zyxel giga III pptp сервер+microtik pptp client

Обсуждение ПО и его настройки
Ответить
Аватара пользователя
Dominik
Сообщения: 12
Зарегистрирован: 28 янв 2017, 23:50
Контактная информация:

Здравствуйте, помогите правильно настроить:
Дома на zyxel giga III поднят pptp сервер (Начальный адрес пула: 172.16.1.1) с белым адресом XX.XX.XXX.XX
Для рабочего компа выделен в тунеле ip: 172.16.1.2, на даче еще один микротик ему выделен ip: 172.16.1.3.
На работе Mikrotik RB953U1 (hap ac lite) + 4g модем E3372 (перешит в hilink) работает через yota. Подключение к серверу есть, хочу пустить зашифрованный трафик внутренней сети через домашний белый адрес. Подскажите пожалуйста какие правила и маршруты прописать в микротике, чтобы все компьютеры видели друг друга? Заранее спасибо.


Аватара пользователя
Dominik
Сообщения: 12
Зарегистрирован: 28 янв 2017, 23:50
Контактная информация:

Вот конфиг микротика:

Код: Выделить всё

# jul/10/2018 13:08:24 by RouterOS 6.42.5
# software id = RG2W-6FVW
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = XXXXXXXXXXXXX
/interface lte
set [ find ] comment=Yota mac-address=00:00:00:00:00:00 name=lte1
/interface bridge
add comment=LAN fast-forward=no name=bridge1
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface list
add name=Bridge
add comment="contains WAN interfaces" name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp_pool ranges=192.168.2.2-192.168.2.30
/ip dhcp-server
add address-pool=dhcp_pool authoritative=after-2sec-delay disabled=no \
    interface=bridge1 lease-time=45m name=dhcp
/ppp profile
set *0 bridge=bridge1 change-tcp-mss=no use-compression=no use-encryption=yes \
    use-mpls=no use-upnp=no
set *FFFFFFFE bridge=bridge1 use-mpls=no use-upnp=no
/interface pptp-client
add allow=mschap2 comment="Private VPN" connect-to=XX.XXX.XX.XXX disabled=no \
    mrru=1600 name=pptp_home password=YYYYYYY profile=default user=ZZZZZ
/interface bridge port
add bridge=bridge1 interface=all
/interface list member
add interface=bridge1 list=Bridge
add interface=pptp_home list=WAN
add interface=lte1 list=WAN
/ip address
add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0
/ip dhcp-server lease
add address=192.168.2.22 client-id=0:00:00:00:00:00:00 mac-address=\
    00:00:00:00:00:00:00 server=dhcp
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.2.1
/ip firewall filter
add action=accept chain=output comment=pptp_home dst-address=XX.XXX.XX.XXX
add action=accept chain=input comment="defconf: ACCEPT ICMP" protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=input comment=\
    "defconf: ACCEPT established and related" connection-state=\
    established,related
add action=drop chain=input comment="defconf: DROP other input from WAN" \
    in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: Fasttrack" \
    connection-mark=!ipsec connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: ACCEPT forward established and related" connection-state=\
    established,related
add action=drop chain=forward comment="defconf: DROP Invalid connections" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: DROP from WAN using static route (not DSTNATed)" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=change-mss chain=forward in-interface=pptp_home new-mss=\
    clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn,!rst tcp-mss=\
    1453-65535
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=\
    pptp_home passthrough=yes protocol=tcp tcp-flags=syn,!rst tcp-mss=\
    1453-65535
/ip firewall nat
add action=masquerade chain=srcnat out-interface=lte1
add action=masquerade chain=srcnat out-interface=bridge1
add action=accept chain=srcnat comment="Private VPN NAT" out-interface=\
    pptp_home
/ip firewall service-port
set sip disabled=yes
/ip route
add check-gateway=ping comment="Private VPN route" distance=1 gateway=\
    pptp_home routing-mark=home-vpn
add check-gateway=ping distance=1 dst-address=172.16.1.0/24 gateway=pptp_home
/ip route rule
add dst-address=192.168.1.0/24 table=home-vpn
add dst-address=192.168.3.0/24 table=home-vpn
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl certificate=weblane disabled=no
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system ntp client
set enabled=yes primary-ntp=17.253.54.253 secondary-ntp=17.253.54.125
/system routerboard settings
set silent-boot=no
/system scheduler
/system script
/tool e-mail
сломал весь мозг уже, не пингуется с адреса 192.168.2.1 адреса 192.168.1.1 и 192.168.3.1 (хотя в web морду роутеров заходит)
в обратном направлении с 192.168.1.1 и 192.168.3.1 адрес 192.168.2.1 пингуеся без проблем


