VPN Issues with Autofailover

Hey Guys,
I've been beating myself up over why I can't get my VPN to work correctly after I set up a three-WAN auto-failover.
I can open a VPN connection to the router with no problem. When I run a "what's my IP" check on the PC connected to the router via VPN, it reports the router's correct IP. I can also browse the internet just fine.
What I can't do is make any local connections on the router's side, and I am also unable to connect to the router itself using its local address.
I really am not sure which way to go with this.

I have added my setup below so you guys can take a look and help me get this working.
Thanks in advance.

\

nov/06/2018 14:53:59 by RouterOS 6.43.4

software id = 02I2-SBD9

model = RB1100x4

serial number = 91D80979CDFD

# Name each physical port after its role and set speed=100Mbps on every port.
# ether1-3 are the LAN segments (each gets a DHCP server further down);
# ether11-13 are the three WAN uplinks later placed in the "wan" interface list.
# NOTE(review): the export's trailing line-continuation backslashes were lost
# in this paste, so a wrapped line such as the bare "speed=100Mbps" below
# belongs to the command on the line before it.
/interface ethernet
set [ find default-name=ether1 ] name=1-House speed=100Mbps
set [ find default-name=ether2 ] name=2-CODECS speed=100Mbps
set [ find default-name=ether3 ] name=3-Access-Points speed=100Mbps
# Auto-negotiation is switched off on this uplink only.
set [ find default-name=ether11 ] auto-negotiation=no name=11-ATT-PRI-2nd
speed=100Mbps
set [ find default-name=ether12 ] name=12-Broadwave-Main speed=100Mbps
set [ find default-name=ether13 ] name=13-ATT-FIBER-3rd speed=100Mbps
# Unused ports ether4-ether10 are administratively disabled.
set [ find default-name=ether4 ] disabled=yes speed=100Mbps
set [ find default-name=ether5 ] disabled=yes speed=100Mbps
set [ find default-name=ether6 ] disabled=yes speed=100Mbps
set [ find default-name=ether7 ] disabled=yes speed=100Mbps
set [ find default-name=ether8 ] disabled=yes speed=100Mbps
set [ find default-name=ether9 ] disabled=yes speed=100Mbps
set [ find default-name=ether10 ] disabled=yes speed=100Mbps
# Interface list "wan"; the three uplinks are added to it under
# /interface list member and it is matched by in-interface-list=wan in the
# firewall filter.
/interface list
add name=wan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# IPsec proposal offering AES-256-CBC and 3DES, 8h lifetime, PFS disabled.
# NOTE(review): 3DES is a legacy cipher and pfs-group=none means a compromise
# of the phase-1 key material also exposes the traffic keys; if proposal1 is
# actually referenced by a policy (none is visible in this export - confirm),
# drop 3des and enable a PFS group that the VPN clients support.
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,3des lifetime=8h name=proposal1 pfs-group=none
