You must first have 'Input' 'rules, then' Output 'and' Forward '.

... Finally, "drop All" 'forward' is specified. Agree?

• either the RouterOS evaluates all the rules top to bottom, which means that "forward rule 3" is evaluated as the 5th one in both cases, so where exactly the two input rules were located among the previous four rules has no effect to the throughput,
• or the RouterOS actually converts the configuration into internal lists of rules which are built separately for each chain, and in such case the forward rule 3 is always evaluated as the 3rd one because, for a packet coming from outside the RB and routed outside the RB again, the rule evaluation starts from forward rule 1 and the input rules are not evaluated at all for that packet, so again the position of the two input rules in the configuration script has no effect on the throughput.

• make sure that ssh service is enabled on a test RouterBoard and that you can connect to it from your PC.
• next, disconnect that RouterBoard from internet to stay secure and configure its firewall with only the two following rules (just disable the rest for a moment):
  Code: Select all

  /ip firewall filter
  add chain=input dst-address=LAN-IP-of-the-RB dst-port=80 action=accept
  add chain=forward action=drop
  

• despite the "drop everything" rule in the forward chain - because packets to RB's own addresses are not handled by "forward" chain, only by "input", and
• despite the fact that ssh listens at port 22 while you have only accepted packets to port 80 in the "input" chain - because packets not matching to any rule in their chain are accepted by default.

Can't do because you don't know how to do that from Winbox or can't do because it is administratively prohibited?

Whatever, the configuration export you've provided earlier contains a static peer configuration with "address=0.0.0.0/0". The L2TP server with IPsec set to "yes" or "required" (the latter should be used to prevent L2TP connections without IPsec from being set up unless you really want to support them too) creates a dynamic peer configuration with all the necessary settings for L2TP over IPsec mode and also with "address=0.0.0.0/0" setting.

Now as the statically configured peer is the first one in the list, it is used to handle the incoming requests from unknown-in-advance IP addresses rather than the dynamically configured one, because among all peers whose "address" parameter matches the source IP of the request, the one with longest mask is chosen; if the mask length is the same for several peers, their order decides.

So please disable the statically configured peer with "address=0.0.0.0/0" (unless that would cut your management connection) and try to connect the client again.

/interface bridge
add admin-mac=64:D1:54:00:6C:41 arp=proxy-arp auto-mac=no comment=defconf \
    igmp-snooping=yes name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n basic-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b=\
    1Mbps,2Mbps,5.5Mbps,11Mbps country=italy distance=indoors frequency=2422 \
    mode=ap-bridge name=Miko rate-set=configured ssid=Miko wireless-protocol=\
    802.11 wmm-support=enabled wps-mode=disabled
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=@alicebiz.routed
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
    tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
    unicast-ciphers=tkip,aes-ccm
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-128-cbc,3des lifetime=0s
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=L2TP \
    pfs-group=none
/ip pool
add name=dhcp ranges=192.168.98.150-192.168.98.190
add name=VPN_Pool ranges=192.168.98.70-192.168.98.85
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=50m name=defconf
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=192.168.98.4 name=\
    L2TP-IN-Profile remote-address=VPN_Pool
add name=profile1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf hw=no interface=Miko
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=mactel
/ip settings
set accept-redirects=yes
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2TP-IN-Profile enabled=yes use-ipsec=\
    required
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=Miko list=discover
add interface=bridge list=discover
add interface=pppoe-out1 list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.98.4/24 comment=defconf interface=ether2-master network=\
    192.168.98.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.98.0/24 comment=defconf dns-server=8.8.8.8 gateway=\
    192.168.98.4 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.98.4 name=router
/ip firewall filter
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input dst-port=500,4500,1701 ingress-priority=0 \
    priority=0 protocol=tcp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=forward connection-state=established,related \
    dst-address=192.168.54.0/24 src-address=192.168.98.0/24
add action=accept chain=forward connection-state=established,related \
    dst-address=192.168.98.0/24 src-address=192.168.54.0/24
add action=accept chain=forward dst-address=192.168.5.0/24 src-address=\
    192.168.98.0/24
add action=accept chain=forward dst-address=192.168.98.0/24 src-address=\
    192.168.5.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!mactel
add action=accept chain=input
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.54.0/24 src-address=\
    192.168.98.0/24
add action=accept chain=srcnat comment=NAT_Velletri dst-address=192.168.5.0/24 \
    src-address=192.168.98.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
    pppoe-out1 out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.54.0/24 \
    dst-address-list=2XX src-address=192.168.98.0/24 \
    src-address-list=XX
/ip ipsec peer
add address=XX/32 comment=VPN_Tivoli dh-group=modp1024 \
    enc-algorithm=aes-256,aes-192,aes-128,3des nat-traversal=no
add address=XX2/32 comment=VPN_Velletri dh-group=modp1024 \
    enc-algorithm=aes-256,aes-192,aes-128,3des nat-traversal=no
add address=0.0.0.0/0 dh-group=modp1024 disabled=yes enc-algorithm=\
    aes-256,aes-192,aes-128,3des exchange-mode=main-l2tp generate-policy=\
    port-override local-address=192.168.98.4
/ip ipsec policy
set 0 disabled=yes
add comment=VPN_Tivoli dst-address=192.168.54.0/24 sa-dst-address=XX \
    sa-src-address=XX src-address=192.168.98.0/24 tunnel=yes
add comment=VPN_Velletri dst-address=192.168.5.0/24 sa-dst-address=XX \
    sa-src-address=XX src-address=192.168.98.0/24 tunnel=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/ppp secret
add name=fabio profile=L2TP-IN-Profile service=l2tp
/system clock
set time-zone-name=Europe/Rome
/system logging
add topics=ipsec
/system package update
set channel=release-candidate
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mactel

Well, in your today's export I can see, at the peer in question, "disabled=yes" which was not there in your first export, so I guess you've found how to disable it.

