nicolaviale
just joined
Topic Author
Posts: 2
Joined: Wed Mar 03, 2021 12:57 pm

Port forwarding - l2tp client to server - Problems

Thu Mar 04, 2021 9:52 am

Good morning everybody,

We are newbies, but we have already tried every tutorial and read all the possible posts.

We have an l2tp vpn client to server, where the server is M1 and the client is M2. We have to connect a device to M2 using Ethernet. Then we have to access this device from a PC connected to M1 using the vpn.
The device's address is 192.168.11.100 and the ports it uses for communication are 2000-2005, both udp and tcp.
If we connect the PC to M2, the software recognizes the device correctly. However, if we connect the PC to M1 (using the vpn), the program doesn't see the device.

We have set up many different configurations of nat and firewall rules. I attach the configuration that we have at the moment.

- M1
# mar/04/2021 08:14:01 by RouterOS 6.44.6
# software id = 9TLC-VZSA
#
# model = RB750r2
# serial number = 
/interface bridge
add admin-mac=C4:DA:E4:E8:47:62 arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp
set [ find default-name=ether2 ] arp=proxy-arp
set [ find default-name=ether3 ] arp=proxy-arp
set [ find default-name=ether4 ] arp=proxy-arp
set [ find default-name=ether5 ] arp=proxy-arp
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-192,aes-128,3des,des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc,3des,des,null pfs-group=none
/ip pool
add name=dhcp ranges=192.168.11.10-192.168.11.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add bridge=bridge dns-server=8.8.8.8 local-address=192.168.11.1 name=L2TPprofile remote-address=dhcp
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set default-profile=L2TPprofile enabled=yes one-session-per-host=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.11.1/24 comment=defconf interface=ether2 network=192.168.11.0
add address=130.111.29.7/24 interface=ether1 network=130.192.29.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=130.111.3.24
/ip dns static
add address=192.168.11.1 name=router.lan
/ip firewall address-list
add address=192.168.88.10-192.168.88.254 list="Block dhcp"
/ip firewall filter
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=forward port=2000-2005,1534 protocol=tcp
add action=accept chain=forward port=2000-2005,1534 protocol=udp
add action=drop chain=forward src-address-list="Block dhcp"
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat port=2000-2005,49841,1534 protocol=tcp to-addresses=192.168.11.3 to-ports=2000-2005
add action=dst-nat chain=dstnat port=2000-2005,49841,1534 protocol=udp to-addresses=192.168.11.3 to-ports=2000-2005
/ip route
add distance=1 gateway=130.111.29.17
/ppp secret
add name=L2TP profile=L2TPprofile service=l2tp
/system clock
set time-zone-name=Europe/Rome
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

- M2
# mar/03/2021 18:36:32 by RouterOS 6.47.9
# software id = DP6U-UX08
#
# model = RB941-2nD
# serial number = D1190CFCBFD5
/interface bridge
add admin-mac=48:8F:6E:6E:C0:A3 arp=proxy-arp auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX country=italy disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-6EC0A7 wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.11.220-192.168.11.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add bridge=bridge local-address=192.168.11.3 name=profile1 remote-address=dhcp
/interface l2tp-client
add connect-to=castiglano.it disabled=no keepalive-timeout=disabled name=l2tp-out1 profile=profile1 user=L2TP
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=pwr-line1
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.11.3/24 comment=defconf interface=ether4 network=192.168.11.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.11.0/24 comment=defconf gateway=192.168.11.3 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.11.3 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input port=1701,500,4500 protocol=udp
add action=accept chain=forward port=2000-2005 protocol=tcp
add action=accept chain=forward port=2000-2005 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward connection-nat-state=dstnat in-interface=bridge
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=bridge out-interface-list=WAN
add action=dst-nat chain=dstnat port=2000-2005,49841,1534 protocol=tcp to-addresses=192.168.11.100 to-ports=2000-2005
add action=dst-nat chain=dstnat port=2000-2005,49841,1534 protocol=udp to-addresses=192.168.11.100 to-ports=2000-2005
/ip hotspot ip-binding
add address=192.168.11.100 disabled=yes type=bypassed
/ip route
add disabled=yes distance=1 gateway=192.168.1.1
add distance=1 dst-address=192.168.11.0/32 gateway=192.168.11.1
/system clock
set time-zone-name=Europe/Rome
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Can someone help us to figure this out?

Thank you in advance,
Nicola Viale
 
sarah
newbie
Posts: 27
Joined: Mon Feb 29, 2016 1:41 am

Re: Port forwarding - l2tp client to server - Problems

Thu Mar 04, 2021 2:07 pm

Hi,

Not too sure what the requirement of your 'software' is. Looking at your configuration, it seems like you are trying to achieve L2 bridging over L2TP.
Have a look at this https://wiki.mikrotik.com/wiki/Manual:B ... _bridging)

Hope this helps.
 
nicolaviale
just joined
Topic Author
Posts: 2
Joined: Wed Mar 03, 2021 12:57 pm

Re: Port forwarding - l2tp client to server - Problems

Thu Mar 04, 2021 4:17 pm

Hi sarah, thank you for your time.

One of our main problems is that we cannot fully access M1, since it is used for licenses of the university.
As far as we understand, we already have a "perfectly" working vpn, since from the PC we can ping the device connected to M2.
We thought that the problem was more related to some nat/firewall rules.
What do you think?

Nicola Viale
 
sarah
newbie
Posts: 27
Joined: Mon Feb 29, 2016 1:41 am

Re: Port forwarding - l2tp client to server - Problems

Fri Mar 05, 2021 3:05 am

Not too sure how you conclude that the vpn is working. Pinging from a PC attached to M1 to M2 (when the vpn tunnel is up) should be possible. I am not sure whether pinging a device behind M2 will work; even if you get ping replies, the reply could be coming from a device connected to M1.
I think you need to be clear about how you want to set up the vpn server, i.e. do you want to bridge at the L2 level, or do you want it to be L3 routed?
If you want to have it on L2, then follow the guide I posted earlier. If you want it to be L3 routed, then you can follow this guide https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP

One of the confusions I see in your configuration is that both M1 and M2 share the same subnet. This by itself is not too much of a problem if you are doing L2 bridging over the L2TP tunnel, but it seems that you are mixing up L2 and L3.

Also, what do you mean by 'we cannot fully access M1 since it is used for licenses of the university'? Do you mean you have no access to configure the router?
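A small added check (example code, not from the thread or from MikroTik) that parses the RouterOS export format of the two posted configs and reports what the reply above points out: both routers' /ip address tables put their LAN on 192.168.11.0/24, and M1's L2TP profile draws peer addresses from that same subnet. The excerpts are trimmed copies of the configs posted earlier in the thread; section names and keys are those of the export format.

```python
import ipaddress
import re

# Excerpts of the M1 and M2 exports posted in the thread (only the sections this check reads).
M1_EXPORT = """
/ip pool
add name=dhcp ranges=192.168.11.10-192.168.11.254
/ppp profile
add bridge=bridge dns-server=8.8.8.8 local-address=192.168.11.1 name=L2TPprofile remote-address=dhcp
/ip address
add address=192.168.11.1/24 comment=defconf interface=ether2 network=192.168.11.0
"""
M2_EXPORT = """
/ip address
add address=192.168.11.3/24 comment=defconf interface=ether4 network=192.168.11.0
"""

def parse_export(text):
    """Map each '/section' of a RouterOS export to its 'add'/'set' lines as key=value dicts."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"): continue
        if line.startswith("/"):
            current = line
            continue
        # values are either a bare token or a double-quoted string (comments contain spaces)
        pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line)
        sections.setdefault(current, []).append({k: v.strip('"') for k, v in pairs})
    return sections

def lan_networks(export):
    """Subnets configured under /ip address."""
    return [ipaddress.ip_interface(e["address"]).network
            for e in parse_export(export).get("/ip address", [])]

def overlapping_subnets(export_a, export_b):
    """Subnet pairs that overlap between the two routers' /ip address tables."""
    return [(str(a), str(b)) for a in lan_networks(export_a)
            for b in lan_networks(export_b) if a.overlaps(b)]

def l2tp_pool_inside_lan(export):
    """True when the pool a /ppp profile hands to L2TP peers lies inside a local LAN subnet."""
    sec = parse_export(export)
    pools = {p["name"]: p["ranges"] for p in sec.get("/ip pool", [])}
    for prof in sec.get("/ppp profile", []):
        rng = pools.get(prof.get("remote-address", ""))
        if rng and any(ipaddress.ip_address(rng.split("-")[0]) in n for n in lan_networks(export)):
            return True
    return False
```

Run it against the full exports to see every overlapping pair; an empty overlap list is what an L3-routed setup with distinct subnets on each side should produce.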
