TurboCow
just joined
Topic Author
Posts: 12
Joined: Thu Jun 14, 2018 11:21 pm

Need help with VLANS and routing their traffic over L2TP

Mon Oct 29, 2018 9:49 pm

Hello,
I'm somewhat new to Mikrotiks but have created the site-site L2TP connections from customer router to our phone server's router (all mikrotik).
I'm in the process of updating customers to use the newly created L2TP connection for phone traffic to the main phone server's mikrotik.
I've created a template on my test network and have implemented it in the field a handful of times without issue. The phone traffic goes through the L2TP connection to the private IP of the phone server.
On some customer sites, when I try to route over the newly created L2TP connection, it just won't route.
I can register the phones using the public IP of our phone server, the L2TP connection says connected, but when I change the phones to use the private IP of the phone server they won't work.
For example: Phones on vlan100 will register to a public IP but won't route over the L2TP connection.
How can I get help with this problem?
I don't know the logistics of posting here and how to exclude real IP addresses (so we don't get hacked more than normal).
Any/all help is greatly appreciated.

Thanks!
 
joegoldman
Forum Veteran
Posts: 775
Joined: Mon May 27, 2013 2:05 am

Re: Need help with VLANS and routing their traffic over L2TP

Mon Oct 29, 2018 9:57 pm

Post /export hide-sensitive of both routers.

Also an easy way to test connectivity: put a computer on a phone IP on that VLAN and make sure it can PING the VoIP server; also maybe check traceroute to see where it's stopping if there are multiple hops in the path.
 
TurboCow
just joined
Topic Author
Posts: 12
Joined: Thu Jun 14, 2018 11:21 pm

Re: Need help with VLANS and routing their traffic over L2TP

Mon Oct 29, 2018 10:10 pm

Ok, here's 1st try at posting output:


[admin@Customer_Mikrotik] > /export hide-sensitive
# oct/29/2018 15:59:18 by RouterOS 6.43.2
# software id = 7VXJ-4R8J
#
# model = RouterBOARD 750G r3
# serial number = 6F390629E5AD
/interface bridge
add admin-mac=6C:3B:6B:C0:6F:35 auto-mac=no comment="created from master port" name=bridge1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment=WAN mac-address=6C:3B:6B:C0:6F:34 speed=100Mbps
set [ find default-name=ether2 ] comment="Main Switch" mac-address=6C:3B:6B:C0:6F:35 name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] comment="to the switch" mac-address=6C:3B:6B:C0:6F:36 speed=100Mbps
set [ find default-name=ether4 ] mac-address=6C:3B:6B:C0:6F:37 speed=100Mbps
set [ find default-name=ether5 ] mac-address=6C:3B:6B:C0:6F:38 speed=100Mbps
/interface vlan
add interface=bridge1 name="Guest Vlan101" vlan-id=101
add interface=bridge1 name="VOIP Vlan 100" vlan-id=100
add comment="VPN VLan" interface=bridge1 name=vlanVPN vlan-id=102
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer profile
add dh-group=modp1024 dpd-maximum-failures=2 enc-algorithm=aes-256,aes-128,3des name=profile_1
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=none
/ip pool
add name="VOIP Pool" ranges=192.168.50.10-192.168.50.50
add name=vpn-pool ranges=192.168.89.2-192.168.89.250
add name="Guest Pool" ranges=192.168.100.10-192.168.100.250
add name=dhcp_pool1 ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool="VOIP Pool" authoritative=after-2sec-delay disabled=no interface="VOIP Vlan 100" lease-time=1d name="VOIP DHCP"
add address-pool="Guest Pool" authoritative=after-2sec-delay disabled=no interface="Guest Vlan101" lease-time=1h30m name="Guest Pool"
add address-pool=vpn-pool authoritative=after-2sec-delay disabled=no interface=vlanVPN lease-time=1d name=VPN-DHCP
/ppp profile
add dns-server=8.8.8.8 local-address=192.168.89.1 name=VPN-profile remote-address=vpn-pool use-encryption=yes wins-server=8.8.4.4
add local-address=172.16.203.2 name=L2TP-Out remote-address=172.16.203.1
set *FFFFFFFE dns-server=8.8.8.8 local-address=192.168.89.1 remote-address=vpn-pool wins-server=8.8.4.4
/interface l2tp-client
add allow=mschap1,mschap2 allow-fast-path=yes connect-to=***.***.***.*** disabled=no mrru=1600 name=Site2Site_Customer profile=L2TP-Out \
use-ipsec=yes user=Site2Site_Customer_User
/queue simple
add name=Total target="VOIP Vlan 100"
add max-limit=4M/4M name=VOIP packet-marks=VOIP_PKT parent=Total priority=1/1 target="VOIP Vlan 100"
add max-limit=3M/15M name=Guest target="Guest Vlan101"
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether2-master
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
set authentication=mschap1,mschap2 default-profile=VPN-profile enabled=yes use-ipsec=yes
/interface list member
add interface=bridge1 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface="VOIP Vlan 100" list=discover
add interface="Guest Vlan101" list=discover
add interface=vlanVPN list=discover
add interface=Site2Site_Customer list=discover
add interface=bridge1 list=mactel
add interface=bridge1 list=mac-winbox
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge1 network=192.168.1.0
add address=192.168.50.1/24 interface="VOIP Vlan 100" network=192.168.50.0
add address=174.77.226.178/27 interface=ether1 network=174.77.226.160
add address=192.168.100.1/24 interface="Guest Vlan101" network=192.168.100.0
add address=192.168.89.1/24 interface=vlanVPN network=192.168.89.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge1 lease-time=1h name=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.89.0/28 gateway=192.168.89.1
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=68.105.28.16,68.105.29.16
/ip dns static
add address=192.168.1.1 name=router
/ip firewall filter
add action=drop chain=input comment="Block Port 53" dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="Block Port 53" dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=forward comment="Block Port 53" dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=forward comment="Block Port 53" dst-port=53 in-interface=ether1 protocol=tcp
add action=accept chain=forward comment="Guest to LAN DROP" dst-address=192.168.50.0/24 src-address=192.168.1.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.1.0/24 src-address=192.168.50.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="allow l2tp" dst-port=1701 in-interface=ether1 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
disabled=yes in-interface=ether1
/ip firewall mangle
add action=mark-connection chain=prerouting dst-port=5060 new-connection-mark=VOIP-Conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=VOIP-Conn new-packet-mark=VOIP_PKT passthrough=yes
add action=change-dscp chain=postrouting dst-port=5060 new-dscp=7 passthrough=yes protocol=tcp
add action=change-dscp chain=postrouting dst-port=5060 new-dscp=7 passthrough=yes protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="masq. vpn traffic" dst-address=192.168.1.0/24 src-address=192.168.89.0/24
add action=dst-nat chain=dstnat in-interface=ether1 protocol=tcp to-addresses=192.168.1.150 to-ports=8000
add action=dst-nat chain=dstnat in-interface=ether1 protocol=tcp to-addresses=192.168.1.150 to-ports=2000
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes src-address=192.168.89.2-192.168.89.254
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-override local-address=192.168.89.1 passive=yes profile=profile_1
/ip pool
add name=dhcp next-pool=dhcp ranges=192.168.1.10-192.168.1.150
/ip route
add distance=1 gateway=174.77.226.161
add disabled=yes distance=1 dst-address=8.38.***.***/32 gateway=Site2Site_Customer pref-src=172.16.203.2
add distance=1 dst-address=10.201.21.0/24 gateway=Site2Site_Customer pref-src=172.16.203.2
add distance=1 dst-address=10.201.21.10/32 gateway=Site2Site_Customer pref-src=172.16.203.2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ip smb shares
set [ find default=yes ] directory=/pub
/ppp secret
add name=dsr profile=VPN-profile service=l2tp
add name=vpn profile=VPN-profile service=l2tp
add name=Customer profile=VPN-profile service=l2tp
/system clock
set time-zone-name=America/New_York
/system identity
set name=Customer_Mikrotik
/system resource irq rps
set ether1 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
/system routerboard settings
set silent-boot=no
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
[admin@Customer_Mikrotik] >
 
TurboCow
just joined
Topic Author
Posts: 12
Joined: Thu Jun 14, 2018 11:21 pm

Re: Need help with VLANS and routing their traffic over L2TP

Wed Oct 31, 2018 3:05 pm

Is anything wrong with the routing of my VOIP VLAN in this config?
I'm trying to route the VOIP over the L2TP connection.
 
nescafe2002
Forum Veteran
Posts: 915
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: Need help with VLANS and routing their traffic over L2TP

Wed Oct 31, 2018 3:19 pm

Add a routing mark and default routing entry:

/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=VOIP-Conn \
    in-interface="VOIP Vlan 100" new-routing-mark=Via-Site2Site passthrough=yes
/ip route
add gateway=Site2Site_Customer routing-mark=Via-Site2Site

https://wiki.mikrotik.com/wiki/Policy_Base_Routing
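The check below is an added example for this thread, not MikroTik's code and not from either poster. It parses the text form of a RouterOS /export and answers the question asked above: is traffic entering "VOIP Vlan 100" given a routing mark, and does that mark have a route? It also flags the rule-order case (a mark-routing rule that matches on a connection-mark set by a later rule in the same chain) and, as a defender's side check, filter rules whose comment says "drop" but whose action is not drop, which the export above contains twice. SAMPLE_EXPORT is a constructed subset of the posted export; SUGGESTED_FIX is the two rules from the reply above; the function names are the example's own.

```python
"""Check a RouterOS /export for a complete policy-routing setup.
Added example for this thread (not MikroTik's code). SAMPLE_EXPORT is a
constructed subset of the export posted above; SUGGESTED_FIX is the
mangle/route pair suggested in the reply."""
import re
import shlex

SAMPLE_EXPORT = """\
# oct/29/2018 15:59:18 by RouterOS 6.43.2
/interface vlan
add interface=bridge1 name="VOIP Vlan 100" vlan-id=100
/interface l2tp-client
add allow=mschap1,mschap2 connect-to=***.***.***.*** disabled=no name=Site2Site_Customer profile=L2TP-Out \\
    use-ipsec=yes user=Site2Site_Customer_User
/ip firewall filter
add action=accept chain=forward comment="Guest to LAN DROP" dst-address=192.168.50.0/24 src-address=192.168.1.0/24
add action=accept chain=input comment="defconf: drop all from WAN" in-interface=ether1
/ip firewall mangle
add action=mark-connection chain=prerouting dst-port=5060 new-connection-mark=VOIP-Conn passthrough=yes protocol=udp
add action=mark-packet chain=prerouting connection-mark=VOIP-Conn new-packet-mark=VOIP_PKT passthrough=yes
/ip route
add distance=1 gateway=174.77.226.161
add distance=1 dst-address=10.201.21.0/24 gateway=Site2Site_Customer pref-src=172.16.203.2
"""

SUGGESTED_FIX = """\
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=VOIP-Conn \\
    in-interface="VOIP Vlan 100" new-routing-mark=Via-Site2Site passthrough=yes
/ip route
add gateway=Site2Site_Customer routing-mark=Via-Site2Site
"""


def parse_export(text):
    """Return a list of (section, verb, {key: value}) from a /export dump.
    Backslash continuation lines are joined and '#' comment lines skipped."""
    text = re.sub(r"\\\n\s*", " ", text)      # join "... \" continuations
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):               # "/ip route" style section header
            section = line
            continue
        tokens = shlex.split(line)             # keeps "VOIP Vlan 100" as one value
        args = {}
        for tok in tokens[1:]:
            if "=" in tok:
                key, value = tok.split("=", 1)
                args[key] = value
        entries.append((section, tokens[0], args))
    return entries


def policy_routing_status(text, in_interface):
    """Map each routing mark applied to packets entering in_interface to the
    gateway of the enabled route carrying that routing-mark, None when no such
    route exists, or 'ORDER' when the mark-routing rule sits before the
    mark-connection rule it depends on (the first packet of a call would not
    carry the connection mark yet, so it would follow the main table)."""
    entries = parse_export(text)
    mangle = [a for s, v, a in entries
              if s == "/ip firewall mangle" and v == "add" and a.get("disabled") != "yes"]
    routes = [a for s, v, a in entries
              if s == "/ip route" and v == "add" and a.get("disabled") != "yes"]
    status = {}
    for idx, rule in enumerate(mangle):
        if rule.get("action") != "mark-routing":
            continue
        if rule.get("in-interface", in_interface) != in_interface:
            continue                           # rule without in-interface matches all
        mark = rule["new-routing-mark"]
        conn = rule.get("connection-mark")
        setters = [i for i, r in enumerate(mangle)
                   if r.get("action") == "mark-connection"
                   and r.get("new-connection-mark") == conn]
        if conn and setters and min(setters) > idx:
            status[mark] = "ORDER"
            continue
        gateways = [r["gateway"] for r in routes if r.get("routing-mark") == mark]
        status[mark] = gateways[0] if gateways else None
    return status


def mislabelled_filter_rules(text):
    """Comments of /ip firewall filter rules that mention 'drop' but whose
    action is not drop; the posted export has two such rules."""
    return [a.get("comment", "") for s, v, a in parse_export(text)
            if s == "/ip firewall filter" and v == "add"
            and "drop" in a.get("comment", "").lower() and a.get("action") != "drop"]


if __name__ == "__main__":
    print("as posted:      ", policy_routing_status(SAMPLE_EXPORT, "VOIP Vlan 100"))
    print("with fix:       ", policy_routing_status(SAMPLE_EXPORT + SUGGESTED_FIX, "VOIP Vlan 100"))
    print("fix placed first:", policy_routing_status(SUGGESTED_FIX + SAMPLE_EXPORT, "VOIP Vlan 100"))
    print("comment/action mismatch:", mislabelled_filter_rules(SAMPLE_EXPORT))
```

Run against the posted export the first call returns an empty map (no routing mark at all, so VOIP packets follow the main table out ether1), and with the suggested rules appended it returns the mark resolved to Site2Site_Customer. The "fix placed first" case shows why the mark-routing rule must come after the mark-connection rule in prerouting.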