I have been using ROS for so many years that I made all my relatives and friends buy a Routerboard, setting up a VPN connection to each one for remote management of both their clients and the RB itself.
After several years there are still three situations that I have not been able to solve in any way:
1. Is it possible to have layer2 connectivity between two RBs connected in L2TP while keeping the different subnets?
RB Server = 192.168.0.0/24
Remote RB = 192.168.50.0/24
I would like to be able to find my DLNA servers, printers or PCs simply by searching for them from the "network" in Windows from the remote LAN (192.168.50.0/24).
I have tried EoIP and BCP, but to work they need the same subnet on both sides, whereas I would like to keep them different.
Is there a solution?
2. I would like my clients with L2TP VPN set up (Android and Windows) when connected to the LAN 192.168.0.0/24 to be able to reach my DLNA servers, printers etc as if they were physically inside the building.
I have read that to do this I have to set, in the PPP profile, a Local IP and Remote IP from the same subnet 192.168.0.0/24, point it at the local bridge, and enable Proxy-ARP on the local bridge. Is this correct?
I currently have a separate IP pool for VPN clients (192.168.89.0/24): can I keep a different address range, or do I need to unify them?
3. When a remote VPN client (Windows or Android) connects to my LAN (192.168.0.0/24) and I search for "\\NAS_Home" in Windows, it finds nothing, but if I enter its IP it works. Is it possible to have DNS resolution for remote VPN clients?
If I use a second RB connected via VPN to the home LAN, I have to enter a static entry on that RB under IP > DNS, but even so, typing "\\NAS_Home" does not work; I discovered that if I enter "NAS_Home.local" under IP > DNS instead, then everything works.
Is there any way around this? On the RB server I have set the RB's own IP as the DNS server for both local clients and remote VPN clients, but it still does not work.
NAS_Home is a Synology NAS connected to my LAN (192.168.0.0/24) with IP 192.168.0.6
For now I would like to stay on ROS v6, I still don't trust v7 too much.
I read about Zerotier on v7 but I didn't understand if I could have Layer2 connectivity with different subnets (192.168.0.0/24 and 192.168.50.0/24)
I would be very happy if someone would help me to solve these three points because I'm going crazy: D
Sorry for my English
Config RB Server/home (192.168.0.0/24)
# jul/14/2022 18:44:07 by RouterOS 6.48.6
# software id = [HIDE]
#
# model = RBD52G-5HacD2HnD
# serial number = [HIDE]
/interface wireless
# Both radios run in ap-bridge mode and are members of "bridge" (see /interface bridge port below).
# Neither "set" names a security-profile, so both use the default profile configured further down.
set [ find default-name=wlan1 ] band=2ghz-onlyn comment="Wlan 2.4 Ghz" \
country=no_country_set disabled=no distance=indoors frequency=auto \
frequency-mode=manual-txpower installation=indoor mode=ap-bridge ssid=\
Rete-Privata tx-power=18 tx-power-mode=all-rates-fixed wireless-protocol=\
802.11 wmm-support=enabled
set [ find default-name=wlan2 ] band=5ghz-n/ac channel-width=20/40/80mhz-XXXX \
comment="Wlan 5 Ghz" country=no_country_set disabled=no distance=indoors \
frequency=auto frequency-mode=manual-txpower installation=indoor mode=\
ap-bridge skip-dfs-channels=all ssid=Rete-Privata-5 tx-power=20 \
tx-power-mode=all-rates-fixed wireless-protocol=802.11 wmm-support=\
enabled
/interface bridge
# Single LAN bridge; auto-mac=no pins the bridge MAC to admin-mac so it does not change with port membership.
add admin-mac=[HIDE] auto-mac=no comment=defconf name=bridge
/interface ethernet
# Port roles: ether1 is the WAN uplink, ether2-5 are LAN (all bridged in /interface bridge port).
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment="Switch Principale"
set [ find default-name=ether3 ] comment="Centralino VOIP"
set [ find default-name=ether4 ] comment="Camera Luca"
set [ find default-name=ether5 ] comment=NAS
/interface wireless manual-tx-power-table
set wlan1 comment="Wlan 2.4 Ghz"
set wlan2 comment="Wlan 5 Ghz"
/interface wireless nstreme
set wlan1 comment="Wlan 2.4 Ghz"
set wlan2 comment="Wlan 5 Ghz"
/interface list
# The WAN/LAN lists drive the firewall, neighbor discovery and mac-server rules below.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# Default profile shared by both radios: WPA2-PSK only (no WPA1 fallback), dynamic keys.
