Roaad Warrior L2TP/IPSEC VPN cannot access LAN

haris013 · Fri Aug 06, 2021 8:30 pm

Hello, i have a strange problem, with road warrior VPN, I have the exact setup with other mikrotik routers and is working perfectly but the specific mentioned bellow, can't access other LAN devices.

Clients are connecting without problem with the VPN but somehow cannot "see" the other devices and servers at LAN.

I am using a vpn pool that is the same with the LAN pool. I have my bridge as arp proxy and I have tried many settings like disabling firewall rules, creating another VPN address pool etc

still the same problem, any client connecting at the VPN cannot access devices at LAN.

Please can you help to detect the issue? The same setup is working without problems at another infrastructure.

The setup is dual WAN using direct public IPs given by ISP

# aug/06/2021 20:27:41 by RouterOS 6.48.3
# software id = XXXXXX
#
# model = RB2011UiAS
# serial number = XXXXXXX
/interface bridge
add admin-mac=08:55:31:7D:23:84 arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface list
add comment=defconf name=WAN
add comment=defconf include=dynamic name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dh-group=ecp256,modp2048,modp1536,modp1024 \
    enc-algorithm=aes-256,aes-192,aes-128
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms="aes-256-c\
    bc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc\
    ,aes-128-ctr,aes-128-gcm"
/ip pool
add name=dhcp_pool0 ranges=192.168.2.100-192.168.2.230
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge name=dhcp1
/ppp profile
add bridge=bridge bridge-learning=yes change-tcp-mss=yes dns-server=\
    1.1.1.1,1.0.0.1 local-address=192.168.2.1 name=ipsec_vpn remote-address=\
    dhcp_pool0 use-encryption=yes
add change-tcp-mss=yes dns-server=1.1.1.1,1.0.0.1 local-address=10.10.10.1 \
    name=test remote-address=VPN_pool use-encryption=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 default-profile=ipsec_vpn enabled=yes \
    ipsec-secret=XXXXXX keepalive-timeout=disabled use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
/ip address
add address=194.30.216.146/30 interface=ether1 network=194.30.216.144
add address=194.30.216.150/30 interface=ether2 network=194.30.216.148
add address=192.168.2.1/24 interface=bridge network=192.168.2.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server lease
add address=192.168.2.199 client-id=1:0:15:99:88:aa:25 mac-address=\
    00:15:99:88:AA:25 server=dhcp1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=www.ependyseis.gr list="Ependyseis Site"
/ip firewall filter
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=\
    tcp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list="Ependyseis Site" \
    new-routing-mark=to_ISP1 passthrough=yes
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\
    bridge
add action=accept chain=prerouting dst-address=192.168.0.0/24 in-interface=\
    bridge
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1 new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2 new-connection-mark=ISP2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=ISP1_conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=ISP2_conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
    in-interface=bridge new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
    in-interface=bridge new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1_conn \
    new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2_conn \
    new-routing-mark=to_ISP2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat disabled=yes src-address=192.168.2.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=5051-5053 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.2.230 to-ports=\
    5051-5053
add action=accept chain=srcnat disabled=yes src-address=10.10.10.0/24
/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-mark=to_ISP1
add check-gateway=ping distance=2 gateway=8.8.4.4 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=8.8.4.4 routing-mark=to_ISP2
add check-gateway=ping distance=2 gateway=8.8.8.8 routing-mark=to_ISP2
add check-gateway=ping distance=1 gateway=8.8.8.8
add check-gateway=ping distance=1 gateway=8.8.4.4
add distance=1 dst-address=8.8.4.4/32 gateway=194.30.216.149 scope=10
add distance=20 dst-address=8.8.4.4/32 type=blackhole
add distance=1 dst-address=8.8.8.8/32 gateway=194.30.216.145 scope=10
add distance=20 dst-address=8.8.8.8/32 type=blackhole
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=XXXXX password=XX profile=ipsec_vpn service=l2tp
add name=XXXXX password=XXXXX profile=ipsec_vpn service=l2tp
add name=XXX password=XXXXX profile=ipsec_vpn service=l2tp
/system clock
set time-zone-name=Europe/Athens
/system logging
add topics=l2tp
add topics=ipsec
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Please help me to debug the issue

nagylzs · Sat Aug 07, 2021 8:04 pm

Hello,

* Why do you have two ppp profiles? One of them is not assigned to the bridge. The second one references VPN_pool which is not defined. Didn't you delete something important from the export?
* After L2TP client is connected, can you ping the remote router? 192.168.2.1
* Please enable ICMP in forward chain of your firewall and try to ping something else inside your remote LAN.
* What kind of L2TP client are you using? After connecting the L2TP, please export your routes on the client and post it.

haris013 · Sun Aug 08, 2021 2:21 pm

the first PPP profile is not in use right now, also i am not using the vpn pool at the moment.

