Микртотик не пропускает L2TP VPN

Обсуждение ПО и его настройки
Ответить
abuba
Сообщения: 8
Зарегистрирован: 22 сен 2018, 08:33

Пытаюсь подключиться из локальной сети 192.168.0.0/24 к выделенному серверу. Через мобильный интернет виндовой ВПН коннектится на ура. Из локалки никак. Подозреваю что Микротик не пропускает ВПН трафик/порты.

Не подскажите как это исправить?


Настройки микротика тут
 
/interface ethernet
set [ find default-name=ether1 ] comment=Wan loop-protect=on loop-protect-disable-time=10s name=ether1-WAN
set [ find default-name=ether7 ] comment="Bridge-zavod (only port 7)"
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.40-192.168.0.200
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-office lease-time=4h name=defconf
/interface bridge port
add bridge=bridge-office comment=defconf interface=ether2
add bridge=bridge-office comment=defconf interface=ether3
add bridge=bridge-office comment=defconf interface=ether4
add bridge=bridge-office comment=defconf interface=ether5
add bridge=bridge-office comment=defconf interface=ether6
add bridge=bridge-zavod comment=defconf interface=ether7
add bridge=bridge-office comment=defconf interface=ether8
add bridge=bridge-office comment=defconf interface=ether9
add bridge=bridge-office comment=defconf interface=ether10
add bridge=bridge-office comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge-office list=LAN
add comment=defconf interface=ether1-WAN list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge-office network=192.168.0.0
add address=55.55.55.55/30 interface=ether1-WAN network=55.55.55.54
add address=10.10.30.254/24 interface=bridge-zavod network=10.10.30.0
/ip dhcp-client
add comment=defconf interface=ether1-WAN
/ip dhcp-server config
set store-leases-disk=10m
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.11,192.168.0.13 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,88.77.7.7
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall filter
add action=fasttrack-connection chain=output comment="VPN TCP" disabled=yes out-interface=bridge-office protocol=tcp src-address=\
192.168.0.1-192.168.0.254 src-port=1701
add action=fasttrack-connection chain=output comment="VPN TCP" disabled=yes out-interface=bridge-office protocol=udp src-address=\
192.168.0.1-192.168.0.254 src-port=500,4500
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="Mikrotik WAN access" in-interface=ether1-WAN protocol=tcp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=jump chain=forward comment=NVR-8000 in-interface=ether1-WAN jump-target=192.168.0.245 protocol=tcp
add action=jump chain=input comment=NVR-8000 in-interface=ether1-WAN jump-target=192.168.0.245 protocol=udp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

add action=src-nat chain=srcnat comment="VPN L2TP TCP" protocol=tcp src-port=1701 to-ports=1701
add action=src-nat chain=srcnat comment="VPN L2TP UDP" protocol=udp src-port=500 to-ports=500
add action=src-nat chain=srcnat comment="VPN L2TP UDP" protocol=udp src-port=4500 to-ports=4500
add action=src-nat chain=srcnat comment="VPN L2TP UDP" protocol=udp src-port=50 to-ports=50
add action=src-nat chain=srcnat comment="VPN L2TP UDP" protocol=udp src-port=1701 to-ports=1701
/ip route
add distance=1 gateway=55.55.55.54
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8001
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/snmp
set enabled=yes trap-community=prtg
/system clock
set time-zone-name=Asia
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN


abuba
Сообщения: 8
Зарегистрирован: 22 сен 2018, 08:33

А если так просто обьяснить? помочь как бы


Ответить