Jump to content
Калькуляторы

RB951Ui-2HnD настройка l2tp ipsec NAT и Firewall

Здравствуйте. Проблема такая: поднял l2tp ipsec сервер. Клиенты коннектятся без проблем. Видят внутренние ресурсы сети. Пинг с vpn клиента в локальную сеть проходит. Интернет подключившимся доступен. Но пинги к подключившемуся клиенту по VPN, из локальной сети не ходят. А с маршрутизатора ходят. Всю голову сломал уже. Подключающиеся по vpn и локалка с одной подсети. Вводная:

 

/ip firewall filter

add chain=input comment="Allow Ping" protocol=icmp

add chain=forward protocol=icmp

add chain=input comment="Accept established connections" connection-state=established

add chain=forward connection-state=established

add chain=input comment="Accept related connections" connection-state=related

add chain=forward connection-state=related

add action=drop chain=input comment="Drop invalid connections" connection-state=invalid

add action=drop chain=forward connection-state=invalid

add chain=input comment="Allow UDP" protocol=udp

add chain=forward protocol=udp

add chain=forward comment="Access to Internet from local network" in-interface=bridge-local src-address=192.168.1.0/24

add chain=forward comment="Access to Internet from VPN network" in-interface=all-ppp src-address=192.168.1.0/24

add chain=input comment="Access to Mikrotik only from our local network" src-address=192.168.1.0/24

add action=drop chain=input comment="All other drop" log-prefix=DROP---->

add action=drop chain=forward log-prefix=DROP_FORWARD---->

/ip firewall nat

add action=masquerade chain=srcnat comment="default configuration" log-prefix=-> out-interface=Rostelecom

/ip firewall service-port

set ftp disabled=yes

set tftp disabled=yes

set irc disabled=yes

set h323 disabled=yes

set sip disabled=yes

set pptp disabled=yes

 

/ppp secret

add comment="VPN" name=XXXXXXXXX password=XXXXXXXXXX profile=l2tp-vpn-lan

 

/ppp profile

add bridge=bridge-local dns-server=192.168.1.1 local-address=192.168.1.2 name=\

l2tp-vpn-lan only-one=no remote-address=vpn_clients_remote use-encryption=yes

 

/ip pool

add name=dhcp ranges=192.168.1.10-192.168.1.65

add name=vpn_clients_remote ranges=192.168.1.111-192.168.1.120

 

/interface bridge export

# mar/29/2015 00:27:02 by RouterOS 6.27

#

/interface bridge

add admin-mac=XX:XX:XX:XX:XX:XX arp=proxy-arp auto-mac=no mtu=1500 name=bridge-local

/interface bridge port

add bridge=bridge-local interface=ether2-master-local

add bridge=bridge-local interface=wlan1

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this