I have a PPTP VPN connection between MIKROTIK 1 (server) and MIKROTIK 2 (client). In the LAN of MIKROTIK 2 there is a web server (port 8123) that I want to reach through the WAN address of MIKROTIK 1. The tunnel between MIKROTIK 1 and MIKROTIK 2 is established, and from inside the VPN tunnel I can access the web server (port 8123). From outside, via the WAN of MIKROTIK 1, I cannot access it. What is missing in the configuration? Please help.
MIKROTIK 1 - SERVER
# feb/01/2022 02:32:25 by RouterOS 7.1.1
# software id = A0MX-YB8P
#
# model = 951G-2HnD
# serial number = xxxxxxxxxxxxx
/interface bridge
# LAN bridge. arp=proxy-arp makes the router answer ARP for addresses it can
# route (presumably so LAN hosts can reach the PPTP peers) — confirm it is still needed.
add admin-mac=xxxxxxxxxxxxxxx arp=proxy-arp auto-mac=no comment=defconf fast-forward=no name=bridge
/interface ethernet
# ether1 is the WAN port (see /interface list member); MAC override and forced 100Mbps on every port.
set [ find default-name=ether1 ] mac-address=xxxxxxxxxxxxxxx speed=100Mbps
set [ find default-name=ether2 ] name=ether2-master speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
/interface wireless
# 2.4 GHz AP bridged into the LAN; uses the default security profile below.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=poland disabled=no frequency=auto \
mode=ap-bridge ssid=ProCivili station-roaming=enabled wireless-protocol=802.11
/interface list
# Lists used by neighbor discovery, MAC-telnet and MAC-winbox; WAN holds only ether1.
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless channels
# NOTE(review): declares band=5ghz-a/n/ac with frequency=2412 (a 2.4 GHz channel);
# wlan1 uses frequency=auto and does not reference List1 — looks unused, confirm.
add band=5ghz-a/n/ac frequency=2412 list=List1 name=ch1 width=20
/interface wireless security-profiles
# WPA/WPA2-PSK on the default profile; the PSK itself is not part of the export.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
# dhcp: LAN clients on 192.168.0.0/24. dhcp-pptp: pool for PPTP peers; the ppp
# profile below pins fixed local/remote addresses, so this pool is presumably unused — confirm.
add name=dhcp ranges=192.168.0.10-192.168.0.254
add name=dhcp-pptp ranges=192.168.2.10-192.168.2.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay interface=bridge name=defconf
/ppp profile
# PPTP profile: fixed tunnel addresses 192.168.2.1 (this side) / 192.168.2.2 (peer),
# one session per secret (only-one=yes). bridge=bridge attaches PPP sessions to the LAN
# bridge — verify this is intended for a router-to-router L3 tunnel.
# NOTE(review): use-encryption=yes is not the `required` setting; set it to required so a
# session cannot be negotiated without encryption.
add bridge=bridge local-address=192.168.2.1 name=pttp-p1 only-one=yes remote-address=192.168.2.2 use-encryption=yes
/routing bgp template
# BGP/OSPF entries below are RouterOS 7 export defaults; no peers are configured and the OSPF area is disabled.
set default as=65530 disabled=no name=default output.network=bgp-networks
/routing ospf instance
add name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/snmp community
# NOTE(review): the default SNMP community accepts queries from any source (0.0.0.0/0).
# WAN-side queries are only blocked by the "drop all from WAN" input rule in the filter
# section; restrict addresses= to the monitoring hosts so it does not depend on rule order.
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge nat
# Disabled placeholder bridge-NAT rule; no effect while disabled.
add action=accept chain=srcnat disabled=yes
/interface bridge port
# LAN bridge members: ether2-5 and wlan1. ether1 (WAN) is deliberately not a member.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2-master
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge ingress-filtering=no interface=ether4
add bridge=bridge ingress-filtering=no interface=ether5
/ip neighbor discovery-settings
# NOTE(review): !dynamic enables neighbor discovery (MNDP/LLDP/CDP) on every static
# interface, including the WAN port ether1, which advertises router identity/model to the
# upstream segment. The "discover" list defined above (LAN ports only) is the intended
# value: discover-interface-list=discover
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 is fully disabled on this router.
