Allow users to access clients connected with L2TP

Posted: Tue Oct 08, 2019 7:36 pm
by nagylzs
Hello, I'm using L2TP with pre-shared key.

Here is my current firewall configuration:
/ip firewall filter
add action=accept chain=input comment="L2TP szerver 2/1" port=1701,500,4500 protocol=udp
add action=accept chain=input comment="L2TP szerver 2/2" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="drop ssh brute forcers 5/1" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input comment="drop ssh brute forcers 5/2" connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment="drop ssh brute forcers 5/3" connection-state=new dst-port=22 protocol=tcp \
    src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="drop ssh brute forcers 5/4" connection-state=new dst-port=22 protocol=tcp \
    src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="drop ssh brute forcers 5/5" connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input comment="L2TP (es LAN) dns 2/1" dst-port=53 protocol=udp src-address=192.168.5.0/24
add action=accept chain=input comment="L2TP (es LAN) dns 2/2" dst-port=53 protocol=tcp src-address=192.168.5.0/24
add action=accept chain=input comment="ssh router" dst-port=22 in-interface=all-ethernet protocol=tcp
add action=accept chain=input comment="ssh dbserver" dst-port=2222 in-interface=ether1-TCOM protocol=tcp
add action=accept chain=input comment="olajkut 4/1" dst-port=6055 in-interface=all-ethernet protocol=udp
add action=accept chain=input comment="kamera rogzito 6/1" dst-port=82 in-interface=all-ethernet protocol=tcp
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input comment="kamera rogzito 6/3" dst-port=1030 in-interface=all-ethernet protocol=tcp
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=input comment="kamera rogzito 6/4" dst-port=1030 in-interface=all-ethernet protocol=udp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack (DISABLED, SEE NEXT)" connection-state=established,related disabled=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack with ipsec exception" connection-mark=!ipsec connection-state=established,related
add action=accept chain=input comment="kamera rogzito 6/5" dst-port=8181 in-interface=all-ethernet protocol=tcp
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="kamera rogzito 6/6" dst-port=8181 in-interface=all-ethernet protocol=udp
add action=accept chain=input comment="WinBox remote" dst-port=8291 in-interface=all-ethernet protocol=tcp
add action=accept chain=input comment="WinBox Bridge 8292" dst-port=8292 in-interface=all-ethernet protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
Here is my PPP profile:
/ppp profile
add comment="L2TP szerver" dns-server=192.168.5.254,8.8.8.8 local-address=192.168.5.254 name=ipsec_vpn
The router's address is 192.168.5.254. The DHCP server is enabled for local clients. For ppp clients, manually fixed IP addresses are given. Here is an example:
add name=gandalf password=xxxxxxxxxxxxxxxxx profile=ipsec_vpn remote-address=192.168.5.202 service=l2tp
Here is what happens:

* Windows ppp client can connect to the router.
* Windows ppp client can ping/connect any other computer that is on the LAN side of the router. For example, 192.168.5.202 can ping 192.168.5.1 (ppp client -> router -> LAN works)
* The ppp client cannot be pinged/connected from the LAN side
* The ppp client cannot be pinged/connected from the router either

I would like to allow a specific port (e.g. TCP/5900) to be accessed from LAN -> router -> ppp -> ppp client direction. But I'm stuck. I don't know what other rules I need to add for this.

Thanks,

Laszlo

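An added example, not code from the post or from MikroTik: a small Python rule walker that parses a constructed subset of the export above (the RULES_EXPORT sample, the packet dictionaries and the helper names are all assumptions) and resolves a packet against its chain in rule order, the way RouterOS's first-match evaluation does. It shows that the forward chain already lets a new LAN -> ppp client TCP/5900 connection through to the chain's default accept, which is why the fix had to be on the client side.

```python
import ipaddress
import shlex

# Constructed subset of the /ip firewall filter export quoted in the post (sample input).
RULES_EXPORT = """
add action=accept chain=input comment="L2TP szerver 2/1" port=1701,500,4500 protocol=udp
add action=accept chain=input comment="L2TP szerver 2/2" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="L2TP (es LAN) dns 2/1" dst-port=53 protocol=udp src-address=192.168.5.0/24
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
"""

def parse_rules(export):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments in one token."""
    rules = []
    for line in export.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules

LIST_MATCHERS = {"dst-port", "src-port", "connection-state"}

def matcher_hits(key, want, packet):
    """Evaluate one matcher: a leading '!' inverts it, a comma list matches any member."""
    negate = want.startswith("!")
    want = want.lstrip("!")
    have = packet.get(key)
    if key == "src-address":
        hit = have is not None and ipaddress.ip_address(have) in ipaddress.ip_network(want)
    elif key == "port":  # RouterOS 'port' matches either the source or the destination port
        ports = want.split(",")
        hit = str(packet.get("src-port")) in ports or str(packet.get("dst-port")) in ports
    elif key in LIST_MATCHERS:
        hit = str(have) in want.split(",")
    else:
        hit = have == want
    return hit != negate

def first_match(rules, packet):
    """Walk the packet's chain in order; no matching rule means the chain's default accept."""
    for rule in rules:
        if rule.get("chain") != packet["chain"] or rule.get("disabled") == "yes":
            continue
        matchers = {k: v for k, v in rule.items() if k not in ("action", "chain", "comment", "disabled")}
        if all(matcher_hits(k, v, packet) for k, v in matchers.items()):
            return rule["action"], rule.get("comment", "")
    return "accept", "chain default"
```

The walker models only the matchers present in this subset; address lists, interface names and the ipsec-policy matchers from the full export are not modelled.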
Re: Allow users to access clients connected with L2TP

Posted: Tue Oct 08, 2019 7:47 pm
by xvo
Does the firewall on the ppp client device allow ping at all?

Re: Allow users to access clients connected with L2TP

Posted: Tue Oct 08, 2019 8:39 pm
by nagylzs
Okay, that was the problem. I did not know that the new version of Windows 10 firewall disables ICMP ping requests by default. I could also open port TCP/5900. So the problem was fully with the client, not MikroTik settings.

Thank you for your help!