Most VPN solutions require routes. Have you configured one for the VPN clients?
Can you please share your config?
/export hide-sensitive file=anynameyoulike (don't leave any personal info in it)
Hi @elinden,
Thanks a lot for your reply. I am placing here the configuration, as per your request. Any personal info has been replaced with asterisks.
Thanks a lot in advance for your effort and your time. It is much appreciated.
# nov/24/2022 20:18:15 by RouterOS 7.6
# software id = ****-****
#
# model = CCR1016-12S-1S+
# serial number = ***********
/interface bridge
# LAN-Bridge carries the wired LAN ports plus the VLAN sub-interfaces (see
# /interface bridge port). proxy-arp makes the router answer ARP requests on
# behalf of addresses it has routes to; presumably this is meant to make VPN
# clients reachable from LAN hosts without per-host routes -- confirm.
# Note: no vlan-filtering=yes is set on this bridge.
add arp=proxy-arp name=LAN-Bridge
# Second bridge; its ports are named LAN and WAN below and the bridge itself
# is the only member of the WAN interface list.
add name=VPN-Bridge
/interface ethernet
set [ find default-name=sfp1 ] name="sfp1 (WAN)"
set [ find default-name=sfp2 ] disabled=yes name="sfp2 (WAN-LTE)"
set [ find default-name=sfp3 ] name="sfp3 (LAN1)"
set [ find default-name=sfp4 ] name="sfp4 (LAN2)"
set [ find default-name=sfp5 ] name="sfp5 (LAN3)"
set [ find default-name=sfp6 ] name="sfp6 (LAN4)"
set [ find default-name=sfp12 ] name="sfp12 (Management)"
/interface pppoe-client
# The Internet uplink is the PPPoE session running over sfp1. Traffic from
# the ISP enters on the PPPoE interface MK-Netzdienste (the NAT rules use it
# as out-interface), not on "sfp1 (WAN)" itself, so firewall rules matching
# in-interface="sfp1 (WAN)" only see the raw Ethernet side.
# add-default-route=yes installs the default route through this session.
add add-default-route=yes disabled=no interface="sfp1 (WAN)" name=\
MK-Netzdienste user=***********@****.**
/interface vlan
# VLAN 5 (WLAN) and VLAN 4 (guest WLAN) are tagged sub-interfaces of
# LAN-Bridge; vlan1 is the native VLAN on the same bridge.
add interface=LAN-Bridge name="WLAN \"**L\" (VLAN 5)" vlan-id=5
add interface=LAN-Bridge name="WLAN \"**L-Gast\" (VLAN 4)" vlan-id=4
add interface=LAN-Bridge name=vlan1 vlan-id=1
/interface list
# Membership is set under /interface list member: LAN = LAN-Bridge only,
# WAN = VPN-Bridge only. The PPPoE uplink is in neither list.
add name=LAN
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
# Default wireless profile; no wireless interfaces appear in this export.
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add comment="Subnet 192.168.1.0/24" name=dhcp ranges=\
