/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
add interface=bridge2 list=LAN2
/ip firewall address-list
add address=192.168.1.0/24 list=Local-LAN
add address=192.168.2.0/24 list=Guest
add address=192.168.3.240-192.168.3.245 list=VPN
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input src-address-list=Local-LAN comment="Config Access"
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 \
in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKE IPSec" in-interface-list=WAN \
protocol=ipsec-esp
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Access Internet From LAN" \
in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Access Internet From LAN2" \
in-interface-list=LAN2 out-interface-list=WAN
add action=accept chain=forward comment=VPN dst-address-list=Local-LAN \
src-address-list=VPN
add action=accept chain=forward dst-port=25 protocol=tcp src-address-list=\
BarracudaIP-SMTP
add action=accept chain=forward dst-port=25 out-interface=WAN protocol=tcp
add action=accept chain=forward comment="allow dst-nat from both WAN and LAN (including port forwarding)" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
# the proxy-arp bridge entry belongs in the bridge section, not under /ip firewall nat
/interface bridge
add arp=proxy-arp name=bridge1
So, when I try to access the mapped drive, or even access the UNC path, I get that the credentials are not correct. The VPN credentials are being passed as the only authentication method, not the Windows one. Will this solve the issue? Thanks!

Additional ports will need to be opened in the "Input" chain for L2TP authorization. We use address-lists. The necessary corrections are in the firewall section. We always use the "default" firewall as the basis for everything and supplement it with what we need. In order for the traffic to work correctly, we drop everything at the end of both the Input chain and the Forward chain rules:
add action=drop chain=forward comment="drop all else"
Firewall rules are executed from top to bottom. The sequence also matters.
Thanks!

If the office has a network and a server on which AD runs, and your laptop is registered (joined) in the domain, then by creating a VPN IPsec connection with the office you should be able to open network folders without authorization.
If this laptop is not joined to the domain, then access to the network folders will have to be managed with authorization data.
But all this will work correctly only if the traffic flow is correct and all the necessary FW rules are used, with L2TP/IPsec properly configured with access to Local-LAN. If your configuration is currently exactly as shown in your example, then it will not work correctly. There will be no security either, because the traffic rules do not meet the basic standard of protection that is required.
If the connection to the network folders is interrupted as soon as you log in to the VPN, you need to see how the Windows VPN client is configured, whether "use default gateway" is used or not. It can also be affected by the subnets: I have seen cases where the office IP subnet is the same as the home subnet. The addresses must be different. There can be various reasons why there is no access to network folders.
I copied you an example of what the FW section should look like in order for it to work correctly.
It uses address-lists. Define your IP addresses (LAN, WAN, VPN, etc.).
As a small example (it can be seen in my copied list): when creating a VPN connection, this rule correctly indicates that your VPN address (or several) will go directly to your Local-LAN:
add action=accept chain=forward comment=VPN dst-address-list=Local-LAN \
    src-address-list=VPN
Every entry is important and so is the order. Do not mix Input and Forward places. I think if you fix the FW then everything should start working.
MikroTik has two ways to configure traffic.
1) we allow everything and prohibit only what we need to prohibit
2) we drop everything and allow only what we need
The second option is the most popular and also the most correct. We prohibit everything and, if we do not reach a resource, etc., we look at the address-list and then create a rule, for example from VPN->LAN1 or LAN2, Guest or somewhere else.
add action=accept chain=input comment=L2TP dst-port=500,1701,4500 does not work: "failure: ports can be specified if proto is tcp,udp,udp-lite,dccp,sctp"
What do your firewall rules look like after the changes? It is not clear why your VPN does not work correctly. Do you have "interface list=Local-LAN" specified for your current profile in PPP-profiles?
Sorry, I did, but since I encountered errors, I reverted back. I do appreciate your help; as I said before, I am a complete noob using MikroTik, and up until last year I did not have a clue about them. I have always used NetGear routers for home, or either Cisco or SonicWall firewall devices. I never had to configure one or the other, and this device was already configured when I took this job. A contractor was assisting my predecessor, and he had a lot of access and billable hours. https://help.mikrotik.com/docs/pages/vi ... eId=328435
I see that you have not fixed the firewall filter. Your existing configuration does not ensure the correct traffic flow. Your firewall rules are crap and not secure at all.
You will also have no security, because the "Input chain" and "Forward chain" traffic termination rules (drop all) are not specified. As an example, if we scan your IP address from the outside, the scanner will show that you have a lot of ports open, which is basically completely wrong. Fix the firewall according to the example I copied for you earlier.
We do not specify VPN ports in the NAT section. Normal VPN will not work for you. See my example. They must be in the "Input" chain. In the Forward section we indicate everything needed for "Barracuda" with all ports, etc.
I already copied ready-made firewall rules for you and you have to correct your IP addresses in the address-list.
Example:
/ip firewall address-list
add address=10.10.1.10-10.10.1.199 comment="Local LAN" list=Local-LAN
# list= is mandatory on every address-list entry; the list names on the next
# three lines are assumed from the filter rules above, which reference
# Local-LAN and BarracudaIP-SMTP
add address=10.10.1.200 comment="AD server" list=Local-LAN
add address=10.10.1.201 comment="AD server2" list=Local-LAN
add address=10.10.1.202 comment="BarracudaIP-SMTP" list=BarracudaIP-SMTP
add address=10.10.2.0/24 comment="WIFI subnet" list=WIFI-LAN
Going back would not be the best advice. You understand: you don't have correct firewall entries, which affects firewall flow, security and the rest. If you have this MikroTik in the production environment as the primary one, then you absolutely need to arrange the traffic flow as shown in my example. Otherwise, your router can be hacked, your local LAN can be accessed and it will cause you a lot of other problems.