# The pre-shared key itself is not shown in this export.
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys supplicant-identity=MikroTik
/ip kid-control
# system-dummy is the auto-created kid-control placeholder (every day window set to 0s-1d); not user policy.
add fri=0s-1d mon=0s-1d name=system-dummy sat=0s-1d sun=0s-1d thu=0s-1d tue=\
0s-1d tur-fri=0s-1d tur-mon=0s-1d tur-sat=0s-1d tur-sun=0s-1d tur-thu=\
0s-1d tur-tue=0s-1d tur-wed=0s-1d wed=0s-1d
/ip pool
# "dhcp" serves the LAN; "vpn" is the 192.168.89.x range handed to PPP peers. The six site-to-site
# peers get fixed addresses inside that range via /ppp secret.
add name=dhcp ranges=192.168.0.10-192.168.0.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp always-broadcast=yes authoritative=after-2sec-delay \
disabled=no interface=bridge name="DHCP Home"
/ppp profile
# *0 is the "default" profile, *FFFFFFFE the "default-encryption" one that the SSTP server selects
# (the L2TP server prints no default-profile, so it uses its built-in default).
# local-address=dhcp gives the router's end of each PPP session an address from the LAN pool (192.168.0.x);
# remote-address=vpn gives the peer a 192.168.89.x address, so VPN clients are routed, not on the LAN L2 segment.
# interface-list=LAN puts the tunnel interfaces into the LAN list, which the input "drop all not coming from
# LAN" rule, neighbor discovery and mac-server all key on; address-list="Indirizzi VPN" collects peer
# addresses at runtime.
set *0 dns-server=192.168.0.1 local-address=dhcp remote-address=vpn
set *FFFFFFFE address-list="Indirizzi VPN" dns-server=192.168.0.1 \
interface-list=LAN local-address=dhcp remote-address=vpn
/queue tree
# Priorities keyed on the packet marks set in /ip firewall mangle: VOIP (1) before PS4 (2) before NAS (3);
# ALL_ELSE keeps the default priority.
add name=ALL_ELSE_IN packet-mark=ALL_ELSE_IN parent=global queue=default
add name=ALL_ELSE_OUT packet-mark=ALL_ELSE_OUT parent=global queue=default
add name=VOIP_IN packet-mark=VOIP_IN parent=global priority=1 queue=default
add name=VOIP_OUT packet-mark=VOIP_OUT parent=global priority=1 queue=default
add name=NAS_IN packet-mark=NAS_IN parent=global priority=3 queue=default
add name=NAS_OUT packet-mark=NAS_OUT parent=global priority=3 queue=default
add name=PS4_IN packet-mark=PS4_IN parent=global priority=2 queue=default
add name=PS4_OUT packet-mark=PS4_OUT parent=global priority=2 queue=default
/system logging action
# Email target for /system logging; the only logging entry that uses it is currently disabled.
add email-to=[HIDE] name=Email target=email
/interface bridge port
# ether2-5 and both radios form the LAN segment; ether1 (WAN) stays outside the bridge.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
# Neighbor discovery answered only on LAN-list interfaces (which include the PPP tunnels via the ppp profile).
set discover-interface-list=LAN
/interface l2tp-server server
# L2TP with IPsec required; the IPsec pre-shared key is not shown here. The matching input accepts for
# UDP 500/4500/1701 are at the end of /ip firewall filter.
set enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface sstp-server server