When the client is connected, i can ping the gateway. Also when i run a network scan/ip scan i can only "see" the gateway and my client(self).

I have allowed the ping and still cannot reach the other clients at my network. I have several web services running at LAN and cannot reach them. I cannot see my NAS, internal web server etc.

I am connecting from windows 10 PC and android Tablet, still the same result, cannot see other devices. I have compared the route tables from my windows 10 PC connected at VPN and I don't see anything weird. Bellow are the routes attached.

Also attached some of my settings, take a look please, trying to figure out the mistake.

nagylzs · Mon Aug 09, 2021 8:20 pm

Your routes are okay, I think. You did not uncheck the "use default gateway on remote network" checkbox in adapter properties / network / ipv4 / properties / special / ip settings. All of your traffic goes through the L2TP connection.

I think that this will be a firewall problem. Look at these rules in your input and forward chains:

add action=drop chain=input comment="defconf: drop all not coming from LAN" \ in-interface-list=!LAN
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN

You are dropping all input that is not coming from LAN, and you are dropping all forwards that are not DSTnated. You can ping the router because this rule comes first:

add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp

All other packets from your L2TP client are dropped, because they are not coming in on LAN (input chain) and they are not DST nated (forward chain).

You need to do one of these:

1. Specify fixed interface name under "/interface l2tp-server add name=l2tp_user1_in user=user1" and change your firewall rules to accept packets from/to this interface in input and forward chains. One solution is to add l2tp_user1_in interface to your LAN interface list, another solution is to add new rules with this interface as in-interface and out-interface.
2. You can also add new rules with src-address=192.168.2.0/24 and dst-address=192.168.2.0/24 . But then you also need to keep in mind that packets with spoofed IP addresses will be able to come in on your WAN interface (unless you set rp-filter=strict under /ip settings maybe not even then)

nagylzs · Tue Aug 10, 2021 8:55 am

There is an "interface-list" setting under /ppp profile. I suspect that if you specify interface-list=L2TP then it will put the dynamically created L2TP interfaces into that interface list automatically.

But it is not documented. At least not here: https://wiki.mikrotik.com/wiki/Manual:P ... Properties

I wrote a message to MT support and asked them to add missing documentation.

haris013 · Tue Aug 10, 2021 1:58 pm

Thanks for the replies, I tried disabling all filter rules, added l2tpuser at lan, tried the ppp profile interface list, still the same result. I cannot reach lan devices. Also the same firewall setup and VPN settings, i use at other installations without problems. Is there any chance that ISP is the problem? Is something blocked from ISP side? or is any NAT related problem?

The only difference from the other installations where VPN is working, is that mine is dual WAN.

I can't find why i can't reach LAN.

nagylzs · Tue Aug 10, 2021 3:54 pm

Is there any chance that ISP is the problem? Is something blocked from ISP side? or is any NAT related problem?

ICMP ping packets go through your ipsec tunnel. Any other packet goes through the same tunnel. If it was a problem with your ISP then nothing would work. not even ping.

Can you please post the output of these, after L2tp client is connected:

/ip ipsec active-peers print detail
/ip ipsec policy print detail

nagylzs · Tue Aug 10, 2021 4:14 pm

I'm sorry I'm just trying to find out what the problem is. It may not help, but try this.

On the router, set a fixed address for a user, and allow forward packets:

/ppp secret
set remote-address=192.168.2.185 where name=XXXXX
/ip firewall filter
add chain=forward action=accept src-address=192.168.2.185 dst-address=192.168.2.0/24 place-before=[find where comment="defconf: drop all from WAN not DSTNATed"]

Then connect with your L2TP client, check that your IP address is 192.168.2.185 indeed, and then try to access something on the remote LAN.

haris013 · Tue Aug 10, 2021 11:03 pm

Hello, still nothing.

take a look at the screenshot

I tried to rdp our servers, ping our devices, still nothing, seems like i am "out"

nagylzs · Wed Aug 11, 2021 8:50 am

Disclaimer: I'm just guessing now. I don't know what is wrong. But it seems that your accept rule's counter is almost zero.

Please try to add a more specific route, as administrator:

route add -p 192.168.2.0 mask 255.255.255.0 192.168.2.185

I doubt that it will help but let's try.

haris013 · Wed Aug 11, 2021 11:19 am

Disclaimer: I'm just guessing now. I don't know what is wrong. But it seems that your accept rule's counter is almost zero.

