aitw

50% packets lost when accessing Local network from VPN

Fri Apr 29, 2022 1:51 pm

Hello!
I have set up a VPN server on my MikroTik.
The local network and the VPN network use the same subnet, 192.168.101.0/24.
I want VPN clients to have access to the local network.

From a VPN client I can ping the MikroTik - OK.
But when I ping any device in the local network from a VPN client, 50%-100% of the packets are lost.

Please help me.
Why are the packets lost? Thank you in advance.

Config:
# apr/29/2022 13:39:54 by RouterOS 6.49.6
# software id = AH0R-01NU
#
# model = RB952Ui-5ac2nD
# serial number = F0DB0E67D186
/interface l2tp-server
# Static L2TP server binding for PPP user "xxx": the tunnel gets a fixed
# interface name instead of a dynamic one. Note that this interface is not a
# member of the LAN or WAN interface lists defined further down.
add name=l2tp-xxx user=xxx
/interface bridge
# Main LAN bridge. arp=proxy-arp makes the router answer ARP on the bridge for
# addresses it routes elsewhere; it is needed here because VPN clients receive
# addresses from the same 192.168.101.0/24 as the LAN (see /ip pool).
add admin-mac=2C:C8:1B:8D:9B:8C arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface wireless
# Dual-band AP. Neither radio sets security-profile=, so both use the
# "default" profile from /interface wireless security-profiles.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country=russia disabled=no distance=indoors frequency=auto installation=\
    indoor mode=ap-bridge ssid=xxx wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country=russia disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=xxx wireless-protocol=\
    802.11
/interface vlan
# VLAN 1000 on ether2. This interface both carries an IP address
# (192.168.101.1/24 in /ip address) and is itself a bridge port
# (/interface bridge port), so the LAN subnet is attached to two interfaces.
# proxy-arp here mirrors the bridge setting.
add arp=proxy-arp interface=ether2 name=vlan1 vlan-id=1000
/interface list
# Interface lists referenced by the firewall (in-interface-list=WAN) and by
# neighbor discovery / MAC server (LAN).
add comment=defconf name=WAN
add comment=defconf name=LAN
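/interface wireless security-profiles
# Default profile used by both radios. The original allowed wpa-psk alongside
# wpa2-psk; WPA (TKIP-era) is deprecated and lets a client downgrade the
# association, so only wpa2-psk is offered now and the separate WPA key was
# dropped as unused. Cipher settings are not in the export and stay at their
# defaults. Caveat: any legacy client that can only do WPA1 will no longer
# associate -- check the client inventory before applying.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa2-pre-shared-key=xxx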
/ip ipsec profile
# IKE (phase 1) settings; presumably used by the peer the L2TP server creates
# for use-ipsec -- confirm. DH groups are offered in the listed order.
# modp1024 is a 1024-bit group and is weak; it is likely kept only for clients
# that cannot negotiate modp2048 or the ecp groups. Remove it once every
# client is confirmed to pick one of the stronger groups.
# hash-algorithm is not in the export, so it is at its default.
set [ find default=yes ] dh-group=ecp256,ecp384,modp2048,modp1024 \
    enc-algorithm=aes-256
/ip ipsec proposal
# ESP (phase 2) settings: AES-256 (CBC or CTR) with HMAC-SHA256 preferred and
# HMAC-SHA1 as fallback. pfs-group is not in the export and stays at its
# default.
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
    aes-256-cbc,aes-256-ctr
/ip pool
# Both pools are carved out of the LAN subnet 192.168.101.0/24: .30-.254 for
# DHCP clients on the bridge, .10-.29 for VPN clients. The ranges do not
# overlap each other or the router's own .1/.3 addresses. VPN clients in the
# LAN subnet only work because the bridge has arp=proxy-arp.
add name=dhcp ranges=192.168.101.30-192.168.101.254
add name=vpn ranges=192.168.101.10-192.168.101.29
/ip dhcp-server
# DHCP for LAN hosts on the bridge, handing out addresses from the "dhcp" pool.
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
# Profile used by the L2TP server ("xxx vpn"). use-encryption=no disables
# MPPE, so IPsec is the only confidentiality layer for these tunnels -- make
# sure the server cannot accept L2TP without IPsec. local-address is .3
# (the bridge address) here but .1 in the default profile below, so the two
# profiles present different router addresses to clients.
# bridge=bridge only takes effect if the client negotiates BCP; most L2TP
# clients do not, so this is presumably inert -- confirm.
# change-tcp-mss=no disables MSS clamping for tunnelled TCP; re-enable if TCP
# sessions over the VPN stall.
add bridge=bridge change-tcp-mss=no local-address=192.168.101.3 name=\
    "xxx vpn" remote-address=vpn use-compression=no use-encryption=no \
    use-mpls=no
# Built-in default profile: shares the "vpn" pool but requires MPPE.
set *FFFFFFFE local-address=192.168.101.1 remote-address=vpn use-encryption=\
    required
/interface bridge port
# Bridge membership. hw= is not in the export, so hardware offload is at its
# default on every port; the thread's resolution was to switch hardware
# offload off (hw=no) -- which port(s) is not stated.
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
# vlan1 (VLAN 1000 on ether2) is bridged into the LAN while also carrying its
# own IP address in the same subnet as the bridge -- an unusual combination.
add bridge=bridge interface=vlan1
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) only on LAN-list interfaces, not on WAN.
set discover-interface-list=LAN
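/interface l2tp-server server
# L2TP/IPsec server for remote clients. use-ipsec was "yes" (IPsec allowed but
# optional); it is now "required" so a client that sends plain L2TP on
# UDP/1701 is rejected instead of getting a cleartext tunnel -- the "xxx vpn"
# profile has use-encryption=no, so IPsec is the only encryption layer.
# ipsec-secret is a single pre-shared key shared by every client; rotate it if
# a client device is lost. MS-CHAPv2 remains the PPP authentication method;
# that is acceptable only because the exchange is carried inside IPsec.
set authentication=mschap2 default-profile="xxx vpn" enabled=yes \
    ipsec-secret=xxx use-ipsec=required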
/interface list member
# Only the bridge is LAN and only ether1 is WAN. PPP/L2TP interfaces are in
# neither list, so the firewall's "drop all not coming from LAN" rule
# (which matches in-interface-list=WAN) does not apply to VPN clients.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
# enabled= is not in the export, so the PPTP server stays disabled. Keep it
# that way: PPTP with MS-CHAPv2 provides no real confidentiality. The input
# firewall rule that accepts TCP/1723 from ether1 is therefore unused.
set authentication=mschap2
/ip address
# 192.168.101.0/24 is attached twice: .1 on vlan1 and .3 on the bridge, and
# vlan1 is itself a bridge port. The router therefore has two connected routes
# for the LAN subnet on two interfaces; this is a plausible contributor to the
# intermittent loss reported in the thread -- verify by keeping a single
# address on the bridge. DHCP hands out .1 as gateway/DNS, i.e. the vlan1
# address, not the bridge one.
add address=192.168.101.1/24 comment=defconf interface=vlan1 network=\
    192.168.101.0
# Static WAN address on ether1 (redacted); ether1 also runs a DHCP client
# (/ip dhcp-client), so the WAN address is configured both ways.
add address=91.143.xxx.xxx/22 interface=ether1 network=91.143.xxx.0
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0
add address=192.168.101.3/24 interface=bridge network=192.168.101.0
/ip dhcp-client
# DHCP client on the WAN port, in addition to the static 91.143.xxx.xxx/22
# address set on ether1. add-default-route is not in the export and stays at
# its default, so this may install a default route alongside the static one.
add comment=defconf interface=ether1
/ip dhcp-server network
# LAN clients are told to use 192.168.101.1 (the vlan1 address) for gateway,
# DNS and NTP; the bridge itself holds .3.
add address=192.168.101.0/24 comment=defconf dns-server=192.168.101.1 \
    gateway=192.168.101.1 netmask=24 ntp-server=192.168.101.1
/ip dns
# allow-remote-requests=yes turns the router into a DNS forwarder for LAN and
# VPN clients. It is not an open resolver only because the input chain drops
# new connections arriving on WAN-list interfaces; keep that rule if this stays
# enabled. Upstream resolvers are plain (unencrypted) DNS.
set allow-remote-requests=yes servers=\
    8.8.8.8,4.2.2.2
/ip dns static
# Local name for the router, pointing at the vlan1 address.
add address=192.168.101.1 comment=defconf name=router.lan
/ip firewall address-list
# Subnets that must not be masqueraded when leaving via WAN (see /ip firewall
# nat, dst-address-list="!Local Nets").
add address=192.168.101.0/24 list="Local Nets"
add address=192.168.100.0/24 list="Local Nets"
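/ip firewall filter
# INPUT chain (traffic to the router itself), evaluated top to bottom.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# NTP is served to hosts on the bridge; VPN clients reach it as well because
# the final drop below only applies to WAN-list interfaces.
add action=accept chain=input comment="NTP Server" dst-port=123 in-interface=\
    bridge protocol=udp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# The previous TCP/1723 (PPTP) accept from ether1 was removed: the PPTP server
# is not enabled in this export, and PPTP/MS-CHAPv2 should not be exposed if
# it ever is.
# IKE (UDP/500) and NAT-T (UDP/4500) must arrive in the clear. L2TP (UDP/1701)
# is accepted only after IPsec decapsulation (ipsec-policy=in,ipsec), so a
# client that skips IPsec is dropped instead of building a cleartext tunnel.
add action=accept chain=input comment=IPSec in-interface=ether1 protocol=\
    ipsec-esp
add action=accept chain=input comment="IPSec IKE/NAT-T" dst-port=500,4500 \
    in-interface=ether1 protocol=udp
add action=accept chain=input comment="L2TP only inside IPsec" dst-port=1701 \
    ipsec-policy=in,ipsec protocol=udp
# Everything else arriving on a WAN-list interface is dropped. PPP/L2TP
# interfaces are in neither list, so VPN clients can still reach the router.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=WAN
# FORWARD chain. The IPsec-policy accepts precede fasttrack so tunnelled
# traffic is not handed to the fast path.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# New connections from WAN are admitted only if a dst-nat rule matched them --
# including rules created dynamically by UPnP, which is enabled in /ip upnp.
# There is no rule restricting VPN clients, so they may reach any LAN host.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN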
/ip firewall nat
# Disabled leftover from the test with a separate VPN subnet
# (192.168.201.0/24); it has no effect while disabled.
add action=masquerade chain=srcnat disabled=yes dst-address=!192.168.201.0/24 \
    src-address=192.168.201.0/24
# Masquerade everything leaving via WAN unless the destination is a local net.
# VPN clients' internet traffic is covered by this rule too.
add action=masquerade chain=srcnat dst-address-list="!Local Nets" \
    out-interface-list=WAN
/ip route
# Static default route via the (redacted) upstream gateway. The DHCP client on
# ether1 may install a second default route at its default distance.
add distance=1 gateway=91.143.xxx.xxx
/ip service
# Unused management services are disabled. Services not listed here (www,
# winbox, ...) keep their defaults and carry no address= restriction, so they
# are reachable from the LAN and from VPN clients; only the input chain's WAN
# drop keeps them off the internet. Consider address= limited to the
# management subnets.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
# UPnP is enabled: any host on the bridge can create dst-nat rules on ether1,
# and the forward chain admits new WAN connections that hit a dst-nat rule.
# Disable unless a LAN application genuinely needs inbound port mappings.
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
# Disabled entry; ether4 is already a bridge port, so it is covered above.
add disabled=yes interface=ether4 type=internal
/ppp l2tp-secret
# Bare entry with no address or secret set -- presumably a leftover with no
# effect; confirm and remove.
add
/ppp secret
# Single VPN account (credentials redacted), limited to the L2TP service and
# bound to the "xxx vpn" profile. Use one secret per person/device so a lost
# device can be revoked individually.
add name=xxx password=xxx profile="xxx vpn" service=l2tp
/system clock
# Local time zone for logs and scheduling.
set time-zone-name=Europe/Moscow
/system logging
# Log L2TP events (without debug verbosity) to the default memory target.
add topics=l2tp,!debug
/system ntp client
# Time sync against two hard-coded public NTP servers; plain, unauthenticated
# NTP.
set enabled=yes primary-ntp=132.163.97.1 secondary-ntp=188.225.9.167
/system ntp server
# Router serves NTP to the LAN (unicast and multicast); the input chain only
# opens UDP/123 on the bridge.
set enabled=yes multicast=yes
/tool mac-server
# MAC-telnet and MAC-WinBox (layer-2 management) restricted to LAN-list
# interfaces, i.e. not reachable via ether1.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by aitw on Fri Apr 29, 2022 9:15 pm, edited 2 times in total.
 
own3r1138

Re: Access to Local network from VPN issue

Fri Apr 29, 2022 2:45 pm

The local network and VPN network have the same network 192.168.101.0/24
Why packets are lost? Thank you in advance.
Your VPN IP pool and your LAN IP pool should not be in the same range.
Change one of them and check again.
/ip pool
add name=dhcp ranges=192.168.101.30-192.168.101.254
add name=vpn ranges=192.168.101.10-192.168.101.29
 
aitw

Re: Access to Local network from VPN issue

Fri Apr 29, 2022 3:26 pm

The local network and VPN network have the same network 192.168.101.0/24
Why packets are lost? Thank you in advance.
Your VPN IPPool and your LAN IPPool should not be in the same range.
change one of them and check again.
/ip pool
add name=dhcp ranges=192.168.101.30-192.168.101.254
add name=vpn ranges=192.168.101.10-192.168.101.29
I changed the VPN IP pool to 192.168.201.0/24, but the problem is still the same.
Packets to LAN devices are lost.
 
aitw

Re: 50% packets lost when accessing Local network from VPN  [SOLVED]

Fri Apr 29, 2022 9:15 pm

The problem was resolved by switching off Hardware Offload (the bridge port hw= setting) on the interface.