# SSTP hardened to MS-CHAPv2 + TLS 1.2 only, AES forced, PFS on; certificate name hidden.
set authentication=mschap2 certificate=[HIDE] default-profile=\
default-encryption enabled=yes force-aes=yes pfs=yes tls-version=only-1.2
/ip address
# NOTE(review): the LAN address is bound to ether2, which is itself a bridge port above; the RouterOS
# defconf puts it on "bridge", and RouterOS expects L3 config on the bridge rather than on a member port.
# Verify this is intentional.
add address=192.168.0.1/24 comment=defconf interface=ether2 network=\
192.168.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
# WAN address by DHCP; use-peer-dns=no, so upstream resolvers come from /ip dns, not from the ISP.
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
/ip dhcp-server config
set store-leases-disk=1h
/ip dhcp-server lease
[HIDE]
/ip dhcp-server network
# LAN clients are told to use the router itself for DNS.
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=\
192.168.0.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for LAN and VPN peers; the two "Blocco richieste
# DNS" drop rules on ether1 in /ip firewall filter are what keep it from being an open resolver toward WAN.
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
# Only "router" is defined. A static entry for NAS_Home -> 192.168.0.6 would be needed here for VPN clients
# that use this resolver. Presumably the bare \\NAS_Home lookups fail because Windows resolves a single-label
# name via NetBIOS/LLMNR/mDNS first, which are link-local and do not cross a routed L2TP tunnel; a DNS name
# the client actually sends to this resolver (FQDN, or a DNS suffix pushed to the client) is what works over
# the VPN.
add address=192.168.0.1 name=router
/ip firewall address-list
# Empty at export time; the ppp profile fills "Indirizzi VPN" with each active peer's address.
add list="Indirizzi VPN"
/ip firewall filter
# Rules are evaluated top to bottom within each chain and the first match wins. With the defconf catch-all
# input drop below disabled, anything not explicitly dropped in "input" is accepted.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
# NOTE(review): fasttracked packets bypass mangle and queues, so the marks in /ip firewall mangle only see
# the first packets of each connection; the queue tree is probably not shaping the bulk traffic.
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# NOTE(review): this defconf catch-all is disabled=yes, so the router's own management services (/ip service
# ports, winbox) are reachable from ether1 unless a rule below drops them, and below only DNS/53 is dropped.
# Enabling it as-is would also cut the VPN, because the 500/4500/1701/443 accepts sit after it; those
# accepts would have to move above this rule first.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# no interface
# NOTE(review): "*F00096" is an interface id that no longer exists (hence the export's "no interface"
# remark), so this accept for 192.168.51.0/24 never matches; remove it or re-bind it to the intended
# L2TP interface.
add action=accept chain=input comment=\
"Collegamento LAN -->> LAN locale" dst-address=192.168.0.0/24 \
in-interface=*F00096 src-address=192.168.51.0/24
# NOTE(review): the rule that would populate "Port_Scanner" is disabled, and the six scan-detect rules
# below write to a different list ("port scanners"), so the drop on src-address-list=Port_Scanner never
# fires. Point the drop at "port scanners" if the detection is meant to act on anything.
add action=add-src-to-address-list address-list=Port_Scanner \
address-list-timeout=1w chain=input comment="Port Scanner Detect" \
disabled=yes protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" \
src-address-list=Port_Scanner
# Keeps the resolver closed toward WAN (pairs with allow-remote-requests=yes in /ip dns).
add action=drop chain=input comment="Blocco richieste DNS TCP da WAN" \
dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="Blocco richieste DNS UDP da WAN" \
dst-port=53 in-interface=ether1 protocol=udp
# TCP-flag heuristics that list suspicious sources for two weeks; they only record, nothing drops
# "port scanners" (see the note on the Port_Scanner drop).
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# VPN service accepts: IPsec (500/4500), L2TP 1701, PPTP 1723, SSTP 443. No /interface pptp-server section
