L2TP/IPSEC

**Smokey** · 22-07-19, 14:07

Καλαησπέρα,

αντιμετωπίζω ένα θέμα με ενα vpn site to site που προσπαθώ να στήσω.
Το πρόβλημα είναι ότι ενώ το Mikrotik πού έχει αναλάβει το ρόλο του L2TP Server κάνει Ping κανονικά το Mikrotik που παίζει σαν Client αλλά και τους Hosts του οι Hosts δεν επικοινωνούν μεταξύ τους.
Είναι θέμα Firewall;
Χρειάζομαι κανόνες στο NAT section;
Στο παρελθόν με PPTP είχε παίξει απροβλημάτιστα.

Ευχαριστώ εκ των προτέρων για το χρόνο σας.

**kostas2911** · 22-07-19, 22:40

Κάνε ένα export το config και των 2

**Smokey** · 22-07-19, 23:17

Router 1

Κώδικας:

/caps-man channel
add band=2ghz-b/g/n control-channel-width=40mhz-turbo frequency=2437 name=\
    channel1
add band=5ghz-onlyac control-channel-width=40mhz-turbo frequency=5180 name=\
    channel2
/caps-man configuration
add channel=channel2 country=greece mode=ap name=cfg2 \
    security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
    aes-ccm security.passphrase= ssid=
/interface bridge
add arp=proxy-arp name=LAN
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=ether11 ] speed=100Mbps
set [ find default-name=ether12 ] speed=100Mbps
set [ find default-name=ether13 ] speed=100Mbps
/interface pppoe-client
add disabled=no interface=ether1 max-mru=1492 max-mtu=1492 name=WAN1 \
    password= user=
add disabled=no interface=ether2 max-mru=1492 max-mtu=1492 name=WAN2 \
    password= user=
/interface vlan
add interface=LAN name=Irish-staff vlan-id=100
add interface=LAN name=Irish-wifi vlan-id=200
add interface=LAN name="-kato orofos" vlan-id=300
/caps-man configuration
add channel=channel1 country=greece datapath.bridge=LAN name=cfg1 \
    security.authentication-types=wpa-psk,wpa2-psk security.encryption=\
    aes-ccm security.passphrase= ssid=
/interface list
add name="load balance"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.10-192.168.1.254
add name=dhcp_pool1 ranges=10.20.0.2-10.20.15.254
add name=dhcp_pool2 ranges=192.168.0.10-192.168.0.254
add name=dhcp_pool3 ranges=172.20.0.2-172.20.0.62
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=LAN lease-time=5h name=\
    dhcp1
add address-pool=dhcp_pool1 disabled=no interface=Irish-wifi lease-time=1h \
    name=dhcp2
add address-pool=dhcp_pool2 disabled=no interface=Irish-staff lease-time=5h \
    name=dhcp3
add address-pool=dhcp_pool3 disabled=no interface="Vagelis-kato orofos" \
    lease-time=3h name=dhcp4
/ppp profile
add bridge=LAN dns-server=8.8.8.8 local-address=172.16.0.1 name=l2tp \
    remote-address=172.16.0.2
/queue simple
add max-limit=9M/72M name="ALL Bandwidth" target=""
add limit-at=3M/0 max-limit=5M/38M name=Dvr parent="ALL Bandwidth" priority=\
    1/1 target=192.168.0.6/32
add max-limit=9M/72M name=Private parent="ALL Bandwidth" priority=2/2 target=\
    192.168.0.0/24
add max-limit=9M/72M name=LAN parent="ALL Bandwidth" priority=3/3 target=\
    192.168.1.0/24
add max-limit=3M/72M name=Guest parent="ALL Bandwidth" target=10.20.0.0/20
/queue type
set 5 pcq-rate=1M
set 6 pcq-rate=2M
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1
add action=create-dynamic-enabled master-configuration=cfg2
/interface bridge port
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
/interface l2tp-server server
set default-profile=l2tp enabled=yes ipsec-secret= use-ipsec=\
    required
/interface list member
add interface=Irish-staff list="load balance"
add interface=Irish-wifi list="load balance"
add interface=LAN list="load balance"
/ip address
add address=192.168.1.1/24 interface=LAN network=192.168.1.0
add address=10.20.0.1/20 interface=Irish-wifi network=10.20.0.0
add address=192.168.0.1/24 interface=Irish-staff network=192.168.0.0
add address=172.20.0.1/26 interface="-kato orofos" network=172.20.0.0
/ip dhcp-server lease
add address=192.168.1.251 client-id=1:fc:ec:da:d1:af:e3 mac-address=\
    FC:EC:DA:D1:AF:E3 server=dhcp1
add address=192.168.0.15 client-id=1:0:23:a7:41:e9:bb mac-address=\
    00:23:A7:41:E9:BB server=dhcp3
add address=192.168.0.16 client-id=1:0:23:a7:cc:80:c7 mac-address=\
    00:23:A7:CC:80:C7 server=dhcp3
add address=192.168.0.18 client-id=1:0:23:a7:41:eb:5d mac-address=\
    00:23:A7:41:EB:5D server=dhcp3
add address=192.168.1.56 client-id=1:74:d4:35:b0:e1:66 mac-address=\
    74:D4:35:B0:E1:66 server=dhcp1
add address=192.168.1.254 client-id=1:74:3e:2b:1a:d3:f0 mac-address=\
    74:3E:2B:1A:D3:F0 server=dhcp1
/ip dhcp-server network
add address=10.20.0.0/20 dns-server=10.20.0.1 gateway=10.20.0.1
add address=172.20.0.0/26 dns-server=172.20.0.1 gateway=172.20.0.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.0/24 disabled=yes list=support
add address=192.168.0.0/24 disabled=yes list=support
add address=10.20.0.0/20 disabled=yes list=support
add address=172.20.0.0/26 disabled=yes list=support
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" disabled=yes \
    list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
    d this subnet before enable it" disabled=yes list=bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" disabled=yes list=\
    bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" disabled=yes list=\
    bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
    need this subnet before enable it" disabled=yes list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you\
    \_need this subnet before enable it" disabled=yes list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" disabled=yes \
    list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" disabled=\