# Address pools, one per LAN segment.
# House-DHCP is also used as remote-address in the /ppp profile section, so
# VPN clients are handed addresses from inside the 172.16.0.0/23 house LAN.
/ip pool
add name=House-DHCP ranges=172.16.1.200-172.16.1.240
add name=Access-Point-DHCP ranges=192.168.10.100-192.168.10.250
add name=CODECS ranges=192.168.1.200-192.168.1.250
# One DHCP server per LAN interface, each bound to its own pool.
/ip dhcp-server
add address-pool=House-DHCP disabled=no interface=1-House name=House
add address-pool=Access-Point-DHCP disabled=no interface=3-Access-Points
name=Access-Point
add address-pool=CODECS disabled=no interface=2-CODECS name=CODECS
# PPP profile for VPN users: the router end of the tunnel is 172.16.0.1 and
# the client end comes from the House-DHCP pool, i.e. the same subnet as the
# hosts on 1-House.
# NOTE(review): with VPN clients numbered inside the LAN subnet, LAN hosts
# will ARP for them on 1-House; no arp=proxy-arp setting is visible on that
# port in /interface ethernet - confirm, or move VPN clients to their own
# subnet.
/ppp profile
add dns-server=172.16.0.1,8.8.8.8 local-address=172.16.0.1 name=L2TP-Profile
remote-address=House-DHCP
# Same settings applied to a built-in profile referenced by internal id
# (presumably default-encryption - verify on the router).
set *FFFFFFFE dns-server=172.16.0.1,8.8.8.8 local-address=172.16.0.1
remote-address=House-DHCP
# L2TP server enabled, accepting CHAP and MS-CHAPv2 logins.
# NOTE(review): the IPsec pre-shared key is posted here in clear text. Treat
# it as compromised and rotate it, and redact secrets before sharing an
# export (the PPP user/password further down was redacted, this was not).
# use-ipsec does not appear in this export, so confirm whether the server
# also accepts L2TP sessions without IPsec.
/interface l2tp-server server
set authentication=chap,mschap2 enabled=yes ipsec-secret=Engineering777XDX
# All three uplinks belong to the "wan" list.
/interface list member
add interface=11-ATT-PRI-2nd list=wan
add interface=12-Broadwave-Main list=wan
add interface=13-ATT-FIBER-3rd list=wan
# PPTP server enabled, handing out the same profile as L2TP.
# NOTE(review): the only PPP secret in this export is limited to
# service=pptp, so the VPN actually in use is PPTP, not L2TP/IPsec. PPTP's
# MS-CHAPv2/MPPE protection is widely regarded as broken; consider moving the
# account to L2TP/IPsec (or another current VPN type) and disabling this
# server.
/interface pptp-server server
set default-profile=L2TP-Profile enabled=yes
# Router addresses: three private LAN gateways and two static public /29
# addresses on the Broadwave and ATT-PRI uplinks.
/ip address
add address=172.16.0.1/23 interface=1-House network=172.16.0.0
add address=192.168.10.1/24 interface=3-Access-Points network=192.168.10.0
add address=162.251.176.148/29 interface=12-Broadwave-Main network=
162.251.176.144
add address=192.168.1.1/24 interface=2-CODECS network=192.168.1.0
add address=12.186.95.210/29 interface=11-ATT-PRI-2nd network=12.186.95.208
# MikroTik cloud dynamic DNS is enabled.
/ip cloud
set ddns-enabled=yes
# The third uplink gets its address by DHCP; add-default-route=no because
# the default routes are defined statically under /ip route.
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no
interface=13-ATT-FIBER-3rd
# DHCP clients on every LAN are given public resolvers directly, while the
# PPP profile points VPN clients at 172.16.0.1 first.
# NOTE(review): allow-remote-requests is not shown under /ip dns, so the
# router may not answer DNS on 172.16.0.1 at all - confirm.
/ip dhcp-server network
add address=172.16.0.0/23 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.0.1
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
/ip dns
set servers=8.8.8.8,8.8.4.4

