adrianTNT
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet

L2TP / IPSEC Vpn clarifications and firewall limiting internet access

Mon Jun 15, 2020 1:24 am

// I created this post again, to add latest updates....

I am trying to create a VPN server using L2TP.
- I added an interface to the interface list; I noticed that if I don't, it gets created on the fly.
- added PPP profiles and secrets; I set it to take the IP from DHCP (both local and remote address), is that wrong? Now the VPN client gets an IP from the same group as my LAN computers (192.168.1.x).
- the VPN client (iPhone) connects OK but cannot get internet access unless I disable that last firewall rule (drop all from WAN not DSTNATed).
- it also gets internet access if in "interface list" I remove the L2TP interface from the "WAN" group, but it gets added back when I reconnect.
- it also gets internet access if I add to that highlighted firewall rule: "interface NOT my L2TP interface", but I'm not sure if this is the solution or just lower security.
- I tried setting the interface list to "LAN" inside the PPP profiles, but it didn't seem to do anything.
- Inside the NAT rules, I added that rule, trying to mimic the one above it (that was added automatically); maybe that is the right solution but I did something wrong there?

interfaces.png
interface list.png
firewall.png
nat.png
ppp profiles.png
Last edited by adrianTNT on Tue Jun 16, 2020 5:30 pm, edited 9 times in total.
 
sutrus
Frequent Visitor
Posts: 59
Joined: Fri Jun 30, 2017 11:27 pm

Re: L2TP / IPSEC Vpn clarifications and firewall limiting internet access

Mon Jun 15, 2020 2:50 pm

Change in PPP profiles -> Interface list to LAN
 
adrianTNT
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet

Re: L2TP / IPSEC Vpn clarifications and firewall limiting internet access

Tue Jun 16, 2020 2:12 pm

sutrus, I tried that and it didn't seem to work. I rewrote the above post with the updates, maybe you can have a second look?
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: L2TP / IPSEC Vpn clarifications and firewall limiting internet access  [SOLVED]

Wed Jun 17, 2020 1:41 am

- If you have a "drop all from WAN not DSTNATed" rule, then adding the L2TP interface to the WAN list is a bad idea, because it will block all traffic from the VPN client, except if you'd connect to some forwarded port, but you don't have any. Either add it to the LAN list or you can keep it separate.
- It seems you're using "detect internet" and it's adding the L2TP interface to the WAN list. Do you really need it?
- When you give IP addresses from the LAN subnet to VPN clients, you'll need proxy ARP on the LAN interface, if you want LAN devices and VPN clients to communicate with each other.
- It's not clear if you need NAT rule #1 and you shouldn't need #2.
- It's better to post exported config in text form, screenshots don't show everything.
 
anav
Forum Guru
Posts: 23277
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: L2TP / IPSEC Vpn clarifications and firewall limiting internet access

Wed Jun 17, 2020 3:42 am

Concur,
/export hide-sensitive file=anynameyouwish
 
adrianTNT
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet

Re: L2TP / IPSEC Vpn clarifications and firewall limiting internet access

Wed Jun 17, 2020 2:13 pm

@anav @Sob I sent the settings export by private message.

// offtopic:
// Even with hide-sensitive, I saw it contained some sensitive data (I edited).
// serial number = ddns record = making yourself a static target :) !
// pppoe usernames
// mac addresses and comments associated with device
// vpn usernames
// ports (if you changed them to not use default, it should remain a bit private)
// It would be nice to have another level of sensitivity so it hides even more data.

So I tried to
- disable detect internet, I am not sure I did it right, "detect interface list: none", "internet interface list: none" (?).
- then added the vpn interface to "LAN" only.

And now the VPN would not connect at all.
This is what I tried; the settings export I sent you was *before* this:
disable detect internet (attempt).png
added vpn interface to lan.png
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: L2TP / IPSEC Vpn clarifications and firewall limiting internet access

Wed Jun 17, 2020 6:59 pm

I'd do some things differently, but I don't see anything obviously wrong. There's nothing that would break VPN connections after you disabled 'detect internet', you accept its traffic unconditionally. Routing from VPN to internet is not blocked by any rule either.
 
adrianTNT
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet

Re: L2TP / IPSEC Vpn clarifications and firewall limiting internet access

Wed Jun 17, 2020 9:33 pm

OK, I will experiment some more; if anyone has ideas, please let me know :)
But the "detect internet" disabling above looks OK in the small image?
Thank you.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: L2TP / IPSEC Vpn clarifications and firewall limiting internet access

Wed Jun 17, 2020 11:04 pm

If you want to experiment, then instead of a default-allow firewall with rules like:
/ip firewall filter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=!l2tp-adr-vpn in-interface-list=WAN
that may not be very easy to read and understand, you can try a default-block firewall, where the basic idea is to allow selected stuff and block everything else. Not that the first one would be wrong, but I find this easier to get right. E.g. (assumes the L2TP interface is in an interface list named VPN):
/ip firewall filter
add chain=forward connection-state=established,related,untracked action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward connection-nat-state=dstnat action=accept comment="allow forwarded ports"
add chain=forward in-interface-list=LAN out-interface-list=WAN action=accept comment="allow access from LAN to internet"
add chain=forward in-interface-list=VPN out-interface-list=WAN action=accept comment="allow access from VPN to internet"
add chain=forward in-interface-list=VPN out-interface-list=LAN action=accept comment="allow access from VPN to LAN"
add chain=forward action=log log-prefix="will-be-blocked" disabled=yes comment="enable this to see what is blocked"
add chain=forward action=reject reject-with=icmp-admin-prohibited
Just simple and easy to understand rules. If you forget to allow something by mistake, you'll notice immediately, because it will be blocked. And if you are not too careless, you can't incidentally allow something (which, if you did, is the kind of mistake that can be harder to notice).

Other tips:

- There's no need to open the PPTP port if you don't have such a server
- When you use L2TP/IPSec, you don't want to accept unencrypted L2TP, you can do that by adding ipsec-policy=in,ipsec to udp/1701 rule
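To make the two chains above comparable, here is an added example (not from the thread or from RouterOS): a first-match model of the forward chain, with the OP's "drop all from WAN not DSTNATed" rule, the OP's in-interface=!l2tp-adr-vpn workaround, and Sob's default-block rules modelled one by one. Interface-list names, the interface name l2tp-adr-vpn and the sample packets are taken from the posts above or constructed here.

```python
# Added example, not from the thread: a first-match model of the RouterOS
# forward chain, built to show why the default-allow "drop all from WAN not
# DSTNATed" rule blocks a VPN client once the L2TP interface lands in the WAN
# list, and how the default-block rules from the post treat the same traffic.
from dataclasses import dataclass

@dataclass
class Packet:
    in_list: str          # interface list of the ingress interface
    out_list: str         # interface list of the egress interface
    conn_state: str       # new / established / related / untracked / invalid
    dstnat: bool = False  # did a dst-nat rule match (forwarded port)?
    in_iface: str = ""    # concrete ingress interface name

def forward(rules, p: Packet, default: str = "accept") -> str:
    """Rules are (action, predicate); the first match decides, else the
    implicit end-of-chain verdict applies (accept on a default-allow chain)."""
    for action, pred in rules:
        if pred(p):
            return action
    return default

# "defconf: drop all from WAN not DSTNATed": a VPN client whose L2TP interface
# is in the WAN list starts every flow as new and not dst-natted, so it hits this.
DEFAULT_ALLOW = [
    ("drop", lambda p: p.conn_state == "new" and not p.dstnat and p.in_list == "WAN"),
]
# The OP's workaround adds in-interface=!l2tp-adr-vpn to that rule.
WORKAROUND = [
    ("drop", lambda p: p.conn_state == "new" and not p.dstnat
                       and p.in_list == "WAN" and p.in_iface != "l2tp-adr-vpn"),
]
# Sob's default-block chain, rule by rule (the disabled log rule is omitted).
DEFAULT_BLOCK = [
    ("accept", lambda p: p.conn_state in {"established", "related", "untracked"}),
    ("drop",   lambda p: p.conn_state == "invalid"),
    ("accept", lambda p: p.dstnat),                                    # forwarded ports
    ("accept", lambda p: p.in_list == "LAN" and p.out_list == "WAN"),  # LAN -> internet
    ("accept", lambda p: p.in_list == "VPN" and p.out_list == "WAN"),  # VPN -> internet
    ("accept", lambda p: p.in_list == "VPN" and p.out_list == "LAN"),  # VPN -> LAN
    ("reject", lambda p: True),                                        # everything else
]

if __name__ == "__main__":
    vpn_to_net = Packet("WAN", "WAN", "new", in_iface="l2tp-adr-vpn")
    print("default-allow, L2TP in WAN list:", forward(DEFAULT_ALLOW, vpn_to_net))  # drop
    print("default-allow + workaround:     ", forward(WORKAROUND, vpn_to_net))     # accept
    print("default-block, L2TP in VPN list:",
          forward(DEFAULT_BLOCK, Packet("VPN", "WAN", "new")))                    # accept
```

Note that the default-block chain also rejects new LAN-to-VPN flows, since only VPN-to-LAN is listed; that is the "forgot to allow something" case Sob describes, and it is visible immediately.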
 
adrianTNT
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet

Re: L2TP / IPSEC Vpn clarifications and firewall limiting internet access

Thu Jun 18, 2020 3:53 am

So with the above recommended rules, I add my L2TP interface to a "VPN" interface list, and do I also set this list name under "PPP > Profiles > Interface list"? Or can I leave that blank?
And for L2TP with IPsec, do I only need 1723 and can I disable 443, 500, 1701, 4500? (I think the router created these when I enabled VPN under Quick Set.)
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: L2TP / IPSEC Vpn clarifications and firewall limiting internet access

Thu Jun 18, 2020 4:47 am

I don't use it often and I'm too lazy to test it now, but it should be enough to use only one: either add the interface to the interface list manually, or let it happen automatically using the config in the PPP profile.

Look at the helpful comments you have on the rules, some may not be obvious, but others are:

- 500,4500 - IPSec
- 1701 - L2TP
- 1723 - PPTP
- 443 - SSTP
 
adrianTNT
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet

Re: L2TP / IPSEC Vpn clarifications and firewall limiting internet access

Thu Jun 18, 2020 4:49 pm

I saw the port comments, but I was thinking somehow IPsec is made inside the L2TP connection (port 1701) and I can disable 500 and 4500 for IPsec, but it was a wrong assumption :)

So if I add my L2TP interface both inside "Interfaces > interface lists" (e.g. under LAN) and I also specify "LAN" under the interface list of "PPP > profiles", then it disconnects me when I try to connect.
I wonder if this is a bug. Basically it refuses the connection when the PPP profile tries to add the L2TP interface to a list that already has the interface.
Otherwise it works OK if I only specify the interface list in one of the above locations.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: L2TP / IPSEC Vpn clarifications and firewall limiting internet access

Thu Jun 18, 2020 5:12 pm

It's the other way, L2TP inside IPSec. That's why I suggested:
- When you use L2TP/IPSec, you don't want to accept unencrypted L2TP, you can do that by adding ipsec-policy=in,ipsec to udp/1701 rule
And yes, the problem with the address list sounds like it could be a bug.
 
adrianTNT
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet

Re: L2TP / IPSEC Vpn clarifications and firewall limiting internet access

Thu Jun 18, 2020 5:45 pm

Thank you, one more :)

Is it OK that it seems to work with just ports 1701 and 500, without 4500?
Default comments said 4500 is the IPSEC and 500 for Internet Key Exchange.
A StackOverflow post says "port 4500 (for IPSEC NAT-Traversal mode)" not sure if I need that here or not.

I hope this^ is not related to the exact same thing you said above, I didn't enable that rule yet.
 
Sob
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: L2TP / IPSEC Vpn clarifications and firewall limiting internet access

Fri Jun 19, 2020 3:59 am

Simple old NAT-less IPsec uses port 500 for negotiating things and then the traffic itself is encrypted and sent as ESP packets (another protocol besides TCP, UDP, ...). It doesn't go very well with NAT, so there's also port 4500, which does the same as 500 and additionally is used for ESP packets wrapped in UDP. So you can have UDP 500 + ESP, UDP 500 + ESP wrapped in UDP 4500, or everything in UDP 4500. And that's just IPsec. L2TP is an additional thing, but it's the same for all previous combinations.
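As an added example (not from the thread, not RouterOS code), here is a small classifier for what the router sees on those UDP ports: IKE on 500, and on 4500 the NAT-T mix of IKE (prefixed by a four-zero-byte non-ESP marker), UDP-encapsulated ESP and one-byte keepalives, which is why one 4500 rule covers several things. Plain UDP/1701 is L2TP outside IPsec, the case Sob's ipsec-policy=in,ipsec match is meant to refuse. The sample datagrams are constructed, not captured.

```python
# Added example, not from the thread: classify what arrives on the ports Sob
# describes. UDP/500 carries only IKE. UDP/4500 (NAT-T, RFC 3948) multiplexes
# IKE, UDP-encapsulated ESP and 1-byte keepalives on one socket, told apart by
# the first bytes of the payload. Plain UDP/1701 is L2TP outside IPsec.
import struct

NAT_KEEPALIVE = b"\xff"                  # one 0xFF byte keeps the NAT mapping alive
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # prefixed to IKE when it is sent on 4500
IKE_HEADER_LEN = 28

def classify(dst_port: int, payload: bytes) -> str:
    """Return a label for one UDP datagram seen on the router's WAN side."""
    if dst_port == 500:
        return "ike" if len(payload) >= IKE_HEADER_LEN else "malformed"
    if dst_port == 1701:
        return "l2tp-plaintext"          # L2TP not wrapped in IPsec
    if dst_port != 4500:
        return "other"
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if payload.startswith(NON_ESP_MARKER):
        # ESP can never start with SPI 0 (reserved), so four zero bytes mean IKE.
        return "ike" if len(payload) >= 4 + IKE_HEADER_LEN else "malformed"
    if len(payload) >= 8:                # ESP header: SPI (4) + sequence number (4)
        spi, seq = struct.unpack("!II", payload[:8])
        if spi > 255:                    # SPIs 1..255 are reserved by IANA
            return f"esp-in-udp spi=0x{spi:08x} seq={seq}"
    return "malformed"

def build_ike(initiator_spi: bytes, length: int = IKE_HEADER_LEN) -> bytes:
    """Constructed IKEv2 header (IKE_SA_INIT request, flags=initiator); no payloads."""
    return initiator_spi + b"\x00" * 8 + bytes([0x21, 0x20, 0x22, 0x08]) + struct.pack("!II", 0, length)

# Constructed sample datagrams as (dst_port, payload); not captured traffic.
SAMPLES = [
    (500, build_ike(b"\x11" * 8)),
    (4500, NON_ESP_MARKER + build_ike(b"\x11" * 8)),
    (4500, struct.pack("!II", 0x0A1B2C3D, 7) + b"\x00" * 16),
    (4500, NAT_KEEPALIVE),
    (1701, b"\xc8\x02\x00\x0c\x00\x00\x00\x00\x00\x00\x00\x00"),  # L2TP control header
]

def summarise(samples=SAMPLES) -> dict:
    """Count labels over the samples (ESP entries collapse to their kind)."""
    counts: dict = {}
    for port, payload in samples:
        kind = classify(port, payload).split()[0]
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```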
 
adrianTNT
Member Candidate
Topic Author
Posts: 113
Joined: Sun Mar 10, 2019 4:27 am
Location: The Internet

Re: L2TP / IPSEC Vpn clarifications and firewall limiting internet access

Mon Jun 22, 2020 2:55 am

iPhone connected just fine, but I cannot get it to connect on Android 10.
Edit: never mind, I got it working and I like my router again :P

Worked with these options, maybe someone else comes across this:

Type: L2TP/IPSec PSK
L2TP secret: <blank> (if none specified under PPP > L2TP secrets)
IPSec identifier: <blank>
IPSec secret: **********
Username filled
Password filled

.... Aaaannndd just great, there is a popular "bug" on Google Pixel devices that disconnects L2TP/IPsec after around 80 seconds.
Big Brother probably has some surveillance to do and this encryption is bugging them :?