The tunnel is established and connected to my public IP with RouterOS 6.45.2.
The topology is basically similar to what the IP/IPsec manual describes under "RoadWarrior client with NAT".
All the clients' subnets can reach my public MikroTik; that is working fine. I just cannot figure out how to reach my client behind NAT from my public ROS. As far as I could read, this should be possible once I have a public IP available.
Port forwarding? Routing? Firewall?
Unfortunately I only have the log from the one ROS that is on the public IP.
I'd appreciate your support, guys. Thanks.
# aug/01/2019 19:05:23 by RouterOS 6.45.2
# model = 951G-2HnD
# NOTE(review): plain export — pre-shared keys, SNMP community strings and
# e-mail credentials do not appear in this listing, so their strength cannot
# be reviewed from here.
/interface ethernet
# ether1 is the uplink: it takes its address by DHCP (see /ip dhcp-client) and
# is the only member of the "WAN" interface list further down.
set [ find default-name=ether1 ] name="ether1 WAN" speed=100Mbps
# arp=proxy-arp: the router answers ARP on this LAN port for addresses it has a
# route to — presumably so VPN clients (10.10.10.20/30) are reachable from LAN
# hosts without extra routes; confirm that this is intended.
set [ find default-name=ether2 ] arp=proxy-arp name="ether2-master & VU+" \
speed=100Mbps
set [ find default-name=ether3 ] name="ether3 Pracovna"
set [ find default-name=ether4 ] name="ether4 ObyvackaSwitch" speed=100Mbps
# ether5 is a separately routed segment (192.168.8.0/24), not a bridge member.
set [ find default-name=ether5 ] name="ether5 Lucinka" speed=100Mbps
# IKEv2 road-warrior server side: policy group, IKE profile, peer and proposals.
/ip ipsec policy group
add name=ikev2-policies
/ip ipsec profile
# NOTE(review): the default profile enables 3des and modp1024 (DH group 2),
# both considered weak today, and disables dead-peer detection so stale SAs
# linger until their lifetime expires. The "ikev2" profile below also offers
# 3des and sets no dh-group, so it runs with the RouterOS default — confirm on
# the device and prefer aes-256 with a stronger group if every client supports it.
set [ find default=yes ] dh-group=modp1024 dpd-interval=disable-dpd \
enc-algorithm=aes-256,aes-128,3des
add enc-algorithm=aes-256,aes-128,3des name=ikev2
/ip ipsec peer
# passive=yes: this router only answers IKE initiations from the road-warrior
# clients; exchange-mode=ike2 selects IKEv2.
add exchange-mode=ike2 name=ikev2 passive=yes profile=ikev2
/ip ipsec proposal
# Phase 2 proposals still list 3des and sha1. The "ikev2" proposal uses
# pfs-group=none, so child SAs are not protected by a fresh DH exchange on rekey.
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,aes-128-cbc,3des lifetime=1h
add auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des \
lifetime=8h name=ikev2 pfs-group=none
/ip pool
# DHCP pools for the two LAN segments plus the pool handed to IKEv2 clients
# through mode-config below.
add name=dhcp ranges=192.168.9.207-192.168.9.226
# 10.10.10.20/30 is four addresses, i.e. a handful of concurrent VPN clients.
add name=ikev2 ranges=10.10.10.20/30
add name=dhcp_lucinka ranges=192.168.8.227-192.168.8.240
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge lease-time=12m name=\
"dhcp obyvacka"
add address-pool=dhcp_lucinka disabled=no interface="ether5 Lucinka" name=\
"dhcp lucinka"
