jjgurley
just joined
Topic Author
Posts: 20
Joined: Wed Oct 14, 2020 6:37 pm

Fat fingered VPN config

Tue Feb 16, 2021 5:25 am

I had a fully working router when our ISP failed, and while messing about with a travel router, I did something bad to the router config, so I had to reset it to defaults.

I've got everything working again EXCEPT my L2TP/IPsec server. The server actually works, and I can connect remotely, and I can remotely open the admin page of the router. What I can't do is RDP to any of the private network clients. An ipconfig on a remote machine shows an assigned IP on the private network, but the subnet is 255.255.255.255 (rather than the expected 255.255.255.0) and the gateway is blank. Maybe this has nothing to do with the problem.

While trying to reconstruct my previously good config, I defined a pool in an area of the private LAN, and used that pool as the Remote Address in the Profile (with my router's private address as the Local Address). My firewall is in the default condition. I'm thinking maybe I skipped a Firewall step for RDP?
 
sindy
Forum Guru
Posts: 6875
Joined: Mon Dec 04, 2017 9:19 pm

Re: Fat fingered VPN config

Tue Feb 16, 2021 10:04 am

> An ipconfig on a remote machine shows an assigned IP on the private network, but the subnet is 255.255.255.255 (rather than the expected 255.255.255.0) and the gateway is blank. Maybe this has nothing to do with the problem.
This is a normal behaviour with L3 PPP tunnels (L2TP is basically an augmented PPP). By default, the tunnel interface becomes the default gateway for the Windows once you connect (for everything except the VPN connection itself).

> My firewall is in the default condition. I thinking maybe I skipped a Firewall step for RDP?
Correct. On the MikroTik side, a virtual l2tp-server interface is dynamically created when the client connects, and the default firewall rules know nothing about this interface. So if the default firewall setup comes from a recent version of RouterOS, it drops traffic initiated via any other interface but members of the interface list LAN.

As the fastest solution I'd suggest setting the value of the interface-list parameter of the /ppp profile row, to which the /interface l2tp-server server (or the /ppp secret row if you've specified a profile there) refers, to LAN. Once the L2TP client logs out and logs in again, the dynamically created interface will be added as an /interface list member item.

The above is good enough if it is enough for you to treat the real LAN hosts and the L2TP clients equally. If you want to restrict the remote clients somehow (e.g. permit only RDP access to only some LAN hosts), you'll have to use a dedicated /interface list item and a dedicated set of firewall rules for them.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
jjgurley
just joined
Topic Author
Posts: 20
Joined: Wed Oct 14, 2020 6:37 pm

Re: Fat fingered VPN config

Tue Feb 16, 2021 3:54 pm

I think I was lucky I got things working the first time.

I think I'm confused about the multiple meanings of "bridge". I used the "Quick Set" to do the initial setup and included "bridge all ports". When I then mess with the PPP/Profile, do I tell it to use the bridge? I don't remember doing that the first time. Also, there was an "allow ARP" box somewhere that I can't find now that I think was important.

As of right now, I can remotely access the router over the VPN, the router can ping private addresses on my bridge network, but I can't ping remotely which means I can't browse the network or use RDP.
I've watched dozens of youtubes on the subject, and everyone does it differently.

Update: I added LAN to my ppp/profile interfaces, and I'm now locked out, so I'll have to go into the office to put that back.
 
sindy
Forum Guru
Posts: 6875
Joined: Mon Dec 04, 2017 9:19 pm

Re: Fat fingered VPN config

Tue Feb 16, 2021 5:27 pm

> I think I'm confused about the multiple meaning of "bridge". I used the "Quick Set" to do the initial setup and included "bridge all ports". When I then mess with the PPP/Profile, do I tell it to use the bridge?
If the client is Windows, you don't. You can only bridge together L2 interfaces, and the L2TP tunnel to the Windows client is only an L3 one. Between two Mikrotiks, you can create an L2 tunnel in parallel, and you can specify which bridges on the two Mikrotiks to link together using that tunnel, but that's not your case.

> Also, there was an "allow ARP" box somewhere that I can't find now that I think was important.
You probably have in mind the proxy-arp value of the arp parameter of the bridge interface. This is only necessary if the IP address assigned to the L2TP client fits into the LAN subnet, because in that case, the LAN hosts think that the L2TP client is in the same subnet and use ARP to determine its MAC address to send the packets directly to it. So by setting arp=proxy-arp on an interface, you make the router respond to ARP requests towards addresses in subnets connected to other interfaces with its own MAC address, so that the requestor would then send the IP traffic to the router and the router could deliver it.

> As of right now, I can remotely access the router over the VPN, the router can ping private addresses on my bridge network, but I can't ping remotely which means I can't browse the network or use RDP.
This sounds as if you are really assigning addresses from the LAN subnet to the VPN clients, as stated above.

> I've watched dozens of youtubes on the subject, and everyone does it differently.
That's no surprise. There are often many ways to do the same thing.

> Update: I added LAN to my ppp/profile interfaces, and I'm now locked out, so I'll have to go into the office to put that back.
Sorry for this. It is always better to post the actual configuration rather than to refer to a "default" one - there is a different default configuration for almost every major release of RouterOS. But nevertheless I am surprised, because if the /interface list LAN didn't exist, it should not have allowed you to set it in the ppp profile, and if it exists, I can see no reason why any version of default firewall rules should lock you out. Does the L2TP connection establish or not?
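A worked RouterOS configuration for the restricted variant sindy describes (a dedicated interface list for the L2TP clients with its own firewall rules, instead of putting them into LAN) combined with the proxy-arp setting discussed above, since the thread's pool lies inside the LAN subnet. This is an added example, not configuration posted by either participant; the list name VPN, pool name, profile name, all addresses and the RDP host list are constructed assumptions, and the IPsec secret is a placeholder.

```routeros
# Dedicated interface list for the dynamically created l2tp-in interfaces
# (list name "VPN" is an assumption; the thread only names the default list LAN)
/interface list
add name=VPN comment="L2TP clients, kept separate from LAN"

# Address pool inside the LAN subnet 192.168.88.0/24 (constructed addresses)
# and the profile the L2TP server refers to; interface-list=VPN makes RouterOS
# add each client's dynamic interface to the VPN list on every login
/ip pool
add name=vpn-pool ranges=192.168.88.200-192.168.88.219
/ppp profile
add name=l2tp-rdp local-address=192.168.88.1 remote-address=vpn-pool interface-list=VPN
/interface l2tp-server server
set enabled=yes default-profile=l2tp-rdp use-ipsec=required ipsec-secret=REPLACE_WITH_PSK

# Because the pool lies inside the LAN subnet, LAN hosts ARP for the client
# address; proxy-arp lets the router answer with its own MAC and forward the
# traffic ("bridge" is the Quick Set default bridge name, assumed here)
/interface bridge
set [find name=bridge] arp=proxy-arp

# Hosts that VPN users may reach with RDP (constructed addresses)
/ip firewall address-list
add list=rdp-hosts address=192.168.88.10 comment="file server"
add list=rdp-hosts address=192.168.88.11 comment="database host"

# Forward-chain rules for VPN clients: RDP (TCP 3389) to listed hosts only,
# everything else from the VPN list dropped. Move these rules above the default
# configuration's drop rules in the forward chain (/ip firewall filter move),
# otherwise the catch-all drop is evaluated first.
/ip firewall filter
add chain=forward action=accept in-interface-list=VPN protocol=tcp dst-port=3389 \
    dst-address-list=rdp-hosts comment="RDP from VPN clients to listed hosts"
add chain=forward action=drop in-interface-list=VPN comment="drop all other VPN client traffic"
```

Return traffic for the RDP sessions is covered by the default established,related accept rule, so no reverse rule is needed; verify the result with /ip firewall filter print stats after a client connects.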
 
jjgurley
just joined
Topic Author
Posts: 20
Joined: Wed Oct 14, 2020 6:37 pm

Re: Fat fingered VPN config

Tue Feb 16, 2021 5:37 pm

Right now, the VPN connects and immediately disconnects. The MS VPN Client flashes "connected" then returns to unconnected.

I do have the vpn pool on the same subnet, so I'll set the ARP when I go into the office in an hour or so.
 
sindy
Forum Guru
Posts: 6875
Joined: Mon Dec 04, 2017 9:19 pm

Re: Fat fingered VPN config

Tue Feb 16, 2021 5:43 pm

It sounds to me as if the interface list LAN didn't exist, so the connection gets broken once the stack attempts to add the interface as its member and finds out it doesn't exist. Strange. What was the RouterOS version you started with (i.e. from which one the default configuration came)?
 
jjgurley
just joined
Topic Author
Posts: 20
Joined: Wed Oct 14, 2020 6:37 pm

Re: Fat fingered VPN config

Tue Feb 16, 2021 5:45 pm

I'll post that when I get logged in again.
 
jjgurley
just joined
Topic Author
Posts: 20
Joined: Wed Oct 14, 2020 6:37 pm

Re: Fat fingered VPN config

Tue Feb 16, 2021 6:50 pm

6.47.4

I've reversed the final steps I took last night and now the VPN won't connect.

Should my ppp/profile include my bridge?
Should it also include LAN in the profile/interface list?

Sorry I have so little expertise.
 
sindy
Forum Guru
Posts: 6875
Joined: Mon Dec 04, 2017 9:19 pm

Re: Fat fingered VPN config

Tue Feb 16, 2021 7:04 pm

Please start by following the text of my automatic signature below.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
jjgurley
just joined
Topic Author
Posts: 20
Joined: Wed Oct 14, 2020 6:37 pm

Re: Fat fingered VPN config

Tue Feb 16, 2021 7:06 pm

Much to my surprise, a "set to factory default" didn't erase my backup file, so I just did a restore, and I'm back to where I was. I'll have to document the settings a little better this time.
 
jjgurley
just joined
Topic Author
Posts: 20
Joined: Wed Oct 14, 2020 6:37 pm

Re: Fat fingered VPN config

Tue Feb 16, 2021 7:18 pm

I'll figure out how /export works next time.
 
johnnyy
just joined
Posts: 2
Joined: Tue Nov 17, 2020 11:43 am

Re: Fat fingered VPN config

Thu Feb 18, 2021 7:44 pm

I faced a similar issue, thanks for the recommendations. I started using ultra security VPN and it worked for me. Luckily it doesn't cost much but provides a high level of security and helps to bypass all restrictions.
Last edited by johnnyy on Fri Feb 19, 2021 5:30 pm, edited 1 time in total.
 
jjgurley
just joined
Topic Author
Posts: 20
Joined: Wed Oct 14, 2020 6:37 pm

Re: Fat fingered VPN config

Thu Feb 18, 2021 7:55 pm

Although my problem went away with a "restore" (so I don't know exactly what was fouled up) I can post my /export if your configuration is similar to mine. I have a pretty simple setup with one WAN, the other ports bridged to a private LAN with DHCP, and L2TP/IPsec set up to handle remote access for backup of a local database and RDP users. I think all my RDP users are Windows 10 based, but it works on my Android as well. Both use the built-in client.
