SKFREE

Mikrotik™ Support - pptp vpn - reachability of local hosts

kamen - 20.03.2014 - 17:41
Post subject: pptp vpn - reachability of local hosts
Hi all.

I've been struggling with a PPTP VPN for two days now. The VPN client connects fine, I can ping the Mikrotik, but I can't ping through the Mikrotik to a local IP. Likewise, from the LAN I can ping the Mikrotik but not the client...
PCC with dual WAN is set up on it. ARP proxy is of course enabled on the LAN interface.

I assume the problem is in the firewall. But I really have no idea where anymore...

Code:
/ip firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-port=1723 protocol=tcp
add chain=input protocol=gre
add action=drop chain=input connection-state=invalid disabled=yes
add chain=input dst-port=53,123 in-interface=LAN protocol=udp
add chain=input dst-port=53 in-interface=LAN protocol=tcp
add chain=input in-interface=LAN src-address-list=admin_hosts
add action=drop chain=input src-address=!10.0.0.0/24
add action=log chain=forward dst-port=25 in-interface=LAN log-prefix=DROP_25 protocol=tcp src-address=!192.168.1.111
add action=drop chain=forward dst-port=25 in-interface=LAN protocol=tcp src-address=!192.168.1.111
add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
add chain=forward in-interface=LAN
add chain=forward dst-address=192.168.1.111 dst-port=80,443 protocol=tcp
add chain=forward dst-address=192.168.1.222 dst-port=3389 protocol=tcp
add chain=forward dst-address=192.168.1.111 dst-port=22 protocol=tcp
add chain=forward dst-address=192.168.1.111 dst-port=25 protocol=tcp
add chain=forward dst-address=192.168.1.111 dst-port=110 protocol=tcp
add chain=forward dst-address=192.168.1.111 dst-port=143 protocol=tcp
add chain=forward dst-address=192.168.1.111 dst-port=993 protocol=tcp
add chain=forward src-address=10.0.0.0/24
add action=drop chain=forward
/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=WAN1_conn
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=WAN2_conn
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2
add chain=prerouting dst-address=192.168.82.0/24 in-interface=LAN
add chain=prerouting dst-address=192.168.55.0/24 in-interface=LAN
add action=mark-connection chain=prerouting connection-state=new dst-port=80,443 in-interface=WAN1 new-connection-mark=WAN1_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=3389 in-interface=WAN1 new-connection-mark=WAN1_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=22 in-interface=WAN1 new-connection-mark=WAN1_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=25 in-interface=WAN1 new-connection-mark=WAN1_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=110 in-interface=WAN1 new-connection-mark=WAN1_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=143 in-interface=WAN1 new-connection-mark=WAN1_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=993 in-interface=WAN1 new-connection-mark=WAN1_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=3389 in-interface=WAN2 new-connection-mark=WAN2_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=22 in-interface=WAN2 new-connection-mark=WAN2_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=25 in-interface=WAN2 new-connection-mark=WAN2_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=110 in-interface=WAN2 new-connection-mark=WAN2_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=143 in-interface=WAN2 new-connection-mark=WAN2_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=993 in-interface=WAN2 new-connection-mark=WAN2_conn protocol=tcp
add action=mark-connection chain=prerouting disabled=yes dst-address=1.1.1.1 in-interface=LAN new-connection-mark=WAN1_conn
add action=mark-connection chain=prerouting disabled=yes dst-address=2.2.2.2 in-interface=LAN new-connection-mark=WAN2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=LAN new-connection-mark=WAN1_conn per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=LAN new-connection-mark=WAN2_conn per-connection-classifier=\
    both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=LAN new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=LAN new-routing-mark=to_WAN2
add action=mark-connection chain=prerouting in-interface=LAN new-connection-mark=111 protocol=tcp src-address=192.168.1.111
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80,443 in-interface=WAN1 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=80,443 in-interface=WAN2 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=222 in-interface=WAN1 protocol=tcp to-addresses=192.168.1.222 to-ports=3389
add action=dst-nat chain=dstnat dst-port=222 in-interface=WAN2 protocol=tcp to-addresses=192.168.1.222 to-ports=3389
add action=dst-nat chain=dstnat dst-port=22 in-interface=WAN1 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=22 in-interface=WAN2 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=25 in-interface=WAN1 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=25 in-interface=WAN2 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=110 in-interface=WAN1 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=110 in-interface=WAN2 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=143 in-interface=WAN1 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=143 in-interface=WAN2 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=993 in-interface=WAN1 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=993 in-interface=WAN2 protocol=tcp to-addresses=192.168.1.111
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2 to-addresses=0.0.0.0


Thanks for any ideas.
kotol - 21.03.2014 - 07:27
Post subject:
Do you have action: accept in that firewall?
lukinomt - 23.03.2014 - 13:19
Post subject:
Don't forget to tick PROXY ARP REQUESTS, otherwise the client doesn't know which MAC address to send the ping to...
kamen - 24.03.2014 - 13:20
Post subject:
lukinomt wrote: Don't forget to tick PROXY ARP REQUESTS, otherwise the client doesn't know which MAC address to send the ping to...

I have that, of course...
kamen - 24.03.2014 - 15:22
Post subject:
kotol wrote: Do you have action: accept in that firewall?

Yes, I have it there.
pixall - 24.03.2014 - 15:47
Post subject: pptp vpn - reachability of local hosts
... PPTP isn't my strong suit that I'd know inside out, but isn't it by any chance a point-to-point tunnel that doesn't carry ARP? In which case proxy ARP makes no sense, since it proxies the ARP packet into the tunnel, but the tunnel won't carry it any further?

In that case you'd need to do routing over the PPTP tunnel, i.e. set up the routing table and turn proxy ARP off..

Or use EoIP instead of PPTP, for example, which can carry ARP, but there I wouldn't bother with proxy ARP either, just plain bridging of EoIP and the Ethernet....
kamen - 24.03.2014 - 18:51
Post subject: pptp vpn - reachability of local hosts
pixall wrote: ... PPTP isn't my strong suit that I'd know inside out, but isn't it by any chance a point-to-point tunnel that doesn't carry ARP? In which case proxy ARP makes no sense, since it proxies the ARP packet into the tunnel, but the tunnel won't carry it any further?

In that case you'd need to do routing over the PPTP tunnel, i.e. set up the routing table and turn proxy ARP off..

Or use EoIP instead of PPTP, for example, which can carry ARP, but there I wouldn't bother with proxy ARP either, just plain bridging of EoIP and the Ethernet....

proxy-arp of course has to be on the local interface.
kamen - 24.03.2014 - 18:52
Post subject:
It was trivial:
/ip firewall nat add action=masquerade chain=srcnat src-address=10.0.0.0/24

Solved...
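Why the masquerade rule fixes it can be read off the posted mangle chain: a LAN host's reply to a 10.0.0.x client enters on LAN with a non-local destination, so it matches the per-connection-classifier mark-connection rules, receives a WAN routing mark, and leaves via a WAN routing table instead of the PPTP interface. Masquerading the pool makes the reply's destination the router's own LAN address (dst-address-type=local), which the PCC rules skip. The checker below is an added example, not code from the thread or from MikroTik: it parses a RouterOS export and reports when the VPN pool is neither exempted from PCC marking nor masqueraded. It assumes the PPTP client pool is 10.0.0.0/24, as the posted rules suggest; the exemption rule it also accepts is an assumed alternative modelled on the accept rules for 192.168.82.0/24 and 192.168.55.0/24 already in the posted chain. The sample export is constructed from a subset of the posted rules.

```python
"""Lint a RouterOS /ip firewall export for the PPTP-over-PCC trap from the
thread: LAN replies to VPN clients get caught by the LAN-side PCC
mark-connection rules and routed out a WAN table instead of the tunnel.

Added example, not code from the original posts. Assumes the VPN client
pool is 10.0.0.0/24 (the subnet the posted rules reference).
"""

import shlex

VPN_POOL = "10.0.0.0/24"  # assumed PPTP client pool


def parse_export(text):
    """Parse export text into a list of (table, rule) pairs.

    A line such as ``/ip firewall mangle`` selects the table, every
    ``add k=v k=v ...`` line becomes a dict, and a trailing backslash
    continues a rule on the next line, as the export format does.
    """
    rules, table, pending = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            pending += line[:-1]
            continue
        line, pending = pending + line, ""
        if line.startswith("/"):
            table = line.lstrip("/").strip()
        elif line.startswith("add "):
            rule = {}
            for token in shlex.split(line[4:]):
                key, _, value = token.partition("=")
                rule[key] = value
            rules.append((table, rule))
    return rules


def is_active(rule):
    return rule.get("disabled", "no") != "yes"


def pcc_marks_vpn_replies(rules):
    """True if a LAN-side PCC rule would mark LAN-to-VPN replies.

    Walks mangle/prerouting in order: an accept for dst-address=VPN_POOL
    that precedes the first per-connection-classifier mark-connection rule
    takes those replies out of the marking path (no action means accept).
    """
    for table, r in rules:
        if (table != "ip firewall mangle" or r.get("chain") != "prerouting"
                or not is_active(r)):
            continue
        if r.get("action", "accept") == "accept" and r.get("dst-address") == VPN_POOL:
            return False
        if r.get("action") == "mark-connection" and "per-connection-classifier" in r:
            return True
    return False


def vpn_pool_is_masqueraded(rules):
    """True if a srcnat rule rewrites the source of traffic from the pool,
    so LAN hosts reply to the router's own (local) address instead."""
    for table, r in rules:
        if table != "ip firewall nat" or r.get("chain") != "srcnat" or not is_active(r):
            continue
        if r.get("action") in ("masquerade", "src-nat") and r.get("src-address") == VPN_POOL:
            return True
    return False


def lint(text):
    """Return a list of findings; an empty list means the export passes."""
    rules = parse_export(text)
    findings = []
    if pcc_marks_vpn_replies(rules) and not vpn_pool_is_masqueraded(rules):
        findings.append(
            f"LAN replies to {VPN_POOL} are PCC-marked and leave via a WAN routing "
            f"table; accept dst-address={VPN_POOL} in mangle prerouting before the "
            f"PCC rules, or masquerade src-address={VPN_POOL} in srcnat")
    return findings


# Constructed sample: the relevant subset of the export posted in the thread.
POSTED_EXPORT = """\
/ip firewall mangle
add chain=prerouting dst-address=192.168.82.0/24 in-interface=LAN
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=LAN new-connection-mark=WAN1_conn per-connection-classifier=\\
    both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=LAN new-connection-mark=WAN2_conn per-connection-classifier=\\
    both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=LAN new-routing-mark=to_WAN1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2 to-addresses=0.0.0.0
"""

# The fix the poster applied: masquerade the VPN pool.
FIX_MASQUERADE = "/ip firewall nat\nadd action=masquerade chain=srcnat src-address=10.0.0.0/24\n"

# Assumed alternative, modelled on the 192.168.82.0/24 accept in the posted
# chain: exempt the pool from PCC marking. On a live router this rule must
# sit above the PCC rules (e.g. add it with place-before=0).
FIX_EXEMPT = "/ip firewall mangle\nadd chain=prerouting dst-address=10.0.0.0/24 in-interface=LAN action=accept\n"

if __name__ == "__main__":
    for label, cfg in (("as posted", POSTED_EXPORT),
                       ("with masquerade", POSTED_EXPORT + FIX_MASQUERADE),
                       ("with PCC exemption", FIX_EXEMPT + POSTED_EXPORT)):
        print(label, "->", lint(cfg) or "ok")
```

Running it as a script prints a finding for the export as posted and "ok" for either fix. The two fixes are not equivalent: masquerading the pool makes every VPN client appear to LAN hosts as the router's LAN address, so per-client filtering on the LAN side and the client's real address in server logs are lost, while the PCC exemption keeps the original source address and only stops the reply from being routed out a WAN.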