192.168.1.120-192.168.1.239
add comment="Subnet 192.168.3.0/24" name=WLAN-DHCP ranges=\
192.168.3.10-192.168.3.250
add comment="Subnet 192.168.2.0/24" name=WLAN-GUEST-DCHP ranges=\
192.168.2.10-192.168.2.250
# VPN clients are numbered from this pool through the PPP profile "VPN";
# 192.168.5.1 is kept out of the range as the router-side address.
add comment="Subnet 192.168.5.0/24 (VPN)" name=VPN-Pool ranges=\
192.168.5.2-192.168.5.250
/ip dhcp-server
add address-pool=dhcp interface=LAN-Bridge name=192.168.1.120-239
add address-pool=WLAN-DHCP interface="WLAN \"**L\" (VLAN 5)" name=\
192.168.3.0/24
add address-pool=WLAN-GUEST-DCHP interface="WLAN \"**L-Gast\" (VLAN 4)" name=\
192.168.2.0/24
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
# Profile used by the SSTP server (default-profile=VPN) and both PPP secrets.
# Each connected client gets an address from VPN-Pool on its own ppp
# interface with 192.168.5.1 as the router-side peer. NOTE(review): /ip
# address also assigns 192.168.5.1/24 to LAN-Bridge, so the same address
# and subnet exist on two places -- confirm this is intended.
add local-address=192.168.5.1 name=VPN remote-address=VPN-Pool
/routing bgp template
# NOTE(review): the default BGP template is enabled (disabled=no) although
# no BGP connection appears in this export -- confirm it should stay enabled.
set default disabled=no output.network=bgp-networks
/routing ospf instance
# NOTE(review): OSPF instance is enabled while its only area (backbone-v2)
# is disabled, so OSPF should not actually be running; confirm intent.
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=LAN-Bridge interface="sfp3 (LAN1)"
add bridge=LAN-Bridge interface="sfp4 (LAN2)"
add bridge=LAN-Bridge interface="sfp5 (LAN3)"
add bridge=LAN-Bridge interface="sfp6 (LAN4)"
# The VLAN sub-interfaces created on LAN-Bridge are added back as ports of
# the same bridge.
add bridge=LAN-Bridge interface=vlan1
add bridge=LAN-Bridge interface="WLAN \"**L\" (VLAN 5)"
add bridge=LAN-Bridge interface="WLAN \"**L-Gast\" (VLAN 4)"
# NOTE(review): "LAN" and "WAN" are the names of the interface lists defined
# under /interface list, not physical ports; the WAN entry is disabled.
# Confirm which interfaces were meant to be bridged here -- as exported,
# VPN-Bridge has no IP address and is itself a member of the WAN list.
add bridge=VPN-Bridge interface=LAN
add bridge=VPN-Bridge disabled=yes interface=WAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 is disabled globally; no IPv6 firewall is needed while this stays set.
