I have a 2 WAN - 1 LAN setup. WAN1 192.168.1.0 , WAN2 192.168.2.0 and LAN 192.168.10.0. Yesterday i configured SSTP vpn and its also using 192.168.10.2-250 pool. Clients can access the internet but can't access local network devices( only can ping to 192.168.10.1 ). This is my first time using 2 wan and mangle. I'm publishing exported config. Thanks in advance
Code: Select all
/interface bridge
add admin-mac=**.**.**.**.**.** auto-mac=no comment=defconf disabled=yes \
name=bridge
add name=bridge1_internet
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
set [ find default-name=ether3 ] name=ether3-LAN
/interface pptp-server
add disabled=yes name=pptp-in1 user=""
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp_pool2 ranges=192.168.10.2-192.168.10.254
add name=L2TP_VPN_POOL ranges=192.168.10.241-192.168.10.253
add name=vpn_pool ranges=192.168.10.2-192.168.10.250
/ip dhcp-server
# DHCP server can not run on slave interface!
add address-pool=dhcp_pool2 disabled=no interface=ether3-LAN name=dhcp1
/ppp profile
add local-address=192.168.10.1 name=vpn_profile remote-address=vpn_pool
set *FFFFFFFE dns-server=8.8.8.8,8.8.4.4
/interface bridge port
add bridge=bridge comment=defconf disabled=yes interface=ether1-WAN1
add bridge=bridge comment=defconf disabled=yes interface=ether2-WAN2
add bridge=bridge comment=defconf disabled=yes interface=ether3-LAN
add bridge=bridge comment=defconf disabled=yes interface=ether4
add bridge=bridge comment=defconf disabled=yes interface=ether5
add bridge=bridge comment=defconf disabled=yes interface=ether6
add bridge=bridge comment=defconf disabled=yes interface=ether7
add bridge=bridge comment=defconf disabled=yes interface=ether8
add bridge=bridge comment=defconf disabled=yes interface=sfp9
add bridge=bridge comment=defconf disabled=yes interface=sfp10
add bridge=bridge comment=defconf disabled=yes interface=sfp11
add bridge=bridge comment=defconf disabled=yes interface=sfp12
add bridge=bridge1_internet interface=ether3-LAN
/interface l2tp-server server
set one-session-per-host=yes use-ipsec=yes
/interface sstp-server server
set authentication=mschap2 certificate=Server enabled=yes force-aes=yes pfs=\
yes
/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=bridge \
network=192.168.88.0
add address=192.168.10.1/24 interface=ether3-LAN network=192.168.10.0
add address=192.168.1.50/24 interface=ether1-WAN1 network=192.168.1.0
add address=192.168.2.50/24 interface=ether2-WAN2 network=192.168.2.0
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.10.2-192.168.10.254 list=LAN_USERS
add address=192.168.1.0/24 list=WAN_SUBNET
add address=192.168.2.0/24 list=WAN_SUBNET
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
established,related out-interface=ether1-WAN1
add action=accept chain=input dst-port=500,1701,4500 protocol=udp
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=WAN_SUBNET
add action=mark-routing chain=prerouting new-routing-mark=TO_WAN1 \
passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 \
src-address-list=LAN_USERS src-address-type=!local
add action=mark-routing chain=prerouting new-routing-mark=TO_WAN2 \
passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 \
src-address-list=LAN_USERS src-address-type=!local
/ip firewall nat
add action=masquerade chain=srcnat src-address-list=LAN_USERS
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1-WAN1 \
protocol=tcp src-address=213.***.157.** to-addresses=192.168.10.102 \
to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1-WAN1 \
protocol=tcp src-address=78.***.222.*** to-addresses=192.168.10.102 \
to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1-WAN1 \
protocol=tcp src-address=94.***.215.*** to-addresses=192.168.10.102 \
to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1-WAN1 \
protocol=tcp src-address=88.***.77.*** to-addresses=192.168.10.102 \
to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether2-WAN2 \
protocol=tcp src-address=213.***.157.*** to-addresses=192.168.10.102 \
to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether2-WAN2 \
protocol=tcp src-address=78.***.222.*** to-addresses=192.168.10.102 \
to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether2-WAN2 \
protocol=tcp src-address=94.***.215.*** to-addresses=192.168.10.102 \
to-ports=3389
add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether2-WAN2 \
protocol=tcp src-address=88.***.77.*** to-addresses=192.168.10.102 \
to-ports=3389
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=TO_WAN1
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=TO_WAN2
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.2.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ppp secret
add name=user1 profile=vpn_profile service=sstp
add disabled=yes name=linenetsis profile=default-encryption service=pptp