Proper NAT and Firewall Rules for L2TP Server behind Mikrotik Router - firewall

I have configured Windows Server 2016 for a L2TP VPN connections via pre-shared key. The server's LAN side address is 192.10.0.100. I can access the VPN from the LAN side.
From outside the local network, I get an error message saying "the remote server is not responding" and mentioning the possibility of NAT or firewall issue.
Here are the rules I have put in place for the VPN:
NAT
add action=dst-nat chain=dstnat comment="NAT Rule for L2TP General Port 500" \
dst-address="Mikrotik public IP Address" dst-port=500 protocol=udp to-addresses=\
192.10.0.100 to-ports=500
add action=dst-nat chain=dstnat comment="NAT Rule for L2TP General Port 1701" \
dst-address="Mikrotik public IP Address" dst-port=1701 protocol=udp to-addresses=\
192.10.0.100 to-ports=1701
add action=dst-nat chain=dstnat comment="NAT Rule for L2TP General Port 4500" \
dst-address="Mikrotik public IP Address" dst-port=4500 protocol=udp to-addresses=\
192.10.0.100 to-ports=4500
Firewall:
add action=accept chain=input comment="allow L2TP port 500" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow L2TP port 1701" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow L2TP port 4500" dst-port=4500 \
protocol=udp
add action=accept chain=forward comment=\
"Allow forwarding for L2TP VPN (udp)" dst-address=192.10.0.100 \
protocol=udp
It appears the client can contact the server but is getting no response. Is there another NAT for return traffic that I am missing? Thanks in advance.

If you get an error message indicating a problem with firewall, might check your client and server side Registry entries.
The instructions here for setting up an L2TP VPN on a windows server, point out that you have to add a DWord Value to the Registry on both the Server and the client to make the NPS changes work.
Go to
HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Services -> PolicyAgent
Add
AssumeUDPEncapsulationContextOnSendRule
Change the Value Data to 2.
Turns out you do NOT need that for testing the VPN on the LAN side but do on the WAN side. Consequently, did not think to check my spelling until I was able to connect to the VPN from my MacBook Pro.

Related

How to setup routing in Linux to create a NVA in Azure

I am trying to deploy a hub & spoke topology on Azure. I have VNet: hub, spoke1 & spoke2, respectively with the 3 following address spaces: 10.0.0.0/16, 10.1.0.0/16 & 10.2.0.0/16. And each have only one subnet on the /24 address space.
I have peered each spoke to the hub and deployed a Linux machine in my hub subnet. Now, I want to use that Linux machine as a router to forward traffic coming from 10.1.0.0/16 and targetting 10.2.0.0/16 to the spoke2 VNet and vice-versa.
I have added a User Defined Route on each spoke to use the Linux router IP address (10.0.0.5) as the Next hop when targetting the other spoke.
I have enable ip_forwarding on my Linux machine: echo 1 > /proc/sys/net/ipv4/ip_forward and added 2 routes ip route add 10.1.0.0/24 via 10.0.0.1 dev eth0 and ip route add 10.2.0.0/24 via 10.0.0.1 dev eth0 since 10.0.0.1 is my gateway on my router and eth0 my NIC.
I have also enabled IP Forwarding on the NIC of my router in Azure.
But... this does not work. Packets are not forwarded to appropriate network and I don't understand why.
If any of you has a hint or even the solution to implement this I would appreciate.
Thanks.
Don't forget about the setup for NIC for specific machine:
BTW: Microsoft has an easy tutorial on this.
You shoud configure the linux machine as a router.
create a linux bridge, and attach the eth0.
set the bridge ip as 10.0.0.1/24, and setup a dhcp server on it.
on each spokes, set 10.0.0.1 as next hop for target network.
On the linux machine, add router entry to 10.1.0.0/24 and 10.2.0.0/24 through 10.0.0.1.
Okay.
I don't know exactly what went wrong during my first tries.
I simply dropped the Resource Group and restarted from scratch with Windows VM, following Microsoft tutorial.
Then, I replaced step by step the Windows VM by Linux VM... and everything is working.
On the NVA, you simply have to:
enable the IP Forwarding on the Network Interface of the VM in Azure,
enable the IP Forwarding in the VM:
sudo sed -i 's/#net.ipv4.ip_forward=/net.ipv4.ip_forward=/' /etc/sysctl.conf
sudo sed -i 's/net.ipv4.ip_forward=0/net.ipv4.ip_forward=1/' /etc/sysctl.conf
sudo sed -i 's/#net.ipv6.conf.all.forwarding=/net.ipv6.conf.all.forwarding=/' /etc/sysctl.conf
sudo sed -i 's/net.ipv6.conf.all.forwarding=0/net.ipv6.conf.all.forwarding=1/' /etc/sysctl.conf
sudo sysctl -p
Then define routes in Azure (Route table + Routes) in each spoke to forward traffic to the NVA IP.
Nothing more. Works out of the box.
I even created my NVA in a Virtual Machine Scale Set behind an Internal Load Balancer with HA-Ports, so my NVA is highly available.

