Не работает VPN-сервер

[alibek]

Что не так в конфигурации?

/interface bridge add arp=proxy-arp fast-forward=no name=bridge-lan
/interface ethernet
set [ find default-name=ether1 ] arp=disabled name=eth1
set [ find default-name=ether2 ] arp=disabled name=eth2
set [ find default-name=ether3 ] name=eth3
set [ find default-name=ether4 ] name=eth4
set [ find default-name=ether5 ] name=eth5
/interface vlan
add interface=eth2 name=vlan30 vlan-id=30
add interface=eth2 name=vlan100 vlan-id=100
/interface pppoe-client add add-default-route=yes interface=eth1 name=pppoe use-peer-dns=yes user=username
/interface bridge port
add bridge=bridge-lan interface=eth3
add bridge=bridge-lan interface=eth4

/ppp profile
add bridge=bridge-lan name=users only-one=yes
/ppp secret
add local-address=192.168.1.254 name=vpn1 profile=users remote-address=192.168.1.191 service=pptp
add local-address=192.168.1.254 name=vpn2 profile=users remote-address=192.168.1.192 service=pptp
/interface pptp-server server
set default-profile=users enabled=yes

/ip address
add address=AA.AA.AA.80/25 comment="GW to Public" interface=vlan100 network=AA.AA.AA.0
add address=10.1.144.3/24 comment="GW to Core" interface=vlan30 network=10.1.144.0
add address=192.168.1.254/24 interface=bridge-lan network=192.168.1.0
/ip dhcp-client add default-route-distance=100 interface=eth5

/ip firewall address-list
add address=192.168.1.0/24 list=acl-lan
add address=AA.AA.AA.95 list=acl-admin
add address=AA.AA.AA.0/25 list=acl-service
add address=10.1.128.0/24 list=acl-service
add address=192.168.1.9 list=acl-admin
add address=10.1.10.0-10.1.19.255 list=acl-network
add address=0.0.0.0/8 comment="source this" list=acl-bogon
add address=10.0.0.0/8 comment="private network" list=acl-bogon
add address=100.64.0.0/10 comment=CG-NAT list=acl-bogon
add address=127.0.0.0/8 comment="loopback addresses" list=acl-bogon
add address=169.254.0.0/16 comment="link-local subnet" list=acl-bogon
add address=172.16.0.0/12 comment="private network" list=acl-bogon
add address=192.0.0.0/24 comment=reserved list=acl-bogon
add address=192.0.2.0/24 comment="test network" list=acl-bogon
add address=192.42.172.0/24 comment=non-work list=acl-bogon
add address=192.88.99.0/24 comment="anycast relay" list=acl-bogon
add address=192.168.0.0/16 comment="private network" list=acl-bogon
add address=198.18.0.0/15 comment="test inter-network" list=acl-bogon
add address=198.51.100.0/24 comment="test network" list=acl-bogon
add address=203.0.113.0/24 comment="test network" list=acl-bogon
add address=224.0.0.0/4 comment=multicast list=acl-bogon
add address=240.0.0.0/4 comment=reserved list=acl-bogon
add address=0.0.0.0/8 list=acl-invalid
add address=127.0.0.0/8 list=acl-invalid
add address=AA.AA.AA.0/24 list=acl-monitor
add address=192.168.1.0/24 list=acl-monitor

/ip firewall filter
add action=drop chain=input comment="Self Normalization: Drop Bogons" in-interface=pppoe log=yes log-prefix="BOGONS: " src-address-list=acl-bogon
add action=drop chain=input comment="Self Normalization: Drop Bogons" in-interface=vlan100 log=yes log-prefix="BOGONS: " src-address-list=acl-bogon
add action=drop chain=input comment="Self Normalization: Drop Bogons" in-interface=eth1 log=yes log-prefix="BOGONS: " src-address-list=acl-bogon
add action=drop chain=input comment="Self Normalization: Drop Invalid" connection-state=invalid log=yes log-prefix="INVALID: "
add action=accept chain=input comment="Self Normalization: Skip Established" connection-state=established,related
add action=jump chain=input comment="Border: Allow ICMP" jump-target=icmp protocol=icmp
add action=accept chain=input comment="Border: Allow Remote" connection-state=new dst-port=8291 protocol=tcp src-address-list=acl-admin
add action=accept chain=input comment="Border: Graphs access" dst-port=80 protocol=tcp src-address-list=acl-monitor
add action=accept chain=input comment="Border: Allow LAN" connection-state="" in-interface=bridge-lan src-address-list=acl-lan
add action=accept chain=forward comment="Border: Allow PPTP" in-interface=vlan100 protocol=gre src-address-list=acl-admin
add action=accept chain=forward comment="Border: Allow PPTP" dst-port=1723 in-interface=vlan100 protocol=tcp src-address-list=acl-admin
add action=drop chain=input comment="Border: Default Policy" log=yes log-prefix="DEFAULT: "
add action=drop chain=forward comment="Drop Invalid Src" log=yes log-prefix="INVALID: " src-address-list=acl-invalid
add action=drop chain=forward comment="Drop Invalid Dst" dst-address-list=acl-invalid log=yes log-prefix="INVALID: "
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid log=yes log-prefix="INVALID: "
add action=accept chain=forward comment="Skip Established" connection-state=established,related
add action=jump chain=forward comment="Processing ICMP" jump-target=icmp protocol=icmp
add action=accept chain=forward comment="Admin access" in-interface=all-vlan src-address-list=acl-admin
add action=accept chain=forward comment="Allow LAN OUT" in-interface=bridge-lan out-interface=!bridge-lan src-address-list=acl-lan
add action=accept chain=forward comment="Allow LAN IN (RDP)" dst-port=65200-65209 in-interface=vlan100 out-interface=bridge-lan protocol=tcp src-address-list=acl-lan
add action=drop chain=forward comment="LAST RULE" log=yes log-prefix="LAST: "
add action=accept chain=output comment="Border: Limit outgoing UDP" limit=15,20:packet protocol=udp
add action=accept chain=icmp comment="ICMP: echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="ICMP: network unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="ICMP: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="ICMP: host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="ICMP: source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="ICMP: echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="ICMP: time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="ICMP: parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="ICMP: drop other" log=yes log-prefix="ICMP: "
add action=return chain=icmp comment="ICMP: continue"

/ip firewall nat
add action=masquerade chain=srcnat comment="Main Internet" out-interface=pppoe src-address-list=acl-lan
add action=masquerade chain=srcnat comment="Main subinterfaces" out-interface=all-vlan src-address-list=acl-lan
add action=masquerade chain=srcnat comment="Alt. Internet" disabled=yes out-interface=eth5 src-address-list=acl-lan

/ip route
add distance=10 dst-address=10.1.0.0/16 gateway=10.1.144.1
add distance=10 dst-address=10.102.0.0/16 gateway=10.1.144.1
add distance=10 dst-address=10.202.0.0/16 gateway=10.1.144.1
add distance=10 dst-address=AA.AA.AA.0/22 gateway=AA.AA.AA.126

Подключение не происходит, клиент долго висит на этапе подключения, потом выдает ошибку.

[boav]

8 часов назад, alibek сказал:

add action=accept chain=forward comment="Border: Allow PPTP" in-interface=vlan100 protocol=gre src-address-list=acl-admin add action=accept chain=forward comment="Border: Allow PPTP" dst-port=1723 in-interface=vlan100 protocol=tcp src-address-list=acl-admin

Почему у вас чепочка форвард а не инпут?

 

Edited May 29, 2018 by boav
на большом экране лучше видно

[alibek]

Очепятка. Сейчас поправлю.