to talk to 192.168.1.0/24 and place that at the top of the forward chain.
 
KitMikro
newbie
Topic Author
Posts: 43
Joined: Thu Apr 30, 2015 11:52 am

Re: Working L2TP IPsec VPN but no Ping to computer?

Thu Feb 15, 2018 10:11 am

> Add a rule on your forward chain that allows 192.168.100.0/24 to talk to 192.168.1.0/24 and place that at the top of the forward chain.
So I did, and now I see traffic counter going up when trying to connect to a VNC, but the connection times out. When trying to connect via the local network everything works just fine.

Any more suggestions?

Upon rereading the thread, I noticed I missed some rules in my export. These rules send the address list "location2BRIDGE" through a VPN. The computer I try to reach is on this list.

/ip firewall mangle print
 0    chain=prerouting action=mark-routing new-routing-mark=VPNbridge
      passthrough=yes src-address-list=location2BRIDGE
      dst-address-list=!NoMangleMark log=no log-prefix="MANGLE"
NoMangleMark list contains 192.168.1.0/24

/ip firewall nat print
  ;;; VPN bridge
      chain=srcnat action=masquerade src-address=192.168.1.0/24 
      out-interface=location2BRIDGE log=no log-prefix=""
When I tried to make a NAT rule to portforward to the specific computer, I still could not connect from the outside, because the computer's outgoing traffic is marked to go through the "location2BRIDGE" and not through PPPOE.
chain=dstnat action=dst-nat to-addresses=192.168.10.35 to-ports=5900 
      protocol=tcp dst-address=WAN-IP in-interface=pppoe packet-mark="" 
      dst-port=5900 log=yes log-prefix=""
So maybe this is related to the VPN problem.

I need the local computer to be able to reach the other network via VPN, but I also need this computer to be accessible from the outside, preferably also through a VPN.
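The first-match behaviour pacmen describes earlier and the mangle rule in the post above, as an added example that is not from the thread: a small Python model of the forward chain and the routing-mark rule exactly as printed, evaluated for a VPN client's ping and for the LAN computer's reply. The address-list contents, the dynamic L2TP interface name "l2tp-USER" and the client address 192.168.100.5 are assumptions, not values from the thread.

```python
# Added example (not from the thread): a small model of RouterOS first-match
# rule evaluation, applied to the forward chain and the mangle rule posted above.
from ipaddress import ip_address, ip_network

# Forward chain as printed (rules 8-11), reduced to the fields that matter here.
# A value starting with "!" is a negated match, as in connection-nat-state=!dstnat.
FORWARD = [
    {"conn": "invalid", "action": "drop"},
    {"conn": "new", "in_if": "pppoe", "nat": "!dstnat", "action": "drop"},
    {"conn": ("established", "related", "new"), "action": "accept"},
    {"action": "drop"},
]

def matches(rule, pkt):
    """True when every matcher in the rule agrees with the packet."""
    for key, want in rule.items():
        if key == "action":
            continue
        have = pkt.get(key)
        if isinstance(want, tuple):
            ok = have in want
        elif isinstance(want, str) and want.startswith("!"):
            ok = have != want[1:]
        else:
            ok = have == want
        if not ok:
            return False
    return True

def first_match(chain, pkt):
    """Walk the chain top to bottom; the first matching rule decides."""
    for index, rule in enumerate(chain):
        if matches(rule, pkt):
            return index, rule["action"]
    return None, "accept"  # no rule matched: the chain default is accept

# Constructed lists: the thread says NoMangleMark holds 192.168.1.0/24 and
# that the target computer (192.168.1.100) is on location2BRIDGE.
LOCATION2BRIDGE = ["192.168.1.100/32"]
NO_MANGLE_MARK = ["192.168.1.0/24"]

def in_list(addr, networks):
    return any(ip_address(addr) in ip_network(net) for net in networks)

def routing_mark(src, dst, exempt=NO_MANGLE_MARK):
    """Mirror of the single prerouting mangle rule: traffic from the
    location2BRIDGE list gets routing-mark VPNbridge unless dst is exempt."""
    if in_list(src, LOCATION2BRIDGE) and not in_list(dst, exempt):
        return "VPNbridge"
    return None
```

With the rules as posted, a new connection arriving on the L2TP interface is accepted by forward rule 10 (the drop in rule 9 only matches in-interface=pppoe), while the reply from 192.168.1.100 to a client at 192.168.100.5 receives the VPNbridge mark because the VPN pool is not on NoMangleMark; the model also shows that adding 192.168.100.0/24 to the exemption list (a hypothetical change) leaves that reply unmarked.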
