Hello
I have a VPN server on Windows Server 2012 R2 on my network. The network is behind NAT. Redirection to the server is configured and I can connect to it easily. A few hours after the last connection to the MikroTik or to the VPN, I lose the ability to connect. A Winbox connection to the MikroTik doesn't work either.
But as soon as I connect my computer to the local network and connect to the MikroTik's local address via Winbox, everything starts to work. I checked the VPN from my mobile phone, which has Internet over a 3G network, and I can connect, but after 2-3 hours the situation repeats itself. Please help me.
# jun/10/2016 09:58:16 by RouterOS 6.30.2
#
# Packet filter. Rule order matters: the first rule that matches and has a
# terminating action decides. A rule with no action= uses the default action
# (accept); an accept inside a jumped-to chain (e.g. sanity-check) also ends
# processing for the chain that jumped there.
# Built-in chains here are input (to the router), forward (through the
# router) and output. Everything else (sanity-check, drop, restrict-*,
# dhcp, local-services, public-services, prerouting) is a user-defined
# chain that only runs if some rule jumps to it.
/ip firewall filter
# The five disabled=yes rules below ("Niepodtrzebne" = "not needed") are kept
# in the export but never evaluated.
add chain=input comment="WWW - Niepodtrzebne" disabled=yes dst-port=80 \
protocol=tcp
add chain=forward comment=\
"Allowe GRE (47) dla VPN - Niepodtrzebne" \
disabled=yes protocol=gre
add chain=forward comment=\
"Allowe port1723 for VPN - Niepodtrzebne" \
disabled=yes dst-port=1723 protocol=tcp
add chain=input comment="Pozwala na polaczenia TCP - Niepodtrzebne" disabled=\
yes protocol=tcp
add chain=input comment="Zezwolenie na UDP - Niepodtrzebne" disabled=yes \
protocol=udp
# "Winbox z Internetu" = Winbox from the Internet.
# NOTE(review): accepts the management port (8291/tcp) from any source
# address, and it sits before the input chain's jump to sanity-check, so the
# blocked-addr / port-scan checks never apply to it. Limiting this rule with
# src-address or src-address-list to the remote addresses that need access,
# or at least placing it after the "Sanity Check" jump, reduces exposure.
add chain=input comment="Winbox z Internetu" dst-port=8291 protocol=tcp
# "Dostep do Winboxa z sieci wewnetrznej" = Winbox access from the internal
# network (172.16.0.0/20).
add chain=input comment="Dost\EAp do Winboxa z sieci wewn\EAtrznej" dst-port=\
8291 protocol=tcp src-address=172.16.0.0/20
add chain=input comment="Test accept ICMP" in-interface=ether4_local \
protocol=icmp
# NOTE(review): these three jumps are placed in the filter table with
# chain=prerouting. The filter table has no built-in prerouting chain, so
# this looks like a user-defined chain that nothing jumps to, and the
# tcp-services / udp-services / other-services chains they target are
# defined under /ip firewall mangle. If that reading is right, the
# connection marks (auth, smtp, other-tcp, other-udp, other, ping, ...)
# consumed by later rules are never assigned and those rules never match.
# Presumably these belong in /ip firewall mangle chain=prerouting — confirm
# with the rule counters before changing anything.
add action=jump chain=prerouting connection-state=new jump-target=\
tcp-services protocol=tcp
add action=jump chain=prerouting connection-state=new jump-target=\
udp-services protocol=udp
add action=jump chain=prerouting connection-state=new jump-target=\
other-services
# Forwarded traffic (including everything dst-nat'ed to the VPN host) goes
# through sanity-check first.
add action=jump chain=forward comment="Sanity Check Forward" jump-target=\
sanity-check
# sanity-check chain: drops obviously bad traffic, accepts established /
# related, otherwise returns to the calling chain.
# Uses the nat-traversal packet mark set in the mangle section.
add action=jump chain=sanity-check comment="Deny illegal NAT traversal" \
jump-target=drop packet-mark=nat-traversal
# Port-scan detection (psd=weight-threshold,delay,low-port-weight,
# high-port-weight). A source that trips it is listed in blocked-addr for
# one day; its TCP is then dropped by the src-address-list=blocked-addr rule
# below. "Uwaga na to. Dodaje do listy zablokowanych" = "Watch out for this.
# It adds to the blocked list."
# NOTE(review): a legitimate remote client that shares a public address with
# other hosts (carrier NAT on a mobile network, an office NAT) is locked out
# together with whoever triggered it. When remote access stops working,
# /ip firewall address-list is the first place to look for the client's
# public address.
add action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d chain=sanity-check comment=\
"Block port scans !! Uwaga na to. Dodaje do listy zablokowanych" \
protocol=tcp psd=20,3s,3,1
# Flag-pattern scans. fin,psh,urg set with syn/rst/ack clear is the Xmas-scan
# signature; the following rule, with every flag clear, is the Null-scan
# signature. The two comment= labels appear to be swapped; the matches
# themselves are fine.
add action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d chain=sanity-check comment="Block TCP Null scan" \
protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=blocked-addr \
address-list-timeout=1d chain=sanity-check comment="Block TCP Xmas scan" \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# Enforcement for the three list-building rules above (TCP only).
