
Beginner Basics • Phantom DAC created with L2TP/IPSEC

Hello,

I have a RB2011UiAS-2Hnd-IN which works well but has one issue regarding PPTP connections. Setting up a L2TP/IPsec connection, the router dials out to an IP of 10.64.64.105 with a network 10.112.112.153 (the connection drops after 5 seconds). I have no idea where this configuration is coming from. Flashing firmware and downgrading back to 6.49.18 give the same results. The default config has this issue, and building a configuration from scratch is the same.

The only way I can stop the connection to the 10.64.64.105, is to add the Local and Remote address to the PPTP profile. The connection is established but no traffic is produced.
I have four other Mikrotik routers which connect to the VPN without issue and without any IP entries in the PPTP profile.

Does anyone know how/why this DAC connection is being made regardless of what is input in the L2TP/IPsec config?
Thanks

Please see the config below
[admin@MikroTik] /ip> route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 VpnOut 1
1 A S 10.1.20.0/24 VpnOut 1
2 A S 10.2.20.0/24 VpnOut 1
*3 ADC 10.112.112.153/32 10.64.64.105 VpnOut 0
4 A S 172.15.0.0/23 VpnOut 1
5 A S 172.38.5.0/24 VpnOut 1
6 ADC 192.168.86.0/24 192.168.86.4 bridge 0


Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=VpnOut gateway-status=VpnOut reachable distance=1 scope=30 target-scope=10

1 A S dst-address=10.1.20.0/24 gateway=VpnOut gateway-status=VpnOut reachable distance=1 scope=30
target-scope=10

2 A S dst-address=10.2.20.0/24 gateway=VpnOut gateway-status=VpnOut reachable distance=1 scope=30
target-scope=10

3 ADC dst-address=10.112.112.155/32 pref-src=10.64.64.107 gateway=VpnOut gateway-status=VpnOut reachable
distance=0 scope=10

4 A S dst-address=172.15.0.0/23 gateway=VpnOut gateway-status=VpnOut reachable distance=1 scope=30
target-scope=10

5 A S dst-address=172.38.5.0/24 gateway=VpnOut gateway-status=VpnOut reachable distance=1 scope=30
target-scope=10

6 ADC dst-address=192.168.86.0/24 pref-src=192.168.86.4 gateway=bridge gateway-status=bridge reachable
distance=0 scope=10