# Input and forward filter rules, evaluated top to bottom.
# NOTE(review): neither chain ends with a catch-all drop, and RouterOS
# accepts a packet that matches no rule. Apart from blacklisted sources,
# invalid forwards and UDP/53 on the WANs, everything is therefore accepted,
# including new connections from the Internet to any router service that is
# still enabled (winbox is not among the services disabled under /ip service).
# Consider explicit accepts for the VPN protocols and management from trusted
# sources, followed by a final drop for in-interface-list=wan on input and a
# matching default drop for unsolicited WAN traffic on forward.
/ip firewall filter
# Drop and log TCP/3389 aimed at the router itself from blacklisted sources.
# The next rule already drops all input from the same list; this one only
# adds logging for the RDP port.
add action=drop chain=input comment=“RDC 3389 DROP” dst-port=3389 log=yes
log-prefix=“RDC 3389 DROP” protocol=tcp src-address-list=blacklist
# Drop everything from blacklisted sources, to the router and through it.
# log-prefix is set but log=yes is not, so these two rules do not log.
add action=drop chain=input comment=“Blacklist Drop Input” log-prefix=
“Blacklist Drop Input” src-address-list=blacklist
add action=drop chain=forward comment=“Blacklist Drop Forward” log-prefix=
“Blacklist Drop Forward” src-address-list=blacklist
add action=drop chain=forward comment=
“Drop invalid connections through router” connection-state=invalid
# Block UDP DNS queries arriving on each WAN uplink. TCP/53 is not covered.
add action=drop chain=input dst-port=53 in-interface=11-ATT-PRI-2nd protocol=
udp
add action=drop chain=input dst-port=53 in-interface=13-ATT-FIBER-3rd
protocol=udp
add action=drop chain=input dst-port=53 in-interface=12-Broadwave-Main
protocol=udp
# Allow return traffic and ICMP.
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input protocol=icmp
add action=accept chain=forward protocol=icmp
# Accept UDP DNS on "any interface except WAN x". Each negated match also
# matches the other two WANs; WAN DNS stays blocked only because the three
# drop rules above are evaluated first.
add action=accept chain=input dst-port=53 in-interface=!11-ATT-PRI-2nd
protocol=udp
add action=accept chain=input dst-port=53 in-interface=!12-Broadwave-Main
protocol=udp
add action=accept chain=input dst-port=53 in-interface=!13-ATT-FIBER-3rd
protocol=udp
# Two-stage trap for TCP 22-23 from the WAN side: the second rule puts the
# source of a new connection into list "ssh" for 10 minutes; a further new
# connection while listed is moved to "blacklist" for 4w2d by the first rule.
# These rules only maintain the lists; dropping is done by the blacklist
# rules at the top.
add action=add-src-to-address-list address-list=blacklist
address-list-timeout=4w2d chain=input connection-state=new dst-port=22-23
in-interface-list=wan protocol=tcp src-address-list=ssh
add action=add-src-to-address-list address-list=ssh address-list-timeout=10m
chain=input connection-state=new dst-port=22-23 in-interface-list=wan
protocol=tcp
/ip firewall nat
# Source-NAT for traffic going to the house LAN subnet and to the router's
# own addresses on the other two LANs: such traffic leaves with the router's
# address as source, so the destination host never sees the real sender.
add action=masquerade chain=srcnat dst-address=172.16.0.0/23
add action=masquerade chain=srcnat dst-address=192.168.10.1
add action=masquerade chain=srcnat dst-address=192.168.1.1
# Outbound masquerade, one rule per WAN uplink. The third rule additionally
# carries out-interface-list=all.
add action=masquerade chain=srcnat out-interface=11-ATT-PRI-2nd
add action=masquerade chain=srcnat out-interface=12-Broadwave-Main
add action=masquerade chain=srcnat out-interface=13-ATT-FIBER-3rd
out-interface-list=all