set disable-ipv6=yes max-neighbor-entries=8192
/interface bridge vlan
# NOTE(review): the bridge VLAN table is only enforced when LAN-Bridge has
# vlan-filtering=yes, which the bridge definition above does not show -- so
# guest/WLAN VLAN separation at layer 2 may not be in effect; confirm.
add bridge=LAN-Bridge tagged="WLAN \"**L-Gast\" (VLAN 4)" vlan-ids=4
add bridge=LAN-Bridge tagged="WLAN \"**L\" (VLAN 5)" vlan-ids=5
add bridge=LAN-Bridge vlan-ids=1
/interface list member
# Only LAN-Bridge counts as LAN and only VPN-Bridge counts as WAN for the
# in-interface-list firewall matchers; the PPPoE uplink MK-Netzdienste and
# "sfp2 (WAN-LTE)" are in neither list.
add interface=LAN-Bridge list=LAN
add interface=VPN-Bridge list=WAN
/interface ovpn-server server
# NOTE(review): the OVPN server accepts MD5 as HMAC (auth=sha1,md5). No
# enabled=yes appears on this line, so the server looks switched off; if it
# is ever enabled, drop md5 (auth=sha1) and assign a certificate first.
set auth=sha1,md5
/interface sstp-server server
# SSTP (TCP 443) is the only VPN server enabled in this export. Clients
# authenticate with MS-CHAPv2 against /ppp secret; the server certificate is
# referenced by name and pfs=yes requests forward secrecy. Client-certificate
# verification (verify-client-certificate) is not set, so access rests on the
# PPP passwords alone -- keep them strong and consider narrowing the input
# rule "Access SSTP connections from WAN" to the uplink interface.
set authentication=mschap2 certificate=**L-HQ-FW01 default-profile=VPN \
enabled=yes pfs=yes
/ip address
add address=192.168.178.22/24 comment=WAN-LTE interface="sfp2 (WAN-LTE)" \
network=192.168.178.0
add address=192.168.90.1/24 comment=Management interface="sfp12 (Management)" \
network=192.168.90.0
add address=192.168.1.24/24 comment=LAN interface=LAN-Bridge network=\
192.168.1.0
add address=192.168.3.1/24 interface="WLAN \"**L\" (VLAN 5)" network=\
192.168.3.0
add address=192.168.2.1/24 interface="WLAN \"**L-Gast\" (VLAN 4)" network=\
192.168.2.0
# NOTE(review): this places the whole VPN subnet 192.168.5.0/24 on LAN-Bridge
# as a connected network, while 192.168.5.1 is also the PPP profile's
# local-address for SSTP clients. The connected /24 overlaps the per-client
# routes on the sstp interfaces; together with proxy-arp on LAN-Bridge this
# is presumably an attempt to make VPN clients reachable from the LAN --
# confirm whether this address is actually needed.
add address=192.168.5.1/24 comment=VPN interface=LAN-Bridge network=\
192.168.5.0
/ip cloud
# Publishes the router's current public address under a MikroTik DDNS name,
# refreshed every 5 minutes.
set ddns-enabled=yes ddns-update-interval=5m
/ip dhcp-client
# DHCP clients on the (currently disabled) LTE port and on sfpplus1. The
# add-default-route setting is not shown and so takes the default -- TODO
# confirm neither client installs a second default route next to PPPoE.
add interface="sfp2 (WAN-LTE)"
add interface=sfpplus1
/ip dhcp-server network
# LAN clients use an internal DNS/WINS server (192.168.1.2); both WLAN
# networks are pointed at the router's own VLAN address for DNS. Note that
# the input chain drops new UDP to the router without an explicit DNS accept
# and /ip dns does not show allow-remote-requests, so as exported those
# clients would not get DNS from the router -- verify against real behaviour.
add address=192.168.1.0/24 dns-server=192.168.1.2 domain=*******.local \
gateway=192.168.1.24 wins-server=192.168.1.2
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1
/ip dns
# Upstream resolvers used by the router itself.
set servers=1.1.1.1,8.8.8.8
/ip firewall address-list
# Hosts allowed to reach the management ports on any interface (see the
# input rule "Access Webfig & WinBox on any interface from Authorized IPs").
add address=**.******************.** list=Authorized_IPs
/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
add action=accept chain=input comment="Allow established connections" \
connection-state=established
add action=accept chain=input comment="Allow related connections" \
connection-state=related
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add action=accept chain=input comment="Allow limited pings" limit=\
