Pisanisavich
just joined
Topic Author
Posts: 13
Joined: Mon Jan 12, 2015 9:10 pm

L2TP/Ipsec into Single VLAN

Sat Jun 05, 2021 4:53 pm

I recently upgraded our Mikrotik equipment to RB4011's and, with the help of @anav, @mkx and @erlinden, I was able to set up some VLANs.
When I connect to the office over L2TP/IPsec I can ping the Mikrotik but nothing else. Do I need to set up a different type of connection? EoIP? I tried enabling proxy-arp to no avail. I don't see how to add the connection to the bridge or tag it to a VLAN. Thanks in advance for the help.

Learning as fast as I can :)

Office
# may/12/2021 10:20:55 by RouterOS 6.45.9
# software id = 
#
# model = RB4011iGS+5HacQ2HnD
# serial number = 
/interface bridge
# One VLAN-aware bridge carries both VLANs. protocol-mode=none turns (R)STP
# off, so the bridge itself will not detect a cabling loop between its ports.
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] frequency=auto mode=ap-bridge ssid=Office
/interface ethernet
# ether1 is the WAN port (see /interface list member). Its MAC address is
# overridden here; the reason is not recorded in the export - confirm before
# changing it.
set [ find default-name=ether1 ] mac-address=bb:73:6a:ec:33:a0
/interface l2tp-server
# Static L2TP server interfaces pinned to users John, Sally and Stephan. None
# of those usernames appears under /ppp secret in this export (only Walter and
# Frank are defined there), so the accounts these bindings refer to are not
# visible here.
add name=Frank_L2TP user=John
add name=Gary_L2TP user=Sally
add name=Walter_L2TP user=Stephan
/interface vlan
add interface=BR1 name=Guest_VLAN vlan-id=45
# proxy-arp lets the router answer ARP on behalf of VPN clients: L2TP-Pool
# (192.168.44.180-189, see /ip pool) lies inside this VLAN's own subnet
# 192.168.44.0/24 (see /ip address).
add arp=proxy-arp interface=BR1 name=Office_VLAN vlan-id=44
/interface ethernet switch port
# Every switch-chip port is left at default-vlan-id=0; VLAN membership is
# defined on the bridge (/interface bridge port / vlan) rather than here.
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# WAN and VLAN are the only interface lists; the firewall matches on them.
add name=WAN
add name=VLAN
/interface wireless security-profiles
# WPA2-PSK on both profiles. The pre-shared keys are not shown in this export.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
/interface wireless
# wlan2 is the guest SSID; /interface bridge port places it in VLAN 45.
set [ find default-name=wlan2 ] mode=ap-bridge security-profile=guest ssid=\
    Office_Guest
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc
# Home1, Home and Office are not referenced by any policy in this export.
add enc-algorithms=aes-256-cbc name=Home1
add enc-algorithms=aes-256-cbc name=Home
add enc-algorithms=aes-256-cbc name=Office
# L2TP/IpSec is the proposal selected under /ip ipsec policy. It still offers
# 3des as a fallback; 3DES is a deprecated 64-bit-block cipher, so remove it
# unless a specific client cannot do AES. Auth algorithms and PFS group are
# not shown, i.e. left at their defaults.
add enc-algorithms=aes-256-cbc,aes-256-ctr,3des name=L2TP/IpSec
/ip pool
add name=Office_POOL ranges=192.168.44.1-192.168.44.100
add name=Guest_POOL ranges=10.0.20.2-10.0.20.254
# VPN clients get addresses inside the Office_VLAN subnet, outside the DHCP
# range above and clear of the static .252/.254 hosts used as DNS servers.
add name=L2TP-Pool ranges=192.168.44.180-192.168.44.189
# SSTP_Server_Pool overlaps the fixed 10.0.0.1/.2/.4 addresses used by the
# SSTP-Video and profile1 entries under /ppp profile.
add name=SSTP_Server_Pool ranges=10.0.0.1-10.0.0.5
add name="SSTP Remote Pool" ranges=10.0.0.10-10.0.0.15
# DMZ-Pool is not referenced anywhere else in this export.
add name=DMZ-Pool ranges=172.16.15.2-172.16.15.6
/ip dhcp-server
add address-pool=Office_POOL interface=Office_VLAN name=Office_DHCP
add address-pool=Guest_POOL disabled=no interface=Guest_VLAN name=Guest_DHCP
/ppp profile
# L2TP is the default profile of the L2TP server. use-encryption=yes asks for
# PPP-level encryption on top of the IPsec transport; clients are pushed the
# router (.254) and a LAN host (.252) as DNS servers.
add change-tcp-mss=yes dns-server=192.168.44.252,192.168.44.254 \
    local-address=192.168.44.254 name=L2TP remote-address=L2TP-Pool \
    use-encryption=yes
# SSTP-Profile shares the ten-address L2TP-Pool with the L2TP profile.
add change-tcp-mss=yes dns-server=192.168.44.252,192.168.44.254 \
    local-address=192.168.44.254 name=SSTP-Profile remote-address=L2TP-Pool \
    use-encryption=yes
add local-address=SSTP_Server_Pool name=SSTP-VPN remote-address=\
    "SSTP Remote Pool" use-encryption=yes
# Fixed 10.0.0.1/.2 and 10.0.0.1/.4 below lie inside SSTP_Server_Pool.
add change-tcp-mss=yes local-address=10.0.0.1 name=SSTP-Video remote-address=\
    10.0.0.2 use-encryption=yes
# bridge=BR1 enables BCP (bridging the PPP link into BR1) for clients that
# support it; tdw notes in the thread that this does not work with a
# VLAN-aware bridge, so the setting has no useful effect here.
add bridge=BR1 change-tcp-mss=yes local-address=10.0.0.1 name=profile1 \
    remote-address=10.0.0.4 use-encryption=yes
/system logging action
