Community discussions

MikroTik App
 
Pisanisavich
just joined
Topic Author
Posts: 13
Joined: Mon Jan 12, 2015 9:10 pm

Need Help with SSTP Connection into VLAN. Also L2TP

Wed May 12, 2021 11:17 pm

SSTP -

I recently upgraded our Mikrotik equipment to RB4011's and With the help of @anav, @mkx and @erlinden. I was able to setup some VLANS. I have an SSTP connection from my house back to the office. I am able to connect and I can ping Mikrotik to Mikrotik So I Think I have something wrong with the routing.

L2TP-
When I connect to the office over L2TP/IPSEC I can ping the Mikrotik but nothing else. I am sending data but not receiving, is this an encapsulation issue? Do I need to set up a different type of connection?

Learning as fast as I can :)

Office SSTP Server Config
# may/12/2021 10:20:55 by RouterOS 6.45.9
# software id = 
#
# model = RB4011iGS+5HacQ2HnD
# serial number = 
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] frequency=auto mode=ap-bridge ssid=Office
/interface ethernet
set [ find default-name=ether1 ] mac-address=bb:73:6a:ec:33:a0
/interface l2tp-server
add name=Frank_L2TP user=John
add name=Gary_L2TP user=Sally
add name=Walter_L2TP user=Stephan
/interface vlan
add interface=BR1 name=Guest_VLAN vlan-id=45
add arp=proxy-arp interface=BR1 name=Office_VLAN vlan-id=44
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=VLAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    supplicant-identity=MikroTik
add authentication-types=wpa2-psk mode=dynamic-keys name=guest \
    supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan2 ] mode=ap-bridge security-profile=guest ssid=\
    Office_Guest
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc
add enc-algorithms=aes-256-cbc name=Home1
add enc-algorithms=aes-256-cbc name=Home
add enc-algorithms=aes-256-cbc name=Office
add enc-algorithms=aes-256-cbc,aes-256-ctr,3des name=L2TP/IpSec
/ip pool
add name=Office_POOL ranges=192.168.44.1-192.168.44.100
add name=Guest_POOL ranges=10.0.20.2-10.0.20.254
add name=L2TP-Pool ranges=192.168.44.180-192.168.44.189
add name=SSTP_Server_Pool ranges=10.0.0.1-10.0.0.5
add name="SSTP Remote Pool" ranges=10.0.0.10-10.0.0.15
add name=DMZ-Pool ranges=172.16.15.2-172.16.15.6
/ip dhcp-server
add address-pool=Office_POOL interface=Office_VLAN name=Office_DHCP
add address-pool=Guest_POOL disabled=no interface=Guest_VLAN name=Guest_DHCP
/ppp profile
add change-tcp-mss=yes dns-server=192.168.44.252,192.168.44.254 \
    local-address=192.168.44.254 name=L2TP remote-address=L2TP-Pool \
    use-encryption=yes
add change-tcp-mss=yes dns-server=192.168.44.252,192.168.44.254 \
    local-address=192.168.44.254 name=SSTP-Profile remote-address=L2TP-Pool \
    use-encryption=yes
add local-address=SSTP_Server_Pool name=SSTP-VPN remote-address=\
    "SSTP Remote Pool" use-encryption=yes
add change-tcp-mss=yes local-address=10.0.0.1 name=SSTP-Video remote-address=\
    10.0.0.2 use-encryption=yes
add bridge=BR1 change-tcp-mss=yes local-address=10.0.0.1 name=profile1 \
    remote-address=10.0.0.4 use-encryption=yes
/system logging action
add disk-file-name=Attack disk-lines-per-file=50000 name=AttackLog target=\
    disk
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether2 pvid=44
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether3 pvid=44
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan1 pvid=44
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether4 pvid=45
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=wlan2 pvid=45
/interface bridge vlan
add bridge=BR1 tagged=BR1 untagged=ether2,ether3,wlan1 vlan-ids=44
add bridge=BR1 tagged=BR1 untagged=ether4,wlan2 vlan-ids=45
/interface l2tp-server server
set authentication=mschap2 default-profile=L2TP enabled=yes use-ipsec=\
    required
/interface list member
add interface=ether1 list=WAN
add interface=Office_VLAN list=VLAN