goufra
Сообщения: 24
Зарегистрирован: 29 янв 2018, 15:59

какие маршруты прописаны на микротиках ? вкладка routes


gmx
Модератор
Сообщения: 3290
Зарегистрирован: 01 окт 2012, 14:48

У кинетика не все так просто. Там по умолчанию на все входящие соединения по VPN интерфейсу включено "нельзя никому".


Аватара пользователя
Dominik
Сообщения: 12
Зарегистрирован: 28 янв 2017, 23:50
Контактная информация:

goufra писал(а): 17 июл 2018, 21:03 какие маршруты прописаны на микротиках ? вкладка routes
Изображение


Аватара пользователя
Dominik
Сообщения: 12
Зарегистрирован: 28 янв 2017, 23:50
Контактная информация:

Народ помогите разобраться: Нет доступа из сети 192.168.2.0/24 до сети 192.168.3.0/24
из сети 192.168.2.0/24 до сети сети 192.168.1.0/24 доступ есть!
из сети 192.168.1.0/24 до сети 192.168.2.0/24 и сети 192.168.3.0/24, а вот между ними 192.168.2.0/24 до сети 192.168.3.0/24 нет.
Весь мозг сломал!!!

Прилагаю мою конфигурацию
---------------------------------------------------
# feb/15/2019 18:02:19 by RouterOS 6.43.12
# software id = RG2W-6FVW
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 6CBA06D53F0A
/interface lte
set [ find ] comment=Yota mac-address=0C:5B:8F:27:9A:64 name=lte1
/interface bridge
add arp=proxy-arp comment=LAN fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether3 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=\
10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/interface pptp-client
add allow=mschap2 comment="Private VPN" connect-to=xx.xx.xx.xx disabled=no \
max-mru=1350 max-mtu=1350 name=pptp_home password=xxxxxx user=xxxxx
/interface list
add name=VPN
add name=Internet
add name=Local
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] disabled=yes
/ip pool
add name=dhcp_pool ranges=192.168.2.2-192.168.2.30
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool disabled=no interface=bridge1 \
lease-time=59m name=dhcp
/ppp profile
set *0 bridge=bridge1 change-tcp-mss=no use-compression=no use-encryption=no \
use-mpls=no use-upnp=no
set *FFFFFFFE bridge=bridge1 use-compression=no use-mpls=no use-upnp=no
/routing bgp instance
set default as=64999 disabled=yes ignore-as-path-len=yes router-id=172.16.1.2
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=Local
/interface list member
add interface=pptp_home list=VPN
add interface=lte1 list=Internet
add interface=bridge1 list=Local
/ip address
add address=192.168.2.1/24 interface=bridge1 network=192.168.2.0
/ip dhcp-server lease
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1 \
netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.2.1 name=router-mikrotik
/ip firewall address-list
add address=192.168.1.0/24 list=AdminIP
add address=192.168.3.0/24 list=AdminIP
add address=192.168.2.0/24 list=AdminIP
add address=8.8.4.4 list=dns
add address=8.8.8.8 list=dns
add address=77.88.8.8 list=dns
add address=77.88.8.1 list=dns
add address=89.255.66.53 list=dns
add address=89.255.64.7 list=dns
add address=1.11.3.201 list=rkn
add address=1.32.194.0/25 list=rkn
add address=1.32.194.195 list=rkn
add address=1.36.178.179 list=rkn
add address=1.36.236.74 list=rkn
add address=1.36.236.229 list=rkn
add address=1.36.237.118 list=rkn
add address=1.85.189.35 list=rkn
add address=1.135.251.23 list=rkn
add address=1.156.198.35 list=rkn
/ip firewall filter
add action=accept chain=forward comment=\
"defconf: Allow forward established and related" connection-state=\
established,related
