Community discussions

MikroTik App
 
FqYwFq5xZoVE
just joined
Topic Author
Posts: 1
Joined: Tue Oct 19, 2021 5:30 pm

L2TP VPN unable connect to local subnet

Tue Oct 19, 2021 5:52 pm

Hi, I tried to build L2TP/IPsec VPN and it's working, I can connect the VPN via my laptop and able connect to MikroTik RouterOS,
but ping or connect to local workstation all failure,
I tried everything I can found on Google and spend few days but nothing change,
could anyone helps to check my configuration and provide your advice, many thanks.

/interface bridge
add admin-mac=********** auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Wan
set [ find default-name=ether2 ] arp=proxy-arp name=ether2
set [ find default-name=ether3 ] name=ether3
set [ find default-name=ether4 ] name=ether4
set [ find default-name=ether5 ] arp=proxy-arp name=ether5
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.1.2-192.168.1.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE dns-server=1.1.1.1,8.8.8.8 local-address=192.168.89.1 \
    remote-address=vpn use-ipv6=no
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5

/interface l2tp-server server
set authentication=mschap2 enabled=yes ipsec-secret=********** max-mru=\
    1460 max-mtu=1460 use-ipsec=yes
/interface list member
add comment="defconf for LAN" interface=bridge list=LAN
add comment="defconf for WAN" interface=ether1-Wan list=WAN
add interface=pppoe-out1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
    192.168.1.0

/ip dhcp-client
add comment=defconf interface=ether1-Wan

/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.89.2-192.168.89.255 list=VPN
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="VPN connection rule" protocol=icmp \
    src-address-list=VPN
add action=accept chain=forward dst-address=192.168.89.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.89.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log=yes
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=VPN passthrough=yes \
    src-address-list=VPN
/ip firewall nat
add action=accept chain=srcnat comment=bypass_nat_chain_for_vpn dst-address=\
    192.168.89.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" \
    dst-address-list=!VPN log=yes src-address-list=VPN
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ppp secret
add local-address=192.168.89.1 name=********** password=\
    ********** profile=default-encryption service=l2tp
I deleted some information as above, please help me to check

Who is online

Users browsing this forum: InfraErik, johnson73 and 69 guests