Zdravím,
už nějaký čas se trápím s nastavením rb750gl. Používám na něm VPN přes PPTP server a potřeboval bych následující:
- Jako hlavní router mám nastavený Apple Airport na který jsou napojeny počítače doma
- Do airportu mám připojený i Mikrotik na kterém mám vytvořený PPTP server
- Počítačem v kanceláři jsem připojený přes VPN na Mikrotik
Problém je ale v tom, že se z počítačů doma nedostanu na počítač v kanceláři. Poradí někdo s konfigurací?
❗️Toto je původní verze internetového fóra ISPforum.cz do února 2020 bez možnosti registrace nových uživatelů. Aktivní verzi fóra naleznete na adrese https://telekomunikace.cz
Přesměrování do VPN
/interface bridge
add name=Switch
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 master-port=ether2-master-local name=ether5-slave-local
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=VPN-pool ranges=1.1.1.10-1.1.1.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether2-master-local name=\
default
/ppp profile
set 1 dns-server=8.8.8.8,8.8.4.4 local-address=1.1.1.1 remote-address=\
VPN-pool
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface l2tp-server server
set enabled=yes
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
ether2-master-local network=192.168.88.0
/ip arp
add address=10.0.0.1 interface=ether1-gateway mac-address=24:AB:81:B7:C2:0A
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment="default configuration" in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway to-addresses=0.0.0.0
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 \
nat-traversal=yes secret=hqtesting
/ip route
add check-gateway=ping distance=1 dst-address=1.0.0.0/32 gateway=10.0.0.1
/ip service
set api disabled=yes
/ppp secret
add local-address=1.1.1.1 name=ppp1 password=ppp1 profile=default-encryption \
remote-address=1.1.1.2 service=pptp
/system clock
set time-zone-name=Europe/Prague
/system ntp client
set enabled=yes mode=unicast primary-ntp=17.72.148.53 secondary-ntp=\
17.72.148.52
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add name=Switch
/interface ethernet
set 0 name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 master-port=ether2-master-local name=ether5-slave-local
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=VPN-pool ranges=1.1.1.10-1.1.1.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether2-master-local name=\
default
/ppp profile
set 1 dns-server=8.8.8.8,8.8.4.4 local-address=1.1.1.1 remote-address=\
VPN-pool
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface l2tp-server server
set enabled=yes
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
ether2-master-local network=192.168.88.0
/ip arp
add address=10.0.0.1 interface=ether1-gateway mac-address=24:AB:81:B7:C2:0A
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment="default configuration" in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway to-addresses=0.0.0.0
/ip ipsec peer
add exchange-mode=main-l2tp generate-policy=port-override hash-algorithm=sha1 \
nat-traversal=yes secret=hqtesting
/ip route
add check-gateway=ping distance=1 dst-address=1.0.0.0/32 gateway=10.0.0.1
/ip service
set api disabled=yes
/ppp secret
add local-address=1.1.1.1 name=ppp1 password=ppp1 profile=default-encryption \
remote-address=1.1.1.2 service=pptp
/system clock
set time-zone-name=Europe/Prague
/system ntp client
set enabled=yes mode=unicast primary-ntp=17.72.148.53 secondary-ntp=\
17.72.148.52
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
0 x
v mk pri pptp servery nemas nastavenu remote a local adresu nemozes tam mat 1.1.1.1.... normal si tma hod naprv 192.168.66.60 a druhu 192.168.66.61....
0 x
Je úplně jendo, co si dá o ppp profilu jako local a remote, dokud v tom neudělá pořádek.
Dle té cfg a tvrzení, že se dostane z VPN do LAN to provozuje tka, že RB je připojeno doté jeho LAN přes ether1. Na ether1 dostane přes DHCP adresu/masku/rpoutu od toho Applrouteru, co má ve VPN je fuk, do LAN se dostane, protože s emu to NATne na tom ether1 na vhodnou adreus. Naopak to nefunguje.
Jaký LAN segment používáš uvnitř té své sítě? Možnost je zrušit ten nat na ether1, na ether1 zapnout proxy arp, dále do ppp secret jako local a remote adresu dát nějakou volnou z toho LAN segmentu.
Přihoď výstup příkazu /ip dhcp-client print detail
Dle té cfg a tvrzení, že se dostane z VPN do LAN to provozuje tka, že RB je připojeno doté jeho LAN přes ether1. Na ether1 dostane přes DHCP adresu/masku/rpoutu od toho Applrouteru, co má ve VPN je fuk, do LAN se dostane, protože s emu to NATne na tom ether1 na vhodnou adreus. Naopak to nefunguje.
Jaký LAN segment používáš uvnitř té své sítě? Možnost je zrušit ten nat na ether1, na ether1 zapnout proxy arp, dále do ppp secret jako local a remote adresu dát nějakou volnou z toho LAN segmentu.
Přihoď výstup příkazu /ip dhcp-client print detail
0 x
Majklik píše:Je úplně jendo, co si dá o ppp profilu jako local a remote, dokud v tom neudělá pořádek.
Dle té cfg a tvrzení, že se dostane z VPN do LAN to provozuje tka, že RB je připojeno doté jeho LAN přes ether1. Na ether1 dostane přes DHCP adresu/masku/rpoutu od toho Applrouteru, co má ve VPN je fuk, do LAN se dostane, protože s emu to NATne na tom ether1 na vhodnou adreus. Naopak to nefunguje.
