alfedo
just joined
Topic Author
Posts: 5
Joined: Wed Oct 23, 2013 10:20 am

VPN L2TP+IPsec and Remote users

Wed Oct 23, 2013 10:42 am

Hello dears.

I have one problem. I'm using an RB750GL and 2 WAN connections. I have also configured an L2TP VPN server with IPsec. PCC is working fine, but the main problem is with VPN users.
When a user is connected to the VPN, he can't see any local resources, can't connect to the local web server, and can't use remote desktop.

The configuration is as follows:
[admin@Mikrotik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; Allow Ping
     chain=input action=accept protocol=icmp 
 1   chain=forward action=accept protocol=icmp 
 2   ;;; Allow Remote Desktop from VPN clients
     chain=forward action=accept protocol=tcp out-interface=LAN 
 3   ;;; Accept established connections
     chain=input action=accept connection-state=established 
 4   chain=forward action=accept connection-state=established 
 5   ;;; Accept related connections
     chain=input action=accept connection-state=related 
 6   chain=forward action=accept connection-state=related 
 7   ;;; Allow UDP
     chain=input action=accept protocol=udp 
 8   chain=forward action=accept protocol=udp 
 9   ;;; Access to Internet from local network
     chain=forward action=accept src-address=192.168.1.0/24 in-interface=LAN 
10   ;;; Access to Mikrotik only from our local network
     chain=input action=accept src-address=192.168.1.0/24 
11   ;;; Drop invalid connections
     chain=input action=drop connection-state=invalid 
12   chain=forward action=drop connection-state=invalid 
13   ;;; All other drop
     chain=input action=drop 
14   chain=forward action=drop 
[admin@Mikrotik] > ip firewall nat print   
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=srcnat action=masquerade out-interface=ISP1 
 1   chain=srcnat action=masquerade out-interface=ISP2 
[admin@Mikrotik] > ip firewall mangle  print   
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=prerouting action=accept dst-address=149.255.118.210/24 in-interface=LAN 
 1   chain=prerouting action=accept dst-address=137.43.101.210/24 in-interface=LAN 
 2   chain=prerouting action=mark-connection new-connection-mark=ISP1_conn passthrough=yes in-interface=ISP1 connection-mark=no-mark 
 3   chain=prerouting action=mark-connection new-connection-mark=ISP2_conn passthrough=yes in-interface=ISP2 connection-mark=no-mark 
 4   chain=prerouting action=mark-connection new-connection-mark=ISP1_conn passthrough=yes dst-address-type=!local in-interface=LAN 
     connection-mark=no-mark per-connection-classifier=both-addresses:2/0 
 5   chain=prerouting action=mark-connection new-connection-mark=ISP2_conn passthrough=yes dst-address-type=!local in-interface=LAN 
     connection-mark=no-mark per-connection-classifier=both-addresses:2/1 
 6   chain=prerouting action=mark-routing new-routing-mark=to_ISP1 passthrough=yes in-interface=LAN connection-mark=ISP1_conn 
 7   chain=prerouting action=mark-routing new-routing-mark=to_ISP2 passthrough=yes in-interface=LAN connection-mark=ISP2_conn 
 8   chain=output action=mark-routing new-routing-mark=to_ISP1 passthrough=yes connection-mark=ISP1_conn 
 9   chain=output action=mark-routing new-routing-mark=to_ISP2 passthrough=yes connection-mark=ISP2_conn 
[admin@Mikrotik] > interface bridge print
Flags: X - disabled, R - running 
 0  R name="LAN" mtu=1500 l2mtu=1598 arp=proxy-arp mac-address=D4:CA:6D:4D:E0:25 protocol-mode=none priority=0x8000 auto-mac=yes 
      admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s transmit-hold-count=6 ageing-time=5m 
[admin@Mikrotik] > ppp profile print
Flags: * - default 
 0 * name="default" use-mpls=default use-compression=default use-vj-compression=default use-encryption=default only-one=default change-tcp-mss=yes 
     address-list="" 
 1   name="vpn-l2tp" local-address=192.168.1.1 remote-address=vpn_pool bridge=LAN use-mpls=default use-compression=default 
     use-vj-compression=default use-encryption=default only-one=yes change-tcp-mss=yes address-list="" dns-server=192.168.1.1 
     wins-server=192.168.1.5 
 2 * name="default-encryption" use-mpls=default use-compression=default use-vj-compression=default use-encryption=yes only-one=default 
     change-tcp-mss=yes address-list="" 
Thanks in advance for help.
 
alfedo
just joined
Topic Author
Posts: 5
Joined: Wed Oct 23, 2013 10:20 am

Re: VPN L2TP+IPsec and Remote users

Thu Oct 24, 2013 10:18 pm

No suggestions? :(
 
tokie
newbie
Posts: 25
Joined: Mon Feb 09, 2009 4:45 pm

Re: VPN L2TP+IPsec and Remote users

Mon Nov 18, 2013 12:02 pm

Same problem!!
PCC configuration is OK, and IPsec connects but doesn't work (even a simple ping to a PC within the LAN doesn't get an answer)!!

Can somebody help us??
