On the LAN side, I have a hAP ac², serving as gateway and DHCP server.
The internet box provided by my ISP simply forwards everything (DMZ) to the static IP of the hAP WAN port (assigned via the ISP box DHCP server as the static IP 192.168.1.10).
(Now a disclaimer: RouterOS is very advanced compared to my limited knowledge of network configurations.)
What was tried:
* I activated the PPP > L2TP Server with a long IPsec secret.
* I added a PPP > Secret user named "vpn", with a long password.
* In the PPP > Profiles > default, I set the local address to the range dhcp and the remote address to the range vpn (see config below).
* I added firewall rules found in this post.
With that in place, a machine on a different network can establish a VPN connection to the Mikrotik router. It does get assigned an address in the vpn range, "pointing to" an address in the dhcp range.
ppp0: inet 192.168.89.100 -> 192.168.88.15 netmask 0Xffffff00
But it cannot ping another machine on the LAN (machine-B), which has another address in the dhcp range.
(Please note that I confirmed that machine-B responds to ping: if I connect the remote machine directly to the LAN, then it can ping machine-B).
I suspect the issue is that no route to the LAN is installed on the remote machine when the VPN connection is established.
Is it possible to install such routes automatically?
Are there other potential issues in my configuration? (In particular, I am not confident regarding my firewall rules).
Please see the output of /export hide-sensitive below:
# /export hide-sensitive of the hAP ac2 acting as LAN gateway, DHCP server and
# L2TP/IPsec VPN server. Lines starting with "NOTE(review)" are reviewer
# annotations; the configuration statements themselves are unchanged.
# Addressing as exported: LAN 192.168.88.0/24 (pool "dhcp"), VPN clients
# 192.168.89.10-100 (pool "vpn"), WAN side 192.168.1.10 behind the ISP box DMZ.
/interface bridge
# NOTE(review): a real hardware address is left in the shared export; harmless
# for operation, but worth redacting when posting publicly.
add admin-mac=74:4D:28:E0:B6:8A auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MySSID \
station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MySSID \
station-roaming=enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Both SSIDs use the default profile: WPA2-PSK with dynamic keys (PSK hidden by hide-sensitive).
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.10-192.168.89.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
# *0 is the "default" profile used by the L2TP server here. local-address is
# taken from the LAN DHCP pool, so every tunnel's router-side endpoint consumes
# a LAN lease address (matches the client's "192.168.89.100 -> 192.168.88.15").
# NOTE(review): the usual pattern is a fixed local address, as the
# default-encryption profile on the next line already does (192.168.89.1);
# presumably the dhcp pool was chosen to "put the client on the LAN" - that is
# not what local-address does, confirm this is intended.
# NOTE(review): bridge=bridge only matters for bridged PPP (BCP); with routed
# /32 client addresses it looks inert here - TODO confirm.
set *0 bridge=bridge local-address=dhcp remote-address=vpn
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/user group
# Default "full" policy set as shipped; nothing custom.
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
# L2TP with IPsec (pre-shared key hidden by hide-sensitive). The matching
# input-chain accepts are UDP 500/4500/1701 below.
set enabled=yes use-ipsec=yes
/interface list member
# NOTE(review): only "bridge" is a LAN member. Dynamic <l2tp-...> interfaces are
# not, so the input-chain rule "drop all not coming from LAN" below drops NEW
# connections from VPN clients to the router itself (e.g. DNS served by this
# router). Forwarded traffic to LAN hosts is a separate chain and is unaffected.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
