
Frequent Visitor
Topic Author
Posts: 80
Joined: Thu Sep 29, 2011 11:42 pm
Location: Denmark

VPN SERVER with L2 Vlan...

Tue Nov 05, 2019 2:39 pm

Hello everyone
I have a challenge that I have had to give up on a bit.
I have a CCR1036 that I need to be a VPN server.
This is a bit special, as I have to hit more than one L2 VLAN.
1. Domain VLAN (VLAN 3): SSTP server with RADIUS and all.
2. DISP1Net (VLAN 17): L2TP VPN set up with profile users in the router.
3. DISP2Net (VLAN 40): also L2TP and, if possible, PPTP VPN set up with profile users in the router.

I have my VLAN config:
# tagged sub-interfaces, one per VLAN per SFP trunk port
/interface vlan
add name=vlan3-sfp1 interface=sfp1 vlan-id=3
add name=vlan17-sfp1 interface=sfp1 vlan-id=17
add name=vlan40-sfp1 interface=sfp1 vlan-id=40

add name=vlan3-sfp2 interface=sfp2 vlan-id=3
add name=vlan17-sfp2 interface=sfp2 vlan-id=17
add name=vlan40-sfp2 interface=sfp2 vlan-id=40
add name=vlan999-sfp2 interface=sfp2 vlan-id=999

add name=vlan3-sfp3 interface=sfp3 vlan-id=3
add name=vlan17-sfp3 interface=sfp3 vlan-id=17
add name=vlan40-sfp3 interface=sfp3 vlan-id=40
add name=vlan999-sfp3 interface=sfp3 vlan-id=999

add name=vlan3-sfp4 interface=sfp4 vlan-id=3
add name=vlan17-sfp4 interface=sfp4 vlan-id=17
add name=vlan40-sfp4 interface=sfp4 vlan-id=40
add name=vlan999-sfp4 interface=sfp4 vlan-id=999

# one bridge per VLAN (the menu is /interface bridge; "brige" was a typo)
/interface bridge
add name=bridge-vlan3
add name=bridge-vlan17
add name=bridge-vlan40
add name=bridge-vlan999

# tagged sub-interfaces plus untagged access ports as members of each bridge
/interface bridge port
add bridge=bridge-vlan3 interface=vlan3-sfp1
add bridge=bridge-vlan3 interface=vlan3-sfp2
add bridge=bridge-vlan3 interface=vlan3-sfp3
add bridge=bridge-vlan3 interface=vlan3-sfp4
add bridge=bridge-vlan3 interface=ether2
add bridge=bridge-vlan3 interface=ether3
add bridge=bridge-vlan3 interface=ether4
add bridge=bridge-vlan3 interface=ether5
add bridge=bridge-vlan17 interface=vlan17-sfp1
add bridge=bridge-vlan17 interface=vlan17-sfp2
add bridge=bridge-vlan17 interface=vlan17-sfp3
add bridge=bridge-vlan17 interface=vlan17-sfp4
add bridge=bridge-vlan17 interface=ether12
add bridge=bridge-vlan40 interface=vlan40-sfp1
add bridge=bridge-vlan40 interface=vlan40-sfp2
add bridge=bridge-vlan40 interface=vlan40-sfp3
add bridge=bridge-vlan40 interface=vlan40-sfp4
add bridge=bridge-vlan40 interface=ether6
add bridge=bridge-vlan40 interface=ether7
add bridge=bridge-vlan40 interface=ether8
add bridge=bridge-vlan40 interface=ether9
add bridge=bridge-vlan40 interface=ether10
add bridge=bridge-vlan40 interface=ether11

Ether1 is my WAN out on a public IP. This is not my gateway, because I am running a Cisco ASA as my default gateway.

I am running a trunk to a Cisco switch, and that is also why I have VLAN 999, as I am using this as the native VLAN on the Cisco.

I have tried to set up only the SSTP server, without VLANs and only to my domain, with no problem, but I need more users in every VLAN.

I am stuck and hoping for help :)

just joined
Posts: 14
Joined: Thu Oct 31, 2019 1:01 pm

Re: VPN SERVER with L2 Vlan...

Wed Nov 06, 2019 1:34 pm

Some large-scale enterprises adopt IEEE 802.1Q VLANs for separating IP subnets on a single piece of physical Ethernet equipment in order to reduce both administration costs and cable-wiring costs. It can also reduce the necessary number of ports on each Ethernet switch.

SoftEther VPN is a layer-2 VPN technology, and it fully supports transmitting IEEE 802.1Q tagged VLAN packets. It is a very useful feature if your company has many Ethernet segments on each site. With IEEE 802.1Q VLAN technology, all Ethernet packets from each segment can be multiplexed by attaching a VLAN tag to each packet. SoftEther VPN is capable of transmitting any tagged VLAN packets in the case of a site-to-site VPN. Thus your company can extend the tagged VLAN segments to other sites.

As an additional function related to VLAN transmission support, SoftEther VPN also has a function to insert and remove a VLAN tag on the packet automatically. It can be configured individually in each user object's security policy. So you can make a policy such that user A can access only VLAN 123 and user B can access only VLAN 456. All raw packets from a user will transparently have a tag with the specified VLAN ID added, and all tagged packets toward a user will be filtered and the tag removed transparently.

Hope this information is helpful!
Frequent Visitor
Topic Author
Posts: 80
Joined: Thu Sep 29, 2011 11:42 pm
Location: Denmark

Re: VPN SERVER with L2 Vlan...

Wed Nov 06, 2019 4:02 pm

Hi LewisH95
Yes, I know about IEEE 802.1Q and all, and my VLANs also work, but I need something that can tell me how to set this VPN server up.
I have no problem with setting up a normal VPN server to my domain and all, but how do I set it up so that when I log in to another VLAN than my domain, with user groups in MikroTik, I can be sure to get the right VLAN?
Some guide or code to start with, maybe?
I am sure that MikroTik can do this, or?

Forum Guru
Posts: 3897
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN SERVER with L2 Vlan...

Fri Nov 08, 2019 12:35 am

LewisH95's posts seem to me like preparing the ground (collecting karma) for some advertising or the like, through posting texts copied from the web which contain the keywords related to the topics but are not really relevant to what people ask.

So forget about SoftEther in a Mikrotik context.

What is not clear from your post is whether you really need L2 transparency for some of the clients to the VLANs you have listed (i.e. to extend the L2 segment all the way to the client) or whether you, like many, use "VLAN" as a synonym for "IP subnet", because the best common practice is to have a dedicated VLAN for each IP subnet.

In the Mikrotik implementation, all PPP-based protocols (L2TP, SSTP, PPTP) support BCP, which means you can provide L2 transparency between the client and the server, but it is unfortunately rarely the case for the clients. So there is no problem extending L2 to another Mikrotik using one of those protocols, but there is no way to extend L2 to e.g. a Windows embedded VPN client, neither using L2TP nor using SSTP.

So if you don't mind that the SSTP and L2TP clients won't get L2 transparency (i.e. won't be able to send broadcast traffic to the VLANs), you can use L3 firewall rules to permit them access only to some subnets (which reside in particular VLANs, so you can use out-interface=vlanX rather than dst-address=subnetX in the firewall rules).

Tik allows you to set up at most one server for each PPP-based VPN protocol, so you cannot have two independent L2TP servers on the same Tik, but there is no need for two servers, as the /ppp profile item attached to each /ppp secret representing the user account determines the behaviour of the connection (whether it supports L3 tunneling, L2 tunneling or both, to which interface list the virtual L3 interface will be added, to which bridge the virtual L2 interface will be added, to which address list the IP address assigned to the client will be added).

Although SSTP can do L2 tunneling, I'd not recommend it, as it uses TCP as transport, which should be avoided for VPNs wherever possible. L2TP uses UDP as transport (so no TCP-in-TCP situation can happen) and PPTP uses GRE, so it is also fine from this point of view; however, PPTP's encryption has not been considered safe for years, so it should not be used except where better encryption is prohibited by law.

Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
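The per-profile steering described in the reply above, written out as a RouterOS configuration. This is an added example, not code from any post in this thread or from MikroTik: one L2TP server and one SSTP server, with the /ppp profile on each /ppp secret deciding which VLAN a user lands in, and forward-chain rules that confine each group to its own VLAN. The subnets, pool ranges, router addresses on the bridges, interface-list and profile names, user names, certificate name and pre-shared key are all placeholders I have assumed; the OP's bridge names are kept so the rules match the posted config, where the routed interface for each VLAN is the bridge rather than a single vlanX sub-interface.

```routeros
# Added example (not from the thread). Placeholders: 10.17.0.0/24 and
# 10.40.0.0/24 for VLAN 17 and VLAN 40, CHANGEME secrets, vpn-server-cert.

# The router needs an address on each bridge to route VPN clients into the VLAN.
# The Cisco ASA stays the default gateway for the VLAN hosts.
/ip address
add address=10.17.0.2/24 interface=bridge-vlan17 comment="router on DISP1Net"
add address=10.40.0.2/24 interface=bridge-vlan40 comment="router on DISP2Net"

# One pool per VLAN, so a client's address already tells you where it was placed.
/ip pool
add name=pool-disp1 ranges=10.17.0.200-10.17.0.249
add name=pool-disp2 ranges=10.40.0.200-10.40.0.249

# The dynamic PPP interface is put on the interface list named in the profile;
# the firewall matches on that list instead of on individual <l2tp-user> names.
/interface list
add name=vpn-disp1
add name=vpn-disp2

# One profile per VLAN. bridge= only takes effect for a client that negotiates
# BCP (e.g. another MikroTik); a Windows client gets an L3 tunnel only.
/ppp profile
add name=prof-disp1 local-address=10.17.0.2 remote-address=pool-disp1 \
    interface-list=vpn-disp1 bridge=bridge-vlan17 address-list=vpn-disp1 \
    use-encryption=required only-one=yes change-tcp-mss=yes
add name=prof-disp2 local-address=10.40.0.2 remote-address=pool-disp2 \
    interface-list=vpn-disp2 bridge=bridge-vlan40 address-list=vpn-disp2 \
    use-encryption=required only-one=yes change-tcp-mss=yes

# The secret (user account) carries the profile; both users hit the same server.
/ppp secret
add name=alice service=l2tp profile=prof-disp1 password=CHANGEME
add name=bob service=l2tp profile=prof-disp2 password=CHANGEME

# One L2TP server (IPsec required, so the PSK protects the L2TP/PPP exchange),
# one SSTP server, PPTP explicitly off as the reply recommends.
/interface l2tp-server server
set enabled=yes use-ipsec=required ipsec-secret=CHANGEME-PSK \
    default-profile=prof-disp1 authentication=mschap2
/interface sstp-server server
set enabled=yes certificate=vpn-server-cert default-profile=prof-disp1 \
    authentication=mschap2
/interface pptp-server server
set enabled=no

# L3 confinement: a DISP1 client may only reach bridge-vlan17, a DISP2 client
# only bridge-vlan40. No L2 transparency, so no broadcast into the VLAN.
/ip firewall filter
add chain=forward in-interface-list=vpn-disp1 out-interface=bridge-vlan17 \
    action=accept comment="DISP1 VPN -> VLAN 17"
add chain=forward in-interface-list=vpn-disp2 out-interface=bridge-vlan40 \
    action=accept comment="DISP2 VPN -> VLAN 40"
add chain=forward in-interface-list=vpn-disp1 action=drop \
    comment="DISP1 VPN: nothing else"
add chain=forward in-interface-list=vpn-disp2 action=drop \
    comment="DISP2 VPN: nothing else"
```

Two things to check after pasting this in: the drop rules must sit after the accept rules in the forward chain (print the chain and move them if an existing catch-all comes first), and the default-profile on the servers is only a fallback for a secret with no profile of its own, so every secret should name a profile explicitly. For the RADIUS-authenticated domain users in VLAN 3 the same mechanism applies, except that the RADIUS server selects the profile by returning its name in the Mikrotik-Group attribute instead of it being set on a local /ppp secret.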