add action=drop chain=forward comment="defconf: DROP Invalid connections" \
connection-state=invalid
add action=accept chain=input comment=\
"defconf: ACCEPT input established and related" connection-state=\
established,related
add action=drop chain=input comment="defconf: DROP Invalid connections" \
connection-state=invalid
add action=add-src-to-address-list address-list=ddos-blacklist \
address-list-timeout=1d chain=input comment=\
"defconf: DDoS Protect - Connection Limit" connection-limit=100,32 \
in-interface-list=Internet protocol=tcp
add action=tarpit chain=input connection-limit=3,32 protocol=tcp \
src-address-list=ddos-blacklist
add action=jump chain=forward comment="defconf: DDoS Protect - SYN Flood" \
connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=jump chain=input connection-state=new in-interface-list=Internet \
jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=return chain=SYN-Protect connection-state=new limit=200,5:packet \
protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="defconf: Protected - Ports Scanners" \
src-address-list="Port Scanners"
add action=add-src-to-address-list address-list="Port Scanners" \
address-list-timeout=none-dynamic chain=input in-interface-list=Internet \
protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="defconf: Protected - WinBox Access" \
src-address-list="Black List Winbox"
add action=add-src-to-address-list address-list="Black List Winbox" \
address-list-timeout=none-dynamic chain=input connection-state=new \
dst-port=8291 in-interface-list=Internet log=yes log-prefix=\
"BLACK WINBOX" protocol=tcp src-address-list="Winbox Stage 3"
add action=add-src-to-address-list address-list="Winbox Stage 3" \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
in-interface-list=Internet protocol=tcp src-address-list="Winbox Stage 2"
add action=add-src-to-address-list address-list="Winbox Stage 2" \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
in-interface-list=Internet protocol=tcp src-address-list="Winbox Stage 1"
add action=add-src-to-address-list address-list="Winbox Stage 1" \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
in-interface-list=Internet protocol=tcp
add action=accept chain=input dst-port=8291 in-interface-list=Internet \
protocol=tcp
add action=drop chain=input comment=\
"defconf: Protected - PPTP-VPN Connections" src-address-list=\
"Black List OpenVPN"
add action=add-src-to-address-list address-list="Black List OpenVPN" \
address-list-timeout=none-dynamic chain=input connection-state=new \
dst-port=1723 in-interface-list=Internet log=yes log-prefix="BLACK OVPN" \
protocol=tcp src-address-list="OpenVPN Stage 3"
add action=add-src-to-address-list address-list="OpenVPN Stage 3" \
address-list-timeout=1m chain=input connection-state=new dst-port=1723 \
in-interface-list=Internet protocol=tcp src-address-list=\
"OpenVPN Stage 2"
add action=add-src-to-address-list address-list="OpenVPN Stage 2" \
address-list-timeout=1m chain=input connection-state=new dst-port=1723 \
in-interface-list=Internet protocol=tcp src-address-list=\
"OpenVPN Stage 1"
add action=add-src-to-address-list address-list="OpenVPN Stage 1" \
address-list-timeout=1m chain=input connection-state=new dst-port=1723 \
in-interface-list=Internet protocol=tcp
add action=accept chain=input dst-port=1723 in-interface-list=Internet \
protocol=tcp
add action=accept chain=input comment="defconf: ACCEPT VPN Connections" \
in-interface-list=VPN
add action=accept chain=input comment="defconf: ACCEPT ICMP" \
