flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

L2TP to remote office

Sun Aug 19, 2018 2:04 pm

I set up an L2TP VPN on a MikroTik LTE device to access my office router's LAN.
The tunnel is established and I can ping both sides of the tunnel and reach the office router via the LTE device.

I want to be able to use the office connection as the main internet connection for the MikroTik LTE device, i.e. send all traffic from the LTE device down the tunnel to the office connection.

LTE Config
Local Network = 192.168.1.0/24

/ip firewall filter
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" dst-port=500,1701,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=lte1
add distance=1 dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=PPTP
add distance=1 dst-address=172.168.1.1 gateway=l2tp-out1 routing-mark=PPTP

/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=PPTP passthrough=yes src-address=192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=lte1
add action=masquerade chain=srcnat disabled=yes out-interface=l2tp-out1

/ip dns
set allow-remote-requests=yes


Office Mikrotik Router
Local Network = 192.168.0.0/24

/ip firewall filter
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" dst-port=500,1701,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
add action=masquerade chain=srcnat src-address=172.168.1.0/24

/interface l2tp-server server
set default-profile=default enabled=yes keepalive-timeout=60 max-mru=1460 max-mtu=1460
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default enabled=yes
/interface l2tp-server
add name=l2tp-in1 user=test
/ppp secret
add name=test password=1234 service=l2tp
/ppp profile
set *0 change-tcp-mss=default local-address=172.168.1.1 remote-address=vpn-l2tp
set *FFFFFFFE use-encryption=required

/ip pool
add name=vpn ranges=172.168.1.10-172.168.1.254

/ip dns
set allow-remote-requests=yes
/ip dns static
add address=8.8.8.8 name=dns1
add address=8.8.4.4 name=dns2

/ip route
add comment="WAN" dst-address=0.0.0.0/0 distance=1 gateway=WAN
add distance=1 dst-address=192.168.0.0/24 gateway=WAN pref-src=192.168.0.129 <<< local IP of the office router, which sits behind the main ISP router; the VPN ports are opened on the ISP router
add distance=1 dst-address=172.168.1.251 gateway=l2tp-in1 pref-src=172.168.1.1 <<< this route is dynamic, not static; 172.168.1.251 is the remote LTE router



Routing-mark on LTE device
LTE routing mark is PPTP

Routing-mark on Office,
Office routing mark is VpnRoute


Troubleshooting

I have no internet on LTE device when mangle rule is enabled.
I can see DNS populating on the LTE device when trying to access a website.
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: L2TP to remote office

Sun Aug 19, 2018 8:54 pm

I can see the traffic going out the L2TP gateway with torch when the mangle rule is enabled on the LTE device.
In the remote office router's DNS cache I can see the LTE device's requests.

Anyone have any input as to how I can get this working?
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: L2TP to remote office

Mon Aug 20, 2018 1:40 pm

I can winbox into both routers from each end, Remote office side and LTE side.
When I enable the mangle rule on the LTE device the only thing that I can't do is browse a website or ping 8.8.8.8 from the LAN PC.
Winbox still works from each side
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: L2TP to remote office

Tue Aug 21, 2018 7:36 pm

Is it possible to do this? I must be missing something.
 
bramwittendorp
Frequent Visitor
Posts: 97
Joined: Thu Jun 16, 2016 3:48 pm
Location: The Netherlands

Re: L2TP to remote office

Tue Aug 21, 2018 8:36 pm

Hi,

You're correct, there is an issue with the following route on the LTE device:
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=PPTP
Instead of specifying the gateway interface (l2tp-out1) you'll need to specify the IP address of the RB on the other end of the tunnel (from your configuration I've no idea which it should be).

From the Wiki-page (https://wiki.mikrotik.com/wiki/Manual:I ... _a_gateway)
  • Unlike connected routes, routes with interface nexthops are not used for nexthop lookup.
So the traffic will not be forwarded any further than the router on the other end of the tunnel
Bram - MikroTik enthusiast - MTCNA / MTCRE / MTCWE / MTCIPv6E
Don't be shy, share your /export hide-sensitive and make sure to read this.
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: L2TP to remote office

Tue Aug 21, 2018 9:28 pm

Hi Bram,

LTE Device Route
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=172.168.1.1 routing-mark=PPTP
(the gateway 172.168.1.1 shows as reachable via l2tp-out1)

172.168.1.1 is the address of the remote office MikroTik device; it's the private address of the device.
 
bramwittendorp
Frequent Visitor
Posts: 97
Joined: Thu Jun 16, 2016 3:48 pm
Location: The Netherlands

Re: L2TP to remote office

Tue Aug 21, 2018 10:38 pm

That should be it I think, does it work?
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: L2TP to remote office

Tue Aug 21, 2018 11:00 pm

I can see the DNS populating in the remote office router's cache but the websites won't load. I have remote requests turned on for both routers, and the DNS on the LTE is 172.168.1.1, which is the private IP of the remote office router.
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: L2TP to remote office

Wed Aug 22, 2018 12:28 pm

I can reach all devices on the remote office network. I want the LTE device to have its public IP address cloaked as the office network public IP and use the office router as the main gateway for all internet traffic
 
cdiedrich
Forum Veteran
Posts: 926
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: L2TP to remote office

Wed Aug 22, 2018 2:17 pm

Look at the srcnat rules in your office router. It's probably configured to (srcnat | masquerade) the office address pool only.
And as a side note: 172.168.1.1 is not in the IANA private address space 172.16.0.0/12, which ends at 172.32.255.255.

-Chris
Christopher Diedrich
MTCNA, MTCUME, MTCWE
Basel, Switzerland
Bremen, Germany

There are 10 types of people: Those who understand binary and those who don't.
There are two types of people: Those who can extrapolate from incomplete data
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: L2TP to remote office

Wed Aug 22, 2018 2:58 pm

Hi Chris,

Remote office router NAT

/ip firewall nat
add chain=srcnat src-address=172.168.1.0/24 action=masquerade

New below:

I modified the pool to 172.16.0.0/12

/ip firewall nat
add chain=srcnat src-address=172.16.0.0/12 action=masquerade
 
cdiedrich
Forum Veteran
Posts: 926
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: L2TP to remote office

Wed Aug 22, 2018 3:16 pm

Makes sense now.
But I just read your first post again where you were talking about 192.168.1.0/24 and 192.168.0.0/24 networks.
Whichever networks you are currently running - make sure the remote network range is covered in your office router's srcnat rules.

-Chris
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: L2TP to remote office

Wed Aug 22, 2018 8:42 pm

Still no luck with the nat rules. When I enable mangle on the LTE device for the private network, I cannot access websites but I can see dns requests populating on the office router
 
cdiedrich
Forum Veteran
Posts: 926
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: L2TP to remote office

Wed Aug 22, 2018 10:44 pm

I'd say it'll be the best support for us to help when you post a compact export of both routers.
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: L2TP to remote office

Thu Aug 23, 2018 12:01 am

LTE Device
Office Public IP = X.X.X.X

/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
/ip neighbor discovery
set lte1 discover=no
/interface list
add name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=none
add enc-algorithms=3des name=wifi pfs-group=none

/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.254

/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether1 name=defconf

/ppp profile
set *0 change-tcp-mss=default
set *FFFFFFFE change-tcp-mss=default use-encryption=default

/interface l2tp-client
add connect-to=X.X.X.X disabled=no ipsec-secret=wifi max-mru=1460 \
max-mtu=1460 name=l2tp-out1 password=1234 profile=default user=test

/ip settings
set rp-filter=strict tcp-syncookies=yes

/interface list member
add interface=ether1 list=discover
add interface=ether1 list=mactel
add interface=ether1 list=mac-winbox

/ip address
add address=192.168.1.1/24 comment=defconf interface=ether1 network=\
192.168.1.0
/ip cloud
set ddns-enabled=yes

/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1

/ip dns
set allow-remote-requests=yes servers=172.16.0.1

/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow WinBox" dst-port=8291 protocol=\
tcp
add action=accept chain=input comment="Allow WinBox API" dst-port=8728 \
protocol=tcp
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" protocol=\
ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" \
dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=accept chain=input comment="Allow local network" src-address=\
192.168.1.0/24
add action=accept chain=input comment="Allow DNS for trusted network" \
dst-port=53 protocol=udp src-address=192.168.1.0/24
add action=accept chain=input comment="Allow DNS for trusted network" \
dst-port=53 protocol=tcp src-address=192.168.1.0/24
add action=drop chain=input comment="defconf: drop all from WAN" \
in-interface=lte1
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=lte1
add action=drop chain=input connection-state=new dst-port=53 in-interface=\
lte1 protocol=udp
add action=drop chain=input connection-state=new dst-port=53 in-interface=\
lte1 protocol=tcp

/ip firewall mangle
add action=change-mss chain=forward disabled=yes new-mss=1400 out-interface=\
l2tp-out1 passthrough=yes protocol=tcp tcp-flags=syn
add action=mark-routing chain=prerouting new-routing-mark=PPTP passthrough=\
yes src-address=192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=l2tp-out1 \
src-address=172.16.0.0/12
add action=masquerade chain=srcnat out-interface=lte1
/ip firewall service-port
set h323 disabled=yes
set sip disabled=yes


/ip route
add disabled=yes distance=1 gateway=172.16.0.1 routing-mark=PPTP
add distance=1 gateway=lte1
add distance=1 dst-address=172.16.0.0/12 gateway=172.16.0.1
add distance=1 dst-address=172.168.1.0/24 gateway=172.16.0.1
add distance=1 dst-address=192.168.0.0/24 gateway=172.16.0.1
add distance=1 dst-address=192.168.0.1/32 gateway=172.16.0.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes


CRS Office

/interface bridge
add name=Wlan
/interface ethernet
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] arp=proxy-arp
set [ find default-name=ether4 ] disabled=yes master-port=ether3
set [ find default-name=ether5 ]
set [ find default-name=ether7 ] master-port=ether1
set [ find default-name=ether9 ] master-port=ether1
set [ find default-name=ether15 ] master-port=ether1
set [ find default-name=ether16 ] comment="Tom Network 16"
set [ find default-name=ether17 ] master-port=ether1
set [ find default-name=ether18 ] master-port=ether1
set [ find default-name=ether19 ] master-port=ether1
set [ find default-name=ether20 ] master-port=ether1
set [ find default-name=ether21 ] master-port=ether1
set [ find default-name=ether22 ] master-port=ether1
set [ find default-name=ether23 ] master-port=ether1
set [ find default-name=ether24 ] master-port=ether1
set [ find default-name=sfp1 ] master-port=ether1
/interface l2tp-server
add name=l2tp-in1 user=test
/ip pool
add name=vpn-l2tp ranges=172.16.0.2-172.32.255.255
/ppp profile
set *0 change-tcp-mss=default local-address=172.16.0.1 remote-address=\
vpn-l2tp
set *FFFFFFFE use-encryption=required
/ip settings
set rp-filter=strict tcp-syncookies=yes
/interface l2tp-server server
set default-profile=default enabled=yes keepalive-timeout=60 max-mru=1460 max-mtu=1460
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default enabled=\
yes
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes servers=172.16.0.1
/ip dns static
add address=8.8.8.8 name=dns1
add address=8.8.4.4 name=dns2
/ip firewall filter
add action=accept chain=input comment="VPN L2TP UDP 500" dst-port=500 \
protocol=udp
add action=accept chain=input comment="VPN L2TP 4500" dst-port=4500 protocol=\
udp
add action=accept chain=input comment="VPN L2TP UDP 1701" dst-port=1701 \
protocol=udp
add action=accept chain=input comment="VPN L2TP UDP 1701" dst-port=1723 \
protocol=udp
add action=accept chain=input comment="VPN L2TP ESP" protocol=ipsec-esp
add action=accept chain=input comment="VPN L2TP AH" protocol=ipsec-ah
add action=accept chain=input protocol=gre
add action=accept chain=input comment="Established, Related" \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=accept chain=input comment="Accept DNS - UDP" dst-port=53 \
protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" dst-port=53 \
protocol=tcp
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"Drop incoming from internet which is not public IP" in-interface=Wlan \
log-prefix=!public src-address-list=not_in_internet
/ip firewall nat
add action=masquerade chain=srcnat src-address=172.16.0.0/12
add action=masquerade chain=srcnat out-interface=Wlan
/ip firewall service-port
set sip disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ppp secret
add name=test password=1234 service=l2tp
/system identity
set name=Office
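Added example (editor's, not from this thread): Chris's earlier note that 172.168.1.1 lies outside the IANA private space, and the pool `172.16.0.2-172.32.255.255` in this export paired with the srcnat rule `src-address=172.16.0.0/12`, both come down to a range check that Python's `ipaddress` module does exactly. The script below reports which RFC 1918 block an address belongs to, prints the upper bound of `172.16.0.0/12`, and counts how many pool addresses a `src-address=` rule would never match. All addresses are taken from the configurations posted in this thread; the function names are my own.

```python
"""Address-range checks for the tunnel pool and srcnat rules shown in this thread."""
import ipaddress

# RFC 1918 private blocks as reserved by IANA.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def private_block(addr):
    """Return the RFC 1918 block that contains addr, or None if addr is not private."""
    ip = ipaddress.ip_address(addr)
    for net in RFC1918:
        if ip in net:
            return net
    return None


def block_bounds(cidr):
    """First and last address of a CIDR block, as strings."""
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


def rule_matches(addr, rule_cidr):
    """Would a firewall rule with src-address=rule_cidr match a packet from addr?"""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(rule_cidr)


def _parse_pool(pool_range):
    """Parse a RouterOS-style pool range 'first-last' into two addresses."""
    lo_s, hi_s = pool_range.split("-")
    lo, hi = ipaddress.ip_address(lo_s), ipaddress.ip_address(hi_s)
    if lo > hi:
        raise ValueError(f"pool range {pool_range!r} is inverted")
    return lo, hi


def uncovered_addresses(pool_range, rule_cidr):
    """Count pool addresses that a src-address=rule_cidr rule would never match.

    The pool is split into CIDR blocks so large ranges are handled without
    iterating over individual hosts; two CIDR blocks are either nested or
    disjoint, which makes the per-block arithmetic exact."""
    lo, hi = _parse_pool(pool_range)
    rule = ipaddress.ip_network(rule_cidr)
    missed = 0
    for block in ipaddress.summarize_address_range(lo, hi):
        if block.subnet_of(rule):
            continue                                            # fully covered
        if rule.subnet_of(block):
            missed += block.num_addresses - rule.num_addresses  # block larger than the rule
        else:
            missed += block.num_addresses                       # disjoint from the rule
    return missed


def pool_covered_by(pool_range, rule_cidr):
    """True when every pool address would be matched by the srcnat rule."""
    return uncovered_addresses(pool_range, rule_cidr) == 0


def pool_is_private(pool_range):
    """True when the whole pool lies inside a single RFC 1918 block."""
    lo, hi = _parse_pool(pool_range)
    return any(lo in net and hi in net for net in RFC1918)


if __name__ == "__main__":
    # Values taken from the configurations posted in this thread.
    for addr in ("172.168.1.1", "172.16.0.1", "172.32.255.247"):
        print(f"{addr:16} private block: {private_block(addr)}")
    print("172.16.0.0/12 spans", *block_bounds("172.16.0.0/12"))
    pool, rule = "172.16.0.2-172.32.255.255", "172.16.0.0/12"
    print(f"pool {pool} private: {pool_is_private(pool)}")
    print(f"addresses missed by src-address={rule}: {uncovered_addresses(pool, rule)}")
```

Running it shows that the pool overruns the /12 by one /16, so a client that draws an address such as 172.32.255.247 from the top of the pool is masqueraded only by the `out-interface=Wlan` rule, never by the `src-address=172.16.0.0/12` one. Ending the pool at 172.31.255.254, or relying on the out-interface rule alone as Chris suggests later, closes that gap.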
 
cdiedrich
Forum Veteran
Posts: 926
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: L2TP to remote office

Thu Aug 23, 2018 10:49 am

In the office router I'm missing a route for the remote network.
Your default masq rule there is already good, you can delete the dedicated one for the remote network.
Your main office DNS config does not make sense.

Both exports are missing ppp profile and ppp secrets.

-Chris
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: L2TP to remote office

Thu Aug 23, 2018 11:22 am

Office Router

DNS
/ip dns print
servers: 172.16.0.1
dynamic-servers: 89.101.160.5,89.101.160.4
allow-remote-requests: yes
max-udp-packet-size: 4096
query-server-timeout: 2s
query-total-timeout: 10s
max-concurrent-queries: 100
max-concurrent-tcp-sessions: 20
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 45KiB

/ip firewall nat print
chain=srcnat action=masquerade out-interface=Wlan log=no log-prefix=""

/ip route print
 #       DST-ADDRESS          PREF-SRC         GATEWAY         DISTANCE
 0 ADS   0.0.0.0/0                             192.168.0.1            1
 1 ADC   172.32.255.247/32    172.16.0.1       l2tp-in1               0   <<< dynamic L2TP
 2 ADC   192.168.0.0/24       192.168.0.129    Wlan                   0
 3 A S   192.168.1.0/24                        l2tp-in1               1   <<< added LTE remote network, reachable via 192.168.1.1 (winbox)

/ppp profile
set *0 change-tcp-mss=default local-address=172.16.0.1 remote-address=vpn-l2tp
set *FFFFFFFE use-encryption=required
/ppp secret
add name=test password=1234 service=l2tp

/ip pool print
 #   NAME       RANGES
 0   vpn-l2tp   172.16.0.2-172.32.255.255
 
bramwittendorp
Frequent Visitor
Posts: 97
Joined: Thu Jun 16, 2016 3:48 pm
Location: The Netherlands

Re: L2TP to remote office

Fri Aug 24, 2018 8:24 am

For the PPP-secret, I use the following configuration on the Main-router:
/ppp secret 
add local-address=192.168.100.6 name=map_bram remote-address=10.9.5.1 routes=10.9.5.0/24 service=pptp
This takes care of the whole site-to-site VPN tunnel for me. On the remote end it will use the IP address I set up for my RouterBoard; on the local end it also uses the IP of the RouterBoard. When the tunnel is active the route to the remote network 10.9.5.0/24 gets added automatically.

Maybe you could use a similar configuration, because the main disadvantage of your current setup is that you're not sure the remote end always gets the same IP address, so it's difficult to configure the route to the remote network. In this case it will be done automatically, and even if you have more VPN tunnels in the future this could work; I have 3 site-to-site tunnels this way.
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: L2TP to remote office

Fri Aug 24, 2018 1:38 pm

Hi Bram,

What kind of dns settings do you use?

/ppp secret print
Flags: X - disabled
 #   NAME   SERVICE   CALLER-ID   PASSWORD   PROFILE   REMOTE-ADDRESS   LOCAL-ADDRESS   ROUTES
 0   test   l2tp                  1234       default   172.16.0.10      172.16.0.1      172.16.0.0/12

LTE reachable now via 172.16.0.10
LTE local network 192.168.1.0/24

Office reachable now via 172.16.0.1
Office local network 192.168.0.0/24 reachable via LTE network
Office main internet router 192.168.0.1 reachable via LTE network
All devices are reachable via the LTE network

Once mangle rule on LTE device is active, I cannot access any website but I can still reach the office network

ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=mark-routing new-routing-mark=PPTP passthrough=yes
src-address=192.168.1.0/24 log=no log-prefix=""
 
bramwittendorp
Frequent Visitor
Posts: 97
Joined: Thu Jun 16, 2016 3:48 pm
Location: The Netherlands

Re: L2TP to remote office

Fri Aug 24, 2018 2:54 pm

Why are you using Mangle anyway?
I want to be able to use the office connection as the main internet connect for the mikrotik LTE device, send all traffic from the LTE down the tunnel to the office connection.
You want to send all traffic through the VPN-tunnel am I right?

It seems to me that you have build an overly complex set-up, which is also hard to troubleshoot. I followed the documentation on the Wiki: https://wiki.mikrotik.com/wiki/Manual:I ... -Site_L2TP.


My setup


Office
/ppp secret 
add local-address=192.168.100.6 name=map_bram remote-address=10.9.5.1 routes=10.9.5.0/24 service=pptp

/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=ISP Gateway IP
My DNS-setup isn't really relevant. It just works, but in my case I have two Windows AD-DNS-servers providing the DNS-services.

Remote end

On the remote end I've created the VPN tunnel as a client, making sure the add default route option is checked:
/interface pptp-client
add add-default-route=yes connect-to=<office router Public IP> name= profile=default user=map_bram
This will add all necessary routes for your connection and will send all traffic through the VPN tunnel.
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: L2TP to remote office

Fri Aug 24, 2018 3:17 pm

A strange thing happens when I try to use "add default route" on the PPP dial-out.
The office public IP is added to the IP routes but is unreachable.
It adds a route with dst-address x.x.x.x and gateway x.x.x.x, which is unreachable, so the public IP is being used as both the dst-address and the gateway by default.
 
bramwittendorp
Frequent Visitor
Posts: 97
Joined: Thu Jun 16, 2016 3:48 pm
Location: The Netherlands

Re: L2TP to remote office

Fri Aug 24, 2018 3:51 pm

On the DHCP client of my WAN interface (not sure if you can set it on an LTE device) I changed the default route distance to 10. That way the default route that gets added through the VPN connection will always become the more preferred one.

My routing table with active VPN looks like this:

2 ADS 0.0.0.0/0 VPN-Tunnel 1
3 DS 0.0.0.0/0 192.168.178.1 10

So that's a contradiction to my earlier post:
Hi,

You're correct, there is an issue with the following route on the LTE device:
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=PPTP
Instead of specifying the gateway interface (l2tp-out1) you'll need to specify the IP address of the RB on the other end of the tunnel (from your configuration I've no idea which it should be).

From the Wiki-page (https://wiki.mikrotik.com/wiki/Manual:I ... _a_gateway)
  • Unlike connected routes, routes with interface nexthops are not used for nexthop lookup.
So the traffic will not be forwarded any further than the router on the other end of the tunnel
Personally I'm having a hard time understanding the questions you have and verifying your configuration to troubleshoot it. From my point-of-view you made an overcomplicated set-up, but a drawing of what you wanna do might give me a better angle. Could you provide one?
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: L2TP to remote office

Fri Aug 24, 2018 7:34 pm

see image
 
bramwittendorp
Frequent Visitor
Posts: 97
Joined: Thu Jun 16, 2016 3:48 pm
Location: The Netherlands

Re: L2TP to remote office

Sat Aug 25, 2018 5:54 pm

Hi Flynno,

Thanks for the reply, the drawing you made shines a better light on your case and what you're trying to do.

I'm under the impression you followed some tutorials online to set things up. From my point-of-view it looks crazy difficult.

Based on the drawing, and my experience I have given you the piece of code that should do the trick, if you can: factory reset the device and start from scratch, because adding new things to your configuration could cause weird issues.

Also follow the suggestions on the Wiki-page, https://wiki.mikrotik.com/wiki/Manual:I ... -Site_L2TP.
 
mducharme
Trainer
Posts: 871
Joined: Tue Jul 19, 2016 6:45 pm

Re: L2TP to remote office

Sun Aug 26, 2018 2:45 am

Also follow the suggestions on the Wiki-page, https://wiki.mikrotik.com/wiki/Manual:I ... -Site_L2TP.
+1, I agree, it looks like he has used a configuration that was really meant for a public VPN service -- no need even for the mangle rule as long as there is a way to avoid recursive routing.
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: L2TP to remote office

Sun Aug 26, 2018 12:34 pm

The issue I'm having is that LTE device is using its own public IP instead of the public IP of the remote office when browsing the internet.
When I visit whatsmyip.net when the vpn is active on the LTE device, the IP is not the IP of the remote office.

When 0.0.0.0/0 via the L2TP gateway, or 0.0.0.0/0 via 172.16.0.1 (reachable via L2TP), is active, I have internet but cannot view any websites; I am only able to reach the office devices.

172.16.0.1 >> Mikrotik Office Device
172.16.0.2 >> Mikrotik LTE Device

192.168.0.0/24 >> Mikrotik Office Device
192.168.1.0/24 >> Mikrotik LTE Device

Mangle rules are disabled
Nat rules masquerade on WAN
 
mducharme
Trainer
Posts: 871
Joined: Tue Jul 19, 2016 6:45 pm

Re: L2TP to remote office

Sun Aug 26, 2018 8:50 pm

OK, so now add a single static route on the LTE router, dst. address the static public IP of the office router, gateway is lte interface

Then, go into your L2TP client settings and check "add default route"

You may have to increase the distance of an existing default route on the lte router for the L2TP one to become active
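Added example (editor's, not from this thread or from mducharme): a small Python model of the route selection behind those three steps. It implements longest-prefix match with distance as the tie-breaker, recursive resolution of address nexthops, and a routing-mark table that falls back to main; this is a simplification of RouterOS behaviour, not its implementation. 203.0.113.10 is a constructed stand-in for the office's public IP (X.X.X.X in the thread); interface names and addresses otherwise follow the exports posted above. `tunnel_recurses` is the check a defender wants here: whether the tunnel's own encapsulated packets would be routed into the tunnel, which is the recursive-routing trap that makes a tunnel default route flap.

```python
"""Toy model of route selection on the LTE router in this thread: longest prefix
match, distance as tie-breaker, recursive nexthops, routing marks, and the
recursive-routing trap that a default route through a tunnel creates."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed stand-in for the office's public IP, which the thread shows as X.X.X.X.
OFFICE_PUBLIC = "203.0.113.10"


@dataclass(frozen=True)
class Route:
    dst: ipaddress.IPv4Network
    gateway: str                 # nexthop address (looked up again) or an interface name
    distance: int = 1
    mark: Optional[str] = None   # routing-mark; None is the main table

    def via_interface(self) -> bool:
        """True when the gateway names an interface rather than an address."""
        try:
            ipaddress.IPv4Address(self.gateway)
        except ValueError:
            return True
        return False


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, dst: str, gateway: str, distance: int = 1, mark: Optional[str] = None) -> None:
        self.routes.append(Route(ipaddress.ip_network(dst), gateway, distance, mark))

    def lookup(self, dst: str, mark: Optional[str] = None) -> Optional[Route]:
        """Longest prefix wins; equal prefixes are decided by the lowest distance.
        A marked lookup that matches nothing falls back to the main table."""
        ip = ipaddress.ip_address(dst)
        for table in ([mark, None] if mark else [None]):
            hits = [r for r in self.routes if r.mark == table and ip in r.dst]
            if hits:
                return max(hits, key=lambda r: (r.dst.prefixlen, -r.distance))
        return None

    def egress(self, dst: str, mark: Optional[str] = None, _depth: int = 0) -> Optional[str]:
        """Follow address nexthops until an interface is reached."""
        if _depth > 16:
            raise RecursionError(f"nexthop for {dst} never resolves to an interface")
        route = self.lookup(dst, mark)
        if route is None:
            return None
        if route.via_interface():
            return route.gateway
        return self.egress(route.gateway, None, _depth + 1)  # nexthops resolve in main


def tunnel_recurses(table: RoutingTable, tunnel_if: str, endpoint: str) -> bool:
    """The tunnel's own encapsulated packets must not be routed into the tunnel."""
    return table.egress(endpoint) == tunnel_if


def lte_router(default_via_tunnel: bool, host_route_to_office: bool, use_mark: bool) -> RoutingTable:
    """Build the LTE router's table in the three variants discussed in the thread."""
    t = RoutingTable()
    t.add("0.0.0.0/0", "lte1", distance=10)   # LTE default, raised so a tunnel default can win
    t.add("172.16.0.1/32", "l2tp-out1")       # connected: office end of the tunnel
    t.add("192.168.0.0/24", "172.16.0.1")     # office LAN, resolved through the nexthop above
    if host_route_to_office:
        t.add(f"{OFFICE_PUBLIC}/32", "lte1")  # pin the tunnel endpoint to the LTE uplink
    if default_via_tunnel:
        t.add("0.0.0.0/0", "l2tp-out1")       # what add-default-route installs
    if use_mark:
        t.add("0.0.0.0/0", "172.16.0.1", mark="PPTP")  # OP's mark-routing variant
    return t


if __name__ == "__main__":
    for name, table in (("tunnel default only", lte_router(True, False, False)),
                        ("plus host route", lte_router(True, True, False)),
                        ("routing-mark", lte_router(False, False, True))):
        print(f"{name:20} office endpoint via {table.egress(OFFICE_PUBLIC)}, "
              f"8.8.8.8 via {table.egress('8.8.8.8', 'PPTP')}, "
              f"recursive: {tunnel_recurses(table, 'l2tp-out1', OFFICE_PUBLIC)}")
```

The three variants show why the host route matters: with only the tunnel default installed, the office endpoint itself resolves to `l2tp-out1` and the tunnel would try to carry its own outer packets; pinning the office public IP as a /32 via `lte1` fixes that while 8.8.8.8 still leaves through the tunnel; and the OP's mark-routing variant avoids recursion for a different reason, because the router's own L2TP packets carry no mark and so use the main table.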
 
flynno
Member Candidate
Topic Author
Posts: 241
Joined: Wed Aug 27, 2014 8:11 pm

Re: L2TP to remote office

Sun Aug 26, 2018 10:07 pm

OK, not sure if it's a bug, but when I check "add default route" it auto-adds a route with the office public IP into the route list as dst-address x.x.x.x and gateway x.x.x.x,
and it is unreachable.
I have to add a static route 0.0.0.0/0 gateway=l2tp-out1, which is reachable; now the VPN is working correctly.

The LTE device is SXT LTE, not the new sxt lte kit running mipsbe version bugfix 6.40.8
