Neski
just joined
Topic Author
Posts: 19
Joined: Mon Aug 14, 2017 8:43 am
Location: Poland

Allow connect user to only one internal ip but allow internet connection

Wed Feb 07, 2018 2:17 pm

Hi, I have a problem.
I have a VPN on L2TP with IPsec and it is working. I need to limit the connection to one IP in the internal network without blocking access to the Internet. Any ideas? I know how to block all except one IP, but how do I allow internet?
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Allow connect user to only one internal ip but allow internet connection

Wed Feb 07, 2018 3:06 pm

/ip firewall filter
#only allow LAN access to a single address
add chain=forward action=drop src-address=<yourVPNrange> dst-address=!<the.allowed.ip.address> out-interface=<yourLANfacingInterface>

#probably another good idea to block router access for VPN clients
add chain=input action=accept src-address=<yourVPNrange> protocol=udp dst-port=53 #in case your router is DNS server for VPN clients
add chain=input action=drop src-address=<yourVPNrange> protocol=!icmp

/ip firewall nat
#allow internet access for your VPN guests
add chain=srcnat action=src-nat src-address=<yourVPNrange> dst-address=0.0.0.0/0 to-address=<yourWAN-IP> out-interface=<yourWANinterface>
-Chris
 
Neski
just joined
Topic Author
Posts: 19
Joined: Mon Aug 14, 2017 8:43 am
Location: Poland

Re: Allow connect user to only one internal ip but allow internet connection

Wed Feb 07, 2018 3:10 pm

Thanks for the fast answer. I will test it asap and give an answer.

> /ip firewall filter
> #only allow LAN access to a single address
> add chain=forward action=drop src-address=<yourVPNrange> dst-address=!<the.allowed.ip.address> out-interface=<yourLANfacingInterface>
>
> #probably another good idea to block router access for VPN clients
> add chain=input action=accept src-address=<yourVPNrange> protocol=udp dst-port=53 #in case your router is DNS server for VPN clients
> add chain=input action=drop src-address=<yourVPNrange> protocol=!icmp
>
> /ip firewall nat
> #allow internet access for your VPN guests
> add chain=srcnat action=src-nat src-address=<yourVPNrange> dst-address=0.0.0.0/0 to-address=<yourWAN-IP> out-interface=<yourWANinterface>
> -Chris
 
Neski
just joined
Topic Author
Posts: 19
Joined: Mon Aug 14, 2017 8:43 am
Location: Poland

Re: Allow connect user to only one internal ip but allow internet connection

Wed Feb 07, 2018 3:52 pm

> /ip firewall nat
> #allow internet access for your VPN guests
> add chain=srcnat action=src-nat src-address=<yourVPNrange> dst-address=0.0.0.0/0 to-address=<yourWAN-IP> out-interface=<yourWANinterface>
> -Chris

Internet access is not working :( but allowing connection to a single IP in the LAN is OK.
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Allow connect user to only one internal ip but allow internet connection

Wed Feb 07, 2018 3:58 pm

Well, at least we're getting there :-)

Do you give out DNS servers for your VPN clients in /ppp profile?
Ideally, you would post a compact export of your config; that would make it much easier to troubleshoot...

-Chris
 
Neski
just joined
Topic Author
Posts: 19
Joined: Mon Aug 14, 2017 8:43 am
Location: Poland

Re: Allow connect user to only one internal ip but allow internet connection

Thu Feb 08, 2018 8:50 am

> Well, at least we're getting there :-)
>
> Do you give out DNS servers for your VPN clients in /ppp profile?
> Ideally, you would post a compact export of your config; that would make it much easier to troubleshoot...
>
> -Chris

# feb/08/2018 07:42:43 by RouterOS 6.40.1
# software id = K08Q-QN1P
#
# model = CCR1036-8G-2S+
# serial number = 742906BB430A
/interface ethernet
set [ find default-name=ether1 ] name="1 RENE"
set [ find default-name=ether2 ] name="2 WMC"
set [ find default-name=ether3 ] arp=reply-only name=ether3-1
set [ find default-name=ether4 ] name=ether4-20
set [ find default-name=ether6 ] arp=proxy-arp
set [ find default-name=ether7 ] arp=reply-only
set [ find default-name=ether8 ] name=ether8-testowy
/interface l2tp-server
add name="L2TP Andrzej" user=Andrzej
add name="L2TP Simple" user=Simple
add name="L2TP Test123" user=Test123
add name="L2TP dla IT" user=It
/interface ovpn-server
add name=ovpn-dla-it user=""
/ip neighbor discovery
set "1 RENE" discover=no
set "2 WMC" discover=no
/interface vlan
add comment=Drukarki interface=ether7 name=Drukarki vlan-id=20
add comment=Kompy interface=ether7 name=Kompy vlan-id=10
add comment=Telefony interface=ether7 name=Telefony vlan-id=30
add comment=Xpertis interface=ether7 name=Xpertis vlan-id=29
/interface list
add name=WAN
add name=LAN
/ip firewall layer7-protocol
add name=Koparki regexp="^.+(coinhive.com).*\$"
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=0s \
    pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.20.230-192.168.20.250
add name=dhcp_pool1 ranges=192.168.1.21-192.168.1.60
add name=Telefony ranges=192.168.30.2-192.168.30.250
add name=L2TP ranges=10.20.20.20-10.20.20.254
/ip dhcp-server
add address-pool=dhcp_pool0 authoritative=after-2sec-delay disabled=no \
    interface=ether4-20 lease-time=12h name=DHCP20
add add-arp=yes address-pool=dhcp_pool1 authoritative=after-2sec-delay \
    disabled=no interface=ether3-1 lease-time=12h name=DHCP1
add address-pool=Telefony authoritative=after-2sec-delay disabled=no \
    interface=Telefony lease-time=4h name=Telefony
/ppp profile
add dns-server=192.168.10.1 local-address=10.20.20.1 name=L2TP \
    remote-address=L2TP use-encryption=required wins-server=192.168.10.1
/queue simple
add disabled=yes max-limit=10M/10M name=queue1 target=ovpn-dla-it
/system logging action
set 1 disk-file-count=30 disk-file-name=MT-log-1 disk-lines-per-file=500
set 3 bsd-syslog=yes remote=192.168.10.84
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap1,mschap2 default-profile=L2TP \
    enabled=yes
/interface list member
add interface="1 RENE" list=WAN
add interface="2 WMC" list=WAN
add interface=ether4-20 list=LAN
add interface=ether3-1 list=LAN
add interface=ether6 list=LAN
/interface ovpn-server server
set auth=sha1 certificate=SERVER cipher=aes256 default-profile=OVPN enabled=\
    yes require-client-certificate=yes
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=WAN1/22 comment=RENE interface="1 RENE" network=\
    WAN1
add address=192.168.20.1/24 comment="Net dla 20" interface=ether4-20 network=\
    192.168.20.0
add address=WAN2 comment=WMC interface="2 WMC" network=\
    WAN2
add address=192.168.1.1/24 disabled=yes interface=ether3-1 network=\
    192.168.1.0
add address=192.168.10.254/24 comment="10 dla Dell-R510" interface=ether6 \
    network=192.168.10.0
add address=192.168.30.1/24 comment="Net dla Telefony" interface=Telefony \
    network=192.168.30.0
add address=192.168.10.1/24 disabled=yes interface=ether3-1 network=\
    192.168.10.0
/ip dhcp-relay
add dhcp-server=192.168.10.1 disabled=no interface=ether6 name=DELL-R510
/ip dhcp-server lease
add address=192.168.20.2 comment=SLICAN mac-address=B0:B3:2B:00:7B:E5 server=\
    DHCP20
add address=192.168.20.21 comment="IBS A-1" mac-address=00:08:7B:0A:B0:3E \
    server=DHCP20
add address=192.168.20.22 comment="IBS A-2" mac-address=00:08:7B:0A:B0:41 \
    server=DHCP20
add address=192.168.20.23 comment="IBS A-3" mac-address=00:08:7B:0A:B0:44 \
    server=DHCP20
add address=192.168.20.24 comment="IBS A-4" mac-address=00:08:7B:0A:B0:3C \
    server=DHCP20
add address=192.168.20.25 comment="IBS A-5" mac-address=00:08:7B:0A:B0:3F \
    server=DHCP20
add address=192.168.20.26 comment="IBS A-6" mac-address=00:08:7B:0A:B0:40 \
    server=DHCP20
add address=192.168.20.27 comment="IBS B-1" mac-address=00:08:7B:0A:B0:45 \
    server=DHCP20
add address=192.168.20.28 comment="IBS B-2" mac-address=00:08:7B:0A:AF:B8 \
    server=DHCP20
add address=192.168.20.29 comment="IBS B-3" mac-address=00:08:7B:0A:AF:C7 \
    server=DHCP20
add address=192.168.20.30 comment="IBS B-4" mac-address=00:08:7B:0A:AF:B7 \
    server=DHCP20
add address=192.168.20.31 comment="IBS B-5" mac-address=00:08:7B:0A:AF:C5 \
    server=DHCP20
add address=192.168.20.32 comment="IBS - B6" mac-address=00:08:7B:0A:AF:C6 \
    server=DHCP20
add address=192.168.20.33 comment="IBS C-1" mac-address=00:08:7B:0A:AF:C8 \
    server=DHCP20
add address=192.168.20.34 comment="IBS C-2" mac-address=00:08:7B:0A:AF:BF \
    server=DHCP20
add address=192.168.20.35 comment="IBS C-3" mac-address=00:08:7B:0A:AF:C2 \
    server=DHCP20
add address=192.168.20.36 comment="IBS C-4" mac-address=00:08:7B:0A:AF:C1 \
    server=DHCP20
add address=192.168.20.37 comment="IBS CNC-1" mac-address=00:08:7B:0A:AF:C4 \
    server=DHCP20
add address=192.168.20.38 comment="IBS E-1" mac-address=00:08:7B:0F:B1:3C \
    server=DHCP20
add address=192.168.20.39 comment="IBS E-2" mac-address=00:08:7B:0F:B1:3F \
    server=DHCP20
add address=192.168.20.40 comment="IBS Y-1-FRONT" mac-address=\
    00:08:7B:10:BB:3C server=DHCP20
add address=192.168.20.41 comment="IBS Y-2-\8CRODEK" mac-address=\
    00:08:7B:10:BB:0F server=DHCP20
add address=192.168.20.42 comment="IBS Y-3-TY\A3" mac-address=\
    00:08:7B:10:BB:67 server=DHCP20
add address=192.168.1.201 comment="XPERTIS TEST" mac-address=\
    00:25:22:71:E6:F2 server=DHCP1
add address=192.168.1.2 mac-address=00:07:E9:30:F0:11 server=DHCP1
add address=192.168.1.3 mac-address=00:04:23:E0:5D:61 server=DHCP1
add address=192.168.1.6 always-broadcast=yes comment=DELL-R510 disabled=yes \
    mac-address=78:2B:CB:4B:A4:C6 server=DHCP1
add address=192.168.1.7 mac-address=00:10:74:61:22:7B server=DHCP1
add address=192.168.1.10 mac-address=60:67:20:6B:BF:24 server=DHCP1
add address=192.168.1.14 mac-address=A0:88:B4:16:E0:84 server=DHCP1
add address=192.168.1.20 mac-address=00:1D:AA:2F:C6:E0 server=DHCP1
add address=192.168.1.6 always-broadcast=yes comment=\
    "DELL-R510 karta zewn\EAtrzna" disabled=yes mac-address=00:24:32:16:49:CC \
    server=DHCP1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
/ip dns
set servers=8.8.8.8,208.67.222.222,213.192.65.1
/ip firewall address-list
add address=192.168.30.2-192.168.30.254 comment=\
    "Ip Telefon\F3w podsieci 30 przekierowane na Rene" list=Telefony_na_rene
add address=10.10.10.2-10.10.10.255 comment="L2TP VPN IP" list=\
    "L2TP VPN Lista"
add address=192.168.10.0/24 list=Podsieci
add address=192.168.20.0/24 list=Podsieci
add address=192.168.30.0/24 list=Podsieci
/ip firewall filter
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
# L2TP Test123 not ready
add action=drop chain=forward comment=\
    "#only allow LAN access to a single address" dst-address=!192.168.10.10 \
    in-interface="L2TP Test123" out-interface=ether6
add action=accept chain=input dst-port=53 protocol=udp src-address=\
    10.20.20.0/24
add action=accept chain=input comment="Zezwolenie na VPN" dst-port=1194 \
    protocol=tcp
add action=accept chain=forward dst-address=192.168.10.0/24 src-address=\
    192.168.20.0/24
add action=accept chain=forward dst-address=192.168.20.0/24 src-address=\
    192.168.10.0/24
add action=accept chain=forward dst-address=192.168.20.250 src-address=\
    212.122.223.98
add action=accept chain=forward connection-state=established,related
add action=accept chain=input protocol=icmp tcp-flags=""
add action=accept chain=input comment="Zezwolenie na L2TP" dst-port=\
    500,1701,4500 protocol=udp
add action=accept chain=input comment="Przychodz\B9ce IPsec" protocol=\
    ipsec-ah
add action=accept chain=input comment=IPsec protocol=ipsec-esp
add action=accept chain=forward dst-address=192.168.10.0/24 src-address=\
    10.10.10.0/24
add action=accept chain=forward dst-address=10.10.10.0/24 src-address=\
    192.168.10.0/24
add action=accept chain=forward dst-address=192.168.10.0/24 src-address=\
    192.168.1.0/24
# L2TP Test123 not ready
add action=accept chain=forward comment="Simple -> do 730" dst-address=\
    192.168.10.10 dst-port=3389 in-interface="L2TP Test123" protocol=tcp
# L2TP Test123 not ready
add action=accept chain=forward comment="Simple -> do 730" dst-address=\
    192.168.10.10 dst-port=3389 in-interface="L2TP Test123" protocol=udp
add action=drop chain=forward comment="Simple -> do 730" disabled=yes \
    dst-address-list=Podsieci dst-port=!3389 in-interface="L2TP Test123" \
    protocol=udp
add action=drop chain=forward comment="Simple -> do 730" disabled=yes \
    dst-address-list=Podsieci dst-port=!3389 in-interface="L2TP Test123" \
    protocol=tcp
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid protocol=tcp
add action=drop chain=forward comment="Drop invalid packets" \
    connection-state=invalid
add action=drop chain=forward comment="Blokowanie wyszukiwania 30 przez 1" \
    dst-address=192.168.30.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Blokowanie wyszukiwania 30 przez 10" \
    dst-address=192.168.30.0/24 src-address=192.168.10.0/24
add action=drop chain=forward comment="Blokowanie wyszukiwania 30 przez 20" \
    dst-address=192.168.30.0/24 src-address=192.168.20.0/24
add action=drop chain=forward comment="Blokowanie wyszukiwania 10 przez 20" \
    dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=drop chain=forward comment="Blokada Forwardu mi\EAdzy 10 i 20" \
    disabled=yes in-interface=ether6 out-interface=ether4-20
add action=drop chain=forward comment="Blokowanie 30 dost\EApu do 1" \
    dst-address=192.168.1.0/24 src-address=192.168.30.0/24
add action=drop chain=forward comment="Blokowanie 30 dost\EApu do 10" \
    dst-address=192.168.10.0/24 src-address=192.168.30.0/24
add action=drop chain=forward comment="Blokowanie 30 dost\EApu do 20" \
    dst-address=192.168.20.0/24 src-address=192.168.30.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.20.0/24 \
    src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.10.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.1.0/24 \
    src-address=192.168.20.0/24
# L2TP Simple not ready
add action=drop chain=forward comment="Simple -> do 730" dst-address=\
    !192.168.10.10 dst-port=!3389 in-interface="L2TP Simple" protocol=tcp
# L2TP Simple not ready
add action=drop chain=forward comment="Simple -> do 730" dst-address=\
    !192.168.10.10 dst-port=!3389 in-interface="L2TP Simple" protocol=udp
add action=drop chain=forward comment="Simple -> do 730" disabled=yes \
    in-interface-list=*2000013 src-address=!192.168.10.10
add action=drop chain=input comment="Simple -> do 730" disabled=yes \
    in-interface-list=*2000013 src-address=!192.168.10.10
add action=drop chain=forward comment="Komputer Ochroniarza - Dom-Komputer" \
    src-mac-address=4C:80:93:65:D8:EE
add action=drop chain=forward comment="Blokowanie Koparki \"Coinhive\"" \
    dst-port=80,443 layer7-protocol=Koparki protocol=tcp
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=telefony_rene \
    passthrough=yes src-address=192.168.30.0/24
add action=mark-routing chain=prerouting new-routing-mark=L2TP passthrough=\
    yes src-address=10.20.20.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "Telefony Rene -> dost\EAp do internetu (Maskarada)" out-interface=\
    "1 RENE" src-address=192.168.30.0/24 src-address-list=Telefony_na_rene \
    to-addresses=WAN1
# L2TP Simple not ready
add action=masquerade chain=srcnat out-interface="L2TP Simple"
add action=src-nat chain=srcnat dst-address=0.0.0.0/0 out-interface="2 WMC" \
    src-address=10.20.20.0/24 to-addresses=WAN2
add action=masquerade chain=srcnat comment="WAN1 -> Maskarada" disabled=yes \
    out-interface="1 RENE"
add action=masquerade chain=srcnat comment=WAN2 disabled=yes out-interface=\
    "2 WMC"
add action=masquerade chain=srcnat comment="Maskarada (Internet) dla 20" \
    disabled=yes src-address=192.168.20.0/24
add action=masquerade chain=srcnat comment=\
    "Maskarada (Internet) dla Zegara RCP" src-address=192.168.20.232
add action=masquerade chain=srcnat comment=\
    "Maskarada (Internet) dla Centralki Slican" src-address=192.168.20.2
add action=masquerade chain=srcnat comment="Maskarada (Internet) 10" \
    src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="Maskarada 01" src-address=\
    192.168.1.0/24
add action=masquerade chain=srcnat disabled=yes src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="Maskarada dla VPN-OVPN" \
    src-address=10.10.10.0/24
add action=masquerade chain=srcnat comment="Maskarada dla L2TP" src-address=\
    10.20.20.0/24
add action=dst-nat chain=dstnat comment="XPERTIS R520 5580 RENE " dst-port=\
    5580 in-interface="1 RENE" protocol=tcp to-addresses=192.168.10.89 \
    to-ports=5580
add action=dst-nat chain=dstnat comment="XPERTIS R520 5580 WMC" dst-port=5580 \
    in-interface="2 WMC" protocol=tcp to-addresses=192.168.10.89 to-ports=\
    5580
add action=dst-nat chain=dstnat comment="IBS WMC" disabled=yes dst-port=\
    13021-13042 in-interface="2 WMC" protocol=tcp to-addresses=\
    192.168.20.21-192.168.20.42 to-ports=80
add action=dst-nat chain=dstnat comment="SIP 5060 dla fortel" dst-port=5060 \
    in-interface="2 WMC" log=yes protocol=udp src-address=212.122.223.98 \
    to-addresses=192.168.20.2 to-ports=5060
add action=dst-nat chain=dstnat comment="RTP8100-8200 dla Fortel" dst-port=\
    8100-8200 in-interface="2 WMC" log=yes protocol=udp src-address=\
    212.122.223.98 to-addresses=192.168.20.250 to-ports=8100-8200
add action=dst-nat chain=dstnat comment="IBS RENE" disabled=yes dst-port=\
    13021-13042 in-interface="1 RENE" protocol=tcp to-addresses=\
    192.168.20.21-192.168.20.42 to-ports=80
add action=dst-nat chain=dstnat comment="RDP SQLTEST" dst-port=14000 \
    in-interface="2 WMC" log=yes protocol=tcp to-addresses=192.168.10.17 \
    to-ports=3389
add action=dst-nat chain=dstnat comment="CENTRALA SLICAN" dst-port=5525 \
    in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.2 to-ports=5525
add action=dst-nat chain=dstnat comment="TESTOWY EXPERTIS 80" disabled=yes \
    dst-port=12503 in-interface="2 WMC" protocol=tcp to-addresses=\
    192.168.1.201 to-ports=80
add action=dst-nat chain=dstnat comment=SATEL dst-port=7090 in-interface=\
    "2 WMC" protocol=tcp to-addresses=192.168.10.106 to-ports=7090
add action=dst-nat chain=dstnat comment="XPERTIS 80 WEB SERVICE" disabled=yes \
    dst-port=12502 in-interface="2 WMC" protocol=tcp to-addresses=192.168.1.6 \
    to-ports=12502
add action=dst-nat chain=dstnat comment="RDP AUXSERVER" dst-port=12500 \
    in-interface="2 WMC" protocol=tcp to-addresses=192.168.10.90 to-ports=\
    3389
add action=dst-nat chain=dstnat comment="RS812 SURV STATION" dst-port=5001 \
    in-interface="2 WMC" protocol=tcp to-addresses=192.168.10.84 to-ports=\
    5001
add action=dst-nat chain=dstnat comment="RDP TEST XPERTIS1" dst-port=12506 \
    in-interface="2 WMC" protocol=tcp to-addresses=192.168.10.11 to-ports=\
    3389
add action=dst-nat chain=dstnat comment=AXENCE dst-port=4436 in-interface=\
    "2 WMC" protocol=tcp to-addresses=192.168.10.1 to-ports=4436
add action=dst-nat chain=dstnat comment="RDP DELL-R520" dst-port=3989 \
    in-interface="2 WMC" protocol=tcp to-addresses=192.168.10.89 to-ports=\
    3989
add action=dst-nat chain=dstnat comment="POE SWITCH" disabled=yes dst-port=\
    13043-13048 in-interface="2 WMC" protocol=tcp to-addresses=\
    192.168.20.11-192.168.20.16 to-ports=80
add action=dst-nat chain=dstnat comment="TESTOWY EXPERTIS 5580" dst-port=\
    12501 in-interface="2 WMC" protocol=tcp to-addresses=192.168.10.11 \
    to-ports=5580
add action=dst-nat chain=dstnat comment="ZEWN\CATRZNE R730" dst-port=12505 \
    in-interface="2 WMC" log=yes protocol=tcp to-addresses=192.168.10.10 \
    to-ports=3389
add action=dst-nat chain=dstnat comment="DELL R510 14283 WMC" dst-port=14283 \
    in-interface="2 WMC" protocol=tcp to-addresses=192.168.10.1 to-ports=\
    14283
add action=dst-nat chain=dstnat comment="DELL R510 14283 RENE" dst-port=14283 \
    in-interface="1 RENE" protocol=tcp to-addresses=192.168.10.1 to-ports=\
    3389
add action=dst-nat chain=dstnat comment="IBS WMC 1" disabled=yes dst-port=\
    13021 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.21 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 2" disabled=yes dst-port=\
    13022 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.22 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 3" disabled=yes dst-port=\
    13023 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.23 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 4" disabled=yes dst-port=\
    13024 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.24 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 5" disabled=yes dst-port=\
    13025 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.25 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 6" disabled=yes dst-port=\
    13026 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.26 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 7" disabled=yes dst-port=\
    13027 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.27 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 8" disabled=yes dst-port=\
    13028 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.28 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 9" disabled=yes dst-port=\
    13029 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.29 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 10" disabled=yes dst-port=\
    13030 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.30 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 11" disabled=yes dst-port=\
    13031 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.31 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 12" disabled=yes dst-port=\
    13032 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.32 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 13" disabled=yes dst-port=\
    13033 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.33 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 14" disabled=yes dst-port=\
    13034 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.34 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 15" disabled=yes dst-port=\
    13035 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.35 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 16" disabled=yes dst-port=\
    13036 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.36 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 17" disabled=yes dst-port=\
    13037 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.37 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 18" disabled=yes dst-port=\
    13038 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.38 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 19" disabled=yes dst-port=\
    13039 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.39 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 20" disabled=yes dst-port=\
    13040 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.40 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 21" disabled=yes dst-port=\
    13041 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.41 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 1" disabled=yes dst-port=\
    13021 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.21 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 2" disabled=yes dst-port=\
    13022 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.22 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 3" disabled=yes dst-port=\
    13023 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.23 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 4" disabled=yes dst-port=\
    13024 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.24 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 5" disabled=yes dst-port=\
    13025 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.25 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 6" disabled=yes dst-port=\
    13026 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.26 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 7" disabled=yes dst-port=\
    13027 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.27 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 8" disabled=yes dst-port=\
    13028 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.28 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 9" disabled=yes dst-port=\
    13029 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.29 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 10" disabled=yes dst-port=\
    13030 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.30 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 11" disabled=yes dst-port=\
    13031 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.31 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 12" disabled=yes dst-port=\
    13032 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.32 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 13" disabled=yes dst-port=\
    13033 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.33 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 14" disabled=yes dst-port=\
    13034 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.34 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 15" disabled=yes dst-port=\
    13035 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.35 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 16" disabled=yes dst-port=\
    13036 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.36 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 17" disabled=yes dst-port=\
    13037 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.37 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 18" disabled=yes dst-port=\
    13038 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.38 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 19" disabled=yes dst-port=\
    13039 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.39 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 20" disabled=yes dst-port=\
    13040 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.40 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 21" disabled=yes dst-port=\
    13041 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.41 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 22" disabled=yes dst-port=\
    13042 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.42 \
    to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 22" disabled=yes dst-port=\
    13042 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.42 \
    to-ports=80
/ip ipsec peer
add address=0.0.0.0/0 dh-group=modp2048 enc-algorithm=aes-256,aes-128,3des \
    exchange-mode=main-l2tp generate-policy=port-override
/ip pool
add name=VPN-SIMPLE next-pool=VPN-IT ranges=10.10.10.21-10.10.10.50
add name=VPN-IT next-pool=VPN-SIMPLE ranges=10.10.10.10-10.10.10.20
/ip route
add check-gateway=ping comment="Rene tagowane - telefony" distance=1 gateway=\
    WAN2 routing-mark=telefony_rene
add check-gateway=ping comment="WMC nie tagowane" distance=1 gateway=\
    WAN1
add check-gateway=ping comment="Rene nie tagowane" distance=4 gateway=\
    WAN2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=xxxx
set ssh disabled=yes
set winbox address=0.0.0.0/0 port=xxxx
/mpls interface
add mpls-mtu=1522
/ppp profile
add dns-server=192.168.10.1,8.8.8.8 local-address=10.10.10.1 name=OVPN \
    remote-address=VPN-IT use-encryption=required
set *FFFFFFFE local-address=192.168.1.1 remote-address=VPN-SIMPLE
/ppp secret
add name=vpn profile=default-encryption
add name=It profile=L2TP
add name=Grzegorz profile=OVPN service=ovpn
add name=Simple profile=L2TP service=l2tp
add name=Test123 profile=L2TP service=l2tp
add name=Andrzej profile=L2TP service=l2tp
/system clock
set time-zone-name=Europe/Warsaw
/system logging
add action=remote topics=ipsec
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=info
add action=remote topics=warning
/system ntp client
set enabled=yes primary-ntp=80.50.231.226 secondary-ntp=194.29.130.252
#error exporting /system routerboard mode-button
/system scheduler
add comment="L2TP Secure" disabled=yes interval=5s name=\
    "Skrypt Sprawdzajacy L2TP" on-event="# ------------------- header --------\
    -----------\r\
    \n# Script by Tomas Kirnak, version 1.0.2\r\
    \n# If you use this script, or edit and\r\
    \n# re-use it, please keep the header intact.\r\
    \n#\r\
    \n# For more information and details about\r\
    \n# this script please visit the wiki page at\r\
    \n# http://wiki.mikrotik.com/wiki/Securing_L2TP_Server_for_IPSec\r\
    \n# ------------------- header -------------------\r\
    \n{\r\
    \n:local InAL 0\r\
    \n:local InRP 0\r\
    \n:local rawIp 0\r\
    \n:local CurrentPeerIP 0\r\
    \n\r\
    \n:foreach i1 in [/ip ipsec remote-peers find] do={\r\
    \n  :set rawIp [/ip ipsec remote-peers get \$i1 remote-address]\r\
    \n  \r\
    \n  :if ([:len [:find \$rawIp \":\"]] = 0) do={\r\
    \n    :set CurrentPeerIP \$rawIp\r\
    \n  } else={\r\
    \n    :set CurrentPeerIP [:pick \$rawIp 0 [:find \$rawIp \":\"]]\r\
    \n  }\r\
    \n\r\
    \n  :foreach i2 in [/ip firewall address-list find list=L2TP_Allowed addre\
    ss=\$CurrentPeerIP] do={\r\
    \n    :set InAL 1\r\
    \n  }\r\
    \n  if (\$InAL = 0) do={/ip firewall address-list add list=L2TP_Allowed ad\
    dress=\$CurrentPeerIP}\r\
    \n  :set InAL 0\r\
    \n}\r\
    \n\r\
    \n:foreach i1 in [/ip firewall address-list find list=L2TP_Allowed] do={\r\
    \n  :set CurrentPeerIP [/ip firewall address-list get \$i1 address]\r\
    \n\r\
    \n  :foreach i2 in [/ip ipsec remote-peers find] do={\r\
    \n    :set rawIp [/ip ipsec remote-peers get \$i2 remote-address]\r\
    \n\t\r\
    \n    :if ([:len [:find \$rawIp \":\"]] = 0) do={\r\
    \n      :set CurrentPeerIP \$rawIp\r\
    \n    } else={\r\
    \n      :set CurrentPeerIP [:pick \$rawIp 0 [:find \$rawIp \":\"]]\r\
    \n    }\r\
    \n  \r\
    \n    :if (\$CurrentPeerIP = [/ip firewall address-list get \$i1 address])\
    \_do={\r\
    \n      :set InRP 1\r\
    \n\t}\r\
    \n  }\r\
    \n  :if (\$InRP = 0) do={/ip firewall address-list remove \$i1}\r\
    \n  :set InRP 0\r\
    \n}\r\
    \n}\r\
    \n" policy=read,write,policy,test,sensitive start-date=nov/27/2017 \
    start-time=09:43:29
 
cdiedrich
Forum Veteran
Posts: 997
Joined: Thu Feb 13, 2014 2:03 pm
Location: Basel, Switzerland // Bremen, Germany

Re: Allow connect user to only one internal ip but allow internet connection

Thu Feb 08, 2018 9:43 am

Now that config is a bit more complex than I expected it to be :-)

On first sight I found two issues:
add action=masquerade chain=srcnat out-interface="L2TP Simple"
I don't understand that one. It does not have any src- or dst-address matcher and, as it's pretty high up in your NAT section, it catches a lot of traffic.
Do you really want to have all traffic going out via that L2TP interface?
add action=src-nat chain=srcnat dst-address=0.0.0.0/0 out-interface="2 WMC" \
    src-address=10.20.20.0/24 to-addresses=WAN2
I guess you replaced the real address by WAN2 yourself, right?
If so, move that rule up. Currently all traffic is caught by the rule above; that's why it doesn't work.

-Chris
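An added example, not from the thread and not RouterOS code: a small Python model of first-match rule evaluation, loaded with rules rebuilt from the export above. It shows why the "L2TP Test123" drop (bound to out-interface=ether6) leaves Internet-bound traffic alone while the "L2TP Simple" drop (no out-interface, two negated matchers ANDed together) drops Internet traffic yet still passes 192.168.10.10 on other ports and other hosts on 3389, and how a catch-all srcnat rule placed above a specific one shadows it, the ordering problem Chris points to. The client address 10.20.20.42 and the matcher-less masquerade rule are constructed for the demonstration.

```python
"""Added example, not from the thread and not RouterOS code: a first-match
evaluator modelled on /ip firewall chains, fed with rules rebuilt from the
export above. Only the matchers those rules use are implemented."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str
    proto: str = "tcp"
    dport: int = 0
    state: str = "new"           # "new" or "established"

@dataclass
class Rule:
    action: str                  # accept / drop / masquerade / src-nat
    comment: str = ""
    src: Optional[str] = None    # CIDR; a leading "!" negates, as in RouterOS
    dst: Optional[str] = None
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[str] = None  # "3389" or "!3389"
    state: Optional[str] = None

def _match_net(matcher: Optional[str], addr: str) -> bool:
    if matcher is None:
        return True
    hit = ip_address(addr) in ip_network(matcher.lstrip("!"), strict=False)
    return hit != matcher.startswith("!")

def _match_eq(matcher: Optional[str], value: str) -> bool:
    if matcher is None:
        return True
    return (matcher.lstrip("!") == value) != matcher.startswith("!")

def matches(rule: Rule, pkt: Packet) -> bool:
    # All matchers of one rule are ANDed; a "!" negates only its own matcher.
    return (_match_net(rule.src, pkt.src) and _match_net(rule.dst, pkt.dst)
            and _match_eq(rule.in_if, pkt.in_if) and _match_eq(rule.out_if, pkt.out_if)
            and _match_eq(rule.proto, pkt.proto) and _match_eq(rule.dport, str(pkt.dport))
            and _match_eq(rule.state, pkt.state))

def first_match(chain: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Walk the chain top-down; the first matching rule decides.
    No match means the chain's implicit accept."""
    for rule in chain:
        if matches(rule, pkt):
            return rule.action, rule.comment
    return "accept", "no rule matched (implicit accept)"

def shadowed_by(chain: List[Rule], pkt: Packet) -> List[str]:
    """Every rule the packet would match; only the first one ever fires."""
    return [r.comment for r in chain if matches(r, pkt)]

# forward chain, reduced to the export's rules that decide L2TP client traffic
FORWARD = [
    Rule("drop", "Test123: LAN only to 192.168.10.10", dst="!192.168.10.10",
         in_if="L2TP Test123", out_if="ether6"),
    Rule("accept", "established,related", state="established"),
    Rule("accept", "Simple -> do 730", dst="192.168.10.10", dport="3389",
         in_if="L2TP Simple", proto="tcp"),
    Rule("drop", "Simple: drop the rest", dst="!192.168.10.10", dport="!3389",
         in_if="L2TP Simple", proto="tcp"),
]

# The last rule ANDs "dst != host" with "port != 3389": host:22 and
# otherhost:3389 slip through while Internet traffic is dropped. Two rules
# bound to the LAN interface say "only host:3389 on the LAN" instead.
FORWARD_FIXED = FORWARD[:3] + [
    Rule("drop", "Simple: LAN host other than 192.168.10.10",
         dst="!192.168.10.10", in_if="L2TP Simple", out_if="ether6"),
    Rule("drop", "Simple: 192.168.10.10 but not 3389", dst="192.168.10.10",
         dport="!3389", in_if="L2TP Simple", out_if="ether6"),
]

# srcnat: a matcher-less masquerade (constructed) above the export's src-nat
SRCNAT_BAD = [
    Rule("masquerade", "catch-all masquerade"),
    Rule("src-nat", "L2TP -> WAN2", src="10.20.20.0/24", out_if="2 WMC"),
]
SRCNAT_GOOD = SRCNAT_BAD[::-1]

def vpn_packet(iface: str, dst: str, out_if: str, dport: int) -> Packet:
    # constructed client address from the export's L2TP pool
    return Packet("10.20.20.42", dst, iface, out_if, "tcp", dport)

if __name__ == "__main__":
    for args in [("L2TP Test123", "8.8.8.8", "2 WMC", 443),
                 ("L2TP Simple", "8.8.8.8", "2 WMC", 443),
                 ("L2TP Simple", "192.168.10.89", "ether6", 3389)]:
        pkt = vpn_packet(*args)
        print(args, "export:", first_match(FORWARD, pkt)[0],
              "fixed:", first_match(FORWARD_FIXED, pkt)[0])
```

Swap SRCNAT_BAD for SRCNAT_GOOD in first_match to see the specific src-nat rule fire once it sits above the catch-all.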
 
Neski
just joined
Topic Author
Posts: 19
Joined: Mon Aug 14, 2017 8:43 am
Location: Poland

Re: Allow connect user to only one internal ip but allow internet connection

Thu Feb 08, 2018 10:10 am

I'm a beginner, so sometimes I make mistakes :P
I had hoped that by using
add action=masquerade chain=srcnat out-interface="L2TP Simple"
I would add internet to that interface; it was just for a test.
add action=src-nat chain=srcnat dst-address=0.0.0.0/0 out-interface="2 WMC" \
    src-address=10.20.20.0/24 to-addresses=WAN2
Here WAN2 was my address; I changed it manually.

What did I want to achieve? Gain access similar to OpenVPN: get access to the LAN via L2TP without routing all traffic through this interface. It would be great for users to use their own internet, not the company's.

> Now that config is a bit more complex than I expected it to be :-)
>
> On first sight I found two issues:
> add action=masquerade chain=srcnat out-interface="L2TP Simple"
> I don't understand that one. It does not have any src- or dst-address matcher and, as it's pretty high up in your NAT section, it catches a lot of traffic.
> Do you really want to have all traffic going out via that L2TP interface?
> add action=src-nat chain=srcnat dst-address=0.0.0.0/0 out-interface="2 WMC" \
>     src-address=10.20.20.0/24 to-addresses=WAN2
> I guess you replaced the real address by WAN2 yourself, right?
> If so, move that rule up. Currently all traffic is caught by the rule above; that's why it doesn't work.
>
> -Chris
