[ Ivica Vujović @ 16.09.2014. 15:47 ] @
Zdravo svima, Imam mali problem sa tikom Mikrotik RB2011UiAS-2HnD. Na njemu su dva WAN linka. Jedan ADSL (nije u bridge modu, vec je nakacen na lan interfejsa adsl rutera) a drugi je optika sa 10ak dmz adresa. Kod DMZ-a sam jednu adresu proglasio za rutabilnu i dodelio je jednom interfejsu. U principu sve radi ok, sem sto spolja ne mogu da pristupim ruteru preko winbox-a ili cega vec i ne mogu da namestim VPN ka njemu. Tacnije namestim VPN, nakacim se kako treba ali ne uspevam da prodjem "unutra". ADSL link je primaran a optika je sekundaran link i link koji se koristi za VPN tj treba da se koristi za to. Trenutno imam i neke servise koji idu preko optike (sto preko DMZ adresa sto direktno preko optickog WAN linka) i sve sljaka kako valja. Cak sam privremeno postavio VPN server iznutra kako bih omogucio pristup lokalnoj mrezi (na jednoj od DMZ adresa) i to radi ok. Zapravo sve je ok osim pristupa ruteru u input chain-u. Ovo ponasanje je identicno u oba slucaja - i sa povezanim primarnim linkom i bez. Sem sto u slucaju da sklonim primarni link mogu da pristupam winbox portu ali i dalje mi ne radi VPN pristup unutra. Ima li neko ideju sta bi moglo da bude u pitanju? 
Evo i konfiga: Code:
# Review notes (NOTE(review)) are comments only; no command below is changed.
/interface bridge
# NOTE(review): the PPTP pool (192.168.20.220-230) lies inside the LAN /24 that sits on
# this bridge, but no arp=proxy-arp is set here, so LAN hosts have no way to resolve
# VPN peers -- that matches "VPN connects but cannot reach the inside". Consider
# `arp=proxy-arp` on bridge-local -- TODO confirm on the device.
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no l2mtu=1598 name=bridge-local
add l2mtu=2290 name=bridgeWLAN protocol-mode=none
add name=bridgeWLANGuest protocol-mode=none
/interface ethernet
set [ find default-name=ether3 ] name=DMZ
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=\
    ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
    ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=\
    ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=\
    ether10-slave-local
/interface wireless
set [ find default-name=wlan1 ] disabled=no ht-rxchains=0 ht-txchains=0 \
    l2mtu=2290 mode=ap-bridge ssid=MYWIFI
/interface pptp-server
add name="VPN server MYcompany" user=""
/ip neighbor discovery
# NOTE(review): discovery is switched off on WAN1 only; WAN2 (fiber) still answers
# neighbor discovery toward the provider segment.
set WAN1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys wpa2-pre-shared-key=zzzzzzzzzzzzzz
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    GuestProfile wpa2-pre-shared-key=xxxxxxxxxxxxxxx
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    management-protection=allowed name=hotspot supplicant-identity=""
