blackzero

How to let ping pass through Mikrotik to PPTP client

Tue Dec 21, 2021 8:12 am

I have activated the PPTP server on the MikroTik just fine.

I have enabled proxy-arp on LAN interface.

My PPTP client connects to the MikroTik just fine, and it can also access LAN resources normally.

The MikroTik can ping the PPTP client, but hosts on the LAN cannot even ping it. I want PCs/laptops on the LAN to be able to ping/access PPTP clients.

What am I doing wrong?

Config below:
# RouterOS "/export" pasted by the topic author. Lines starting with NOTE(review)
# are reviewer annotations; the configuration statements themselves are unchanged.
/interface ethernet
set [ find default-name=ether3 ] name=Backup
set [ find default-name=ether1 ] name=Internet
# proxy-arp on LAN makes the router answer ARP for addresses it can route, which
# only matters when a LAN host ARPs for an address it believes is on its own subnet.
# NOTE(review): the PPTP client's remote-address set further down (192.168.13.200)
# is outside both active LAN subnets (192.168.11.0/24, 192.168.12.0/24), so a LAN
# host sends packets for it to its default gateway rather than ARPing for it.
# proxy-arp is therefore probably not what gates LAN -> PPTP here; confirm the
# forward chain below and the client's own host firewall instead.
set [ find default-name=ether2 ] arp=proxy-arp name=LAN
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
set 12 default-vlan-id=0
set 13 default-vlan-id=0
set 14 default-vlan-id=0
set 15 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server
# add-arp=yes: DHCP leases also create ARP entries on LAN.
add add-arp=yes disabled=no interface=LAN lease-time=1d10m name=9_dhcp
/ip firewall layer7-protocol
# Referenced by the "Allow Social Media for some clients" forward rule below.
add name=sosialMedia regexp="^.+(facebook.com|twitter.com|instagram.com).*\$"
/ip pool
# pc_pool overflows into gadgetPool via next-pool.
add name=gadgetPool ranges=192.168.11.1-192.168.11.250
add name=pc_pool next-pool=gadgetPool ranges=192.168.12.60-192.168.12.210
/system logging action
set 0 memory-lines=100
/ip settings
# Fast-path disabled: every packet takes the full firewall/mangle path.
set allow-fast-path=no
/interface l2tp-server server
# L2TP over IPsec is enabled alongside PPTP and SSTP below. NOTE(review): of the
# three, this one (or SSTP) is the server to steer clients toward; see the PPTP note.
set enabled=yes use-ipsec=yes
/interface ovpn-server server
# Only a certificate is set; no enabled=yes appears for the OVPN server in this export.
set certificate=10YearCA
/interface pptp-server server
# NOTE(review): pap, chap and mschap1 are weak PPP authentication methods (PAP
# carries the password in cleartext), and PPTP's MPPE keying derives from the
# MS-CHAP exchange, which is a known-weak design. If PPTP must stay for legacy
# clients, narrow this to authentication=mschap2 and prefer the L2TP/IPsec or
# SSTP servers that are already enabled here.
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface sstp-server server
# SSTP: mschap2 only, AES forced, same certificate as OVPN.
set authentication=mschap2 certificate=10YearCA enabled=yes force-aes=yes
/ip address
# Five public /27 addresses (.2-.6) on Internet and two LAN subnets. The
# 192.168.13.0/24 entry on LAN is disabled, so 192.168.13.x is not a directly
# connected LAN network in this configuration.
add address=112.78.139.3/27 interface=Internet network=112.78.139.0
add address=112.78.139.4/27 interface=Internet network=112.78.139.0
add address=112.78.139.5/27 interface=Internet network=112.78.139.0
add address=112.78.139.6/27 interface=Internet network=112.78.139.0
add address=192.168.11.20/24 interface=LAN network=192.168.11.0
add address=192.168.12.20/24 interface=LAN network=192.168.12.0
