I am able to connect via VPN, but I can't reach other hosts in the network; only the router is reachable.
Maybe someone can help me find the fault or set the right rule.
best regards
# jun/29/2020 18:31:14 by RouterOS 6.45.7
# software id = 0YVW-DUP3
#
# model = RouterBOARD wAP R-2nD
# serial number = 86C409549322
#
# NOTE(review): plain `export` omits parameters that are at their default, so
# "not present in this export" below means "at default", not "unset".
# Two things in this export are the most likely reasons a PPTP client can talk
# to the router but not to LAN hosts:
#   1. the PPTP profile draws client addresses from pool-intern, i.e. from
#      inside bridge-intern's own 192.168.0.0/16, while no arp= setting is
#      exported for bridge-intern (so it is at its default, not proxy-arp);
#      a LAN host will then ARP for the client address directly instead of
#      sending the reply to the router — TODO confirm on the live box.
#   2. the "Block Internet" reject rule in chain=forward has no interface or
#      destination match, so it rejects every routed packet from
#      192.168.0.200-192.168.3.250, including traffic to LAN hosts.
/interface bridge
# bridge-extern carries the guest wireless (wlan-Gast); bridge-intern carries
# ether1 + wlan and is the bridge named in the PPTP profile.
add comment="Externe Gast User" name=bridge-extern
add admin-mac=B8:69:F4:11:79:2C auto-mac=no comment="Interne Verteilung" \
name=bridge-intern
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
# Two APN profiles, both with default-route-distance=1; lte1 below uses Planet3.
add apn=drei.at authentication=pap default-route-distance=1 name=Planet3
add apn=webaut default-route-distance=1 name="HoT Internet"
/interface lte
set [ find ] apn-profiles=Planet3 mac-address=AC:FF:FF:00:00:00 name=lte1
/interface wireless security-profiles
# The default profile only has supplicant-identity set here, so any SSID that
# does not name a security-profile (wlan-Gast below) falls back to it —
# presumably an open guest network; confirm with `export verbose`.
set [ find default=yes ] supplicant-identity=MikroTik
# WPA2-PSK profile for the internal SSIDs. The name "porfile-intern" is
# misspelled but referenced consistently by wlan and wlan-intern below.
add authentication-types=wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=porfile-intern supplicant-identity=""
