https://blog.pessoft.com/2016/05/29/mik ... s-and-nat/
This works very stably (RB3011 - RB951), though the speed is not really high (which is probably caused by the RB951, which doesn't have a very fast processor), around 20 Mbps. The only problem I run into is that although I can reach all clients behind the router, I am not able to connect to the remote router. Not via WinBox, SSH or web. It does however respond to IGMP. I have no clue where to look.
Is there a firewall rule blocking this?
My home router firewall looks like this (the remote one I can't reach at the moment):
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="allow l2tp" dst-port=1701,500,4500 in-interface=WAN protocol=udp
add action=accept chain=input in-interface=WAN protocol=ipsec-esp
add chain=forward comment=vpnelcouders dst-address=192.168.50.0/24 in-interface=WAN ipsec-policy=in,ipsec src-address=192.168.60.0/24
add action=drop chain=input comment="Drop all except for LAN" protocol=tcp src-address=192.168.10.0/24
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="Block guest network except WAN" in-interface=vlan-guest out-interface=!WAN
add action=drop chain=forward comment="Block video network except LAN" in-interface=vlan-video out-interface=!bridge1
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=WAN
/ip firewall nat
add action=accept chain=srcnat comment=vpnelcouders dst-address=192.168.60.0/24 src-address=192.168.50.0/24
add action=accept chain=dstnat comment=vpnelcouders dst-address=192.168.50.0/24 src-address=192.168.60.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=WAN
add action=dst-nat chain=dstnat dst-port=50022 in-interface=WAN protocol=tcp to-addresses=192.168.50.10 to-ports=22
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=0.89.168.192-255.89.168.192
add action=masquerade chain=srcnat comment="masq. vpn traffic" disabled=yes src-address=192.168.89.0/24
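Added example (editorial, not part of the thread or the linked blog post) showing the check and the fix a practitioner would try on the remote router for exactly this symptom. It assumes the remote RB951 carries the same default-config input chain as the home router above, ending in the rule commented "defconf: drop all from WAN"; that the tunnel is policy-based IPsec, as the forward rule matching ipsec-policy=in,ipsec suggests; that WAN is the interface name on both ends; and that 192.168.50.0/24 is the home LAN and 192.168.60.0/24 the remote LAN. Packets decrypted from an IPsec policy are handed back to the firewall with in-interface still set to the interface they arrived on (WAN), so in the input chain they fall through to "defconf: drop all from WAN" unless an earlier rule accepts them. The posted config has such an accept in the forward chain (which is why the LAN clients are reachable) but none in the input chain. It also fits ping working: the first defconf input rule accepts ICMP on any interface, while WinBox, SSH and www are TCP. Ports, comments and rule placement below are the editor's choices.

```routeros
# Added example (not from the thread). Run on the REMOTE router's terminal.
# Assumptions: default-config input chain whose last rule is commented
# "defconf: drop all from WAN"; interface named WAN; home LAN 192.168.50.0/24.

# Step 1, the check: log what the input chain receives from the tunnel, placed
# just ahead of the WAN drop. Decrypted IPsec packets keep in-interface=WAN, so
# if this rule logs your WinBox/SSH attempts, the drop rule below it is the cause.
/ip firewall filter
add action=log chain=input comment="debug: vpn to router" \
    in-interface=WAN ipsec-policy=in,ipsec log-prefix="vpn-input" \
    place-before=[find comment="defconf: drop all from WAN"]

# Now attempt WinBox/SSH from a home-LAN host, then look for "vpn-input" entries:
/log print where topics~"firewall"

# Step 2, the fix: accept decrypted tunnel traffic from the home LAN in the
# input chain ahead of the WAN drop. Restrict it to the peer subnet and the
# management ports actually needed (SSH 22, www 80, WinBox 8291) rather than
# accepting everything that arrives through the policy.
/ip firewall filter
add action=accept chain=input comment="allow management from home LAN over IPsec" \
    in-interface=WAN ipsec-policy=in,ipsec protocol=tcp \
    src-address=192.168.50.0/24 dst-port=22,80,8291 \
    place-before=[find comment="defconf: drop all from WAN"]

# Step 3, verify: the new rule's packet counter should grow while you connect,
# and the "drop all from WAN" counter should stop growing for this traffic.
/ip firewall filter print stats where chain=input

# Step 4, clean up the debug rule once the counters confirm the match.
/ip firewall filter
remove [find comment="debug: vpn to router"]
```

Paste one step at a time rather than the whole block, since step 1 is only useful while you reproduce the failed connection. If the log rule never fires, the packets are not reaching the input chain at all, and the place to look next is `/ip ipsec installed-sa print` and `/ip ipsec policy print` on both ends rather than the filter rules.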