Internet drops when connecting to a MikroTik VPN

I have an L2TP / IPSec VPN server configured and working (except for internet access) as per these instructions —

The VPN tunnel works and I can see the assets on the remote networks, as far as the firewall allows. The VPN network has a NAT masquerade rule.

Re: L2TP/IPSec VPN working, no internet access

I assume you mean that the client cannot access the internet via the L2TP tunnel. If the client cannot access the internet at all while the L2TP connection is active, the issue is on the MikroTik side; if it can access the internet but bypassing the L2TP tunnel, it is the routing setting on the client side, which differs depending on the client type.

The instructions on the Wiki cover the key subject, but cannot cover all individual environments, so the reader always has to implement the key subject in his local context. And referring to the Wiki doesn't provide any information on what your actual firewall rules and routing look like. Don't ask what it might be; post the configuration and let someone else find what it really is, as this is a much easier task.

Re: L2TP/IPSec VPN working, no internet access

# jun/09/2019 17:49:01 by RouterOS 6.44.3
/interface vlan
add interface=main_bridge name=main-v10 vlan-id=10
/interface list
add name=WAN
add name=LAN
/ip pool
add name=main ranges=192.168.254.50-192.168.254.199
add name=vpn ranges=192.168.50.50-192.168.50.80
/ip dhcp-server
add address-pool=main dhcp-option-set="IP Phones" disabled=no interface=main-v10 lease-time=3d name=main_server
/ppp profile
set *FFFFFFFE dns-server=1.1.1.1,8.8.8.8 idle-timeout=15m local-address=192.168.50.2 remote-address=vpn use-encryption=required
/interface bridge port
add bridge=main_bridge comment="Trunk #1" interface=ether2
add bridge=main_bridge comment="Trunk #2" interface=ether3
/ip settings
set rp-filter=strict
/interface bridge vlan
add bridge=main_bridge comment=main_network tagged=main_bridge,ether2,ether3 vlan-ids=10
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=required
/interface list member
add interface=ether1 list=WAN
add interface=main-v10 list=LAN
/ip address
add address=192.168.254.1/24 comment="Main Network" interface=main-v10 network=192.168.254.0
add address=x.x.x.x comment="Modem" interface=ether1 network=x.x.x.x
/ip cloud
set ddns-enabled=yes
/ip dns
set allow-remote-requests=yes servers=192.168.254.6,1.1.1.1,8.8.8.8,1.0.0.1,8.8.4.4
/ip firewall address-list
add address=192.168.254.0/24 comment=Default list=main
add address=192.168.50.0/24 comment=Default list=vpn
/ip firewall filter
add action=accept chain=input comment="Allow established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid input" connection-state=invalid
add action=accept chain=input comment="Allow L2TP/IPSec VPN connection" dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="Allow L2TP/IPSec VPN connection" in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="Allow main list into router" src-address-list=main
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward comment="Allow forward fasttrack" connection-state=established,related
add action=accept chain=forward comment="Allow Forward established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid forward" connection-state=invalid
add action=accept chain=forward comment="Alllow LAN interface-list out wan interface-list" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow VPN to main network connections" dst-address-list=main src-address-list=vpn
add action=accept chain=forward comment="RFC 6092 - accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="RFC 6092 - accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop packets from LAN interface-list that do not come from the LAN interface-list" in-interface-list=LAN out-interface-list=!LAN
add action=drop chain=forward comment="should be out"
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade all LAN traffic" ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=x.x.x.x
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system ntp client
set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org,time.google.com
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Re: L2TP/IPSec VPN working, no internet access

The only rule in the forward chain of your "drop-all-but-exceptions" firewall which permits outbound connections through WAN is
action=accept chain=forward comment="Alllow LAN interface-list out wan interface-list" in-interface-list=LAN out-interface-list=WAN
but as the VPN interfaces are not members of interface list LAN, this rule doesn't allow packets coming from these interfaces to establish new connections to the internet.
Another permissive rule is
action=accept chain=forward comment="Allow VPN to main network connections" dst-address-list=main src-address-list=vpn
which refers to src-address-list=vpn, but only the LAN subnet 192.168.254.0/24 is listed in dst-address-list=main, so this rule doesn't match packets from VPN clients to the internet either.
And that's it: the two remaining permissive rules, which refer to ipsec-policy, are irrelevant because IPsec is only used to encrypt the transport packets of L2TP, so the payload packets coming in via the L2TP tunnel do not match any IPsec policy.


So either add an interface-list=LAN item to the /ppp profile, so that each dynamically created L2TP server interface is added as a member of that interface list, or add another rule like
action=accept chain=forward comment="Allow VPN to internet" out-interface-list=WAN src-address-list=vpn
before the last action=drop rule, and remove the last-but-one and last-but-two action=drop rules because they are useless in the current setup. The first one permits dst-natted packets which came in via WAN to go further through the chain, but the next rule ignores them and the last rule drops them; the second one drops anything from LAN to anywhere else, but again, what this rule ignores is dropped by the last one.

Re: L2TP/IPSec VPN working, no internet access

"So either add an interface-list=LAN item to the /ppp profile"
This looks like a cleaner way to do it. Should I add interface-list=LAN to both the default and the default-encryption profile? To test, I added it to the default-encryption profile and it worked. I did not realize you could dynamically add to an interface list, even though it was right in front of me. Very neat feature.

"ipsec-policy are irrelevant because IPsec is only used to encrypt the transport packets of the L2TP"
To be honest, I left these rules as they came in MikroTik's default firewall rules. I did not have a clear understanding of when they would match. Now I mostly do.

"remove the last-but-one and last-but-two action=drop rules because they are useless in the current setup."
The last drop rule needs to stay; it is these two that are useless?

add action=drop chain=forward comment="Drop new connections from internet which are not dst-natted" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Drop packets from LAN interface-list that do not come from the LAN interface-list" in-interface-list=LAN out-interface-list=!LAN

Would the first rule be more effective (match) earlier in the chain? I assume it simply does not matter, as the packet will hit the last rule and be dropped anyway. So perhaps there is no advantage to it.


Last Question — Is it a best practice to have one catch all Masq rule, or to use multiple Masq rules for each network? I can be more granular with a rule for each, but is not as clean. What is your preference?

Thank you again for all your help.

Re: L2TP/IPSec VPN working, no internet access [SOLVED]

It depends on which profile your /interface l2tp-server server or your /ppp secret refers to (the latter, if set, supersedes the former).

"remove the last-but-one and last-but-two action=drop rules because they are useless in the current setup."
"The last drop rule needs to stay; it is these two that are useless?"

"Would the first rule be more effective (match) earlier in the chain? I assume it simply does not matter, as the packet will hit the last rule and be dropped anyway. So perhaps there is no advantage to it."

Exactly. That rule (drop what comes in via WAN unless dst-natted) remained there from the default firewall settings, and its effect in the default firewall settings is "accept any connection initiated from the LAN side, accept any connection initiated from the WAN side if dst-natted, drop the rest", because what is not dropped by that rule is accepted: it is the last rule in the forward chain, and the default handling if no rule matches is hardcoded to "accept" (unlike in plain Linux iptables, where you can set a default policy for each chain).

Is it a best practice to have one catch all Masq rule, or to use multiple Masq rules for each network? I can be more granular with a rule for each, but is not as clean. What is your preference?


First of all, action=masquerade should only be used with interfaces whose address changes dynamically, because each change of address, or the interface going down, causes all masqueraded connections to be dropped. Other than that, there is no actual preference. Whereas in the mangle chains every packet is handled, so it is important to keep the number of rules a packet has to pass through as low as possible, the nat chains only handle the initial packet of each connection, so it is not so critical to have one rule per WAN interface. So after all it is readability that matters most, if you plan to modify your firewall now and then.
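The forward-chain walkthrough in the earlier reply (why neither the LAN-to-WAN rule nor the vpn-to-main rule matches a VPN client's packet headed for the internet, and why the interface-list fix works) and the point in this reply that RouterOS accepts a packet no rule matches can both be checked mechanically. What follows is an added example, not code from the thread or from MikroTik: a small Python model of first-match evaluation over the forward chain from the posted export. The dynamic interface name `<l2tp-user1>`, the sample addresses and the reduced "stock" chain are assumptions made for the example.

```python
# Added example (not from the thread or MikroTik): first-match model of the
# RouterOS forward chain from the posted export. Rules are tried top to bottom,
# the first matching accept/drop decides, fasttrack-connection does not
# terminate, and a packet no rule matches is accepted (no chain policy).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    out_iface: str
    conn_state: str = "new"             # new | established | related | untracked | invalid
    dstnat: bool = False                # connection-nat-state=dstnat
    ipsec_policy: Optional[str] = None  # "in"/"out" if an IPsec policy matched the packet

@dataclass
class Rule:
    action: str                         # accept | drop | fasttrack-connection
    comment: str = ""
    in_list: Optional[str] = None       # in-interface-list=
    out_list: Optional[str] = None      # out-interface-list=
    out_list_negated: bool = False      # out-interface-list=!NAME
    src_list: Optional[str] = None      # src-address-list=
    dst_list: Optional[str] = None      # dst-address-list=
    states: Optional[frozenset] = None  # connection-state=
    not_dstnat: bool = False            # connection-nat-state=!dstnat
    ipsec: Optional[str] = None         # ipsec-policy=in,ipsec / out,ipsec

class ForwardChain:
    def __init__(self, rules, iface_lists, addr_lists):
        self.rules = rules
        self.iface_lists = {k: set(v) for k, v in iface_lists.items()}
        self.addr_lists = {k: [ip_network(n) for n in v] for k, v in addr_lists.items()}

    def _in_addr_list(self, name, addr):
        return any(ip_address(addr) in net for net in self.addr_lists.get(name, []))

    def _matches(self, r, p):
        if r.in_list and p.in_iface not in self.iface_lists.get(r.in_list, set()):
            return False
        if r.out_list:
            member = p.out_iface in self.iface_lists.get(r.out_list, set())
            if member == r.out_list_negated:  # non-member of a plain list, member of a negated one
                return False
        if r.src_list and not self._in_addr_list(r.src_list, p.src):
            return False
        if r.dst_list and not self._in_addr_list(r.dst_list, p.dst):
            return False
        if r.states and p.conn_state not in r.states:
            return False
        if r.not_dstnat and p.dstnat:
            return False
        if r.ipsec and p.ipsec_policy != r.ipsec:
            return False
        return True

    def verdict(self, p):
        # (action, comment) of the deciding rule, or the hardcoded chain default
        for r in self.rules:
            if self._matches(r, p) and r.action in ("accept", "drop"):
                return r.action, r.comment
        return "accept", "<no rule matched: RouterOS default accept>"

# The forward chain exactly as ordered in the posted export.
OP_FORWARD = [
    Rule("fasttrack-connection", "Allow forward fasttrack", states=frozenset({"established", "related"})),
    Rule("accept", "Allow Forward established,related, untracked",
         states=frozenset({"established", "related", "untracked"})),
    Rule("drop", "Drop invalid forward", states=frozenset({"invalid"})),
    Rule("accept", "Alllow LAN interface-list out wan interface-list", in_list="LAN", out_list="WAN"),
    Rule("accept", "Allow VPN to main network connections", src_list="vpn", dst_list="main"),
    Rule("accept", "RFC 6092 - accept in ipsec policy", ipsec="in"),
    Rule("accept", "RFC 6092 - accept out ipsec policy", ipsec="out"),
    Rule("drop", "Drop new connections from internet which are not dst-natted",
         in_list="WAN", states=frozenset({"new"}), not_dstnat=True),
    Rule("drop", "Drop packets from LAN interface-list that do not come from the LAN interface-list",
         in_list="LAN", out_list="LAN", out_list_negated=True),
    Rule("drop", "should be out"),
]
# Assumed shape of the stock chain: same first three rules plus the !dstnat drop, no final drop.
STOCK_FORWARD = OP_FORWARD[:3] + [OP_FORWARD[7]]
L2TP_IFACE = "<l2tp-user1>"  # assumed name of the dynamically created L2TP server interface

def build(rules, l2tp_in_lan):
    # Lists from the export; optionally the L2TP interface is also a LAN member
    lan = {"main-v10"} | ({L2TP_IFACE} if l2tp_in_lan else set())
    return ForwardChain(rules, {"WAN": {"ether1"}, "LAN": lan},
                        {"main": ["192.168.254.0/24"], "vpn": ["192.168.50.0/24"]})

# Constructed sample packets: first packet of a new connection in each direction.
VPN_TO_INTERNET = Packet("192.168.50.55", "8.8.8.8", L2TP_IFACE, "ether1")
VPN_TO_LAN = Packet("192.168.50.55", "192.168.254.10", L2TP_IFACE, "main-v10")
LAN_TO_VPN = Packet("192.168.254.10", "192.168.50.55", "main-v10", L2TP_IFACE)
WAN_UNSOLICITED = Packet("203.0.113.7", "192.168.254.10", "ether1", "main-v10")
WAN_DSTNATTED = Packet("203.0.113.7", "192.168.254.10", "ether1", "main-v10", dstnat=True)

if __name__ == "__main__":
    for fw in (build(OP_FORWARD, False), build(OP_FORWARD, True)):
        print(fw.verdict(VPN_TO_INTERNET), fw.verdict(VPN_TO_LAN), fw.verdict(LAN_TO_VPN))
```

With the chain as posted, a VPN client's packet to the internet falls all the way through to the final "should be out" drop; once the L2TP interface is a LAN member it is accepted by the LAN-to-WAN rule, while VPN-to-LAN traffic is accepted by the address-list rule either way. The LAN-to-!LAN drop never changes an outcome: with or without it, a LAN-initiated packet toward a VPN client ends in a drop. On the stock chain, an unsolicited WAN packet is dropped by the !dstnat rule and a dst-natted one is accepted by the chain default, which is the behaviour described above.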


There is a VPN tunnel to the remote server, but the client has no internet. Why?

Today was my first encounter with MikroTik. I have figured out almost everything. The main goal is to set up a VPN server, and I have done that. The connection succeeds, but the client machine loses internet access.

I understand it is something to do with routes, but I cannot work it out, so I am asking more knowledgeable colleagues for help.

For some reason the spoiler tag does not work, so to avoid cluttering the post with a pile of letters and digits I am attaching screenshots of the routes on the client machine and on the MikroTik, before and after connecting.


@neonox Do you need the client machine to keep its own internet (with the VPN giving access only to the local network behind the MikroTik), or to go out via the MikroTik?

Right now you have two default routes configured. The one via the VPN has higher priority, and the MikroTik is not letting the VPN client out to the internet (either the firewall or NAT).

@neonox Then in the VPN connection properties, Networking tab, Internet Protocol Version 4 properties, Advanced, untick "Use default gateway on remote network".
After that you will reach the internet through your own connection, and the VPN subnet through the MikroTik.

@kodi There is not a single rule in the firewall. In the NAT settings there is a masquerade for the bridge. Pings go through, but pings to 192.168.88.1 (the MikroTik's IP) do not.

@neonox Your VPN involves two subnets (the VPN itself and the LAN); the VPN client only sees the VPN one, so it does not know the LAN exists and traffic does not go there.
Either push everything into the MikroTik (use the default gateway on the remote network) and sort the traffic out there (VPN, LAN, internet), or use one subnet for both the LAN and the VPN link (proxy-arp), or manually add a route on the VPN client to 192.168.1.0/24 via 192.168.2.1.

