waldemaro82
just joined
Topic Author
Posts: 1
Joined: Tue May 10, 2022 9:28 pm

Access to L2TP Client from LAN

Tue May 10, 2022 9:44 pm

Hello.
I can access hosts in the LAN from the VPN client, but I cannot access them in the reverse direction.
Thanks for any answers.
/ip firewall filter
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="For port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="VLAN Rule" in-interface=vlan30 out-interface=ether1 src-address=10.0.30.0/24
add action=accept chain=forward comment=LAN in-interface=bridge1 out-interface=ether1 src-address=192.168.100.0/24
add action=accept chain=forward comment=VPN in-interface-list=VPN
add action=drop chain=forward log=yes
add action=accept chain=input comment=VPN dst-port=500,1701,4500 protocol=udp
add action=accept chain=input connection-state=established,related
add action=accept chain=input icmp-options=8:0 protocol=icmp
add action=accept chain=input icmp-options=3:4 protocol=icmp
add action=accept chain=input connection-state=new dst-address=192.168.100.1 dst-port=53 in-interface=bridge1 protocol=udp src-address=192.168.100.0/24
add action=add-src-to-address-list address-list=BlackList address-list-timeout=10h chain=input comment="Rule #1 \"Block TCP port scanning\": add a device scanning an unused port to BlackList." connection-state=new dst-port=\
    20-25,80,110,161,443,445,3128,3306,3333,3389,7547,8291,8080-8082 protocol=tcp
add action=accept chain=input connection-state=new disabled=yes dst-address=192.168.100.1 dst-port=8291 in-interface=bridge1 protocol=tcp src-address=192.168.100.0/24
add action=accept chain=input connection-state=new dst-address=192.168.100.1 dst-port=9281 in-interface=bridge1 protocol=tcp src-address=192.168.100.0/24
add action=accept chain=input comment=VPN dst-port=9281 in-interface-list=VPN protocol=tcp src-address=192.168.100.0/24
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=10.0.30.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.100.0/24

/ip firewall raw
add action=drop chain=prerouting comment="Rule #10 \"BlackList\": reject the connection with a device from the Blacklist." log=yes src-address=!192.168.100.12 src-address-list=BlackList
/ip pool
add name=pool_lan ranges=192.168.100.55-192.168.100.254
add name=pool_vpn ranges=192.168.110.2-192.168.110.50
/ppp profile
add change-tcp-mss=yes dns-server=192.168.100.1,8.8.8.8 interface-list=VPN local-address=192.168.110.1 name=vpn remote-address=pool_vpn use-encryption=yes
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Access to L2TP Client from LAN

Wed May 11, 2022 2:51 am

Check your chain=forward rules, you allow vlan30->ether1, bridge1->ether1, VPN->anywhere and that's it. So you need another one for some_source->VPN.
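As an added example (not part of the thread, and not a rule the original poster or Sob wrote), here is what the missing LAN->VPN forward rule could look like. The interface names, interface list and address ranges are taken from the posted configuration; the comment text, the dst-address restriction and the placement command are assumptions.

```routeros
# Added example: allow LAN hosts (bridge1, 192.168.100.0/24) to open new
# connections to L2TP clients, whose dynamic interfaces are in interface
# list "VPN" via the ppp profile and get addresses from 192.168.110.2-50.
# Return traffic is already covered by the established,related rule.
#
# "add" appends to the end of the forward chain, i.e. after the final
# "action=drop chain=forward log=yes" rule, where it would never match,
# so place it before that drop rule.
/ip firewall filter
add action=accept chain=forward comment="LAN to VPN clients" \
    in-interface=bridge1 out-interface-list=VPN \
    src-address=192.168.100.0/24 dst-address=192.168.110.0/24 \
    place-before=[find chain=forward action=drop]
```

Before adding the rule, the existing drop rule has log=yes, so the dropped LAN->VPN packets should already be visible in /log print with in-interface bridge1 and the L2TP client's interface as out-interface; after the rule is in place and ordered above the drop, those log entries stop and /ip firewall filter print stats shows the new rule's counters increasing.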
