
 
gipfelgoas
just joined
Topic Author
Posts: 12
Joined: Wed Aug 31, 2016 1:10 pm

L2TP+IPSec with LAN Access

Wed Oct 12, 2016 5:31 pm

Hello,
I wanted to configure something like this with L2TP+IPsec:
Image
/interface l2tp-server server set enabled=yes ipsec-secret=123 max-mru=1500 max-mtu=1500 mrru=1600 use-ipsec=yes
/ppp secret add local-address=192.168.0.1 name=123 password=123 profile=default-encryption remote-address=192.168.1.2 service=l2tp
/ip firewall address-list
add action=accept chain=input dst-port=500,4500,1701 log=yes protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input in-interface=l2tp-in1
Connecting a remote device worked. But I can't browse the internet or access things like 192.168.0.2.
Explained simply: I would like to have it configured as if it were physically attached to my router and part of my bridge 192.168.0.0/24.
Is this possible?
Thanks
 
Splash
Member Candidate
Posts: 151
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: L2TP+IPSec with LAN Access

Wed Oct 12, 2016 6:58 pm

You may need to update the L2TP profile you are using (profile=default-encryption in your case) and select the bridge you would like this client to be attached to, based on the below being part of the same network subnet.

Example:
/ppp profile
add bridge=VPN-Bridge comment="Default L2TP Profile" name=L2TP-profile
MTCNA, MTCRE, MTCINE, MTCTCE, MTCIPv6E, MTCUME
 
gipfelgoas
just joined
Topic Author
Posts: 12
Joined: Wed Aug 31, 2016 1:10 pm

Re: L2TP+IPSec with LAN Access

Thu Oct 13, 2016 6:35 pm

You may need to update the L2TP profile you are using (profile=default-encryption in your case) and select the bridge you would like this client to be attached to, based on the below being part of the same network subnet.

Example:
/ppp profile
add bridge=VPN-Bridge comment="Default L2TP Profile" name=L2TP-profile
Thanks, but it's still not working. I can't ping or access the LAN or WAN.
 
Splash
Member Candidate
Posts: 151
Joined: Fri Oct 16, 2015 10:09 am
Location: Johannesburg, South Africa

Re: L2TP+IPSec with LAN Access

Fri Oct 14, 2016 4:30 pm

To confirm:

1. You have a bridge created, e.g. bridge1
2. You have added the LAN port to this bridge (bridge1)
3. You have set "bridge1" in the Bridge setting of the active PPP profile
MTCNA, MTCRE, MTCINE, MTCTCE, MTCIPv6E, MTCUME
 
gipfelgoas
just joined
Topic Author
Posts: 12
Joined: Wed Aug 31, 2016 1:10 pm

Re: L2TP+IPSec with LAN Access

Fri Oct 14, 2016 5:12 pm

RB3011
PPPoE on eth1 (WAN)
Bridge LAN (eth2-10) 192.168.0.0/24, DHCP server
NAT to eth1
Some firewall rules
 
kujo
Member Candidate
Posts: 158
Joined: Sat Jun 18, 2016 10:17 am
Location: Ukraine

Re: L2TP+IPSec with LAN Access

Fri Oct 14, 2016 5:31 pm

You need a correct routing table and a correct firewall filter (not an address list). Export these two things. And your scheme is not displayed, please post it again))


Sent from my iPhone using Tapatalk
 
gipfelgoas
just joined
Topic Author
Posts: 12
Joined: Wed Aug 31, 2016 1:10 pm

Re: L2TP+IPSec with LAN Access

Fri Oct 14, 2016 6:25 pm

[admin@router.dh] > export
# oct/14/2016 17:17:28 by RouterOS 6.37.1
# 
/interface l2tp-server
add name=l2tp-in1 user=user1
/interface bridge
add name=bridge_lan
/interface ethernet
set [ find default-name=ether2 ] name=sw1-eth2-master
set [ find default-name=ether3 ] master-port=sw1-eth2-master name=sw1-eth3
set [ find default-name=ether4 ] master-port=sw1-eth2-master name=sw1-eth4
set [ find default-name=ether5 ] master-port=sw1-eth2-master name=sw1-eth5
set [ find default-name=ether6 ] name=sw2-eth6-master
set [ find default-name=ether7 ] master-port=sw2-eth6-master name=sw2-eth7
set [ find default-name=ether8 ] master-port=sw2-eth6-master name=sw2-eth8
set [ find default-name=ether9 ] master-port=sw2-eth6-master name=sw2-eth9
set [ find default-name=ether10 ] master-port=sw2-eth6-master name=sw2-eth10
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=ether1 name=Eolo_eth1 password=123 user=123

/ip pool
add name=dhcp_pool1 ranges=192.168.0.100-192.168.0.200
add name=L2TP-Pool ranges=192.168.0.201-192.168.0.250
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge_lan lease-time=1d12h10m name=192.168.0.0_dhcp-server
/ppp profile
set *0 use-encryption=no
add bridge=bridge_lan dns-server=192.168.0.1 local-address=192.168.0.1 name=L2TP remote-address=L2TP-Pool use-encryption=yes

/interface bridge port
add bridge=bridge_lan interface=sw1-eth2-master
add bridge=bridge_lan interface=sw2-eth6-master
/interface l2tp-server server
set default-profile=L2TP enabled=yes ipsec-secret=123 max-mru=1500 max-mtu=1500 mrru=1600 use-ipsec=yes

/ip address
add address=192.168.0.1/24 interface=bridge_lan network=192.168.0.0

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,81.91.162.5,8.8.4.4,208.67.222.222


/ip firewall filter
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=\
    30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=jump chain=forward comment="DDoS detection" connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=detect-ddos
add action=drop chain=forward comment="DDoS detection" connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=accept chain=input disabled=yes protocol=icmp
add action=accept chain=forward comment=PING dst-address=!192.168.0.0/24 in-interface=bridge_lan protocol=icmp
add action=accept chain=input comment="Accept established and related packets" connection-state=established,related
add action=accept chain=input comment="Accept all connections from local network" in-interface=bridge_lan
add action=accept chain=forward comment="Forward all established and related packets" connection-state=established,related
add action=accept chain=forward comment=\
    "Forward various ports 995 (POP3), 465, 25,587 SMTP, 8443 nperf.com,8000 OE3, 8080,110,5060 speedtest-pingtest, 5938 teamviewer" dst-address=\
    !192.168.0.0/24 dst-port=80,443,995,465,25,587,8443,389,8000,8081,53,8080,110,5060,5938 in-interface=bridge_lan protocol=tcp
add action=accept chain=forward comment="Forward various ports 123 (ntp), 3544,3074 Microsoft, 15252 mikrotik" dst-address=!192.168.0.0/24 dst-port=\
    123,3544,3074,389,53,1194,15252 in-interface=bridge_lan protocol=udp
add action=accept chain=forward comment=Torrent dst-address=!192.168.0.0/24 in-interface=bridge_lan protocol=udp src-port=57667,38517
add action=accept chain=forward comment="Oscam Samsung TV" dst-address=!192.168.0.0/24 dst-port=6500 in-interface=bridge_lan protocol=tcp
add action=accept chain=forward comment="forward my personal domain name xx.mydomain.com" dst-port=443,4000,4001,4002,4003,4004,4005\
    out-interface=bridge_lan protocol=tcp src-address=!192.168.0.0/24
add action=accept chain=forward comment="forward my personal domain name xx.mydomain.com" dst-address=192.168.0.0/24 dst-port=443,4000,4002,4003,4004,4001,4005,22 \
    in-interface=bridge_lan protocol=tcp
add action=accept chain=input comment=L2TP+IPsec dst-port=500,4500,1701 log=yes protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input log=yes
add action=drop chain=forward log=yes
/ip firewall mangle
add action=change-ttl chain=prerouting new-ttl=increment:1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Eolo_eth1
add action=masquerade chain=srcnat dst-address=192.168.0.0/24 src-address=192.168.0.0/24
add action=dst-nat chain=dstnat comment="WebAccess DS216+II" dst-address-type=local dst-port=443,4003 protocol=tcp to-addresses=192.168.0.192
/ip service
set telnet disabled=yes
set ftp address=192.168.0.200/32
set www disabled=yes port=4000
set ssh disabled=yes
set www-ssl certificate=home.dh disabled=no port=4001
set api-ssl certificate=home.dh

/ppp secret
add name=user1 password=123 profile=L2TP service=l2tp
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=router.dh

[admin@router.dh] > 
 
kujo
Member Candidate
Posts: 158
Joined: Sat Jun 18, 2016 10:17 am
Location: Ukraine

Re: L2TP+IPSec with LAN Access

Sat Oct 15, 2016 12:41 am

You don't need the second masquerade rule. Did you accept the option on the client to create a default route to the L2TP server? Remove the L2TP interface from the bridge (the option in the PPP profile), change the network for the L2TP server and clients to something like 192.168.1.0/24 (l2tp-pool), and add an accept forward filter rule where the incoming interface is l2tp-in1.


Sent from my iPhone using Tapatalk
 
gipfelgoas
just joined
Topic Author
Posts: 12
Joined: Wed Aug 31, 2016 1:10 pm

Re: L2TP+IPSec with LAN Access

Sat Oct 15, 2016 10:38 am

You don't need the second masquerade rule. Did you accept the option on the client to create a default route to the L2TP server? Remove the L2TP interface from the bridge (the option in the PPP profile), change the network for the L2TP server and clients to something like 192.168.1.0/24 (l2tp-pool), and add an accept forward filter rule where the incoming interface is l2tp-in1.


Sent from my iPhone using Tapatalk
For the second masquerade rule, read here: http://forum.mikrotik.com/viewtopic.php ... 78#p557378
On the client I can't configure the default route option... they are mobile phones...

Added
/ip firewall filter 
add chain=forward action=accept in-interface=l2tp-in1 log=yes log-prefix="forward rule" 
add chain=input action=accept in-interface=l2tp-in1 log=yes log-prefix="forward rule" 

/ppp profile
add name="L2TP" local-address=L2TP-Pool remote-address=L2TP-Pool use-mpls=default use-compression=default use-encryption=yes only-one=default change-tcp-mss=default use-upnp=default address-list="" on-up="" on-down=""

/ip pool
add name=L2TP-Pool ranges=192.168.1.201-192.168.1.250

still not working
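To see what the forward chain does with the VPN client's packets, here is an added Python example (not RouterOS code and not from this thread). It parses a constructed, cut-down copy of the `/ip firewall filter` rules from the export above and reports the first rule a packet hits, then shows that the accept rule for l2tp-in1 changes nothing when it lands after the terminal `drop chain=forward` rule (which is where a plain `add` appends it) and works when placed before it. The matcher set is deliberately limited to in-interface, protocol, connection-state and dst-port.

```python
import re

# Constructed sample: a cut-down copy of the forward rules from the export in this thread.
EXPORT = r"""
/ip firewall filter
add action=accept chain=forward comment="Forward all established and related packets" connection-state=established,related
add action=accept chain=forward comment="Forward various ports" dst-port=\
    80,443,995 in-interface=bridge_lan protocol=tcp
add action=drop chain=forward log=yes
"""
L2TP_ACCEPT = "add action=accept chain=forward comment=L2TP in-interface=l2tp-in1"
DROP_FWD = "add action=drop chain=forward log=yes"
MATCHERS = {"in-interface", "protocol", "connection-state", "dst-port"}
IGNORED = {"action", "chain", "comment", "log", "log-prefix"}

def add_rule(export, rule, place_before=None):
    """Mimic RouterOS: 'add' appends to the end of the chain unless place-before is given."""
    if place_before is None:
        return export.rstrip("\n") + "\n" + rule + "\n"
    return export.replace(place_before, rule + "\n" + place_before)

def parse_rules(text):
    """Join '\' continuation lines, then split each 'add' line into key=value pairs."""
    rules = []
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        if line.startswith("add "):
            rule = {k: v.strip('"') for k, v in re.findall(r'(\S+?)=("[^"]*"|\S+)', line[4:])}
            unknown = set(rule) - MATCHERS - IGNORED
            if unknown:  # refuse to guess at matchers this toy does not model
                raise ValueError(f"unsupported matcher(s) {unknown} in: {line}")
            rules.append(rule)
    return rules

def matches(rule, pkt):
    """True if every matcher present in the rule agrees with the packet description."""
    if rule["chain"] != pkt["chain"]:
        return False
    for key in ("in-interface", "protocol"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("connection-state", "dst-port"):  # comma-separated lists in RouterOS
        if key in rule and str(pkt.get(key)) not in rule[key].split(","):
            return False
    return True

def first_match(rules, pkt):
    """RouterOS walks a chain top-down; the first matching rule decides the packet's fate."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"], rule.get("comment", "")
    return "accept", "no rule matched (implicit accept)"
```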
 
kujo
Member Candidate
Posts: 158
Joined: Sat Jun 18, 2016 10:17 am
Location: Ukraine

Re: L2TP+IPSec with LAN Access

Sat Oct 15, 2016 11:04 am

Did you change the L2TP server address to 192.168.1.1?


Sent from my iPhone using Tapatalk
 
kujo
Member Candidate
Posts: 158
Joined: Sat Jun 18, 2016 10:17 am
Location: Ukraine

L2TP+IPSec with LAN Access

Sat Oct 15, 2016 12:23 pm

Maybe some log export can help? A traceroute from the L2TP client? The routing table from the router and from the warrior?
