
just joined
Topic Author
Posts: 16
Joined: Wed Nov 21, 2018 6:06 pm

L2TP VPN Subnet routing to LAN IPs

Mon Jul 22, 2019 2:09 pm


I need help with configuring my RB 3011UiAS to route connections from external clients through an L2TP VPN tunnel to 2 local IP addresses.

Basically what I need is:
a. To enable a connection from external clients connecting through our public IP through the VPN tunnel to a PostgreSQL database, set up on a local server (local IP address
b. To enable a connection from external clients connecting through our public IP through the VPN tunnel to a Remote Desktop Gateway database, set up on a different local server (local IP address

What is done!

The L2TP server has been set up, together with the first 2 profiles. The L2TP VPN server works and I can connect from outside.
The LAN address pool is set to - 185.
The VPN address pool is set to - 10.

What are the boundary conditions ?

1. I have 2 ISPs -
a. ADSL modem
b. LTE modem
The static public address is only available through the ADSL modem; it is through this interface that all VPN traffic has to pass.
The LTE modem receives a dynamic IP address, so it is supposed to act as a bandwidth-increasing failover for connections from the LAN outward.

2. The PCC load balancing you'll see in the code was configured by me, and it works a beauty so long as the LTE modem is "closer" to the router.
I.e. you'll notice that in the /ip route tab the LTE modem has a distance of 1, whereas the ADSL modem has 2.
This was done because it did not work when it was the other way round; my internet connection kept failing.
The downside of this is that, with this configuration, I have no direct connectivity to the PSQL server or the RDP server regardless of NAT.
To connect to them I have to disable the LTE modem; then I can connect to RDP or PSQL.

When connected to the L2TP VPN my computer gets as its IP address.
I can ping the IP address of the router ( through the L2TP VPN tunnel, but that's about it.
I cannot ping IP addresses from the LAN pool or - 185 and consequently cannot connect to them.

4. I did not configure the VPN, a temp did, to whom I have no access right now. I am a newbie, but I have a little bit of experience in IT although I do not work on it on a daily basis.

What do I need ?

I need to route connections between the subnets - 185 and - 10.
I need to route connections from IP address - 10 using port 3389 to IP address
I need to route connections from IP address - 10 using port 5432 to IP address

Can You help ?

Below is my configuration without the disabled entries and sensitive information.

Regarditos !
/interface bridge
add admin-mac=B8:69:F4:87:45:30 auto-mac=no comment=LAN name=bridge-lan protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full name=ether1-adsl speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full name=ether3-lte speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full

/ip pool
add name=pool-lan ranges=
add name=pool-l2te ranges=

/ip dhcp-server
add address-pool=pool-lan disabled=no interface=bridge-lan lease-time=1h name=dhcp-lan

/ppp profile
add change-tcp-mss=yes dns-server= local-address= name=l2tp remote-address=pool-l2te use-encryption=yes
add change-tcp-mss=yes dns-server= local-address= name=ovpn remote-address=pool-l2te use-encryption=yes

/interface bridge port
add bridge=bridge-lan interface=ether7
add bridge=bridge-lan interface=ether8
add bridge=bridge-lan interface=ether9
add bridge=bridge-lan interface=ether10
add bridge=bridge-lan interface=ether6

/interface l2tp-server server
set default-profile=l2tp enabled=yes use-ipsec=required

/interface list member
add interface=ether1-adsl list=WAN
add interface=ether3-lte list=WAN
add interface=bridge-lan list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN

/ip dhcp-server lease
add address= mac-address=00:0A:E4:88:AB:4A comment="PostgreSQL database"
add address= mac-address=00:15:17:DA:26:D0 comment="RDP Gateway"

/ip dhcp-server network
add address= dns-server= gateway= netmask=24

/ip firewall address-list
add address= list=LAN_VPN
add address= list=L2TP_VPN
add address= list=Connected
add address= list=Connected
add address= list=Connected

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input src-address-list=LAN_VPN
add action=accept chain=input src-address-list=Connected
add action=accept chain=input protocol=icmp
add action=accept chain=input port=1022 protocol=tcp
add action=accept chain=input port=1194 protocol=tcp
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=input log=yes protocol=ipsec-esp
add action=drop chain=input
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward src-address-list=LAN_VPN
add action=accept chain=forward src-address-list=Connected
add action=accept chain=forward src-address-list=L2TP_VPN
add action=accept chain=forward connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=forward
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp

/ip firewall mangle
add action=accept chain=prerouting dst-address-list=Connected src-address-list=Connected
add action=mark-routing chain=prerouting dst-port=110,995,143,993,25,465,587 new-routing-mark=LTE-Route passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-port=500,4500,1701 new-connection-mark=ADSL passthrough=yes protocol=udp
add action=mark-routing chain=prerouting new-routing-mark=ADSL-Route passthrough=yes protocol=udp src-port=500,4500,1701
add action=accept chain=prerouting connection-state="" log=yes src-address= src-address-list=L2TP_VPN
add action=accept chain=prerouting dst-address=

add action=mark-connection chain=prerouting comment="Per Connection Classifier Load Balancing - Per Steve Discher" connection-mark=no-mark dst-address-type=!local in-interface=bridge-lan new-connection-mark=ADSL passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-lan new-connection-mark=LTE passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=ADSL in-interface=bridge-lan new-routing-mark=ADSL-Route passthrough=yes
add action=mark-routing chain=prerouting connection-mark=LTE in-interface=bridge-lan new-routing-mark=LTE-Route passthrough=yes
add action=mark-routing chain=output connection-mark=ADSL new-routing-mark=ADSL-Route passthrough=yes
add action=mark-routing chain=output connection-mark=LTE new-routing-mark=LTE-Route passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1-adsl new-connection-mark=ADSL passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether3-lte new-connection-mark=LTE passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1-adsl src-address-list=LAN_VPN
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether3-lte src-address-list=LAN_VPN
add action=dst-nat chain=dstnat connection-mark=ADSL dst-port=3389 protocol=tcp routing-mark=ADSL-Route src-address= to-addresses= to-ports=3389
add action=dst-nat chain=dstnat dst-port=5432 protocol=tcp src-address= to-addresses= to-ports=5432

add action=dst-nat chain=dstnat dst-port=8282 in-interface=ether1-adsl protocol=tcp to-addresses= to-ports=8282

/ip route
add check-gateway=ping distance=1 gateway= routing-mark=LTE-Route
add check-gateway=ping distance=1 gateway= routing-mark=ADSL-Route

add check-gateway=ping distance=1 gateway= pref-src=
add check-gateway=ping distance=2 gateway= pref-src= comment="distance to ADSL modem = 2"

/ppp secret
add name=serafin profile=l2tp service=l2tp
add name=wantondude profile=l2tp service=l2tp
add name=lukus profile=l2tp service=l2tp
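As an added example (not the poster's configuration and not an official MikroTik recipe), this is how I would express the two requirements from the post in RouterOS terms, and where I would look first for the "can ping the router but nothing on the LAN" symptom. The addresses are placeholders because the real ranges are redacted in the post: 192.0.2.0/24 stands for the LAN pool ("- 185"), 10.0.0.0/24 for the L2TP pool ("- 10"), 192.0.2.10 for the PostgreSQL host and 192.0.2.20 for the RDP gateway. It assumes RouterOS v6 behaviour, where the PCC rules' `dst-address-type=!local in-interface=bridge-lan` match does not exclude VPN client addresses (they are routed, not local), so replies from a LAN host to a VPN client get a connection mark and then a routing mark whose table only holds a WAN default route; exempting LAN-to-VPN traffic from the mangle chain before the PCC rules is the usual fix. It also assumes that over a VPN no dst-nat is needed at all, since a client can address the LAN host directly once routing works, which lets the forward chain be narrowed to just the two services instead of the whole LAN.

```routeros
# Added example, not the original post's config. Placeholder addresses:
#   192.0.2.0/24 = LAN pool ("- 185" in the post), 10.0.0.0/24 = L2TP pool ("- 10")
#   192.0.2.10   = PostgreSQL server, 192.0.2.20 = RDP gateway
# Replace with the real ranges before use.

/ip firewall address-list
add address=192.0.2.0/24 list=LAN_VPN
add address=10.0.0.0/24 list=L2TP_VPN

# 1. Keep the PCC rules away from LAN <-> VPN traffic. These accept rules
#    go to the top of the prerouting mangle chain (place-before=0), so a
#    reply from 192.0.2.10 to a VPN client is never connection-marked and
#    follows the main table's /32 route for that client instead of a
#    WAN default route.
/ip firewall mangle
add chain=prerouting action=accept src-address-list=LAN_VPN dst-address-list=L2TP_VPN place-before=0 comment="LAN -> VPN clients: no PCC"
add chain=prerouting action=accept src-address-list=L2TP_VPN dst-address-list=LAN_VPN place-before=0 comment="VPN clients -> LAN: no PCC"

# 2. Least privilege for VPN clients: only the two services the post asks for.
#    Put these in place of the existing broad
#    "accept chain=forward src-address-list=L2TP_VPN" rule; the
#    established,related accept above them handles the return traffic.
/ip firewall filter
add chain=forward action=accept src-address-list=L2TP_VPN dst-address=192.0.2.10 protocol=tcp dst-port=5432 comment="VPN -> PostgreSQL"
add chain=forward action=accept src-address-list=L2TP_VPN dst-address=192.0.2.20 protocol=tcp dst-port=3389 comment="VPN -> RDP gateway"
add chain=forward action=drop src-address-list=L2TP_VPN comment="VPN -> anything else on the LAN"
```

To confirm whether the PCC marking is really what breaks the return path, connect a VPN client, try to reach the PostgreSQL host, and then run `/ip firewall connection print detail where dst-address~"^10\\.0\\.0\\."` on the router: if the connection carries a connection-mark of ADSL or LTE, the replies are being pushed into one of the marked routing tables and the accept rules above are the fix; if it carries no mark, the problem is elsewhere (for instance the forward chain or the address-list contents). The dst-nat rules in the post that match `src-address=` of the VPN pool are not needed for VPN clients once this works, because they reach the LAN hosts by their real addresses.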
