Mikrotik ipsec tunnel

Тема в разделе "Вопросы начинающих", создана пользователем NeKrolik, 26 апр 2017.

  1. NeKrolik

    NeKrolik Новый участник

    Добрый день, возникла проблема.
    Настраивал ipsec между DFL и микротиком.
    Тунель поднялся все работает, но есть проблемы с устройствами за микротиком. К ним нет доступа по вебу, как к принтерам так и камерам. Но другие сервисы работают. Настраивал по этой статье http://sanotes.ru/vpn-ipsec-mikrotik-dfl-860e/
    При попытке конекта к этим устройствам по веб в логал микротика пишеться что соединение established, а потом close.
    Что можно попробовать сделать?
     
  2. Илья Князев

    Илья Князев Администратор Команда форума

    Как вариант файрволл на устройстве.
     
  3. NeKrolik

    NeKrolik Новый участник

    Тоже так думал, но если использовать связку DFL c DSR (Dlink) то доступ есть. Пробовал на mikrotike с выключенным файрволом тож не вышло.
    Это моя первая попытка настройки mikrotik.
    Настройки для файрволл смотрел тут)
    /interface bridge
    add arp=proxy-arp name=bridge1
    /interface ethernet
    set [ find default-name=ether1 ] mac-address=6C:3B:6B:20:6E:76
    set [ find default-name=ether2 ] mac-address=6C:3B:6B:20:6E:77
    set [ find default-name=ether3 ] mac-address=6C:3B:6B:20:6E:78 master-port=\
    ether2
    set [ find default-name=ether4 ] mac-address=6C:3B:6B:20:6E:79 master-port=\
    ether2
    set [ find default-name=ether5 ] mac-address=6C:3B:6B:20:6E:7A master-port=\
    ether2
    /interface pppoe-client
    add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    password=1234 use-peer-dns=yes user=1234
    /ip neighbor discovery
    set pppoe-out1 discover=no
    /ip hotspot profile
    set [ find default=yes ] html-directory=flash/hotspot
    /ip ipsec policy group
    set
    /ip ipsec proposal
    set [ find default=yes ] enc-algorithms=des
    /ip pool
    add name=dhcp ranges=10.30.59.1-10.30.59.253
    /ip dhcp-server
    add address-pool=dhcp disabled=no interface=bridge1 name=dhcp1
    /interface bridge port
    add bridge=bridge1 interface=ether2
    /ip settings
    set accept-redirects=yes accept-source-route=yes
    /ip address
    add address=10.30.59.254/24 interface=ether2 network=10.30.59.0
    /ip arp
    add address=10.30.59.249 interface=bridge1 mac-address=28:10:7B:11:71:C9
    /ip dhcp-client
    add default-route-distance=0 dhcp-options=hostname,clientid interface=ether1
    /ip dhcp-server lease
    add address=10.30.59.252 client-id=1:74:27:ea:4f:19:81 mac-address=\
    74:27:EA:4F:19:81 server=dhcp1
    add address=10.30.59.251 client-id=1:78:e3:b5:fc:10:87 mac-address=\
    78:E3:B5:FC:10:87 server=dhcp1
    add address=10.30.59.250 client-id=1:98:4b:e1:3f:45:e4 mac-address=\
    98:4B:E1:3F:45:E4 server=dhcp1
    add address=10.30.59.249 always-broadcast=yes client-id=1:28:10:7b:11:71:c9 \
    mac-address=28:10:7B:11:71:C9 server=dhcp1
    add address=10.30.59.248 client-id=1:74:27:ea:4f:37:44 mac-address=\
    74:27:EA:4F:37:44 server=dhcp1
    /ip dhcp-server network
    add address=10.30.59.0/24 dns-server=10.30.10.200 \
    gateway=10.30.59.254 netmask=24 wins-server=10.30.10.200
    /ip firewall address-list
    add address=10.30.59.249 list=management-servers
    add address=0.0.0.0/8 list=BOGON
    add address=100.64.0.0/10 list=BOGON
    add address=127.0.0.0/8 list=BOGON
    add address=169.254.0.0/16 list=BOGON
    add address=172.16.0.0/12 list=BOGON
    add address=192.0.0.0/24 list=BOGON
    add address=192.0.2.0/24 list=BOGON
    add address=192.168.0.0/16 list=BOGON
    add address=198.18.0.0/15 list=BOGON
    add address=198.51.100.0/24 list=BOGON
    add address=203.0.113.0/24 list=BOGON
    add address=224.0.0.0/4 list=BOGON
    add address=240.0.0.0/4 list=BOGON
    /ip firewall filter
    add chain=input comment=Allow_limited_pings in-interface=pppoe-out1 limit=\
    50/5s,2:packet protocol=icmp
    add action=drop chain=input comment=Port_scanner_drop src-address-list=\
    "port scanners"
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input in-interface=pppoe-out1 protocol=tcp \
    psd=21,3s,3,1
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input in-interface=pppoe-out1 protocol=tcp \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input in-interface=pppoe-out1 protocol=tcp \
    tcp-flags=fin,syn
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input in-interface=pppoe-out1 protocol=tcp \
    tcp-flags=syn,rst
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input in-interface=pppoe-out1 protocol=tcp \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input in-interface=pppoe-out1 protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input in-interface=pppoe-out1 protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
    add action=drop chain=input comment=Perebor_portov_list_drop in-interface=\
    pppoe-out1 src-address-list=perebor_portov_drop
    add action=add-src-to-address-list address-list=perebor_portov_drop \
    address-list-timeout=30m chain=input comment=Perebor_portov_add_list \
    dst-port=22 in-interface=pppoe-out1 log=yes log-prefix=Attack protocol=\
    tcp
    add action=drop chain=input comment=Perebor_53_drop dst-port=53 protocol=udp \
    src-address-list=dnsflood
    add action=add-src-to-address-list address-list=dnsflood \
    address-list-timeout=1h chain=input comment=Perebor_53_add_list dst-port=\
    53 protocol=udp
    add action=drop chain=input comment=Drop_winbox_black_list dst-port=8291,22 \
    in-interface=pppoe-out1 protocol=tcp src-address-list=black_list
    add action=add-src-to-address-list address-list=black_list \
    address-list-timeout=5m chain=input comment=Winbox_add_black_list \
    connection-state=new dst-port=8291,22 in-interface=pppoe-out1 protocol=\
    tcp src-address-list=Winbox_Ssh_stage3
    add action=add-src-to-address-list address-list=Winbox_Ssh_stage3 \
    address-list-timeout=1m chain=input comment=Winbox_Ssh_stage3 \
    connection-state=new dst-port=8291,22 in-interface=pppoe-out1 protocol=\
    tcp src-address-list=Winbox_Ssh_stage2
    add action=add-src-to-address-list address-list=Winbox_Ssh_stage2 \
    address-list-timeout=1m chain=input comment=Winbox_Ssh_stage2 \
    connection-state=new dst-port=8291,22 in-interface=pppoe-out1 protocol=\
    tcp src-address-list=Winbox_Ssh_stage1
    add action=add-src-to-address-list address-list=Winbox_Ssh_stage1 \
    address-list-timeout=1m chain=input comment=Winbox_Ssh_stage1 \
    connection-state=new dst-port=8291,22 in-interface=pppoe-out1 protocol=\
    tcp
    add chain=input comment=Accept_Winbox_Ssh dst-port=8291,22 in-interface=\
    pppoe-out1 protocol=tcp
    add chain=input comment="Accept input connections My Network"
    add chain=forward comment="Accept established connections My Network" \
    connection-state=established
    add chain=forward comment="Allow Ping My Network" protocol=icmp
    add chain=input connection-state=established
    add chain=forward comment="Accept related connections My Network" \
    connection-state=related
    add chain=input connection-state=related
    add chain=forward comment="Allow GRE" protocol=gre
    add action=drop chain=forward connection-state=invalid
    add action=drop chain=input comment=Drop_all_WAN in-interface=pppoe-out1
    add action=drop chain=input comment=Bogon_Wan_Drop in-interface=pppoe-out1 \
    src-address-list=BOGON
    /ip firewall nat
    add chain=srcnat dst-address=10.0.0.0/8 src-address=10.30.59.0/24
    add action=masquerade chain=srcnat disabled=yes out-interface=pppoe-out1
    add action=masquerade chain=srcnat dst-address=!10.0.0.0/8 out-interface=\
    pppoe-out1 src-address=10.30.59.0/24
    /ip firewall service-port
    set ftp disabled=yes
    set tftp disabled=yes
    set irc disabled=yes
    set h323 disabled=yes
    set sip disabled=yes
    /ip ipsec peer
    add address=1.1.1.1/32 enc-algorithm=des mode-config=request-only \
    nat-traversal=no secret=12345
    /ip ipsec policy
    add dst-address=10.0.0.0/8 priority=1 sa-dst-address=1.1.1.1 \
    sa-src-address=2.2.2.2 src-address=10.30.59.0/24 tunnel=yes
    /ip route
    add distance=1 dst-address=10.0.0.0/8 gateway=10.30.10.254
    /ip upnp
    set enabled=yes
    /ip upnp interfaces
    add interface=bridge1 type=internal
    add interface=ether1 type=external
    /system clock
    set time-zone-name=Europe/Volgograd
    /system identity
    /system routerboard settings
    set cpu-frequency=850MHz protected-routerboot=disabled
    /tool mac-server
    set [ find default=yes ] disabled=yes
    add interface=bridge1
    /tool mac-server mac-winbox
    set [ find default=yes ] disabled=yes
    add interface=bridge1
     
  4. Илья Князев

    Илья Князев Администратор Команда форума

    Попробуйте уменьшить в Mangle MSS для TCP где-то в 1360 и дальше тюнить.