Imam mali problem sa tikom Mikrotik RB2011UiAS-2HnD. Na njemu su dva WAN linka. Jedan ADSL (nije u bridge modu, vec je nakacen na lan interfejsa adsl rutera) a drugi je optika sa 10ak dmz adresa. Kod DMZ-a sam jednu adresu proglasio za rutabilnu i dodelio je jednom interfejsu. U principu sve radi ok, sem sto spolja ne mogu da pristupim ruteru preko winbox-a ili cega vec i ne mogu da namestim VPN ka njemu. Tacnije namestim VPN, nakacim se kako treba ali ne uspevam da prodjem "unutra". ADSL link je primaran a optika je sekundaran link i link koji se koristi za VPN tj treba da se koristi za to. Trenutno imam i neke servise koji idu preko optike (sto preko DMZ adresa sto direktno preko optickog WAN linka) i sve sljaka kako valja. Cak sam privremeno postavio VPN server iznutra kako bih omogucio pristup lokalnoj mrezi (na jednoj od DMZ adresa) i to radi ok. Zapravo sve je ok osim pristupa ruteru u input chain-u. Ovo ponasanje je identicno u oba slucaja - i sa povezanim primarnim linkom i bez. Sem sto u slucaju da sklonim primarni link mogu da pristupam winbox portu ali i dalje mi ne radi VPN pristup unutra. Ima li neko ideju sta bi moglo da bude u pitanju? Evo i konfiga:
Code:
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no l2mtu=1598 name=bridge-local
add l2mtu=2290 name=bridgeWLAN protocol-mode=none
add name=bridgeWLANGuest protocol-mode=none
/interface ethernet
set [ find default-name=ether3 ] name=DMZ
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=\
ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=\
ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=\
ether10-slave-local
/interface wireless
set [ find default-name=wlan1 ] disabled=no ht-rxchains=0 ht-txchains=0 \
l2mtu=2290 mode=ap-bridge ssid=MYWIFI
/interface pptp-server
add name="VPN server MYcompany" user=""
/ip neighbor discovery
set WAN1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys wpa2-pre-shared-key=zzzzzzzzzzzzzz
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
GuestProfile wpa2-pre-shared-key=xxxxxxxxxxxxxxx
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed name=hotspot supplicant-identity=""
/interface wireless
add disabled=no l2mtu=2290 mac-address=4E:5E:0C:44:ED:27 master-interface=\
wlan1 name=wlan2 security-profile=hotspot ssid=MYWIFIHS wds-cost-range=0 \
wds-default-cost=0
/ip dhcp-server
add disabled=no interface=bridgeWLANGuest name=DHCPGuests
/ip hotspot profile
add hotspot-address=10.5.50.1 login-by=http-chap name=hsprof1 use-radius=yes
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
mac-cookie-timeout=3d shared-users=10
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name="VPN adrese" ranges=192.168.20.220-192.168.20.230
add name=WLANPool ranges=192.168.23.50-192.168.23.250
add name=hs-pool-18 ranges=10.5.50.2-10.5.50.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-local name=default
add address-pool=WLANPool disabled=no interface=bridgeWLAN name=DHCP4LAN
add address-pool=hs-pool-18 disabled=no lease-time=1h name=dhcp1
add address-pool=hs-pool-18 disabled=no interface=wlan2 lease-time=1h name=\
dhcp2
/ip hotspot
add address-pool=hs-pool-18 disabled=no interface=wlan2 name=hotspot1 \
profile=hsprof1
/port
set 0 name=serial0
/ppp profile
add local-address=192.168.20.219 name="VPN profil" remote-address=\
"VPN adrese" use-encryption=no
/interface bridge port
add bridge=bridge-local interface=DMZ
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridgeWLAN interface=wlan1
add bridge=bridgeWLANGuest
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile="VPN profile" \
enabled=yes
/ip address
add address=192.168.20.1/24 comment=LAN interface=bridge-local network=\
192.168.20.0
add address=192.168.66.1/24 comment="Management address" interface=ether5 \
network=192.168.66.0
add address=a.b.c.x/30 comment="WAN2 - fiber" interface=WAN2 network=\
a.b.c.d
add address=z.q.x.y/28 comment="DMZ addresses" interface=DMZ network=\
z.q.x.x
add address=192.168.23.1/24 comment="Wifi LAN" interface=wlan1 \
network=192.168.23.0
add address=10.5.50.1/24 comment="hotspot network" interface=wlan2 network=\
10.5.50.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=WAN1
/ip dhcp-server network
add address=10.5.50.0/24 comment="hotspot network" gateway=10.5.50.1
add address=192.168.22.0/24 comment="Guest WLAN pool" dns-server=\
192.168.22.1 gateway=192.168.22.1
add address=192.168.23.0/24 comment="WLAN pool" dns-server=192.168.23.1 \
gateway=192.168.23.1
add address=192.168.20.0/24 comment="LAN pool" dns-server=192.168.20.1 \
gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input in-interface=WAN2 protocol=gre
add chain=input dst-address=a.b.x.x dst-port=1723 in-interface=WAN2 \
protocol=tcp
add chain=input dst-address=a.b.x.x dst-port=8291 protocol=tcp
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=drop chain=forward comment="SPAM port" dst-port=25 out-interface=\
WAN1 protocol=tcp
add action=drop chain=forward dst-port=25 out-interface=WAN2 protocol=tcp
add action=drop chain=input dst-address=192.168.20.0/24 src-address=\
10.5.50.0/24
add action=drop chain=forward dst-address=192.168.23.0/24 routing-mark=\
WLANGuest
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="Traffic outside to input" in-interface=WAN1
add action=drop chain=input in-interface=WAN2
add chain=forward comment="default configuration" connection-state=\
established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark="mail server" \
passthrough=no src-address=192.168.20.215
add action=mark-routing chain=prerouting new-routing-mark="DMZ addresses" \
passthrough=no src-address=z.q.x.x/28
add action=mark-routing chain=prerouting new-routing-mark=WLANGuest \
passthrough=no routing-mark=WLANGuest src-address=10.5.50.0/24
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=WAN1 src-address=192.168.20.0/24
add action=masquerade chain=srcnat out-interface=WAN2 src-address=\
192.168.20.0/24
add action=masquerade chain=srcnat out-interface=WAN1 src-address=\
192.168.23.0/24
add action=masquerade chain=srcnat out-interface=WAN2 src-address=\
192.168.23.0/24
add action=masquerade chain=srcnat out-interface=WAN1 src-address=\
192.168.22.0/24
add action=masquerade chain=srcnat out-interface=WAN2 src-address=\
192.168.22.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=10.5.50.0/24
/ip hotspot user
add name=admin password=*
add name=guest password=*
/ip ipsec policy
add template=yes
/ip route
add distance=1 gateway=a.b.c.x routing-mark="mail server"
add distance=1 gateway=a.b.c.x routing-mark="DMZ addresses"
add distance=2 gateway=a.b.c.x
/ip upnp
set allow-disable-external-interface=no
/ppp secret
add name=ssssssssss password=xxxxxx profile="VPN profile" service=pptp
/radius
add address=10.5.50.1 secret=* service=hotspot
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Belgrade
/system ntp client
set enabled=yes primary-ntp=134.130.4.17 secondary-ntp=134.130.5.17
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=WAN2
add interface=DMZ
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=WAN2
add interface=DMZ
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no l2mtu=1598 name=bridge-local
add l2mtu=2290 name=bridgeWLAN protocol-mode=none
add name=bridgeWLANGuest protocol-mode=none
/interface ethernet
set [ find default-name=ether3 ] name=DMZ
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=\
ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=\
ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=\
ether10-slave-local
/interface wireless
set [ find default-name=wlan1 ] disabled=no ht-rxchains=0 ht-txchains=0 \
l2mtu=2290 mode=ap-bridge ssid=MYWIFI
/interface pptp-server
add name="VPN server MYcompany" user=""
/ip neighbor discovery
set WAN1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
dynamic-keys wpa2-pre-shared-key=zzzzzzzzzzzzzz
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
GuestProfile wpa2-pre-shared-key=xxxxxxxxxxxxxxx
add authentication-types=wpa-psk,wpa2-psk eap-methods="" \
management-protection=allowed name=hotspot supplicant-identity=""
/interface wireless
add disabled=no l2mtu=2290 mac-address=4E:5E:0C:44:ED:27 master-interface=\
wlan1 name=wlan2 security-profile=hotspot ssid=MYWIFIHS wds-cost-range=0 \
wds-default-cost=0
/ip dhcp-server
add disabled=no interface=bridgeWLANGuest name=DHCPGuests
/ip hotspot profile
add hotspot-address=10.5.50.1 login-by=http-chap name=hsprof1 use-radius=yes
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
mac-cookie-timeout=3d shared-users=10
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name="VPN adrese" ranges=192.168.20.220-192.168.20.230
add name=WLANPool ranges=192.168.23.50-192.168.23.250