# Port forwards to devices on the CODECS and house LANs.
# NOTE(review): none of the rules below sets in-interface(-list),
# dst-address or src-address, so each matches its port on traffic from any
# interface and any source. Together with the filter table having no default
# forward drop, this publishes device web interfaces (port 80), VNC (5900)
# and RDP (3389) to the whole Internet on lightly obscured ports. Consider
# restricting each rule to in-interface-list=wan plus a src-address-list of
# known peers, or reaching these hosts through the VPN instead.
add action=dst-nat chain=dstnat comment=“WKWF Tieline 8040” dst-port=8040
log=yes log-prefix=“wkwf tieline” protocol=tcp to-addresses=192.168.1.40
to-ports=80
add action=dst-nat chain=dstnat comment=“Sugarlaoaf PIRA 8107” dst-port=8107
log=yes log-prefix=“Sugarloaf PIRA” protocol=tcp to-addresses=
172.16.0.107 to-ports=8107
# VNC on 172.16.0.107 is forwarded twice (external 9898 here, 6107 at the end).
add action=dst-nat chain=dstnat comment=“MODEM PC 9898” dst-port=9898 log=yes
log-prefix=“MODEM PC VNC” protocol=tcp to-addresses=172.16.0.107
to-ports=5900
# RDP to a workstation, reachable from any source address.
add action=dst-nat chain=dstnat comment=“Tanyas PC RDC 9939” dst-port=9939
log=yes log-prefix=“Tanya’s PC” protocol=tcp to-addresses=172.16.0.121
to-ports=3389
add action=dst-nat chain=dstnat comment=“WWUS Comrex 8041” dst-port=8041 log=
yes log-prefix=“WWUS COMREX” protocol=tcp to-addresses=192.168.1.41
to-ports=80
add action=dst-nat chain=dstnat comment=“WAVK Barix 8042” dst-port=8042 log=
yes log-prefix=“WAVK Barix” protocol=tcp to-addresses=192.168.1.42
to-ports=80
# The next three forwards have no log=yes, unlike the rest (two of them still
# carry a log-prefix that has no effect without it).
add action=dst-nat chain=dstnat comment=“WCNK Barix 8043” dst-port=8043
protocol=tcp to-addresses=192.168.1.43 to-ports=80
add action=dst-nat chain=dstnat comment=“TAV WCTH Barix 8044” dst-port=8044
log-prefix=“WCTH Barix” protocol=tcp to-addresses=192.168.1.44 to-ports=
80
add action=dst-nat chain=dstnat comment=“TAV WFKZ Barix 8045” dst-port=8045
log-prefix=“WFKZ Barix” protocol=tcp to-addresses=192.168.1.45 to-ports=
80
add action=dst-nat chain=dstnat comment=“TAV Air Mon TCP 8046” dst-port=8046
log=yes log-prefix=“TAV AIR MON Barix” protocol=tcp to-addresses=
192.168.1.46 to-ports=80
add action=dst-nat chain=dstnat comment=“WFKZ Remote VNC 6184” dst-port=6184
log=yes log-prefix=“WFKZ VNC " protocol=tcp to-addresses=172.16.0.184
to-ports=5900
add action=dst-nat chain=dstnat comment=“MODEM PC VNC 6107” dst-port=6107
log=yes log-prefix=“MODEM PC VNC " protocol=tcp to-addresses=172.16.0.107
to-ports=5900
# A raw prerouting drop for blacklisted sources exists but is disabled, so
# blacklist enforcement relies on the filter rules only.
/ip firewall raw
add action=drop chain=prerouting disabled=yes log=yes log-prefix=
“Preroute Blacklist” src-address-list=blacklist
# Responder-only IPsec peer for L2TP clients, accepting any source address
# and generating policies on the fly.
# NOTE(review): the pre-shared key is published in clear text here as well
# (same value as the L2TP ipsec-secret). Because the peer accepts 0.0.0.0/0,
# the key is the only thing gating phase 1; rotate it and keep it out of
# shared exports.
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-override
passive=yes secret=Engineering777XDX
/ip route
# Failover defaults in routing table "wan1": three default routes whose
# gateways are public hosts (1.1.1.1, 1.0.0.1, 4.2.2.4) checked by ping, in
# distance order 1-3. The /32 host routes at the end of this section pin each
# of those hosts to one ISP gateway, so a failed ping marks that ISP path as
# down.
add check-gateway=ping distance=1 gateway=1.1.1.1 routing-mark=wan1
add check-gateway=ping distance=2 gateway=1.0.0.1 routing-mark=wan1
add check-gateway=ping distance=3 gateway=4.2.2.4 routing-mark=wan1
# Copies of the three connected LAN routes inside table wan1, so traffic that
# is looked up in wan1 can still reach the local subnets.
add distance=1 dst-address=172.16.0.0/23 gateway=1-House pref-src=172.16.0.1
routing-mark=wan1 scope=10
add distance=1 dst-address=192.168.1.0/24 gateway=2-CODECS pref-src=