add address=112.78.139.2/27 interface=Internet network=112.78.139.0
add address=192.168.13.20/24 disabled=yes interface=LAN network=192.168.13.0
/ip firewall filter
# Input chain: evaluated top-down; the final "Drop Input" rule drops anything not
# accepted above it.
# (Redundant with the next rule, which already accepts established on any interface.)
add action=accept chain=input connection-state=established in-interface=\
    Internet
add action=accept chain=input comment="Accept Established / Related Input" \
    connection-state=established,related,untracked
add action=accept chain=forward comment="Allow Social Media for some clients" \
    layer7-protocol=sosialMedia protocol=tcp src-address-list=\
    Allowed_Internal_Clients
# DNS to the router from 192.168.12.0/24 on LAN. In effect superseded by the
# blanket "Allow Management Input" accept for the same subnet further down.
add action=accept chain=input dst-port=53 in-interface=LAN protocol=tcp \
    src-address=192.168.12.0/24
add action=accept chain=input dst-port=53 in-interface=LAN protocol=udp \
    src-address=192.168.12.0/24
# ICMP from the Internet is accepted without any rate limit.
add action=accept chain=input comment="Allow ping" in-interface=Internet \
    protocol=icmp
# No in-interface here: SSTP on 443 is accepted from every interface.
add action=accept chain=input comment="Allow SSTP" dst-port=443 protocol=tcp
add action=accept chain=input comment="Allow PPTP" dst-port=1723 \
    in-interface=Internet protocol=tcp
add action=accept chain=input comment="allow L2TP VPN (ipsec-esp)" \
    in-interface=Internet protocol=ipsec-esp
add action=accept chain=input comment="allow L2TP VPN (500,4500,1701/udp)" \
    dst-port=500,1701,4500 in-interface=Internet protocol=udp
# NOTE(review): Winbox (8291) is accepted from any source on the Internet
# interface. Exposed management like this is the usual way a router is lost;
# restrict it with src-address-list=<trusted-admin-addresses> or reach Winbox
# only over one of the VPNs configured here.
add action=accept chain=input comment="Allow Winbox from Internet interface" \
    dst-port=8291 in-interface=Internet protocol=tcp
# No explicit action on this rule (nor on two forward rules below). RouterOS
# treats a missing action as accept, but the neighbouring rules spell out
# action=accept; write it here too so a listing shows the intent.
add chain=input comment="Allow Management Input" src-address=192.168.12.0/24
# Whole-subnet accepts to the router, not limited to in-interface=LAN. The
# 192.168.13.0/24 rule also covers the PPTP client's remote-address, so the VPN
# client can reach the router itself.
add action=accept chain=input src-address=192.168.11.0/24
add action=accept chain=input src-address=192.168.13.0/24
# Forward chain. Apart from the two targeted drops further down (rogue DHCP,
# ssh_blacklist) nothing in forward drops, so traffic not matched here — including
# LAN -> PPTP client — falls through to RouterOS's default accept.
# NOTE(review): if that default is relied on, say so in a comment; if not, end the
# chain with an explicit drop and add the accepts that are actually wanted.
add chain=forward comment="Allow client LAN traffic out WAN" out-interface=\
    Internet src-address=192.168.12.0/24
add action=accept chain=forward out-interface=Internet src-address=\
    192.168.11.0/24
add chain=forward comment="Accept Established / Related Forward" \
    connection-state=established,related
# DNS and proxy (8080, see /ip proxy) are blocked on the public interface.
add action=drop chain=input comment=\
    "Block request for DNS and Proxy port from Internet" dst-port=53,8080 \
    in-interface=Internet protocol=udp
add action=drop chain=input dst-port=53,8080 in-interface=Internet protocol=\
    tcp