add action=jump chain=sanity-check jump-target=drop protocol=tcp \
src-address-list=blocked-addr
# NOTE(review): drops every TCP RST reaching sanity-check, not only stray
# ones, so peers cannot tear down half-open connections through the router.
# Presumably intentional (copied from a hardening template) — confirm.
add action=jump chain=sanity-check comment="Drop TCP RST" jump-target=drop \
protocol=tcp tcp-flags=rst
add action=jump chain=sanity-check comment="Drop TCP SYN+FIN" jump-target=\
drop protocol=tcp tcp-flags=fin,syn
add action=jump chain=sanity-check comment=\
"Dropping invalid connections at once" connection-state=invalid \
jump-target=drop
# These two accept (default action) and therefore terminate processing for
# the input/forward chain that jumped here.
add chain=sanity-check comment="Accepting already established connections" \
connection-state=established
add chain=sanity-check comment="Also accepting related connections" \
connection-state=related
add action=jump chain=sanity-check comment=\
"Drop all traffic that goes to multicast or broadcast addresses" \
dst-address-type=broadcast,multicast jump-target=drop
# illegal-addr, local-addr and nat-addr are address lists kept under
# /ip firewall address-list, which is not part of this export.
add action=jump chain=sanity-check comment=\
"Drop illegal destination addresses" dst-address-list=illegal-addr \
dst-address-type=!local in-interface=ether4_local jump-target=drop
# Disabled: anti-spoofing on the LAN side is currently off.
add action=jump chain=sanity-check comment="Drop everything that goes from loc\
al interface but not from local address" disabled=yes in-interface=\
ether4_local jump-target=drop src-address-list=!local-addr
add action=jump chain=sanity-check comment="Drop illegal source addresses" \
in-interface=ether2_public jump-target=drop src-address-list=illegal-addr
add action=jump chain=sanity-check comment=\
"Drop all traffic that comes from multicast or broadcast addresses" \
jump-target=drop src-address-type=broadcast,multicast
# Forward chain, part 2: per-protocol restriction chains. They match only on
# connection marks, so their effect depends entirely on the marks actually
# being assigned (see the note on the chain=prerouting jumps above).
# There is no catch-all rule at the end of forward: whatever sanity-check and
# restrict-* do not drop is accepted.
add action=jump chain=forward jump-target=restrict-tcp protocol=tcp
add action=jump chain=forward jump-target=restrict-udp protocol=udp
add action=jump chain=forward jump-target=restrict-ip
add action=reject chain=restrict-tcp connection-mark=auth
# NOTE(review): no rule in this export assigns a "smtp" connection mark, so
# the anti-spam chain below is currently unreachable.
add action=jump chain=restrict-tcp comment="anti-spam policy" \
connection-mark=smtp jump-target=smtp-first-drop
# smtp-first-drop: greylisting by source address — first attempt is listed
# in first-smtp and rejected, a retry from a listed source is promoted to
# approved-smtp and allowed through (return).
add action=add-src-to-address-list address-list=approved-smtp chain=\
smtp-first-drop src-address-list=first-smtp
add action=return chain=smtp-first-drop src-address-list=approved-smtp
add action=add-src-to-address-list address-list=first-smtp chain=\
smtp-first-drop
add action=reject chain=smtp-first-drop
# Connections the mangle section could not classify are dropped in forward.
add action=jump chain=restrict-tcp connection-mark=other-tcp jump-target=drop
add action=jump chain=restrict-udp connection-mark=other-udp jump-target=drop
add action=jump chain=restrict-ip connection-mark=other jump-target=drop
# Input chain, part 2 (the accepts for Winbox and ICMP above run first).
add chain=input comment="Allow local traffic (between router applications)" \
dst-address-type=local src-address-type=local
add action=jump chain=input comment="Sanity Check" jump-target=sanity-check
add action=jump chain=input comment="Dropping packets not destined to the rout\
er itself, including all broadcast traffic" dst-address-type=!local \
jump-target=drop
# Relies on the "ping" connection mark from the mangle section; limit=5,5 is
# 5 packets per second with a burst of 5.
add chain=input comment=\
"Allow pings, but at a very limited rate (5 packets per sec)" \
