quax08

MikroTik L2TP/IPsec: no access to the LAN, but access to the router and to the sites connected via VPN

Hello,

I have connected two sites via IPsec, and now I wanted to set up a road-warrior connection via L2TP/IPsec. That works so far, but unfortunately I have no access to the LAN. Pings to the router and from the router work. Access to the networks connected via IPsec works as well.
As you can see in the config, IP addresses from the LAN network are handed out to the clients. For the DHCP server I have accordingly limited the range for the LAN and created a separate pool for L2TP. Even if I specify the normal LAN pool in the L2TP config, I don't get a connection into the LAN.
Proxy ARP is enabled on the bridge. That is what the MikroTik example and various other pages say.

For testing I also disabled all drop rules; even then, unfortunately, no ping to the devices in the LAN was possible.
The devices in the LAN have no firewall active and are reachable from the other site-to-site connections.

Here is the config:

[admin@MainRouter] > ppp profile export hide-sensitive
# sep/08/2020 11:19:29 by RouterOS 6.47.2
# software id = 78NP-AYW9
#
# model = RouterBOARD 3011UiAS
# serial number = 5D6B0560E360
/ppp profile
add change-tcp-mss=yes local-address=172.16.51.1 name=l2tp-server-profile \
    remote-address=l2tp-pool use-encryption=yes use-ipv6=no use-upnp=no


[admin@MainRouter] > ip ipsec export hide-sensitive
# sep/08/2020 11:21:38 by RouterOS 6.47.2
# software id = 78NP-AYW9
#
# model = RouterBOARD 3011UiAS
# serial number = 5D6B0560E360
/ip ipsec profile
set [ find default=yes ] dh-group=modp4096,modp2048,modp1024 enc-algorithm=\
    aes-256,aes-192 hash-algorithm=sha256 lifetime=45m
add dh-group=modp2048 enc-algorithm=aes-256,aes-128,3des hash-algorithm=\
    sha256 lifetime=8h name=profile-yyyy
add enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 lifetime=8h name=\
    profile-xxxx
/ip ipsec peer
add address=xyxyxy.de exchange-mode=ike2 name=yyyy profile=\
    profile-yyyy
add exchange-mode=ike2 name=xxxx passive=yes profile=profile-xxxx \
    send-initial-contact=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha512,sha256 enc-algorithms=\
    aes-256-cbc,aes-256-ctr,aes-256-gcm
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=1h \
    name=yyyy pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=1h \
    name=xxxx pfs-group=modp2048
/ip ipsec identity
add my-id=user-fqdn:mikrotik@vpn.intern peer=yyyy remote-id=\
    user-fqdn:pfsense@vpn.intern
add my-id=user-fqdn:3011@vpn.intern peer=xxxx remote-id=\
    user-fqdn:hap@vpn.intern
/ip ipsec policy
add dst-address=172.16.1.0/24 peer=yyyy proposal=yyyy \
    sa-dst-address=ersterStandort sa-src-address=eigeneWANIP src-address=\
    172.16.51.0/24 tunnel=yes
add dst-address=192.168.18.0/24 peer=xxxx proposal=xxxx sa-dst-address=\
    zweiterStandort sa-src-address=eigeneWANIP src-address=172.16.51.0/24 \
    tunnel=yes


[admin@MainRouter] > ip pool export hide-sensitive
# sep/08/2020 11:26:26 by RouterOS 6.47.2
# software id = 78NP-AYW9
#
# model = RouterBOARD 3011UiAS
# serial number = 5D6B0560E360
/ip pool
add name=dhcp ranges=172.16.51.200-172.16.51.250
add name=l2tp-pool ranges=172.16.51.190-172.16.51.199


[admin@MainRouter] > ip firewall export hide-sensitive
# sep/08/2020 11:45:37 by RouterOS 6.47.2
# software id = 78NP-AYW9
#
# model = RouterBOARD 3011UiAS
# serial number = 5D6B0560E360
/ip firewall filter
add action=accept chain=input dst-port=500,1701,4500 in-interface=pppoe-out1 \
    protocol=udp
add action=accept chain=input in-interface=pppoe-out1 protocol=ipsec-esp
add action=drop chain=input comment="Drop Invalid connections" \  
    connection-state=invalid
add action=accept chain=input comment="Allow ICMP" protocol=icmp  
add action=accept chain=input in-interface=!pppoe-out1 src-address=\
    172.16.51.0/24
add action=drop chain=forward comment="drop invalid connections" \  
    connection-state=invalid protocol=tcp
add action=accept chain=forward comment=\
    "allow already established connections" connection-state=established  
add action=accept chain=forward comment="allow related connections" \  
    connection-state=related
add action=accept chain=forward dst-address=172.16.1.0/24
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 \  
    protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 \  
    protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp  
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp  
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp  
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 \  
    protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp  
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=\  
    tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp  
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp  
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 \  
    protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 \  
    protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp  
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp  
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=\  
    udp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=\  
    icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 \  
    protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 \  
    protocol=icmp
add action=accept chain=icmp comment=\
    "host unreachable fragmentation required" icmp-options=3:4 protocol=icmp  
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 \  
    protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 \  
    protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 \  
    protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 \  
    protocol=icmp
add action=drop chain=icmp comment="deny all other types"  
add action=accept chain=input in-interface=!pppoe-out2 src-address=\
    172.16.110.0/24
add action=accept chain=input comment="Allow Established connections" \  
    connection-state=established
add action=drop chain=input comment="Drop everything eslse"  
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=Konsolen-vlan106 \
    new-connection-mark=Konsolen-Conn passthrough=yes
add action=mark-connection chain=prerouting in-interface=Kamera-vlan100 \
    new-connection-mark=Kamera-Conn passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Konsolen-Conn \
    new-packet-mark=Konsolen-Pack passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Kamera-Conn \
    new-packet-mark=Kamera-Pack passthrough=yes
add action=accept chain=prerouting dst-address=192.168.2.0/24 in-interface=\
    bridge1
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-out1 new-connection-mark=WAN-Telekom-Conn passthrough=\
    yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=pppoe-out2 new-connection-mark=WAN-gggg-Conn passthrough=\
    yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    WAN-Telekom-Conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge1 new-connection-mark=\
    WAN-gggg-Conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN-Telekom-Conn \
    in-interface=bridge1 new-routing-mark=Telekom-Routing passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN-gggg-Conn \
    in-interface=bridge1 new-routing-mark=gggg-Routing passthrough=yes
add action=mark-routing chain=output connection-mark=WAN-Telekom-Conn \
    new-routing-mark=Telekom-Routing passthrough=yes
add action=mark-routing chain=output connection-mark=WAN-gggg-Conn \
    new-routing-mark=gggg-Routing passthrough=yes
/ip firewall nat
add action=accept chain=srcnat comment="VPN yyyy" dst-address=\  
    172.16.1.0/24 src-address=172.16.51.0/24
add action=accept chain=srcnat comment=xxxx dst-address=192.168.18.0/24 \
    src-address=172.16.51.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.0/24 out-interface=\
    ether1 src-address=172.16.51.0/24
add action=masquerade chain=srcnat comment="Telekom PPPoE" out-interface=\  
    pppoe-out1
add action=masquerade chain=srcnat comment="gggg PPPoE" out-interface=\  
    pppoe-out2
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
[admin@MainRouter] >

Many thanks in advance for the help

Regards
quax08

Url: https://administrator.de/contentid/602701

Member: aqui
aqui Sep 08, 2020 updated at 10:42:32 (UTC)
Did you follow this??
Scheitern am IPsec VPN mit MikroTik ("Failing at the IPsec VPN with MikroTik")

Possible errors:
  • Proxy ARP enabled?
  • Forgot to enter the L2TP VPN client IP addresses in the MT firewall so that they are exempted from NAT (address translation)?
  • If you are pinging Windows devices, you may need to allow ICMP (ping) in their firewall, where it is blocked by default.
  • Are the return routes correct? That is, do the pinged devices have a gateway entry?
Member: quax08
quax08 Sep 08, 2020 at 11:37:52 (UTC)
Hi, thanks for the reply.


Quote from @aqui:

Did you follow this??
Scheitern am IPsec VPN mit MikroTik ("Failing at the IPsec VPN with MikroTik")

Possible errors:
  • Proxy ARP enabled?
Proxy ARP is enabled on the bridge.
[Image: proxy arp]

  • Forgot to enter the L2TP VPN client IP addresses in the MT firewall so that they are exempted from NAT (address translation)?
The IP is from the LAN network after all; even if I enter it in the firewall so that it is exempted from NAT, it doesn't work.

  • If you are pinging Windows devices, you may need to allow ICMP (ping) in their firewall, where it is blocked by default.
The firewall is disabled as described above. Besides, the devices can be pinged from the other sites.

  • Are the return routes correct? That is, do the pinged devices have a gateway entry?
Yes, the devices have a gateway entry. All traffic is also supposed to be routed via the VPN, and that works. Likewise I can reach the devices at the other sites. Just not at the site where I dial in.

Regards
Member: aqui
Solution aqui Sep 08, 2020 at 12:07:08 (UTC)
Member: quax08
quax08 Sep 08, 2020 at 15:53:57 (UTC)
Yes, but that doesn't help. I can already reach the router this way, just not the LAN. Even if I allow everything in input and forward, I cannot access clients in the LAN.

I have also already created a new pool with a different network. On connecting I get an IP from that pool, and if I then create a rule for input, I can reach the router from that network as well. I can also get to the Internet, but not to the devices in the LAN...

Regards
Member: aqui
Solution aqui Sep 09, 2020, updated at Sep 11, 2020 at 08:30:38 (UTC)
To verify this, I put together a small test setup:

[Image: grel2tp-test]

Two MikroTiks with a site-to-site IPsec VPN, a GRE tunnel and dynamic routing were already running. Standard firewall from the default config. On the red one I then simply added an L2TP server.

Config of the two devices:
Mikrotik 1:
 [admin@RB750GL] > export
# sep/09/2020 08:38:25 by RouterOS 6.47.3
#
# model = 750GL

/interface bridge
add admin-mac=D4:CA:6D:12:76:34 arp=proxy-arp auto-mac=no comment=Bridge name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="WAN Interface"
/interface gre
add allow-fast-path=no ipsec-secret=geheim123 local-address=10.99.1.149 mtu=1400 name=\
    gre-tunnel-RB750 remote-address=10.1.1.150
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256,aes-128 nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc \
    pfs-group=modp2048
/ip pool
add name=dhcp_pool1 ranges=192.168.188.100-192.168.188.150
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=bridge 
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/interface l2tp-server server
set authentication=mschap2 enabled=yes ipsec-secret=test1234 use-ipsec=yes
/ip address
add address=192.168.188.1/24 comment="Lokales LAN" interface=bridge network=192.168.188.0
add address=172.31.31.13/30 interface=gre-tunnel-RB750 network=172.31.31.12
/ip dhcp-client
add comment="Internet Port" disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.188.0/24 dhcp-option="NTP Server" domain=home.arpa gateway=\
    192.168.188.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=\
    out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
/ip ipsec settings
set accounting=no
/ppp secret
add local-address=192.168.188.1 name=testuser password=test123 remote-address=\
    192.168.188.222 service=l2tp
/routing rip
set redistribute-static=yes
/routing rip interface
add interface=bridge passive=yes receive=v2
add interface=gre-tunnel-RB750 receive=v2
/routing rip network
add network=192.168.188.0/24
add network=172.31.31.12/30
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=RB750GL
/system ntp client
set enabled=yes
[admin@RB750GL] > 
Mikrotik 2:
 [admin@RB750] > export
# sep/09/2020 08:12:58 by RouterOS 6.47.3
#
# model = 750

/interface bridge
add admin-mac=00:0C:42:12:90:34 auto-mac=no comment="VLAN Bridge" igmp-snooping=yes name=\
    bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] comment="WAN Port (NAT)"
set [ find default-name=ether3 ] comment="Management (VLAN1)"
set [ find default-name=ether5 ] comment="Tagged Uplink"
/interface gre
add allow-fast-path=no comment="GRE Tunnel RB750" ipsec-secret=geheim123 local-address=\
    10.1.1.150 mtu=1400 name=gre-tunnel-RB750G remote-address=10.99.1.149
add allow-fast-path=no comment="GRE Tunnel hAP" ipsec-secret=test123 local-address=\
    10.1.1.150 name=gre-tunnel-hap remote-address=10.99.1.199
/interface vlan
add interface=bridge name=vlan1 vlan-id=1
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan20 vlan-id=20
add interface=bridge name=vlan30 vlan-id=30
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=aes-256,aes-128 nat-traversal=no
add dh-group=modp2048 enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 name=Cisco \
    nat-traversal=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc \
    pfs-group=modp2048
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=1h name=Cisco \
    pfs-group=modp2048
/ip pool
add name=Pool1 ranges=192.168.88.100-192.168.88.150
add name=Pool10 ranges=172.16.88.15-172.16.88.20
add name=Pool20 ranges=172.16.88.150-172.16.88.200
add name=Pool30 ranges=192.168.178.100-192.168.178.120
/ip dhcp-server
add address-pool=Pool10 disabled=no interface=vlan10 name="DHCP VLAN-10"
add address-pool=Pool1 disabled=no interface=vlan1 name="DHCP VLAN-1"
add address-pool=Pool20 disabled=no interface=vlan20 name="DHCP VLAN-20"
add address-pool=Pool30 disabled=no interface=vlan30 name="DHCP VLAN-30"
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether4 \
    pvid=30
add bridge=bridge frame-types=admit-only-vlan-tagged interface=vlan1
add bridge=bridge frame-types=admit-only-vlan-tagged interface=vlan10 pvid=10
add bridge=bridge frame-types=admit-only-vlan-tagged interface=vlan20 pvid=20
add bridge=bridge comment="Uplink Switch" interface=ether5
add bridge=bridge frame-types=admit-only-vlan-tagged interface=vlan30 pvid=30
/interface bridge vlan
add bridge=bridge tagged=vlan1,bridge untagged=ether5 vlan-ids=1
add bridge=bridge tagged=bridge,vlan10,ether5 vlan-ids=10
add bridge=bridge tagged=bridge,vlan20,ether5 vlan-ids=20
add bridge=bridge tagged=bridge,vlan30,ether5 untagged=ether4 vlan-ids=30
/ip address
add address=192.168.88.1/24 comment="L3 VLAN 1" interface=vlan1 network=192.168.88.0
add address=172.16.88.1/25 comment="L3 VLAN-10" interface=vlan10 network=172.16.88.0
add address=172.16.88.129/25 comment="L3 VLAN-20" interface=vlan20 network=172.16.88.128
add address=172.31.31.2/30 comment="GRE Tunnel IP hAP" interface=gre-tunnel-hap network=\
    172.31.31.0
add address=172.31.31.14/30 interface=gre-tunnel-RB750G network=172.31.31.12
add address=192.168.178.1/24 interface=vlan30 network=192.168.178.0
/ip dhcp-client
add comment=WAN-Port disabled=no interface=ether1
/ip dhcp-server network
add address=172.16.88.0/25 comment=VLAN-10 dns-server=192.168.7.254 gateway=172.16.88.1 \
    netmask=25
add address=172.16.88.128/25 comment=VLAN-20 dns-server=192.168.7.254 gateway=172.16.88.129 \
    netmask=25
add address=192.168.88.0/24 comment=VLAN-1 gateway=192.168.88.1 netmask=24
add address=192.168.178.0/24 dns-server=192.168.7.254 gateway=192.168.178.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=\
    out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
/ip service
set telnet address=192.168.88.0/24
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.88.0/24
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/routing rip interface
add receive=v2
add interface=vlan1 passive=yes receive=v2
add interface=vlan10 passive=yes receive=v2
add interface=vlan20 passive=yes receive=v2
add interface=gre-tunnel-hap receive=v2
add interface=gre-tunnel-RB750G receive=v2
/routing rip network
add network=172.31.31.8/30
add network=192.168.88.0/24
add network=172.16.88.0/25
add network=172.16.88.128/25
add network=172.31.31.0/30
add network=172.31.31.12/30
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=RB750
/system ntp client
set enabled=yes
[admin@RB750] > 

Conclusion:
Works flawlessly and without any problems. All end devices in the respective local LANs can be pinged and reached from the L2TP client without any trouble!
Your behaviour cannot be reproduced at all!!
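The two points the thread keeps coming back to are whether the address handed to the L2TP client lies inside the LAN subnet configured on the bridge and whether that bridge actually runs proxy-ARP (as `arp=proxy-arp` on the RB750GL above does). The following script, added here as an example and not code from the thread or from MikroTik, reads a RouterOS `/export` and checks both. The two exports inside it are constructed excerpts: `GOOD_EXPORT` follows the working RB750GL config, `BAD_EXPORT` uses the original poster's pool and profile together with a bridge that lacks proxy-ARP (an assumption, since the poster's bridge config is not shown).

```python
"""Check a RouterOS export for the L2TP road-warrior prerequisites:
the client address must lie inside a LAN subnet configured on the bridge,
and that bridge must have arp=proxy-arp so LAN hosts get an ARP answer
for the VPN client. Added example; the exports are constructed excerpts.
"""
import ipaddress
import shlex

# Constructed excerpt modelled on the working RB750GL in the thread.
GOOD_EXPORT = """\
/interface bridge
add admin-mac=D4:CA:6D:12:76:34 arp=proxy-arp auto-mac=no comment=Bridge name=bridge
/ip pool
add name=dhcp_pool1 ranges=192.168.188.100-192.168.188.150
/ip address
add address=192.168.188.1/24 comment="Lokales LAN" interface=bridge network=192.168.188.0
/ppp secret
add local-address=192.168.188.1 name=testuser password=PLACEHOLDER remote-address=\\
    192.168.188.222 service=l2tp
"""

# Constructed excerpt: the poster's pool/profile plus an assumed bridge without proxy-ARP.
BAD_EXPORT = """\
/interface bridge
add auto-mac=no name=bridge1
/ip pool
add name=dhcp ranges=172.16.51.200-172.16.51.250
add name=l2tp-pool ranges=172.16.51.190-172.16.51.199
/ip address
add address=172.16.51.1/24 interface=bridge1 network=172.16.51.0
/ppp profile
add change-tcp-mss=yes local-address=172.16.51.1 name=l2tp-server-profile \\
    remote-address=l2tp-pool use-encryption=yes use-ipv6=no use-upnp=no
"""


def parse_export(text):
    """Return (section, command, {key: value}) tuples from an /export.

    RouterOS wraps long commands with a trailing backslash and indents the
    continuation; the continuation is glued on without its indentation so a
    wrapped 'key=' + 'value' pair stays one token.
    """
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip() if buf else raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    entries, section = [], None
    for line in joined:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            section = line          # e.g. "/ip address", "/interface bridge port"
            continue
        tokens = shlex.split(line)  # honours quoted values such as comment="..."
        kv = dict(tok.split("=", 1) for tok in tokens[1:] if "=" in tok)
        entries.append((section, tokens[0], kv))
    return entries


def pool_endpoints(ranges):
    """First and last address of every 'a-b' (or single 'a') range in a pool."""
    addrs = []
    for part in ranges.split(","):
        lo, _, hi = part.partition("-")
        addrs.append(ipaddress.ip_address(lo))
        if hi:
            addrs.append(ipaddress.ip_address(hi))
    return addrs


def check_l2tp_lan_access(text):
    """Return a list of findings; an empty list means both requirements hold."""
    entries = parse_export(text)
    proxy_arp_bridges = {kv.get("name") for s, c, kv in entries
                         if s == "/interface bridge" and c == "add"
                         and kv.get("arp") == "proxy-arp"}
    lan_nets = {kv["interface"]: ipaddress.ip_interface(kv["address"]).network
                for s, c, kv in entries
                if s == "/ip address" and c == "add" and "address" in kv}
    pools = {kv["name"]: kv["ranges"] for s, c, kv in entries
             if s == "/ip pool" and c == "add"}

    # Candidate client addresses: a fixed remote-address, or the ends of the
    # pool a profile/secret points at (pools are contiguous, so ends suffice).
    client_addrs = []
    for s, c, kv in entries:
        if s in ("/ppp profile", "/ppp secret") and "remote-address" in kv:
            ra = kv["remote-address"]
            client_addrs += (pool_endpoints(pools[ra]) if ra in pools
                             else [ipaddress.ip_address(ra)])

    findings = []
    if not client_addrs:
        findings.append("no L2TP client address found in /ppp profile or /ppp secret")
    for addr in client_addrs:
        holders = [ifc for ifc, net in lan_nets.items() if addr in net]
        if not holders:
            findings.append(f"{addr} lies outside every configured LAN subnet; "
                            "LAN hosts then need a route back to it")
        for ifc in holders:
            if ifc not in proxy_arp_bridges:
                findings.append(f"{addr} lies inside {lan_nets[ifc]} on {ifc}, "
                                f"but {ifc} has no arp=proxy-arp")
    return findings


if __name__ == "__main__":
    for label, export in (("RB750GL-style", GOOD_EXPORT), ("poster-style", BAD_EXPORT)):
        print(label, check_l2tp_lan_access(export) or "OK")
```

Paste the output of `/export hide-sensitive` from the router into the `text` argument; the check deliberately looks only at `/interface bridge`, `/ip address`, `/ip pool` and `/ppp` sections, so firewall and mangle rules do not affect it.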
Member: quax08
quax08 Sep 09, 2020 at 18:22:01 (UTC)
Hi, thanks for the reply.

I have added the rules you mentioned from the default config, the ones where in and out are specified with IPsec, to my rules; nevertheless I cannot reach any devices in the LAN via the road-warrior connection. I did the whole thing. Here is the firewall log:

19:58:37 system,info filter rule moved by admin
19:58:43 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (SYN), 172.16.51.199:48588->192.168.51.50:80, len 60
19:58:43 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (SYN), 172.16.51.199:48590->192.168.51.50:80, len 60
19:58:44 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:54372->192.168.252.6:53, len 78
19:58:44 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:49025->192.168.252.5:53, len 78
19:58:45 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (SYN), 172.16.51.199:48592->192.168.51.50:80, len 60
19:58:45 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (SYN), 172.16.51.199:48594->192.168.51.50:80, len 60
19:58:46 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (SYN), 172.16.51.199:48596->192.168.51.50:80, len 60
19:58:46 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (SYN), 172.16.51.199:48598->192.168.51.50:80, len 60
19:58:54 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:37602->192.168.252.6:53, len 78
19:59:04 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:36156->8.8.8.8:53, len 78
19:59:04 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41882->192.168.252.3:53, len 71
19:59:05 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:63316->192.168.252.3:53, len 71
19:59:15 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:52553->192.168.252.4:53, len 71
19:59:15 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:52860->192.168.252.3:53, len 71
19:59:15 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:50073->192.168.252.4:53, len 71
19:59:15 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:48744->192.168.252.3:53, len 71
19:59:16 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (SYN), 172.16.51.199:48600->192.168.51.50:80, len 60
19:59:16 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (SYN), 172.16.51.199:48602->192.168.51.50:80, len 60
19:59:49 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (SYN), 172.16.51.199:48604->192.168.51.50:80, len 60
19:59:49 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (SYN), 172.16.51.199:48606->192.168.51.50:80, len 60
19:59:50 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (SYN), 172.16.51.199:48947->217.237.xxx.xxx:853, len 60
19:59:50 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK), 172.16.51.199:48947->217.237.xxx.xxx:853, NAT (172.16.51.199:48947->93.229.73.xxx:48947)->217.237.xxx.xxx:853, len 52
19:59:50 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK,PSH), 172.16.51.199:48947->217.237.xxx.xxx:853, NAT (172.16.51.199:48947->93.229.73.xxx:48947)->217.237.xxx.xxx:853, len 569
19:59:50 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK), 172.16.51.199:48947->217.237.xxx.xxx:853, NAT (172.16.51.199:48947->93.229.73.xxx:48947)->217.237.xxx.xxx:853, len 52
19:59:51 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK,PSH), 172.16.51.199:48947->217.237.xxx.xxx:853, NAT (172.16.51.199:48947->93.229.73.xxx:48947)->217.237.xxx.xxx:853, len 103
19:59:51 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK,PSH), 172.16.51.199:48947->217.237.xxx.xxx:853, NAT (172.16.51.199:48947->93.229.73.xxx:48947)->217.237.xxx.xxx:853, len 211
19:59:51 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.xxx.xxx:443, len 996
19:59:51 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK), 172.16.51.199:48947->217.237.xxx.xxx:853, NAT (172.16.51.199:48947->93.229.73.xxx:48947)->217.237.xxx.xxx:853, len 52
19:59:51 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.xxx.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 1378
19:59:51 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.xxx.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 61
19:59:51 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.xxx.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 61
19:59:51 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.xxx.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 61
19:59:52 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:43141->192.168.252.5:53, len 71
19:59:52 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:33403->192.168.252.4:53, len 71
19:59:52 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:33410->192.168.252.3:53, len 71
19:59:52 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:39599->192.168.252.3:53, len 71
19:59:52 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:47663->192.168.252.4:53, len 71
19:59:52 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:62546->192.168.252.5:53, len 71
19:59:52 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 216
19:59:52 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 61
19:59:52 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 61
19:59:52 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 217
19:59:52 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 71
19:59:52 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 61
19:59:52 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 61
19:59:52 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 219
19:59:53 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 61
19:59:53 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 61
19:59:53 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 225
19:59:53 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 61
19:59:53 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 61
19:59:54 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 224
19:59:54 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 61
19:59:54 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 61
19:59:54 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK), 172.16.51.199:42669->69.171.250:443, NAT (172.16.51.199:42669->93.229.73.xxx:42669)->69.171.250.:443, len 52
19:59:54 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK,PSH), 172.16.51.199:42669->69.171.250.:443, NAT (172.16.51.199:42669->93.229.73.xxx:42669)->69.171.250.:443, len 55
19:59:54 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK,PSH), 172.16.51.199:42669->69.171.250.:443, NAT (172.16.51.199:42669->93.229.73.xxx:42669)->69.171.250.:443, len 78
19:59:54 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 225
19:59:54 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42133->172.16.51.50:80, len 60
19:59:54 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42135->172.16.51.50:80, len 60
19:59:55 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 61
19:59:55 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 61
19:59:55 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 226
19:59:55 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 61
19:59:55 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 61
19:59:55 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42135->172.16.51.50:80, len 60
19:59:55 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42133->172.16.51.50:80, len 60
19:59:57 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42135->172.16.51.50:80, len 60
19:59:57 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42133->172.16.51.50:80, len 60
20:00:01 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42135->172.16.51.50:80, len 60
20:00:01 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42133->172.16.51.50:80, len 60
20:00:02 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:44598->192.168.252.6:53, len 71
20:00:02 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:48426->192.168.252.5:53, len 71
20:00:02 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:65312->192.168.252.4:53, len 71
20:00:02 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:49764->192.168.252.5:53, len 71
20:00:02 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:47396->192.168.252.6:53, len 71
20:00:02 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:39918->192.168.252.4:53, len 71
20:00:06 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK), 172.16.51.199:48947->217.237.149.xxx:853, NAT (172.16.51.199:48947->93.229.73.xxx:48947)->217.237.149.xxx:853, len 52
20:00:09 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42135->172.16.51.50:80, len 60
20:00:09 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42133->172.16.51.50:80, len 60
20:00:11 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK,PSH), 172.16.51.199:48947->217.237.149.xxx:853, NAT (172.16.51.199:48947->93.229.73.xxx:48947)->217.237.149.xxx:853, len 83
20:00:11 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK,FIN), 172.16.51.199:48947->217.237.149.xxx:853, NAT (172.16.51.199:48947->93.229.73.xxx:48947)->217.237.149.xxx:853, len 52
20:00:11 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (RST), 172.16.51.199:48947->217.237.149.xxx:853, NAT (172.16.51.199:48947->93.229.73.xxx:48947)->217.237.149.xxx:853, len 40
20:00:11 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (RST), 172.16.51.199:48947->217.237.149.xxx:853, NAT (172.16.51.199:48947->93.229.73.xxx:48947)->217.237.149.xxx:853, len 40
20:00:12 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:57319->192.168.252.5:53, len 71
20:00:12 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:38211->192.168.252.5:53, len 71
20:00:12 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:32953->192.168.252.6:53, len 71
20:00:12 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:36448->192.168.252.6:53, len 71
20:00:22 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:46786->192.168.252.6:53, len 71
20:00:22 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:44754->192.168.252.6:53, len 71
20:00:26 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42137->172.16.51.50:80, len 60
20:00:26 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42139->172.16.51.50:80, len 60
20:00:27 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42137->172.16.51.50:80, len 60
20:00:27 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42139->172.16.51.50:80, len 60
20:00:29 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42139->172.16.51.50:80, len 60
20:00:29 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42137->172.16.51.50:80, len 60
20:00:48 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42139->172.16.51.50:80, len 60
20:00:48 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42137->172.16.51.50:80, len 60
20:00:48 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:60603->8.8.8.8:53, len 71
20:00:48 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:64938->8.8.8.8:53, len 71
20:00:48 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:37135->192.168.252.3:53, len 77
20:01:14 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK), 172.16.51.199:49407->172.217.18.163:443, NAT (172.16.51.199:49407->93.229.73.xxx:49407)->172.217.18.163:443, len 64
20:01:14 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK), 172.16.51.199:49407->172.217.18.163:443, NAT (172.16.51.199:49407->93.229.73.xxx:49407)->172.217.18.163:443, len 52
20:01:15 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42139->172.16.51.50:80, len 60
20:01:15 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42137->172.16.51.50:80, len 60
20:01:28 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK,PSH), 172.16.51.199:42669->69.171.xxx:443, NAT (172.16.51.199:42669->93.229.73.xxx:42669)->69.171.xxx:443, len 55
20:01:28 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK,PSH), 172.16.51.199:42669->69.171.xxx:443, NAT (172.16.51.199:42669->93.229.73.xxx:42669)->69.171.xxx:443, len 87
20:01:29 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK), 172.16.51.199:42669->69.171.xxx:443, NAT (172.16.51.199:42669->93.229.73.xxx:42669)->69.171.xxx:443, len 52
20:01:34 system,info filter rule changed by admin
20:01:47 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42141->172.16.51.50:80, len 60
20:01:47 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42143->172.16.51.50:80, len 60
20:01:48 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42143->172.16.51.50:80, len 60
20:01:48 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42141->172.16.51.50:80, len 60
20:01:50 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42143->172.16.51.50:80, len 60
20:01:50 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42141->172.16.51.50:80, len 60
20:01:54 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42143->172.16.51.50:80, len 60
20:01:54 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42141->172.16.51.50:80, len 60
20:02:03 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42143->172.16.51.50:80, len 60
20:02:03 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42141->172.16.51.50:80, len 60

As you can see on line 60, the IN interface is the L2TP connection and OUT is the bridge; that is how it should be, isn't it?!

Regards and thanks

quax
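The log above carries the diagnostic signal the rest of the thread turns on: the SYNs to 172.16.51.50:80 are forwarded from the L2TP interface to bridge1, but the same client port keeps retrying with doubling backoff (19:59:54, :55, :57, 20:00:01, 20:00:09) and never sends an ACK, whereas the connections out through pppoe-out1 reach ACK/PSH within the same second. The script below is an added example, not part of the original post or of RouterOS: it parses lines in this firewall log format and separates flows whose handshake completed from flows that only ever retransmitted a bare SYN. The sample lines are constructed here in the post's format (the masked external addresses are kept masked); the regular expression and the function names are this example's own. One caveat a practitioner would add: the logging rule only matched in:<l2tp-handy>, so the absence of return packets in the log proves nothing by itself; the bare-SYN retransmission pattern is the evidence that no SYN/ACK ever reached the client.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the RouterOS firewall log quoted above.
# Addresses and ports follow the post (external addresses are masked as 'xxx'
# there, and the mask is kept here); the lines are assembled for this example,
# not copied from the router.
SAMPLE_LOG = """\
19:59:54 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:41381->216.58.205.xxx:443, NAT (172.16.51.199:41381->93.229.73.xxx:41381)->216.58.205.xxx:443, len 224
19:59:54 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK), 172.16.51.199:42669->69.171.250.xxx:443, NAT (172.16.51.199:42669->93.229.73.xxx:42669)->69.171.250.xxx:443, len 52
19:59:54 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto TCP (ACK,PSH), 172.16.51.199:42669->69.171.250.xxx:443, NAT (172.16.51.199:42669->93.229.73.xxx:42669)->69.171.250.xxx:443, len 55
19:59:54 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42133->172.16.51.50:80, len 60
19:59:55 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42133->172.16.51.50:80, len 60
19:59:57 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42133->172.16.51.50:80, len 60
20:00:01 firewall,info forward: in:<l2tp-handy> out:bridge1, proto TCP (SYN), 172.16.51.199:42133->172.16.51.50:80, len 60
20:00:02 firewall,info forward: in:<l2tp-handy> out:pppoe-out1, proto UDP, 172.16.51.199:44598->192.168.252.6:53, len 71
"""

# One log line: time, chain, in/out interface, protocol (+ TCP flags),
# src->dst, an optional NAT annotation and the packet length.
LINE_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}) firewall,\w+ (?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>\S+), proto (?P<proto>\w+)"
    r"(?: \((?P<flags>[^)]*)\))?, (?P<src>[^\s,]+)->(?P<dst>[^\s,]+)"
    r"(?:, NAT [^,]+)?, len (?P<length>\d+)$"
)


def parse_line(line):
    """Parse one firewall log line into a dict; return None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = set(rec["flags"].split(",")) if rec["flags"] else set()
    rec["src_ip"], rec["src_port"] = rec["src"].rsplit(":", 1)
    rec["dst_ip"], rec["dst_port"] = rec["dst"].rsplit(":", 1)
    rec["length"] = int(rec["length"])
    return rec


def summarize_flows(lines):
    """Group logged packets by 5-tuple and classify each flow.

    TCP flows:  'established' if any packet carried ACK (the client must have
                received a SYN/ACK to send that), 'syn_only' if every packet
                was a bare SYN (handshake never completed), else 'other'.
    Non-TCP flows are labelled with their protocol and just counted.
    """
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            key = (rec["proto"], rec["src_ip"], rec["src_port"],
                   rec["dst_ip"], rec["dst_port"])
            flows[key].append(rec)

    summary = {}
    for key, pkts in flows.items():
        if key[0] == "TCP":
            if any("ACK" in p["flags"] for p in pkts):
                state = "established"
            elif all(p["flags"] == {"SYN"} for p in pkts):
                state = "syn_only"
            else:
                state = "other"
        else:
            state = key[0].lower()
        summary[key] = {
            "state": state,
            "packets": len(pkts),
            "out_if": sorted({p["out_if"] for p in pkts}),
            "first": pkts[0]["time"],
            "last": pkts[-1]["time"],
        }
    return summary


def stuck_handshakes(lines, min_retries=2):
    """Flows that did nothing but retransmit SYN: the client never saw a reply."""
    return {k: v for k, v in summarize_flows(lines).items()
            if v["state"] == "syn_only" and v["packets"] >= min_retries}


if __name__ == "__main__":
    for key, info in summarize_flows(SAMPLE_LOG.splitlines()).items():
        proto, sip, sport, dip, dport = key
        print(f"{proto} {sip}:{sport} -> {dip}:{dport} via {','.join(info['out_if'])}: "
              f"{info['state']} ({info['packets']} pkts, {info['first']}..{info['last']})")
    for key in stuck_handshakes(SAMPLE_LOG.splitlines()):
        print("no reply ever reached the client for", key)
```

Run against the full log from the post (saved to a file and passed as lines), every flow towards out:bridge1 lands in `stuck_handshakes`, while the 443 flows via pppoe-out1 come out as established. The DNS queries to 192.168.252.x show out:pppoe-out1 without a NAT annotation, which is what policy-based IPsec looks like in this log: the packet is routed towards the WAN first and encapsulated by the IPsec policy afterwards, so that is consistent with the remote sites being reachable.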
Member: aqui
Solution aqui Sep 10, 2020 updated at 07:27:57 (UTC)
It must in fact be down to your config or a wrong FW rule. As I said, in a standard config with a typical Internet firewall the error cannot be reproduced.
The setup above runs flawlessly!
Maybe temporarily disable your rules step by step, except for the most important ones, and check which one is blocking the VPN traffic?!
Member: quax08
quax08 Sep 10, 2020 at 18:26:44 (UTC)
Hey,
I have already disabled all drop rules.
When I look on the server with tcpdump, the requests do arrive.

I'll solve it differently for now until I have the time to reproduce it again calmly. I can also reach the configured VLANs over the connection, which is how it is supposed to be at the moment.
It's just that from the LAN the packets seem to go back out over the PPPoE connection. I have now created a separate network and with that it is working for now.

Thanks for your help ;)

Regards
quax
Member: aqui
aqui Sep 11, 2020 at 08:31:25 (UTC)
You're welcome... ;)

If that was it, please also don't forget
How can I mark a post as solved?