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=ether2-master list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add interface=wlan1 list=discover
add interface=bridge list=discover
add interface=bridge list=mactel
add interface=bridge list=mac-winbox
# ether1 is the only WAN-list member; the filter rules match in-interface=ether1 directly rather than this list.
add interface=ether1 list=WAN
/interface pptp-server server
# NOTE(review): PAP sends the password in clear text and neither PAP nor CHAP can key
# MPPE, so a session authenticated with them has no tunnel encryption. Restricting to
# authentication=mschap2 removes the weakest options; PPTP/MS-CHAPv2 itself is a weak
# protocol, and the real fix (a different VPN type) is outside this export.
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/interface wireless access-list
# Wireless MAC allow-list entries. MAC filtering is not an authentication mechanism; WPA2 above is.
add mac-address=48:D6:D5:0A:B7:84
add mac-address=5C:C3:07:B3:10:DD
add mac-address=54:88:0E:67:98:28
add mac-address=78:02:F8:A9:6A:3D
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=192.168.0.0
/ip dhcp-client
# WAN address is obtained from the upstream DHCP server on ether1.
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
# The router resolves DNS for clients. WAN-side queries are blocked only by the
# "drop all from WAN" input rule in the filter section; if that rule is removed or
# reordered this becomes an open resolver.
set allow-remote-requests=yes
/ip dns static
# NOTE(review): "router" resolves to 192.168.1.1, which is not an address of this router
# (LAN is 192.168.0.1) and no 192.168.1.0/24 address or route appears in the export — confirm.
add address=192.168.1.1 name=router
/ip firewall filter
# Rules are evaluated in order within each chain. input = traffic to the router itself,
# forward = traffic through the router (this is the chain the 8123 port-forward uses).
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
# PPTP control channel (1723/tcp) and GRE (tunnel payload) must be accepted before the WAN drop below.
add action=accept chain=input comment="PPTP Conf" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
# NOTE(review): this rule does not help the port-forward — dst-NATed traffic to
# 192.168.10.82 goes through the forward chain, not input. As written it opens 8123/tcp on
# the router itself from every interface, including WAN. Remove it unless the router
# listens on 8123.
add action=accept chain=input comment="Track Car" dst-port=8123 protocol=tcp
# NOTE(review): these forward accepts match any source, including WAN, and are evaluated
# before the fasttrack/established rules. The "drop all from WAN not DSTNATed" rule below
# already admits dst-NATed connections, so they appear redundant — confirm and remove.
add action=accept chain=forward comment=WWW dst-port=80 protocol=tcp
add action=accept chain=forward comment="NMEA Con" dst-port=5002 protocol=tcp
# Everything else arriving on the WAN port for the router itself is dropped.
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New connections from WAN are forwarded only when a dstnat rule rewrote them
# (connection-nat-state=dstnat); this is what lets the 8123 port-forward through.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
/ip firewall nat
# LAN -> Internet source NAT.
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=ether1
# Port-forward WAN:8123 -> 192.168.10.82:8123, a host behind MIKROTIK 2 reached over the
# PPTP tunnel (route installed from /ppp secret routes= while SW is connected).
add action=dst-nat chain=dstnat dst-address=xxxxxxxWAN ADDRxxxxxx dst-port=8123 log=yes log-prefix=Track protocol=tcp \