192.168.1.1 routing-mark=wan1 scope=10
add distance=1 dst-address=192.168.10.0/24 gateway=3-Access-Points pref-src=
192.168.10.1 routing-mark=wan1 scope=10
# Main-table defaults straight to each ISP gateway (used by traffic that the
# route rules below do not send to wan1).
add check-gateway=ping distance=1 gateway=162.251.176.145
add check-gateway=ping distance=2 gateway=12.186.95.209
add check-gateway=ping distance=3 gateway=108.90.36.1
# Host routes tying each probe address to one uplink.
add distance=1 dst-address=1.0.0.1/32 gateway=12.186.95.209 scope=10
add distance=1 dst-address=1.1.1.1/32 gateway=162.251.176.145 scope=10
add distance=1 dst-address=4.2.2.4/32 gateway=108.90.36.1 scope=10
# Policy routing: anything sourced from the LAN ranges is looked up in wan1.
# NOTE(review): this also catches replies from LAN hosts and from the
# router's own 172.16.0.1 that are addressed to VPN clients (which sit in
# 172.16.1.200-240). Table wan1 only has 172.16.0.0/23 via 1-House; the
# per-client PPP routes are presumably created in the main table only (TODO
# confirm), so those replies would be sent out the LAN port instead of the
# tunnel. That matches the symptom described in the post. A rule placed
# before these two that sends local destinations to table main is worth
# testing.
/ip route rule
add dst-address=0.0.0.0/0 src-address=172.16.0.0/23 table=wan1
add dst-address=0.0.0.0/0 src-address=192.168.0.0/16 table=wan1
# Management services switched off: telnet, ftp, www, ssh, api, api-ssl.
# NOTE(review): winbox is not listed, so it presumably remains enabled with
# no address restriction; with no final drop on the input chain it would be
# reachable from every WAN. Restrict it with an allowed address range or a
# firewall rule - confirm the current state on the router.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# Single VPN account, name and password redacted by the poster (the space
# before profile= appears to have been lost in the redaction). The account is
# limited to service=pptp, so it cannot log in over L2TP.
/ppp secret
add name=XXXXXXXXX password=XXXXXXXXXprofile=L2TP-Profile service=pptp
# Basic system settings: time zone, router name, boot beep behaviour.
/system clock
set time-zone-name=America/New_York
/system identity
set name=KW-Sugarloaf-Router
/system routerboard settings
set silent-boot=no
# Scheduled jobs for three third-party blocklists (Spamhaus, DShield,
# malc0de). Every 3 days each list is downloaded by one job and applied by a
# second job scheduled five minutes later; the DShield and malc0de pairs
# share the same start times.
# NOTE(review): every job runs with the full policy set (reboot, password,
# sniff, sensitive, romon, ...). The scripts only fetch a file, edit
# address-list entries and write a log line, so the policy could be trimmed
# to what those actions need, which limits the damage if a downloaded file
# is ever malicious.
/system scheduler
add comment=“Download spamnaus list” interval=3d name=DownloadSpamhausList
on-event=DownloadSpamhaus policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=jan/01/1970 start-time=18:59:43
add comment=“Apply spamnaus List” interval=3d name=InstallSpamhausList
on-event=ReplaceSpamhaus policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=jan/01/1970 start-time=19:04:43
add comment=“Download dshield list” interval=3d name=DownloadDShieldList
on-event=Download_dshield policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=jan/01/1970 start-time=19:09:43
add comment=“Apply dshield List” interval=3d name=InstallDShieldList
on-event=Replace_dshield policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=jan/01/1970 start-time=19:14:43
add comment=“Download malc0de list” interval=3d name=Downloadmalc0deList
on-event=Download_malc0de policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=jan/01/1970 start-time=19:09:43
add comment=“Apply malc0de List” interval=3d name=Installmalc0deList
on-event=Replace_malc0de policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
