Hi all,
I’m trying to setup Pure VPN as described in the directions in the link provided https://support.purevpn.com/mikrotik-sstp
I have a mangle rule for 192.168.2.81 that is suppose to send that client to the Pure VPN service, however that client is not able to get internet connectivity.
I am also unable to access this client from my remote access VPN unless I turn the mangle rule off.
Hoping some experts may have a suggestion.
# oct/05/2018 09:15:28 by RouterOS 6.43
# software id =
#
#
#
/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2412 name=2.4
add band=5ghz-onlyac control-channel-width=20mhz extension-channel=eCee name=\
5
/interface bridge
add fast-forward=no name=HomeNet
/interface ethernet
set [ find default-name=ether1 ] comment=Wan disable-running-check=no
set [ find default-name=ether2 ] comment="Lan #1" disable-running-check=no
/interface vlan
add interface=ether2 name=Clients vlan-id=30
add interface=ether2 name=IOT vlan-id=10
add interface=ether2 name=Servers vlan-id=20
/caps-man datapath
add bridge=HomeNet client-to-client-forwarding=yes name=datapath1
/caps-man security
add authentication-types=wpa-psk,wpa2-psk comment="" encryption=\
aes-ccm,tkip name=security1 passphrase=
/caps-man configuration
add channel=2.4 country="united states3" datapath=datapath1 \
datapath.client-to-client-forwarding=yes mode=ap name=homenet security=\
security1 ssid=myster24
add channel=5 country="united states3" datapath=datapath1 \
datapath.client-to-client-forwarding=yes mode=ap name=homenet2 rx-chains=\
0,1,2 security=security1 ssid=mystery5 tx-chains=0,1,2
/caps-man interface
add configuration=homenet disabled=no l2mtu=1600 mac-address=\
CC:2D:E0:1D:6A:BB master-interface=none name=cap12 radio-mac=\
CC:2D:E0:1D:6A:BB
add configuration=homenet2 disabled=no l2mtu=1600 mac-address=\
CC:2D:E0:1D:6A:BA master-interface=none name=cap13 radio-mac=\
CC:2D:E0:1D:6A:BA
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=3des name=proposal1
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255
add name=dhcp ranges=192.168.2.65-192.168.2.95
add name=IOT ranges=192.168.10.20-192.168.10.30
/ip dhcp-server
add address-pool=dhcp disabled=no interface=HomeNet name=dhcp1
add address-pool=IOT disabled=no interface=IOT name=IOT
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/interface sstp-client
add add-default-route=yes connect-to=usil1.pointtoserver.com dial-on-demand=\
yes disabled=no name=PureVPN password= profile=\
default-encryption user=purevpn0s7110146
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=gn master-configuration=\
homenet
add action=create-dynamic-enabled hw-supported-modes=ac master-configuration=\
homenet2
/interface bridge port
add bridge=HomeNet interface=ether2 trusted=yes
/interface l2tp-server server
set enabled=yes ipsec-secret= use-ipsec=yes
/interface list member
add interface=ether1 list=WAN
add interface=HomeNet list=LAN
/interface pptp-server server
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.2.1/24 interface=ether2 network=192.168.2.0
add address=192.168.10.1/24 interface=IOT network=192.168.10.0
add address=192.168.30.1/24 interface=Clients network=192.168.30.0
add address=192.168.20.1/24 interface=Servers network=192.168.20.0
/ip dhcp-client
add disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.1 netmask=24
add address=192.168.2.1/32 dns-server=192.168.2.1 gateway=192.168.2.1 \
netmask=24
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 \
netmask=24
/ip dns
set allow-remote-requests=yes servers=192.168.2.1,192.168.10.1
/ip dns static
add address=192.168.2.12 name=
add address=192.168.2.12 name=
add address=192.168.2.12 name=
add address=192.168.2.12 name=
/ip firewall filter
add action=drop chain=forward comment=\
"Block IOT Devices and IOT Network from communicating with LAN" \
in-interface=IOT out-interface=HomeNet
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="VPN MGMT" in-interface=ether1 \
ipsec-policy=in,ipsec
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add chain=input comment="Accept established and related packets" \
connection-state=established,related
add action=accept chain=input comment=\
"Accept all connections from local network" in-interface=HomeNet
add action=accept chain=input dst-port=81 in-interface=ether1 protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=drop chain=input comment="Drop invalid packets" connection-state=\
invalid
add action=drop chain=input comment=\
"Drop all packets which are not destined to routes IP address" \
dst-address-type=!local
add action=drop chain=input comment=\
