Topic: L2TP/IPSEC
-
22-07-19, 14:07 L2TP/IPSEC #1
Good evening,
I am having an issue with a site-to-site VPN that I am trying to set up.
The problem is that while the MikroTik acting as the L2TP server pings the MikroTik acting as the client, and its hosts, without any problem, the hosts themselves do not communicate with each other.
Is it a firewall issue?
Do I need rules in the NAT section?
In the past this worked without problems with PPTP.
Thanks in advance for your time.
-
22-07-19, 22:40 L2TP/IPSEC #2
Do an export of the config of both.
Posted from Android app
-
22-07-19, 23:17 Reply: L2TP/IPSEC #3
Router 1
Code:
/caps-man channel
add band=2ghz-b/g/n control-channel-width=40mhz-turbo frequency=2437 name=channel1
add band=5ghz-onlyac control-channel-width=40mhz-turbo frequency=5180 name=channel2
/caps-man configuration
add channel=channel2 country=greece mode=ap name=cfg2 security.authentication-types=wpa-psk,wpa2-psk security.encryption=aes-ccm security.passphrase= ssid=
/interface bridge
add arp=proxy-arp name=LAN
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps
set [ find default-name=ether13 ] speed=100Mbps
/interface pppoe-client
add disabled=no interface=ether1 max-mru=1492 max-mtu=1492 name=WAN1 password= user=
add disabled=no interface=ether2 max-mru=1492 max-mtu=1492 name=WAN2 password= user=
/interface vlan
add interface=LAN name=Irish-staff vlan-id=100
add interface=LAN name=Irish-wifi vlan-id=200
add interface=LAN name="-kato orofos" vlan-id=300
/caps-man configuration
add channel=channel1 country=greece datapath.bridge=LAN name=cfg1 security.authentication-types=wpa-psk,wpa2-psk security.encryption=aes-ccm security.passphrase= ssid=
/interface list
add name="load balance"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.10-192.168.1.254
add name=dhcp_pool1 ranges=10.20.0.2-10.20.15.254
add name=dhcp_pool2 ranges=192.168.0.10-192.168.0.254
add name=dhcp_pool3 ranges=172.20.0.2-172.20.0.62
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=LAN lease-time=5h name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=Irish-wifi lease-time=1h name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=Irish-staff lease-time=5h name=dhcp3
add address-pool=dhcp_pool3 disabled=no interface="Vagelis-kato orofos" lease-time=3h name=dhcp4
/ppp profile
add bridge=LAN dns-server=8.8.8.8 local-address=172.16.0.1 name=l2tp remote-address=172.16.0.2
/queue simple
add max-limit=9M/72M name="ALL Bandwidth" target=""
add limit-at=3M/0 max-limit=5M/38M name=Dvr parent="ALL Bandwidth" priority=1/1 target=192.168.0.6/32
add max-limit=9M/72M name=Private parent="ALL Bandwidth" priority=2/2 target=192.168.0.0/24
add max-limit=9M/72M name=LAN parent="ALL Bandwidth" priority=3/3 target=192.168.1.0/24
add max-limit=3M/72M name=Guest parent="ALL Bandwidth" target=10.20.0.0/20
/queue type
set 5 pcq-rate=1M
set 6 pcq-rate=2M
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1
add action=create-dynamic-enabled master-configuration=cfg2
/interface bridge port
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
/interface l2tp-server server
set default-profile=l2tp enabled=yes ipsec-secret= use-ipsec=required
/interface list member
add interface=Irish-staff list="load balance"
add interface=Irish-wifi list="load balance"
add interface=LAN list="load balance"
/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
add address=10.20.0.1/20 interface=Irish-wifi network=10.20.0.0
add address=192.168.0.1/24 interface=Irish-staff network=192.168.0.0
add address=172.20.0.1/26 interface="-kato orofos" network=172.20.0.0
/ip dhcp-server lease
add address=192.168.1.251 client-id=1:fc:ec:da:d1:af:e3 mac-address=FC:EC:DA:D1:AF:E3 server=dhcp1
add address=192.168.0.15 client-id=1:0:23:a7:41:e9:bb mac-address=00:23:A7:41:E9:BB server=dhcp3
add address=192.168.0.16 client-id=1:0:23:a7:cc:80:c7 mac-address=00:23:A7:CC:80:C7 server=dhcp3
add address=192.168.0.18 client-id=1:0:23:a7:41:eb:5d mac-address=00:23:A7:41:EB:5D server=dhcp3
add address=192.168.1.56 client-id=1:74:d4:35:b0:e1:66 mac-address=74:D4:35:B0:E1:66 server=dhcp1
add address=192.168.1.254 client-id=1:74:3e:2b:1a:d3:f0 mac-address=74:3E:2B:1A:D3:F0 server=dhcp1
/ip dhcp-server network
add address=10.20.0.0/20 dns-server=10.20.0.1 gateway=10.20.0.1
add address=172.20.0.0/26 dns-server=172.20.0.1 gateway=172.20.0.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.0/24 disabled=yes list=support
add address=192.168.0.0/24 disabled=yes list=support
add address=10.20.0.0/20 disabled=yes list=support
add address=172.20.0.0/26 disabled=yes list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" disabled=yes list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" disabled=yes list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=yes list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=yes list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=yes list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=yes list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" disabled=yes list=bogons
add address=172.22.22.0/24 disabled=yes list=support
/ip firewall filter
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" in-interface=WAN2 protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (1701/udp)" dst-port=1701 in-interface=WAN2 protocol=udp
add action=accept chain=input comment="allow L2TP VPN (4500/udp)" dst-port=4500 in-interface=WAN2 protocol=udp
add action=accept chain=input comment="allow L2TP VPN (500/udp)" dst-port=500 in-interface=WAN2 protocol=udp
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=yes src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" disabled=yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=yes src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=yes jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=yes jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" disabled=yes dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=yes dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=yes dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" disabled=yes port=53 protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" disabled=yes port=53 protocol=tcp
add action=accept chain=input comment="Accept to established connections" connection-state=established disabled=yes
add action=accept chain=input comment="Accept to related connections" connection-state=related disabled=yes
add action=accept chain=input comment="Full access to SUPPORT address list" disabled=yes src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" disabled=yes icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=yes icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=yes icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=yes icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=yes jump-target=ICMP protocol=icmp
/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=wan1_conn passthrough=yes
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=wan2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=wan1_conn new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=output connection-mark=wan2_conn new-routing-mark=to_wan2 passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local in-interface-list="load balance" new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface-list="load balance" new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=wan1_conn in-interface-list="load balance" new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2_conn in-interface-list="load balance" new-routing-mark=to_wan2 passthrough=yes
add action=accept chain=prerouting in-interface=WAN1
add action=accept chain=prerouting in-interface=WAN2
add action=mark-routing chain=prerouting new-routing-mark=to_wan2 passthrough=yes src-address=192.168.0.6
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.10.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=dst-nat chain=dstnat dst-port=8001 protocol=tcp to-addresses=192.168.0.6 to-ports=8001
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=192.168.0.6 to-ports=8080
add action=dst-nat chain=dstnat dst-port=5555 protocol=tcp to-addresses=192.168.0.6 to-ports=5555
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.10.0/24 src-address=192.168.1.0/24
add action=accept chain=prerouting dst-address=192.168.1.0/24 src-address=192.168.10.0/24
/ip route
add check-gateway=ping distance=1 gateway=WAN1 routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=WAN2 routing-mark=to_wan2
add check-gateway=ping distance=1 gateway=WAN1
add check-gateway=ping distance=2 gateway=WAN2
add distance=1 dst-address=192.168.10.0/24 gateway=172.16.0.2
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name= password= profile=l2tp service=l2tp
/system clock
set time-zone-name=Europe/Athens
Code:
/interface bridge
add arp=proxy-arp fast-forward=no name=LAN
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 max-mru=1492 max-mtu=1492 name=pppoe-out1 password= user=
/interface l2tp-client
add add-default-route=yes connect-to=router 1 wan ip disabled=no ipsec-secret= name=l2tp-out1 password= use-ipsec=yes user=
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.253
add name=dhcp_pool1 ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=LAN lease-time=3h name=dhcp1
/queue type
add kind=pcq name=PCQ_UPLOAD pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=3500k pcq-src-address6-mask=64
add kind=pcq name=PCQ_DOWNLAOD pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=7M pcq-src-address6-mask=64
add kind=pcq name=IPTV_PCQ pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-limit=8000000KiB pcq-rate=9M pcq-src-address6-mask=64
set 8 pcq-rate=1M
set 9 pcq-rate=10M
/queue tree
add name=DOWNLOAD packet-mark=Client_Download parent=global queue=PCQ_DOWNLAOD
add name=UPLOAD packet-mark=Client_Upload parent=global queue=PCQ_UPLOAD
add disabled=yes name="NICK IPTV" packet-mark=IPTV_NICK parent=DOWNLOAD priority=1 queue=IPTV_PCQ
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=ether6
add bridge=LAN interface=ether7
add bridge=LAN interface=ether8
add bridge=LAN interface=ether9
add bridge=LAN interface=ether10
/ip address
add address=192.168.10.1/24 interface=LAN network=192.168.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.2-192.168.1.254 disabled=yes list=allowed_to_router
add address=172.20.0.2-172.20.0.254 disabled=yes list=allowed_to_router
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment="default configuration" connection-state=established,related disabled=yes
add action=accept chain=input disabled=yes src-address-list=allowed_to_router
add action=accept chain=input disabled=yes protocol=icmp
add action=drop chain=input disabled=yes
/ip firewall mangle
add action=mark-packet chain=prerouting comment="NIKOS IPTV" disabled=yes dst-port=5353-60000 new-packet-mark=IPTV_NICK passthrough=no protocol=tcp src-address=192.168.1.37
add action=mark-packet chain=prerouting in-interface=LAN new-packet-mark=Client_Upload passthrough=yes
add action=mark-packet chain=prerouting in-interface=pppoe-out1 new-packet-mark=Client_Download passthrough=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=192.168.10.0/24
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=555 protocol=tcp to-addresses=192.168.1.100 to-ports=555
add action=dst-nat chain=dstnat dst-port=8000 protocol=tcp to-addresses=192.168.1.100 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=192.168.1.100 to-ports=8080
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.1.0/24 src-address=192.168.10.0/24
add action=accept chain=prerouting dst-address=192.168.10.0/24 src-address=192.168.1.0/24
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=172.16.0.1
/ip ssh
set allow-none-crypto=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name="Pounta Router"
-
23-07-19, 22:44 Reply: L2TP/IPSEC #4
Most likely it is the load-balancing mangle rules that are causing your problem.
Try it with the mangle rules disabled.
-
24-07-19, 13:47 Reply: L2TP/IPSEC #5
I removed all the mangle rules and left just the one WAN, but it is still the same.
-
24-07-19, 22:47 L2TP/IPSEC #6
So, whenever you can, send me an AnyDesk so we can take a look at it.
Posted from Android app
-
25-07-19, 23:00 Re: L2TP/IPSEC #7
I have sent you a private message.
Thanks.
- - - Updated - - -
You were right, I added a rule in mangle and it worked fine. Thank you very much.
Code:
/ip firewall mangle
add action=accept chain=prerouting dst-address=REMOTE ROUTER LAN IP
Last edited by member Smokey : 25-07-19 at 22:38.
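Why that one rule fixes it, as an added example (not the poster's config): in the Router 1 export from post #3, the PCC mark-connection rules in prerouting give every LAN-originated connection a wan1_conn/wan2_conn mark, the mark-routing rules then send it to routing table to_wan1/to_wan2, and those tables contain only a default route out the WAN, so packets for 192.168.10.0/24 never see the main table's route through the tunnel; the router's own pings are never marked (the output chain only marks connections that came in on a WAN), which is why they worked. The snippet below assumes the names from that export (remote LAN 192.168.10.0/24 via 172.16.0.2, interface list "load balance", routing marks to_wan1/to_wan2) and shows the accept placed above the PCC rules together with the checks to confirm it is doing its job.

```routeros
# Added example, not the poster's own config. Assumes Router 1 from post #3:
# remote LAN 192.168.10.0/24 behind L2TP peer 172.16.0.2, interface list
# "load balance", PCC marks wan1_conn/wan2_conn, routing marks to_wan1/to_wan2.

/ip firewall mangle
# accept ends traversal of the prerouting chain: an accepted packet gets neither a
# connection mark nor a routing mark, so it is routed by the main table, which holds
# the 192.168.10.0/24 route via the tunnel. The rule must sit ABOVE the two PCC
# mark-connection rules; place-before=0 puts it at the top of the whole mangle list.
# It also covers replies sent by local hosts to connections opened from the remote
# site, which would otherwise be marked and pushed out a WAN as well.
add chain=prerouting action=accept dst-address=192.168.10.0/24 \
    in-interface-list="load balance" comment="site-to-site: bypass PCC" place-before=0

# Check 1: the accept rule is listed before the PCC mark-connection rules
/ip firewall mangle print where chain=prerouting

# Check 2: the remote LAN is still routed through the tunnel in the main table
/ip route print where dst-address=192.168.10.0/24

# Check 3: test from a LAN address rather than from the tunnel address; the router's
# own pings used the main table all along, so they prove nothing about host traffic
/ping 192.168.10.1 src-address=192.168.1.1

# Check 4: the new rule is actually matching (counters grow while a LAN host pings)
/ip firewall mangle print stats where comment="site-to-site: bypass PCC"

# Router 2 side (from the second export): the l2tp-client has add-default-route=yes,
# which installs a second default route through the tunnel next to the PPPoE one.
# Disable it if only 192.168.1.0/24 is meant to cross the tunnel.
/interface l2tp-client set l2tp-out1 add-default-route=no
```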
-
02-08-19, 13:39 Reply: L2TP/IPSEC #8
Well done Kosta!
Something else entirely....