axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

Help with L2TP connection - Can't see other LAN devices

Fri Jun 04, 2021 6:08 am

Hello
I followed a few guides on YouTube and online to set up a VPN using L2TP.
Please see my screenshot with the current setup.

The problem is, I am able to connect from a remote location, but I am not able
to see the other LAN devices on the network.

[screenshots]

Just for testing, I disabled all firewall rules and tried to ping devices, to no avail.
I notice the remote client gets a different network mask than the local network as shown here:

Remote client connected:
[screenshots]


Please any tips appreciated
Thank you
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: Help with L2TP connection - Can't see other LAN devices

Fri Jun 04, 2021 3:36 pm

From what I can see,

In the remote device connected via L2TP ("thebox"), add a route for 10.0.0.0/8 via the 10.0.0.1 gateway. I would bet that you have it set to not use the L2TP server as the default gateway, in which case you will need to add a route. It should then be able to ping and/or telnet/SSH into 10.0.0.1 (depending on what services you have enabled on the MikroTik device).

Unless you want it to share broadcast / L2 traffic, in which case I believe you will need to specify which bridge to connect it to in /ppp profile.
 
axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

Re: Help with L2TP connection - Can't see other LAN devices

Sat Jun 05, 2021 2:15 am


mikeeg02 wrote:
In the remote device connected via l2tp,("thebox") add a route 10.0.0.0/8 to use 10.0.0.1 gateway.

Ok. I added the route as shown next:

[screenshot]



Now the connected client gets:

[screenshot]


The IP is working as specified (10.0.0.251), but the routing setting does not seem to be taking effect in the client.
Any more ideas?
Thank you
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: Help with L2TP connection - Can't see other LAN devices

Sat Jun 05, 2021 2:23 am

Add the route in the client, not in PPP.

In Windows it would be: route add 10.0.0.0 mask 255.0.0.0 10.0.0.1
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: Help with L2TP connection - Can't see other LAN devices

Sat Jun 05, 2021 5:01 am

In your client routing table, if it has the VPN as the default gateway it should have something similar to this, where 192.168.55.254 is my VPN local address. See how the metric has changed to prefer the VPN for the default gateway vs. local, which in my case is 192.168.88.1.
[attachment: vpn.png]
If you add the route to the client (10.0.0.0/8) it should look like this, and then you have a route to the 10.0.0.0/8 devices local to that router.
[attachment: vpn with route.png]
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: Help with L2TP connection - Can't see other LAN devices

Sat Jun 05, 2021 5:08 am

If you want them in the same broadcast domain, this may help.

https://wiki.mikrotik.com/wiki/Manual:B ... _bridging)
 
axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

Re: Help with L2TP connection - Can't see other LAN devices

Sat Jun 05, 2021 3:56 pm

Ok. I tried setting the IP manually in the client as suggested, but the problem persists.
Look:

[screenshot]

I'll try removing the manual IP given by the server and see if that makes a difference...
 
axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

Re: Help with L2TP connection - Can't see other LAN devices

Sat Jun 05, 2021 4:34 pm

Tested from a Windows box:

[screenshot]

Same issue.
I tried a few more workarounds on the server, playing with the bridge and IPs within the (UNEVEN and DISCONNECTED between each other) configuration tabs on the MikroTik, to no avail.

I'm already frustrated trying to set up this thing; absolutely unfriendly.

If this fails I will need to try setting up OpenVPN instead, but the WAN IP is dynamic and I assume I need a static IP to keep
the certificate in place, right?

I have another MikroTik at home; I will set up an L2TP connection and test there to see if there are any issues. Maybe this is the way MikroTik works with this type of connection? Can you guys test and see what happens on your routers?
Thank you
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: Help with L2TP connection - Can't see other LAN devices

Sat Jun 05, 2021 9:14 pm

Why are you entering the IP address in the Windows box?
 
tdw
Forum Guru
Posts: 1841
Joined: Sat May 05, 2018 11:55 am

Re: Help with L2TP connection - Can't see other LAN devices

Sat Jun 05, 2021 11:15 pm

Random videos and blogs found on the internet are often outdated, inaccurate, not optimal, or just wrong.

There are no native layer 2 / ethernet VPNs available in Windows. PPP-like VPNs (L2TP, SSTP, PPTP) use point-to-point connections with a /32 IP at each end of the link; they are never part of a larger broadcast domain. If you are using VPN client addresses which overlap with a subnet attached to an ethernet interface, you have to use proxy-arp so the MikroTik replies to ARP requests from local ethernet-connected devices on behalf of the remote VPN client.

Screenshots are rarely helpful; post the output of /export hide-sensitive in a code block (the [] icon above the text entry box in the forum).
 
axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

Re: Help with L2TP connection - Can't see other LAN devices

Sat Jun 05, 2021 11:52 pm

mikeeg02 wrote:
Why are you entering the ip address in the windows box?

Because I exhausted all the options I could think of in the MikroTik tabs and nothing works, and another member suggested trying that too, so I gave it a shot.

tdw wrote:
There are no native layer 2 / ethernet VPNs available in Windows, PPP-like VPNs (L2TP, SSTP, PPTP)

This is Windows 10. I downloaded a VM and it is in a vanilla state.

[screenshot]

Thanks for the suggestions. The other options mentioned are way out of my knowledge, and it doesn't make sense to me that there are a zillion
videos showing the process, which is rather simple, but in my case it does not work, as shown in the proof. Bad luck for me.
I am setting up the OpenVPN option now: creating certificates, importing on the client in specific program files directories and tricks... a mess to establish a simple client-server connection.

Thank you guys
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: Help with L2TP connection - Can't see other LAN devices

Sun Jun 06, 2021 1:17 am

In the PPP profile, put the local address as an arbitrary unused IP, e.g. 192.168.255.254, and for the remote address make an /ip pool in the same subnet. Then in your PPP clients leave "use default gateway on remote network" enabled, and now you can get to the subnets available to the router.

I have 12 or so routers set up for L2TP access this way, with a different subnet for the PPP connection, and it works great.

It's not a bridged L2 connection, which, as tdw said, is not possible. (This I haven't explored, but I believe him.)

You have to make sure your firewall rules allow this network range in the forward chain to get to your local subnets, and allow it in the input chain if you would also like to get into the router from the VPN connection.

If you disable "use default gateway on remote network" on the client machine, you will need to add static routes pointing to the 192.168.255.254 (or your desired PPP local address) gateway address in order for the client to know which gateway to forward to for the remote subnet.
 
axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

Re: Help with L2TP connection - Can't see other LAN devices

Sun Jun 06, 2021 1:32 am

tdw wrote:
If you are using VPN client addresses which overlap with a subnet attached to an ethernet interface you have to use proxy-arp so the Mikrotik replies to ARP requests from local ethernet connected devices on behalf of the remote VPN client.

Ok, I saw some comments from people having the same issue as I do; I'm not alone.
One solution for everyone was to use proxy-arp as you mentioned, so I did this:

[screenshot]

Also I added this rule:
 /ip firewall filter add action=accept chain=forward comment="Test OVPN filter rule" in-interface=all-ppp out-interface=bridge1

Result: it worked for the other people, but here I am still having the same problem. But I feel I may be getting close to the solution.

Here is my export with the code.
Both the L2TP and OpenVPN servers are enabled. I haven't tested the OpenVPN connection yet, but looking at the comments of other people it does not matter; I need to
solve that proxy-arp issue, so it seems...


[admin@MikroTik] > /export hide-sensitive
# jun/05/2021 18:19:03 by RouterOS 6.48.3
# software id = W0PA-KWSM
#
# model = CRS109-8G-1S-2HnD
# serial number = D54E0DXXXXX
/interface bridge
add arp=proxy-arp name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no mode=ap-bridge ssid=NCStudio wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.0.2-10.0.0.244
add name=l2tppool1 ranges=10.0.0.245-10.0.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
/ppp profile
add bridge=bridge1 dns-server=8.8.8.8 local-address=10.0.0.1 name=vpn-prof remote-address=l2tppool1
set *FFFFFFFE change-tcp-mss=default dns-server=8.8.8.8 local-address=10.0.0.1 remote-address=l2tppool1
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=wlan1
add bridge=bridge1 fast-leave=yes interface=*D
/interface l2tp-server server
set default-profile=vpn-prof enabled=yes one-session-per-host=yes use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=server cipher=aes256 enabled=yes require-client-certificate=yes
/ip address
add address=10.0.0.1/8 interface=bridge1 network=10.0.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10h10m
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
add address=10.0.0.0/8 gateway=10.0.0.1 netmask=8
/ip firewall address-list
add address=27.116.56.0/22 comment=AFGHANISTAN list=CountryIPBlocks

A ZILLION BLOCKED COUNTRIES HERE


/ip firewall filter
add action=drop chain=forward comment="Drop invalid connections through router" connection-state=invalid
add action=drop chain=forward comment="Drop all traffic to-from addresses on \\\"CountryIPBlocks\\\" address list" \
    dst-address-list=CountryIPBlocks
add action=accept chain=forward comment="Allow established connections through router" connection-state=established
add action=accept chain=forward comment="Allow related connections through router" connection-state=related
add action=accept chain=forward comment="Allow new connections through router coming in LAN interface" connection-state=\
    new in-interface=ether1
add action=drop chain=forward comment="Drop all other connections through the router" disabled=yes
add action=drop chain=input comment="Drop all traffic from addresses on \"CountryIPBlocks\" address list" \
    src-address-list=CountryIPBlocks
add action=accept chain=input comment="Allow everything from the LAN interface to the router" in-interface=ether1
add action=accept chain=input comment=\
    "Allow established  connections to the router, these are OK because we aren't allowing new connections" \
    connection-state=established
add action=accept chain=input comment=\
    "Allow related connections to the router, these are OK because we aren't allowing new connections" connection-state=\
    related
add action=drop chain=input comment="Drop everything else to the router" disabled=yes
add action=accept chain=forward comment="Test OVPN filter rule" in-interface=all-ppp out-interface=bridge1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ppp secret
add local-address=10.0.0.1 name=ncvpn profile=vpn-prof remote-address=10.0.0.251 routes=10.0.0.0/8 service=l2tp
add local-address=10.0.0.1 name=vpnancy profile=vpn-prof remote-address=10.0.0.240 service=ovpn
/system clock
set time-zone-name=America/New_York
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: Help with L2TP connection - Can't see other LAN devices

Sun Jun 06, 2021 2:44 am

/ip firewall filter
add action=accept chain=forward comment="Allow new connections through router coming in LAN interface" connection-state=\
new in-interface=ether1

Looking at your firewall config, ether1 is your WAN, and in that rule you're allowing all new forward connections from your WAN, even though your comment says it's LAN.

You will need to add

add action=accept chain=forward comment="Allow new connections through router coming in PPP interface" src-address-list="your_ppp_list_name_here"
With a list that includes your ppp pool ip subnet.

And you will need to add an input chain also, if you want access to the router.

You also have your input chain accept rule set to your WAN physical port

add action=accept chain=input comment="Allow everything from the LAN interface to the router" in-interface=ether1



I'm also unsure if you are actually using this subnet:

/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
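An added example, not part of any post in this thread: a small Python audit that parses a RouterOS /export and flags the problems raised above, accept rules that match the WAN interface and catch-all drop rules left disabled (this post), and a PPP pool that overlaps a LAN subnet without proxy-arp on that interface (tdw's earlier post). The export excerpt inside it is constructed from the one axotik posted, trimmed to the relevant sections and with bridge1 left at arp=enabled; the parser handles only add/set lines with key=value parameters, and the function names are my own.

```python
"""Audit a RouterOS '/export' text for issues discussed in this thread.
Added example; the parser is minimal (add/set lines, key=value params) and
the export excerpt below is a constructed subset of the one posted above."""
import ipaddress
import shlex

SAMPLE_EXPORT = """\
/interface bridge
add arp=enabled name=bridge1
/ip pool
add name=dhcp ranges=10.0.0.2-10.0.0.244
add name=l2tppool1 ranges=10.0.0.245-10.0.0.254
/ppp profile
add local-address=10.0.0.1 name=vpn-prof remote-address=l2tppool1
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=10.0.0.1/8 interface=bridge1 network=10.0.0.0
/ip firewall filter
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="established" connection-state=established
add action=accept chain=forward comment="new from LAN?" connection-state=new in-interface=ether1
add action=drop chain=forward comment="drop other" disabled=yes
add action=accept chain=input comment="LAN to router?" in-interface=ether1
add action=drop chain=input comment="drop other" disabled=yes
"""


def parse_export(text):
    """Return [(section, {param: value})] for every add/set line of an export."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line  # e.g. '/ip firewall filter'
            continue
        tokens = shlex.split(line)  # keeps quoted comment="..." values together
        params = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        entries.append((section, params))
    return entries


def wan_accept_rules(entries):
    """Enabled accept rules in input/forward that match the WAN interface and
    are not limited to established/related/untracked traffic."""
    wan = {p["interface"] for s, p in entries
           if s == "/interface list member" and p.get("list") == "WAN"}
    findings = []
    for s, p in entries:
        if s != "/ip firewall filter" or p.get("action") != "accept":
            continue
        if p.get("disabled") == "yes" or p.get("chain") not in ("input", "forward"):
            continue
        from_wan = p.get("in-interface") in wan or p.get("in-interface-list") == "WAN"
        # No connection-state matcher means the rule matches every state, new included.
        states = set(p["connection-state"].split(",")) if "connection-state" in p else {"new"}
        if from_wan and states - {"established", "related", "untracked"}:
            findings.append(f"{p['chain']}: '{p.get('comment', '')}' accepts new "
                            f"connections arriving on WAN")
    return findings


def ppp_pool_overlaps(entries):
    """PPP profiles whose remote-address pool lies inside a LAN subnet; such a
    setup only works if the LAN interface has arp=proxy-arp."""
    pools = {p["name"]: p["ranges"] for s, p in entries if s == "/ip pool"}
    proxy_arp = {p.get("name") for s, p in entries
                 if s in ("/interface bridge", "/interface ethernet")
                 and p.get("arp") == "proxy-arp"}
    lans = [(p["interface"], ipaddress.ip_interface(p["address"]).network)
            for s, p in entries if s == "/ip address"]
    findings = []
    for s, p in entries:
        if s != "/ppp profile" or p.get("remote-address") not in pools:
            continue
        lo, _, hi = pools[p["remote-address"]].partition("-")  # 'a-b' or a single address
        lo, hi = ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)
        for iface, net in lans:
            if lo in net or hi in net:
                arp = "proxy-arp set" if iface in proxy_arp else "proxy-arp NOT set"
                findings.append(f"profile {p['name']}: pool {p['remote-address']} "
                                f"overlaps {net} on {iface} ({arp})")
    return findings


def disabled_drop_rules(entries):
    """Chains whose drop rule is present but disabled, so unmatched traffic
    falls through to RouterOS's implicit accept."""
    return [p["chain"] for s, p in entries if s == "/ip firewall filter"
            and p.get("action") == "drop" and p.get("disabled") == "yes"]


def audit(text):
    entries = parse_export(text)
    return {"wan_accept": wan_accept_rules(entries),
            "pool_overlap": ppp_pool_overlaps(entries),
            "disabled_drop": disabled_drop_rules(entries)}


if __name__ == "__main__":
    for check, items in audit(SAMPLE_EXPORT).items():
        for item in items:
            print(f"[{check}] {item}")
```

Run it against a full export by reading the file into `audit()` instead of `SAMPLE_EXPORT`; on the excerpt it reports the forward and input rules on ether1, the l2tppool1/bridge1 overlap without proxy-arp, and the two disabled drop rules. Lines that use `set [ find ... ]` are parsed loosely (the `find` arguments are read as parameters too), which is enough for the checks above.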
 
johnson73
Member Candidate
Posts: 172
Joined: Wed Feb 05, 2020 10:07 am

Re: Help with L2TP connection - Can't see other LAN devices

Sun Jun 06, 2021 11:28 am

Axotik, in a firewall filter, policies are executed in top-down order. You start with "input" and do not "drop" first.
I will copy the working filter rules that include both L2TP and PPTP. The last filter rule is always a forward drop-all, not "accept". To access internal network devices we set the bridge interface to "proxy-arp". Use the RAW section to block country IPs. If you need to block DNS port 53, we also use the RAW section.
ether1=WAN....
bridge1=LAN...

/ip firewall address-list
add address=10.X.X.0/24 list=Allowed-IP

/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=L2TP connection-state=new dst-port=\
    500,1701,4500 protocol=udp
add action=accept chain=input comment="IKE IPSec" protocol=ipsec-esp
add chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add chain=input action=accept protocol=gre
add action=accept chain=input comment=\
    "Allow access to router from known network" in-interface-list=!WAN \
    src-address-list=Allowed-IP
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface-list=WAN

/ip firewall address-list
add address=27.116.56.0/22 comment=AFGHANISTAN list=CountryIPBlocks
/ip firewall raw
add action=drop chain=prerouting comment=CountryIPBlocks in-interface-list=WAN src-address-list=CountryIPBlocks
For L2TP you can use this example...
https://ibb.co/HzYv3yj
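To make the ordering point concrete, an added example (my own code, not from this post or from MikroTik): a first-match walk over the input chain posted above, with constructed sample packets. The rules are transcribed as Python dicts in the order posted; the packet fields `in_lists` and `src_lists` stand in for RouterOS interface lists and address lists, and the evaluator reproduces RouterOS's behaviour that a packet matching no rule is accepted, which is why the chain has to end in a drop.

```python
"""First-match walk of the input chain posted above (added example).
Rules are transcribed in the same order; a packet is decided by the first
rule it matches, and if nothing matches RouterOS accepts it."""

# in_list "!WAN" mirrors in-interface-list=!WAN; dport sets mirror dst-port lists.
INPUT_CHAIN = [
    {"comment": "accept established,related,untracked", "action": "accept",
     "state": {"established", "related", "untracked"}},
    {"comment": "drop invalid", "action": "drop", "state": {"invalid"}},
    {"comment": "accept ICMP", "action": "accept", "proto": "icmp"},
    {"comment": "L2TP", "action": "accept", "state": {"new"}, "proto": "udp",
     "dport": {500, 1701, 4500}},
    {"comment": "IKE IPsec", "action": "accept", "proto": "ipsec-esp"},
    {"comment": "PPTP VPN", "action": "accept", "proto": "tcp", "dport": {1723}},
    {"comment": "GRE", "action": "accept", "proto": "gre"},
    {"comment": "Allow access to router from known network", "action": "accept",
     "in_list": "!WAN", "src_list": "Allowed-IP"},
    {"comment": "drop all not coming from LAN", "action": "drop", "in_list": "!LAN"},
]


def matches(rule, pkt):
    """True if every matcher present in the rule agrees with the packet."""
    if "state" in rule and pkt["state"] not in rule["state"]:
        return False
    if "proto" in rule and pkt["proto"] != rule["proto"]:
        return False
    if "dport" in rule and pkt.get("dport") not in rule["dport"]:
        return False
    if "in_list" in rule:
        negated = rule["in_list"].startswith("!")
        member = rule["in_list"].lstrip("!") in pkt["in_lists"]
        if member == negated:  # in the list but rule says "!list", or vice versa
            return False
    if "src_list" in rule and rule["src_list"] not in pkt["src_lists"]:
        return False
    return True


def evaluate(chain, pkt):
    """Return (action, comment) of the first matching rule, or the implicit accept."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "(no rule matched: RouterOS implicit accept)"


def packet(proto, dport=None, state="new", in_lists=(), src_lists=()):
    """Constructed packet; in_lists/src_lists name the interface/address lists it is in."""
    return {"proto": proto, "dport": dport, "state": state,
            "in_lists": set(in_lists), "src_lists": set(src_lists)}


# Constructed sample traffic (8291 is the Winbox port).
L2TP_FROM_WAN = packet("udp", 1701, in_lists=["WAN"])
WINBOX_FROM_WAN = packet("tcp", 8291, in_lists=["WAN"])
WINBOX_FROM_LAN = packet("tcp", 8291, in_lists=["LAN"], src_lists=["Allowed-IP"])
REPLY_FROM_WAN = packet("tcp", 8291, state="established", in_lists=["WAN"])

if __name__ == "__main__":
    for name, pkt in [("L2TP from WAN", L2TP_FROM_WAN),
                      ("Winbox from WAN", WINBOX_FROM_WAN),
                      ("Winbox from LAN", WINBOX_FROM_LAN),
                      ("established reply from WAN", REPLY_FROM_WAN)]:
        print(name, "->", evaluate(INPUT_CHAIN, pkt))
    # Same chain minus its last rule: Winbox from the WAN falls through and is accepted.
    print("Winbox from WAN, no final drop ->", evaluate(INPUT_CHAIN[:-1], WINBOX_FROM_WAN))
    # Same rules with the catch-all drop moved to the top: L2TP from the WAN is blocked too.
    print("L2TP from WAN, drop first ->",
          evaluate(INPUT_CHAIN[-1:] + INPUT_CHAIN[:-1], L2TP_FROM_WAN))
```

The two last lines are the point of the post: drop the terminal rule and management traffic from the WAN is accepted by default; move that rule above the VPN accepts and the VPN stops working.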
 
axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

Re: Help with L2TP connection - Can't see other LAN devices

Mon Jun 07, 2021 7:08 am

Thank you guys for the tips and help.
I am watching more articles, trying to learn, and hopefully I will be able to implement some basic MikroTik setups safely.
I created the firewall rules using this site:
https://mikrotikconfig.com/

Looks like that was a bad idea...

Johnson, I will take a look at the screenshot and let you know.
Thank you a lot
 
axotik
Frequent Visitor
Topic Author
Posts: 51
Joined: Sun May 09, 2021 12:25 am

Re: Help with L2TP connection - Can't see other LAN devices

Mon Jun 07, 2021 8:30 pm

Johnson, I got the connection working with the help of your screenshots. I want to thank you a lot for the help.
I am not sure what those IPsec settings do, and I had that DNS checkbox turned off, but now it works.
The mask in the client still shows as 255.255.255.255, but now I can see the other network devices.

I haven't modified the firewall yet. I'm not sure if I should erase all the current firewall settings and use the code you posted previously?
I am afraid to use that website again for the firewall configuration. I will be watching some basic tutorials on MikroTik firewalls today.
Thank you
 
johnson73
Member Candidate
Posts: 172
Joined: Wed Feb 05, 2020 10:07 am

Re: Help with L2TP connection - Can't see other LAN devices

Mon Jun 07, 2021 10:51 pm

If you want, you can leave it all as it is, but I would recommend looking at the diagram where it is very clearly shown how the incoming packets are filtered.
Section - "Packet flow chains"
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow
The first will be "prerouting", then "input", then "forward" .... "output". I'll copy a tested and working example for you that will suffice, unless you have specific network requirements.
The netmask 255.255.255.255 should not appear if you have specified the internal network addresses correctly.
Your above configuration had the following entry:
/ip dhcp-server network
add address=0.0.0.0/24 gateway=0.0.0.0 netmask=24
It's not necessary! We only record the current subnet (10.0.0.0/24, or another), either one or several, depending on how many are needed. The link I copied where the L2TP configs were displayed had one subnet and nothing more. With this configuration, everything will work without problems.
 
mikeeg02
Member Candidate
Posts: 162
Joined: Fri Mar 30, 2018 2:28 am
Location: Pennsylvania

Re: Help with L2TP connection - Can't see other LAN devices

Tue Jun 08, 2021 1:42 am

If he changed his PPP network addresses as provided in the screenshots, that's why he can now get to his existing 10.0.0.0/8 subnets attached to the router. The reason he couldn't before is because he was trying to overlap his PPP and local-to-the-router subnets, which is why I suggested changing to an unused subnet such as 192.168.255.0/24, or one he's not going to otherwise use. As also suggested above, I was able to use proxy-arp on the bridge and get to the subnets while overlapping.

I believe the reason the latter didn't work for him is because he also manually assigned an IP address on the client, which may or may not have matched where the router was attempting to send for its PPP client.

Now you will need to protect your router and set appropriate firewall rules.
 
pierrot
just joined
Posts: 2
Joined: Thu Nov 25, 2021 11:51 pm

Re: Help with L2TP connection - Can't see other LAN devices

Fri Nov 26, 2021 12:15 am

Hello,
Please, I need some help. I cannot ping my SXT connected to ether2 of my MikroTik on site while I am connected via VPN to the MikroTik.
IP of the SXT: 10.1.10.1
Below is the config


/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Uplink
set [ find default-name=ether2 ] arp=proxy-arp name=ether2-ToSwitch
set [ find default-name=ether3 ] name=ether3
set [ find default-name=ether4 ] name=ether4
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1-Uplink name=pppoe-out1 \
password=test user=test
/interface l2tp-server
add name=l2tp-in1 user=vpn
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1
/ip pool
add name=dhcp_pool0 ranges=192.168.5.2-192.168.5.254
add name=ppptp-pool ranges=192.168.50.1-192.168.50.10
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/ppp profile
add change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=ppptp-pool \
name=pptp-profile remote-address=ppptp-pool use-encryption=yes
/interface bridge port
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=ether2-swtich
/interface l2tp-server server
set enabled=yes ipsec-secret=secret use-ipsec=yes
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=pptp-profile
/ip address
add address=192.168.5.1/24 interface=bridge1 network=192.168.5.0
add address=10.1.10.10/24 interface=ether2-ToSwitch network=10.1.10.0
/ip dhcp-server network
add address=192.168.5.0/24 gateway=192.168.5.1
/ip dns
set servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.5.0/24
add action=masquerade chain=srcnat out-interface=pppoe-out1 src-address=\
192.168.50.0/24
/ppp secret
add name=testvpn password=vpn profile=pptp-profile service=l2tp