to-addresses=192.168.10.82 to-ports=8123
# NOTE(review): likely cause of the "works from VPN, not from WAN" symptom. This masquerade
# only matches sources in 192.0.0.0/8, so a connection from the Internet keeps its public
# source address; 192.168.10.82 then sends its reply via MIKROTIK 2's default route
# (ether1-WAN, unless the PPTP client's add-default-route is active) instead of back through
# the tunnel, and the TCP handshake never completes. Masquerading everything sent to
# 192.168.10.82:8123 through the tunnel (drop the src-address= match, or match the PPTP
# out-interface instead) makes the server reply to 192.168.2.1 and return via the VPN.
# Check with the log prefixes: "Track" logs the dst-nat, "hassio masq" stays silent for
# external clients in the current configuration.
add action=masquerade chain=srcnat dst-address=192.168.10.82 dst-port=8123 log=yes log-prefix="hassio masq" protocol=tcp \
src-address=192.0.0.0/8
# Same pattern for MIKROTIK 2's own web UI on port 80, again for 192.0.0.0/8 sources only.
add action=masquerade chain=srcnat dst-address=192.168.10.1 dst-port=80 protocol=tcp src-address=192.0.0.0/8
# Disabled port-forwards for 80, 5002 and 21 (FTP, clear-text). Targets 192.168.1.100 has
# no matching address or route anywhere in either export — confirm these are still wanted.
add action=dst-nat chain=dstnat disabled=yes dst-address=xxxxxxxWAN ADDRxxxxxx dst-port=80 log=yes log-prefix=WWW protocol=tcp \
to-addresses=192.168.10.82
add action=dst-nat chain=dstnat disabled=yes dst-address=xxxxxxxWAN ADDRxxxxxx dst-port=5002 log=yes log-prefix=GPS_TRACK \
protocol=tcp to-addresses=192.168.1.100
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.1.100 dst-port=21 protocol=tcp src-address=\
192.0.0.0/8
add action=dst-nat chain=dstnat disabled=yes dst-address=xxxxxxxWAN ADDRxxxxxx dst-port=21 log-prefix=FTP protocol=tcp \
to-addresses=192.168.1.100
# NOTE(review): in-interface-list=*0 is a dangling reference to a deleted interface list and
# dst-port="" is empty; the rule is disabled and can be deleted.
add action=accept chain=dstnat disabled=yes dst-port="" in-interface-list=*0 protocol=tcp
/ip route
# Disabled static route to MIKROTIK 2's LAN over the tunnel. While the SW secret is
# connected the same prefix is installed dynamically from /ppp secret routes=, so the
# 8123 forward only has a path while the VPN is up.
add check-gateway=ping disabled=yes distance=1 dst-address=192.168.10.0/24 gateway=<pptp-SW> pref-src="" routing-table=\
main scope=30 suppress-hw-offload=no target-scope=10
/ip service
# telnet/ftp/ssh/api/api-ssl disabled. Services not listed (www, winbox, www-ssl) are at
# export defaults; verify they are reachable only from LAN/VPN.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# NOTE(review): allow-none-crypto=yes permits SSH sessions with the "none" cipher
# (unencrypted). The ssh service is disabled above, but set this back to no so enabling
# ssh later does not inherit it. forwarding-enabled=remote allows remote port forwarding
# over SSH through the router.
set allow-none-crypto=yes forwarding-enabled=remote
/ppp secret
# PPTP accounts (passwords are omitted by export). Both use profile pttp-p1 (only-one=yes,
# single session per name). gontash overrides the profile's remote-address with 192.168.2.3.
add name=gontash profile=pttp-p1 remote-address=192.168.2.3 service=pptp
# SW is the MIKROTIK 2 site router; routes= installs 192.168.10.0/24 via the tunnel on connect.
add local-address=192.168.2.1 name=SW profile=pttp-p1 remote-address=192.168.2.2 routes=192.168.10.0/24,192.168.2.2 \