/ip ipsec mode-config
# Pushed to each client: one /32 from the ikev2 pool, a split-include so only
# the two LAN prefixes are routed into the tunnel, and no router DNS servers
# (system-dns=no).
# NOTE(review): the "system-dns=no" line below lost its continuation "\" in
# the paste; in the real export it belongs to this same "add" command.
add address-pool=ikev2 address-prefix-length=32 name=ikev2-conf \
split-include=192.168.9.0/24,192.168.8.0/24
system-dns=no
/snmp community
# SNMPv3 auth/privacy protocols for the default community. Whether SNMP is
# enabled and which community/user credentials apply are not in this listing.
set [ find default=yes ] authentication-protocol=SHA1 encryption-protocol=AES
/system logging action
# E-mail target for log events (address redacted by the poster). STARTTLS is
# requested; the SMTP server and credentials live under /tool e-mail, not shown.
add email-start-tls=yes email-to=xxx@gmail.com name=eventsTOemail \
target=email
/interface bridge port
# LAN bridge: ether2, ether3, ether4 and wlan1. ether5 is kept out of the
# bridge (disabled=yes) because it carries its own routed subnet.
add bridge=bridge comment=defconf interface="ether2-master & VU+"
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge interface="ether3 Pracovna"
add bridge=bridge interface="ether4 ObyvackaSwitch"
add bridge=bridge disabled=yes interface="ether5 Lucinka"
/interface bridge settings
# use-ip-firewall=yes: frames bridged between LAN ports also traverse the IP
# firewall, so the filter rules below see intra-LAN traffic as well.
set use-ip-firewall=yes
/ip neighbor discovery-settings
# Neighbor discovery is disabled on all interfaces; the "discover" list
# populated below is therefore not referenced by discovery at all.
set discover-interface-list=none
/interface l2tp-server server
# L2TP/IPsec server settings (MS-CHAPv2, IPsec required). "enabled=" is absent
# from the export, so it should still be at the default (disabled) — confirm on
# the device, since an enabled L2TP server needs its own IPsec secret.
set allow-fast-path=yes authentication=mschap2 use-ipsec=yes
/interface list member
add interface="ether2-master & VU+" list=discover
add interface="ether3 Pracovna" list=discover
add interface="ether4 ObyvackaSwitch" list=discover
add interface="ether5 Lucinka" list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface="ether1 WAN" list=discover
# mac-winbox: presumably consumed by /tool mac-server mac-winbox (not shown),
# limiting MAC-level Winbox access to these two LAN interfaces.
add interface="ether2-master & VU+" list=mac-winbox
add interface=wlan1 list=mac-winbox
# "WAN"/"LAN" lists exist, but every firewall rule in this export matches on
# the interface name ("ether1 WAN") rather than on these lists.
add interface="ether1 WAN" list=WAN
add interface=bridge list=LAN
/ip address
# NOTE(review): the LAN address sits on ether2, which is a bridge port, while
# the DHCP server is bound to "bridge". On the post-6.41 bridge an address on a
# slave port may be flagged invalid — verify that /ip address shows it active.
add address=192.168.9.1/24 comment=defconf interface="ether2-master & VU+" \
network=192.168.9.0
add address=192.168.8.1/24 interface="ether5 Lucinka" network=192.168.8.0
/ip dhcp-client
# The public address on ether1 is obtained by DHCP from the ISP.
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
"ether1 WAN"
/ip dhcp-server network
# No dns-server is given for 192.168.8.0/24 (unlike 192.168.9.0/24 below);
# presumably the router's own DNS settings are handed out then — confirm.
add address=192.168.8.0/24 gateway=192.168.8.1
add address=192.168.9.0/24 comment=defconf dns-server=192.168.9.1 gateway=\
192.168.9.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for any source the
# input chain lets in; the "DNS spoofing" drop rules restrict that to the
# "dns ok" list. Upstream server redacted by the poster.
set allow-remote-requests=yes servers=x.x.x.x
/ip dns static
add address=192.168.9.1 name=router
/ip firewall address-list
# 192.168.8.0/23 covers both LANs (192.168.8.0-192.168.9.255). The VPN pool
# 10.10.10.20/30 is not included, so VPN clients cannot query this router's DNS.
add address=192.168.8.0/23 list="dns ok"
/ip firewall filter
# Rule order matters: each chain is evaluated top-down and the first match wins.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
