pptp vpn - local host reachability

kamen
Post subject: pptp vpn - local host reachability | Posted: 20.03.2014 - 17:41 #106223

Hi all.

I've been struggling with a PPTP VPN for two days now. The VPN client connects fine, I can ping the MikroTik, but I can't ping past the MikroTik to a LAN IP. Likewise, from the LAN I can ping the MikroTik but not the client...
PCC with dual WAN is set up there. ARP proxy is of course enabled on the LAN interface.

I assume the problem is in the firewall. But I really have no idea where...

Code:
/ip firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
add chain=input dst-port=1723 protocol=tcp
add chain=input protocol=gre
add action=drop chain=input connection-state=invalid disabled=yes
add chain=input dst-port=53,123 in-interface=LAN protocol=udp
add chain=input dst-port=53 in-interface=LAN protocol=tcp
add chain=input in-interface=LAN src-address-list=admin_hosts
add action=drop chain=input src-address=!10.0.0.0/24
add action=log chain=forward dst-port=25 in-interface=LAN log-prefix=DROP_25 protocol=tcp src-address=!192.168.1.111
add action=drop chain=forward dst-port=25 in-interface=LAN protocol=tcp src-address=!192.168.1.111
add chain=forward connection-state=established
add chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
add chain=forward in-interface=LAN
add chain=forward dst-address=192.168.1.111 dst-port=80,443 protocol=tcp
add chain=forward dst-address=192.168.1.222 dst-port=3389 protocol=tcp
add chain=forward dst-address=192.168.1.111 dst-port=22 protocol=tcp
add chain=forward dst-address=192.168.1.111 dst-port=25 protocol=tcp
add chain=forward dst-address=192.168.1.111 dst-port=110 protocol=tcp
add chain=forward dst-address=192.168.1.111 dst-port=143 protocol=tcp
add chain=forward dst-address=192.168.1.111 dst-port=993 protocol=tcp
add chain=forward src-address=10.0.0.0/24
add action=drop chain=forward
/ip firewall mangle
add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=WAN1_conn
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=WAN2_conn
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2
add chain=prerouting dst-address=192.168.82.0/24 in-interface=LAN
add chain=prerouting dst-address=192.168.55.0/24 in-interface=LAN
add action=mark-connection chain=prerouting connection-state=new dst-port=80,443 in-interface=WAN1 new-connection-mark=WAN1_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=3389 in-interface=WAN1 new-connection-mark=WAN1_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=22 in-interface=WAN1 new-connection-mark=WAN1_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=25 in-interface=WAN1 new-connection-mark=WAN1_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=110 in-interface=WAN1 new-connection-mark=WAN1_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=143 in-interface=WAN1 new-connection-mark=WAN1_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=993 in-interface=WAN1 new-connection-mark=WAN1_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=3389 in-interface=WAN2 new-connection-mark=WAN2_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=22 in-interface=WAN2 new-connection-mark=WAN2_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=25 in-interface=WAN2 new-connection-mark=WAN2_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=110 in-interface=WAN2 new-connection-mark=WAN2_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=143 in-interface=WAN2 new-connection-mark=WAN2_conn protocol=tcp
add action=mark-connection chain=prerouting connection-state=new dst-port=993 in-interface=WAN2 new-connection-mark=WAN2_conn protocol=tcp
add action=mark-connection chain=prerouting disabled=yes dst-address=1.1.1.1 in-interface=LAN new-connection-mark=WAN1_conn
add action=mark-connection chain=prerouting disabled=yes dst-address=2.2.2.2 in-interface=LAN new-connection-mark=WAN2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=LAN new-connection-mark=WAN1_conn per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=LAN new-connection-mark=WAN2_conn per-connection-classifier=\
    both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=LAN new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=LAN new-routing-mark=to_WAN2
add action=mark-connection chain=prerouting in-interface=LAN new-connection-mark=111 protocol=tcp src-address=192.168.1.111
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=80,443 in-interface=WAN1 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=80,443 in-interface=WAN2 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=222 in-interface=WAN1 protocol=tcp to-addresses=192.168.1.222 to-ports=3389
add action=dst-nat chain=dstnat dst-port=222 in-interface=WAN2 protocol=tcp to-addresses=192.168.1.222 to-ports=3389
add action=dst-nat chain=dstnat dst-port=22 in-interface=WAN1 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=22 in-interface=WAN2 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=25 in-interface=WAN1 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=25 in-interface=WAN2 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=110 in-interface=WAN1 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=110 in-interface=WAN2 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=143 in-interface=WAN1 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=143 in-interface=WAN2 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=993 in-interface=WAN1 protocol=tcp to-addresses=192.168.1.111
add action=dst-nat chain=dstnat dst-port=993 in-interface=WAN2 protocol=tcp to-addresses=192.168.1.111
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2 to-addresses=0.0.0.0


Thanks for any ideas.


Last edited by kamen on 24.03.2014 - 15:24; edited 1 time in total
kotol
Post subject: RE: pptp vpn - local host reachability | Posted: 21.03.2014 - 07:27 #106227

Do you have action: accept in that firewall?
lukinomt
Post subject: RE: pptp vpn - local host reachability | Posted: 23.03.2014 - 13:19 #106233

Don't forget to tick PROXY ARP REQUESTS, otherwise the client doesn't know which MAC address to send the ping to...
kamen
Post subject: RE: pptp vpn - local host reachability | Posted: 24.03.2014 - 13:20 #106234

lukinomt wrote:
> Don't forget to tick PROXY ARP REQUESTS, otherwise the client doesn't know which MAC address to send the ping to...

I have that, of course...
kamen
Post subject: RE: pptp vpn - local host reachability | Posted: 24.03.2014 - 15:22 #106236

kotol wrote:
> Do you have action: accept in that firewall?

Yes, I have it there.
pixall
Post subject: pptp vpn - local host reachability | Posted: 24.03.2014 - 15:47 #106237

... PPTP isn't exactly my strong suit that I'd know inside out, but isn't it by any chance a point-to-point tunnel that doesn't carry ARP? In that case proxy ARP makes no sense, since it proxies the ARP packet into the tunnel, but the tunnel won't carry it any further?

In that case you'd need to do routing over the PPTP tunnel, i.e. set up the routing table and turn proxy ARP off..

Or instead of PPTP use e.g. EoIP, which is able to carry ARP, but there I wouldn't bother with proxy ARP either, just plain bridging of the EoIP and the Ethernet....
kamen
Post subject: pptp vpn - local host reachability | Posted: 24.03.2014 - 18:51 #106241

pixall wrote:
> ... PPTP isn't exactly my strong suit that I'd know inside out, but isn't it by any chance a point-to-point tunnel that doesn't carry ARP? In that case proxy ARP makes no sense, since it proxies the ARP packet into the tunnel, but the tunnel won't carry it any further?
>
> In that case you'd need to do routing over the PPTP tunnel, i.e. set up the routing table and turn proxy ARP off..
>
> Or instead of PPTP use e.g. EoIP, which is able to carry ARP, but there I wouldn't bother with proxy ARP either, just plain bridging of the EoIP and the Ethernet....

Proxy ARP of course has to be on the local interface.
kamen
Post subject: RE: pptp vpn - local host reachability | Posted: 24.03.2014 - 18:52 #106242

It was trivial:
/ip firewall nat add action=masquerade chain=srcnat src-address=10.0.0.0/24

Solved...
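As an added example (not from the thread), this walks the prerouting mangle rules from the first post, in order, for the echo reply of a VPN client's ping and for a LAN host's own ping to the client, to show which rule hands those packets a WAN routing mark and why the masquerade rule from the last post changes the outcome. All addresses, the PCC hash stand-in and the assumption that the to_WAN1/to_WAN2 tables only lead out the respective WAN are constructed for the model, not taken from the page.

```python
import ipaddress

# Constructed model of the router in the thread; the addresses are assumptions:
# LAN 192.168.1.0/24 (router 192.168.1.1), PPTP pool 10.0.0.0/24 (router 10.0.0.1).
LOCAL_ADDRS = {"192.168.1.1", "10.0.0.1"}
LAN = ipaddress.ip_network("192.168.1.0/24")
PPTP_POOL = ipaddress.ip_network("10.0.0.0/24")
PCC_EXEMPT = [ipaddress.ip_network(n) for n in ("192.168.82.0/24", "192.168.55.0/24")]

def in_interface(src):
    """Interface a packet with this source arrives on (assumed topology)."""
    ip = ipaddress.ip_address(src)
    return "LAN" if ip in LAN else "pptp" if ip in PPTP_POOL else "WAN1"

def pcc_both_addresses(src, dst, denominator):
    """Stand-in for RouterOS's per-connection-classifier hash (the real one
    differs); only 'same src/dst pair -> same class' matters for this walk."""
    return (int(ipaddress.ip_address(src)) + int(ipaddress.ip_address(dst))) % denominator

def mangle_prerouting(pkt, conn):
    """Walk the posted prerouting mangle rules in order for one packet.
    conn carries the connection mark shared by all packets of the flow.
    Returns the routing mark the packet leaves with (None = main table)."""
    iface, dst = in_interface(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    # Rules 1-2: plain accept for the two exempt subnets, no marking at all
    if iface == "LAN" and any(dst in net for net in PCC_EXEMPT):
        return None
    # WAN inbound tcp rules never match LAN or tunnel traffic; PCC rules decide
    if conn["mark"] is None and iface == "LAN" and pkt["dst"] not in LOCAL_ADDRS:
        cls = pcc_both_addresses(pkt["src"], pkt["dst"], 2)
        conn["mark"] = "WAN1_conn" if cls == 0 else "WAN2_conn"
    # mark-routing rules: the connection mark picks the routing table
    if iface == "LAN" and conn["mark"] == "WAN1_conn":
        return "to_WAN1"
    if iface == "LAN" and conn["mark"] == "WAN2_conn":
        return "to_WAN2"
    return None

def ping_reply_route(masquerade_vpn):
    """Routing mark of the LAN host's echo reply for 10.0.0.5 -> 192.168.1.222;
    with the srcnat masquerade the host replies to the router's own LAN address."""
    conn = {"mark": None}
    mangle_prerouting({"src": "10.0.0.5", "dst": "192.168.1.222"}, conn)  # request, via pptp
    reply_dst = "192.168.1.1" if masquerade_vpn else "10.0.0.5"
    return mangle_prerouting({"src": "192.168.1.222", "dst": reply_dst}, conn)

def lan_to_client_route():
    """Routing mark of a LAN host's own ping to the client (srcnat does not touch it)."""
    return mangle_prerouting({"src": "192.168.1.222", "dst": "10.0.0.5"}, {"mark": None})
```

Without the masquerade the reply to 10.0.0.5 is an unmarked LAN-sourced connection to a non-local address, so the PCC rules mark it and it is routed via a WAN table; with it, the reply goes to a local address and stays unmarked, which is consistent with the reported symptoms and the fix.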
Powered by PNphpBB2 © 2003-2005 The PNphpBB Group
(C) SKFree 2002-2010: Powered by POSTNUKE. You can syndicate our news in XML (RSS) format.