Please try to add a more specific route, as administrator:

route add -p 192.168.2.0 mask 255.255.255.0 192.168.2.185

I doubt that it will help but let's try.

Hello, tried adding route manually, still the same. LAN is unreachable.

nagylzs · Wed Aug 11, 2021 9:55 pm

I'm comparing your config with mine. I don't have bridge=bridge on /ppp profile in my configs. Also, I don't have arp=proxy-arp in my bridge. The problem might be that these packets are not routed, because your ppp interface is added to your bridge as a port.

One more thing to try: remove bridge=bridge setting on your ppp profile and try to reconnect.

(Once again: I'm not an expert, and I'm not sure if this will work or not. Just trying to help.)

haris013 · Thu Aug 12, 2021 12:40 pm

I'm comparing your config with mine. I don't have bridge=bridge on /ppp profile in my configs. Also, I don't have arp=proxy-arp in my bridge. The problem might be that these packets are not routed, because your ppp interface is added to your bridge as a port.

One more thing to try: remove bridge=bridge setting on your ppp profile and try to reconnect.

(Once again: I'm not an expert, and I'm not sure if this will work or not. Just trying to help.)

Hello, thanks again for the help. I tried removing bridge from PPP profile, also tried with arp-proxy off, still the same result, no LAN. It is very strange this behavior, i have configured many VPNs, it is my first time facing this problem.

Is there any way to trace where the packets go and why the are not routed at LAN?

rajo · Thu Aug 12, 2021 7:42 pm

To get split-include working with your Windows 10 clients, follow the instructions here: viewtopic.php?f=2&t=177314&p=872552#p872552

haris013 · Fri Aug 13, 2021 1:14 am

To get split-include working with your Windows 10 clients, follow the instructions here: viewtopic.php?f=2&t=177314&p=872552#p872552

Hello, i don't need split tunneling. I need to access my remote LAN via VPN. I don't care if the whole traffic is transfered inside VPN.

rajo · Fri Aug 13, 2021 4:10 am

Take a look at the Windows IPv4 route table screenshot you posted. It shows that your VPN connection is the preferred route to the Internet. Thus, once you've established a VPN connection, everything fails. You shouldn't even be able to ping anything on the Internet, once your VPN connection is established. Even if you're not using split-include, make the changes I recommended and try again. If proper routes don't get installed and you don't want to keep it, you can always change it back and try something different.

nagylzs · Fri Aug 13, 2021 8:50 am

Oh, so his problem was that he could not access the local LAN? I thought he could not access the remote LAN.

The second thing I wrote was this:

You did not uncheck the "use default gateway on remote network" checkbox in adapter properties / network / ipv4 / properties / special / ip settings. All of your traffic goes through the L2TP connection.

Yes, if you want to access your LOCAL LAN then go to that setting and uncheck that box.

haris013 · Fri Aug 13, 2021 10:43 pm

tried the settings again i cannot access remote LAN. I tried connecting with android, again i cannot see anything from the remote LAN network. It is like i am not connected at the VPN/remote LAN.

haris013 · Fri Aug 13, 2021 10:44 pm

Oh, so his problem was that he could not access the local LAN? I thought he could not access the remote LAN.

The second thing I wrote was this:

You did not uncheck the "use default gateway on remote network" checkbox in adapter properties / network / ipv4 / properties / special / ip settings. All of your traffic goes through the L2TP connection.
Yes, if you want to access your LOCAL LAN then go to that setting and uncheck that box.

My problem is the REMOTE LAN not the local LAN. You have understood right

rajo · Fri Aug 13, 2021 10:59 pm

tried the settings again i cannot access remote LAN. I tried connecting with android, again i cannot see anything from the remote LAN network. It is like i am not connected at the VPN/remote LAN.

What does your Windows route table [screenshot] look like after you connect? Also, does the connection show up as established when you execute "ip ipsec active-peers print"?

haris013 · Sat Aug 14, 2021 12:43 am

tried the settings again i cannot access remote LAN. I tried connecting with android, again i cannot see anything from the remote LAN network. It is like i am not connected at the VPN/remote LAN.
What does your Windows route table [screenshot] look like after you connect? Also, does the connection show up as established when you execute "ip ipsec active-peers print"?

take a look. My mind is blown. I don't know why remote lan is unreachable.

rajo · Sat Aug 14, 2021 4:19 am

As you can see from the screenshot, with the adapter changes made, your 192.168.2.0/24 network is properly installed.

I suspect the reason it's still not working is because the IPSec client is being assigned an IP address in the same network as the LAN you're trying to reach. Because of that, the client decides that, because remote network is within its own subnet, it is local and ARPs for the MAC address of whatever IP address you're trying to reach; however, ARP is never sent over non-Ethernet links.

You would either have to configure proxy arp on the Windows client or, better yet, assign your VPN addresses from its own separate network pool and add appropriate routing for that VPN network. The latter would be the most versatile and low-maintenance solution.

haris013 · Sat Aug 14, 2021 12:37 pm

As you can see from the screenshot, with the adapter changes made, your 192.168.2.0/24 network is properly installed.

I suspect the reason it's still not working is because the IPSec client is being assigned an IP address in the same network as the LAN you're trying to reach. Because of that, the client decides that, because remote network is within its own subnet, it is local and ARPs for the MAC address of whatever IP address you're trying to reach; however, ARP is never sent over non-Ethernet links.

You would either have to configure proxy arp on the Windows client or, better yet, assign your VPN addresses from its own separate network pool and add appropriate routing for that VPN network. The latter would be the most versatile and low-maintenance solution.

I can't figure why the same setup with local arp proxy works at my other installations and it doesn't work at this specifically.

I have setup many VPNs with exact same setup and the are perfectly working with windows 10 clients without doing anything else. All the other VPNs that working, the remote subnet is the same with the local, bridge arp proxy is enabled and i can reach remote lan without problems. What is the difference I am missing at this one specifically? Why the setup is working at other environments and not at this one?

rajo · Sat Aug 14, 2021 5:01 pm

Out of curiosity, you describe this as a "Road Warrior" setup and you mention "local arp proxy works." By "local," are you referring to proxy ARP configured on the client side LAN or the VPN gateway/responder side? If you take the Windows 10 PC or Android tablet to a network where VPN connections are working, does it work there? Do you control the configuration of the client-side LANs and are they similarly configured as the LANs that are working, with proxy ARP and such? Basically, is this a client problem or client LAN problem?

If you can answer all those for yourself and everything checks out, I have no idea.

haris013 · Sat Aug 14, 2021 7:20 pm

Out of curiosity, you describe this as a "Road Warrior" setup and you mention "local arp proxy works." By "local," are you referring to proxy ARP configured on the client side LAN or the VPN gateway/responder side? If you take the Windows 10 PC or Android tablet to a network where VPN connections are working, does it work there? Do you control the configuration of the client-side LANs and are they similarly configured as the LANs that are working, with proxy ARP and such? Basically, is this a client problem or client LAN problem?

If you can answer all those for yourself and everything checks out, I have no idea.

By proxy arp i am referring at gateway/responder side. I tried connecting clients from networks that other VPN connections work (with the exact mikrotik VPN server setup) and the specific VPN doesn't work. I can't figure why. Maybe ISP issue? It is strange because the tunnel is established. The problem is that clients can't reach/see remote LAN while tunnel is established.

nagylzs · Sat Aug 14, 2021 9:15 pm

You would either have to configure proxy arp on the Windows client or, better yet, assign your VPN addresses from its own separate network pool and add appropriate routing for that VPN network. The latter would be the most versatile and low-maintenance solution.

I also have setups where the L2TP client is getting a single address from the remote subnet, and it works just fine.

nagylzs · Sun Aug 15, 2021 9:15 am

Okay, please try the following:

1. Open Properties of VPN connection
2. Go to Networking tab
3. Open Properties of Internet Protocol Version 4 (TCP/IPv4) (and unckeck TCP/IPv6)
4. Click Advanced... button
5. Change to IP Settings tab

Then do this:

* Uncheck "Use default gateway on remote network"
* Check "Disable class based route addition"

On routeros L2TP server:

* make sure once again that your l2tp server has no "bridge=bridge" property set
* check that your /ppp secret has as fixed ip 192.168.2.185
* make sure that srcnat chain in /ip firewall nat is empty, or at least all nat rules are disabled. The only active rule under nat should be the "action=masquerade out-interface-list=WAN ipsec-policy=out,none"

Then reconnect to your L2TP server, and check the output of "route print -4". It has two parts: "active routes" and "persistent routes". It should not have any dynamically added routes (except for 192.168.2.185 255.255.255.255) The persistent routes should be configured like this, as Administrator:

route add -p 192.168.2.1 mask 255.255.255.255 192.168.2.185
route add -p 192.168.2.0 mask 255.255.255.0 192.168.2.185

You may have already added some persistent routes. If they are different, then delete them first.

