JordanReich
Frequent Visitor
Topic Author
Posts: 91
Joined: Sat Jul 20, 2019 7:31 am

Issues with SSTP connection

Wed Jul 31, 2019 11:13 pm

I am working to switch my VPN connectivity off of Windows (due to other limitations) and move it over to SSTP through MikroTik.

Setup:
1. Certificate chain has been created - and appears - to validate fine upon attempted connection
2. SSTP server binding created [PPP-Interface]
3. Secret created for service SSTP and assigned to the profile SSTP server
4. SSTP server created as a profile connected to the primary dhcp (with local address of 10.0.0.1) - didn't want to use a new pool range - mpls is no - compression is default - encryption is yes
5. SSTP server is enabled on port 443 (against profile of sstp server). Certificate is set. Authentication is set to mschap2. TLS version is any and none of the check boxes are marked.
6. Three firewall rules have been created. [input, tcp, 443, WAN as in interface, accept], [input, tcp, 53, WAN as in interface, accept], [input, udp, 53, WAN as in interface, accept].

When attempting to connect via the Windows 10 VPN settings I am getting the error:
A connection to the remote computer could not be established, so the port used for this connection was closed

I am seeing the bytes and packets on the 443 input increase when attempting to connect. So I am hitting the box but something is happening after this that I cannot determine.

Any help is appreciated!
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Issues with SSTP connection

Wed Jul 31, 2019 11:27 pm

Firstly, why incoming firewall rules for port 53? You are going to become a target for DNS amplification attacks.

Then read through below for SSTP config:

https://wiki.mikrotik.com/wiki/SSTP_step-by-step
https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP
 
JordanReich
Frequent Visitor
Topic Author
Posts: 91
Joined: Sat Jul 20, 2019 7:31 am

Re: Issues with SSTP connection

Thu Aug 01, 2019 12:02 am

Firstly, why incoming firewall rules for port 53? You are going to become a target for DNS amplification attacks.

Then read through below for SSTP config:

https://wiki.mikrotik.com/wiki/SSTP_step-by-step
https://wiki.mikrotik.com/wiki/Manual:Interface/SSTP

At this point there have been numerous configuration attempts. One of the tutorials found included adding that connection and it just happens to be the most recent setup. I have removed it. In terms of the above tutorial nothing mentioned seems different than the configurations I have in place. I will continue to review it in case something has been missed.
[ReichHub] > /interface sstp-server server print
                    enabled: yes
                       port: 443
                    max-mtu: 1500
                    max-mru: 1500
                       mrru: disabled
          keepalive-timeout: 60
            default-profile: SSTP Server
             authentication: mschap2
                certificate: Server-Cert-Updated
  verify-client-certificate: no
                  force-aes: no
                        pfs: no
                tls-version: any
Some of the configuration from an /export compact that might be relevant:
/interface sstp-server server
set authentication=mschap2 certificate=Server-Cert-Updated default-profile="SSTP Server" enabled=yes
/ip firewall filter
add action=accept chain=input comment="SSTP Connection Allow" disabled=yes dst-port=443 protocol=tcp
/ppp profile
add dns-server=10.0.0.3 local-address=10.0.0.1 name="SSTP Server" remote-address=dhcp use-encryption=\
 yes use-mpls=no
/ppp secret
add name=sstp password=###### profile="SSTP Server" service=sstp
 
JordanReich
Frequent Visitor
Topic Author
Posts: 91
Joined: Sat Jul 20, 2019 7:31 am

Re: Issues with SSTP connection

Thu Aug 01, 2019 7:00 pm

Attempted to follow this tutorial:
https://www.youtube.com/watch?v=9fIbLI59nPM

Still no luck on establishing SSTP connection. The tutorial fails to mention the firewall rule requirement. In addition I created:
[input, tcp, 443, accept]

Using Torch I can see that the VPN attempt on the machine hits the box, sends a quick packet of data, and then immediately goes to zero and soon after drops.

Still no luck...
 
JordanReich
Frequent Visitor
Topic Author
Posts: 91
Joined: Sat Jul 20, 2019 7:31 am

Re: Issues with SSTP connection

Thu Aug 01, 2019 11:40 pm

Progress has been made ... of sorts ...

I went ahead and abandoned SSTP for L2TP/IPSEC and got it up and running no problem. I was already using L2TP/IPSEC anyways for connecting multiple sites together. These connections are all MikroTik router-to-router connections.

I went ahead and set up FreeRADIUS and got AD linked into MikroTik, and I can now log in no problem through the above method using my credentials. All of this works great.

I connect on 172.0.0.254 / 172.0.0.1 and my primary network is 10.0.0.0/24. However I do not seem to be able to communicate with anything other than 172.0.0.1. I cannot even reach other devices on the 127.0.0.0/24 range. Initially I thought this would be routes but I seem to be having a problem finding the right combination.

Thanks all!
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Issues with SSTP connection

Fri Aug 02, 2019 12:21 am

If the remote client is getting the same IP range as the internal network where the VPN server is, then you will need to enable proxy-arp on the LAN-facing interface of the VPN server.

Otherwise, post the full export hide-sensitive output here between code brackets.
 
JordanReich
Frequent Visitor
Topic Author
Posts: 91
Joined: Sat Jul 20, 2019 7:31 am

Re: Issues with SSTP connection

Fri Aug 02, 2019 1:08 am

It is on different subnets, so that is not a resolution that works. Though I did switch the L2TP to the same subnet as the router and enabled proxy-arp. That worked brilliantly. But unfortunately I have a need to keep these subnets separate to meet the overall need.

Full export provided below.
ReichNet - Authorized administrators only. Access to this device is monitored.
[38636@ReichHub] > export hide-sensitive
# aug/01/2019 15:05:01 by RouterOS 6.44.5
# software id = 1SBQ-KUIK
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEE0A24B654
/interface l2tp-server
add name=l2tp-jreich user=jreich
add name=reichnet-3978 user=3978
add name=reichnet-8794 user=8794
/interface bridge
add admin-mac=74:4D:28:2F:4E:2D arp=proxy-arp auto-mac=no name=bridge protocol-mode=none
add arp=proxy-arp name=guestbridge protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] arp=proxy-arp name=OutToHouse speed=100Mbps
set [ find default-name=ether1 ] name=OutToWAN speed=100Mbps
set [ find default-name=ether3 ] arp=proxy-arp name=ReichNet-GUEST speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
    arp=proxy-arp auto-negotiation=no name=SFP-RackSwitch speed=10Gbps
set [ find default-name=ether4 ] disabled=yes speed=100Mbps
set [ find default-name=ether5 ] disabled=yes speed=100Mbps
set [ find default-name=ether6 ] disabled=yes speed=100Mbps
set [ find default-name=ether7 ] disabled=yes speed=100Mbps
set [ find default-name=ether8 ] disabled=yes speed=100Mbps
set [ find default-name=ether9 ] disabled=yes speed=100Mbps
set [ find default-name=ether10 ] disabled=yes speed=100Mbps
/interface vlan
add interface=bridge name=srv-vlan vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=PPP
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=ReichNet
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
add name=peer1 passive=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-maximum-failures=2 enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=none
/ip pool
add name=dhcp ranges=10.0.0.101-10.0.0.254
add name=VPN-L2TP ranges=172.0.0.10-172.0.0.254
add name=dhcp-guest ranges=20.0.0.10-20.0.0.75
add name=dhcp-server ranges=30.0.0.10-30.0.0.75
add name=dhcp-l2tp-remote ranges=40.0.0.51-40.0.0.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=rst
add address-pool=dhcp-guest disabled=no interface=guestbridge name=guest
add address-pool=dhcp-server disabled=no interface=srv-vlan name=srv
add address-pool=dhcp-l2tp-remote disabled=no interface=OutToWAN name=l2tpexternal
/ppp profile
add change-tcp-mss=yes local-address=172.0.0.1 name=VPN-L2TP remote-address=VPN-L2TP use-encryption=\
    yes
/queue interface
set OutToWAN queue=ethernet-default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge comment=defconf interface=OutToHouse
add bridge=guestbridge comment=defconf interface=ReichNet-GUEST
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=SFP-RackSwitch
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge vlan-ids=50
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=VPN-L2TP enabled=yes keepalive-timeout=disabled max-mtu=\
    1500
/interface list member
add interface=bridge list=LAN
add comment=defconf interface=OutToWAN list=WAN
add interface=guestbridge list=LAN
/interface ovpn-server server
set certificate=reichnetwork_net.ca-bundle_2 cipher=blowfish128,aes128,aes192,aes256
/interface pptp-server server
set default-profile=default
/interface sstp-server server
set authentication=mschap1,mschap2 certificate=reichnetwork_net.crt_0
/ip address
add address=10.0.0.1/24 comment=defconf interface=OutToHouse network=10.0.0.0
add address=**REMOVED FOR UPLOAD**/24 interface=OutToWAN network=**REMOVED FOR UPLOAD**
add address=20.0.0.1/24 interface=guestbridge network=20.0.0.0
add address=30.0.0.1/24 interface=srv-vlan network=30.0.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=OutToWAN
/ip dhcp-server lease
add address=10.0.0.16 client-id=1:ec:71:db:f2:d8:7c comment=CAMBACKYARD-N mac-address=\
    EC:71:DB:F2:D8:7C server=rst
add address=10.0.0.14 client-id=1:ec:71:db:15:5e:4 comment=CAMBACKYARD-S mac-address=\
    EC:71:DB:15:5E:04 server=rst
add address=10.0.0.15 client-id=1:ec:71:db:c7:73:6a comment=CAMFRONTYARD-E mac-address=\
    EC:71:DB:C7:73:6A server=rst
add address=10.0.0.3 comment=P000EPRIMARY mac-address=00:0E:B6:30:89:88 server=rst
add address=10.0.0.2 comment=P000EPRIMARY mac-address=00:0E:B6:30:89:89 server=rst
add address=10.0.0.74 client-id=1:a4:2b:b0:20:74:df comment=WIRELESS-ADAPTER-PRIVATE mac-address=\
    A4:2B:B0:20:74:DF server=rst
add address=10.0.0.28 always-broadcast=yes client-id=1:d8:cb:8a:5f:15:cb comment=PD8CBCAMERA \
    mac-address=D8:CB:8A:5F:15:CB server=rst
add address=10.0.0.11 client-id=1:0:15:5d:0:6:0 comment=V782BDOWNLOAD mac-address=00:15:5D:00:06:00 \
    server=rst
add address=10.0.0.31 client-id=1:0:15:5d:0:6:3 comment=V782BMEDIA mac-address=00:15:5D:00:06:03 \
    server=rst
add address=10.0.0.30 comment=V782BDROPBOX mac-address=00:15:5D:00:06:04 server=rst
add address=10.0.0.45 client-id=1:0:26:b9:62:27:e2 comment=P0026VIRTUAL mac-address=00:26:B9:62:27:E2 \
    server=rst
add address=10.0.0.46 client-id=1:0:26:b9:62:27:e4 comment=P0026VIRTUAL mac-address=00:26:B9:62:27:E4 \
    server=rst
add address=10.0.0.47 client-id=1:0:26:b9:62:27:e0 comment=P0026VIRTUAL mac-address=00:26:B9:62:27:E0 \
    server=rst
add address=10.0.0.48 client-id=1:0:26:b9:62:27:de comment=P0026VIRTUAL mac-address=00:26:B9:62:27:DE \
    server=rst
add address=10.0.0.51 client-id=1:34:97:f6:b7:2:43 comment=JORDAN-DESKTOP mac-address=\
    34:97:F6:B7:02:43 server=rst
add address=10.0.0.34 comment=V0026CARLYWEBSRV mac-address=00:15:5D:00:2E:02 server=rst
add address=10.0.0.39 client-id=1:0:15:5d:0:2e:4 comment=V0026WEBHUB mac-address=00:15:5D:00:2E:04 \
    server=rst
add address=10.0.0.4 comment=V0026PXEBOOT mac-address=00:15:5D:00:2E:0A server=rst
add address=10.0.0.49 client-id=1:98:5f:d3:5b:e5:6c comment=JORDAN-WORKPC mac-address=\
    98:5F:D3:5B:E5:6C server=rst
add address=10.0.0.38 client-id=1:0:15:5d:0:2e:12 comment=V0026EXCHANGE mac-address=00:15:5D:00:2E:12 \
    server=rst
add address=10.0.0.37 comment=V0026IRC mac-address=00:15:5D:00:2E:13 server=rst
add address=10.0.0.20 client-id=1:0:15:5d:0:2e:14 comment=V0026EXCHANGE mac-address=00:15:5D:00:2E:14 \
    server=rst
add address=10.0.0.13 client-id=1:0:15:5d:0:2e:15 comment=V0026EMAIL mac-address=00:15:5D:00:2E:15 \
    server=rst
add address=10.0.0.71 client-id=ff:76:3b:fc:74:0:2:0:0:ab:11:17:95:92:7b:86:4e:27:e4 comment=\
    V0026CARLYTEST mac-address=00:15:5D:00:2E:16 server=rst
add address=10.0.0.52 client-id=1:d8:c4:97:a0:44:84 comment=CARLY-LAPTOP mac-address=\
    D8:C4:97:A0:44:84 server=rst
add address=10.0.0.32 client-id=1:0:15:5d:0:2e:18 comment=V0026POLICYTEST mac-address=\
    00:15:5D:00:2E:18 server=rst
add address=10.0.0.12 client-id=1:0:15:5d:0:2e:1a comment=V0026MONITOR mac-address=00:15:5D:00:2E:1A \
    server=rst
add address=10.0.0.36 client-id=1:0:15:5d:0:2e:1b comment=V0026JCWIN2016 mac-address=\
    00:15:5D:00:2E:1B server=rst
add address=10.0.0.50 client-id=1:1c:1b:d:ec:a7:b3 comment=CDELABARRE-PC mac-address=\
    1C:1B:0D:EC:A7:B3 server=rst
add address=10.0.0.35 client-id=1:0:15:5d:0:2e:24 comment=V0026HOMEASSIST mac-address=\
    00:15:5D:00:2E:24 server=rst
add address=10.0.0.53 client-id=1:0:15:5d:0:2e:25 comment=V0026WORKVPN mac-address=00:15:5D:00:2E:25 \
    server=rst
add address=10.0.0.33 comment=V0026LIBCATALOG mac-address=00:15:5D:00:2E:27 server=rst
add address=10.0.0.10 client-id=ff:80:40:df:4e:0:2:0:0:ab:11:c:b8:8a:f8:1d:7e:9a:19 comment=\
    V0026JITSI mac-address=00:15:5D:00:2E:28 server=rst
add address=10.0.0.101 client-id=1:0:4:4b:48:9b:27 comment=SHIELD-GSTNET mac-address=\
    00:04:4B:48:9B:27 server=rst
add address=10.0.0.103 comment=TV-LVRM-GSTNET mac-address=C4:1C:FF:5B:6D:5B server=rst
add address=10.0.0.100 client-id=1:74:4d:28:18:a2:94 comment="SFP SWITCH CONN" mac-address=\
    74:4D:28:18:A2:94 server=rst
add address=20.0.0.10 client-id=1:14:91:82:c7:7e:16 comment=REICHNET-GUEST mac-address=\
    14:91:82:C7:7E:16 server=guest
add address=10.0.0.40 client-id=1:0:19:b9:d8:38:31 comment=P0019DEREK mac-address=00:19:B9:D8:38:31 \
    server=rst
add address=10.0.0.5 comment=V0026RADIUS mac-address=00:15:5D:00:2E:2C server=rst
add address=10.0.0.29 client-id=ff:5d:0:28:4:0:1:0:1:24:b7:72:a7:0:15:5d:0:28:4 comment=\
    "V0019DEREK - NEXTCLOUD" mac-address=00:15:5D:00:28:04 server=rst
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1 netmask=24
add address=20.0.0.0/24 gateway=20.0.0.1 netmask=24
add address=30.0.0.0/24 gateway=30.0.0.1 netmask=24
add address=40.0.0.0/24 gateway=40.0.0.1
/ip dns
set allow-remote-requests=yes servers=10.0.0.3
/ip dns static
add address=10.0.0.1 name=router.lan
add address=10.0.0.1 name=router
/ip firewall address-list
add address=216.92.61.7 list=blacklist
add address=10.0.0.101 list=hardwire-block
add address=10.0.0.103 list=hardwire-block
add address=69.20.59.81 list=blacklist
add address=69.20.59.80 list=blacklist
/ip firewall filter
add action=fasttrack-connection chain=forward comment="38636: defconf fasttrack" connection-state=\
    established,related
add action=accept chain=input comment="38636: defconf accept established,related" connection-state=\
    established,related
add action=accept chain=forward comment="38636: defconf accept established,related" connection-state=\
    established,related
add action=accept chain=input comment="38636: Allow PING from WAN" in-interface=OutToWAN protocol=\
    icmp
add action=accept chain=input comment="38636: Winbox" dst-port=8291 protocol=tcp
add action=accept chain=forward comment="38636: NAT Traffic Permit" dst-port=\
    443,1000,32400,8096,26555,81,80,8081,3000 in-interface=OutToWAN protocol=tcp
add action=accept chain=input comment="38636: L2TP 1701" dst-port=1701 protocol=udp
add action=accept chain=input comment="38636: L2TP 500" dst-port=500 protocol=udp
add action=accept chain=input comment="38636: L2TP 4500" dst-port=4500 protocol=udp
add action=accept chain=input comment="38636: L2TP PRTL 50" protocol=ipsec-esp
add action=accept chain=forward comment="8794: RouterOS netflow to ELK-Stack" dst-address=10.0.0.33 \
    dst-port=2055 in-interface=reichnet-8794 protocol=udp
add action=accept chain=forward comment="3978: RouterOS netflow to ELK-Stack" dst-address=10.0.0.33 \
    dst-port=2055 in-interface=reichnet-3978 protocol=udp
add action=accept chain=forward comment="PPP: accept machine PINGS" in-interface=all-ppp protocol=\
    icmp
add action=accept chain=forward comment="PPP: Allow dynamic port ranges" dst-port="" in-interface=\
    all-ppp protocol=tcp src-port=49152-65535
add action=accept chain=forward comment="PPP: Allow PXE server access" dst-port="" in-interface=\
    all-ppp protocol=udp src-port=4011
add action=accept chain=forward comment="PPP: TCP allow for AD" dst-address=10.0.0.3 dst-port=\
    53,88,135,139,389,445,464,636,3268,3269,5722,9389 in-interface=all-ppp protocol=tcp
add action=accept chain=forward comment="PPP: UDP allow for AD" dst-address=10.0.0.3 dst-port=\
    53,67,88,123,137,138,389,123,445,2535 in-interface=all-ppp port="" protocol=udp
add action=accept chain=forward comment="PPP: Storage access 10.0.0.9 TCP" dst-address=10.0.0.9 \
    dst-port=135-139,445 in-interface=all-ppp protocol=tcp
add action=accept chain=forward comment="PPP: Storage access 10.0.0.9 UDP" dst-address=10.0.0.9 \
    dst-port=135-139,445 in-interface=all-ppp protocol=udp
add action=drop chain=forward comment="PPP: drop all FORWARD from VPN" in-interface=all-ppp \
    log-prefix=VPNdrop
add action=drop chain=input comment="PPP: drop all INPUT from VPN" in-interface=all-ppp log-prefix=\
    VPNdrop
add action=drop chain=forward comment="GUEST: Deny all to primary network" dst-address=10.0.0.0/24 \
    in-interface=guestbridge src-address=20.0.0.0/24
add action=drop chain=forward comment="38636: drop all GST hardwire traffic to RST" dst-address=\
    10.0.0.0/24 out-interface=bridge src-address-list=hardwire-block
add action=drop chain=forward comment="38636: TCP Address Blacklist" dst-address-list=blacklist \
    protocol=tcp
add action=drop chain=forward comment="38636: defconf drop invalid" connection-state=invalid
add action=drop chain=forward comment="38636: defconf drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface=OutToWAN
add action=drop chain=input comment="38636: drop all INPUT (WAN)" in-interface=OutToWAN log=yes \
    log-prefix=Drop_Input_WAN
add action=drop chain=forward comment="38636: drop all FORWARD (WAN)" in-interface=OutToWAN log=yes \
    log-prefix=Drop_Forward_WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
add action=masquerade chain=srcnat comment="SSTP masquerade" disabled=yes src-address=40.0.0.0/24
add action=masquerade chain=srcnat comment="8794: NAT L2TP/IPsec" disabled=yes src-address=\
    10.0.1.0/24
add action=masquerade chain=srcnat comment="3978: NAT L2TP/IPsec" disabled=yes src-address=\
    10.0.2.0/24
add action=dst-nat chain=dstnat comment="HTTPS PASSWORD 1000" dst-port=1000 in-interface=all-ethernet \
    protocol=tcp to-addresses=10.0.0.2 to-ports=1000
add action=dst-nat chain=dstnat comment="PLEX PORT 32400 TCP" dst-port=32400 in-interface=OutToWAN \
    protocol=tcp to-addresses=10.0.0.31 to-ports=32400
add action=dst-nat chain=dstnat comment="EMBY PORT 8096 TCP" dst-port=8096 in-interface=OutToWAN \
    protocol=tcp to-addresses=10.0.0.31 to-ports=8096
add action=dst-nat chain=dstnat comment=P0019DEREK-PLEX dst-port=26555 in-interface=OutToWAN \
    protocol=tcp to-addresses=10.0.0.40 to-ports=32400
add action=dst-nat chain=dstnat comment=P0019DEREK-NEXTCLOUD dst-port=81 in-interface=OutToWAN \
    protocol=tcp to-addresses=10.0.0.29 to-ports=81
add action=dst-nat chain=dstnat comment="HTTP WEBHUB TRAFFIC 80" dst-port=80 in-interface=OutToWAN \
    protocol=tcp to-addresses=10.0.0.39 to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS WEBHUB TRAFFIC 443" dst-port=443 in-interface=OutToWAN \
    protocol=tcp to-addresses=10.0.0.2 to-ports=443
add action=dst-nat chain=dstnat comment="HTTPS PASSWORD 1000" dst-port=1000 in-interface=all-ethernet \
    protocol=tcp to-addresses=10.0.0.2 to-ports=1000
add action=dst-nat chain=dstnat comment="SECURITY CAMERA SYSTEM 8081" dst-port=8081 in-interface=\
    OutToWAN protocol=tcp to-addresses=10.0.0.28 to-ports=8081
add action=dst-nat chain=dstnat comment="HTTPS MAILTRAIN 3000" dst-port=3000 in-interface=OutToWAN \
    protocol=tcp to-addresses=10.0.0.34 to-ports=3000
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes dst-port=47984 \
    in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.51 to-ports=47984
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes dst-port=47989 \
    in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.51 to-ports=47989
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes dst-port=48010 \
    in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.51 to-ports=48010
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes dst-port=47998 \
    in-interface=OutToWAN protocol=udp to-addresses=10.0.0.51 to-ports=47998
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes dst-port=47999 \
    in-interface=OutToWAN protocol=udp to-addresses=10.0.0.51 to-ports=47999
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes dst-port=48000 \
    in-interface=OutToWAN protocol=udp to-addresses=10.0.0.51 to-ports=48000
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes dst-port=48002 \
    in-interface=OutToWAN protocol=udp to-addresses=10.0.0.51 to-ports=48002
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes dst-port=48010 \
    in-interface=OutToWAN protocol=udp to-addresses=10.0.0.51 to-ports=48010
/ip firewall service-port
set ftp ports=212
/ip ipsec identity
add generate-policy=port-override peer=peer1 remote-id=ignore
/ip route
add distance=1 gateway=**REMOVED FOR UPLOAD**
add distance=1 dst-address=10.0.1.0/24 gateway=reichnet-8794
add distance=1 dst-address=10.0.2.0/24 gateway=reichnet-3978
/ip service
set telnet disabled=yes
set ftp disabled=yes port=212
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip traffic-flow
set cache-entries=128k enabled=yes
/ip traffic-flow target
add dst-address=10.0.0.33
/ip upnp
set enabled=yes
/ppp aaa
set use-radius=yes
/ppp secret
add local-address=172.0.0.1 name=8794 profile=VPN-L2TP remote-address=172.0.0.240 service=l2tp
add local-address=172.0.0.1 name=3978 profile=VPN-L2TP remote-address=172.0.0.242 service=l2tp
/radius
add address=10.0.0.5 realm=reichnetwork service=ppp,login,ipsec src-address=10.0.0.1
/snmp
set enabled=yes
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=ReichHub
/system logging
add disabled=yes topics=ipsec
add topics=sstp
/system note
set note="ReichNet - Authorized administrators only. Access to this device is monitored."
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user aaa
set use-radius=yes
[38636@ReichHub] > 
Appreciate your time and help on this!
 
CZFan
Forum Guru
Posts: 2098
Joined: Sun Oct 09, 2016 8:25 pm
Location: South Africa, Krugersdorp (Home town of Brad Binder)

Re: Issues with SSTP connection

Fri Aug 02, 2019 9:59 pm

Not at my laptop at the moment; will have a deeper look into the config tomorrow morning.

Off the bat I will change the 172.0.0.0/x IPs; these are outside the private IP range scope. Use 172.16.x.x - 172.31.x.x instead.
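The three points raised in this thread (the port 53 input rules from WAN, proxy-arp being needed only when the VPN pool sits inside the LAN subnet, and 172.0.0.0/x lying outside RFC 1918) can all be checked mechanically against an export hide-sensitive dump. The script below is an added example, not code from the thread or from MikroTik: it carries a small parser for the export format (backslash continuation lines, quoted values, add/set records) and three checks over the parsed records. The default WAN interface name OutToWAN is taken from the thread; the embedded export is a constructed sample modeled on the first export above, not the poster's real configuration, and includes a redacted address and a disabled rule to show that both are handled.

```python
import ipaddress
import shlex

# RFC 1918 private space; the thread's 172.0.0.0/x pool and 20.0.0.0/24 guest LAN are outside it.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_export(text):
    """RouterOS export -> list of {'_section': ..., key: value} dicts (add/set lines only)."""
    records, section, pending = [], None, ""
    for raw in text.splitlines():
        line = (pending + raw.strip()) if pending else raw.rstrip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):              # trailing backslash: continued on the next line
            pending = line[:-1]
            continue
        if line.startswith("/"):             # section header such as /ip firewall filter
            section = line
            continue
        lex = shlex.shlex(line, posix=True)  # honours "quoted values"
        lex.whitespace_split, lex.commenters = True, ""   # keep '#' (masked passwords)
        tokens = list(lex)
        if tokens and tokens[0] in ("add", "set"):        # drops prompts and banner text
            rec = {"_section": section}
            rec.update(t.partition("=")[::2] for t in tokens[1:] if "=" in t)
            records.append(rec)
    return records

def _ends(rng):
    """'a-b' or 'a' -> (first, last) addresses; None for unparsable or redacted text."""
    lo, _, hi = rng.partition("-")
    try:
        return ipaddress.ip_address(lo), ipaddress.ip_address(hi or lo)
    except ValueError:
        return None

def is_private(ip):
    return any(ip in net for net in RFC1918)

def non_private_ranges(records):
    """('pool'|'address', name, value) for pools and interface addresses outside RFC 1918."""
    hits = []
    for r in records:
        if r["_section"] == "/ip pool" and "ranges" in r:
            for rng in r["ranges"].split(","):
                ends = _ends(rng)
                if ends and not all(map(is_private, ends)):
                    hits.append(("pool", r.get("name", "?"), rng))
        elif r["_section"] == "/ip address" and "address" in r:
            ends = _ends(r["address"].split("/")[0])
            if ends and not is_private(ends[0]):
                hits.append(("address", r.get("interface", "?"), r["address"]))
    return hits

def vpn_pools_overlapping_lan(records):
    """(PPP profile, LAN interface) where the profile's remote-address pool lies inside a LAN
    subnet: the layout that needs proxy-arp on the LAN-facing interface. A pool on its own
    subnet is routed instead and is not listed."""
    pools = {r["name"]: r["ranges"] for r in records
             if r["_section"] == "/ip pool" and "name" in r and "ranges" in r}
    lans = []
    for r in records:
        if r["_section"] == "/ip address" and "address" in r:
            try:
                lans.append((r.get("interface", "?"), ipaddress.ip_network(r["address"], strict=False)))
            except ValueError:
                pass                         # redacted value such as **REMOVED FOR UPLOAD**
    hits = []
    for r in records:
        if r["_section"] == "/ppp profile":
            for rng in pools.get(r.get("remote-address", ""), "").split(","):
                ends = _ends(rng)
                hits += [(r.get("name", "?"), iface) for iface, net in lans
                         if ends and any(ip in net for ip in ends)]
    return hits

def port_listed(spec, port):
    """True if a RouterOS port list such as '53,443' or '49152-65535' covers port."""
    for item in filter(None, spec.split(",")):
        lo, _, hi = item.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def wan_dns_input_accepts(records, wan="OutToWAN"):
    """Comments of enabled input/accept rules that open TCP or UDP 53 on the WAN interface.
    A rule with no in-interface matches WAN too, so it is included."""
    return [r.get("comment", r["protocol"] + "/53") for r in records
            if r["_section"] == "/ip firewall filter" and r.get("disabled") != "yes"
            and r.get("chain") == "input" and r.get("action") == "accept"
            and r.get("protocol") in ("tcp", "udp") and r.get("in-interface", wan) == wan
            and port_listed(r.get("dst-port", ""), 53)]

# Constructed sample modeled on the thread's first export; not the poster's real config.
SAMPLE_EXPORT = r"""
# aug/01/2019 by RouterOS 6.44.5 (constructed sample)
/ip pool
add name=dhcp ranges=10.0.0.101-10.0.0.254
add name=VPN-L2TP ranges=172.0.0.10-172.0.0.254
add name=VPN-SAMELAN ranges=10.0.0.200-10.0.0.220
/ip address
add address=10.0.0.1/24 comment=defconf interface=OutToHouse network=10.0.0.0
add address=20.0.0.1/24 interface=guestbridge network=20.0.0.0
add address=**REMOVED FOR UPLOAD**/24 interface=OutToWAN network=**REMOVED FOR UPLOAD**
/ppp profile
add change-tcp-mss=yes local-address=172.0.0.1 name=VPN-L2TP remote-address=VPN-L2TP use-encryption=\
    yes
add local-address=10.0.0.1 name=VPN-SAMELAN remote-address=VPN-SAMELAN
/ip firewall filter
add action=accept chain=input comment="SSTP Connection Allow" dst-port=443 protocol=tcp
add action=accept chain=input comment="DNS TCP from WAN" dst-port=53 in-interface=OutToWAN \
    protocol=tcp
add action=accept chain=input comment="DNS UDP from WAN" dst-port=53 in-interface=OutToWAN \
    protocol=udp
add action=accept chain=input comment="DNS UDP (disabled)" disabled=yes dst-port=53 \
    in-interface=OutToWAN protocol=udp
"""

if __name__ == "__main__":
    recs = parse_export(SAMPLE_EXPORT)
    print("outside RFC 1918:", non_private_ranges(recs))
    print("VPN pool inside a LAN subnet (proxy-arp needed):", vpn_pools_overlapping_lan(recs))
    print("port 53 open to WAN:", wan_dns_input_accepts(recs))
```

Run against the sample, the first check flags the VPN-L2TP pool and the 20.0.0.1/24 guest address, the second flags only the VPN-SAMELAN profile (the routed 172.x pool is not listed, matching the thread's final layout), and the third returns the two enabled port 53 rules while skipping the disabled one. To use it on a real dump, paste the body of export hide-sensitive in place of the sample and pass your own WAN interface name to wan_dns_input_accepts.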
 
JordanReich
Frequent Visitor
Topic Author
Posts: 91
Joined: Sat Jul 20, 2019 7:31 am

Re: Issues with SSTP connection

Sat Aug 03, 2019 3:32 am

Not at my laptop at the moment; will have a deeper look into the config tomorrow morning.

Off the bat I will change the 172.0.0.0/x IPs; these are outside the private IP range scope. Use 172.16.x.x - 172.31.x.x instead.

I have adjusted the ranges as you have suggested (I believe). I have also updated the adjusted configuration export. Thanks for your help on this.
ReichNet - Authorized administrators only. Access to this device is monitored.
[38636@ReichHub] > export hide-sensitive
# aug/02/2019 17:22:36 by RouterOS 6.44.5
# software id = 1SBQ-KUIK
#
# model = RouterBOARD 3011UiAS
# serial number = 8EEE0A24B654
/interface l2tp-server
add name=l2tp-jreich user=jreich
add name=reichnet-3978 user=3978
add name=reichnet-8794 user=8794
/interface bridge
add admin-mac=74:4D:28:2F:4E:2D arp=proxy-arp auto-mac=no name=bridge \
    protocol-mode=none
add arp=proxy-arp name=guestbridge protocol-mode=none
/interface ethernet
set [ find default-name=ether2 ] name=OutToHouse speed=100Mbps
set [ find default-name=ether1 ] name=OutToWAN speed=100Mbps
set [ find default-name=ether3 ] name=ReichNet-GUEST speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
    auto-negotiation=no name=SFP-RackSwitch speed=10Gbps
set [ find default-name=ether4 ] disabled=yes speed=100Mbps
set [ find default-name=ether5 ] disabled=yes speed=100Mbps
set [ find default-name=ether6 ] disabled=yes speed=100Mbps
set [ find default-name=ether7 ] disabled=yes speed=100Mbps
set [ find default-name=ether8 ] disabled=yes speed=100Mbps
set [ find default-name=ether9 ] disabled=yes speed=100Mbps
set [ find default-name=ether10 ] disabled=yes speed=100Mbps
/interface vlan
add interface=bridge name=srv-vlan vlan-id=50
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=PPP
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=ReichNet
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip ipsec peer
add name=peer1 passive=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp2048 dpd-maximum-failures=2 \
    enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
    aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=none
/ip pool
add name=dhcp ranges=10.0.0.101-10.0.0.254
add name=VPN-L2TP ranges=172.16.0.10-172.16.0.254
add name=dhcp-guest ranges=20.0.0.10-20.0.0.75
add name=dhcp-server ranges=30.0.0.10-30.0.0.75
add name=dhcp-l2tp-remote ranges=40.0.0.51-40.0.0.100
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=rst
add address-pool=dhcp-guest disabled=no interface=guestbridge name=guest
add address-pool=dhcp-server disabled=no interface=srv-vlan name=srv
add address-pool=dhcp-l2tp-remote disabled=no interface=OutToWAN name=\
    l2tpexternal
/ppp profile
add change-tcp-mss=yes dns-server=10.0.0.3 local-address=172.16.0.1 name=\
    VPN-L2TP remote-address=VPN-L2TP use-encryption=yes
/queue interface
set OutToWAN queue=ethernet-default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge comment=defconf interface=OutToHouse
add bridge=guestbridge comment=defconf interface=ReichNet-GUEST
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=SFP-RackSwitch
/ip neighbor discovery-settings
set discover-interface-list=none
/interface bridge vlan
add bridge=bridge vlan-ids=50
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set authentication=mschap2 default-profile=VPN-L2TP enabled=yes \
    keepalive-timeout=disabled max-mtu=1500
/interface list member
add interface=bridge list=LAN
add comment=defconf interface=OutToWAN list=WAN
add interface=guestbridge list=LAN
add list=LAN
/interface ovpn-server server
set certificate=reichnetwork_net.ca-bundle_2 cipher=\
    blowfish128,aes128,aes192,aes256
/interface pptp-server server
set default-profile=default
/interface sstp-server server
set authentication=mschap1,mschap2 certificate=reichnetwork_net.crt_0
/ip address
add address=10.0.0.1/24 comment=defconf interface=OutToHouse network=10.0.0.0
add address=**REMOVED FOR UPLOAD** interface=OutToWAN network=**REMOVED FOR UPLOADED**
add address=20.0.0.1/24 interface=guestbridge network=20.0.0.0
add address=30.0.0.1/24 interface=srv-vlan network=30.0.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=OutToWAN
/ip dhcp-server lease
add address=10.0.0.16 client-id=1:ec:71:db:f2:d8:7c comment=CAMBACKYARD-N \
    mac-address=EC:71:DB:F2:D8:7C server=rst
add address=10.0.0.14 client-id=1:ec:71:db:15:5e:4 comment=CAMBACKYARD-S \
    mac-address=EC:71:DB:15:5E:04 server=rst
add address=10.0.0.15 client-id=1:ec:71:db:c7:73:6a comment=CAMFRONTYARD-E \
    mac-address=EC:71:DB:C7:73:6A server=rst
add address=10.0.0.3 comment=P000EPRIMARY mac-address=00:0E:B6:30:89:88 server=\
    rst
add address=10.0.0.2 comment=P000EPRIMARY mac-address=00:0E:B6:30:89:89 server=\
    rst
add address=10.0.0.74 client-id=1:a4:2b:b0:20:74:df comment=\
    WIRELESS-ADAPTER-PRIVATE mac-address=A4:2B:B0:20:74:DF server=rst
add address=10.0.0.28 always-broadcast=yes client-id=1:d8:cb:8a:5f:15:cb \
    comment=PD8CBCAMERA mac-address=D8:CB:8A:5F:15:CB server=rst
add address=10.0.0.11 client-id=1:0:15:5d:0:6:0 comment=V782BDOWNLOAD \
    mac-address=00:15:5D:00:06:00 server=rst
add address=10.0.0.31 client-id=1:0:15:5d:0:6:3 comment=V782BMEDIA mac-address=\
    00:15:5D:00:06:03 server=rst
add address=10.0.0.30 comment=V782BDROPBOX mac-address=00:15:5D:00:06:04 \
    server=rst
add address=10.0.0.45 client-id=1:0:26:b9:62:27:e2 comment=P0026VIRTUAL \
    mac-address=00:26:B9:62:27:E2 server=rst
add address=10.0.0.46 client-id=1:0:26:b9:62:27:e4 comment=P0026VIRTUAL \
    mac-address=00:26:B9:62:27:E4 server=rst
add address=10.0.0.47 client-id=1:0:26:b9:62:27:e0 comment=P0026VIRTUAL \
    mac-address=00:26:B9:62:27:E0 server=rst
add address=10.0.0.48 client-id=1:0:26:b9:62:27:de comment=P0026VIRTUAL \
    mac-address=00:26:B9:62:27:DE server=rst
add address=10.0.0.51 client-id=1:34:97:f6:b7:2:43 comment=JORDAN-DESKTOP \
    mac-address=34:97:F6:B7:02:43 server=rst
add address=10.0.0.34 comment=V0026CARLYWEBSRV mac-address=00:15:5D:00:2E:02 \
    server=rst
add address=10.0.0.39 client-id=1:0:15:5d:0:2e:4 comment=V0026WEBHUB \
    mac-address=00:15:5D:00:2E:04 server=rst
add address=10.0.0.4 comment=V0026PXEBOOT mac-address=00:15:5D:00:2E:0A server=\
    rst
add address=10.0.0.49 client-id=1:98:5f:d3:5b:e5:6c comment=JORDAN-WORKPC \
    mac-address=98:5F:D3:5B:E5:6C server=rst
add address=10.0.0.38 client-id=1:0:15:5d:0:2e:12 comment=V0026EXCHANGE \
    mac-address=00:15:5D:00:2E:12 server=rst
add address=10.0.0.37 comment=V0026IRC mac-address=00:15:5D:00:2E:13 server=rst
add address=10.0.0.20 client-id=1:0:15:5d:0:2e:14 comment=V0026EXCHANGE \
    mac-address=00:15:5D:00:2E:14 server=rst
add address=10.0.0.13 client-id=1:0:15:5d:0:2e:15 comment=V0026EMAIL \
    mac-address=00:15:5D:00:2E:15 server=rst
add address=10.0.0.71 client-id=\
    ff:76:3b:fc:74:0:2:0:0:ab:11:17:95:92:7b:86:4e:27:e4 comment=V0026CARLYTEST \
    mac-address=00:15:5D:00:2E:16 server=rst
add address=10.0.0.52 client-id=1:d8:c4:97:a0:44:84 comment=CARLY-LAPTOP \
    mac-address=D8:C4:97:A0:44:84 server=rst
add address=10.0.0.32 client-id=1:0:15:5d:0:2e:18 comment=V0026POLICYTEST \
    mac-address=00:15:5D:00:2E:18 server=rst
add address=10.0.0.12 client-id=1:0:15:5d:0:2e:1a comment=V0026MONITOR \
    mac-address=00:15:5D:00:2E:1A server=rst
add address=10.0.0.36 client-id=1:0:15:5d:0:2e:1b comment=V0026JCWIN2016 \
    mac-address=00:15:5D:00:2E:1B server=rst
add address=10.0.0.50 client-id=1:1c:1b:d:ec:a7:b3 comment=CDELABARRE-PC \
    mac-address=1C:1B:0D:EC:A7:B3 server=rst
add address=10.0.0.35 client-id=1:0:15:5d:0:2e:24 comment=V0026HOMEASSIST \
    mac-address=00:15:5D:00:2E:24 server=rst
add address=10.0.0.53 client-id=1:0:15:5d:0:2e:25 comment=V0026WORKVPN \
    mac-address=00:15:5D:00:2E:25 server=rst
add address=10.0.0.33 comment=V0026LIBCATALOG mac-address=00:15:5D:00:2E:27 \
    server=rst
add address=10.0.0.10 client-id=\
    ff:80:40:df:4e:0:2:0:0:ab:11:c:b8:8a:f8:1d:7e:9a:19 comment=V0026JITSI \
    mac-address=00:15:5D:00:2E:28 server=rst
add address=10.0.0.101 client-id=1:0:4:4b:48:9b:27 comment=SHIELD-GSTNET \
    mac-address=00:04:4B:48:9B:27 server=rst
add address=10.0.0.103 comment=TV-LVRM-GSTNET mac-address=C4:1C:FF:5B:6D:5B \
    server=rst
add address=10.0.0.100 client-id=1:74:4d:28:18:a2:94 comment="SFP SWITCH CONN" \
    mac-address=74:4D:28:18:A2:94 server=rst
add address=20.0.0.10 client-id=1:14:91:82:c7:7e:16 comment=REICHNET-GUEST \
    mac-address=14:91:82:C7:7E:16 server=guest
add address=10.0.0.40 client-id=1:0:19:b9:d8:38:31 comment=P0019DEREK \
    mac-address=00:19:B9:D8:38:31 server=rst
add address=10.0.0.5 comment=V0026RADIUS mac-address=00:15:5D:00:2E:2C server=\
    rst
add address=10.0.0.29 client-id=ff:5d:0:28:4:0:1:0:1:24:b7:72:a7:0:15:5d:0:28:4 \
    comment="V0019DEREK - NEXTCLOUD" mac-address=00:15:5D:00:28:04 server=rst
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.1 netmask=24
add address=20.0.0.0/24 gateway=20.0.0.1 netmask=24
add address=30.0.0.0/24 gateway=30.0.0.1 netmask=24
add address=172.0.0.0/24 gateway=172.0.0.1
/ip dns
set allow-remote-requests=yes servers=10.0.0.3
/ip dns static
add address=10.0.0.1 name=router.lan
add address=10.0.0.1 name=router
/ip firewall address-list
add address=216.92.61.7 list=blacklist
add address=10.0.0.101 list=hardwire-block
add address=10.0.0.103 list=hardwire-block
add address=69.20.59.81 list=blacklist
add address=69.20.59.80 list=blacklist
/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
    "38636: defconf fasttrack" connection-state=established,related
add action=accept chain=input comment=\
    "38636: defconf accept established,related" connection-state=\
    established,related
add action=accept chain=forward comment=\
    "38636: defconf accept established,related" connection-state=\
    established,related
add action=accept chain=input comment="38636: Winbox" dst-port=8291 protocol=\
    tcp
add action=accept chain=forward comment="38636: NAT Traffic Permit" dst-port=\
    443,1000,32400,8096,26555,81,80,8081,3000 in-interface=OutToWAN protocol=\
    tcp
add action=accept chain=input comment="38636: L2TP 1701" dst-port=1701 \
    protocol=udp
add action=accept chain=input comment="38636: L2TP 500" dst-port=500 protocol=\
    udp
add action=accept chain=input comment="38636: L2TP 4500" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="38636: L2TP PRTL 50" protocol=ipsec-esp
add action=accept chain=forward comment="PPP: RouterOS netflow to ELK-Stack" \
    dst-address=10.0.0.33 dst-port=2055 in-interface=all-ppp protocol=udp
add action=accept chain=forward comment="PPP: accept machine PINGS" \
    in-interface=all-ppp protocol=icmp
add action=accept chain=forward comment="PPP: Allow dynamic port ranges" \
    dst-port="" in-interface=all-ppp protocol=tcp src-port=49152-65535
add action=accept chain=forward comment="PPP: Allow PXE server access" \
    dst-port="" in-interface=all-ppp protocol=udp src-port=4011
add action=accept chain=forward comment="PPP: TCP allow for AD" dst-address=\
    10.0.0.3 dst-port=53,88,135,139,389,445,464,636,3268,3269,5722,9389 \
    in-interface=all-ppp protocol=tcp
add action=accept chain=forward comment="PPP: UDP allow for AD" dst-address=\
    10.0.0.3 dst-port=53,67,88,123,137,138,389,123,445,2535 in-interface=\
    all-ppp port="" protocol=udp
add action=accept chain=forward comment="PPP: Storage access 10.0.0.9 TCP" \
    dst-address=10.0.0.9 dst-port=135-139,445 in-interface=all-ppp protocol=tcp
add action=accept chain=forward comment="PPP: Storage access 10.0.0.9 UDP" \
    dst-address=10.0.0.9 dst-port=135-139,445 in-interface=all-ppp protocol=udp
add action=drop chain=forward comment="PPP: drop all FORWARD from VPN" \
    in-interface=all-ppp log-prefix=VPNdrop
add action=drop chain=input comment="PPP: drop all INPUT from VPN" \
    in-interface=all-ppp log-prefix=VPNdrop
add action=drop chain=forward comment="GUEST: Deny all to primary network" \
    dst-address=10.0.0.0/24 in-interface=guestbridge src-address=20.0.0.0/24
add action=drop chain=forward comment=\
    "38636: drop all GST hardwire traffic to RST" dst-address=10.0.0.0/24 \
    out-interface=bridge src-address-list=hardwire-block
add action=drop chain=forward comment="38636: TCP Address Blacklist" \
    dst-address-list=blacklist protocol=tcp
add action=drop chain=forward comment="38636: defconf drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "38636: defconf drop all from WAN not DSTNATed" connection-nat-state=\
    !dstnat connection-state=new in-interface=OutToWAN
add action=drop chain=input comment="38636: drop all INPUT (WAN)" in-interface=\
    OutToWAN log=yes log-prefix=Drop_Input_WAN
add action=drop chain=forward comment="38636: drop all FORWARD (WAN)" \
    in-interface=OutToWAN log=yes log-prefix=Drop_Forward_WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
    out,none out-interface=OutToWAN
add action=dst-nat chain=dstnat comment="HTTPS PASSWORD 1000" dst-port=1000 \
    in-interface=all-ethernet protocol=tcp to-addresses=10.0.0.2 to-ports=1000
add action=dst-nat chain=dstnat comment="PLEX PORT 32400 TCP" dst-port=32400 \
    in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.31 to-ports=32400
add action=dst-nat chain=dstnat comment="EMBY PORT 8096 TCP" dst-port=8096 \
    in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.31 to-ports=8096
add action=dst-nat chain=dstnat comment=P0019DEREK-PLEX dst-port=26555 \
    in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.40 to-ports=32400
add action=dst-nat chain=dstnat comment=P0019DEREK-NEXTCLOUD dst-port=81 \
    in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.29 to-ports=81
add action=dst-nat chain=dstnat comment="HTTP WEBHUB TRAFFIC 80" dst-port=80 \
    in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.39 to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS WEBHUB TRAFFIC 443" dst-port=443 \
    in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.2 to-ports=443
add action=dst-nat chain=dstnat comment="HTTPS PASSWORD 1000" dst-port=1000 \
    in-interface=all-ethernet protocol=tcp to-addresses=10.0.0.2 to-ports=1000
add action=dst-nat chain=dstnat comment="SECURITY CAMERA SYSTEM 8081" dst-port=\
    8081 in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.28 to-ports=\
    8081
add action=dst-nat chain=dstnat comment="HTTPS MAILTRAIN 3000" dst-port=3000 \
    in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.34 to-ports=3000
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes \
    dst-port=47984 in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.51 \
    to-ports=47984
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes \
    dst-port=47989 in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.51 \
    to-ports=47989
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes \
    dst-port=48010 in-interface=OutToWAN protocol=tcp to-addresses=10.0.0.51 \
    to-ports=48010
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes \
    dst-port=47998 in-interface=OutToWAN protocol=udp to-addresses=10.0.0.51 \
    to-ports=47998
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes \
    dst-port=47999 in-interface=OutToWAN protocol=udp to-addresses=10.0.0.51 \
    to-ports=47999
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes \
    dst-port=48000 in-interface=OutToWAN protocol=udp to-addresses=10.0.0.51 \
    to-ports=48000
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes \
    dst-port=48002 in-interface=OutToWAN protocol=udp to-addresses=10.0.0.51 \
    to-ports=48002
add action=dst-nat chain=dstnat comment="MOONLIGHT - JORDAN PC" disabled=yes \
    dst-port=48010 in-interface=OutToWAN protocol=udp to-addresses=10.0.0.51 \
    to-ports=48010
/ip firewall service-port
set ftp ports=212
/ip ipsec identity
add generate-policy=port-override peer=peer1 remote-id=ignore
/ip route
add distance=1 gateway=**REMOVED FOR UPLOAD**
add distance=1 dst-address=10.0.1.0/24 gateway=reichnet-8794
add distance=1 dst-address=10.0.2.0/24 gateway=reichnet-3978
add distance=1 dst-address=172.16.0.0/24 gateway=bridge
/ip service
set telnet disabled=yes
set ftp disabled=yes port=212
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip traffic-flow
set cache-entries=128k enabled=yes
/ip traffic-flow target
add dst-address=10.0.0.33
/ip upnp
set enabled=yes
/ppp aaa
set use-radius=yes
/ppp secret
add local-address=172.16.0.1 name=8794 profile=VPN-L2TP remote-address=\
    172.16.0.240 service=l2tp
add local-address=172.16.0.1 name=3978 profile=VPN-L2TP remote-address=\
    172.16.0.242 service=l2tp
/radius
add address=10.0.0.5 realm=reichnetwork service=ppp,login,ipsec src-address=\
    10.0.0.1
/snmp
set enabled=yes
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=ReichHub
/system logging
add disabled=yes topics=ipsec
add topics=sstp
/system note
set note="ReichNet - Authorized administrators only. Access to this device is mo\
    nitored."
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/user aaa
set use-radius=yes
[38636@ReichHub] > 
General Information:
- I have three site locations including myself, each with its own private ISP and a MikroTik router at each location (172.16.0.0/24).
- I also allow people to VPN into the house through the same connection, using RADIUS through AD (172.16.0.0/24).
- The primary hub location runs off a subnet (10.0.0.0/24).
- One of the site locations has a subnet (10.0.1.0/24).
- The other site location has a subnet (10.0.2.0/24).
- I have a guest network at the primary location (20.0.0.0/24).
- I have a VLAN set up between the hub and SwOS (30.0.0.0/24).
- I can communicate between all of the 10.X addresses in both directions from the house locations. The VPN from a Windows client appears to not be able to communicate with those locations. Might be due to the fact that I have the routes built on both sides when two routers are involved.
- From the primary location, I also appear unable to communicate with the 20 and 30 subnet ranges, although I can assign computers to them and they appear to get internet connectivity.
 
CZFan (Forum Guru)

Re: Issues with SSTP connection

Sat Aug 03, 2019 6:39 pm

I don't know if you are trying to set up L2TP manually over IPsec, but I don't see "ipsec-secret="My-Preshared-Secret" one-session-per-host=yes use-ipsec=required" in the config line as per the export:

/interface l2tp-server server
set authentication=mschap2 default-profile=VPN-L2TP enabled=yes \
keepalive-timeout=disabled max-mtu=1500


Then it seems like you are dropping traffic from all-ppp interfaces in the firewall, bar a couple of ports / IPs:

/ip firewall filter
add action=drop chain=forward comment="PPP: drop all FORWARD from VPN" \
in-interface=all-ppp log-prefix=VPNdrop


Is your VPN AC behind another device? If so, there is also a registry change you will need to make on Windows, see
https://support.microsoft.com/en-gb/hel ... in-windows
 
JordanReich (Frequent Visitor, Topic Author)

Re: Issues with SSTP connection

Sat Aug 03, 2019 7:17 pm

Thanks for the review!

No, the VPN is within this device. I followed a tutorial on how to set up an L2TP/IPsec VPN for this device and it worked afterward, so I never gave it much additional thought. The preshared key is stored in IP - IPSEC - IDENTITIES under a new PEER, set up with an auth method of pre-shared key, which does appear to be working.

You are also correct: the intention is to allow the connection to establish (allow everything to respond to a PING) but block most other non-essential traffic, only opening up the ports that are necessary to make the intended reason for the connection work.

I think I account for that in the 'PPP: accept machine PINGS' for all ppp connection prior to the drop-all.

The problem right now is that when I join the VPN from a Windows machine I cannot ping any of the addresses, even from the VPN into the main 10.0.0.0/24 subnet.
[attachment: pingexample.png]
You can see in the example that I am getting the IP assigned on the remote machine. But when attempting to PING I get "destination is unavailable". If I change the VPN settings to assign an IP address to the VPN in the 10.0.0.0/24 range with proxy-arp enabled, I get a response. But in this configuration I do not appear to be bridging from one to the other.

Hope that helps provide some additional clarity!
 
CZFan (Forum Guru)

Re: Issues with SSTP connection

Sat Aug 03, 2019 10:37 pm

Change proxy-arp back to enable

On the Windows 10 VPN client config, is "Use default gateway on remote network" enabled / ticked? If not, enable it and test again.

If still problems, post results of "tracert -d 10.0.0.1" from Windows client with VPN established
 
JordanReich (Frequent Visitor, Topic Author)

Re: Issues with SSTP connection

Sat Aug 03, 2019 11:54 pm

If I enable default gateway it works fine.

I have tried this in the past. But I do not want to allow VPN connections the ability to use my internet connection if possible.

Which is where that limitation came into play but maybe there is no way around this scenario?

Thanks again!
 
CZFan (Forum Guru)

Re: Issues with SSTP connection

Sun Aug 04, 2019 12:10 am

IIRC, RoS can inject routes if you are connecting from a MikroTik client, but I don't think it can for a Windows client. You will have to disable the remote gateway and add routes manually on the Windows clients for split tunneling.

For me personally, routing all traffic via the VPN while the VPN is active is safer.
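Added example (not from the thread, and not CZFan's or JordanReich's code): the split-tunnel route setup for the Windows 10 client that the post above describes, done in PowerShell instead of the GUI. Without "Use default gateway on remote network", Windows normally installs only a classful route for the address it was handed from the pool, so a 172.16.0.x client gets no route to 10.0.0.0/24, while a 10.0.0.x client gets a 10.0.0.0/8 route and pings work; that matches what was observed earlier in the thread. The connection name "ReichNet" is assumed; the prefixes are the ones listed in the general information above. One caveat taken from the posted export: the "PPP: drop all INPUT from VPN" rule drops new connections from all-ppp to the router itself, so 10.0.0.1 will not answer a ping or tracert from the tunnel even with the routes in place, whereas ICMP to LAN hosts is accepted by the "PPP: accept machine PINGS" forward rule. The check below therefore targets a LAN host (10.0.0.3, the AD server in the export) rather than the router.

```powershell
# Added example, not part of the original thread. Assumes a Windows 10 VPN
# connection named "ReichNet" (hypothetical name) and the remote prefixes
# the thread lists: 10.0.0.0/24 (hub), 10.0.1.0/24 and 10.0.2.0/24 (sites),
# 172.16.0.0/24 (VPN pool). Run in an elevated PowerShell only if the
# connection was created with -AllUserConnection; a per-user one needs no elevation.

$vpn = 'ReichNet'

# Equivalent of unticking "Use default gateway on remote network".
Set-VpnConnection -Name $vpn -SplitTunneling $true

# Only these prefixes go through the tunnel; Internet traffic keeps using the
# local default gateway, which is the split-tunnel trade-off CZFan warns about.
$remoteNets = '10.0.0.0/24', '10.0.1.0/24', '10.0.2.0/24', '172.16.0.0/24'
foreach ($net in $remoteNets) {
    Add-VpnConnectionRoute -ConnectionName $vpn -DestinationPrefix $net -PassThru
}

# Dial using the credentials saved on the connection (rasdial prompts otherwise),
# then list what Windows actually installed on the tunnel interface.
rasdial $vpn
Get-NetRoute -InterfaceAlias $vpn |
    Sort-Object DestinationPrefix |
    Format-Table DestinationPrefix, NextHop, RouteMetric -AutoSize

# Reachability check against a LAN host, not the router: the posted firewall
# drops new input from all-ppp, but accepts ICMP from all-ppp in the forward chain.
Test-NetConnection -ComputerName 10.0.0.3 -InformationLevel Detailed

# Confirm the split: an Internet address must still resolve to the physical
# NIC's next hop, not to the VPN interface.
Find-NetRoute -RemoteIPAddress 8.8.8.8 | Select-Object InterfaceAlias, NextHop
```

If Test-NetConnection to 10.0.0.3 succeeds but hosts on 10.0.1.0/24 or 10.0.2.0/24 do not answer, the client side is done and the remaining hop is the router: the forward rules in the export only accept ICMP, a few AD and storage ports, and then drop everything else from all-ppp, and the site routers need a return route for the 172.16.0.0/24 pool.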
 
JordanReich (Frequent Visitor, Topic Author)

Re: Issues with SSTP connection  [SOLVED]

Thu Aug 08, 2019 7:52 pm

Just to update this post and outline what I implemented as a solution. Allowing the default gateway was not an acceptable solution for our implementation, but we had to allow RDP connections to pass from one subnet range to the next without being able to set the routes or allow the gateway.

The solution was to set up a Remote Desktop Gateway: establish a connection first to the RDG (which was in the originally connected subnet range) and let it negotiate a connection with another subnet range, as it had the default gateway set up. This allowed RDP access across all of the internal ranges.

The next issue was the inability to load webpages (same problem). We set up a WinGate proxy server on the same box, which allows us to load the internal webpages from external locations.

This will meet the need and for sure is outside of the scope of the router itself, but I figured it is always good to end a post with the solution.

Thanks for all your help walking through the initial stages of this!
