I'm running two sites: my home, which has a Ubiquiti ER-X as router and VPN gateway, plus my external site (ES), which runs a Mikrotik router with RouterOS 7.5. The ES is doing an L2TP connection to my home, which works. I had various issues with data transfers, but solved them with two mangle rules that reduce the MSS. The tunnel has an MTU of 1400 based upon the interface information on the Mikrotik.
The mangle rule is lowering this to 1320 and this seems to work for servers attached to the Mikrotik.
What doesn't work is HTTPS or Winbox access from my home through the tunnel to the Mikrotik itself. I think the mangle rule doesn't apply to "input" traffic to the Mikrotik, only to traffic going through it ("forward" queue).
Any ideas how I could access my Mikrotik interface through the VPN?
I have made various tests, as you can see in the code. SSH access does work until I run a command that utilizes a larger MSS, like /ip/firewall/connection/print, which kills the SSH session.
Here are some prints of the rules:
[admin@MikroTik] > /ip/firewall/filter/print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
3 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
4 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
5 chain=input action=accept src-address-list=allowed_to_router
6 chain=input action=accept protocol=tcp dst-port=443,22,80 log=no log-prefix=""
7 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
8 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
9 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
10 chain=input action=accept protocol=tcp fragment=yes
11 chain=forward action=accept protocol=tcp fragment=yes
12 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection hw-offload=yes connection-state=established,related
13 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
14 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
15 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
16 chain=forward action=accept protocol=tcp src-address=192.168.1.0/24 dst-address=192.168.88.0/24 dst-port=443 log=no
log-prefix=""
17 X chain=forward action=accept src-address=192.168.88.0/24 dst-address=192.168.1.0/24 log=no log-prefix=""
[admin@MikroTik] > /ip/firewall/mangle/print
Flags: X - disabled, I - invalid; D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=prerouting action=passthrough
1 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
2 D ;;; special dummy rule to show fasttrack counters
chain=postrouting action=passthrough
3 chain=forward action=change-mss new-mss=1320 passthrough=yes tcp-flags=syn protocol=tcp in-interface=l2tp-out-ubnt log=no
log-prefix=""
4 chain=forward action=change-mss new-mss=1320 passthrough=yes tcp-flags=syn protocol=tcp out-interface=l2tp-out-ubnt log=no
log-prefix=""
[admin@MikroTik] >
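As an added example (not from the post or from MikroTik), a small Python audit that parses the print output above and reports which mangle chains carry an MSS clamp for the tunnel interface. It makes the hypothesis from the post checkable: the clamps sit only in forward, and sessions that terminate on the router itself pass the input chain (to the router) and output chain (from the router), which forward-chain rules never see. The interface name comes from the post; the sample text is a constructed copy of the mangle print.

```python
import re

# Constructed sample: the "/ip/firewall/mangle/print" output from the post,
# including the wrapped log-prefix lines as the terminal printed them.
MANGLE_PRINT = """\
Flags: X - disabled, I - invalid; D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
     chain=prerouting action=passthrough
 3   chain=forward action=change-mss new-mss=1320 passthrough=yes tcp-flags=syn protocol=tcp in-interface=l2tp-out-ubnt log=no
     log-prefix=""
 4   chain=forward action=change-mss new-mss=1320 passthrough=yes tcp-flags=syn protocol=tcp out-interface=l2tp-out-ubnt log=no
     log-prefix=""
"""

RULE_HEAD = re.compile(r"^(\d+)\s*((?:[XID]\s+)*)(.*)$")  # "17 X chain=..." or "0 D ;;; comment"
KEY_VALUE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')         # key=value, value may be "quoted"


def parse_print(text):
    """Turn RouterOS print output into rule dicts: id, flags, comment and key=value properties."""
    rules = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("Flags:"):
            continue
        head = RULE_HEAD.match(s)
        if head:  # a new numbered rule; flags are single letters before the properties
            rules.append({"id": int(head.group(1)), "flags": head.group(2).split(), "comment": None})
            rest = head.group(3)
        else:     # continuation of the previous rule (terminal line wrap)
            rest = s
        rule = rules[-1]
        if rest.startswith(";;;"):
            rule["comment"] = rest[3:].strip()
        else:
            rule.update((k, v.strip('"')) for k, v in KEY_VALUE.findall(rest))
    return rules


def mss_clamp_chains(rules, interface):
    """Map chain -> set of new-mss values for enabled change-mss rules bound to `interface`."""
    clamps = {}
    for r in rules:
        if "X" in r["flags"] or r.get("action") != "change-mss":
            continue  # disabled rule, or not an MSS clamp
        if interface in (r.get("in-interface"), r.get("out-interface")):
            clamps.setdefault(r["chain"], set()).add(r["new-mss"])
    return clamps


def unclamped_router_chains(rules, interface):
    """Chains carrying the router's own sessions (input/output) that have no clamp for the tunnel."""
    clamped = mss_clamp_chains(rules, interface)
    return [c for c in ("input", "output") if c not in clamped]
```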