The L2TP/IPsec VPN server is a Mikrotik router with the following firewall configuration:
/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
     chain=forward action=passthrough
 1   ;;; VPN L2TP port 500
     chain=input action=accept protocol=udp in-interface=pppoe-out1
     dst-port=500
 2   ;;; VPN L2TP port 1701
     chain=input action=accept protocol=udp in-interface=pppoe-out1
     dst-port=1701
 3   ;;; VPN L2TP port 4500
     chain=input action=accept protocol=udp in-interface=pppoe-out1
     dst-port=4500
 4   ;;; VPN L2TP IPSec
     chain=input action=accept protocol=ipsec-esp in-interface=pppoe-out1
 5   ;;; VPN L2TP AH
     chain=input action=accept protocol=ipsec-ah in-interface=pppoe-out1
 6   ;;; Allow all from VPN
     chain=input action=accept src-address-type=local
 7   ;;; defconf: accept ICMP
     chain=input action=accept protocol=icmp log=no log-prefix=""
 8   ;;; defconf: accept establieshed,related
     chain=input action=accept connection-state=established,related log=no
     log-prefix=""
 9   ;;; Drop SSH requests from outside
     chain=input action=drop protocol=tcp in-interface=pppoe-out1
     dst-port=22 log=no log-prefix=""
10   ;;; Drop Winbox connection from outside
     chain=input action=drop protocol=tcp in-interface=pppoe-out1
     dst-port=8291 log=no log-prefix=""
11   ;;; Drop UDP DNS requests from outside
     chain=input action=drop protocol=udp in-interface=pppoe-out1
     dst-port=53 log=no log-prefix=""
12   ;;; Drop TCP DNS requests from outside
     chain=input action=drop protocol=tcp dst-port=53 log=no log-prefix=""
13   ;;; Allow ping from outside
     chain=input action=accept protocol=icmp dst-address=103.12.163.90
     log=no log-prefix=""
14   ;;; defconf: drop all from WAN
     chain=input action=drop in-interface=ether1 log=no log-prefix=""
15   ;;; defconf: fasttrack
     chain=forward action=fasttrack-connection
     connection-state=established,related log=no log-prefix=""
16   ;;; defconf: accept established,related
     chain=forward action=accept connection-state=established,related log=no
     log-prefix=""
17   ;;; defconf: drop invalid
     chain=forward action=drop connection-state=invalid log=no log-prefix=""
18   ;;; defconf: drop all from WAN not DSTNATed
     chain=forward action=drop connection-state=new
     connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix=""
/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=srcnat action=masquerade out-interface=pppoe-out1 log=no
     log-prefix=""
 1   ;;; HTTPS remote access
     chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=900
     protocol=tcp in-interface=pppoe-out1 dst-port=900 log=no log-prefix=""
 2   ;;; HTTP remote access
     chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=443
     protocol=tcp in-interface=pppoe-out1 dst-port=443 log=no log-prefix=""
 3   ;;; HTTP remote access
     chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=80
     protocol=tcp in-interface=pppoe-out1 dst-port=80 log=no log-prefix=""
 4   ;;; Plex server remote access
     chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=32400
     protocol=tcp in-interface=pppoe-out1 dst-port=32400 log=no
     log-prefix=""
 5   ;;; HTTPS hairpin NAT
     chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=443
     protocol=tcp dst-address-type=local dst-port=443 log=no log-prefix=""
 6   ;;; HTTP hairpin NAT
     chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=80
     protocol=tcp dst-address-type=local dst-port=80 log=no log-prefix=""
 7   ;;; HTTPS hairpin NAT
     chain=srcnat action=masquerade to-addresses=10.0.0.2 protocol=tcp
     src-address=10.0.0.0/24 dst-address=10.0.0.2 out-interface=bridge
     dst-port=443 log=no log-prefix=""
 8   ;;; HTTP hairpin NAT
     chain=srcnat action=masquerade to-addresses=10.0.0.2 to-ports=80
     protocol=tcp src-address=10.0.0.0/24 dst-address=10.0.0.2
     out-interface=bridge dst-port=80 log=no log-prefix=""
The strange thing is that iOS clients can connect to this VPN and reach both the local network and the Internet, but Windows clients can only reach the local network, not the Internet (I don't know about other platforms, since I don't have access to any right now). I have ruled out DNS and routing problems, since these Windows clients can ping global IP addresses and domain names, and tracert works as well. Am I missing something? I have already used the same configuration on many Mikrotik routers, and what the routers with this problem have in common is that the WAN connection is PPPoE:
/ip firewall filter
add chain=input action=accept comment="VPN L2TP UDP 500" in-interface=pppoe-out1 protocol=udp dst-port=500
add chain=input action=accept comment="VPN L2TP UDP 1701" in-interface=pppoe-out1 protocol=udp dst-port=1701
add chain=input action=accept comment="VPN L2TP 4500" in-interface=pppoe-out1 protocol=udp dst-port=4500
add chain=input action=accept comment="VPN L2TP ESP" in-interface=pppoe-out1 protocol=ipsec-esp
add chain=input action=accept comment="VPN L2TP AH" in-interface=pppoe-out1 protocol=ipsec-ah
/ppp profile add change-tcp-mss=yes local-address=10.0.0.1 name=vpn-profile remote-address=pool-vpn dns-server=10.0.0.1 use-encryption=yes
/ppp secret add name="yourusername" password="yourpassword" profile=vpn-profile service=any
/interface l2tp-server server set authentication=mschap2 default-profile=vpn-profile enabled=yes max-mru=1460 max-mtu=1460 use-ipsec=yes
/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp nat-traversal=yes generate-policy=port-override secret="yourl2tpsecret" enc-algorithm=aes-128,3des
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
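Added example (not code from the question or from MikroTik, and not an answer to it): a small Python walker that parses the `/ip firewall filter print` layout shown above and runs constructed packets through the input chain in rule order the way RouterOS evaluates it (first terminating match wins; a packet that reaches the end of a chain with no match is accepted). The dump embedded in it is an abridged copy of the question's input chain (rules 0, 1, 2, 8, 10 and 14); the probe packets, port 8080 and all function names are constructed. It makes one property of the posted configuration visible: rule 14, the default "drop all from WAN", is bound to ether1, while the WAN here is pppoe-out1, so a new connection to a port on pppoe-out1 that no explicit rule covers falls through to the chain's implicit accept, whereas the same packet arriving on ether1 is dropped.

```python
import re

# Abridged input chain from the question (rules 0, 1, 2, 8, 10, 14).
FILTER_DUMP = """
Flags: X - disabled, I - invalid, D - dynamic
 0 D ;;; special dummy rule to show fasttrack counters
     chain=forward action=passthrough
 1 ;;; VPN L2TP port 500
     chain=input action=accept protocol=udp in-interface=pppoe-out1
     dst-port=500
 2 ;;; VPN L2TP port 1701
     chain=input action=accept protocol=udp in-interface=pppoe-out1
     dst-port=1701
 8 ;;; defconf: accept establieshed,related
     chain=input action=accept connection-state=established,related log=no
     log-prefix=""
10 ;;; Drop Winbox connection from outside
     chain=input action=drop protocol=tcp in-interface=pppoe-out1
     dst-port=8291 log=no log-prefix=""
14 ;;; defconf: drop all from WAN
     chain=input action=drop in-interface=ether1 log=no log-prefix=""
"""
_RULE_START = re.compile(r"^(\d+)\s+(.*)$")

def parse_print_output(text):
    """Rules start with an index; unnumbered lines continue the previous rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Flags:"):
            continue
        start = _RULE_START.match(line)
        if start:
            rule = {"index": int(start.group(1)), "flags": set(), "comment": "", "props": {}}
            rules.append(rule)
            tokens = start.group(2).split()
            while tokens and len(tokens[0]) == 1 and tokens[0] in "XID":
                rule["flags"].add(tokens.pop(0))  # X disabled, I invalid, D dynamic
            if tokens and tokens[0] == ";;;":  # a comment line carries no properties
                rule["comment"], tokens = " ".join(tokens[1:]), []
        else:
            tokens = line.split()
        for tok in tokens:
            key, _, value = tok.partition("=")
            rules[-1]["props"][key] = value.strip('"')
    return rules

def port_matches(spec, port):
    """dst-port takes a comma list of single ports and lo-hi ranges."""
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def rule_matches(rule, packet):
    # A matcher the packet does not describe counts as no match (conservative).
    for key, want in rule["props"].items():
        if key in ("chain", "action", "log", "log-prefix"):
            continue
        negate = want.startswith("!")
        have = packet.get(key)
        if have is None:
            return False
        want = want.lstrip("!")
        if key in ("dst-port", "src-port"):
            hit = port_matches(want, have)
        elif key in ("connection-state", "connection-nat-state"):
            hit = have in want.split(",")  # comma list means any of these
        else:
            hit = have == want
        if hit == negate:
            return False
    return True

def walk_chain(rules, packet):
    """First terminating rule as (action, index, comment); RouterOS accepts a
    packet that no rule matched, which the walk reports as index None."""
    for rule in rules:
        if "X" in rule["flags"] or rule["props"].get("chain") != packet["chain"]:
            continue
        if rule_matches(rule, packet):
            action = rule["props"].get("action", "accept")
            if action != "passthrough":  # passthrough only counts, keeps walking
                return action, rule["index"], rule["comment"]
    return "accept", None, "chain default: no rule matched"

def new_input(iface, proto, port):
    """Constructed packet: a new connection addressed to the router itself."""
    return {"chain": "input", "in-interface": iface, "protocol": proto,
            "dst-port": port, "connection-state": "new"}

RULES = parse_print_output(FILTER_DUMP)

if __name__ == "__main__":
    for probe in [("pppoe-out1", "udp", 1701), ("pppoe-out1", "tcp", 8291),
                  ("ether1", "tcp", 8080), ("pppoe-out1", "tcp", 8080)]:
        print(probe, "->", walk_chain(RULES, new_input(*probe)))
```

The walker only models the matchers present in the dump (protocol, in-interface, ports, connection state, with `!` negation); a matcher the probe packet does not describe, such as `src-address-type=local` on rule 6, is treated as not matching, so a full-chain run needs those fields supplied in the packet. Running it prints an accept on rule 2 for UDP 1701, a drop on rule 10 for TCP 8291, a drop on rule 14 for TCP 8080 arriving on ether1, and a fall-through accept (index None) for the same TCP 8080 packet on pppoe-out1.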