mrmut
Member Candidate
Topic Author
Posts: 199
Joined: Mon May 18, 2009 2:10 pm

SSTP VPN / Issue users connect but can't go anywhere

Tue Mar 24, 2020 9:27 pm

I have a Mikrotik device for local WiFi. As we have Coronacrap now, I tried to configure VPN.

I made server and root certificates, configured SSTP, and forwarded the port 443 to the MikroTik.

Users can connect, but they don't see the local network and can't connect to the NAS over IP.

I tried turning off the Firewall for testing, and tried to compare the configuration with another MikroTik but couldn't find out what is wrong. I am pretty sure it is something stupid in Q, but don't know what.

Any help appreciated, config below:
/interface bridge
add admin-mac=64:D1:54:5D:D7:7E auto-mac=no comment=defconf fast-forward=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=ether2-master
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=2 band=2ghz-onlyn basic-rates-a/g=12Mbps basic-rates-b="" disabled=no \
    distance=indoors frequency=2452 installation=indoor mode=ap-bridge rate-set=configured ssid=PRIJATELJI \
    supported-rates-a/g=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b="" wireless-protocol=802.11 wps-mode=\
    disabled
set [ find default-name=wlan2 ] antenna-gain=2 band=5ghz-n/ac basic-rates-a/g=12Mbps channel-width=20/40mhz-Ce disabled=\
    no distance=indoors frequency=5200 installation=indoor mode=ap-bridge rate-set=configured ssid=PRIJATELJI \
    supported-rates-a/g=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps wireless-protocol=802.11 wps-mode=disabled
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.13.100-192.168.13.200
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay interface=bridge name=defconf
/ppp profile
add dns-server=192.168.5.1,192.168.5.42 local-address=192.168.5.13 name=VPN on-down=\
    ":for i from=1000 to=40 step=-20 do={\r\
    \n  :beep frequency=\$i length=11ms;\r\
    \n  :delay 11ms;\r\
    \n}" on-up=":beep frequency=660 length=100ms;\r\
    \n:delay 150ms;\r\
    \n:beep frequency=660 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=660 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=510 length=100ms;\r\
    \n:delay 100ms;\r\
    \n:beep frequency=660 length=100ms;\r\
    \n:delay 300ms;\r\
    \n:beep frequency=770 length=100ms;\r\
    \n:delay 550ms;" remote-address=vpn
/interface bridge port
add bridge=bridge interface=ether2-master
add bridge=bridge interface=wlan1
add bridge=bridge interface=wlan2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
add bridge=bridge interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=wlan1 list=discover
add interface=wlan2 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
/interface sstp-server server
set authentication=mschap2 certificate=Server default-profile=VPN enabled=yes force-aes=yes pfs=yes tls-version=only-1.2
/ip address
add address=192.168.5.2/24 comment=defconf interface=ether2-master network=192.168.5.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=bridge
/ip dhcp-server network
add address=192.168.5.0/24 comment=defconf gateway=192.168.5.2 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.5.2 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related \
    disabled=yes
add action=accept chain=input comment="SSTP in (443)" disabled=yes dst-port=443 log=yes log-prefix="SSTP in (443)" \
    protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=\
    yes
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related \
    disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface=ether1
/ip firewall nat
# in/out-interface matcher not possible when interface (ether1) is slave - use master instead (bridge)
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
/ppp secret
add name=prijateljivpn profile=VPN
/system clock
set time-zone-name=Europe/Zagreb
/system logging
add topics=sstp
/system package update
set channel=long-term
/tool mac-server
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: SSTP VPN / Issue users connect but can't go anywhere

Tue Mar 24, 2020 11:33 pm

You should add a route on the VPN client for the local subnet...
 
mrmut
Member Candidate
Topic Author
Posts: 199
Joined: Mon May 18, 2009 2:10 pm

Re: SSTP VPN / Issue users connect but can't go anywhere

Wed Mar 25, 2020 3:10 pm

> You should add a route on the VPN client for the local subnet...
I tried, but that didn't help (or I did it wrong).

Then I tried adding a masq and everything worked:
/ip firewall nat
add action=masquerade chain=srcnat comment="MASKA ZA VPN" out-interface=bridge
Is this the right way to do this?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: SSTP VPN / Issue users connect but can't go anywhere

Wed Mar 25, 2020 9:56 pm

If you masquerade then basically you perform NAT and the packet that leaves the Bridge has the Address of the Bridge interface...
So the SSTP client will be seeing the router's Bridge Address and not the Client's who is behind the Router...
All depends on your whole config... Since it didn't work before, then the packet was marked most likely as invalid...
I don't see any address in the Bridge on your config above...
 
mrmut
Member Candidate
Topic Author
Posts: 199
Joined: Mon May 18, 2009 2:10 pm

Re: SSTP VPN / Issue users connect but can't go anywhere

Thu Mar 26, 2020 11:27 am

> If you masquerade then basically you perform NAT and the packet that leaves the Bridge has the Address of the Bridge interface...
> So the SSTP client will be seeing the router's Bridge Address and not the Client's who is behind the Router...
> All depends on your whole config... Since it didn't work before, then the packet was marked most likely as invalid...
> I don't see any address in the Bridge on your config above...
I have an address on my eth2 192.168.5.2, and a DHCP one of 192.168.5.42 on the bridge.

It seems to me that I did a misconfiguration on VPN - I should have put local address on VPN pool... to 192.168.13.1

If I understand correctly, I would have to make a route that sends packets destined to local network, from VPN network, like this? ->
/ip route add dst-address=192.168.5.0/24 gateway=192.168.13.1
?

(Thanks and sorry for the stupid Qs.)
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: SSTP VPN / Issue users connect but can't go anywhere

Thu Mar 26, 2020 8:34 pm

Yes correct...
Also, you should use bridges... and when you do, you set the Address on the Bridge and not at the slave interface...
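The changes the thread converges on (LAN address on the bridge, a VPN gateway inside the VPN pool, and a return path for LAN hosts) as one RouterOS CLI example; this is added here and is not any poster's config. The NAS at 192.168.5.50 and the role of 192.168.5.1 as the LAN hosts' default gateway are assumptions.

```routeros
# Added example, not from the thread. Addresses come from the posted export;
# the NAS at 192.168.5.50 is an assumed placeholder.

# 1. The LAN address belongs on the bridge, not on the slave port ether2-master.
/ip address
remove [ find address="192.168.5.2/24" ]
add address=192.168.5.2/24 interface=bridge network=192.168.5.0 comment="LAN on bridge"

# 2. The VPN side gets its own gateway address inside the pool's subnet
#    (the pool is 192.168.13.100-200, so 192.168.13.1 is free).
/ppp profile
set VPN local-address=192.168.13.1 remote-address=vpn

# 3a. Return path without NAT. The MikroTik already has a connected route to
#     192.168.5.0/24 through the bridge; what LAN hosts lack is a route back
#     to 192.168.13.0/24 on whichever device they use as default gateway
#     (assumed here to be 192.168.5.1). If that device runs RouterOS:
#       /ip route add dst-address=192.168.13.0/24 gateway=192.168.5.2
#     With this approach the NAS logs the real VPN client address.

# 3b. Return path with NAT, scoped to VPN sources only (the rule posted above
#     masquerades everything leaving the bridge). LAN hosts then see every
#     VPN client as 192.168.5.2, so per-client attribution in NAS logs is lost.
/ip firewall nat
add chain=srcnat src-address=192.168.13.0/24 out-interface=bridge \
    action=masquerade comment="VPN to LAN"

# 4. Least privilege for VPN users: only the NAS is reachable, and the defconf
#    rules that were disabled for testing are turned back on. The new forward
#    rules append after the existing "accept established,related" rule, so
#    return traffic is still allowed.
/ip firewall filter
add chain=forward src-address=192.168.13.0/24 dst-address=192.168.5.50 \
    action=accept comment="VPN -> NAS"
add chain=forward src-address=192.168.13.0/24 action=drop \
    comment="VPN -> anything else"
enable [ find comment~"defconf" ]
enable [ find comment="SSTP in (443)" ]
```

Pick either 3a or 3b, not both; 3a keeps client addresses visible to the NAS, 3b works without touching the LAN gateway.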
 
mrmut
Member Candidate
Topic Author
Posts: 199
Joined: Mon May 18, 2009 2:10 pm

Re: SSTP VPN / Issue users connect but can't go anywhere

Fri Mar 27, 2020 9:55 am

As I really shouldn't break stuff remotely, I am testing this on my home router. Will post back if all worked.

Thanks for help!
