I have a CCR1036-12G-4S. I use 3 subnets on it. These are:
172.19.0.0/22 - used for my network antennas and some of my office PCs.
192.168.96.0/19 - used for my PPPoE and hotspot users.
192.168.10.0/24 - used for my PPTP users.
MikroTik RouterBoard IP is: 172.19.0.1
The office PC that I use in order to check my network has the following network setup:
ip: 172.19.0.5
subnet: 255.255.252.0
default gateway: 172.19.0.1
DNS: 172.19.0.1
My PC is connected on ether10. On ether11 and ether12 are connected the main AP (Ubiquiti) antennas of my wireless network.
On ether1 is connected one VDSL modem with IP 192.168.1.1, and on ether2 is connected one VDSL modem with IP 192.168.2.1.
My issues:
1. From my PC with IP 172.19.0.5, I am able to connect to any interface of my antennas on the 172.19.0.0/22 and 192.168.96.0/19 subnets, but I cannot connect to my VDSL modems' interfaces with IPs 192.168.1.1 & 192.168.2.1. Below are the tracert results from my PC to these IPs:

C:\Users\mypc>tracert -d 192.168.1.1
Tracing route to 192.168.1.1 over a maximum of 30 hops
1 <1 ms <1 ms <1 ms 172.19.0.1
2 * * * Request timed out.
3 * * * Request timed out.
4 * * * Request timed out.
5 ^C
C:\Users\mypc>

2. When I use PPTP to connect to my router from my home PC, I'm able to connect to any interface of my antennas on the 192.168.96.0/19 subnet, but I'm not able to connect to my antennas on the 172.19.0.0/22 subnet and, of course, I'm not able to connect to my VDSL modems' interfaces.
3. I have DMA as RADIUS software installed on an external server. My problem is that I can connect to my server with a PPTP connection either by using PPP secrets or with accounts created on RADIUS, which I would like to use only for PPPoE connections and not for both PPPoE and PPTP. I think that this is a serious security issue.
Any solution for my issues above will be appreciated. Below is my configuration (excuse me for the long post):
Firewall Filter Configuration:
[admin@MikroTik] /ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=input action=accept protocol=gre
1 chain=input action=accept protocol=tcp dst-port=1723
2 chain=input action=add-src-to-address-list protocol=tcp address-list=knock address-list-timeout=15s dst-port=1337
3 chain=input action=add-src-to-address-list protocol=tcp src-address-list=knock address-list=safe address-list-timeout=15m dst-port=7331
4 ;;; accept established connection packets
chain=input action=accept connection-state=established
5 ;;; accept related connection packets
chain=input action=accept connection-state=related
6 X ;;; drop invalid packets
chain=input action=drop connection-state=invalid
7 X ;;; Allow access to router from known network
chain=input action=accept src-address-list=safe
8 X ;;; detect and drop port scan connections
chain=input action=drop protocol=tcp psd=21,3s,3,1
9 X ;;; suppress DoS attack
chain=input action=tarpit protocol=tcp src-address-list=black_list connection-limit=3,32
10 X ;;; detect DoS attack
chain=input action=add-src-to-address-list protocol=tcp address-list=black_list address-list-timeout=1d connection-limit=10,32
11 X ;;; jump to chain ICMP
chain=input action=jump jump-target=ICMP protocol=icmp
12 X ;;; jump to chain services
chain=input action=jump jump-target=services
13 X ;;; Allow Broadcast Traffic
chain=input action=accept dst-address-type=broadcast
14 X ;;; drop everything else
chain=input action=drop
15 X ;;; 0:0 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=0:0-255 limit=5,5
16 X ;;; 3:3 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=3:3 limit=5,5
17 X ;;; 3:4 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=3:4 limit=5,5
18 X ;;; 8:0 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=8:0-255 limit=5,5
19 X ;;; 11:0 and limit for 5pac/s
chain=ICMP action=accept protocol=icmp icmp-options=11:0-255 limit=5,5
20 X ;;; Drop everything else
chain=ICMP action=drop protocol=icmp
21 X ;;; accept localhost
chain=services action=accept src-address=127.0.0.1 dst-address=127.0.0.1
22 ;;; allow MACwinbox
chain=services action=accept protocol=udp dst-port=20561
23 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
24 ;;; Bandwidth server
chain=services action=accept protocol=tcp dst-port=2000
25 ;;; MT Discovery Protocol
chain=services action=accept protocol=udp dst-port=5678
26 ;;; allow SNMP
chain=services action=accept protocol=tcp dst-port=161
27 ;;; Allow BGP
chain=services action=accept protocol=tcp dst-port=179
28 ;;; allow BGP
chain=services action=accept protocol=udp dst-port=5000-5100
29 ;;; Allow NTP
chain=services action=accept protocol=udp dst-port=123
30 ;;; Allow PPTP
chain=services action=accept protocol=tcp dst-port=1723
31 ;;; allow PPTP and EoIP
chain=services action=accept protocol=gre
32 ;;; allow DNS request
chain=services action=accept protocol=tcp dst-port=53
33 ;;; Allow DNS request
chain=services action=accept protocol=udp dst-port=53
34 ;;; UPnP
chain=services action=accept protocol=udp dst-port=1900
35 ;;; UPnP
chain=services action=accept protocol=tcp dst-port=2828
36 ;;; allow DHCP
chain=services action=accept protocol=udp dst-port=67-68
37 ;;; allow Web Proxy
chain=services action=accept protocol=tcp dst-port=8080
38 ;;; allow IPIP
chain=services action=accept protocol=ipencap
39 ;;; allow https for Hotspot
chain=services action=accept protocol=tcp dst-port=443
40 ;;; allow Socks for Hotspot
chain=services action=accept protocol=tcp dst-port=1080
41 ;;; allow IPSec connections
chain=services action=accept protocol=udp dst-port=500
42 ;;; allow IPSec
chain=services action=accept protocol=ipsec-esp
43 ;;; allow IPSec
chain=services action=accept protocol=ipsec-ah
44 ;;; allow RIP
chain=services action=accept protocol=udp dst-port=520-521
45 ;;; allow OSPF
chain=services action=accept protocol=ospf
46 chain=services action=return
47 ;;; Port scanners to list
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=port scanners address-list-timeout=2w
48 ;;; NMAP FIN Stealth scan
chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=port scanners address-list-timeout=2w
49 ;;; SYN/FIN scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list=port scanners address-list-timeout=2w
50 ;;; SYN/RST scan
chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list=port scanners address-list-timeout=2w
51 ;;; FIN/PSH/URG scan
chain=input action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp address-list=port scanners address-list-timeout=2w
52 ;;; ALL/ALL scan
chain=input action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=port scanners address-list-timeout=2w
53 ;;; NMAP NULL scan
chain=input action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=port scanners address-list-timeout=2w
54 X ;;; dropping port scanners
chain=input action=drop src-address-list=port scanners
55 X chain=forward action=drop src-address=172.19.0.0/22 layer7-protocol=BLOCKEDSITES
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=192.168.10.0/24
1 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough to-addresses=0.0.0.0
2 chain=srcnat action=masquerade out-interface=pppoe-wan1
3 chain=srcnat action=masquerade out-interface=pppoe-wan2
4 I chain=srcnat action=masquerade out-interface=pppoe-wan3
5 I chain=srcnat action=masquerade out-interface=pppoe-wan4
6 I chain=srcnat action=masquerade out-interface=pppoe-wan5
7 I chain=srcnat action=masquerade out-interface=pppoe-wan6
8 I chain=srcnat action=masquerade out-interface=pppoe-wan7
9 I chain=srcnat action=masquerade out-interface=pppoe-wan8
10 I chain=srcnat action=masquerade out-interface=pppoe-wan9
11 I chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=pppoe-wan10
[admin@MikroTik] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 X chain=prerouting action=accept src-address=192.168.10.0/24 dst-address=172.19.0.0/22 in-interface=pptp-in1
1 chain=prerouting action=accept src-address=172.19.0.0/22 dst-address=192.168.96.0/19 in-interface=br_hs
2 chain=prerouting action=accept dst-address=192.168.1.0/24 in-interface=br_hs
3 chain=prerouting action=accept dst-address=192.168.2.0/24 in-interface=br_hs
4 X chain=prerouting action=accept dst-address=192.168.3.0/24 in-interface=br_hs
5 X chain=prerouting action=accept dst-address=192.168.4.0/24 in-interface=br_hs
6 X chain=prerouting action=accept dst-address=192.168.5.0/24 in-interface=br_hs
7 X chain=prerouting action=accept dst-address=192.168.6.0/24 in-interface=br_hs
8 X chain=prerouting action=accept dst-address=192.168.7.0/24 in-interface=br_hs
9 X chain=prerouting action=accept dst-address=192.168.8.0/24 in-interface=br_hs
10 X chain=prerouting action=accept dst-address=192.168.9.0/24 in-interface=br_hs
11 X chain=prerouting action=accept dst-address=192.168.10.0/24 in-interface=br_hs
12 chain=prerouting action=mark-connection new-connection-mark=wan1_conn passthrough=yes in-interface=pppoe-wan1 connection-mark=no-mark
13 chain=prerouting action=mark-connection new-connection-mark=wan2_conn passthrough=yes in-interface=pppoe-wan2 connection-mark=no-mark
14 X chain=prerouting action=mark-connection new-connection-mark=wan3_conn passthrough=yes in-interface=pppoe-wan3 connection-mark=no-mark
15 X chain=prerouting action=mark-connection new-connection-mark=wan4_conn passthrough=yes in-interface=pppoe-wan4 connection-mark=no-mark
16 X chain=prerouting action=mark-connection new-connection-mark=wan5_conn passthrough=yes in-interface=pppoe-wan5 connection-mark=no-mark
17 X chain=prerouting action=mark-connection new-connection-mark=wan6_conn passthrough=yes in-interface=pppoe-wan6 connection-mark=no-mark
18 X chain=prerouting action=mark-connection new-connection-mark=wan7_conn passthrough=yes in-interface=pppoe-wan7 connection-mark=no-mark
19 X chain=prerouting action=mark-connection new-connection-mark=wan8_conn passthrough=yes in-interface=pppoe-wan8 connection-mark=no-mark
20 X chain=prerouting action=mark-connection new-connection-mark=wan9_conn passthrough=yes in-interface=pppoe-wan9 connection-mark=no-mark
21 X chain=prerouting action=mark-connection new-connection-mark=wan10_conn passthrough=yes in-interface=pppoe-wan10 connection-mark=no-mark
22 chain=prerouting action=mark-connection new-connection-mark=wan1_conn passthrough=yes dst-address-type=!local hotspot=auth in-interface=br_hs connection-mark=no-mark per-connection-classifier=dst-address-and-port:2/0
23 chain=prerouting action=mark-connection new-connection-mark=wan1_conn passthrough=yes dst-address-type=!local src-address-list=bypass hotspot="" in-interface=br_hs connection-mark=no-mark per-connection-classifier=dst-address-and-port:2/0
24 chain=prerouting action=mark-connection new-connection-mark=wan2_conn passthrough=yes dst-address-type=!local hotspot=auth in-interface=br_hs connection-mark=no-mark per-connection-classifier=dst-address-and-port:2/1
25 chain=prerouting action=mark-connection new-connection-mark=wan2_conn passthrough=yes dst-address-type=!local src-address-list=bypass hotspot="" in-interface=br_hs connection-mark=no-mark per-connection-classifier=dst-address-and-port:2/1
26 X chain=prerouting action=mark-connection new-connection-mark=wan3_conn passthrough=yes dst-address-type=!local hotspot=auth in-interface=br_hs connection-mark=no-mark per-connection-classifier=both-addresses:10/2
27 X chain=prerouting action=mark-connection new-connection-mark=wan4_conn passthrough=yes dst-address-type=!local hotspot=auth in-interface=br_hs connection-mark=no-mark per-connection-classifier=both-addresses:10/3
28 X chain=prerouting action=mark-connection new-connection-mark=wan5_conn passthrough=yes dst-address-type=!local hotspot=auth in-interface=br_hs connection-mark=no-mark per-connection-classifier=both-addresses:10/4
29 X chain=prerouting action=mark-connection new-connection-mark=wan6_conn passthrough=yes dst-address-type=!local hotspot=auth in-interface=br_hs connection-mark=no-mark per-connection-classifier=both-addresses:10/5
30 X chain=prerouting action=mark-connection new-connection-mark=wan7_conn passthrough=yes dst-address-type=!local hotspot=auth in-interface=br_hs connection-mark=no-mark per-connection-classifier=both-addresses:10/6
31 X chain=prerouting action=mark-connection new-connection-mark=wan8_conn passthrough=yes dst-address-type=!local hotspot=auth in-interface=br_hs connection-mark=no-mark per-connection-classifier=both-addresses:10/7
32 X chain=prerouting action=mark-connection new-connection-mark=wan9_conn passthrough=yes dst-address-type=!local hotspot=auth in-interface=br_hs connection-mark=no-mark per-connection-classifier=both-addresses:10/8
33 X chain=prerouting action=mark-connection new-connection-mark=wan10_conn passthrough=yes dst-address-type=!local hotspot=auth in-interface=br_hs connection-mark=no-mark per-connection-classifier=both-addresses:10/9
34 chain=prerouting action=mark-routing new-routing-mark=to_wan1 passthrough=yes in-interface=br_hs connection-mark=wan1_conn
35 chain=prerouting action=mark-routing new-routing-mark=to_wan2 passthrough=yes in-interface=br_hs connection-mark=wan2_conn
36 X chain=prerouting action=mark-routing new-routing-mark=to_wan3 passthrough=yes in-interface=br_hs connection-mark=wan3_conn
37 X chain=prerouting action=mark-routing new-routing-mark=to_wan4 passthrough=yes in-interface=br_hs connection-mark=wan4_conn
38 X chain=prerouting action=mark-routing new-routing-mark=to_wan5 passthrough=yes in-interface=br_hs connection-mark=wan5_conn
39 X chain=prerouting action=mark-routing new-routing-mark=to_wan6 passthrough=yes in-interface=br_hs connection-mark=wan6_conn
40 X chain=prerouting action=mark-routing new-routing-mark=to_wan7 passthrough=yes in-interface=br_hs connection-mark=wan7_conn
41 X chain=prerouting action=mark-routing new-routing-mark=to_wan8 passthrough=yes in-interface=br_hs connection-mark=wan8_conn
42 X chain=prerouting action=mark-routing new-routing-mark=to_wan9 passthrough=yes in-interface=br_hs connection-mark=wan9_conn
43 X chain=prerouting action=mark-routing new-routing-mark=to_wan10 passthrough=yes in-interface=br_hs connection-mark=wan10_conn
44 chain=output action=mark-routing new-routing-mark=to_wan1 passthrough=yes connection-mark=wan1_conn
45 chain=output action=mark-routing new-routing-mark=to_wan2 passthrough=yes connection-mark=wan2_conn
46 X chain=output action=mark-routing new-routing-mark=to_wan3 passthrough=yes connection-mark=wan3_conn
47 X chain=output action=mark-routing new-routing-mark=to_wan4 passthrough=yes connection-mark=wan4_conn
48 X chain=output action=mark-routing new-routing-mark=to_wan5 passthrough=yes connection-mark=wan5_conn
49 X chain=output action=mark-routing new-routing-mark=to_wan6 passthrough=yes connection-mark=wan6_conn
50 X chain=output action=mark-routing new-routing-mark=to_wan7 passthrough=yes connection-mark=wan7_conn
51 X chain=output action=mark-routing new-routing-mark=to_wan8 passthrough=yes connection-mark=wan8_conn
52 X chain=output action=mark-routing new-routing-mark=to_wan9 passthrough=yes connection-mark=wan9_conn
53 X chain=output action=mark-routing new-routing-mark=to_wan10 passthrough=yes connection-mark=wan10_conn
[admin@MikroTik] > ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 pppoe-wan1 1
1 A S 0.0.0.0/0 pppoe-wan2 1
2 S 0.0.0.0/0 pppoe-wan3 1
3 S 0.0.0.0/0 pppoe-wan4 1
4 S 0.0.0.0/0 pppoe-wan5 1
5 S 0.0.0.0/0 pppoe-wan6 1
6 S 0.0.0.0/0 pppoe-wan7 1
7 S 0.0.0.0/0 pppoe-wan8 1
8 S 0.0.0.0/0 pppoe-wan9 1
9 S 0.0.0.0/0 pppoe-wan10 1
10 A S 0.0.0.0/0 pppoe-wan1 1
11 S 0.0.0.0/0 pppoe-wan2 2
12 S 0.0.0.0/0 pppoe-wan3 3
13 S 0.0.0.0/0 pppoe-wan4 4
14 S 0.0.0.0/0 pppoe-wan5 5
15 S 0.0.0.0/0 pppoe-wan6 6
16 S 0.0.0.0/0 pppoe-wan7 7
17 S 0.0.0.0/0 pppoe-wan8 8
18 S 0.0.0.0/0 pppoe-wan9 9
19 S 0.0.0.0/0 pppoe-wan10 10
20 ADC 80.106.108.42/32 94.64.223.131 pppoe-wan2 0
pppoe-wan1
21 ADC 172.19.0.0/22 172.19.0.1 br_hs 0
22 ADC 192.168.1.0/24 192.168.1.254 ether1-wan1 0
23 ADC 192.168.2.0/24 192.168.2.254 ether2-wan2 0
24 ADC 192.168.10.1/32 192.168.10.0 <pptp-user10> 0
25 A S 192.168.90.0/24 192.168.90.1 1
26 ADC 192.168.90.1/32 192.168.90.200 radius 0
27 ADC 192.168.96.0/19 192.168.96.1 br_hs 0
28 ADC 192.168.96.26/32 172.19.0.1 <pppoe-user1... 0
29 ADC 192.168.96.27/32 172.19.0.1 <pppoe-user2... 0
30 ADC 192.168.96.28/32 172.19.0.1 <pppoe-user3... 0
31 ADC 192.168.96.29/32 172.19.0.1 <pppoe-user4... 0
32 ADC 192.168.96.30/32 172.19.0.1 <pppoe-user5... 0
[admin@MikroTik] > ip pool print
# NAME RANGES
0 dhcp_pool1 192.168.96.2-192.168.127.254
1 vpn-pool1 192.168.10.0/24
[admin@MikroTik] /ppp> export
# jan/22/2014 23:23:14 by RouterOS 6.2
# software id = 36J8-TKAS
#
/ppp profile
set 0 dns-server=172.19.0.1 local-address=172.19.0.1 remote-address=dhcp_pool1 use-encryption=no
add dns-server=8.8.8.8,8.8.4.4 local-address=vpn-pool1 name=vpn-profile only-one=yes remote-address=vpn-pool1 use-compression=yes use-encryption=yes
/ppp aaa
set use-radius=yes
/ppp secret
add local-address=10.0.0.1 name=**** password=**** profile=default-encryption remote-address=10.0.0.2 service=l2tp
add name=**** password=**** profile=vpn-profile service=pptp
[admin@MikroTik] /interface> print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU MAX-L2MTU MAC-ADDRESS
0 R ether1-wan1 ether 1500 1590 10226 D4:CA:6D:88:F1:34
1 R ether2-wan2 ether 1500 1590 10226 D4:CA:6D:88:F1:35
2 X ether3-wan3 ether 1500 1590 10226 D4:CA:6D:88:F1:36
3 X ether4-wan4 ether 1500 1590 10226 D4:CA:6D:88:F1:37
4 X ether5-wan5 ether 1500 1590 10226 D4:CA:6D:88:F1:38
5 X ether6-wan6 ether 1500 1590 10226 D4:CA:6D:88:F1:39
6 X ether7-wan7 ether 1500 1590 10226 D4:CA:6D:88:F1:3A
7 X ether8-wan8 ether 1500 1590 10226 D4:CA:6D:88:F1:3B
8 X ether9-wan9 ether 1500 1590 10226 D4:CA:6D:88:F1:3C
9 RS ether10-wan10 ether 1500 1590 10226 D4:CA:6D:88:F1:3D
10 RS ether11 ether 1500 1590 10226 D4:CA:6D:88:F1:3E
11 RS ether12 ether 1500 1590 10226 D4:CA:6D:88:F1:3F
12 X sfp1 ether 1500 1590 10226 D4:CA:6D:88:F1:30
13 X sfp2 ether 1500 1590 10226 D4:CA:6D:88:F1:31
14 X sfp3 ether 1500 1590 10226 D4:CA:6D:88:F1:32
15 X sfp4 ether 1500 1590 10226 D4:CA:6D:88:F1:33
16 DR <pppoe-user1001> pppoe-in 1480
17 DR <pppoe-user1002> pppoe-in 1480
18 DR <pppoe-user1003> pppoe-in 1480
19 DR <pppoe-user1005> pppoe-in 1480
20 DR <pppoe-user1006> pppoe-in 1480
21 DR <pppoe-user1007> pppoe-in 1480
22 DR <pppoe-user1008> pppoe-in 1480
23 DR <pppoe-useri1009> pppoe-in 1480
24 DR <pppoe-user1010> pppoe-in 1480
25 DR <pppoe-user1012> pppoe-in 1480
26 DR <pppoe-user1013> pppoe-in 1480
27 DR <pptp-useroffice> pptp-in 1400
28 R br_hs bridge 1500 1590 D4:CA:6D:88:F1:3F
29 R pppoe-wan1 pppoe-out 1480
30 R pppoe-wan2 pppoe-out 1480
31 X pppoe-wan3 pppoe-out
32 X pppoe-wan4 pppoe-out
33 X pppoe-wan5 pppoe-out
34 X pppoe-wan6 pppoe-out
35 X pppoe-wan7 pppoe-out
36 X pppoe-wan8 pppoe-out
37 X pppoe-wan9 pppoe-out
38 X pppoe-wan10 pppoe-out
39 X pptp-in1 pptp-in
40 R radius pptp-out 1450
Thank you for reading all this long post. I'm waiting for your replies.
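An added example, not part of the original post and not the poster's code: a small Python audit of a `/ip firewall filter print` dump in the form shown above (rule number, optional `X` flag, a `;;;` comment line followed by the rule body). It reports the four things a reviewer checks first in such a dump: whether the input chain still ends in an active unconditional drop (a RouterOS built-in chain that no rule matches accepts the packet), which user-defined chains no active rule jumps to, which address lists are filled by active rules but never read by one, and which drop rules are disabled. The sample input is a trimmed subset of the posted rules; the one assumption is that RouterOS printed the value `port scanners` in double quotes and the forum paste stripped them, so the quotes are restored here for the tokenizer. The checks are structural only and do not evaluate match conditions.

```python
"""Static audit of a RouterOS `/ip firewall filter print` dump (added example,
not the poster's code).  Reports: the input chain's unconditional final action,
user chains no active rule jumps to, address lists filled but never read, and
disabled drop rules.  Structural only: match conditions are not evaluated."""
import re
import shlex

# Constructed sample: a trimmed subset of the rules in the post.  RouterOS prints
# values containing spaces in double quotes; they are restored here (assumption:
# the forum paste stripped them) so that shlex can tokenise the line.
SAMPLE_DUMP = """\
Flags: X - disabled, I - invalid, D - dynamic
 2   chain=input action=add-src-to-address-list protocol=tcp address-list=knock address-list-timeout=15s dst-port=1337
 3   chain=input action=add-src-to-address-list protocol=tcp src-address-list=knock address-list=safe address-list-timeout=15m dst-port=7331
 7 X ;;; Allow access to router from known network
     chain=input action=accept src-address-list=safe
11 X ;;; jump to chain ICMP
     chain=input action=jump jump-target=ICMP protocol=icmp
12 X ;;; jump to chain services
     chain=input action=jump jump-target=services
14 X ;;; drop everything else
     chain=input action=drop
15 X ;;; 0:0 and limit for 5pac/s
     chain=ICMP action=accept protocol=icmp icmp-options=0:0-255 limit=5,5
46   chain=services action=return
47   ;;; Port scanners to list
     chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list="port scanners" address-list-timeout=2w
54 X ;;; dropping port scanners
     chain=input action=drop src-address-list="port scanners"
"""

# "<number> [flags] <comment-or-body>"; print flags are single letters (X, I, D).
RULE_HEAD = re.compile(r"^\s*(\d+)\s+((?:[XID]\s+)*)(.*)$")
# Keys that do not narrow what a rule matches.
NON_MATCH_KEYS = {"id", "disabled", "comment", "chain", "action",
                  "jump-target", "address-list", "address-list-timeout"}


def _add_fields(rule, text):
    for token in shlex.split(text):  # honours RouterOS's "quoted values"
        key, _, value = token.partition("=")
        rule[key] = value


def parse_rules(dump):
    """Parse print output into dicts; a ';;;' comment line is followed by the body."""
    rules, pending = [], None
    for line in dump.splitlines():
        head = RULE_HEAD.match(line)
        if head:
            number, flags, rest = head.groups()
            rule = {"id": int(number), "disabled": "X" in flags, "comment": ""}
            if rest.startswith(";;;"):
                rule["comment"] = rest[3:].strip()
                pending = rule  # body is on the next line
                continue
            _add_fields(rule, rest)
            rules.append(rule)
        elif pending is not None and line.strip().startswith("chain="):
            _add_fields(pending, line)
            rules.append(pending)
            pending = None
    return rules


def active(rules):
    return [r for r in rules if not r["disabled"]]


def catch_all_action(rules, chain):
    """Action of the last active unconditional rule in `chain`, or None when the
    chain falls through (RouterOS built-in chains then accept by default)."""
    hits = [r for r in active(rules)
            if r["chain"] == chain and not (set(r) - NON_MATCH_KEYS)]
    return hits[-1]["action"] if hits else None


def unreachable_chains(rules):
    """User-defined chains that no active jump rule targets."""
    user_chains = {r["chain"] for r in rules} - {"input", "forward", "output"}
    targets = {r["jump-target"] for r in active(rules) if r["action"] == "jump"}
    return sorted(user_chains - targets)


def orphan_address_lists(rules):
    """Lists an active rule adds to but no active rule ever matches on."""
    fed = {r["address-list"] for r in active(rules)
           if r["action"].endswith("to-address-list")}
    read = {r[k] for r in active(rules)
            for k in ("src-address-list", "dst-address-list") if k in r}
    return sorted(fed - read)


def audit(dump):
    """Run all four checks and return the findings as one dict."""
    rules = parse_rules(dump)
    return {
        "input_catch_all": catch_all_action(rules, "input"),
        "unreachable_chains": unreachable_chains(rules),
        "orphan_lists": orphan_address_lists(rules),
        "disabled_drops": [r["id"] for r in rules
                           if r["disabled"] and r["action"] == "drop"],
    }
```

`audit(SAMPLE_DUMP)` reports no active catch-all on input, `ICMP` and `services` as unreachable, `port scanners` and `safe` as orphan lists, and rules 14 and 54 as disabled drops. Run against the full dump in the post, the same checks give the same picture: rule 14 is the only unconditional input drop and it is disabled, the jumps to `ICMP` and `services` (rules 11 and 12) are disabled and nothing jumps to `unused-hs-chain`, and the `safe` and `port scanners` lists are populated by active rules 3 and 47-53 but read only by the disabled rules 7 and 54.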