

L2tp VPN Network with Vlan

Mon Aug 05, 2019 4:43 pm

Hello guys,

I need help. I have a network that uses VLANs, as described below. I have a trunk port carrying the VLANs, connected to a Layer 2 switch, and that part is working correctly.

The problem is that I cannot get users who are connected to the VPN to reach the other equipment on the network, such as servers and printers.

Can you please advise? The router config is below.

# aug/05/2019 11:56:21 by RouterOS 6.45.3
# software id = AMF3-4SIC
# model = CCR1009-7G-1C-1S+
# serial number =
# Interface layer: six bridges, the physical ports, one static L2TP server
# binding and the four VLANs carried on Bridge-TRUNK.
# NOTE(review): arp=proxy-arp is set on every bridge here and on every VLAN
# below. With proxy-ARP the router answers ARP requests on behalf of hosts
# behind other interfaces, which weakens the separation between segments.
# For L2TP clients it is normally needed only on the LAN interface whose
# subnet the VPN pool shares; the pool ranges are blank in this paste, so
# confirm which interface that is and set the rest back to arp=enabled.
/interface bridge
add arp=proxy-arp name=BRIDGE-IP192
add arp=proxy-arp name=Bridge-ALUNO-1914
add arp=proxy-arp name=Bridge-CORPORATE-1910
add arp=proxy-arp name=Bridge-MANAGEMENT-1916
add arp=proxy-arp name=Bridge-TRUNK
add arp=proxy-arp name=Bridge-VOIP-1912
/interface ethernet
set [ find default-name=ether2 ] name=ETH2-FUJITSU-SERVER
set [ find default-name=ether7 ] arp=proxy-arp name=ETH7-ROUTER-DRAYTEK
# NOTE(review): the continuation of the combo1 line is missing from the paste;
# the name is presumably TRUNK-PORT-SFP, the port added to Bridge-TRUNK under
# /interface bridge port - confirm.
set [ find default-name=combo1 ] arp=proxy-arp combo-mode=sfp name=\
set [ find default-name=ether1 ] name=WAN-MEO
set [ find default-name=ether4 ] arp=proxy-arp
set [ find default-name=sfp-sfpplus1 ] disabled=yes
# Static server binding: a named interface "kevin" tied to the PPP user
# "kevin", so rules can reference that user's tunnel by interface name.
/interface l2tp-server
add name=kevin user=kevin
/interface vlan
# The four VLAN interfaces sit on Bridge-TRUNK. The vlan-id values for the
# CORPORATE and MANAGEMENT entries were cut off in the paste (the lines end in
# a continuation backslash with nothing after it); the interface names suggest
# 1910 and 1916 - confirm.
add arp=proxy-arp interface=Bridge-TRUNK name=VLAN-1910-CORPORATE vlan-id=\
add arp=proxy-arp interface=Bridge-TRUNK name=VLAN-1912-VOIP vlan-id=1912
add arp=proxy-arp interface=Bridge-TRUNK name=VLAN-1914-ALUNO vlan-id=1914
add arp=proxy-arp interface=Bridge-TRUNK name=VLAN-1916-MANAGEMENT vlan-id=\
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IPsec peer, phase 1 profile and phase 2 proposal behind the L2TP/IPsec VPN.
# NOTE(review): the "unreachable" line is an annotation written by the router
# at export time. The manual passive peer may be shadowed by the dynamic peer
# that the L2TP server creates when use-ipsec is enabled - verify, and remove
# whichever of the two is not intended.
/ip ipsec peer
# This entry is unreachable
add name=l2tpserver passive=yes
/ip ipsec profile
# NOTE(review): modp1024 is a 1024-bit Diffie-Hellman group and is no longer
# considered adequate for key exchange; prefer modp2048 or larger if every
# VPN client supports it.
set [ find default=yes ] dh-group=modp1024
/ip ipsec proposal
# NOTE(review): 3des is a legacy cipher; an AES option such as aes-256-cbc is
# the usual choice where the clients allow it.
set [ find default=yes ] enc-algorithms=3des
