Community discussions

Cvan
Member Candidate
Topic Author
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

VPN (L2TP/IPsec) to VLAN

Thu Aug 09, 2018 9:21 am

I have 3 vlans.
v1
v2
v3

I want certain PPP / secret (accounts) to only have access to certain vlans.
At the moment, any VPN user has access to all vlans.

For example:

VPN user1 can ONLY access v1
VPN user2 can ONLY access v2
VPN user3 can access both v1 and v2

Is this possible?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN (L2TP/IPsec) to VLAN

Thu Aug 09, 2018 11:33 am

You can do that at both L3 (IP subnet) level, using src-address(-list) and dst-address(-list) in the /ip firewall rules, and using in-interface(-list) and out-interface(-list) at L2 (LAN/VLAN) level, or use L2 for source and L3 for destination or vice versa.

The source (the L2TP client) can be identified by an IP address or by an interface name. If you create a separate /ip pool for each category of L2TP clients and use the name of that pool as the value of the /ppp secret remote-address (or of /ppp profile remote-address) for the /ppp secrets of clients belonging to this category, they may get dynamically assigned addresses, but you can still refer to the address range matching the one used in that pool using src-address in the rule.

Another possibility is to create a static interface name and link it to a particular /ppp secret. This is a 1:1 mapping so you cannot assign the same static interface name to multiple users as the interfaces are tunnel ones.

So assuming you have users a1, a2 in privilege group A, user b1 in privilege group B and VLANs 10,20,30 accessible via interfaces /interface vlan named vlan-10, vlan-20, vlan-30 where privilege group A can access VLANs 10 and 30 and privilege group B can access VLANs 10 and 20, you could do it e.g. the following way:
/ip pool
add name=pg_A ranges=10.10.10.0-10.10.10.19
add name=pg_B ranges=10.10.10.20-10.10.10.39

/ppp secret
set [find name=a1] remote-address=pg_A
set [find name=a2] remote-address=pg_A
set [find name=b1] remote-address=pg_B

/interface list
add name=pg_A
add name=pg_B

/interface list member
add list=pg_A interface=vlan-10
add list=pg_A interface=vlan-30
add list=pg_B interface=vlan-10
add list=pg_B interface=vlan-20

/ip firewall filter
...
add action=accept chain=forward src-address=10.10.10.0-10.10.10.19 out-interface-list=pg_A
add action=accept chain=forward src-address=10.10.10.20-10.10.10.39 out-interface-list=pg_B
...
These firewall rules have to be placed at the correct position in the chain, and they assume that you have a tight firewall with a "drop everything" rule at the end of the chain, preceded by rules constituting the intended action=accept exceptions from it. If you have a default hAP/hEX firewall which only filters traffic coming from WAN but lets traffic between LANs flow freely, you have to consider whether you want to invert the logic of the rules above (i.e. say "users from pg_A must not get to vlan-20 whereas users from pg_B must not get to vlan-30") or whether to invert the logic of the firewall from default accept to default drop.
 
Cvan
Member Candidate
Topic Author
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Re: VPN (L2TP/IPsec) to VLAN

Fri Aug 10, 2018 4:03 am

Great info, thanks for that
 
Cvan
Member Candidate
Topic Author
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Re: VPN (L2TP/IPsec) to VLAN

Sat Aug 18, 2018 12:31 pm

Should DNS resolution from the VPN client be working with this config? At the moment it is not; I can ping by IP, but that's it.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN (L2TP/IPsec) to VLAN

Sat Aug 18, 2018 12:57 pm

DNS resolution should work if you want it to work :-)

But there are many factors which affect whether it will work or not for the particular client and DNS server.

You can let the L2TP client keep using the DNS servers it uses normally, or you can set the dns-server item in /ppp secret or /ppp profile to make the client use the server(s) stated there while the L2TP connection is up.

Depending on whether the client uses DNS servers in the internet (regardless of how it got their addresses) or DNS servers in your private network, you have to set appropriate firewall rules permitting access to these servers, or to the DNS service port regardless of the destination address.

If the Mikrotik itself acts as a DNS server for the L2TP clients, you need permissive rules at a proper position in /ip firewall filter chain=input:
/ip firewall filter add chain=input action=accept protocol=udp dst-port=53 src-address=10.10.10.0-10.10.10.39
/ip firewall filter add chain=input action=accept protocol=tcp dst-port=53 src-address=10.10.10.0-10.10.10.39

If the L2TP clients use something else than Mikrotik itself as DNS servers, you need a permissive rule at a proper position in /ip firewall filter chain=forward:
/ip firewall filter add chain=forward action=accept protocol=udp dst-port=53 src-address=10.10.10.0-10.10.10.39
/ip firewall filter add chain=forward action=accept protocol=tcp dst-port=53 src-address=10.10.10.0-10.10.10.39
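As an added example (not code from the thread and not MikroTik's own documentation), here is the "router is the resolver" case from sindy's post carried through end to end, including the ordering pitfall: a broad "block DNS" rule in chain=input, often added to avoid running an open resolver, also swallows the VPN clients' queries unless it is scoped to the WAN or the VPN accept sits above it. It assumes the VPN pools live in 10.10.10.0/24 (sindy's ranges) with 10.10.10.1 as the PPP local-address, an interface list named WAN, and client profiles named pg_A and pg_B; all of these names are assumptions.

```routeros
# Added example (not from the thread): DNS for L2TP clients when the router
# itself answers their queries.
# Assumed: VPN pools inside 10.10.10.0/24, PPP local-address 10.10.10.1,
# interface list "WAN", client profiles "pg_A" and "pg_B".

# 1. The router only answers queries from other hosts when this is on.
/ip dns set allow-remote-requests=yes

# 2. Hand the router's tunnel address to the clients as their resolver
#    for the lifetime of the PPP session.
/ppp profile set [find name=pg_A] dns-server=10.10.10.1
/ppp profile set [find name=pg_B] dns-server=10.10.10.1

# 3. Firewall. A rule like
#      add chain=input action=drop protocol=udp dst-port=53
#    drops the VPN clients as well, and so does the default config's
#    "drop all not coming from LAN", because dynamic L2TP interfaces are
#    not members of the LAN list. Accept the VPN subnet explicitly above
#    the first drop in chain=input, and scope the DNS block to the WAN.
/ip firewall address-list
add list=vpn_clients address=10.10.10.0/24 comment="all L2TP pools"

/ip firewall filter
# place-before inserts above the first drop rule of chain=input
# (assumes such a rule exists, as it does in the default firewall).
add chain=input action=accept protocol=udp dst-port=53 \
    src-address-list=vpn_clients comment="DNS from VPN clients" \
    place-before=[:pick [find chain=input action=drop] 0]
add chain=input action=accept protocol=tcp dst-port=53 \
    src-address-list=vpn_clients comment="DNS (TCP) from VPN clients" \
    place-before=[:pick [find chain=input action=drop] 0]
# Refuse to be an open resolver toward the internet only.
add chain=input action=drop protocol=udp dst-port=53 in-interface-list=WAN \
    comment="no DNS from WAN"
add chain=input action=drop protocol=tcp dst-port=53 in-interface-list=WAN \
    comment="no DNS from WAN"

# If the clients should instead query a resolver inside a VLAN
# (192.168.1.53 is a made-up address), the accept belongs in chain=forward
# and must still pass the per-group VLAN rules:
# add chain=forward action=accept protocol=udp dst-port=53 \
#     src-address-list=vpn_clients dst-address=192.168.1.53

# 4. Verify: the packet counters on the new rules should rise while a
#    connected client resolves a name, and the client's address should
#    appear in the pool range.
/ip firewall filter print stats where comment~"VPN clients"
/ppp active print
```

Check the resulting order with `/ip firewall filter print chain=input` after adding: the two accepts must be listed above every drop that could match UDP/TCP 53 from the pool, otherwise the counters on the accepts stay at zero and the client gets timeouts exactly as described in the question.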
 
Cvan
Member Candidate
Topic Author
Posts: 129
Joined: Sat Jun 09, 2018 3:32 am

Re: VPN (L2TP/IPsec) to VLAN

Sat Aug 18, 2018 1:47 pm

Ahh, I see now where my failure is from your post. I totally missed it from my view. I do have DNS blocking rules in my firewall on the input chain. That seems like it would make sense.

However, I have 3 PPP profiles for my VPN clients. One for admins allowing all access, which is on the same subnet as the admin VLAN, and this profile works perfectly for DNS and everything. Then the other 2 PPP profiles are for users in VLAN A and users in VLAN B; neither of these profiles is resolving any DNS, though they both ping fine to the IPs exclusive to each VLAN. The only difference between these 2 PPP profiles and the admin profile (which works flawlessly) is that they are NOT on the same subnet as the VLAN to which they belong.

For example: VLAN A is on 192.168.1.0/24 and the PPP profile for VLAN A is on 192.168.2.0/24.

Thoughts?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN (L2TP/IPsec) to VLAN

Sat Aug 18, 2018 2:21 pm

1. check your firewall rules one more time
2. if 1. fails to reveal the root cause, follow the suggestion in my automatic signature (exporting just the firewall rules is not enough)
 
nickb333
just joined
Posts: 19
Joined: Sat Jul 25, 2015 1:45 pm
Location: UK

Re: VPN (L2TP/IPsec) to VLAN

Tue Jul 23, 2019 8:35 pm

Just following this really helpful thread as I have a similar configuration project for multiple L2TP users, however -
/ppp secret
set [find name=a1] remote-address=pg_A
set [find name=a2] remote-address=pg_A
set [find name=b1] remote-address=pg_B
does not work on mine (version 6.44.5). It appears you can only assign an IP pool in the remote-address in a PPP profile.
/ppp secret set [find name=net1-remote] remote-address=net1-vpn-pool
invalid value for argument remote-address
Gives an error.
/ppp profile add name=testme remote-address=net1-vpn-pool
Works OK.
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: VPN (L2TP/IPsec) to VLAN

Tue Jul 23, 2019 10:57 pm

> Just following this really helpful thread as I have a similar configuration project for multiple L2TP users, however -
> /ppp secret
> set [find name=a1] remote-address=pg_A
> set [find name=a2] remote-address=pg_A
> set [find name=b1] remote-address=pg_B
> does not work on mine (version 6.44.5). It appears you can only assign an IP pool in the remote-address in a PPP profile.
> /ppp secret set [find name=net1-remote] remote-address=net1-vpn-pool
> invalid value for argument remote-address
> Gives an error.
> /ppp profile add name=testme remote-address=net1-vpn-pool
> Works OK.

Have not tested, but you are doing one in "profile" and the other command in "secret", so there is a big difference between the command that works and the one that doesn't.
Try with:
/ppp profile set [find where name="net1-remote"] remote-address=net1-vpn-pool
 
zespri
Frequent Visitor
Posts: 55
Joined: Sat Mar 26, 2016 1:45 pm

Re: VPN (L2TP/IPsec) to VLAN

Wed Jun 24, 2020 11:15 am

I'm trying to solve the same problem as in OP, and I have this question:
/ppp secret set [find name=a1] remote-address=pg_A
This will make sure that this user will always get this IP address. If he logs in from two different boxes he will get the same IP on both, which obviously is a problem. How can this be solved?
The goal here is that the user is able to use the connection even if he forgot to disconnect at a previous location, not to allow simultaneous connections (but that would work for me too).


In addition I noticed that the following from the answer above does not work:
/ip pool
add name=pg_A ranges=10.10.10.0-10.10.10.19
add name=pg_B ranges=10.10.10.20-10.10.10.39

/ppp secret
set [find name=a1] remote-address=pg_A
The last line does not accept a range and requires a single IP address. The above gives an error: "invalid value for argument remote-address"
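Pulling together sindy's design, nickb333's finding that a pool name is accepted by /ppp profile remote-address but not by /ppp secret remote-address, and zespri's question about one user connecting from two devices, the following is an added, complete configuration in RouterOS CLI form. It is not code from the thread or from MikroTik. It assumes VLAN interfaces named vlan-10, vlan-20 and vlan-30 and an interface list named WAN already exist, that 10.10.10.0/24 is unused elsewhere, and that the pool, profile, list and user names and the placeholder passwords are free to choose; all of those are assumptions.

```routeros
# Added example (not from the thread): per-group access from L2TP/IPsec
# clients to selected VLANs. Group A -> VLANs 10 and 30, group B -> VLANs 10 and 20.
# Assumed: vlan-10/vlan-20/vlan-30 and the "WAN" interface list exist,
# 10.10.10.0/24 is free for VPN clients, passwords/secrets are placeholders.

# L2TP only over IPsec; the PSK here is a placeholder.
/interface l2tp-server server set enabled=yes use-ipsec=required ipsec-secret="CHANGE-ME"

# One pool per privilege group; 10.10.10.1 is kept back as the router side.
/ip pool
add name=pool_pg_A ranges=10.10.10.2-10.10.10.19
add name=pool_pg_B ranges=10.10.10.20-10.10.10.39

# The pool name goes on the profile: /ppp secret remote-address accepts a
# single IP address only. only-one=no lets the same user connect from a
# second device while the first session is still up; every session draws
# its own address from the pool, so two sessions never share an address.
/ppp profile
add name=pg_A local-address=10.10.10.1 remote-address=pool_pg_A only-one=no \
    change-tcp-mss=yes
add name=pg_B local-address=10.10.10.1 remote-address=pool_pg_B only-one=no \
    change-tcp-mss=yes

# A user belongs to a group through its profile (placeholder passwords).
/ppp secret
add name=a1 password="CHANGE-ME" service=l2tp profile=pg_A
add name=a2 password="CHANGE-ME" service=l2tp profile=pg_A
add name=b1 password="CHANGE-ME" service=l2tp profile=pg_B

# Destination side: the VLAN interfaces each group may reach.
/interface list
add name=pg_A
add name=pg_B
/interface list member
add list=pg_A interface=vlan-10
add list=pg_A interface=vlan-30
add list=pg_B interface=vlan-10
add list=pg_B interface=vlan-20

# Source side: address lists mirroring the pools, so a pool change is made
# in one place and the rules never repeat literal ranges.
/ip firewall address-list
add list=vpn_pg_A address=10.10.10.2-10.10.10.19
add list=vpn_pg_B address=10.10.10.20-10.10.10.39

# Forward chain. Only traffic sourced from the VPN pools is constrained, so
# this also works on a default hAP/hEX firewall (forward has no final drop
# there and the rules can simply be appended). On a default-drop firewall
# the three rules must sit above the final drop.
/ip firewall filter
# Return traffic VLAN -> client; already present in the default firewall,
# repeating it is harmless.
add chain=forward action=accept connection-state=established,related \
    comment="VPN: return traffic"
add chain=forward action=accept src-address-list=vpn_pg_A out-interface-list=pg_A \
    comment="VPN group A -> VLAN 10,30"
add chain=forward action=accept src-address-list=vpn_pg_B out-interface-list=pg_B \
    comment="VPN group B -> VLAN 10,20"
# Everything else from a VPN client is refused: other VLANs, other VPN
# clients, and the internet via WAN. Add an accept with
# out-interface-list=WAN above this line if clients should browse through
# the tunnel.
add chain=forward action=drop src-address=10.10.10.0/24 \
    comment="VPN clients: drop everything not explicitly allowed"
```

To verify after a client connects, `/ppp active print` shows the address drawn from the group's pool, and `/ip firewall filter print stats where comment~"VPN"` shows which of the three rules the client's packets are hitting; a ping from an A-group client to a host on vlan-20 should increment only the final drop.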
 
attilhacks
just joined
Posts: 11
Joined: Sun May 03, 2020 11:32 pm

Re: VPN (L2TP/IPsec) to VLAN

Mon Nov 07, 2022 9:45 pm

> I have 3 vlans.
> v1
> v2
> v3
>
> I want certain PPP / secret (accounts) to only have access to certain vlans.
> At the moment, any VPN user has access to all vlans.
>
> For example:
>
> VPN user1 can ONLY access v1
> VPN user2 can ONLY access v2
> VPN user3 can access both v1 and v2
>
> Is this possible?

Hello, I have the opposite issue, how can I have a VPN user access all VLANs?

thanks
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: VPN (L2TP/IPsec) to VLAN

Mon Nov 07, 2022 10:15 pm

> Hello, I have the opposite issue, how can I have a VPN user access all VLANs?

It all depends on the firewall and routing setup. Post the export of your configuration to get more useful advice.