    yes list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" disabled=yes list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" disabled=yes \
    list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" disabled=yes \
    list=bogons
add address=224.0.0.0/4 comment=\
    "MC, Class D, IANA # Check if you need this subnet before enable it" \
    disabled=yes list=bogons
add address=172.22.22.0/24 disabled=yes list=support
/ip firewall filter
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" \
    in-interface=WAN2 protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (1701/udp)" dst-port=\
    1701 in-interface=WAN2 protocol=udp
add action=accept chain=input comment="allow L2TP VPN (4500/udp)" dst-port=\
    4500 in-interface=WAN2 protocol=udp
add action=accept chain=input comment="allow L2TP VPN (500/udp)" dst-port=500 \
    in-interface=WAN2 protocol=udp
add action=add-src-to-address-list address-list=Syn_Flooder \
    address-list-timeout=30m chain=input comment=\
    "Add Syn Flood IP to the list" connection-limit=30,32 disabled=yes \
    protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" disabled=yes \
    src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner \
    address-list-timeout=1w chain=input comment="Port Scanner Detect" \
    disabled=yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" disabled=yes \
    src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" disabled=yes \
    jump-target=ICMP protocol=icmp
add action=drop chain=input comment="Block all access to the winbox - except t\
    o support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUP\
    PORT ADDRESS LIST" disabled=yes dst-port=8291 protocol=tcp \
    src-address-list=!support
add action=jump chain=forward comment="Jump for icmp forward flow" disabled=\
    yes jump-target=ICMP protocol=icmp
add action=drop chain=forward comment="Drop to bogon list" disabled=yes \
    dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=\
    "Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=\
    yes dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" disabled=yes \
    dst-port=25,587 protocol=tcp src-address-list=spammers
add action=accept chain=input comment="Accept DNS - UDP" disabled=yes port=53 \
    protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" disabled=yes port=53 \
    protocol=tcp
add action=accept chain=input comment="Accept to established connections" \
    connection-state=established disabled=yes
add action=accept chain=input comment="Accept to related connections" \
    connection-state=related disabled=yes
add action=accept chain=input comment="Full access to SUPPORT address list" \
    disabled=yes src-address-list=support
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS \
    RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED" disabled=yes
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" \
    disabled=yes icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" disabled=yes icmp-options=\
    0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" disabled=yes \
    icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" disabled=yes \
    icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD disabled=yes icmp-options=3:4 \
    protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" disabled=yes \
    protocol=icmp
add action=jump chain=output comment="Jump for icmp output" disabled=yes \
    jump-target=ICMP protocol=icmp
/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=\
    wan1_conn passthrough=yes
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=\
    wan2_conn passthrough=yes
add action=mark-routing chain=output connection-mark=wan1_conn \
    new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=output connection-mark=wan2_conn \
    new-routing-mark=to_wan2 passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface-list="load balance" new-connection-mark=wan1_conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
    in-interface-list="load balance" new-connection-mark=wan2_conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=wan1_conn \
    in-interface-list="load balance" new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=wan2_conn \
    in-interface-list="load balance" new-routing-mark=to_wan2 passthrough=yes
add action=accept chain=prerouting in-interface=WAN1
add action=accept chain=prerouting in-interface=WAN2
add action=mark-routing chain=prerouting new-routing-mark=to_wan2 \
    passthrough=yes src-address=192.168.0.6
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.10.0/24 src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=dst-nat chain=dstnat dst-port=8001 protocol=tcp to-addresses=\
    192.168.0.6 to-ports=8001
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=\
    192.168.0.6 to-ports=8080
add action=dst-nat chain=dstnat dst-port=5555 protocol=tcp to-addresses=\
    192.168.0.6 to-ports=5555
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.10.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=prerouting dst-address=192.168.1.0/24 src-address=\
    192.168.10.0/24
/ip route
add check-gateway=ping distance=1 gateway=WAN1 routing-mark=to_wan1
add check-gateway=ping distance=1 gateway=WAN2 routing-mark=to_wan2
add check-gateway=ping distance=1 gateway=WAN1
add check-gateway=ping distance=2 gateway=WAN2
add distance=1 dst-address=192.168.10.0/24 gateway=172.16.0.2
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name= password= profile=l2tp service=l2tp
/system clock
set time-zone-name=Europe/Athens

Router 2

Κώδικας:

/interface bridge
add arp=proxy-arp fast-forward=no name=LAN
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether8 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether9 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether10 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 max-mru=1492 max-mtu=\
    1492 name=pppoe-out1 password= user=
/interface l2tp-client
add add-default-route=yes connect-to=router 1 wan ip disabled=no \
    ipsec-secret= name=l2tp-out1 password= use-ipsec=yes \
    user=
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.253
add name=dhcp_pool1 ranges=192.168.0.2-192.168.0.254
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=dhcp_pool2 disabled=no interface=LAN lease-time=3h name=\
    dhcp1
/queue type
add kind=pcq name=PCQ_UPLOAD pcq-classifier=src-address \
    pcq-dst-address6-mask=64 pcq-rate=3500k pcq-src-address6-mask=64
add kind=pcq name=PCQ_DOWNLAOD pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-rate=7M pcq-src-address6-mask=64
add kind=pcq name=IPTV_PCQ pcq-classifier=dst-address pcq-dst-address6-mask=\
    64 pcq-limit=8000000KiB pcq-rate=9M pcq-src-address6-mask=64
set 8 pcq-rate=1M
set 9 pcq-rate=10M
/queue tree
add name=DOWNLOAD packet-mark=Client_Download parent=global queue=\
    PCQ_DOWNLAOD
add name=UPLOAD packet-mark=Client_Upload parent=global queue=PCQ_UPLOAD
add disabled=yes name="NICK IPTV" packet-mark=IPTV_NICK parent=DOWNLOAD \
    priority=1 queue=IPTV_PCQ
/interface bridge port
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=ether6
add bridge=LAN interface=ether7
add bridge=LAN interface=ether8
add bridge=LAN interface=ether9
add bridge=LAN interface=ether10
/ip address
add address=192.168.10.1/24 interface=LAN network=192.168.10.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.2-192.168.1.254 disabled=yes list=allowed_to_router
add address=172.20.0.2-172.20.0.254 disabled=yes list=allowed_to_router
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment="default configuration" \
    connection-state=established,related disabled=yes
add action=accept chain=input disabled=yes src-address-list=allowed_to_router
add action=accept chain=input disabled=yes protocol=icmp
add action=drop chain=input disabled=yes
/ip firewall mangle
add action=mark-packet chain=prerouting comment="NIKOS IPTV" disabled=yes \
    dst-port=5353-60000 new-packet-mark=IPTV_NICK passthrough=no protocol=tcp \
    src-address=192.168.1.37
add action=mark-packet chain=prerouting in-interface=LAN new-packet-mark=\
    Client_Upload passthrough=yes
add action=mark-packet chain=prerouting in-interface=pppoe-out1 \
    new-packet-mark=Client_Download passthrough=yes
/ip firewall nat
add action=accept chain=srcnat dst-address=192.168.1.0/24 src-address=\
    192.168.10.0/24
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=555 protocol=tcp to-addresses=\
    192.168.1.100 to-ports=555
add action=dst-nat chain=dstnat dst-port=8000 protocol=tcp to-addresses=\
    192.168.1.100 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8080 protocol=tcp to-addresses=\
    192.168.1.100 to-ports=8080
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.1.0/24 src-address=\
    192.168.10.0/24
add action=accept chain=prerouting dst-address=192.168.10.0/24 src-address=\
    192.168.1.0/24
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=172.16.0.1
/ip ssh
set allow-none-crypto=yes
/system clock
set time-zone-name=Europe/Athens
/system identity
set name="Pounta Router"

Ευχαριστώ πολύ.

**kostas2911** · 23-07-19, 22:44

Το πιθανότερο είναι να σου δημιουργούν το πρόβλημα τα mangles του load balancing.
Δοκιμασε με disable τα mangles.

**Smokey** · 24-07-19, 13:47

Έκοψα όλα τα mangle rules άφησα την μια WAN αλλά και πάλι το ίδιο.

**kostas2911** · 24-07-19, 22:47

Οπότε μπορείς δώσε ενα anydesk να το δούμε

**Smokey** · 25-07-19, 23:00

Σου έχω στείλει προσωπικό μήνυμα.
Ευχαριστώ.

- - - Updated - - -

Είχες δίκιο, πρόσθεσα ένα κανόνα στο mangle και έπαιξε κανονικά. Σε ευχαριστώ πολύ.

Κώδικας:

/ip firewall mangle add action=accept chain=prerouting dst-address=REMOTE ROUTER LAN IP

**macro** · 02-08-19, 13:39

μπραβο κωστα!

Θέμα: L2TP/IPSEC

Bookmarks

Bookmarks

Δικαιώματα - Επιλογές