connection-mark=ping limit=5,5
# Final input rule: everything not accepted above is logged and dropped.
add action=jump chain=input jump-target=drop
# NOTE(review): no rule in this export jumps to the dhcp, local-services or
# public-services chains, so the rules below are currently dead. In
# particular the "ssh" mark they reference is never assigned in the mangle
# section either. If these chains are meant to gate router services per
# interface, input needs jumps into them (placed before the final drop).
add chain=dhcp dst-address=255.255.255.255 src-address=0.0.0.0
add chain=dhcp dst-address-type=local src-address=0.0.0.0
add chain=dhcp dst-address-type=local src-address-list=local-addr
add chain=local-services comment="SSH (22/TCP)" connection-mark=ssh
add chain=local-services comment=DNS connection-mark=dns
add chain=local-services comment="HTTP Proxy (3128/TCP)" connection-mark=\
proxy
add chain=local-services comment="Winbox (8291/TCP)" connection-mark=winbox
add action=log chain=local-services comment="Log & Drop Other Local Services"
add action=drop chain=local-services
add chain=public-services comment="SSH (22/TCP)" connection-mark=ssh
add chain=public-services comment="PPTP (1723/TCP)" connection-mark=pptp
add chain=public-services comment="Winbox (8291/TCP)" connection-mark=winbox
add chain=public-services comment="GRE for PPTP" connection-mark=gre
add action=log chain=public-services comment=\
"Log & Drop Other Public Services"
add action=drop chain=public-services
# drop chain: every drop in this config goes through here, so the router log
# records what was dropped and why — useful when diagnosing lost remote
# access.
add action=log chain=drop
add action=drop chain=drop
# Connection classification. Each rule in tcp-services / udp-services /
# other-services tags a matching connection with a connection mark and stops
# mangle processing for that packet (passthrough=no); the last rule of each
# chain is a catch-all (other-tcp / other-udp / other). The filter section
# matches on these marks (restrict-*, the ping rate limit, the *-services
# chains).
# NOTE(review): these three chains are user-defined and no rule in this
# mangle section jumps into them. The only jumps to them in this export are
# the chain=prerouting rules under /ip firewall filter, where prerouting is
# not a built-in chain — so the marks may never be assigned. Presumably the
# jumps were meant to be here, as
# `add action=jump chain=prerouting connection-state=new jump-target=tcp-services protocol=tcp`
# (and likewise for udp-services and other-services) — confirm against the
# rule counters.
# Every service rule also requires src-port=1024-65535; a client sending
# from a privileged source port falls through to the catch-all mark.
/ip firewall mangle
add action=mark-connection chain=tcp-services dst-port=53 \
new-connection-mark=dns passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=80 \
new-connection-mark=http passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=110 \
new-connection-mark=pop3 passthrough=no protocol=tcp src-port=1024-65535
# "auth" (ident, 113/tcp) is rejected by restrict-tcp in the filter section.
add action=mark-connection chain=tcp-services dst-port=113 \
new-connection-mark=auth passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=119 \
new-connection-mark=nntp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=143 \
new-connection-mark=imap passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=161-162 \
new-connection-mark=snmp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=443 \
new-connection-mark=https passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=465 \
new-connection-mark=smtps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=993 \
new-connection-mark=imaps passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=995 \
new-connection-mark=pop3s passthrough=no protocol=tcp src-port=1024-65535
# PPTP control channel; the matching GRE mark is in other-services below.
add action=mark-connection chain=tcp-services dst-port=1723 \
new-connection-mark=pptp passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=2379 \
new-connection-mark=kgs passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=3128 \
new-connection-mark=proxy passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=3389 \