/interface wireless
# wlan: master 2.4 GHz AP, internal SSID, WPA2-PSK.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
comment=2,4GHz disconnect-timeout=5s frequency=auto mode=ap-bridge \
multicast-buffering=disabled multicast-helper=disabled name=wlan \
radio-name="LTE Router" security-profile=porfile-intern ssid=LKintern1 \
tx-power=19 tx-power-mode=all-rates-fixed wmm-support=required wps-mode=\
disabled
# wlan-Gast: virtual AP for guests, rate-limited to 56000 per AP/client,
# no security-profile= given (uses the default profile, see above).
add default-ap-tx-limit=56000 default-client-tx-limit=56000 keepalive-frames=\
disabled mac-address=BA:69:F4:11:79:2D master-interface=wlan \
multicast-buffering=disabled multicast-helper=disabled name=wlan-Gast \
ssid="Loskrochn Gast" wds-cost-range=0 wds-default-cost=0 wps-mode=\
disabled
# wlan-intern: second internal virtual AP; its bridge port is disabled below.
add keepalive-frames=disabled mac-address=BA:69:F4:11:79:2E master-interface=\
wlan multicast-buffering=disabled name=wlan-intern security-profile=\
porfile-intern ssid="LKintern test" wds-cost-range=0 wds-default-cost=0 \
wps-mode=disabled
/interface wireless nstreme
set wlan comment=2,4GHz
/interface wireless manual-tx-power-table
set wlan comment=2,4GHz
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
# pool-intern covers 192.168.0.1-192.168.3.254 and is shared by dhcp-intern
# and the PPTP profile. It includes the router's own 192.168.0.1 (see
# /ip address) and the whole "Block Internet" range 192.168.0.200-
# 192.168.3.250 (see /ip firewall address-list).
add name=pool-intern ranges=192.168.0.1-192.168.3.254
add name=pool-extern ranges=192.169.0.1-192.169.2.250
# pool_PPTP is defined but not referenced by any profile in this export; it
# also lies inside pool-intern and inside the "Block Internet" range.
add name=pool_PPTP ranges=192.168.3.241-192.168.3.250
/ip dhcp-server
add address-pool=pool-extern disabled=no interface=bridge-extern name=\
dhcp-extern
add address-pool=pool-intern disabled=no interface=bridge-intern name=\
dhcp-intern
/ppp profile
# PPTP profile: clients get an address from pool-intern (the LAN /16) with
# 192.168.0.1 as gateway and DNS. NOTE(review): to my knowledge bridge= only
# takes effect for clients that negotiate BCP; ordinary Windows/phone PPTP
# clients are routed, so their LAN traffic passes chain=forward and LAN hosts
# must reach the client address via the router (proxy-arp on bridge-intern,
# or a pool outside 192.168.0.0/16) — TODO confirm which client type is used.
add bridge=bridge-intern change-tcp-mss=yes dns-server=192.168.0.1 \
local-address=192.168.0.1 name=PPTP remote-address=pool-intern \
use-encryption=yes
# Default profile: hands out the single address 192.168.0.100, which is also a
# static DHCP lease (comment=Lasertag) below. Both secrets in this export use
# profile=PPTP, so this only matters if a secret is created without a profile.
set *FFFFFFFE dns-server=192.168.0.1 local-address=192.168.0.1 \
remote-address=192.168.0.100
/system logging action
# Remote syslog target; 192.168.0.199 is the static lease with comment=Syslog.
set 3 remote=192.168.0.199
/interface bridge port
add bridge=bridge-intern comment=defconf interface=ether1
add bridge=bridge-intern comment=defconf interface=wlan
add bridge=bridge-extern interface=wlan-Gast
# The next two ports are disabled; wlan-intern therefore is not bridged.
add bridge=bridge-intern disabled=yes interface=wlan-intern
add bridge=bridge-intern disabled=yes interface=WAN
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
# WAN = lte1. LAN holds both bridges plus the guest AP, so every rule and
# tool that trusts the LAN list (mac-server, neighbor discovery, the
# disabled input drop rule) also trusts guests on bridge-extern/wlan-Gast.
# Dynamic PPTP interfaces are in neither list.
add interface=lte1 list=WAN
add interface=ether1 list=LAN
add interface=bridge-extern list=LAN
add interface=bridge-intern list=LAN
add interface=wlan-Gast list=LAN
add interface=wlan list=LAN
/interface pptp-server server
# PPTP server enabled. NOTE(review): PPTP's MS-CHAPv2/MPPE is widely
# regarded as broken; with the input-chain WAN drop rule disabled below the
# service is reachable from lte1. Migrating to a current VPN type is the
# durable fix; at minimum restrict who can reach tcp/1723 and GRE.
set default-profile=PPTP enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=\
bridge-intern network=192.168.88.0
# Internal /16 — same subnet the PPTP clients are addressed from.
add address=192.168.0.1/16 interface=bridge-intern network=192.168.0.0
# NOTE(review): 192.169.0.0/16 is not RFC 1918 space; it is publicly routed
# address space belonging to someone else, so guests can never reach the
# real owners of those addresses. 172.16/12 or 10/8 would avoid that.
add address=192.169.0.1/16 interface=bridge-extern network=192.169.0.0
add address=192.168.0.1/16 disabled=yes interface=ether1 network=192.168.0.0
add address=192.168.10.1/16 disabled=yes interface=wlan-Gast network=\
192.168.0.0
add address=192.168.0.1/16 disabled=yes interface=wlan network=192.168.0.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