50/5s,2:packet protocol=icmp
add action=drop chain=input comment="Drop excess pings" protocol=icmp
# Management: WebFig/WinBox on the management and LAN addresses and from the
# Authorized_IPs list. Port 80 is plain HTTP; if only HTTPS/WinBox are
# needed, remove 80 here and disable www under /ip service.
add action=accept chain=input comment=\
"Access WebFig & WinBox Management interface" dst-address=192.168.90.1 \
dst-port=80,443,8291 protocol=tcp
add action=accept chain=input comment=\
"Access WebFig & WinBox LAN interface list" dst-address=192.168.1.24 \
dst-port=80,443,8291 protocol=tcp
add action=accept chain=input comment=\
"Access Webfig & WinBox on any interface from Authorized IPs" dst-port=\
80,443,8291 protocol=tcp src-address-list=Authorized_IPs
# SSTP: accepts TCP 443 to any router address on any interface and logs each
# new connection with prefix SSTP-Input. The management rules above also use
# 443, so if www-ssl is enabled it becomes reachable from any source through
# this rule as well. Consider in-interface=MK-Netzdienste and a connection
# rate limit to slow down password guessing against the PPP secrets.
add action=accept chain=input comment="Access SSTP connections from WAN" \
dst-port=443 log=yes log-prefix=SSTP-Input protocol=tcp
add action=accept chain=input comment="Custom SSH port for secure shell" \
dst-address=192.168.1.24 dst-port=2202 protocol=tcp
add action=accept chain=input comment="Allow local loopback (for CAPsMAN)" \
dst-address=127.0.0.1
# NOTE(review): no /interface wireguard section exists in this export, and
# Internet traffic arrives on the PPPoE interface MK-Netzdienste rather than
# on "sfp1 (WAN)", so this rule currently matches nothing; remove or retarget.
add action=accept chain=input comment="Access Wireguard VPN" dst-port=13233 \
in-interface="sfp1 (WAN)" protocol=udp
# NOTE(review): the WAN interface list contains only VPN-Bridge (see
# /interface list member), so these two DNS drops never see the PPPoE
# uplink; the catch-all TCP/UDP drops below are what actually close port 53.
add action=drop chain=input comment="Block DNS request from WAN" dst-port=53 \
in-interface-list=WAN protocol=udp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=tcp
# Default-deny for the router: every new TCP/UDP flow not accepted above is
# dropped regardless of source (LAN included), then any other protocol from
# outside the LAN list. Only non-TCP/UDP/ICMP traffic reaches the last rule.
add action=drop chain=input comment="Drop any TCP port left OPEN" protocol=\
tcp
add action=drop chain=input comment="Drop any UDP port left OPEN" protocol=\
udp
add action=drop chain=input comment="Drop all not coming from LAN" \
in-interface-list=!LAN
# ---- forward chain: traffic passing through the router ----
# NOTE(review): the forward chain has no final catch-all drop. The only broad
# drops are "Drop all outbound traffic" (src 192.168.1.0/24) and "Drop all
# from WAN not DSTNATed" (WAN list = VPN-Bridge only), so new flows from
# 192.168.2.0/24 (guest WLAN), 192.168.3.0/24 and 192.168.90.0/24 fall
# through to the chain's implicit accept -- including guest WLAN towards the
# LAN and management subnets. Add explicit drops for guest -> 192.168.1.0/24
# and -> 192.168.90.0/24, plus a final drop, if that isolation is intended.
add action=fasttrack-connection chain=forward comment=fasttrack \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="Allow established connections" \
connection-state=established
add action=accept chain=forward comment="Allow related connections" \
connection-state=related
# VPN <-> LAN: both directions are accepted in full before any other check.
add action=accept chain=forward comment="Allow all inbound traffic from VPN su\
bnet (192.168.5.0/24) to LAN-Bridge (192.168.1.0/24)" dst-address=\
192.168.1.0/24 src-address=192.168.5.0/24
add action=accept chain=forward comment="Allow all inbound traffic from LAN-Br\
idge (192.168.1.0/24) to VPN subnet (192.168.5.0/24)" dst-address=\
192.168.5.0/24 src-address=192.168.1.0/24
# The log-prefix says "Input" although this is the forward chain; the prefix
# is only a label, but it makes log searches misleading.
add action=drop chain=forward comment="Drop invalid connections" \
connection-state=invalid log=yes log-prefix=Drop-invalid-Input
# Bogon filtering on both source and destination.
add action=drop chain=forward comment="Block Bogon IP Addresses" src-address=\
0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=accept chain=forward comment="Allow limited pings" limit=\
50/5s,2:packet protocol=icmp
add action=drop chain=forward comment="Drop excess pings" protocol=icmp
# Egress allow-list for 192.168.1.0/24 (web, DNS/NTP, mail, FTP, ...),
# terminated by "Drop all outbound traffic" further down. dst-address=0.0.0.0/0
# is equivalent to not matching on destination at all.
add action=accept chain=forward comment=\
"Allow subnet 192.168.1.0/24 Web Surfing (HTTP & HTTPS)" dst-address=\
0.0.0.0/0 dst-port=80,443 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=\
"Allow subnet 192.168.1.0/24 DNS & NTP (TCP)" dst-address=0.0.0.0/0 \
dst-port=53,123 protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment=\
"Allow subnet 192.168.1.0/24 DNS & NTP (UDP)" dst-address=0.0.0.0/0 \
dst-port=53,123 protocol=udp src-address=192.168.1.0/24
add action=accept chain=forward comment=\
"Allow subnet 192.168.1.0/24 Email communication" dst-address=0.0.0.0/0 \
dst-port=465,587,25,993,995,110,143 protocol=tcp src-address=\
192.168.1.0/24
# SMTP does not use UDP; this rule is harmless but can be removed.
add action=accept chain=forward dst-address=0.0.0.0/0 dst-port=25 protocol=\
udp src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow FTP connections" dst-address=\
0.0.0.0/0 dst-port=20,21,990,6000-6100 protocol=tcp src-address=\
192.168.1.0/24
# 3CX: the first three rules are pinned to the hosted PBX address; the two
# "Allow 3CX Tunnels" rules have neither src- nor dst-address and therefore
# accept TCP 5090/5001 and UDP 5090 in any direction, ahead of the WAN drop
# at the end of the chain. Consider adding src-address or in-interface-list.
add action=accept chain=forward comment=\
"Allow 3CX SBC communicating with our hosted 3CX PBX" dst-address=\
***.***.***.*** dst-port=5090,5001 protocol=tcp
add action=accept chain=forward dst-address=***.***.***.*** dst-port=5090 \
protocol=udp
add action=accept chain=forward comment=\
"Allow 3CX Web Clients communicating with our hosted 3CX PBX" \
dst-address=***.***.***.*** dst-port=9000-10999 protocol=udp
add action=accept chain=forward comment="Allow 3CX Tunnels" dst-port=\
5090,5001 protocol=tcp
add action=accept chain=forward dst-port=5090 protocol=udp
add action=accept chain=forward comment="Allow Speedtest" dst-port=8080 \
protocol=tcp src-address=192.168.1.0/24
add action=accept chain=forward comment="Allow HBCI chip card" dst-port=3000 \
protocol=tcp src-address=192.168.1.0/24
# The WhatsApp, Wi-Fi-calling and Drop-All-Outbound rules carry a log-prefix
# but no log=yes, so nothing is written for them; add log=yes if the prefix
# is meant to be used.
add action=accept chain=forward comment="Allow WhatsApp calls" dst-port=\
5222,5223 log-prefix=WhatApp-Calls protocol=tcp src-address=\
192.168.1.0/24
add action=accept chain=forward dst-port=3478 log-prefix=WhatApp-Calls \
protocol=udp src-address=192.168.1.0/24
# Wi-Fi calling (UDP 500/4500, presumably IKE/NAT-T, plus a wide media port
# range) is accepted from any source, not only 192.168.1.0/24; consider
# adding src-address to narrow it.
add action=accept chain=forward comment="Allow Wi-Fi calling" dst-port=\
500,4500,16384-49327 log-prefix=WiFi-Calling protocol=udp
add action=drop chain=forward comment="Drop all outbound traffic" \
dst-address=0.0.0.0/0 log-prefix=Drop-All-Outbound src-address=\
192.168.1.0/24
# Matches only in-interface-list=WAN, i.e. VPN-Bridge as exported; new
# inbound flows arriving on the PPPoE uplink are not covered by this rule.
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# The srcnat/dstnat accept rules exempt LAN <-> VPN traffic from the NAT