# Disk-backed log used by the firewall logging rule under /system logging;
# rotates at 50000 lines per file.
add disk-file-name=Attack disk-lines-per-file=50000 name=AttackLog target=\
    disk
/interface bridge port
# All bridge ports are access ports: only untagged (or priority-tagged) frames
# are admitted and ingress-filtering drops frames for VLANs the port is not a
# member of. ether1 (WAN) is not a bridge port.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=44
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=44
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=44
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=45
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2 pvid=45
/interface bridge vlan
# Membership mirrors the pvids above; tagged=BR1 makes the CPU a tagged member
# so the Office_VLAN/Guest_VLAN interfaces on BR1 see their VLAN's traffic.
# There is no trunk port in this export.
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,wlan1 vlan-ids=44
add bridge=BR1 tagged=BR1 untagged=ether4,wlan2 vlan-ids=45
/interface l2tp-server server
# IPsec is mandatory for L2TP and only MS-CHAPv2 is offered. The IPsec
# pre-shared key (ipsec-secret) is not shown in this export.
set authentication=mschap2 default-profile=L2TP enabled=yes use-ipsec=\
    required
/interface list member
# Only the two VLAN interfaces are in the VLAN list. The dynamic per-session
# L2TP interfaces (see tdw's reply in the thread) are not members, so firewall
# rules that match in-interface-list=VLAN do not apply to VPN clients.
add interface=ether1 list=WAN
add interface=Office_VLAN list=VLAN
add interface=Guest_VLAN list=VLAN
/interface sstp-server server
# SSTP on TCP 4443 (certificate not shown). No input rule in this export
# accepts TCP 4443, so new SSTP connections reach the input "drop all else"
# rule unless a rule outside this export admits them.
set authentication=mschap2 default-profile=SSTP-Video enabled=yes port=4443
/ip address
add address=192.168.44.254/24 interface=Office_VLAN network=192.168.44.0
add address=10.0.20.1/24 interface=Guest_VLAN network=10.0.20.0
# Public /30 on the WAN port.
add address=12.34.167.189/30 interface=ether1 network=12.34.167.188/30
/ip dhcp-server network
# Both VLANs are told to use the router's Office_VLAN address for DNS; guest
# clients reach it through the input chain, which accepts port 53 from
# in-interface-list=VLAN (Guest_VLAN is a member).
add address=10.0.20.0/24 dns-server=192.168.44.254 gateway=10.0.20.1
add address=192.168.44.0/24 dns-server=192.168.44.254 gateway=192.168.44.254
/ip dns
# allow-remote-requests=yes makes the router a resolver. It is kept off the
# internet only by the input chain (port 53 accepted from the VLAN list,
# everything else dropped); any future "accept from WAN" rule must keep
# UDP/TCP 53 excluded to avoid becoming an open resolver.
set allow-remote-requests=yes servers=208.67.220.220,208.67.222.222
/ip firewall address-list
# Static members of the "Port Scanner" list. The psd rules under
# /ip firewall filter add further sources with address-list-timeout=none-static,
# so the list grows without expiry and survives reboots; review it periodically.
add address=119.60.5.37 list="Port Scanner"
add address=45.129.136.15 list="Port Scanner"
add address=89.248.165.6 list="Port Scanner"
/ip firewall filter
# action=log already logs the packet; log=yes on the same rule is redundant
# and may produce a second log entry per packet.
add action=log chain=forward log=yes log-prefix=Attack src-address=\
    89.187.171.246
add action=drop chain=forward src-address=89.187.171.246
add action=drop chain=forward disabled=yes src-address=75.143.105.46
add action=drop chain=input src-address=89.187.171.246
# Drops listed scanners before the detection rules below; the identical rule
# "dropping port scanners" further down therefore never matches WAN traffic.
add action=drop chain=input in-interface-list=WAN src-address-list=\
    "Port Scanner"
# Port-scan detection: each rule adds the source to "Port Scanner" permanently
# (none-static) once psd=20,3s,3,1 trips. The comments do not all match their
# flag sets: the rule commented "Block TCP Null scan" matches fin,psh,urg (an
# Xmas scan), while "Block TCP Xmas scan" and "NMAP NULL scan" both match all
# flags clear (a Null scan) and are duplicates of each other.
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment=\
    "Port scanners to block List" in-interface-list=WAN protocol=tcp psd=\
    20,3s,3,1 tcp-flags=""
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment=\
    "NMAP FIN Stealth scan" in-interface-list=WAN protocol=tcp psd=20,3s,3,1 \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="SYN/FIN scan" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="SYN/RST scan" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment=\
    "FIN/PSH/URG scan - Block TCP Null scan" in-interface-list=WAN protocol=\
    tcp psd=20,3s,3,1 tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="ALL/ALL scan" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment=\
    "Block TCP Xmas scan" in-interface-list=WAN protocol=tcp psd=20,3s,3,1 \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="NMAP NULL scan" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="Drop TCP RST" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=rst
