Just in case, here is my config:
# RouterOS export pasted for review. No secrets (wireless PSK, L2TP passwords,
# IPsec secrets) appear in this paste, and VPN_server_IP stands in for the real
# L2TP/IPsec endpoint.
#
# Topology as far as this export shows it:
#   ether1 = "Solver" uplink, 192.168.10.173/24, upstream gateway 192.168.10.25
#   ether2 = "VAK"    uplink, 192.168.60.140/24, upstream gateway 192.168.60.25
#   bridge1 = LAN (ether3-5 + wlan1), 192.168.99.1/24, DHCP pool .2-.254
#   Two L2TP/IPsec clients (one per uplink) and an L2TP/IPsec server.
#
# NOTE(review): there is no /ip firewall filter section anywhere in this paste.
# With an empty filter table the input chain is unrestricted, so every service
# the router runs (DNS, because allow-remote-requests=yes below; the L2TP server;
# the management services) is reachable from both uplinks. Both uplinks sit on
# RFC1918 addresses, so the real exposure depends on what is in front of them -
# confirm, and add an input chain that accepts established/related plus the
# services you need and drops the rest from in-interface-list=WAN.
/interface bridge
# br-lo has no ports (none of the bridge-port entries below reference it). It is
# only used as the gateway of the distance-254 "Emergency route" in /ip route,
# presumably so traffic stays on the router when both uplinks are down rather
# than leaking out the wrong one - confirm that is the intent.
add name=br-lo
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] comment=SOLVER
set [ find default-name=ether2 ] comment=VAK
/interface l2tp-client
# Each client is pinned to one uplink via src-address so the tunnel cannot
# silently migrate to the other path. use-ipsec=yes normally needs an
# ipsec-secret; none is visible here, so assume it was stripped from the
# export - confirm.
add allow=mschap2 comment=VAK connect-to=VPN_server_IP name=l2tp-out1 \
src-address=192.168.60.140 use-ipsec=yes user=User1
add allow=mschap2 comment=Solver connect-to=VPN_server_IP name=l2tp-out2 \
src-address=192.168.10.173 use-ipsec=yes user=User2
/interface wireless
# 2.4 GHz AP bridged into the LAN (wlan1 is a bridge1 port below). The SSID is
# still the factory default "MikroTik".
set [ find default-name=wlan1 ] band=2ghz-b/g/n country="united states" \
disabled=no mode=ap-bridge ssid=MikroTik
/interface list
# WAN list = both uplinks; the mangle rules below use in-interface-list=!WAN
# to mean "came from the LAN side".
add name=WAN
/interface wireless security-profiles
# WPA2-PSK on the default profile; the pre-shared key is not in this paste.
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip ipsec peer
# Both static peers are disabled. NOTE(review): with use-ipsec=yes the
# l2tp-client entries set up their own IPsec peer dynamically, so these (and
# the disabled identity/policy entries further down) look like leftovers from
# a manual IPsec attempt - confirm before deleting.
add address=VPN_server_IP/32 disabled=yes local-address=192.168.60.140 name=VAK
add address=VPN_server_IP/32 disabled=yes local-address=192.168.10.173 name=\
Solver
/ip pool
add name=dhcp_pool0 ranges=192.168.99.2-192.168.99.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/interface bridge port