Then try to "ping 192.168.2.1" from your L2TP client and tell us if it works or not.

Next, add this rule to the top of your forward chain:

/ip firewall filter add action=accept chain=forward comment="Accept ICMP" protocol=icmp place-before=0

Then select an internal address that can be pinged from inside your remote LAN. For example, 192.168.2.111. Make sure that you can ping it from your L2TP server, before your try it from your L2TP client! Then try to ping it from your L2TP client and please let us know if it works or not. If it does not work, then please also try to do:

tracert 192.168.2.111

and show us the result.

haris013 · Sun Aug 15, 2021 8:46 pm

Okay, please try the following:

1. Open Properties of VPN connection
2. Go to Networking tab
3. Open Properties of Internet Protocol Version 4 (TCP/IPv4) (and unckeck TCP/IPv6)
4. Click Advanced... button
5. Change to IP Settings tab

Then do this:

* Uncheck "Use default gateway on remote network"
* Check "Disable class based route addition"

On routeros L2TP server:

* make sure once again that your l2tp server has no "bridge=bridge" property set
* check that your /ppp secret has as fixed ip 192.168.2.185
* make sure that srcnat chain in /ip firewall nat is empty, or at least all nat rules are disabled. The only active rule under nat should be the "action=masquerade out-interface-list=WAN ipsec-policy=out,none"

Then reconnect to your L2TP server, and check the output of "route print -4". It has two parts: "active routes" and "persistent routes". It should not have any dynamically added routes (except for 192.168.2.185 255.255.255.255) The persistent routes should be configured like this, as Administrator:

route add -p 192.168.2.1 mask 255.255.255.255 192.168.2.185
route add -p 192.168.2.0 mask 255.255.255.0 192.168.2.185

You may have already added some persistent routes. If they are different, then delete them first.

Then try to "ping 192.168.2.1" from your L2TP client and tell us if it works or not.

Next, add this rule to the top of your forward chain:

/ip firewall filter add action=accept chain=forward comment="Accept ICMP" protocol=icmp place-before=0

Then select an internal address that can be pinged from inside your remote LAN. For example, 192.168.2.111. Make sure that you can ping it from your L2TP server, before your try it from your L2TP client! Then try to ping it from your L2TP client and please let us know if it works or not. If it does not work, then please also try to do:

tracert 192.168.2.111

and show us the result.

Hello again, thanks for the reply. I tried everything above, step by step, the result is the same. I am reaching the remote gateway but not the Remote LAN. take a look at the screenshots.

Is there any way to trace the packets, were they are going? It is unbelievable/

nagylzs · Mon Aug 16, 2021 3:52 pm

> Is there any way to trace the packets, were they are going? It is unbelievable/

Yes, there is. It is called packet sniffer.

For sniffing ICMP packets, prepare your terminal with this command (on Windows):

ping 192.168.2.240 -c 1

Then on routeros, go to this menu:

/tool sniffer
set filter-ip-protocol=icmp
start

Immediately after "start", press ENTER in your L2TP client's terminal to send exactly one ICMP ping request, then stop sniffing on the router as soon as possible:

stop

Finally, you can examine captured packets:

/tool sniffer packet
print
print detail

If you are not quick enough between start / ping / stop, then ICMP packets from other hosts may arrive and you will see lots of packets captured.

You can also filter the packets to be captured even more, for example you can try to set "filter-ip-address" property of the sniffer. But since we are not really sure what is going on, I suggest that you capture all icmp packets and use a very short window of time.

Documentation for sniffer is here: https://wiki.mikrotik.com/wiki/Manual:T ... et_Sniffer

Please try to copy the results as text and paste it here between [ code ] tags, instead of making screenshots.

nagylzs · Mon Aug 16, 2021 4:01 pm

haris013 I tired to contact you in a private message but I can't - there is no way to do it on this forum (or I could not find it)

Please contact me at gmail, user name nagylzs - I think it would be much more efficient to try to solve this problem using some remote desktop connection. (Well, only if you dare to share your screen with me for a short time.)

haris013 · Tue Aug 17, 2021 1:03 am

Hello again. Something very interesting, I added a nat rule :

 add action=masquerade chain=srcnat dst-address=192.168.2.0/24 src-address=\
    192.168.2.0/24

I masquerade my own LAN and now I have access to my remote LAN!!