Now, "/ip ipsec peer print" should show the static peers and also the dynamic one created by the L2TP server. If the dynamic peer is not there, the L2TP server has not created it, so try to disable and then re-enable the L2TP server. If it is there, please replace all passwords with xxxxxx and paste here the output for all peers, not just the dynamic one.

[admin@MikroTik] >> /ip ipsec  peer print    
Flags: X - disabled, D - dynamic, R - responder 
 0     ;;; VPN_Tivoli
       address=xxx/32 auth-method=pre-shared-key secret="xx" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 
       enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 

 1     ;;; VPN_Velletri
       address=xxx/32 auth-method=pre-shared-key secret="xx*" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1 
       enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 

 2  DR address=::/0 passive=yes auth-method=pre-shared-key secret="xx" generate-policy=port-strict policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 
       enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp2048,modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5 

OK. And if you try to connect your client now, you still get the same log messages like you did before or something else?

What kind of remote device do you try to connect?

OK, we're getting somewhere The lines right before the red one saying "Failed to pre-process ph2 packet" are important:
no template matches
failed to get proposal for responder

A look at your exported config shows the following:

Code: Select all

/ip ipsec policy
set 0 disabled=yes

So the default policy template referring to default IPsec proposal is disabled. Try

Code: Select all

/ip ipsec policy set 0 disabled=no

(or use mouse to re-enable the template) and try to connect the phone again.

That IP in the log says that out of all the Mikrotik's own IPs, this one receives the IPsec packets from the client, so it is fine. You should see somewhere in the ppp server window that client Fabio is connected and which IP address it has been assigned (or use "/interface l2tp-server print"). Also deep in the iPhone's menu you might be able to see the IP you've received.

Now can you use something else than RDP to test whether the iPhone can connect at least somewhere? E.g., the web interface of Mikrotik itself but when the iPhone is connected to such a network that it would be sure that it cannot get there any other way than via the tunnel?

192.168.98.4 is Mikrotik
192.168.98.70 is the client via L2TP
what is the IP of the server and how is it connected to the Mikrotik?

So everything in the same subnet except that the server is on the LAN and the client is connected via L2TP.

Normally, I would expect that the end of this manual chapter is relevant, you have to permit proxy-arp functionality at the LAN interface to which the server is connected, but your configuration export says:

Code: Select all

/interface bridge
add admin-mac=64:D1:54:00:6C:41 arp=proxy-arp auto-mac=no comment=defconf \
    igmp-snooping=yes name=bridge

What is unusual, though, is that the IP address of the Mikrotik itself, 192.168.98.4, is assigned to "ether2" which itself is a member interface of a bridge named "bridge". So please activate safe mode and change the interface for that IP address from "ether2-master" to "bridge". That change should not break anything but better safe than sorry.

Safe mode can only be activated in one management session. So if you have activated it somewhere else than in console (the command line window), deactivate it there, then press Ctrl-X in console window, you should see <SAFE> in the prompt.

Then, "/ip address print" shows you all IP addresses with line numbers starting from 0 in the leftmost column. Find the number of 192.168.98.4, you will use it to replace N in the command below:

/ip address set N interface=bridge

Then, do "/ip address print" again to see the change and make sure that you haven't lost connection.
If you get the response and see that the interface has changed, you may press Ctrl-X again to make the change permanent and try again the RDP disconnection and re-connection.

Prego/нема на чему.
If a topic's initial issue got resolved, it is a good idea to mark the final answer as "solved" so that other people searching the forum can see that. I assume only the OP (original poster) may set such verdict.

You haven't written whether the problem at home is only with Win10 or also with the iPhone. If iPhone works both at home and in the office/school, the issue may be related to difference between iOS and Windows in handling L2TP over IPsec; if none of the two works at home, something regarding the network may be related.

One more idea, maybe you simply haven't left the safe mode before logging off the RouterBoard or disconnecting after you have changed the interface to which your LAN IP is attached, so it got back to "ether2" from "bridge"? The safe mode works exactly that way - if the management session where the safe mode was activated gots broken in any way, even by a clean logout, all changes made since activation of safe mode are reverted.

what is the result of "/ip address export" right now?

/ip address
add address=192.168.98.4/24 comment=defconf interface=ether2-master network=192.168.98.0

So what I've suspected has really happened. You've made the change in safe mode, but you haven't pressed the Ctrl-X again to leave the safe mode before leaving the session, and so the change got rolled back.

So repeat the steps described in post #26 of this topic, except that after changing the initerface to which the IP address is bound, you will first leave the safe mode and only after doing that leave the management session.

This should be enough. If evening shows that it was not, you'll have to add the second subnet as suggested in post #34.

So what I've suspected has really happened. You've made the change in safe mode, but you haven't pressed the Ctrl-X again to leave the safe mode before leaving the session, and so the change got rolled back.

So repeat the steps described in post #26 of this topic, except that after changing the initerface to which the IP address is bound, you will first leave the safe mode and only after doing that leave the management session.

This should be enough. If evening shows that it was not, you'll have to add the second subnet as suggested in post #34.

can i write in PVT for another question?

can i write in PVT for another question?

Yes, if you know how. I cannot use the "contact XXX" link at your user page and haven't found any setting relevant to private message permission in the outgoing direction - in incoming direction, I have them permitted by default. Maybe you have forbidden it in your own settings, maybe I have not enough karma to do so. No idea.