Hello, friends!
I Have a little trouble…
I have three ISP and one static SIP. I made a pptp server, but clients just can connect, but the can’t do anything. And they can surf Internet through pptp, but i don’t need it. I just need them can to connect asterisk server. Using softphones or sip-phones.
/interface ethernet
set [ find default-name=ether3 ] name=ISP1
set [ find default-name=ether4 ] name=ISP2
set [ find default-name=ether1 ] disabled=yes name=ISPReserve
set [ find default-name=ether2 ] arp=proxy-arp name=LAN
/ip ipsec policy group
set
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-256-cbc,aes-256-ctr pfs-group=\
none
/ip pool
add name=dhcp_pool1 ranges=192.168.10.15-192.168.10.150
add name=dhcp_pool2 ranges=192.168.10.15-192.168.10.99
add name=vpn_pool ranges=192.68.10.201-192.168.10.221
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 disabled=no interface=LAN lease-time=3d \
name=dhcp1
/ppp profile
add change-tcp-mss=yes local-address=192.168.10.1 name=pptp-profile \
remote-address=vpn_pool use-encryption=yes
/interface bridge port
add interface=LAN
/ip firewall connection tracking
set enabled=yes
/interface l2tp-server server
set ipsec-secret=tumba-yumba-setebryaki
/interface ovpn-server server
set certificate=ca.crt_0 default-profile=l2p_profile \
require-client-certificate=yes
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=pptp-profile \
enabled=yes keepalive-timeout=disabled
/ip address
add address=82.200.XX.XX/30 interface=ISP1 network=82.200.YY.YY
add address=82.200.XX.XX/30 interface=ISP2 network=82.200.YY.YY
add address=192.168.10.1/24 interface=LAN network=192.168.10.0
add address=192.168.0.18/30 interface=ether5 network=192.168.0.16
add address=212.94.ZZ.ZZ/24 disabled=yes interface=ISPReserve network=\
212.94.ZZZ.ZZ
/ip dhcp-server lease
...
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1,8.8.4.4,8.8.8.8 gateway=\
192.168.10.1 netmask=24
/ip dns
set servers=8.8.8.8,8.8.4.4,80.89.128.5
/ip firewall filter
add chain=input dst-port=1723 protocol=tcp
add chain=input protocol=gre
add chain=output protocol=gre
add chain=input dst-port=1701,500,4500 protocol=udp
add chain=forward dst-address=192.168.10.66 dst-port=5060,10000-20000 \
in-interface=ether5 protocol=udp
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=SIPtrunk passthrough=\
no protocol=udp src-address=192.168.10.0/24 src-port=5060,10000-20000
add action=mark-connection chain=input in-interface=ISP1 new-connection-mark=\
WAN1_conn
add action=mark-connection chain=input in-interface=ISP2 new-connection-mark=\
WAN2_conn
add action=mark-routing chain=output connection-mark=WAN1_conn \
new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn \
new-routing-mark=to_WAN2
add chain=prerouting dst-address=82.200.XX.XX/30 in-interface=LAN
add chain=prerouting dst-address=82.200.XX.XX/30 in-interface=LAN
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=LAN new-connection-mark=WAN1_conn per-connection-classifier=\
both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=LAN new-connection-mark=WAN2_conn per-connection-classifier=\
both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
in-interface=LAN new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
in-interface=LAN new-routing-mark=to_WAN2
/ip firewall nat
add action=dst-nat chain=dstnat disabled=yes dst-port=5060,10000-20000 \
in-interface=ISP1 protocol=udp to-addresses=192.168.10.66
add action=dst-nat chain=dstnat dst-port=5060,5678,10000-20000 in-interface=\
ether5 protocol=udp to-addresses=192.168.10.66
add action=dst-nat chain=dstnat dst-port=500,1701,4500 protocol=udp \
to-addresses=192.168.10.1
add action=masquerade chain=srcnat disabled=yes out-interface=*A
add action=masquerade chain=srcnat out-interface=ISP1
add action=masquerade chain=srcnat out-interface=ISP2
add action=masquerade chain=srcnat dst-address=!192.168.0.0/16 out-interface=\
<pptp-u1> src-address=192.168.0.0/16
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=192.168.0.17 routing-mark=SIPtrunk
add check-gateway=ping distance=1 gateway=82.200.XX.XX routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=82.200.XX.XX routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=192.168.0.17 routing-mark=route_SIP
add check-gateway=ping distance=1 gateway=82.200.YY.YY
add check-gateway=ping distance=2 gateway=82.200.YY.YY
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/ppp secret
add name=u1 password=*********** profile=pptp-profile service=pptp
add local-address=192.168.10.200 name=u1 password=*********** profile=\
pptp-profile service=pptp
/system clock
set time-zone-name=Asia/Novosibirsk
/system logging
add action=disk topics=firewall
/system ntp client
set enabled=yes primary-ntp=213.141.136.201
