bibawa
newbie
Topic Author
Posts: 28
Joined: Mon Oct 29, 2012 11:25 pm

Bridge not routing traffic to L2TP

Fri May 30, 2014 11:10 am

Dear,

We have 2 sites:

SITE 1, private LAN with range 192.168.100.0/24 - ports 2, 3, 4 bridged in a bridge called 'PRIVATE LAN'
SITE 2, private LAN with range 192.168.15.0/24 - port 2, wlan1 bridged in a bridge called 'bridge-local'

I've created an L2TP tunnel between SITE 1 and SITE 2 as described in http://wiki.mikrotik.com/wiki/Manual:Interface/L2TP

The L2TP tunnel is connected and I can successfully ping 172.16.1.1 and 172.16.1.2 from both sites.

When I log on to the terminal of the RB on SITE 2 I can also successfully ping devices on the PRIVATE LAN of SITE 2, but from the moment I start a ping from a device on SITE 2 connected to the bridge-local bridge the ping fails.

On SITE 2 I've added a route "192.168.100.0/24 with my L2TP tunnel as gateway" but without any success.

No firewall rules are in place, no mangle rules.

Any clues?
 
noib
Member Candidate
Posts: 291
Joined: Fri Jan 25, 2013 6:04 pm
Location: France

Re: Bridge not routing traffic to L2TP

Fri May 30, 2014 12:31 pm

I think you are missing some routes:
On site 1: /route add dst=192.168.15.0/24 gateway=172.16.1.2
On site 2: /route add dst=192.168.100.0/24 gateway=172.16.1.1
Your "clients" behind the routers must also have those routes (if their default gateway isn't the local MikroTik device).
 
bibawa
newbie
Topic Author
Posts: 28
Joined: Mon Oct 29, 2012 11:25 pm

Re: Bridge not routing traffic to L2TP

Fri May 30, 2014 4:34 pm

Hi,

Thanks for your reply,

Those routes already exist; clients have the RB as their default gateway.
On a client I can successfully ping 172.16.1.1 or .2 but not the 192.168.100.0/24 network.
 
Rudios
Forum Veteran
Posts: 972
Joined: Mon Mar 11, 2013 12:58 pm
Location: The Netherlands

Re: Bridge not routing traffic to L2TP

Fri May 30, 2014 4:38 pm

How is your firewall setup?
 
bibawa
newbie
Topic Author
Posts: 28
Joined: Mon Oct 29, 2012 11:25 pm

Re: Bridge not routing traffic to L2TP

Fri May 30, 2014 4:54 pm

On SITE 1: allow both inbound, outbound and forward traffic
On SITE 2: no firewall rules present
 
bibawa
newbie
Topic Author
Posts: 28
Joined: Mon Oct 29, 2012 11:25 pm

Re: Bridge not routing traffic to L2TP

Sun Jun 01, 2014 12:08 pm

Does anybody have tips on this issue?
 
bibawa
newbie
Topic Author
Posts: 28
Joined: Mon Oct 29, 2012 11:25 pm

Re: Bridge not routing traffic to L2TP

Tue Jun 03, 2014 3:19 pm

I can't get this to work. My setup:

PRIVATE LAN 192.168.100.0/24 <-----|ROUTERBOARD DC|172.16.1.1 ------L2TP VPN ------ 172.16.1.2|ROUTERBOARD HOME|---> PRIVATE LAN 192.168.15.0/24

- From my home router I can ping 172.16.1.2, 172.16.1.1 and also clients on the PRIVATE LAN subnets on both sides
- From my DC router I can also ping 172.16.1.2, 172.16.1.1 and also clients on the PRIVATE LAN subnets on both sides

- From a private LAN subnet I can't ping 172.16.1.1, 172.16.1.2 and also not the other PRIVATE LAN.

==> L2TP VPN is active and up and running, but routing is not working as expected!

On my DC router I have a /ip route 192.168.15.0/24 172.16.1.2; on my home router I have a /ip route 192.168.100.0/24 172.16.1.1

Help :-)
 
bibawa
newbie
Topic Author
Posts: 28
Joined: Mon Oct 29, 2012 11:25 pm

Re: Bridge not routing traffic to L2TP

Tue Jun 03, 2014 4:27 pm

When I do a traceroute via interface PRIVATE LAN it seems that it is sending traffic through its default gateway instead of using the route I've defined for the 192.168.15.0 network.
 
noib
Member Candidate
Posts: 291
Joined: Fri Jan 25, 2013 6:04 pm
Location: France

Re: Bridge not routing traffic to L2TP

Wed Jun 04, 2014 4:34 pm

Can you post the result of
/ip export

from both your routers?
 
bibawa
newbie
Topic Author
Posts: 28
Joined: Mon Oct 29, 2012 11:25 pm

Re: Bridge not routing traffic to L2TP

Thu Jun 05, 2014 10:02 pm

Hi,

I've made some progress: when I start a ping from a device on the 192.168.100.0/24 network to a device on the 192.168.15.0/24 network and start a torch on the L2TP interface, I see TX traffic on the 100.0/24 network and RX traffic on the 15.0/24 network, but the traffic is not going back.

Export from the router on the 192.168.100.0/24 network:
[user@router] > /ip export 
# jun/05/2014 20:57:30 by RouterOS 6.4
# software id = 5E5R-ZA5D
#
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip neighbor discovery
set ETH1 comment="UPLINK "
set ETH2 comment="UPLINK FW PROTECTED"
set ETH3 comment=VIRT1
set ETH4 comment="UPLINKS FW UNPROTECTED"
set ETH9 comment="UPLINK PRIVATE LAN SW 2"
set ETH10 comment="UPLINK PRIVATE LAN SW1"
set ETH3.107 discover=no
/ip pool
add name=dhcp_pool1 ranges=192.168.100.100-192.168.100.110
add name=dhcp_pool2 ranges=192.168.100.110,192.168.100.120
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface="PRIVATE LAN" name=dhcp1
/ip address
add address=192.168.100.254/24 interface=vrrp-PRIVATE_LAN network=192.168.100.0
add address=81.95.x.y/26 interface=Servers network=81.95.x.y
add address=185.18.x.y/32 interface=Servers network=185.18.x.y
add address=192.168.100.252/24 interface="PRIVATE LAN" network=192.168.100.0
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.100.254
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=8.8.8.8 name="Google 1"
add address=8.8.4.4 name=Google2
/ip firewall address-list
add address=80.190.147.92 list=0.ntp.pool.org
........
/ip firewall filter
add chain=forward
add chain=input
add chain=output

/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark="PRIVATE LAN" \
    src-address=192.168.100.0/24
add action=mark-connection chain=prerouting dst-address=192.168.100.0/24 \
    new-connection-mark="PRIVATE LAN"
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade voor PRIVATE LAN" \
    disabled=yes dst-limit=0,100,dst-address limit=0,100 src-address=\
    192.168.100.0/24 to-addresses=81.95.x.y
add action=masquerade chain=srcnat dst-address=!192.168.15.0/24 src-address=\
    192.168.100.0/24
add action=dst-nat chain=dstnat comment="Port Forwards" dst-address=\
    81.95.x.y dst-port=21 protocol=tcp to-addresses=192.168.100.1 to-ports=\
    21
....
/ip proxy
set max-cache-size=none parent-proxy=0.0.0.0
/ip route
add distance=1 gateway=81.95.x.y
add distance=2 gateway=185.18.x.y
/ip service
set telnet disabled=yes
set api disabled=yes
/ip traffic-flow
set cache-entries=4k interfaces=ETH1
/ip traffic-flow target
add address=192.168.100.5:2055 version=5

Export from the router on the 192.168.15.0/24 network:
[admin@GW01] > /ip export 
# apr/10/1970 21:37:15 by RouterOS 6.7
# software id = ZSI5-M3C9
#
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.15.100-192.168.15.200
/ip address
add address=192.168.15.1/24 interface=wlan1 network=192.168.15.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether1-gateway
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
/ip dhcp-server lease
add address=192.168.15.130 client-id=1:d8:9d:67:57:71:a1 mac-address=\
    D8:9D:67:57:71:A1 server=default
/ip dhcp-server network
add address=192.168.15.0/24 comment="default configuration" dns-server=\
    8.8.8.8,8.8.4.4 gateway=192.168.15.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
/ip ipsec peer
add address=81.95.x.y/32 port=5000 secret=test
/ip ipsec policy
add dst-address=192.168.100.0/24 sa-dst-address=81.95.x.y sa-src-address=\
    81.82.146.151 src-address=192.168.15.0/24 tunnel=yes
/ip route
add distance=10 gateway=192.168.0.1
/ip service
set api disabled=yes

 
noib
Member Candidate
Posts: 291
Joined: Fri Jan 25, 2013 6:04 pm
Location: France

Re: Bridge not routing traffic to L2TP

Fri Jun 06, 2014 11:43 am

I think you are missing some routes:
On site 1: /route add dst=192.168.15.0/24 gateway=172.16.1.2
On site 2: /route add dst=192.168.100.0/24 gateway=172.16.1.1
Your "clients" behind the routers must also have those routes (if their default gateway isn't the local MikroTik device).
I don't see those routes in your script. Did you remove them?
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Bridge not routing traffic to L2TP

Fri Jun 06, 2014 12:09 pm

Firstly, I agree with noib about not seeing the routes.
Second, try adding these NAT rules on the two routers at the top position (before your masquerade rule kicks in):

ros code

#site1
/ip firewall nat
add chain=srcnat dst-address=192.168.15.0/24 src-address=192.168.100.0/24

#site2
/ip firewall nat
add chain=srcnat dst-address=192.168.100.0/24 src-address=192.168.15.0/24
This will prevent the routers from sending the VPN traffic through their default gateways.

-Chris
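As an added illustration (not part of this thread or of RouterOS), here is a small Python model of the home router's longest-prefix route lookup followed by first-match evaluation of the srcnat chain, using the addresses from the thread; the tunnel interface name `l2tp-out1` is an assumption.

```python
import ipaddress

# Constructed model of the home router (site 2) in this thread: longest-prefix
# route lookup, then first-match evaluation of the /ip firewall nat srcnat chain.
# Addresses come from the thread; "l2tp-out1" is an assumed tunnel interface name.

# (prefix, gateway, out-interface) as in the site 2 route print in the thread.
ROUTES_WITH_VPN = [
    ("0.0.0.0/0", "192.168.0.1", "ether1-gateway"),
    ("192.168.15.0/24", None, "bridge-local"),
    ("192.168.100.0/24", "172.16.1.1", "l2tp-out1"),  # static route via the tunnel
]
ROUTES_NO_VPN = ROUTES_WITH_VPN[:2]  # what the site 2 /ip export actually lists

def lookup_route(routes, dst):
    """Longest-prefix match as the router's FIB does; returns the out-interface."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, _gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def _match(value, pattern):
    """RouterOS-style address match with optional '!' negation; None matches all."""
    if pattern is None:
        return True
    negate = pattern.startswith("!")
    hit = ipaddress.ip_address(value) in ipaddress.ip_network(pattern.lstrip("!"))
    return hit != negate

def srcnat(rules, routes, src, dst):
    """Return (out-interface, action): the first matching srcnat rule wins."""
    iface = lookup_route(routes, dst)
    for r in rules:
        if (_match(src, r.get("src-address")) and _match(dst, r.get("dst-address"))
                and r.get("out-interface") in (None, iface)):
            return iface, r["action"]
    return iface, "accept"  # no rule matched: source address left unchanged

# Site 2's only NAT rule in the export: masquerade everything leaving the WAN port.
MASQ_ONLY = [{"action": "masquerade", "out-interface": "ether1-gateway"}]
# cdiedrich's suggestion: an accept (no-NAT) rule for site-to-site traffic on top.
ACCEPT_FIRST = [{"action": "accept", "src-address": "192.168.15.0/24",
                 "dst-address": "192.168.100.0/24"}] + MASQ_ONLY

if __name__ == "__main__":
    for routes in (ROUTES_WITH_VPN, ROUTES_NO_VPN):
        for rules in (MASQ_ONLY, ACCEPT_FIRST):
            print(len(routes), len(rules), srcnat(rules, routes, "192.168.15.130", "192.168.100.5"))
```

Running it shows that with the static route present the site-to-site packet already leaves via the tunnel and never reaches the masquerade rule, whereas without the route the accept rule only stops the NAT and the packet still exits through the default gateway.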
 
bibawa
newbie
Topic Author
Posts: 28
Joined: Mon Oct 29, 2012 11:25 pm

Re: Bridge not routing traffic to L2TP

Fri Jun 06, 2014 2:18 pm

The following routes are active on Site 1:

ros code

[admin@router] > /ip route print
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DIST
 0 A S  0.0.0.0/0                          192.168.0.1            
 1 ADC  172.16.1.1/32      172.16.1.2      VPN-HOME-DCO           
 2 ADC  192.168.0.0/24     192.168.0.200   ETH1                   
 3 ADC  192.168.15.0/24    192.168.15.1    bridge-local           
 4 A S  192.168.100.0/24                   172.16.1.1
On site 2:

ros code

Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          81.95.x.y             1
 2 ADC  81.95.x.y/26   81.95.x.y   Servers                   0
 3 ADC  172.16.1.2/32      172.16.1.1      <l2tp-VPN-DCO-H...        0
 4 ADC  185.18.x.y/32  185.18.x.y  Servers                   0
 5 A S  192.168.15.0/24                    172.16.1.2                1
 6 ADC  192.168.100.0/24   192.168.100.252 PRIVATE LAN               0
                                           vrrp-PRIVATE_LAN  
 7 ADC  192.168.100.107/32 81.95.x.y   <pptp-xenius>             0
I've added the 2 NAT rules as described but it isn't working. Helpless!
