brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

L2TP/IPSec VPN can access LAN but not Router  [SOLVED]

Fri Mar 02, 2018 6:33 pm

Hello everyone,
I am a newbie on MikroTik. In my house, I have an RB750G (192.168.88.1) as the router and have 2 hAP lite as wireless APs (192.168.88.2, 192.168.888.3) + one NAS (192.168.88.4) connected to the LAN ports of the RB750G.

I set up the L2TP/IPsec VPN in order to remotely access my home network. The VPN network was assigned 192.168.6.0/24. Everything works fine. I can connect to the VPN from outside. The IP address I get is 192.168.6.2. But once the VPN is established, I can get access to the hAP or the NAS when I key in the hAP IP address or the NAS address, but NOT 192.168.88.1.

I thought since I can access the hAP lite via VPN, I am supposed to access the router as well, but no matter how I try, I cannot access my router.

Anyone who can help me with it?

MJ
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPSec VPN can access LAN but not Router

Fri Mar 02, 2018 8:53 pm

Have a look at this topic.

If you don't find the answer there, come back.
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: L2TP/IPSec VPN can access LAN but not Router

Sun Mar 04, 2018 2:56 am

Have a look at this topic.

If you don't find the answer there, come back.
Hi Sindy,
Thank you for the help. Looks like the linked topic has the same issue as me. I will look through carefully and see if I can solve it with the idea you provided in that link.
The key seems to fall on the firewall settings.

You have a nice weekend !
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: L2TP/IPSec VPN can access LAN but not Router

Sat Mar 10, 2018 4:06 am

Hi, I tried but no luck! The linked topic has much more complicated firewall rules than mine.
I just have the default config and activated the L2TP/IPsec VPN server on the main router: set a DHCP server for the VPN, enabled L2TP, ....., etc.

I can get VPN from my iPhone without any problem, and I can remotely access my hAP lite (wireless AP connected to the RB750G) or the NAS, but NOT the router.

Here below is the config, please advise how to fix it. Thank you!

# mar/09/2018 15:37:27 by RouterOS 6.41.2
# software id = PKFZ-FS3Q
#
# model = 750GL
# serial number = 467B041AAC6E
/interface bridge
add admin-mac=4C:5E:0C:79:9F:60 auto-mac=no comment=defconf name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name="vpn pool" ranges=192.168.6.2-192.168.6.10
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *0 local-address=192.168.6.1 only-one=no remote-address="vpn pool" \
use-encryption=yes
set *FFFFFFFE idle-timeout=10m only-one=no session-timeout=0s
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set default-profile=default enabled=yes ipsec-secret=1234 use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=\
192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dhcp-server lease
add address=192.168.88.118 client-id=1:4c:b1:99:a5:b2:c mac-address=\
4C:B1:99:A5:B2:0C server=defconf
add address=192.168.88.116 always-broadcast=yes client-id=1:18:65:90:36:c:d7 \
mac-address=18:65:90:36:0C:D7 server=defconf
add address=192.168.88.137 client-id=1:3c:2e:f9:8c:53:dc mac-address=\
3C:2E:F9:8C:53:DC server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input disabled=yes port=1701,500,4500 protocol=udp
add action=accept chain=input disabled=yes protocol=ipsec-esp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=no \
src-address=192.168.6.0/24
/ppp secret
add name=vpn password=1234
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name="Main Router"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
misucatinas
newbie
Posts: 32
Joined: Thu Mar 01, 2018 9:11 am

Re: L2TP/IPSec VPN can access LAN but not Router

Sat Mar 10, 2018 10:40 am

Hello,
add action=accept chain=input dst-address=192.168.88.0/24 src-address=192.168.6.0/24
and move above:
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
Last edited by misucatinas on Sat Mar 10, 2018 12:54 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPSec VPN can access LAN but not Router

Sat Mar 10, 2018 10:42 am

Here below are the config, please advise how to fix it. Thank you !
The relevant part of your configuration is the following one:
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/ip firewall filter
1. add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
2. add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
3. add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
4. add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
5. add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
6. add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
7. add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
The issue must be in chain input of the firewall filter rules because
  • you can reach other devices on the LAN via the VPN
  • there are no non-standard rules in raw and mangle tables, and rules in srcnat chain of nat table do not handle packets sent out by the router itself
  • there are no rules in chain output of the firewall filter, and rules in chain forward do not handle packets sent by the router itself nor those whose destination is the router itself
Next, you have to understand how L2TP/IPsec works. L2TP creates a virtual interface. Any packet routed through that interface is encapsulated into a UDP packet with destination port 1701 (see note below) and sent to the remote side. If L2TP is tunnelled via IPsec, the UDP packet to port 1701 is encapsulated and encrypted using the IPsec security association into an ESP packet. And if there is NAT between the local and remote end, the ESP packet is further encapsulated into a UDP packet with destination port 4500.
Note: the server always listens at port 1701; the client may use a different port at its side, which has some advantage.

On the receiving side, the onion is peeled in reverse order.
  • The IPsec encrypted and encapsulated packet arrives via WAN interface (in your case, ether1) as a UDP packet to port 4500.
  • If it is the first one of the connection, rule 1 ignores it but rule 2 matches and accepts it; further packets are matched and accepted already by rule 1.
  • Now the IPsec processing takes place. The outer UDP and ESP envelope is removed and the decrypted UDP packet to port 1701 remains.
  • This extracted packet is treated as a new incoming packet which came in via the same interface as the one from which it has been extracted. So the firewall inspects it as such.
  • If it is the first one of a connection, rules 1, 2 and 3 ignore it and rule 4 matches and accepts it, otherwise already rule 1 matches and accepts it.
  • Now L2TP processing takes place. The outer IP and UDP envelope is removed and an L2 packet is extracted. But this time, the packet is not seen as coming in via the WAN (ether1) interface, but via the virtual interface which has been dynamically created (at server side, at client side it is a static one) when the L2TP session has been established. And this "new" packet is processed by the input chain of firewall filter rules as well.
  • None of rules 1-6 match it, so it reaches rule 7. And as the dynamically created L2TP interface is not a member of interface list LAN, the rule matches and the packet is dropped.

You have several possibilities to resolve this, depending on how complex the rest of your configuration is going to grow.
  • the simplest one is to modify rule 7 - instead of in-interface-list=!LAN, use in-interface-list=WAN. That way you only prevent the router from being accessed directly via WAN, but access from any other interface, including virtual ones and including some added later, like e.g. your wireless network for guests at home, will be possible
  • the name of the dynamically created virtual L2TP interface is always <l2tp-username>, so in your case it is <l2tp-vpn> (including the sharp brackets). But when the tunnel goes down, the interface is destroyed, so it is also automatically removed from the interface list, and it is not re-created there when another interface, albeit with the same name, appears again. What you can do is to create a static interface of type "L2TP Server Binding" and link it to the ppp user name (vpn in your case). Such an interface is static, therefore it exists regardless of whether the L2TP connection is established or not, and you can add it as a member of the interface list "LAN", or insert a rule
    chain=input action=accept in-interface=your-static-binding-name
    anywhere between existing rules 1 and 7.
  • you might be tempted to permit incoming packets based on their source address regardless of the in-interface as @misucatinas suggests, but it is not a good idea as a packet with a "proper" source address can be spoofed and sent to your WAN interface. Scenarios exist where such a packet may cause some harm to your network.
One extra question, do you have any special reason to permit "untracked" packets in rule 1?
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: L2TP/IPSec VPN can access LAN but not Router

Sat Mar 10, 2018 10:41 pm

Hi Sindy,
Thank you for such a detailed explanation of this issue! Really appreciate your great help!

I modified rule 7 as per your suggestion and it works!!! Now I can remotely access the whole LAN network including the router. :-)

As to your question regarding the 'untracked' in rule 1, in fact, it is the default configuration from the factory setting. Once you reset the configuration to the factory setting, it is there.

To be honest, I don't know very well why Mikrotik put it in the rule 1.

Thanks again and you have a nice weekend !
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPSec VPN can access LAN but not Router

Sat Mar 10, 2018 10:55 pm

As to your question regarding the 'untracked' in rule 1, in fact, it is the default configuration from the factory setting. Once you reset the configuration to the factory setting, it is there.
Right you are, but it seems to be a recent addition.
 
brg3466
Member Candidate
Topic Author
Posts: 177
Joined: Sat Aug 01, 2015 7:29 am

Re: L2TP/IPSec VPN can access LAN but not Router

Sun Mar 11, 2018 2:02 am

Hi Sindy,

I tried the other way you suggested just as an experiment, i.e. create a static interface of <l2tp-vpn> and add it to the LAN.

It works as well !!!

Really learn a lot from you ! Thank you for sharing your knowledge on this topic !
 
Fesiitis
newbie
Posts: 45
Joined: Tue Sep 13, 2016 10:24 am
Location: Latvia, Riga

Re: L2TP/IPSec VPN can access LAN but not Router

Thu Sep 12, 2019 1:34 pm

I found this topic because I have the same issue the OP had, except I don't have an L2TP/IPsec VPN but IKEv2 IPsec configured. And changing from !LAN to WAN does not fix the issue; I can't access the router from any device on the 10.12.14.0/24 network at all. If I disable that default "not from LAN" rule, I can access the router. I think it's because IKEv2 IPsec doesn't create a separate virtual interface. I have one PPTP VPN configured as well, and if I change from !LAN to WAN, I can access the router from the PPTP VPN network.

This is my FW and IPsec VPN configuration, basically everything is router default -
[three screenshots of the firewall and IPsec configuration, not reproduced here]

What do I need to change to make router accessible from 10.12.14.0/24 network? I have to accept another input from 10.12.14.0/24 network?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP/IPSec VPN can access LAN but not Router

Thu Sep 12, 2019 1:56 pm

I think it's because IKE2 IPsec doesn't create separate virtual interface.
Yes, this changes a lot.

This is my FW and IPsec VPN configuration, basically everything is router default
Screenshots are not a good method of presenting configuration for analysis. See my automatic signature below regarding proper way of posting configuration.

What do I need to change to make router accessible from 10.12.14.0/24 network? I have to accept another input from 10.12.14.0/24 network?
Yes, you have to add another accept rule to input for that source subnet; if you want to be super-sure, add in-interface=X ipsec-policy=in,ipsec to the rule, where X is the name of the interface through which the IPsec tunnel flows, so that packets from that IP could not be spoofed through another interface if the IPsec policy were ever disabled (when the policy is active, packets matching the traffic selector of the policy in the receive direction are dropped if they didn't come via the IPsec tunnel).
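To make the two explanations in this thread concrete, here is an added example (my own code, not RouterOS and not any poster's configuration): a toy first-match model of the /ip firewall filter input chain. It replays sindy's earlier walk-through of the L2TP/IPsec "onion" (UDP/4500 on ether1, then the decrypted UDP/1701 still on ether1, then the inner packet on the dynamic <l2tp-vpn> interface) against rules 1-7, compares the three fixes sindy listed plus the src-address-only variant against a packet that carries the VPN source address but arrives unencrypted on ether1, and then shows the IKEv2 case from this reply, where there is no virtual interface and the accept rule needs in-interface plus ipsec-policy=in,ipsec. The interface lists come from the posted export; the peer address 203.0.113.5, the Winbox port 8291 as the service being reached, and the hosts 192.168.6.2 and 10.12.14.7 are constructed inputs. The model covers only the matchers the posts rely on and a chain's default accept; it does not model RouterOS's policy-selector drop, which is exactly why the strict rule matters once a policy is disabled.

```python
# Added example for this thread, not RouterOS code and not the posters' configs: a toy
# first-match model of the /ip firewall filter "input" chain that replays sindy's "onion
# peeling" of an L2TP/IPsec packet and the IKEv2 variant. Names, ports and addresses
# below are constructed from the posts.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Lists from the posted export; the dynamic <l2tp-vpn> interface is in neither of them.
IFACE_LISTS = {"LAN": {"bridge"}, "WAN": {"ether1"}}

@dataclass
class Packet:
    in_iface: str
    src: str
    protocol: str
    dst_port: Optional[int] = None
    conn_state: str = "new"    # new | established | related | untracked | invalid
    ipsec_in: bool = False     # True once an IPsec policy has decrypted the packet

@dataclass
class Rule:
    action: str                # accept | drop
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    conn_state: Optional[frozenset] = None
    in_iface: Optional[str] = None
    in_iface_list: Optional[str] = None     # "WAN" or negated "!LAN"
    src_address: Optional[str] = None
    ipsec_policy_in: Optional[bool] = None  # True stands for ipsec-policy=in,ipsec

def matches(rule, pkt):
    """Every matcher set on the rule must agree; unset matchers are wildcards."""
    if rule.in_iface_list:
        negated = rule.in_iface_list.startswith("!")
        if (pkt.in_iface in IFACE_LISTS.get(rule.in_iface_list.lstrip("!"), set())) == negated:
            return False
    return all([
        rule.protocol is None or rule.protocol == pkt.protocol,
        rule.dst_port is None or rule.dst_port == pkt.dst_port,
        rule.conn_state is None or pkt.conn_state in rule.conn_state,
        rule.in_iface is None or rule.in_iface == pkt.in_iface,
        rule.src_address is None or ip_address(pkt.src) in ip_network(rule.src_address),
        rule.ipsec_policy_in is None or rule.ipsec_policy_in == pkt.ipsec_in,
    ])

def run_input_chain(rules, pkt):
    """First match wins; a RouterOS chain with no matching rule accepts the packet."""
    for number, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, number
    return "accept", None

def default_rules(rule7_list="!LAN"):
    """Rules 1-7 as sindy numbered them; rule7_list lets you try the first fix."""
    return [
        Rule("accept", conn_state=frozenset({"established", "related", "untracked"})),  # 1
        Rule("accept", protocol="udp", dst_port=4500),    # 2 allow IPsec NAT-T
        Rule("accept", protocol="udp", dst_port=500),     # 3 allow IKE
        Rule("accept", protocol="udp", dst_port=1701),    # 4 allow l2tp
        Rule("drop", conn_state=frozenset({"invalid"})),  # 5 drop invalid
        Rule("accept", protocol="icmp"),                  # 6 accept ICMP
        Rule("drop", in_iface_list=rule7_list),           # 7 drop all not coming from LAN
    ]

def with_extra(rule):
    return default_rules()[:6] + [rule] + default_rules()[6:]   # inserted between 6 and 7

def l2tp_ipsec_arrival(rules):
    """The three layers of a session's first packet, each judged by the input chain."""
    layers = [
        ("NAT-T UDP/4500 on ether1", Packet("ether1", "203.0.113.5", "udp", 4500)),
        ("decrypted UDP/1701, still on ether1", Packet("ether1", "203.0.113.5", "udp", 1701, ipsec_in=True)),
        ("inner TCP/8291 (Winbox) on <l2tp-vpn>", Packet("<l2tp-vpn>", "192.168.6.2", "tcp", 8291)),
    ]
    return [(label, *run_input_chain(rules, p)) for label, p in layers]

def compare_fixes():
    """Genuine packet via the L2TP interface vs. one with the same VPN source address
    arriving unencrypted on ether1 (the spoofing caveat sindy raises)."""
    genuine = Packet("<l2tp-vpn>", "192.168.6.2", "tcp", 8291)
    forged = Packet("ether1", "192.168.6.2", "tcp", 8291)
    variants = {
        "unchanged": default_rules("!LAN"),
        "rule 7 in-interface-list=WAN": default_rules("WAN"),
        "accept in-interface=<l2tp-vpn>": with_extra(Rule("accept", in_iface="<l2tp-vpn>")),
        "accept src-address only": with_extra(Rule("accept", src_address="192.168.6.0/24")),
    }
    return {name: {"genuine": run_input_chain(r, genuine)[0], "forged": run_input_chain(r, forged)[0]}
            for name, r in variants.items()}

def ikev2_case():
    """No virtual interface: decrypted packets keep in-interface=ether1, so the rule-7
    change alone still drops them; the strict rule admits only policy-decrypted ones."""
    genuine = Packet("ether1", "10.12.14.7", "tcp", 8291, ipsec_in=True)
    forged = Packet("ether1", "10.12.14.7", "tcp", 8291)
    strict = with_extra(Rule("accept", src_address="10.12.14.0/24", in_iface="ether1", ipsec_policy_in=True))
    return {
        "rule 7 = WAN only": run_input_chain(default_rules("WAN"), genuine)[0],
        "strict rule, genuine": run_input_chain(strict, genuine)[0],
        "strict rule, forged": run_input_chain(strict, forged)[0],
    }
```

Running l2tp_ipsec_arrival(default_rules()) reproduces sindy's trace exactly: rule 2 accepts the UDP/4500 packet, rule 4 accepts the decrypted UDP/1701 packet, and rule 7 drops the inner packet because <l2tp-vpn> is not in LAN; with default_rules("WAN") the inner packet reaches the end of the chain and is accepted. compare_fixes() shows why the in-interface based fixes are preferable: only the src-address-only rule also admits the forged packet on ether1. ikev2_case() shows Fesiitis's observation (rule 7 = WAN still drops the decrypted packet, since its in-interface is ether1) and that the accept rule with in-interface and ipsec-policy=in,ipsec admits only the decrypted copy.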
 
Fesiitis
newbie
Posts: 45
Joined: Tue Sep 13, 2016 10:24 am
Location: Latvia, Riga

Re: L2TP/IPSec VPN can access LAN but not Router

Thu Sep 12, 2019 2:08 pm

Thanks for reply. This works. Next time I will post configuration as a text, thanks for suggestion. ;)
 
jaytcsd
Member
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Re: L2TP/IPSec VPN can access LAN but not Router

Mon Sep 16, 2019 6:51 pm

I started copying all the info sindy puts in these posts into a 'sindy says' text file for future reference.
