Hitmare
just joined
Topic Author
Posts: 1
Joined: Mon Apr 10, 2023 10:49 pm

L2TP IPsec only partly LAN Connection

Mon Apr 10, 2023 11:05 pm

Hello

I have an L2TP VPN Server Setup on my RouterOS Router.
Today I've realized that only certain connections between the VPN Client and the LAN are established/possible


I'm able to connect to my VPN and get a designated (10.0.120.0/24) IP Address for the Client
I can access RDP and a Windows Network Drive from the VPN Client to the LAN without issues
I can ping/traceroute the VPN Client from the LAN Network
I can't ping/traceroute any LAN devices from my VPN Client

I've found some threads on this Forum with a similar issue, but wasn't able to find any solution for my issue
I'm quite a novice in this matter. I've used WinBox to configure the L2TP Server

Did I miss some Firewall config that I need to add/modify?


BR
Hitmare

My current config
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2412 name=2GHz-01
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2417 name=2GHz-02
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2422 name=2GHz-03
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2427 name=2GHz-04
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2432 name=2GHz-05
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2437 name=2GHz-06
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2442 name=2GHz-07
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2447 name=2GHz-08
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2452 name=2GHz-09
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2457 name=2GHz-10
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2462 name=2GHz-11
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2467 name=2GHz-12
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2472 name=2GHz-13
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5160 name=5GHz-32
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5180 name=5GHz-36
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5200 name=5GHz-40
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5220 name=5GHz-44
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5240 name=5GHz-48
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5260 name=5GHz-52
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5280 name=5GHz-56
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5300 name=5GHz-60
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5320 name=5GHz-64
add band=5ghz-a/n/ac control-channel-width=20mhz frequency=5340 name=5GHz-68
add band=5ghz-a/n/ac control-channel-width=40mhz-turbo frequency=5280 name=5GHz-56-turbo
add band=5ghz-a/n/ac control-channel-width=40mhz-turbo frequency=5240 name=5GHz-48-turbo
add control-channel-width=20mhz frequency=5200,5220,5240,5260,5280 name=5GHz-40_44_48_52_56_20MHz
add control-channel-width=40mhz-turbo frequency=5200,5240,5280 name=5GHz-40_48_56_40MHz-turbo
/caps-man datapath
add client-to-client-forwarding=yes local-forwarding=yes name=datapath_lan
/interface bridge
add admin-mac=B8:69:F4:E7:F8:E3 auto-mac=no comment=defconf name=bridge
add name=bridge-wlan
add name=bridge_g-wlan
add name=bridge_isolated
/interface ethernet
set [ find default-name=ether1 ] speed=100Mbps
set [ find default-name=ether2 ] speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] speed=100Mbps
set [ find default-name=ether8 ] arp=proxy-arp speed=100Mbps
set [ find default-name=ether9 ] speed=100Mbps
set [ find default-name=ether10 ] speed=100Mbps
set [ find default-name=sfp1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/caps-man datapath
add bridge=bridge-wlan client-to-client-forwarding=yes local-forwarding=yes name=datapath_main
add bridge=bridge_g-wlan client-to-client-forwarding=no local-forwarding=no name=datapath-guest
add bridge=bridge_isolated client-to-client-forwarding=no local-forwarding=no name=datapath_isolated
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=Dragonforce-WLAN passphrase=Dragons4ever
add authentication-types=wpa2-psk encryption=aes-ccm name=Guest passphrase=Dragons4guest
add authentication-types=wpa2-psk encryption=aes-ccm name=SECOL passphrase=ICTBPSSEC
add authentication-types=wpa2-psk encryption=aes-ccm name=Dragonlair passphrase=Dragon4lair
add authentication-types=wpa2-psk encryption=aes-ccm name=Dragonlan passphrase=Dragons4lan
add authentication-types=wpa2-psk encryption=aes-ccm name=Logan passphrase=GeeJay89
add authentication-types=wpa2-psk encryption=aes-ccm name=GollnerMassagen2 passphrase=Undopathie2020
/caps-man configuration
add country=austria datapath=datapath_main installation=indoor mode=ap name=Dragonforce_2GHz security=Dragonforce-WLAN ssid=Dragonforce
add channel=5GHz-40_44_48_52_56_20MHz country=austria datapath=datapath_main installation=indoor mode=ap name=Dragonforce_5GHz security=Dragonforce-WLAN ssid=Dragonforce
add country=austria datapath=datapath-guest installation=indoor mode=ap name=Guest_2GHz security=Guest ssid=Dragonsguest
add channel=5GHz-64 country=austria datapath=datapath-guest installation=indoor mode=ap name=Guest_5GHz security=Guest ssid=Dragonsguest
add country=austria datapath=datapath-guest installation=indoor mode=ap name=SECOL security=SECOL ssid=SECOL
add country=austria datapath=datapath_isolated installation=indoor name=Wifi_Isolated security=Dragonlair ssid=Dragonlair
add country=austria datapath=datapath_lan installation=indoor mode=ap name=Dragonlan security=Dragonlan ssid=Dragonlan
add country=austria datapath=datapath-guest installation=indoor mode=ap name=Logan security=Logan ssid="Logan Len jr.1"
add country=austria datapath=datapath_main installation=indoor mode=ap name=GollnerMassagen2 security=GollnerMassagen2 ssid=GollnerMassagen2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=10.0.111.10-10.0.111.240
add name=ppp ranges=10.0.114.10-10.0.114.240
add name=wlan-dhcp ranges=10.0.112.10-10.0.112.240
add name=vpn-old ranges=192.168.89.2-192.168.89.255
add name=vpn ranges=10.0.120.2-10.0.120.254
add name=wlan-g-dhcp ranges=10.0.113.10-10.0.113.240
add name=wlan_isolated ranges=10.0.115.10-10.0.115.240
add name=dhcp_le ranges=10.0.111.241-10.0.111.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=wlan-dhcp disabled=no interface=bridge-wlan lease-script=dhcp-dns-lease-script name=wlan_server src-address=10.0.112.1
add address-pool=wlan_isolated disabled=no interface=bridge_isolated lease-script=dhcp-dns-lease-script name=wlan_isolated src-address=10.0.115.1
/ppp profile
add bridge-learning=yes change-tcp-mss=yes dns-server=10.0.111.2 local-address=10.0.120.1 name=ipsec remote-address=vpn use-encryption=required use-mpls=yes
set *FFFFFFFE local-address=dhcp remote-address=vpn use-upnp=yes
/queue simple
add disabled=yes limit-at=1M/20M max-limit=1M/20M name=10M-Guest_Wlan queue=wireless-default/wireless-default target=10.0.113.0/24 total-queue=wireless-default
/ip dhcp-server
add address-pool=wlan-g-dhcp disabled=no interface=bridge_g-wlan lease-script=dhcp-dns-lease-script name=wlan_g-server parent-queue=10M-Guest_Wlan src-address=10.0.113.1
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled hw-supported-modes=b,g,gn master-configuration=Dragonforce_2GHz radio-mac=C4:AD:34:D9:5C:B0 slave-configurations=SECOL,Wifi_Isolated,Logan
add action=create-dynamic-enabled hw-supported-modes=ac,an master-configuration=Dragonforce_5GHz radio-mac=C4:AD:34:D9:5C:B1 slave-configurations=Guest_5GHz
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=sfp1
add bridge=bridge-wlan interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set default-profile=ipsec enabled=yes ipsec-secret=<removed> use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface pptp-server server
set authentication=chap,mschap1,mschap2 default-profile=default
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=10.0.111.1/24 comment=defconf interface=ether2 network=10.0.111.0
add address=10.0.112.1/24 interface=bridge-wlan network=10.0.112.0
add address=10.0.113.1/24 interface=bridge_g-wlan network=10.0.113.0
add address=10.0.115.1/24 interface=bridge_isolated network=10.0.115.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=10.0.111.11 mac-address=00:21:B7:2F:89:7C
add address=10.0.111.201 mac-address=00:22:4D:54:BD:1E
add address=10.0.111.103 client-id=1:4c:b:be:3d:9:54 mac-address=4C:0B:BE:3D:09:54 server=defconf
add address=10.0.111.222 client-id=ff:29:b4:5a:89:0:1:0:1:25:ff:f8:32:0:c:29:b4:5a:89 mac-address=00:0C:29:B4:5A:89 server=defconf
add address=10.0.112.232 client-id=1:b8:27:eb:13:98:72 mac-address=B8:27:EB:13:98:72 server=wlan_server
add address=10.0.112.2 client-id=1:c4:ad:34:d9:5c:ae mac-address=C4:AD:34:D9:5C:AE server=wlan_server
add address=10.0.111.14 mac-address=44:37:E6:9A:3D:8C server=defconf
add address=10.0.111.19 mac-address=6C:62:6D:44:3F:BA server=defconf
add address=10.0.111.2 client-id=ff:4e:8c:b0:79:0:4:d2:ea:7e:80:6e:f1:11:e1:86:c8:e0:cb:4e:8c:b0:79 mac-address=E0:CB:4E:8C:B0:79 server=defconf
add address=10.0.112.201 mac-address=C8:2B:96:C9:C1:70 server=wlan_server
add address=10.0.112.202 mac-address=C8:2B:96:C9:89:C6 server=wlan_server
add address=10.0.112.203 mac-address=F4:CF:A2:08:E1:86 server=wlan_server
add address=10.0.112.204 mac-address=E0:98:06:CA:94:61 server=wlan_server
add address=10.0.111.16 mac-address=E0:D5:5E:CA:1D:8F server=defconf
add address=10.0.111.20 mac-address=00:01:80:7C:93:C5 server=defconf
add address=10.0.111.10 client-id=1:2c:f0:5d:7a:7c:ea mac-address=2C:F0:5D:7A:7C:EA server=defconf
add address=10.0.111.200 client-id=1:5e:67:51:82:90:c5 mac-address=5E:67:51:82:90:C5 server=defconf
add address=10.0.111.202 mac-address=F6:CE:74:54:FE:3B server=defconf
add address=10.0.112.192 mac-address=C4:4F:33:D2:FB:EC server=wlan_server
add address=10.0.112.191 mac-address=C4:4F:33:D3:F0:89 server=wlan_server
add address=10.0.112.190 mac-address=D8:F1:5B:FE:D4:92 server=wlan_server
add address=10.0.112.189 mac-address=D8:F1:5B:FE:D6:C5 server=wlan_server
add address=10.0.111.17 mac-address=26:67:CC:9B:5B:DD server=defconf
add address=10.0.112.208 mac-address=E8:68:E7:5C:5B:8E server=wlan_server
add address=10.0.112.207 mac-address=8C:CE:4E:EE:15:2E server=wlan_server
add address=10.0.112.206 mac-address=50:02:91:54:A0:8C server=wlan_server
add address=10.0.112.205 mac-address=94:B9:7E:0A:48:24 server=wlan_server
add address=10.0.112.209 mac-address=8C:CE:4E:EE:30:8A server=wlan_server
add address=10.0.112.210 mac-address=8C:CE:4E:EE:31:45 server=wlan_server
add address=10.0.112.212 mac-address=50:02:91:54:93:2E server=wlan_server
add address=10.0.112.211 mac-address=BC:DD:C2:A8:CD:DB server=wlan_server
add address=10.0.112.213 mac-address=24:A1:60:12:D8:65 server=wlan_server
add address=10.0.111.199 client-id=ff:3e:4a:28:3b:0:1:0:1:29:71:9a:f5:56:18:3e:4a:28:3b mac-address=56:18:3E:4A:28:3B server=defconf
add address=10.0.111.15 mac-address=1A:C8:3A:6B:8C:F9 server=defconf
add address=10.0.112.172 mac-address=94:DE:B8:69:3B:08 server=wlan_server
/ip dhcp-server network
add address=10.0.111.0/24 caps-manager=10.0.111.1 comment=defconf dns-server=10.0.111.2 domain=local gateway=10.0.111.1 netmask=24
add address=10.0.112.0/24 caps-manager=10.0.111.1 dns-server=10.0.111.2 domain=wifi.local gateway=10.0.112.1 netmask=24
add address=10.0.113.0/24 caps-manager=10.0.111.1 dns-server=10.0.111.2 domain=guest.local gateway=10.0.113.1 netmask=24
add address=10.0.115.0/24 caps-manager=10.0.111.1 dns-server=10.0.111.2 domain=isolated.local gateway=10.0.115.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=10.0.111.1 name=router.local
add address=10.0.111.11 comment=#DHCP name=TonerPrinter.local ttl=10m
add address=10.0.111.10 comment=#DHCP name=HITMARE-PC.local ttl=10m
add address=10.0.112.2 comment=#DHCP name=MikroTik.wifi.local ttl=10m
add address=10.0.112.204 comment=#DHCP name=smart-plug-4.wifi.local ttl=10m
add address=10.0.112.202 comment=#DHCP name=smart-plug-2.wifi.local ttl=10m
add address=10.0.112.192 comment=#DHCP name=tasmota_D2FBEC-7148.wifi.local ttl=10m
add address=10.0.112.210 comment=#DHCP name=tasmota-EE3145-4421.wifi.local ttl=10m
add address=10.0.112.206 comment=#DHCP name=tasmota-LP2-0140.wifi.local ttl=10m
add address=10.0.112.209 comment=#DHCP name=tasmota-EE308A-4234.wifi.local ttl=10m
add address=10.0.112.201 comment=#DHCP name=smart_plug_1.wifi.local ttl=10m
add address=10.0.112.203 comment=#DHCP name=smart-plug-3.wifi.local ttl=10m
add address=10.0.112.190 comment=#DHCP name=tasmota_FED492-5266.wifi.local ttl=10m
add address=10.0.112.207 comment=#DHCP name=tasmota-LP3-5422.wifi.local ttl=10m
add address=10.0.112.213 comment=#DHCP name=tasmota-12D865-6245.wifi.local ttl=10m
add address=10.0.112.189 comment=#DHCP name=tasmota_FED6C5-5829.wifi.local ttl=10m
add address=10.0.112.205 comment=#DHCP name=tasmota-LP1-2084.wifi.local ttl=10m
add address=10.0.112.191 comment=#DHCP name=tasmota_D3F089-4233.wifi.local ttl=10m
add address=10.0.112.208 comment=#DHCP name=tasmota-LP4-7054.wifi.local ttl=10m
add address=10.0.112.212 comment=#DHCP name=tasmota-54932E-4910.wifi.local ttl=10m
add address=10.0.112.232 comment=#DHCP name=octopi.wifi.local ttl=10m
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="allow l2tp" dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=forward comment="Block 115" out-interface=ether1 src-address=10.0.115.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related dst-address=!10.0.113.0/24 src-address=!10.0.113.0/24
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="Hairpin https://help.mikrotik.com/docs/display/ROS/NAT#NAT-HairpinNAT" out-interface=bridge src-address=10.0.111.0/24
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 protocol=tcp to-addresses=10.0.111.200 to-ports=32400
add action=dst-nat chain=dstnat comment=HomeAssistan dst-port=30318 log=yes protocol=tcp to-addresses=10.0.111.202 to-ports=8123
add action=dst-nat chain=dstnat comment="HomeAssistan Hairpin" disabled=yes dst-address=80.108.17.149 dst-port=30318 log=yes protocol=tcp to-addresses=10.0.111.202 to-ports=8123
add action=dst-nat chain=dstnat comment="HTTP Linux Zoneminder" dst-port=16666 log=yes protocol=tcp to-addresses=10.0.111.222 to-ports=80
add action=dst-nat chain=dstnat comment=HTTP dst-port=80 in-interface=ether1 protocol=tcp to-addresses=10.0.111.200 to-ports=80
add action=dst-nat chain=dstnat comment="HTTP Hairpin" dst-address=80.108.17.149 dst-port=81 protocol=tcp to-addresses=10.0.111.200 to-ports=80
add action=dst-nat chain=dstnat comment=HTTPS dst-port=443 in-interface=ether1 protocol=tcp to-addresses=10.0.111.200 to-ports=443
add action=dst-nat chain=dstnat comment="SOCKS CCProxy" dst-port=1080 protocol=tcp to-addresses=10.0.111.200 to-ports=1080
add action=dst-nat chain=dstnat comment="FTP Directory" dst-port=20 protocol=tcp to-addresses=10.0.111.200 to-ports=20
add action=dst-nat chain=dstnat comment=FTP dst-port=5707 protocol=tcp to-addresses=10.0.111.200 to-ports=21
add action=dst-nat chain=dstnat comment="FTP Dynamic" dst-port=50000-51000 protocol=tcp to-addresses=10.0.111.200 to-ports=50000-51000
add action=dst-nat chain=dstnat comment="Rustdesk TCP " dst-port=21115-21119 protocol=tcp to-addresses=10.0.111.15 to-ports=21115-21119
add action=dst-nat chain=dstnat comment="Rustdesk TCP " dst-port=21116 protocol=udp to-addresses=10.0.111.15 to-ports=21116
add action=dst-nat chain=dstnat comment="Rustdesk TCP " dst-port=8000 protocol=tcp to-addresses=10.0.111.15 to-ports=8000
add action=dst-nat chain=dstnat comment="RDP Winsrv" disabled=yes dst-port=8839 in-interface=ether1 protocol=tcp to-addresses=10.0.111.200 to-ports=3389
add action=dst-nat chain=dstnat comment="7DTD TCP" dst-port=26900 protocol=tcp to-addresses=10.0.111.200 to-ports=26900
add action=dst-nat chain=dstnat comment="7DTD UDP" dst-port=26900-26902 protocol=udp to-addresses=10.0.111.200 to-ports=26900-26902
add action=dst-nat chain=dstnat comment="SIP 5160" disabled=yes dst-port=5160 in-interface=ether1 protocol=udp to-addresses=10.0.111.19 to-ports=5160
add action=dst-nat chain=dstnat comment="SIP 10000-20000" disabled=yes dst-port=10000-20000 in-interface=ether1 protocol=udp to-addresses=10.0.111.19 to-ports=10000-20000
add action=dst-nat chain=dstnat comment="Project Zomboid Server" disabled=yes dst-port=8766 in-interface=ether1 protocol=udp to-addresses=10.0.111.200 to-ports=8766
add action=dst-nat chain=dstnat comment="Project Zomboid Server" dst-port=16261 in-interface=ether1 protocol=udp to-addresses=10.0.111.200 to-ports=16261
add action=dst-nat chain=dstnat comment="Project Zomboid Server" dst-port=16262-16267 in-interface=ether1 protocol=tcp to-addresses=10.0.111.200 to-ports=16262-16267
add action=dst-nat chain=dstnat comment="Guild 3" disabled=yes dst-port=61111 in-interface=ether1 protocol=udp to-addresses=10.0.111.10 to-ports=61111
add action=dst-nat chain=dstnat comment="Guild 3" disabled=yes dst-port=61111 in-interface=ether1 protocol=tcp to-addresses=10.0.111.10 to-ports=61111
add action=dst-nat chain=dstnat comment="Guild 3" disabled=yes dst-port=36895 in-interface=ether1 protocol=udp to-addresses=10.0.111.10 to-ports=36895
add action=dst-nat chain=dstnat comment="Guild 3" disabled=yes dst-port=36895 in-interface=ether1 protocol=tcp to-addresses=10.0.111.10 to-ports=36895
add action=dst-nat chain=dstnat comment="Guild 3" disabled=yes dst-port=36975 in-interface=ether1 protocol=tcp to-addresses=10.0.111.10 to-ports=36975
add action=dst-nat chain=dstnat comment="Guild 3" disabled=yes dst-port=36975 in-interface=ether1 protocol=udp to-addresses=10.0.111.10 to-ports=36975
add action=dst-nat chain=dstnat comment=Unturned disabled=yes dst-port=27015-27017 in-interface=ether1 protocol=udp to-addresses=10.0.111.200 to-ports=27015-27017
add action=dst-nat chain=dstnat comment=Unturned disabled=yes dst-port=27015-27017 in-interface=ether1 protocol=tcp to-addresses=10.0.111.200 to-ports=27015-27017
add action=dst-nat chain=dstnat comment=MInecraft disabled=yes dst-port=25565 in-interface=ether1 protocol=tcp to-addresses=10.0.111.200 to-ports=25565
add action=dst-nat chain=dstnat comment=Minecraft disabled=yes dst-port=25565 in-interface=ether1 protocol=udp to-addresses=10.0.111.200 to-ports=25565
add action=dst-nat chain=dstnat comment="Xbox One - Remote Play" disabled=yes dst-port=4838 in-interface=ether1 protocol=udp to-addresses=10.0.111.103 to-ports=4838
add action=dst-nat chain=dstnat comment="Xbox One - Remote Play" disabled=yes dst-port=5050 in-interface=ether1 protocol=udp to-addresses=10.0.111.103 to-ports=5050
add action=dst-nat chain=dstnat comment="Xbox One - Remote Play" disabled=yes dst-port=4900-6500 in-interface=ether1 protocol=udp to-addresses=10.0.111.103 to-ports=4900-6500
add action=dst-nat chain=dstnat comment="Xbox One - Remote Play" disabled=yes dst-port=49000-65000 in-interface=ether1 protocol=udp to-addresses=10.0.111.103 to-ports=49000-65000
add action=dst-nat chain=dstnat comment="Xbox One - Remote Play" disabled=yes dst-port=4838 in-interface=ether1 protocol=tcp to-addresses=10.0.111.103 to-ports=4838
add action=dst-nat chain=dstnat comment="Xbox One - Remote Play" disabled=yes dst-port=5050 in-interface=ether1 protocol=tcp to-addresses=10.0.111.103 to-ports=5050
add action=dst-nat chain=dstnat comment="Xbox One - Remote Play" disabled=yes dst-port=4900-6500 in-interface=ether1 protocol=tcp to-addresses=10.0.111.103 to-ports=4900-6500
add action=dst-nat chain=dstnat comment="Xbox One - Remote Play" disabled=yes dst-port=49000-65000 in-interface=ether1 protocol=tcp to-addresses=10.0.111.103 to-ports=49000-65000
add action=dst-nat chain=dstnat comment="WIN SRV VPN PPTP" disabled=yes dst-port=1723 in-interface=ether1 protocol=tcp to-addresses=10.0.111.200 to-ports=1723
add action=dst-nat chain=dstnat comment="WIN SRV VPN L2TP" disabled=yes dst-port=1701 in-interface=ether1 protocol=tcp to-addresses=10.0.111.200 to-ports=1701
add action=dst-nat chain=dstnat comment="WIN SRV VPN L2TP" disabled=yes dst-port=1701 in-interface=ether1 protocol=udp to-addresses=10.0.111.200 to-ports=1701
add action=dst-nat chain=dstnat comment="WIN SRV VPN L2TP" disabled=yes dst-port=4500 in-interface=ether1 protocol=udp to-addresses=10.0.111.200 to-ports=4500
add action=dst-nat chain=dstnat comment="WIN SRV VPN L2TP" disabled=yes dst-port=500 in-interface=ether1 protocol=udp to-addresses=10.0.111.200 to-ports=500
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether1 type=external
add interface=bridge type=internal
/lcd
set time-interval=hour
/lcd pin
set pin-number=<removed>
/ppp secret
add name=<removed> password=<removed> profile=ipsec service=l2tp
/system clock
set time-zone-name=Europe/Vienna
/system script
add dont-require-permissions=no name=dhcp-dns-lease-script owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local DHCPtag\r\
    \n:set DHCPtag \"#DHCP\"\r\
    \n\r\
    \n:if ( [ :len \$leaseActIP ] <= 0 ) do={ :error \"empty lease address\" }\r\
    \n\r\
    \n:if ( \$leaseBound = 1 ) do=\\\r\
    \n{\r\
    \n    :local ttl\r\
    \n    :local domain\r\
    \n    :local hostname\r\
    \n    :local fqdn\r\
    \n    :local leaseId\r\
    \n    :local comment\r\
    \n\r\
    \n    /ip dhcp-server\r\
    \n    :set ttl [ get [ find name=\$leaseServerName ] lease-time ]\r\
    \n    network \r\
    \n    :set domain [ get [ find \$leaseActIP in address ] domain ]\r\
    \n\r\
    \n    .. lease\r\
    \n    :set leaseId [ find address=\$leaseActIP ]\r\
    \n\r\
    \n    # Check for multiple active leases for the same IP address. It's weird and it shouldn't be, but just in case.\r\
    \n\r\
    \n    :if ( [ :len \$leaseId ] != 1) do={\r\
    \n        :log info \"DHCP2DNS: not registering domain name for address \$leaseActIP because of multiple active leases for \$leaseActIP\"\r\
    \n        :error \"multiple active leases for \$leaseActIP\"\r\
    \n    }  \r\
    \n\r\
    \n    :set hostname [ get \$leaseId host-name ]\r\
    \n    :set comment [ get \$leaseId comment ]\r\
    \n    /\r\
    \n\r\
    \n    :if ( [ :len \$hostname ] <= 0 ) do={ :set hostname \$comment }\r\
    \n\r\
    \n    :if ( [ :len \$hostname ] <= 0 ) do={\r\
    \n        :log error \"DHCP2DNS: not registering domain name for address \$leaseActIP because of empty lease host-name or comment\"\r\
    \n        :error \"empty lease host-name or comment\"\r\
    \n    }\r\
    \n    :if ( [ :len \$domain ] <= 0 ) do={\r\
    \n        :log error \"DHCP2DNS: not registering domain name for address \$leaseActIP because of empty network domain name\"\r\
    \n        :error \"empty network domain name\"\r\
    \n    }\r\
    \n\r\
    \n    :set fqdn \"\$hostname.\$domain\"\r\
    \n\r\
    \n    /ip dns static\r\
    \n    :if ( [ :len [ find name=\$fqdn and address=\$leaseActIP and disabled=no ] ] = 0 ) do={\r\
    \n        :log info \"DHCP2DNS: registering static domain name \$fqdn for address \$leaseActIP with ttl \$ttl\"\r\
    \n        add address=\$leaseActIP name=\$fqdn ttl=\$ttl comment=\$DHCPtag disabled=no\r\
    \n    } else={\r\
    \n        :log error \"DHCP2DNS: not registering domain name \$fqdn for address \$leaseActIP because of existing active static DNS entry with this name or address\"\r\
    \n    }\r\
    \n    /\r\
    \n} else={\r\
    \n    /ip dns static\r\
    \n    :local dnsDhcpId\r\
    \n    :set dnsDhcpId [ find address=\$leaseActIP and comment=\$DHCPtag ]\r\
    \n    :if ( [ :len \$dnsDhcpId ] > 0 ) do={\r\
    \n        :log info \"DHCP2DNS: removing static domain name(s) for address \$leaseActIP\"\r\
    \n        remove \$dnsDhcpId\r\
    \n    }\r\
    \n    /\r\
    \n}"
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=ether1 name=tmon2 threshold=0
add interface=ether1 name=tmon1 threshold=0 traffic=received
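As an added example that is not part of the original post and not MikroTik code, the script below parses the enabled forward-chain rules from the export above and walks them the way RouterOS does (top-down, first match decides, implicit accept at the end of a chain) for a constructed ICMP packet from the VPN pool to the LAN, plus two control packets. The interface name `l2tp-in1`, the sample addresses and the assumption that the decapsulated PPP payload carries no IPsec policy flag are mine, not the poster's.

```python
"""Walk a RouterOS /ip firewall filter chain for one packet.

Added example, not from the forum post or MikroTik.  RouterOS evaluates
a chain top-down, the first matching rule decides, and a packet that
reaches the end of a chain is accepted.  The forward-chain rules below
are copied from the posted export; the packets are constructed.
"""
import ipaddress
import shlex

# Enabled forward-chain rules exactly as they appear in the posted export.
EXPORT = r'''
add action=drop chain=forward comment="Block 115" out-interface=ether1 src-address=10.0.115.0/24
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related dst-address=!10.0.113.0/24 src-address=!10.0.113.0/24
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
'''

NON_MATCHERS = {"action", "chain", "comment", "disabled", "log", "log-prefix"}


def parse_rules(export):
    """Turn `add key=value ...` export lines into dicts; skip disabled rules."""
    rules = []
    for line in export.strip().splitlines():
        if line.startswith("add "):
            rule = dict(tok.partition("=")[::2] for tok in shlex.split(line[4:]))
            if rule.get("disabled") != "yes":
                rules.append(rule)
    return rules


def _split_neg(val):
    """RouterOS negates a matcher value with a leading '!'."""
    return (val[1:], True) if val.startswith("!") else (val, False)


def _in_list(val, actual):          # comma-separated value list, e.g. established,related
    val, neg = _split_neg(val)
    return (actual in val.split(",")) != neg


def _in_set(val, actual_set):       # interface-list membership
    val, neg = _split_neg(val)
    return (val in actual_set) != neg


def _in_net(val, ip):               # CIDR match, e.g. !10.0.113.0/24
    val, neg = _split_neg(val)
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(val, strict=False)) != neg


def _ipsec(val, pkt):
    # "in,ipsec": packet was decrypted by an IPsec policy; "out,ipsec": an
    # IPsec policy will encrypt it.  "none" is the opposite in each direction.
    direction, kind = val.split(",")
    return pkt["ipsec-" + direction] == (kind == "ipsec")


MATCHERS = {
    "src-address": lambda v, p: _in_net(v, p["src"]),
    "dst-address": lambda v, p: _in_net(v, p["dst"]),
    "protocol": lambda v, p: _in_list(v, p["protocol"]),
    "connection-state": lambda v, p: _in_list(v, p["connection-state"]),
    "connection-nat-state": lambda v, p: _in_list(v, p["connection-nat-state"]),
    "in-interface": lambda v, p: _in_list(v, p["in-interface"]),
    "out-interface": lambda v, p: _in_list(v, p["out-interface"]),
    "in-interface-list": lambda v, p: _in_set(v, p["in-lists"]),
    "ipsec-policy": _ipsec,
}


def first_match(rules, pkt):
    """(action, comment) of the first matching rule in pkt's chain, or the
    chain's implicit accept.  A matcher this model does not cover raises,
    so a silently wrong verdict is impossible."""
    for rule in rules:
        if rule["chain"] != pkt["chain"]:
            continue
        conds = {k: v for k, v in rule.items() if k not in NON_MATCHERS}
        unknown = set(conds) - set(MATCHERS)
        if unknown:
            raise NotImplementedError(f"matcher(s) {sorted(unknown)} not modelled")
        if all(MATCHERS[k](v, pkt) for k, v in conds.items()):
            return rule["action"], rule.get("comment", "")
    return "accept", "end of chain (implicit accept)"


def forward_packet(src, dst, protocol, in_iface, in_lists, out_iface,
                   state="new", nat_state="", ipsec_in=False, ipsec_out=False):
    pkt = {"chain": "forward", "src": src, "dst": dst, "protocol": protocol,
           "in-interface": in_iface, "in-lists": set(in_lists),
           "out-interface": out_iface, "connection-state": state,
           "connection-nat-state": nat_state, "ipsec-in": ipsec_in, "ipsec-out": ipsec_out}
    return first_match(parse_rules(EXPORT), pkt)


# Constructed packets.  "l2tp-in1" is a hypothetical interface name; the L2TP
# interface belongs to no interface list in the posted export, and (assumption)
# the decapsulated PPP payload carries no IPsec flag, since the policy protected
# the outer UDP/1701 transport.
VPN_PING = dict(src="10.0.120.5", dst="10.0.111.10", protocol="icmp",
                in_iface="l2tp-in1", in_lists=(), out_iface="bridge")
ISOLATED_OUT = dict(src="10.0.115.20", dst="1.1.1.1", protocol="udp",
                    in_iface="bridge_isolated", in_lists=(), out_iface="ether1")
WAN_UNSOLICITED = dict(src="198.51.100.7", dst="10.0.111.200", protocol="tcp",
                       in_iface="ether1", in_lists=("WAN",), out_iface="bridge")

if __name__ == "__main__":
    for name, pkt in [("VPN ping to LAN", VPN_PING), ("isolated to WAN", ISOLATED_OUT),
                      ("unsolicited from WAN", WAN_UNSOLICITED)]:
        print(f"{name}: {forward_packet(**pkt)}")
```

A verdict of "end of chain (implicit accept)" for the VPN ping means this filter is not what drops the echo request, while the two control packets show the simulator does catch the rules that do drop. A firewall on the LAN host itself that accepts ICMP only from its own subnet would produce exactly the pattern described (RDP and SMB work, ping does not), so that is the next place to check.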

