The L2TP/IPSec VPN server is a Mikrotik router, with these firewall configurations:
/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; VPN L2TP port 500
chain=input action=accept protocol=udp in-interface=pppoe-out1
dst-port=500
2 ;;; VPN L2TP port 1701
chain=input action=accept protocol=udp in-interface=pppoe-out1
dst-port=1701
3 ;;; VPN L2TP port 4500
chain=input action=accept protocol=udp in-interface=pppoe-out1
dst-port=4500
4 ;;; VPN L2TP IPSec
chain=input action=accept protocol=ipsec-esp in-interface=pppoe-out1
5 ;;; VPN L2TP AH
chain=input action=accept protocol=ipsec-ah in-interface=pppoe-out1
6 ;;; Allow all from VPN
chain=input action=accept src-address-type=local
7 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
8 ;;; defconf: accept establieshed,related
chain=input action=accept connection-state=established,related log=no
log-prefix=""
9 ;;; Drop SSH requests from outside
chain=input action=drop protocol=tcp in-interface=pppoe-out1
dst-port=22 log=no log-prefix=""
10 ;;; Drop Winbox connection from outside
chain=input action=drop protocol=tcp in-interface=pppoe-out1
dst-port=8291 log=no log-prefix=""
11 ;;; Drop UDP DNS requests from outside
chain=input action=drop protocol=udp in-interface=pppoe-out1
dst-port=53 log=no log-prefix=""
12 ;;; Drop TCP DNS requests from outside
chain=input action=drop protocol=tcp dst-port=53 log=no log-prefix=""
13 ;;; Allow ping from outside
chain=input action=accept protocol=icmp dst-address=103.12.163.90
log=no log-prefix=""
14 ;;; defconf: drop all from WAN
chain=input action=drop in-interface=ether1 log=no log-prefix=""
15 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection
connection-state=established,related log=no log-prefix=""
16 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related log=no
log-prefix=""
17 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
18 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new
connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface=pppoe-out1 log=no
log-prefix=""
1 ;;; HTTPS remote access
chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=900
protocol=tcp in-interface=pppoe-out1 dst-port=900 log=no log-prefix=""
2 ;;; HTTP remote access
chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=443
protocol=tcp in-interface=pppoe-out1 dst-port=443 log=no log-prefix=""
3 ;;; HTTP remote access
chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=80
protocol=tcp in-interface=pppoe-out1 dst-port=80 log=no log-prefix=""
4 ;;; Plex server remote access
chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=32400
protocol=tcp in-interface=pppoe-out1 dst-port=32400 log=no
log-prefix=""
5 ;;; HTTPS hairpin NAT
chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=443
protocol=tcp dst-address-type=local dst-port=443 log=no log-prefix=""
6 ;;; HTTP hairpin NAT
chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=80
protocol=tcp dst-address-type=local dst-port=80 log=no log-prefix=""
7 ;;; HTTPS hairpin NAT
chain=srcnat action=masquerade to-addresses=10.0.0.2 protocol=tcp
src-address=10.0.0.0/24 dst-address=10.0.0.2 out-interface=bridge
dst-port=443 log=no log-prefix=""
8 ;;; HTTP hairpin NAT
chain=srcnat action=masquerade to-addresses=10.0.0.2 to-ports=80
protocol=tcp src-address=10.0.0.0/24 dst-address=10.0.0.2
out-interface=bridge dst-port=80 log=no log-prefix=""
Now the strange thing is that iOS clients can connect to this VPN and reach both the local network and the Internet, but Windows clients can only reach the local network and not the Internet (dunno about other platforms since I don't have access to any right now). I've ruled out DNS and route issues, as these Windows clients can ping global IP addresses and domain names and also tracert. Am I missing something? I've already used the same configuration for many Mikrotik routers, and what the routers with issues have in common is that the WAN connection is PPPoE:
/ip firewall filter
add chain=input action=accept comment="VPN L2TP UDP 500" in-interface=pppoe-out1 protocol=udp dst-port=500
add chain=input action=accept comment="VPN L2TP UDP 1701" in-interface=pppoe-out1 protocol=udp dst-port=1701
add chain=input action=accept comment="VPN L2TP 4500" in-interface=pppoe-out1 protocol=udp dst-port=4500
add chain=input action=accept comment="VPN L2TP ESP" in-interface=pppoe-out1 protocol=ipsec-esp
add chain=input action=accept comment="VPN L2TP AH" in-interface=pppoe-out1 protocol=ipsec-ah
/ppp profile add change-tcp-mss=yes local-address=10.0.0.1 name=vpn-profile remote-address=pool-vpn dns-server=10.0.0.1 use-encryption=yes
/ppp secret add name="yourusername" password="yourpassword" profile=vpn-profile service=any
/interface l2tp-server server set authentication=mschap2 default-profile=vpn-profile enabled=yes max-mru=1460 max-mtu=1460 use-ipsec=yes
/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp nat-traversal=yes generate-policy=port-override secret="yourl2tpsecret" enc-algorithm=aes-128,3des
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc,3des