add interface=Guest_VLAN list=VLAN
/interface sstp-server server
set authentication=mschap2 default-profile=SSTP-Video enabled=yes port=4443
/ip address
add address=192.168.44.254/24 interface=Office_VLAN network=192.168.44.0
add address=10.0.20.1/24 interface=Guest_VLAN network=10.0.20.0
add address=12.34.167.189/30 interface=ether1 network=12.34.167.188
/ip dhcp-server network
add address=10.0.20.0/24 dns-server=192.168.44.254 gateway=10.0.20.1
add address=192.168.44.0/24 dns-server=192.168.44.254 gateway=192.168.44.254
/ip dns
set allow-remote-requests=yes servers=208.67.220.220,208.67.222.222
/ip firewall address-list
add address=119.60.5.37 list="Port Scanner"
add address=45.129.136.15 list="Port Scanner"
add address=89.248.165.6 list="Port Scanner"
/ip firewall filter
add action=log chain=forward log=yes log-prefix=Attack src-address=\
    89.187.171.246
add action=drop chain=forward src-address=89.187.171.246
add action=drop chain=forward disabled=yes src-address=75.143.105.46
add action=drop chain=input src-address=89.187.171.246
add action=drop chain=input in-interface-list=WAN src-address-list=\
    "Port Scanner"
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment=\
    "Port scanners to block List" in-interface-list=WAN protocol=tcp psd=\
    20,3s,3,1 tcp-flags=""
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment=\
    "NMAP FIN Stealth scan" in-interface-list=WAN protocol=tcp psd=20,3s,3,1 \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="SYN/FIN scan" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="SYN/RST scan" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment=\
    "FIN/PSH/URG scan - Block TCP Null scan" in-interface-list=WAN protocol=\
    tcp psd=20,3s,3,1 tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="ALL/ALL scan" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment=\
    "Block TCP Xmas scan" in-interface-list=WAN protocol=tcp psd=20,3s,3,1 \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="NMAP NULL scan" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="Drop TCP RST" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=rst
add action=drop chain=input comment="dropping port scanners" \
    in-interface-list=WAN src-address-list="Port Scanner"
add action=drop chain=input comment="Drop pings" connection-mark=ping \
    in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "only admin should be able to fully access the router" protocol=icmp
add action=accept chain=input comment="(only provide access to lan users for s\
    pecific services, most common -DNS SERVICES, NTP services" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="(only provide access to lan users for s\
    pecific services, most common -DNS SERVICES, NTP services" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="(only provide access to lan users for s\
    pecific services, most common -DNS SERVICES, NTP services" dst-port=8291 \
    in-interface-list=VLAN protocol=tcp
add action=drop chain=input comment="\"drop all else\""
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow port forwarding - optional rule\
    \_can be disabled if no port forwarding is used" connection-nat-state=\
    dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="VLAN inter-VLAN routing" \
    connection-state=new disabled=yes in-interface-list=VLAN src-address=\
    192.168.254.100
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward disabled=yes out-interface-list=WAN protocol=\
    tcp src-address=192.168.9.2
add action=drop chain=forward comment=\
    "Drop all traffic that goes to multicast or broadcast addresses" \
    dst-address-type=broadcast,multicast
add action=drop chain=forward comment=Drop
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade" \
    out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip ipsec policy
