gkk
Здравейте,
Имам следния проблем с нов рутер Mikrotik RB5009 - създавам L2TP+IPSEC и задавам статичен адрес на потребителя от някой vlan. Потребителят се свързва, може да достъпи рутера, но няма връзка с никоя мрежа зад този рутер. Подобна конфигурация работи на 3-4 места вече, има само една разлика - версията на ROS е по-ниска (на другите рутери). Не съм downgrade-вал все още.
Моля за насоки къде може да е проблемът.
# 2024-09-24 18:58:00 by RouterOS 7.16
# software id = MEI6-DTKL
#
# model = RB5009UG+S+
# serial number =
# NOTE(review): arp=proxy-arp is set on bridge1, but no /ip address below is
# bound to bridge1; the 192.168.17.0/25 subnet that the L2TP secrets borrow
# their static addresses from lives on vlan17-SECURITY. Worth confirming on
# which interface LAN hosts end up ARPing for the VPN clients' addresses.
/interface bridge
add arp=proxy-arp name=bridge1 pvid=18 vlan-filtering=yes
/interface eoip
add allow-fast-path=no local-address=xx.xx.xx.xx mac-address=\
    02:81:25:77:72:3A name=eoip-macedonia remote-address=yy.yy.yy.yy \
    tunnel-id=23
/interface vlan
add interface=bridge1 name=vlan17-SECURITY vlan-id=17
add interface=bridge1 name=vlan18-MANAGEMENT vlan-id=18
add interface=bridge1 name=vlan19-SHOP vlan-id=19
add interface=bridge1 name=vlan20-GUESTS vlan-id=20
/interface list
add name=VLANS
add name=WAN
/ip pool
# NOTE(review): dhcp_pool0 starts at 192.168.17.2, which is also the static
# remote-address of the "Georgi" secret further down (.3 for "Stefan"); the
# DHCP server on vlan17-SECURITY can hand those same addresses to LAN hosts.
add name=dhcp_pool0 ranges=192.168.17.2-192.168.17.126
add name=dhcp_pool1 ranges=192.168.18.2-192.168.18.126
add name=dhcp_pool2 ranges=192.168.19.2-192.168.19.126
add name=dhcp_pool3 ranges=192.168.20.2-192.168.20.126
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan17-SECURITY lease-time=12h name=\
    dhcp1
add address-pool=dhcp_pool1 interface=vlan18-MANAGEMENT lease-time=12h name=\
    dhcp2
add address-pool=dhcp_pool2 interface=vlan19-SHOP lease-time=12h name=dhcp3
add address-pool=dhcp_pool3 interface=vlan20-GUESTS name=dhcp4
/interface bridge port
# Access ports: untagged only, each assigned to its VLAN via pvid.
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1 pvid=17
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=17
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=17
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=19
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=19
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=19
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 pvid=18
# ether8 admits tagged frames as well (it is listed as tagged for 17/19/20 below).
add bridge=bridge1 interface=ether8 pvid=18
/ip settings
# NOTE(review): accept-source-route=yes makes the router honour IPv4
# source-routed packets; the RouterOS default is no and nothing else in this
# export relies on it, so it is a hardening item to revisit.
# rp-filter=strict discards packets whose source address does not route back
# out the receiving interface; if VPN-client traffic is silently dropped, this
# is one setting to test against the L2TP/IPsec path (not provable from the
# export alone).
set accept-source-route=yes ipv4-multipath-hash-policy=l4 rp-filter=strict
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether8 vlan-ids=17
add bridge=bridge1 tagged=bridge1 vlan-ids=18
add bridge=bridge1 tagged=bridge1,ether8 vlan-ids=19
add bridge=bridge1 tagged=bridge1,ether8 vlan-ids=20
/interface l2tp-server server
set authentication=mschap1,mschap2 enabled=yes use-ipsec=yes
/interface list member
# The dynamic L2TP interface is not a member of VLANS, so the forward rule
# below that matches in-interface-list=VLANS does not cover VPN clients.
add interface=vlan17-SECURITY list=VLANS
add interface=vlan18-MANAGEMENT list=VLANS
add interface=vlan19-SHOP list=VLANS
add interface=vlan20-GUESTS list=VLANS
add interface=sfp-sfpplus1 list=WAN
/ip address
add address=192.168.17.1/25 interface=vlan17-SECURITY network=192.168.17.0
add address=192.168.19.1/25 interface=vlan19-SHOP network=192.168.19.0
add address=192.168.20.1/25 interface=vlan20-GUESTS network=192.168.20.0
add address=192.168.18.1/25 interface=vlan18-MANAGEMENT network=192.168.18.0
# NOTE(review): the only EoIP interface defined above is eoip-macedonia, yet
# this address (and the routes via 192.168.250.1) reference eoip-office.
add address=192.168.250.2/25 interface=eoip-office network=192.168.250.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=WAN interface=sfp-sfpplus1
/ip dhcp-server network
add address=192.168.17.0/25 dns-server=1.1.1.1 gateway=192.168.17.1
add address=192.168.18.0/25 dns-server=1.1.1.1 gateway=192.168.18.1
add address=192.168.19.0/25 dns-server=1.1.1.1 gateway=192.168.19.1
add address=192.168.20.0/25 dns-server=1.1.1.1 gateway=192.168.20.1
/ip firewall address-list
add address=192.168.17.0/25 list=ADMIN
add address=192.168.250.0/25 list=ADMIN
add address=192.168.50.12 list=ADMIN
add address=10.0.0.0/24 list=ADMIN
/ip firewall filter
# NOTE(review): this first rule also accepts connection-state=new, so every
# tracked inbound connection to the router is accepted here and the two 8291
# rules that follow never match - the "drop winbox from WAN" rule is
# unreachable. Only the 8291 port is then constrained at all by intent; all
# other services are reachable on every interface, including WAN.
add action=accept chain=input connection-state=established,related,new
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
    ADMIN
add action=drop chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
add action=accept chain=forward connection-state=established,related
# Only VLANS->WAN is explicitly accepted; there is no terminating drop in the
# forward chain, so everything else (including traffic arriving from the L2TP
# interface) falls through to the chain's default action.
add action=accept chain=forward connection-state=new in-interface-list=VLANS \
    out-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
# Port-forward to a host on vlan17-SECURITY; the input/forward chains above do
# not restrict who may reach it.
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx dst-port=8000 \
    protocol=tcp to-addresses=192.168.17.100
/ip route
add disabled=no dst-address=192.168.49.0/24 gateway=192.168.250.1 \
    routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.50.0/24 gateway=192.168.250.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.100.0/24 gateway=192.168.250.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.120.0/25 gateway=192.168.250.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
# Static VPN client addresses borrowed from the vlan17-SECURITY subnet
# (192.168.17.0/25); local-address is the router's own vlan17 address.
add local-address=192.168.17.1 name=Georgi profile=default-encryption \
    remote-address=192.168.17.2 service=l2tp
add local-address=192.168.17.1 name=Stefan profile=default-encryption \
    remote-address=192.168.17.3 service=l2tp
/system clock
set time-zone-name=Europe/Sofia
/system note
set show-at-login=no