Port 2,3,4,5 under a bridge, DHCP enabled
DHCP Pool 192.168.14.0/24, Gateway's IP (Bridge) 192.168.14.20, Proxy-ARP enabled
There's a server with IP 192.168.14.11. All internal clients can access just fine.
I have one PPTP client set up. It connects fine and gets IP 192.168.13.21 (coming in through the MikroTik's PPPoE interface), but it cannot ping 192.168.14.11. It should be able to ping it directly, right?
I will post specific config if requested. Please help.
Here's the general config:
# may/04/2021 19:23:39 by RouterOS 6.48.2
# software id = XXX
#
# model = RB450Gx4
# serial number = XXX
# Base setup: one bridge for the LAN ports, the PPPoE uplink on ether1, the address
# pools for DHCP and VPN, the LAN DHCP server and the PPP profile.
/interface bridge
# arp=proxy-arp makes the bridge answer ARP requests on behalf of hosts it reaches
# through other interfaces.
# NOTE(review): the VPN pool below is 192.168.13.x while the LAN is 192.168.14.x, so
# VPN <-> LAN traffic is routed rather than ARP-proxied; confirm proxy-arp is needed.
add admin-mac=XXXXX arp=proxy-arp auto-mac=no comment="Bridge for All LAN Interfaces" name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="Internet Port for PPPoE"
# NOTE(review): ether2 and ether4 are bridge ports (see /interface bridge port), so
# ARP for them is presumably handled on the bridge interface and arp=proxy-arp here
# likely has no effect -- confirm.
set [ find default-name=ether2 ] arp=proxy-arp comment="LAN ports under Bridge"
set [ find default-name=ether4 ] arp=proxy-arp comment="Ether 4 -- Fingerprint 192.168.14.11"
/interface pppoe-client
# Internet uplink; add-default-route=yes asks for a default route via this session.
# No password= appears on this line (redacted by the poster or hidden by the export).
add add-default-route=yes comment=Internet disabled=no interface=ether1 name="PPPoE" user=AAA
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# default-dhcp (192.168.88.x) is not referenced by the DHCP server below, which uses
# CK-DHCP; CK-VPN is the range handed to PPP sessions by the profile below.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=CK-DHCP ranges=192.168.14.60-192.168.14.254
add name=CK-VPN ranges=192.168.13.21-192.168.13.254
/ip dhcp-server
# Leases for the LAN come from CK-DHCP (192.168.14.60-254) on the bridge.
add address-pool=CK-DHCP disabled=no interface=bridge lease-time=1d10m name=defconf
/ppp profile
# *0 is an internal item id, presumably the built-in default profile -- confirm.
# Both the local and the remote tunnel address are taken from the CK-VPN pool.
# NOTE(review): no use-encryption= is shown here; confirm that the profile used by
# the VPN servers requires encryption.
set *0 local-address=CK-VPN remote-address=CK-VPN
# Bridge membership, interface lists, the three VPN servers, router addresses,
# DHCP client/server networks and DNS.
/interface bridge port
# ether2-ether5 are the LAN ports; ether1 stays outside the bridge as the uplink.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
/ip neighbor discovery-settings
# Neighbor discovery is limited to the LAN list, so it does not run on the WAN side.
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
# NOTE(review): with use-ipsec=yes RouterOS 6 still accepts L2TP sessions that do not
# use IPsec; use-ipsec=required rejects them. Consider "required" if every client is
# meant to be encrypted. No ipsec-secret= is shown in this export.
set enabled=yes use-ipsec=yes
/interface list member
# Only the bridge is in LAN; dynamic VPN interfaces are in neither list.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface="PPPoE" list=WAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
# NOTE(review): PPTP depends on MS-CHAPv2/MPPE, which is considered cryptographically
# weak. L2TP/IPsec and SSTP are also enabled in this export; consider moving clients
# to one of those and disabling PPTP.
set enabled=yes
/interface sstp-server server
# NOTE(review): no certificate= is shown; confirm a server certificate is configured
# so that clients can authenticate the router.
set enabled=yes
/ip address
# 192.168.88.1 is disabled; 192.168.14.20 is the LAN gateway address on the bridge.
add address=192.168.88.1/24 comment="Ethernet 2" disabled=yes interface=bridge network=192.168.88.0
add address=192.168.14.20/24 comment=defconf interface=bridge network=192.168.14.0