start-date=jan/01/1970 start-time=19:14:43
# Blocklist scripts, in download/replace pairs.
# NOTE(review): each download script fetches a .rsc file over plain HTTP
# from a third-party host, and the matching replace script executes that
# file with /import under a policy set that includes write, policy, password
# and sensitive. A .rsc file is a RouterOS script, so whoever controls that
# host or any network path to it can run arbitrary commands on this router.
# Safer options: fetch over HTTPS with check-certificate=yes, take the list
# from a source you control, and load entries into the address list from a
# plain data file instead of importing a script.
# NOTE(review): each replace script removes the old entries before importing,
# so a missing or broken download leaves that blocklist empty until the next
# successful run.
/system script
add dont-require-permissions=no name=DownloadSpamhaus owner=Engineer policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=”
\n/tool fetch url="http://joshaven.com/spamhaus.rsc\” mode=http;
\n:log info "Downloaded spamhaus.rsc from Joshaven.com";
\n"
add dont-require-permissions=no name=ReplaceSpamhaus owner=Engineer policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="
\n/ip firewall address-list remove [find where comment="SpamHaus"]
\n/import file-name=spamhaus.rsc;
\n:log info "Removed old Spamhaus records and imported new list";
\n"
add dont-require-permissions=no name=Download_dshield owner=Engineer policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="
\n/tool fetch url="http://joshaven.com/dshield.rsc\" mode=http;
\n:log info "Downloaded dshield.rsc from Joshaven.com";
\n"
add dont-require-permissions=no name=Replace_dshield owner=Engineer policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="
\n/ip firewall address-list remove [find where comment="DShield"]
\n/import file-name=dshield.rsc;
\n:log info "Removed old dshield records and imported new list";
\n"
add dont-require-permissions=no name=Download_malc0de owner=Engineer policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="
\n/tool fetch url="http://joshaven.com/malc0de.rsc\" mode=http;
\n:log info "Downloaded malc0de.rsc from Joshaven.com";
\n"
add dont-require-permissions=no name=Replace_malc0de owner=Engineer policy=
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="
\n/ip firewall address-list remove [find where comment="malc0de"]
\n/import file-name=malc0de.rsc;
\n:log info "Removed old malc0de records and imported new list";
\n"
# Outgoing mail settings used by the netwatch scripts below: SMTP server
# given by IP address, with no user, password or TLS option visible in this
# export.
/tool e-mail
set address=209.209.217.166 from=KWROUTER@rpengmnro.com
# Netwatch probes the three ISP gateways and sends an e-mail plus a log line
# whenever one changes state.
/tool netwatch
# ATT fiber gateway. NOTE(review): the up-script reports "Main Link UP"
# while the down-script reports "ATT FIBER LINK DOWN"; the up message looks
# like a leftover from another entry.
add down-script=“/tool e-mail send to="engineer@rpengmnro.com" subject="KW
Router Status Change" body="ATT FIBER LINK DOWN"\r
\n:log info "ATT FIBER LINK Email Notification"” host=108.90.36.1
up-script=“/tool e-mail send to="engineer@rpengmnro.com" subject="KW Ro
uter Status Change" body="Main Link UP"\r
\n:log info "Main Link UP Email notification"”
# Broadwave gateway.
add down-script=“/tool e-mail send to="engineer@rpengmnro.com" subject="KW
Router Status Change" body="BROADWAVE LINK DOWN"\r
\n:log info "BROADWAVE LINK DOWN Email notification"” host=
162.251.176.145 up-script=“/tool e-mail send to="engineer@rpengmnro.com"
_subject="KW Router Status Change" body="BROADWAVE LINK UP"\r
\n:log info "BROADWAVE LINK UP Email notification"”
# ATT PRI gateway.
add down-script=“/tool e-mail send to="engineer@rpengmnro.com" subject="KW
Router Status Change" body="ATT PRI LINK DOWN"\r
\n:log info "ATT PRI LINK DOWN Email notification"” host=12.186.95.209
up-script=“/tool e-mail send to="engineer@rpengmnro.com" subject="KW Ro
uter Status Change" body="ATT PRI LINK UP"\r
\n:log info "ATT PRI LINK UP Email notification"”