# IKE (500/udp) and NAT-T (4500/udp) from the Internet. Plain ESP (protocol
# ipsec-esp) is never accepted on input, so a road-warrior that is NOT behind
# NAT would hit the final WAN drop; for NAT-T clients (the case described
# above) everything rides on 4500/udp and this rule is sufficient.
add action=accept chain=input comment="allow ikev2 VPN (500,4500/udp)" \
dst-port=500,4500 in-interface="ether1 WAN" protocol=udp
# VPN clients may forward anywhere and anything may be forwarded to them —
# wider than the split-include prefixes pushed to the clients.
add action=accept chain=forward comment="VPN ikev2 allow" dst-address=\
0.0.0.0/0 src-address=10.10.10.20/30
add action=accept chain=forward comment="VPN ikev2 allow" dst-address=\
10.10.10.20/30 src-address=0.0.0.0/0
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
# "blacklist" is not defined under /ip firewall address-list in this export;
# if the list is empty this rule matches nothing.
add action=drop chain=input comment="blacklist spam addresses" \
src-address-list=blacklist
# NOTE(review): Winbox (8291/tcp) is accepted on every interface, WAN included.
# The comment says access is limited under /ip service, which is not part of
# this export — confirm that the "address=" restriction really exists, because
# this rule alone does not limit the source.
add action=accept chain=input comment=\
"allow winbox wan na vymedzenych IP (v ip services)" dst-port=8291 \
protocol=tcp
# Prevents an open resolver (allow-remote-requests=yes under /ip dns): new DNS
# connections are dropped unless the source is in "dns ok" (both LANs). VPN
# clients are outside that list and are dropped here too.
add action=drop chain=input comment=\
"_____________Zacatek pridaneho FW : DNS spoofing" connection-state=new \
dst-port=53 protocol=tcp src-address-list="!dns ok"
add action=drop chain=input comment="DNS spoofing" connection-state=new \
dst-port=53 protocol=udp src-address-list="!dns ok"
# Port-scan heuristics: sources outside "trusted" (also not defined in this
# export, so currently every source) that trip psd or send malformed TCP flag
# combinations are listed for two weeks and dropped below. These rules precede
# the established/related accept at the end of the chain, so every packet to
# the router is evaluated against them.
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1 src-address-list=!trusted
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp src-address-list=!trusted tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
src-address-list=!trusted tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
src-address-list=!trusted tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp src-address-list=!trusted tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
src-address-list=!trusted tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
src-address-list=!trusted tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" \
src-address-list="port scanners"
# NOTE(review): nothing jumps into chain "icmp" (there is no action=jump
# jump-target=icmp in input or forward), so the rate-limited ICMP rules below
# are never evaluated. ICMP to the router is instead accepted without limit by
# the "accept chain=input protocol=icmp" rule further down; either add a jump
# rule ahead of it or remove this chain.
add action=accept chain=icmp comment="Limited Ping Flood" icmp-options=\
0:0-255 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=3:3 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=3:4 limit=5,5:packet protocol=icmp
add action=accept chain=icmp icmp-options=8:0-255 limit=5,5:packet protocol=\
icmp
add action=accept chain=icmp icmp-options=11:0-255 limit=5,5:packet protocol=\
icmp
add action=drop chain=icmp comment="_____________Konec pridaneho FW" \
protocol=icmp
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Forward: new connections from WAN that were not DST-NATed are dropped. This
# export contains no dst-nat rules, so nothing is exposed by port forwarding.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface="ether1 WAN"
# Tail of input: unconditional ICMP accept (this is what actually answers
# pings), established/related, then drop everything else from WAN. Traffic
# from LAN and from VPN clients to the router itself is not restricted by any
# later rule.
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface="ether1 WAN"
/ip firewall nat
# NOTE(review): road-warrior examples commonly place an
# "action=accept ipsec-policy=out,ipsec" srcnat rule ahead of masquerade so LAN
# traffic towards VPN clients keeps its LAN source address; none is present
# here. The template policy matches src 0.0.0.0/0, so selection should still
# work, but clients would see the WAN address as source — confirm on the device.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface="ether1 WAN"
/ip ipsec identity
# Certificate-based identities. The first pins one client certificate
# (rw-client3) via match-by=certificate; the second sets no match-by or
# remote-certificate and, per its comment, is shared by several devices —
# presumably it accepts any certificate the server trusts; confirm.
# generate-policy=port-strict: a policy is created from the template group per
# connection.
add auth-method=digital-signature certificate=server1 comment="iOS Janka" \
generate-policy=port-strict match-by=certificate mode-config=ikev2-conf \
peer=ikev2 policy-template-group=ikev2-policies remote-certificate=\
rw-client3
add auth-method=digital-signature certificate=server1 comment=\
"S9 JM, MikrotikLazany, WIN10" generate-policy=port-strict mode-config=\
ikev2-conf peer=ikev2 policy-template-group=ikev2-policies
/ip ipsec policy
# Template: generated policies select only the client's assigned address from
# the /30 pool. Subnets behind a NATed client are outside this selector unless
# the template's dst-address is widened — presumably relevant to the question
# above; confirm against the client-side configuration.
add dst-address=10.10.10.20/30 group=ikev2-policies proposal=ikev2 \
src-address=0.0.0.0/0 template=yes
/ip route
# Disabled default-style route; 192.168.200.253 appears nowhere else in this
# export, so it currently has no effect.
add disabled=yes distance=1 gateway=192.168.200.253