monobas
just joined
Topic Author
Posts: 1
Joined: Sat Aug 20, 2022 11:04 am

Remote printer via l2tp

Sat Aug 20, 2022 11:41 am

Environment:
Mac / PC (192.168.1.10) -> Synology router -> Internet -> Mikrotik (LtAP LTE) -> Printer (192.168.88.20) connected via Ethernet

Goal:
To print from Mac / PC on the outside office printer.

Current config:
Mikrotik as an l2tp client connected to the Synology router - Done
Ping from MT -> Synology OK

I have the current config ...
# aug/20/2022 10:31:38 by RouterOS 6.48.6
# software id = 0VN5-9AFF
#
# model = RB912R-2nD
# serial number = ************
/interface lte
set [ find ] name=lte1
/interface bridge
add admin-mac=************* arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    disabled=no distance=indoors frequency=auto installation=outdoor mode=\
    ap-bridge ssid=MikroTik-A3918C wireless-protocol=802.11
/interface l2tp-client
add allow=mschap2 connect-to=************ disabled=no ipsec-secret=\
    ********** name=l2tp-out1 password=********* use-ipsec=yes user=vpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add add-arp=yes address-pool=default-dhcp always-broadcast=yes disabled=no \
    interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
/ip dhcp-client
add default-route-distance=100 interface=bridge use-peer-ntp=no
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1,9.9.9.9
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=VPNonline \
    passthrough=yes src-address=192.168.88.2-192.168.88.254
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=l2tp-out1
add action=dst-nat chain=dstnat disabled=yes dst-address=31.61.225.149 \
    dst-port=1024 in-interface=l2tp-out1 log=yes protocol=tcp to-addresses=\
    192.168.88.108 to-ports=1024
/ip route
add distance=1 gateway=l2tp-out1 routing-mark=VPNonline
/system clock
set time-zone-name=Europe/Warsaw
/system gps
set port=serial0 set-system-time=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Any help appreciated.
 
AidanAus
Member Candidate
Posts: 177
Joined: Wed May 08, 2019 7:35 am
Location: Australia

Re: Remote printer via l2tp

Wed Sep 07, 2022 10:15 am

Oki-doki, this could be a couple of things. The first thing I'll get you to do, boss, is log into the MikroTik and see if the mangle rule is actually counting up when trying to get to the other side; if this works, I would also make sure that your masquerade is working as well.
One thing to note about your mangle is that it will be inspecting every packet and marking the routing for it. You can reduce the CPU load by making two mangle rules: the first rule will be the one where you filter the traffic down to just what you want, then the action will be mark connection, and make sure passthrough is ticked. Under that rule you would then make a new one, but this time just filter for the connection mark you just made, then have the action as mark routing.

Another thing that is extremely important is packet flow: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow
Take a look over that link and try to come up with an idea of what the mark connection and the mark routing chains need to be, then post your response here so we can confirm if it's right :)

The last thing I would like to mention is probably why this is not working, and it's a guess without knowing what's configured on the Synology, BUT I can see a NAT on your VPN interface :P
This implies that there might not be a route for the 192.168.88.0 network on the Synology side?

If this is the case the behaviour would be:

Pinging from the PC to the printer:
The PC sends its traffic to the Synology, as the destination address is not on its subnet and it's the main router; the Synology then looks up its route table, has no specific route for this address, so it chucks it out the 0.0.0.0/default route, and it will then get dropped by your ISP because no one wants private traffic on the net.

Pinging the PC from the printer:
The printer sends its packet to the MikroTik; the MikroTik looks up the route and it has one this time, going through its VPN interface, but before it does, your masquerade rule for the VPN will translate its source address to the VPN client's IP address, and then it goes on its merry way to the PC.
This gets routed through the VPN to the Synology; the Synology knows where the PC is since it has a connected route installed, and the packet makes it there.
Now, for the way back, we have to remember we changed the src-address to the VPN's, highly important.
So the PC sends its packet to the Synology since it's the gateway, and from there the Synology looks up the route for this traffic; since the traffic got translated to the IP address on the MikroTik side of the sstp tunnel, the Synology knows to put this traffic back over the VPN, where on the other side it will be translated back to the printer's IP and the return packet sent to the printer.

This is a great method if you just need to initiate a connection from one side (in this case the printer's). To fix this you can just remove the NAT for the VPN interface, as it will no longer be needed; then all you need to do is log on to the Synology and add a route for the printer going through the VPN interface :)
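The two-stage mangle, the NAT removal and the verification steps described in the reply above, written out as a RouterOS v6 terminal session. This is an added example, not configuration from either poster. It assumes the office LAN behind the Synology is 192.168.1.0/24 (the PC is 192.168.1.10), the printer is 192.168.88.20, and the names bridge, l2tp-out1 and VPNonline from the posted export; VPNconn is a new, assumed connection-mark name. It also adds two forward-chain rules the reply does not mention, because the default firewall has no final drop for traffic arriving on a non-WAN interface such as the tunnel.

```routeros
# Added example (not from the original posts). Assumes office LAN 192.168.1.0/24,
# printer 192.168.88.20, interfaces bridge / l2tp-out1, routing mark VPNonline
# (all from the posted export); VPNconn is an assumed new connection mark.

# 1. Before changing anything: do the counters of the existing mangle rule and
#    of the tunnel masquerade move while you try to reach the other side?
/ip firewall mangle print stats
/ip firewall nat print stats where out-interface=l2tp-out1

# 2. Two-stage marking. mark-connection is evaluated only on the first packet
#    of a connection; mark-routing then matches the connection mark on every
#    packet. The in-interface=bridge match on the mark-routing rule is what
#    keeps packets arriving FROM the tunnel (PC -> printer) from being sent
#    straight back into it by the VPNonline default route, while the
#    printer's replies (arriving on bridge) do get the routing mark.
/ip firewall mangle
remove [find new-routing-mark=VPNonline]
add chain=prerouting in-interface=bridge dst-address=192.168.1.0/24 \
    connection-state=new action=mark-connection new-connection-mark=VPNconn \
    passthrough=yes comment="LAN -> office LAN: mark connection"
add chain=prerouting in-interface=l2tp-out1 connection-state=new \
    action=mark-connection new-connection-mark=VPNconn passthrough=yes \
    comment="office -> LAN (PC -> printer): mark connection"
add chain=prerouting in-interface=bridge connection-mark=VPNconn \
    action=mark-routing new-routing-mark=VPNonline passthrough=no \
    comment="packets from LAN on marked connections: route via VPN"

# 3. Fasttracked packets bypass mangle, so keep marked connections out of the
#    defconf fasttrack rule; the policy route for the mark already exists.
/ip firewall filter
set [find action=fasttrack-connection] connection-mark=no-mark
/ip route print where routing-mark=VPNonline

# 4. Drop the masquerade on the tunnel. Once the Synology has a route for
#    192.168.88.0/24 via its L2TP interface, the printer is reachable at its
#    real address and connections can be started from the PC.
/ip firewall nat
remove [find out-interface=l2tp-out1 action=masquerade]

# 5. Least privilege on the tunnel: the defconf forward chain only drops new
#    connections from the WAN list, so everything arriving over l2tp-out1 would
#    otherwise be forwarded into the LAN. Allow new connections to the printer
#    only and drop the rest (established/related are accepted earlier).
add chain=forward in-interface=l2tp-out1 dst-address=192.168.88.20 \
    connection-state=new action=accept comment="office -> printer only"
add chain=forward in-interface=l2tp-out1 connection-state=new action=drop \
    comment="drop other new connections arriving over the tunnel"

# 6. Verify while printing from the PC: the connection should carry the mark,
#    and the mark-connection / mark-routing counters should increase.
/ip firewall connection print where connection-mark=VPNconn
/ip firewall mangle print stats
```

The Synology side still needs the static route the reply asks for (192.168.88.0/24, or just 192.168.88.20/32, via the L2TP interface the MikroTik client lands on); without it the PC's packets leave through the Synology's default route. If the only traffic that should ever use the tunnel is traffic to the office LAN, a plain main-table route (`/ip route add dst-address=192.168.1.0/24 gateway=l2tp-out1`) gives the same result with no mangle rules at all; the marked-connection form above is worth it when the selection cannot be expressed as a destination route.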
