Community discussions

MikroTik App
  4. RouterOS
  5. Forwarding Protocols

VPN Issues with Autofailover

Post Reply
 
sambo521
just joined
Topic Author
Posts: 12
Joined: Thu Dec 06, 2012 11:09 pm

VPN Issues with Autofailover

Tue Nov 06, 2018 10:03 pm

Hey Guys,
Been beating myself up over why I cant get my VPN to work correctly after I setup a Three WAN autofailover.
I can open up a VPN connection to said router no problem. I do a whats my ip on the PC connected to the router via VPN and it reports the correct IP on said router. I can browse the internet also just fine.
What I cant do is make any local connections on said routers side as well as unable to connect to router itself using local address.
I really am not sure which way to go with this.

I have added my setup for you guys to see and see if I can get this working.
Thanks in advance.


# nov/06/2018 14:53:59 by RouterOS 6.43.4
# software id = 02I2-SBD9
#
# model = RB1100x4
# serial number = 91D80979CDFD
/interface ethernet
set [ find default-name=ether1 ] name=1-House speed=100Mbps
set [ find default-name=ether2 ] name=2-CODECS speed=100Mbps
set [ find default-name=ether3 ] name=3-Access-Points speed=100Mbps
set [ find default-name=ether11 ] auto-negotiation=no name=11-ATT-PRI-2nd \
speed=100Mbps
set [ find default-name=ether12 ] name=12-Broadwave-Main speed=100Mbps
set [ find default-name=ether13 ] name=13-ATT-FIBER-3rd speed=100Mbps
set [ find default-name=ether4 ] disabled=yes speed=100Mbps
set [ find default-name=ether5 ] disabled=yes speed=100Mbps
set [ find default-name=ether6 ] disabled=yes speed=100Mbps
set [ find default-name=ether7 ] disabled=yes speed=100Mbps
set [ find default-name=ether8 ] disabled=yes speed=100Mbps
set [ find default-name=ether9 ] disabled=yes speed=100Mbps
set [ find default-name=ether10 ] disabled=yes speed=100Mbps
/interface list
add name=wan
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
add enc-algorithms=aes-256-cbc,3des lifetime=8h name=proposal1 pfs-group=none
/ip pool
add name=House-DHCP ranges=172.16.1.200-172.16.1.240
add name=Access-Point-DHCP ranges=192.168.10.100-192.168.10.250
add name=CODECS ranges=192.168.1.200-192.168.1.250
/ip dhcp-server
add address-pool=House-DHCP disabled=no interface=1-House name=House
add address-pool=Access-Point-DHCP disabled=no interface=3-Access-Points \
name=Access-Point
add address-pool=CODECS disabled=no interface=2-CODECS name=CODECS
/ppp profile
add dns-server=172.16.0.1,8.8.8.8 local-address=172.16.0.1 name=L2TP-Profile \
remote-address=House-DHCP
set *FFFFFFFE dns-server=172.16.0.1,8.8.8.8 local-address=172.16.0.1 \
remote-address=House-DHCP
/interface l2tp-server server
set authentication=chap,mschap2 enabled=yes ipsec-secret=Engineering777XDX
/interface list member
add interface=11-ATT-PRI-2nd list=wan
add interface=12-Broadwave-Main list=wan
add interface=13-ATT-FIBER-3rd list=wan
/interface pptp-server server
set default-profile=L2TP-Profile enabled=yes
/ip address
add address=172.16.0.1/23 interface=1-House network=172.16.0.0
add address=192.168.10.1/24 interface=3-Access-Points network=192.168.10.0
add address=162.251.176.148/29 interface=12-Broadwave-Main network=\
162.251.176.144
add address=192.168.1.1/24 interface=2-CODECS network=192.168.1.0
add address=12.186.95.210/29 interface=11-ATT-PRI-2nd network=12.186.95.208
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=13-ATT-FIBER-3rd
/ip dhcp-server network
add address=172.16.0.0/23 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.0.1
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1
add address=192.168.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.10.1
/ip dns
set servers=8.8.8.8,8.8.4.4

