mikrotik pptp server

I have a MikroTik CCR-1036 and I'm bringing up a PPTP server on it. The result is that a client who logs in through the PPTP server doesn't see the internal network resources on the interface that faces the local network. I tried enabling proxy-arp; the result didn't change.

/ppp profile
set 1 dns-server=172.16.0.5
/ppp secret
add local-address=10.0.50.1 name=user1 password="user1" profile=default-encryption remote-address=10.0.50.2

/ip address> print

Flags: X - disabled, I - invalid, D - dynamic
#   ADDRESS            NETWORK         INTERFACE
0   ;;; default configuration
    91.216.x.x/24     91.216.x.x     ether1
1   172.16.0.17/16     172.16.0.0      ether2
6 D 10.0.50.1/32       10.0.50.2       <pptp-user1>

On the client that I tried to reach from outside, a route to the 10.0.50.0 network is configured:

10.0.50.0    255.255.255.0      172.16.0.17     172.16.0.111

Edited by svetogor82


You need to add a route to 172.16.0.0/16 for the client.

And proxy-ARP is used if you hand out an address from the internal network rather than from the tunnel network.


/ip firewall filter> print detail

Flags: X - disabled, I - invalid, D - dynamic 
0   ;;; out
    chain=output action=accept protocol=udp 

1   chain=output action=accept protocol=tcp 

2   ;;; Allow IPSec-esp
    chain=input action=accept protocol=ipsec-esp 

3   ;;; Allow IKE
    chain=input action=accept protocol=udp dst-port=500 

4   ;;; Allow IPSec-ah
    chain=input action=accept protocol=ipsec-ah 

5   ;;; icp_input
    chain=input action=accept protocol=icmp 

6   ;;; ssh
    chain=input action=accept protocol=tcp dst-port=22 

7   chain=input action=accept protocol=tcp dst-port=22 

8   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=3h dst-port=22 

9   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22 

10   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22 

11   chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 

12   ;;; www
    chain=input action=accept protocol=tcp dst-port=80 

13   chain=input action=accept protocol=tcp dst-port=443 

14   ;;; access to winbox
    chain=input action=accept protocol=tcp in-interface=ether1 dst-port=8291 

15   chain=input action=accept protocol=tcp in-interface=ether2 dst-port=8291 

16   chain=input action=accept connection-state=new protocol=tcp dst-port=8291,65522 

17   ;;; dns
    chain=input action=accept protocol=udp dst-port=53 

18   chain=input action=accept protocol=tcp in-interface=all-ethernet dst-port=53 

19   ;;; pptp
    chain=input action=accept protocol=tcp dst-port=1723 

20   ;;; drop ftp brute forcers
    chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=21 

21   chain=output action=accept protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m 

22   chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=1h content=530 Login incorrect 

23   ;;; drop telnet brute forcers
    chain=input action=drop protocol=tcp src-address-list=ftp_blacklist dst-port=23 

24   chain=output action=accept protocol=tcp content=530 Login incorrect dst-limit=1/1m,9,dst-address/1m 

25   chain=output action=add-dst-to-address-list protocol=tcp address-list=ftp_blacklist address-list-timeout=1h content=530 Login incorrect 

26   chain=input action=accept protocol=tcp dst-port=1723 

27   chain=input action=accept protocol=gre 

28   ;;; sip
    chain=input action=accept protocol=udp dst-port=5060-5070 

29   chain=input action=accept protocol=tcp dst-port=5060-5070 

30   chain=input action=accept protocol=udp dst-port=17000-30000 

31   chain=input action=accept protocol=tcp dst-port=17000-30000 

32   ;;; drop_all
    chain=input action=drop protocol=tcp in-interface=ether1 

33   chain=input action=drop protocol=udp in-interface=ether1 


The /32 mask on local-address bothers me. It seems the remote-address should fall within the mask.

And in the firewall, the nat branch is more interesting than filter; perhaps you NAT 10.0.50 when going to 172.16/16, but not on the way back.

Share on other sites