# Only the router's LAN address may answer DHCP (server port 67 -> client port 68).
add action=drop chain=forward comment="Block all rogue DHCP servers on /24" \
    dst-port=68 protocol=udp src-address=!192.168.12.20 src-port=67
# FTP brute-force handling. NOTE(review): /ip service disables ftp below, so these
# three ftp rules are inert; harmless to keep, but they suggest FTP was once open.
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
# SSH brute-force staging (stage1 -> stage2 -> stage3 -> blacklist).
# NOTE(review): every rule here keys on dst-port=22, but /ip service moves ssh to
# port 2200 below, so the staged lists only ever see probes of a closed port and
# never the real SSH service. Either change these to dst-port=2200 or accept that
# they are scanner bait. (LAN sources are already accepted by the subnet rules
# above and no input rule accepts 2200 from the Internet, so the final "Drop
# Input" covers it from outside either way.)
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
# Terminating drop for input. A log-prefix is set but no log=yes appears in the
# export, so presumably nothing is actually logged; add log=yes if the prefix is
# meant to be used.
add action=drop chain=input comment="Drop Input" log-prefix="Input Drop"
/ip firewall mangle
# NOTE(review): action=accept in mangle only stops further mangle processing for
# the packet; it does not bypass the filter chains, so this rule does not by itself
# let LAN ping reach 192.168.13.200.
add action=accept chain=prerouting dst-address=192.168.13.200 protocol=icmp \
    src-address=192.168.12.0/24
/ip firewall nat
# Fixed public source address for the conference host; the unrestricted masquerade
# further down catches everything else leaving via Internet (no src-address, so
# VPN-client traffic routed out Internet is masqueraded too).
add action=src-nat chain=srcnat comment="Outbound to ip .5 TV Conference." \
    out-interface=Internet src-address=192.168.12.1 to-addresses=112.78.139.5
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.13.200 \
    out-interface=Internet src-address=192.168.12.0/24
add action=masquerade chain=srcnat comment=masquerade out-interface=Internet \
    src-address=192.168.11.0/24
add action=masquerade chain=srcnat comment=masquerade out-interface=Internet
# Intercepts every UDP/53 seen in prerouting (no in-interface or src-address) and
# hands it to the router's LAN address.
add action=redirect chain=dstnat comment=\
    "DIRECT ALL DNS REQUESTS TO MIKROTIK INTERNAL DNS SERVER." dst-port=53 \
    protocol=udp to-addresses=192.168.12.20 to-ports=53
# NOTE(review): dst-address=112.78.135.5 differs from the 112.78.139.5 used by the
# sibling "TV Conference" rules and from every address under /ip address — most
# likely a typo, in which case this port-80 forward never matches.
add action=dst-nat chain=dstnat comment="TV Conference Ports" dst-address=\
    112.78.135.5 dst-port=80 protocol=tcp to-addresses=192.168.12.1 to-ports=\
    80
add action=dst-nat chain=dstnat dst-address=112.78.139.5 dst-port=1503 \
    protocol=tcp to-addresses=192.168.12.1 to-ports=1503
add action=dst-nat chain=dstnat dst-address=112.78.139.5 dst-port=1718 \
    protocol=tcp to-addresses=192.168.12.1 to-ports=1718
add action=dst-nat chain=dstnat dst-address=112.78.139.5 dst-port=1719 \
    protocol=tcp to-addresses=192.168.12.1 to-ports=1719
add action=dst-nat chain=dstnat dst-address=112.78.139.5 dst-port=1720 \
    protocol=tcp to-addresses=192.168.12.1 to-ports=1720
add action=dst-nat chain=dstnat dst-address=112.78.139.5 dst-port=5060 \
    protocol=tcp to-addresses=192.168.12.1 to-ports=5060
add action=dst-nat chain=dstnat dst-address=112.78.139.5 dst-port=8443 \
    protocol=tcp to-addresses=192.168.12.1 to-ports=8443
# Hairpin NAT so LAN clients can use the public addresses of the mail server
# (192.168.12.19) and the NAS (192.168.12.6).
add action=masquerade chain=srcnat comment="Hairpin Port 110 Email Server" \