My problem is why the masquerade rule works and I can reach the remote LAN? Why is needed? My other configurations with l2tp they work without masquerading the LAN. It is very strange. Can someone explain what is wrong and why it works now?

thanks!!

nagylzs · Tue Aug 17, 2021 10:00 am

My problem is why the masquerade rule works and I can reach the remote LAN? Why is needed? My other configurations with l2tp they work without masquerading the LAN. It is very strange. Can someone explain what is wrong and why it works now?

Probably rajo was right, and this is related to ARP requests. What is the default gateway on the 192.168.2.240 computer?

haris013 · Tue Aug 17, 2021 10:24 am

My problem is why the masquerade rule works and I can reach the remote LAN? Why is needed? My other configurations with l2tp they work without masquerading the LAN. It is very strange. Can someone explain what is wrong and why it works now?
Probably rajo was right, and this is related to ARP requests. What is the default gateway on the 192.168.2.240 computer?

It is the 10.0.0.1 the local PC GW. The remote GW is 192.168.2.1 .Why on the other VPN setups doesn't have this problem? It works without any extra masq rule.

mikeeg02 · Tue Aug 17, 2021 2:44 pm

I came across some odd behavior in a new r2 revision 3011 that won't show up in an export.(as it was from default config) I'm not sure if the r2 2011s have the same default configuration now, but get a winbox screen shot of the ->switch then port tab.

The problem I had with the 3011 was everything in the switch1 group was configured differently than the switch2 group. Local traffic passed fine, but remote traffic puzzled me until I found it. And the 3011 was only connected to untagged traffic so it really shouldn't of mattered, but it did. Again I realize you're using a 2011, but there's a chance you're experiencing a similar problem that won't show itself from an export.

Ultimately my solution was:

/interface ethernet switch port
set 0 vlan-header=always-strip vlan-mode=fallback
set 1 vlan-header=always-strip vlan-mode=fallback
set 2 vlan-header=always-strip vlan-mode=fallback
set 3 vlan-header=always-strip vlan-mode=fallback
set 4 vlan-header=always-strip vlan-mode=fallback
set 5 vlan-header=always-strip vlan-mode=fallback
set 6 vlan-header=always-strip vlan-mode=fallback
set 7 vlan-header=always-strip vlan-mode=fallback
set 8 vlan-header=always-strip vlan-mode=fallback
set 9 vlan-header=always-strip vlan-mode=fallback
set 10 vlan-header=always-strip vlan-mode=fallback
set 11 vlan-header=always-strip vlan-mode=fallback

haris013 · Tue Aug 17, 2021 10:36 pm

this is the switch default settings on 2011, should i change anything?

mikeeg02 · Tue Aug 17, 2021 10:38 pm

Thats what my 3011 looked like and it caused me issues with remote untagged traffic. If you paste the code above in terminal it will set them the same, and you may find it fixes your problem.

mikeeg02 · Tue Aug 17, 2021 11:01 pm

You'll still need proxy-arp on the remote bridge if your VPN pool ips are in the same subnet as the remote Lan subnet. But I think you will be able to make this installation like your others. If your other installations are revision 1 routers I think the default switch chip settings worked fine. Which IIRC were disabled and leave as is. I have atleast 50 of the original in the field and haven't run into this until recently with r2 hardware.

haris013 · Tue Aug 17, 2021 11:34 pm

You'll still need proxy-arp on the remote bridge if your VPN pool ips are in the same subnet as the remote Lan subnet. But I think you will be able to make this installation like your others. If your other installations are revision 1 routers I think the default switch chip settings worked fine. Which IIRC were disabled and leave as is. I have atleast 50 of the original in the field and haven't run into this until recently with r2 hardware.

i have still enabled proxy-arp, so what i have to do for the switch chip? should i execute the switch settings mentioned above?

mikeeg02 · Wed Aug 18, 2021 12:23 am

You can manually set each in winbox so you can be sure the default vlan id goes away. Depending on how you are accessing the router, you may drop connectivity briefly, but it should come back after winbox closes. If its remote, safemode may be worth utilizing.

haris013 · Thu Aug 19, 2021 4:15 pm

You can manually set each in winbox so you can be sure the default vlan id goes away. Depending on how you are accessing the router, you may drop connectivity briefly, but it should come back after winbox closes. If its remote, safemode may be worth utilizing.