"Drop all packets which does not have unicast source IP address" \
src-address-type=!unicast
add action=drop chain=forward comment="Drop invalid packets" \
connection-state=invalid
add action=drop chain=forward comment=\
"Drop new connections from internet which are not dst-natted" \
connection-nat-state=!dstnat connection-state=new in-interface=ether1
add action=drop chain=forward comment="Drop all packets in local network which\
\_does not have local network address" in-interface=HomeNet src-address=\
!192.168.2.0/24
add action=drop chain=input comment="Drop Everything Else" connection-state=\
"" in-interface=ether1 log=yes
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes new-routing-mark=\
PureVPN passthrough=yes src-address=192.168.2.81
/ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=\
WAN
add action=dst-nat chain=dstnat comment="Open Vpn" dst-port=20500 \
in-interface=ether1 protocol=tcp to-addresses=192.168.2.2 to-ports=20500
add action=masquerade chain=srcnat comment="Pure VPN MASQ NAT RULE" \
out-interface=PureVPN
add action=dst-nat chain=dstnat comment="Open Vpn" dst-port=20500 \
in-interface=ether1 protocol=tcp to-addresses=192.168.2.2 to-ports=20500
add action=dst-nat chain=dstnat comment=Next-cloud-https dst-port=443 \
in-interface=ether1 protocol=tcp to-addresses=192.168.2.12 to-ports=443
add action=dst-nat chain=dstnat comment="Collabra office " dst-port=9980 \
in-interface=ether1 protocol=tcp to-addresses=192.168.2.12 to-ports=9980
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 in-interface=\
ether1 protocol=tcp to-addresses=192.168.2.4 to-ports=32400
add action=dst-nat chain=dstnat comment=Subsonic dst-port=4040 in-interface=\
ether1 protocol=tcp to-addresses=192.168.2.13
add action=dst-nat chain=dstnat comment=HA dst-port=8124 in-interface=ether1 \
protocol=tcp to-addresses=192.168.2.8
add action=dst-nat chain=dstnat comment=HA dst-port=8124 in-interface=ether1 \
protocol=udp to-addresses=192.168.2.8
add action=masquerade chain=srcnat comment="masq. vpn traffic" \
out-interface-list=LAN src-address=192.168.89.0/24
add action=dst-nat chain=dstnat comment="Cloud Server" dst-port=80 \
in-interface=ether1 protocol=tcp to-addresses=192.168.2.12
/ip firewall service-port
set ftp disabled=yes
/ip route
add distance=1 gateway=PureVPN routing-mark=PureVPN
/ip service
set www port=81
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
/ppp secret
add name=vpn password=
/system clock
set time-zone-name=America/Toronto
/system script
add dont-require-permissions=no name="restore firewall rules" owner=admin \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="/ip firewall nat\
\nadd action=dst-nat chain=dstnat comment=\"Open Vpn\" dst-port=20500 \\\
\n in-interface=ether1 protocol=tcp to-addresses=192.168.2.2 to-ports=2\
0500\
\nadd action=dst-nat chain=dstnat comment=Next-cloud-https dst-port=443 \\\
\n in-interface=ether1 protocol=tcp to-addresses=192.168.2.12 to-ports=\
443\
\nadd action=dst-nat chain=dstnat comment=\"Collabra office \" dst-port=99\
80 \\\
\n in-interface=ether1 protocol=tcp to-addresses=192.168.2.12 to-ports=\
9980\
\nadd action=dst-nat chain=dstnat comment=Plex dst-port=32400 in-interface\
=\\\
\n ether1 protocol=tcp to-addresses=192.168.2.4 to-ports=32400\
\nadd action=dst-nat chain=dstnat comment=Subsonic dst-port=4040 in-interf\
ace=\\\
\n ether1 protocol=tcp to-addresses=192.168.2.13\
\nadd action=dst-nat chain=dstnat comment=HA dst-port=8124 in-interface=et\
her1 \\\
\n protocol=tcp to-addresses=192.168.2.8\
\nadd action=dst-nat chain=dstnat comment=HA dst-port=8124 in-interface=et\
her1 \\\
\n protocol=udp to-addresses=192.168.2.8\
\nadd action=dst-nat chain=dstnat comment=HA2 disabled=yes dst-port=8124 \
\\\
\n in-interface=ether1 protocol=tcp to-addresses=192.168.2.8 to-ports=8\
124\
\nadd action=dst-nat chain=dstnat disabled=yes dst-port=8124 in-interface=\
\\\
\n ether1 protocol=udp to-addresses=192.168.2.8 to-ports=8124\
\nadd action=masquerade chain=srcnat comment=\"masq. vpn traffic\" src-add\
ress=\\\
\n 192.168.89.0/24\
\nadd action=dst-nat chain=dstnat comment=\"Cloud Server\" dst-port=80 \\\
\n in-interface=ether1 protocol=tcp to-addresses=192.168.2.12\
\nadd action=dst-nat chain=dstnat disabled=yes dst-port=500 in-interface=e\
ther1 \\\
\n protocol=udp to-addresses=192.168.2.81\
\nadd action=dst-nat chain=dstnat disabled=yes dst-port=4500 in-interface=\
\\\
\n ether1 protocol=udp to-addresses=192.168.2.81\
\nadd action=dst-nat chain=dstnat disabled=yes dst-port=5555 in-interface=\
\\\
\n ether1 protocol=tcp to-addresses=192.168.2.81\
\n"