/interface wireless
add disabled=no l2mtu=2290 mac-address=4E:5E:0C:44:ED:27 master-interface=\
    wlan1 name=wlan2 security-profile=hotspot ssid=MYWIFIHS wds-cost-range=0 \
    wds-default-cost=0
/ip dhcp-server
# NOTE(review): DHCPGuests has no address-pool and bridgeWLANGuest has no IP address
# below, so the guest WLAN (192.168.22.0/24 network entry) looks unfinished.
add disabled=no interface=bridgeWLANGuest name=DHCPGuests
/ip hotspot profile
add hotspot-address=10.5.50.1 login-by=http-chap name=hsprof1 use-radius=yes
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d shared-users=10
/ip ipsec proposal
# NOTE(review): 3DES is a legacy cipher; only a template policy exists below, so the
# practical impact is small until IPsec is actually used.
set [ find default=yes ] enc-algorithms=3des
/ip pool
# NOTE(review): default-dhcp (192.168.88.x) and the "router" static DNS entry are
# leftovers of the factory config and are not used by any address here.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name="VPN adrese" ranges=192.168.20.220-192.168.20.230
add name=WLANPool ranges=192.168.23.50-192.168.23.250
add name=hs-pool-18 ranges=10.5.50.2-10.5.50.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-local name=default