set 0 proposal=L2TP/IpSec
/ip route
add distance=1 gateway=12.34.167.188
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
add name=Walter profile=L2TP service=l2tp
add name=Frank profile=L2TP service=l2tp
add name=SSTP profile=SSTP-Profile service=sstp
add name=User1 profile=profile1 service=sstp
/system clock
set time-zone-autodetect=no time-zone-name=America/Chicago
/system identity
set name=Office
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
add action=AttackLog prefix=Attack topics=firewall
Home SSTP Client
# may/12/2021 10:47:10 by RouterOS 6.48.1
# software id = 
#
# model = RB4011iGS+5HacQ2HnD
# serial number = 
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik station-roaming=enabled
set [ find default-name=wlan2 ] ssid=MikroTik station-roaming=enabled
/caps-man interface
add disabled=no mac-address=ae:63:b7:0e:4d:cf master-interface=none name=\
    cap11 radio-mac=ae:63:b7:0e:4d:cf radio-name=744D28040D89
/interface vlan
add interface=BR1 name=APPLE_VLAN vlan-id=100
add interface=BR1 name=HOME_VLAN vlan-id=40
add interface=BR1 name=GUEST_VLAN vlan-id=50
add interface=BR1 name=IOT_VLAN vlan-id=70
add interface=BR1 name=MGMT_VLAN vlan-id=24
add interface=BR1 name=QNAP_VLAN vlan-id=80
add disabled=yes interface=BR1 name=Office_VLAN vlan-id=44
add interface=BR1 name=SECURITY_VLAN vlan-id=30
add interface=BR1 name=SONOS_VLAN vlan-id=90
add interface=BR1 name=TV_VLAN vlan-id=60
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=Guest
add authentication-types=wpa2-psk encryption=aes-ccm name=IOT_Sec
add authentication-types=wpa2-psk encryption=aes-ccm name=TV_Sec
add authentication-types=wpa2-psk encryption=aes-ccm name="IP_Cam_Sec "
add authentication-types=wpa2-psk encryption=aes-ccm name=HOME_Sec
add authentication-types=wpa2-psk encryption=aes-ccm name=MGMT_Config
add authentication-types=wpa2-psk encryption=aes-ccm name=Apple_Sec
add authentication-types=wpa2-psk encryption=aes-ccm name=Sonos_Security
/caps-man configuration
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=40 \
    datapath.vlan-mode=use-tag installation=indoor mode=ap name=Config_Home \
    security=HOME_Sec ssid=HOME
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=70 \
    datapath.vlan-mode=use-tag hide-ssid=yes mode=ap name=Config_GUEST \
    security=Guest ssid=HOME_Guest
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=70 \
    datapath.vlan-mode=use-tag hide-ssid=yes name=Config_IOT security=IOT_Sec \
    ssid=IOT
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=60 \
    datapath.vlan-mode=use-tag hide-ssid=no mode=ap name=Config_TV security=\
    TV_Sec ssid=TV
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=24 \
    datapath.vlan-mode=use-tag hide-ssid=yes installation=indoor mode=ap \
    name=MGMT_Config security=MGMT_Config ssid=Linksys1492
add country="united states" datapath.local-forwarding=yes datapath.vlan-id=90 \
    datapath.vlan-mode=use-tag hide-ssid=yes installation=indoor mode=ap \
    name=Config_Sonos security=Sonos_Security ssid=Radio
/caps-man interface
add comment=5G configuration=MGMT_Config disabled=no l2mtu=1600 mac-address=\
    a3:ba:5e:5c:64:2e master-interface=none name=cap1 radio-mac=\
    a3:ba:5e:5c:64:2e radio-name=A3BA5E5C642E
add comment=HaP configuration=Config_IOT configuration.hide-ssid=yes \
    disabled=yes l2mtu=1600 mac-address=b6:99:ac:96:3e:21 master-interface=\
    none name=cap6 radio-mac=b6:99:ac:96:3e:21 radio-name=B699AC963E21
add comment=Home configuration=Config_Home disabled=no l2mtu=1600 \
    mac-address=f0:57:07:7d:37:e5 master-interface=none name=cap7 radio-mac=\
    f0:57:07:7d:37:e5 radio-name=F057077D37E5
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add name=WAN
add name=VLAN
add name=MGMT
/caps-man configuration
add country="united states" datapath.client-to-client-forwarding=yes \
    datapath.interface-list=VLAN datapath.local-forwarding=yes \
    datapath.vlan-id=100 datapath.vlan-mode=use-tag hide-ssid=yes \
    installation=indoor mode=ap name=Config_Apple security=Apple_Sec ssid=\
    Orange
/caps-man datapath
add bridge=BR1 interface-list=VLAN local-forwarding=yes name=HOME_Vlan \
    vlan-id=40 vlan-mode=use-tag
add bridge=BR1 interface-list=VLAN local-forwarding=yes name=TV_Vlan vlan-id=\
    60 vlan-mode=use-tag
/caps-man interface
add comment=WaP configuration=Config_Home configuration.installation=outdoor \
    datapath=HOME_Vlan disabled=no l2mtu=1600 mac-address=\
    43:e7:8f:32:26:cf master-interface=none name=cap5 radio-mac=\
    43:e7:8f:32:26:cf radio-name=43E78F3226CF
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=SECURITY_POOL ranges=192.168.1.2-192.168.1.50
add name=HOME_POOL ranges=192.168.222.1-192.168.222.100
add name=GUEST_POOL ranges=192.168.9.2-192.168.9.100
add name=TV_POOL ranges=192.168.253.2-192.168.253.100
add name=IOT_POOL ranges=192.168.254.2-192.168.254.100
add name=QNAP_POOL ranges=192.168.22.2-192.168.22.10
add name=SONOS_POOL ranges=192.168.100.2-192.168.100.10
add name=APPLE_POOL ranges=192.168.200.2-192.168.200.10
add name=MGMT_POOL ranges=10.8.12.10-10.8.12.20
/ip dhcp-server
add address-pool=SECURITY_POOL disabled=no interface=SECURITY_VLAN name=\
    SECURITY_DHCP
add address-pool=HOME_POOL disabled=no interface=HOME_VLAN name=\
    HOME_DHCP
add address-pool=GUEST_POOL disabled=no interface=GUEST_VLAN name=GUEST_DHCP
add address-pool=TV_POOL disabled=no interface=TV_VLAN name=TV_DHCP
add address-pool=IOT_POOL disabled=no interface=IOT_VLAN name=IOT_DHCP
add address-pool=SONOS_POOL disabled=no interface=SONOS_VLAN name=SONOS_DHCP
add address-pool=APPLE_POOL disabled=no interface=APPLE_VLAN name=APPLE_DHCP
add address-pool=MGMT_POOL disabled=no interface=MGMT_VLAN name=MGMT_DHCP
add address-pool=QNAP_POOL disabled=no interface=QNAP_VLAN name=QNAP_DHCP
/ppp profile
add bridge=BR1 interface-list=VLAN local-address=10.0.0.4 name=SSTP \
    remote-address=10.0.0.1 use-encryption=yes
/interface sstp-client
add authentication=chap,mschap2 connect-to=12.34.167.189:4443 disabled=no \
    name=Office-SSTP profile=SSTP user=User1 \
    verify-server-address-from-certificate=no
/system logging action
add disk-file-name=QNAP disk-lines-per-file=10000 name=Qnap target=disk
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man manager
set ca-certificate=auto certificate=auto enabled=yes upgrade-policy=\
    suggest-same-version
/caps-man provisioning
add disabled=yes master-configuration=Config_Home
add action=create-dynamic-enabled comment=951 master-configuration=Config_TV \
    radio-mac=80:2d:0d:91:01:6c slave-configurations=\
    Config_Apple,Config_Sonos
add action=create-dynamic-enabled comment=5G master-configuration=MGMT_Config \
    radio-mac=9d:35:b7:84:f7:ec
add action=create-dynamic-enabled comment=HaP master-configuration=Config_IOT \
    radio-mac=e1:d8:a2:c7:c9:4f
add action=create-dynamic-enabled comment=Cloud9 master-configuration=\
    Config_Home radio-mac=57:f9:19:d3:4c:5a
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether2
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether3
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether4
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether5
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether6
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether7
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether8 pvid=80
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether9 pvid=80
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
    ingress-filtering=yes interface=ether10 pvid=100
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface bridge vlan
add bridge=BR1 tagged=ether2,ether3,ether4,ether5,ether6,ether7,ether8 \