new-connection-mark=win-ts passthrough=no protocol=tcp src-port=\
1024-65535
# P2P classification: some of these match on the *source* port instead of
# the destination port.
add action=mark-connection chain=tcp-services dst-port=4242-4243 \
new-connection-mark=emule passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=1024-65535 \
new-connection-mark=overnet passthrough=no protocol=tcp src-port=\
4661-4662
add action=mark-connection chain=tcp-services dst-port=1024-65535 \
new-connection-mark=emule passthrough=no protocol=tcp src-port=4711
add action=mark-connection chain=tcp-services dst-port=5900-5901 \
new-connection-mark=vnc passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=6667-6669 \
new-connection-mark=irc passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=tcp-services dst-port=6881-6889 \
new-connection-mark=bittorrent passthrough=no protocol=tcp src-port=\
1024-65535
add action=mark-connection chain=tcp-services dst-port=8080 \
new-connection-mark=http passthrough=no protocol=tcp src-port=1024-65535
# Winbox mark, consumed by the (currently unreferenced) *-services chains.
add action=mark-connection chain=tcp-services dst-port=8291 \
new-connection-mark=winbox passthrough=no protocol=tcp src-port=\
1024-65535
# TCP catch-all; other-tcp is dropped in the forward chain.
# Note that no rule assigns the "ssh" or "smtp" marks the filter section
# refers to, so SSH (22) and SMTP (25) end up here.
add action=mark-connection chain=tcp-services new-connection-mark=other-tcp \
passthrough=no protocol=tcp
add action=mark-connection chain=udp-services dst-port=53 \
new-connection-mark=dns passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=123 \
new-connection-mark=ntp passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=1701 \
new-connection-mark=l2tp passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=4665 \
new-connection-mark=emule passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=4672 \
new-connection-mark=emule passthrough=no protocol=udp src-port=1024-65535
add action=mark-connection chain=udp-services dst-port=1024-65535 \
new-connection-mark=emule passthrough=no protocol=udp src-port=4672
add action=mark-connection chain=udp-services dst-port=12053 \
new-connection-mark=overnet passthrough=no protocol=udp src-port=\
1024-65535
add action=mark-connection chain=udp-services dst-port=1024-65535 \
new-connection-mark=overnet passthrough=no protocol=udp src-port=12053
add action=mark-connection chain=udp-services dst-port=1024-65535 \
new-connection-mark=skype passthrough=no protocol=udp src-port=36725
# UDP catch-all. Unlike the TCP one it also requires connection-state=new;
# harmless if the chain is only ever entered for new connections.
add action=mark-connection chain=udp-services connection-state=new \
new-connection-mark=other-udp passthrough=no protocol=udp
# Non-TCP/UDP: ICMP echo request (type 8) -> ping, GRE (PPTP data) -> gre,
# anything else -> other (dropped in forward by restrict-ip).
add action=mark-connection chain=other-services icmp-options=8 \
new-connection-mark=ping passthrough=no protocol=icmp
add action=mark-connection chain=other-services new-connection-mark=gre \
passthrough=no protocol=gre
add action=mark-connection chain=other-services new-connection-mark=other \
passthrough=no
# This rule is in the built-in prerouting chain and does run. Packets from
# the LAN interface addressed to the nat-addr list (defined under
# /ip firewall address-list, not in this export) get the nat-traversal
# packet mark, which sanity-check in the filter section drops.
add action=mark-packet chain=prerouting comment="Detect NAT Traversal" \
dst-address-list=nat-addr in-interface=ether4_local new-packet-mark=\
nat-traversal passthrough=no
#
# NAT. "Public" below is not a valid address; it appears to be a placeholder
# the author substituted for the real public address when posting.
/ip firewall nat
# Keeps 8291/tcp on the router itself (dst-nat to the same address and
# port). Because it precedes the "VPN server" rule, Winbox is the only
# service excluded from the blanket forward below.
add action=dst-nat chain=dstnat comment=\
"Mikrotik from Internet" \
dst-address=Public dst-port=8291 protocol=tcp to-addresses=\
Public to-ports=8291
# NOTE(review): no protocol= or dst-port= match, so every protocol and port
# arriving at the public address is forwarded to 172.16.0.10; only the
# filter forward chain (which has no catch-all drop) limits what reaches
# that host. For a PPTP server the rule only needs 1723/tcp and GRE, e.g.
# `add action=dst-nat chain=dstnat dst-address=Public dst-port=1723 protocol=tcp to-addresses=172.16.0.10`
# plus the same with `protocol=gre` and no dst-port.
add action=dst-nat chain=dstnat comment=\
"VPN server" dst-address=\
Public to-addresses=172.16.0.10
# No action= means accept: traffic leaving via ether3_routing is not
# source-NATed.
add chain=srcnat comment=Routing out-interface=ether3_routing
# "Zamaskowanie sieci wewnetrznej" = masquerading of the internal network.
add action=masquerade chain=srcnat comment="Zamaskowanie sieci wewn\EAtrznej" \
out-interface=ether2_public