# LAN side: three wired ports plus the AP.
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=wlan1
/interface l2tp-server server
# Inbound L2TP is enabled and IPsec is mandatory (plain L2TP is refused).
# The ipsec-secret this needs is not shown. Because no filter rules exist,
# the server (and IKE/NAT-T on udp/500 and udp/4500) is reachable on both
# uplinks; restrict it in the input chain if only one side should see it.
set authentication=mschap2 enabled=yes one-session-per-host=yes use-ipsec=\
required
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
/ip address
add address=192.168.60.140/24 comment=VAK interface=ether2 network=\
192.168.60.0
add address=192.168.99.1/24 interface=bridge1 network=192.168.99.0
add address=192.168.10.173/24 comment=Solver interface=ether1 network=\
192.168.10.0
/ip dhcp-server network
# LAN clients are handed 1.1.1.1 directly as DNS, so they bypass the router's
# resolver; the router's own resolver (next section) is still exposed.
add address=192.168.99.0/24 dns-server=1.1.1.1 gateway=192.168.99.1
/ip dns
# allow-remote-requests=yes makes the router answer DNS for any host that can
# reach it; with no filter rules that includes both uplink networks (open
# resolver). Note also that 1.1.1.1 is the recursion target of the VAK routes
# below: a router-originated, unmarked query to 1.1.1.1 falls into the main
# table and takes the /32 host route via 192.168.60.25 (VAK) - looks like that
# is a side effect rather than a design choice; confirm.
set allow-remote-requests=yes servers=1.1.1.1
/ip firewall address-list
# VAK: single LAN host (currently disabled); it is the same host the two
# port-80 dst-nat rules below target.
add address=192.168.99.253 disabled=yes list=VAK
# BOGONS: special-purpose / non-routable ranges. It is only referenced by the
# disabled mangle rule at the end of the mangle section. Note 192.168.0.0/16 is
# in the list, so "!BOGONS" excludes the LAN and both uplink subnets.
add address=0.0.0.0/8 comment="\"This\" Network" list=BOGONS
add address=10.0.0.0/8 comment="Private-Use Networks" list=BOGONS
add address=100.64.0.0/10 comment="Shared Address Space. RFC 6598" list=\
BOGONS
add address=127.0.0.0/8 comment=Loopback list=BOGONS
add address=169.254.0.0/16 comment="Link Local" list=BOGONS
add address=172.16.0.0/12 comment="Private-Use Networks" list=BOGONS
add address=192.0.0.0/24 comment="IETF Protocol Assignments" list=BOGONS
add address=192.0.2.0/24 comment=TEST-NET-1 list=BOGONS
add address=192.168.0.0/16 comment="Private-Use Networks" list=BOGONS
add address=198.18.0.0/15 comment=\
"Network Interconnect Device Benchmark Testing" list=BOGONS
add address=198.51.100.0/24 comment=TEST-NET-2 list=BOGONS
add address=203.0.113.0/24 comment=TEST-NET-3 list=BOGONS
add address=224.0.0.0/4 comment=Multicast list=BOGONS
add address=192.88.99.0/24 comment="6to4 Relay Anycast" list=BOGONS
add address=240.0.0.0/4 comment="Reserved for Future Use" list=BOGONS
add address=255.255.255.255 comment="Limited Broadcast" list=BOGONS
/ip firewall mangle
# Per-uplink connection stickiness:
#  1. (disabled) input-chain marking of connections to the router itself.
#  2. prerouting: a *new* connection arriving on ether1/ether2 is marked
#     con_solver/con_VAK, so its replies are routed back out the same uplink.
#  3. prerouting: LAN-originated packets (in-interface-list=!WAN) belonging to
#     a marked connection get the matching routing mark, except when the
#     destination is a local address.
#  4. output: router-originated packets of marked connections likewise.
#  5. (disabled) force the VAK address-list host out via VAK for all non-bogon
#     destinations.
add action=mark-connection chain=input disabled=yes in-interface=ether1 \
new-connection-mark=con_solver
add action=mark-connection chain=input disabled=yes in-interface=ether2 \
new-connection-mark=con_VAK
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether1 new-connection-mark=con_solver
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface=ether2 new-connection-mark=con_VAK
add action=mark-routing chain=prerouting connection-mark=con_solver \
dst-address-type=!local in-interface-list=!WAN new-routing-mark=\
rout_solver
# tcp-flags="" on the next rule is empty and appears to be a no-op leftover.
add action=mark-routing chain=prerouting connection-mark=con_VAK \
dst-address-type=!local in-interface-list=!WAN new-routing-mark=rout_VAK \
tcp-flags=""
