wanton
Posts: 16
Joined: Wed Nov 21, 2018 6:06 pm

L2TP VPN Subnet routing to LAN IPs

Mon Jul 22, 2019 2:09 pm

Hello,

I need help with how to configure my RB 3011UiAS to route connections from external clients through an L2TP VPN tunnel to 2 local IP addresses.

Basically what I need is:
a. To enable a connection from external clients, connecting through our public IP and the VPN tunnel, to a PostgreSQL database set up on a local server (local IP address 192.168.0.100).
b. To enable a connection from external clients, connecting through our public IP and the VPN tunnel, to a Remote Desktop Gateway database set up on a different local server (local IP address 192.168.0.197).

What is done:

The L2TP server has been set up, together with the first 2 profiles. The L2TP VPN server works and I can connect from outside.
The LAN address pool is set to 192.168.0.140 - 185.
The VPN address pool is set to 10.0.1.0 - 10.

What are the boundary conditions?

1. I have 2 ISPs:
a. ADSL modem
b. LTE modem
The static public address is only available through the ADSL modem; it is through this interface that all VPN traffic has to pass through.
The LTE modem receives a dynamic IP address, so it is supposed to act as a bandwidth-increasing failover for connections from the LAN outward.

2. The PCC load balancing you'll see in the code has been configured by me, and it works a beauty so long as the LTE modem is "closer" to the router.
I.e., you'll notice that in the /ip route tab the LTE modem has a distance of 1, whereas the ADSL modem has 2.
This was done because it did not work when it was the other way round; my internet connection kept failing.
The downside of this is that, with this configuration, I have no direct connectivity to the PSQL server or the RDP server regardless of NAT.
To connect to them I have to disable the LTE modem; then I can connect to RDP or PSQL.


3. When connected to the L2TP VPN my computer gets 10.0.1.10 as its IP address.
I can ping the IP address of the router (192.168.0.1) through the L2TP VPN tunnel, but that's about it.
I cannot ping IP addresses from the LAN pool (192.168.0.100, 192.168.0.197 or 192.168.0.140 - 185) and consequently cannot connect to them.

4. I did not configure the VPN; a temp did, to whom I have no access right now. I am a newbie, but I have a little bit of experience in IT, although I do not work on it on a daily basis.


What do I need?

I need to route connections between the subnets 192.168.0.140 - 185 and 10.0.1.0 - 10.
I need to route connections from IP addresses 10.0.1.0 - 10 using port 3389 to IP address 192.168.0.197.
I need to route connections from IP addresses 10.0.1.0 - 10 using port 5432 to IP address 192.168.0.100.

Can you help?

Below is my configuration without the disabled entries and sensitive information.

Regarditos!

/interface bridge
add admin-mac=B8:69:F4:87:45:30 auto-mac=no comment=LAN name=bridge-lan protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full name=ether1-adsl speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full name=ether3-lte speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
[..]
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full

/ip pool
add name=pool-lan ranges=192.168.0.140-192.168.0.185
add name=pool-l2te ranges=10.0.1.0-10.0.1.10

/ip dhcp-server
add address-pool=pool-lan disabled=no interface=bridge-lan lease-time=1h name=dhcp-lan

/ppp profile
add change-tcp-mss=yes dns-server=10.0.1.1 local-address=10.0.1.1 name=l2tp remote-address=pool-l2te use-encryption=yes
add change-tcp-mss=yes dns-server=10.0.1.1 local-address=10.0.1.1 name=ovpn remote-address=pool-l2te use-encryption=yes

/interface bridge port
add bridge=bridge-lan interface=ether7
add bridge=bridge-lan interface=ether8
add bridge=bridge-lan interface=ether9
add bridge=bridge-lan interface=ether10
add bridge=bridge-lan interface=ether6

/interface l2tp-server server
set default-profile=l2tp enabled=yes use-ipsec=required

/interface list member
add interface=ether1-adsl list=WAN
add interface=ether3-lte list=WAN
add interface=bridge-lan list=LAN
add interface=ether6 list=LAN
add interface=ether7 list=LAN
add interface=ether8 list=LAN
add interface=ether9 list=LAN
add interface=ether10 list=LAN

/ip dhcp-server lease
add address=192.168.0.100 mac-address=00:0A:E4:88:AB:4A comment="PostgreSQL database"
add address=192.168.0.197 mac-address=00:15:17:DA:26:D0 comment="RDP Gateway"

/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24

/ip firewall address-list
add address=192.168.0.0/24 list=LAN_VPN
add address=10.0.1.0/24 list=L2TP_VPN
add address=192.168.1.0/24 list=Connected
add address=192.168.2.0/24 list=Connected
add address=192.168.0.0/24 list=Connected

/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input src-address-list=LAN_VPN
add action=accept chain=input src-address-list=Connected
add action=accept chain=input protocol=icmp
add action=accept chain=input port=1022 protocol=tcp
add action=accept chain=input port=1194 protocol=tcp
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=input log=yes protocol=ipsec-esp
add action=drop chain=input
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward src-address-list=LAN_VPN
add action=accept chain=forward src-address-list=Connected
add action=accept chain=forward src-address-list=L2TP_VPN
add action=accept chain=forward connection-nat-state=dstnat in-interface-list=WAN
add action=drop chain=forward
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp

/ip firewall mangle
add action=accept chain=prerouting dst-address-list=Connected src-address-list=Connected
add action=mark-routing chain=prerouting dst-port=110,995,143,993,25,465,587 new-routing-mark=LTE-Route passthrough=yes protocol=tcp
add action=mark-connection chain=prerouting dst-port=500,4500,1701 new-connection-mark=ADSL passthrough=yes protocol=udp
add action=mark-routing chain=prerouting new-routing-mark=ADSL-Route passthrough=yes protocol=udp src-port=500,4500,1701
add action=accept chain=prerouting connection-state="" log=yes src-address=10.0.1.0/24 src-address-list=L2TP_VPN
add action=accept chain=prerouting dst-address=192.168.1.0/24

add action=mark-connection chain=prerouting comment="Per Connection Classifier Load Balancing - Per Steve Discher" connection-mark=no-mark dst-address-type=!local in-interface=bridge-lan new-connection-mark=ADSL passthrough=yes per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge-lan new-connection-mark=LTE passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=ADSL in-interface=bridge-lan new-routing-mark=ADSL-Route passthrough=yes
add action=mark-routing chain=prerouting connection-mark=LTE in-interface=bridge-lan new-routing-mark=LTE-Route passthrough=yes
add action=mark-routing chain=output connection-mark=ADSL new-routing-mark=ADSL-Route passthrough=yes
add action=mark-routing chain=output connection-mark=LTE new-routing-mark=LTE-Route passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1-adsl new-connection-mark=ADSL passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether3-lte new-connection-mark=LTE passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1-adsl src-address-list=LAN_VPN
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether3-lte src-address-list=LAN_VPN
add action=dst-nat chain=dstnat connection-mark=ADSL dst-port=3389 protocol=tcp routing-mark=ADSL-Route src-address=46.175.47.252 to-addresses=192.168.0.197 to-ports=3389
add action=dst-nat chain=dstnat dst-port=5432 protocol=tcp src-address=46.175.47.252 to-addresses=192.168.0.100 to-ports=5432

add action=dst-nat chain=dstnat dst-port=8282 in-interface=ether1-adsl protocol=tcp to-addresses=192.168.0.80 to-ports=8282

/ip route
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=LTE-Route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=ADSL-Route

add check-gateway=ping distance=1 gateway=192.168.2.1 pref-src=192.168.2.2
add check-gateway=ping distance=2 gateway=192.168.1.1 pref-src=192.168.1.2 comment="distance to ADSL modem = 2"

/ppp secret
add name=serafin profile=l2tp service=l2tp
add name=wantondude profile=l2tp service=l2tp
add name=lukus profile=l2tp service=l2tp
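Added example, not part of the post above and not the poster's configuration. It shows the two RouterOS pieces a practitioner would check for the symptoms described: keeping LAN-to-VPN replies out of the PCC classifier, and opening only the two required services from the L2TP pool instead of a blanket accept. It assumes that replies from 192.168.0.100 and 192.168.0.197 to 10.0.1.x enter the router on bridge-lan and therefore match the posted PCC mark-connection rules (connection-mark=no-mark, in-interface=bridge-lan, dst-address-type=!local), which would route them out a WAN gateway rather than back into the tunnel. The address-list names and host addresses are taken from the posted config; the rule positions (place-before) and the choice to drop everything else from the VPN are assumptions to verify against the live rule order.

```routeros
# Added example (not the poster's config). Assumption: replies from LAN
# hosts to L2TP clients are being PCC-marked on bridge-lan and sent out a
# WAN route instead of back through the tunnel.

# 1. Exempt LAN <-> L2TP-pool traffic from the PCC classifier.
#    Option A: put the L2TP pool into the "Connected" list, so the existing
#    first mangle rule (accept Connected -> Connected) already covers it.
/ip firewall address-list
add address=10.0.1.0/24 list=Connected comment="L2TP pool; skip PCC for LAN<->VPN"

#    Option B: an explicit accept placed at the top of prerouting, before the
#    "Per Connection Classifier" mark-connection rules (position 0 assumed;
#    confirm with: /ip firewall mangle print).
/ip firewall mangle
add chain=prerouting action=accept in-interface=bridge-lan dst-address=10.0.1.0/24 \
    comment="Replies to L2TP clients must not be PCC-marked" place-before=0

# 2. Least privilege in the forward chain: allow only the two services from
#    the VPN pool, then drop the rest. These are meant to replace the posted
#    blanket rule "accept chain=forward src-address-list=L2TP_VPN"; disable
#    that rule, or place these three above it, so the drop is reached.
/ip firewall filter
add chain=forward action=accept src-address-list=L2TP_VPN dst-address=192.168.0.197 \
    protocol=tcp dst-port=3389 comment="VPN -> RDP Gateway"
add chain=forward action=accept src-address-list=L2TP_VPN dst-address=192.168.0.100 \
    protocol=tcp dst-port=5432 comment="VPN -> PostgreSQL"
add chain=forward action=drop src-address-list=L2TP_VPN \
    comment="VPN clients reach nothing else on the LAN"
```

With either option in place, a quick check from a connected client is a TCP connection test to 192.168.0.197:3389 and 192.168.0.100:5432 (and confirming that other LAN hosts are no longer reachable from the pool); on the router, /ip firewall connection print with src-address matching 10.0.1.0/24 shows whether the reply packets now stay unmarked. Note that the established,related accept and fasttrack rules in the posted forward chain come before the per-service rules, so only the first packet of each new connection is evaluated against them.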