# mar/27/2025 19:49:55 by RouterOS 6.49.18
# software id = F8W0-NHZM
#
# model = 2011UiAS-2HnD
# serial number = 4674044B36E1
# Export as posted: HOST, USER, Pass and KEY look like redaction placeholders, not live values.
/interface bridge
add admin-mac=4C:5E:0C:33:1F:DE auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=sfp1 ] disabled=yes
# The L2TP/IPsec client the question is about. dial-on-demand=yes with add-default-route=yes:
# the tunnel is only brought up when traffic is routed into it, and a default route is installed
# through it. No profile= is given, so the default ppp profile applies (not VpnOutOut below).
# NOTE(review): the 10.112.112.x/32 -> 10.64.64.x route in the print above looks like the
# placeholder link addresses RouterOS gives an on-demand PPP interface before IPCP has assigned
# real ones -- confirm by temporarily setting dial-on-demand=no and re-checking /ip route.
# allow=pap restricts PPP authentication to PAP; with use-ipsec=yes that exchange is carried
# inside the IPsec SA. The password literal ends in an escaped "\n", which may be a paste
# artifact in the post rather than part of the real secret -- verify on the device.
/interface l2tp-client
add add-default-route=yes allow=pap connect-to=HOST dial-on-demand=yes \
disabled=no ipsec-secret=Name name=VpnOut password="Pass\
\n" src-address=192.168.86.4 use-ipsec=yes user=USER
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# Three WPA/WPA2-PSK station profiles; wlan1 is used as an uplink (see connect-list, dhcp-client
# and the WAN list membership further down).
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=FLASHDDM supplicant-identity="" \
wpa-pre-shared-key=KEY wpa2-pre-shared-key=KEY
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=Verizon-SM supplicant-identity="" \
wpa-pre-shared-key=KEY wpa2-pre-shared-key=KEY
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=ATT76bu2Kz supplicant-identity="" \
wpa-pre-shared-key=KEY wpa2-pre-shared-key=KEY
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn basic-rates-a/g=24Mbps,36Mbps,48Mbps,54Mbps \
channel-width=20/40mhz-XX country="united states" disabled=no distance=indoors frequency=auto \
frequency-mode=manual-txpower installation=INDOOR rate-set=configured security-profile=Verizon-SM \
ssid="" wireless-protocol=802.11
# The built-in default IPsec profile has been renamed to VpnOutOut and a new one named "default"
# added. dpd-interval=disable-dpd means a dead peer is not detected via DPD on either profile;
# proposal-check=claim (as documented by MikroTik) uses the shorter of the proposed and
# configured lifetimes.
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd name=VpnOutOut proposal-check=claim
add dpd-interval=disable-dpd name=default proposal-check=claim
# Phase-2 proposals still list md5 and 3des next to sha1/AES-CBC; these are legacy algorithms
# kept for peer compatibility. pfs-group=none turns off perfect forward secrecy for phase 2.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=aes-256-cbc,aes-128-cbc,3des lifetime=\
8h pfs-group=none
add auth-algorithms=sha1,md5 enc-algorithms=aes-128-cbc,3des lifetime=8h name=VpnOutOut pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.86.10-192.168.86.40
/ip dhcp-server
add address-pool=default-dhcp bootp-support=none disabled=no interface=bridge name=defconf
# ppp profile VpnOutOut is defined but nothing in this export references it (the l2tp-client
# above has no profile= parameter).
/ppp profile
add change-tcp-mss=no name=VpnOutOut use-compression=no use-mpls=no use-upnp=no
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set route-cache=no
# ether1 and wlan1 are both WAN-list members; the bridge is the LAN side.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=wlan1 list=WAN
/interface wireless connect-list
add comment=FLASHDDM disabled=yes interface=wlan1 security-profile=FLASHDDM ssid=FLASHDDM
add comment=Verizon-SM interface=wlan1 security-profile=Verizon-SM ssid=Verizon-SM
add comment=ATT76bu2Kz interface=wlan1 security-profile=ATT76bu2Kz ssid=ATT76bu2Kz
/ip address
add address=192.168.86.4/24 comment=defconf interface=bridge network=192.168.86.0
# Both uplinks obtain addresses by DHCP.
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
add disabled=no interface=wlan1
/ip dhcp-server network
add address=192.168.86.0/24 comment=defconf dns-server=192.168.86.4 gateway=192.168.86.4
# The router answers DNS for the LAN; servers= points at its own bridge address (192.168.86.4),
# so upstream resolution presumably relies on servers learned by the dhcp-clients -- verify.
# WAN-side queries are dropped by the input chain's "drop all not coming from LAN" rule as long
# as that rule stays ahead of any WAN accept for udp/53.
/ip dns
set allow-remote-requests=yes servers=192.168.86.4
/ip dns static
add address=192.168.86.4 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Accepts UDP 1701/500/4500 from the WAN list into the router itself, ahead of the
# established,related and drop-invalid rules. For a client-initiated tunnel the replies already
# match established,related; NOTE(review): check whether unsolicited inbound L2TP/IKE from WAN
# is actually required here.
add action=accept chain=input in-interface-list=WAN protocol=udp src-port=1701,500,4500
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=\
127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
!dstnat connection-state=new in-interface-list=WAN
# Source NAT for traffic leaving via the tunnel interface, via the WAN list, and via any
# outbound IPsec policy.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=VpnOut
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=masquerade chain=srcnat ipsec-policy=out,ipsec
# These static routes use gateway=VpnOutOut, but the l2tp-client interface is named VpnOut and
# the route print above shows gateway=VpnOut. No interface called VpnOutOut exists in this export
# (VpnOutOut is only an ipsec profile/proposal/ppp profile name) -- presumably a rename or
# redaction mismatch in the post; verify against the live config.
/ip route
add distance=1 dst-address=10.1.20.0/24 gateway=VpnOutOut
add distance=1 dst-address=10.2.20.0/24 gateway=VpnOutOut
add distance=1 dst-address=172.15.0.0/23 gateway=VpnOutOut
add distance=1 dst-address=172.38.5.0/24 gateway=VpnOutOut
/lcd
set enabled=no touch-screen=disabled
/system clock
set time-zone-name=America/New_York
/system leds
add disabled=yes interface=bridge leds="" type=interface-status
add disabled=yes interface=sfp1 leds="" type=interface-status
# Package updates follow the development (pre-release) channel.
/system package update
set channel=development
/tool bandwidth-server
set authenticate=no enabled=no
# MAC-level telnet/winbox access is limited to the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Statistics: Posted by jojorock — Mon Mar 31, 2025 1:38 am


