Community discussions

MikroTik App
  4. RouterOS
  5. General

L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN  [SOLVED]

Post Reply
 
th3game
just joined
Topic Author
Posts: 10
Joined: Sun Dec 22, 2019 10:05 pm

L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN

Wed Mar 18, 2020 4:48 pm

Hi all,

I am currenty try to create the L2TP IPsec server on my Mikrotik HAP AC2. Everything went smooth and I managed create the server and established the connection from My Iphone running IOS 13.

But the problem is on my phone I cannot access the Internet and cannot also access my Local LAN on my private network. I suspect the Firewall Rules or NAT?

Pls help

FYI,

I have enable IP Cloud features on Mikrotik since my IP is dynamic

I connect to my ISP thru PPPoe client (dynamic IP address)- WAN ether1 with vlan500 & vlan600
My internet goes thru vlan500 from ISP - interface to PPPoe client
My IP TV goes thru vlan600 from ISP bridge-IPTV to ether5 - connect to Set Top Box IPTV

My LAN network is 192.168.1.0/24 - bridge-LAN - ether2,ether3,ether4

The L2TP IPsec VPN supposedly running on vpn-pool ip address (192.168.89.0/24 network)
Seperately, I have NordVPN running for only vlan30 (10.10.30.0/24 network)

below is the export hide-sensitive of my Mikrotik router
Code: Select all
# mar/18/2020 22:16:41 by RouterOS 6.46.4
# software id = -HIDE-
#
# model = RBD52G-5HacD2HnD
# serial number = -HIDE-

/interface bridge
add name=bridge-IPTV
add admin-mac=74:4D:28:F5:E6:EB auto-mac=no comment=defconf name=bridge-LAN

/interface ethernet
set [ find default-name=ether1 ] comment="Connect to Modem" name=ether1-WAN
set [ find default-name=ether2 ] comment="Connect to Switch"
set [ find default-name=ether3 ] comment="Connect to My Computer"
set [ find default-name=ether4 ] comment="Empty Port"
set [ find default-name=ether5 ] comment="Connect to STB IPTV" name=ether5-IPTV

/interface vlan
add comment="Hotspot VLAN" interface=ether2 name=vlan30 vlan-id=30
add comment="CCTV VLAN" interface=ether2 name=vlan40 vlan-id=40
add comment="Guest VLAN" interface=ether2 name=vlan100 vlan-id=100
add comment="Internet VLAN" interface=ether1-WAN name=vlan500 vlan-id=500
add comment="Hypptv VLAN" interface=ether1-WAN name=vlan600 vlan-id=600

/interface pppoe-client
add add-default-route=yes comment="Unifi PPPOE" disabled=no interface=vlan500 \
    name=pppoe-out1 user=-HIDE-
	
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=profile1 supplicant-identity=""
	
/interface wireless
-HIDE- *I disable WLAN1 & WLAN2 as i have access point all over my house
	
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
add dns-name=hotspot.house32 hotspot-address=10.10.30.1 html-directory=\
    flash/hotspot login-by=http-chap name=User-Server-Profile
	
/ip hotspot
add idle-timeout=none interface=vlan30 name=User-Server profile=\
    User-Server-Profile
	
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=vlan30

/ip ipsec policy group
add name=NordVPN

/ip ipsec profile
add name=NordVPN

/ip ipsec peer
add address=sg230.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN

/ip ipsec proposal
add name=NordVPN pfs-group=none

/ip pool
add name=dhcp_lan ranges=192.168.1.10-192.168.1.254
add name=vpn-pool ranges=192.168.89.2-192.168.89.254
add name=dhcp_vlan30 ranges=10.10.30.2-10.10.30.254
add name=dhcp_vlan40 ranges=10.10.40.2-10.10.40.254
add name=dhcp_vlan100 ranges=10.10.100.2-10.10.100.254

/ip dhcp-server
add address-pool=dhcp_lan disabled=no interface=bridge-LAN name=dhcp_lan
add address-pool=dhcp_vlan30 disabled=no interface=vlan30 name=dhcp_vlan30
add address-pool=dhcp_vlan40 disabled=no interface=vlan40 name=dhcp_vlan40
add address-pool=dhcp_vlan100 disabled=no interface=vlan100 name=dhcp_vlan100

/ip hotspot user profile
add address-pool=dhcp_vlan30 name=User1-User-Profile rate-limit=10M/10M \
    transparent-proxy=yes
add address-pool=dhcp_vlan30 name=User2-User-Profile rate-limit=20M/20M \
    transparent-proxy=yes
	
