I am currenty try to create the L2TP IPsec server on my Mikrotik HAP AC2. Everything went smooth and I managed create the server and established the connection from My Iphone running IOS 13.
But the problem is on my phone I cannot access the Internet and cannot also access my Local LAN on my private network. I suspect the Firewall Rules or NAT?
Pls help
FYI,
I have enable IP Cloud features on Mikrotik since my IP is dynamic
I connect to my ISP thru PPPoe client (dynamic IP address)- WAN ether1 with vlan500 & vlan600
My internet goes thru vlan500 from ISP - interface to PPPoe client
My IP TV goes thru vlan600 from ISP bridge-IPTV to ether5 - connect to Set Top Box IPTV
My LAN network is 192.168.1.0/24 - bridge-LAN - ether2,ether3,ether4
The L2TP IPsec VPN supposedly running on vpn-pool ip address (192.168.89.0/24 network)
Seperately, I have NordVPN running for only vlan30 (10.10.30.0/24 network)
below is the export hide-sensitive of my Mikrotik router
Code: Select all
# mar/18/2020 22:16:41 by RouterOS 6.46.4
# software id = -HIDE-
#
# model = RBD52G-5HacD2HnD
# serial number = -HIDE-
/interface bridge
add name=bridge-IPTV
add admin-mac=74:4D:28:F5:E6:EB auto-mac=no comment=defconf name=bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] comment="Connect to Modem" name=ether1-WAN
set [ find default-name=ether2 ] comment="Connect to Switch"
set [ find default-name=ether3 ] comment="Connect to My Computer"
set [ find default-name=ether4 ] comment="Empty Port"
set [ find default-name=ether5 ] comment="Connect to STB IPTV" name=ether5-IPTV
/interface vlan
add comment="Hotspot VLAN" interface=ether2 name=vlan30 vlan-id=30
add comment="CCTV VLAN" interface=ether2 name=vlan40 vlan-id=40
add comment="Guest VLAN" interface=ether2 name=vlan100 vlan-id=100
add comment="Internet VLAN" interface=ether1-WAN name=vlan500 vlan-id=500
add comment="Hypptv VLAN" interface=ether1-WAN name=vlan600 vlan-id=600
/interface pppoe-client
add add-default-route=yes comment="Unifi PPPOE" disabled=no interface=vlan500 \
name=pppoe-out1 user=-HIDE-
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
mode=dynamic-keys name=profile1 supplicant-identity=""
/interface wireless
-HIDE- *I disable WLAN1 & WLAN2 as i have access point all over my house
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
add dns-name=hotspot.house32 hotspot-address=10.10.30.1 html-directory=\
flash/hotspot login-by=http-chap name=User-Server-Profile
/ip hotspot
add idle-timeout=none interface=vlan30 name=User-Server profile=\
User-Server-Profile
/ip ipsec mode-config
add name=NordVPN responder=no src-address-list=vlan30
/ip ipsec policy group
add name=NordVPN
/ip ipsec profile
add name=NordVPN
/ip ipsec peer
add address=sg230.nordvpn.com exchange-mode=ike2 name=NordVPN profile=NordVPN
/ip ipsec proposal
add name=NordVPN pfs-group=none
/ip pool
add name=dhcp_lan ranges=192.168.1.10-192.168.1.254
add name=vpn-pool ranges=192.168.89.2-192.168.89.254
add name=dhcp_vlan30 ranges=10.10.30.2-10.10.30.254
add name=dhcp_vlan40 ranges=10.10.40.2-10.10.40.254
add name=dhcp_vlan100 ranges=10.10.100.2-10.10.100.254
/ip dhcp-server
add address-pool=dhcp_lan disabled=no interface=bridge-LAN name=dhcp_lan
add address-pool=dhcp_vlan30 disabled=no interface=vlan30 name=dhcp_vlan30
add address-pool=dhcp_vlan40 disabled=no interface=vlan40 name=dhcp_vlan40
add address-pool=dhcp_vlan100 disabled=no interface=vlan100 name=dhcp_vlan100
/ip hotspot user profile
add address-pool=dhcp_vlan30 name=User1-User-Profile rate-limit=10M/10M \
transparent-proxy=yes
add address-pool=dhcp_vlan30 name=User2-User-Profile rate-limit=20M/20M \
transparent-proxy=yes
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8,8.8.4.4 local-address=192.168.89.1 \
remote-address=vpn-pool
/queue simple
add name="LAN Queue" target=192.168.1.0/24
add max-limit=30M/30M name="Guest Queue" target=10.10.100.0/24,vlan100
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw
/user group
set read policy="local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sen\
sitive,api,romon,dude,tikapp,!ftp,!write,!policy"
set write policy="local,telnet,ssh,reboot,read,write,test,winbox,password,web,sn\
iff,sensitive,api,romon,dude,tikapp,!ftp,!policy"
/interface bridge port
add bridge=bridge-LAN comment=defconf interface=ether2
add bridge=bridge-LAN comment=defconf interface=ether3
add bridge=bridge-LAN comment=defconf interface=ether4
add bridge=bridge-IPTV comment=defconf interface=ether5-IPTV
