Mihawk95
just joined
Topic Author
Posts: 9
Joined: Mon Jan 14, 2019 10:46 am

VPN Passthrough to device behind Mikrotik NAT

Tue Aug 16, 2022 2:28 pm

Hi,

We have a problem at one of our partners. They have a system-admin company doing their IT; they bought a Zyxel firewall and want to connect to it with L2TP, but the Zyxel is behind a MikroTik 960PGS router, and the MikroTik is doing the PPPoE connection and the DHCP for the LAN. The PPPoE connection has a public IP address. If we create firewall accept rules and 1:1 NAT with the ports needed for L2TP with IPsec (1701, 500, 4500, 50, 51, 47, 5500), the connection still isn't working; it looks like the packets are stuck at the MikroTik.

Is this VPN "passthrough" even possible?

Thanks in advance!
Mihawk95
 
anav
Forum Guru
Posts: 19322
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: VPN Passthrough to device behind Mikrotik NAT

Tue Aug 16, 2022 6:12 pm

One should simply have to port forward the incoming VPN port to the zyxel router from the MT. Thus the incoming handshake goes to the zyxel device.
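As an added example (not from anav's post, nor from MikroTik's documentation), this is what that port forward looks like as a RouterOS rule set, together with the forward-chain accept rule that is easy to forget and a few commands to check whether the handshake is actually reaching the Zyxel. The PPPoE interface name pppoe-out1 is an assumption; the Zyxel address 192.168.12.233 is taken from a later post in this thread.

```routeros
# Added example, not part of the original thread. Assumes the PPPoE client
# interface is named pppoe-out1 and the Zyxel sits at 192.168.12.233.
/ip firewall nat
# Match on the WAN interface rather than the public IP: a PPPoE address can
# change, and a dst-address=<old IP> rule then silently stops matching.
add chain=dstnat in-interface=pppoe-out1 protocol=udp dst-port=500,4500,1701 \
    action=dst-nat to-addresses=192.168.12.233 \
    comment="L2TP/IPsec (IKE 500, NAT-T 4500, L2TP 1701) to Zyxel"
# Raw ESP is only needed when the peers do NOT use NAT-T, and it can be
# forwarded to exactly one inside host. With NAT-T (the normal case when a
# client sees a NAT in the path) everything rides on UDP 4500 and this rule
# is never hit.
add chain=dstnat in-interface=pppoe-out1 protocol=ipsec-esp \
    action=dst-nat to-addresses=192.168.12.233 \
    comment="ESP to Zyxel (non-NAT-T peers only)"
add chain=srcnat out-interface=pppoe-out1 action=masquerade

/ip firewall filter
# dst-nat rewrites the destination before the forward chain runs, so a generic
# "drop new from WAN" forward rule still drops the forwarded handshake unless
# an accept for dst-nat'ed connections is placed in front of it.
add chain=forward connection-nat-state=dstnat connection-state=new \
    in-interface=pppoe-out1 action=accept place-before=0 \
    comment="accept port-forwarded connections"

# Checks: rule hit counters, tracked connections, and the packets themselves.
/ip firewall nat print stats
/ip firewall filter print stats
/ip firewall connection print where protocol=udp dst-address~":4500"
/tool sniffer quick interface=pppoe-out1 port=500,4500
```

If the dstnat counters increase but the sniffer shows no replies coming back from 192.168.12.233, the MikroTik is doing its job and the Zyxel is not answering (wrong listener, or it is expecting to be reached on its private address). Two caveats: the MikroTik itself must not be running an L2TP server or IPsec peer on the same WAN address, and since forwarded ESP has no port to distinguish sessions, only one inside device can be the target of that rule.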
 
Mihawk95

Re: VPN Passthrough to device behind Mikrotik NAT

Thu Aug 18, 2022 9:31 am

One should simply have to port forward the incoming VPN port to the zyxel router from the MT. Thus the incoming handshake goes to the zyxel device.
Hi,

Ok, I know that a port forward should work; maybe I am only applying bad rules, so I am copying the rules I created. Please have a look at them.

The following rules were created and are not working (192.168.12.233 is the Zyxel):
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=45.130.250.250 dst-port=1701 protocol=tcp to-addresses=192.168.12.233 to-ports=1701
add action=dst-nat chain=dstnat dst-address=45.130.250.250 dst-port=1701 protocol=udp to-addresses=192.168.12.233 to-ports=1701
add action=dst-nat chain=dstnat dst-address=45.130.250.250 dst-port=500 protocol=udp to-addresses=192.168.12.233 to-ports=500
add action=dst-nat chain=dstnat dst-address=45.130.250.250 dst-port=4500 protocol=udp to-addresses=192.168.12.233 to-ports=4500
add action=dst-nat chain=dstnat dst-address=45.130.250.250 dst-port=5500 protocol=udp to-addresses=192.168.12.233 to-ports=5500
add action=dst-nat chain=dstnat dst-address=45.130.250.250 protocol=ipsec-esp to-addresses=192.168.12.233
add action=dst-nat chain=dstnat dst-address=45.130.250.250 protocol=ipsec-ah to-addresses=192.168.12.233
add action=dst-nat chain=dstnat dst-address=45.130.250.250 protocol=gre to-addresses=192.168.12.233
add action=dst-nat chain=dstnat dst-address=45.130.250.250 protocol=l2tp to-addresses=192.168.12.233
add action=masquerade chain=srcnat out-interface=Internet src-address=192.168.12.0/24
add action=masquerade chain=srcnat src-address=192.168.30.10

Mihawk95
Last edited by Mihawk95 on Thu Aug 18, 2022 3:09 pm, edited 1 time in total.
 
anav

Re: VPN Passthrough to device behind Mikrotik NAT

Thu Aug 18, 2022 2:00 pm

The complete MT config would be required to ascertain the issues.
I'm assuming your actual public WAN IP information is not what you are using; if it is, go back and edit your post and put in fake numbers for the WAN IP or gateway WAN IP info.
 
Mihawk95

Re: VPN Passthrough to device behind Mikrotik NAT

Thu Aug 18, 2022 3:23 pm

The complete MT config would be required to ascertain the issues..........
I attached the full config; I hope you can open it, and maybe you will find something. I'm clueless. The firewall filter accept rules were just attempts, in case the problem lay there.

Thanks in advance!
 
anav

Re: VPN Passthrough to device behind Mikrotik NAT

Thu Aug 18, 2022 4:01 pm

Don't understand your config at all.

Why three bridges?
What is the PPPoE client doing on vlan1001? Is that a VLAN provided by the ISP?

Need to provide a network diagram.
 
Mihawk95

Re: VPN Passthrough to device behind Mikrotik NAT

Thu Aug 18, 2022 4:25 pm

Don't understand your config at all.

Why three bridges?
What is the PPPoE client doing on vlan1001? Is that a VLAN provided by the ISP?

Need to provide a network diagram.
The router config can be a little bit confusing, that's true, and it is hard to explain the function of every VLAN and port.

VLAN1001 is from the ISP and has the PPPoE server in it.
VLAN5 is a management VLAN from the ISP.
VLAN3901 doesn't need to be mentioned right now; it does not have any function that could cause problems. It could even be disabled.

ETH3 is connected via a 5 GHz link to the customer LAN (ETH3 is in a bridge; it shouldn't be there now because it's alone in that bridge, but I don't think that is a problem). On this "bridge_pelpuszta" is the DHCP server that gives out addresses to the LAN devices.

So VLAN1001 (PPPoE service VLAN) -> PPPoE client -> DHCP server on "bridge_pelpuszta" -> LAN devices.

Hope this helps.
