magalicaruso
just joined
Topic Author
Posts: 3
Joined: Wed Jan 04, 2017 5:00 pm

RDP over IPSEC

Mon Jan 16, 2017 8:07 pm

Hello! Thanks in advance for the help.

I have an IPSEC VPN between a MKT and a Dlink-210.

I can access files from both sides and ping.

The problem is with RDP and VPN. All RDP traffic to or from MKT is redirected to one server, the DNS server of LAN 2. I am guessing it is an ARP thing, but I am not sure. I enabled proxy-arp on the LAN interface because of that, but I still have the same issue.

Here is my config:
/interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU
0 R WAN1 ether 1500 1600
1 R ;;; LAN
ether2-master ether 1500 1598
2 RS ether3 ether 1500 1598
3 S ether4 ether 1500 1598
4 S ether5 ether 1500 1598

/ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; LAN
10.2.0.253/16 10.2.0.0 ether2-master
1 ;;; WAN1
200.59.xxx.xxx/29 200.59.xxx.xxx WAN1

/ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S ;;; Puerta de enlace del router
0.0.0.0/0 200.59.xxx.xxx 1
1 ADC 10.2.0.0/16 10.2.0.253 ether2-master 0
2 A S 192.168.1.0/24 0.0.0.0 WAN1 1
3 ADC 200.59.xxx.xxx/29 200.59.xxx.xxx WAN1 0

/ip firewall export
# jan/16/2017 14:42:53 by RouterOS 6.38
# software id = SP58-10Y2
#
/ip firewall filter
add action=accept chain=forward comment="Permitir salida de emails" dst-address=181.30.xxx.xxx/31 src-address=10.2.6.0/24
add action=accept chain=forward comment="Permitir entrada de emails" dst-address=10.2.6.0/24 src-address=181.30.xxx.xxx/31
add action=drop chain=forward comment="Bloquear Acceso a internet" out-interface=WAN1 packet-mark=!sin-internet src-address=10.2.6.0/24
add action=accept chain=input comment="Aceptar ICMP" protocol=icmp
add action=accept chain=input comment="Aceptar IPSec-ah" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="Aceptar IPSec-esp" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes in-interface=WAN1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="Permitir PPTP" disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=input comment="Permitir PPTP" disabled=yes protocol=gre
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=WAN1
add action=drop chain=forward disabled=yes src-address-list=sin-internet
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address=192.168.0.0/24 src-address=192.168.10.0/24
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=10.2.0.0/16
add action=accept chain=srcnat dst-address=10.2.0.0/16 dst-address-list=10.2.0.0/16 src-address=192.168.1.0/24 src-address-list=192.168.1.0/24
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes out-interface=WAN1
add action=masquerade chain=srcnat src-address=10.2.0.0/16
add action=dst-nat chain=dstnat comment="RDP a 10.2.0.2" dst-port=3390 protocol=tcp to-addresses=10.2.0.2 to-ports=3389
add action=dst-nat chain=dstnat comment="RDP a 10.2.0.3" dst-port=3389 protocol=tcp to-addresses=10.2.0.3 to-ports=3389
add action=dst-nat chain=dstnat comment="Acceso a LT WEB" dst-port=10001 protocol=tcp to-addresses=10.2.0.3 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=10.2.0.3 protocol=ipsec-esp to-addresses=10.2.0.3
add action=dst-nat chain=dstnat dst-port=5901 protocol=tcp to-addresses=10.2.2.4 to-ports=5800


If there is any extra information you would need, please ask.

Thank you!
 
razavim
Trainer
Posts: 99
Joined: Sun Sep 27, 2015 1:43 pm
Location: Turkey

Re: RDP over IPSEC

Tue Jan 17, 2017 7:37 am

First of all, disable all of your firewall filter rules and try to connect through RDP.
Still, there is or are some inconsistency(ies) in your firewall rules, as there is no mangle rule to define "Sin-Internet".

 
magalicaruso
just joined
Topic Author
Posts: 3
Joined: Wed Jan 04, 2017 5:00 pm

Re: RDP over IPSEC

Tue Jan 17, 2017 1:05 pm

Hello!
I did have an address list with that name, "sin-internet", but didn't write it in the post. I did not know that I also had to have a mangle rule (now I realize why it didn't work), thank you!

I will try to disable all rules and connect via RDP and post back. Thank you!
 
magalicaruso
just joined
Topic Author
Posts: 3
Joined: Wed Jan 04, 2017 5:00 pm

Re: RDP over IPSEC

Fri Jan 20, 2017 5:15 pm

Ey!
So I could figure out the problem.
When I disabled all the firewall rules (except the one accepting the IPsec protocol so I wouldn't lose the connection) I still had problems with RDP.
Then I tried disabling all NAT rules as well, and there I found that the problem was the NAT rule for a remote desktop connection to that server that had the port 3389 (which is the default for RDP), so I guess that's why every connection redirected me to that server.
I changed the port number and now everything is working fine.

Thank you for the idea for testing!
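The root cause found above is a dst-nat rule that matches on dst-port alone, so every forwarded TCP/3389 packet, including RDP arriving from the remote site through the IPsec tunnel, is rewritten to 10.2.0.3. The following RouterOS snippet is an added example (not the poster's configuration or MikroTik's own) showing how to scope the port forwards so tunnel traffic is left alone; it assumes the interface and subnet names from the posted config (WAN1, 192.168.1.0/24, 10.2.0.0/16).

```routeros
# Added example: harden the dstnat chain from the thread above.
# Assumes WAN1 is the Internet-facing interface, 192.168.1.0/24 is the
# remote IPsec site and 10.2.0.0/16 is the local LAN, as in the posted config.
/ip firewall nat

# 1. Exclude site-to-site traffic from dst-nat, mirroring the accept rules the
#    posted config already has in srcnat. place-before=0 puts it at the top of
#    the chain so it is evaluated before any dst-nat rule.
add chain=dstnat action=accept place-before=0 \
    src-address=192.168.1.0/24 dst-address=10.2.0.0/16 \
    comment="IPsec: no dstnat for remote LAN -> local LAN"

# 2. Only rewrite port forwards that really arrive from the Internet on WAN1.
#    dst-address-type=local is a second guard: match only packets addressed to
#    one of the router's own IPs, never packets transiting to another host.
#    Without in-interface, a rule with just dst-port=3389 also hijacks LAN-to-LAN
#    and tunnel RDP sessions, which is exactly the symptom in this thread.
add chain=dstnat action=dst-nat in-interface=WAN1 dst-address-type=local \
    protocol=tcp dst-port=3390 to-addresses=10.2.0.2 to-ports=3389 \
    comment="RDP a 10.2.0.2 (WAN only)"
add chain=dstnat action=dst-nat in-interface=WAN1 dst-address-type=local \
    protocol=tcp dst-port=3389 to-addresses=10.2.0.3 to-ports=3389 \
    comment="RDP a 10.2.0.3 (WAN only)"
add chain=dstnat action=dst-nat in-interface=WAN1 dst-address-type=local \
    protocol=tcp dst-port=10001 to-addresses=10.2.0.3 to-ports=80 \
    comment="Acceso a LT WEB (WAN only)"
add chain=dstnat action=dst-nat in-interface=WAN1 dst-address-type=local \
    protocol=tcp dst-port=5901 to-addresses=10.2.2.4 to-ports=5800 \
    comment="VNC (WAN only)"

# 3. Verify: reset the counters, open an RDP session from the remote site, then
#    print stats. The accept rule's counters must increase while the
#    "(WAN only)" rules stay at zero for tunnel traffic.
reset-counters-all
print stats where chain=dstnat
```

The accept rule alone removes the symptom; the in-interface and dst-address-type matchers are the defensive part, because they keep any future port forward from being applied to traffic the router merely routes between the two sites.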
 
razavim
Trainer
Posts: 99
Joined: Sun Sep 27, 2015 1:43 pm
Location: Turkey

Re: RE: Re: RDP over IPSEC

Fri Jan 27, 2017 10:32 pm

Happy to help,
Good luck
