Hi, I have a problem.
I have an L2TP/IPsec VPN and it is working. I need to limit the VPN clients to one IP address in the internal network without blocking their access to the Internet. Any ideas? I know how to block everything except one IP, but how do I allow the Internet?
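/ip firewall filter
#only allow LAN access to a single address
# Keep this drop above any broad accept (e.g. established,related) in the
# forward chain so it is evaluated for every new VPN-to-LAN connection.
add chain=forward action=drop src-address=<yourVPNrange> dst-address=!<the.allowed.ip.address> out-interface=<yourLANfacingInterface>
#probably another good idea to block router access for VPN clients
#in case your router is DNS server for VPN clients
# (note moved onto its own line: RouterOS documents # comments at the start
# of a line, not trailing a command)
add chain=input action=accept src-address=<yourVPNrange> protocol=udp dst-port=53
add chain=input action=drop src-address=<yourVPNrange> protocol=!icmp
/ip firewall nat
#allow internet access for your VPN guests
# The parameter is to-addresses (plural), the form the router's own export
# uses; the singular spelling is not a src-nat parameter name.
add chain=srcnat action=src-nat src-address=<yourVPNrange> dst-address=0.0.0.0/0 to-addresses=<yourWAN-IP> out-interface=<yourWANinterface>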
-Chris

/ip firewall filter
#only allow LAN access to a single address
add chain=forward action=drop src-address=<yourVPNrange> dst-address=!<the.allowed.ip.address> out-interface=<yourLANfacingInterface>
#probably another good idea to block router access for VPN clients
add chain=input action=accept src-address=<yourVPNrange> protocol=udp dst-port=53 #in case your router is DNS server for VPN clients
add chain=input action=drop src-address=<yourVPNrange> protocol=!icmp
/ip firewall nat
#allow internet access for your VPN guests
add chain=srcnat action=src-nat src-address=<yourVPNrange> dst-address=0.0.0.0/0 to-address=<yourWAN-IP> out-interface=<yourWANinterface>
Internet access is not working, but the connection to the single IP in the LAN is OK.
-Chris

/ip firewall nat
#allow internet access for your VPN guests
add chain=srcnat action=src-nat src-address=<yourVPNrange> dst-address=0.0.0.0/0 to-address=<yourWAN-IP> out-interface=<yourWANinterface>
Well, at least we're getting there
Do you give out DNS servers for your VPN clients in /ppp profile?
Ideally, you would post a compact export of your config; that would make it much easier to troubleshoot...
-Chris
# feb/08/2018 07:42:43 by RouterOS 6.40.1
# software id = K08Q-QN1P
#
# model = CCR1036-8G-2S+
# serial number = 742906BB430A
# NOTE(review): the software id and serial number identify the unit and its
# licence; they add nothing to troubleshooting and are best redacted before
# an export is posted publicly.
/interface ethernet
# ether1/ether2 are the two uplinks (members of the WAN list further down).
set [ find default-name=ether1 ] name="1 RENE"
set [ find default-name=ether2 ] name="2 WMC"
set [ find default-name=ether3 ] arp=reply-only name=ether3-1
set [ find default-name=ether4 ] name=ether4-20
# ether6 carries 192.168.10.0/24 (server LAN, see /ip address) with proxy-arp.
set [ find default-name=ether6 ] arp=proxy-arp
set [ find default-name=ether7 ] arp=reply-only
set [ find default-name=ether8 ] name=ether8-testowy
/interface l2tp-server
# One static binding per PPP user so that firewall rules can match
# in-interface="L2TP <user>" (used in /ip firewall filter below).
add name="L2TP Andrzej" user=Andrzej
add name="L2TP Simple" user=Simple
add name="L2TP Test123" user=Test123
add name="L2TP dla IT" user=It
/interface ovpn-server
# Static OVPN binding with an empty user -- presumably a leftover; confirm
# which secret it is meant for.
add name=ovpn-dla-it user=""
/ip neighbor discovery
# Neighbor discovery switched off on both uplinks.
set "1 RENE" discover=no
set "2 WMC" discover=no
/interface vlan
# Tagged VLANs on ether7: 20 printers, 10 PCs, 30 phones, 29 Xpertis.
add comment=Drukarki interface=ether7 name=Drukarki vlan-id=20
add comment=Kompy interface=ether7 name=Kompy vlan-id=10
add comment=Telefony interface=ether7 name=Telefony vlan-id=30
add comment=Xpertis interface=ether7 name=Xpertis vlan-id=29
/interface list
# Defined here, but no filter rule in this export matches on WAN or LAN; the
# only in-interface-list matchers reference a stale id (*2000013).
add name=WAN
add name=LAN
/ip firewall layer7-protocol
# Regex behind the "Koparki" drop in the filter chain.  The dots are
# unescaped and match any character.  Layer7 only sees cleartext, so on
# port 443 this can match at most the unencrypted part of the TLS handshake
# (e.g. the SNI), never page content.
add name=Koparki regexp="^.+(coinhive.com).*\$"
/ip ipsec proposal
# Phase-2 proposal used by the L2TP/IPsec clients.  lifetime=0s appears to
# turn off the time-based rekey of the phase-2 SA (the default is 30m) --
# confirm, and prefer a finite value so one key does not cover a whole
# session.  pfs-group=none disables perfect forward secrecy; many built-in
# OS L2TP clients do not offer PFS, so this may be deliberate.  No
# auth-algorithms= is shown, so it is at its default.
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=0s \
pfs-group=none
/ip pool
add name=dhcp_pool0 ranges=192.168.20.230-192.168.20.250
add name=dhcp_pool1 ranges=192.168.1.21-192.168.1.60
add name=Telefony ranges=192.168.30.2-192.168.30.250
# Addresses handed to L2TP clients (matched as 10.20.20.0/24 in the
# firewall and NAT rules below).
add name=L2TP ranges=10.20.20.20-10.20.20.254
/ip dhcp-server
add address-pool=dhcp_pool0 authoritative=after-2sec-delay disabled=no \
interface=ether4-20 lease-time=12h name=DHCP20
add add-arp=yes address-pool=dhcp_pool1 authoritative=after-2sec-delay \
disabled=no interface=ether3-1 lease-time=12h name=DHCP1
add address-pool=Telefony authoritative=after-2sec-delay disabled=no \
interface=Telefony lease-time=4h name=Telefony
/ppp profile
# L2TP clients get 10.20.20.1 as their gateway and 192.168.10.1 -- a LAN
# host, not the router -- as DNS/WINS, so their DNS queries traverse the
# forward chain.  use-encryption=required enforces MPPE on the PPP link.
add dns-server=192.168.10.1 local-address=10.20.20.1 name=L2TP \
remote-address=L2TP use-encryption=required wins-server=192.168.10.1
/queue simple
add disabled=yes max-limit=10M/10M name=queue1 target=ovpn-dla-it
/system logging action
# Action 1 logs to disk; action 3 (presumably the built-in "remote" action
# referenced by /system logging below) ships BSD syslog to 192.168.10.84.
set 1 disk-file-count=30 disk-file-name=MT-log-1 disk-lines-per-file=500
set 3 bsd-syslog=yes remote=192.168.10.84
/interface bridge settings
# Bridged, VLAN and PPPoE traffic is also passed through the IP firewall.
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
use-ip-firewall-for-vlan=yes
/interface l2tp-server server
# NOTE(review): mschap1 is offered next to mschap2; unless a legacy client
# needs it, restrict to authentication=mschap2.  No use-ipsec= is shown, so
# it is at its default; if that default does not require IPsec, a client can
# bring up plain L2TP over udp/1701 (which the input chain accepts from any
# source) and only MPPE protects the session.  use-ipsec=required (with an
# ipsec-secret) makes the tunnel fail without IPsec -- this is the condition
# the disabled "Skrypt Sprawdzajacy L2TP" scheduler entry at the end of the
# export was written to work around.
set allow-fast-path=yes authentication=mschap1,mschap2 default-profile=L2TP \
enabled=yes
/interface list member
# The L2TP/OVPN bindings are in neither list; a rule on in-interface-list=LAN
# would not cover VPN clients.
add interface="1 RENE" list=WAN
add interface="2 WMC" list=WAN
add interface=ether4-20 list=LAN
add interface=ether3-1 list=LAN
add interface=ether6 list=LAN
/interface ovpn-server server
# Client certificates are required; HMAC sha1 with aes256.
set auth=sha1 certificate=SERVER cipher=aes256 default-profile=OVPN enabled=\
yes require-client-certificate=yes
/interface sstp-server server
# Uses the built-in default-encryption profile (modified further down via
# its internal id).
set default-profile=default-encryption
/ip address
# WAN1/WAN2 are placeholders substituted by the poster for the public
# addresses.
add address=WAN1/22 comment=RENE interface="1 RENE" network=\
WAN1
add address=192.168.20.1/24 comment="Net dla 20" interface=ether4-20 network=\
192.168.20.0
add address=WAN2 comment=WMC interface="2 WMC" network=\
WAN2
add address=192.168.1.1/24 disabled=yes interface=ether3-1 network=\
192.168.1.0
# Router's address on the server LAN; VPN-to-LAN traffic that is masqueraded
# without an out-interface (see /ip firewall nat) appears from this address.
add address=192.168.10.254/24 comment="10 dla Dell-R510" interface=ether6 \
network=192.168.10.0
add address=192.168.30.1/24 comment="Net dla Telefony" interface=Telefony \
network=192.168.30.0
add address=192.168.10.1/24 disabled=yes interface=ether3-1 network=\
192.168.10.0
/ip dhcp-relay
# DHCP on ether6 is relayed to the server at 192.168.10.1.
add dhcp-server=192.168.10.1 disabled=no interface=ether6 name=DELL-R510
/ip dhcp-server lease
# Static leases for the IBS devices (192.168.20.21-42, the targets of the
# disabled dst-nat port forwards), the PBX and test hosts.
add address=192.168.20.2 comment=SLICAN mac-address=B0:B3:2B:00:7B:E5 server=\
DHCP20
add address=192.168.20.21 comment="IBS A-1" mac-address=00:08:7B:0A:B0:3E \
server=DHCP20
add address=192.168.20.22 comment="IBS A-2" mac-address=00:08:7B:0A:B0:41 \
server=DHCP20
add address=192.168.20.23 comment="IBS A-3" mac-address=00:08:7B:0A:B0:44 \
server=DHCP20
add address=192.168.20.24 comment="IBS A-4" mac-address=00:08:7B:0A:B0:3C \
server=DHCP20
add address=192.168.20.25 comment="IBS A-5" mac-address=00:08:7B:0A:B0:3F \
server=DHCP20
add address=192.168.20.26 comment="IBS A-6" mac-address=00:08:7B:0A:B0:40 \
server=DHCP20
add address=192.168.20.27 comment="IBS B-1" mac-address=00:08:7B:0A:B0:45 \
server=DHCP20
add address=192.168.20.28 comment="IBS B-2" mac-address=00:08:7B:0A:AF:B8 \
server=DHCP20
add address=192.168.20.29 comment="IBS B-3" mac-address=00:08:7B:0A:AF:C7 \
server=DHCP20
add address=192.168.20.30 comment="IBS B-4" mac-address=00:08:7B:0A:AF:B7 \
server=DHCP20
add address=192.168.20.31 comment="IBS B-5" mac-address=00:08:7B:0A:AF:C5 \
server=DHCP20
add address=192.168.20.32 comment="IBS - B6" mac-address=00:08:7B:0A:AF:C6 \
server=DHCP20
add address=192.168.20.33 comment="IBS C-1" mac-address=00:08:7B:0A:AF:C8 \
server=DHCP20
add address=192.168.20.34 comment="IBS C-2" mac-address=00:08:7B:0A:AF:BF \
server=DHCP20
add address=192.168.20.35 comment="IBS C-3" mac-address=00:08:7B:0A:AF:C2 \
server=DHCP20
add address=192.168.20.36 comment="IBS C-4" mac-address=00:08:7B:0A:AF:C1 \
server=DHCP20
add address=192.168.20.37 comment="IBS CNC-1" mac-address=00:08:7B:0A:AF:C4 \
server=DHCP20
add address=192.168.20.38 comment="IBS E-1" mac-address=00:08:7B:0F:B1:3C \
server=DHCP20
add address=192.168.20.39 comment="IBS E-2" mac-address=00:08:7B:0F:B1:3F \
server=DHCP20
add address=192.168.20.40 comment="IBS Y-1-FRONT" mac-address=\
00:08:7B:10:BB:3C server=DHCP20
add address=192.168.20.41 comment="IBS Y-2-\8CRODEK" mac-address=\
00:08:7B:10:BB:0F server=DHCP20
add address=192.168.20.42 comment="IBS Y-3-TY\A3" mac-address=\
00:08:7B:10:BB:67 server=DHCP20
add address=192.168.1.201 comment="XPERTIS TEST" mac-address=\
00:25:22:71:E6:F2 server=DHCP1
add address=192.168.1.2 mac-address=00:07:E9:30:F0:11 server=DHCP1
add address=192.168.1.3 mac-address=00:04:23:E0:5D:61 server=DHCP1
# Two disabled leases for the same address 192.168.1.6 (two NICs of the
# DELL-R510).
add address=192.168.1.6 always-broadcast=yes comment=DELL-R510 disabled=yes \
mac-address=78:2B:CB:4B:A4:C6 server=DHCP1
add address=192.168.1.7 mac-address=00:10:74:61:22:7B server=DHCP1
add address=192.168.1.10 mac-address=60:67:20:6B:BF:24 server=DHCP1
add address=192.168.1.14 mac-address=A0:88:B4:16:E0:84 server=DHCP1
add address=192.168.1.20 mac-address=00:1D:AA:2F:C6:E0 server=DHCP1
add address=192.168.1.6 always-broadcast=yes comment=\
"DELL-R510 karta zewn\EAtrzna" disabled=yes mac-address=00:24:32:16:49:CC \
server=DHCP1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1
add address=192.168.20.0/24 gateway=192.168.20.1
add address=192.168.30.0/24 gateway=192.168.30.1
/ip dns
# Upstream resolvers for the router itself.  allow-remote-requests= is not
# shown, so it is at its default; unless that default is "yes" the router
# does not answer client DNS, and the input accept for udp/53 from
# 10.20.20.0/24 in the filter chain has nothing to match.
set servers=8.8.8.8,208.67.222.222,213.192.65.1
/ip firewall address-list
# Phone subnet, used by the first srcnat rule to pin phones to uplink "1 RENE".
add address=192.168.30.2-192.168.30.254 comment=\
"Ip Telefon\F3w podsieci 30 przekierowane na Rene" list=Telefony_na_rene
# NOTE(review): despite its name this range is the OVPN pool (VPN-SIMPLE /
# VPN-IT, 10.10.10.x); the L2TP pool is 10.20.20.20-254.  No rule in this
# export references "L2TP VPN Lista".
add address=10.10.10.2-10.10.10.255 comment="L2TP VPN IP" list=\
"L2TP VPN Lista"
# Internal subnets; only referenced by disabled filter rules.
add address=192.168.10.0/24 list=Podsieci
add address=192.168.20.0/24 list=Podsieci
add address=192.168.30.0/24 list=Podsieci
/ip firewall filter
# NOTE(review): the jump targets tcp, udp and icmp have no rules anywhere in
# this export, so each jump returns immediately and these three rules are
# no-ops; either populate the chains or remove the jumps.
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
# L2TP Test123 not ready
# Restricts only the "L2TP Test123" binding and only towards ether6.  The
# other bindings (Andrzej, Simple, dla IT) and the other LAN-side interfaces
# (ether4-20, ether3-1, the VLANs) are not covered.  To apply "one address
# only" to every L2TP client, match src-address=10.20.20.0/24 (the L2TP pool)
# and out-interface-list=LAN instead of one binding and one interface.
add action=drop chain=forward comment=\
"#only allow LAN access to a single address" dst-address=!192.168.10.10 \
in-interface="L2TP Test123" out-interface=ether6
# The L2TP profile hands out dns-server=192.168.10.1, so VPN clients query
# the LAN server through the forward chain; this input rule only matters if
# the router itself serves DNS.
add action=accept chain=input dst-port=53 protocol=udp src-address=\
10.20.20.0/24
# OpenVPN control port, accepted from any interface.
add action=accept chain=input comment="Zezwolenie na VPN" dst-port=1194 \
protocol=tcp
# 20 <-> 10 accepted here; the later "Blokowanie wyszukiwania 10 przez 20"
# drop is therefore never reached for 20 -> 10 traffic.
add action=accept chain=forward dst-address=192.168.10.0/24 src-address=\
192.168.20.0/24
add action=accept chain=forward dst-address=192.168.20.0/24 src-address=\
192.168.10.0/24
# SIP/RTP provider towards the PBX host (same source as the SIP dst-nat rules).
add action=accept chain=forward dst-address=192.168.20.250 src-address=\
212.122.223.98
# Tracked-connection fast path; normally the first rule of the chain, with
# the connection-state=invalid drops (further down) right after it.
add action=accept chain=forward connection-state=established,related
# tcp-flags="" has no effect together with protocol=icmp.
add action=accept chain=input protocol=icmp tcp-flags=""
# IKE (500), L2TP (1701) and NAT-T (4500) from any source.  Plain L2TP on
# 1701 is reachable without IPsec unless the l2tp-server requires it (see
# /interface l2tp-server server).
add action=accept chain=input comment="Zezwolenie na L2TP" dst-port=\
500,1701,4500 protocol=udp
add action=accept chain=input comment="Przychodz\B9ce IPsec" protocol=\
ipsec-ah
add action=accept chain=input comment=IPsec protocol=ipsec-esp
# OVPN pool 10.10.10.0/24 <-> server LAN.
add action=accept chain=forward dst-address=192.168.10.0/24 src-address=\
10.10.10.0/24
add action=accept chain=forward dst-address=10.10.10.0/24 src-address=\
192.168.10.0/24
add action=accept chain=forward dst-address=192.168.10.0/24 src-address=\
192.168.1.0/24
# L2TP Test123 not ready
# RDP to 192.168.10.10 for the Test123 binding (the comment says "Simple" but
# the matcher is in-interface="L2TP Test123").
add action=accept chain=forward comment="Simple -> do 730" dst-address=\
192.168.10.10 dst-port=3389 in-interface="L2TP Test123" protocol=tcp
# L2TP Test123 not ready
add action=accept chain=forward comment="Simple -> do 730" dst-address=\
192.168.10.10 dst-port=3389 in-interface="L2TP Test123" protocol=udp
add action=drop chain=forward comment="Simple -> do 730" disabled=yes \
dst-address-list=Podsieci dst-port=!3389 in-interface="L2TP Test123" \
protocol=udp
add action=drop chain=forward comment="Simple -> do 730" disabled=yes \
dst-address-list=Podsieci dst-port=!3389 in-interface="L2TP Test123" \
protocol=tcp
# The tcp-only rule is redundant: the next one drops invalid packets of every
# protocol.
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid protocol=tcp
add action=drop chain=forward comment="Drop invalid packets" \
connection-state=invalid
# Inter-subnet isolation (30 = phones, 10 = servers, 20 = production, 1 =
# ether3-1).  The forward chain has no final drop, so any pair not listed
# here is allowed by default.
add action=drop chain=forward comment="Blokowanie wyszukiwania 30 przez 1" \
dst-address=192.168.30.0/24 src-address=192.168.1.0/24
add action=drop chain=forward comment="Blokowanie wyszukiwania 30 przez 10" \
dst-address=192.168.30.0/24 src-address=192.168.10.0/24
add action=drop chain=forward comment="Blokowanie wyszukiwania 30 przez 20" \
dst-address=192.168.30.0/24 src-address=192.168.20.0/24
# Shadowed by the 20 -> 10 accept near the top of the chain.
add action=drop chain=forward comment="Blokowanie wyszukiwania 10 przez 20" \
dst-address=192.168.10.0/24 src-address=192.168.20.0/24
add action=drop chain=forward comment="Blokada Forwardu mi\EAdzy 10 i 20" \
disabled=yes in-interface=ether6 out-interface=ether4-20
add action=drop chain=forward comment="Blokowanie 30 dost\EApu do 1" \
dst-address=192.168.1.0/24 src-address=192.168.30.0/24
add action=drop chain=forward comment="Blokowanie 30 dost\EApu do 10" \
dst-address=192.168.10.0/24 src-address=192.168.30.0/24
add action=drop chain=forward comment="Blokowanie 30 dost\EApu do 20" \
dst-address=192.168.20.0/24 src-address=192.168.30.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.20.0/24 \
src-address=192.168.1.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.1.0/24 \
src-address=192.168.10.0/24
add action=accept chain=forward disabled=yes dst-address=192.168.1.0/24 \
src-address=192.168.20.0/24
# L2TP Simple not ready
# NOTE(review): intended as "only RDP to 192.168.10.10" for the Simple
# binding, but the two matchers are ANDed: a packet is dropped only when
# BOTH dst-address != 192.168.10.10 AND dst-port != 3389.  Any other port on
# 192.168.10.10, and port 3389 on any other host, passes.  Two rules are
# needed: drop dst-address=!192.168.10.10, then drop dst-address=192.168.10.10
# dst-port=!3389.  As written these rules also drop this client's DNS to
# 192.168.10.1 and all its Internet traffic -- consistent with the symptom
# in the thread if the Simple account was the one tested; an accept for
# out-interface-list=WAN placed above them would keep Internet access.
add action=drop chain=forward comment="Simple -> do 730" dst-address=\
!192.168.10.10 dst-port=!3389 in-interface="L2TP Simple" protocol=tcp
# L2TP Simple not ready
add action=drop chain=forward comment="Simple -> do 730" dst-address=\
!192.168.10.10 dst-port=!3389 in-interface="L2TP Simple" protocol=udp
# *2000013 is the internal id of an interface list that no longer exists
# (only WAN and LAN are defined); these disabled rules reference nothing.
add action=drop chain=forward comment="Simple -> do 730" disabled=yes \
in-interface-list=*2000013 src-address=!192.168.10.10
add action=drop chain=input comment="Simple -> do 730" disabled=yes \
in-interface-list=*2000013 src-address=!192.168.10.10
# A MAC match only works while the host sits on a directly attached segment;
# the source MAC is not preserved across a routed hop.
add action=drop chain=forward comment="Komputer Ochroniarza - Dom-Komputer" \
src-mac-address=4C:80:93:65:D8:EE
# Layer7 match on the "Koparki" regexp; on 443 only the cleartext part of the
# TLS handshake can match.
add action=drop chain=forward comment="Blokowanie Koparki \"Coinhive\"" \
dst-port=80,443 layer7-protocol=Koparki protocol=tcp
# NOTE(review): neither input nor forward ends in a drop, so both are
# default-accept: the router's own services (winbox, see /ip service) and
# every LAN/VPN host are reachable from both uplinks unless a rule above
# drops them.  Consider `add chain=input action=drop in-interface-list=WAN`
# after the input accepts, and a forward drop for in-interface-list=WAN with
# connection-nat-state=!dstnat so the dst-nat targets keep working.
/ip firewall mangle
# Phones are steered to the telefony_rene routing table (a route with that
# mark exists in /ip route).
add action=mark-routing chain=prerouting new-routing-mark=telefony_rene \
passthrough=yes src-address=192.168.30.0/24
# NOTE(review): no route in this export carries routing-mark=L2TP, so this
# mark selects an empty table; which uplink the L2TP pool actually leaves
# through therefore depends on the main table (verify with
# /ip route print), and with it whether the out-interface="2 WMC" src-nat
# rule in /ip firewall nat ever matches.
add action=mark-routing chain=prerouting new-routing-mark=L2TP passthrough=\
yes src-address=10.20.20.0/24
/ip firewall nat
# Phones leave via "1 RENE" with the WAN1 address.
add action=masquerade chain=srcnat comment=\
"Telefony Rene -> dost\EAp do internetu (Maskarada)" out-interface=\
"1 RENE" src-address=192.168.30.0/24 src-address-list=Telefony_na_rene \
to-addresses=WAN1
# L2TP Simple not ready
# NOTE(review): no src-address matcher -- every new connection routed out
# through the Simple tunnel (i.e. towards that client) gets its source
# rewritten to the tunnel's local address.  If the intent was Internet
# access for the client, the matcher belongs on src-address=10.20.20.0/24
# with the WAN interface, as in the next rule.
add action=masquerade chain=srcnat out-interface="L2TP Simple"
# Fires only when the L2TP pool's traffic leaves via "2 WMC".  /ip route has
# no entry for routing-mark=L2TP (set in mangle) and the distance-1 default
# route uses gateway WAN1, so depending on which uplink WAN1 really is the
# traffic may exit via "1 RENE" and fall through to "Maskarada dla L2TP"
# below.  Verify with /ip route print and the connection table.
add action=src-nat chain=srcnat dst-address=0.0.0.0/0 out-interface="2 WMC" \
src-address=10.20.20.0/24 to-addresses=WAN2
add action=masquerade chain=srcnat comment="WAN1 -> Maskarada" disabled=yes \
out-interface="1 RENE"
add action=masquerade chain=srcnat comment=WAN2 disabled=yes out-interface=\
"2 WMC"
add action=masquerade chain=srcnat comment="Maskarada (Internet) dla 20" \
disabled=yes src-address=192.168.20.0/24
# NOTE(review): the masquerade rules from here on carry no out-interface, so
# they also rewrite the source of routed LAN-to-LAN and VPN-to-LAN
# connections (e.g. 10.20.20.x -> 192.168.10.10 arrives as 192.168.10.254).
# The target host's logs then show the router instead of the real client,
# and any per-client control on the server side cannot work.  Add
# out-interface-list=WAN to each of them.
add action=masquerade chain=srcnat comment=\
"Maskarada (Internet) dla Zegara RCP" src-address=192.168.20.232
add action=masquerade chain=srcnat comment=\
"Maskarada (Internet) dla Centralki Slican" src-address=192.168.20.2
add action=masquerade chain=srcnat comment="Maskarada (Internet) 10" \
src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="Maskarada 01" src-address=\
192.168.1.0/24
add action=masquerade chain=srcnat disabled=yes src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="Maskarada dla VPN-OVPN" \
src-address=10.10.10.0/24
add action=masquerade chain=srcnat comment="Maskarada dla L2TP" src-address=\
10.20.20.0/24
# Port forwards.  The SIP/RTP rules restrict src-address; the forwards to
# RDP (to-ports=3389 on dst-ports 14000, 12500, 12506, 12505 and 14283 on
# "1 RENE") accept connections from any Internet address.  Apply the same
# src-address restriction, or reach those hosts over the VPN this thread is
# setting up.
add action=dst-nat chain=dstnat comment="XPERTIS R520 5580 RENE " dst-port=\
5580 in-interface="1 RENE" protocol=tcp to-addresses=192.168.10.89 \
to-ports=5580
add action=dst-nat chain=dstnat comment="XPERTIS R520 5580 WMC" dst-port=5580 \
in-interface="2 WMC" protocol=tcp to-addresses=192.168.10.89 to-ports=\
5580
add action=dst-nat chain=dstnat comment="IBS WMC" disabled=yes dst-port=\
13021-13042 in-interface="2 WMC" protocol=tcp to-addresses=\
192.168.20.21-192.168.20.42 to-ports=80
add action=dst-nat chain=dstnat comment="SIP 5060 dla fortel" dst-port=5060 \
in-interface="2 WMC" log=yes protocol=udp src-address=212.122.223.98 \
to-addresses=192.168.20.2 to-ports=5060
add action=dst-nat chain=dstnat comment="RTP8100-8200 dla Fortel" dst-port=\
8100-8200 in-interface="2 WMC" log=yes protocol=udp src-address=\
212.122.223.98 to-addresses=192.168.20.250 to-ports=8100-8200
add action=dst-nat chain=dstnat comment="IBS RENE" disabled=yes dst-port=\
13021-13042 in-interface="1 RENE" protocol=tcp to-addresses=\
192.168.20.21-192.168.20.42 to-ports=80
add action=dst-nat chain=dstnat comment="RDP SQLTEST" dst-port=14000 \
in-interface="2 WMC" log=yes protocol=tcp to-addresses=192.168.10.17 \
to-ports=3389
add action=dst-nat chain=dstnat comment="CENTRALA SLICAN" dst-port=5525 \
in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.2 to-ports=5525
add action=dst-nat chain=dstnat comment="TESTOWY EXPERTIS 80" disabled=yes \
dst-port=12503 in-interface="2 WMC" protocol=tcp to-addresses=\
192.168.1.201 to-ports=80
add action=dst-nat chain=dstnat comment=SATEL dst-port=7090 in-interface=\
"2 WMC" protocol=tcp to-addresses=192.168.10.106 to-ports=7090
add action=dst-nat chain=dstnat comment="XPERTIS 80 WEB SERVICE" disabled=yes \
dst-port=12502 in-interface="2 WMC" protocol=tcp to-addresses=192.168.1.6 \
to-ports=12502
add action=dst-nat chain=dstnat comment="RDP AUXSERVER" dst-port=12500 \
in-interface="2 WMC" protocol=tcp to-addresses=192.168.10.90 to-ports=\
3389
add action=dst-nat chain=dstnat comment="RS812 SURV STATION" dst-port=5001 \
in-interface="2 WMC" protocol=tcp to-addresses=192.168.10.84 to-ports=\
5001
add action=dst-nat chain=dstnat comment="RDP TEST XPERTIS1" dst-port=12506 \
in-interface="2 WMC" protocol=tcp to-addresses=192.168.10.11 to-ports=\
3389
add action=dst-nat chain=dstnat comment=AXENCE dst-port=4436 in-interface=\
"2 WMC" protocol=tcp to-addresses=192.168.10.1 to-ports=4436
# Labelled RDP but forwards to 3989, not 3389 -- confirm which is intended.
add action=dst-nat chain=dstnat comment="RDP DELL-R520" dst-port=3989 \
in-interface="2 WMC" protocol=tcp to-addresses=192.168.10.89 to-ports=\
3989
add action=dst-nat chain=dstnat comment="POE SWITCH" disabled=yes dst-port=\
13043-13048 in-interface="2 WMC" protocol=tcp to-addresses=\
192.168.20.11-192.168.20.16 to-ports=80
add action=dst-nat chain=dstnat comment="TESTOWY EXPERTIS 5580" dst-port=\
12501 in-interface="2 WMC" protocol=tcp to-addresses=192.168.10.11 \
to-ports=5580
add action=dst-nat chain=dstnat comment="ZEWN\CATRZNE R730" dst-port=12505 \
in-interface="2 WMC" log=yes protocol=tcp to-addresses=192.168.10.10 \
to-ports=3389
add action=dst-nat chain=dstnat comment="DELL R510 14283 WMC" dst-port=14283 \
in-interface="2 WMC" protocol=tcp to-addresses=192.168.10.1 to-ports=\
14283
# Same service and port as the WMC rule above, but this one forwards to 3389
# while the WMC one forwards to 14283 -- one of the two is probably wrong.
add action=dst-nat chain=dstnat comment="DELL R510 14283 RENE" dst-port=14283 \
in-interface="1 RENE" protocol=tcp to-addresses=192.168.10.1 to-ports=\
3389
# Per-device IBS web UIs (all disabled; the range rules above cover them).
add action=dst-nat chain=dstnat comment="IBS WMC 1" disabled=yes dst-port=\
13021 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.21 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 2" disabled=yes dst-port=\
13022 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.22 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 3" disabled=yes dst-port=\
13023 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.23 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 4" disabled=yes dst-port=\
13024 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.24 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 5" disabled=yes dst-port=\
13025 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.25 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 6" disabled=yes dst-port=\
13026 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.26 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 7" disabled=yes dst-port=\
13027 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.27 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 8" disabled=yes dst-port=\
13028 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.28 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 9" disabled=yes dst-port=\
13029 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.29 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 10" disabled=yes dst-port=\
13030 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.30 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 11" disabled=yes dst-port=\
13031 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.31 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 12" disabled=yes dst-port=\
13032 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.32 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 13" disabled=yes dst-port=\
13033 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.33 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 14" disabled=yes dst-port=\
13034 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.34 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 15" disabled=yes dst-port=\
13035 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.35 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 16" disabled=yes dst-port=\
13036 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.36 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 17" disabled=yes dst-port=\
13037 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.37 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 18" disabled=yes dst-port=\
13038 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.38 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 19" disabled=yes dst-port=\
13039 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.39 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 20" disabled=yes dst-port=\
13040 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.40 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS WMC 21" disabled=yes dst-port=\
13041 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.41 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 1" disabled=yes dst-port=\
13021 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.21 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 2" disabled=yes dst-port=\
13022 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.22 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 3" disabled=yes dst-port=\
13023 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.23 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 4" disabled=yes dst-port=\
13024 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.24 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 5" disabled=yes dst-port=\
13025 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.25 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 6" disabled=yes dst-port=\
13026 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.26 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 7" disabled=yes dst-port=\
13027 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.27 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 8" disabled=yes dst-port=\
13028 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.28 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 9" disabled=yes dst-port=\
13029 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.29 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 10" disabled=yes dst-port=\
13030 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.30 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 11" disabled=yes dst-port=\
13031 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.31 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 12" disabled=yes dst-port=\
13032 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.32 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 13" disabled=yes dst-port=\
13033 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.33 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 14" disabled=yes dst-port=\
13034 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.34 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 15" disabled=yes dst-port=\
13035 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.35 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 16" disabled=yes dst-port=\
13036 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.36 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 17" disabled=yes dst-port=\
13037 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.37 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 18" disabled=yes dst-port=\
13038 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.38 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 19" disabled=yes dst-port=\
13039 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.39 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 20" disabled=yes dst-port=\
13040 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.40 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 21" disabled=yes dst-port=\
13041 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.41 \
to-ports=80
add action=dst-nat chain=dstnat comment="IBS RENE 22" disabled=yes dst-port=\
13042 in-interface="1 RENE" protocol=tcp to-addresses=192.168.20.42 \
to-ports=80
# Comment says RENE but the rule is on "2 WMC" (copy-paste); disabled anyway.
add action=dst-nat chain=dstnat comment="IBS RENE 22" disabled=yes dst-port=\
13042 in-interface="2 WMC" protocol=tcp to-addresses=192.168.20.42 \
to-ports=80
/ip ipsec peer
# Road-warrior peer for any source address in main mode for L2TP, with
# policies generated per client port.  NOTE(review): 3des is still in the
# offered list; drop it unless a known client depends on it.  No secret
# appears, consistent with an export that hides sensitive values.
add address=0.0.0.0/0 dh-group=modp2048 enc-algorithm=aes-256,aes-128,3des \
exchange-mode=main-l2tp generate-policy=port-override
/ip pool
# OVPN pools; each falls back to the other when exhausted.
add name=VPN-SIMPLE next-pool=VPN-IT ranges=10.10.10.21-10.10.10.50
add name=VPN-IT next-pool=VPN-SIMPLE ranges=10.10.10.10-10.10.10.20
/ip route
# NOTE(review): the comments pair "WMC" with WAN1 and "Rene" with WAN2, while
# /ip address puts WAN1 on "1 RENE" and WAN2 on "2 WMC"; with the real
# addresses replaced it cannot be told from the export which uplink is the
# distance-1 default.  There is no route for routing-mark=L2TP although the
# mangle chain assigns that mark.
add check-gateway=ping comment="Rene tagowane - telefony" distance=1 gateway=\
WAN2 routing-mark=telefony_rene
add check-gateway=ping comment="WMC nie tagowane" distance=1 gateway=\
WAN1
add check-gateway=ping comment="Rene nie tagowane" distance=4 gateway=\
WAN2
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=xxxx
set ssh disabled=yes
# NOTE(review): winbox accepts connections from any source address and the
# input chain has no terminating drop, so the winbox port is reachable from
# both uplinks.  Restrict address= to the management ranges (e.g.
# 192.168.10.0/24,10.20.20.0/24 from this config) and/or drop input from
# the WAN list.  api and api-ssl are not listed, so they are at their
# defaults -- check them as well.
set winbox address=0.0.0.0/0 port=xxxx
/mpls interface
add mpls-mtu=1522
/ppp profile
# OVPN clients get 192.168.10.1 then 8.8.8.8 as DNS and an address from VPN-IT.
add dns-server=192.168.10.1,8.8.8.8 local-address=10.10.10.1 name=OVPN \
remote-address=VPN-IT use-encryption=required
# *FFFFFFFE is the internal id of a built-in profile (presumably
# default-encryption, which the sstp-server and the "vpn" secret use);
# addressing it by id makes this line meaningful only on this unit.
set *FFFFFFFE local-address=192.168.1.1 remote-address=VPN-SIMPLE
/ppp secret
# NOTE(review): "vpn" and "It" carry no service=, so they are at the default
# and accepted by any PPP service; pin service= as the other secrets do.
# No passwords appear, consistent with a hide-sensitive export.
add name=vpn profile=default-encryption
add name=It profile=L2TP
add name=Grzegorz profile=OVPN service=ovpn
add name=Simple profile=L2TP service=l2tp
add name=Test123 profile=L2TP service=l2tp
add name=Andrzej profile=L2TP service=l2tp
/system clock
set time-zone-name=Europe/Warsaw
/system logging
# Shipped to the remote syslog action (192.168.10.84).  ipsec is included,
# which is useful for diagnosing the L2TP/IPsec client problems in this
# thread; "firewall" is not, so log=yes on rules is only kept locally
# unless it falls under info.
add action=remote topics=ipsec
add action=remote topics=critical
add action=remote topics=error
add action=remote topics=info
add action=remote topics=warning
/system ntp client
set enabled=yes primary-ntp=80.50.231.226 secondary-ntp=194.29.130.252
#error exporting /system routerboard mode-button
/system scheduler
# Disabled.  This is the "Securing_L2TP_Server_for_IPSec" wiki script: every
# 5s it copies the address of each active IPsec remote peer into the
# L2TP_Allowed address list and removes entries whose peer is gone, so that
# an input rule can accept udp/1701 only from L2TP_Allowed (i.e. only from
# clients that already have an IPsec SA).  No rule in this export references
# L2TP_Allowed, so enabling the schedule on its own changes nothing.  On
# this RouterOS version, requiring IPsec on the l2tp-server
# (use-ipsec=required) is the simpler way to get the same guarantee.  Note
# the one "if (\$InAL = 0)" line lacks the leading colon the other commands
# use.  Runs with policy read,write,policy,test,sensitive.
add comment="L2TP Secure" disabled=yes interval=5s name=\
"Skrypt Sprawdzajacy L2TP" on-event="# ------------------- header --------\
-----------\r\
\n# Script by Tomas Kirnak, version 1.0.2\r\
\n# If you use this script, or edit and\r\
\n# re-use it, please keep the header intact.\r\
\n#\r\
\n# For more information and details about\r\
\n# this script please visit the wiki page at\r\
\n# http://wiki.mikrotik.com/wiki/Securing_L2TP_Server_for_IPSec\r\
\n# ------------------- header -------------------\r\
\n{\r\
\n:local InAL 0\r\
\n:local InRP 0\r\
\n:local rawIp 0\r\
\n:local CurrentPeerIP 0\r\
\n\r\
\n:foreach i1 in [/ip ipsec remote-peers find] do={\r\
\n :set rawIp [/ip ipsec remote-peers get \$i1 remote-address]\r\
\n \r\
\n :if ([:len [:find \$rawIp \":\"]] = 0) do={\r\
\n :set CurrentPeerIP \$rawIp\r\
\n } else={\r\
\n :set CurrentPeerIP [:pick \$rawIp 0 [:find \$rawIp \":\"]]\r\
\n }\r\
\n\r\
\n :foreach i2 in [/ip firewall address-list find list=L2TP_Allowed addre\
ss=\$CurrentPeerIP] do={\r\
\n :set InAL 1\r\
\n }\r\
\n if (\$InAL = 0) do={/ip firewall address-list add list=L2TP_Allowed ad\
dress=\$CurrentPeerIP}\r\
\n :set InAL 0\r\
\n}\r\
\n\r\
\n:foreach i1 in [/ip firewall address-list find list=L2TP_Allowed] do={\r\
\n :set CurrentPeerIP [/ip firewall address-list get \$i1 address]\r\
\n\r\
\n :foreach i2 in [/ip ipsec remote-peers find] do={\r\
\n :set rawIp [/ip ipsec remote-peers get \$i2 remote-address]\r\
\n\t\r\
\n :if ([:len [:find \$rawIp \":\"]] = 0) do={\r\
\n :set CurrentPeerIP \$rawIp\r\
\n } else={\r\
\n :set CurrentPeerIP [:pick \$rawIp 0 [:find \$rawIp \":\"]]\r\
\n }\r\
\n \r\
\n :if (\$CurrentPeerIP = [/ip firewall address-list get \$i1 address])\
\_do={\r\
\n :set InRP 1\r\
\n\t}\r\
\n }\r\
\n :if (\$InRP = 0) do={/ip firewall address-list remove \$i1}\r\
\n :set InRP 0\r\
\n}\r\
\n}\r\
\n" policy=read,write,policy,test,sensitive start-date=nov/27/2017 \
start-time=09:43:29
add action=masquerade chain=srcnat out-interface="L2TP Simple"
add action=src-nat chain=srcnat dst-address=0.0.0.0/0 out-interface="2 WMC" \
src-address=10.20.20.0/24 to-addresses=WAN2
add action=masquerade chain=srcnat out-interface="L2TP Simple"
add action=src-nat chain=srcnat dst-address=0.0.0.0/0 out-interface="2 WMC" \
src-address=10.20.20.0/24 to-addresses=WAN2
Now, that config is a bit more complex than I expected it to be.
At first sight I found two issues:
I don't understand that one. It does not have any src- or dst-address matcher, and as it is pretty high up in your NAT section, it catches a lot of traffic.

add action=masquerade chain=srcnat out-interface="L2TP Simple"
Do you really want to have all traffic going out via that L2TP interface?
I guess you replaced the real address with WAN2 yourself, right?

add action=src-nat chain=srcnat dst-address=0.0.0.0/0 out-interface="2 WMC" \
    src-address=10.20.20.0/24 to-addresses=WAN2

If so, move that rule up. Currently all traffic is caught by the rule above - that's why it doesn't work.
-Chris