acte28
just joined
Topic Author
Posts: 5
Joined: Mon Nov 23, 2020 4:38 am

Mikrotik L2TP VPN - Cannot access internal LAN on MacOS or Linux. Windows OK.

Wed Dec 16, 2020 11:05 am

Hi all,

I have an odd issue. I've successfully set up an L2TP VPN which authenticates to a Radius Server using Winbox. The config is set so that all traffic should be tunnelled through the VPN for technicians to access local internal resources as well as mask their current location by tunnelling traffic through the VPN.

On Windows 10, there are no issues. Clients can authenticate to the VPN - Internet traffic is tunnelled and can access internal Web Interfaces. On both MacOS & Linux however, users can only access the internet (via the VPN), however are unable to access anything internal. Ping fails as well.

I'm thinking it's a routing table that isn't being provided to non-Windows clients, perhaps the OS is interpreting it in an odd way. I don't see how it could be a Firewall config on the Router since Windows clients can access the internal LAN.

Any tips? I'm fairly new to Mikrotik, would greatly appreciate some help. I've searched the forums, however did not find an article linked to this particular issue.

Attaching my config:
# dec/16/2020 17:51:44 by RouterOS 6.47.4
# software id = M4JN-1399
#
# model = CCR2004-1G-12S+2XS
# serial number =
/interface bridge
add arp=local-proxy-arp name=bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] name=nuroWAN
set [ find default-name=sfp-sfpplus1 ] name=portLAN01
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.2.100-10.0.2.254
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=ldapvpn ranges=10.0.9.0-10.0.9.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-LAN name=dhcp1
/ppp profile
add dns-server=10.0.0.1 incoming-filter="" interface-list=LAN local-address=\
10.0.0.1 name=ldap-vpn outgoing-filter="" remote-address=ldapvpn \
use-encryption=required
set *FFFFFFFE dns-server=10.0.0.1 local-address=10.1.0.0 remote-address=vpn
/interface bridge port
add bridge=bridge-LAN interface=portLAN01
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=ldap-vpn enabled=yes \
use-ipsec=required
/interface list member
add interface=nuroWAN list=WAN
add interface=bridge-LAN list=LAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=10.0.0.1/16 interface=portLAN01 network=10.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=no interface=nuroWAN
/ip dhcp-server lease
add address=10.0.2.232 mac-address=08:00:27:70:7E:98 server=dhcp1
/ip dhcp-server network
add address=10.0.0.0/16 dns-server=10.0.0.1 gateway=10.0.0.1 netmask=16 \
ntp-server=10.0.0.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.0.5.1 name=hydro.corp
add address=10.0.5.2 name=helium.corp
add address=10.0.2.1 name=lic001.corp
add address=10.0.1.10 name=swmain.corp
add address=10.0.3.2 name=cube02.corp
add address=10.0.3.1 name=cube01.corp
add address=10.0.3.3 name=cube03.corp
add address=10.0.3.5 name=cube05.corp
add address=10.0.0.34 name=cube04.corp
add address=10.0.3.6 name=cube06.corp
add address=10.0.3.7 name=cube07.corp
add address=10.0.3.10 name=cube10.corp
add address=10.0.3.8 name=cube08.corp
add address=10.0.3.9 name=cube09.corp
add address=10.0.3.11 name=cube11.corp
add address=10.0.3.12 name=cube12.corp
add address=10.0.3.13 name=cube13.corp
add address=10.0.3.21 name=cube21.corp
add address=10.0.3.22 name=cube22.corp
add address=10.0.3.23 name=cube23.corp
add address=10.0.3.24 name=cube24.corp
add address=10.0.2.1 name=lic001.corp.com
add address=10.0.6.10 name=herp010.corp
add address=10.0.6.11 name=herp011.corp
add address=10.0.6.12 name=herp012.corp
add address=10.0.1.1 name=swnetgeara.corp
add address=10.0.1.2 name=swnetgearb.corp
add address=10.0.6.1 name=herp001.corp
add address=10.0.6.2 name=herp002.corp
add address=10.0.6.3 name=herp003.corp
add address=10.0.6.4 name=herp004.corp
add address=10.0.6.5 name=herp005.corp
add address=10.0.6.6 name=herp006.corp
add address=10.0.6.7 name=herp007.corp
add address=10.0.6.8 name=herp008.corp
add address=10.0.6.9 name=herp009.corp
add address=10.0.6.13 name=herp013.corp
add address=10.0.6.14 name=herp014.corp
add address=10.0.6.15 name=herp015.corp
add address=10.0.6.16 name=herp016.corp
add address=10.0.5.3 name=lithium.corp
add address=10.0.2.232 name=spike.corp
/ip firewall address-list
add address=10.0.9.0-10.0.9.254 list=OutVpn
/ip firewall filter
add action=accept chain=input protocol=gre
add action=accept chain=input dst-port=1723 protocol=tcp
/ip firewall mangle
add action=mark-routing chain=prerouting connection-limit=100,32 \
dst-address-type="" dst-limit=1,5,dst-address/1m40s hotspot="" limit=\
1,5:packet new-routing-mark=VpnRoute passthrough=no psd=21,3s,3,1 \
src-address=10.0.9.0-10.0.9.254 src-address-type="" tcp-flags=""
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes dst-address=!10.0.0.0/16 \
out-interface=nuroWAN src-address=10.0.0.0/16
add action=src-nat chain=srcnat dst-address=10.0.0.1 src-address=\
10.0.9.0-10.0.9.254 src-address-list=OutVpn to-addresses=10.0.0.1
add action=masquerade chain=srcnat out-interface=nuroWAN
/ip route
add check-gateway=ping distance=1 gateway=nuroWAN routing-mark=VpnRoute
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp aaa
set use-radius=yes
/ppp secret
add local-address=10.0.3.227 name=vpn1
add local-address=10.0.3.226 name=vpn2
add local-address=10.0.3.225 name=vpn3
add name=vpn_test profile=default-vpn4
add local-address=10.0.3.224 name=vpn5
add local-address=10.0.3.223 name=vpn6
add name=joe
add name=bob
add name=chris
add name=derp
/radius
add address=10.0.5.3 domain=corp service=ppp src-address=10.0.0.1
/system clock
set time-zone-name=
/system identity
set name=rockyrouter
 
SiB
Forum Guru
Posts: 1367
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Mikrotik L2TP VPN - Cannot access internal LAN on MacOS or Linux. Windows OK.

Wed Dec 16, 2020 11:12 am

You should add topic=ipsec to logging to find errors caused by a lack of encryption.
MTCNA + MTCRE + MTCINE | ~600 users at ~150 RouterBoards in EMEA | Telegram: @SiB_PL | Buy me a caffe
WinBox Tip: F6 works as ALT+TAB | Gliffy.com - free network schematic | prnt.sc - free ScreenShot software
 
korg
Frequent Visitor
Posts: 91
Joined: Tue Apr 26, 2016 4:10 pm

Re: Mikrotik L2TP VPN - Cannot access internal LAN on MacOS or Linux. Windows OK.

Wed Dec 16, 2020 1:01 pm

Hi there,

I had the same problem and have resolved it by adding (always adding as soon as I connect via VPN) a static route like

sudo route -n add -net <subnet of the local network to which you are connecting>/24 <gateway in the VPN IP range, if any present>

I hope this will help

korg
 
acte28
just joined
Topic Author
Posts: 5
Joined: Mon Nov 23, 2020 4:38 am

Re: Mikrotik L2TP VPN - Cannot access internal LAN on MacOS or Linux. Windows OK.

Wed Jan 06, 2021 8:32 am

Thank you Korg. This indeed does the trick for MacOS hosts, however why does the routing table config not get 'pushed' automatically to Mac & Linux clients in the same manner that Windows does?

Is there a missing item on the VPN config side to allow Mac & Linux clients to gain full roadwarrior access without needing to manually add in a routing table entry?
 
acte28
just joined
Topic Author
Posts: 5
Joined: Mon Nov 23, 2020 4:38 am

Re: Mikrotik L2TP VPN - Cannot access internal LAN on MacOS or Linux. Windows OK.

Fri Jan 08, 2021 8:29 am

Anyone?
 
sindy
Forum Guru
Posts: 6844
Joined: Mon Dec 04, 2017 9:19 pm

Re: Mikrotik L2TP VPN - Cannot access internal LAN on MacOS or Linux. Windows OK.

Fri Jan 08, 2021 7:00 pm

On L2TP, RouterOS doesn't push routes to the Windows client either, but depending on its settings, the Windows client either sends everything via the VPN, or only adds a so-called "class-based route", which means it takes the IP address it got from the server, finds out by its prefix whether it belongs to an A (/8), B (/16) or C (/24) class per RFC791, and adds a route to the whole corresponding subnet. So if it gets 172.19.245.12, it will add a route to 172.19.0.0/16 via the VPN connection.

The Windows client sends a DHCPINFORM message through the tunnel, asking for a response with Option 249 which is a route list, but it reverts to the above mechanism if it doesn't get any response, which is the case with RouterOS as a server.

RouterOS does support the DHCPINFORM mechanism, but only as an IKEv2 responder.

I have no clue whether MacOS or some Linux distributions use the DHCPINFORM with PPP-based protocols, but given that Mikrotik doesn't support it anyway, it changes nothing if they do. So static routes are the only way, you may add and remove them using some scripts.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
acte28
just joined
Topic Author
Posts: 5
Joined: Mon Nov 23, 2020 4:38 am

Re: Mikrotik L2TP VPN - Cannot access internal LAN on MacOS or Linux. Windows OK.

Tue Jan 12, 2021 3:34 am

Fantastic. Really appreciate the detailed response :) Fairly simple to script.
 
SiB
Forum Guru
Posts: 1367
Joined: Sun Jan 06, 2013 11:19 pm
Location: Poland

Re: Mikrotik L2TP VPN - Cannot access internal LAN on MacOS or Linux. Windows OK.

Tue Feb 23, 2021 2:58 am

For Windows 8/8.1/10 it is one line and we can run many commands for one VPN:
Add-VpnConnectionRoute -ConnectionName "VPN Connection" -DestinationPrefix 10.20.30.0/24 -RouteMetric 1 -PassThru

For Mac all routes must be given in one command per VPN:
networksetup -setadditionalroutes "VPN Connection" 10.20.30.0 255.255.255.0 192.168.88.1 10.20.31.0 255.255.255.0 192.168.88.1

Maybe this helps :) or doesn't give any new info...
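As an added example (not code from the thread), the script below reproduces on a macOS or Linux client the "class-based route" behaviour sindy describes and emits the kind of static route command korg and SiB post: it takes the address the L2TP server assigned to the tunnel, derives the RFC 791 classful network (A /8, B /16, C /24), and prints the route command for that OS. The interface name ppp0, the sample addresses, and the Linux/macOS command forms are assumptions; run it from the client's ip-up hook or by hand after the tunnel comes up.

```shell
#!/bin/sh
# Added example, not from the thread: mimic the Windows class-based route on
# a macOS/Linux L2TP client. Given the PPP address the server assigned, derive
# the RFC 791 classful network and print the static-route command for that OS.
# Interface name "ppp0" and the sample addresses are assumptions.

# classful_prefix IP -> classful network, e.g. 172.19.245.12 -> 172.19.0.0/16
# Returns 1 for class D/E addresses, which have no classful unicast route.
classful_prefix() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    o1=$1 o2=$2 o3=$3
    if [ "$o1" -lt 128 ]; then          # class A
        printf '%s.0.0.0/8\n' "$o1"
    elif [ "$o1" -lt 192 ]; then        # class B
        printf '%s.%s.0.0/16\n' "$o1" "$o2"
    elif [ "$o1" -lt 224 ]; then        # class C
        printf '%s.%s.%s.0/24\n' "$o1" "$o2" "$o3"
    else
        return 1
    fi
}

# route_cmd OS IP [IFACE] -> command that adds the classful route via the tunnel.
# OS is "linux" or "darwin" (the output of `uname -s`, lowercased).
route_cmd() {
    os=$1
    prefix=$(classful_prefix "$2") || return 1
    iface=${3:-ppp0}
    case $os in
        linux)  printf 'ip route add %s dev %s\n' "$prefix" "$iface" ;;
        darwin) printf 'route -n add -net %s -interface %s\n' "$prefix" "$iface" ;;
        *)      return 1 ;;
    esac
}

# When run directly with the tunnel address (and optionally the interface),
# print the route command for this host, e.g.:
#   sh classroute.sh 10.0.9.5 ppp0   ->   ip route add 10.0.0.0/8 dev ppp0
if [ $# -gt 0 ]; then
    os=$(uname -s | tr '[:upper:]' '[:lower:]')
    route_cmd "$os" "$1" "$2" || { echo "no classful route for $1 on $os" >&2; exit 1; }
fi
```

With the ldapvpn pool from the original config (10.0.9.0-10.0.9.254) the assigned address is class A, so the derived route 10.0.0.0/8 covers the whole 10.0.0.0/16 LAN, which matches sindy's explanation of why the Windows client reaches it without any pushed routes.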