# Address pools, DHCP servers, the PPP profile handed to VPN users, bridge
# membership and the L2TP server itself. Pool ranges, the profile's
# dns-server and its local-address are blank in this paste (apparently
# redacted), so whether the VPN pool overlaps a LAN subnet cannot be told
# from here.
/ip pool
add name=POOL-CORPORATE ranges=
add name=dhcp_pool1 ranges=
add name=POOL-VPN-USERS ranges=
/ip dhcp-server
add address-pool=POOL-CORPORATE disabled=no interface=VLAN-1910-CORPORATE \
lease-time=1h name=DHCP-CORPORATE
add address-pool=dhcp_pool1 disabled=no interface=BRIDGE-IP192 name=dhcp1
# VPN users receive their address from POOL-VPN-USERS through this profile.
/ppp profile
add dns-server= local-address= name=\
VPN-USER-CORPORATE remote-address=POOL-VPN-USERS use-encryption=yes
# Only Bridge-TRUNK and BRIDGE-IP192 get member ports here; the other four
# bridges defined under /interface bridge have no ports in this export.
/interface bridge port
add bridge=Bridge-TRUNK interface=TRUNK-PORT-SFP
add bridge=BRIDGE-IP192 interface=ether5
add bridge=BRIDGE-IP192 interface=ether6
# NOTE(review): two hardening points on the server line below.
#  - mschap1 (MS-CHAPv1) is a broken authentication method; keep mschap2 only.
#  - use-ipsec=yes still accepts plain, unencrypted L2TP sessions, and the
#    input chain opens UDP 1701 on WAN-MEO without requiring IPsec;
#    use-ipsec=required refuses sessions that are not wrapped in IPsec.
# No ipsec-secret appears in the paste - presumably removed before posting.
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=VPN-USER-CORPORATE \
enabled=yes use-ipsec=yes
# Layer 3 addressing, dynamic DNS, WAN DHCP client, DHCP networks, DNS and the
# Bogon address list. Every address value is blank in this paste.
# NOTE(review): only VLAN-1910-CORPORATE and BRIDGE-IP192 receive an address
# here. VLAN-1912-VOIP, VLAN-1914-ALUNO and VLAN-1916-MANAGEMENT have none in
# this export, so unless lines were removed the router has no connected route
# into those VLANs and VPN clients cannot be routed to them.
/ip address
add address= interface=VLAN-1910-CORPORATE network=
add address= interface=BRIDGE-IP192 network=
# Registers the router's public address with MikroTik's cloud DDNS service
# every 10 minutes.
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=WAN-MEO
# The first network entry is cut off after its continuation backslash.
/ip dhcp-server network
add address= dns-server= domain=XXXX.local \
add address= gateway=
# NOTE(review): allow-remote-requests=yes makes the router a DNS resolver for
# anyone who can reach it. The input chain contains an "Allow UDP" rule with
# no interface or source restriction, so as pasted UDP 53 is answered on
# WAN-MEO too (an open resolver). Limit DNS to the LAN and VPN interfaces in
# the input chain.
/ip dns
set allow-remote-requests=yes servers=
/ip dns static
add address= regexp=XXXX
# NOTE(review): no visible filter rule references list=Bogon; several rule
# lines are truncated in the paste, so confirm whether the list is used.
/ip firewall address-list
add address= list=Bogon
add address= disabled=yes list=Bogon
add address= list=Bogon
add address= list=Bogon
add address= list=Bogon
add address= list=Bogon
/ip firewall filter
# Input chain (traffic addressed to the router itself), evaluated top to
# bottom and ending in "Drop Input". The first rule's matcher was cut off
# after the continuation backslash.
add action=accept chain=input comment="Accept Established / Related Input" \
add action=accept chain=input comment=\
"Allow Management Input -" src-address=
# NOTE(review): this rule accepts every UDP packet on every interface,
# WAN-MEO included. It makes the three port-specific VPN rules below redundant
# and exposes any UDP service on the router (DNS, since allow-remote-requests
# is on) to the Internet. Remove it, or restrict it with in-interface or
# src-address to the trusted side.
add action=accept chain=input comment="Allow UDP" protocol=udp
