Community discussions

MikroTik App
 
DavidGB
newbie
Topic Author
Posts: 45
Joined: Fri Sep 14, 2018 9:22 pm

Access to Miktorik's WAN

Fri Jul 30, 2021 1:49 pm

Hi,

I have a question:

I have a Master Mikrotik and others Mikrotiks Client.
All Client have VPN server (L2TP) with same configuration:
VPN Local address: 192.168.30.1
VPN Remote address: 192.168.30.2
Internal LAN: 192.168.20.0/24
WAN (client domestic router): 192.168.1.0/24

When I want to connect to those clients I activate an VPN tunnel to this client (this tunel get default route) and I have access to all networks from mikrotik (192.168.20.0/24, 192.168.1.0/24 and internet) but from my LAN (Master Mikrotik LAN: 192.168.2.0/24) i only have access to 192.168.20.0/24 and not to 192.168.1.0/24 or internet).

Any Idea?

Thanks
 
User avatar
feranmi
just joined
Posts: 14
Joined: Tue Aug 20, 2019 11:11 am
Location: Surulere, Lagos

Re: Access to Miktorik's WAN

Fri Jul 30, 2021 6:16 pm

do you mind sharing your config for better understading?
 
User avatar
anav
Forum Guru
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Access to Miktorik's WAN

Fri Jul 30, 2021 6:32 pm

Very confusing, a network diagram would help.

It seems like the remote sites are Servers and you are the vpn client??
 
DavidGB
newbie
Topic Author
Posts: 45
Joined: Fri Sep 14, 2018 9:22 pm

Re: Access to Miktorik's WAN

Fri Jul 30, 2021 8:45 pm

Yes, my clients are servers and my mikrotik is the client. The purpose of this configuration is to connect to my clients routers when I need it and to be the same configuration in all client mikrotik.

Here my configuration:
In this configuration you can see VPN client and VPN server. I'm asking for VPN client.
/interface bridge
add admin-mac=AA:4D:AA:89:VF:11 auto-mac=no comment=defconf name=LAN-Bridge \
protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment=ISP
set [ find default-name=ether2 ] comment=Switch
set [ find default-name=ether3 ] comment=PC
set [ find default-name=ether5 ] comment=AP
set [ find default-name=ether6 ] comment=LM
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface l2tp-client
add add-default-route=yes allow=mschap2 connect-to=xxxxxxxxxx.sn.mynetname.net \
name=Cliente1 use-ipsec=yes user=Administrador
add add-default-route=yes allow=mschap2 connect-to=xxxxxxxxxxx.sn.mynetname.net \
name=Cliente2 use-ipsec=yes user=Administrador
/interface vlan
add interface=ether1 name=INTERNET vlan-id=100
/interface pppoe-client
add add-default-route=yes default-route-distance=2 disabled=no interface=INTERNET \
name=PPPoE-out1 user=xxxxxxxxxxxx@vodafone
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=LAN-Pool ranges=192.168.2.20-192.168.2.150
add name=vpn ranges=10.10.1.1-10.10.1.200
add name=VPN-Pool ranges=192.168.10.200-192.168.10.250
/ip dhcp-server
add address-pool=LAN-Pool disabled=no interface=LAN-Bridge name=DHCP-LAN
/ppp profile
add change-tcp-mss=yes interface-list=LAN local-address=192.168.10.1 name=\
profile-acceso-router remote-address=VPN-Pool use-encryption=yes
add change-tcp-mss=yes local-address=192.168.10.1 name=profile-clientes-Shelly \
use-encryption=yes
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password\
,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=LAN-Bridge comment=defconf interface=ether2
add bridge=LAN-Bridge comment=defconf interface=ether3
add bridge=LAN-Bridge comment=defconf interface=ether4
add bridge=LAN-Bridge comment=defconf interface=ether5
add bridge=LAN-Bridge comment=defconf interface=ether6
add bridge=LAN-Bridge comment=defconf interface=ether7
add bridge=LAN-Bridge comment=defconf interface=ether8
add bridge=LAN-Bridge comment=defconf interface=ether9
add bridge=LAN-Bridge comment=defconf interface=sfp-sfpplus1
add bridge=LAN-Bridge hw=no interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=LAN-Bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=PPPoE-out1 list=WAN
add list=LAN
/interface sstp-server server
set authentication=mschap2 certificate=vpn-server force-aes=yes pfs=yes port=3443 \
tls-version=only-1.2
/ip address
add address=192.168.2.1/24 comment=defconf interface=LAN-Bridge network=\
192.168.2.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
/ip firewall address-list
add address=b8f60a38c7a4.sn.mynetname.net list=public-ip
add address=4ac704c13b00.sn.mynetname.net list=ip-aitas
add address=192.168.2.151-192.168.2.155 list=Internet_Bloqueado
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=reject chain=forward comment="Block Internet" reject-with=\
icmp-network-unreachable src-address-list=Internet_Bloqueado
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward in-interface-list=LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting comment=\
"Todas las IP que esten en la lista Internet_Bloqueado no tendran internet" \
new-routing-mark=sin_internet passthrough=yes src-address-list=\
Internet_Bloqueado
add action=set-priority chain=postrouting new-priority=0 out-interface=PPPoE-out1
/ip firewall nat
add action=masquerade chain=srcnat comment="Para llegar a la red del cliente VPN" \
dst-address=192.168.20.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment=hairpin-nat dst-address=192.168.2.0/24 \
src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.10.0/24
/ip route
add comment="Red Aitas" disabled=yes distance=1 dst-address=192.168.1.0/24 \
gateway=192.168.10.2
add comment="Para tener acceso a la red interna del cliente" disabled=yes \
distance=1 dst-address=192.168.1.0/24 gateway=192.168.30.1
add comment="Para tener acceso a la red interna del mikrotik del cliente" \
disabled=yes distance=1 dst-address=192.168.20.0/24 gateway=192.168.30.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api address=192.168.2.205/32
set winbox port=8299
set api-ssl disabled=yes
/ppp secret
add name=David profile=profile-acceso-router service=l2tp
add name=Cliente_2 profile=profile-clientes-Shelly remote-address=192.168.10.2 \
service=l2tp
add name=Cliente_3 profile=profile-clientes-Shelly remote-address=192.168.10.3 \
service=l2tp
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=Router
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Here network diagram:
Diagram.JPG
You do not have the required permissions to view the files attached to this post.

Who is online

Users browsing this forum: Bing [Bot], GoogleOther [Bot], ItchyAnkle, menyarito and 97 guests