    dst-address=192.168.12.19 dst-port=110 out-interface=LAN protocol=tcp \
    src-address=192.168.12.0/24
add action=masquerade chain=srcnat dst-address=192.168.12.19 dst-port=25 \
    out-interface=LAN protocol=tcp src-address=192.168.12.0/24
add action=masquerade chain=srcnat dst-address=192.168.12.19 dst-port=26 \
    out-interface=LAN protocol=tcp src-address=192.168.12.0/24
add action=masquerade chain=srcnat dst-address=192.168.12.19 dst-port=80 \
    out-interface=LAN protocol=tcp src-address=192.168.12.0/24
add action=masquerade chain=srcnat dst-address=192.168.12.19 dst-port=443 \
    out-interface=LAN protocol=tcp src-address=192.168.12.0/24
add action=masquerade chain=srcnat comment="Hairpin Port 443/SSL STI-NAS" \
    dst-address=192.168.12.6 dst-port=443 out-interface=LAN protocol=tcp \
    src-address=192.168.12.0/24
add action=masquerade chain=srcnat dst-address=192.168.12.6 dst-port=80 \
    out-interface=LAN protocol=tcp src-address=192.168.12.0/24
# Public-side port forwards for the mail server on 112.78.139.4.
add action=dst-nat chain=dstnat comment="SMTP + POP mail.9.co.id" \
    dst-address=112.78.139.4 dst-port=26 protocol=tcp to-addresses=\
    192.168.12.19 to-ports=26
add action=dst-nat chain=dstnat dst-address=112.78.139.4 dst-port=25 \
    protocol=tcp to-addresses=192.168.12.19 to-ports=25
add action=dst-nat chain=dstnat dst-address=112.78.139.4 dst-port=110 \
    protocol=tcp to-addresses=192.168.12.19 to-ports=110
add action=dst-nat chain=dstnat dst-address=112.78.139.4 dst-port=443 \
    protocol=tcp to-addresses=192.168.12.19 to-ports=443
add action=dst-nat chain=dstnat dst-address=112.78.139.4 dst-port=80 \
    protocol=tcp to-addresses=192.168.12.19 to-ports=80
# Transparent proxy: port 80 from 192.168.12.0/24 is redirected to the local
# proxy on 8080 (see /ip proxy).
add action=redirect chain=dstnat comment="Transparent Web Proxy" dst-port=80 \
    protocol=tcp src-address=192.168.12.0/24 to-ports=8080
# NAS exposure from the Internet is currently disabled.
add action=dst-nat chain=dstnat comment="NAS from Internet" disabled=yes \
    dst-address=112.78.139.6 dst-port=443 protocol=tcp to-addresses=\
    192.168.12.6 to-ports=443
/ip proxy
# Web proxy using the router's LAN address. The input chain drops 8080 on the
# Internet interface, so it should not be reachable as an open proxy from outside
# — assuming no other interface is exposed.
set enabled=yes src-address=192.168.12.20
/ip route
# Default route via the ISP gateway, sourced from the .3 public address.
add distance=1 gateway=112.78.139.1 pref-src=112.78.139.3 scope=10
/ip service
# telnet/ftp/api disabled and ssh moved to 2200 (see the ssh rules above).
# NOTE(review): www and winbox are not listed here, so they are presumably at
# their defaults — confirm whether www should be disabled or restricted with
# address= to the LAN.
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/ip smb
# SMB file sharing only on LAN, guests disallowed.
set allow-guests=no interfaces=LAN
/ip smb users
# Read/write SMB user; a plain /export does not show its password.
add name=zero read-only=no
/ppp secret
# The PPTP client under discussion: router side 192.168.12.20 (its LAN address),
# client side 192.168.13.200, which is not inside any active LAN subnet. The
# password is omitted by the export. NOTE(review): no service= is set, so with
# the default this secret presumably works on every enabled PPP server
# (PPTP, L2TP, SSTP); pin service= if that is not intended.
add local-address=192.168.12.20 name=nasremote remote-address=192.168.13.200
/system clock
set time-zone-name=Asia/Jakarta
/system ntp client
# Plain NTP (unauthenticated) from two fixed servers.
set enabled=yes primary-ntp=203.114.225.252 secondary-ntp=82.219.4.30