add action=accept chain=input comment="Allow ICMP" protocol=icmp
# IKE (500), L2TP (1701) and NAT-T (4500) from the WAN. Port 1701 is reachable
# here without any IPsec requirement.
add action=accept chain=input comment="VPN L2TP UDP 500" dst-port=500 \
in-interface=WAN-MEO protocol=udp
add action=accept chain=input comment="VPN L2TP UDP 1701" dst-port=1701 \
in-interface=WAN-MEO protocol=udp
add action=accept chain=input comment="VPN L2TP 4500" dst-port=4500 \
in-interface=WAN-MEO protocol=udp
# NOTE(review): the protocol matcher of the next two rules is missing from the
# paste (presumably protocol=ipsec-esp and protocol=ipsec-ah). Confirm on the
# router: without it each rule would accept all traffic arriving on WAN-MEO.
add action=accept chain=input comment="VPN L2TP ESP" in-interface=WAN-MEO \
add action=accept chain=input comment="VPN L2TP AH" in-interface=WAN-MEO \
add action=drop chain=input comment="Drop Input" log-prefix="Input Drop"
# Forward chain (traffic routed through the router), ending in "Drop Forward".
add action=accept chain=forward comment=\
"Accept Established / Related Forward" connection-nat-state="" \
add action=accept chain=forward connection-nat-state=dstnat
add action=accept chain=forward comment="Allow forward traffic LAN >> WAN" \
out-interface=WAN-MEO src-address=
# NOTE(review): the src-address of the next two rules is cut off. Traffic from
# the VPN pool to the LAN subnets must match an accept rule before
# "Drop Forward" or it is dropped; whether these rules do that cannot be told
# from the paste. Scope them to the VPN pool and the intended destination
# subnets instead of interface-list=all.
add action=accept chain=forward out-interface-list=all src-address=\
add action=accept chain=forward in-interface-list=all src-address=\
add action=drop chain=forward comment="Drop Forward"
/ip firewall nat
# NOTE(review): the "not ready" line is an export annotation; the first rule
# presumably names an out-interface "kevinguerreiro" that does not exist at
# export time, while the static binding under /interface l2tp-server is called
# "kevin" - verify. Both rule lines are cut off after their continuation
# backslash.
# kevinguerreiro not ready
add action=masquerade chain=srcnat dst-address= out-interface=\
add action=masquerade chain=srcnat out-interface=WAN-MEO src-address=\
/ip firewall service-port
# All connection-tracking helpers listed here are switched off.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# Identity for the passive peer "l2tpserver"; no auth-method or secret is
# shown (presumably removed before posting).
/ip ipsec identity
add generate-policy=port-override peer=l2tpserver
# Policy entry 0 with blank addresses in this paste.
/ip ipsec policy
set 0 dst-address= src-address=
# Management services, the VPN user account and system settings.
# NOTE(review): telnet, ftp, www, api and api-ssl are disabled. ssh and winbox
# are not listed, so they presumably keep their defaults (enabled, no address
# restriction) - confirm, and limit them to the management subnet with the
# service's address= setting in addition to the input-chain rule.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# NOTE(review): the next line looks like an /lcd setting whose section header
# is missing from the paste - confirm.
set default-screen=interfaces read-only-mode=yes
# VPN account "kevin" bound to the L2TP service and the VPN profile; the
# password is not shown (presumably removed before posting).
/ppp secret
add name=kevin profile=VPN-USER-CORPORATE service=l2tp
/system clock
set time-zone-name=Europe/Lisbon
/system identity
set name=MikroTik

Thanks a lot