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8,8.8.4.4 local-address=192.168.89.1 \
    remote-address=vpn-pool
	
/queue simple
add name="LAN Queue" target=192.168.1.0/24
add max-limit=30M/30M name="Guest Queue" target=10.10.100.0/24,vlan100

/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
	
/user group
set read policy="local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sen\
    sitive,api,romon,dude,tikapp,!ftp,!write,!policy"
set write policy="local,telnet,ssh,reboot,read,write,test,winbox,password,web,sn\
    iff,sensitive,api,romon,dude,tikapp,!ftp,!policy"
	
/interface bridge port
add bridge=bridge-LAN comment=defconf interface=ether2
add bridge=bridge-LAN comment=defconf interface=ether3
add bridge=bridge-LAN comment=defconf interface=ether4
add bridge=bridge-IPTV comment=defconf interface=ether5-IPTV
add bridge=bridge-LAN comment=defconf interface=wlan1
add bridge=bridge-LAN comment=defconf interface=wlan2
add bridge=bridge-IPTV interface=vlan600

/ip neighbor discovery-settings
set discover-interface-list=LAN

/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
    LAN wan-interface-list=WAN
	
/interface l2tp-server server
set enabled=yes use-ipsec=yes

/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=pppoe-out1 list=WAN

/interface sstp-server server
set default-profile=default-encryption

/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge-LAN network=\
    192.168.1.0
add address=10.10.30.1/24 interface=vlan30 network=10.10.30.0
add address=10.10.40.1/24 interface=vlan40 network=10.10.40.0
add address=10.10.100.1/24 interface=vlan100 network=10.10.100.0

/ip cloud
set ddns-enabled=yes ddns-update-interval=1m

/ip dhcp-client
add comment=defconf interface=ether1-WAN

/ip dhcp-server lease
-HIDE-
	
/ip dhcp-server network
add address=10.10.30.0/24 gateway=10.10.30.1
add address=10.10.40.0/24 gateway=10.10.40.1
add address=10.10.100.0/24 gateway=10.10.100.1
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24

/ip dns
set allow-remote-requests=yes servers=\
    8.8.8.8,8.8.4.4,208.67.222.222,208.67.220.220
	
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan

/ip firewall address-list
add address=-HIDE- list=WAN-IP
add address=192.168.1.0/24 list=LAN
add address=10.10.30.0/24 list=vlan30
add address=10.10.40.0/24 list=vlan40
add address=10.10.100.0/24 list=vlan100
add address=192.168.1.16 list=my-iphone

/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
    udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="Allow IPSec-esp for WAN-IP" \
    dst-address-list=WAN-IP protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec-ah for WAN-IP" \
    dst-address-list=WAN-IP protocol=ipsec-ah
add action=accept chain=input comment=\
    "Allow ALL incoming traffic from 192.168.89.0/24 to this RouterOS" \
    ipsec-policy=in,ipsec src-address=192.168.89.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=drop chain=input comment="Drop Winbox connection from outside" \
    dst-address-list=WAN-IP dst-port=8291 log-prefix="\"\"" protocol=tcp
add action=drop chain=input comment="Drop Port Scanners" in-interface=\
    ether1-WAN src-address-list="\"Port Scanners\""
add action=add-src-to-address-list address-list="\"Port Scanners\"" \
    address-list-timeout=none-dynamic chain=input comment="Drop Port Scanners" \
    dst-port=23 in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=forward comment=\
    "Allow ALL forward traffic from 192.168.89.0/24 to any network" \
    dst-address=0.0.0.0/0 ipsec-policy=in,ipsec src-address=192.168.89.0/24
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
    "Drop tries to reach not from WAN from Guest VLAN" in-interface=vlan100 \
    out-interface=!pppoe-out1
	
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here"
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=\
    192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=NAT ipsec-policy=out,none \
    out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment="port forward rule hassio" \
    dst-address-list=WAN-IP dst-port=8123 protocol=tcp to-addresses=\
    192.168.1.247 to-ports=8123
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
	
/ip hotspot user
add comment="username/pass: user1" name=user1 profile=User1-User-Profile \
    server=User-Server
add comment="username/pass: user2" name=user2 profile=User2-User-Profile \
    server=User-Server
	
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
    port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN \
    username=-HIDE-
	
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 \
    template=yes
	
/ip upnp interfaces
add interface=bridge-LAN type=internal
add interface=pppoe-out1 type=external