# NOTE(review): this puts the VPN subnet on the LAN bridge, so the router also treats
# 192.168.13.0/24 as directly attached to the LAN. PPP sessions normally bring their
# own per-client addresses and routes -- confirm this static address is intended.
add address=192.168.13.20/24 comment=defconf interface=bridge network=192.168.13.0
/ip dhcp-client
# NOTE(review): ether1 carries the PPPoE session; a DHCP client on the raw port would
# also take a lease from whatever answers on that segment -- confirm it is needed.
add comment=defconf disabled=no interface=ether1
/ip dhcp-server network
# The 192.168.88.0/24 entry matches no enabled address or pool in use above.
add address=192.168.14.0/24 comment=defconf gateway=192.168.14.20
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# allow-remote-requests=yes turns the router into a resolver for any client the input
# chain lets through. In this export the input chain accepts 192.168.14.0/24 and ends
# with a drop, so the exposure depends entirely on those firewall rules staying in place.
set allow-remote-requests=yes servers=203.142.82.222
/ip dns static
# Points at 192.168.88.1, the address that is disabled under /ip address above.
add address=192.168.88.1 comment=defconf name=router.lan
# Filter rules are evaluated top to bottom per chain; the first matching accept/drop
# wins, so the order below is part of the policy.
/ip firewall filter
# VPN server ports opened to every source: PPTP (tcp/1723 + GRE), SSTP (tcp/443),
# L2TP/IPsec (ESP, udp/500,1701,4500).
# NOTE(review): udp/1701 is open to all sources, so plain L2TP without IPsec can reach
# the server; see the use-ipsec setting under /interface l2tp-server server.
add action=accept chain=input comment="Allow PPTP" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input comment="Allow SSTP" dst-port=443 protocol=tcp
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" dst-port=500,1701,4500 protocol=udp
# NOTE(review): the management port is reachable from any source address. Consider
# limiting this rule with src-address= / src-address-list= to known admin addresses,
# or removing it and reaching Winbox only through the VPN.
add action=accept chain=input comment="Allow Winbox from Internet" dst-port=8291 protocol=tcp
add chain=input comment="Accept Established / Related Input" connection-state=established,related
# Accepts everything from 192.168.14.0/24 to the router. The VPN range 192.168.13.0/24
# is not matched, so new connections from VPN clients to the router itself (ping, DNS)
# fall through to the final input drop; only the ports accepted above are reachable.
add action=accept chain=input comment="Allow Management Input" src-address=192.168.14.0/24
# The forward chain contains only this accept, the ssh_blacklist drop below and a
# disabled fasttrack rule. There is no closing drop, so forwarded traffic that matches
# nothing is accepted: this filter does not block VPN client -> 192.168.14.11.
# NOTE(review): for the same reason it does not block new WAN -> LAN connections; the
# stock defconf carries a "drop all from WAN not DSTNATed" forward rule for that.
add chain=forward comment="Accept Established / Related Forward" connection-state=established,related
# FTP rate limiting: the output rules watch the router's own "530 Login incorrect"
# replies; replies within the dst-limit are accepted, the next one puts the destination
# into ftp_blacklist for 3h, and this input rule drops blacklisted sources on tcp/21.
# Sources in 192.168.14.0/24 are accepted earlier and never reach this drop.
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
# SSH staging ladder, listed highest stage first so one new connection advances a
# source by a single stage: new -> ssh_stage1 -> ssh_stage2 -> ssh_stage3 (1m each),
# and a further new connection while in ssh_stage3 adds the source to ssh_blacklist
# for 1w3d. No rule accepts tcp/22 from outside 192.168.14.0/24, so these connections
# end at the final input drop either way.
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=\
ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
# Default-deny for traffic addressed to the router.
# NOTE(review): log-prefix is set but no log=yes appears, so these drops are
# presumably not logged -- confirm.
add action=drop chain=input comment="Drop Input" log-prefix="Input Drop"
# Disabled, so no connections are fasttracked.
add action=fasttrack-connection chain=forward comment="Fast Track Established / Related Forward" connection-state=established,related disabled=yes
# Source NAT for the LAN (192.168.14.0/24) and VPN (192.168.13.0/24) ranges, applied
# only to traffic leaving through an interface in the WAN list.
# Traffic from a VPN client to a LAN host does not leave via WAN, so it is not
# masqueraded and 192.168.14.11 sees the client's 192.168.13.x source address.
# NOTE(review): that host then needs a route back (e.g. default gateway 192.168.14.20)
# and a local firewall that accepts 192.168.13.0/24 -- worth checking for the ping
# problem described in the post.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN src-address=192.168.14.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN src-address=192.168.13.0/24