JRJakkals
just joined
Topic Author
Posts: 16
Joined: Thu Feb 25, 2021 9:21 pm
Location: South Africa

L2TP Server Setup with LTE\DMZ

Mon Jun 05, 2023 3:05 pm

Hello Everybody

I need help. I have setup the following.

1. LTE Internet Router with DMZ
2. Mikrotik with L2TP Server

Test

1. Internet is working
2. Test VPN locally working using Windows VPN client

Problem
The L2TP client doesn't want to connect from the internet
Last edited by JRJakkals on Mon Jun 05, 2023 8:06 pm, edited 1 time in total.
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: L2TP Server Setup with LTE\DMZ

Mon Jun 05, 2023 7:33 pm

The router's DMZ feature isn't going to help if the LTE connection uses a CGNAT (which is typical for consumer LTE SIMs). You can check this by seeing if the LTE router is getting a private address (10.x, 192.x) or 100.64.0.0-100.127.255.255 from the LTE WAN connection.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: L2TP Server Setup with LTE\DMZ

Mon Jun 05, 2023 7:35 pm

(or 172.16......)
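A quick way to do the check Amm0 and rextended describe: classify the WAN address the LTE router reports and decide whether a DMZ/port-forward there can ever make the MikroTik reachable. This is an added example written for this thread, not MikroTik code. The sample addresses are constructed; 8.8.8.8 and 192.168.8.5 are taken from the export posted later in the thread, the rest are picked from the ranges named above.

```python
"""Classify the WAN address an LTE router reports: real public IP vs CGNAT/private.
Added example for this thread; not MikroTik code."""
import ipaddress

# Ranges on which DMZ / port-forwarding at the LTE router cannot make a service
# reachable from the internet. 100.64.0.0/10 is RFC 6598 shared address space,
# the range carriers hand out to customers behind CGNAT.
NON_PUBLIC_V4 = [
    ("rfc1918-private", ipaddress.ip_network("10.0.0.0/8")),
    ("rfc1918-private", ipaddress.ip_network("172.16.0.0/12")),
    ("rfc1918-private", ipaddress.ip_network("192.168.0.0/16")),
    ("cgnat-shared", ipaddress.ip_network("100.64.0.0/10")),
    ("link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
]


def classify_wan_address(addr):
    """Return 'public', 'ipv6' or the name of the non-public range addr falls in.
    Accepts 'a.b.c.d' or 'a.b.c.d/nn' as RouterOS prints it."""
    ip = ipaddress.ip_address(addr.split("/")[0])
    if ip.version == 6:
        return "ipv6"           # out of scope here; the thread is about IPv4 CGNAT
    for label, net in NON_PUBLIC_V4:
        if ip in net:
            return label
    return "public"


def dmz_can_work(addr):
    """DMZ on the LTE router can only forward inbound traffic if its WAN address is public."""
    return classify_wan_address(addr) == "public"


def report(addresses):
    """One verdict line per address (inputs are the caller's constructed samples)."""
    return [f"{a:<20} {classify_wan_address(a):<16} inbound possible: {dmz_can_work(a)}"
            for a in addresses]


if __name__ == "__main__":
    # Constructed sample: 8.8.8.8 and 192.168.8.5 appear in the export in this thread,
    # the others are picked from the ranges Amm0 and rextended mention.
    for line in report(["8.8.8.8", "100.70.12.34", "192.168.8.5/24", "172.16.0.9", "10.20.30.40"]):
        print(line)
```

On the LTE router the WAN address comes from its status page; on the MikroTik, `/ip address print` and `/ip dhcp-client print` show what ether1 actually received. A public address is necessary but not sufficient: as the resolution of this thread shows, the carrier can still filter inbound ports on the default APN.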
 
JRJakkals
just joined
Topic Author
Posts: 16
Joined: Thu Feb 25, 2021 9:21 pm
Location: South Africa

Re: L2TP Server Setup with LTE\DMZ

Mon Jun 05, 2023 7:40 pm

The LTE router is getting a public (WAN) IP address, internet is working....
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: L2TP Server Setup with LTE\DMZ

Mon Jun 05, 2023 7:53 pm

Is there a way to enable "passthrough" on your LTE router so the Mikrotik gets the public IP?

Otherwise, your Mikrotik config looks pretty standard/correct at first glance, so it looks like the issue may be how the DMZ works on the Huawei...
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: L2TP Server Setup with LTE\DMZ

Mon Jun 05, 2023 7:57 pm

Also, I don't know if you're running V7, but if the LTE is a real public IP, you might want to try WireGuard. That might work better with the DMZ since WireGuard just needs one port through to work, not the complex dance L2TP/IPsec needs. If the Mikrotik is ARM or ARM64, ZeroTier would be another option that gets you Layer 2/Ethernet like L2TP.
 
JRJakkals
just joined
Topic Author
Posts: 16
Joined: Thu Feb 25, 2021 9:21 pm
Location: South Africa

Re: L2TP Server Setup with LTE\DMZ

Mon Jun 05, 2023 8:01 pm

# jun/05/2023 13:46:03 by RouterOS 6.49.8
# software id = 5W3V-FDGK
#
# model = RB941-2nD
# serial number = HD7087BDQZT
/interface bridge
add admin-mac=18:FD:74:BA:A0:36 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country="south africa" disabled=no distance=indoors frequency=auto \
installation=indoor mode=ap-bridge ssid=Office wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key= \
wpa2-pre-shared-key=
/ip pool
add name=dhcp ranges=192.168.1.20-192.168.1.199
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
set *FFFFFFFE dns-server=192.168.1.1 local-address=192.168.89.1 \
remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set enabled=yes ipsec-secret= one-session-per-host=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=\
192.168.1.0
add address=192.168.8.5/24 interface=ether1 network=192.168.8.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip route
add distance=1 gateway=192.168.8.1
/ppp secret
add name=vpn password= profile=default-encryption service=l2tp
add name=jaco password= profile=default-encryption service=l2tp
add name=mari password= profile=default-encryption service=l2tp
add name=mariette password= profile=default-encryption service=l2tp
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=RouterOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


# jun/05/2023 14:00:56 by RouterOS 6.49.8
# software id = 5W3V-FDGK
#
# model = RB941-2nD
# serial number = HD7087BDQZT
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
 
JRJakkals
just joined
Topic Author
Posts: 16
Joined: Thu Feb 25, 2021 9:21 pm
Location: South Africa

Re: L2TP Server Setup with LTE\DMZ

Mon Jun 05, 2023 9:41 pm

Maybe I explained it wrong. The Mikrotik is getting a public IP. The DMZ is pushing internet traffic to the Mikrotik...
 
Amm0
Forum Guru
Posts: 3169
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: L2TP Server Setup with LTE\DMZ

Mon Jun 05, 2023 9:49 pm

Ah, so the public IP is coming via DHCP client on ether1...

In that case, I'd change your /ip route to use distance=2, so the DHCP one with a public IP is the one used for outbound traffic. Otherwise, it will load balance (ECMP) between using the public IP and 192.168.8.5 as the src address to LTE...

e.g. /ip route add distance=1 gateway=192.168.8.1
should be
/ip route add distance=2 gateway=192.168.8.1
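A check a practitioner would run over the export posted above, covering both the input-chain ordering for the L2TP/IPsec ports and the route-distance tie Amm0 describes in this post. This is an added example written for this thread, not part of it and not RouterOS code. The sample export is constructed from the filter, dhcp-client and route lines the topic author posted; the ESP and PPTP findings are the editor's additions. Assumptions: each filter rule carries a single dst-port, and the DHCP client keeps RouterOS defaults (add-default-route=yes, default-route-distance=1).

```python
"""Audit a RouterOS export for an L2TP/IPsec responder (added example, not RouterOS code)."""
import shlex

# Constructed sample: the pptp-server, dhcp-client, filter and route lines from the
# export posted in this thread, trimmed to what the checks below read.
SAMPLE_EXPORT = r"""
/interface pptp-server server
set enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
/ip route
add distance=1 gateway=192.168.8.1
"""

# What an L2TP/IPsec responder must accept on its input chain (assumes one dst-port per rule).
REQUIRED_INPUT_ACCEPTS = {("udp", "500"): "IKE", ("udp", "4500"): "IPsec NAT-T", ("udp", "1701"): "L2TP"}
# Matchers that make a drop rule selective rather than a catch-all.
SELECTORS = {"protocol", "dst-port", "src-port", "dst-address", "src-address",
             "connection-state", "connection-nat-state", "ipsec-policy"}

def parse_export(text):
    """Return [(section, verb, params)] per command, joining RouterOS '\\' continuations."""
    entries, section, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # command continues on the next line
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):           # menu path such as "/ip firewall filter"
            section = line
            continue
        tokens = shlex.split(line)         # keeps quoted comment="..." values intact
        params = dict(tok.partition("=")[::2] for tok in tokens[1:])
        entries.append((section, tokens[0], params))
    return entries

def is_catch_all_drop(p):
    """A drop that matches only on interface (list): every input rule below it is dead."""
    return p.get("action") == "drop" and not (SELECTORS & p.keys())

def check_l2tp_ipsec(entries):
    findings, accepted = [], set()
    for section, _, p in entries:
        if section != "/ip firewall filter" or p.get("chain") != "input":
            continue
        if is_catch_all_drop(p):
            break
        if p.get("action") == "accept":
            accepted.add((p.get("protocol"), p.get("dst-port")))
    for (proto, port), name in REQUIRED_INPUT_ACCEPTS.items():
        level = "ok" if (proto, port) in accepted else "fail"
        findings.append((level, f"{name} {proto}/{port} accepted on input before the catch-all drop"))
    if ("ipsec-esp", None) not in accepted:
        # A peer that is not behind NAT sends plain ESP (IP proto 50), not NAT-T on udp/4500.
        findings.append(("warn", "no chain=input protocol=ipsec-esp accept; peers with a public IP will have their ESP hit the catch-all drop"))
    for section, _, p in entries:
        if section == "/interface pptp-server server" and p.get("enabled") == "yes":
            findings.append(("warn", "pptp-server enabled; MS-CHAPv2/MPPE are broken, disable it unless something still depends on it"))
    return findings

def check_default_routes(entries):
    """A static default route tying on distance with the DHCP-client one gives ECMP (Amm0's point)."""
    dhcp = {int(p.get("default-route-distance", 1)) for s, _, p in entries
            if s == "/ip dhcp-client" and p.get("add-default-route", "yes") == "yes"}
    findings = []
    for s, _, p in entries:
        if s == "/ip route" and p.get("dst-address", "0.0.0.0/0") == "0.0.0.0/0":
            dist = int(p.get("distance", 1))
            if dist in dhcp:
                findings.append(("warn", f"static default route via {p.get('gateway')} shares distance={dist} with the DHCP-client default route (ECMP); set distance={dist + 1}"))
    return findings

def audit(text):
    entries = parse_export(text)
    return check_l2tp_ipsec(entries) + check_default_routes(entries)

if __name__ == "__main__":
    for level, msg in audit(SAMPLE_EXPORT):
        print(f"[{level:4}] {msg}")
```

Run against the posted export it reports the three UDP ports as accepted ahead of the catch-all drop, then warns about the missing ipsec-esp accept, the enabled PPTP server, and the distance=1 static default route tying with the DHCP client's route. Paste a fresh `/export` in place of the sample to check another router.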
 
JRJakkals
just joined
Topic Author
Posts: 16
Joined: Thu Feb 25, 2021 9:21 pm
Location: South Africa

Re: L2TP Server Setup with LTE\DMZ  [SOLVED]

Tue Jun 06, 2023 11:47 am

I have resolved the problem

Telkom Incoming Ports blocked - use 'unrestricted' APN
https://mybroadband.co.za/forum/threads ... 185/page-3

https://archie22is.medium.com/how-to-se ... 34ef53af00