in-interface-list=Internet limit=50/5s,2:packet protocol=icmp
add action=accept chain=input comment="defconf: Allow DNS request from LAN" \
dst-port=53 in-interface-list=Local protocol=udp
add action=accept chain=input comment=\
"defconf: Allow access for AdminIP group" src-address-list=AdminIP
add action=accept chain=forward comment="defconf: ACCEPT VPN connections" \
connection-state=established,new in-interface=bridge1 out-interface=\
pptp_home src-address=192.168.2.0/24
add action=accept chain=forward connection-state=established,related \
in-interface=pptp_home out-interface=bridge1
add action=drop chain=input comment="defconf: All other drop"
add action=fasttrack-connection chain=forward comment="defconf: Fasttrack" \
connection-state=established,related disabled=yes
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Mark Blocket Adress" \
dst-address-list=rkn new-routing-mark=rkn_mark passthrough=no \
src-address=192.168.2.2
add action=mark-routing chain=prerouting comment="Mark DNS traffic" \
dst-address-list=dns new-routing-mark=traffic_dns passthrough=no \
src-address=192.168.2.0/24
add action=change-mss chain=forward comment="Change MSS" new-mss=1300 \
out-interface-list=VPN passthrough=yes protocol=tcp tcp-flags=syn \
tcp-mss=1301-65535
/ip firewall nat
add action=masquerade chain=srcnat out-interface=lte1 src-address=\
192.168.2.0/24
add action=masquerade chain=srcnat out-interface-list=VPN src-address=\
192.168.2.0/24
add action=masquerade chain=srcnat disabled=yes dst-address-list=\
192.168.3.0/24 out-interface=pptp_home
add action=masquerade chain=srcnat disabled=yes dst-address-list=\
192.168.3.0/24 out-interface=pptp_home src-address=192.168.2.0/24
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set sctp disabled=yes
/ip ipsec policy
set 0 disabled=yes
/ip route
add comment="Telegram to VPN" distance=1 gateway=pptp_home routing-mark=\
rkn_mark
add comment="Route DNS" distance=1 gateway=pptp_home routing-mark=traffic_dns
add comment="Private VPN route" distance=1 gateway=pptp_home routing-mark=\
home-vpn
add distance=1 dst-address=172.16.1.3/32 gateway=pptp_home
add distance=1 dst-address=192.168.1.0/24 gateway=pptp_home
add distance=1 dst-address=192.168.3.0/24 gateway=pptp_home
/ip route rule
add dst-address=192.168.8.0/24 table=main
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set www-ssl certificate=weblane disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no
/routing bgp peer
add disabled=yes in-filter=dynamic-in multihop=yes name=VPS remote-address=\
89.255.94.163 remote-as=64998 ttl=default
/routing filter
add action=accept chain=dynamic-in comment="Set nexthop" protocol=bgp \
set-in-nexthop=172.16.1.33
/system clock
set time-zone-name=Asia/Krasnoyarsk
/system ntp client
set enabled=yes primary-ntp=17.253.54.253 secondary-ntp=17.253.54.125
/system scheduler
/tool mac-server
set allowed-interface-list=Local
/tool mac-server mac-winbox
set allowed-interface-list=Local

Что не так то?


Аватара пользователя
Dominik
Сообщения: 12
Зарегистрирован: 28 янв 2017, 23:50
Контактная информация:

Решение нашёл:
на роутере с адресом 192.168.2.1 (адрес в туннеле 172.16.1.2) надо было прописать

/ip route
add distance=1 dst-address=172.16.1.3/32 gateway=pptp_home

---
на роутере с адресом 192.168.3.1 (адрес в туннеле 172.16.1.3) надо было прописать

/ip route
add distance=1 dst-address=172.16.1.2/32 gateway=pptp_home

Все работает во всех направлениях!


Ответить