add name=hs-pool-18 ranges=10.5.50.2-10.5.50.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-local name=default
add address-pool=WLANPool disabled=no interface=bridgeWLAN name=DHCP4LAN
add address-pool=hs-pool-18 disabled=no lease-time=1h name=dhcp1
add address-pool=hs-pool-18 disabled=no interface=wlan2 lease-time=1h name=\
dhcp2
/ip hotspot
add address-pool=hs-pool-18 disabled=no interface=wlan2 name=hotspot1 \
profile=hsprof1
/port
set 0 name=serial0
/ppp profile
add local-address=192.168.20.219 name="VPN profil" remote-address=\
"VPN adrese" use-encryption=no
/interface bridge port
add bridge=bridge-local interface=DMZ
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridgeWLAN interface=wlan1
add bridge=bridgeWLANGuest
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile="VPN profile" \
enabled=yes
/ip address
add address=192.168.20.1/24 comment=LAN interface=bridge-local network=\
192.168.20.0
add address=192.168.66.1/24 comment="Management address" interface=ether5 \
network=192.168.66.0
add address=a.b.c.x/30 comment="WAN2 - fiber" interface=WAN2 network=\
a.b.c.d
add address=z.q.x.y/28 comment="DMZ addresses" interface=DMZ network=\
z.q.x.x
add address=192.168.23.1/24 comment="Wifi LAN" interface=wlan1 \
network=192.168.23.0
add address=10.5.50.1/24 comment="hotspot network" interface=wlan2 network=\
10.5.50.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=WAN1
/ip dhcp-server network
add address=10.5.50.0/24 comment="hotspot network" gateway=10.5.50.1
add address=192.168.22.0/24 comment="Guest WLAN pool" dns-server=\
192.168.22.1 gateway=192.168.22.1
add address=192.168.23.0/24 comment="WLAN pool" dns-server=192.168.23.1 \
gateway=192.168.23.1
add address=192.168.20.0/24 comment="LAN pool" dns-server=192.168.20.1 \
gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input in-interface=WAN2 protocol=gre
add chain=input dst-address=a.b.x.x dst-port=1723 in-interface=WAN2 \
protocol=tcp
add chain=input dst-address=a.b.x.x dst-port=8291 protocol=tcp
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=drop chain=forward comment="SPAM port" dst-port=25 out-interface=\
WAN1 protocol=tcp
add action=drop chain=forward dst-port=25 out-interface=WAN2 protocol=tcp
add action=drop chain=input dst-address=192.168.20.0/24 src-address=\
10.5.50.0/24
add action=drop chain=forward dst-address=192.168.23.0/24 routing-mark=\
WLANGuest
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="Traffic outside to input" in-interface=WAN1
add action=drop chain=input in-interface=WAN2
add chain=forward comment="default configuration" connection-state=\
established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark="mail server" \
passthrough=no src-address=192.168.20.215
add action=mark-routing chain=prerouting new-routing-mark="DMZ addresses" \
passthrough=no src-address=z.q.x.x/28
add action=mark-routing chain=prerouting new-routing-mark=WLANGuest \
passthrough=no routing-mark=WLANGuest src-address=10.5.50.0/24
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=WAN1 src-address=192.168.20.0/24
add action=masquerade chain=srcnat out-interface=WAN2 src-address=\
192.168.20.0/24
add action=masquerade chain=srcnat out-interface=WAN1 src-address=\
192.168.23.0/24
add action=masquerade chain=srcnat out-interface=WAN2 src-address=\
192.168.23.0/24
add action=masquerade chain=srcnat out-interface=WAN1 src-address=\
192.168.22.0/24
add action=masquerade chain=srcnat out-interface=WAN2 src-address=\
192.168.22.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=10.5.50.0/24
/ip hotspot user
add name=admin password=*
add name=guest password=*
/ip ipsec policy
add template=yes
/ip route
add distance=1 gateway=a.b.c.x routing-mark="mail server"
add distance=1 gateway=a.b.c.x routing-mark="DMZ addresses"
add distance=2 gateway=a.b.c.x
/ip upnp
set allow-disable-external-interface=no
/ppp secret
add name=ssssssssss password=xxxxxx profile="VPN profile" service=pptp
/radius
add address=10.5.50.1 secret=* service=hotspot
/radius incoming
set accept=yes
/system clock
set time-zone-name=Europe/Belgrade
/system ntp client
set enabled=yes primary-ntp=134.130.4.17 secondary-ntp=134.130.5.17
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=WAN2
add interface=DMZ
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=WAN2
add interface=DMZ
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local