akshark

Local and Remote address In PPP Secret & L2TP

Wed Apr 19, 2023 4:28 pm

Hi All,

We received two uplinks from our ISP and connected them to our switch, one on port sfp-sfpplus1 and the other on port sfp-sfpplus2.

Our IPv4 space for each uplink is as follows:
Fiber: 4536 
802.1Q VLAN tag: 4011 
abc.xyz IPv4: 192.168.110.41/30 
Customer IPv4: 192.168.110.42/30 


Fiber: 4537 
802.1Q VLAN tag: 4022
abc.xyz IPv4: 192.168.210.41/30 
Customer IPv4: 192.168.210.42/30
We have connected a server to the switch and assigned it the IP 192.168.110.42.

Below is my exported config:
# jan/02/1970 04:49:16 by RouterOS 7.8
# software id = KUH3-URPS
#
# model = CRS328-4C-20S-4S+
# serial number = HE508SZCHWN
# NOTE(review): the export timestamp above reads jan/02/1970, which suggests the
# system clock was not set at export time; log timestamps and certificate
# validity checks rely on a correct clock - confirm time/NTP configuration.
# NOTE(review): the header carries the device software id and serial number;
# consider redacting both before sharing an export publicly.
#
# One bridge named "bridge" with auto-mac disabled; the admin-mac value appears
# truncated or redacted in this post.
/interface bridge
add admin-mac=:6A auto-mac=no comment=defconf name=bridge
# combo3 is set to proxy-arp, i.e. it answers ARP requests on behalf of
# addresses reachable through other interfaces.
/interface ethernet
set [ find default-name=combo3 ] arp=proxy-arp
# Tagged uplink interfaces: VLAN 4011 on sfp-sfpplus1, VLAN 4022 on sfp-sfpplus2.
# NOTE(review): both parent ports are also added to the bridge in the
# "/interface bridge port" section of this export; a VLAN interface on a port
# that is itself a bridge member is a commonly reported RouterOS layer-2
# misconfiguration - confirm the intended design.
/interface vlan
add interface=sfp-sfpplus1 name=vlan4011_uplink1 vlan-id=4011
add interface=sfp-sfpplus2 name=vlan4022_uplink2 vlan-id=4022
# Two interface lists are declared here; membership is assigned later in the
# "/interface list member" section.
/interface list
add name=WAN
add name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Two pools with the identical range 192.168.88.2-192.168.88.254.
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
# The only DHCP server (dhcp1, on the bridge, using dhcp_pool1) is disabled.
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=yes interface=bridge name=dhcp1
/port
set 0 name=serial0
# The default BGP template is enabled; no BGP connection appears in this export.
/routing bgp template
set default disabled=no output.network=bgp-networks
# The OSPF instance is enabled, but its only area (backbone-v2) is disabled.
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# Every physical port is a member of the single bridge with ingress-filtering=no.
# This includes sfp-sfpplus1 and sfp-sfpplus2, which the post describes as the
# two ISP uplink ports.
# NOTE(review): no vlan-filtering setting appears on the bridge in this export,
# so presumably frames are switched between all member ports, uplinks included,
# without VLAN enforcement - confirm this is intended before exposing the
# uplinks to the same layer-2 domain as the server ports.
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=combo1
add bridge=bridge comment=defconf ingress-filtering=no interface=combo2
add bridge=bridge comment=defconf ingress-filtering=no interface=combo3
add bridge=bridge comment=defconf ingress-filtering=no interface=combo4
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus1
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus2
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus3
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp-sfpplus4
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp2
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp3
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp4
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp6
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp7
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp8
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp9
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp11
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp12
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp13
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp14
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp15
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp16
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp17
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp18
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp19
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp20
# Raises the limit on neighbor (ARP) table entries to 8192.
/ip settings
set max-neighbor-entries=8192
# IPv6 is switched off on the device.
/ipv6 settings
set disable-ipv6=yes
# L2TP server enabled, one session per host, with IPsec support switched on.
# NOTE(review): as far as I know, use-ipsec=yes still accepts L2TP sessions
# that are not wrapped in IPsec, whereas use-ipsec=required rejects them -
# confirm against the RouterOS L2TP documentation before relying on encryption.
# No ipsec-secret is visible here; presumably the export omitted sensitive
# values, so the strength of the pre-shared key cannot be judged from this post.
/interface l2tp-server server
set enabled=yes one-session-per-host=yes use-ipsec=yes
# WAN contains only sfp1; every other port, including the uplink ports
# sfp-sfpplus1 and sfp-sfpplus2, is placed in LAN. The uplink VLAN interfaces
# (vlan4011_uplink1, vlan4022_uplink2) are in neither list.
# NOTE(review): nothing else in this export refers to these lists; if firewall
# rules are later keyed on WAN/LAN, this membership would treat the uplinks as
# trusted LAN - verify before adding such rules.
/interface list member
add interface=sfp1 list=WAN
add interface=sfp2 list=LAN
add interface=sfp3 list=LAN
add interface=sfp4 list=LAN
add interface=sfp5 list=LAN
add interface=sfp6 list=LAN
add interface=sfp7 list=LAN
add interface=sfp8 list=LAN
add interface=sfp9 list=LAN
add interface=sfp10 list=LAN
add interface=sfp11 list=LAN
add interface=sfp12 list=LAN
add interface=sfp13 list=LAN
add interface=sfp14 list=LAN
add interface=sfp15 list=LAN
add interface=sfp16 list=LAN
add interface=sfp17 list=LAN
add interface=sfp18 list=LAN
add interface=sfp19 list=LAN
add interface=sfp20 list=LAN
add interface=combo1 list=LAN
add interface=combo2 list=LAN
add interface=combo3 list=LAN
add interface=combo4 list=LAN
add interface=sfp-sfpplus1 list=LAN
add interface=sfp-sfpplus2 list=LAN
add interface=sfp-sfpplus3 list=LAN
add interface=sfp-sfpplus4 list=LAN
# OpenVPN server settings allow sha1 and md5 for authentication.
# NOTE(review): no enabled=yes appears, so the OpenVPN server is presumably
# off; md5 is a weak digest and should be dropped from this list if the server
# is ever enabled.
/interface ovpn-server server
set auth=sha1,md5
# Router addresses: the defconf 192.168.88.1/24 and a redacted /27 on sfp2,
# plus the customer side of each ISP /30 on the two uplink VLAN interfaces.
# NOTE(review): sfp2 is also a bridge member in this export, so two addresses
# sit on a bridged port rather than on the bridge itself - confirm intent.
/ip address
add address=192.168.88.1/24 comment=defconf interface=sfp2 network=\
    192.168.88.0
add address=192.168.110.42/30 interface=vlan4011_uplink1 network=\
    192.168.110.40
add address=192.168.210.42/30 interface=vlan4022_uplink2 network=\
    192.168.210.40
add address=x.x.x.x/27 interface=sfp2 network=x.x.x.64
# allow-remote-requests=yes makes the router answer DNS queries from other
# hosts, forwarding to 1.1.1.1 and 1.0.0.1.
# NOTE(review): the filter rules in this export contain nothing for port 53,
# so the resolver is presumably reachable from the uplinks as well; an openly
# reachable resolver can be abused for amplification - restrict DNS on the
# input chain to trusted interfaces or addresses.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
# Static record mapping upgrade.microtik.com to 159.148.147.205.
# NOTE(review): the name is spelled "microtik", not "mikrotik", so this record
# does not apply to lookups under the vendor's mikrotik.com domain; check
# where the entry came from and whether it is intentional, since a static
# record for an update host decides which server update traffic would reach.
/ip dns static
add address=159.148.147.205 name=upgrade.microtik.com
# Input-chain rules. Only blacklist drops and the SSH staging rules are present.
# NOTE(review): no accept rule for established/related traffic and no final
# drop rule appear in this export, so anything these rules do not match is
# presumably accepted by the input chain - confirm, and consider a
# default-deny input policy covering the uplink interfaces.
/ip firewall filter
# Drops FTP (tcp/21) from ftp_blacklist. No rule in this export adds entries
# to ftp_blacklist, and the FTP service is disabled in "/ip service".
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
# Drops tcp/22 from sources in ssh_blacklist.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
# Staged escalation: each new tcp/22 connection moves the source one list up
# (stage1 -> stage2 -> stage3, 1 minute each), then into ssh_blacklist for
# 1w3d. The rules are ordered highest stage first so that a single connection
# advances by only one stage.
# NOTE(review): these rules all match dst-port=22, while "/ip service" in this
# export moves SSH to port 1022; as written they do not appear to cover the
# port the SSH service actually listens on - align dst-port with the service.
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
# Source NAT (masquerade) is applied to traffic leaving through the bridge.
# NOTE(review): the uplink addresses live on vlan4011_uplink1 and
# vlan4022_uplink2, not on the bridge, so this rule presumably does not
# translate traffic leaving toward the ISP - confirm the intended out-interface.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=bridge
# Two default routes, one per ISP gateway; no distance or gateway-check
# options are shown for either.
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.110.41
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.210.41
# telnet, ftp, api and api-ssl are disabled; SSH is moved to port 1022.
# NOTE(review): www and winbox are not listed, so presumably they remain at
# their defaults, and no service here has an allowed-address restriction -
# limit management services to trusted source addresses.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=1022
set api disabled=yes
set api-ssl disabled=yes
# L2TP account LPUser. remote-address is the address handed to the VPN client
# (the post reports the client receiving 192.168.110.100); local-address is
# presumably the router's own end of the tunnel - confirm in the PPP docs.
# Both values lie outside the 192.168.110.40/30 subnet configured on
# vlan4011_uplink1 in this export.
# NOTE(review): no password is visible; presumably the export omitted
# sensitive values. Use a long random password and a strong IPsec
# pre-shared key for an L2TP server reachable from the uplinks.
/ppp secret
add local-address=192.168.110.109 name=LPUser profile=default-encryption \
    remote-address=192.168.110.100 service=l2tp
/system identity
set name=RouterOS
/system routerboard settings
set boot-os=router-os
I am trying to set up a VPN by following tutorials, and it looks to be mostly working. Below are a few questions I have:

1) It looks like we only have two IPv4 addresses we can use: 192.168.110.42 and 192.168.210.42. Is this correct? Does this mean we can connect only two physical devices to our switch?

2) When setting up the PPP secret, I see that there are two fields, Local Address and Remote Address. I have currently set:
Local address: 192.168.110.109
Remote address: 192.168.110.100

When the VPN connection is established, I see that my client machine gets the IP address "192.168.110.100", although this is not from the range of IPs we have. What do Local and Remote address mean here, and what are the valid values we can use?

Thanks.