/ip firewall filter
add action=drop chain=input comment="RDC 3389 DROP" dst-port=3389 log=yes \
log-prefix="RDC 3389 DROP" protocol=tcp src-address-list=blacklist
add action=drop chain=input comment="Blacklist Drop Input" log-prefix=\
"Blacklist Drop Input" src-address-list=blacklist
add action=drop chain=forward comment="Blacklist Drop Forward" log-prefix=\
"Blacklist Drop Forward" src-address-list=blacklist
add action=drop chain=forward comment=\
"Drop invalid connections through router" connection-state=invalid
add action=drop chain=input dst-port=53 in-interface=11-ATT-PRI-2nd protocol=\
udp
add action=drop chain=input dst-port=53 in-interface=13-ATT-FIBER-3rd \
protocol=udp
add action=drop chain=input dst-port=53 in-interface=12-Broadwave-Main \
protocol=udp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=input protocol=icmp
add action=accept chain=forward protocol=icmp
add action=accept chain=input dst-port=53 in-interface=!11-ATT-PRI-2nd \
protocol=udp
add action=accept chain=input dst-port=53 in-interface=!12-Broadwave-Main \
protocol=udp
add action=accept chain=input dst-port=53 in-interface=!13-ATT-FIBER-3rd \
protocol=udp
add action=add-src-to-address-list address-list=blacklist \
address-list-timeout=4w2d chain=input connection-state=new dst-port=22-23 \
in-interface-list=wan protocol=tcp src-address-list=ssh
add action=add-src-to-address-list address-list=ssh address-list-timeout=10m \
chain=input connection-state=new dst-port=22-23 in-interface-list=wan \
protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat dst-address=172.16.0.0/23
add action=masquerade chain=srcnat dst-address=192.168.10.1
add action=masquerade chain=srcnat dst-address=192.168.1.1
add action=masquerade chain=srcnat out-interface=11-ATT-PRI-2nd
add action=masquerade chain=srcnat out-interface=12-Broadwave-Main
add action=masquerade chain=srcnat out-interface=13-ATT-FIBER-3rd \
out-interface-list=all
add action=dst-nat chain=dstnat comment="WKWF Tieline 8040" dst-port=8040 \
log=yes log-prefix="wkwf tieline" protocol=tcp to-addresses=192.168.1.40 \
to-ports=80
add action=dst-nat chain=dstnat comment="Sugarlaoaf PIRA 8107" dst-port=8107 \
log=yes log-prefix="Sugarloaf PIRA" protocol=tcp to-addresses=\
172.16.0.107 to-ports=8107
add action=dst-nat chain=dstnat comment="MODEM PC 9898" dst-port=9898 log=yes \
log-prefix="MODEM PC VNC" protocol=tcp to-addresses=172.16.0.107 \
to-ports=5900
add action=dst-nat chain=dstnat comment="Tanyas PC RDC 9939" dst-port=9939 \
log=yes log-prefix="Tanya's PC" protocol=tcp to-addresses=172.16.0.121 \
to-ports=3389
add action=dst-nat chain=dstnat comment="WWUS Comrex 8041" dst-port=8041 log=\
yes log-prefix="WWUS COMREX" protocol=tcp to-addresses=192.168.1.41 \
to-ports=80
add action=dst-nat chain=dstnat comment="WAVK Barix 8042" dst-port=8042 log=\
yes log-prefix="WAVK Barix" protocol=tcp to-addresses=192.168.1.42 \
to-ports=80
add action=dst-nat chain=dstnat comment="WCNK Barix 8043" dst-port=8043 \
protocol=tcp to-addresses=192.168.1.43 to-ports=80
add action=dst-nat chain=dstnat comment="TAV WCTH Barix 8044" dst-port=8044 \
log-prefix="WCTH Barix" protocol=tcp to-addresses=192.168.1.44 to-ports=\
80
add action=dst-nat chain=dstnat comment="TAV WFKZ Barix 8045" dst-port=8045 \
log-prefix="WFKZ Barix" protocol=tcp to-addresses=192.168.1.45 to-ports=\
80
add action=dst-nat chain=dstnat comment="TAV Air Mon TCP 8046" dst-port=8046 \
log=yes log-prefix="TAV AIR MON Barix" protocol=tcp to-addresses=\
192.168.1.46 to-ports=80
add action=dst-nat chain=dstnat comment="WFKZ Remote VNC 6184" dst-port=6184 \
log=yes log-prefix="WFKZ VNC " protocol=tcp to-addresses=172.16.0.184 \
to-ports=5900
add action=dst-nat chain=dstnat comment="MODEM PC VNC 6107" dst-port=6107 \
log=yes log-prefix="MODEM PC VNC " protocol=tcp to-addresses=172.16.0.107 \
to-ports=5900
/ip firewall raw
add action=drop chain=prerouting disabled=yes log=yes log-prefix=\
"Preroute Blacklist" src-address-list=blacklist