add address-pool=WLANPool disabled=no interface=bridgeWLAN name=DHCP4LAN
# NOTE(review): dhcp1 has no interface; presumably a leftover.
add address-pool=hs-pool-18 disabled=no lease-time=1h name=dhcp1
add address-pool=hs-pool-18 disabled=no interface=wlan2 lease-time=1h name=\
    dhcp2
/ip hotspot
add address-pool=hs-pool-18 disabled=no interface=wlan2 name=hotspot1 \
    profile=hsprof1
/port
set 0 name=serial0
/ppp profile
# NOTE(review): this profile is named "VPN profil", but the PPTP server and the
# secret below reference "VPN profile"; if that is not an anonymisation typo, the
# server is not using this profile at all -- verify. use-encryption=no also lets
# clients negotiate an unencrypted tunnel; `use-encryption=required` is the safer
# setting.
add local-address=192.168.20.219 name="VPN profil" remote-address=\
    "VPN adrese" use-encryption=no
/interface bridge port
# NOTE(review): DMZ (public /28) and ether5 (management /24) are ports of the same
# bridge as the LAN, so all three share one L2 domain; the "DMZ" is not isolated
# from 192.168.20.0/24 at layer 2 -- confirm this is intended.
add bridge=bridge-local interface=DMZ
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridgeWLAN interface=wlan1
# NOTE(review): port entry without an interface; presumably lost in the export.
add bridge=bridgeWLANGuest
/interface pptp-server server
# NOTE(review): pap, chap and mschap1 are accepted; restricting to
# `authentication=mschap2` removes the plaintext/weak options. default-profile
# "VPN profile" does not match the profile defined above ("VPN profil").
set authentication=pap,chap,mschap1,mschap2 default-profile="VPN profile" \
    enabled=yes
/ip address
add address=192.168.20.1/24 comment=LAN interface=bridge-local network=\
    192.168.20.0
add address=192.168.66.1/24 comment="Management address" interface=ether5 \
    network=192.168.66.0
add address=a.b.c.x/30 comment="WAN2 - fiber" interface=WAN2 network=\
    a.b.c.d
add address=z.q.x.y/28 comment="DMZ addresses" interface=DMZ network=\
    z.q.x.x
add address=192.168.23.1/24 comment="Wifi LAN" interface=wlan1 \
    network=192.168.23.0
add address=10.5.50.1/24 comment="hotspot network" interface=wlan2 network=\
    10.5.50.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=WAN1
/ip dhcp-server network
add address=10.5.50.0/24 comment="hotspot network" gateway=10.5.50.1
add address=192.168.22.0/24 comment="Guest WLAN pool" dns-server=\
    192.168.22.1 gateway=192.168.22.1
add address=192.168.23.0/24 comment="WLAN pool" dns-server=192.168.23.1 \
    gateway=192.168.23.1
add address=192.168.20.0/24 comment="LAN pool" dns-server=192.168.20.1 \
    gateway=192.168.20.1
/ip dns
# NOTE(review): remote requests are allowed; the router is only kept from being an
# open resolver by the final input drops on WAN1/WAN2 below, so keep those last.
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
# NOTE(review): these first three accepts are the only way in from WAN; everything
# else arriving on WAN1/WAN2 is dropped by the two drop rules further down.
add chain=input in-interface=WAN2 protocol=gre
add chain=input dst-address=a.b.x.x dst-port=1723 in-interface=WAN2 \
    protocol=tcp
# NOTE(review): Winbox (8291) is accepted from any interface and any source address;
# consider limiting it to a src-address-list of management hosts. As written,
# dst-address a.b.x.x matches neither the WAN2 /30 nor the DMZ /28 above -- may be
# anonymisation, verify.
add chain=input dst-address=a.b.x.x dst-port=8291 protocol=tcp
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=drop chain=forward comment="SPAM port" dst-port=25 out-interface=\
    WAN1 protocol=tcp
add action=drop chain=forward dst-port=25 out-interface=WAN2 protocol=tcp
# NOTE(review): this only protects the router itself (input). There is no forward
# drop for hotspot clients, and the forward chain has no final drop, so 10.5.50.0/24
# can reach 192.168.20.0/24, 192.168.23.0/24 and 192.168.66.0/24. A forward drop
# from 10.5.50.0/24 to those subnets would close that.
add action=drop chain=input dst-address=192.168.20.0/24 src-address=\
    10.5.50.0/24
# NOTE(review): never matches, because the mangle rule that should set WLANGuest
# requires the mark to exist already (see /ip firewall mangle).
add action=drop chain=forward dst-address=192.168.23.0/24 routing-mark=\
    WLANGuest
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="Traffic outside to input" in-interface=WAN1
add action=drop chain=input in-interface=WAN2
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
# NOTE(review): no drop follows for new forward connections, so anything not matched
# above is accepted (including new connections from either WAN toward the /28).
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
/ip firewall mangle
# NOTE(review): both marks are set in prerouting, i.e. for forwarded traffic only.
# Replies the router itself sends (output chain) to a connection that arrived on
# WAN2 follow the main table, whose active default route presumably comes from the
# WAN1 DHCP client, so they leave via WAN1 -- consistent with Winbox working only
# once WAN1 is removed. Typical fix: `add chain=input in-interface=WAN2
# action=mark-connection new-connection-mark=from-wan2 passthrough=yes` and
# `add chain=output connection-mark=from-wan2 action=mark-routing
# new-routing-mark="DMZ addresses"` (that mark already routes via WAN2 below).
add action=mark-routing chain=prerouting new-routing-mark="mail server" \
    passthrough=no src-address=192.168.20.215
add action=mark-routing chain=prerouting new-routing-mark="DMZ addresses" \
    passthrough=no src-address=z.q.x.x/28
# NOTE(review): self-referential: it matches routing-mark=WLANGuest in order to set
# WLANGuest, so it never fires on unmarked packets.
add action=mark-routing chain=prerouting new-routing-mark=WLANGuest \
    passthrough=no routing-mark=WLANGuest src-address=10.5.50.0/24
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=WAN1 src-address=192.168.20.0/24
add action=masquerade chain=srcnat out-interface=WAN2 src-address=\
    192.168.20.0/24
add action=masquerade chain=srcnat out-interface=WAN1 src-address=\
    192.168.23.0/24
add action=masquerade chain=srcnat out-interface=WAN2 src-address=\
    192.168.23.0/24
add action=masquerade chain=srcnat out-interface=WAN1 src-address=\
    192.168.22.0/24
add action=masquerade chain=srcnat out-interface=WAN2 src-address=\
    192.168.22.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.5.50.0/24
/ip hotspot user
add name=admin password=*
add name=guest password=*
/ip ipsec policy
add template=yes
/ip route
# NOTE(review): the WAN2 default route has distance=2, so it is only a backup behind
# the DHCP-learned WAN1 route (presumably distance 1). The gateway is written as
# a.b.c.x, the same placeholder as the router's own WAN2 address -- anonymisation,
# verify.
add distance=1 gateway=a.b.c.x routing-mark="mail server"
add distance=1 gateway=a.b.c.x routing-mark="DMZ addresses"
add distance=2 gateway=a.b.c.x
/ip upnp
set allow-disable-external-interface=no
/ppp secret
# NOTE(review): profile "VPN profile" -- see the name mismatch noted at /ppp profile.
add name=ssssssssss password=xxxxxx profile="VPN profile" service=pptp
/radius
add address=10.5.50.1 secret=* service=hotspot
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Belgrade
/system ntp client
set enabled=yes primary-ntp=134.130.4.17 secondary-ntp=134.130.5.17
/tool mac-server
# NOTE(review): MAC-telnet and MAC-Winbox are enabled on WAN2 and on DMZ, i.e. on
# the provider-facing segment; layer-2 management should stay on internal
# interfaces only. Consider removing the WAN2 and DMZ entries in both lists.
set [ find default=yes ] disabled=yes
add interface=WAN2
add interface=DMZ
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=WAN2
add interface=DMZ
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local