    vlan-ids=30
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 \
    vlan-ids=40
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 \
    vlan-ids=50
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 \
    vlan-ids=60
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7 vlan-ids=\
    80
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 \
    vlan-ids=90
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 \
    vlan-ids=100
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 \
    vlan-ids=24
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 \
    vlan-ids=70
/interface list member
add interface=ether1 list=WAN
add interface=GUEST_VLAN list=VLAN
add interface=IOT_VLAN list=VLAN
add interface=MGMT_VLAN list=VLAN
add interface=SECURITY_VLAN list=VLAN
add interface=TV_VLAN list=VLAN
add interface=MGMT_VLAN list=MGMT
add interface=QNAP_VLAN list=VLAN
add interface=APPLE_VLAN list=VLAN
add interface=SONOS_VLAN list=VLAN
add interface=HOME_VLAN list=VLAN
/ip address
add address=10.8.12.254/24 interface=MGMT_VLAN network=10.8.12.0
add address=192.168.1.1/24 interface=SECURITY_VLAN network=192.168.1.0
add address=192.168.222.254/24 interface=HOME_VLAN network=192.168.222.0
add address=192.168.44.50/24 interface=Office_VLAN network=192.168.44.0
add address=192.168.9.254/24 interface=GUEST_VLAN network=192.168.9.0
add address=192.168.253.254/24 interface=TV_VLAN network=192.168.253.0
add address=192.168.254.254/24 interface=IOT_VLAN network=192.168.254.0
add address=192.168.22.254/24 interface=QNAP_VLAN network=192.168.22.0
add address=192.168.100.254/24 interface=SONOS_VLAN network=192.168.100.0
add address=192.168.200.254/24 interface=APPLE_VLAN network=192.168.200.0
/ip dhcp-client
add !dhcp-options disabled=no interface=ether1 use-peer-dns=no use-peer-ntp=\
    no
/ip dhcp-server lease
/ip dhcp-server network
add address=10.8.12.0/24 dns-server=10.8.12.254 gateway=10.8.12.254
add address=192.168.1.0/24 dns-server=192.168.1.254 gateway=192.168.1.254
add address=192.168.9.0/24 dns-server=192.168.9.254 gateway=192.168.9.254
add address=192.168.22.0/24 dns-server=192.168.22.254 gateway=192.168.22.254
add address=192.168.100.0/24 dns-server=192.168.100.254 gateway=\
    192.168.100.254
add address=192.168.200.0/24 dns-server=192.168.200.254 gateway=\
    192.168.200.254
add address=192.168.222.0/24 dns-server=192.168.222.254 gateway=\
    192.168.222.254
add address=192.168.253.0/24 dns-server=192.168.253.254 gateway=\
    192.168.253.254
add address=192.168.254.0/24 dns-server=192.168.254.254 gateway=\
    192.168.254.254
/ip dns
set allow-remote-requests=yes servers=208.67.220.220,208.67.222.222
/ip firewall filter
add action=drop chain=input in-interface-list=WAN src-address-list=\
    "Port Scanner"
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment=\
    "Port scanners to block List" in-interface-list=WAN protocol=tcp psd=\
    20,3s,3,1 tcp-flags=""
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment=\
    "NMAP FIN Stealth scan" in-interface-list=WAN protocol=tcp psd=20,3s,3,1 \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="SYN/FIN scan" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="SYN/RST scan" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment=\
    "FIN/PSH/URG scan - Block TCP Null scan" in-interface-list=WAN protocol=\
    tcp psd=20,3s,3,1 tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="ALL/ALL scan" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment=\
    "Block TCP Xmas scan" in-interface-list=WAN protocol=tcp psd=20,3s,3,1 \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="NMAP NULL scan" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanner" \
    address-list-timeout=none-static chain=input comment="Drop TCP RST" \
    in-interface-list=WAN protocol=tcp psd=20,3s,3,1 tcp-flags=rst
