I have a RB3011 working well for months with a quite non-standard configuration (it's used as a failover device) with an extended use of netmap function.
I used to use PPTP for maintenance purpose, but my ISP doesn't allow it anymore, so I wanted to switch to L2TP.
Problem : it doesn't work. It seems like the IPSec policy automatically created use a LAN address as the src-address, so it doesn't match the L2TP connection.
If I disable the netmap rule, it works well.
I tried to add an "accept" rule for udp/500 and udp/4500 and to place it before the netmap rule, but it does not change anything.
Here is the configuration :
Code: Select all
/interface bridge
add admin-mac=C4:AD:34:D9:16:67 auto-mac=no comment=defconf name=bridge
add arp=proxy-arp name=bridge-voip
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] lifetime=8h
/ip pool
add name=dhcp_pool1 ranges=172.16.1.101-172.16.1.130
add name=pptp-pool ranges=172.16.1.20-172.16.1.30
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge-voip name=dhcp-voip
/ppp profile
add local-address=172.16.1.253 name=PPTP only-one=no remote-address=pptp-pool
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge-voip comment=defconf interface=ether7
add bridge=bridge-voip comment=defconf interface=ether8
add bridge=bridge-voip comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge-voip interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface ethernet switch rule
add new-vlan-priority=5 ports=switch1-cpu src-mac-address=\
C4:AD:34:D9:16:69/FF:FF:FF:FF:FF:FF switch=switch1
/interface l2tp-server server
set authentication=mschap1,mschap2 enabled=yes use-ipsec=required
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=ether3 list=WAN
add interface=bridge-voip list=LAN
add list=LAN
/interface pptp-server server
set default-profile=PPTP
/ip address
add address=XX.XX.XX.81/29 interface=ether1 network=XX.XX.XX.80
add address=XX.XX.XX.82/29 interface=ether1 network=XX.XX.XX.80
add address=XX.XX.XX.83/29 interface=ether1 network=XX.XX.XX.80
add address=XX.XX.XX.84/29 interface=ether1 network=XX.XX.XX.80
add address=XX.XX.XX.85/29 interface=ether1 network=XX.XX.XX.80
add address=YY.YY.YY.97/29 interface=ether2 network=YY.YY.YY.96
add address=YY.YY.YY.98/29 interface=ether2 network=YY.YY.YY.96
add address=YY.YY.YY.99/29 interface=ether2 network=YY.YY.YY.96
add address=YY.YY.YY.100/29 interface=ether2 network=YY.YY.YY.96
add address=YY.YY.YY.101/29 interface=ether2 network=YY.YY.YY.96
add address=192.168.254.1/24 interface=ether3 network=192.168.254.0
add address=10.0.0.5/29 interface=bridge network=10.0.0.0
add address=172.16.1.253/24 comment="LAN VOIP" interface=bridge-voip network=\
172.16.1.0
/ip dhcp-server network
add address=172.16.1.0/24 dns-server=80.12.10.152,80.12.10.156 gateway=\
172.16.1.254
/ip dns
set allow-remote-requests=yes servers=194.2.0.50,194.2.0.20
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="Accept L2TP over IPSec" dst-port=\
1701,500,4500 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"accept WebFig HTTPS connexions from WAN" dst-port=8443 \
in-interface-list=WAN protocol=tcp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address=172.16.1.250 in-interface=bridge new-connection-mark=SSP \
passthrough=yes src-address=10.0.0.2
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether1 new-connection-mark=in-BIO passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether2 new-connection-mark=in-BIV passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=bridge new-connection-mark=out passthrough=yes
add action=mark-routing chain=prerouting connection-mark=SSP in-interface=\
bridge new-routing-mark=SSP passthrough=yes
add action=mark-routing chain=prerouting connection-mark=in-BIO \
dst-address-type=!local in-interface-list=LAN new-routing-mark=BIO \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=in-BIV \
dst-address-type=!local in-interface-list=LAN new-routing-mark=BIV \
passthrough=yes
add action=mark-routing chain=output connection-mark=in-BIO new-routing-mark=\
BIO passthrough=yes
add action=mark-routing chain=output connection-mark=in-BIV new-routing-mark=\
BIV passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether3
add action=masquerade chain=srcnat out-interface=ether4
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 \
src-address=10.0.0.1 to-addresses=XX.XX.XX.81
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 \
src-address=10.0.0.2 to-addresses=XX.XX.XX.82
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 \
src-address=10.0.0.3 to-addresses=XX.XX.XX.83
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 \
src-address=10.0.0.4 to-addresses=XX.XX.XX.84
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether1 \
src-address=10.0.0.5 to-addresses=XX.XX.XX.85
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether2 \
src-address=10.0.0.1 to-addresses=YY.YY.YY.97
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether2 \
src-address=10.0.0.2 to-addresses=YY.YY.YY.98
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether2 \
src-address=10.0.0.3 to-addresses=YY.YY.YY.99
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether2 \
src-address=10.0.0.4 to-addresses=YY.YY.YY.100
add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=ether2 \
src-address=10.0.0.5 to-addresses=YY.YY.YY.101
add action=netmap chain=dstnat dst-address=XX.XX.XX.80/29 in-interface=ether1 \
to-addresses=10.0.0.0/29
add action=netmap chain=dstnat dst-address=YY.YY.YY.96/29 in-interface=ether2 \
to-addresses=10.0.0.0/29
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
add check-gateway=ping distance=1 dst-address=172.16.1.250/32 gateway=\
YY.YY.YY.102 routing-mark=SSP
add check-gateway=ping distance=1 gateway=XX.XX.XX.86 routing-mark=BIO
add distance=2 routing-mark=BIO type=unreachable
add check-gateway=ping distance=1 gateway=YY.YY.YY.102 routing-mark=BIV
add distance=2 routing-mark=BIV type=unreachable
add check-gateway=ping distance=1 gateway=172.16.1.254 routing-mark=VOIP
add check-gateway=ping comment=BIO distance=1 gateway=XX.XX.XX.86
add check-gateway=ping comment=BIV distance=2 gateway=YY.YY.YY.102
add check-gateway=ping distance=3 gateway=192.168.254.254
add check-gateway=ping distance=1 dst-address=80.12.10.152/32 gateway=\
172.16.1.254
add check-gateway=ping distance=1 dst-address=80.12.10.156/32 gateway=\
172.16.1.254
add check-gateway=ping distance=1 dst-address=192.252.164.144/32 gateway=\
172.16.1.254
add check-gateway=ping distance=1 dst-address=217.167.53.129/32 gateway=\
172.16.1.254
add check-gateway=ping distance=1 dst-address=217.167.210.132/32 gateway=\
172.16.1.254
/ip service
set www-ssl certificate=WebFig disabled=no port=443
/lcd
set time-interval=hour
/ppp secret
add local-address=172.16.1.253 name=l2tp_user remote-address=172.16.1.20 service=\
l2tp
How can I do ?
Thanks,
Joris