
No Outgoing UDP possible when remote VPN user is connected

Tue Jan 08, 2019 11:41 pm

Hi there,

Been searching a while for a solution,

I have 2 VPN profiles listening on our local router:
  1. Accepting connections and bridging them to the last 4 ports of the router (TelenetVPN) (2nd problem: works but is very slow)
  2. Accepting connections, handing out a default-dhcp IP to the VPN client and connecting it to the local network of the local router (l2tp-profile)
Now, when a client behind the NAT of a second network (network 2) connects to the local router using a VPN,
it seems like outgoing UDP traffic from our local network to that same network 2 (to a port forwarded over there to an internal server) is dropped.
After the remote VPN client disconnects, the UDP traffic gets through again.

(TCP traffic to the same network 2 keeps on working when the VPN client is connected) (UDP traffic to other servers also keeps on working).
# jan/08/2019 16:08:28 by RouterOS 6.43.8
# model = 2011UiAS
# NOTE(review): this export looks trimmed before posting: several commands end
# in a continuation backslash with nothing after it, and address fields are
# empty. Read it as an excerpt; it cannot be re-imported as-is.

/interface bridge
# bridge-local is the LAN bridge. arp=proxy-arp is presumably there because the
# PPP profiles hand VPN clients addresses from the LAN pool (default-dhcp) -
# confirm. The second bridge's name is cut off; later sections refer to
# bridge-telenetext.
add admin-mac=E4:8D:8C:22:D6:C8 arp=proxy-arp auto-mac=no comment=defconf \
    fast-forward=no name=bridge-local
add admin-mac=E4:8D:8C:22:D6:CC auto-mac=no fast-forward=no name=\
/interface ethernet
# Port naming only: ether1 is the uplink and is renamed WAN. The names given to
# ether6-ether10 are cut off, and the continuation of the ether2 line is
# missing as well.
set [ find default-name=ether1 ] comment=Internet name=WAN speed=100Mbps
set [ find default-name=ether2 ] comment=Local name=ether2-master-local \
set [ find default-name=ether3 ] name=ether3-slave-local speed=100Mbps
set [ find default-name=ether4 ] name=ether4-slave-local speed=100Mbps
set [ find default-name=ether5 ] name=ether5-slave-local speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
/interface list
# Three lists, filled in under "/interface list member" and referenced by
# neighbor discovery (discover) and the MAC servers (mactel, mac-winbox).
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/ip ipsec peer profile
# Phase 1 parameters used by the L2TP/IPsec peer (profile_1).
# NOTE(review): modp1024 is a 1024-bit Diffie-Hellman group and 3des is a
# 64-bit-block cipher; both are legacy choices. They are presumably kept for
# older built-in VPN clients - confirm, and prefer a larger DH group and
# AES-only if every client supports it.
add dh-group=modp1024 enc-algorithm=aes-256,3des name=profile_1
/ip ipsec proposal
# Phase 2 proposals: the default is reduced to aes-128-cbc, and L2TP-Proposal
# offers aes-256-cbc or 3des.
# NOTE(review): pfs-group=none means phase 2 keys are derived without a fresh
# DH exchange (no perfect forward secrecy) - verify this is a deliberate
# client-compatibility choice.
set [ find default=yes ] enc-algorithms=aes-128-cbc
add enc-algorithms=aes-256-cbc,3des name=L2TP-Proposal pfs-group=none
/ip pool
# Address ranges are empty in this listing (presumably removed before posting).
add name=default-dhcp ranges=
add name=L2TP-Pool ranges=
/ip dhcp-server
# LAN DHCP server on bridge-local, leasing from default-dhcp.
add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no \
    interface=bridge-local lease-time=2d name=default
/ppp profile
# l2tp-profile and "OpenVPN profile" give VPN clients a remote-address from
# default-dhcp, the same pool the LAN DHCP server uses; L2TP-Pool is defined
# above but not referenced by any profile shown here.
# NOTE(review): with VPN clients in the LAN address range, they cannot be told
# apart from wired hosts by address in firewall rules or logs; a dedicated pool
# would make that separation possible.
# TelenetVPN instead attaches its sessions to bridge-telenetext (bridge=).
# All three profiles set use-encryption=required.
add change-tcp-mss=yes dns-server= local-address= name=\
    l2tp-profile remote-address=default-dhcp use-encryption=required
add change-tcp-mss=yes dns-server= local-address= name=\
    "OpenVPN profile" remote-address=default-dhcp use-encryption=required
add bridge=bridge-telenetext change-tcp-mss=yes dns-server= name=\
    TelenetVPN use-encryption=required

/snmp community
# Restricts the default community by source address; the value is empty in this
# listing. No "/snmp set enabled=..." line is shown, so whether SNMP is running
# cannot be told from here.
set [ find default=yes ] addresses=
/interface bridge port
# ether2-ether5 and sfp1 are members of bridge-local; ether6-ether10 are
# members of bridge-telenetext.
# NOTE(review): the WAN entry below shows no bridge= parameter. Confirm on the
# router which bridge, if any, that entry refers to - the uplink should not end
# up as a member of a LAN bridge.
add bridge=bridge-local comment=defconf interface=ether2-master-local
add bridge=bridge-telenetext comment=defconf interface=ether6-master-local
add bridge=bridge-local comment=defconf hw=no interface=sfp1
add interface=WAN
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local
add bridge=bridge-telenetext interface=ether7-slave-local
add bridge=bridge-telenetext interface=ether8-slave-local
add bridge=bridge-telenetext interface=ether9-slave-local
add bridge=bridge-telenetext interface=ether10-slave-local
/ip neighbor discovery-settings
# Neighbor discovery runs only on interfaces in the "discover" list.
set discover-interface-list=discover
/interface l2tp-server server
# Enables the L2TP server: MS-CHAPv2 is the only accepted authentication
# method, sessions default to l2tp-profile, and MTU/MRU are set to 1460.
# ipsec-secret is the pre-shared key common to every L2TP/IPsec client; "pass"
# here is presumably a placeholder substituted before posting.
# NOTE(review): as far as I know use-ipsec=yes still accepts L2TP sessions that
# are not wrapped in IPsec, and the input chain accepts UDP 1701 from any
# source. Check the RouterOS documentation for the stricter setting or restrict
# 1701 to IPsec-decapsulated traffic in the firewall - verify on the router.
set authentication=mschap2 default-profile=l2tp-profile enabled=yes \
    ipsec-secret=pass max-mru=1460 max-mtu=1460 mrru=1600 use-ipsec=yes
/interface list member
# Membership of the three interface lists. sfp1, ether2-ether10 and both
# bridges are in "discover"; sfp1, ether2-ether10 and bridge-local are in
# "mactel" and "mac-winbox". WAN is in none of them, so neighbor discovery,
# MAC-Telnet and MAC-Winbox (which are limited to these lists elsewhere in the
# export) are not offered on the uplink.
add interface=sfp1 list=discover
add interface=ether2-master-local list=discover
add interface=ether3-slave-local list=discover
add interface=ether4-slave-local list=discover
add interface=ether5-slave-local list=discover
add interface=ether6-master-local list=discover
add interface=ether7-slave-local list=discover
add interface=ether8-slave-local list=discover
add interface=ether9-slave-local list=discover
add interface=ether10-slave-local list=discover
add interface=bridge-local list=discover
add interface=bridge-telenetext list=discover
add interface=bridge-local list=mactel
add interface=ether2-master-local list=mactel
add interface=bridge-local list=mac-winbox
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=ether6-master-local list=mactel
add interface=ether5-slave-local list=mac-winbox
add interface=ether7-slave-local list=mactel
add interface=ether6-master-local list=mac-winbox
add interface=ether8-slave-local list=mactel
add interface=ether7-slave-local list=mac-winbox
add interface=ether9-slave-local list=mactel
add interface=ether8-slave-local list=mac-winbox
add interface=ether10-slave-local list=mactel
add interface=ether9-slave-local list=mac-winbox
add interface=sfp1 list=mactel
add interface=ether10-slave-local list=mac-winbox
add interface=sfp1 list=mac-winbox
/interface ovpn-server server
# OpenVPN server uses certificate my-rtr and requires a client certificate.
# No enabled=yes is shown here and the input rule for port 1194 is disabled,
# so the server is presumably not in use - confirm.
set certificate=my-rtr require-client-certificate=yes
/ip address
add address= comment="default configuration" interface=\
    bridge-local network=
add address= comment="default configuration" interface=\
    bridge-local network=

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=WAN \
/ip dhcp-server network
add address= comment="default configuration" dhcp-option=unifi \
    dns-server= gateway= ntp-server=\,,
/ip dns
# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts. NOTE(review): whether that is reachable from the WAN side depends on
# the input-chain accept rules, several of which are cut off in this listing;
# verify that port 53 is only accepted from the LAN and VPN interfaces.
set allow-remote-requests=yes servers=,
/ip dns static
add address= name=router
add address= name=router
/ip firewall address-list
add comment="IPs that exceeded the connection limit will added to this list" \
add address= list=fasttrack

/ip firewall filter
# Rules are evaluated top to bottom per chain; the first match wins.
# NOTE(review): many rules below end in a continuation backslash with the rest
# missing, so their interface, address or state matchers cannot be checked
# from this listing.
# "Test purposes" is the first input rule and accepts everything from one
# source address (value cut off); remove it once testing is finished.
add action=accept chain=input comment="Test purposes" src-address=\
add action=drop chain=input comment="Drop invalid packets" connection-state=\
add action=accept chain=input comment=ping protocol=icmp
# Management access on TCP 22, 8291, 8728 and 80, limited to the
# host_trusted_ips address list. 8728 and 80 are presumably the plaintext API
# and HTTP services - confirm they are needed at all.
add action=accept chain=input comment="Incoming SSH, winbox from trusted ips" \
    dst-port=22,8291,8728,80 protocol=tcp src-address-list=host_trusted_ips
# NOTE(review): this rule reuses the "from trusted ips" comment but has no
# src-address-list, so TCP 8888 on the router is accepted from any source.
add action=accept chain=input comment="Incoming SSH, winbox from trusted ips" \
    dst-port=8888 protocol=tcp
add action=accept chain=input comment=openvpn disabled=yes dst-port=1194 \
add action=accept chain=input comment="L2TP over IPsec" dst-port=\
    500,4500,1701 protocol=udp
# This ESP rule and the UDP 500/4500/1701 rule above admit IKE, NAT-T, L2TP
# and ESP from any source. NOTE(review): 1701 is accepted whether or not the
# packet arrived inside IPsec; consider matching it with ipsec-policy=in,ipsec.
add action=accept chain=input comment="L2TP over IPsec" protocol=ipsec-esp
add action=accept chain=input comment=\
    "Accept established and related connections" connection-state=\
add action=accept chain=input comment="Accept all from inside" in-interface=\
add action=accept chain=input comment="Accept all from VPN" in-interface=\
add action=drop chain=input comment="Drop all"
# Forward chain starts here.
add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid log-prefix=dropped
add action=drop chain=forward comment="Block outgoing port" disabled=yes \
    dst-port=2323 in-interface=bridge-local protocol=tcp
# Adds the source of a TCP SYN to connection_limit_exceeded for one day when
# connection-limit=700,32 matches. A log-prefix is set, but no log=yes is
# shown, so this may only populate the list without logging - confirm.
add action=add-src-to-address-list address-list=connection_limit_exceeded \
    address-list-timeout=1d chain=forward comment=\
    "log_ limit connections per ip" connection-limit=700,32 log-prefix=\
    CONN_LIMIT: protocol=tcp tcp-flags=syn
# The enforcing counterpart is disabled, so the limit is recorded, not applied.
add action=drop chain=forward comment="Limit connections per ip" \
    connection-limit=700,32 disabled=yes protocol=tcp tcp-flags=""
# FastTrack for established/related connections. NOTE(review): fasttracked
# packets skip most later processing (filter rules, queues and similar), so a
# drop or test rule further down may appear not to fire for them.
add action=fasttrack-connection chain=forward connection-mark=\
    low_pri_interactive_conn connection-state=established,related
add action=fasttrack-connection chain=forward comment=\
    "FastTrack from these IPs" connection-state=established,related \
add action=accept chain=forward comment="Allow dstnat port forward rules" \
add action=accept chain=forward comment=\
    "Accept established and related connections" connection-state=\
add action=accept chain=forward comment="Accept inside" in-interface=\
add action=accept chain=forward comment="Accept from VPN" in-interface=\
add action=drop chain=forward comment="Drop all"
# Placed after the forward "Drop all" rule directly above, which has no
# matchers, so this rule can never match.
add action=accept chain=forward connection-state=established,related

/ip firewall nat
# Source NAT: the masquerade rule's matchers are cut off in this listing.
# Destination NAT: TCP 9000 arriving on WAN is forwarded to port 3389 (RDP, per
# the rule comment) on an internal host whose address is not shown.
# NOTE(review): no source restriction is visible on the dst-nat rule, so RDP is
# reachable from any Internet address on port 9000. Limiting it with a
# src-address-list, or reaching the host over the VPN instead, would reduce
# that exposure.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
add action=dst-nat chain=dstnat comment=rdp dst-port=9000 in-interface=WAN \
    protocol=tcp to-addresses= to-ports=3389

/ip ipsec peer
# Responder-only (passive=yes) peer for L2TP/IPsec clients, authenticated with
# a pre-shared key; "pass" is presumably a placeholder substituted before
# posting. Policies are generated per connecting client.
# NOTE(review): generate-policy=port-override is documented as forcing the
# generated policy to any port. If so, while a client is connected the dynamic
# policy would cover all UDP between this router's WAN address and the
# client's public (NAT) address, not only L2TP on 1701. That would fit the
# symptom in the post (UDP to the same remote network stops, TCP continues).
# Inspect the dynamic entries under "/ip ipsec policy" while a client is
# connected, and compare with generate-policy=port-strict - verify.
# NOTE(review): the L2TP server also has use-ipsec=yes, which presumably adds
# its own dynamic peer; confirm the two do not overlap.
add address= exchange-mode=main-l2tp generate-policy=port-override \
    passive=yes profile=profile_1 secret=pass
/ip ipsec policy
# Entry 0 is disabled; a new template using L2TP-Proposal is added instead.
# The last (static) policy is cut off in this listing.
set 0 disabled=yes
add proposal=L2TP-Proposal template=yes
add dst-address= proposal=L2TP-Proposal src-address= \

/ppp secret
# Per-user VPN accounts. Three use l2tp-profile (service value cut off); the
# "telenet" account uses the bridged TelenetVPN profile with fixed local and
# remote addresses (values not shown).
# password=pass is presumably a placeholder substituted before posting; real
# exports contain these secrets in clear text and should be sanitised the same
# way before sharing.
add name="syl" password=pass profile=l2tp-profile service=\
add name="greg" password=pass profile=l2tp-profile service=\
add name="gre" password=pass profile=l2tp-profile service=\
add local-address= name=telenet password=pass profile=\
    TelenetVPN remote-address=
/system clock
set time-zone-name=Europe/Brussels
/system logging
# An l2tp logging rule exists but is disabled. Enabling it (and an ipsec topic)
# while reproducing the problem would show what happens when the client
# connects.
add disabled=yes topics=l2tp
/system ntp client
set enabled=yes primary-ntp= secondary-ntp= \

/tool graphing
set store-every=hour
/tool graphing interface
add interface=WAN
/tool graphing resource
add store-on-disk=no
/tool mac-server
# MAC-Telnet is limited to interfaces in the "mactel" list.
set allowed-interface-list=mactel
/tool mac-server mac-winbox
# MAC-Winbox is limited to interfaces in the "mac-winbox" list.
set allowed-interface-list=mac-winbox
