BeeKeeper

L2TP ipsec connect okay but no access to LAN

Tue Mar 07, 2023 4:57 pm

The connection from my iPhone to my router using L2TP/IPsec is okay. The iPhone gets the configured IP address, and ping from the router to the iPhone
and from the iPhone to the router works without problems.

The IP address of the iPhone is taken from one VLAN (192.168.76.0/24), and both the bridge and the VLAN use proxy-arp.
The iPhone can't reach any resources inside 192.168.76.0/24.

I removed the scripts from the export file because they only set dynamic hostnames and are running correctly.
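# mar/07/2023 15:31:16 by RouterOS 6.49.7
# 
#
# model = RB4011iGS+
# 
# RouterOS export (the author removed their hostname scripts). The "#" lines
# are review notes; the only functional changes are tagged "[fix]": an
# interface list for the dynamic L2TP session interfaces, its assignment in
# both PPP profiles, and one forward-chain accept so VPN clients can reach
# GREEN_VLAN instead of falling through to the final DropLast-FWD rule.
/interface bridge
# No /ip address is bound to BR1 in this export, so arp=proxy-arp on the
# bridge itself presumably answers for nothing and is a leftover — confirm.
add arp=proxy-arp igmp-snooping=yes igmp-version=3 name=BR1 protocol-mode=\
    none vlan-filtering=yes
/interface vlan
add interface=BR1 name=AQUA_VLAN vlan-id=30
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=111
# proxy-arp on GREEN_VLAN is what lets hosts in 192.168.76.0/24 reach the
# L2TP peers: their remote-address (see /ppp secret) lies in the same /24 but
# sits behind the router's PPP interface, not on the VLAN.
add arp=proxy-arp interface=BR1 name=GREEN_VLAN vlan-id=20
add interface=BR1 name=LIME_VLAN vlan-id=60
add interface=BR1 name=RED_VLAN vlan-id=10
add interface=ether1 name=vlan-07-fiber vlan-id=7
add disabled=yes interface=ether10 name=vlan-07-telekom vlan-id=7
/interface pppoe-client
add comment="Magenta 100" interface=vlan-07-telekom max-mtu=1480 name=\
    pppoe-Magenta
add comment="fiber 500 telekom" disabled=no interface=vlan-07-fiber max-mtu=\
    1500 name=pppoe-fiber
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment="contains all WAN interfaces" name=WAN
add name=VLAN
add name=BASE
# [fix] Filled dynamically by the PPP profiles below (interface-list=L2TP);
# the forward chain matches on it instead of on per-client addresses.
add comment="dynamic L2TP session interfaces (set via /ppp profile)" name=\
    L2TP
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# 3des is a legacy cipher; remove it from the list once every peer is known
# to negotiate AES.
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip pool
add name=BLUE_POOL ranges=192.168.111.100-192.168.111.200
add name=GREEN_POOL ranges=192.168.76.100-192.168.76.200
add name=RED_POOL ranges=192.168.222.100-192.168.222.200
add name=LIME_POOL ranges=192.168.10.100-192.168.10.200
add name=BASE_POOL ranges=192.168.1.102-192.168.1.199
add name=AQUA_POOL ranges=192.168.33.100-192.168.33.200
/ip dhcp-server
add address-pool=BLUE_POOL disabled=no interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=RED_POOL disabled=no interface=RED_VLAN name=RED_DHCP
add address-pool=LIME_POOL disabled=no interface=LIME_VLAN name=LIME_DHCP
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
add address-pool=AQUA_POOL disabled=no interface=AQUA_VLAN lease-script=\
    dhcp-leases-to-dns name=AQUA_DHCP
/ppp profile
# [fix] interface-list puts each session's dynamic PPP interface into the
# L2TP list so the firewall can match it. Set on both profiles because the
# secrets below do not name a profile explicitly.
set *0 dns-server=192.168.76.135 interface-list=L2TP
set *FFFFFFFE comment="default mit DNS 192.168.76.135" dns-server=\
    192.168.76.135 interface-list=L2TP local-address=192.168.76.254
/system logging action
set 3 remote=192.168.76.187
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether2 multicast-router=disabled
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether3 multicast-router=disabled
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=sfp-sfpplus1 multicast-router=disabled
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether5 multicast-router=disabled
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether4 multicast-router=disabled
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether3,ether4,ether5,sfp-sfpplus1,ether2 vlan-ids=\
    99
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether4,ether5,ether3,ether2 vlan-ids=\
    111
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether5,ether4,ether3,ether2 vlan-ids=\
    10
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether4,ether5,ether3,ether2 vlan-ids=\
    20
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether4,ether5,ether3,ether2 vlan-ids=\
    60
add bridge=BR1 tagged=BR1,sfp-sfpplus1,ether3,ether4,ether5,ether2 vlan-ids=\
    30
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
# use-ipsec=yes still accepts plain (unencrypted) L2TP sessions. Because the
# input chain opens UDP/1701 from WAN, use-ipsec=required would be the safer
# setting once every client is known to use IPsec (the iPhone does).
set enabled=yes use-ipsec=yes
/interface list member
add disabled=yes interface=pppoe-Magenta list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=RED_VLAN list=VLAN
add interface=LIME_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
add interface=AQUA_VLAN list=VLAN
add interface=pppoe-fiber list=WAN
/interface pptp-server server
set default-profile=default
/ip address
add address=192.168.1.254/24 interface=BASE_VLAN network=192.168.1.0
add address=192.168.111.254/24 interface=BLUE_VLAN network=192.168.111.0
add address=192.168.76.254/24 interface=GREEN_VLAN network=192.168.76.0
add address=192.168.222.254/24 interface=RED_VLAN network=192.168.222.0
add address=192.168.10.254/24 interface=LIME_VLAN network=192.168.10.0
add address=192.168.30.9/24 disabled=yes interface=ether1 network=\
    192.168.30.0
add address=192.168.33.254/24 interface=AQUA_VLAN network=192.168.33.0
add address=192.168.100.100/24 interface=ether1 network=192.168.100.0
/ip dhcp-relay
# GREEN_VLAN has both a local server (GREEN_DHCP above) and this relay to
# 192.168.76.187; confirm that only one of them is meant to answer leases.
add dhcp-server=192.168.76.187 disabled=no interface=GREEN_VLAN name=\
    GREEN_RELAY
/ip dhcp-server lease
add address=192.168.1.243 client-id=1:8:55:31:a0:e8:1b mac-address=\
    08:55:31:A0:E8:1B server=BASE_DHCP
add address=192.168.222.199 client-id=1:b8:27:eb:12:a1:71 mac-address=\
    B8:27:EB:12:A1:71 server=RED_DHCP
add address=192.168.10.199 client-id=1:b8:27:eb:12:a1:71 mac-address=\
    B8:27:EB:12:A1:71 server=LIME_DHCP
add address=192.168.1.199 client-id=1:b8:27:eb:12:a1:71 mac-address=\
    B8:27:EB:12:A1:71 server=BASE_DHCP
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254
add address=192.168.10.0/24 dns-server=192.168.1.254 gateway=192.168.10.254
add address=192.168.33.0/24 dns-server=192.168.1.254 domain=<removed> \
    gateway=192.168.33.254
add address=192.168.76.0/24 dns-server=192.168.1.254 gateway=192.168.76.254
add address=192.168.111.0/24 dns-server=192.168.1.254 gateway=192.168.111.254
add address=192.168.222.0/24 dns-server=192.168.1.254 gateway=192.168.222.254
/ip dns
# The router resolves for its clients; the input chain has no WAN accept for
# DNS, so the resolver is not reachable from the Internet.
set allow-remote-requests=yes servers=1.1.1.1,9.9.9.9
/ip firewall address-list
add address=232.0.0.0/16 list=iptv_destination
add address=239.35.0.0/16 list=iptv_destination
add address=224.0.0.0/4 list=iptv_destination
add address=<fqdn> list=Dyndns_haj
/ip firewall filter
# input chain: the first four rules open IKE (500), L2TP (1701), NAT-T (4500)
# and ESP from WAN; anything else arriving from WAN reaches the final drop.
add action=accept chain=input comment="Allow L2TP VPN" dst-port=500 \
    in-interface-list=WAN protocol=udp src-port=""
add action=accept chain=input dst-port=1701 in-interface-list=WAN protocol=\
    udp
add action=accept chain=input dst-port=4500 in-interface-list=WAN protocol=\
    udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow Base_Vlan Full Access" \
    in-interface=BASE_VLAN
# ICMP is accepted from every interface, WAN included, with no rate limit.
add action=accept chain=input comment="Allow ICMP" protocol=icmp
# No protocol match: this accepts any traffic addressed to the multicast
# ranges in iptv_destination, not only IGMP.
add action=accept chain=input comment="Allow IGMP-MagentaTV" \
    dst-address-list=iptv_destination
add action=drop chain=input comment=Drop log-prefix=DropLast-INP
# forward chain: L2TP sessions arrive on dynamic PPP interfaces that belonged
# to no interface list in the original export, so none of the accept rules
# matched them and the last rule (DropLast-FWD) discarded VPN -> GREEN_VLAN
# traffic. The DropLast-FWD log prefix is where this shows up.
add action=accept chain=forward comment="Accept Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="Allow Mgt<-> Green_VLAN" \
    connection-state=new in-interface=BASE_VLAN log-prefix=MgtGreen \
    out-interface=GREEN_VLAN
add action=accept chain=forward connection-state=new in-interface=GREEN_VLAN \
    out-interface=BASE_VLAN
# [fix] VPN clients may open connections into GREEN_VLAN; replies come back
# through "Accept Estab & Related". Add a second rule with
# out-interface-list=WAN if VPN clients should also use this uplink.
add action=accept chain=forward comment="Allow L2TP -> Green_VLAN" \
    connection-state=new in-interface-list=L2TP out-interface=GREEN_VLAN
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment=IGMP-Magenta dst-address-list=\
    iptv_destination
add action=accept chain=forward comment="Allow Port Forwarding" \
    connection-nat-state=dstnat log-prefix=log-Accept-dstnat
add action=accept chain=forward comment="Allow LAN<->cable modem" \
    dst-address=192.168.100.1 in-interface-list=VLAN out-interface=ether1 \
    src-address=192.168.0.0/16
add action=drop chain=forward comment="drop not destination" \
    connection-nat-state=!dstnat connection-state=new connection-type="" \
    in-interface=pppoe-fiber log=yes log-prefix=fwd-drop
add action=drop chain=forward comment="Drop state invalid" connection-state=\
    invalid log-prefix=drop-invalid
# The action is already drop; the comment text is stale.
add action=drop chain=forward comment=\
    "Should be DROP but too much arriving here" log-prefix=DropLast-FWD
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade LAN->cable modem" \
    dst-address=192.168.100.1 out-interface=ether1 src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
add action=dst-nat chain=dstnat comment="VoIP Auerswald" dst-port=30000-31000 \
    in-interface=pppoe-fiber protocol=udp to-addresses=192.168.111.111 \
    to-ports=30000-31000
# dst-address=0.0.0.0 matches only packets addressed to exactly 0.0.0.0, so
# this rule never fires; the neighbouring VoIP rules carry no dst-address —
# confirm what was intended.
add action=dst-nat chain=dstnat dst-address=0.0.0.0 dst-port=40000-41000 \
    in-interface=pppoe-fiber protocol=udp to-addresses=192.168.111.111 \
    to-ports=40000-41000
add action=dst-nat chain=dstnat dst-port=5070-5080 in-interface=pppoe-fiber \
    protocol=udp to-addresses=192.168.111.111 to-ports=5070-5080
add action=dst-nat chain=dstnat comment=WWW-DSTNAT-SSL dst-address-list=\
    Dyndns_haj dst-port=443 protocol=tcp to-addresses=192.168.76.187 \
    to-ports=443
add action=dst-nat chain=dstnat comment=WWW-DSTNAT dst-address-list=\
    Dyndns_haj dst-port=80 protocol=tcp to-addresses=192.168.76.187 to-ports=\
    80
/ip firewall raw
# raw/prerouting drops run before connection tracking, so these packets
# never create state.
add action=drop chain=prerouting comment=\
    "TCP invalid combination of flags attack (7 rules)" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,syn
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,urg
add action=drop chain=prerouting protocol=tcp tcp-flags=syn,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=rst,urg
add action=drop chain=prerouting comment="TCP Port 0 attack (2 rules)" \
    protocol=tcp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=tcp
add action=drop chain=prerouting comment="UDP Port 0 attack (2 rules)" \
    protocol=udp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=udp
add action=drop chain=prerouting comment="SYN fragmented attack" fragment=yes \
    protocol=tcp tcp-flags=syn
add action=drop chain=prerouting comment="IP option loose-source-routing" \
    ipv4-options=loose-source-routing
add action=drop chain=prerouting comment="IP option strict-source-routing" \
    ipv4-options=strict-source-routing
add action=drop chain=prerouting comment="IP option record-route" \
    ipv4-options=record-route
add action=drop chain=prerouting comment="IP option router-alert" \
    ipv4-options=router-alert
add action=drop chain=prerouting comment="IP option timestamp" ipv4-options=\
    timestamp
add action=drop chain=prerouting comment=\
    "IP options left, except IP Stream used by the IGMP protocol" \
    ipv4-options=any protocol=!igmp
/ip firewall service-port
set sip disabled=yes
/ip route
add comment="All traffic fiber 500" distance=10 gateway=pppoe-fiber
/ip service
# WebFig moved off 80/443 because those ports are dst-nat'ed to
# 192.168.76.187; the input chain has no WAN accept for 8080/4433, so the
# management UI stays reachable from VLAN/BASE interfaces only.
set www port=8080
set www-ssl port=4433
/ip ssh
# Keeps password login enabled even when a key is installed. SSH is only
# reachable from VLAN/BASE here (no WAN accept for tcp/22), but set this to
# no once key-based login is in place.
set always-allow-password-login=yes
/ppp secret
# remote-address .41-.44 lies inside GREEN_VLAN's /24 but outside GREEN_POOL
# (.100-.200), so VPN and DHCP addresses cannot collide. No profile is named
# here, so the profile defaults apply.
add local-address=192.168.76.254 name=testuser remote-address=192.168.76.41 \
    service=l2tp
add local-address=192.168.76.254 name=ipadM remote-address=192.168.76.42 \
    service=l2tp
add local-address=192.168.76.254 name=iphoneM remote-address=192.168.76.43 \
    service=l2tp
add local-address=192.168.76.254 name=mpischke remote-address=192.168.76.44 \
    service=l2tp
/routing igmp-proxy interface
add alternative-subnets=87.141.215.251/32 interface=pppoe-fiber upstream=yes
add interface=BLUE_VLAN
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=haydn
/system logging
# Enable the first entry while troubleshooting IPsec negotiation; the other
# two ship system and firewall topics to the remote syslog action (set 3).
add disabled=yes prefix=ipsec topics=ipsec,debug
add action=remote prefix=Mikrotik topics=system
add action=remote prefix=fw topics=firewall
/tool graphing interface
add interface=ether5
add interface=pppoe-Magenta
add interface=ether4
add interface=ether3
add interface=sfp-sfpplus1
add interface=GREEN_VLAN
add interface=pppoe-fiber
add interface=BLUE_VLAN
/tool graphing resource
add
/tool sniffer
# Sniffer is pre-filtered to GREEN_VLAN, which is the segment under
# investigation; file-limit is roughly 1 GB.
set file-limit=1000000KiB file-name=sniffer.pcap filter-interface=GREEN_VLAN \
    memory-limit=1024KiB memory-scroll=no
/tool traffic-monitor
add interface=pppoe-fiber name=Above50M on-event=\
    ":log info \"WAN above 50Mbit\"" threshold=50000000 traffic=received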
 
BeeKeeper

Re: L2TP ipsec connect okay but no access to LAN  [SOLVED]

Tue Mar 14, 2023 2:09 pm

Some further analysis of this problem gave a workaround/solution. Setting up an address list for the remote IP addresses
and referencing this address list in the forward chain of the firewall solved the problem.
Maybe not the most elegant way.