IIS website hostname accessible locally but not on LAN

The goal here is to set up a hostednetwork wifi on a server (fake server, it's Windows 10 x64), the client connect to this wifi, then connect to the website on the server. This is done by creating the hostednetwork :
netsh wlan set hostednetwork mode=allow ssid=BORNE-1234 key=12345678
netsh wlan start hostednetwork
IIS is configured with a simple website in it. And I just tried every bindings possible :
http borne.fr 80 *
http borne.fr 80 192.168.137.1
http (Empty) 80 192.168.137.1
http www.borne.fr 80 *
http www.borne.fr 80 192.168.137.1
Then i edit the C:\Windows\System32\drivers\etc\hosts file to add this line :
192.168.137.1 borne.fr www.borne.fr
I even tried with 127.0.0.1 but nothing works. On a browser on the server, borne.fr works. But if I connect to the created wifi with another machine borne.fr give the error ERR_NAME_NOT_RESOLVED whereas with the IP address it works. I tried everything mentioned here https://serverfault.com/a/452269.
I also added an exception on the firewall (in and out) for port 80.
Any Ideas ?
You need to also set "192.168.137.1 borne.fr www.borne.fr" on another machine.
If "192.168.137.1 borne.fr www.borne.fr" is not set on another computer, it will not know what the IP address of www.borne.fr is.
Hosts files were used to resolve hosts names before DNS. hosts files would be massive documents used to aide the network name resolution.
If you have a DNS server in your LAN, you can configure the DNS server to resolve www.borne.fr to 192.168.137.1.

Connecting to IIS website from another computer on the LAN - port not listening

I have website working fine on my local machine as host name hml.frontend in the hosts file: 127.0.0.1 hml.frontend
In IIS I have bindings as hml.frontend 127.0.0.1 and hml.frontend 192.168.1.94. The latter I used ipconfig to get my local ip address issued to me by my BT Home Hub 5 router.
In windows 10 firewall I have allowed App/Feature NetLogon service and World Wide Web services (HTTP).
In advanced settings in Inbound Rules I have added a rule which allow the connection from all sources to ports 80 and 443. Scope is any IP addresses.
On my macbook I have added the 192.168.1.94 as hml.frontend to the hosts file.
I can ping hml.frontend OK from the macbook.
However from a web browser the http://hml.frontend site cannot be reached from the macbook.
telnet 192.168.1.94 80 from the macbook says unable to connect to remote host.
Back on the PC I have done netstat -na to see which ports IIS is listening on and 127.0.0.1:80 is there and so is 192.168.1.94:139 and many more ports against that IP address but not port 80.
Any ideas what I can check to get my PC to listen for that website hostname on port 80?
I got it to work, I was on the right track that the IP address was not being listened to.
In order to add the ip address I have to be listened to, I went into cmd as adminstrator, did
netsh
http
show iplisten
'show' result shows that just 127.0.0.1 was being listened on port 80
add iplisten ipaddress=192.168.1.94
show iplisten
quit
'show' result shows that now additionally 192.168.1.94 is being listened on port 80
Then I went back in with
netstat -na
And now I see the line I want:
TCP 192.168.1.94:80 0.0.0.0:0 LISTENING
Some information was gained from this article.
http://windowsitpro.com/windows-server/solve-iis-listener-problems
The site is now reachable from my macbook using the hostname http://hml.frontend

Why do I get an error when connecting to port 80 between guests

I have two VMs. Both on the nat (vmnet8) adapter. Both machines appear to be on the same subnet.
Guest1 - 192.168.18.146
Guest2 - 192.168.18.150
I can ssh between the machines. However, when I try http it fails:
[root#localhost conf]# wget 192.168.18.146
--2016-02-18 09:53:03-- http://192.168.18.146/
Connecting to 192.168.18.146:80... failed: No route to host.
How can I access a webserver hosted on guest1 from guest2?
I have also tried a custom adapter and bridged with the same result.
OS firewall issue. I originally verified that iptables was not running but another service, firewalld was running and blocking access to port 80. Disabling the firewall allows me to access port 80 from my guests and host.

GRE Tunnel routing issue in Linux CentOS

I am creating GRE Tunnel between two Linux (CentOS6) servers using below steps.
On the master server:
chkconfig iptables off
service iptables stop
sysctl -w net.ipv4.conf.default.rp_filter=0
modprobe ip_gre
ip tunnel add tun1 mode gre remote 98.123.87.97 local 106.61.58.98 ttl 255
ip addr add 10.0.1.0/24 dev tun1
ip link set dev tun1 up
ip addr add 98.123.87.95/27 dev eth0
On the slave server:
chkconfig iptables off
service iptables stop
sysctl -w net.ipv4.ip_forward=1
sysctl -w net.ipv4.conf.all.forwarding=1
sysctl -w net.ipv4.conf.proxy_arp=1
sysctl -w net.ipv4.conf.all.proxy_arp=1
sysctl -w net.ipv4.conf.eth0.rp_filter=0
sysctl -w net.ipv4.conf.default.rp_filter=0
modprobe ip_gre
ip tunnel add tunx mode gre remote 106.61.58.98 local 98.123.87.97 ttl 255
ip addr add 10.0.2.0/24 dev tun0
ip link set tunx up
ip route add 98.123.87.95/27 dev tun0
I need to add slave server's IP into the on my master server, I am getting the ping response form tunnelled IPs (Slave Server's IP) and when I am trying to SSH the tunnelled IP (Slave IP) I am reaching to Masters(this is what I want).
Problem is when I am trying to send outgoing traffic like DNS query by Tunnelled IP(Slave IP) I am getting time out request.
I guess this is routing issue of one of my server. Any idea what should i do to get through my outgoing traffic by tunnelled IPs?
Thanks,
Are you really adding 10.0.1.0/24 address? This is a network address, looks like mistake.
Also, you shuold add default route(or route to dns servers or whatever you want) on client machine through your tunnel with gateway=another_end_of_tunnel.
Don't forget to add static route to your machine if you don't want to loose connection, before adding default route!

Resources