/ip dhcp-server lease
# Static leases. Two entries (192.168.0.3 and 192.168.0.150) carry no server=
# and so are not tied to dhcp-intern.
add address=192.168.0.95 comment=Kasse mac-address=50:9A:4C:3C:0C:65 server=\
dhcp-intern
add address=192.168.0.90 comment="EC " mac-address=54:7F:54:C8:28:92 server=\
dhcp-intern
add address=192.168.3.200 client-id=1:0:f:0:53:34:56 comment=Terminal1 \
mac-address=00:0F:00:53:34:56 server=dhcp-intern
add address=192.168.2.201 client-id=1:0:f:0:4f:ce:e9 comment="Terminal 2" \
mac-address=00:0F:00:4F:CE:E9 server=dhcp-intern
add address=192.168.0.3 client-id=1:24:18:1d:d9:d:a2 mac-address=\
24:18:1D:D9:0D:A2
add address=192.168.0.100 client-id=1:40:9f:38:45:42:85 comment=Lasertag \
mac-address=40:9F:38:45:42:85 server=dhcp-intern
# 192.168.0.150 is the dst-nat target for port 8080 in /ip firewall nat.
add address=192.168.0.150 comment=CAM mac-address=00:11:14:15:55:D9
add address=192.168.0.180 client-id=1:b8:27:eb:fd:2f:86 comment=\
Haftungsausschluss mac-address=B8:27:EB:FD:2F:86 server=dhcp-intern
add address=192.168.0.4 client-id=1:24:18:1d:5f:3e:e mac-address=\
24:18:1D:5F:3E:0E server=dhcp-intern
add address=192.168.0.102 client-id=1:b8:27:eb:b6:6e:3e comment=\
"Raspy Lasertag Monitor" mac-address=B8:27:EB:B6:6E:3E server=dhcp-intern
add address=192.168.0.199 client-id=1:b8:27:eb:fa:4f:ab comment=Syslog \
mac-address=B8:27:EB:FA:4F:AB server=dhcp-intern
add address=192.168.0.181 client-id=1:b8:27:eb:8d:c9:82 mac-address=\
B8:27:EB:8D:C9:82 server=dhcp-intern use-src-mac=yes
/ip dhcp-server network
add address=192.168.0.0/16 dns-server=192.168.0.1,8.8.8.8,8.8.4.4 gateway=\
192.168.0.1 netmask=16
add address=192.169.0.0/16 dns-server=192.169.0.1,8.8.8.8,8.8.4.4 gateway=\
192.169.0.1 netmask=16
/ip dns
# allow-remote-requests=yes makes the router answer DNS on every interface;
# with the input-chain WAN drop rule disabled below, that presumably includes
# lte1 (open resolver) unless the carrier filters it — confirm.
set allow-remote-requests=yes cache-max-ttl=2d servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf disabled=yes name=router.lan
/ip firewall address-list
# "Block Internet": the upper part of pool-intern; PPTP clients can be
# allocated addresses from this range.
add address=192.168.0.200-192.168.3.250 list="Block Internet"
# "Block Local": 192.168.10.x-15.x. The rule using it matches
# in-interface=bridge-extern, whose hosts are addressed from 192.169.0.0/16,
# so as exported it would only match a guest with a hand-set 192.168 address.
add address=192.168.10.1-192.168.15.250 list="Block Local"