add action=drop chain=input comment="dropping port scanners" \
    in-interface-list=WAN src-address-list="Port Scanner"
# No /ip firewall mangle rule in this export sets connection-mark=ping, so
# this rule matches nothing as exported.
add action=drop chain=input comment="Drop pings" connection-mark=ping \
    in-interface-list=WAN
# ICMP from every interface, including WAN, is accepted before the
# established/related rule, with no rate limit. The later "only admin ..."
# ICMP rule is a duplicate that can never match.
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "only admin should be able to fully access the router" protocol=icmp
# Router services for LAN: DNS and Winbox (8291) from the VLAN list only. The
# dynamic L2TP client interfaces are not in that list, so VPN clients cannot
# use the router's DNS even though the L2TP profile pushes 192.168.44.254.
add action=accept chain=input comment="(only provide access to lan users for s\
    pecific services, most common -DNS SERVICES, NTP services" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="(only provide access to lan users for s\
    pecific services, most common -DNS SERVICES, NTP services" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="(only provide access to lan users for s\
    pecific services, most common -DNS SERVICES, NTP services" dst-port=8291 \
    in-interface-list=VLAN protocol=tcp
# Input catch-all. Nothing from the VPN client interfaces was accepted above
# except ICMP, which explains "can ping the router but nothing else". The
# second "drop all else" at the end of this section is unreachable. Add
# log=yes here while troubleshooting.
add action=drop chain=input comment="\"drop all else\""
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# No dst-nat rule exists under /ip firewall nat in this export, so this rule
# currently matches nothing.
add action=accept chain=forward comment="allow port forwarding - optional rule\
    \_can be disabled if no port forwarding is used" connection-nat-state=\
    dstnat connection-state=new in-interface-list=WAN
# 192.168.254.100 here and 192.168.9.2 below are not in any subnet configured
# in this export; both disabled rules look like leftovers from an older plan.
add action=accept chain=forward comment="VLAN inter-VLAN routing" \
    connection-state=new disabled=yes in-interface-list=VLAN src-address=\
    192.168.254.100
# The only active forward accept for new connections: VLAN -> WAN. There is
# no accept for traffic entering via the dynamic L2TP interfaces, so new
# VPN-to-LAN connections fall through to the unconditional "Drop" below.
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward disabled=yes out-interface-list=WAN protocol=\
    tcp src-address=192.168.9.2
add action=drop chain=forward comment=\
    "Drop all traffic that goes to multicast or broadcast addresses" \
    dst-address-type=broadcast,multicast
# Forward catch-all; set log=yes temporarily to see what it drops.
add action=drop chain=forward comment=Drop
# Unreachable: every input packet was already handled by "drop all else" above.
add action=drop chain=input comment="drop all else"
/ip firewall nat
# Single masquerade towards the WAN list; no dst-nat rules exist in this
# export, so the forward rule for port forwarding currently matches nothing.
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip firewall service-port
# All connection-tracking helpers (ALGs) are disabled - good hardening, as
# each helper is extra parsing exposed to untrusted traffic.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec policy
# Entry 0 is presumably the default template policy; it is pointed at the
# L2TP/IpSec proposal (which still lists 3des).
set 0 proposal=L2TP/IpSec
/ip route
add distance=1 gateway=12.34.167.188
/ip ssh
# allow-none-crypto=yes permits the SSH "none" cipher, i.e. unencrypted
# sessions; set it to no. forwarding-enabled=remote additionally allows SSH
# remote port forwarding through the router. As exported no input rule accepts
# TCP 22 from any interface, so SSH is reachable only if a rule outside this
# export admits it - harden the setting regardless.
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
# Passwords are not shown in this export. service=l2tp/sstp pins each account
# to one VPN type. Walter and Frank have no matching static interface under
# /interface l2tp-server (those are bound to John/Sally/Stephan), so their
# sessions use dynamically created per-user interfaces. The user John mentioned
# later in the thread does not appear in this export.
add name=Walter profile=L2TP service=l2tp
add name=Frank profile=L2TP service=l2tp
add name=SSTP profile=SSTP-Profile service=sstp
# User1 uses profile1, whose bridge=BR1 (BCP) setting tdw flags as ineffective
# on a VLAN-aware bridge.
add name=User1 profile=profile1 service=sstp
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system identity
set name=Office
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
# Sends all firewall-topic log entries (including anything a filter rule logs
# with log=yes) to the AttackLog disk action defined above.
add action=AttackLog prefix=Attack topics=firewall
Last edited by Pisanisavich on Sun Jun 06, 2021 5:54 am, edited 1 time in total.
 