Mikrotik doesn't allow me to remove the default dag from the ports. I got error message.

mikeeg02 · Thu Aug 19, 2021 4:19 pm

In winbox you can click the up arrow. I think the other changes are more important though. I think the reason this is necessary is because of how the bridge processes the dynamic (vpn) traffic.

winbox.png

haris013 · Fri Aug 20, 2021 2:13 pm

In winbox you can click the up arrow. I think the other changes are more important though. I think the reason this is necessary is because of how the bridge processes the dynamic (vpn) traffic.

winbox.png

take a look, it doesn't allow me

mikeeg02 · Fri Aug 20, 2021 3:09 pm

In mikrotik the default untagged vlan is 0 anyway. But the other settings will need changed.

vlan-header=always-strip
vlan-mode=fallback

haris013 · Fri Aug 20, 2021 3:20 pm

In mikrotik the default untagged vlan is 0 anyway. But the other settings will need changed.

vlan-header=always-strip
vlan-mode=fallback

i changed the settings vlan-header=always-strip and vlan-mode=fallback at all switch ports but still the i cannot "see" the remote LAN if i close the masquerade rule.

mikeeg02 · Fri Aug 20, 2021 4:54 pm

Can you give us a current export of your config?

haris013 · Sun Aug 22, 2021 10:44 pm

Hello again, I have not mentioned something that maybe is important!!

I got the 2011, 2 WANs connected, VPN server configured. The thing is that all my LAN devices are connected to a CRS328 switch AND NOT direct at the rb2011.

The crs is working only as a switch, i haven't configured anything on in it. I just powered it and connected my servers. Do i need to configure anything at the CRS that is related at my VPN problem ???

thanks!

mikeeg02 · Wed Aug 25, 2021 9:11 pm

The current export file from the router would be helpful.

Additionally, when removing your nat rule, you have to remember to wait for the timeout, and/or remove the connection from the firewall. If the connection tracking is still running from the nat rule, it will fail until the connection is dropped from tracking.

haris013 · Thu Aug 26, 2021 6:58 pm

ok bellow is the latest config.

# model = RB2011UiAS
# serial number = E1480D55D33C
/interface bridge
add admin-mac=08:55:31:7D:23:84 arp=proxy-arp auto-mac=no comment=defconf \
    name=bridge
/interface ethernet switch port
set 0 vlan-header=always-strip vlan-mode=fallback
set 1 vlan-header=always-strip vlan-mode=fallback
set 2 vlan-header=always-strip vlan-mode=fallback
set 3 vlan-header=always-strip vlan-mode=fallback
set 4 vlan-header=always-strip vlan-mode=fallback
set 5 vlan-header=always-strip vlan-mode=fallback
set 6 vlan-header=always-strip vlan-mode=fallback
set 7 vlan-header=always-strip vlan-mode=fallback
set 8 vlan-header=always-strip vlan-mode=fallback
set 9 vlan-header=always-strip vlan-mode=fallback
set 10 vlan-header=always-strip vlan-mode=fallback
/interface list
add comment=defconf name=WAN
add comment=defconf include=dynamic name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] dh-group=ecp256,modp2048,modp1536,modp1024 \
    enc-algorithm=aes-256,aes-192,aes-128
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms="aes-256-c\
    bc,aes-256-ctr,aes-256-gcm,aes-192-cbc,aes-192-ctr,aes-192-gcm,aes-128-cbc\
    ,aes-128-ctr,aes-128-gcm"
/ip pool
add name=dhcp_pool0 ranges=192.168.2.100-192.168.2.230
add name=VPN_pool ranges=10.10.10.2-10.10.10.10
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge name=dhcp1
/ppp profile
add bridge=bridge change-tcp-mss=yes dns-server=1.1.1.1,1.0.0.1 \
    interface-list=LAN local-address=192.168.2.1 name=ipsec_vpn \
    remote-address=dhcp_pool0 use-encryption=yes
add change-tcp-mss=yes dns-server=1.1.1.1,1.0.0.1 local-address=10.10.10.1 \
    name=test remote-address=VPN_pool use-encryption=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 default-profile=ipsec_vpn enabled=yes \
    keepalive-timeout=disabled use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether2 list=WAN
/ip address
add address=194.30.216.146/30 interface=ether1 network=194.30.216.144
add address=194.30.216.150/30 interface=ether2 network=194.30.216.148
add address=192.168.2.1/24 interface=bridge network=192.168.2.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-server lease
add address=192.168.2.199 client-id=1:0:15:99:88:aa:25 mac-address=\
    00:15:99:88:AA:25 server=dhcp1
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=1.1.1.1,1.0.0.1 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=www.ependyseis.gr list="Ependyseis Site"
/ip firewall filter
add action=accept chain=input dst-port=8291 in-interface-list=WAN protocol=\
    tcp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list="Ependyseis Site" \
    new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
    to_ISP1 passthrough=yes src-address=192.168.2.240
add action=accept chain=prerouting dst-address=192.168.1.0/24 in-interface=\
    bridge
add action=accept chain=prerouting dst-address=192.168.0.0/24 in-interface=\
    bridge
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1 new-connection-mark=ISP1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2 new-connection-mark=ISP2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=ISP1_conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge new-connection-mark=ISP2_conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
    in-interface=bridge new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
    in-interface=bridge new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1_conn \
    new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2_conn \
    new-routing-mark=to_ISP2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.2.0/24 \
    src-address=192.168.2.0/24
/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-mark=to_ISP1
add check-gateway=ping distance=2 gateway=8.8.4.4 routing-mark=to_ISP1
add check-gateway=ping distance=1 gateway=8.8.4.4 routing-mark=to_ISP2
add check-gateway=ping distance=2 gateway=8.8.8.8 routing-mark=to_ISP2
add check-gateway=ping distance=1 gateway=8.8.8.8
add check-gateway=ping distance=1 gateway=8.8.4.4
add distance=1 dst-address=8.8.4.4/32 gateway=194.30.216.149 scope=10
add distance=20 dst-address=8.8.4.4/32 type=blackhole
add distance=1 dst-address=8.8.8.8/32 gateway=194.30.216.145 scope=10
add distance=20 dst-address=8.8.8.8/32 type=blackhole
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=systemcon profile=ipsec_vpn remote-address=192.168.2.185 service=\
    l2tp
add name=giorgos profile=ipsec_vpn service=l2tp
add name=test profile=ipsec_vpn service=l2tp
/system clock
set time-zone-name=Europe/Athens
/system logging
add topics=l2tp
add topics=ipsec
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-ip-protocol=icmp