service=pptp
/system clock
set time-zone-name=Europe/Warsaw
/system leds
set 0 interface=wlan1
/tool graphing interface
# Interface graphing entry with no parameters — presumably the default "all interfaces"; confirm.
add
/tool mac-server
# MAC-telnet and MAC-winbox limited to the bridge (lists mactel / mac-winbox).
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
/tool netwatch
# Monitors 192.168.1.100 — the same host the disabled 5002/21 forwards point at (no matching subnet in the export).
add host=192.168.1.100
/tool sniffer
# Packet-sniffer preset (tx on ether2-master); only active while the sniffer is started.
set filter-direction=tx filter-interface=ether2-master
/tool traffic-monitor
# threshold=0 trigger=always with no on-event script: fires on every sample, no action.
add interface=ether1 name=tmon1 threshold=0 trigger=always
# feb/01/2022 10:44:18 by RouterOS 7.1
# software id = 2FVK-KQSX
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = xxxxxxxxxxxxxxxxxx
/interface pptp-client
# Two PPTP clients to MIKROTIK 1 with the same user (SW). MIKROTIK 1's ppp profile has
# only-one=yes, so only one of them can hold a session at a time.
# NOTE(review): Obywatelska has add-default-route=yes — when it is the active session this
# site's default route moves into the tunnel and all Internet traffic goes via MIKROTIK 1.
# keepalive-timeout=disabled means a dead tunnel is not detected and torn down.
add add-default-route=yes comment="Link To Router Obywatelska" connect-to=\
xxxxxxxxxxx keepalive-timeout=disabled name=Obywatelska user=SW
add connect-to=xxxxxxxxxxxxx disabled=no name=Obywatelska2 user=SW
/interface bridge
add admin-mac=xxxxxxxxxxxxx arp=proxy-arp auto-mac=no comment=defconf name=\
bridge
/interface ethernet
# NOTE(review): proxy-arp on the WAN port makes the router answer ARP on the upstream
# segment for addresses it can route; that is normally a LAN-side setting — confirm it is needed.
set [ find default-name=ether1 ] arp=proxy-arp name=ether1-WAN
/interface wireless
# Both radios bridged into the LAN; SSIDs redacted in the paste.
set [ find default-name=wlan1 ] disabled=no mode=ap-bridge ssid=xxxxxxxxxxx \
wireless-protocol=802.11
set [ find default-name=wlan2 ] disabled=no mode=ap-bridge ssid=xxxxxxxxxxx \
wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys supplicant-identity=MikroTik
/ip pool
# default-dhcp (192.168.88.x) is the factory pool; no server below uses it.
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp ranges=192.168.10.3-192.168.10.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=LAN
/routing table
# Separate routing table "VPN"; only the disabled default route under /ip route uses it.
add fib name=VPN
/interface bridge port
# LAN bridge members: ether2-5, sfp1, wlan1, wlan2.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2
# NOTE(review): the WAN port is kept as a (disabled) bridge member. Enabling it would bridge
# the upstream segment straight into the LAN; delete the entry instead of leaving it disabled.
add bridge=bridge disabled=yes ingress-filtering=no interface=ether1-WAN
/ip neighbor discovery-settings
# Neighbor discovery limited to the LAN list (bridge only).
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add interface=ether1-WAN list=WAN
