vampy
just joined
Topic Author
Posts: 11
Joined: Fri May 30, 2014 6:43 pm

L2TP IPSEC l2tp-out1 traffic -> wlan1

Thu Sep 29, 2016 3:20 pm

I am trying to get internet working on the wlan1 interface of our MikroTik ceiling AP (cAP2n) through the l2tp-out1 client interface.

The cAP2n is successfully connected as an L2TP/IPsec client to our Cisco L2TP/IPsec server.
The interface l2tp-out1 has internet access; I tried that many times with the internal ping tool.
The eth1 and wlan1 interfaces can't ping anything on the internet.

I have set up NAT on the Quick Set page and no firewall rules are enabled.
I also tried to change the NAT rule, without success:
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1
/ip firewall nat add action=masquerade chain=srcnat out-interface=l2tp-out1

I need internet on the wlan1 interface so our students can connect to the WLAN with their smartphones.

My config:
# sep/29/2016 06:30:35 by RouterOS 6.37rc40
# software id = Z6MB-JY1T
#
/interface bridge
add admin-mac=mymac auto-mac=no mtu=1500 name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    country=iran disabled=no distance=indoors frequency=auto mode=ap-bridge \
    ssid=Pingo-AP wireless-protocol=802.11 wps-mode=disabled
/interface l2tp-client
add connect-to=172.16.255.254 disabled=no ipsec-secret=mysecret name=\
    l2tp-out1 password=mypassword use-ipsec=yes user=myuser
/ip neighbor discovery
set ether1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik wpa-pre-shared-key=mykey \
    wpa2-pre-shared-key=mykey
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc pfs-group=none
/ip pool
add name=dhcp ranges=192.168.88.20-192.168.88.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=3d name=\
    dhcp1
/ppp profile
set *FFFFFFFE use-encryption=default
/system logging action
set 1 disk-file-name=log
/interface bridge port
add bridge=bridge-local disabled=yes interface=ether1
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.88.1/24 interface=wlan1 network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=Pingo
/system logging
add topics=l2tp
add topics=ipsec
add topics=interface
add topics=system
add topics=firewall
add topics=route
/system routerboard settings
set cpu-frequency=400MHz
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=wlan1
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=wlan1
Thanks in advance!
 
kaptain46
just joined
Posts: 22
Joined: Thu Sep 18, 2008 1:27 pm
Location: Rho

Re: L2TP IPSEC l2tp-out1 traffic -> wlan1

Thu Sep 29, 2016 3:33 pm

Hi vampy,
the right NAT rule is
/ip firewall nat add action=masquerade chain=srcnat out-interface=l2tp-out1
(you can also add a src-address-list in order to make this NAT rule valid only for the 192.168.88.0/24 network).

The main issue is that you haven't set any default route for the traffic, so you cannot route any traffic except to local destinations.

Try to add:
/ip route add dst-address=0.0.0.0/0 gateway=<remotel2tpaddress>
(change remotel2tpaddress to the point-to-point remote address of your L2TP tunnel)

or you can also try:
/ip route add dst-address=0.0.0.0/0 gateway=l2tp-out1
(using gateway interface)

and check whether it works.
 
vampy
just joined
Topic Author
Posts: 11
Joined: Fri May 30, 2014 6:43 pm

Re: L2TP IPSEC l2tp-out1 traffic -> wlan1

Thu Sep 29, 2016 3:52 pm

Hi kaptain, thanks for your answer.

The routes are already set dynamically:

[screenshot of the route table]
 
vampy
just joined
Topic Author
Posts: 11
Joined: Fri May 30, 2014 6:43 pm

Re: L2TP IPSEC l2tp-out1 traffic -> wlan1

Thu Sep 29, 2016 5:27 pm

Hi kaptain,

It is working now, thank you!!!

I deleted the first automatic DAS route (0.0.0.0/0 to 172.16.255.254) and changed it to 0.0.0.0/0 with gateway l2tp-out1.

Thanks again!
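The following is an added example, not a config from this thread or from MikroTik, that puts kaptain46's two suggestions (masquerade on l2tp-out1 scoped to the WLAN subnet, default route via the tunnel interface) together with the route change vampy ended up making, and goes one step further by dropping WLAN traffic that would otherwise leave unencrypted via ether1 while the tunnel is down. It assumes the names from vampy's export (wlan1 subnet 192.168.88.0/24, tunnel interface l2tp-out1, uplink ether1) and that the L2TP server 172.16.255.254 is directly reachable on ether1 without a default route, as it is here where it is also the DHCP gateway.

```routeros
# Added example (not from the thread): student WLAN exits only through the L2TP/IPsec tunnel.
# Assumed from vampy's export: 192.168.88.0/24 on wlan1, tunnel l2tp-out1, uplink ether1,
# L2TP server 172.16.255.254 on-link via ether1.

# 1. Name the WLAN subnet so the NAT and filter rules are scoped to it.
/ip firewall address-list
add list=wlan-clients address=192.168.88.0/24 comment="student WLAN"

# 2. Masquerade only WLAN traffic, and only when it leaves via the tunnel
#    (replaces the out-interface=ether1 rule from the original export).
/ip firewall nat
add chain=srcnat src-address-list=wlan-clients out-interface=l2tp-out1 \
    action=masquerade comment="WLAN -> tunnel"

# 3. Default route through the tunnel interface, as in the fix that worked.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1 comment="default via l2tp-out1"

# 4. Keep the DHCP client on ether1 from installing the competing DAS default route;
#    the tunnel endpoint stays reachable through ether1's connected route.
/ip dhcp-client
set [ find interface=ether1 ] add-default-route=no

# 5. Fail closed: if l2tp-out1 is down, WLAN clients must not fall back to plaintext on ether1.
/ip firewall filter
add chain=forward src-address-list=wlan-clients out-interface=ether1 \
    action=drop comment="no unencrypted escape when tunnel is down"
```

Check the result with /ip route print (only one active 0.0.0.0/0, via l2tp-out1) and /ip firewall nat print stats while a phone on the WLAN browses; the masquerade counters on the l2tp-out1 rule should increase and the ether1 drop rule should stay at zero while the tunnel is up.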