Community discussions

MikroTik App
 
mo8a
newbie
Topic Author
Posts: 27
Joined: Thu Aug 05, 2021 5:12 pm

i can't ping wan interface from LAN

Fri Aug 06, 2021 12:52 pm

hello friends

please i need help, i have a mikroutik hap ac2, i had plug it to an ISP modem that give to the WAN interface a DHCP address 192.168.1.25....
the probleme, i can't ping from my lan this address.
the config line are :
 ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                     
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    ether2                                                                        
 1   xx.xx.xx.xx/25     xx.xx.xx.xx     ether5                                                                        
 2 D 192.168.1.25/24    192.168.1.0     ether1
and also for ip route :
ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.1.1               1
 1 ADC  xx.xx.xx.xx/25     xx.xx.xx.xx     bridge                    0
 2 ADC  192.168.1.0/24     192.168.1.25    ether1                    0
 3 A S  192.168.1.1/32     0.0.0.0         ether1                    1
 4 ADC  192.168.88.0/24    192.168.88.1    bridge                    0
and for nat firewall :
ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=accept src-address=xx.xx.xx.xx/25 dst-address=xx.xx.xx.xx/16 log=no log-prefix="" 

 1    chain=srcnat action=src-nat to-addresses=xx.xx.xx.xx/25 dst-address=xx.xx.xx.xx/16 

 2 X  chain=srcnat action=src-nat to-addresses=xx.xx.xx.xx/16 dst-address=xx.xx.xx.xx/25 

 3    chain=srcnat action=masquerade log=no log-prefix="" 

 4    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none 

and for firewall rules :
 ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    chain=input action=accept protocol=udp dst-port=500 log=no log-prefix="" 

 2    chain=output action=accept protocol=udp dst-port=500 log=no log-prefix="" 

 3    chain=input action=accept protocol=udp dst-port=4500 log=no log-prefix="" 

 4    chain=output action=accept protocol=udp dst-port=4500 log=no log-prefix="" 

 5    chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 

 6    chain=output action=accept protocol=ipsec-esp log=no log-prefix="" 

 7    ;;; defconf: accept established,related,untracked
      chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 

 8    ;;; defconf: drop invalid
      chain=input action=drop connection-state=invalid 

 9    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp 

10    ;;; defconf: accept to local loopback (for CAPsMAN)
      chain=input action=accept dst-address=127.0.0.1 

11    ;;; defconf: drop all not coming from LAN
      chain=input action=drop in-interface-list=!LAN 

12    ;;; defconf: accept in ipsec policy
      chain=forward action=accept log=no log-prefix="" ipsec-policy=in,ipsec 

13    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

14    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection connection-state=established,related 

15    ;;; defconf: accept established,related, untracked
      chain=forward action=accept connection-state=established,related,untracked 

16    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid 

17    ;;; defconf: drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN 

thanks for advance for your help
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 12:58 pm

i can't ping from my lan this address.
What LAN?
The lan of ISP modem?


You must convert the hAP ac^2 from router to plain switch + access point, because already your router do NAT?

What is for, and where it come the censored IP on ether5?

do not use print, are useless,
use export instead
 
mo8a
newbie
Topic Author
Posts: 27
Joined: Thu Aug 05, 2021 5:12 pm

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 1:17 pm

i can't ping from my lan this address.
What LAN?
The lan of ISP modem?


You must convert the hAP ac^2 from router to plain switch + access point, because already your router do NAT?

What is for, and where it come the censored IP on ether5?

do not use print, are useless,
use export instead

thanks for your reply, i use it as a router for an IPSEC tunnel. and i need internet for the LAN also., i had shared a topic about my probleme with the tunnel and i think is because i can't ping the " either1 interface"
the link for the other topic is : viewtopic.php?f=13&t=177371

the export configuration is :
export
# aug/06/2021 12:05:22 by RouterOS 6.47.10
# software id = 
#
# model = RBD52G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=ZZ.ZZ.ZZ.ZZ.ZZ to-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=MikroTik-77D1EA wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-77D1EB wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
set [ find default=yes ] use-responder-dns=no
/ip ipsec profile
add dh-group=modp1024 dpd-interval=5s dpd-maximum-failures=100 enc-algorithm=aes-256,aes-128 lifetime=6h name=\
    IKE_Crypto
/ip ipsec peer
add address=P.P.P.P/32 exchange-mode=aggressive name=OURPEER passive=yes profile=IKE_Crypto
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-128-cbc lifetime=1h name=IPSec_Crypto
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=AA.AA.AA.AA/25 interface=ether5 network=AA.AA.AA.AB
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=output dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=output dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=output protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat dst-address=RR.RR.RR.RR/16 src-address=AA.AA.AA.AB/25
add action=src-nat chain=srcnat dst-address=RR.RR.RR.RR/16 to-addresses=AA.AA.AA.AB/25
add action=src-nat chain=srcnat disabled=yes dst-address=AA.AA.AA.AB/25 to-addresses=RR.RR.RR.RR/16
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add my-id=user-fqdn:admin@contact.com peer=OURPEER secret=password
/ip ipsec policy
add dst-address=RR.RR.RR.RR/16 peer=OURPEER proposal=IPSec_Crypto src-address=AA.AA.AA.AB/25 tunnel=yes
set 1 disabled=yes
/ip ipsec settings
set accounting=no
/ip route
add distance=1 dst-address=192.168.1.1/32 gateway=ether1 pref-src=0.0.0.0
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=OURPEER
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
thanks
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 1:24 pm

I'm reading, meanwhile the IP and all other things related to the interfaces on the bridge, must be put on bridge!!!
the admin-mac=ZZ.ZZ.ZZ.ZZ.ZZ of the bridge must be equal to the ether2 (original) mac address
 
mo8a
newbie
Topic Author
Posts: 27
Joined: Thu Aug 05, 2021 5:12 pm

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 1:34 pm

I'm reading, meanwhile the IP and all other things related to the interfaces on the bridge, must be put on bridge!!!
the admin-mac=ZZ.ZZ.ZZ.ZZ.ZZ of the bridge must be equal to the ether2 (original) mac address

yes, my IP interfaces :

export
# aug/06/2021 12:05:22 by RouterOS 6.47.10
# software id = 
#
# model = RBD52G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=ZZ.ZZ.ZZ.ZZ.ZZ to-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=MikroTik-77D1EA wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-77D1EB wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
set [ find default=yes ] use-responder-dns=no
/ip ipsec profile
add dh-group=modp1024 dpd-interval=5s dpd-maximum-failures=100 enc-algorithm=aes-256,aes-128 lifetime=6h name=\
    IKE_Crypto
/ip ipsec peer
add address=80.14.XX.XX/32 exchange-mode=aggressive name=OURPEER passive=yes profile=IKE_Crypto
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-128-cbc lifetime=1h name=IPSec_Crypto
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=10.10.10.10/25 interface=ether5 network=10.10.10.9
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=output dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=output dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=output protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=accept chain=srcnat dst-address=10.14.10.10/16 src-address=10.10.10.9/25
add action=src-nat chain=srcnat dst-address=10.14.10.10/16 to-addresses=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.10.9/25 to-addresses=10.14.10.10/16
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add my-id=user-fqdn:admin@contact.com peer=OURPEER secret=password
/ip ipsec policy
add dst-address=10.14.10.10/16 peer=OURPEER proposal=IPSec_Crypto src-address=10.10.10.9/25 tunnel=yes
set 1 disabled=yes
/ip ipsec settings
set accounting=no
/ip route
add distance=1 dst-address=192.168.1.1/32 gateway=ether1 pref-src=0.0.0.0
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=OURPEER
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
thanks
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 1:41 pm

Is like you do not understand: set both IP to bridge, not to etherX
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=10.10.10.10/25 interface=ether5 network=10.10.10.9


If you have a dhcp-client, why set a fixed route?
[...]
2 ADC 192.168.1.0/24 192.168.1.25 ether1 0
3 A S 192.168.1.1/32 0.0.0.0 ether1 1
[...]

remove this:
/ip route
add distance=1 dst-address=192.168.1.1/32 gateway=ether1 pref-src=0.0.0.0


the first rule make perfectly useless the second
Remove the first rule
/ip firewall nat
1) add action=accept chain=srcnat dst-address=RR.RR.RR.RR/16 src-address=AA.AA.AA.AB/25
2) add action=src-nat chain=srcnat dst-address=RR.RR.RR.RR/16 to-addresses=AA.AA.AA.AB/25

the fourth rule make perfectly useless the fifth
Remove the fourth rule
/ip firewall nat
4) add action=masquerade chain=srcnat
5) add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
 
mo8a
newbie
Topic Author
Posts: 27
Joined: Thu Aug 05, 2021 5:12 pm

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 1:49 pm


remove this:
/ip route
add distance=1 dst-address=192.168.1.1/32 gateway=ether1 pref-src=0.0.0.0

==> i had delete it
Is like you do not understand: set both IP to bridge, not to etherX
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
add address=10.10.10.10/25 interface=ether5 network=10.10.10.9
sorry i hadn't understood, can you help me please
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 1:51 pm

Really??????????????

Copy & Paste this on terminal
/ip address
set [find where interface=ether2] interface=bridge
set [find where interface=ether5] interface=bridge
 
mo8a
newbie
Topic Author
Posts: 27
Joined: Thu Aug 05, 2021 5:12 pm

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 2:01 pm

Really??????????????

Copy & Paste this on terminal
/ip address
set [find where interface=ether2] interface=bridge
set [find where interface=ether5] interface=bridge

thanks, but it still doesn't work :(
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 2:04 pm

Did you do the other things too?
Reread my previous post, I probably wrote something you didn't read because I added it later.

My first goal is to make your setup clear of nonsense.
 
mo8a
newbie
Topic Author
Posts: 27
Joined: Thu Aug 05, 2021 5:12 pm

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 2:15 pm

Did you do the other things too?
Reread my previous post, I probably wrote something you didn't read because I added it later.
I think so, I had read and corrected my errors, take a look at my new export:
 export
# aug/06/2021 13:09:35 by RouterOS 6.47.10
# software id = 
#
# model = RBD52G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=zz:zz:zz:zz:zz:zz auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=\
    auto installation=indoor mode=ap-bridge ssid=MikroTik-77D1EA wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=MikroTik-77D1EB wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
set [ find default=yes ] use-responder-dns=no
/ip ipsec profile
add dh-group=modp1024 dpd-interval=5s dpd-maximum-failures=100 enc-algorithm=aes-256,aes-128 lifetime=6h name=\
    IKE_Crypto
/ip ipsec peer
add address=80.14.XX.XX/32 exchange-mode=aggressive name=OURPEER passive=yes profile=IKE_Crypto
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-128-cbc lifetime=1h name=IPSec_Crypto
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.10.10.10/25 interface=bridge network=10.10.10.9
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=output dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=output dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=output protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.14.10.10/16 to-addresses=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.10.9/25 to-addresses=10.14.10.10/16
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=src-nat chain=srcnat dst-address=10.14.10.10/16 to-addresses=10.10.10.9/25
add action=masquerade chain=srcnat comment="\"defconf: masquerad\"ipsec-policy=out,none out-interface-list=WAN"
/ip ipsec identity
add my-id=user-fqdn:admin@contact.com peer=OURPEER secret=password
/ip ipsec policy
add dst-address=10.14.10.10/16 peer=OURPEER proposal=IPSec_Crypto src-address=10.10.10.9/25 tunnel=yes
set 1 disabled=yes
/ip ipsec settings
set accounting=no
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=OURPEER
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
thanks
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 2:39 pm

Little detail, remove b (leaving only 2ghz-g/n)
and something strange happen on NAT: masquerad\"ipsec
output is traffic GENERATED from rotuerboard, not from any devices on all the networks!

Paste this, fix all what I have easily noticed, do not omit the { } !!!
{
/interface wireless set [ find default-name=wlan1 ] band=2ghz-g/n
/ip firewall nat
remove [find]
add action=src-nat chain=srcnat dst-address=10.14.10.10/16 to-addresses=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.10.9/25 to-addresses=10.14.10.10/16
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
}

after fixing it, try again, if not work post again the config, for search if any other problem.

You can't ping ether1 192.168.1.25 from 192.168.88.x/24 network or from the remote 10.x.x.x/x?
Last edited by rextended on Fri Aug 06, 2021 3:22 pm, edited 1 time in total.
 
mo8a
newbie
Topic Author
Posts: 27
Joined: Thu Aug 05, 2021 5:12 pm

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 3:19 pm

Little detail, remove b (leaving only 2ghz-g/n)
and something strange happen on NAT: masquerad\"ipsec
on the firewall filter the output chain should be ignored, except on rare occasions.
output is traffic GENERATED from rotuerboard, not from any devices on all the networks!

Paste this, fix all what I have easily noticed, do not omit the { } !!!
{
/interface wireless set [ find default-name=wlan1 ] band=2ghz-g/n
/ip firewall nat
remove [find]
add action=src-nat chain=srcnat dst-address=10.14.10.10/16 to-addresses=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.10.9/25 to-addresses=10.14.10.10/16
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip firewall filter
remove [find where chain=output]
}

after fixing it, try again, if not work post again the config, for search if any other problem.

You can't ping ether1 192.168.1.25 from 192.168.88.x/24 network or from the remote 10.x.x.x/x?


yesss yesss yesss, , now i can ping but my VPN IPSec still Down,
ip ipsec policy print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 #      PEER             TUNNEL SRC-ADDRESS                                      DST-ADDRESS                                            PROTOCOL   ACTION  LEVEL    PH2-COUNT
 0      OURPEER           yes   10.10.10.9/25                                      10.14.10.10/16                                          all        encrypt require          0
 1 T X*                         ::/0                                             ::/0                                                   all       

 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 3:21 pm

paste this, but do not move the rules on top:
/ip firewall filter
add action=accept chain=output dst-port=500 protocol=udp
add action=accept chain=output dst-port=4500 protocol=udp
add action=accept chain=output protocol=ipsec-esp
 
mo8a
newbie
Topic Author
Posts: 27
Joined: Thu Aug 05, 2021 5:12 pm

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 3:28 pm

paste this, but do not move the rules on top:
/ip firewall filter
add action=accept chain=output dst-port=500 protocol=udp
add action=accept chain=output dst-port=4500 protocol=udp
add action=accept chain=output protocol=ipsec-esp

i had added it, and not move it on top, but still don't UP, :? :(
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 3:29 pm

export again
 
mo8a
newbie
Topic Author
Posts: 27
Joined: Thu Aug 05, 2021 5:12 pm

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 3:37 pm

export again
yes my dear,
 export
# aug/06/2021 14:33:18 by RouterOS 6.47.10
# software id = 
#
# model = RBD52G-5HacD2HnD
# serial number = 
/interface bridge
add admin-mac=zz:zz:zz:zz:zz:zz auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge \
    ssid=MikroTik-77D1EA wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=\
    ap-bridge ssid=MikroTik-77D1EB wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec mode-config
set [ find default=yes ] use-responder-dns=no
/ip ipsec profile
add dh-group=modp1024 dpd-interval=5s dpd-maximum-failures=100 enc-algorithm=aes-256,aes-128 lifetime=6h name=IKE_Crypto
/ip ipsec peer
add address=80.14.XX.XX/32 exchange-mode=aggressive name=OURPEER passive=yes profile=IKE_Crypto
/ip ipsec proposal
set [ find default=yes ] disabled=yes
add enc-algorithms=aes-128-cbc lifetime=1h name=IPSec_Crypto
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
add address=10.10.10.10/25 interface=bridge network=10.10.10.9
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=output dst-port=500 protocol=udp
add action=accept chain=output dst-port=4500 protocol=udp
add action=accept chain=output protocol=ipsec-esp
/ip firewall nat
add action=src-nat chain=srcnat dst-address=10.14.10.10/16 to-addresses=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.10.9/25 to-addresses=10.14.10.10/16
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip ipsec identity
add my-id=user-fqdn:admin@contact.com peer=OURPEER secret=password
/ip ipsec policy
add dst-address=10.14.10.10/16 peer=OURPEER proposal=IPSec_Crypto src-address=10.10.10.9/25 tunnel=yes
set 1 disabled=yes
/ip ipsec settings
set accounting=no
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=OURPEER
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

thanks
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 3:44 pm

Ok the key is the NAT

what output you have to
/interface print
?
 
mo8a
newbie
Topic Author
Posts: 27
Joined: Thu Aug 05, 2021 5:12 pm

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 3:53 pm

Ok the key is the NAT

what output you have to
/interface print
?
for address :
ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         INTERFACE                                                                                                                                                                                                          
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    bridge                                                                                                                                                                                                             
 1   10.10.10.10/25     10.10.10.9      bridge                                                                                                                                                                                                             
 2 D 192.168.1.25/24    192.168.1.0     ether1 

for interface :

interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU  MAX-L2MTU MAC-ADDRESS      
 0  R  ether1                              ether            1500  1598       9214 zz:zz:zz:zz:zz:E5
 1  RS ether2                              ether            1500  1598       9214 zz:zz:zz:zz:zz:E6
 2   S ether3                              ether            1500  1598       9214 zz:zz:zz:zz:zz:E7
 3   S ether4                              ether            1500  1598       9214 zz:zz:zz:zz:zz:E8
 4   S ether5                              ether            1500  1598       9214 zz:zz:zz:zz:zz:E9
 5   S wlan1                               wlan             1500  1600       2290 zz:zz:zz:zz:zz:EA
 6  RS wlan2                               wlan             1500  1600       2290 zz:zz:zz:zz:zz:EB
 7  R  ;;; defconf
       bridge                              bridge           1500  1598            zz:zz:zz:zz:zz:E6

 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 3:57 pm

ok paste this, do not omit { }

this restore previous rules on first export
try to disable / enable one at time on winbox the first two rules (do not disable the last)
the third are already disabled on first export
{
/ip firewall nat
remove [find]
add action=accept chain=srcnat dst-address=10.14.10.10/16 src-address=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.14.10.10/16 to-addresses=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.10.9/25 to-addresses=10.14.10.10/16
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
}
 
mo8a
newbie
Topic Author
Posts: 27
Joined: Thu Aug 05, 2021 5:12 pm

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 4:10 pm

ok paste this, do not omit { }

this restore previous rules on first export
try to disable / enable one at time on winbox the first two rules (do not disable the last)
the third are already disabled on first export
{
/ip firewall nat
remove [find]
add action=accept chain=srcnat dst-address=10.14.10.10/16 src-address=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.14.10.10/16 to-addresses=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.10.9/25 to-addresses=10.14.10.10/16
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
}
i did it,
now i have :
the 1st enable
the 2nd enable
the 3rd disable
the 4th enable

and still the VPN IPSEC Down
PH2 State : no phase 2
 
mo8a
newbie
Topic Author
Posts: 27
Joined: Thu Aug 05, 2021 5:12 pm

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 4:14 pm

Image
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 4:21 pm

The other side come from wlan1?

restore the original NAT of first export and reboot the device,
no other change can influence this!
paste this on terminal
{
/ip firewall nat
add action=accept chain=srcnat dst-address=10.14.10.10/16 src-address=10.10.10.9/25
add action=src-nat chain=srcnat dst-address=10.14.10.10/16 to-addresses=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.10.9/25 to-addresses=10.14.10.10/16
add action=masquerade chain=srcnat comment="defconf: masquerade"
}
 
mo8a
newbie
Topic Author
Posts: 27
Joined: Thu Aug 05, 2021 5:12 pm

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 4:26 pm

The other side come from wlan1?

restore the original NAT of first export and reboot the device,
no other change can influence this!
paste this on terminal
{
/ip firewall nat
add action=accept chain=srcnat dst-address=10.14.10.10/16 src-address=10.10.10.9/25
add action=src-nat chain=srcnat dst-address=10.14.10.10/16 to-addresses=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.10.9/25 to-addresses=10.14.10.10/16
add action=masquerade chain=srcnat comment="defconf: masquerade"
}
past in terminal = OK
restart = OK
the other side is

LAN ==> Mikrotik ==> modem internet ==> VPN IPSec ==> Palo-alto ==> LAN

Image
 
mo8a
newbie
Topic Author
Posts: 27
Joined: Thu Aug 05, 2021 5:12 pm

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 4:33 pm

now for the VPN IPSec, it's says : invalid :? :(

 ip ipsec policy print
Flags: T - template, B - backup, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 #      PEER    TUNNEL SRC-ADDRESS                        DST-ADDRESS                           PROTOCOL   ACTION  LEVEL    PH2-COUNT
 0   I  OURPEER  yes   10.10.10.9/25                     10.14.10.10/16                         all        encrypt require          0
 1 T X*                ::/0                                   ::/0                              all       