/ip address
# NOTE(review): the LAN address is placed on ether2, which is a slave port of "bridge" (see
# /interface bridge port). An address belongs on the bridge itself, where the DHCP server
# (interface=bridge) also lives; an address on a member port is not expected to work.
# Confirm how 192.168.10.1 is currently reachable.
add address=192.168.10.1/24 interface=ether2 network=192.168.10.0
/ip dhcp-client
add interface=ether1-WAN
/ip dhcp-server lease
# Static leases. 192.168.10.82 (the HASSIO host targeted by the NAT rules) has no static
# lease here, so its address may change unless it is fixed on the host itself.
add address=192.168.10.112 client-id=1:28:ee:52:9c:16:4c comment=AP2 \
mac-address=28:EE:52:9C:16:4C server=LAN
add address=192.168.10.251 client-id=1:24:28:fd:10:76:a0 comment=REJESTRATOR \
mac-address=24:28:FD:10:76:A0 server=LAN
add address=192.168.10.2 comment=NETGEAR mac-address=CC:40:D0:56:98:64 server=\
LAN
add address=192.168.10.111 client-id=1:28:ee:52:9c:14:62 comment=AP1 \
mac-address=28:EE:52:9C:14:62 server=LAN
add address=192.168.10.244 client-id=1:1c:4d:70:5d:21:59 comment=GETAC \
mac-address=1C:4D:70:5D:21:59 server=LAN
add address=192.168.10.100 client-id=1:94:c6:91:11:1d:dd comment=NUC \
mac-address=94:C6:91:11:1D:DD server=LAN
/ip dhcp-server network
add address=192.168.10.0/24 comment=defconf gateway=192.168.10.1 netmask=24
/ip dns
# The router resolves DNS for clients; the input chain drops everything not arriving from
# the LAN list, so this is not exposed on WAN as long as that rule stays.
set allow-remote-requests=yes
/ip dns static
add address=192.168.10.1 comment=defconf name=router.lan
/ip firewall filter
# input chain: ICMP, established/related/untracked, loopback, PPTP (1723/tcp), GRE and
# 8123/tcp are accepted; everything else not arriving from the LAN list is dropped. The PPTP
# client interfaces are in neither LAN nor WAN, so traffic from the tunnel to the router
# itself falls into the "not coming from LAN" drop except for the explicit accepts above it.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# NOTE(review): the default "accept out ipsec policy" rule has been narrowed to dst-port=80;
# no IPsec policy appears in the export, so both ipsec rules are presumably inert — confirm.
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
dst-port=80 ipsec-policy=out,ipsec protocol=tcp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
# This router is a PPTP client only (no /interface pptp-server in the export), so inbound
# 1723/tcp from any interface is presumably not needed; GRE carries the tunnel payload in
# both directions and should stay.
add action=accept chain=input comment="PPTP Conf" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
# NOTE(review): same issue as on MIKROTIK 1 — the forwarded 8123 traffic never enters the
# input chain; this accepts 8123/tcp to the router itself from any interface (including
# WAN, since it precedes the LAN-only drop). Remove unless the router listens on 8123.
add action=accept chain=input comment="accept HASSIO" dst-port=8123 protocol=\
tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
# New forward connections from the WAN list are admitted only after dst-nat; tunnel traffic
# (not in the WAN list) is not subject to this rule.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# NOTE(review): fasttrack is placed last. Every established/related packet was already
# accepted by the first forward rule, so this rule never matches; move it in front of the
# "accept established,related, untracked" rule to get fasttrack, or remove it.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
/ip firewall nat
# LAN -> Internet source NAT on the WAN list; ipsec-policy=out,none excludes traffic
# matched by an IPsec policy (none are present in the export).
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
# Disabled counterpart of MIKROTIK 1's "hassio masq" rule; unused on this side.
add action=masquerade chain=srcnat disabled=yes dst-address=192.168.10.82 \
dst-port=8123 log=yes log-prefix=MASQ protocol=tcp src-address=192.0.0.0/8
# NOTE(review): rewrites connections addressed to the tunnel IP 192.168.2.2:8123 to
# 192.168.10.82. Traffic forwarded from MIKROTIK 1 already carries dst 192.168.10.82 (its
# dst-nat ran there), so this rule only serves clients that target 192.168.2.2 directly.
# The log prefix "Przekierowaniue" (Polish: redirect) shows whether it ever fires.
add action=dst-nat chain=dstnat dst-address=192.168.2.2 dst-port=8123 log=yes \
log-prefix=Przekierowaniue protocol=tcp to-addresses=192.168.10.82 \
to-ports=8123
/ip route
# Disabled default route via the tunnel in table VPN; no /routing rule selecting that table
# appears in the export, so it would be inert even if enabled.
add disabled=yes dst-address=0.0.0.0/0 gateway=Obywatelska routing-table=VPN
# Reach MIKROTIK 1's LAN (192.168.0.0/24) through the tunnel peer 192.168.2.1
# (comment is Polish: "Access to LAN ROUTER 1").
add comment="Dost\EAp do LAN ROUTER 1" disabled=no distance=1 dst-address=\
192.168.0.0/24 gateway=192.168.2.1 pref-src=0.0.0.0 routing-table=main \
scope=30 suppress-hw-offload=no target-scope=10
/system clock
set time-zone-name=Europe/Warsaw
/system package update
# Updates tracked from the long-term channel.
set channel=long-term
/tool mac-server
# MAC-telnet and MAC-winbox restricted to the LAN list.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN