I want to explain that this behavior of the system is just the desired one.
But I want to understand why in one case dynamic routes to remote clients work and in another they do not, to finally close this question ))
Thank you guys for helping me to see the real moment of misunderstanding ))) So as a result I set local address 192.168.10.1 for both SSTP and L2TP remote clients. 100.1-100.254 pool for trusted clients, who must have SMB access to local server 1.10 and RDP access to all remote clients 101.1-101.254 po...
Thank you a lot ! It really works fine now )) The scheme with IKE we will try for the road warrior setup, great idea ! I made 192.168.100.0/24 with 192.168.100.1 local-address for L2TP clients, and 192.168.101.0/24 with 192.168.101.1 local address for SSTP clients with "route add 192.168.10.0 MASK 255...
One more addition - I tried to separate hosts into different networks; routing in MikroTik works predictably now, but on remote L2TP clients static routes for communication with the different networks must be added like this: route add 192.168.8.0 MASK 255.255.255.0 192.168.10.1 METRIC 21 IF 25 -p And I'm rea...
Guys you both are really great in networking !! Thank you very much for not letting my brain explode in an attempt to understand what else can work ugly in our CCR ))) As mducharme wrote - the problem is in the way that Windows 7 adds routes when "use the default gateway on the remote network&...
Also as I understand routing inside MikroTik - when I connect from any private network, i.e. 192.168.8.0 etc., to br1-lan 192.168.10.0 - I don't need to set special routing rules because of the dynamically created route, so RouterOS knows how to reach 10.0/24: 2 ADC 192.168.10.0/24 192.168.10.1 br1-lan 0 and...
Thank you all for your help ! I set MPLS to default in the L2TP profile, launched torch and logged ICMP on input/forward chains via firewall rules. Windows firewall on the L2TP client is also disabled. /tool torch <l2tp-aaa@aaa> src-address=0.0.0.0/0 dst-address=0.0.0.0/0 ip-protocol=icmp When the L2TP client connec...
Thank you a lot, I didn't know this way to monitor packets :D /tool torch <l2tp-aaa@aaa> src-address=0.0.0.0/0 dst-address=0.0.0.0/0 ip-protocol=icmp In the attachment is my config, where 11.22.33.1 is the ISP gateway and 11.22.33.54 is the CCR1009 WAN IP. I would be very grateful if you tell me in which direction t...
It's some kind of stupid confusion.. Firewall rules on the Windows file server allow traffic from ANY network, but I completely disabled Windows firewall on both the file server and the clients. Output / forward chain rules in the MikroTik firewall are all completely disabled too. Remote client 192.168.8.100/32 with 19...
I probably did not see an elementary way for the second question, and this set of static rules will work for merging the 10.0/24 and 20.0/24 networks, won't it ? add distance=1 dst-address=192.168.20.0/24 gateway=192.168.20.1 pref-src=192.168.10.1 add distance=1 dst-address=192.168.10.0/24 gateway=br1-lan...
Thank you, mducharme. I can change general CCR settings only at night when no active users are present. So tests take time. I understand that you speak from a position of practical network experience. And we want to separate local and remote VPN users into different networks as you propose. But I something ...
Thank you all ! I understand about the DNS / WINS server, and because we do not use a domain now I'm going to set up a WINS server on Windows Server 2012R2. But when I do as mducharme suggests and separate VPN clients to 192.168.8.0/24 with 192.168.10.1 local-address, the gateway receives pings but all other resou...
Great thanks to all who helped to find the solution !!! And in gratitude, here are a few winter photos from places deep in Siberia https://yadi.sk/i/kDVd6WYm3Uk93q , https://yadi.sk/i/oQik4OT_3Uk9Cj , where we are installing MikroTik hardware now )) And also please help me to understand two more things about thi...
Thank you a lot, mducharme ! Excellent, you are the genius of networking )) In the firewall rules on my hosts - RDP and ICMP echo v4/v6 are evidently enabled for private networks at the level of the Windows firewall preset rules. And I stupidly stuck to MikroTik settings, being absolutely sure that ev...
Thank you all for the suggestions ! As I understand, local-address in this L2TP profile configuration is the address of the VPN gateway: add change-tcp-mss=yes comment="Remote VPN clients-to-site with complete lan access" dns-server=192.168.10.1 local-address=192.168.10.1 name="L2TP C2S&quo...
And may it be related to the L2TP server definition w/o directly setting a br1-lan bridge ? add change-tcp-mss=yes comment="Remote VPN clients-to-site with complete lan access" dns-server=192.168.10.1 local-address=192.168.10.100 name="L2TP C2S" remote-address=dhcp-vpn wins-server=1...
Thank you a lot for this explanation ! I really forgot that the ping from the MikroTik is processed by the output chain rules. You are also absolutely right about out-interface=combo: when the drop rule at the bottom of the forward chain is active - L2TP really does not work )) But even when we completely disable...
Thank you for this info ! In these rules (as I think; please correct me if this is not really true ))) we accept all connection-states other than invalid: add action=accept chain=output comment="allow only non-invalid connections" connection-state=!invalid disabled=yes add action=drop chain=...
Have a good day to all experienced MikroTik users ! We have a CCR1009-7G-1C-1S+ router acting as an L2TP/IPsec VPN gateway so remote users can join the "main office" network. 37.213.241.55/24 on the combo interface faces the ISP. Local network 192.168.10.0/24 on br1-lan with proxy-arp, DHCP pool for local...