 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 4:37 pm

protocol b on wifi can't be,
assigned IP to interface instead of the bridge where interface is, can't be
useless route 192.168.1.1/32 can't be

paste this for restore exactly the config of filters and NAT at the start of this topic
warning: copy also the { } and check if you have copied that!!!
{
/ip firewall filter
remove [find]
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=output dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=output dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=output protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
remove [find]
add action=accept chain=srcnat dst-address=10.14.10.10/16 src-address=10.10.10.9/25
add action=src-nat chain=srcnat dst-address=10.14.10.10/16 to-addresses=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.10.9/25 to-addresses=10.14.10.10/16
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
}

The IPs on the nat are correct? 10.14.10.10/16 and 10.10.10.9/25
For censore too much you do not replace it wit fake values?

If the VPN does not restart it cannot be due to filters and NAT, because it is exactly the same as before...
You have to look for the cause elsewhere, but for the IP sec I cannot help you.
 
mo8a
newbie
Topic Author
Posts: 27
Joined: Thu Aug 05, 2021 5:12 pm

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 4:44 pm

i had past it, but still " invalid VPN IPSec "
before, you had help me to be valide VPN IPSec, but not connected. now is came back to " invalide VPN IPSec " :( :?

protocol b on wifi can't be,
assigned IP to interface instead of the bridge where interface is, can't be
useless route 192.168.1.1/32 can't be

paste this for restore exactly the config of filters and NAT at the start of this topic
warning: copy also the { } and check if you have copied that!!!
{
/ip firewall filter
remove [find]
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=output dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
add action=accept chain=output dst-port=4500 protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=output protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
remove [find]
add action=accept chain=srcnat dst-address=10.14.10.10/16 src-address=10.10.10.9/25
add action=src-nat chain=srcnat dst-address=10.14.10.10/16 to-addresses=10.10.10.9/25
add action=src-nat chain=srcnat disabled=yes dst-address=10.10.10.9/25 to-addresses=10.14.10.10/16
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
}

The IPs on the nat are correct? 10.14.10.10/16 and 10.10.10.9/25
For censore too much you do not replace it wit fake values?

If the VPN does not restart it cannot be due to filters and NAT, because it is exactly the same as before...
You have to look for the cause elsewhere, but for the IP sec I cannot help you.
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 4:50 pm

paste this and if you compare the export with first, are identical
this undo all what done on this topic
{
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n
/ip address
set [find where address="192.168.88.1/24"] set interface=ether2
set [find where address="10.10.10.10/25"] set interface=ether5
/ip route
add distance=1 dst-address=192.168.1.1/32 gateway=ether1 pref-src=0.0.0.0
}
Last edited by rextended on Fri Aug 06, 2021 4:53 pm, edited 2 times in total.
 
mo8a
newbie
Topic Author
Posts: 27
Joined: Thu Aug 05, 2021 5:12 pm

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 4:51 pm


The IPs on the nat are correct? 10.14.10.10/16 and 10.10.10.9/25
For censore too much you do not replace it wit fake values?

If the VPN does not restart it cannot be due to filters and NAT, because it is exactly the same as before...
You have to look for the cause elsewhere, but for the IP sec I cannot help you.
my need of help is about VPN IPSec,
st was invalid, with you in start, is became valide, but only not connected
now is became againe invalid
 
User avatar
rextended
Forum Guru
Forum Guru
Posts: 11968
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy
Contact:

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 4:55 pm

I first help you to remove the nonsense,
and about "the probleme, i can't ping from my lan this address."

and now you write about "help is about VPN IPSec"

I can't help you on that.
 
mo8a
newbie
Topic Author
Posts: 27
Joined: Thu Aug 05, 2021 5:12 pm

Re: i can't ping wan interface from LAN

Fri Aug 06, 2021 4:56 pm

I first help you to remove the nonsense,
and about "the probleme, i can't ping from my lan this address."

and now you write about "help is about VPN IPSec"

I can't help you on that.
yes, i understand, tank you a lot for your time and your help, i will wait other personne, may be can help me
have a great nice day

Who is online

Users browsing this forum: No registered users and 45 guests