add action=mark-routing chain=output connection-mark=con_solver \
dst-address-type=!local new-routing-mark=rout_solver
add action=mark-routing chain=output connection-mark=con_VAK \
dst-address-type=!local new-routing-mark=rout_VAK
add action=mark-routing chain=prerouting disabled=yes dst-address-list=\
!BOGONS new-routing-mark=rout_VAK src-address-list=VAK
/ip firewall nat
# Masquerade per uplink; ipsec-policy=out,none keeps traffic that matches an
# outbound IPsec policy from being NATed (the L2TP/IPsec tunnels).
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether2
# Inbound port forwards. NOTE(review): the in-interface / dst-address pairs
# look crossed - 192.168.60.140 is ether2's address but these two rules match
# in-interface=ether1, and 192.168.10.242 (not an address on this router) is
# in the ether1 subnet but the rules below match in-interface=ether2. Unless
# upstream routing is unusual these rules will not match; confirm. Also
# protocol=udp with dst-port=21 is odd (FTP control is TCP) - confirm intent.
# These forwards publish a LAN HTTP service (192.168.99.253:80) and port 2221
# on .254 to the uplink networks with no source restriction; add filter rules
# if that is not intended.
add action=dst-nat chain=dstnat dst-address=192.168.60.140 dst-port=21 \
in-interface=ether1 protocol=udp to-addresses=192.168.99.254 to-ports=\
2221
add action=dst-nat chain=dstnat dst-address=192.168.60.140 dst-port=45698 \
in-interface=ether1 protocol=tcp to-addresses=192.168.99.253 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-address=192.168.10.242 \
dst-port=2356 in-interface=ether2 protocol=tcp to-addresses=\
192.168.99.254 to-ports=2221
add action=dst-nat chain=dstnat dst-address=192.168.10.242 dst-port=2356 \
in-interface=ether2 protocol=tcp to-addresses=192.168.99.253 to-ports=80
/ip ipsec identity
# Disabled, belong to the disabled static peers above.
add disabled=yes peer=VAK
add disabled=yes peer=Solver
/ip ipsec policy
# Disabled transport policies for L2TP (udp/1701) to the static peers.
add disabled=yes dst-port=1701 peer=VAK src-port=1701
add disabled=yes dst-port=1701 peer=Solver src-port=1701
/ip route
# Recursive defaults: the gateway is a public IP (8.8.8.8 / 1.1.1.1) that is
# itself reached via the /32 host routes further down (scope=11 /
# target-scope=11 enable the recursion). check-gateway=ping on those host
# routes turns the matching default off when the uplink loses reachability.
#   rout_solver table -> via 8.8.8.8 (Solver)
#   rout_VAK table    -> via 1.1.1.1 (VAK)
#   main table        -> Solver (distance 1), VAK failover (distance 2),
#                        br-lo "Emergency route" at distance 254 when both fail
add distance=1 gateway=8.8.8.8 routing-mark=rout_solver target-scope=11
add distance=1 gateway=1.1.1.1 routing-mark=rout_VAK target-scope=11
add check-gateway=ping comment="Unmarked via Solver" distance=1 gateway=\
8.8.8.8 target-scope=11
add check-gateway=ping comment="Unmarked via VAK" distance=2 gateway=1.1.1.1 \
target-scope=11
add comment="Emergency route" distance=254 gateway=br-lo
add check-gateway=ping comment="For recursion via VAK" distance=1 \
dst-address=1.1.1.1/32 gateway=192.168.60.25 scope=11
add check-gateway=ping comment="For recursion via Solver" distance=1 \
dst-address=8.8.8.8/32 gateway=192.168.10.25 scope=11
# 192.168.131.0/24 (presumably the remote site behind the L2TP server):
# prefer l2tp-out2, fall back to l2tp-out1, and at distance 3 mark it
# unreachable so it never falls through to a default route when both tunnels
# are down.
add check-gateway=ping distance=1 dst-address=192.168.131.0/24 gateway=\
172.16.1.1%l2tp-out2 pref-src=192.168.99.1
add check-gateway=ping distance=2 dst-address=192.168.131.0/24 gateway=\
172.16.1.1%l2tp-out1 pref-src=192.168.99.1
add check-gateway=ping distance=3 dst-address=192.168.131.0/24 type=\
unreachable
/ip route rule
# Route rules are evaluated before the routing mark: anything to 192.168/16 or
# 172.16/16 (LAN, uplink subnets, tunnel endpoints 172.16.1.1) is forced into
# main so marked connections never try to reach them via a per-uplink table.
# Traffic sourced from an uplink address uses that uplink's table.
add comment="to LAN" dst-address=192.168.0.0/16 table=main
add comment="to LAN" dst-address=172.16.0.0/16 table=main
add comment=VAK src-address=192.168.60.140/32 table=rout_VAK
add comment=Solver src-address=192.168.10.173/32 table=rout_solver