stefin31
just joined
Topic Author
Posts: 2
Joined: Thu Jan 10, 2019 9:10 pm

RB2011 configuration question

Thu Jan 10, 2019 9:48 pm

Hi, (new to the forum)

We have been using a MikroTik RB2011 for the last couple of years without fault, but have recently changed broadband provider and moved to an FTTC line, so had to switch modem as well (in bridged mode). Since changing over the broadband and changing the PPPoE setting to reflect the new connection and new fixed IP, we are getting an issue whereby the L2TP VPN we previously had set up no longer works.
As far as I can tell I have changed all rules to reflect the new external IP, but for some reason we are still not getting any connections. I have also tried opening ports using NAT rules and then running external port scans, with the results not showing as being open.

I was wondering if you can tell me whether anyone has experienced something similar and what settings I should check over?
I can post an exported config if that helps.
 
CZFan
Forum Guru
Posts: 1140
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa

Re: RB2011 configuration question

Sat Jan 12, 2019 8:45 pm

Is this a site-to-site VPN or road warrior (Traveling users) VPN?

If it is a road warrior setup, it depends on your firewall rules, but generally there should not be any changes required on the router, only on the clients, to point them to the new IP / FQDN.

Provide a full export: /export file=whateverfilename hide-sensitive
MTCNA, MTCTCE, MTCRE & MTCINE
 
stefin31
just joined
Topic Author
Posts: 2
Joined: Thu Jan 10, 2019 9:10 pm

Re: RB2011 configuration question

Sat Jan 12, 2019 9:10 pm

Hi, many thanks for your response.

It is a road warrior client we are looking to use.

Please see below the requested export.
Upon viewing the below configuration, if there are any glaring issues or recommended modifications I would be grateful for pointers and help in this matter.

# jan/11/2019 09:24:56 by RouterOS 6.37.1
# software id = ZJN7-AV1Q
#
/interface bridge
add admin-mac=6C:3B:6B:09:84:3E auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] name=ether6-master
set [ find default-name=ether7 ] master-port=ether6-master
set [ find default-name=ether8 ] master-port=ether6-master
set [ find default-name=ether9 ] master-port=ether6-master
set [ find default-name=ether10 ] master-port=ether6-master
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=chl2@a.1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country="united kingdom" disabled=no distance=indoors frequency=auto \
mode=ap-bridge ssid=Conatus-mikrotik wireless-protocol=802.11
/ip neighbor discovery
set ether1 discover=no
set bridge comment=defconf
/interface wireless
add mac-address=6E:3B:6B:09:84:47 master-interface=wlan1 mode=ap-bridge name=\
Conatus_guest ssid=conatus_guest vlan-id=3 wds-default-bridge=bridge \
wps-mode=disabled
/interface vlan
add disabled=yes interface=Conatus_guest loop-protect-disable-time=0s \
loop-protect-send-interval=0s name=vlan1-guest vlan-id=2
/interface list
add name=internal
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\
tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,3des pfs-group=none
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
lifetime=50m name=L2tp-proposal pfs-group=none
/ip pool
add name=dhcp ranges=172.16.1.10-172.16.1.200
add name=VPN-pool ranges=172.16.2.100-172.16.2.160
add name=guest-pool ranges=172.16.2.10-172.16.2.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=40m name=\
defconf
add address-pool=guest-pool always-broadcast=yes interface=vlan1-guest \
lease-time=1h10m name=guest-dhcp
/ppp profile
add change-tcp-mss=yes local-address=dhcp name="L2tp-in Profile" \
remote-address=VPN-pool use-encryption=required
set *FFFFFFFE dns-server=8.8.8.8 remote-address=VPN-pool
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf interface=ether6-master
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge comment=defconf interface=wlan1
/interface l2tp-server server
set authentication=mschap1,mschap2 enabled=yes keepalive-timeout=disabled \
max-mru=1460 max-mtu=1460 max-sessions=10 use-ipsec=yes
/interface list member
add interface=ether1 list=internal
/ip address
add address=172.16.1.1/24 comment=defconf interface=ether2-master network=\
172.16.1.0
add address=172.16.2.1/24 disabled=yes interface=vlan1-guest network=\
172.16.2.0
add address=217.169.14.163 interface=pppoe-out1 network=217.169.14.163
/ip arp
add address=172.16.1.5 interface=bridge mac-address=00:15:17:E5:25:30
add address=172.16.1.82 interface=bridge mac-address=D0:27:88:92:D9:C0
add address=172.16.1.163 interface=bridge mac-address=00:15:65:1A:79:41
add address=172.16.1.164 interface=bridge mac-address=00:15:65:1E:4F:74
add address=172.16.1.165 interface=bridge mac-address=00:15:65:1A:73:BD
add address=172.16.1.167 interface=bridge mac-address=A0:99:9B:18:E4:39
add address=172.16.1.22 interface=bridge mac-address=8C:EC:4B:57:35:D4
add address=172.16.1.202 interface=bridge mac-address=74:03:BD:05:7E:53
add address=172.16.1.33 interface=bridge mac-address=18:60:24:68:10:83
add address=172.16.1.12 interface=bridge mac-address=74:DA:38:D0:E7:A2
add address=172.16.1.16 interface=bridge mac-address=44:03:2C:F2:27:A9
add address=172.16.1.24 interface=bridge mac-address=BC:A8:A6:C3:DD:95
add address=172.16.1.103 interface=bridge mac-address=00:04:13:83:19:F8
add address=172.16.1.17 interface=bridge mac-address=00:04:13:8E:24:0C
add address=172.16.1.53 interface=bridge mac-address=00:15:65:6E:ED:E6
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server lease
add address=172.16.1.21 client-id=1:18:60:24:68:10:82 mac-address=\
18:60:24:68:10:82 server=defconf
add address=172.16.1.77 client-id=1:b0:4e:26:69:81:39 mac-address=\
B0:4E:26:69:81:39 server=defconf
/ip dhcp-server network
add address=172.16.1.0/24 comment=defconf dns-server=8.8.8.8,8.8.4.4 gateway=\
172.16.1.1 netmask=24
add address=172.16.2.0/24 dns-server=172.16.1.1 gateway=172.16.1.1
/ip dns static
add address=172.16.1.1 name=router
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=accept chain=forward connection-state=established,related
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=pppoe-out1
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-address=217.169.14.163 \
dst-port=25 protocol=tcp to-addresses=172.16.1.5 to-ports=25
add action=dst-nat chain=dstnat dst-address=172.16.1.202 dst-port=22022 \
protocol=tcp src-address=217.169.14.163 to-addresses=172.16.1.202
add action=dst-nat chain=dstnat disabled=yes dst-address=217.169.14.163 \
dst-port=993 protocol=tcp to-addresses=172.16.1.5 to-ports=993
add action=dst-nat chain=dstnat disabled=yes dst-address=217.169.14.163 \
dst-port=143 protocol=tcp to-addresses=172.16.1.5 to-ports=143
add action=accept chain=dstnat disabled=yes dst-port=53 protocol=tcp \
src-address=37.157.54.2
add action=accept chain=dstnat disabled=yes dst-address=172.16.1.1 dst-port=\
1701 protocol=udp
add action=accept chain=dstnat disabled=yes dst-address=172.16.1.1 dst-port=\
500,4500 protocol=udp
add action=accept chain=dstnat disabled=yes dst-address=172.16.1.5 dst-port=\
3269 protocol=tcp
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=pppoe-out1
add action=masquerade chain=srcnat disabled=yes dst-address=172.16.1.5 \
dst-port=443 protocol=tcp src-address=172.16.1.0/24
add action=masquerade chain=srcnat disabled=yes dst-address=172.16.1.202 \
dst-port=22 protocol=tcp
/ip firewall service-port
set ftp disabled=yes
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=aes-256,aes-128,3des exchange-mode=\
main-l2tp generate-policy=port-override local-address=172.16.1.100 \
passive=yes
/ip ipsec policy
set 0 proposal=L2tp-proposal
/ip route
add distance=1 gateway=pppoe-out1 pref-src=217.169.14.163
/ip service
set www-ssl disabled=no
/lcd interface pages
set 0 interfaces="sfp1,ether1,ether2-master,ether3,ether4,ether5,ether6-master\
,ether7,ether8,ether9,ether10"
/ppp secret
add name=remote profile="L2tp-in Profile" service=l2tp
add name=alastair profile="L2tp-in Profile" service=l2tp
add name=steve profile="L2tp-in Profile" service=l2tp
/system clock
set time-zone-name=Europe/London
/system logging
set 0 disabled=yes
add prefix=ipse topics=ipsec
add topics=ppp
/system routerboard settings
set protected-routerboot=disabled
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=bridge
/tool traffic-monitor
add disabled=yes interface=pppoe-out1 name=tmon1 threshold=0 traffic=received \
trigger=always
 
CZFan
Forum Guru
Posts: 1140
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa

Re: RB2011 configuration question

Sat Jan 12, 2019 11:49 pm

I think the reason for your problem is that the firewall is not allowing the L2TP/IPsec ports before the "add action=drop chain=input in-interface=pppoe-out1" rule, which is kind of a "Drop All" rule, but only for incoming traffic from the WAN/Internet.

You need to add accept rules on the input chain for UDP ports 500, 1701 and 4500 before the above-mentioned rule.

I suggest you also re-look at your config; it is not the best and I suspect you can experience weird / intermittent problems, as is usually the case when a device is not configured properly, or maybe hire a consultant in your area to assist.
MTCNA, MTCTCE, MTCRE & MTCINE
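The ordering problem CZFan points out can be checked mechanically against an export. The script below is an added example, not part of the thread or of RouterOS: it parses the `/ip firewall filter` section of a RouterOS export (joining backslash-continued lines), walks the input chain in order, and reports which of UDP 500/1701/4500 would be discarded by the first catch-all drop for the WAN interface before any accept rule lets them through. The sample export is a constructed excerpt of the input-chain rules posted above.

```python
import re

# Constructed sample: the input-chain rules from the /ip firewall filter section
# posted above, in RouterOS export syntax (backslash line continuations).
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=pppoe-out1
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
"""
L2TP_IPSEC_UDP_PORTS = {500, 1701, 4500}  # IKE, L2TP, IPsec NAT-T
_ARG_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')

def parse_rules(export, section="/ip firewall filter"):
    """Return the 'add' rules of one export section, in order, as dicts."""
    rules, current = [], None
    for line in re.sub(r"\\\n", "", export).splitlines():  # join continued lines
        line = line.strip()
        if line.startswith("/"):  # section header such as "/ip firewall filter"
            current = line
        elif current == section and line.startswith("add "):
            rules.append({k: v.strip('"') for k, v in _ARG_RE.findall(line[4:])})
    return rules

def dst_ports(rule):
    """Expand a dst-port value like "500,4500" or "1700-1702" into a set of ints."""
    ports = set()
    for p in filter(None, rule.get("dst-port", "").split(",")):
        lo, _, hi = p.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def missing_l2tp_ports(export, wan_if="pppoe-out1"):
    """L2TP/IPsec UDP ports the first catch-all WAN input drop would discard."""
    accepted = set()
    for r in parse_rules(export):
        if r.get("chain") != "input":
            continue
        # A drop matching only in-interface=wan_if ends evaluation for WAN traffic;
        # only UDP accepts placed before it count.
        if r.get("action") == "drop" and r.get("in-interface") == wan_if \
                and set(r) <= {"action", "chain", "in-interface", "comment"}:
            return L2TP_IPSEC_UDP_PORTS - accepted
        if r.get("action") == "accept" and r.get("protocol") == "udp":
            accepted |= dst_ports(r)
    return set()  # no catch-all WAN drop on input: nothing here blocks L2TP/IPsec
```

Run against the posted rules it returns all three ports; inserting an accept for UDP 500,1701,4500 above the drop makes it return an empty set.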
 
anav
Forum Guru
Posts: 2227
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RB2011 configuration question

Sun Jan 13, 2019 4:59 am

Yes, the glaring error is that you are using old firmware. Update to 6.43.8.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
