RainBoy Posted March 12, 2014 · Report post Добрый день. Есть задача - Дома кабельный интернет. На коробке настроен DDNS и проброс всех портов на Mikrotik RB2011UAS-2HnD-IN IP железки - 192.168.60.10; IP входящего порта на Mikrotik - 192.168.60.20 Mikrotik натсроен как WiFi роутер с сетью 192.168.70.0/24; Gateway для сети - 192.168.70.10 Поднят Web Proxy на 192.168.70.10; Также поднят PPTP сервер на 192.168.80.1 Задача - подключиться снаружи (из интернета) к PPTP и достучаться до Web Server На текущий момент не могу подключиться к PPTP, зависает на проверки имени и пароля. При этом подключается нормально, если я подключаюсь из локальной сети 192.168.70.0/24 Помогите настроить файрволл и проброс PPTP портов с 192.168.60.20 на 192.168.70.10 Возможно, стоит поднять PPTP в 192.168.60.0 и ничего не пробрасывать? Как потом достучаться до Web сервера? Спасибо! Share this post Link to post Share on other sites
RainBoy Posted March 19, 2014 · Report post Все настроил, но появилась другая проблема Не могу скачивать большие файлы через PPTP VPN и Web Proxy - например, видео YouTube или дистирибутив Зависает закачка, куда копать? Share this post Link to post Share on other sites
SOFTOLAB Posted March 20, 2014 · Report post RainBoy, вы бы конфиг выложили, тогда и конструктивные ответы возможно появились бы. Share this post Link to post Share on other sites
RainBoy Posted March 22, 2014 · Report post [admin@MikroTik] > export # mar/21/2014 23:08:30 by RouterOS 6.10 # software id = NHT6-PNSJ # /interface bridge add l2mtu=1598 name=bridge2 /interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states" \ disabled=no l2mtu=2290 mode=ap-bridge ssid=RainBoyWiFi wireless-protocol=\ 802.11 /interface pptp-server add disabled=yes name=pptp-in1 user=Alex /interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk group-ciphers=\ tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm \ wpa-pre-shared-key= wpa2-pre-shared-key= /ip hotspot user profile set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \ mac-cookie-timeout=3d /ip ipsec proposal set [ find default=yes ] enc-algorithms=3des,aes-128-cbc pfs-group=none /ip pool add name=dhcp ranges=192.168.70.100-192.168.70.250 add name="vpn pool" ranges=192.168.80.2-192.168.80.220 /ip dhcp-server add address-pool=dhcp disabled=no lease-time=10m name=default add address-pool=dhcp disabled=no interface=ether2 name=dhcp1 add address-pool=dhcp disabled=no interface=bridge2 name=dhcp2 /port set 0 name=serial0 /ppp profile set 0 bridge=bridge2 dns-server=8.8.8.8 local-address=192.168.80.1 \ remote-address="vpn pool" wins-server=8.8.4.4 set 1 bridge=bridge2 dns-server=8.8.8.8,8.8.4.4 local-address=192.168.80.1 \ remote-address="vpn pool" use-compression=yes use-encryption=required \ use-mpls=yes use-vj-compression=yes /interface bridge port add bridge=bridge2 interface=ether2 add bridge=bridge2 interface=ether3 add bridge=bridge2 interface=ether4 add bridge=bridge2 interface=ether5 add bridge=bridge2 interface=ether6 add bridge=bridge2 interface=ether7 add bridge=bridge2 interface=ether8 add bridge=bridge2 interface=ether9 add bridge=bridge2 interface=ether10 add bridge=bridge2 interface=wlan1 add bridge=bridge2 interface=sfp1 /interface bridge settings set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \ use-ip-firewall-for-vlan=yes /interface l2tp-server server set enabled=yes /interface pptp-server server set enabled=yes /interface sstp-server server set default-profile=default-encryption /ip address add address=192.168.70.10/24 interface=ether2 network=192.168.70.0 /ip dhcp-client add dhcp-options=hostname,clientid disabled=no interface=ether1 /ip dhcp-server network add address=192.168.60.0/24 gateway=192.168.60.20 netmask=24 add address=192.168.70.0/24 gateway=192.168.70.10 netmask=24 /ip dns set servers=65.32.5.111,65.32.5.75,65.32.5.112,65.32.5.11 /ip firewall filter add chain=input disabled=yes add chain=input protocol=icmp add chain=input dst-port=1723 protocol=tcp add chain=input protocol=gre add chain=input connection-state=established /ip firewall nat add action=dst-nat chain=dstnat dst-address=192.168.60.20 dst-port=1723 \ protocol=tcp to-addresses=192.168.80.1 to-ports=1723 add action=dst-nat chain=dstnat dst-address=192.168.60.20 protocol=gre \ to-addresses=192.168.80.1 add action=src-nat chain=srcnat dst-address=192.168.80.1 dst-port=1723 \ protocol=tcp to-addresses=192.168.70.10 to-ports=0-65535 add action=src-nat chain=srcnat dst-address=192.168.80.1 protocol=gre \ to-addresses=192.168.70.10 add action=masquerade chain=srcnat out-interface=ether1 to-addresses=0.0.0.0 /ip ipsec peer add enc-algorithm=3des exchange-mode=main-l2tp generate-policy=port-override \ nat-traversal=yes secret= /ip proxy set cache-administrator="" cache-on-disk=yes enabled=yes max-cache-size=none \ max-client-connections=1000 max-server-connections=1000 parent-proxy=\ 0.0.0.0 serialize-connections=yes /ip route add disabled=yes distance=1 gateway=173.170.64.1 add distance=1 dst-address=192.168.1.0/24 gateway="(unknown)" /ip service set ftp disabled=yes /ip upnp set allow-disable-external-interface=no enabled=yes /lcd interface set sfp1 interface=sfp1 set ether1 interface=ether1 set ether2 interface=ether2 set ether3 interface=ether3 set ether4 interface=ether4 set ether5 interface=ether5 set ether6 interface=ether6 set ether7 interface=ether7 set ether8 interface=ether8 set ether9 interface=ether9 set ether10 interface=ether10 set wlan1 interface=wlan1 /ppp secret add name=Alex password= service=pptp add name=OpenVPN /system clock set time-zone-name=America/New_York /system ntp client set enabled=yes mode=unicast primary-ntp=66.187.233.4 secondary-ntp=\ 213.249.66.35 /system scheduler add interval=1m name=dynDNS on-event="/system script run dynDNS" policy=\ reboot,read,write,policy,test,password,sniff,sensitive start-time=startup /system script add name=dynDNS policy=reboot,read,write,policy,test,password,sniff,sensitive \ source="#:global theinterface \"ether1-gateway\"\ \n# Set needed variables\ \n:local username \"RainBoy\"\ \n:local password \"\"\ \n:local hostname \"\"\ \n\ \n:global dyndnsForce\ \n:global previousIP\ \n\ \n# print some debug info \ \n:log info (\"UpdateDynDNS: username = \$username\")\ \n:log info (\"UpdateDynDNS: hostname = \$hostname\")\ \n:log info (\"UpdateDynDNS: previousIP = \$previousIP\")\ \n\ \n# get the current IP address from the internet (in case of double-nat)\ \n/tool fetch mode=http address=\"checkip.dyndns.org\" src-path=\"/\" dst-\ path=\"/dyndns.checkip.html\"\ \n:local result [/file get dyndns.checkip.html contents]\ \n\ \n# parse the current IP result\ \n:local resultLen [:len \$result]\ \n:local startLoc [:find \$result \": \" -1]\ \n:set startLoc (\$startLoc + 2)\ \n:local endLoc [:find \$result \"</body>\" -1]\ \n:local currentIP [:pick \$result \$startLoc \$endLoc]\ \n:log info \"UpdateDynDNS: currentIP = \$currentIP\"\ \n\ \n# Remove the # on next line to force an update every single time - usefu\ l for debugging, but you could end up getting blacklisted by DynDNS!\ \n#:set dyndnsForce true\ \n\ \n# Determine if dyndns update is needed\ \n# more dyndns updater request details available at http://www.dyndns.com\ /developers/specs/syntax.html\ \n:if ((\$currentIP != \$previousIP) || (\$dyndnsForce = true)) do={\ \n :set dyndnsForce false\ \n :set previousIP \$currentIP\ \n /tool fetch user=\$username password=\$password mode=http address=\"\ members.dyndns.org\" src-path=\"/nic/update\?hostname=\$hostname&myip=\$cu\ rrentIP\" dst-path=\"/dyndns.txt\"\ \n :local result [/file get dyndns.txt contents]\ \n :log info (\"UpdateDynDNS: Dyndns update needed\")\ \n :log info (\"UpdateDynDNS: Dyndns Update Result: \".\$result)\ \n :put (\"Dyndns Update Result: \".\$result)\ \n} else={\ \n :log info (\"UpdateDynDNS: No dyndns update needed\")\ \n}" [admin@MikroTik] > Я также не могу достучаться до устройств в сети дома при работе через VPN Маршрут прописал в системе как route add 192.168.70.10 mask 255.255.255.0 192.168.80.1 Share this post Link to post Share on other sites
