mfaridi
just joined
Topic Author
Posts: 15
Joined: Mon Nov 28, 2022 2:56 pm

l2tp VPN, linux host problem

Mon Nov 28, 2022 3:14 pm

In our office we have an RB11AHx4, and someone configured it 6 months ago and created an L2TP VPN for our users; our users use this L2TP VPN to connect to our office. Windows users do not have problems with the connection and can use it,
but users with Linux have problems and cannot use this VPN; for example, they can connect to the VPN but cannot access our servers or clients from outside the office and have problems.
I think some config in our Mikrotik has problems.
I do not have enough information about Mikrotik and I can find problems.
Right now I am the admin of this network and want to find some way to solve this problem.
I have access to this Mikrotik and can give you everything you want to solve this problem.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: l2tp VPN, linux host problem

Tue Nov 29, 2022 8:00 am

To avoid any doubt, make a test using the same user account - first connect a Windows client, then disconnect it and connect a Linux one. If the Windows one works fine and the Linux one doesn't, the issue is not the settings at the Mikrotik side but at the Linux side. My quick guess is that whereas on Windows, by default a default route via the L2TP tunnel is created whenever the tunnel comes up, on Linux, you have to configure routing manually. What exactly you have to do depends on the Linux distribution.
 
mfaridi
just joined
Topic Author
Posts: 15
Joined: Mon Nov 28, 2022 2:56 pm

Re: l2tp VPN, linux host problem

Tue Nov 29, 2022 8:31 am

sindy wrote:
> To avoid any doubt, make a test using the same user account - first connect a Windows client, then disconnect it and connect a Linux one. If the Windows one works fine and the Linux one doesn't, the issue is not the settings at the Mikrotik side but at the Linux side. My quick guess is that whereas on Windows, by default a default route via the L2TP tunnel is created whenever the tunnel comes up, on Linux, you have to configure routing manually. What exactly you have to do depends on the Linux distribution.
I tested my VPN account first on Windows and it was good, and I can use Remote Desktop to connect to the office box; then I rebooted to Fedora Linux and tested the VPN connection. It seems OK, but I cannot connect to the remote office and I cannot connect to the servers by SSH.
I checked this on Ubuntu and Fedora too, but all of them have the same problem.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: l2tp VPN, linux host problem

Tue Nov 29, 2022 8:38 am

mfaridi wrote:
> I tested my VPN account first on Windows and it was good, and I can use Remote Desktop to connect to the office box; then I rebooted to Fedora Linux and tested the VPN connection. It seems OK, but I cannot connect to the remote office and I cannot connect to the servers by SSH.
This confirms my assumption that the issue is in the Linux configuration, not in the Mikrotik configuration.

When the L2TP tunnel is up, what do the following CLI commands show on the Linux box (it is enough to try that on one of the distributions)?
ip link show
ip address show
ip route show
 
mfaridi
just joined
Topic Author
Posts: 15
Joined: Mon Nov 28, 2022 2:56 pm

Re: l2tp VPN, linux host problem

Tue Nov 29, 2022 10:03 pm

sindy wrote:
> mfaridi wrote:
> > I tested my VPN account first on Windows and it was good, and I can use Remote Desktop to connect to the office box; then I rebooted to Fedora Linux and tested the VPN connection. It seems OK, but I cannot connect to the remote office and I cannot connect to the servers by SSH.
> This confirms my assumption that the issue is in the Linux configuration, not in the Mikrotik configuration.
>
> When the L2TP tunnel is up, what do the following CLI commands show on the Linux box (it is enough to try that on one of the distributions)?
> ip link show
> ip address show
> ip route show
Thanks
[mostafa@fedora ~]$ ip route 
default via 192.168.1.1 dev wlp0s20f3 proto dhcp src 192.168.1.63 metric 600 
10.0.3.0/24 dev lxcbr0 proto kernel scope link src 10.0.3.1 linkdown 
10.10.150.1 dev ppp0 proto kernel scope link src 10.10.150.5 
10.10.150.1 dev ppp0 proto kernel scope link src 10.10.150.5 metric 50 
46.209.3.90 via 192.168.1.1 dev wlp0s20f3 proto static metric 50 
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown 
172.18.0.0/16 dev br-69922533691a proto kernel scope link src 172.18.0.1 linkdown 
172.19.0.0/16 dev br-ea424b37c7db proto kernel scope link src 172.19.0.1 linkdown 
172.20.0.0/16 dev br-3df98dc438d8 proto kernel scope link src 172.20.0.1 linkdown 
172.21.0.0/16 dev br-6be2e53b8ef4 proto kernel scope link src 172.21.0.1 linkdown 
172.22.0.0/16 dev br-e3d231a34a84 proto kernel scope link src 172.22.0.1 linkdown 
172.23.0.0/16 dev br-bec0635ab71c proto kernel scope link src 172.23.0.1 linkdown 
172.24.0.0/16 dev br-943f08dfb047 proto kernel scope link src 172.24.0.1 linkdown 
172.25.0.0/16 dev br-8cac6d9983b2 proto kernel scope link src 172.25.0.1 linkdown 
172.26.0.0/16 dev br-de53269774e6 proto kernel scope link src 172.26.0.1 linkdown 
172.27.0.0/16 dev br-19dcb3d6ad15 proto kernel scope link src 172.27.0.1 linkdown 
172.28.0.0/16 dev br-c70c3fd33627 proto kernel scope link src 172.28.0.1 linkdown 
172.29.0.0/16 dev br-7a58c4e8a72f proto kernel scope link src 172.29.0.1 linkdown 
172.30.0.0/16 dev br-6e2411ceb936 proto kernel scope link src 172.30.0.1 linkdown 
172.31.0.0/16 dev br-df92af750e3b proto kernel scope link src 172.31.0.1 linkdown 
192.168.1.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.1.63 metric 600 
192.168.1.1 dev wlp0s20f3 proto static scope link metric 50 
192.168.16.0/20 dev br-abeba6abb53a proto kernel scope link src 192.168.16.1 linkdown 
192.168.32.0/20 dev br-279fae8826e5 proto kernel scope link src 192.168.32.1 linkdown 
192.168.48.0/20 dev br-9e7a3033d946 proto kernel scope link src 192.168.48.1 linkdown 
192.168.64.0/20 dev br-0df3dc151116 proto kernel scope link src 192.168.64.1 linkdown 
192.168.80.0/20 dev br-915ddc20fc78 proto kernel scope link src 192.168.80.1 linkdown 
192.168.96.0/20 dev br-f96b148877b4 proto kernel scope link src 192.168.96.1 linkdown 
192.168.112.0/20 dev br-424703d219e3 proto kernel scope link src 192.168.112.1 linkdown 
192.168.128.0/20 dev br-aa79c81a4f66 proto kernel scope link src 192.168.128.1 linkdown 
192.168.144.0/20 dev br-7731fc6c9484 proto kernel scope link src 192.168.144.1 linkdown 
192.168.160.0/20 dev br-8bc4fc2899bf proto kernel scope link src 192.168.160.1 linkdown 
192.168.176.0/20 dev br-bfa3bd5a16d0 proto kernel scope link src 192.168.176.1 linkdown 
192.168.208.0/20 dev br-f05a8b946129 proto kernel scope link src 192.168.208.1 linkdown 
192.168.224.0/20 dev br-32c830eeac56 proto kernel scope link src 192.168.224.1 linkdown 
192.168.240.0/20 dev br-028b729e4986 proto kernel scope link src 192.168.240.1 linkdown 

and
[mostafa@fedora ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
    link/ether 90:2e:16:c7:00:c9 brd ff:ff:ff:ff:ff:ff
3: wlp0s20f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 10:3d:1c:ed:b1:ba brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.63/24 brd 192.168.1.255 scope global dynamic noprefixroute wlp0s20f3
       valid_lft 85756sec preferred_lft 85756sec
    inet6 fe80::fc54:803b:c753:915c/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever
5: lxcbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 00:16:3e:00:00:00 brd ff:ff:ff:ff:ff:ff
    inet 10.0.3.1/24 brd 10.0.3.255 scope global lxcbr0
       valid_lft forever preferred_lft forever
6: br-028b729e4986: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:05:a7:ac:22 brd ff:ff:ff:ff:ff:ff
    inet 192.168.240.1/20 brd 192.168.255.255 scope global br-028b729e4986
       valid_lft forever preferred_lft forever
7: br-943f08dfb047: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:8f:d0:00:21 brd ff:ff:ff:ff:ff:ff
    inet 172.24.0.1/16 brd 172.24.255.255 scope global br-943f08dfb047
       valid_lft forever preferred_lft forever
    inet6 fe80::42:8fff:fed0:21/64 scope link 
       valid_lft forever preferred_lft forever
8: br-f05a8b946129: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:0a:83:1c:83 brd ff:ff:ff:ff:ff:ff
    inet 192.168.208.1/20 brd 192.168.223.255 scope global br-f05a8b946129
       valid_lft forever preferred_lft forever
9: br-424703d219e3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:82:13:c5:52 brd ff:ff:ff:ff:ff:ff
    inet 192.168.112.1/20 brd 192.168.127.255 scope global br-424703d219e3
       valid_lft forever preferred_lft forever
10: br-6be2e53b8ef4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:08:2d:f8:7c brd ff:ff:ff:ff:ff:ff
    inet 172.21.0.1/16 brd 172.21.255.255 scope global br-6be2e53b8ef4
       valid_lft forever preferred_lft forever
11: br-c70c3fd33627: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:28:bb:07:cb brd ff:ff:ff:ff:ff:ff
    inet 172.28.0.1/16 brd 172.28.255.255 scope global br-c70c3fd33627
       valid_lft forever preferred_lft forever
    inet6 fe80::42:28ff:febb:7cb/64 scope link 
       valid_lft forever preferred_lft forever
12: br-ea424b37c7db: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:1e:99:94:01 brd ff:ff:ff:ff:ff:ff
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-ea424b37c7db
       valid_lft forever preferred_lft forever
13: br-9e7a3033d946: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:80:17:25:b7 brd ff:ff:ff:ff:ff:ff
    inet 192.168.48.1/20 brd 192.168.63.255 scope global br-9e7a3033d946
       valid_lft forever preferred_lft forever
    inet6 fe80::42:80ff:fe17:25b7/64 scope link 
       valid_lft forever preferred_lft forever
14: br-abeba6abb53a: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:10:aa:44:87 brd ff:ff:ff:ff:ff:ff
    inet 192.168.16.1/20 brd 192.168.31.255 scope global br-abeba6abb53a
       valid_lft forever preferred_lft forever
    inet6 fe80::42:10ff:feaa:4487/64 scope link 
       valid_lft forever preferred_lft forever
15: br-bfa3bd5a16d0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:b8:6f:e4:60 brd ff:ff:ff:ff:ff:ff
    inet 192.168.176.1/20 brd 192.168.191.255 scope global br-bfa3bd5a16d0
       valid_lft forever preferred_lft forever
16: br-e3d231a34a84: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:c8:6d:cf:9a brd ff:ff:ff:ff:ff:ff
    inet 172.22.0.1/16 brd 172.22.255.255 scope global br-e3d231a34a84
       valid_lft forever preferred_lft forever
    inet6 fe80::42:c8ff:fe6d:cf9a/64 scope link 
       valid_lft forever preferred_lft forever
17: br-279fae8826e5: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:5a:f2:99:81 brd ff:ff:ff:ff:ff:ff
    inet 192.168.32.1/20 brd 192.168.47.255 scope global br-279fae8826e5
       valid_lft forever preferred_lft forever
18: br-6e2411ceb936: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:a9:be:23:a0 brd ff:ff:ff:ff:ff:ff
    inet 172.30.0.1/16 brd 172.30.255.255 scope global br-6e2411ceb936
       valid_lft forever preferred_lft forever
    inet6 fe80::42:a9ff:febe:23a0/64 scope link 
       valid_lft forever preferred_lft forever
19: br-7a58c4e8a72f: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:20:fe:b4:08 brd ff:ff:ff:ff:ff:ff
    inet 172.29.0.1/16 brd 172.29.255.255 scope global br-7a58c4e8a72f
       valid_lft forever preferred_lft forever
20: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:22:af:ba:bc brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
21: br-bec0635ab71c: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:56:02:4f:db brd ff:ff:ff:ff:ff:ff
    inet 172.23.0.1/16 brd 172.23.255.255 scope global br-bec0635ab71c
       valid_lft forever preferred_lft forever
22: br-915ddc20fc78: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:99:e8:97:3f brd ff:ff:ff:ff:ff:ff
    inet 192.168.80.1/20 brd 192.168.95.255 scope global br-915ddc20fc78
       valid_lft forever preferred_lft forever
23: br-de53269774e6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:33:73:75:0d brd ff:ff:ff:ff:ff:ff
    inet 172.26.0.1/16 brd 172.26.255.255 scope global br-de53269774e6
       valid_lft forever preferred_lft forever
24: br-df92af750e3b: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:93:3e:96:cc brd ff:ff:ff:ff:ff:ff
    inet 172.31.0.1/16 brd 172.31.255.255 scope global br-df92af750e3b
       valid_lft forever preferred_lft forever
    inet6 fe80::42:93ff:fe3e:96cc/64 scope link 
       valid_lft forever preferred_lft forever
25: br-0df3dc151116: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:bf:80:da:16 brd ff:ff:ff:ff:ff:ff
    inet 192.168.64.1/20 brd 192.168.79.255 scope global br-0df3dc151116
       valid_lft forever preferred_lft forever
26: br-69922533691a: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:2b:02:a8:e5 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-69922533691a
       valid_lft forever preferred_lft forever
27: br-7731fc6c9484: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:da:ea:b3:d0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.144.1/20 brd 192.168.159.255 scope global br-7731fc6c9484
       valid_lft forever preferred_lft forever
28: br-8bc4fc2899bf: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:8f:19:94:ad brd ff:ff:ff:ff:ff:ff
    inet 192.168.160.1/20 brd 192.168.175.255 scope global br-8bc4fc2899bf
       valid_lft forever preferred_lft forever
29: br-8cac6d9983b2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:04:ed:dd:b1 brd ff:ff:ff:ff:ff:ff
    inet 172.25.0.1/16 brd 172.25.255.255 scope global br-8cac6d9983b2
       valid_lft forever preferred_lft forever
    inet6 fe80::42:4ff:feed:ddb1/64 scope link 
       valid_lft forever preferred_lft forever
30: br-f96b148877b4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:b8:71:cb:69 brd ff:ff:ff:ff:ff:ff
    inet 192.168.96.1/20 brd 192.168.111.255 scope global br-f96b148877b4
       valid_lft forever preferred_lft forever
31: br-19dcb3d6ad15: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:a2:64:ff:fb brd ff:ff:ff:ff:ff:ff
    inet 172.27.0.1/16 brd 172.27.255.255 scope global br-19dcb3d6ad15
       valid_lft forever preferred_lft forever
32: br-32c830eeac56: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:1c:a2:8c:ce brd ff:ff:ff:ff:ff:ff
    inet 192.168.224.1/20 brd 192.168.239.255 scope global br-32c830eeac56
       valid_lft forever preferred_lft forever
33: br-3df98dc438d8: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:48:a6:4b:18 brd ff:ff:ff:ff:ff:ff
    inet 172.20.0.1/16 brd 172.20.255.255 scope global br-3df98dc438d8
       valid_lft forever preferred_lft forever
34: br-aa79c81a4f66: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:78:4a:28:ee brd ff:ff:ff:ff:ff:ff
    inet 192.168.128.1/20 brd 192.168.143.255 scope global br-aa79c81a4f66
       valid_lft forever preferred_lft forever
79: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
81: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp 
    inet 10.10.150.5 peer 10.10.150.1/32 scope global ppp0
       valid_lft forever preferred_lft forever
    inet6 fe80::8d98:ed1b:a899:6f5 peer fe80::f0:183c/128 scope link 
       valid_lft forever preferred_lft forever

and
[mostafa@fedora ~]$ ip link 
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000
    link/ether 90:2e:16:c7:00:c9 brd ff:ff:ff:ff:ff:ff
3: wlp0s20f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
    link/ether 10:3d:1c:ed:b1:ba brd ff:ff:ff:ff:ff:ff
5: lxcbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
    link/ether 00:16:3e:00:00:00 brd ff:ff:ff:ff:ff:ff
6: br-028b729e4986: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:05:a7:ac:22 brd ff:ff:ff:ff:ff:ff
7: br-943f08dfb047: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:8f:d0:00:21 brd ff:ff:ff:ff:ff:ff
8: br-f05a8b946129: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:0a:83:1c:83 brd ff:ff:ff:ff:ff:ff
9: br-424703d219e3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:82:13:c5:52 brd ff:ff:ff:ff:ff:ff
10: br-6be2e53b8ef4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:08:2d:f8:7c brd ff:ff:ff:ff:ff:ff
11: br-c70c3fd33627: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:28:bb:07:cb brd ff:ff:ff:ff:ff:ff
12: br-ea424b37c7db: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:1e:99:94:01 brd ff:ff:ff:ff:ff:ff
13: br-9e7a3033d946: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:80:17:25:b7 brd ff:ff:ff:ff:ff:ff
14: br-abeba6abb53a: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:10:aa:44:87 brd ff:ff:ff:ff:ff:ff
15: br-bfa3bd5a16d0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:b8:6f:e4:60 brd ff:ff:ff:ff:ff:ff
16: br-e3d231a34a84: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:c8:6d:cf:9a brd ff:ff:ff:ff:ff:ff
17: br-279fae8826e5: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:5a:f2:99:81 brd ff:ff:ff:ff:ff:ff
18: br-6e2411ceb936: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:a9:be:23:a0 brd ff:ff:ff:ff:ff:ff
19: br-7a58c4e8a72f: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:20:fe:b4:08 brd ff:ff:ff:ff:ff:ff
20: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:22:af:ba:bc brd ff:ff:ff:ff:ff:ff
21: br-bec0635ab71c: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:56:02:4f:db brd ff:ff:ff:ff:ff:ff
22: br-915ddc20fc78: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:99:e8:97:3f brd ff:ff:ff:ff:ff:ff
23: br-de53269774e6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:33:73:75:0d brd ff:ff:ff:ff:ff:ff
24: br-df92af750e3b: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:93:3e:96:cc brd ff:ff:ff:ff:ff:ff
25: br-0df3dc151116: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:bf:80:da:16 brd ff:ff:ff:ff:ff:ff
26: br-69922533691a: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:2b:02:a8:e5 brd ff:ff:ff:ff:ff:ff
27: br-7731fc6c9484: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:da:ea:b3:d0 brd ff:ff:ff:ff:ff:ff
28: br-8bc4fc2899bf: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:8f:19:94:ad brd ff:ff:ff:ff:ff:ff
29: br-8cac6d9983b2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:04:ed:dd:b1 brd ff:ff:ff:ff:ff:ff
30: br-f96b148877b4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:b8:71:cb:69 brd ff:ff:ff:ff:ff:ff
31: br-19dcb3d6ad15: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:a2:64:ff:fb brd ff:ff:ff:ff:ff:ff
32: br-32c830eeac56: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:1c:a2:8c:ce brd ff:ff:ff:ff:ff:ff
33: br-3df98dc438d8: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:48:a6:4b:18 brd ff:ff:ff:ff:ff:ff
34: br-aa79c81a4f66: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default 
    link/ether 02:42:78:4a:28:ee brd ff:ff:ff:ff:ff:ff
79: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000
    link/ipip 0.0.0.0 brd 0.0.0.0
81: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 3
    link/ppp 

I see that after connecting to the VPN, I can browse sites and use the internet on the Linux box, but I can SSH to servers and I do not get a ping from the servers, and I see an error about the network being unreachable.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: l2tp VPN, linux host problem

Tue Nov 29, 2022 10:23 pm

As the /ip route output shows you, the default route stays on gateway 192.168.1.1 via device wlp0s20f3, and all the other routes are only to connected networks (your bunch of bridges and the Mikrotik address on the L2TP tunnel).
So you have to add route(s) to the subnet(s) behind the Mikrotik via ppp0; ideally, you would set a list of destination subnets somewhere in the L2TP configuration, but any further details are beyond my knowledge of Fedora and/or Ubuntu. From the command line, you could use
ip route add 192.168.0.0/16 dev ppp0
to route via the tunnel the traffic for any 192.168.x.y destination for which there is no better matching route.

What Windows does by default is redirect all traffic to the tunnel; you can change that to adding just a route to a destination subnet calculated from the address assigned by the remote server, which would be 10.0.0.0/8 in your case, or you can use PowerShell to configure any destination list. Windows asks the server for a destination list using DHCPDISCOVER, but RouterOS only supports this for IKEv2 connections, not for L2TP ones.
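An added example, not code from this thread and not MikroTik's or Fedora's: a Python route-lookup simulator that applies the kernel's longest-prefix rule to a constructed copy of the ip route table posted above, so the effect of "ip route add 192.168.0.0/16 dev ppp0" can be checked destination by destination. It assumes only the relevant lines of that table plus a few hypothetical office addresses, and it ignores the linkdown flag, as the kernel does by default.

```python
"""Route-lookup simulator for the `ip route show` table in this thread.

Added example, not code from the thread.  It applies the kernel's rule
(longest matching prefix wins; among equal prefixes the lowest metric wins)
to a constructed copy of the table, so you can see which device a
destination leaves through before and after
`ip route add 192.168.0.0/16 dev ppp0`.  The `linkdown` flag is ignored,
which is what the kernel does unless ignore_routes_with_linkdown is enabled.
"""
import ipaddress
from typing import List, NamedTuple, Optional

# Constructed sample: the relevant lines of the posted `ip route` output
# (most of the docker/LXC bridge routes are left out to keep it short).
ROUTE_TABLE = """\
default via 192.168.1.1 dev wlp0s20f3 proto dhcp src 192.168.1.63 metric 600
10.0.3.0/24 dev lxcbr0 proto kernel scope link src 10.0.3.1 linkdown
10.10.150.1 dev ppp0 proto kernel scope link src 10.10.150.5
10.10.150.1 dev ppp0 proto kernel scope link src 10.10.150.5 metric 50
46.209.3.90 via 192.168.1.1 dev wlp0s20f3 proto static metric 50
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.1.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.1.63 metric 600
192.168.1.1 dev wlp0s20f3 proto static scope link metric 50
192.168.16.0/20 dev br-abeba6abb53a proto kernel scope link src 192.168.16.1 linkdown
"""


class Route(NamedTuple):
    net: ipaddress.IPv4Network
    dev: str
    via: Optional[str]   # next-hop gateway; None for directly connected routes
    metric: int


def parse_routes(text: str) -> List[Route]:
    """Parse `ip route show` lines; a bare address (host route) becomes a /32."""
    routes: List[Route] = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        prefix = "0.0.0.0/0" if fields[0] == "default" else fields[0]
        net = ipaddress.ip_network(prefix, strict=False)
        dev = fields[fields.index("dev") + 1]
        via = fields[fields.index("via") + 1] if "via" in fields else None
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        routes.append(Route(net, dev, via, metric))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Return the route the kernel would pick for dst (None if unroutable)."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr not in r.net:
            continue
        # Longer prefix beats shorter; same prefix: lower metric beats higher.
        if best is None or (r.net.prefixlen, -r.metric) > (best.net.prefixlen, -best.metric):
            best = r
    return best


def add_route(routes: List[Route], prefix: str, dev: str,
              via: Optional[str] = None, metric: int = 0) -> None:
    """Equivalent of `ip route add <prefix> dev <dev> [via <gw>] [metric N]`."""
    routes.append(Route(ipaddress.ip_network(prefix), dev, via, metric))


def describe(routes: List[Route], dst: str) -> str:
    """One human-readable line, in the spirit of `ip route get <dst>`."""
    r = lookup(routes, dst)
    if r is None:
        return f"{dst}: unreachable"
    hop = f"via {r.via} " if r.via else ""
    return f"{dst}: {hop}dev {r.dev} (matched {r.net}, metric {r.metric})"


if __name__ == "__main__":
    routes = parse_routes(ROUTE_TABLE)
    # Hypothetical office-side addresses, chosen to show the different outcomes:
    # the tunnel peer, an unrelated 10.x host, a 192.168.x host the /16 will
    # catch, one shadowed by the home LAN /24, one shadowed by a docker bridge.
    targets = ["10.10.150.1", "10.20.30.40", "192.168.50.10",
               "192.168.1.50", "192.168.20.5"]
    print("before adding the tunnel route:")
    for t in targets:
        print("  " + describe(routes, t))
    add_route(routes, "192.168.0.0/16", "ppp0")
    print("after `ip route add 192.168.0.0/16 dev ppp0`:")
    for t in targets:
        print("  " + describe(routes, t))
```

On the live Fedora box, ip route get <destination> asks the kernel the same question; a destination that comes back on the connected /24 or on one of the docker bridges instead of ppp0 explains why the /16 route had no visible effect for it.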
 
mfaridi
just joined
Topic Author
Posts: 15
Joined: Mon Nov 28, 2022 2:56 pm

Re: l2tp VPN, linux host problem

Mon Dec 05, 2022 10:19 am

sindy wrote:
> As the /ip route output shows you, the default route stays on gateway 192.168.1.1 via device wlp0s20f3, and all the other routes are only to connected networks (your bunch of bridges and the Mikrotik address on the L2TP tunnel).
> So you have to add route(s) to the subnet(s) behind the Mikrotik via ppp0; ideally, you would set a list of destination subnets somewhere in the L2TP configuration, but any further details are beyond my knowledge of Fedora and/or Ubuntu. From the command line, you could use
> ip route add 192.168.0.0/16 dev ppp0
> to route via the tunnel the traffic for any 192.168.x.y destination for which there is no better matching route.
>
> What Windows does by default is redirect all traffic to the tunnel; you can change that to adding just a route to a destination subnet calculated from the address assigned by the remote server, which would be 10.0.0.0/8 in your case, or you can use PowerShell to configure any destination list. Windows asks the server for a destination list using DHCPDISCOVER, but RouterOS only supports this for IKEv2 connections, not for L2TP ones.
I added the new route you said, but nothing happened and I cannot connect to the server via SSH.
 
mfaridi
just joined
Topic Author
Posts: 15
Joined: Mon Nov 28, 2022 2:56 pm

Re: l2tp VPN, linux host problem

Tue Dec 06, 2022 12:15 pm

I need a way to solve this problem.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: l2tp VPN, linux host problem

Tue Dec 06, 2022 2:01 pm

To solve the problem, you have to debug it. You've said you've added a route and that it didn't help, but you haven't shown the address plan at the server side, the route you've added itself, and you haven't sniffed on the various interfaces when the route was in place while trying to access the server from the client, so it is impossible to say what is wrong. Post the configuration of the Mikrotik, the information about the particular IP that is unreachable, and the /ip r output from the Linux when the tunnel is up and the route is added. I will then tell you what to do next.
 
mfaridi
just joined
Topic Author
Posts: 15
Joined: Mon Nov 28, 2022 2:56 pm

Re: l2tp VPN, linux host problem

Wed Dec 07, 2022 9:26 am

sindy wrote:
> To solve the problem, you have to debug it. You've said you've added a route and that it didn't help, but you haven't shown the address plan at the server side, the route you've added itself, and you haven't sniffed on the various interfaces when the route was in place while trying to access the server from the client, so it is impossible to say what is wrong. Post the configuration of the Mikrotik, the information about the particular IP that is unreachable, and the /ip r output from the Linux when the tunnel is up and the route is added. I will then tell you what to do next.
Thanks for your time; this is the ip output after the tunnel is up
[mostafa@fedora ~]$ sudo ip route add 192.168.0.0/16 dev ppp0
[sudo] password for mostafa:
[mostafa@fedora ~]$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 1000
link/ether 90:2e:16:c7:00:c9 brd ff:ff:ff:ff:ff:ff
3: wlp0s20f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
link/ether 10:3d:1c:ed:b1:ba brd ff:ff:ff:ff:ff:ff
inet 192.168.87.193/24 brd 192.168.87.255 scope global dynamic noprefixroute wlp0s20f3
valid_lft 3534sec preferred_lft 3534sec
inet6 fe80::4e5a:c2c0:2fa0:d29/64 scope link noprefixroute
valid_lft forever preferred_lft forever
4: lxcbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default qlen 1000
link/ether 00:16:3e:00:00:00 brd ff:ff:ff:ff:ff:ff
inet 10.0.3.1/24 brd 10.0.3.255 scope global lxcbr0
valid_lft forever preferred_lft forever
5: br-f05a8b946129: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:0e:4d:13:ed brd ff:ff:ff:ff:ff:ff
inet 192.168.208.1/20 brd 192.168.223.255 scope global br-f05a8b946129
valid_lft forever preferred_lft forever
6: br-028b729e4986: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:a4:02:10:c3 brd ff:ff:ff:ff:ff:ff
inet 192.168.240.1/20 brd 192.168.255.255 scope global br-028b729e4986
valid_lft forever preferred_lft forever
7: br-6be2e53b8ef4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:61:29:e0:f8 brd ff:ff:ff:ff:ff:ff
inet 172.21.0.1/16 brd 172.21.255.255 scope global br-6be2e53b8ef4
valid_lft forever preferred_lft forever
8: br-bfa3bd5a16d0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:12:00:47:4c brd ff:ff:ff:ff:ff:ff
inet 192.168.176.1/20 brd 192.168.191.255 scope global br-bfa3bd5a16d0
valid_lft forever preferred_lft forever
9: br-f96b148877b4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:71:61:2c:5e brd ff:ff:ff:ff:ff:ff
inet 192.168.96.1/20 brd 192.168.111.255 scope global br-f96b148877b4
valid_lft forever preferred_lft forever
10: br-424703d219e3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:44:4f:52:90 brd ff:ff:ff:ff:ff:ff
inet 192.168.112.1/20 brd 192.168.127.255 scope global br-424703d219e3
valid_lft forever preferred_lft forever
11: br-aa79c81a4f66: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:a4:08:b1:9c brd ff:ff:ff:ff:ff:ff
inet 192.168.128.1/20 brd 192.168.143.255 scope global br-aa79c81a4f66
valid_lft forever preferred_lft forever
12: br-abeba6abb53a: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:ed:8a:d5:12 brd ff:ff:ff:ff:ff:ff
inet 192.168.16.1/20 brd 192.168.31.255 scope global br-abeba6abb53a
valid_lft forever preferred_lft forever
inet6 fe80::42:edff:fe8a:d512/64 scope link
valid_lft forever preferred_lft forever
13: br-e3d231a34a84: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:2c:b8:45:fe brd ff:ff:ff:ff:ff:ff
inet 172.22.0.1/16 brd 172.22.255.255 scope global br-e3d231a34a84
valid_lft forever preferred_lft forever
inet6 fe80::42:2cff:feb8:45fe/64 scope link
valid_lft forever preferred_lft forever
14: br-19dcb3d6ad15: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:f6:1d:50:bb brd ff:ff:ff:ff:ff:ff
inet 172.27.0.1/16 brd 172.27.255.255 scope global br-19dcb3d6ad15
valid_lft forever preferred_lft forever
15: br-bec0635ab71c: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:e4:6d:4e:77 brd ff:ff:ff:ff:ff:ff
inet 172.23.0.1/16 brd 172.23.255.255 scope global br-bec0635ab71c
valid_lft forever preferred_lft forever
16: br-c70c3fd33627: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:ad:5f:68:31 brd ff:ff:ff:ff:ff:ff
inet 172.28.0.1/16 brd 172.28.255.255 scope global br-c70c3fd33627
valid_lft forever preferred_lft forever
inet6 fe80::42:adff:fe5f:6831/64 scope link
valid_lft forever preferred_lft forever
17: br-69922533691a: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:34:a3:57:df brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-69922533691a
valid_lft forever preferred_lft forever
18: br-915ddc20fc78: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:9e:52:b0:49 brd ff:ff:ff:ff:ff:ff
inet 192.168.80.1/20 brd 192.168.95.255 scope global br-915ddc20fc78
valid_lft forever preferred_lft forever
19: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:ec:70:1e:e0 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
20: br-ea424b37c7db: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:c5:e6:3a:7f brd ff:ff:ff:ff:ff:ff
inet 172.19.0.1/16 brd 172.19.255.255 scope global br-ea424b37c7db
valid_lft forever preferred_lft forever
21: br-3df98dc438d8: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:ca:85:80:e2 brd ff:ff:ff:ff:ff:ff
inet 172.20.0.1/16 brd 172.20.255.255 scope global br-3df98dc438d8
valid_lft forever preferred_lft forever
22: br-de53269774e6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:86:29:e0:e5 brd ff:ff:ff:ff:ff:ff
inet 172.26.0.1/16 brd 172.26.255.255 scope global br-de53269774e6
valid_lft forever preferred_lft forever
23: br-df92af750e3b: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:df:03:ea:50 brd ff:ff:ff:ff:ff:ff
inet 172.31.0.1/16 brd 172.31.255.255 scope global br-df92af750e3b
valid_lft forever preferred_lft forever
inet6 fe80::42:dfff:fe03:ea50/64 scope link
valid_lft forever preferred_lft forever
24: br-7a58c4e8a72f: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:22:a9:2a:ff brd ff:ff:ff:ff:ff:ff
inet 172.29.0.1/16 brd 172.29.255.255 scope global br-7a58c4e8a72f
valid_lft forever preferred_lft forever
25: br-9e7a3033d946: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:40:ad:31:31 brd ff:ff:ff:ff:ff:ff
inet 192.168.48.1/20 brd 192.168.63.255 scope global br-9e7a3033d946
valid_lft forever preferred_lft forever
inet6 fe80::42:40ff:fead:3131/64 scope link
valid_lft forever preferred_lft forever
26: br-0df3dc151116: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:8e:88:09:41 brd ff:ff:ff:ff:ff:ff
inet 192.168.64.1/20 brd 192.168.79.255 scope global br-0df3dc151116
valid_lft forever preferred_lft forever
27: br-279fae8826e5: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:3d:86:5e:df brd ff:ff:ff:ff:ff:ff
inet 192.168.32.1/20 brd 192.168.47.255 scope global br-279fae8826e5
valid_lft forever preferred_lft forever
28: br-6e2411ceb936: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:fe:fb:fc:c1 brd ff:ff:ff:ff:ff:ff
inet 172.30.0.1/16 brd 172.30.255.255 scope global br-6e2411ceb936
valid_lft forever preferred_lft forever
inet6 fe80::42:feff:fefb:fcc1/64 scope link
valid_lft forever preferred_lft forever
29: br-32c830eeac56: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:09:54:35:83 brd ff:ff:ff:ff:ff:ff
inet 192.168.224.1/20 brd 192.168.239.255 scope global br-32c830eeac56
valid_lft forever preferred_lft forever
30: br-7731fc6c9484: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:9b:2a:1b:fd brd ff:ff:ff:ff:ff:ff
inet 192.168.144.1/20 brd 192.168.159.255 scope global br-7731fc6c9484
valid_lft forever preferred_lft forever
32: br-943f08dfb047: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:dd:16:9d:7b brd ff:ff:ff:ff:ff:ff
inet 172.24.0.1/16 brd 172.24.255.255 scope global br-943f08dfb047
valid_lft forever preferred_lft forever
inet6 fe80::42:ddff:fe16:9d7b/64 scope link
valid_lft forever preferred_lft forever
33: br-8bc4fc2899bf: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:30:2f:ff:00 brd ff:ff:ff:ff:ff:ff
inet 192.168.160.1/20 brd 192.168.175.255 scope global br-8bc4fc2899bf
valid_lft forever preferred_lft forever
34: br-8cac6d9983b2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:6c:d2:14:9b brd ff:ff:ff:ff:ff:ff
inet 172.25.0.1/16 brd 172.25.255.255 scope global br-8cac6d9983b2
valid_lft forever preferred_lft forever
inet6 fe80::42:6cff:fed2:149b/64 scope link
valid_lft forever preferred_lft forever
115: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
116: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN group default qlen 3
link/ppp
inet 10.10.150.5 peer 10.10.150.1/32 scope global ppp0
valid_lft forever preferred_lft forever
inet6 fe80::15df:7fcc:6a9e:e641 peer fe80::f0:1a85/128 scope link
valid_lft forever preferred_lft forever
[mostafa@fedora ~]$
This is the route:
[mostafa@fedora ~]$ ssh mostafa@192.168.90.76
ssh: connect to host 192.168.90.76 port 22: No route to host
[mostafa@fedora ~]$ ip route
default dev ppp0 proto static scope link metric 50
default via 192.168.87.217 dev wlp0s20f3 proto dhcp src 192.168.87.193 metric 600
10.0.3.0/24 dev lxcbr0 proto kernel scope link src 10.0.3.1 linkdown
10.10.150.1 dev ppp0 proto kernel scope link src 10.10.150.5
10.10.150.1 dev ppp0 proto kernel scope link src 10.10.150.5 metric 50
46.209.3.90 via 192.168.87.217 dev wlp0s20f3 proto static metric 50
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
172.18.0.0/16 dev br-69922533691a proto kernel scope link src 172.18.0.1 linkdown
172.19.0.0/16 dev br-ea424b37c7db proto kernel scope link src 172.19.0.1 linkdown
172.20.0.0/16 dev br-3df98dc438d8 proto kernel scope link src 172.20.0.1 linkdown
172.21.0.0/16 dev br-6be2e53b8ef4 proto kernel scope link src 172.21.0.1 linkdown
172.22.0.0/16 dev br-e3d231a34a84 proto kernel scope link src 172.22.0.1 linkdown
172.23.0.0/16 dev br-bec0635ab71c proto kernel scope link src 172.23.0.1 linkdown
172.24.0.0/16 dev br-943f08dfb047 proto kernel scope link src 172.24.0.1 linkdown
172.25.0.0/16 dev br-8cac6d9983b2 proto kernel scope link src 172.25.0.1 linkdown
172.26.0.0/16 dev br-de53269774e6 proto kernel scope link src 172.26.0.1 linkdown
172.27.0.0/16 dev br-19dcb3d6ad15 proto kernel scope link src 172.27.0.1 linkdown
172.28.0.0/16 dev br-c70c3fd33627 proto kernel scope link src 172.28.0.1 linkdown
172.29.0.0/16 dev br-7a58c4e8a72f proto kernel scope link src 172.29.0.1 linkdown
172.30.0.0/16 dev br-6e2411ceb936 proto kernel scope link src 172.30.0.1 linkdown
172.31.0.0/16 dev br-df92af750e3b proto kernel scope link src 172.31.0.1 linkdown
192.168.0.0/16 dev ppp0 scope link
192.168.16.0/20 dev br-abeba6abb53a proto kernel scope link src 192.168.16.1 linkdown
192.168.32.0/20 dev br-279fae8826e5 proto kernel scope link src 192.168.32.1 linkdown
192.168.48.0/20 dev br-9e7a3033d946 proto kernel scope link src 192.168.48.1 linkdown
192.168.64.0/20 dev br-0df3dc151116 proto kernel scope link src 192.168.64.1 linkdown
192.168.80.0/20 dev br-915ddc20fc78 proto kernel scope link src 192.168.80.1 linkdown
192.168.87.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.87.193 metric 600
192.168.87.217 dev wlp0s20f3 proto static scope link metric 50
192.168.96.0/20 dev br-f96b148877b4 proto kernel scope link src 192.168.96.1 linkdown
192.168.112.0/20 dev br-424703d219e3 proto kernel scope link src 192.168.112.1 linkdown
192.168.128.0/20 dev br-aa79c81a4f66 proto kernel scope link src 192.168.128.1 linkdown
192.168.144.0/20 dev br-7731fc6c9484 proto kernel scope link src 192.168.144.1 linkdown
192.168.160.0/20 dev br-8bc4fc2899bf proto kernel scope link src 192.168.160.1 linkdown
192.168.176.0/20 dev br-bfa3bd5a16d0 proto kernel scope link src 192.168.176.1 linkdown
192.168.208.0/20 dev br-f05a8b946129 proto kernel scope link src 192.168.208.1 linkdown
192.168.224.0/20 dev br-32c830eeac56 proto kernel scope link src 192.168.224.1 linkdown
192.168.240.0/20 dev br-028b729e4986 proto kernel scope link src 192.168.240.1 linkdown
and this is the ip link output:

[mostafa@fedora ~]$ ip link
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp4s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000
link/ether 90:2e:16:c7:00:c9 brd ff:ff:ff:ff:ff:ff
3: wlp0s20f3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DORMANT group default qlen 1000
link/ether 10:3d:1c:ed:b1:ba brd ff:ff:ff:ff:ff:ff
4: lxcbr0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default qlen 1000
link/ether 00:16:3e:00:00:00 brd ff:ff:ff:ff:ff:ff
5: br-f05a8b946129: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:0e:4d:13:ed brd ff:ff:ff:ff:ff:ff
6: br-028b729e4986: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:a4:02:10:c3 brd ff:ff:ff:ff:ff:ff
7: br-6be2e53b8ef4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:61:29:e0:f8 brd ff:ff:ff:ff:ff:ff
8: br-bfa3bd5a16d0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:12:00:47:4c brd ff:ff:ff:ff:ff:ff
9: br-f96b148877b4: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:71:61:2c:5e brd ff:ff:ff:ff:ff:ff
10: br-424703d219e3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:44:4f:52:90 brd ff:ff:ff:ff:ff:ff
11: br-aa79c81a4f66: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:a4:08:b1:9c brd ff:ff:ff:ff:ff:ff
12: br-abeba6abb53a: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:ed:8a:d5:12 brd ff:ff:ff:ff:ff:ff
13: br-e3d231a34a84: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:2c:b8:45:fe brd ff:ff:ff:ff:ff:ff
14: br-19dcb3d6ad15: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:f6:1d:50:bb brd ff:ff:ff:ff:ff:ff
15: br-bec0635ab71c: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:e4:6d:4e:77 brd ff:ff:ff:ff:ff:ff
16: br-c70c3fd33627: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:ad:5f:68:31 brd ff:ff:ff:ff:ff:ff
17: br-69922533691a: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:34:a3:57:df brd ff:ff:ff:ff:ff:ff
18: br-915ddc20fc78: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:9e:52:b0:49 brd ff:ff:ff:ff:ff:ff
19: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:ec:70:1e:e0 brd ff:ff:ff:ff:ff:ff
20: br-ea424b37c7db: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:c5:e6:3a:7f brd ff:ff:ff:ff:ff:ff
21: br-3df98dc438d8: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:ca:85:80:e2 brd ff:ff:ff:ff:ff:ff
22: br-de53269774e6: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:86:29:e0:e5 brd ff:ff:ff:ff:ff:ff
23: br-df92af750e3b: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:df:03:ea:50 brd ff:ff:ff:ff:ff:ff
24: br-7a58c4e8a72f: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:22:a9:2a:ff brd ff:ff:ff:ff:ff:ff
25: br-9e7a3033d946: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:40:ad:31:31 brd ff:ff:ff:ff:ff:ff
26: br-0df3dc151116: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:8e:88:09:41 brd ff:ff:ff:ff:ff:ff
27: br-279fae8826e5: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:3d:86:5e:df brd ff:ff:ff:ff:ff:ff
28: br-6e2411ceb936: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:fe:fb:fc:c1 brd ff:ff:ff:ff:ff:ff
29: br-32c830eeac56: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:09:54:35:83 brd ff:ff:ff:ff:ff:ff
30: br-7731fc6c9484: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:9b:2a:1b:fd brd ff:ff:ff:ff:ff:ff
32: br-943f08dfb047: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:dd:16:9d:7b brd ff:ff:ff:ff:ff:ff
33: br-8bc4fc2899bf: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:30:2f:ff:00 brd ff:ff:ff:ff:ff:ff
34: br-8cac6d9983b2: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN mode DEFAULT group default
link/ether 02:42:6c:d2:14:9b brd ff:ff:ff:ff:ff:ff
115: ip_vti0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ipip 0.0.0.0 brd 0.0.0.0
116: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1400 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 3
link/ppp
[mostafa@fedora ~]$


How can I get the config of the VPN server on the Mikrotik by command line? This router was configured by someone else before and I do not have enough information about Mikrotik, but I have access to this device by Winbox.
After the VPN is connected I run this command:
[mostafa@fedora ~]$ sudo ip route add 192.168.0.0/16 dev ppp0
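Which of the posted route entries the kernel actually picks for 192.168.90.76 can be checked by longest-prefix match. The block below is an added example, not code from anyone in this thread: it parses a constructed excerpt of the `ip route` table above and resolves a few destinations, showing that the Docker bridge entry 192.168.80.0/20 (an interface with no carrier) is more specific than both `default dev ppp0` and the later `192.168.0.0/16 dev ppp0`.

```python
"""Longest-prefix-match resolver over `ip route` output (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the `ip route` table posted in the thread; the real
# table has many more Docker bridge entries of the same shape.
IP_ROUTE_EXCERPT = """\
default dev ppp0 proto static scope link metric 50
default via 192.168.87.217 dev wlp0s20f3 proto dhcp src 192.168.87.193 metric 600
10.10.150.1 dev ppp0 proto kernel scope link src 10.10.150.5
10.10.150.1 dev ppp0 proto kernel scope link src 10.10.150.5 metric 50
46.209.3.90 via 192.168.87.217 dev wlp0s20f3 proto static metric 50
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
192.168.0.0/16 dev ppp0 scope link
192.168.80.0/20 dev br-915ddc20fc78 proto kernel scope link src 192.168.80.1 linkdown
192.168.87.0/24 dev wlp0s20f3 proto kernel scope link src 192.168.87.193 metric 600
192.168.87.217 dev wlp0s20f3 proto static scope link metric 50
192.168.240.0/20 dev br-028b729e4986 proto kernel scope link src 192.168.240.1 linkdown
"""

# Keywords in `ip route` output that are followed by a value.
_VALUE_KEYS = {"dev", "via", "metric", "src", "proto", "scope", "table"}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    dev: str
    via: Optional[str]
    metric: int
    linkdown: bool


def parse_route_line(line: str) -> Optional[Route]:
    """Parse one line of `ip route` output; returns None for blank lines."""
    tokens = line.split()
    if not tokens:
        return None
    # "default" is shorthand for 0.0.0.0/0; a bare address means a /32 host route.
    dst = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
    prefix = ipaddress.ip_network(dst, strict=False)
    values = {}
    flags = set()
    i = 1
    while i < len(tokens):
        if tokens[i] in _VALUE_KEYS and i + 1 < len(tokens):
            values[tokens[i]] = tokens[i + 1]
            i += 2
        else:
            flags.add(tokens[i])
            i += 1
    return Route(
        prefix=prefix,
        dev=values.get("dev", ""),
        via=values.get("via"),
        metric=int(values.get("metric", 0)),  # the kernel treats a missing metric as 0
        linkdown=("linkdown" in flags),
    )


def parse_routes(text: str) -> List[Route]:
    return [r for r in (parse_route_line(line) for line in text.splitlines()) if r]


def resolve(routes: List[Route], destination: str) -> Optional[Route]:
    """Pick the route the kernel would use: longest prefix wins, then lowest metric.

    With the default net.ipv4.conf.all.ignore_routes_with_linkdown = 0, a route
    whose interface has no carrier still takes part in the lookup, so it can
    shadow a less specific route through a working interface such as ppp0.
    """
    addr = ipaddress.ip_address(destination)
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def with_route(routes: List[Route], line: str) -> List[Route]:
    """Return a copy of the table with one more entry, as `ip route add` would."""
    added = parse_route_line(line)
    return routes + ([added] if added else [])


def describe(routes: List[Route], destination: str) -> str:
    r = resolve(routes, destination)
    if r is None:
        return f"{destination}: no route"
    state = "NO CARRIER" if r.linkdown else "ok"
    return f"{destination}: {r.prefix} dev {r.dev} metric {r.metric} [{state}]"


ROUTES = parse_routes(IP_ROUTE_EXCERPT)

if __name__ == "__main__":
    for dst in ("192.168.90.76", "192.168.255.2", "10.10.150.1", "8.8.8.8"):
        print(describe(ROUTES, dst))
    # A route at least as specific as the /20 is what actually overrides it.
    fixed = with_route(ROUTES, "192.168.90.0/24 dev ppp0 scope link")
    print("after adding 192.168.90.0/24 dev ppp0:", describe(fixed, "192.168.90.76"))
```

On a bridge with no carrier, neighbour resolution cannot succeed, which is one way an ssh attempt ends in "No route to host" even though a default route via ppp0 exists. A more specific route into the tunnel (or removing the overlapping Docker networks) is needed; the /16 added above is still less specific than the /20.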
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: l2tp VPN, linux host problem

Wed Dec 07, 2022 4:27 pm

In Winbox, press the [New Terminal] button to open a command line window within Winbox.
 
mfaridi
just joined
Topic Author
Posts: 15
Joined: Mon Nov 28, 2022 2:56 pm

Re: l2tp VPN, linux host problem

Wed Dec 07, 2022 10:26 pm

In Winbox, press the [New Terminal] button to open a command line window within Winbox.
thanks
# dec/07/2022 14:18:47 by RouterOS 6.49.6
# software id = RLH3-RWIH
#
# model = RB1100x4
# serial number = CE9A0C56BC17
/interface gre
add allow-fast-path=no disabled=yes local-address=a.b.c.90 name=\
    GRE-SADERAT remote-address=r.t.u.i
add allow-fast-path=no local-address=a.b.c.90 name=GRE-UID remote-address=\
    r.t.u.e
/interface vlan
add interface=ether3 name=ACC-MIK vlan-id=99
add interface=ether3 name=MGMT vlan-id=100
add interface=ether3 name=NETWORK vlan-id=101
add interface=ether4 name=PTP vlan-id=98
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.91.106-192.168.91.220
add name=dhcp_pool1 ranges=192.168.93.36-192.168.93.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=NETWORK lease-time=\
    2w2d16h10m name=dhcp1
/lora servers
add address=eu.mikrotik.thethings.industries down-port=1700 name=TTN-EU \
    up-port=1700
add address=us.mikrotik.thethings.industries down-port=1700 name=TTN-US \
    up-port=1700
add address=eu1.cloud.thethings.industries down-port=1700 name=\
    "TTS Cloud (eu1)" up-port=1700
add address=nam1.cloud.thethings.industries down-port=1700 name=\
    "TTS Cloud (nam1)" up-port=1700
add address=au1.cloud.thethings.industries down-port=1700 name=\
    "TTS Cloud (au1)" up-port=1700
add address=eu1.cloud.thethings.network down-port=1700 name="TTN V3 (eu1)" \
    up-port=1700
add address=nam1.cloud.thethings.network down-port=1700 name="TTN V3 (nam1)" \
    up-port=1700
add address=au1.cloud.thethings.network down-port=1700 name="TTN V3 (au1)" \
    up-port=1700
/ppp profile
set *FFFFFFFE dns-server=192.168.90.30
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/ip firewall connection tracking
set enabled=yes
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set enabled=yes use-ipsec=yes
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes max-mru=1350 max-mtu=\
    1350
/ip address
add address=192.168.91.11/24 interface=NETWORK network=192.168.91.0
add address=a.b.c.90/29 interface=ether1 network=a.b.c.88
add address=a.b.c.91/29 interface=ether1 network=a.b.c.88
add address=192.168.255.1/28 interface=ACC-MIK network=192.168.255.0
add address=10.10.10.1/30 interface=GRE-UID network=10.10.10.0
add address=a.b.c.92/29 interface=ether1 network=a.b.c.88
add address=a.b.c.93/29 interface=ether1 network=a.b.c.88
add address=a.b.c.94/29 interface=ether1 network=a.b.c.88
add address=d.e.f.110/30 interface=ether1 network=d.e.f.108
add address=192.168.90.11/24 interface=MGMT network=192.168.90.0
add address=192.168.255.17/28 interface=ether5 network=192.168.255.16
add address=172.20.10.1/30 interface=GRE-SADERAT network=172.20.10.0
/ip dhcp-server lease
add address=192.168.91.226 client-id=1:fc:34:97:15:44:6f mac-address=\
    FC:34:97:15:44:6F server=dhcp1
add address=192.168.91.228 client-id=1:fc:34:97:15:42:3e mac-address=\
    FC:34:97:15:42:3E server=dhcp1
add address=192.168.91.31 client-id=1:f8:e4:3b:36:c6:a5 mac-address=\
    F8:E4:3B:36:C6:A5 server=dhcp1
add address=192.168.91.222 client-id=1:fc:34:97:15:42:4c mac-address=\
    FC:34:97:15:42:4C server=dhcp1
add address=192.168.91.190 block-access=yes client-id=1:0:c:29:8f:7e:3d \
    mac-address=00:0C:29:8F:7E:3D server=dhcp1
add address=192.168.91.224 client-id=1:fc:34:97:15:42:65 mac-address=\
    FC:34:97:15:42:65 server=dhcp1
add address=192.168.91.202 client-id=1:fc:34:97:15:43:d mac-address=\
    FC:34:97:15:43:0D server=dhcp1
/ip dhcp-server network
add address=192.168.91.0/24 dns-server=192.168.90.30,8.8.8.8 gateway=\
    192.168.91.11
/ip dns
set allow-remote-requests=yes servers=\
    78.157.42.101,78.157.42.100,46.209.209.209,8.8.8.8
/ip firewall address-list
add address=192.168.0.0/16 list=Local
add address=192.168.93.0/24 list=Local
/ip firewall filter
add action=drop chain=forward disabled=yes dst-address=192.168.90.0/24 \
    src-address=10.10.150.10
add action=drop chain=forward disabled=yes dst-address=192.168.91.0/24 \
    src-address=10.10.150.10
add action=accept chain=forward src-address=10.10.150.3
add action=accept chain=forward src-address=10.10.150.4
add action=accept chain=forward src-address=10.10.150.5
add action=accept chain=forward src-address=10.10.150.6
add action=accept chain=forward src-address=10.10.150.7
add action=accept chain=forward src-address=10.10.150.8
add action=accept chain=forward src-address=10.10.150.9
add action=accept chain=input src-address=10.10.150.5
add action=accept chain=input src-address=10.10.150.3
add action=accept chain=input src-address=192.168.91.0/24
add action=accept chain=input src-address=10.10.150.4
add action=accept chain=input src-address=10.10.150.5
add action=accept chain=input src-address=10.10.150.6
add action=accept chain=input src-address=10.10.150.7
add action=accept chain=input src-address=10.10.150.8
add action=accept chain=input src-address=10.10.150.9
add action=accept chain=input src-address=10.10.150.10
add action=accept chain=input in-interface=all-ppp
add action=accept chain=forward in-interface=all-ppp
add action=accept chain=input src-address=10.10.150.2
add action=accept chain=input src-address=192.168.93.0/24
add action=accept chain=input src-address=192.168.90.0/24
add action=accept chain=forward src-address=192.168.91.0/24
add action=accept chain=forward src-address=192.168.93.0/24
add action=accept chain=forward in-interface=ether5
add action=accept chain=forward src-address=192.168.255.16/28
add action=accept chain=input src-address=192.168.255.16/28
add action=accept chain=forward src-address=192.168.90.0/24
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input comment="***************************************\
    *********FIREWALL RULES ************************************************" \
    connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=forward in-interface=ACC-MIK
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=accept chain=forward comment="*************************************\
    ***********OUTPUT IN SERVER  RULES ***************************************\
    *********" dst-address=192.168.255.2 dst-port=4081 protocol=tcp
add action=accept chain=forward dst-address=192.168.255.2 dst-port=4040 \
    protocol=tcp
add action=accept chain=forward dst-address=192.168.255.2 dst-port=4040 \
    protocol=udp
add action=accept chain=forward dst-address=192.168.90.2 dst-port=443 \
    protocol=tcp
add action=accept chain=forward dst-address=192.168.90.2 dst-port=8080 \
    protocol=tcp
add action=accept chain=forward dst-address=192.168.90.70 dst-port=8010 \
    protocol=tcp
add action=accept chain=forward dst-address=192.168.90.202 dst-port=443 \
    protocol=tcp
add action=accept chain=forward dst-address=192.168.90.76 dst-port=443 \
    protocol=tcp
add action=accept chain=forward dst-address=192.168.90.77 dst-port=22 \
    protocol=tcp
add action=accept chain=forward dst-address=192.168.255.2 dst-port=1701 \
    protocol=udp
add action=accept chain=forward dst-address=192.168.255.2 protocol=ipsec-ah
add action=accept chain=forward dst-address=192.168.255.2 protocol=ipsec-esp
add action=accept chain=forward dst-address=192.168.255.2 dst-port=1701 \
    protocol=tcp
add action=accept chain=forward dst-address=192.168.255.2 dst-port=4500 \
    protocol=udp
add action=accept chain=forward dst-address=192.168.255.2 dst-port=4500 \
    protocol=tcp
add action=accept chain=forward dst-address=192.168.255.2 dst-port=500 \
    protocol=udp
add action=accept chain=forward dst-address=192.168.255.2 dst-port=500 \
    protocol=tcp
add action=accept chain=forward dst-address=192.168.91.49 dst-port=8443 \
    protocol=tcp
add action=accept chain=input comment="***************************************\
    *********INPUT IN SERVER    RULES       **********************************\
    **************" dst-port=8295 protocol=tcp src-address=192.168.255.2
add action=accept chain=input dst-port=8295 protocol=tcp
add action=accept chain=input src-address=81.91.155.98
add action=accept chain=input src-address=5.202.185.64/28
add action=accept chain=input in-interface=ACC-MIK src-address=192.168.90.30
add action=accept chain=input in-interface=ACC-MIK src-address=\
    192.168.90.0/24
add action=accept chain=input src-address=10.189.5.0/24
add action=accept chain=input comment="***************************************\
    ********ALL  VPN AND PPP  PORTRULES            ***************************\
    *********************" protocol=ipsec-esp
add action=accept chain=forward dst-address=192.168.91.192 src-address=\
    10.10.150.13
add action=accept chain=forward dst-address=192.168.91.192 src-address=\
    10.10.150.17
add action=accept chain=forward dst-address=192.168.91.192 src-address=\
    10.10.150.15
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=forward dst-address=192.168.91.192 src-address=\
    10.10.150.12
add action=accept chain=forward dst-address=192.168.91.192 src-address=\
    10.10.150.14
add action=accept chain=forward dst-address=192.168.91.192 src-address=\
    10.10.150.16
add action=accept chain=input connection-state=established dst-port=4500 \
    protocol=tcp
add action=accept chain=forward dst-address=192.168.91.192 src-address=\
    10.10.150.11
add action=accept chain=input connection-state=established dst-port=2222 \
    protocol=tcp
add action=accept chain=input connection-state=established dst-port=500 \
    protocol=tcp
add action=accept chain=input connection-state=established dst-port=1701 \
    protocol=tcp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=forward in-interface=GRE-UID
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input in-interface=GRE-UID
add action=drop chain=forward
add action=drop chain=input
add action=drop chain=forward connection-state=invalid
add action=drop chain=input connection-state=invalid
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=FARIDI \
    passthrough=yes src-address=192.168.91.194
/ip firewall nat
add action=masquerade chain=srcnat dst-address-list=!Local out-interface=\
    ether1 src-address=192.168.91.0/24 to-addresses=a.b.c.90
add action=src-nat chain=srcnat out-interface=ether1 src-address=\
    192.168.91.194 to-addresses=d.e.f.110
add action=masquerade chain=srcnat dst-address-list=!Local out-interface=\
    ether1 src-address=192.168.93.0/24 to-addresses=a.b.c.90
add action=masquerade chain=srcnat dst-address-list=!Local out-interface=\
    ether1 src-address=192.168.255.16/28 to-addresses=a.b.c.90
add action=masquerade chain=srcnat comment="INTERNET  SERVER  GITLAB" \
    dst-address-list=!Local out-interface=ether1 src-address=192.168.90.15
add action=src-nat chain=srcnat log=yes out-interface=ether1 src-address=\
    192.168.255.2 to-addresses=a.b.c.90
add action=masquerade chain=srcnat dst-address-list=!Local src-address=\
    192.168.90.30 to-addresses=a.b.c.90
add action=masquerade chain=srcnat dst-address-list=!Local src-address=\
    192.168.90.6 to-addresses=a.b.c.90
add action=masquerade chain=srcnat comment="INTERNET  SERVER  CUNFLUENCE" \
    out-interface=ether1 src-address=192.168.90.20
add action=masquerade chain=srcnat comment="INTERNET  SERVER  CUNFLUENCE" \
    out-interface=ether1 src-address=192.168.90.22
add action=masquerade chain=srcnat comment="INTERNET  SERVER " out-interface=\
    ether1 src-address=192.168.90.202
add action=masquerade chain=srcnat comment="INTERNET  SERVER  " \
    out-interface=ether1 src-address=192.168.90.70
add action=masquerade chain=srcnat comment="INTERNET  SERVER  " \
    out-interface=ether1 src-address=192.168.90.77
add action=masquerade chain=srcnat comment="INTERNET  SERVER  JIRA" \
    out-interface=ether1 src-address=192.168.90.21
add action=masquerade chain=srcnat comment=banihashemi dst-address-list=\
    !Local out-interface=ether1 src-address=10.10.150.2
add action=masquerade chain=srcnat comment=azmoon dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.3
add action=masquerade chain=srcnat comment=faridi dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.4
add action=masquerade chain=srcnat comment=m.faridi dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.5
add action=masquerade chain=srcnat comment=m.najafi dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.6
add action=masquerade chain=srcnat comment=a.gholami dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.7
add action=masquerade chain=srcnat comment=m.bonvari dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.8
add action=masquerade chain=srcnat comment=j.jafari dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.9
add action=masquerade chain=srcnat comment=j.jafari dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.10
add action=masquerade chain=srcnat comment=j.jafari dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.18
add action=masquerade chain=srcnat comment=j.jafari dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.19
add action=masquerade chain=srcnat comment=j.jafari dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.22
add action=masquerade chain=srcnat comment=j.jafari dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.23
add action=masquerade chain=srcnat comment=Saderat dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.25
add action=masquerade chain=srcnat comment=ekrami dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.26
add action=masquerade chain=srcnat comment=arsham dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.27
add action=masquerade chain=srcnat comment=security dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.28
add action=masquerade chain=srcnat comment=amirkave dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.33
add action=masquerade chain=srcnat comment=bagherpour dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.30
add action=masquerade chain=srcnat comment=Arezoumandi dst-address-list=\
    !Local out-interface=ether1 src-address=10.10.150.31
add action=masquerade chain=srcnat comment=j.jafari dst-address-list=!Local \
    out-interface=ether1 src-address=10.10.150.20
add action=dst-nat chain=dstnat dst-address=a.b.c.91 dst-port=4081 \
    protocol=tcp to-addresses=192.168.255.2 to-ports=4081
add action=dst-nat chain=dstnat dst-address=a.b.c.91 dst-port=8080 \
    protocol=tcp to-addresses=192.168.90.2 to-ports=443
add action=dst-nat chain=dstnat dst-address=a.b.c.91 dst-port=4081 \
    protocol=tcp src-address=81.91.155.98 to-addresses=192.168.255.2 \
    to-ports=4081
add action=dst-nat chain=dstnat dst-address=a.b.c.90 dst-port=8443 \
    protocol=tcp src-address=5.202.185.70 to-addresses=192.168.91.222 \
    to-ports=8443
add action=dst-nat chain=dstnat dst-address=a.b.c.91 dst-port=4040 \
    protocol=udp to-addresses=192.168.255.2 to-ports=4040
add action=dst-nat chain=dstnat dst-address=a.b.c.91 dst-port=1701 log=yes \
    protocol=udp to-addresses=192.168.255.2 to-ports=1701
add action=dst-nat chain=dstnat dst-address=a.b.c.91 dst-port=1701 log=yes \
    protocol=tcp to-addresses=192.168.255.2 to-ports=1701
add action=dst-nat chain=dstnat dst-address=a.b.c.91 dst-port=500 log=yes \
    protocol=udp to-addresses=192.168.255.2 to-ports=500
add action=dst-nat chain=dstnat dst-address=a.b.c.91 dst-port=4500 log=yes \
    protocol=udp to-addresses=192.168.255.2 to-ports=4500
add action=dst-nat chain=dstnat dst-address=d.e.f.110 dst-port=443 \
    protocol=tcp to-addresses=192.168.90.80 to-ports=443
add action=dst-nat chain=dstnat dst-address=a.b.c.91 dst-port=2221 \
    protocol=tcp to-addresses=192.168.90.96 to-ports=22
add action=masquerade chain=srcnat dst-address-list=Local out-interface=\
    ether1 src-address=10.10.150.17
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.90.40
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.90.50
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.90.60
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.90.76
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.90.80
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.90.84
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.90.93
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.90.96
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.90.125
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.90.52
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.90.78
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.90.72
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.90.73
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.90.74
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.90.75
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.91.67
/ip route
add distance=2 gateway=d.e.f.109 routing-mark=FARIDI
add distance=1 gateway=a.b.c.89
add distance=1 dst-address=10.4.0.0/16 gateway=GRE-UID
add distance=1 dst-address=172.20.10.145/32 gateway=GRE-SADERAT
add comment=banihashemi disabled=yes distance=1 dst-address=192.168.90.0/24 \
    gateway=192.168.255.2
add comment=banihashemi disabled=yes distance=1 dst-address=192.168.91.0/24 \
    gateway=192.168.255.2
add distance=1 dst-address=192.168.93.0/24 gateway=192.168.255.18
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2222
set api disabled=yes
set winbox port=8295
set api-ssl disabled=yes
/ppp secret
add local-address=10.10.150.1 name=banihashemi profile=default-encryption \
    remote-address=10.10.150.2 service=l2tp
add local-address=10.10.150.1 name=azmoon profile=default-encryption \
    remote-address=10.10.150.3 service=l2tp
add local-address=10.10.150.1 name=azmoon1 profile=default-encryption \
    remote-address=10.10.150.4 service=pptp
add local-address=10.10.150.1 name=m.faridi profile=default-encryption \
    remote-address=10.10.150.5 service=l2tp
add local-address=10.10.150.1 name=m.najafi profile=default-encryption \
    remote-address=10.10.150.6 service=l2tp
add local-address=10.10.150.1 name=a.gholami profile=default-encryption \
    remote-address=10.10.150.7 service=l2tp
add local-address=10.10.150.1 name=m.bonvari profile=default-encryption \
    remote-address=10.10.150.8 service=l2tp
add local-address=10.10.150.1 name=j.jafari profile=default-encryption \
    remote-address=10.10.150.9 service=l2tp
add local-address=10.10.150.1 name=bankid profile=default-encryption \
    remote-address=10.10.150.10 service=l2tp
add local-address=10.10.150.1 name=S_Ghadiri profile=default-encryption \
    remote-address=10.10.150.11 service=l2tp
add local-address=10.10.150.1 name=k_hayrapetian profile=default-encryption \
    remote-address=10.10.150.12 service=l2tp
add local-address=10.10.150.1 name=m_kalantari profile=default-encryption \
    remote-address=10.10.150.13 service=l2tp
add local-address=10.10.150.1 name=be_sadeghi profile=default-encryption \
    remote-address=10.10.150.14 service=l2tp
add local-address=10.10.150.1 name=m_ghadiri profile=default-encryption \
    remote-address=10.10.150.15 service=l2tp
add local-address=10.10.150.1 name=m_azarmi profile=default-encryption \
    remote-address=10.10.150.16 service=l2tp
add local-address=10.10.150.1 name=a_mahmoudi profile=default-encryption \
    remote-address=10.10.150.17 service=l2tp
add local-address=10.10.150.1 name=keepa profile=default-encryption \
    remote-address=10.10.150.18 service=l2tp
add local-address=10.10.150.1 name=bankid2 profile=default-encryption \
    remote-address=10.10.150.19 service=l2tp
add local-address=10.10.150.1 name=bonvari2 profile=default-encryption \
    remote-address=10.10.150.20 service=sstp
add local-address=10.10.150.1 name=bankid-saderat profile=default-encryption \
    remote-address=10.10.150.21 service=l2tp
add local-address=10.10.150.1 name=d.khakbaz profile=default-encryption \
    remote-address=10.10.150.23 service=l2tp
add local-address=10.10.150.1 name=saderat profile=default-encryption \
    remote-address=10.10.150.25 service=l2tp
add local-address=10.10.150.1 name=ekrami profile=default-encryption \
    remote-address=10.10.150.26 service=l2tp
add local-address=10.10.150.1 name=bankid-arsham profile=default-encryption \
    remote-address=10.10.150.27 service=l2tp
add local-address=10.10.150.1 name=security profile=default-encryption \
    remote-address=10.10.150.28 service=l2tp
add local-address=10.10.150.1 name=bagherpour profile=default-encryption \
    remote-address=10.10.150.30 service=l2tp
add local-address=10.10.150.1 name=arezoumandi profile=default-encryption \
    remote-address=10.10.150.31 service=l2tp
add local-address=10.10.150.1 name=amirkaveh profile=default-encryption \
    remote-address=10.10.150.33 service=l2tp
/system clock
set time-zone-name=Asia/aaaa
/system identity
set name="BANK ID"
/system ntp client
set enabled=yes primary-ntp=m.n.o.p secondary-ntp=h.j.k.l
/system ntp server
set broadcast=yes enabled=yes multicast=yes
/tool user-manager database
set db-path=user-manager
Last edited by BartoszP on Sat Dec 10, 2022 1:47 am, edited 1 time in total.
Reason: Use proper tags .. quotes for quotting, code for code
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: l2tp VPN, linux host problem

Fri Dec 09, 2022 6:13 pm

When the L2TP is running and you add the route to 192.168.0.0/16 via ppp0, what does ip route get 192.168.90.76 show?

The thing is that when the destination address of a packet matches the destination prefixes of multiple routes, the route whose destination prefix is the longest one is chosen among them.

So here, for 192.168.90.76, the route to 192.168.0.0/16 (via ppp0) is shadowed by the one to just 192.168.96.0/20 (via br-f96b148877b4) on your Fedora; I'm not sure whether that route is actually active as it says "linkdown" which is something I have never seen yet. The ip route get will answer this question.
 
mfaridi
just joined
Topic Author
Posts: 15
Joined: Mon Nov 28, 2022 2:56 pm

Re: l2tp VPN, linux host problem

Fri Dec 09, 2022 6:46 pm

When the L2TP is running and you add the route to 192.168.0.0/16 via ppp0, what does ip route get 192.168.90.76 show?

The thing is that when the destination address of a packet matches the destination prefixes of multiple routes, the route whose destination prefix is the longest one is chosen among them.

So here, for 192.168.90.76, the route to 192.168.0.0/16 (via ppp0) is shadowed by the one to just 192.168.96.0/20 (via br-f96b148877b4) on your Fedora; I'm not sure whether that route is actually active as it says "linkdown" which is something I have never seen yet. The ip route get will answer this question.
When I type that command I see
┌──(mostafa㉿fedora)-[~]
└─$ ip route get 192.168.90.76
192.168.90.76 dev br-915ddc20fc78 src 192.168.80.1 uid 1000
cache
We use the 192.168.90.0 range for servers and the 192.168.91.0 range for desktop clients.
In Linux, after the VPN connection, I do not have ping of the servers and clients and I see an error about no route to host.
For example, I do not have ping of 192.168.90.76, which is a Linux server, and I do not have ping of 192.168.91.222, which is my Windows desktop.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: l2tp VPN, linux host problem

Fri Dec 09, 2022 9:36 pm

When I type that command I see
┌──(mostafa㉿fedora)-[~]
└─$ ip route get 192.168.90.76
192.168.90.76 dev br-915ddc20fc78 src 192.168.80.1 uid 1000
     cache
We use the 192.168.90.0 range for servers and the 192.168.91.0 range for desktop clients.
It is a combination of two distinct issues.
  • One issue is that the route to the HQ network is not automatically added on the Linux client. This issue can be solved by adding the route, and in the ideal case, there is a way to add that somehow to the L2TP client configuration so that the route would be added automatically whenever the client connects.
  • The other issue is that you use the same IP address range for something else on your Fedora machine (as you've attached an address from 192.168.80.0/20, in particular, 192.168.80.1, to one of the br-xxxxxxxx interfaces on it). The server subnet 192.168.90.0/24 and the client subnet 192.168.91.0/24 both fit into 192.168.80.0/20, so the Fedora uses the automatically added route to 192.168.80.0/20 to send traffic to 192.168.90.76, because this route overrides the route to 192.168.0.0/16 via ppp0. It overrides it because it matches 192.168.90.76 "better" than the one you've added.

You can check that this is the case by adding a route to 192.168.90.0/23 via ppp0 instead of a route to 192.168.0.0/16 via ppp0, but I don't know what this will break on the Fedora machine, as I don't know what containers or other stuff is running there in the 192.168.80.0/20 subnet.
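The longest-prefix-match rule described above, as an added example that is not part of the thread: a small Python simulation of the Fedora client's routing table, built from the figures in the posts (the bridge name is the one from the user's ip route get output; the table entries themselves are constructed), showing why 192.168.80.0/20 shadows 192.168.0.0/16 for 192.168.90.76, why a 192.168.90.0/23 route wins instead, and which addresses that route takes away from the bridge.

```python
import ipaddress

# Constructed routing tables for the Fedora client, built from the figures in the
# thread; the bridge name is the one shown in the user's `ip route get` output.
BRIDGE = "br-915ddc20fc78"
BEFORE_FIX = [
    ("192.168.80.0/20", BRIDGE, "192.168.80.1"),  # added automatically for the local bridge
    ("192.168.0.0/16", "ppp0", "10.10.150.5"),    # route the user added by hand
]
AFTER_FIX = [
    ("192.168.80.0/20", BRIDGE, "192.168.80.1"),
    ("192.168.90.0/23", "ppp0", "10.10.150.5"),   # the suggested route: longer than the /20
]


def lookup(table, dst):
    """Select the route for dst the way the kernel does: among all routes whose
    prefix contains dst, the one with the longest prefix wins.
    Returns (prefix, device, source address) or None when nothing matches."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, dev, src in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, src)
    return None if best is None else (str(best[0]), best[1], best[2])


def covering_route(needed):
    """Smallest single prefix that covers all the needed subnets; for the server
    subnet 192.168.90.0/24 and the client subnet 192.168.91.0/24 that is 192.168.90.0/23."""
    nets = [ipaddress.ip_network(n) for n in needed]
    first, last = min(n[0] for n in nets), max(n[-1] for n in nets)
    for plen in range(32, -1, -1):               # widen the prefix until it spans both ends
        cand = ipaddress.ip_network((str(first), plen), strict=False)
        if last in cand:
            return str(cand)


def shadowed_locally(table, local_dev):
    """Prefixes that a more specific route via another device carves out of a
    local_dev prefix: those addresses stop being reachable locally on local_dev."""
    local = [ipaddress.ip_network(p) for p, d, _ in table if d == local_dev]
    others = [ipaddress.ip_network(p) for p, d, _ in table if d != local_dev]
    return sorted(str(o) for o in others
                  if any(o.prefixlen > l.prefixlen and o.subnet_of(l) for l in local))


if __name__ == "__main__":
    for name, table in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        for dst in ("192.168.90.76", "192.168.91.222"):
            print(name, dst, "->", lookup(table, dst))
    print("route covering both office subnets:",
          covering_route(["192.168.90.0/24", "192.168.91.0/24"]))
    print("hidden from the bridge after the fix:", shadowed_locally(AFTER_FIX, BRIDGE))
```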
 
mfaridi
just joined
Topic Author
Posts: 15
Joined: Mon Nov 28, 2022 2:56 pm

Re: l2tp VPN, linux host problem

Sat Dec 10, 2022 10:29 pm

When I type that command I see
┌──(mostafa㉿fedora)-[~]
└─$ ip route get 192.168.90.76
192.168.90.76 dev br-915ddc20fc78 src 192.168.80.1 uid 1000
     cache
We use the 192.168.90.0 range for servers and the 192.168.91.0 range for desktop clients.
It is a combination of two distinct issues.
  • One issue is that the route to the HQ network is not automatically added on the Linux client. This issue can be solved by adding the route, and in the ideal case, there is a way to add that somehow to the L2TP client configuration so that the route would be added automatically whenever the client connects.
  • The other issue is that you use the same IP address range for something else on your Fedora machine (as you've attached an address from 192.168.80.0/20, in particular, 192.168.80.1, to one of the br-xxxxxxxx interfaces on it). The server subnet 192.168.90.0/24 and the client subnet 192.168.91.0/24 both fit into 192.168.80.0/20, so the Fedora uses the automatically added route to 192.168.80.0/20 to send traffic to 192.168.90.76, because this route overrides the route to 192.168.0.0/16 via ppp0. It overrides it because it matches 192.168.90.76 "better" than the one you've added.

You can check that this is the case by adding a route to 192.168.90.0/23 via ppp0 instead of a route to 192.168.0.0/16 via ppp0, but I don't know what this will break on the Fedora machine, as I don't know what containers or other stuff is running there in the 192.168.80.0/20 subnet.
Thanks
After adding the route 192.168.90.0/23 via ppp0,
I have ping of 192.168.91.222 and I can connect to the remote desktop by Remmina,
but I do not have ping of 192.168.90.76.
I have ping of 192.168.91.0/24 but I do not have ping of 192.168.90.0/24.
┌──(mostafa㉿fedora)-[~]
└─$ ip route get 192.168.90.76
192.168.90.76 dev ppp0 src 10.10.150.5 uid 1000
cache

┌──(mostafa㉿fedora)-[~]
└─$ ip route get 192.168.91.222
192.168.91.222 dev ppp0 src 10.10.150.5 uid 1000
cache
Last edited by mfaridi on Sun Dec 11, 2022 8:45 am, edited 1 time in total.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: l2tp VPN, linux host problem

Sat Dec 10, 2022 10:44 pm

After adding the route 192.168.90.0/23 via ppp0,
I have ping of 192.168.91.222 and I can connect to the remote desktop by Remmina,
but I do not have ping of 192.168.90.76.
I have ping of 192.168.91.0/16 but I do not have ping of 192.168.90.0/16.
You probably mean 192.168.91.0/24 and 192.168.90.0/24, but that's not important. ip route get shows the gateway to be ppp0 for both these subnets, and the src address shown is the one assigned by the server (10.10.150.5), so everything seems to be OK at the Fedora side (except that now the addresses in the 192.168.90.0/23 range within the 192.168.80.0/20 one are inaccessible locally at the Fedora).

If from a Windows client connected using the same user account you can ping the 192.168.90.0/24, I've got no idea what else could be wrong. So while pinging 192.168.90.76 from the Fedora, run /tool sniffer quick ip-protocol=icmp ip-address=10.10.150.5 on the Mikrotik, to see whether the ping requests arrive from the Fedora end, and if any responses come back from 192.168.90.76, what happens to them.
 
mfaridi
just joined
Topic Author
Posts: 15
Joined: Mon Nov 28, 2022 2:56 pm

Re: l2tp VPN, linux host problem

Sat Dec 10, 2022 11:02 pm

After adding the route 192.168.90.0/23 via ppp0,
I have ping of 192.168.91.222 and I can connect to the remote desktop by Remmina,
but I do not have ping of 192.168.90.76.
I have ping of 192.168.91.0/16 but I do not have ping of 192.168.90.0/16.
You probably mean 192.168.91.0/24 and 192.168.90.0/24, but that's not important. ip route get shows the gateway to be ppp0 for both these subnets, and the src address shown is the one assigned by the server (10.10.150.5), so everything seems to be OK at the Fedora side (except that now the addresses in the 192.168.90.0/23 range within the 192.168.80.0/20 one are inaccessible locally at the Fedora).

If from a Windows client connected using the same user account you can ping the 192.168.90.0/24, I've got no idea what else could be wrong. So while pinging 192.168.90.76 from the Fedora, run /tool sniffer quick ip-protocol=icmp ip-address=10.10.150.5 on the Mikrotik, to see whether the ping requests arrive from the Fedora end, and if any responses come back from 192.168.90.76, what happens to them.
I see this:
.. Move up one level
/command Use command at the base level
[admin@BANK ID] > /tool sniffer quick ip-protocol=icmp ip-address=10.10.150.5
INTERFACE            TIME NUM DIR SRC-MAC           DST-MAC           VLAN SRC-ADDRESS DST-ADDRESS   PROTOCOL SIZE CPU FP
MGMT              291.968 851 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84      10.10.150.5 192.168.90.76 ip:icmp    98   2 no
ether3            291.968 852 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100  10.10.150.5 192.168.90.76 ip:icmp   102   2 no
<l2tp-m.faridi-1> 292.982 853 <-                                           10.10.150.5 192.168.90.76 ip:icmp    84   2 no
MGMT              292.982 854 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84      10.10.150.5 192.168.90.76 ip:icmp    98   2 no
ether3            292.982 855 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100  10.10.150.5 192.168.90.76 ip:icmp   102   2 no
<l2tp-m.faridi-1> 294.006 856 <-                                           10.10.150.5 192.168.90.76 ip:icmp    84   2 no
MGMT              294.006 857 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84      10.10.150.5 192.168.90.76 ip:icmp    98   2 no
ether3            294.006 858 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100  10.10.150.5 192.168.90.76 ip:icmp   102   2 no
<l2tp-m.faridi-1> 295.038 859 <-                                           10.10.150.5 192.168.90.76 ip:icmp    84   2 no
MGMT              295.038 860 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84      10.10.150.5 192.168.90.76 ip:icmp    98   2 no
ether3            295.038 861 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100  10.10.150.5 192.168.90.76 ip:icmp   102   2 no
<l2tp-m.faridi-1> 296.051 862 <-                                           10.10.150.5 192.168.90.76 ip:icmp    84   2 no
MGMT              296.052 863 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84      10.10.150.5 192.168.90.76 ip:icmp    98   2 no
ether3            296.052 864 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100  10.10.150.5 192.168.90.76 ip:icmp   102   2 no
<l2tp-m.faridi-1> 297.083 865 <-                                           10.10.150.5 192.168.90.76 ip:icmp    84   2 no
MGMT              297.083 866 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84      10.10.150.5 192.168.90.76 ip:icmp    98   2 no
ether3            297.083 867 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100  10.10.150.5 192.168.90.76 ip:icmp   102   2 no
<l2tp-m.faridi-1> 298.108 868 <-                                           10.10.150.5 192.168.90.76 ip:icmp    84   2 no
MGMT              298.108 869 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84      10.10.150.5 192.168.90.76 ip:icmp    98   2 no
ether3            298.108 870 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100  10.10.150.5 192.168.90.76 ip:icmp   102   2 no
-- [Q quit|D dump|C-z pause]
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: l2tp VPN, linux host problem

Sun Dec 11, 2022 10:04 am

Instead of the [quote] tag (the ["] button), use the [code] tag (the [</>] button) - see the output below. Also, there is no need to quote the whole previous post.

To the topic - the sniff shows you that the ping request packets come in via <l2tp-m.faridi-1> (the tunnel interface that gets created dynamically once user m.faridi establishes the VPN connection), and then they are routed out via VLAN "MGMT" with VID 100 that is attached to ether3. But there is no response coming in, neither via ether3 nor via any other interface. So this moves the issue outside both the Fedora and the Mikrotik. Is the Mikrotik the default gateway of the 192.168.90.76 device? If not, is it at least its gateway for 10.10.150.0/24?

Can you try the same (sniffing on the Mikrotik while pinging from the VPN client) with the Windows VPN client?
[admin@BANK ID] >  /tool sniffer quick ip-protocol=icmp ip-address=10.10.150.5
INTERFACE                                                                                 TIME    NUM DIR SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS                         DST-ADDRESS                         PROTOCOL   SIZE CPU FP 
MGMT                                                                                   291.968    851 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      98   2 no 
ether3                                                                                 291.968    852 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp     102   2 no 
<l2tp-m.faridi-1>                                                                      292.982    853 <-                                             10.10.150.5                         192.168.90.76                       ip:icmp      84   2 no 
MGMT                                                                                   292.982    854 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      98   2 no 
ether3                                                                                 292.982    855 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp     102   2 no 
<l2tp-m.faridi-1>                                                                      294.006    856 <-                                             10.10.150.5                         192.168.90.76                       ip:icmp      84   2 no 
MGMT                                                                                   294.006    857 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      98   2 no 
ether3                                                                                 294.006    858 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp     102   2 no 
<l2tp-m.faridi-1>                                                                      295.038    859 <-                                             10.10.150.5                         192.168.90.76                       ip:icmp      84   2 no 
MGMT                                                                                   295.038    860 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      98   2 no 
ether3                                                                                 295.038    861 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp     102   2 no 
<l2tp-m.faridi-1>                                                                      296.051    862 <-                                             10.10.150.5                         192.168.90.76                       ip:icmp      84   2 no 
MGMT                                                                                   296.052    863 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      98   2 no 
ether3                                                                                 296.052    864 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp     102   2 no 
<l2tp-m.faridi-1>                                                                      297.083    865 <-                                             10.10.150.5                         192.168.90.76                       ip:icmp      84   2 no 
MGMT                                                                                   297.083    866 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      98   2 no 
ether3                                                                                 297.083    867 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp     102   2 no 
<l2tp-m.faridi-1>                                                                      298.108    868 <-                                             10.10.150.5                         192.168.90.76                       ip:icmp      84   2 no 
MGMT                                                                                   298.108    869 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      98   2 no 
ether3                                                                                 298.108    870 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp     102   2 no 
-- [Q quit|D dump|C-z pause]
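A way to read the sniffer output mechanically, as an added example that is not part of the thread: a Python parser for the collapsed /tool sniffer quick rows that pairs the ICMP requests with replies per interface and reports the situation described above (requests forwarded out via MGMT/ether3, no reply seen on any interface). The request rows mirror the format pasted in the thread; the reply rows in the second sample are constructed to show what a healthy exchange would look like.

```python
import re
from collections import Counter

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

HEADER = "INTERFACE TIME NUM DIR SRC-MAC DST-MAC VLAN SRC-ADDRESS DST-ADDRESS PROTOCOL SIZE CPU FP\n"
FOOTER = "-- [Q quit|D dump|C-z pause]\n"

# Constructed rows in the layout of `/tool sniffer quick ...` as the forum showed them
# (whitespace collapsed; MAC and VLAN columns are empty on the tunnel interface).
# "<-" is a packet received on the interface, "->" a packet transmitted on it.
REQUESTS = """\
<l2tp-m.faridi-1> 292.982 853 <- 10.10.150.5 192.168.90.76 ip:icmp 84 2 no
MGMT 292.982 854 -> 48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 10.10.150.5 192.168.90.76 ip:icmp 98 2 no
ether3 292.982 855 -> 48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100 10.10.150.5 192.168.90.76 ip:icmp 102 2 no
<l2tp-m.faridi-1> 294.006 856 <- 10.10.150.5 192.168.90.76 ip:icmp 84 2 no
MGMT 294.006 857 -> 48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 10.10.150.5 192.168.90.76 ip:icmp 98 2 no
ether3 294.006 858 -> 48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100 10.10.150.5 192.168.90.76 ip:icmp 102 2 no
"""
# Constructed reply rows (not in the thread) showing what a healthy exchange would
# look like: the reply returns on ether3/MGMT and is forwarded into the tunnel.
REPLIES = """\
ether3 293.001 859 <- 00:0C:29:8F:F8:84 48:8F:5A:4D:47:AF 100 192.168.90.76 10.10.150.5 ip:icmp 102 2 no
MGMT 293.001 860 <- 00:0C:29:8F:F8:84 48:8F:5A:4D:47:AF 192.168.90.76 10.10.150.5 ip:icmp 98 2 no
<l2tp-m.faridi-1> 293.001 861 -> 192.168.90.76 10.10.150.5 ip:icmp 84 2 no
"""
BROKEN = HEADER + REQUESTS + FOOTER
HEALTHY = HEADER + REQUESTS + REPLIES + FOOTER


def parse(text):
    """Turn sniffer rows into dicts. MAC and VLAN columns are optional, so the two
    IPv4 tokens are located by pattern instead of by position."""
    rows = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 8 or tok[0] == "INTERFACE" or tok[0].startswith("--"):
            continue
        ip_idx = [i for i, t in enumerate(tok) if IPV4.match(t)]
        if len(ip_idx) != 2:
            continue
        s, d = ip_idx
        rows.append({"iface": tok[0], "time": float(tok[1]), "num": int(tok[2]),
                     "dir": tok[3], "src": tok[s], "dst": tok[d], "proto": tok[d + 1]})
    return rows


def audit(rows, client, target):
    """Classify each row as a request (client->target) or reply (target->client) and
    count on which interfaces each was received ("<-") or transmitted ("->")."""
    flow = {"req_in": Counter(), "req_out": Counter(),
            "rep_in": Counter(), "rep_out": Counter()}
    for r in rows:
        if (r["src"], r["dst"]) == (client, target):
            kind = "req"
        elif (r["src"], r["dst"]) == (target, client):
            kind = "rep"
        else:
            continue
        flow[kind + ("_in" if r["dir"] == "<-" else "_out")][r["iface"]] += 1
    if flow["req_out"] and not flow["rep_in"]:
        verdict = "no-reply"       # forwarded out, nothing came back: check the target's return route
    elif flow["rep_in"] and not flow["rep_out"]:
        verdict = "reply-dropped"  # came back but not forwarded into the tunnel: firewall/NAT/route
    elif flow["rep_out"]:
        verdict = "ok"
    else:
        verdict = "no-traffic"
    return {"verdict": verdict, **{k: dict(v) for k, v in flow.items()}}


if __name__ == "__main__":
    for name, capture in (("thread capture", BROKEN), ("healthy capture", HEALTHY)):
        print(name, audit(parse(capture), "10.10.150.5", "192.168.90.76"))
```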
 
mfaridi
just joined
Topic Author
Posts: 15
Joined: Mon Nov 28, 2022 2:56 pm

Re: l2tp VPN, linux host problem

Sun Dec 11, 2022 10:59 am

Instead of the [quote] tag (the ["] button), use the [code] tag (the [</>] button) - see the output below. Also, there is no need to quote the whole previous post.

To the topic - the sniff shows you that the ping request packets come in via <l2tp-m.faridi-1> (the tunnel interface that gets created dynamically once user m.faridi establishes the VPN connection), and then they are routed out via VLAN "MGMT" with VID 100 that is attached to ether3. But there is no response coming in, neither via ether3 nor via any other interface. So this moves the issue outside both the Fedora and the Mikrotik. Is the Mikrotik the default gateway of the 192.168.90.76 device? If not, is it at least its gateway for 10.10.150.0/24?

Can you try the same (sniffing on the Mikrotik while pinging from the VPN client) with the Windows VPN client?
[admin@BANK ID] >  /tool sniffer quick ip-protocol=icmp ip-address=10.10.150.5
INTERFACE                                                                                 TIME    NUM DIR SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS                         DST-ADDRESS                         PROTOCOL   SIZE CPU FP 
MGMT                                                                                   291.968    851 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      98   2 no 
ether3                                                                                 291.968    852 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp     102   2 no 
<l2tp-m.faridi-1>                                                                      292.982    853 <-                                             10.10.150.5                         192.168.90.76                       ip:icmp      84   2 no 
MGMT                                                                                   292.982    854 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      98   2 no 
ether3                                                                                 292.982    855 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp     102   2 no 
<l2tp-m.faridi-1>                                                                      294.006    856 <-                                             10.10.150.5                         192.168.90.76                       ip:icmp      84   2 no 
MGMT                                                                                   294.006    857 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      98   2 no 
ether3                                                                                 294.006    858 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp     102   2 no 
<l2tp-m.faridi-1>                                                                      295.038    859 <-                                             10.10.150.5                         192.168.90.76                       ip:icmp      84   2 no 
MGMT                                                                                   295.038    860 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      98   2 no 
ether3                                                                                 295.038    861 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp     102   2 no 
<l2tp-m.faridi-1>                                                                      296.051    862 <-                                             10.10.150.5                         192.168.90.76                       ip:icmp      84   2 no 
MGMT                                                                                   296.052    863 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      98   2 no 
ether3                                                                                 296.052    864 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp     102   2 no 
<l2tp-m.faridi-1>                                                                      297.083    865 <-                                             10.10.150.5                         192.168.90.76                       ip:icmp      84   2 no 
MGMT                                                                                   297.083    866 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      98   2 no 
ether3                                                                                 297.083    867 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp     102   2 no 
<l2tp-m.faridi-1>                                                                      298.108    868 <-                                             10.10.150.5                         192.168.90.76                       ip:icmp      84   2 no 
MGMT                                                                                   298.108    869 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      98   2 no 
ether3                                                                                 298.108    870 ->  48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp     102   2 no 
-- [Q quit|D dump|C-z pause]
192.168.90.76 is a Linux server running on ESXi and we connect to this server by SSH; the default gateway for 192.168.90.76 is 192.168.90.11.
192.168.91.222 is a Windows desktop client and the default gateway for 192.168.91.222 is 192.168.91.11.
All servers on ESXi use 192.168.90.11 as their default gateway and all clients use 192.168.91.11.
I have this problem only in Linux and I do not have this problem on Windows when I use the VPN.
 
mfaridi
just joined
Topic Author
Posts: 15
Joined: Mon Nov 28, 2022 2:56 pm

Re: l2tp VPN, linux host problem

Sun Dec 11, 2022 11:18 am

I run this command
[admin@BANK ID] >  /tool sniffer quick ip-protocol=icmp ip-address=10.10.150.5
IN..     TIME    NUM DI SRC-MAC           DST-MAC           VLAN   SRC-ADDRESS                         DST-ADDRESS                         PROTOCOL   SIZE
MGMT   16.738     11 -> 48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      74
et..   16.738     12 -> 48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp      78
<l..    21.78     13 <-                                            10.10.150.5                         192.168.90.76                       ip:icmp      60
MGMT    21.78     14 -> 48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      74
et..    21.78     15 -> 48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp      78
<l..   26.761     16 <-                                            10.10.150.5                         192.168.90.76                       ip:icmp      60
MGMT   26.762     17 -> 48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      74
et..   26.762     18 -> 48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp      78
<l..   37.117     19 <-                                            10.10.150.5                         192.168.90.76                       ip:icmp      60
MGMT   37.117     20 -> 48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      74
et..   37.117     21 -> 48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp      78
<l..   41.842     22 <-                                            10.10.150.5                         192.168.90.76                       ip:icmp      60
MGMT   41.842     23 -> 48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      74
et..   41.842     24 -> 48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp      78
<l..   46.738     25 <-                                            10.10.150.5                         192.168.90.76                       ip:icmp      60
MGMT   46.738     26 -> 48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      74
et..   46.738     27 -> 48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp      78
<l..   51.907     28 <-                                            10.10.150.5                         192.168.90.76                       ip:icmp      60
MGMT   51.907     29 -> 48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84        10.10.150.5                         192.168.90.76                       ip:icmp      74
et..   51.907     30 -> 48:8F:5A:4D:47:AF 00:0C:29:8F:F8:84 100    10.10.150.5                         192.168.90.76                       ip:icmp      78
on the Windows box after the VPN connection
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: l2tp VPN, linux host problem

Sun Dec 11, 2022 11:39 am

So in the case of Windows, the response also doesn't return via ether3/MGMT and leave via the L2TP tunnel towards Windows, so it must be taking some other path. So check that first.

Windows network card drivers strip VLAN IDs on received frames. How is the Windows machine you use for the test connected to the network?
 
mfaridi
just joined
Topic Author
Posts: 15
Joined: Mon Nov 28, 2022 2:56 pm

Re: l2tp VPN, linux host problem

Sun Dec 11, 2022 12:15 pm

So in the case of Windows, the response also doesn't return via ether3/MGMT and leave via the L2TP tunnel towards Windows, so it must be taking some other path. So check that first.

Windows network card drivers strip VLAN IDs on received frames. How is the Windows machine you use for the test connected to the network?
The Windows machine in the last test was Windows 10 installed on a laptop; I made an L2TP VPN connection on it and used it for the test.
 
sindy
Forum Guru
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: l2tp VPN, linux host problem

Sun Dec 11, 2022 3:30 pm

The Windows machine in the last test was Windows 10 installed on a laptop; I made an L2TP VPN connection on it and used it for the test.
That doesn't say much about the network topology. I assume the ultimate goal is that the L2TP clients connect from outside your enterprise network, i.e. from some home networks to a public IP address of your VPN server, where there is internet between these client sites and the server one; since currently the Windows client receives the ping responses but they do not pass through the Mikrotik, it means that there is some other path through your LAN that allows the ping response to reach the Windows machine, bypassing the tunnel. And the same path may not work for Linux because it's connected differently, or because it handles tagged frames properly, or both.

So disconnect the Windows machine from any wired network, connect it to an access point made from your mobile phone, and try to connect to the VPN and ping and sniff again.
 
mfaridi
just joined
Topic Author
Posts: 15
Joined: Mon Nov 28, 2022 2:56 pm

Re: l2tp VPN, linux host problem

Sat Dec 17, 2022 1:49 pm

The Windows machine in the last test was Windows 10 installed on a laptop; I made an L2TP VPN connection on it and used it for the test.
That doesn't say much about the network topology. I assume the ultimate goal is that the L2TP clients connect from outside your enterprise network, i.e. from some home networks to a public IP address of your VPN server, where there is internet between these client sites and the server one; since currently the Windows client receives the ping responses but they do not pass through the Mikrotik, it means that there is some other path through your LAN that allows the ping response to reach the Windows machine, bypassing the tunnel. And the same path may not work for Linux because it's connected differently, or because it handles tagged frames properly, or both.

So disconnect the Windows machine from any wired network, connect it to an access point made from your mobile phone, and try to connect to the VPN and ping and sniff again.
After searching around and checking everything, the problem was ESXi; after an ESXi reboot, SSH to the Linux server was fixed and I can SSH to the servers when I am connected to the VPN, but for Linux clients we have to add this route:
sudo ip route add 192.168.90.0/23 dev ppp0
Thanks @sindy for helping me to solve this problem.
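The route above has to be re-added every time the tunnel comes up. The script below is an added example, not code from this thread or from MikroTik: it installs the office route from a pppd ip-up hook, so Linux users get it automatically without typing it by hand. It assumes the distribution's /etc/ppp/ip-up runs the scripts in /etc/ppp/ip-up.d/ with the interface name as the first argument (Debian and Ubuntu do this), and it checks the live routing table first so running it twice is harmless. The subnet 192.168.90.0/23 and the device ppp0 come from the thread; the sample routing table and the peer address 10.10.150.1 are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): install the office route when pppd
# brings the L2TP tunnel up, without duplicating it if it already exists.
# Save as /etc/ppp/ip-up.d/office-route and make it executable (assumption:
# the distro's /etc/ppp/ip-up runs that directory with $1 = interface name).

OFFICE_NET="192.168.90.0/23"   # office subnet from the thread

# Constructed sample of `ip route show` on a client whose tunnel is up but has
# no office route yet. 10.10.150.5 is the client address seen in the sniffer
# output; 10.10.150.1 is an assumed tunnel peer address.
SAMPLE_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.10.150.1 dev ppp0 proto kernel scope link src 10.10.150.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.20 metric 600'

# route_present ROUTES PREFIX DEV
# Exit 0 if ROUTES (text of `ip route show`) already lists PREFIX via DEV.
# The prefix is anchored at line start and the dots are escaped, so a /24 on
# the same base address or the same prefix via another device does not count.
route_present() {
    _pat="^$(printf '%s' "$2" | sed 's/[.]/\\./g') dev $3( |\$)"
    printf '%s\n' "$1" | grep -Eq "$_pat"
}

# needed_route_cmd ROUTES PREFIX DEV
# Print the `ip route add` command that is still needed, or nothing if the
# route is already there. Always exits 0 so callers can use it under set -e.
needed_route_cmd() {
    if route_present "$1" "$2" "$3"; then
        return 0
    fi
    printf 'ip route add %s dev %s\n' "$2" "$3"
}

# install_office_route DEV
# Read the live table and add the office route if missing. Needs root, which
# is the case when pppd runs ip-up hooks.
install_office_route() {
    _cmd=$(needed_route_cmd "$(ip route show)" "$OFFICE_NET" "$1")
    [ -n "$_cmd" ] && $_cmd
    return 0
}

# Entry point when invoked by pppd: $1 is the interface name (e.g. ppp0).
# Only act on ppp interfaces; do nothing when run without arguments.
case "${1:-}" in
    ppp*) command -v ip >/dev/null 2>&1 && install_office_route "$1" ;;
esac

# Dry run against the constructed table (no root needed):
needed_route_cmd "$SAMPLE_ROUTES" "$OFFICE_NET" ppp0
# prints: ip route add 192.168.90.0/23 dev ppp0
```

Because the check keys on the exact prefix and device, a pre-existing 192.168.90.0/24 via ppp0 or a 192.168.90.0/23 via some other interface still results in the /23 being added, which is the behaviour wanted when the tunnel interface name changes between connections.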
 
mfaridi
just joined
Topic Author
Posts: 15
Joined: Mon Nov 28, 2022 2:56 pm

Re: l2tp VPN, linux host problem

Tue Feb 14, 2023 2:08 pm

How can I solve this problem by editing the Mikrotik config?
For example, so that Linux users do not have to add a new route to their Linux system: we add this route to our Mikrotik config and all Linux users can use the L2TP VPN.