mikeeg02 · Thu Aug 26, 2021 9:11 pm

Unless you are doing site to site with another router, remove the bridge from the ppp profile, then remove the nat rule. Wait for the connection to drop from connection tracking (3m by default I believe)

/ppp profile
add change-tcp-mss=yes dns-server=1.1.1.1,1.0.0.1 \
    interface-list=LAN local-address=192.168.2.1 name=ipsec_vpn \
    remote-address=dhcp_pool0 use-encryption=yes

From what I have read on here, windows doesnt support bcp (adding the bridge to the ppp profile) which could be causing you trouble. I only have it enabled for site to site connections between two routers, not for client access. I can try to test this later. I believe thats the only difference I can see.

mikeeg02 · Thu Aug 26, 2021 9:32 pm

Changing the bridge configuration didnt make a difference for me, but this should. I missed it because its not a line in your config.

/interface ethernet switch port
set switch1-cpu vlan-header=always-strip vlan-mode=fallback
set switch2-cpu vlan-header=always-strip vlan-mode=fallback

To match the rest of your ports. I believe the dynamic tunnel is associated with the switch-cpu.

haris013 · Fri Aug 27, 2021 2:07 am

Hello, thank for the replies, still the same problem, it is insane. I configured the switch cpus, when i disable the action=masquerade chain=srcnat disabled=no dst-address=192.168.2.0/24 \
src-address=192.168.2.0/24 rule, i cannot see remote LAN. When i enable the nat rule everything is fine.

I can't undestand why and what is the difference with my other mikrotik setups that works perfect without adding a nat rule.

mikeeg02 · Fri Aug 27, 2021 2:13 am

Silly question, the devices you are trying to access are using 192.168.2.1 as their gateway?

And you definitely waited the 3 minutes or so after disabling the nat rule, to allow the firewall connection tracking to release the nat connection?

haris013 · Fri Aug 27, 2021 9:37 am

Silly question, the devices you are trying to access are using 192.168.2.1 as their gateway?

yes that's right

And you definitely waited the 3 minutes or so after disabling the nat rule, to allow the firewall connection tracking to release the nat connection?

i waited more than an hour after disabling the rule, connected at the VPN and no access to remote servers. When i enable back the nat rule, instantly i can connect to remote servers.

TheIBM · Fri Aug 19, 2022 12:27 am

Hello again. Something very interesting, I added a nat rule :
Code: Select all
 add action=masquerade chain=srcnat dst-address=192.168.2.0/24 src-address=\
    192.168.2.0/24
I masquerade my own LAN and now I have access to my remote LAN!!

My problem is why the masquerade rule works and I can reach the remote LAN? Why is needed? My other configurations with l2tp they work without masquerading the LAN. It is very strange. Can someone explain what is wrong and why it works now?

thanks!!

The L2tp or VPN IP's are seen as being 'external or floating' as they are not actually bridged to the internal LAN even though they share the same address space. Applying the NAT rule provides the necessary bridge.