VPN-Zugriff funktioniert nur in bestimmtem IP-Bereich
Hallo zusammen
Ich betreibe einen Mikrotik-Router, auf dem ich auch einen VPN-Zugriff über OpenVPN eingerichtet habe, den ich mit meinem Android-Handy nutze. Der Zugriff funktionierte für meine Anforderungen bis jetzt ohne Probleme, und ich konnte im 192.168.5.0-Netz auf alle Geräte zugreifen. Der VPN-Client bekommt hier eine IP aus dem 192.168.179.0-Netz zugewiesen.
Jetzt benötige ich zusätzlich auch noch Zugriff auf Geräte – vorerst nur auf ein Gerät – aus dem 192.168.10.0-Netz. Hier bekomme ich aus dem VPN allerdings keinen Zugriff auf den Webserver im 10er-Netz. Lokal funktioniert hier alles problemlos.
Ich habe bereits eine Forward-Regel in der Firewall eingerichtet, allerdings hat auch dies keine Abhilfe gebracht.
Hier meine Config:
Ich betreibe einen Mikrotik Router auf dem ich auch einen VPN Zugriff über OpenVPN eingerichtet habe den ich mit meinem Android Handy nutze. Der Zugriff funktionierte für meine Anforderungen bis jetzt ohne Probleme und ich konnte im 192.168.5.0 Netz auf alle Geräte zugreifen. Der VPN Client kriegt hier eine IP aus dem 192.168.179.0 Netz zugewiesen.
Jetzt benötige ich zusätzlich auch noch Zugriff auf Geräte oder vorerst nur auf ein Gerät aus dem 192.168.10.0 Netz. Hier bekomme ich aus dem VPN allerdings keinen Zugriff auf den Webserver im 10er Netz. Lokal funktioniert hier alles problemlos.
Ich habe bereits eine forward Regel in der Firewall eingerichtet allerdings hat auch dies keine Abhilfe gebracht.
Hier meine Config:
# sep/15/2024 14:43:49 by RouterOS 7.3.1
# software id = B9WQ-CWMC
#
# model = RB4011iGS+
# serial number = D4440DFDB0A9
# Bridges: one per house (Haus-A / Haus-B), a guest bridge, the "Global-Lan"
# bridge (192.168.10.0/24 further down) and an SFP/modem bridge.
/interface bridge
add name="Bridge - Global-Lan"
add name="Bridge - G\E4ste"
add name="Bridge - SFP"
add name="Bridge : Haus-A"
add name="Bridge : Haus-B"
# Physical ports. ether5 and ether9 (the dedicated guest port) are disabled;
# ether10 carries the FTTH modem with PoE out switched off.
/interface ethernet
set [ find default-name=ether1 ] name="Port01 : Switch Global/Wan"
set [ find default-name=ether2 ] name="Port02 : Switch Global/Wan"
set [ find default-name=ether3 ] name="Port03 : Switch Global/Wan"
set [ find default-name=ether4 ] name="Port04 : Switch Global/Wan"
set [ find default-name=ether5 ] disabled=yes name=\
"Port05 : Switch Global/Wan"
set [ find default-name=ether6 ] name="Port06 : Wan"
set [ find default-name=ether7 ] name="Port07 : Haus-A"
set [ find default-name=ether8 ] name="Port08 : Haus-B"
set [ find default-name=ether9 ] disabled=yes name="Port09 : Gast"
set [ find default-name=ether10 ] name="Port10 : Wan/FTTH Modem" poe-out=off
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no speed=1Gbps
# VLAN sub-interfaces. VLAN 200 on the modem port is the ISP (PPPoE) uplink.
# The house VLANs are created on the *other* house's port ("VLAN : Haus-A" on
# Port08 : Haus-B and vice versa, same for the guest VLANs) -- presumably the
# trunk between the two buildings; verify the tagging against the switches.
/interface vlan
add interface="Port10 : Wan/FTTH Modem" name=\
"VLAN : FTTH-Grafschafter-Breitband" vlan-id=200
add interface="Port08 : Haus-B" name="VLAN : Gast-Haus A" vlan-id=30
add interface="Port07 : Haus-A" name="VLAN : Gast-Haus B" vlan-id=30
add interface="Port08 : Haus-B" name="VLAN : Global-Lan" vlan-id=60
add interface="Port08 : Haus-B" name="VLAN : Haus-A" vlan-id=10
add interface="Port07 : Haus-A" name="VLAN : Haus-B" vlan-id=20
add interface="Port07 : Haus-A" name="VLAN : Maintance" vlan-id=50
# defconf interface lists; members are assigned under /interface list member.
# The firewall below keys several accept rules on in-interface-list=LAN.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# Default IPsec profile/proposal: modp1024, 3des and sha1 are still offered
# next to the AES/SHA-256 entries. These are legacy choices; whether any peer
# actually negotiates them is not visible here (the L2TP/IPsec server below
# carries no enabled=yes in this export). Trimming the lists to the AES-GCM /
# SHA-256 / stronger DH entries is the usual hardening step.
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha256,sha1 enc-algorithms=\
aes-256-cbc,aes-256-gcm,aes-192-cbc,aes-128-cbc,aes-128-gcm,3des
# Address pools. dhcp_pool_VPN (192.168.179.10-20, 11 addresses) is handed to
# OpenVPN clients via the "vpn" PPP profile, not via a DHCP server.
/ip pool
add name=dhcp_pool_HausA ranges=192.168.5.50-192.168.5.149
add name=dhcp_pool_HausB ranges=192.168.100.10-192.168.100.200
add name=dhcp_pool_Guest ranges=192.168.178.10-192.168.178.254
add name=dhcp_pool_SFP ranges=192.168.1.50-192.168.1.99
add name=dhcp_pool_Global_Lan ranges=192.168.10.100-192.168.10.200
add name=dhcp_pool_VPN ranges=192.168.179.10-192.168.179.20
# DHCP servers per bridge. lease-time=521w3d is roughly ten years, i.e. the
# house and Global-Lan leases are effectively permanent; the guest lease is 1d.
/ip dhcp-server
add address-pool=dhcp_pool_HausA interface="Bridge : Haus-A" lease-time=\
521w3d name="DHCP-Dark Desert"
add address-pool=dhcp_pool_HausB interface="Bridge : Haus-B" lease-time=\
521w3d name=DHCP-ZYG
add address-pool=dhcp_pool_Guest interface="Bridge - G\E4ste" lease-time=1d \
name=DHCP-Gast
add address-pool=dhcp_pool_SFP interface="Bridge - SFP" name=DHCP-SFP
add address-pool=dhcp_pool_Global_Lan interface="Bridge - Global-Lan" \
lease-time=521w3d name="DHCP-Global Lan"
# ULA prefix for Haus-A (used by the disabled /ipv6 address entry below).
/ipv6 pool
add name=ULA-Haus-A prefix=fd00:500::/64 prefix-length=64
/port
set 0 name=serial0
set 1 name=serial1
# PPP profiles.
# PPPOE-Standart: the on-down script sets the RA lifetime of the three LAN
# bridges to 0 while the uplink is down; on-up waits 10 s, restores 1800 s,
# waits another 20 s and re-runs the Strato-DynDNS script.
/ppp profile
add change-tcp-mss=yes name=PPPOE-Standart on-down="/ipv6 nd\r\
\nset [find interface=\"Bridge : Haus-A\"] ra-lifetime=0\r\
\n\r\
\nset [find interface=\"Bridge : Haus-B\"] ra-lifetime=0\r\
\n\r\
\nset [find interface=\"Bridge - Global-Lan\"] ra-lifetime=0" on-up=":dela\
y 10000ms\r\
\n\r\
\n/ipv6 nd\r\
\nset [find interface=\"Bridge : Haus-A\"] ra-lifetime=1800\r\
\n\r\
\nset [find interface=\"Bridge : Haus-B\"] ra-lifetime=1800\r\
\n\r\
\nset [find interface=\"Bridge - Global-Lan\"] ra-lifetime=1800\r\
\n\r\
\n:delay 20000ms\r\
\n/system script run Strato-DynDNS"
# vpn: profile used by the OpenVPN server. Clients get an address from
# dhcp_pool_VPN, the router-side address and DNS server are 192.168.179.254,
# encryption is mandatory, compression off. No routes are configured here;
# the client only sends traffic for subnets it has a route to into the tunnel,
# which is why reaching 192.168.10.0/24 additionally needs a pushed/static
# route on the client (see the forum answer).
add dns-server=192.168.179.254 local-address=192.168.179.254 name=vpn \
remote-address=dhcp_pool_VPN use-compression=no use-encryption=required
# ISP uplink: PPPoE over VLAN 200, installs the default route. The username is
# redacted in the post.
/interface pppoe-client
add add-default-route=yes allow=pap,chap,mschap2 disabled=no interface=\
"VLAN : FTTH-Grafschafter-Breitband" name=\
"PPPOE : Grafschafter-Breitband" profile=PPPOE-Standart user=\
XXXXXXXXXXXXXXXX@grafschafter-breitband.de
# Simple queues on the WAN port: VoIP packet marks (set in /ip firewall
# mangle) get priority 2, everything else priority 6. Note that the fasttrack
# rule in /ip firewall filter lets most packets bypass mangle and queues.
/queue simple
add name=Wan packet-marks=no-mark priority=6/6 target="Port06 : Wan"
add name=voip_tcp packet-marks=voip_tcp_pkt priority=2/2 target=\
"Port06 : Wan"
add name=voip_udp packet-marks=voip_udp_pkt priority=2/2 target=\
"Port06 : Wan"
# Routing protocol templates; no BGP peers are visible in this export and the
# OSPF backbone area is disabled.
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
# Bridge membership. ingress-filtering=no everywhere, so untagged and tagged
# frames are accepted on all ports; "Port06 : Wan" and the disabled
# "Port09 : Gast" are bridge ports, not routed interfaces.
/interface bridge port
add bridge="Bridge : Haus-A" ingress-filtering=no interface="Port07 : Haus-A"
add bridge="Bridge : Haus-A" ingress-filtering=no interface="VLAN : Haus-A"
add bridge="Bridge : Haus-B" ingress-filtering=no interface="Port08 : Haus-B"
add bridge="Bridge : Haus-B" ingress-filtering=no interface="VLAN : Haus-B"
add bridge="Bridge - G\E4ste" ingress-filtering=no interface=\
"VLAN : Gast-Haus B"
add bridge="Bridge - G\E4ste" ingress-filtering=no interface=\
"VLAN : Gast-Haus A"
add bridge="Bridge - G\E4ste" ingress-filtering=no interface="Port09 : Gast"
add bridge="Bridge - Global-Lan" ingress-filtering=no interface=\
"Port06 : Wan"
add bridge="Bridge - Global-Lan" ingress-filtering=no interface=\
"Port01 : Switch Global/Wan"
add bridge="Bridge - Global-Lan" ingress-filtering=no interface=\
"Port02 : Switch Global/Wan"
add bridge="Bridge - Global-Lan" ingress-filtering=no interface=\
"Port03 : Switch Global/Wan"
add bridge="Bridge - Global-Lan" ingress-filtering=no interface=\
"Port04 : Switch Global/Wan"
add bridge="Bridge - Global-Lan" ingress-filtering=no interface=\
"Port05 : Switch Global/Wan"
add bridge="Bridge - Global-Lan" ingress-filtering=no interface=\
"VLAN : Maintance"
add bridge="Bridge - SFP" ingress-filtering=no interface=\
"Port10 : Wan/FTTH Modem"
add bridge="Bridge - SFP" ingress-filtering=no interface=sfp-sfpplus1
add bridge="Bridge - Global-Lan" interface="VLAN : Global-Lan"
# use-ip-firewall=yes: frames switched within a bridge also traverse
# /ip firewall (needed for the inter-VLAN reject rules below; costs CPU).
/interface bridge settings
set use-ip-firewall=yes
# Neighbor discovery (MNDP/CDP/LLDP) announcements disabled on all interfaces.
/ip neighbor discovery-settings
set discover-interface-list=none
# rp-filter=strict drops packets whose source is not routed back out of the
# ingress interface. NOTE(review): /ip address below puts 192.168.179.1/24 on
# the disabled "Port09 : Gast"; if that connected route ever becomes active
# it competes with the per-client VPN routes for the same subnet -- worth
# checking that VPN-client packets are not being discarded here.
/ip settings
set max-neighbor-entries=8192 rp-filter=strict tcp-syncookies=yes
/ipv6 settings
set max-neighbor-entries=8192
# L2TP/IPsec server parameters; no enabled=yes in this export, so the server
# is off. default-profile=*2 is an internal id rather than a named profile.
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile=*2 max-mru=\
1480 max-mtu=1480 one-session-per-host=yes use-ipsec=yes
# List membership. The guest bridge is in LAN, so every firewall rule that
# accepts on in-interface-list=LAN (DNS, SSH, HTTP(S), WinBox to the router)
# also applies to guest clients.
/interface list member
add interface="PPPOE : Grafschafter-Breitband" list=WAN
add interface="Bridge - G\E4ste" list=LAN
add interface="Bridge - Global-Lan" list=LAN
add interface="Bridge : Haus-A" list=LAN
add interface="Bridge : Haus-B" list=LAN
# OpenVPN server: AES-256 with HMAC-SHA1, client certificate required, PPP
# profile "vpn" (pool 192.168.179.10-20). auth=sha1 is the weak part of this
# line; a SHA-2 digest should be used if the Android client supports it.
# The server pushes no routes in this export, so a client only reaches
# 192.168.5.0/24 etc. through the tunnel if it has its own route for that
# subnet -- the reason 192.168.10.0/24 is unreachable even though the
# forward chain allows it. RouterOS 7's ovpn-server has a push-routes
# setting for this; confirm it is available on this 7.3.1 build.
/interface ovpn-server server
set auth=sha1 certificate="VPN Server" cipher=aes256 default-profile=vpn \
enabled=yes require-client-certificate=yes
# Router addresses, one per bridge. The last entry puts 192.168.179.1/24 --
# the VPN pool's subnet -- on the disabled guest port "Port09 : Gast" rather
# than on a VPN interface; the PPP profile already uses 192.168.179.254 as
# the router-side VPN address. This looks like a leftover and is a candidate
# for removal (see the rp-filter note under /ip settings).
/ip address
add address=192.168.5.1/24 interface="Bridge : Haus-A" network=192.168.5.0
add address=192.168.100.1/24 interface="Bridge : Haus-B" network=\
192.168.100.0
add address=192.168.10.1/24 interface="Bridge - Global-Lan" network=\
192.168.10.0
add address=192.168.178.1/24 interface="Bridge - G\E4ste" network=\
192.168.178.0
add address=192.168.1.2/24 interface="Bridge - SFP" network=192.168.1.0
add address=192.168.179.1/24 interface="Port09 : Gast" network=192.168.179.0
# MikroTik cloud DDNS enabled (in addition to the Strato DynDNS script).
/ip cloud
set ddns-enabled=yes ddns-update-interval=5m update-time=no
/ip dhcp-server lease
# DHCP options per subnet. Haus-A clients get a LAN host (192.168.5.209) as
# resolver; Global-Lan, Haus-B and guests are sent straight to 8.8.8.8,
# bypassing the router's own resolver. The 192.168.18.1/32 entry matches no
# address or pool in this export and is presumably stale.
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.2
add address=192.168.5.0/24 dns-server=192.168.5.209 gateway=192.168.5.1
add address=192.168.10.0/24 dns-server=8.8.8.8 gateway=192.168.10.1
add address=192.168.18.1/32 gateway=192.168.18.2
add address=192.168.100.0/24 dns-server=8.8.8.8 gateway=192.168.100.1
add address=192.168.178.0/24 dns-server=8.8.8.8 gateway=192.168.178.1
# Router resolver answers remote queries; the input chain limits DNS to the
# VPN subnet and interface list LAN and drops the rest, so this is not an
# open resolver towards WAN as long as that final input drop stays in place.
/ip dns
set allow-remote-requests=yes servers=\
8.8.8.8,1.1.1.1,fe80::6f07:1e68:895b:b427
# Bogon / non-routable sources, dropped in the forward chain when they arrive
# on the PPPoE link. Includes all of RFC 1918, so spoofed "internal" sources
# from WAN are covered too.
/ip firewall address-list
add address=0.0.0.0/8 list=bogons
add address=10.0.0.0/8 list=bogons
add address=100.64.0.0/10 list=bogons
add address=127.0.0.0/8 list=bogons
add address=169.254.0.0/16 list=bogons
add address=172.16.0.0/12 list=bogons
add address=192.0.0.0/24 list=bogons
add address=192.0.2.0/24 list=bogons
add address=192.168.0.0/16 list=bogons
add address=198.18.0.0/15 list=bogons
add address=198.51.100.0/24 list=bogons
add address=203.0.113.0/24 list=bogons
add address=240.0.0.0/4 list=bogons
# IPv4 filter. Rules are evaluated top to bottom per chain, first match wins,
# and a chain without a final drop accepts by default. The unconditional
# "drop" input rule in the middle of this list ends the input chain; every
# chain=input rule listed after it is unreachable (noted below).
/ip firewall filter
add action=accept chain=input comment="Internet - accept established,related" \
connection-state=established,related
# OpenVPN (TCP/1194) to the router from any interface, WAN included; the
# ovpn-server requires a client certificate.
add action=accept chain=input comment="accept OpenVPN" dst-port=1194 \
protocol=tcp
add action=accept chain=input comment="accept DNS-from-OpenVPN-Clients" \
dst-port=53 protocol=udp src-address=192.168.179.0/24
add action=drop chain=input comment="Internet - drop invalid" \
connection-state=invalid
# ICMP to the router: echo reply/request, destination unreachable and time
# exceeded, once for the PPPoE link (non-RFC1918 peers) and once for LAN.
add action=accept chain=input comment=\
"Internet - accept ICMP echo reply->WAN" dst-address=!192.168.0.0/16 \
icmp-options=0:0 in-interface="PPPOE : Grafschafter-Breitband" protocol=\
icmp src-address=!192.168.0.0/16
add action=accept chain=input comment=\
"Internet - accept ICMP destination unreachable->WAN" dst-address=\
!192.168.0.0/16 icmp-options=3:0-1 in-interface=\
"PPPOE : Grafschafter-Breitband" protocol=icmp src-address=\
!192.168.0.0/16
add action=accept chain=input comment=\
"Internet - accept ICMP echo request->WAN" dst-address=!192.168.0.0/16 \
icmp-options=8:0 in-interface="PPPOE : Grafschafter-Breitband" protocol=\
icmp src-address=!192.168.0.0/16
add action=accept chain=input comment=\
"Internet - accept ICMP time exceeded->WAN" dst-address=!192.168.0.0/16 \
icmp-options=11:0 in-interface="PPPOE : Grafschafter-Breitband" protocol=\
icmp src-address=!192.168.0.0/16
add action=accept chain=input comment=\
"Internet - accept ICMP echo reply->LAN" dst-address=192.168.0.0/16 \
icmp-options=0:0 in-interface-list=LAN protocol=icmp src-address=\
192.168.0.0/16
add action=accept chain=input comment=\
"Internet - accept ICMP destination unreachable->LAN" dst-address=\
192.168.0.0/16 icmp-options=3:0-1 in-interface-list=LAN protocol=icmp \
src-address=192.168.0.0/16
add action=accept chain=input comment=\
"Internet - accept ICMP echo request->LAN" dst-address=192.168.0.0/16 \
icmp-options=8:0 in-interface-list=LAN protocol=icmp src-address=\
192.168.0.0/16
add action=accept chain=input comment=\
"Internet - accept ICMP time exceeded->LAN" dst-address=192.168.0.0/16 \
icmp-options=11:0 in-interface-list=LAN protocol=icmp src-address=\
192.168.0.0/16
# Router services from interface list LAN (which includes the guest bridge):
# DNS, SSH on 22, HTTPS, HTTP, WinBox. /ip service moves SSH to port 2200
# and disables www, so the SSH/22 and HTTP/80 accepts here do not match the
# services actually listening; SSH on 2200 would hit the final input drop.
add action=accept chain=input comment="Internet - accept DNS-UDP->LAN" \
dst-address=192.168.0.0/16 dst-port=53 in-interface-list=LAN protocol=udp \
src-address=192.168.0.0/16
add action=accept chain=input comment="Internet - accept DNS-TCP->LAN" \
dst-address=192.168.0.0/16 dst-port=53 in-interface-list=LAN protocol=tcp \
src-address=192.168.0.0/16
add action=accept chain=input comment="Internet - accept SSH->LAN" \
dst-address=192.168.0.0/16 dst-port=22 in-interface-list=LAN protocol=tcp \
src-address=192.168.0.0/16
add action=accept chain=input comment="Internet - accept HTTPS->LAN" \
dst-address=192.168.0.0/16 dst-port=443 in-interface-list=LAN protocol=\
tcp src-address=192.168.0.0/16
add action=accept chain=input comment="Internet - accept HTTP->LAN" \
dst-address=192.168.0.0/16 dst-port=80 in-interface-list=LAN protocol=tcp \
src-address=192.168.0.0/16
add action=accept chain=input comment="Internet - accept WinBox->LAN" \
dst-address=192.168.0.0/16 dst-port=8291 in-interface-list=LAN protocol=\
tcp src-address=192.168.0.0/16
# DHCP to the router, matched on *source* port 67/68 from any interface
# except the PPPoE link.
add action=accept chain=input comment="Zugriff auf DHCP Server erlauben" \
in-interface="!PPPOE : Grafschafter-Breitband" protocol=udp src-port=\
67,68
# VPN clients -> Haus-A network.
add action=accept chain=forward comment="accept OpenVPN Clients to Network" \
dst-address=192.168.5.0/24 src-address=192.168.179.0/24
# VPN clients -> Global-Lan. As pasted, the comment line is missing the
# trailing backslash, so the dst-address/src-address line is not part of
# the rule; if the router really holds it this way the rule accepts *all*
# forward traffic. Verify with `/ip firewall filter print`. Either way this
# rule is not what blocks VPN -> 192.168.10.0/24: nothing later in the
# forward chain drops traffic between two 192.168.0.0/16 subnets (see the
# policy rules below), so the missing client route is the likelier cause.
add action=accept chain=forward comment=\
"accept OpenVPN Clients to Global-Lan"
dst-address=192.168.10.0/24 src-address=192.168.179.0/24
# Final, unconditional input drop. Every chain=input rule after this point
# is dead.
add action=drop chain=input comment=drop
# Fasttrack: packets of established/related connections bypass the rest of
# the firewall, including mangle and queues, so the VoIP marks/queues only
# see a connection's first packets.
add action=fasttrack-connection chain=forward comment=\
"fasttrack established,related" connection-state=established,related \
hw-offload=yes
add action=accept chain=forward comment="accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop bogons<-WAN" in-interface=\
"PPPOE : Grafschafter-Breitband" src-address-list=bogons
# Drops new connections arriving *from* the PPPoE link that were not
# DST-NATed (the comment says "->WAN" but in-interface is WAN).
add action=drop chain=forward comment="drop ->WAN w/o DSTNAT" \
connection-nat-state=!dstnat connection-state=new in-interface=\
"PPPOE : Grafschafter-Breitband"
add action=reject chain=forward comment="reject SMTP->WAN" dst-port=25 \
out-interface="PPPOE : Grafschafter-Breitband" protocol=tcp reject-with=\
icmp-network-unreachable
# Forward policy: LAN-list -> WAN is accepted; the next rule drops only when
# neither side is in 192.168.0.0/16. Traffic between internal subnets
# (including VPN -> any LAN) is therefore not dropped here and falls through
# to the reject rules below and then the chain's default accept.
add action=accept chain=forward comment="accept LAN->WAN" dst-address=\
!192.168.0.0/16 in-interface-list=LAN out-interface=\
"PPPOE : Grafschafter-Breitband" src-address=192.168.0.0/16
add action=drop chain=forward comment="drop IP Bereich 192.168.0.0/16 als Au\
snahme in SRC / DEST genommen damit Maintance Wlan zugriff auf Ger\E4te fu\
nktioniert bzw Vlan Port\FCbergreifend funktioniert" dst-address=\
!192.168.0.0/16 src-address=!192.168.0.0/16
add action=drop chain=output comment="drop invalid" connection-state=invalid
# NOTE(review): the following six chain=input rules (invalid, non-SYN new,
# small MSS, port-scan detection, RST rate limit) sit after the unconditional
# input drop above and are never evaluated. Move them above it if they are
# meant to be active.
add action=drop chain=input comment="Ddos Schutz" connection-state=invalid
add action=drop chain=input connection-state=new protocol=tcp tcp-flags=!syn
add action=drop chain=input connection-state=new protocol=tcp tcp-mss=\
!536-65535
add action=drop chain=input protocol=tcp psd=20,3s,10,2
add action=drop chain=input limit=2,2:packet protocol=tcp tcp-flags=rst
# Inter-subnet isolation (Haus-A / Haus-B / guests). The chain=forward
# rejects are effective. The chain=input/output rejects between two internal
# subnets only match traffic the router itself receives or sends, never
# transit traffic, and the input ones are additionally behind the final input
# drop -- they add nothing and can be dropped or moved to forward.
add action=reject chain=forward comment=192.168.5.0 in-interface=\
"Bridge : Haus-A" out-interface="Bridge - G\E4ste" reject-with=\
icmp-network-unreachable
add action=reject chain=forward in-interface="Bridge : Haus-A" out-interface=\
"Bridge : Haus-B" reject-with=icmp-network-unreachable
add action=reject chain=input dst-address=192.168.5.0/24 reject-with=\
icmp-network-unreachable src-address=192.168.100.0/24
add action=reject chain=input dst-address=192.168.5.0/24 reject-with=\
icmp-network-unreachable src-address=192.168.178.0/24
add action=reject chain=output dst-address=192.168.100.0/24 reject-with=\
icmp-network-unreachable src-address=192.168.5.0/24
add action=reject chain=output dst-address=192.168.178.0/24 reject-with=\
icmp-network-unreachable src-address=192.168.5.0/24
add action=reject chain=forward comment=192.168.100.0 in-interface=\
"Bridge : Haus-B" out-interface="Bridge - G\E4ste" reject-with=\
icmp-network-unreachable
add action=reject chain=forward in-interface="Bridge : Haus-B" out-interface=\
"Bridge : Haus-A" reject-with=icmp-network-unreachable
add action=reject chain=input dst-address=192.168.100.0/24 reject-with=\
icmp-network-unreachable src-address=192.168.5.0/24
add action=reject chain=input dst-address=192.168.100.0/24 reject-with=\
icmp-network-unreachable src-address=192.168.178.0/24
add action=reject chain=output dst-address=192.168.5.0/24 reject-with=\
icmp-network-unreachable src-address=192.168.100.0/24
add action=reject chain=output dst-address=192.168.178.0/24 reject-with=\
icmp-network-unreachable src-address=192.168.100.0/24
# Guest bridge -> anything that is not the guest bridge is rejected; guests
# still reach WAN because "accept LAN->WAN" above matches first.
add action=reject chain=forward comment=192.168.178.0 in-interface=\
"Bridge - G\E4ste" out-interface="!Bridge - G\E4ste" reject-with=\
icmp-network-unreachable
add action=reject chain=input dst-address=192.168.178.0/24 reject-with=\
icmp-network-unreachable src-address=192.168.5.0/24
add action=reject chain=input dst-address=192.168.178.0/24 reject-with=\
icmp-network-unreachable src-address=192.168.100.0/24
add action=reject chain=output dst-address=192.168.5.0/24 reject-with=\
icmp-network-unreachable src-address=192.168.178.0/24
add action=reject chain=output dst-address=192.168.100.0/24 reject-with=\
icmp-network-unreachable src-address=192.168.178.0/24
# VoIP QoS marking: SIP (port 5060, TCP and UDP) connections are marked in
# prerouting and their packets get voip_*_pkt marks for the simple queues.
# Because /ip firewall filter fasttracks established/related connections,
# later packets of these flows skip mangle; check the rule counters with
# `/ip firewall mangle print stats` if the queues seem to carry nothing.
/ip firewall mangle
add action=mark-connection chain=prerouting new-connection-mark=voip_tcp_con \
passthrough=yes port=5060 protocol=tcp
add action=mark-connection chain=prerouting new-connection-mark=voip_udp_con \
passthrough=yes port=5060 protocol=udp
add action=mark-packet chain=prerouting connection-mark=voip_tcp_con \
new-packet-mark=voip_tcp_pkt passthrough=yes
add action=mark-packet chain=prerouting connection-mark=voip_udp_con \
new-packet-mark=voip_udp_pkt passthrough=yes
# NAT. Only the masquerade rule is active: internal sources leaving via the
# PPPoE link towards non-RFC1918 destinations. All dstnat rules below are
# disabled=yes; they also use action=accept with to-ports but no
# to-addresses, so even enabled they would not forward SIP/RTP to the
# FritzBox -- presumably leftovers from an earlier port-forward attempt.
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade LAN->WAN" dst-address=\
!192.168.0.0/16 out-interface="PPPOE : Grafschafter-Breitband" \
src-address=192.168.0.0/16
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=tcp src-port=5060 \
to-ports=5060
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=5060 \
to-ports=5060
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7070 \
to-ports=7070
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7071 \
to-ports=7071
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7072 \
to-ports=7072
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7073 \
to-ports=7073
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7074 \
to-ports=7074
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7075 \
to-ports=7075
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7076 \
to-ports=7076
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7077 \
to-ports=7077
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7078 \
to-ports=7078
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7079 \
to-ports=7079
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7080 \
to-ports=7080
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7081 \
to-ports=7081
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7082 \
to-ports=7082
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7083 \
to-ports=7083
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7084 \
to-ports=7084
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7085 \
to-ports=7085
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7086 \
to-ports=7086
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7087 \
to-ports=7087
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7088 \
to-ports=7088
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7089 \
to-ports=7089
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7090 \
to-ports=7090
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7091 \
to-ports=7091
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7092 \
to-ports=7092
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7093 \
to-ports=7093
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7094 \
to-ports=7094
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7095 \
to-ports=7095
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7096 \
to-ports=7096
add action=accept chain=dstnat comment=\
"WAN -> LAN | SIP-Anbieter zu FritzBox fr Telefonie" disabled=yes \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=7097 \
to-ports=7097
# Raw: ICMP above 1 packet/s (burst 1) is dropped before connection tracking,
# on every interface. This also rate-limits PMTU / unreachable messages.
/ip firewall raw
add action=drop chain=prerouting limit=!1,1:packet protocol=icmp
# All NAT helpers (ALGs) disabled -- good; they have a long history of
# problems and are not needed with the dstnat rules disabled.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# Default (template) IPsec policy, used by the L2TP/IPsec server if enabled.
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
# Management plane: telnet, ftp, www, api and api-ssl are off; SSH (moved to
# port 2200) and WinBox are limited to 192.168.0.0/16. That range still
# covers the guest network 192.168.178.0/24 and the VPN pool, and the guest
# bridge is in interface list LAN, so guests can reach WinBox per the input
# filter. Narrow both services to the management subnets. Note the input
# filter accepts SSH on port 22, not 2200 -- one of the two needs aligning.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.0.0/16 port=2200
set api disabled=yes
set winbox address=192.168.0.0/16
set api-ssl disabled=yes
# IPv6 addressing is fully disabled in this export (every entry disabled=yes,
# including the DHCPv6-PD client on the PPPoE link), so the IPv6 firewall and
# the Prefix-update script below are currently dormant.
/ipv6 address
add disabled=yes from-pool=pool-ipv6 interface="Bridge : Haus-A"
add disabled=yes from-pool=pool-ipv6 interface="Bridge : Haus-B"
add disabled=yes from-pool=pool-ipv6 interface="Bridge - Global-Lan"
add address=::1 disabled=yes from-pool=pool-ipv6 interface=\
"PPPOE : Grafschafter-Breitband"
add address=::1 disabled=yes from-pool=ULA-Haus-A interface="Bridge : Haus-A"
/ipv6 dhcp-client
add add-default-route=yes disabled=yes interface=\
"PPPOE : Grafschafter-Breitband" pool-name=pool-ipv6 request=prefix \
use-peer-dns=no
# IPv6 filter: a custom block first, then the RouterOS defconf rules appended
# after it. Several defconf rules are shadowed by the custom ones above them
# (e.g. the WAN "drop new" rules run before the defconf IKE/IPsec accepts).
/ipv6 firewall filter
add action=accept chain=input comment=\
"ALLG. | Aufgebaute Verbindungen erlauben" connection-state=\
established,related
# OpenVPN on TCP/1194 is also reachable over IPv6 from any interface.
add action=accept chain=input comment="accept OpenVPN" dst-port=1194 \
protocol=tcp
add action=accept chain=input comment="ALLG. | DHCPv6 per WAN erlauben. Wenn m\
glich bei Src. Address den DHCP-Server angeben!" dst-port=546 \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp src-port=547
# NOTE(review): dropping *all* ICMPv6 from the uplink also drops neighbor
# discovery, router advertisements and packet-too-big, which IPv6 needs to
# function on the link. Latent while IPv6 on the PPPoE link is disabled;
# restrict to echo-request before enabling it.
add action=drop chain=input comment="ALLG. | Ping von WAN verbieten" \
in-interface="PPPOE : Grafschafter-Breitband" protocol=icmpv6
add action=drop chain=input comment="ALLG. | Ungltige Verbindungen verbieten" \
connection-state=invalid
add action=drop chain=input comment="WAN -> FW | Neue Verbindungen verbieten" \
connection-state=new in-interface="PPPOE : Grafschafter-Breitband"
# All ICMPv6 is forwarded unconditionally; new connections from LAN are
# accepted, new ones from WAN dropped.
add action=accept chain=forward comment="ALLG. | Ping erlauben" protocol=\
icmpv6
add action=accept chain=forward comment=\
"ALLG. | Aufgebaute Verbindungen gestatten" connection-state=\
established,related
add action=accept chain=forward comment=\
"ALLG. | Aufgebaute Verbindungen von intern erlauben" connection-state=\
new in-interface-list=LAN
add action=drop chain=forward comment=\
"ALLG. | Ungltige Verbindungen verwerfen" connection-state=invalid
add action=drop chain=forward comment=\
"WAN -> FW | Neue Verbindungen verwerfen" connection-state=new \
in-interface="PPPOE : Grafschafter-Breitband"
# RouterOS default IPv6 rule set (defconf), appended after the custom block.
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
in-interface="PPPOE : Grafschafter-Breitband" protocol=udp
add action=accept chain=input comment="defconf: accept IPSec AH" \
in-interface="PPPOE : Grafschafter-Breitband" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept IPSec ESP" \
in-interface="PPPOE : Grafschafter-Breitband" protocol=ipsec-esp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment=\
"defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# no_forward_ipv6 is referenced here but no such address list appears in
# this export; the two rules match nothing until it is populated.
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" \
dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" \
protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
# Router advertisements (all disabled), announcing the same link-local DNS
# server as /ip dns.
/ipv6 nd
set [ find default=yes ] disabled=yes dns=fe80::6f07:1e68:895b:b427 \
interface="Bridge : Haus-A" other-configuration=yes
add disabled=yes interface="Bridge : Haus-B"
add disabled=yes interface="Bridge - Global-Lan"
/ipv6 nd prefix default
set preferred-lifetime=12h valid-lifetime=1d
# Single OpenVPN account; authentication is certificate-based per the
# ovpn-server settings, the secret itself is not in the export.
/ppp secret
add name=vpnuser profile=vpn service=ovpn
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=MikroTik-RB4011
/system leds
set 0 type=off
# NTP client against two fixed servers; the NTP server (manycast) is
# configured but not enabled here.
/system ntp client
set enabled=yes
/system ntp server
set manycast=yes
/system ntp client servers
add address=85.10.240.253
add address=88.99.86.9
# channel=testing pulls pre-release builds onto a production router. The
# export header shows RouterOS 7.3.1 on a Sept 2024 date, which is many
# releases behind the stable / long-term branches; switch to stable and
# update -- a perimeter device this old misses a long list of fixes.
/system package update
set channel=testing
/system resource irq rps
set sfp-sfpplus1 disabled=no
# Scheduled jobs. The DynDNS and Prefix-update entries run with nearly every
# policy (ftp, reboot, policy, password, sensitive, romon ...), which is far
# more than "/system script run" of those scripts needs; "policy" and
# "password" in particular amount to full admin. read,write,test should
# cover what the script bodies do -- confirm on the router and trim.
/system scheduler
add interval=6h name="DynDNS abrufen" on-event=\
"/system script run Strato-DynDNS" policy=\
ftp,read,write,policy,test,password,sniff,sensitive,romon start-date=\
dec/31/2020 start-time=09:00:00
# Forced PPPoE reconnect daily at 03:30 (runs Internet-Zwangstrennung).
add interval=1d name="Internet Zwangstrennung" on-event=\
"/system script run Internet-Zwangstrennung" policy=read,write \
start-date=jul/20/2022 start-time=03:30:00
add interval=2h name=Prefix-update on-event=\
"/system script run Prefix-update" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=aug/03/2022 start-time=00:00:00
# Scripts. Same over-broad policy sets as in the scheduler (see there).
/system script
# Strato DynDNS updater: reads the PPPoE address, strips the prefix length,
# and if it differs from the cached global ipddns calls the Strato update URL
# with HTTP basic credentials, then deletes the response file.
# - Credentials are redacted in the post but live in clear text in the
#   script source on the router.
# - /tool fetch is called with mode=https but without check-certificate=,
#   so the server certificate is not verified (RouterOS default); with the
#   CA imported, check-certificate=yes makes sure the credentials only go to
#   the real endpoint.
# - ipddns is a global that survives only until reboot, so the first run
#   after a restart always sends an update.
add dont-require-permissions=no name=Strato-DynDNS owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
global ddnsuser \"dXXXdXXXXX.de\"\r\
\n:global ddnspass \"XXXXXXXXXX\"\r\
\n:global theinterface \"PPPOE : Grafschafter-Breitband\"\r\
\n:global ddnshost1 \"dXXXdXXXXX.de\"\r\
\n\r\
\n\r\
\n:global ipddns\r\
\n:global ipfresh [/ip address get [find where interface=\$theinterface] v\
alue-name=address] \r\
\n\r\
\n:if ([ :typeof \$ipfresh ] = nil ) do={\r\
\n\r\
\n :log info (\"DynDNS: No ip address on \$theinterface .\")\r\
\n\r\
\n} else={\r\
\n\r\
\n :for i from=( [:len \$ipfresh] - 1) to=0 do={ \r\
\n\r\
\n :if ( [:pick \$ipfresh \$i] = \"/\") do={ \r\
\n\r\
\n :set ipfresh [:pick \$ipfresh 0 \$i];\r\
\n\r\
\n } \r\
\n }\r\
\n\r\
\n :if (\$ipddns != \$ipfresh) do={\r\
\n\r\
\n :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\r\
\n :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\r\
\n :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\r\
\n\r\
\n :global str1 \"/nic/update\\\?hostname=\$ddnshost1&myip=\$ipfres\
h\"\r\
\n /tool fetch address=dyndns.strato.com src-path=\$str1 user=\$ddn\
suser password=\$ddnspass mode=https dst-path=(\"/DynDNS.\".\$ddnshost1)\r\
\n\r\
\n :delay 1\r\
\n\r\
\n :global str1 [/file find name=\"DynDNS.\$ddnshost1\"];\r\
\n /file remove \$str1\r\
\n :global ipddns \$ipfresh\r\
\n :log info \"DynDNS: IP updated to \$ipfresh!\"\r\
\n\r\
\n } else={\r\
\n\r\
\n :log info \"DynDNS: dont need changes\";\r\
\n\r\
\n }\r\
\n}"
# Forced reconnect: disables the PPPoE client, waits 10 s, re-enables it.
# Runs with read,write only -- the right size for what it does.
add dont-require-permissions=no name=Internet-Zwangstrennung owner=admin \
policy=read,write source="/interface pppoe-client disable [find name=\"PPP\
OE : Grafschafter-Breitband\"]\r\
\n\r\
\n:delay 10000ms\r\
\n\r\
\n/interface pppoe-client enable [find name=\"Grafschafter-Breitband\"]"
# IPv6 prefix-change handler: compares the current pool-ipv6 prefix with the
# cached global oldV6, parks a changed prefix in address list oldV6 for 2h
# and re-advertises it with zero lifetimes so clients drop it. Dormant while
# the DHCPv6 client is disabled; note that the "/ipv6 pool get" line is not
# inside a :do/on-error block, so it presumably errors out each run until
# pool-ipv6 exists -- confirm in the log.
add dont-require-permissions=no name=Prefix-update owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
log info \"IPv6 Check Start\";\r\
\n# run this script 2 hour at most for remove any address old;\r\
\n# till MikroTik fix [ipv6 fir add timeout] bug\r\
\n:do {\r\
\n :ipv6 fir addr remove [/ipv6 fir addr find timeout=0s and list=oldV6]\
\r\
\n} on-error={}\r\
\n\r\
\n# poolname is the name of the IPv6 pool that contained the prefix you go\
t from the ISP.\r\
\n:local poolname \"pool-ipv6\";\r\
\n# intname is the interface where the pool is advertised.\r\
\n:local intname \"Bridge : Haus-A\";\r\
\n\r\
\n:global oldV6;\r\
\n:local newV6;\r\
\n:set newV6 [/ipv6 pool get \$poolname prefix];\r\
\n\r\
\n:if ([ :typeof \$oldV6 ] = \"nothing\") do={\r\
\n :set oldV6 \$newV6\r\
\n}\r\
\n\r\
\n:if (\$newV6 != \$oldV6) do={\r\
\n :log info \"Mismatch -- killing old prefix\";\r\
\n :log info \"Current -- \$newV6\";\r\
\n :log info \"Previous -- \$oldV6\";\r\
\n :do {\r\
\n :ipv6 fir add add list=oldV6 address=\$oldV6 timeout=2h;\r\
\n } on-error={}\r\
\n :set oldV6 \$newV6;\r\
\n}\r\
\n\r\
\n:do {\r\
\n :ipv6 nd prefix remove [/ipv6 nd prefix find (!dynamic)];\r\
\n} on-error={}\r\
\n:foreach oldipv6s in=[/ipv6 fir add find list=oldV6] do={\r\
\n :do {\r\
\n :ipv6 nd prefix add autonomous=yes disabled=no interface=\$intname o\
n-link=yes preferred-lifetime=0s prefix=[/ipv6 fir add get \$oldipv6s addr\
ess] valid-lifetime=0s;\r\
\n } on-error={}\r\
\n}\r\
\n\r\
\n:log info \"IPv6 Check Stop\";"
# Service hygiene: bandwidth test server off, MAC-telnet/MAC-winbox and MAC
# ping disabled on all interfaces. The packet sniffer is pre-filtered on the
# Global-Lan bridge but not running.
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool sniffer
set filter-interface="Bridge - Global-Lan"
Content-ID: 668136
Url: https://administrator.de/contentid/668136
Das hiesige OpenVPN Tutorial hast du zu der Thematik gelesen?? 🤔
Stichwort push "route 192.168.5.0 255.255.255.0" – dieses Kommando muss um das 192.168.10.0/24er-Netz erweitert werden, damit der VPN-Server diese Route auf den OVPN-Client pusht. Ohne die Route schickt der Client Pakete für das 10er-Netz gar nicht erst in den Tunnel, weshalb die Forward-Regel auf dem Router nie greift. Natürlich nur, sofern du im Split-Tunneling-Modus unter OpenVPN arbeitest und nicht mit Gateway-Redirect?!
https://forum.mikrotik.com/viewtopic.php?t=208191
Vielleicht auch einmal eine günstige Gelegenheit, vom etwas in die Jahre gekommenen OVPN auf das deutlich performantere WireGuard umzusteigen, wo die obige Lösung nur ein simpler Netzwerk-Eintrag ist. 😉
Nebenbei: Google-DNS-Server, die alle deine persönlichen Surfgewohnheiten abschnorcheln und mit Dritten weltweit vermarkten, verwenden nicht einmal mehr Dummies heutzutage.
Stichwort push "route 192.168.5.0 255.255.255.0" Kommando was um das .10.0 /24er Netz erweitert werden muss damit der VPN Server diese Route auf den OVPN Client pusht. Natürlich nur sofern du im Split Tunneling Mode unter OpenVPN arbeitest und nicht mit Gateway Redirect?!
https://forum.mikrotik.com/viewtopic.php?t=208191
Vielleicht auch einmal eine günstige Gelegenheit vom etwas in die Jahre gekommenen OVPN auf das deutlich performantere Wireguard umzusteigen wo die obige Lösung nur ein simpler Netzwerk Eintrag ist. 😉
Nebenbei: Google DNS Server die alle deine persönlichen Surfgewohnheiten abschnorcheln und mit Dritten weltweit vermarkten verwenden nicht einmal mehr Dummies heutzutage.
Da die Frage ja gelöst ist, bitte noch den Beitrag als gelöst markieren. Und fairerweise dann die Antwort von @aqui als Lösung markieren, und nicht Deine eigene 😉