babinos4p
just joined
Topic Author
Posts: 9
Joined: Wed Jan 22, 2020 3:12 pm

L2pt connecting, internet access ok, i can ping router but cant access , neither lan pcs

Thu Mar 26, 2020 12:32 pm

Hello,

I'm new to networking and searched as much as I could before posting this.

I'm using a hAP ac2 and I want to set up a VPN tunnel from my office to my home.
I have reset to the default config and set it up with Quick Set (WISP AP settings) over a PPPoE connection.

I can connect from my office and my mobile to my L2TP VPN; I can ping my router (10.0.0.1) but I can't log in, nor can I ping the other devices on my LAN (10.0.0.1/24).
I suppose the export file is required, so I'm posting it.
After a lot of research, I can't find anything wrong except the bridge; I have tried both arp=enabled and arp=proxy-arp. Neither of them works.
Also, with tracert in Windows I get this result:
C:\Users\user>tracert 8.8.8.8

Tracing route to dns.google [8.8.8.8]
over a maximum of 30 hops:

1 55 ms 60 ms 53 ms 192.168.89.1
2 72 ms 70 ms 68 ms 79.128.213.100
3 74 ms 90 ms 123 ms 79.128.232.86
4 79 ms 81 ms 75 ms 62.75.3.69
5 116 ms 120 ms 110 ms 62.75.8.58
6 130 ms 113 ms 120 ms 74.125.51.154
7 195 ms 144 ms 114 ms 108.170.252.65
8 118 ms 108 ms 111 ms 108.170.235.247
9 121 ms 107 ms 105 ms dns.google [8.8.8.8]

Trace complete.

C:\Users\user>ping 10.0.0.1

Pinging 10.0.0.1 with 32 bytes of data:
Reply from 10.0.0.1: bytes=32 time=71ms TTL=64
Reply from 10.0.0.1: bytes=32 time=62ms TTL=64
Reply from 10.0.0.1: bytes=32 time=66ms TTL=64
Reply from 10.0.0.1: bytes=32 time=101ms TTL=64
This is the export:
# mar/26/2020 12:05:47 by RouterOS 6.46.4
# software id = 20TD-MASQ
#
# model = RBD52G-5HacD2HnD
# serial number = A6470AD52847
/interface bridge
add admin-mac=74:4D:28:8B:D9:C8 auto-mac=no comment=defconf name=bridge
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 use-peer-dns=yes user=o2n6kc@otenet.gr
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX country=no_country_set disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower mode=ap-bridge ssid=MikroTik-8BD9CC wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=no_country_set disabled=no distance=indoors frequency=auto frequency-mode=manual-txpower mode=ap-bridge ssid=paok-5ghz wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=10.0.0.100-10.0.0.150
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/queue simple
add name=lan target=10.0.0.0/24
add burst-time=1s/1s limit-at=512k/2M max-limit=1M/4M name=tv+mob parent=lan target=10.0.0.140/32,10.0.0.141/32,10.0.0.145/32
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=10.0.0.1/24 comment=defconf interface=ether2 network=10.0.0.0
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=10.0.0.240 client-id=1:30:85:a9:9b:4e:b2 mac-address=30:85:A9:9B:4E:B2 server=defconf
add address=10.0.0.145 client-id=1:6c:c7:ec:83:e4:da mac-address=6C:C7:EC:83:E4:DA server=defconf
add address=10.0.0.141 client-id=1:9c:2e:a1:93:59:df mac-address=9C:2E:A1:93:59:DF server=defconf
add address=10.0.0.140 client-id=1:a0:6f:aa:7b:d9:ea mac-address=A0:6F:AA:7B:D9:EA server=defconf
/ip dhcp-server network
add address=10.0.0.0/24 comment=defconf gateway=10.0.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=10.0.0.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip ssh
set forwarding-enabled=remote
/ppp secret
add name=vpn profile=default-encryption
/system clock
set time-zone-name=Europe/Athens
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
I cannot understand what I'm doing wrong. I noticed that when I'm using my mobile with the VPN active, I have internet, but the stats on the NAT rule for the VPN connection are not going up; however, the public IP is my home's public IP, so it seems to be working. Same at the office PC.

My plan, once L2TP is working: I have set up a FreePBX and I want to receive the calls at my office PCs and 2 mobiles.

Thank you in advance
Bob
 
bpwl
Forum Guru
Posts: 2984
Joined: Mon Apr 08, 2019 1:16 am

Re: L2pt connecting, internet access ok, i can ping router but cant access , neither lan pcs

Sat Mar 28, 2020 2:03 am

If you want a LAN (L2) type of connection, then check this ....https://wiki.mikrotik.com/wiki/Manual:B ... ridging%29

(Bridge must be defined in your PPP profile)
 
babinos4p
just joined
Topic Author
Posts: 9
Joined: Wed Jan 22, 2020 3:12 pm

Re: L2pt connecting, internet access ok, i can ping router but cant access , neither lan pcs

Sat Mar 28, 2020 9:25 pm

Thank you for your time and your answer.

I wasn't thinking of the PPTP config because the VPN connector will be a Windows client (my PC).
I do not have access to the EdgeOS router that the ISP gave me.

But I'll try it.

Thank you
 
babinos4p
just joined
Topic Author
Posts: 9
Joined: Wed Jan 22, 2020 3:12 pm

Re: L2pt connecting, internet access ok, i can ping router but cant access , neither lan pcs

Thu Apr 16, 2020 12:45 pm

After several days,
I still can't make this work, and I can't use PPTP because the connection is between a MikroTik and a Windows client.

Thank you
 
ingdaka
Trainer
Posts: 452
Joined: Thu Aug 30, 2012 3:06 pm
Location: Albania

Re: L2pt connecting, internet access ok, i can ping router but cant access , neither lan pcs

Thu Apr 16, 2020 12:53 pm

Try changing something on the bridge: arp=proxy-arp
 
babinos4p
just joined
Topic Author
Posts: 9
Joined: Wed Jan 22, 2020 3:12 pm

Re: L2pt connecting, internet access ok, i can ping router but cant access , neither lan pcs

Thu Apr 16, 2020 3:58 pm

I have read many posts that might apply to my case, and I have tried this.
I have the same results.

Because I'm at work right now, I'm connected using L2TP; I can ping 10.0.0.1 (MikroTik router) but I can't log in with Winbox, only if I disable the default firewall rule: "Drop all not coming from LAN".
How can I keep this rule up but still work with L2TP?

Thank you for your answer
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: L2pt connecting, internet access ok, i can ping router but cant access , neither lan pcs

Thu Apr 16, 2020 9:51 pm

... if I disable the default firewall rule: "Drop all not coming from LAN".
How can I keep this rule up but still work with L2TP?

If the firewall filter rule is the problem: you can either add the L2TP interface to the LAN interface list (but check if that's OK in all of MikroTik's config), or you can rework that rule (possibly into multiple rules) referring to other interface lists (e.g. WAN) or individual interfaces (e.g. the L2TP interface). Or the third possibility: insert an action=allow rule before the mentioned one which will allow traffic from L2TP ...

Many ways to skin the sheep...
 
jebz
Member
Posts: 366
Joined: Sun May 01, 2011 12:03 pm
Location: Australia

Re: L2pt connecting, internet access ok, i can ping router but cant access , neither lan pcs

Fri Apr 17, 2020 1:29 am

I have read many posts that might apply to my case, and I have tried this.
I have the same results.

Because I'm at work right now, I'm connected using L2TP; I can ping 10.0.0.1 (MikroTik router) but I can't log in with Winbox, only if I disable the default firewall rule: "Drop all not coming from LAN".
How can I keep this rule up but still work with L2TP?

Thank you for your answer

You need to add the L2TP interface to:

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN

add comment=VPN_interface interface=L2TP list=LAN

Your firewall rules and IP Services list the interface LAN.
 
babinos4p
just joined
Topic Author
Posts: 9
Joined: Wed Jan 22, 2020 3:12 pm

Re: L2pt connecting, internet access ok, i can ping router but cant access , neither lan pcs

Fri Apr 17, 2020 3:51 pm

Thanks for your answers!

I managed to get L2TP working by changing the firewall rule from !LAN to WAN (since I have my bridge in LAN and my ether1/PPPoE in WAN, it seems to work very well).
I found a similar post to my question, viewtopic.php?t=131479, that gives the following solution:
You have several possibilities to resolve this, depending on how complex the rest of your configuration is going to grow.

the simplest one is to modify the rule 7 - instead of in-interface-list=!LAN, use in-interface-list=WAN. That way you only prevent the router from being accessed directly via WAN, but access from any other interface, including virtual ones and including some added later, like e.g. your wireless network for guests at home, will be possible
the name of the dynamically created virtual L2TP interface is always <l2tp-username>, so in your case it is <l2tp-vpn> (including the sharp brackets). But when the tunnel goes down, the interface is destroyed, so it is also automatically removed from the interface list, and it is not re-created there when another interface, albeit with the same name, appears again. What you can do is to create a static interface of type "L2TP Server Binding" and link it to the ppp user name (vpn in your case). Such an interface is static, therefore it exists regardless of whether the L2TP connection is established or not, and you can add it as a member of the interface list "LAN", or insert a rule

chain=input action=accept in-interface=your-static-binding-name

anywhere between existing rules 1 and 7.
you might be tempted to permit incoming packets based on their source address regardless of the in-interface as @misucatinas suggests, but it is not a good idea, as a packet with a "proper" source address can be spoofed and sent to your WAN interface. Scenarios exist where such a packet may cause some harm to your network.
So thank you again!
Bob
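The thread ends up with three fixes for the "drop all not coming from LAN" rule (membership of a static L2TP Server Binding in the LAN list, rewriting the rule as in-interface-list=WAN, or an accept rule on the binding interface) plus the quoted warning against accepting by source address. The following is an added illustration, not RouterOS code and not from any poster: a small model of how the input chain is walked top to bottom, run over constructed packets. It uses the export's interface lists, "<l2tp-vpn>" as the dynamic tunnel interface name the quoted post describes, an assumed static binding name "l2tp-vpn-bind", the documentation address 203.0.113.7 as a constructed internet source, and Winbox on TCP/8291. It also shows why ping to 10.0.0.1 worked all along (the defconf ICMP accept sits above the drop rule) while Winbox did not.

```python
"""Toy model of RouterOS 'input' chain evaluation for the fixes discussed in
this thread. Added illustration, not RouterOS code: packets and addresses are
constructed, "<l2tp-vpn>" is the dynamic tunnel interface name from the
quoted post, and "l2tp-vpn-bind" is an assumed static binding name."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

DYNAMIC_L2TP = "<l2tp-vpn>"       # dynamic interface; member of no interface list
STATIC_BINDING = "l2tp-vpn-bind"  # assumed name of a static L2TP Server Binding

# Interface lists as in the export, and with the static binding added to LAN.
LISTS_ORIGINAL: Dict[str, Set[str]] = {"WAN": {"ether1", "pppoe-out1"}, "LAN": {"bridge"}}
LISTS_WITH_BINDING: Dict[str, Set[str]] = {"WAN": {"ether1", "pppoe-out1"},
                                           "LAN": {"bridge", STATIC_BINDING}}


@dataclass(frozen=True)
class Packet:
    in_interface: str
    src: str
    protocol: str = "tcp"
    dst_port: Optional[int] = None
    connection_state: str = "new"


@dataclass(frozen=True)
class Rule:
    action: str
    comment: str
    in_interface: Optional[str] = None
    in_interface_list: Optional[str] = None   # "WAN", "LAN" or negated "!LAN"
    src_address: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    connection_state: Optional[FrozenSet[str]] = None


def rule_matches(rule: Rule, pkt: Packet, lists: Dict[str, Set[str]]) -> bool:
    """Every matcher set on the rule must match; unset matchers are wildcards."""
    if rule.in_interface is not None and rule.in_interface != pkt.in_interface:
        return False
    if rule.in_interface_list is not None:
        negated = rule.in_interface_list.startswith("!")
        name = rule.in_interface_list.lstrip("!")
        in_list = pkt.in_interface in lists.get(name, set())
        if in_list == negated:  # member of a negated list, or non-member of a plain one
            return False
    if rule.src_address is not None and ip_address(pkt.src) not in ip_network(rule.src_address):
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.connection_state is not None and pkt.connection_state not in rule.connection_state:
        return False
    return True


def evaluate_input(rules: List[Rule], pkt: Packet, lists: Dict[str, Set[str]]) -> Tuple[str, str]:
    """First matching rule decides; an input chain with no match accepts by default."""
    for rule in rules:
        if rule_matches(rule, pkt, lists):
            return rule.action, rule.comment
    return "accept", "end of chain (implicit accept)"


def input_chain(last_rule: Rule, extra: Optional[Rule] = None) -> List[Rule]:
    """Subset of the export's input chain, with an optional rule inserted before the final drop."""
    rules = [
        Rule("accept", "defconf: accept established,related,untracked",
             connection_state=frozenset({"established", "related", "untracked"})),
        Rule("accept", "allow l2tp", protocol="udp", dst_port=1701),
        Rule("accept", "defconf: accept ICMP", protocol="icmp"),
    ]
    if extra is not None:
        rules.append(extra)
    rules.append(last_rule)
    return rules


DROP_NOT_LAN = Rule("drop", "defconf: drop all not coming from LAN", in_interface_list="!LAN")
DROP_FROM_WAN = Rule("drop", "drop all coming from WAN", in_interface_list="WAN")
ALLOW_BINDING = Rule("accept", "allow vpn via static binding", in_interface=STATIC_BINDING)
ALLOW_BY_ADDRESS = Rule("accept", "allow vpn by source address", src_address="192.168.89.0/24")

CHAIN_ORIGINAL = input_chain(DROP_NOT_LAN)
CHAIN_WAN = input_chain(DROP_FROM_WAN)
CHAIN_BINDING_RULE = input_chain(DROP_NOT_LAN, extra=ALLOW_BINDING)
CHAIN_BY_ADDRESS = input_chain(DROP_NOT_LAN, extra=ALLOW_BY_ADDRESS)   # the warned-against variant

# Constructed sample packets; Winbox listens on TCP/8291.
PING_OVER_VPN = Packet(DYNAMIC_L2TP, "192.168.89.2", protocol="icmp")
WINBOX_OVER_VPN = Packet(DYNAMIC_L2TP, "192.168.89.2", "tcp", 8291)
WINBOX_VIA_BINDING = Packet(STATIC_BINDING, "192.168.89.2", "tcp", 8291)
WINBOX_FROM_INTERNET = Packet("pppoe-out1", "203.0.113.7", "tcp", 8291)
WINBOX_SPOOFED_SRC = Packet("pppoe-out1", "192.168.89.2", "tcp", 8291)  # VPN address, WAN interface

if __name__ == "__main__":
    cases = [
        ("original, ping over VPN", CHAIN_ORIGINAL, PING_OVER_VPN, LISTS_ORIGINAL),
        ("original, Winbox over VPN", CHAIN_ORIGINAL, WINBOX_OVER_VPN, LISTS_ORIGINAL),
        ("!LAN -> WAN, Winbox over VPN", CHAIN_WAN, WINBOX_OVER_VPN, LISTS_ORIGINAL),
        ("!LAN -> WAN, Winbox from internet", CHAIN_WAN, WINBOX_FROM_INTERNET, LISTS_ORIGINAL),
        ("binding in LAN list, Winbox via binding", CHAIN_ORIGINAL, WINBOX_VIA_BINDING, LISTS_WITH_BINDING),
        ("accept on binding, spoofed src on WAN", CHAIN_BINDING_RULE, WINBOX_SPOOFED_SRC, LISTS_ORIGINAL),
        ("accept by src address, spoofed src on WAN", CHAIN_BY_ADDRESS, WINBOX_SPOOFED_SRC, LISTS_ORIGINAL),
    ]
    for label, chain, pkt, lists in cases:
        action, why = evaluate_input(chain, pkt, lists)
        print(f"{label:45} -> {action:6} ({why})")
```

The last two cases make the quoted warning concrete: a rule keyed on the in-interface (or on interface-list membership) drops a packet that carries a VPN-pool source address but arrives on pppoe-out1, while a rule keyed only on src-address accepts it. The static binding matters for the same reason the quoted post gives: a dynamic <l2tp-vpn> interface leaves the LAN list when the tunnel drops, so a static binding is what keeps the membership stable.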
