prvul
just joined
Topic Author
Posts: 4
Joined: Sat Aug 31, 2019 3:14 pm

L2TP/IPSEC Mikrotik Client behind main Mikrotik Router

Thu Sep 09, 2021 9:56 pm

So I have two MikroTik routers, "main" hAP ac lite with default settings - connects to the internet (VDSL) with PPPoE on ether1 - no problem here.
ether2-5 are bridged and have the default DHCP server. All plugged-in devices function properly except my second MikroTik, which is my L2TP/IPsec client.
It won't connect to my remote server (also MikroTik) when the default firewall rule "drop all from WAN not DSTNATed" is enabled. It seems that incoming packets from the server do not pass through the main router. When I deactivate "drop all from WAN not DSTNATed" the VPN works correctly.
Before the hAP ac lite I had a Fritzbox and the same VPN worked without any extra firewall settings. The Fritzbox has some "invisible" factory settings that enable the VPN to function without visible port forwarding etc.

https://en.avm.de/service/knowledge-bas ... e-network/
If you want to establish VPN connections to remote VPN servers, you do not have to configure any settings in the FRITZ!Box. By default, VPN passthrough is enabled for the VPN protocols IPsec and PPTP in the FRITZ!Box; no further settings are necessary.

What do I need to do so that the VPN connects when "drop all from WAN not DSTNATed" is enabled?
Thanks!
Last edited by prvul on Mon Sep 13, 2021 6:17 pm, edited 3 times in total.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: L2TP/IPSEC Mikrotik Client behind main Mikrotik Router

Fri Sep 10, 2021 4:17 pm

Ok, so if I understand correctly you have 3 MikroTik routers... A network diagram would help...
Add an accept rule, Forward chain, with in-interface your L2TP client and out-interface the remote server, and place that rule before the "Drop all from WAN not DSTNATed" one.
 
prvul
just joined
Topic Author
Posts: 4
Joined: Sat Aug 31, 2019 3:14 pm

Re: L2TP/IPSEC Mikrotik Client behind main Mikrotik Router

Sat Sep 11, 2021 12:21 am

Hello Zacharias, thanks for your help.
Here is my "diagram":

[Image: network diagram]

Yes, there are 3 MikroTiks but I can edit only "Main" - Router 2, which is the hAP ac lite. I also think there is no need to edit the conf on Router 1 or Router 3 because if I just place my old Fritzbox in place of Router 2 everything works. Here is some config from Router 2:
/interface bridge
add admin-mac=CC:2D:E0:FD:83:FA auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-FD83FF wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX distance=indoors frequency=auto \
    installation=indoor mode=ap-bridge ssid=MikroTik-FD83FE wireless-protocol=802.11
/interface vlan
add interface=ether1 name=vlan7 vlan-id=7
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan7 name=o2-vdsl use-peer-dns=yes user=DSLXYZ@s93.bbi-o2.de
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/interface detect-internet
set detect-interface-list=all internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
I guess I need some forward rule but I can't set it as you suggested because L2TP is on Router 3. I have tried to set forward accept for in-interface ether4 and out-interface ether1 on Router 2 but it is red because ether4 is a slave/bridged port of ether2-5.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: L2TP/IPSEC Mikrotik Client behind main Mikrotik Router

Sat Sep 11, 2021 12:44 am

> I also think there is no need to edit conf on Router 1 or Router 3 because if i just place my old Fritzbox in place of Router 2 everything works.

As I already suggested in my previous post, you should allow traffic to flow from your L2TP client to your L2TP server on the forward chain...
On your Router 3 I guess you have a NAT rule on your WAN ether1 interface that has an address of 192.168.88.x/24, so if you allow that src-address to reach your L2TP server (on the Forward chain) and place it before the drop rule everything will work...

On your Main Router:
/ip firewall filter add src-address=192.168.88.x/24 dst-address=RemoteMikroTIK chain=forward action=accept
 
 
prvul
just joined
Topic Author
Posts: 4
Joined: Sat Aug 31, 2019 3:14 pm

Re: L2TP/IPSEC Mikrotik Client behind main Mikrotik Router

Sun Sep 12, 2021 3:00 pm

I am totally baffled.
Wanted to try your suggestion, messed the filters up and did a complete reset of Router 2 with default conf, no "keep user data". PPPoE connected, I could ping google.com from the Router 2 terminal but all DHCP clients did not have internet access. Did a "detect internet" on all interfaces and the internet started working on all connected devices. Even L2TP/IPsec on Router 3 could connect with default firewall rules, "drop all from WAN not DSTNATed" included?!?
Sorry for your trouble, could "detect internet" activation have solved the problem without any additional firewall rules?
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: L2TP/IPSEC Mikrotik Client behind main Mikrotik Router  [SOLVED]

Sun Sep 12, 2021 4:47 pm

If the new configuration is like the previous one, nothing would have internet access without using /interface detect-internet, as the WAN PPPoE interface o2-vdsl has not been added to the WAN interface list.

I would suggest
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=o2-vdsl list=WAN

and disable /interface detect-internet as it can have odd side-effects.

It doesn't explain why it didn't work previously - router 3 will first establish a UDP connection on port 500, work out that NAT is involved, then switch to NAT-T on port 4500 instead of using plain ESP. As far as router 2 is concerned it is just outbound traffic which will be handled by the masquerade rule.

Note that due to the limitations of IPsec and NAT you can't successfully establish more than one connection from your WAN to the Office MikroTik - if the Job PC was connected to the Home AP WiFi and used a VPN client to connect to the Office MikroTik then trying to connect router 3 to the office would fail.
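An added audit script, not from the thread or from MikroTik, that parses a RouterOS /export excerpt (constructed here from the Router 2 config posted above) and reports pppoe-client interfaces missing from the WAN interface list, the root cause tdw identifies, together with the firewall rules whose matching silently depends on that list:

```python
import re

# Constructed excerpt of the Router 2 /export posted in the thread (sample input for this check).
EXPORT = r"""/interface vlan
add interface=ether1 name=vlan7 vlan-id=7
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan7 name=o2-vdsl use-peer-dns=yes user=DSLXYZ@s93.bbi-o2.de
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip firewall filter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
    in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
"""

def parse_export(text):
    """Map each '/section' of a RouterOS export to a list of {key: value} dicts, one per add/set line."""
    text = re.sub(r"\\\n\s*", "", text)  # join backslash line continuations used by /export
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif current and line.startswith(("add ", "set ")):
            sections[current].append(dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line)))
    return sections

def missing_wan_members(text):
    """pppoe-client interfaces that are not members of the WAN interface list."""
    s = parse_export(text)
    pppoe = {e["name"] for e in s.get("/interface pppoe-client", []) if "name" in e}
    wan = {e.get("interface") for e in s.get("/interface list member", []) if e.get("list") == "WAN"}
    return sorted(pppoe - wan)

def rules_using_list(text, name):
    """Comments of filter/NAT rules whose in-/out-interface-list match depends on the given list."""
    s = parse_export(text)
    hits = []
    for section in ("/ip firewall filter", "/ip firewall nat"):
        for e in s.get(section, []):
            if name in (e.get("in-interface-list"), e.get("out-interface-list")):
                hits.append(e.get("comment", "").strip('"'))
    return hits

if __name__ == "__main__":
    print("pppoe-client interfaces missing from WAN:", missing_wan_members(EXPORT))
    print("rules that depend on the WAN list:", rules_using_list(EXPORT, "WAN"))
```

Every rule the second function lists is effectively disabled for the PPPoE uplink until the interface is added to the list, which is what the suggested `add interface=o2-vdsl list=WAN` fixes.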
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: L2TP/IPSEC Mikrotik Client behind main Mikrotik Router

Sun Sep 12, 2021 8:07 pm

> I am totally baffled.
> Wanted to try your suggestion, messed filters up and did a complete reset of Router 2 with default conf, no "keep user data". PPPoE connected, i could ping google.com from Router 2 terminal but all dhcp clients did not have internet access. Did a "detect internet" on all interfaces and internet started working on all connected devices. Even L2TP/IPSEC on Router 3 could connect with default firewall rules, "drop all from WAN not DSTNATed" included?!?
> Sorry for your trouble, could "detect internet" activation solved the problem without any additional firewall rules?
You had no internet ( on your Client devices ) because you did not add the PPPoE on your WAN list... Enabling Detect internet did exactly that...
> It doesn't explain why it didn't work previously
Because Router 3 traffic to Router 1 was being dropped by the Main Router... That is why disabling the Drop Forward on the Main Router allowed the connection to Router 1...
Certainly a lot of info is missing to answer why it works now but not before, since the config is the same...

@tdw,
I think this is fixed...
> Note that due to the limitations of IPsec and NAT you can't successfully establish more than one connection from your WAN to the Office Mikrotik
*) l2tp - fixed multiple tunnel establishment from the same remote IP address (introduced in v6.47);
https://mikrotik.com/download/changelogs
 
prvul
just joined
Topic Author
Posts: 4
Joined: Sat Aug 31, 2019 3:14 pm

Re: L2TP/IPSEC Mikrotik Client behind main Mikrotik Router

Mon Sep 13, 2021 6:12 pm

Thanks to both of you for your support.
The problem is solved and I should pay more attention to "detect internet" / "interface list" in the future.
