Jump to content

RB951Ui-2HnD настройка l2tp ipsec NAT и Firewall

Здравствуйте. Проблема такая: поднял l2tp ipsec сервер. Клиенты коннектятся без проблем. Видят внутренние ресурсы сети. Пинг с vpn клиента в локальную сеть проходит. Интернет подключившимся доступен. Но пинги к подключившемуся клиенту по VPN, из локальной сети не ходят. А с маршрутизатора ходят. Всю голову сломал уже. Подключающиеся по vpn и локалка с одной подсети. Вводная:

 

/ip firewall filter

add chain=input comment="Allow Ping" protocol=icmp

add chain=forward protocol=icmp

add chain=input comment="Accept established connections" connection-state=established

add chain=forward connection-state=established

add chain=input comment="Accept related connections" connection-state=related

add chain=forward connection-state=related

add action=drop chain=input comment="Drop invalid connections" connection-state=invalid

add action=drop chain=forward connection-state=invalid

add chain=input comment="Allow UDP" protocol=udp

add chain=forward protocol=udp

add chain=forward comment="Access to Internet from local network" in-interface=bridge-local src-address=192.168.1.0/24

add chain=forward comment="Access to Internet from VPN network" in-interface=all-ppp src-address=192.168.1.0/24

add chain=input comment="Access to Mikrotik only from our local network" src-address=192.168.1.0/24

add action=drop chain=input comment="All other drop" log-prefix=DROP---->

add action=drop chain=forward log-prefix=DROP_FORWARD---->

/ip firewall nat

add action=masquerade chain=srcnat comment="default configuration" log-prefix=-> out-interface=Rostelecom

/ip firewall service-port

set ftp disabled=yes

set tftp disabled=yes

set irc disabled=yes

set h323 disabled=yes

set sip disabled=yes

set pptp disabled=yes

 

/ppp secret

add comment="VPN" name=XXXXXXXXX password=XXXXXXXXXX profile=l2tp-vpn-lan

 

/ppp profile

add bridge=bridge-local dns-server=192.168.1.1 local-address=192.168.1.2 name=\

l2tp-vpn-lan only-one=no remote-address=vpn_clients_remote use-encryption=yes

 

/ip pool

add name=dhcp ranges=192.168.1.10-192.168.1.65

add name=vpn_clients_remote ranges=192.168.1.111-192.168.1.120

 

/interface bridge export

# mar/29/2015 00:27:02 by RouterOS 6.27

#

/interface bridge

add admin-mac=XX:XX:XX:XX:XX:XX arp=proxy-arp auto-mac=no mtu=1500 name=bridge-local

/interface bridge port

add bridge=bridge-local interface=ether2-master-local

add bridge=bridge-local interface=wlan1

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.