add action=drop chain=input comment="dropping port scanners" \
    in-interface-list=WAN src-address-list="Port Scanner"
add action=drop chain=input comment="Drop pings" connection-mark=ping \
    in-interface-list=WAN
add action=accept chain=input protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "only admin should be able to fully access the router" protocol=icmp
add action=accept chain=input comment="(only provide access to lan users for s\
    pecific services, most common -DNS SERVICES, NTP services" dst-port=53 \
    in-interface-list=VLAN protocol=udp
add action=accept chain=input comment="(only provide access to lan users for s\
    pecific services, most common -DNS SERVICES, NTP services" dst-port=53 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="(only provide access to lan users for s\
    pecific services, most common -DNS SERVICES, NTP services" dst-port=8291 \
    in-interface-list=VLAN protocol=tcp
add action=accept chain=input comment="Allow MGMT_Vlan Full Access" \
    in-interface=MGMT_VLAN
add action=drop chain=input comment="\"drop all else\""
add action=accept chain=forward comment=\
    "defconf: accept all that matches IPSec policy" disabled=yes \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow port forwarding - optional rule\
    \_can be disabled if no port forwarding is used" connection-nat-state=\
    dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=drop chain=forward comment="Block IOT out of WAN" disabled=yes \
    in-interface=IOT_VLAN out-interface-list=WAN
add action=drop chain=forward comment="Block QNAP out of WAN" in-interface=\
    QNAP_VLAN log=yes log-prefix=QNAP_Out out-interface-list=WAN
add action=accept chain=forward comment="Allow  TV out of WAN .99" disabled=\
    yes in-interface=TV_VLAN out-interface-list=WAN src-address=\
    192.168.253.99
add action=drop chain=forward comment="Block TV out of WAN" disabled=yes \
    in-interface=TV_VLAN out-interface-list=WAN
add action=accept chain=forward comment="VLAN inter-VLAN routing" \
    connection-state=new in-interface-list=VLAN src-address=192.168.254.100
add action=accept chain=forward comment="Allow access to Server on HOME_VLAN" \
    connection-state=new dst-port=8080 in-interface-list=VLAN out-interface=\
    HOME_VLAN protocol=tcp
add action=accept chain=forward comment="Allow access to Server on QNAP_VLAN" \
    connection-state=new in-interface=HOME_VLAN out-interface=QNAP_VLAN
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=drop chain=forward out-interface-list=WAN protocol=tcp \
    src-address=192.168.9.2
add action=drop chain=forward comment=\
    "Drop all traffic that goes to multicast or broadcast addresses" \
    dst-address-type=broadcast,multicast
add action=drop chain=forward comment=Drop
add action=drop chain=input comment="drop all else"
/ip firewall nat
add action=masquerade chain=srcnat comment=Masquerade out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 dst-address=192.168.44.0/24 gateway=10.0.0.1
add distance=1 dst-address=192.168.44.0/24 gateway=Office-SSTP
/ppp secret
add name=ppp1
add name=John
add name=Serra
add name=Stephan
add name=Liz
add name=Pierce
add disabled=yes name=Taylor
/system clock
set time-zone-name=America/New_York
/system identity
set name=4011
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
    d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/system logging
add action=Qnap disabled=yes prefix=QNAP_Out
Last edited by Pisanisavich on Sun Jun 06, 2021 5:59 am, edited 1 time in total.
 
Pisanisavich
just joined
Topic Author
Posts: 13
Joined: Mon Jan 12, 2015 9:10 pm

Re: Need Help with SSTP Connection into VLAN. Also L2TP

Thu May 13, 2021 4:26 pm

Do I need to set up an EoIP Tunnel?

Who is online

Users browsing this forum: Bing [Bot], rolling and 38 guests