"You must first have 'Input' rules, then 'Output' and 'Forward'."

This is not correct. The order of rules is important, but only within a chain. Whether a particular incoming packet will be processed by the input chain or the forward chain depends on its destination address, not on the order of rules.
Finally, "drop All" 'forward' is specified. Agree?
/ip firewall filter
add chain=input dst-address=LAN-IP-of-the-RB dst-port=80 action=accept
add chain=forward action=drop

I'm a bit afraid that we are hijacking the topic from the OP; maybe we should move this discussion somewhere else? I agree with part of your points, and I disagree with other ones....
"Can't because how do it"

Can't do because you don't know how to do that from Winbox, or can't do because it is administratively prohibited?
Whatever, the configuration export you've provided earlier contains a static peer configuration with "address=0.0.0.0/0". The L2TP server with IPsec set to "yes" or "required" (the latter should be used to prevent L2TP connections without IPsec from being set up unless you really want to support them too) creates a dynamic peer configuration with all the necessary settings for L2TP over IPsec mode and also with "address=0.0.0.0/0" setting.
Now as the statically configured peer is the first one in the list, it is used to handle the incoming requests from unknown-in-advance IP addresses rather than the dynamically configured one, because among all peers whose "address" parameter matches the source IP of the request, the one with longest mask is chosen; if the mask length is the same for several peers, their order decides.
So please disable the statically configured peer with "address=0.0.0.0/0" (unless that would cut your management connection) and try to connect the client again.
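To make the peer-selection rule above concrete, here is an added Python simulation of it (not RouterOS code and not from the thread); the peer names and addresses are constructed, and the rule it implements is the one stated above: longest matching prefix wins, list order decides ties.

```python
import ipaddress

# Constructed peer list mirroring the situation discussed above: a static peer
# with address=0.0.0.0/0 listed before the dynamic peer the L2TP server adds.
# List order stands in for the order shown by "/ip ipsec peer print".
PEERS_BEFORE = [
    {"name": "VPN_Tivoli", "address": "198.51.100.10/32", "disabled": False, "dynamic": False},
    {"name": "VPN_Velletri", "address": "198.51.100.20/32", "disabled": False, "dynamic": False},
    {"name": "static-catch-all", "address": "0.0.0.0/0", "disabled": False, "dynamic": False},
    {"name": "l2tp-dynamic", "address": "0.0.0.0/0", "disabled": False, "dynamic": True},
]


def select_peer(peers, src_ip):
    """Return the name of the peer that would handle a request from src_ip.

    Rule as stated in the thread: among enabled peers whose "address" contains
    the source IP, the longest prefix wins; on equal prefix length the peer
    listed first wins (hence the strict '>' comparison below)."""
    src = ipaddress.ip_address(src_ip)
    best, best_len = None, -1
    for peer in peers:
        if peer["disabled"]:
            continue
        net = ipaddress.ip_network(peer["address"], strict=False)
        if src not in net:
            continue
        if net.prefixlen > best_len:
            best, best_len = peer, net.prefixlen
    return best["name"] if best else None


def with_static_catch_all_disabled(peers):
    """Copy of the peer list with the static 0.0.0.0/0 peer disabled, i.e. the
    fix suggested in the thread; the dynamic peer is left untouched."""
    out = []
    for peer in peers:
        p = dict(peer)
        if p["address"] == "0.0.0.0/0" and not p["dynamic"]:
            p["disabled"] = True
        out.append(p)
    return out
```

A roaming client from an unknown address lands on the static catch-all peer in the first list, and on the L2TP server's dynamic peer once the static one is disabled, while the site-to-site /32 peers are unaffected either way.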
/interface bridge
add admin-mac=64:D1:54:00:6C:41 arp=proxy-arp auto-mac=no comment=defconf \
igmp-snooping=yes name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n basic-rates-a/g=\
6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b=\
1Mbps,2Mbps,5.5Mbps,11Mbps country=italy distance=indoors frequency=2422 \
mode=ap-bridge name=Miko rate-set=configured ssid=Miko wireless-protocol=\
802.11 wmm-support=enabled wps-mode=disabled
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=@alicebiz.routed
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256,sha1 enc-algorithms=\
aes-256-cbc,aes-256-ctr,aes-192-cbc,aes-128-cbc,3des lifetime=0s
add enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des name=L2TP \
pfs-group=none
/ip pool
add name=dhcp ranges=192.168.98.150-192.168.98.190
add name=VPN_Pool ranges=192.168.98.70-192.168.98.85
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=50m name=defconf
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8 local-address=192.168.98.4 name=\
L2TP-IN-Profile remote-address=VPN_Pool
add name=profile1
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf hw=no interface=Miko
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=mactel
/ip settings
set accept-redirects=yes
/interface l2tp-server server
set allow-fast-path=yes default-profile=L2TP-IN-Profile enabled=yes use-ipsec=\
required
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=Miko list=discover
add interface=bridge list=discover
add interface=pppoe-out1 list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.98.4/24 comment=defconf interface=ether2-master network=\
192.168.98.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.98.0/24 comment=defconf dns-server=8.8.8.8 gateway=\
192.168.98.4 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.98.4 name=router
/ip firewall filter
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
add action=accept chain=input dst-port=500,4500,1701 ingress-priority=0 \
priority=0 protocol=tcp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=forward connection-state=established,related \
dst-address=192.168.54.0/24 src-address=192.168.98.0/24
add action=accept chain=forward connection-state=established,related \
dst-address=192.168.98.0/24 src-address=192.168.54.0/24
add action=accept chain=forward dst-address=192.168.5.0/24 src-address=\
192.168.98.0/24
add action=accept chain=forward dst-address=192.168.98.0/24 src-address=\
192.168.5.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface-list=!mactel
add action=accept chain=input
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.54.0/24 src-address=\
192.168.98.0/24
add action=accept chain=srcnat comment=NAT_Velletri dst-address=192.168.5.0/24 \
src-address=192.168.98.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=\
pppoe-out1 out-interface-list=WAN
/ip firewall raw
add action=notrack chain=prerouting dst-address=192.168.54.0/24 \
dst-address-list=2XX src-address=192.168.98.0/24 \
src-address-list=XX
/ip ipsec peer
add address=XX/32 comment=VPN_Tivoli dh-group=modp1024 \
enc-algorithm=aes-256,aes-192,aes-128,3des nat-traversal=no
add address=XX2/32 comment=VPN_Velletri dh-group=modp1024 \
enc-algorithm=aes-256,aes-192,aes-128,3des nat-traversal=no
add address=0.0.0.0/0 dh-group=modp1024 disabled=yes enc-algorithm=\
aes-256,aes-192,aes-128,3des exchange-mode=main-l2tp generate-policy=\
port-override local-address=192.168.98.4
/ip ipsec policy
set 0 disabled=yes
add comment=VPN_Tivoli dst-address=192.168.54.0/24 sa-dst-address=XX \
sa-src-address=XX src-address=192.168.98.0/24 tunnel=yes
add comment=VPN_Velletri dst-address=192.168.5.0/24 sa-dst-address=XX \
sa-src-address=XX src-address=192.168.98.0/24 tunnel=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=pppoe-out1 type=external
/ppp secret
add name=fabio profile=L2TP-IN-Profile service=l2tp
/system clock
set time-zone-name=Europe/Rome
/system logging
add topics=ipsec
/system package update
set channel=release-candidate
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mactel
Well, in your today's export I can see, at the peer in question, "disabled=yes", which was not there in your first export, so I guess you've found how to disable it.
Now, "/ip ipsec peer print" should show the static peers and also the dynamic one created by the L2TP server. If the dynamic peer is not there, the L2TP server has not created it, so try to disable and then re-enable the L2TP server. If it is there, please replace all passwords with xxxxxx and paste here the output for all peers, not just the dynamic one.

Yes, it's created:
[admin@MikroTik] >> /ip ipsec peer print
Flags: X - disabled, D - dynamic, R - responder
0 ;;; VPN_Tivoli
address=xxx/32 auth-method=pre-shared-key secret="xx" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1
enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
1 ;;; VPN_Velletri
address=xxx/32 auth-method=pre-shared-key secret="xx*" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=no proposal-check=obey hash-algorithm=sha1
enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
2 DR address=::/0 passive=yes auth-method=pre-shared-key secret="xx" generate-policy=port-strict policy-template-group=default exchange-mode=main-l2tp send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1
enc-algorithm=aes-256,aes-192,aes-128,3des dh-group=modp2048,modp1024 lifetime=1d dpd-interval=2m dpd-maximum-failures=5
OK. And if you try to connect your client now, do you still get the same log messages as you did before, or something else?

"Failed to pre-process ph2 packet"

What kind of remote device do you try to connect?

iPhone 5s, and I'm trying with Windows 10 too... same error.
OK, we're getting somewhere. The lines right before the red one saying "Failed to pre-process ph2 packet" are important:
no template matches
failed to get proposal for responder
A look at your exported config shows the following:
/ip ipsec policy
set 0 disabled=yes
So the default policy template referring to the default IPsec proposal is disabled. Try
/ip ipsec policy set 0 disabled=no
(or use the mouse to re-enable the template) and try to connect the phone again.

OK, connected, but now I have another problem: if I try to connect via RDP to a remote server, I cannot connect to it.
That IP in the log says that out of all the Mikrotik's own IPs, this one receives the IPsec packets from the client, so it is fine. You should see somewhere in the PPP server window that client Fabio is connected and which IP address it has been assigned (or use "/interface l2tp-server print"). Also, deep in the iPhone's menu you might be able to see the IP you've received.
Now, can you use something other than RDP to test whether the iPhone can connect at least somewhere? E.g., the web interface of the Mikrotik itself, but with the iPhone connected to such a network that you can be sure it cannot get there any other way than via the tunnel?

The IP is 192.168.98.70, see this strange thing...
192.168.98.4 is the Mikrotik
192.168.98.70 is the client via L2TP
What is the IP of the server and how is it connected to the Mikrotik?

192.168.98.222
So everything is in the same subnet, except that the server is on the LAN and the client is connected via L2TP.
Normally, I would expect that the end of this manual chapter is relevant: you have to permit proxy-arp functionality at the LAN interface to which the server is connected, but your configuration export says:
/interface bridge
add admin-mac=64:D1:54:00:6C:41 arp=proxy-arp auto-mac=no comment=defconf \
igmp-snooping=yes name=bridge
What is unusual, though, is that the IP address of the Mikrotik itself, 192.168.98.4, is assigned to "ether2", which itself is a member interface of a bridge named "bridge". So please activate safe mode and change the interface for that IP address from "ether2-master" to "bridge". That change should not break anything, but better safe than sorry.

So I've activated safe mode; how do I do the other?

Safe mode can only be activated in one management session. So if you have activated it somewhere else than in the console (the command line window), deactivate it there, then press Ctrl-X in the console window; you should see <SAFE> in the prompt.
Then, "/ip address print" shows you all IP addresses with line numbers starting from 0 in the leftmost column. Find the number of 192.168.98.4; you will use it to replace N in the command below:
/ip address set N interface=bridge
Then, do "/ip address print" again to see the change and make sure that you haven't lost the connection.
If you get the response and see that the interface has changed, you may press Ctrl-X again to make the change permanent and try the RDP disconnection and re-connection again.

Seems to be all ok!!! THANK YOU!! VERY VERY THANK YOU!!!!!
You're welcome.
If a topic's initial issue got resolved, it is a good idea to mark the final answer as "solved" so that other people searching the forum can see that. I assume only the OP (original poster) may set such a verdict.

Hi sindy... I've got a problem connecting from my home with Windows 10..... the first time I'm connected but I can't log in to my server, I tried many times to ping the server but only got timeouts.... after 10 minutes and a lot of manual disconnections from the VPN I finally logged in to my server....
You haven't written whether the problem at home is only with Win10 or also with the iPhone. If the iPhone works both at home and in the office/school, the issue may be related to the difference between iOS and Windows in handling L2TP over IPsec; if neither of the two works at home, something regarding the network may be involved.

I've tried to connect via phone via my network and all is fine; if I connect via my network with my PC I had this problem.
One more idea: maybe you simply haven't left the safe mode before logging off the RouterBoard or disconnecting after you have changed the interface to which your LAN IP is attached, so it got back to "ether2" from "bridge"? The safe mode works exactly that way: if the management session where the safe mode was activated gets broken in any way, even by a clean logout, all changes made since activation of safe mode are reverted.
What is the result of "/ip address export" right now?

I've changed nothing and for now with my phone it's working... I have to test this evening at home.... Do I have to check anything else?
/ip address
add address=192.168.98.4/24 comment=defconf interface=ether2-master network=192.168.98.0
So what I've suspected has really happened. You've made the change in safe mode, but you haven't pressed Ctrl-X again to leave the safe mode before leaving the session, and so the change got rolled back.
So repeat the steps described in post #26 of this topic, except that after changing the interface to which the IP address is bound, you will first leave the safe mode and only after doing that leave the management session.
This should be enough. If the evening shows that it was not, you'll have to add the second subnet as suggested in post #34.

It seems to be ok.
Thank you very much.
Can I write in PVT for another question?

Yes, if you know how. I cannot use the "contact XXX" link at your user page and haven't found any setting relevant to private message permission in the outgoing direction; in the incoming direction, I have them permitted by default. Maybe you have forbidden it in your own settings, maybe I have not enough karma to do so. No idea.
Don't know.... OK, I'll open another thread.