/ip firewall filter
# chain=forward ends without a final drop, so anything not matched by a rule
# below is accepted (RouterOS default action). Relevant consequences:
# guest (bridge-extern) -> bridge-intern traffic, and PPTP -> LAN traffic,
# are both accepted at the end of the chain unless a reject rule hits first.
add action=accept chain=forward disabled=yes dst-address=192.168.0.150 \
dst-port=8080 log-prefix=alex protocol=tcp
add action=accept chain=forward disabled=yes dst-address=192.168.0.150 \
dst-port=8080 protocol=udp
# log=yes on the rule that matches every established/related packet to the
# router produces one log line per packet (sent to the remote syslog via
# /system logging topics=firewall); likely unintended.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked log=yes log-prefix=Internet
add action=accept chain=input comment="DNS GAST" dst-port=53 in-interface=\
bridge-extern log=yes log-prefix="DNS Gast" protocol=udp src-address=\
192.169.0.0/16
add action=log chain=input disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=icmp \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): this is the only rule that closes the router's own services
# (winbox, ssh, www, api, PPTP, DNS) towards lte1, and it is disabled; the
# input chain therefore ends in accept for WAN traffic. Before enabling it,
# add accept rules for tcp/1723 and protocol=gre from WAN (for PPTP) above
# it, and note that LAN here includes the guest interfaces.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN log=yes
add action=reject chain=forward comment="Block Local" in-interface=\
bridge-extern log=yes log-prefix=block out-interface=bridge-intern \
reject-with=icmp-network-unreachable src-address-list="Block Local"
# NOTE(review): no out-interface/out-interface-list or dst-address here, so
# every routed packet from the list is rejected, not only Internet-bound
# ones. A PPTP client that received an address in 192.168.0.200-
# 192.168.3.250 can reach the router (input chain) but not LAN hosts
# (forward chain). Adding out-interface-list=WAN restores the intent.
add action=reject chain=forward comment="Block Internet" log-prefix=\
"Block Internet" reject-with=icmp-network-unreachable src-address-list=\
"Block Internet"
# NOTE(review): ipsec-policy=in,ipsec restricts this rule to packets that
# were decapsulated from IPsec; no IPsec is configured in this export, so the
# rule presumably never matches and the 80/443-only restriction for guests is
# not enforced — guest traffic falls through to the accept at the end of the
# chain. Dropping the ipsec-policy match and adding a final drop for
# in-interface=bridge-extern would enforce it.
add action=accept chain=forward comment="Internet f\FCr GAST" dst-address=\
!192.168.0.0/16 dst-port=80,443 in-interface=bridge-extern ipsec-policy=\
in,ipsec log=yes log-prefix="Gast Internet" out-interface-list=WAN \
protocol=tcp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related log-prefix=rolle12
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked log-prefix=rolle13
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Only new connections from lte1 that were not dst-nat'ed are dropped; the
# 8080 dst-nat below is therefore allowed through by this rule.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall mangle
# Disabled TTL rewrite for tethering; the comment string contains a
# mis-encoded character but is left as exported.
add action=change-ttl chain=postrouting comment=\
"Maske f\EF\BF\BDr Subnetze zu Drei" disabled=yes new-ttl=set:65 \
out-interface=lte1 passthrough=yes
/ip firewall nat
# Port 8080 tcp+udp from the LTE side is forwarded to 192.168.0.150 (lease
# comment=CAM), i.e. the camera is exposed to the Internet; restrict the
# source if the consumer is known, or front it with the VPN instead.
add action=dst-nat chain=dstnat dst-port=8080 in-interface=lte1 log-prefix=\
alex2 protocol=tcp to-addresses=192.168.0.150 to-ports=8080
add action=dst-nat chain=dstnat dst-port=8080 in-interface=lte1 log-prefix=\
alex3 protocol=udp to-addresses=192.168.0.150 to-ports=8080
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ppp secret
# Two PPTP accounts, the first disabled; both use profile=PPTP.
add disabled=yes name=michi profile=PPTP service=pptp
add name=gaigg.alexander profile=PPTP service=pptp
/system clock
set time-zone-name=Europe/Vienna
/system identity
set name=LoskrochnLTE
/system logging
add action=disk disabled=yes prefix=LTE topics=lte
# All firewall log hits go to the remote syslog action set above.
add action=remote topics=firewall
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes
/system scheduler
# Disabled daily reboot. The policy list is far wider than `/system reboot`
# needs (reboot alone suffices); trim it if the job is ever re-enabled.
add disabled=yes interval=1d name=Restart on-event="/system reboot" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=nov/16/2019 start-time=02:00:00
/tool mac-server
# MAC-telnet / MAC-winbox are allowed on the LAN list, which (see
# /interface list member) includes bridge-extern and wlan-Gast, so guests
# can reach these unauthenticated-discovery services on the router.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sms
# SMS receive is enabled with an empty allowed-number; check the RouterOS
# docs for whether an empty value means "any sender" for SMS commands, and
# confirm a secret is set if commands are meant to be accepted — TODO confirm.
set allowed-number="" port=lte1 receive-enabled=yes