tdw
Forum Guru
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: L2TP/Ipsec into Single VLAN

Sat Jun 05, 2021 9:00 pm

You only require proxy-arp when remote VPN client addresses overlap with a subnet on an ethernet interface, so it is required on Office_VLAN for it to communicate with VPN clients using addresses from L2TP-Pool.

Adding bridge settings to entries under /ppp profile is not necessary - this enables BCP for remote devices which support it, and it doesn't work with vlan-aware bridges on Mikrotiks.

Your firewall is blocking pretty much everything from VPN connections as you make no reference to them before the drop rules, the only thing permitted is ICMP.
 
Pisanisavich
just joined
Topic Author
Posts: 13
Joined: Mon Jan 12, 2015 9:10 pm

Re: L2TP/Ipsec into Single VLAN

Sun Jun 06, 2021 4:31 am

@tdw Thanks for the help and the quick reply!

I turned on proxy-arp on the BR1 interface. It is also turned on on the VLAN interface. Do I need it on the bridge (BR1), on the VLAN interface, or both? I added firewall rules for UDP 500, 1701 and 4500 after the accept ICMP rule. I am able to connect and can ping the router, but I cannot ping any other devices on the network.
/ip firewall filter
# action=log already logs; log=yes on the same rule is redundant.
add action=log chain=forward log=yes log-prefix=Attack src-address=\
    89.187.171.246
add action=drop chain=forward src-address=89.187.171.246
add action=drop chain=forward disabled=yes src-address=75.143.105.46
add action=drop chain=input src-address=89.187.171.246
add action=drop chain=input in-interface-list=WAN src-address-list=\
    "Port Scanner"
# Scanner detection (permanent list entries). "Block TCP Xmas scan" and
# "NMAP NULL scan" match the same flag set (all clear) and are duplicates.
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment=\
    "Port scanners to block List" in-interface-list=WAN protocol=tcp psd=\
    20,3s,3,1 tcp-flags=""
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment=\
    "NMAP FIN Stealth scan" in-interface-list=WAN protocol=tcp psd=20,3s,3,1 \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="SYN/FIN scan" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="SYN/RST scan" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment=\
    "FIN/PSH/URG scan - Block TCP Null scan" in-interface-list=WAN protocol=tcp \
    psd=20,3s,3,1 tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="ALL/ALL scan" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="Block TCP Xmas scan" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="NMAP NULL scan" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="Drop TCP RST" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=rst
# Never matches WAN traffic: the same drop already ran before the psd rules.
add action=drop chain=input comment="dropping port scanners" in-interface-list=\
    WAN src-address-list="Port Scanner"
# No mangle rule in this thread sets connection-mark=ping; matches nothing.
add action=drop chain=input comment="Drop pings" connection-mark=ping \
    in-interface-list=WAN
# Unrestricted ICMP accept ahead of established/related; this is why VPN
# clients can ping the router while everything else is dropped.
add action=accept chain=input protocol=icmp
# New rules for the VPN server. They accept IKE (500), L2TP (1701) and NAT-T
# (4500) from every interface, not only WAN, and 1701 is accepted without
# ipsec-policy=in,ipsec, so the firewall relies on the server's
# use-ipsec=required to refuse unprotected L2TP; tdw suggests adding
# ipsec-policy=in,ipsec to the 1701 rule. Raw ESP (protocol=ipsec-esp) is not
# accepted anywhere, which matters for peers that are not behind NAT.
add action=accept chain=input comment="L2TP UDP" dst-port=500 protocol=udp
add action=accept chain=input comment="L2TP UDP" dst-port=1701 protocol=udp