# appears in this export, so the 1723 accept is presumably unused and can go; PPTP's MS-CHAPv2/MPPE is
# considered broken anyway.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
/ip firewall mangle
# Packet marks that feed /queue tree; passthrough=no stops at the first matching mark.
# NOTE(review): the "defconf: fasttrack" rule in /ip firewall filter fasttracks established/related
# forward traffic, and fasttracked packets bypass mangle, so these marks are only applied to the first
# packets of each connection — the queue tree is probably not seeing the bulk traffic it was meant to
# prioritise.
add action=mark-packet chain=prerouting comment=ALL_ELSE_IN in-interface=\
ether1 new-packet-mark=ALL_ELSE_IN passthrough=no
add action=mark-packet chain=postrouting comment=ALL_ELSE_OUT \
new-packet-mark=ALL_ELSE_OUT out-interface=ether1 passthrough=no
# Per-host marks: VOIP PBX 192.168.0.8, NAS 192.168.0.6, two PS4s (.34 and .27) sharing the PS4 marks.
add action=mark-packet chain=prerouting comment="VOIP IN" new-packet-mark=\
VOIP_IN passthrough=no src-address=192.168.0.8
add action=mark-packet chain=postrouting comment="VOIP OUT" dst-address=\
192.168.0.8 new-packet-mark=VOIP_OUT passthrough=no
add action=mark-packet chain=prerouting comment=NAS_IN new-packet-mark=NAS_IN \
passthrough=no src-address=192.168.0.6
add action=mark-packet chain=postrouting comment=NAS_OUT dst-address=\
192.168.0.6 new-packet-mark=NAS_OUT passthrough=no
add action=mark-packet chain=prerouting comment=PS4_VALE_IN new-packet-mark=\
PS4_IN passthrough=no src-address=192.168.0.34
add action=mark-packet chain=postrouting comment=PS4_VALE_OUT dst-address=\
192.168.0.34 new-packet-mark=PS4_OUT passthrough=no
add action=mark-packet chain=prerouting comment=PS4_LUCA_IN new-packet-mark=\
PS4_IN passthrough=no src-address=192.168.0.27
add action=mark-packet chain=postrouting comment=PS4_LUCA_OUT dst-address=\
192.168.0.27 new-packet-mark=PS4_OUT passthrough=no
/ip firewall nat
# Internet masquerade; ipsec-policy=out,none skips packets that an IPsec policy will encapsulate.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# "Rotta --> LAN n": home-LAN traffic to each remote site is masqueraded onto the tunnel, so the remote
# side sees the router's tunnel address (192.168.0.20x from /ppp secret) instead of the real host —
# presumably so the remote RB needs no route back to 192.168.0.0/24. Neither NAT nor the routed tunnel
# carries broadcast/multicast, so SSDP/DLNA and NetBIOS discovery will not cross it whatever the subnets.
# NOTE: the LAN 4/5/6 labels here do not match the ones in /ip route (LAN 4 is .55 here, .53 there).
add action=masquerade chain=srcnat comment="Rotta --> LAN 1" \
dst-address=192.168.50.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Rotta --> LAN 2" \
dst-address=192.168.51.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Rotta --> LAN 3" \
dst-address=192.168.52.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Rotta --> LAN 4" \
dst-address=192.168.55.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Rotta --> LAN 5" \
dst-address=192.168.53.0/24 src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="Rotta --> LAN 6" \