Jaký LAN segment používáš uvnitř té své sítě? Možnost je zrušit ten nat na ether1, na ether1 zapnout proxy arp, dále do ppp secret jako local a remote adresu dát nějakou volnou z toho LAN segmentu.
Přihoď výstup příkazu /ip dhcp-client print detail
sorry som to narychlo pozeral a nenapadlo ma ze to ma takto komplikovane zapojene....
a ako pise majklik troska viac info by si do toho obrazku mohol dat.. ip aj toho air a vsetky jeho porty co robi dhcp a pak sa bude dat lepsie v tom vyznat..
0 x
Diky.
vypis:
[admin@MikroTik] > /ip dhcp-client print detail
Flags: X - disabled, I - invalid
0 ;;; default configuration
interface=ether1-gateway add-default-route=yes default-route-distance=1
use-peer-dns=yes use-peer-ntp=yes dhcp-options=hostname,clientid
status=bound address=10.0.0.3/24 gateway=10.0.0.1 dhcp-server=10.0.0.1
primary-dns=10.0.0.1 expires-after=17h17m29s
vypis:
[admin@MikroTik] > /ip dhcp-client print detail
Flags: X - disabled, I - invalid
0 ;;; default configuration
interface=ether1-gateway add-default-route=yes default-route-distance=1
use-peer-dns=yes use-peer-ntp=yes dhcp-options=hostname,clientid
status=bound address=10.0.0.3/24 gateway=10.0.0.1 dhcp-server=10.0.0.1
primary-dns=10.0.0.1 expires-after=17h17m29s
0 x
Zrusil jsem NAT na ether1, zapl na nem proxy-arp a nastavil jsem local i remote adresu. Nyni uz se nedostanu z VPN do sve lokalni site a ani naopak.
/interface bridge
add name=Switch
/interface ethernet
set 0 arp=proxy-arp name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 master-port=ether2-master-local name=ether5-slave-local
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether2-master-local name=\
default
/ppp profile
set 1 dns-server=8.8.8.8,8.8.4.4 remote-address=0.0.0.0
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes keepalive-timeout=\
disabled
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
ether2-master-local network=192.168.88.0
/ip arp
add address=10.0.0.1 interface=ether1-gateway mac-address=24:AB:81:B7:C2:0A
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=ether1-gateway
/ip dhcp-relay
add dhcp-server=10.0.0.1 disabled=no interface=ether2-master-local name=\
relay1
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment="default configuration" in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
yes out-interface=ether1-gateway to-addresses=0.0.0.0
/ip route
add check-gateway=ping distance=1 dst-address=1.0.0.0/32 gateway=10.0.0.1
/ip service
set api disabled=yes
/ppp secret
add local-address=10.0.0.60 name=ppp1 password=xxx profile=\
default-encryption remote-address=10.0.0.60 service=pptp
/system clock
set time-zone-name=Europe/Prague
/system logging
add topics=pptp
/system ntp client
set enabled=yes mode=unicast primary-ntp=17.72.148.53 secondary-ntp=\
17.72.148.52
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
/interface bridge
add name=Switch
/interface ethernet
set 0 arp=proxy-arp name=ether1-gateway
set 1 name=ether2-master-local
set 2 master-port=ether2-master-local name=ether3-slave-local
set 3 master-port=ether2-master-local name=ether4-slave-local
set 4 master-port=ether2-master-local name=ether5-slave-local
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] pfs-group=none
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether2-master-local name=\
default
/ppp profile
set 1 dns-server=8.8.8.8,8.8.4.4 remote-address=0.0.0.0
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface pptp-server server
set authentication=pap,chap,mschap1,mschap2 enabled=yes keepalive-timeout=\
disabled
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
ether2-master-local network=192.168.88.0
/ip arp
add address=10.0.0.1 interface=ether1-gateway mac-address=24:AB:81:B7:C2:0A
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=ether1-gateway
/ip dhcp-relay
add dhcp-server=10.0.0.1 disabled=no interface=ether2-master-local name=\
relay1
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment="default configuration" in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
yes out-interface=ether1-gateway to-addresses=0.0.0.0
/ip route
add check-gateway=ping distance=1 dst-address=1.0.0.0/32 gateway=10.0.0.1
/ip service
set api disabled=yes
/ppp secret
add local-address=10.0.0.60 name=ppp1 password=xxx profile=\
default-encryption remote-address=10.0.0.60 service=pptp
/system clock
set time-zone-name=Europe/Prague
/system logging
add topics=pptp
/system ntp client
set enabled=yes mode=unicast primary-ntp=17.72.148.53 secondary-ntp=\
17.72.148.52
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
0 x
Musíš zrušit i ten default firewall pod /ip firewall filter.
Potom nemůžeš mít na PPTP lince local i remote adresu stejnou, takže spíše něco jako:
/ppp secret
add local-address=10.0.0.60 name=ppp1 password=xxx profile=\
default-encryption remote-address=10.0.0.61 service=pptp
Bylo by vhodné, aby ten jablečnej router ty IP 10.0.0.60 a .61 nepřiděloval přes DHCP nějakým dalším krabicím.
Potom nemůžeš mít na PPTP lince local i remote adresu stejnou, takže spíše něco jako:
/ppp secret
add local-address=10.0.0.60 name=ppp1 password=xxx profile=\
default-encryption remote-address=10.0.0.61 service=pptp
Bylo by vhodné, aby ten jablečnej router ty IP 10.0.0.60 a .61 nepřiděloval přes DHCP nějakým dalším krabicím.
0 x