add bridge=bridge-LAN comment=defconf interface=wlan1
add bridge=bridge-LAN comment=defconf interface=wlan2
add bridge=bridge-IPTV interface=vlan600
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all internet-interface-list=all lan-interface-list=\
LAN wan-interface-list=WAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge-LAN list=LAN
add comment=defconf interface=ether1-WAN list=WAN
add interface=pppoe-out1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge-LAN network=\
192.168.1.0
add address=10.10.30.1/24 interface=vlan30 network=10.10.30.0
add address=10.10.40.1/24 interface=vlan40 network=10.10.40.0
add address=10.10.100.1/24 interface=vlan100 network=10.10.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add comment=defconf interface=ether1-WAN
/ip dhcp-server lease
-HIDE-
/ip dhcp-server network
add address=10.10.30.0/24 gateway=10.10.30.1
add address=10.10.40.0/24 gateway=10.10.40.1
add address=10.10.100.0/24 gateway=10.10.100.1
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=\
8.8.8.8,8.8.4.4,208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=-HIDE- list=WAN-IP
add address=192.168.1.0/24 list=LAN
add address=10.10.30.0/24 list=vlan30
add address=10.10.40.0/24 list=vlan40
add address=10.10.100.0/24 list=vlan100
add address=192.168.1.16 list=my-iphone
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=\
udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="Allow IPSec-esp for WAN-IP" \
dst-address-list=WAN-IP protocol=ipsec-esp
add action=accept chain=input comment="Allow IPSec-ah for WAN-IP" \
dst-address-list=WAN-IP protocol=ipsec-ah
add action=accept chain=input comment=\
"Allow ALL incoming traffic from 192.168.89.0/24 to this RouterOS" \
ipsec-policy=in,ipsec src-address=192.168.89.0/24
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=input comment="Drop Winbox connection from outside" \
dst-address-list=WAN-IP dst-port=8291 log-prefix="\"\"" protocol=tcp
add action=drop chain=input comment="Drop Port Scanners" in-interface=\
ether1-WAN src-address-list="\"Port Scanners\""
add action=add-src-to-address-list address-list="\"Port Scanners\"" \
address-list-timeout=none-dynamic chain=input comment="Drop Port Scanners" \
dst-port=23 in-interface=ether1-WAN protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=forward comment=\
"Allow ALL forward traffic from 192.168.89.0/24 to any network" \
dst-address=0.0.0.0/0 ipsec-policy=in,ipsec src-address=192.168.89.0/24
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
"Drop tries to reach not from WAN from Guest VLAN" in-interface=vlan100 \
out-interface=!pppoe-out1
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here"
add action=masquerade chain=srcnat comment="HAIRPIN NAT" dst-address=\
192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment=NAT ipsec-policy=out,none \
out-interface=pppoe-out1
add action=dst-nat chain=dstnat comment="port forward rule hassio" \
dst-address-list=WAN-IP dst-port=8123 protocol=tcp to-addresses=\
192.168.1.247 to-ports=8123
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip hotspot user
add comment="username/pass: user1" name=user1 profile=User1-User-Profile \
server=User-Server
add comment="username/pass: user2" name=user2 profile=User2-User-Profile \
server=User-Server
/ip ipsec identity
add auth-method=eap certificate="" eap-methods=eap-mschapv2 generate-policy=\
port-strict mode-config=NordVPN peer=NordVPN policy-template-group=NordVPN \
username=-HIDE-
/ip ipsec policy
add dst-address=0.0.0.0/0 group=NordVPN proposal=NordVPN src-address=0.0.0.0/0 \
template=yes
/ip upnp interfaces
add interface=bridge-LAN type=internal
add interface=pppoe-out1 type=external
/ppp secret
add name=vpn profile=default-encryption service=l2tp
/snmp
set enabled=yes
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system identity
set name="MikroTik HAP AC2"
/system ntp client
set enabled=yes primary-ntp=211.233.84.186 secondary-ntp=62.201.225.9
/tool e-mail
set address=smtp.gmail.com from=-HIDE- port=587 start-tls=\
yes user=-HIDE-
/tool graphing interface
add interface=bridge-LAN store-on-disk=no
add interface=ether5-IPTV store-on-disk=no
/tool graphing resource
add store-on-disk=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes
/tool traffic-monitor
add interface=ether2 name=LAN_transmitted threshold=0
add interface=ether2 name=LAN_received threshold=0 traffic=received
/tool user-manager database
set db-path=flash/user-manager