# NOTE(review): no "enabled=yes" appears in the export, so SSTP looks disabled
# here (export omits defaults) - confirm with /interface sstp-server server print.
set default-profile=default-encryption
/ip address
# NOTE(review): the LAN gateway address sits on ether2, which is a bridge slave
# port (see /interface bridge port), rather than on "bridge" as in defconf.
# RouterOS may flag an address on a slave port as invalid; confirm with
# /ip address print that this entry is active, and consider moving it to bridge.
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip cloud
# Publishes the router's public address to MikroTik's DDNS service.
set ddns-enabled=yes
/ip dhcp-client
# WAN address (192.168.1.10) is obtained from the ISP box via DHCP.
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# Router answers DNS for clients; reachability from WAN is blocked only by the
# input-chain "!LAN" drop below, so that rule's position matters.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall address-list
# Both the LAN and the VPN client range count as "internal".
add address=192.168.88.0/24 list=InternalNetworks
add address=192.168.89.0/24 list=InternalNetworks
/ip firewall filter
# Rule order is significant: rules are evaluated top to bottom per chain.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# NOTE(review): these two forward accepts match on src OR dst alone and sit
# before the "drop all from WAN not DSTNATed" rule, so the dst-based one would
# accept any packet addressed to 192.168.88.0/24 or 192.168.89.0/24 whatever
# interface it arrived on. Adding in-interface-list=!WAN (or requiring both
# src- and dst-address-list) keeps the WAN drop rule meaningful. They also
# precede the fasttrack rule, so internal traffic is never fasttracked
# (performance only).
add action=accept chain=forward comment="Allow all internal networks (see: https://forum.mikrotik.com/viewtopic.php\?t=92543#p477316)" src-address-list=InternalNetworks
add action=accept chain=forward comment="Allow all internal networks (see: https://forum.mikrotik.com/viewtopic.php\?t=92543#p477316)" dst-address-list=InternalNetworks
# Input accepts for the VPN services, placed before the "!LAN" drop.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
# NOTE(review): no PPTP server is enabled anywhere in this export and SSTP looks
# disabled (see above), so these two accepts open nothing today but are dead
# rules that would silently expose those services if ever enabled; disabling
# them keeps the listening surface explicit. PPTP in particular is not worth
# keeping an allow rule for.
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# Everything else to the router from non-LAN interfaces (WAN and, as noted,
# dynamic L2TP interfaces) is dropped here.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# NOTE(review): defconf rules for forwarded IPsec-policy traffic; with
# L2TP/IPsec the IPsec part terminates on the router (input), so these look
# inert for this setup - harmless to keep.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Disabled; no effect as exported.
add action=accept chain=dstnat disabled=yes dst-address=192.168.88.100 dst-port=8554 protocol=udp src-port=8554
add action=accept chain=dstnat disabled=yes dst-address=192.168.88.100 dst-port=8554 protocol=tcp src-port=8554
# Port forwards keyed on the WAN address 192.168.1.10. Because the ISP box DMZs
# everything to that address, 8554/tcp+udp (-> .100) and 9090/tcp (-> .41) are
# reachable from the Internet; make sure those LAN services expect that.
add action=dst-nat chain=dstnat dst-address=192.168.1.10 dst-port=8554 protocol=tcp to-addresses=192.168.88.100 to-ports=8554
add action=dst-nat chain=dstnat dst-address=192.168.1.10 dst-port=8554 protocol=udp to-addresses=192.168.88.100 to-ports=8554
# Rewrites VPN client sources to the router's address toward LAN hosts (and,
# with no out-interface match, toward WAN too - the defconf rule above already
# covers that). Given this rule, LAN hosts need no route back to
# 192.168.89.0/24, so a LAN ping failing is most likely a client-side route
# issue rather than a return-path one.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
add action=dst-nat chain=dstnat dst-address=192.168.1.10 dst-port=9090 protocol=tcp to-addresses=192.168.88.41
/ip upnp
# NOTE(review): UPnP with ether1 as the external interface lets any LAN device
# open inbound port forwards on the WAN side without authentication. Unless a
# specific application needs it, disable it; if kept, review /ip upnp
# interfaces and the dynamic dst-nat entries it creates.
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
# NOTE(review): the "routes" attribute of a PPP secret adds routes on the
# SERVER when that client connects; it is not pushed to the client. As written
# it would add a route for the router's own connected LAN network pointing at
# the tunnel, which is at best ignored (connected routes win) and at worst
# confusing. Confirm with /ip route print while a client is connected; the
# client-side route to 192.168.88.0/24 must be configured on the client (or the
# client must send all traffic through the tunnel).
add name=vpn routes=192.168.88.0/24
/tool mac-server
# MAC-level access (mac-telnet, mac-winbox) limited to LAN interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN