
Клиент Windows L2TP VPN не имеет Интернета

Сервер L2TP / IPSec VPN представляет собой маршрутизатор Mikrotik со следующими конфигурациями межсетевого экрана:

/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; VPN L2TP port 500
      chain=input action=accept protocol=udp in-interface=pppoe-out1 
      dst-port=500 

 2    ;;; VPN L2TP port 1701
      chain=input action=accept protocol=udp in-interface=pppoe-out1 
      dst-port=1701 

 3    ;;; VPN L2TP port 4500
      chain=input action=accept protocol=udp in-interface=pppoe-out1 
      dst-port=4500 

 4    ;;; VPN L2TP IPSec
      chain=input action=accept protocol=ipsec-esp in-interface=pppoe-out1 

 5    ;;; VPN L2TP AH
      chain=input action=accept protocol=ipsec-ah in-interface=pppoe-out1 

 6    ;;; Allow all from VPN
      chain=input action=accept src-address-type=local 

 7    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 8    ;;; defconf: accept establieshed,related
      chain=input action=accept connection-state=established,related log=no 
      log-prefix="" 

 9    ;;; Drop SSH requests from outside
      chain=input action=drop protocol=tcp in-interface=pppoe-out1 
      dst-port=22 log=no log-prefix="" 

10    ;;; Drop Winbox connection from outside
      chain=input action=drop protocol=tcp in-interface=pppoe-out1 
      dst-port=8291 log=no log-prefix="" 

11    ;;; Drop UDP DNS requests from outside
      chain=input action=drop protocol=udp in-interface=pppoe-out1 
      dst-port=53 log=no log-prefix="" 

12    ;;; Drop TCP DNS requests from outside
      chain=input action=drop protocol=tcp dst-port=53 log=no log-prefix="" 

13    ;;; Allow ping from outside
      chain=input action=accept protocol=icmp dst-address=103.12.163.90 
      log=no log-prefix="" 

14    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1 log=no log-prefix="" 

15    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection 
      connection-state=established,related log=no log-prefix="" 

16    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related log=no 
      log-prefix="" 

17    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

18    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix="" 

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface=pppoe-out1 log=no 
      log-prefix="" 

 1    ;;; HTTPS remote access
      chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=900 
      protocol=tcp in-interface=pppoe-out1 dst-port=900 log=no log-prefix="" 

 2    ;;; HTTP remote access
      chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=443 
      protocol=tcp in-interface=pppoe-out1 dst-port=443 log=no log-prefix="" 

 3    ;;; HTTP remote access
      chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=80 
      protocol=tcp in-interface=pppoe-out1 dst-port=80 log=no log-prefix="" 

 4    ;;; Plex server remote access
      chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=32400 
      protocol=tcp in-interface=pppoe-out1 dst-port=32400 log=no 
      log-prefix="" 

 5    ;;; HTTPS hairpin NAT
      chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=443 
      protocol=tcp dst-address-type=local dst-port=443 log=no log-prefix="" 

 6    ;;; HTTP hairpin NAT
      chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=80 
      protocol=tcp dst-address-type=local dst-port=80 log=no log-prefix="" 

 7    ;;; HTTPS hairpin NAT
      chain=srcnat action=masquerade to-addresses=10.0.0.2 protocol=tcp 
      src-address=10.0.0.0/24 dst-address=10.0.0.2 out-interface=bridge 
      dst-port=443 log=no log-prefix="" 

 8    ;;; HTTP hairpin NAT
      chain=srcnat action=masquerade to-addresses=10.0.0.2 to-ports=80 
      protocol=tcp src-address=10.0.0.0/24 dst-address=10.0.0.2 
      out-interface=bridge dst-port=80 log=no log-prefix="" 

Странно то, что клиенты iOS могут подключаться к этой VPN и получать доступ как к локальной сети, так и к Интернету, а клиенты Windows могут подключаться только к локальной сети, но не к Интернету (о других платформах не знаю, поскольку прямо сейчас у меня нет к ним доступа). Проблемы с DNS и маршрутизацией я исключил, поскольку эти клиенты Windows могут пинговать глобальные IP-адреса и доменные имена, а также выполнять tracert. Я что-то упускаю? Я уже использовал ту же конфигурацию на многих маршрутизаторах Mikrotik, и общее у маршрутизаторов с этой проблемой то, что WAN-соединение — это PPPoE:

# Input-chain accepts for the L2TP/IPsec traffic that arrives on the PPPoE WAN
# interface (pppoe-out1): UDP/500, UDP/1701, UDP/4500, then the ESP and AH
# protocols themselves. Rule order matters in this chain: these must sit
# before any "drop all from WAN" rule.
# NOTE(review): in the listing above, the defconf "drop all from WAN" rules
# (input rule 14, forward rule 18) match in-interface=ether1, while these
# accepts and the srcnat masquerade match pppoe-out1 — confirm which
# interface is meant to be the WAN for those drop rules.
/ip firewall filter
add chain=input action=accept comment="VPN L2TP UDP 500" in-interface=pppoe-out1 protocol=udp dst-port=500 
add chain=input action=accept comment="VPN L2TP UDP 1701" in-interface=pppoe-out1 protocol=udp dst-port=1701
add chain=input action=accept comment="VPN L2TP 4500" in-interface=pppoe-out1 protocol=udp dst-port=4500
add chain=input action=accept comment="VPN L2TP ESP" in-interface=pppoe-out1 protocol=ipsec-esp
add chain=input action=accept comment="VPN L2TP AH" in-interface=pppoe-out1 protocol=ipsec-ah

# PPP profile used by the L2TP server: the router side of the tunnel is
# 10.0.0.1, client addresses come from the pool "pool-vpn" (its definition is
# not shown on this page), clients are handed 10.0.0.1 as their DNS server,
# TCP MSS is adjusted on the tunnel and PPP encryption is required.
/ppp profile add change-tcp-mss=yes local-address=10.0.0.1 name=vpn-profile remote-address=pool-vpn dns-server=10.0.0.1 use-encryption=yes

# VPN user account bound to the profile above; the username and password here
# are placeholders to be replaced. service=any lets this secret be used by
# every PPP service, not only L2TP.
/ppp secret add name="yourusername" password="yourpassword" profile=vpn-profile service=any

# L2TP server: MS-CHAPv2 only, IPsec required for the tunnel, MTU/MRU capped
# at 1460 to leave room for the PPPoE and L2TP/IPsec overhead.
/interface l2tp-server server set authentication=mschap2 default-profile=vpn-profile enabled=yes max-mru=1460 max-mtu=1460 use-ipsec=yes

# IPsec peer accepting any remote address (0.0.0.0/0) with a pre-shared key
# (placeholder value), NAT traversal enabled and a per-port policy generated
# for each L2TP client. The default proposal is edited in place for phase 2.
# NOTE(review): 3des is listed alongside aes-128 in both the peer and the
# proposal; keep it only if a client you must support cannot negotiate AES.
/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp nat-traversal=yes generate-policy=port-override secret="yourl2tpsecret" enc-algorithm=aes-128,3des
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc,3des