# rules that follow (accept ends chain processing). NOTE(review): the
# VPN -> LAN srcnat exemption is disabled, so client traffic towards
# 192.168.1.0/24 falls through to "masquerade for 192.168.5.0/24" below and
# reaches LAN hosts with the router's own address as source; LAN-side logs
# then cannot tell VPN users apart. Re-enable it if the real client
# addresses should be visible on the LAN.
add action=accept chain=srcnat comment="VPN with Road Warriors" dst-address=\
192.168.5.0/24 src-address=192.168.1.0/24
add action=accept chain=srcnat comment="VPN with Road Warriors" disabled=yes \
dst-address=192.168.1.0/24 src-address=192.168.5.0/24
add action=accept chain=dstnat comment="VPN with Road Warriors" dst-address=\
192.168.5.0/24 src-address=192.168.1.0/24
add action=accept chain=dstnat comment="VPN with Road Warriors" dst-address=\
192.168.1.0/24 src-address=192.168.5.0/24
# Per-subnet masquerade bound to the PPPoE uplink. 192.168.4.0/24 has no
# address, pool or interface anywhere in this export (stale entry).
add action=masquerade chain=srcnat comment="masquerade for 192.168.1.0/24" \
ipsec-policy=out,none out-interface=MK-Netzdienste src-address=\
192.168.1.0/24
add action=masquerade chain=srcnat comment="masquerade for 192.168.2.0/24" \
ipsec-policy=out,none out-interface=MK-Netzdienste src-address=\
192.168.2.0/24
add action=masquerade chain=srcnat comment="masquerade for 192.168.3.0/24" \
ipsec-policy=out,none out-interface=MK-Netzdienste src-address=\
192.168.3.0/24
add action=masquerade chain=srcnat comment="masquerade for 192.168.4.0/24" \
ipsec-policy=out,none out-interface=MK-Netzdienste src-address=\
192.168.4.0/24
# No out-interface: masquerades VPN-client traffic on every egress, including
# towards the LAN and the VLANs (see note above).
add action=masquerade chain=srcnat comment="masquerade for 192.168.5.0/24" \
ipsec-policy=out,none src-address=192.168.5.0/24
# NOTE(review): neither src-address nor out-interface -- every remaining new
# flow through the router is masqueraded, including inter-VLAN and
# guest -> LAN traffic, which hides the real source from the destination
# host. Bind this to out-interface=MK-Netzdienste, or remove it if the
# per-subnet rules above already cover all uplink traffic.
add action=masquerade chain=srcnat comment="masquerade for all networks" \
ipsec-policy=out,none
add action=masquerade chain=srcnat disabled=yes out-interface=\
"sfp2 (WAN-LTE)"
# Maps 192.168.1.0/24 onto itself (1:1 identity netmap) and, because the
# dstnat accept rule for VPN -> LAN above ends the chain first, is never
# reached for that traffic anyway; presumably a leftover from an earlier
# attempt and can be removed.
add action=netmap chain=dstnat dst-address=192.168.1.0/24 src-address=\
192.168.5.0/24 to-addresses=192.168.1.0/24
/ip route
# Backup default route via the LTE gateway (distance 2), currently disabled
# along with "sfp2 (WAN-LTE)".
add comment="WAN (LTE)" disabled=yes distance=2 dst-address=0.0.0.0/0 \
gateway=192.168.178.1 routing-table=main suppress-hw-offload=no
/ip service
# telnet and ftp are off and SSH is moved to 2202. www (80), www-ssl, winbox
# and api are not touched here and keep their defaults; the input chain
# accepts 80/443/8291 on the management addresses, so plain-HTTP WebFig is
# reachable. Consider `set www disabled=yes` and an `address=` restriction
# on the remaining services so the firewall is not the only control.
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2202
/lcd
set backlight-timeout=never default-screen=stats
/lcd interface
set sfpplus1 disabled=yes
set sfp7 disabled=yes
set sfp8 disabled=yes
set sfp9 disabled=yes
set sfp10 disabled=yes
set sfp11 disabled=yes
/ppp secret
# SSTP user accounts (passwords stripped by hide-sensitive). service=sstp
# limits each account to SSTP only; keep that rather than service=any.
add name=a****** profile=VPN service=sstp
add name=t***** profile=VPN service=sstp
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=***-HQ-FW01
/system ntp client
# NTP against the German pool keeps log timestamps and the SSTP certificate
# validity window correct.
set enabled=yes
/system ntp client servers
add address=de.pool.ntp.org