
Настройка Mikrotik RB2011UAS-2HnD-IN - PPTP VPN + Web Proxy

Добрый день.

Есть задача -

Дома кабельный интернет. На коробке настроен DDNS и проброс всех портов на Mikrotik RB2011UAS-2HnD-IN

IP железки - 192.168.60.10; IP входящего порта на Mikrotik - 192.168.60.20

Mikrotik настроен как WiFi роутер с сетью 192.168.70.0/24; Gateway для сети - 192.168.70.10

Поднят Web Proxy на 192.168.70.10; Также поднят PPTP сервер на 192.168.80.1

 

Задача - подключиться снаружи (из интернета) к PPTP и достучаться до Web Server

 

На текущий момент не могу подключиться к PPTP, зависает на проверке имени и пароля. При этом подключается нормально, если я подключаюсь из локальной сети 192.168.70.0/24

 

Помогите настроить файрволл и проброс PPTP портов с 192.168.60.20 на 192.168.70.10. Возможно, стоит поднять PPTP в 192.168.60.0 и ничего не пробрасывать? Как потом достучаться до Web сервера?

 

Спасибо!


Все настроил, но появилась другая проблема

Не могу скачивать большие файлы через PPTP VPN и Web Proxy - например, видео YouTube или дистрибутив

Зависает закачка, куда копать?


RainBoy, вы бы конфиг выложили, тогда и конструктивные ответы возможно появились бы.


[admin@MikroTik] > export

# mar/21/2014 23:08:30 by RouterOS 6.10

# software id = NHT6-PNSJ

#

# NOTE(review): /export of the RB2011 as posted in the thread. The poster says
# the upstream cable box forwards every port to this router, so whatever the
# router accepts on its own input chain is reachable from the Internet. The
# NOTE(review) comments below mark the settings a defender should look at first.
# The blank line after every statement is an artifact of how the post was pasted.
/interface bridge

add l2mtu=1598 name=bridge2

/interface wireless

set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states" \

disabled=no l2mtu=2290 mode=ap-bridge ssid=RainBoyWiFi wireless-protocol=\

802.11

/interface pptp-server

add disabled=yes name=pptp-in1 user=Alex

# NOTE(review): tkip is still allowed for both group and unicast ciphers; it is
# deprecated, and aes-ccm alone is the stronger setting if every client supports
# it. Both pre-shared keys print empty here - confirm whether the export is
# hiding them or the profile really has no key.
/interface wireless security-profiles

set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\

tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm \

wpa-pre-shared-key= wpa2-pre-shared-key=

/ip hotspot user profile

set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \

mac-cookie-timeout=3d

# NOTE(review): 3des is offered next to aes-128-cbc (and again as the peer's
# enc-algorithm further down); 3DES is weak by current standards - keep aes
# only unless a specific legacy client needs it.
/ip ipsec proposal

set [ find default=yes ] enc-algorithms=3des,aes-128-cbc pfs-group=none

/ip pool

add name=dhcp ranges=192.168.70.100-192.168.70.250

add name="vpn pool" ranges=192.168.80.2-192.168.80.220

/ip dhcp-server

add address-pool=dhcp disabled=no lease-time=10m name=default

add address-pool=dhcp disabled=no interface=ether2 name=dhcp1

add address-pool=dhcp disabled=no interface=bridge2 name=dhcp2

/port

set 0 name=serial0

# NOTE(review): profile 0 (presumably the built-in "default" profile) does not
# set use-encryption, so a client on it can negotiate an unencrypted PPP
# session; only profile 1 (use-encryption=required) enforces it. The
# pptp-server below does not pin default-profile, so profile 0 is likely what
# PPTP clients get - verify which profile each /ppp secret lands on. PPTP's own
# authentication (MS-CHAPv2/MPPE) is also considered broken; the L2TP/IPsec and
# SSTP servers already configured here are the stronger options.
/ppp profile

set 0 bridge=bridge2 dns-server=8.8.8.8 local-address=192.168.80.1 \

remote-address="vpn pool" wins-server=8.8.4.4

set 1 bridge=bridge2 dns-server=8.8.8.8,8.8.4.4 local-address=192.168.80.1 \

remote-address="vpn pool" use-compression=yes use-encryption=required \

use-mpls=yes use-vj-compression=yes

/interface bridge port

add bridge=bridge2 interface=ether2

add bridge=bridge2 interface=ether3

add bridge=bridge2 interface=ether4

add bridge=bridge2 interface=ether5

add bridge=bridge2 interface=ether6

add bridge=bridge2 interface=ether7

add bridge=bridge2 interface=ether8

add bridge=bridge2 interface=ether9

add bridge=bridge2 interface=ether10

add bridge=bridge2 interface=wlan1

add bridge=bridge2 interface=sfp1

/interface bridge settings

set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \

use-ip-firewall-for-vlan=yes

/interface l2tp-server server

set enabled=yes

/interface pptp-server server

set enabled=yes

/interface sstp-server server

set default-profile=default-encryption

/ip address

add address=192.168.70.10/24 interface=ether2 network=192.168.70.0

/ip dhcp-client

add dhcp-options=hostname,clientid disabled=no interface=ether1

/ip dhcp-server network

add address=192.168.60.0/24 gateway=192.168.60.20 netmask=24

add address=192.168.70.0/24 gateway=192.168.70.10 netmask=24

# NOTE(review): allow-remote-requests is not listed, so it should still be at
# its default (off) - keep it that way; with the input chain open as it is
# below, an enabled resolver would be reachable from the Internet.
/ip dns

set servers=65.32.5.111,65.32.5.75,65.32.5.112,65.32.5.11

# NOTE(review): every rule here accepts (no action= means accept) and there is
# no closing drop, so with RouterOS's default of accepting unmatched traffic the
# input chain is effectively open. Given the all-ports forward from the cable
# box, that exposes the web proxy enabled below (on its default port unless
# changed; the port is not in this export), UPnP, and the management services -
# only ftp is disabled under /ip service, so www/telnet/ssh/winbox/api are
# presumably still at their default of enabled. The first rule is also a
# disabled catch-all with no matcher; enabling it would accept everything before
# the rest is evaluated. The usual close is "add chain=input action=drop" after
# the accept rules (and connection-state=established,related on the keep-state
# rule). There is no forward chain at all, so nothing between the Internet, the
# VPN pool and the LAN is filtered either.
/ip firewall filter

add chain=input disabled=yes

add chain=input protocol=icmp

add chain=input dst-port=1723 protocol=tcp

add chain=input protocol=gre

add chain=input connection-state=established

# NOTE(review): as these rules read, the two src-nat entries rewrite the source
# of inbound PPTP/GRE to 192.168.70.10 before it reaches the PPTP server at
# 192.168.80.1, so ppp logs and active-session lists will show every remote
# client as the router's own LAN address - worth knowing before relying on
# those logs to tell clients apart.
/ip firewall nat

add action=dst-nat chain=dstnat dst-address=192.168.60.20 dst-port=1723 \

protocol=tcp to-addresses=192.168.80.1 to-ports=1723

add action=dst-nat chain=dstnat dst-address=192.168.60.20 protocol=gre \

to-addresses=192.168.80.1

add action=src-nat chain=srcnat dst-address=192.168.80.1 dst-port=1723 \

protocol=tcp to-addresses=192.168.70.10 to-ports=0-65535

add action=src-nat chain=srcnat dst-address=192.168.80.1 protocol=gre \

to-addresses=192.168.70.10

add action=masquerade chain=srcnat out-interface=ether1 to-addresses=0.0.0.0

# NOTE(review): main-l2tp peer with 3des and a secret that prints empty here;
# confirm the PSK is actually set (the export may be hiding it) and that 3des
# is still needed. This is presumably the peer the enabled L2TP server uses.
/ip ipsec peer

add enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override \

nat-traversal=yes secret=

# NOTE(review): no /ip proxy access rules appear in this export, so anyone who
# can reach the proxy can use it; together with the open input chain above
# that is an open proxy from the Internet until the firewall closes it.
/ip proxy

set cache-administrator="" cache-on-disk=yes enabled=yes max-cache-size=none \

max-client-connections=1000 max-server-connections=1000 parent-proxy=\

0.0.0.0 serialize-connections=yes

/ip route

add disabled=yes distance=1 gateway=173.170.64.1

add distance=1 dst-address=192.168.1.0/24 gateway="(unknown)"

# NOTE(review): only ftp is turned off; with the input chain open, the remaining
# services are reachable from outside. Restricting each to the LAN/VPN ranges
# (the address= parameter) or disabling the unused ones is the cheap mitigation.
/ip service

set ftp disabled=yes

# NOTE(review): UPnP is enabled, but no /ip upnp interfaces entry appears in
# this export, so it may be inert; disable it unless something on the LAN needs
# it, since it lets any LAN host open ports on the router.
/ip upnp

set allow-disable-external-interface=no enabled=yes

/lcd interface

set sfp1 interface=sfp1

set ether1 interface=ether1

set ether2 interface=ether2

set ether3 interface=ether3

set ether4 interface=ether4

set ether5 interface=ether5

set ether6 interface=ether6

set ether7 interface=ether7

set ether8 interface=ether8

set ether9 interface=ether9

set ether10 interface=ether10

set wlan1 interface=wlan1

# NOTE(review): both passwords print empty (possibly hidden by the export -
# confirm on the box). "OpenVPN" has no service= and so falls back to the
# default of any service; if it is a leftover, remove it.
/ppp secret

add name=Alex password= service=pptp

add name=OpenVPN

/system clock

set time-zone-name=America/New_York

/system ntp client

set enabled=yes mode=unicast primary-ntp=66.187.233.4 secondary-ntp=\

213.249.66.35

# NOTE(review): this scheduler and the script below both run with nearly every
# policy (reboot, policy, password, sniff, sensitive) once a minute, while the
# script only uses /tool fetch, /file get and :log. Trim the policy list to the
# minimum that still runs (read,write,test is usually enough for fetch - verify
# on this release).
/system scheduler

add interval=1m name=dynDNS on-event="/system script run dynDNS" policy=\

reboot,read,write,policy,test,password,sniff,sensitive start-time=startup

# NOTE(review): the script embeds the DynDNS credentials in its source (the
# username is visible; the password prints blank here, possibly redacted by the
# poster), so they appear in every export, and it sends them with mode=http,
# i.e. in cleartext, on every update. Use mode=https where this release's fetch
# supports it (and check-certificate=yes on releases that have it), and see the
# scheduler note above about the policy list.
/system script

add name=dynDNS policy=reboot,read,write,policy,test,password,sniff,sensitive \

source="#:global theinterface \"ether1-gateway\"\

\n# Set needed variables\

\n:local username \"RainBoy\"\

\n:local password \"\"\

\n:local hostname \"\"\

\n\

\n:global dyndnsForce\

\n:global previousIP\

\n\

\n# print some debug info \

\n:log info (\"UpdateDynDNS: username = \$username\")\

\n:log info (\"UpdateDynDNS: hostname = \$hostname\")\

\n:log info (\"UpdateDynDNS: previousIP = \$previousIP\")\

\n\

\n# get the current IP address from the internet (in case of double-nat)\

\n/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" dst-\

path=\"/dyndns.checkip.html\"\

\n:local result [/file get dyndns.checkip.html contents]\

\n\

\n# parse the current IP result\

\n:local resultLen [:len \$result]\

\n:local startLoc [:find \$result \": \" -1]\

\n:set startLoc (\$startLoc + 2)\

\n:local endLoc [:find \$result \"</body>\" -1]\

\n:local currentIP [:pick \$result \$startLoc \$endLoc]\

\n:log info \"UpdateDynDNS: currentIP = \$currentIP\"\

\n\

\n# Remove the # on next line to force an update every single time - usefu\

l for debugging, but you could end up getting blacklisted by DynDNS!\

\n#:set dyndnsForce true\

\n\

\n# Determine if dyndns update is needed\

\n# more dyndns updater request details available at http://www.dyndns.com\

/developers/specs/syntax.html\

\n:if ((\$currentIP != \$previousIP) || (\$dyndnsForce = true)) do={\

\n :set dyndnsForce false\

\n :set previousIP \$currentIP\

\n /tool fetch user=\$username password=\$password mode=http address=\"\

members.dyndns.org\" src-path=\"/nic/update\?hostname=\$hostname&myip=\$cu\

rrentIP\" dst-path=\"/dyndns.txt\"\

\n :local result [/file get dyndns.txt contents]\

\n :log info (\"UpdateDynDNS: Dyndns update needed\")\

\n :log info (\"UpdateDynDNS: Dyndns Update Result: \".\$result)\

\n :put (\"Dyndns Update Result: \".\$result)\

\n} else={\

\n :log info (\"UpdateDynDNS: No dyndns update needed\")\

\n}"

[admin@MikroTik] >

 

Я также не могу достучаться до устройств в сети дома при работе через VPN

Маршрут прописал в системе как route add 192.168.70.10 mask 255.255.255.0 192.168.80.1

