Jump to content
  • 0

L2TP+IPSec road-warrior не може да вижда VLANS


gkk

Question

Здравейте,

Имам следния проблем с нов рутер Mikrotik RB5009 - създавам L2TP+IPSEC и задавам статичен адрес на потребителя от някой vlan. Потребителя се свързва може да достъпи рутера, но няма връзка с никоя мрежа зад този рутер. Подобна конфигурация работи на 3-4 места вече, има само една разлика - версията на ROS е по-ниска (на другите рутери). Не съм downgrade-вал все още. 

Моля за насоки къде може да е проблема.

# 2024-09-24 18:58:00 by RouterOS 7.16
# software id = MEI6-DTKL
#
# model = RB5009UG+S+
# serial number =
/interface bridge
add arp=proxy-arp name=bridge1 pvid=18 vlan-filtering=yes
/interface eoip
add allow-fast-path=no local-address=xx.xx.xx.xx mac-address=\
    02:81:25:77:72:3A name=eoip-macedonia remote-address=yy.yy.yy.yy \
    tunnel-id=23
/interface vlan
add interface=bridge1 name=vlan17-SECURITY vlan-id=17
add interface=bridge1 name=vlan18-MANAGEMENT vlan-id=18
add interface=bridge1 name=vlan19-SHOP vlan-id=19
add interface=bridge1 name=vlan20-GUESTS vlan-id=20
/interface list
add name=VLANS
add name=WAN
/ip pool
add name=dhcp_pool0 ranges=192.168.17.2-192.168.17.126
add name=dhcp_pool1 ranges=192.168.18.2-192.168.18.126
add name=dhcp_pool2 ranges=192.168.19.2-192.168.19.126
add name=dhcp_pool3 ranges=192.168.20.2-192.168.20.126
/ip dhcp-server
add address-pool=dhcp_pool0 interface=vlan17-SECURITY lease-time=12h name=\
    dhcp1
add address-pool=dhcp_pool1 interface=vlan18-MANAGEMENT lease-time=12h name=\
    dhcp2
add address-pool=dhcp_pool2 interface=vlan19-SHOP lease-time=12h name=dhcp3
add address-pool=dhcp_pool3 interface=vlan20-GUESTS name=dhcp4
/interface bridge port
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1 pvid=17
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=17
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=17
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=19
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=19
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether6 pvid=19
add bridge=bridge1 frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 pvid=18
add bridge=bridge1 interface=ether8 pvid=18
/ip settings
set accept-source-route=yes ipv4-multipath-hash-policy=l4 rp-filter=strict
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether8 vlan-ids=17
add bridge=bridge1 tagged=bridge1 vlan-ids=18
add bridge=bridge1 tagged=bridge1,ether8 vlan-ids=19
add bridge=bridge1 tagged=bridge1,ether8 vlan-ids=20
/interface l2tp-server server
set authentication=mschap1,mschap2 enabled=yes use-ipsec=yes
/interface list member
add interface=vlan17-SECURITY list=VLANS
add interface=vlan18-MANAGEMENT list=VLANS
add interface=vlan19-SHOP list=VLANS
add interface=vlan20-GUESTS list=VLANS
add interface=sfp-sfpplus1 list=WAN
/ip address
add address=192.168.17.1/25 interface=vlan17-SECURITY network=192.168.17.0
add address=192.168.19.1/25 interface=vlan19-SHOP network=192.168.19.0
add address=192.168.20.1/25 interface=vlan20-GUESTS network=192.168.20.0
add address=192.168.18.1/25 interface=vlan18-MANAGEMENT network=192.168.18.0
add address=192.168.250.2/25 interface=eoip-office network=192.168.250.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=WAN interface=sfp-sfpplus1
/ip dhcp-server network
add address=192.168.17.0/25 dns-server=1.1.1.1 gateway=192.168.17.1
add address=192.168.18.0/25 dns-server=1.1.1.1 gateway=192.168.18.1
add address=192.168.19.0/25 dns-server=1.1.1.1 gateway=192.168.19.1
add address=192.168.20.0/25 dns-server=1.1.1.1 gateway=192.168.20.1
/ip firewall address-list
add address=192.168.17.0/25 list=ADMIN
add address=192.168.250.0/25 list=ADMIN
add address=192.168.50.12 list=ADMIN
add address=10.0.0.0/24 list=ADMIN
/ip firewall filter
add action=accept chain=input connection-state=established,related,new
add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=\
    ADMIN
add action=drop chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward connection-state=new in-interface-list=VLANS \
    out-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat dst-address=xx.xx.xx.xx dst-port=8000 \
    protocol=tcp to-addresses=192.168.17.100
/ip route
add disabled=no dst-address=192.168.49.0/24 gateway=192.168.250.1 \
    routing-table=main suppress-hw-offload=no
add disabled=no distance=1 dst-address=192.168.50.0/24 gateway=192.168.250.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.100.0/24 gateway=192.168.250.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=192.168.120.0/25 gateway=192.168.250.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add local-address=192.168.17.1 name=Georgi profile=default-encryption \
    remote-address=192.168.17.2 service=l2tp
add local-address=192.168.17.1 name=Stefan profile=default-encryption \
    remote-address=192.168.17.3 service=l2tp
/system clock
set time-zone-name=Europe/Sofia
/system note
set show-at-login=no

 

Edited by gkk
Link to comment
Share on other sites

5 answers to this question

Recommended Posts

  • 0
  • Administrator

Отдалечения адрес го задай от друга мрежа.

  • Like 1
Харесай поста ^^^
acer.gif htc.gifsigpic4024_2.gif

Форумът е за взаимопомощ а не за свършване на чужда работа


ɹɐǝɥ uɐɔ noʎ ǝɹoɯ ǝɥʇ 'ǝɯoɔǝq noʎ ɹǝʇǝınb ǝɥʇ

Link to comment
Share on other sites

  • 0

Това направих снощи, но защо при другите рутери работи. Странно

Link to comment
Share on other sites

  • 0
  • Administrator

Разгледай промените от старите работещи до последната версия в случая 7.16

Харесай поста ^^^
acer.gif htc.gifsigpic4024_2.gif

Форумът е за взаимопомощ а не за свършване на чужда работа


ɹɐǝɥ uɐɔ noʎ ǝɹoɯ ǝɥʇ 'ǝɯoɔǝq noʎ ɹǝʇǝınb ǝɥʇ

Link to comment
Share on other sites

  • 0

Само това ми се набива на очи - 

ipv4-multipath-hash-policy=l4

при другите я няма тази опция.

Link to comment
Share on other sites

  • 0

Така, намерих проблема. Трябва да се пусне proxy-arp на vlan-a на който искам да ползвам мрежата

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...

Important Information

By using this site, you agree to our Terms of Use.