/ppp secret
add name=vpn profile=default-encryption service=l2tp

/snmp
set enabled=yes

/system clock
set time-zone-name=Asia/Kuala_Lumpur

/system identity
set name="MikroTik HAP AC2"

/system ntp client
set enabled=yes primary-ntp=211.233.84.186 secondary-ntp=62.201.225.9

/tool e-mail
set address=smtp.gmail.com from=-HIDE- port=587 start-tls=\
    yes user=-HIDE-
	
/tool graphing interface
add interface=bridge-LAN store-on-disk=no
add interface=ether5-IPTV store-on-disk=no

/tool graphing resource
add store-on-disk=no

/tool mac-server
set allowed-interface-list=LAN

/tool mac-server mac-winbox
set allowed-interface-list=LAN

/tool romon
set enabled=yes

/tool traffic-monitor
add interface=ether2 name=LAN_transmitted threshold=0
add interface=ether2 name=LAN_received threshold=0 traffic=received

/tool user-manager database
set db-path=flash/user-manager
Top
 
th3game
just joined
Topic Author
Posts: 10
Joined: Sun Dec 22, 2019 10:05 pm

Re: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN

Wed Mar 18, 2020 8:09 pm

Anyone with good mikrotik background can shed a light?

:(
Top
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN

Fri Mar 20, 2020 10:19 pm

I don't see it. If it's L2TP, then this is wrong:
Code: Select all
/ip firewall filter
add action=accept chain=forward comment="Allow ALL forward traffic from 192.168.89.0/24 to any network" dst-address=0.0.0.0/0 ipsec-policy=in,ipsec src-address=192.168.89.0/24
because traffic from client will be coming in via dynamic interface (or static, if you'd create one as "L2TP Server Binding") and ipsec-policy=in,ipsec won't match (that's only for L2TP packets as "wrapper" around user traffic). But even if you remove this condition, it won't change anything, because your firewall filter allows everything not specifically blocked anyway.

Do some debugging, connect phone to server and use either Tools->Torch on client interface or logging rules, to see what the phone is sending. Try to connect to some 192.168.1.X on LAN and see if packets come to router. If they do, check on bridge-LAN if they go there. Then watch for response and if it goes back. Same for access to internet. In other words, trace packets step by step and see where exactly it fails.
Top
 
th3game
just joined
Topic Author
Posts: 10
Joined: Sun Dec 22, 2019 10:05 pm

Re: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN

Sat Mar 21, 2020 4:36 am

I don't see it. If it's L2TP, then this is wrong:
Code: Select all
/ip firewall filter
add action=accept chain=forward comment="Allow ALL forward traffic from 192.168.89.0/24 to any network" dst-address=0.0.0.0/0 ipsec-policy=in,ipsec src-address=192.168.89.0/24
because traffic from client will be coming in via dynamic interface (or static, if you'd create one as "L2TP Server Binding") and ipsec-policy=in,ipsec won't match (that's only for L2TP packets as "wrapper" around user traffic). But even if you remove this condition, it won't change anything, because your firewall filter allows everything not specifically blocked anyway.

Do some debugging, connect phone to server and use either Tools->Torch on client interface or logging rules, to see what the phone is sending. Try to connect to some 192.168.1.X on LAN and see if packets come to router. If they do, check on bridge-LAN if they go there. Then watch for response and if it goes back. Same for access to internet. In other words, trace packets step by step and see where exactly it fails.
Hi Sob,

Thanks for replying.

I just made some adjustment to my Firewall Filter Rules as removed the one you mentioend above.

And also try to troubleshoot the error using the Torch Tool.

Video 1 : https://youtu.be/PDDi84gvKcI
This one I already establiehs the connection from my phone to the L2TP server. And try to connect to to my LAN address 192.168.1.20:8443

Video 2: https://youtu.be/Gk7-FMmiC4w
This one I try to go to google.com from my phone.

I'm not sure what's wrong about not getting any responses on both test on my phone; cannot connect to LAN and cannot reach google.com

Thanks again for your help!
Top
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN

Sun Mar 22, 2020 2:21 am

First thing I see are failing attempts to send DNS queries to router. You have this rule:
Code: Select all
/ip firewall filter
add action=accept chain=input comment="Allow ALL incoming traffic from 192.168.89.0/24 to this RouterOS" ipsec-policy=in,ipsec src-address=192.168.89.0/24
but it has the same problem as the one in forward chain had. You can replace it with:
Code: Select all
/ip firewall filter
add action=accept chain=input comment="Allow ALL incoming traffic from 192.168.89.0/24 to this RouterOS" in-interface=all-ppp src-address=192.168.89.0/24
Then I see other incoming traffic from client to other destinations, but nothing coming back. But I still don't see anything in config that would block it, so it should reach destination (both in LAN and internet) and something should come back. Try this as a test:
Code: Select all
/ip firewall mangle
add chain=postrouting src-address=192.168.89.254 action=log log-prefix=from-vpn
It will log packets from phone, after they passed through router. You can also check LAN or WAN interface, if you see them there. But they will no longer have original source address, because of srcnat. Even those going to LAN, because this rule applies for all destinations:
Code: Select all
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
It may not be required for LAN access, but you can keep it like this for now, just know that it will change source address for all connection from phone to LAN to 192.168.1.1.
Top
 
th3game
just joined
Topic Author
Posts: 10
Joined: Sun Dec 22, 2019 10:05 pm

Re: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN

Wed Mar 25, 2020 3:53 am

First thing I see are failing attempts to send DNS queries to router. You have this rule:
Code: Select all
/ip firewall filter
add action=accept chain=input comment="Allow ALL incoming traffic from 192.168.89.0/24 to this RouterOS" ipsec-policy=in,ipsec src-address=192.168.89.0/24
but it has the same problem as the one in forward chain had. You can replace it with:
Code: Select all
/ip firewall filter
add action=accept chain=input comment="Allow ALL incoming traffic from 192.168.89.0/24 to this RouterOS" in-interface=all-ppp src-address=192.168.89.0/24
Then I see other incoming traffic from client to other destinations, but nothing coming back. But I still don't see anything in config that would block it, so it should reach destination (both in LAN and internet) and something should come back. Try this as a test:
Code: Select all
/ip firewall mangle
add chain=postrouting src-address=192.168.89.254 action=log log-prefix=from-vpn
It will log packets from phone, after they passed through router. You can also check LAN or WAN interface, if you see them there. But they will no longer have original source address, because of srcnat. Even those going to LAN, because this rule applies for all destinations:
Code: Select all
/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
It may not be required for LAN access, but you can keep it like this for now, just know that it will change source address for all connection from phone to LAN to 192.168.1.1.
Hi Sob,

I managed to find out the culprit and it is this default Fireawall Filter Rules;
Code: Select all
/ip firewall filter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
when i disble that particular rule (i place it at the most bottom firewall list), eveything works perfectly!!, I have internet on my phone and also can connect to my LAN.
but i am a bit worry to disable that rule as that one seems important? pls help to edit it abit to allow my L2TP IPSec connection reach internet an my LAN.

and yes that <l2tp-vpn> is added dynamically into my Interface List WAN
Top
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN  [SOLVED]

Wed Mar 25, 2020 5:01 am

That's because of this:

https://wiki.mikrotik.com/wiki/Manual:Detect_internet

I've never used it myself yet, so I missed it in your config. Firewall rule is good, you want to keep it. But it you really need detect internet feature (I'm not sure you do), you should tweak its detect-interface-list option to include only interfaces where you want it to look for internet.
Top
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN

Wed Mar 25, 2020 9:30 pm

I ve never used the Internet Detect as well, so @sob what problem did exactly caused in this situation...?
Also, for the OP, you mean the l2tp is added manually in the WAN interfaces ?
Last edited by Zacharias on Wed Mar 25, 2020 9:59 pm, edited 1 time in total.
Top
 
Sob
Forum Guru
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN

Wed Mar 25, 2020 9:57 pm

Dynamic L2TP interface ended up in WAN interface list, added there by detect internet. And default firewall blocks access from WAN.
Top
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN

Wed Mar 25, 2020 10:00 pm

Oh ok that explains how the l2tp got in the WAN list...
Top
 
th3game
just joined
Topic Author
Posts: 10
Joined: Sun Dec 22, 2019 10:05 pm

Re: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN

Thu Mar 26, 2020 3:34 am

Dynamic L2TP interface ended up in WAN interface list, added there by detect internet. And default firewall blocks access from WAN.
yes..this is the most correct answer!. noted to everyone later on once enable detect internet
Top
 
Zacharias
Forum Guru
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: L2TP IPSec Server for Remote Clients - Can connect but No Internet & Cannot Access Local LAN

Thu Mar 26, 2020 8:31 pm

yes... i just dont find any reason, at least up to now, to use that feature...
Top
Post Reply

Who is online

Users browsing this forum: Amazon [Bot], bobr, dioeyandika, Onas, tgkmilo, tim427 and 132 guests
  4. RouterOS
  5. General