dst-address=192.168.54.0/24 src-address=192.168.0.0/24
# NOTE(review): forwards TCP 2124 to 192.168.1.1, which is not inside any subnet in this config (the LAN
# is 192.168.0.0/24) and has no comment; looks stale — confirm before removing.
add action=dst-nat chain=dstnat dst-port=2124 in-interface=ether1 protocol=\
tcp to-addresses=192.168.1.1 to-ports=2124
# SIP/RTP forwards to the PBX, limited to the router's own public address (hidden).
add action=dst-nat chain=dstnat comment="Porta1 UDP Centralino VOIP" \
dst-address=[HIDE] dst-port=5004 in-interface=ether1 protocol=udp \
to-addresses=192.168.0.8 to-ports=5004
add action=dst-nat chain=dstnat comment="Porta2 UDP Centralino VOIP" \
dst-address=[HIDE] dst-port=5060 in-interface=ether1 protocol=udp \
to-addresses=192.168.0.8 to-ports=5060
# Management of the second RB (192.168.0.4) exposed on ether1: winbox, webfig, FTP and SSH on custom
# ports. None of these restricts src-address; a VPN already exists for this, so consider reaching it
# through the tunnel instead and dropping these forwards.
add action=dst-nat chain=dstnat comment="WinBox RB_HAP_AC2_Salotto" dst-port=\
8292 in-interface=ether1 protocol=tcp to-addresses=192.168.0.4 to-ports=\
8292
add action=dst-nat chain=dstnat comment="WebFig RB_HAP_AC2_Salotto" dst-port=\
8082 in-interface=ether1 protocol=tcp to-addresses=192.168.0.4 to-ports=\
8082
add action=dst-nat chain=dstnat comment="FTP RB_HAP_AC2_Salotto" dst-port=\
2191 in-interface=ether1 protocol=tcp to-addresses=192.168.0.4 to-ports=\
2191
add action=dst-nat chain=dstnat comment="SSH RB_HAP_AC2_Salotto" dst-port=\
2296 in-interface=ether1 protocol=tcp to-addresses=192.168.0.4 to-ports=\
2296
# Internet-facing forwards to the NAS (192.168.0.6): DSM over plain HTTP (8080) and HTTPS (5001), SFTP,
# FTP/FTPS plus its passive range, torrent and eMule. None restricts src-address; the DSM HTTP forward in
# particular is cleartext admin over the Internet — prefer 5001 only, or use the VPN.
add action=dst-nat chain=dstnat comment=\
"Accesso Web HTTP interfaccia DSM NAS_Casa" dst-port=8080 in-interface=\
ether1 protocol=tcp to-addresses=192.168.0.6 to-ports=8080
add action=dst-nat chain=dstnat comment=\
"Accesso Web HTTPS interfaccia DSM NAS_Casa" dst-port=5001 in-interface=\
ether1 protocol=tcp to-addresses=192.168.0.6 to-ports=5001
add action=dst-nat chain=dstnat comment="SFTP NAS_Casa" dst-port=2224 \
in-interface=ether1 protocol=tcp to-addresses=192.168.0.6 to-ports=2224
add action=dst-nat chain=dstnat comment="FTP/FTPS 1\B0 NAS_Casa" dst-port=\
2121 in-interface=ether1 protocol=tcp to-addresses=192.168.0.6 to-ports=\
2121
add action=dst-nat chain=dstnat comment="FTP/FTPS 2\B0 NAS_Casa" dst-port=\
55536-55599 in-interface=ether1 protocol=tcp to-addresses=192.168.0.6 \
to-ports=55536-55599
add action=dst-nat chain=dstnat comment="SSH NAS_Casa" disabled=yes dst-port=\
2240 in-interface=ether1 protocol=tcp to-addresses=192.168.0.6 to-ports=\
2240
add action=dst-nat chain=dstnat comment="Torrent NAS_Casa" dst-port=16881 \
in-interface=ether1 protocol=tcp to-addresses=192.168.0.6 to-ports=16881
add action=dst-nat chain=dstnat comment="Torrent NAS_Casa" dst-port=6881 \
in-interface=ether1 protocol=udp to-addresses=192.168.0.6 to-ports=6881
add action=dst-nat chain=dstnat comment="eMule NAS_Casa" dst-port=4662 \
in-interface=ether1 protocol=tcp to-addresses=192.168.0.6 to-ports=4662
add action=dst-nat chain=dstnat comment="eMule NAS_Casa" dst-port=4672 \
in-interface=ether1 protocol=udp to-addresses=192.168.0.6 to-ports=4672
# No out-interface, so this applies to every destination: VPN clients reach the home LAN as the router's
# 192.168.0.1 rather than as their 192.168.89.x address. LAN hosts already use the router as gateway, so
# this is presumably only needed toward the Internet, which the defconf masquerade covers; it hides the
# client from per-host rules and logs on the LAN side.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip firewall service-port
