kleshki
newbie
Topic Author
Posts: 31
Joined: Tue Mar 10, 2020 6:37 am

Network cannot be accessed after L2TP address pool change

Sun Jul 25, 2021 4:15 pm

Hello. Trying to fix the address pool for my L2TP connections. What I have now:
1. 192.168.240.1/23 - LAN address pool
2. 192.168.250.1/23 - l2tp address pool, added in IP-Addresses, IP-Pool, Firewall-Filter rules accept
3. Connecting with a CMAK connection with routes.txt inside on a Windows 10 client. Everything works perfectly.

Now I'm changing the l2tp pool to 192.168.230.1/23, so I change it in IP-Addresses, IP-Pool, a new firewall rule, and the PPP profile. The client now receives the 192.168.230.0 address, route print shows all routes added, but I can't ping either the LAN from the L2TP client or the client from the MikroTik. Trying to RDP from the client to one of the LAN machines, Torch shows attempts to connect from 192.168.230.0 to the 192.168.240.100 address, but still nothing happens. The firewall also shows 0 bytes on this rule.
Reverting the changes back brings everything working again. What am I missing?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Network cannot be accessed after L2TP address pool change

Sun Jul 25, 2021 4:17 pm

If the addresses are real private addresses and not "censored" for the forum:

Make one /export and find all the occurrences of "250"; probably you missed something.

If that does not work, the problem can be a fixed setting on the remote machines.
 
kleshki
newbie
Topic Author
Posts: 31
Joined: Tue Mar 10, 2020 6:37 am

Re: Network cannot be accessed after L2TP address pool change

Sun Jul 25, 2021 5:02 pm

# jul/25/2021 18:56:47 by RouterOS 6.43
# software id = 6TTH-KAVK
#
# model = 2011iL
# serial number = 5BEC04B45E97
/interface bridge
add admin-mac=4C:5E:0C:EC:67:2C arp=proxy-arp auto-mac=no fast-forward=no \
    name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full arp=proxy-arp \
    name=ether6-master-local
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether7-slave-local
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether8-slave-local
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether9-slave-local
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether10-slave-local
/interface vlan
add arp=reply-only interface=bridge-local name=WiFi vlan-id=10
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=DHCP240 ranges=192.168.240.50-192.168.241.254
add name=VPN ranges=192.168.250.0/23
add name=WiFi ranges=192.168.246.0/23
add name=VPN230 ranges=192.168.230.0/23
/ip dhcp-server
add address-pool=DHCP240 authoritative=after-2sec-delay disabled=no \
    interface=bridge-local name=default src-address=192.168.240.1
add add-arp=yes address-pool=WiFi disabled=no interface=WiFi name=wifi
/ppp profile
add change-tcp-mss=yes local-address=192.168.188.1 name=L2tp use-encryption=\
    yes
add bridge=bridge-local change-tcp-mss=yes dns-server=192.168.240.100 \
    local-address=192.168.240.1 name=VPN remote-address=VPN230 \
    use-encryption=yes
add change-tcp-mss=yes local-address=192.168.240.1 name=SSTP only-one=no \
    use-compression=yes use-encryption=yes use-mpls=no use-upnp=no
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge-local hw=no interface=ether2
add bridge=bridge-local hw=no interface=ether3
add bridge=bridge-local hw=no interface=ether4
add bridge=bridge-local hw=no interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=ether7-slave-local
add bridge=bridge-local interface=ether8-slave-local
add bridge=bridge-local interface=ether9-slave-local
add bridge=bridge-local interface=ether10-slave-local
add bridge=bridge-local interface=WiFi trusted=yes
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
set authentication=mschap2 default-profile=VPN enabled=yes ipsec-secret=\
    "#" use-ipsec=yes
/interface list member
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=ether6-master-local list=discover
add interface=ether7-slave-local list=discover
add interface=ether8-slave-local list=discover
add interface=ether9-slave-local list=discover
add interface=ether10-slave-local list=discover
add interface=bridge-local list=discover
add interface=ether2 list=mactel
add interface=ether3 list=mactel
add interface=ether2 list=mac-winbox
add interface=ether4 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether5 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether6-master-local list=mactel
add interface=ether5 list=mac-winbox
add interface=ether7-slave-local list=mactel
add interface=ether6-master-local list=mac-winbox
add interface=ether8-slave-local list=mactel
add interface=ether7-slave-local list=mac-winbox
add interface=ether9-slave-local list=mactel
add interface=ether8-slave-local list=mac-winbox
add interface=ether10-slave-local list=mactel
add interface=ether9-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=ether10-slave-local list=mac-winbox
add interface=bridge-local list=mac-winbox
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.0.1/23 comment="default configuration" interface=\
    bridge-local network=192.168.0.0
add address=# interface=ether1-gateway network=#
add address=192.168.188.1/24 interface=bridge-local network=192.168.188.0
add address=192.168.240.1/23 interface=bridge-local network=192.168.240.0
add address=192.168.246.1/23 interface=WiFi network=192.168.246.0
add address=192.168.250.1/23 interface=bridge-local network=192.168.250.0
add address=192.168.230.1/23 interface=bridge-local network=192.168.230.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=\
    ether1-gateway
/ip dns static
add address=192.168.0.1 name=router
/ip firewall filter
add action=accept chain=forward in-interface=ether1-gateway src-address-list=\
    Whitelist
add action=accept chain=forward src-address=192.168.250.0/23 \
    src-address-list=""
add action=accept chain=forward log=yes src-address=192.168.230.0/23
/ip route
add distance=1 gateway=#
add distance=1 dst-address=192.168.230.0/23 gateway=bridge-local pref-src=\
    192.168.240.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp aaa
set use-radius=yes
/radius
add address=192.168.240.100 secret=\
    # service=\
    ppp,login src-address=192.168.240.1
/system clock
set time-zone-autodetect=no time-zone-name=Etc/GMT-5
/system identity
set name="PKF MikroTik"
/system logging
set 0 topics=info,!dhcp
/system ntp client
set enabled=yes primary-ntp=128.138.141.172
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool sniffer
set filter-port=radius-acct streaming-server=192.168.0.101
/user aaa
set default-group=full use-radius=yes
This is what I have right now; I can't see anything wrong. But also, what can be wrong on the client machine if the new address pool and routes are applied?
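One check worth running on an export like the one above is whether any address the router itself holds falls inside a pool it hands out to PPP clients, since a client leased the same address as the router's bridge interface cannot be reached from the LAN. This is an added example, not code from the thread or from MikroTik; the embedded export excerpt is a constructed cut-down of the posted one, and the parser reads only the /ip pool and /ip address sections.

```python
import ipaddress
import re

# Constructed excerpt of the /export posted above, cut down to the two
# sections this check reads; any full RouterOS export text works too.
SAMPLE_EXPORT = """\
/ip pool
add name=DHCP240 ranges=192.168.240.50-192.168.241.254
add name=VPN ranges=192.168.250.0/23
add name=VPN230 ranges=192.168.230.0/23
/ip address
add address=192.168.240.1/23 interface=bridge-local network=192.168.240.0
add address=192.168.250.1/23 interface=bridge-local network=192.168.250.0
add address=192.168.230.1/23 interface=bridge-local network=192.168.230.0
"""

def parse_range(spec):
    """A pool range is either a CIDR block or 'first-last'; return (first, last)."""
    if "/" in spec:
        net = ipaddress.ip_network(spec, strict=False)
        return net[0], net[-1]
    first, last = spec.split("-")
    return ipaddress.ip_address(first), ipaddress.ip_address(last)

def parse_export(text):
    """Return ({pool name: [(first, last), ...]}, [(ip, interface), ...])."""
    pools, addresses, section = {}, [], None
    # exports wrap long commands with a trailing backslash and indent the rest
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
            continue
        kv = dict(re.findall(r'(\S+?)=("[^"]*"|\S+)', line))
        if section == "/ip pool" and "ranges" in kv:
            pools[kv["name"]] = [parse_range(r) for r in kv["ranges"].split(",")]
        elif section == "/ip address" and "address" in kv:
            try:  # the poster redacted the WAN address as '#'; skip such lines
                ip = ipaddress.ip_interface(kv["address"]).ip
            except ValueError:
                continue
            addresses.append((ip, kv.get("interface", "?")))
    return pools, addresses

def find_conflicts(text):
    """List router-owned addresses that sit inside a pool handed out to clients."""
    pools, addresses = parse_export(text)
    return [(iface, str(ip), name) for ip, iface in addresses
            for name, ranges in pools.items() for first, last in ranges
            if first <= ip <= last]
```

On this excerpt both 192.168.250.1 (pool VPN) and 192.168.230.1 (pool VPN230) on bridge-local are flagged, so the overlap is something to tidy in the config rather than a proven cause of the breakage, given that the 250 setup worked.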
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Network cannot be accessed after L2TP address pool change

Sun Jul 25, 2021 5:15 pm

Apart from this problem,
I suggest first upgrading to 6.47.10; 6.43 is too old and some hacks are well known.

Now I read the export and write about it.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Network cannot be accessed after L2TP address pool change

Sun Jul 25, 2021 5:31 pm

Paste this in the terminal, without omitting the { }:
{
/interface bridge
set bridge-local fast-forward=yes
/interface ethernet
set [ find default-name=ether1 ] speed=1Gbps
set [ find default-name=ether2 ] speed=1Gbps
set [ find default-name=ether3 ] speed=1Gbps
set [ find default-name=ether4 ] speed=1Gbps
set [ find default-name=ether5 ] speed=1Gbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full
/interface list
set discover exclude=""
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc
/ip pool
set VPN230 ranges=192.168.230.1-192.168.230.254,192.168.231.1-192.168.231.254
/ip firewall filter
set [find where src-address="192.168.250.0/23"] !src-address-list
}
 
kleshki
newbie
Topic Author
Posts: 31
Joined: Tue Mar 10, 2020 6:37 am

Re: Network cannot be accessed after L2TP address pool change

Sun Jul 25, 2021 6:13 pm

OK, after these changes I'm able to ping from the MikroTik to the client, but from the client resources are still unavailable (i.e. ping timeout and inaccessible RDP server).
UPD: also now the firewall shows some packets parsing on the 230.0 rule, but still can't access from remote to local.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Network cannot be accessed after L2TP address pool change

Sun Jul 25, 2021 6:25 pm

Try to temporarily stop all drop firewall filter rules.
Are you sure no fixed parameters are set on the remote devices?
On the RADIUS server, do the profiles use the right pool name, changed from VPN to VPN230?
Last edited by rextended on Sun Jul 25, 2021 6:34 pm, edited 2 times in total.
 
kleshki
newbie
Topic Author
Posts: 31
Joined: Tue Mar 10, 2020 6:37 am

Re: Network cannot be accessed after L2TP address pool change

Sun Jul 25, 2021 6:30 pm

This is the route added to the CMAK package:
ADD 192.168.240.0 MASK 255.255.254.0 default METRIC default IF default
These routes are added in the route print output:
    192.168.230.0    255.255.255.0    192.168.240.1    192.168.230.1     36
    192.168.230.1  255.255.255.255         On-link     192.168.230.1    291
    192.168.240.0    255.255.254.0         On-link     192.168.230.1     53
  192.168.241.255  255.255.255.255         On-link     192.168.230.1    291
RADIUS is Windows Server NPS; it only utilizes the user name for auth and the RADIUS client IP (i.e. 192.168.240.1), nothing else. I can establish the connection correctly, so RADIUS shouldn't be an issue. Windows logs also throw no errors here.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Network cannot be accessed after L2TP address pool change

Sun Jul 25, 2021 6:34 pm

One question: do you use RADIUS also for access to WinBox and CLI on this device?
It is set as I describe it.

Sorry, on first read I missed those; paste in the terminal:
{
/ip dhcp-server
set [find] authoritative=yes
/interface bridge port
set [find] hw=yes
}
But at this point, for me the RouterBOARD (ignoring old software and missing default firewall rules)
looks right; I can't deduce why it does not work.
 
kleshki
newbie
Topic Author
Posts: 31
Joined: Tue Mar 10, 2020 6:37 am

Re: Network cannot be accessed after L2TP address pool change

Sun Jul 25, 2021 6:40 pm

Yes, I use RADIUS for WinBox auth also, but there's a separate rule for the login service which shouldn't affect it. The PPP rule doesn't check for the VPN or VPN230 range.
 
kleshki
newbie
Topic Author
Posts: 31
Joined: Tue Mar 10, 2020 6:37 am

Re: Network cannot be accessed after L2TP address pool change

Sun Jul 25, 2021 6:52 pm

It looks kinda weird, since all worked perfectly on the 250 range, but just changing IPs breaks everything. Maybe I can enable some additional logs to see what happens?
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Network cannot be accessed after L2TP address pool change

Sun Jul 25, 2021 6:56 pm

Sincerely, I have no idea; did you just try to reboot the device?

You can do two things at the same time: full backup first, save to PC,
and upgrade to 6.47.10, the last long-term;
the upgrade causes a RouterBOARD reboot.

I ask you a courtesy: if possible, when you find the cause, write back here on the forum to help the others.
 
kleshki
newbie
Topic Author
Posts: 31
Joined: Tue Mar 10, 2020 6:37 am

Re: Network cannot be accessed after L2TP address pool change

Sun Jul 25, 2021 7:16 pm

How long does the OS upgrade take? I initiated an upgrade and now the device has not been responding for a while already.
 
kleshki
newbie
Topic Author
Posts: 31
Joined: Tue Mar 10, 2020 6:37 am

Re: Network cannot be accessed after L2TP address pool change

Mon Jul 26, 2021 6:09 am

OK, so the update seems to have failed for some reason, since the router stopped responding after clicking the Download&Install button. After a power cycle the OS version came back to 6.43 and the problem still persists (I think that a power cycle counts as a router reboot). I even tried another remote device with a fresh Win7 installation and no result. Tried to disable all drop rules - no result. I'll try another OS update eventually, but that problem scares...
 
kleshki
newbie
Topic Author
Posts: 31
Joined: Tue Mar 10, 2020 6:37 am

Re: Network cannot be accessed after L2TP address pool change

Thu Aug 05, 2021 9:32 am

> I ask you a courtesy: if possible, when you find the cause, write back here on the forum to help the others.
OK, so I found the solution: it seems that "re-using" the existing profile for a new IP Pool was not working, so creating a new IP Pool, a new PPP Profile, assigning the new pool to the new profile, then assigning the new PPP profile to the L2TP server did the job (dunno why).
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Network cannot be accessed after L2TP address pool change

Thu Aug 05, 2021 10:24 am

:shock:
