Hello,
I have a problem with my ROS configuration. From my ISP i have a VPN service with a star topology and 192.168.0.0/16 address range on ISP equipments.
In site 1 i have a public address and a mikrotik rb4011 behind which has 192.168.1.0/24 lan address range.
Problem is: from 192.168.1.0/24 i can ping and access 192.168.2.0/24 and 192.168.9.0/24, but from 192.168.2.0/24 or 192.168.9.0/24 i can`t. What i do wrong?
I`m a newbie on mikrotik.
Please share your config:/export hide-sensitive file=whateveryoulike
My config file is:
# sep/07/2020 09:55:28 by RouterOS 6.47.2
# software id = 5560-LVVB
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D43B0C35DD63
/interface bridge
add admin-mac=48:8F:5A:69:22:4F arp=proxy-arp auto-mac=no name="LAN 1"
add arp=proxy-arp name=LAN_Guest
add arp=proxy-arp name=VPN_PPTP
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp name=TELEKOM_eth1
set [ find default-name=ether2 ] arp=proxy-arp name=VODAFONE_eth2
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether9 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=LAN1 ranges=192.168.1.150-192.168.1.200
add name=LAN_GUEST ranges=192.168.88.2-192.168.88.254
add name=VPN ranges=192.168.50.2-192.168.50.254
add name=Neutilizat ranges=192.168.1.210-192.168.1.254
/ip dhcp-server
add address-pool=LAN1 disabled=no interface="LAN 1" name=DHCP_LAN1
add address-pool=LAN_GUEST disabled=no interface=LAN_Guest name=\
"DHCP LAN_Guest"
add address-pool=VPN disabled=no interface=VPN_PPTP name=DHCP_PPTP
/ppp profile
add bridge=VPN_PPTP dns-server=192.168.50.1,193.231.100.134 local-address=\
192.168.50.1 name=PPTP_VPN only-one=yes remote-address=VPN \
use-encryption=yes
add local-address=192.168.50.1 name=IPSEC_VPN remote-address=VPN \
use-encryption=yes
/interface bridge filter
add action=drop chain=forward in-interface=wlan3
add action=drop chain=forward out-interface=wlan3
add action=drop chain=forward in-interface=wlan4
add action=drop chain=forward out-interface=wlan4
/interface bridge port
add bridge="LAN 1" interface=ether3
add bridge="LAN 1" interface=ether4
add bridge="LAN 1" interface=ether5
add bridge="LAN 1" interface=ether6
add bridge="LAN 1" interface=ether7
add bridge="LAN 1" interface=ether8
add bridge="LAN 1" interface=ether9
add bridge="LAN 1" interface=ether10
add bridge="LAN 1" interface=sfp-sfpplus1
add bridge="LAN 1" interface=wlan1
add bridge="LAN 1" interface=wlan2
add bridge=LAN_Guest interface=wlan3
add bridge=LAN_Guest interface=wlan4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set accept-redirects=yes accept-source-route=yes
#error exporting /interface detect-internet
/interface l2tp-server server
set default-profile=IPSEC_VPN enabled=yes use-ipsec=yes
/interface list member
add interface=TELEKOM_eth1 list=WAN
add interface="LAN 1" list=LAN
add interface=tiberiu.avram list=LAN
add interface=VODAFONE_eth2 list=WAN
add interface=VPN_PPTP list=LAN
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=PPTP_VPN enabled=\
yes
/ip address
add address=192.168.1.1/24 comment=LAN1 interface="LAN 1" network=192.168.1.0
add address=Public_address interface=TELEKOM_eth1 network=Public_network
add address=192.168.88.1/24 interface=LAN_Guest network=192.168.88.0
add address=Public_address interface=VODAFONE_eth2 network=Public_network
add address=Public_address interface=TELEKOM_eth1 network=Public_network
add address=192.168.50.1/24 interface=VPN_PPTP network=192.168.50.0
add address=192.168.3.3/24 interface="LAN 1" network=192.168.3.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=\
193.231.100.134,193.231.100.130,81.12.128.206,81.12.132.206 gateway=\
192.168.1.1 netmask=24
add address=192.168.50.0/24 dns-server=\
193.231.100.134,193.231.100.130,81.12.128.206,81.12.132.206 gateway=\
192.168.50.1
add address=192.168.88.0/24 dns-server=\
193.231.100.134,193.231.100.130,81.12.128.206,81.12.132.206 gateway=\
192.168.88.1
/ip dns
set allow-remote-requests=yes servers=\
193.231.100.134,193.231.100.130,81.12.128.206,81.12.132.206
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan type=A
/ip firewall filter
add action=drop chain=input comment="DROP UDP 389" dst-port=389,5060 \
protocol=udp
add action=drop chain=input comment="DROP TCP 2200,32320" dst-port=\
2200,32320,33333,32325 protocol=tcp
add action=accept chain=input comment="PPTP VPN" dst-port=1723 log-prefix=\
PPTP_VPN protocol=tcp
add action=accept chain=input comment="PPTP VPN" log-prefix=GRE protocol=gre
add action=accept chain=input comment=\
"defconf: accept established,related,untracked"
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=jump chain=forward comment="Detectie si blocare DDOS" \
connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos src-address=192.168.0.0/16
add action=add-dst-to-address-list address-list=ddos-targets \
address-list-timeout=10m chain=detect-ddos
add action=add-src-to-address-list address-list=ddos-attackers \
address-list-timeout=10m chain=detect-ddos
add action=drop chain=forward connection-state=new dst-address-list=\
ddos-targets src-address-list=ddos-attackers
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid log=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Respinge PING de la IP Public" log=yes \
protocol=icmp
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=Connected \
src-address-list=Connected
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
TELEKOM_eth1 new-connection-mark=TELEKOM->RouterForestierului \
passthrough=yes
add action=mark-connection chain=input connection-mark=no-mark in-interface=\
VODAFONE_eth2 new-connection-mark=VODAFONE->RouterForestierului \
passthrough=yes
add action=mark-routing chain=output connection-mark=\
TELEKOM->RouterForestierului new-routing-mark=TELEKOM_Route passthrough=\
yes
add action=mark-routing chain=output connection-mark=\
VODAFONE->RouterForestierului new-routing-mark=VODAFONE_Route \
passthrough=yes
add action=mark-connection chain=forward connection-mark=no-mark \
in-interface=TELEKOM_eth1 new-connection-mark=TELEKOM->LANs passthrough=\
yes
add action=mark-connection chain=forward connection-mark=no-mark \
in-interface=VODAFONE_eth2 new-connection-mark=VODAFONE->LANs \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=TELEKOM->LANs \
new-routing-mark=TELEKOM_Route passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=VODAFONE->LANs \
new-routing-mark=VODAFONE_Route passthrough=yes src-address-list=LAN
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-list=!Connected dst-address-type=!local new-connection-mark=\
LAN->WAN passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting comment="Load-Balancing here" \
connection-mark=LAN->WAN new-routing-mark=TELEKOM_Route passthrough=yes \
src-address-list=LAN
add action=mark-connection chain=prerouting comment=STICKY connection-mark=\
LAN->WAN new-connection-mark=Sticky_TELEKOM passthrough=yes routing-mark=\
TELEKOM_Route
add action=mark-connection chain=prerouting connection-mark=LAN->WAN \
new-connection-mark=Sticky_VODAFONE passthrough=yes routing-mark=\
VODAFONE_Route
add action=mark-routing chain=prerouting connection-mark=Sticky_TELEKOM \
new-routing-mark=TELEKOM_Route passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=Sticky_VODAFONE \
new-routing-mark=VODAFONE_Route passthrough=yes src-address-list=LAN
/ip firewall nat
/ip firewall service-port
set ftp disabled=yes
set sip disabled=yes
/ip ipsec identity
add peer=Azure
add disabled=yes peer=RouterTEST
/ip route
add comment="Routing mark TELEKOM_Route" distance=1 gateway=TELEKOM_eth1 \
routing-mark=TELEKOM_Route
add comment="Routing mark VODAFONE_Route" distance=2 gateway=Public_gateway \
routing-mark=VODAFONE_Route
add check-gateway=ping comment=TELEKOM distance=1 gateway=Public_gateway
add check-gateway=ping comment=TELEKOM distance=1 gateway=Public_gateway
add check-gateway=ping comment=VODAFONE distance=2 gateway=Public_gateway
add distance=1 dst-address=10.0.0.0/23 gateway="LAN 1"
add distance=1 dst-address=10.11.0.0/24 gateway="LAN 1"
add disabled=yes distance=1 dst-address=192.168.0.0/16 gateway=192.168.3.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2200
set api disabled=yes
set winbox port=2891
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Bucharest
/system identity
set name=RouterForestierului
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool netwatch
add comment=TELEKOM down-script="/ip route disable [find comment=TELEKOM]" \
host=8.8.8.8 interval=10s up-script=\
"/ip route enable [find comment=TELEKOM]"
add comment=VODAFONE down-script="/ip route disable [find comment=VODAFONE]" \
host=8.8.4.4 interval=10s up-script=\
"/ip route enable [find comment=VODAFONE]"
/tool traffic-monitor
add interface=TELEKOM_eth1 name=LoadBalancingVODAFONE on-event="/ip firewall m\
agle set [find comment=\"Load-Balancing here\"] new-routing-mark=VODAFONE_\
Route" threshold=5242880 traffic=received
add interface=TELEKOM_eth1 name=LoadBalancingTELEKOM on-event="/ip firewall ma\
gle set [find comment=\"Load-Balancing here\"] new-routing-mark=TELEKOM_Ro\
ute" threshold=5242880 traffic=received trigger=below
CZFan
September 7, 2020, 9:17pm
4
Not even going to waste my time by looking at your configs.
Place config between code brackets, it is in the menu items
Hello,
Sorry, i edited it and put it on code brackets.