# FTP connection-tracking helper off; the NAS FTP forwards use non-standard ports and a fixed passive
# range instead.
set ftp disabled=yes
/ip route
# Static routes to the remote LANs via each peer's fixed tunnel address (from /ppp secret).
# NOTE: the LAN 4/5/6 labels here do not match the "Rotta --> LAN n" NAT rules (LAN 4 is .53 here, .55
# there); harmless, but confusing when debugging.
add comment="Rotta -->> LAN 1" distance=1 dst-address=\
192.168.50.0/24 gateway=192.168.89.200
add comment="Rotta -->> LAN 2" distance=1 dst-address=192.168.51.0/24 \
gateway=192.168.89.201
add comment="Rotta -->> LAN 3" distance=1 dst-address=192.168.52.0/24 \
gateway=192.168.89.202
add comment="Rotta -->> LAN 4" distance=1 dst-address=\
192.168.53.0/24 gateway=192.168.89.203
add comment="Rotta -->> LAN 5" distance=1 dst-address=\
192.168.54.0/24 gateway=192.168.89.204
add comment="Rotta -->> LAN 6" distance=1 dst-address=\
192.168.55.0/24 gateway=192.168.89.205
/ip service
# telnet/api/api-ssl disabled; ftp, www and ssh moved off their default ports.
# NOTE(review): www is plain HTTP (www-ssl is not in the export, so it keeps its default), and winbox is
# not listed so it stays on its default port. With the catch-all input drop disabled in /ip firewall filter
# these are reachable from ether1; restrict them with address= or accept them only from the LAN list.
set telnet disabled=yes
set ftp port=2190
set www port=8081
set ssh port=2295
set api disabled=yes
set api-ssl disabled=yes
/ip smb
# SMB share of the USB disk, bound to the bridge only.
set comment=USB_RB_HAP domain=WORKGROUP enabled=yes interfaces=bridge
/ip smb shares
add directory=/disk1 name=USB_RB_HAP
/ip upnp
# UPnP is enabled with ether1 as external: any LAN host can open inbound port mappings on the WAN side
# without touching this config. Disable it if nothing needs it; otherwise audit the dynamic rules it adds.
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/ppp secret
# First entry is a hidden account; the six LANn peers get fixed tunnel addresses (local 192.168.0.20x,
# remote 192.168.89.20x) that the static routes above point at. Passwords are not shown.
add name=[HIDE]
add local-address=192.168.0.200 name=LAN1 remote-address=\
192.168.89.200
add local-address=192.168.0.201 name=LAN2 remote-address=192.168.89.201
add local-address=192.168.0.202 name=LAN3 remote-address=\
192.168.89.202
add local-address=192.168.0.203 name=LAN4 remote-address=\
192.168.89.203
add local-address=192.168.0.204 name=LAN5 remote-address=\
192.168.89.204
add local-address=192.168.0.205 name=LAN6 remote-address=\
192.168.89.205
/system clock
# NOTE(review): "Europe" alone is not a full zone name (expected e.g. Europe/Rome); presumably cut in the
# paste — worth checking, since log timestamps depend on it.
set time-zone-name=Europe
/system identity
set name=HAP_AC2
/system leds
add interface=wlan1 leds=user-led type=interface-activity
/system logging
# Account-topic email alerts, currently disabled.
add action=Email disabled=yes prefix="[RB_HAP_AC2-Casa]" topics=account
/system package update
set channel=long-term
/system routerboard settings
set cpu-frequency=565MHz
/system scheduler
# Nightly wireless off/on (01:30 / 06:30).
# NOTE(review): both jobs only run "/interface wireless enable|disable", yet carry ftp, reboot, password,
# sniff and sensitive policies too; read,write should be enough — keep scheduled scripts to least privilege.
add comment="Abilita il wireless" interval=1d name=Wlan-on on-event=\
"/interface wireless enable wlan1\r\
\n/interface wireless enable wlan2" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
jan/15/2016 start-time=06:30:00
add comment="Disabilita il wireless" interval=1d name=Wlan-off on-event=\
"/interface wireless disable wlan1\r\
\n/interface wireless disable wlan2" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
jan/15/2016 start-time=01:30:00
/tool e-mail
# Gmail SMTP with STARTTLS; credentials hidden.
set address=smtp.gmail.com from=<RB951> port=587 start-tls=yes user=\
[HIDE]
/tool mac-server
# MAC-telnet and MAC-winbox answered only on LAN-list interfaces (which include the PPP tunnels).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN