L2TP/IPsec no ve el servidor TrueNAS ni los PC de la red

Buenos dias

Primero muchas gracias por la gran labor que desarrollais en este foro, para gente que no estamos muy puestos en redes pero que queremos aprender.

Accedo correctamente a la red VPN pero no veo ningún equipo. He visto muchos tutoriales pero creo que falta un direccionamiento estático entre la red LAN y la red remota asignada a la VPN.
Envío datos del router


# dec/09/2022 12:13:43 by RouterOS 7.6
# software id = 9N2H-YIJV
#
# model = RB5009UG+S+
# serial number = EC190F4D45B5
# Two bridges: LAN (ether2-ether8, see bridge ports below) and a WAN bridge whose
# only port is ether1, with proxy-arp enabled on it.
/interface bridge
add name=LAN
add arp=proxy-arp name=WAN
/interface ethernet
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=ether2 ] comment=LAN
set [ find default-name=ether3 ] comment=LAN
set [ find default-name=ether4 ] comment=LAN
set [ find default-name=ether5 ] comment=LAN
set [ find default-name=ether6 ] comment=LAN
set [ find default-name=ether7 ] comment=LAN
set [ find default-name=ether8 ] comment=LAN
# Internet uplink: tagged VLAN 832 on ether1, addressed by the dhcp-client below.
/interface vlan
add interface=ether1 name="VLAN ORANGE" vlan-id=832
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# The default IPsec proposal is widened to offer 3des next to AES-CBC; 3des is a
# legacy cipher and only worth keeping if a specific client actually needs it.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp_pool0 ranges=192.168.100.80-192.168.100.254
# dhcp_pool2 is the client address range for L2TP users (profile VPNS below).
add name=dhcp_pool2 ranges=192.168.200.60-192.168.200.79
/ip dhcp-server
add address-pool=dhcp_pool0 interface=LAN name=dhcp
# VPN profile: the router end of each tunnel reuses the LAN gateway address
# 192.168.100.1 while clients receive 192.168.200.x from dhcp_pool2, so the two
# tunnel ends sit on different subnets; clients are pushed 8.8.8.8 as DNS.
/ppp profile
add dns-server=8.8.8.8 local-address=192.168.100.1 name=VPNS remote-address=\
dhcp_pool2 use-compression=yes use-encryption=yes
/interface bridge port
add bridge=WAN interface=ether1
add bridge=LAN interface=ether2
add bridge=LAN interface=ether3
add bridge=LAN interface=ether4
add bridge=LAN interface=ether5
add bridge=LAN interface=ether6
add bridge=LAN interface=ether7
add bridge=LAN interface=ether8
# L2TP server: MS-CHAPv2 only, and IPsec is mandatory for every client
# (the IPsec pre-shared key is not part of this export output).
/interface l2tp-server server
set authentication=mschap2 default-profile=VPNS enabled=yes use-ipsec=\
required
# The same address 192.168.100.1 is configured on both bridges (as /24 on LAN
# and /30 on WAN), so both interfaces overlap on 192.168.100.0.
/ip address
add address=192.168.100.1/24 interface=LAN network=192.168.100.0
add address=192.168.100.1/30 interface=WAN network=192.168.100.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-client
add interface="VLAN ORANGE"
/ip dhcp-server network
add address=192.168.100.0/24 dns-server=8.8.8.8 gateway=192.168.100.1 \
netmask=24
# Firewall filter: every rule here is an accept and there is no drop rule in
# either chain, so traffic that matches nothing is still accepted by the default
# policy and the router's own services stay reachable from WAN. The first rule
# opens TCP/21 on WAN although the ftp service is disabled further down. The
# UDP rule matches on src-port (the client's port) rather than dst-port, and
# both L2TP/IPsec accepts are limited to in-interface=LAN, so they never match a
# remote client arriving on WAN.
/ip firewall filter
add action=accept chain=input comment="FTP REGLA FIREWALL" dst-port=21 \
in-interface=WAN protocol=tcp
add action=accept chain=input in-interface=LAN protocol=udp src-port=\
500,1701,4500
add action=accept chain=input in-interface=LAN protocol=ipsec-esp
# NAT: masquerade on the VLAN uplink and on the WAN bridge; the final accept
# exempts LAN -> VPN-subnet traffic from source NAT when it reaches that rule.
/ip firewall nat
add action=masquerade chain=srcnat out-interface="VLAN ORANGE"
add action=masquerade chain=srcnat out-interface=WAN
add action=accept chain=srcnat dst-address=192.168.200.0/24 src-address=\
192.168.100.0/24
# Management services: telnet, ftp, www and ssh are disabled; winbox and api are
# not listed here, so presumably they stay at their defaults -- worth confirming
# given that no input drop rule exists above.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
# L2TP user accounts; no password= field appears in this export output.
/ppp secret
add name=jmfj profile=VPNS service=l2tp
add name=mge profile=VPNS service=l2tp
add name=lgs profile=VPNS service=l2tp
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=LazarejoOS

Muchas gracias de antemano por cualquier ayuda.
 
Muchas gracias por tu consejo. Ya veo que estaba todo mal. Si no te es mucha molestia, ¿podrías mirar si ahora está correcto?
He probado la VPN en la LAN y funciona, pero no en remoto. Ni siquiera aparece en el log. Por otra parte, no sé si falta alguna ruta para que
los usuarios VPN remotos vean el servidor TrueNAS de la LAN.
Muchas gracias de antemano y por tu paciencia.

# dec/10/2022 21:27:27 by RouterOS 7.6
# software id = 9N2H-YIJV
#
# model = RB5009UG+S+
# serial number = EC190F4D45B5
# Rebuilt on top of the default configuration (defconf): one bridge for the LAN
# ports plus the WAN/LAN interface lists that the defconf firewall rules use.
/interface bridge
add admin-mac=DC:2C:6E:66:34:42 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether1 name=VLAN832 vlan-id=832
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.100.60-192.168.100.254
add name=vpn ranges=192.168.200.60-192.168.200.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
# Profile "vpn": local-address=192.168.200.60 is the first address of the "vpn"
# pool handed out to clients, so the router end can collide with a client
# address. The second line edits a built-in profile by internal id (*FFFFFFFE)
# instead of by name.
/ppp profile
add local-address=192.168.200.60 name=vpn remote-address=vpn use-compression=\
yes use-encryption=yes
set *FFFFFFFE local-address=192.168.200.1 remote-address=vpn
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
# L2TP server: mschap1 is enabled next to mschap2 (the weaker method; the
# exchange does run inside IPsec here). No default-profile is set; the secrets
# below select profile=vpn themselves.
/interface l2tp-server server
set authentication=mschap1,mschap2 enabled=yes use-ipsec=required
# VLAN832 is not in the WAN list, only ether1 is, so the defconf masquerade and
# the WAN-side drop rules (in/out-interface-list=WAN) do not cover the VLAN.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
# The second address puts 192.168.100.1/8 on ether1: it duplicates the bridge's
# gateway IP and overlaps the LAN /24 (and all of 192.0.0.0/8) on the WAN port.
/ip address
add address=192.168.100.1/24 comment=defconf interface=bridge network=\
192.168.100.0
add address=192.168.100.1/8 interface=ether1 network=192.0.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
add interface=VLAN832
# The second resolver (8.8.4.4) landed in domain= instead of the dns-server list.
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf dns-server=8.8.8.8 domain=\
8.8.4.4 gateway=192.168.100.1 netmask=24
# With allow-remote-requests=yes the router resolves DNS for any source the
# input chain lets through; the input drop rule below is what keeps that LAN-only.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.100.1 comment=defconf name=router.lan
# Input chain, evaluated top to bottom. "allow l2tp" accepts UDP 500/1701/4500
# from any source with no ipsec-policy condition, so plain (non-IPsec) L2TP on
# 1701 is reachable from WAN even though use-ipsec=required; matching 1701 with
# ipsec-policy=in,ipsec would keep it inside the tunnel only. The "allow IPsec
# NAT" (ipsec-esp) rule at the end sits after "drop all not coming from LAN", so
# ESP arriving from WAN is dropped before that accept is ever reached.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow l2tp" connection-type="" \
dst-port=1701,4500,500 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow IPsec NAT" protocol=ipsec-esp
# NAT: "masq. vpn traffic" has no out-interface, so traffic from VPN clients
# towards LAN hosts is also source-NATed (LAN hosts see the router's address,
# not the client's). The VLAN832 masquerade duplicates the defconf one once
# VLAN832 is in the WAN list, and lacks its ipsec-policy=out,none exception.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.200.0/24
add action=masquerade chain=srcnat out-interface=VLAN832
# Only winbox is disabled in this export; the telnet/ftp/www/ssh lines from the
# earlier export are gone, so those presumably sit at their defaults -- confirm.
/ip service
set winbox disabled=yes
# Everything below is the unmodified defconf IPv6 firewall.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# L2TP user accounts; no password= field appears in this export output.
/ppp secret
add name=jmfj profile=vpn service=l2tp
add name=mge profile=vpn service=l2tp
add name=lgs profile=vpn service=l2tp
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=LazarejoOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Muchas gracias de nuevo
 
Tiene mucha mejor pinta de lo que tenías antes, pero aun así todavía tienes varios gazapos. Te dejo un manual básico donde te explica cómo montar una VPN de tipo L2TP, a partir de una config por defecto: https://www.adslzone.net/foro/mikrotik.199/manual-mikrotik-como-montar-servidor-vpn.498418/

Si quieres configurar tu WAN desde la configuración por defecto, es tan sencillo como dar estos pasos:
Código:
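# Create the VLAN that gives you internet access, 832 in your case
/interface vlan
add name=internet vlan-id=832 interface=ether1

# Point the default dhcp-client at that VLAN instead of ether1
/ip dhcp-client
set 0 interface=internet

# Put the VLAN in the WAN list so the defconf masquerade rule applies to it
/interface list member
add interface=internet list=WAN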

Con esos sencillos pasos (da igual si los haces vía terminal o vía winbox) tienes internet funcionando. Actualmente tienes errores en los perfiles VPN y en un segmento /8 que te has inventado en ether1, duplicando la IP de tu LAN (cosa poco o nada recomendable).

Saludos!
 
Gracias por tu respuesta. Internet ya estaba funcionando.
Entiendo que los 3 primeros pasos no los tengo que hacer.

1670715194812.png
 
Buenas, disculpa.
He eliminado el /8 y he reconfigurado la L2TP y la conexión VPN.
Sigo sin poder acceder desde internet.
Me da un error en el intento de conexión L2TP por nivel de seguridad.
He revisado todas las claves y están bien.
# dec/11/2022 01:09:50 by RouterOS 7.6
# software id = 9N2H-YIJV
#
# model = RB5009UG+S+
# serial number = EC190F4D45B5
/interface bridge
add admin-mac=DC:2C:6E:66:34:42 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether1 name=VLAN832 vlan-id=832
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.100.60-192.168.100.254
add name=vpn ranges=192.168.200.60-192.168.200.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
# Profile "vpn": the router end is now 192.168.200.1, outside the client pool,
# and interface-list=LAN adds each client's dynamic L2TP interface to the LAN
# list so the LAN-only firewall rules apply to VPN users.
/ppp profile
add interface-list=LAN local-address=192.168.200.1 name=vpn remote-address=\
vpn use-compression=yes use-encryption=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
# L2TP server: MS-CHAPv2 only, IPsec mandatory, profile "vpn" as default.
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn enabled=yes use-ipsec=required
# VLAN832 is still missing from the WAN list (only ether1 is in it).
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.100.1/24 comment=defconf interface=bridge network=\
192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
add interface=VLAN832
# The second resolver (8.8.4.4) is still in domain= instead of dns-server=.
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf dns-server=8.8.8.8 domain=\
8.8.4.4 gateway=192.168.100.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.100.1 comment=defconf name=router.lan
# Input chain: the IKE (500/4500), L2TP (1701) and ESP accepts now come before
# "drop all not coming from LAN", so remote clients can reach them. UDP/1701 is
# still accepted from any source with no ipsec-policy condition; with
# use-ipsec=required it is only expected inside IPsec, so ipsec-policy=in,ipsec
# on that rule would keep plain L2TP off the WAN. connection-type="" on the
# "allow ipsec" rule is an empty matcher left over from the GUI.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow ipsec" connection-type="" \
dst-port=4500,500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input comment="allow IPsec NAT" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# NAT: "masq. vpn traffic" has no out-interface, so VPN-client traffic towards
# LAN hosts is source-NATed too (LAN hosts see the router's address). The
# VLAN832 masquerade only exists because VLAN832 is not in the WAN list.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.200.0/24
add action=masquerade chain=srcnat out-interface=VLAN832
# Services: www stays enabled but is restricted by address; its list repeats
# 192.168.100.0/24 twice, so the second entry was probably meant to be
# 192.168.200.0/24 as in the winbox line -- confirm. winbox is disabled.
/ip service
set www address=192.168.100.0/24,192.168.100.0/24
set winbox address=192.168.100.0/24,192.168.200.0/24 disabled=yes
# Everything below is the unmodified defconf IPv6 firewall.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# L2TP user accounts; no password= field appears in this export output.
/ppp secret
add name=jmfj profile=vpn service=l2tp
add name=mge profile=vpn service=l2tp
add name=lgs profile=vpn service=l2tp
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=LazarejoOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Buenos días,

te detallo los errores que aún tienes en la configuración, así como algunas cosas que puedes mejorar.
Sigues sin añadir la VLAN que te hace de WAN a la lista correspondiente.
Código:
# Adding VLAN832 to the WAN list makes the defconf masquerade rule
# (out-interface-list=WAN) and the WAN-side forward drop rule apply to it.
/interface list member
add comment=internet interface=VLAN832 list=WAN

Sin lo anterior, estás forzado a meter esta segunda regla de NAT, totalmente prescindible, y que además no tiene en consideración el tráfico con políticas de encriptado de ipsec. Esta regla que metes en el NAT, es prescindible, si haces el paso anterior.
Código:
# Redundant once VLAN832 is in the WAN list: the defconf masquerade already
# covers it, and unlike that rule this one has no ipsec-policy=out,none
# exception, so it would also source-NAT traffic covered by an IPsec policy.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=VLAN832

La definición de la subred del DHCP server la tienes mal hecha: el dns iría separado por coma, no en el campo "domain"
Código:
# Incorrect form quoted for reference: the second resolver was put in domain=
# instead of being appended to dns-server= with a comma.
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf dns-server=8.8.8.8 domain=\
8.8.4.4 gateway=192.168.100.1 netmask=24

Sin embargo, mucho más correcto que lo anterior, sería modificar esa regla para que el DNS atacase al propio router, y así te beneficies de la caché que hace el mismo, ya que tienes activado el servicio de caché del DNS en el router (flag allow-remote-requests=yes en IP -> DNS). La regla anterior, bien hecha, quedaría así:
Código:
# Corrected form: LAN clients are pointed at the router, which resolves and
# caches for them (allow-remote-requests=yes in /ip dns).
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf dns-server=192.168.100.1 gateway=192.168.100.1 netmask=24

Si además de eso prefieres usar los DNS de google en lugar de los que te entrega tu operadora, sería tan sencillo como dar estos dos pasos:
Primero: poner los DNS de google en el servicio de DNS del propio router
Código:
# Static upstream resolvers for the router's own DNS cache; LAN clients only
# reach them through the router.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

Segundo: deshabilitar que el cliente dhcp de la vlan de internet nos entregue DNS dinámicos (este paso no es requisito indispensable, puedes tener dinámicos y estáticos conviviendo en IP -> DNS)
Código:
# Optional: stop the WAN dhcp-client from injecting dynamic DNS servers. Only
# safe after static servers= are set in /ip dns; otherwise the router is left
# with no upstream resolver.
/ip dhcp-client
set [find interface=VLAN832] use-peer-dns=no


Con respecto al error, ¿podrías hacer los cambios antes mencionados, y darme un pantallazo exacto del error o lo que te aparece en los logs del router? Recuerda que para conectar necesitas que el Mikrotik maneje IP pública, no puedes estar detrás de CG-NAT. Para comprobarlo, simplemente fíjate en el tipo de IP que recibe la interfaz VLAN832 en IP -> Addresses. Compárala con la que recibe el router en IP -> Cloud como externa: si son iguales, vamos por buen camino, y si no lo son, tienes un NAT encima que hay que quitar.

Puedes tratar también de editar el servidor L2TP y marcarle todas las opciones de autenticación (mschap1, pap, chap; además de la que ya tienes marcada), por si tu cliente estuviera tratando de usar algo distinto a mschap2. Y, como tienes IPSec como requerido, recuerda que ningún cliente que no informe el secreto precompartido de IPSec será capaz de conectar a la VPN. Te sugiero no poner caracteres extraños en este último, ya que hay veces que da la lata con algún cliente (prueba primero con una cadena de texto sencilla)

Saludos!
 
Gracias por tu respuesta


He modificado todo, pero si cambio

Segundo: deshabilitar que el cliente dhcp de la vlan de internet nos entregue DNS dinámicos (este paso no es requisito indispensable, puedes tener dinámicos y estáticos conviviendo en IP -> DNS)

# Quoted from the previous reply. Without static servers= in /ip dns this leaves
# the router with no upstream resolver, which is why the LAN stops resolving.
/ip dhcp-client
set [find interface=VLAN832] use-peer-dns=no

los equipos dejan de navegar. No sé si sería mejor dejarlo como está.

Con respecto al CG-NAT

No tengo CG-NAT. La conexión es con Orange. Tengo puesto el router Livebox como ONT.

La VLAN832 da 85.57.133.176/25

La ip cloud da 85.57.133.176


Con respecto a la no conexión externa de L2TP/IPsec

He probado otro equipo desde el exterior y no conecta. Da error de negociación L2TP.

No se puede conectar con Nombre de la VPN. Error en el intento de conexión L2TP porque el nivel de seguridad encontró un error de proceso durante las negociaciones iniciales con el equipo remoto

El log no registra nada.



En el mismo equipo metido en la red, conecta a la primera. El pantallazo es desde dentro de la red.

1670768717525.png


Entiendo que le sobra o le falta algún protocolo al firewall. ¿Quizá IKE?

Te envío de nuevo la configuración


# dec/11/2022 15:35:21 by RouterOS 7.6
# software id = 9N2H-YIJV
#
# model = RB5009UG+S+
# serial number = EC190F4D45B5
/interface bridge
add admin-mac=DC:2C:6E:66:34:42 auto-mac=no comment=defconf name=bridge
/interface vlan
add interface=ether1 name=VLAN832 vlan-id=832
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.100.60-192.168.100.254
add name=vpn ranges=192.168.200.60-192.168.200.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
# Profile "vpn": router end 192.168.200.1, clients from the "vpn" pool, and
# interface-list=LAN places each client's dynamic L2TP interface in the LAN
# list so the LAN-only input rules apply to VPN users.
/ppp profile
add interface-list=LAN local-address=192.168.200.1 name=vpn remote-address=\
vpn use-compression=yes use-encryption=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
# L2TP server: no authentication= is exported, so the method set is the server
# default (presumably pap/chap/mschap1/mschap2 -- confirm); the exchange runs
# inside IPsec since use-ipsec=required.
/interface l2tp-server server
set default-profile=vpn enabled=yes use-ipsec=required
# VLAN832 is now in the WAN list, so the defconf masquerade and WAN drop rules
# cover the uplink.
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=internet interface=VLAN832 list=WAN
/ip address
add address=192.168.100.1/24 comment=defconf interface=bridge network=\
192.168.100.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
add interface=VLAN832
# LAN clients resolve through the router itself.
/ip dhcp-server network
add address=192.168.100.0/24 comment=defconf dns-server=192.168.100.1 \
gateway=192.168.100.1 netmask=24
# The router is a resolver for any source the input chain lets through, with no
# static servers= here (upstream comes from the VLAN832 dhcp-client). The
# "drop all not coming from LAN" input rule below is what keeps this from being
# an open resolver on WAN.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.100.1 comment=defconf name=router.lan
# Input chain: IKE (500/4500), L2TP (1701) and ESP are accepted ahead of the
# LAN-only drop. UDP/1701 is still accepted from any source without an
# ipsec-policy condition; with use-ipsec=required, ipsec-policy=in,ipsec on
# that rule would keep plain L2TP off the WAN.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow ipsec" connection-type="" \
dst-port=4500,500 protocol=udp
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=input comment="allow IPsec NAT" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# NAT: the last rule is now redundant (VLAN832 is in the WAN list, so the
# defconf masquerade already matches first). "masq. vpn traffic" has no
# out-interface, so VPN-client traffic towards LAN hosts is source-NATed too.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.200.0/24
add action=masquerade chain=srcnat out-interface=VLAN832
# FTP connection-tracking helper disabled.
/ip firewall service-port
set ftp disabled=yes
# www stays enabled, restricted by address; its list repeats 192.168.100.0/24
# twice (the second entry probably meant 192.168.200.0/24 -- confirm).
/ip service
set www address=192.168.100.0/24,192.168.100.0/24
set winbox address=192.168.100.0/24,192.168.200.0/24 disabled=yes
# Everything below is the unmodified defconf IPv6 firewall.
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# L2TP user accounts; no password= field appears in this export output.
/ppp secret
add name=jmfj profile=vpn service=l2tp
add name=mge profile=vpn service=l2tp
add name=lgs profile=vpn service=l2tp
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=LazarejoOS
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Te agradezco mucho tu ayuda
 
Sigues teniendo una regla de NAT de más (si reseteas contadores, verás que la última no recibe ya paquetes). Y el DNS no te funciona porque no le metiste ningún servidor estático en IP > DNS (lee bien mi post anterior, verás que en la penúltima instrucción, se añaden los de google, antes de deshabilitarlos en el dhcp-client con la última instrucción).

Con respecto a la VPN, diría que tienes todo lo necesario para que funcione. A simple vista, no veo nada raro.

Saludos!
 
He probado que,
si deshabilitas la casilla que te muestro en la foto
1670790405713.png

me puedo conectar por VPN y ver la red desde fuera, todo correcto.
Si activo la VPN desde dentro de la red, funciona todo.
Pero si desactivo la VPN de un PC desde dentro de la red, no navego.

Con respecto al NAT

1670790803549.png


No sé cuál está de más

Respecto a DNS
Lo he modificado asi

1670790928993.png


Gracias de nuevo
 

Me puedo conectar por VPN y ver la red desde fuera, todo correcto.
Si activo la VPN desde dentro de la red, funciona todo.
Pero si desactivo la VPN de un PC desde dentro de la red, no navego.
Ojo con tocar esa regla que es la que protege al router de la jungla de internet. Tocarla es abrir la caja de los truenos. El perfil ya debería meterte la interfaz nueva, dinámicamente en la lista LAN (para eso está la instrucción interface-list=LAN)
Crea un nuevo perfil, justo como este, a ver si se soluciona el problema:
Código:
# Replacement profile: interface-list=LAN puts each client's dynamic L2TP
# interface in the LAN list (so the LAN-only input rules, including the
# "drop all not coming from LAN" one, let VPN users through without touching
# that rule); change-tcp-mss clamps MSS for the tunnel. Compression is left at
# its default here, unlike the earlier "vpn" profile.
/ppp profile
add change-tcp-mss=yes interface-list=LAN local-address=192.168.200.1 \
name=vpn-new-profile remote-address=vpn use-encryption=yes

Y se lo asignas a los usuarios ppp.


Con respecto al NAT

1670790803549.png


No se cual esta de mas
Regla número 2 sobra. La 0 ya la cubre.

Respecto a DNS
Lo he modificado asi
Eso no está bien: en IP -> DNS van las DNS públicas, como ya te dije en el post previo (8.8.8.8, 8.8.4.4). La 192.168.100.1 va en IP -> DHCP Server -> Network. Es decir, el DNS del DHCP apunta al router, pero el router necesita beber de uno público (como los dos dinámicos que te mete el cliente dhcp de la vlan 832).

Saludos!
 
Gracias de nuevo. sigue sin funcionar
Realmente me sabe mal que me dediques tanto tiempo. Te pido disculpas

Te envio de nuevo la configuracion

# dec/11/2022 23:39:55 by RouterOS 7.6
# software id = 9N2H-YIJV
#
# model = RB5009UG+S+
# serial number = EC190F4D45B5
# Review note: a plain "/export" omits passwords and pre-shared keys, so the
# L2TP/IPsec secret and the ppp user passwords are not visible in this listing.
/interface bridge
add admin-mac=DC:2C:6E:66:34:42 auto-mac=no comment=defconf name=bridge
/interface vlan
# Internet uplink is the tagged VLAN 832 on ether1 (placed in the WAN list below).
add interface=ether1 name=VLAN832 vlan-id=832
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.100.60-192.168.100.254
# Address pool handed to L2TP clients through the ppp profile below.
add name=vpn ranges=192.168.200.60-192.168.200.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
# interface-list=LAN adds each client's dynamic L2TP interface to the LAN list, so
# the input-chain "drop all not coming from LAN" rule and the forward-chain WAN
# drop further down treat VPN clients as LAN. use-encryption=yes is the PPP-level
# setting; the IPsec requirement itself is configured on the L2TP server.
add change-tcp-mss=yes interface-list=LAN local-address=192.168.200.1 name=\
vpn-new-profile remote-address=vpn use-encryption=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
# default-profile=*1 is an internal object id, not a profile name; the only profile
# present in this export is vpn-new-profile, so verify in the UI that the server's
# default profile still resolves. use-ipsec=required means a client must bring up
# IPsec before L2TP is accepted; the PSK is not shown by /export.
set default-profile=*1 enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=internet interface=VLAN832 list=WAN
/ip address
add address=192.168.100.1/24 comment=defconf interface=bridge network=\
192.168.100.0
/ip cloud
# Publishes this router's public address under a MikroTik DDNS name.
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# The public address is obtained on the VLAN, not on untagged ether1.
add interface=VLAN832
/ip dhcp-server network
# LAN clients use the router as their resolver; the router forwards to the
# upstream server configured in /ip dns.
add address=192.168.100.0/24 comment=defconf dns-server=192.168.100.1 \
gateway=192.168.100.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS for other hosts. The IPv4
# input chain has no accept for port 53 and ends with "drop all not coming from
# LAN", so only LAN-list interfaces (bridge and the dynamic L2TP interfaces) can
# query it; WAN-side queries are dropped.
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.100.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# IKE (UDP 500) and NAT-T (UDP 4500). connection-type="" looks like an empty
# matcher left over from the UI and presumably adds no restriction - confirm.
add action=accept chain=input comment="allow ipsec" connection-type="" \
dst-port=4500,500 protocol=udp
# Accepts L2TP control traffic (UDP 1701) from any interface, WAN included, in the
# clear. Since the server requires IPsec, adding ipsec-policy=in,ipsec to this rule
# would limit it to L2TP that arrived inside the IPsec tunnel.
add action=accept chain=input dst-port=1701 protocol=udp
# ESP (IP protocol 50). Despite the comment, this is not the NAT-T rule; NAT-T is
# the UDP 4500 accept above.
add action=accept chain=input comment="allow IPsec NAT" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# Final input rule: everything not from a LAN-list interface is dropped. There is
# no explicit accept for LAN, so LAN traffic falls through to the default accept.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Only matches in-interface-list=WAN. VPN client traffic enters on the dynamic L2TP
# interface (LAN list), so it is not affected and can reach the LAN; the forward
# chain has no final drop.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# No out-interface restriction: VPN clients are masqueraded toward the LAN too, so
# LAN hosts (and their logs) see 192.168.100.1 instead of the client's
# 192.168.200.x address. Internet-bound VPN traffic is already covered by the
# WAN masquerade above.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.200.0/24
/ip firewall service-port
set ftp disabled=yes
/ip service
set telnet disabled=yes
# The address list repeats 192.168.100.0/24; the second entry was presumably meant
# to be 192.168.200.0/24 (the VPN subnet), as on the winbox line below. www is
# plain HTTP; www-ssl, api and api-ssl are not shown in this export - check them.
set www address=192.168.100.0/24,192.168.100.0/24
set ssh disabled=yes
# winbox is disabled; the address restriction only takes effect if it is re-enabled.
set winbox address=192.168.100.0/24,192.168.200.0/24 disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Default (defconf) IPv6 rules. No IPv6 address or DHCPv6 client appears in this
# export, so these rules are currently not in the data path.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ppp secret
# Passwords are omitted by /export. All three accounts are bound to the same
# profile, so they share local-address, pool and interface-list handling.
add name=jmfj profile=vpn-new-profile service=l2tp
add name=mge profile=vpn-new-profile service=l2tp
add name=lgs profile=vpn-new-profile service=l2tp
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=LazarejoOS
/tool mac-server
# MAC-level management (mac-telnet / mac-winbox) restricted to LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Gracias y disculpas
 
Edita el servidor L2TP y apúntalo al perfil por defecto: default-encryption. Al haber borrado el otro, queda apuntando a la nada (mira el *1 en el export)
Código:
/interface l2tp-server server
set default-profile=*1 enabled=yes use-ipsec=required

No es necesario que desde el propio servidor apuntes al perfil VPN nuevo que has creado, ya que se lo asignas a los usuarios directamente.

Y dime cómo estás probando desde fuera (no hace falta que me digas que desde dentro funciona, porque desde dentro en verdad no estás probando absolutamente nada en una vpn de este tipo).

Saludos!
 
Gracias de nuevo
Sigue sin funcionar
Accedo desde
Otra con red fija con fibra (movistar) con un portatil con win10.
Otra con red movil (movistar) con un portatil usado datos moviles.

Ninguna de las dos funciona.


# dec/12/2022 22:39:31 by RouterOS 7.6
# software id = 9N2H-YIJV
#
# model = RB5009UG+S+
# serial number = EC190F4D45B5
# Review note: a plain "/export" omits passwords and pre-shared keys, so the
# L2TP/IPsec secret and the ppp user passwords are not visible in this listing.
/interface bridge
add admin-mac=DC:2C:6E:66:34:42 auto-mac=no comment=defconf name=bridge
/interface vlan
# Internet uplink is the tagged VLAN 832 on ether1 (placed in the WAN list below).
add interface=ether1 name=VLAN832 vlan-id=832
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.100.60-192.168.100.254
# Address pool handed to L2TP clients through the ppp profile below.
add name=vpn ranges=192.168.200.60-192.168.200.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/ppp profile
# interface-list=LAN adds each client's dynamic L2TP interface to the LAN list, so
# the input-chain "drop all not coming from LAN" rule and the forward-chain WAN
# drop further down treat VPN clients as LAN. use-encryption=yes is the PPP-level
# setting; the IPsec requirement itself is configured on the L2TP server.
add change-tcp-mss=yes interface-list=LAN local-address=192.168.200.1 name=\
vpn-new-profile remote-address=vpn use-encryption=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=sfp-sfpplus1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=WAN
/interface l2tp-server server
# No default-profile is set here, so the server uses its built-in default; each
# user is bound to vpn-new-profile directly in /ppp secret below. use-ipsec=required
# means a client must bring up IPsec before L2TP is accepted; the PSK is not shown
# by /export.
set enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add comment=internet interface=VLAN832 list=WAN
/ip address
add address=192.168.100.1/24 comment=defconf interface=bridge network=\
192.168.100.0
/ip cloud
# Publishes this router's public address under a MikroTik DDNS name.
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
# The public address is obtained on the VLAN, not on untagged ether1.
add interface=VLAN832
/ip dhcp-server network
# LAN clients use the router as their resolver; the router forwards to the
# upstream server configured in /ip dns.
add address=192.168.100.0/24 comment=defconf dns-server=192.168.100.1 \
gateway=192.168.100.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS for other hosts. The IPv4
# input chain has no accept for port 53 and ends with "drop all not coming from
# LAN", so only LAN-list interfaces (bridge and the dynamic L2TP interfaces) can
# query it; WAN-side queries are dropped.
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=192.168.100.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
# IKE (UDP 500) and NAT-T (UDP 4500). connection-type="" looks like an empty
# matcher left over from the UI and presumably adds no restriction - confirm.
add action=accept chain=input comment="allow ipsec" connection-type="" \
dst-port=4500,500 protocol=udp
# Accepts L2TP control traffic (UDP 1701) from any interface, WAN included, in the
# clear. Since the server requires IPsec, adding ipsec-policy=in,ipsec to this rule
# would limit it to L2TP that arrived inside the IPsec tunnel.
add action=accept chain=input dst-port=1701 protocol=udp
# ESP (IP protocol 50). Despite the comment, this is not the NAT-T rule; NAT-T is
# the UDP 4500 accept above.
add action=accept chain=input comment="allow IPsec NAT" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# Final input rule: everything not from a LAN-list interface is dropped. There is
# no explicit accept for LAN, so LAN traffic falls through to the default accept.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# Only matches in-interface-list=WAN. VPN client traffic enters on the dynamic L2TP
# interface (LAN list), so it is not affected and can reach the LAN; the forward
# chain has no final drop.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# No out-interface restriction: VPN clients are masqueraded toward the LAN too, so
# LAN hosts (and their logs) see 192.168.100.1 instead of the client's
# 192.168.200.x address. Internet-bound VPN traffic is already covered by the
# WAN masquerade above.
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.200.0/24
/ip firewall service-port
set ftp disabled=yes
/ip service
set telnet disabled=yes
# The address list repeats 192.168.100.0/24; the second entry was presumably meant
# to be 192.168.200.0/24 (the VPN subnet), as on the winbox line below. www is
# plain HTTP; www-ssl, api and api-ssl are not shown in this export - check them.
set www address=192.168.100.0/24,192.168.100.0/24
set ssh disabled=yes
# winbox is disabled; the address restriction only takes effect if it is re-enabled.
set winbox address=192.168.100.0/24,192.168.200.0/24 disabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
# Default (defconf) IPv6 rules. No IPv6 address or DHCPv6 client appears in this
# export, so these rules are currently not in the data path.
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ppp secret
# Passwords are omitted by /export. All three accounts are bound to the same
# profile, so they share local-address, pool and interface-list handling.
add name=jmfj profile=vpn-new-profile service=l2tp
add name=mge profile=vpn-new-profile service=l2tp
add name=lgs profile=vpn-new-profile service=l2tp
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=LazarejoOS
/tool mac-server
# MAC-level management (mac-telnet / mac-winbox) restricted to LAN-list interfaces.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

Saludos
 
Pues esa configuración es correcta compi. Además, antes ya comentaste que conectar conecta, así que vas a tener que explicarte un poco mejor con el “no funciona”. ¿Qué no funciona concretamente? ¿Qué esperas que haga un equipo conectado a la vpn?

Saludos!
 
Buenos dias
Cuando te dije que conectaba era desde la misma red local. Desde fuera no ha conectado nunca.
Este es error que da

1670934877406.png

El log no muestra nada. Por eso entiendo que el cortafuegos está rechazando la conexión.
Una vez conectado deberia poder acceder a los equipos de la red.
Quiza deberiamos empezar de cero o probar con wireguard.
 
Buenos dias
Cuando te dije que conectaba era desde la misma red local. Desde fuera no ha conectado nunca.
Este es error que da

Ver el adjunto 101982
El log no muestra nada. Luego entiendo que el cortafuegos esta rechazando la conexion.
Una vez conectado deberia poder acceder a los equipos de la red.
Quiza deberiamos empezar de cero o probar con wireguard.
¿Sabrías mandarme una foto del log del router, para ver si llegas a negociar la clave de encriptado, cuando se produce ese error? En el firewall de mikrotik lo tienes todo bien puesto, y a menos que no tengas ip pública, o que tengas otro firewall por encima, eso debería tirar sin problema.

Si quieres que te lance una prueba yo mismo, genera un nuevo usuario y contraseña en “ppp” y pásame el detalle de conexión por privado. Puedes modificar también la clave psk del IPSec, en caso de no querer compartirla (totalmente normal).

Saludos!
 
Gracias
Esta tarde te envio una foto del log. Pero ya te digo que no negocia nada.
El mikrotik se conecta a una livebox de orange que esta configurada como ONT luego no hay ningun
cortafuegos.
Te paso la ip publica esta tarde con los datos que me pides por privado
Gracias mil de nuevo
 
Gracias
Esta tarde te envio una foto del log. Pero ya te digo que no negocia nada.
El mikrotik se conecta a una livebox de orange que esta configurada como ONT luego no hay ningun
cortafuegos.
Te paso la ip publica esta tarde con los datos que me pides por privado
Gracias mil de nuevo
Venga, a ver si damos con la tecla. Debe de ser una auténtica chorrada que tengamos delante de las narices, pero no consigo verlo, por más que reviso la configuración.

Saludos!
 