Hi,
As I can see, your configuration is as follows:
ether1 - WAN
ether2-5 - LAN with ether2 as master port
Your LAN address range is 10.160.100.0/24
- DHCP server pool: 10.160.100.2-120
- ether2 ip address is 10.160.100.1
- you have pptp-server/l2tp-server both enabled
I skip over the filter rules (some of which you should refine); just an observation regarding the NAT rules:
The first NAT rule
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
will also masquerade the VPN pool, and from this point of view I think you should disable the last rule:
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
Also, the VPN pool is defined wrong!
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255
You defined the address range 192.168.89.0/24, where 192.168.89.255 is the broadcast address for that network range.
It should be
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.254
Go to IP -> POOL -> click on the "vpn" pool and make the correct change.
From the left menu select the IP option, then POOL below it. On the right, in the "Pools" tab click on the "vpn" name.
- in the Addresses field type the correct range: 192.168.89.2-192.168.89.254;
- hit the OK button at the top.
Now, back to VPN.
/ppp profile
- in the first profile you have local-address=192.168.89.1, but there is no interface/bridge with that IP defined.
- the second profile has bridge=bridge1 defined, but bridge1 has no ports attached to it.
I guess it remained like that after you tested different VPN variants.
So, in my opinion, try the following:
1. I see you have already defined a bridge (bridge1); assign it the port ether2-master and make sure that the bridge1 ARP option is "proxy-arp".
New terminal
/interface bridge port
add bridge=bridge1 interface=ether2-master
/interface bridge set bridge1 arp=proxy-arp
WebFig
From the left menu select the BRIDGE option.
1. Then, on the right, click on the "Ports" tab.
- click on the "Add new" button;
- interface: select "ether2-master" from the drop-down list;
- bridge: I presume that "bridge1" is already selected;
- hit the "OK" button.
2. Click, on the right, on the "bridge1" name
- scroll down and next to the "ARP" option select from the drop-down list: proxy-arp;
- hit the "OK" button at the top.
2. Make bridge1 the default gateway for the VPN pool 192.168.89.2-25, assigning it the IP address 192.168.89.1
New terminal
/ip address
add address=192.168.89.1/24 interface=bridge1 network=192.168.89.0
WebFig
From the left menu select the IP option, then Addresses. Click on "Add new":
- address field, type: 192.168.89.1/24 ;
- network (click on the arrow): 255.255.255.0 ;
- interface: select BRIDGE1 ;
- hit the OK button at the top.
3. Let's define a new PPP profile to be used in the PPTP/L2TP Server; it should look like this:
New terminal
/ppp profile
add bridge=bridge1 change-tcp-mss=yes dns-server=8.8.8.8 local-address=192.168.89.1 \
name="Default VPN" only-one=no remote-address=vpn use-encryption=yes use-compression=no use-mpls=no
WebFig
From the left menu select the PPP option; click, on the right, on the "Profiles" tab.
- click on the "Add new" button; fill in the following:
- Name: Default VPN ;
- Local address: 192.168.89.1 ;
- Remote address: vpn ;
- Bridge: bridge1 ;
- DNS Server: 8.8.8.8 ;
- Change TCP MSS: yes ;
- Use Encryption: required ;
- Only One: no ;
- hit the OK button at the top.
4. Also, you have to go to the PPTP/L2TP Server and set the default profile to the newly created one.
New terminal
/interface pptp-server server set default-profile="Default VPN"
/interface l2tp-server server set default-profile="Default VPN"
WebFig
From the left menu select the PPP option; click on the "PPTP Server" button;
- Default profile: select the "Default VPN" profile from the drop-down list;
- Authentication: check only mschap2 and mschap1 ;
- hit the OK button at the top.
Do the same for the L2TP Server.
5. In the Secrets option, where you defined the usernames/passwords for VPN, you should also change the Profile to "Default VPN".
New terminal
/ppp secret set [find] profile="Default VPN"
or for a specific user (e.g. test-user)
/ppp secret set test-user profile="Default VPN"
WebFig
From the left menu select the PPP option; click on the Secrets tab.
- click on the username(s) already defined;
- Profile: select "Default VPN" from the drop-down list;
- hit the OK button at the top.
6. Define a rule in the firewall to accept pings from VPN (move it before any drop rules)
New terminal
/ip firewall filter
add action=accept chain=input comment="Accept ping from VPN" in-interface=all-ppp log=yes log-prefix=VPN-ping protocol=icmp
WebFig
From the left menu click on the IP option, then on Firewall, below.
- in the "Filter Rules" tab click on the "Add new" button; fill in the following:
- Chain: input ;
- Protocol: click on the arrow and select "ICMP" from the drop-down list;
- In interface: click on the arrow and select "all ppp" from the drop-down list;
scroll down until you find:
- Action: select "Accept" from the drop-down list;
- Log: check it ;
- Log prefix: click on the arrow and type: VPN-ping;
- Comment (last field): Accept ping from VPN.
Now you are ready to try again. After you have connected via VPN you should be able to:
- have internet through your MikroTik device;
- ping and access any device from the 10.160.100.0/24 network range.
Hope it helps.
Kind regards,
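As an added example (not part of the post above, and not a RouterOS tool), a small Python check for the pool mistake discussed in the reply: it validates a "/ip pool ranges=" value against the subnet assigned to the bridge and the PPP profile's local-address, flagging a range that hands out the network or broadcast address, the gateway, or addresses outside the subnet. The function names and the sample inputs are my own; the network values are the ones from the thread.

```python
import ipaddress


def parse_ranges(ranges: str):
    """Parse a RouterOS-style '/ip pool ranges=' value.

    Accepts a comma-separated list of 'start-end' ranges or single
    addresses (full dotted-quad form only). Returns (start, end) pairs.
    """
    parsed = []
    for chunk in ranges.split(","):
        lo_s, _, hi_s = chunk.strip().partition("-")
        lo = ipaddress.ip_address(lo_s)
        hi = ipaddress.ip_address(hi_s) if hi_s else lo
        if hi < lo:
            raise ValueError(f"range end {hi} is before start {lo}")
        parsed.append((lo, hi))
    return parsed


def check_pool(ranges: str, network: str, gateway: str) -> list:
    """Return a list of problems with a pool (empty list means it is usable).

    network is the subnet the pool leases from (the one on the bridge) and
    gateway is the PPP profile's local-address.
    """
    net = ipaddress.ip_network(network, strict=True)
    gw = ipaddress.ip_address(gateway)
    problems = []
    if gw not in net:
        problems.append(f"gateway {gw} is outside {net}")
    for lo, hi in parse_ranges(ranges):
        label = f"range {lo}-{hi}"
        if lo not in net or hi not in net:
            problems.append(f"{label} is not fully inside {net}")
            continue
        # Addresses that must never be leased to a VPN client.
        for name, bad in (("network address", net.network_address),
                          ("broadcast address", net.broadcast_address),
                          ("gateway", gw)):
            if int(lo) <= int(bad) <= int(hi):
                problems.append(f"{label} includes the {name} {bad}")
    return problems


if __name__ == "__main__":
    # Constructed input: the pool from the thread before and after the fix.
    for r in ("192.168.89.2-192.168.89.255", "192.168.89.2-192.168.89.254"):
        print(r, "->", check_pool(r, "192.168.89.0/24", "192.168.89.1") or "OK")
```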