gkounis
just joined
Topic Author
Posts: 6
Joined: Mon May 28, 2018 8:44 pm
Location: Chalkida Greece

L2TP over IPSEC with ping but no access to equipment (works only on LTE WAN but not on ISP WAN)

Fri May 17, 2019 8:42 pm

Hello Forum
I have a scenario with L2TP over IPSEC. I have my office at 192.168.200.0/24 and I wish to be connected to 192.168.10.0/23, which is a remote site where I have set up several MikroTik APs and a MikroTik router which acts as DHCP server and drives the rest of the APs.
My L2TP is 172.22.23.1 locally to 172.22.23.3 remotely and is established normally. I can also ping the remote devices.
Both my router and the remote router are behind ISP routers that provide the WAN, as they cannot be removed completely while they provide VoIP telephony.
I tested the scenario in my office before applying it in the field, with my office router and a hAP lite connected to a WAN from my mobile phone's LTE through the USB port.
The problem is that in the test with the WAN from LTE, ping and access to devices behind the router are successful (I was able to browse my laptop's shared folder while connected to the hAP lite), but when I apply it in the field, with the remote router behind the ISP router, I ONLY have ping to the main router and all APs behind it and cannot access them through WebFig or WinBox.
Any ideas, or any info you might need?
Shit happens
 
sindy
Forum Guru
Posts: 3452
Joined: Mon Dec 04, 2017 9:19 pm

Re: L2TP over IPSEC with ping but no access to equipment (works only on LTE WAN but not on ISP WAN)

Sat May 18, 2019 10:35 pm

Post the configuration of both the server and the client Mikrotiks following the hint in my automatic signature. The fact that the behaviour depends on which WAN you use is suspicious.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
gkounis

Re: L2TP over IPSEC with ping but no access to equipment (works only on LTE WAN but not on ISP WAN)

Tue May 28, 2019 11:50 pm

Thanks for your answer. It was the NATing of my local and remote local addresses, as well as the fact that I had not used the proper routing on my client router, as I wanted to avoid the clients on the client router to not have access to computers and devices behind my server router.
Nevertheless now I cannot make my server router to block specific IP addresses in my server router so my clients do not have any access to them.
I am attaching my firewall export for your help. I suppose it has to do with the NATing again.

# may/28/2019 23:48:13 by RouterOS 6.44.3
# software id = XUGM-0HS9
#
# model = 960PGS
# serial number = A51509797D94
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=yes list=\
bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=\
bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.168.200.0/24 list=support
add address=0.0.0.0/8 comment=RFC6890 list=NotPublic
add address=10.0.0.0/8 comment=RFC6890 list=NotPublic
add address=100.64.0.0/10 comment=RFC6890 list=NotPublic
add address=127.0.0.0/8 comment=RFC6890 list=NotPublic
add address=169.254.0.0/16 comment=RFC6890 list=NotPublic
add address=172.16.0.0/12 comment=RFC6890 list=NotPublic
add address=192.0.0.0/24 comment=RFC6890 list=NotPublic
add address=192.0.2.0/24 comment=RFC6890 list=NotPublic
add address=192.168.0.0/16 comment=RFC6890 list=NotPublic
add address=192.88.99.0/24 comment=RFC3068 list=NotPublic
add address=198.18.0.0/15 comment=RFC6890 list=NotPublic
add address=198.51.100.0/24 comment=RFC6890 list=NotPublic
add address=203.0.113.0/24 comment=RFC6890 list=NotPublic
add address=224.0.0.0/4 comment=RFC4601 list=NotPublic
add address=240.0.0.0/4 comment=RFC6890 list=NotPublic
add address=192.168.200.246 list=disable
/ip firewall filter
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" \
protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=accept chain=input comment="VPN L2TP/IPSEC RULES" dst-port=1701 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=forward dst-port=8291 protocol=tcp
add action=accept chain=input comment="VPN IPSEC RULES" protocol=ipsec-ah
add action=accept chain=input protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN - drops all packets to the main router from the VPNs" \
in-interface-list=!LAN
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=bogons
add action=accept chain=input comment="Accept established and related packets" connection-state=established,related
add action=drop chain=input comment="Drop invalid packets" connection-state=invalid
add action=drop chain=input comment="Drop all packets which are not destined to routes IP address" dst-address-type=!local
add action=drop chain=input comment="Drop all packets which does not have unicast source IP address" src-address-type=!unicast
add action=accept chain=input comment="Accept all connections from local network" in-interface=GNEMS
add action=drop chain=input comment="Drop all packets from public internet which should not exist in public network" in-interface=\
ether1 src-address-list=NotPublic
add action=accept chain=forward comment="Accept established and related packets" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=accept chain=forward comment="Accept established and related packets" connection-state=established,related
add action=drop chain=forward comment="Drop invalid packets" connection-state=invalid
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop all packets from public internet which should not exist in public network" in-interface=\
ether1 src-address-list=NotPublic
add action=drop chain=forward comment="Drop all packets in local network which does not have local network address" disabled=yes \
in-interface=GNEMS src-address=!192.168.200.0/24
add action=accept chain=input comment=L2TP_IPSEC port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward comment="Allow LAN" connection-state=new in-interface-list=LAN
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
add action=drop chain=forward comment="Drop all packets from local network to internet which should not exist in public network" \
dst-address-list=NotPublic in-interface=GNEMS
add action=accept chain=forward connection-nat-state=dstnat connection-state=established,related in-interface=ether1
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.10.0/24 src-address=192.168.200.0/24
add action=accept chain=srcnat dst-address=192.168.2.0/24 src-address=192.168.200.0/24
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1 out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Port forwardings" dst-port=8008 in-interface=ether1 protocol=tcp to-addresses=192.168.10.246 \
to-ports=0-65535
add action=dst-nat chain=dstnat comment="Port forwardings" dst-port=8000 in-interface=ether1 protocol=tcp to-addresses=192.168.200.228 \
to-ports=8000
add action=dst-nat chain=dstnat comment="Port forwardings" dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.200.228 \
to-ports=80
add action=dst-nat chain=dstnat dst-port=554 in-interface=ether1 protocol=tcp to-addresses=192.168.200.228 to-ports=0-65535
 
sindy

Re: L2TP over IPSEC with ping but no access to equipment (works only on LTE WAN but not on ISP WAN)

Wed May 29, 2019 12:20 am

Thanks for your answer. It was the NATing of my local and remote local addresses, as well as the fact that I had not used the proper routing on my client router, as I wanted to avoid the clients on the client router to not have access to computers and devices behind my server router.
Nevertheless now I cannot make my server router to block specific IP addresses in my server router so my clients do not have any access to them.
I am attaching my firewall export for your help. I suppose it has to do with the NATing again.
Please re-read what you wrote as if you were somebody else and were reading it for the first time.

Does "to avoid the clients on the client router to not have access to computers and devices" mean that you want the clients to have the access or that you want them not to have it?

Does "make my server router to block specific IP addresses in my server router" actually mean "make my server router to block specific IP addresses in my server router's LAN subnets"?
 
gkounis

Re: L2TP over IPSEC with ping but no access to equipment (works only on LTE WAN but not on ISP WAN)

Wed May 29, 2019 1:07 pm

Thank you very much indeed for reading my answer and answering this way. Please excuse my English...

Please re-read what you wrote as if you were somebody else and were reading it for the first time.

Does "to avoid the clients on the client router to not have access to computers and devices" mean that you want the clients to have the access or that you want them not to have it?
The two routers obviously have different subnets, 200.x and 10.x. It is very difficult for someone in the 10.x network to know that there is a VPN tunnel and to find out that my server's subnet is 200.x. So the correct requirement is to set up my server router in a way that will not enable anyone on the client router (it has several access points behind it in bridge mode) to accidentally access my systems behind my server router.

Does "make my server router to block specific IP addresses in my server router" actually mean "make my server router to block specific IP addresses in my server router's LAN subnets"?
Yes exactly as I explained before.

Thank you very much indeed
 
gkounis

Re: L2TP over IPSEC with ping but no access to equipment (works only on LTE WAN but not on ISP WAN)

Wed May 29, 2019 1:48 pm

Hello to anyone else who might look at this post.
It seems that forward drop rules are not working at all....
 
gkounis

Re: L2TP over IPSEC with ping but no access to equipment (works only on LTE WAN but not on ISP WAN)

Wed May 29, 2019 2:18 pm

Hello all
It seems that the rule
add chain=forward action=drop dst=192.168.200.247 scr=192.168.200.247
does not stop ping from 247 to 248.
And this is happening even if I disable all other rules in the firewall and also enable the bridge firewall.
It seems there is a problem with failing forward rules in MikroTik routers.
 
sindy

Re: L2TP over IPSEC with ping but no access to equipment (works only on LTE WAN but not on ISP WAN)

Wed May 29, 2019 2:34 pm

Hello all
It seems that the rule
add chain=forward action=drop dst=192.168.200.247 scr=192.168.200.247
does not stop ping from 247 to 248.
And this is happening even if I disable all other rules in the firewall and also enable the bridge firewall.
It seems there is a problem with failing forward rules in MikroTik routers.
First, there is no rule referring to 192.168.200.247 or ..248 as src or dst in your export above. Plus, in the exact form you wrote it, with src-address and dst-address the same, it wouldn't drop any packets other than those sent from ..247 to ..247.
Second, packets between hosts in the same IP subnet do not go through the IP firewall at all, because hosts in the same subnet can see each other at L2 level, so they don't need to send packets for each other to the gateway.
Third, please read something about the basic principles of how the firewall works here and here.
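A worked server-side configuration for the access-control question raised in this thread (keeping L2TP peers away from chosen hosts in the server router's LAN), added here as an example; it is not taken from the thread or from either poster's router. It assumes a static L2TP server binding named l2tp-remote-site for the remote router's user, the server LAN 192.168.200.0/24 and the remote LAN 192.168.10.0/23 from the thread, the two hosts .247/.248 mentioned above as the ones to protect, and a hypothetical allowed service on 192.168.200.228:8000; all names apart from the subnets are illustrative.

```routeros
# Added example, not from the thread. Assumptions: a static L2TP server binding
# "l2tp-remote-site" exists for the remote router's user, the server LAN is
# 192.168.200.0/24, the remote LAN is 192.168.10.0/23, and 192.168.200.247/.248
# are the hosts the remote site must not reach. The allowed service on .228:8000
# is hypothetical.

/interface l2tp-server
# A static binding gives the tunnel a fixed interface name that filter rules can
# match on; a dynamically created <l2tp-user> interface cannot be referenced
# reliably.
add name=l2tp-remote-site user=remote-site

# Keep the L2TP interface OUT of the "LAN" interface list. The export above has
# "add action=accept chain=forward connection-state=new in-interface-list=LAN";
# with the tunnel in that list, that accept would match VPN traffic before any
# drop rule placed below it.

/ip firewall address-list
add list=vpn-protected address=192.168.200.247 comment="must not be reachable from the VPN"
add list=vpn-protected address=192.168.200.248 comment="must not be reachable from the VPN"

/ip firewall filter
# Rule order decides everything in a RouterOS chain: the drop has to sit above
# every accept that would also match this traffic ("defconf: accept in ipsec
# policy", "Allow LAN", the fasttrack rule). place-before=0 inserts at the top.
add chain=forward action=drop in-interface=l2tp-remote-site \
    dst-address-list=vpn-protected \
    comment="VPN peers -> protected hosts" place-before=0

# Default-deny variant: drop everything from the tunnel into the server LAN
# except an explicit allow. src-address is matched too, so only the remote LAN
# itself is granted the exception.
add chain=forward action=accept in-interface=l2tp-remote-site \
    src-address=192.168.10.0/23 dst-address=192.168.200.228 \
    protocol=tcp dst-port=8000 \
    comment="VPN peers -> allowed service" place-before=1
add chain=forward action=drop in-interface=l2tp-remote-site \
    dst-address=192.168.200.0/24 \
    comment="VPN peers -> server LAN (default deny)" place-before=2

# Verification: the packet counters must increase while a host behind the
# remote router pings .247. If they stay at zero, the traffic is not being
# routed through this router at all.
/ip firewall filter print stats where comment~"VPN peers"

# Conversations that were already established keep flowing, because the
# "accept established,related" rule precedes the new drops. Flush them once so
# the drops take effect immediately (the regex dots match any character).
/ip firewall connection remove [find src-address~"192.168.10."]

# Caveat for the .247 -> .248 test in the thread: both hosts are in
# 192.168.200.0/24 and exchange frames at L2, so that ping never enters the
# forward chain and no rule here can block it. Only traffic the router actually
# routes (for example from 192.168.10.x across the tunnel) is subject to
# /ip firewall filter.
```

The address list keeps the per-host exceptions separate from the rule logic, so adding a host to protect is one `add list=vpn-protected` line rather than another rule to order; the default-deny pair below it is what actually closes the door, and `print stats` is the quickest way to tell an ordering mistake from traffic that never reached the router.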