add action=accept chain=input comment="L2TP UDP" dst-port=4500 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# Duplicate of the ICMP accept above; never reached.
add action=accept chain=input comment=\
    "only admin should be able to fully access the router" protocol=icmp
# DNS/Winbox for the VLAN list only; the dynamic L2TP client interfaces are
# not in that list, so VPN clients still cannot use the router's DNS.
add action=accept chain=input comment="(only provide access to lan users for spe\
    cific services, most common -DNS SERVICES, NTP services" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="(only provide access to lan users for spe\
    cific services, most common -DNS SERVICES, NTP services" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="(only provide access to lan users for spe\
    cific services, most common -DNS SERVICES, NTP services" dst-port=8291 \
    in-interface-list=VLAN protocol=tcp
# Still the problem: nothing above accepts input from the dynamic L2TP
# interfaces (other than ICMP), so VPN clients end here. Enable log=yes on
# this rule and on the forward "Drop" rule below to confirm.
add action=drop chain=input comment="\"drop all else\""
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment="allow port forwarding - optional rule c\
    an be disabled if no port forwarding is used" connection-nat-state=dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="VLAN inter-VLAN routing" \
    connection-state=new disabled=yes in-interface-list=VLAN src-address=\
    192.168.254.100
# Only active forward accept for new connections is VLAN -> WAN; no rule
# covers connections entering via the L2TP client interfaces, so VPN-to-LAN
# traffic falls through to the "Drop" rule below.
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward disabled=yes out-interface-list=WAN protocol=tcp \
    src-address=192.168.9.2
add action=drop chain=forward comment=\
    "Drop all traffic that goes to multicast or broadcast addresses" \
    dst-address-type=broadcast,multicast
add action=drop chain=forward comment=Drop
# Unreachable: the input chain already ended at "drop all else" above.
add action=drop chain=input comment="drop all else"
 
tdw
Forum Guru
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: L2TP/Ipsec into Single VLAN

Sun Jun 06, 2021 10:06 pm

I'm not sure how you managed to successfully connect to the VPN server at all if you did not permit UDP 500 & 4500 (for IKE & NAT-T), IPsec-ESP protocol for the IPsec traffic and UDP 1701 (ideally with IPsec policy in:ipsec so only accessible over IPsec) beforehand.

That aside, the point I was making is that you have no rules to permit input or forward traffic from the dynamic L2TP interfaces (which have the form <l2tp-vpnclientusername>) which are created when you establish a VPN connection. If you enable logging on your drop input and drop forward rules you'll see what is happening.
 
Pisanisavich
just joined
Topic Author
Posts: 13
Joined: Mon Jan 12, 2015 9:10 pm

Re: L2TP/Ipsec into Single VLAN

Sun Jun 06, 2021 10:07 pm

@tdw From reading your correspondence with simonefil, I have turned on proxy-arp on the BR1 interface. I also added ppp > secret > routes 192.168.44.0/24 0.0.0.1 ?? for user John (the account I am currently trying to get working). I am still unable to ping or connect to any of the computers on the network; I can only ping the Mikrotik gateway. Still plugging away... Thanks again for the help!
 
Pisanisavich
just joined
Topic Author
Posts: 13
Joined: Mon Jan 12, 2015 9:10 pm

Re: L2TP/Ipsec into Single VLAN

Sun Jun 06, 2021 10:18 pm

I had a rule at the beginning of Firewall > Filter allowing all input from my house, and I'm tethering through my phone to test the VPN so I don't lock myself out.
Do I also need to add the rule add action=accept chain=input comment="L2TP UDP" protocol=ipsec-esp to Firewall > Filter? I will take a look at the input rules and turn on logging.
Thanks!
