Community discussions

MikroTik App
 
lozio84
just joined
Topic Author
Posts: 7
Joined: Thu Dec 31, 2020 11:14 am

Routing between VPN

Thu Dec 31, 2020 12:52 pm

Hello, happy ending 2020 and happy new year!!
I open this post to ask you for help on what might be the optimal configuration in my situation.
I have several devices (rb 750) connected via eoip over sstp to a vpn server (RB 2011). I have clients who connect to RB2011 through the ovpn connections made by windows and each have to reach their own network behind rb750.
so i wish each opvn could only connect to a certain rb 750 and connected devices under it.
Can I do this with firewall rules or static routes?
Thank you all!!

ip lan RB750_1 192.168.250.1/24 ip eoip 10.10.10.2
ip lan RB750_2 192.168.250.1/24 ip eoip 10.10.10.3
ovpn_1 ip 20.20.20.2
ovpn_2 ip 20.20.20.3
# model = RB2011UiAS
/interface bridge
add name=bridge-S1
add name=bridge-S2
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 password=xx user=xx
/interface eoip
add local-address=10.10.10.1 mac-address=02:AD:EC:5F:AC:A1 name=eoip-S1 remote-address=10.10.10.2 tunnel-id=100
add local-address=10.10.10.1 mac-address=02:24:02:98:DB:C0 name=eoip-S2 remote-address=10.10.10.3 tunnel-id=101
/ip pool
add name=dhcp_pool0 ranges=192.168.1.1-192.168.1.200
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=ether5 name=dhcp1
/ppp profile
add name=vpn-profile use-compression=no use-encryption=required
set *FFFFFFFE local-address=20.20.20.1
/interface bridge port
add bridge=bridge-S1 interface=ether10
add bridge=bridge-S1 interface=eoip-S1
add bridge=bridge-S2 interface=eoip-S2
/interface ovpn-server server
set auth=sha1 certificate=server cipher=blowfish128,aes128,aes192,aes256 default-profile=vpn-profile enabled=yes require-client-certificate=yes
/interface sstp-server server
set enabled=yes port=5443
/ip address
add address=192.168.1.200/24 disabled=yes interface=ether1 network=192.168.1.0
add address=192.168.250.190/24 disabled=yes interface=bridge-S1 network=192.168.250.0
add address=192.168.1.251/24 interface=ether5 network=192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8,46.23.197.135 gateway=192.168.1.251
/ip dns
set servers=8.8.8.8
/ip firewall filter
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input dst-port=1723 protocol=udp
add action=accept chain=input dst-port=1194 protocol=tcp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input dst-port=500 protocol=udp
add action=accept chain=input dst-port=4500 protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.1.0/24
/ip route
add distance=1 gateway=192.168.1.251
/ppp secret
add local-address=10.10.10.1 name=xx password=xx remote-address=10.10.10.2 service=sstp
add local-address=10.10.10.1 name=xx password=xx remote-address=10.10.10.3 service=sstp
add local-address=20.20.20.1 name=yy password=yy profile=vpn-profile remote-address=20.20.20.2 service=ovpn
add local-address=20.20.20.1 name=yy password=yy profile=vpn-profile remote-a

Who is online

Users browsing this forum: ib254254 and 191 guests