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp generate-policy=port-override \
passive=yes secret=Engineering777XDX
/ip route
add check-gateway=ping distance=1 gateway=1.1.1.1 routing-mark=wan1
add check-gateway=ping distance=2 gateway=1.0.0.1 routing-mark=wan1
add check-gateway=ping distance=3 gateway=4.2.2.4 routing-mark=wan1
add distance=1 dst-address=172.16.0.0/23 gateway=1-House pref-src=172.16.0.1 \
routing-mark=wan1 scope=10
add distance=1 dst-address=192.168.1.0/24 gateway=2-CODECS pref-src=\
192.168.1.1 routing-mark=wan1 scope=10
add distance=1 dst-address=192.168.10.0/24 gateway=3-Access-Points pref-src=\
192.168.10.1 routing-mark=wan1 scope=10
add check-gateway=ping distance=1 gateway=162.251.176.145
add check-gateway=ping distance=2 gateway=12.186.95.209
add check-gateway=ping distance=3 gateway=108.90.36.1
add distance=1 dst-address=1.0.0.1/32 gateway=12.186.95.209 scope=10
add distance=1 dst-address=1.1.1.1/32 gateway=162.251.176.145 scope=10
add distance=1 dst-address=4.2.2.4/32 gateway=108.90.36.1 scope=10
/ip route rule
add dst-address=0.0.0.0/0 src-address=172.16.0.0/23 table=wan1
add dst-address=0.0.0.0/0 src-address=192.168.0.0/16 table=wan1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add name=XXXXXXXXX password=XXXXXXXXXprofile=L2TP-Profile service=pptp
/system clock
set time-zone-name=America/New_York
/system identity
set name=KW-Sugarloaf-Router
/system routerboard settings
set silent-boot=no
/system scheduler
add comment="Download spamnaus list" interval=3d name=DownloadSpamhausList \
on-event=DownloadSpamhaus policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/1970 start-time=18:59:43
add comment="Apply spamnaus List" interval=3d name=InstallSpamhausList \
on-event=ReplaceSpamhaus policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/1970 start-time=19:04:43
add comment="Download dshield list" interval=3d name=DownloadDShieldList \
on-event=Download_dshield policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/1970 start-time=19:09:43
add comment="Apply dshield List" interval=3d name=InstallDShieldList \
on-event=Replace_dshield policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/1970 start-time=19:14:43
add comment="Download malc0de list" interval=3d name=Downloadmalc0deList \
on-event=Download_malc0de policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/1970 start-time=19:09:43
add comment="Apply malc0de List" interval=3d name=Installmalc0deList \
on-event=Replace_malc0de policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=jan/01/1970 start-time=19:14:43
/system script
add dont-require-permissions=no name=DownloadSpamhaus owner=Engineer policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
\n/tool fetch url=\"http://joshaven.com/spamhaus.rsc\" mode=http;\
\n:log info \"Downloaded spamhaus.rsc from Joshaven.com\";\
\n"
add dont-require-permissions=no name=ReplaceSpamhaus owner=Engineer policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
\n/ip firewall address-list remove [find where comment=\"SpamHaus\"]\
\n/import file-name=spamhaus.rsc;\
\n:log info \"Removed old Spamhaus records and imported new list\";\
\n"
add dont-require-permissions=no name=Download_dshield owner=Engineer policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
\n/tool fetch url=\"http://joshaven.com/dshield.rsc\" mode=http;\
\n:log info \"Downloaded dshield.rsc from Joshaven.com\";\
\n"
add dont-require-permissions=no name=Replace_dshield owner=Engineer policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
\n/ip firewall address-list remove [find where comment=\"DShield\"]\
\n/import file-name=dshield.rsc;\
\n:log info \"Removed old dshield records and imported new list\";\
\n"
add dont-require-permissions=no name=Download_malc0de owner=Engineer policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
\n/tool fetch url=\"http://joshaven.com/malc0de.rsc\" mode=http;\
\n:log info \"Downloaded malc0de.rsc from Joshaven.com\";\
\n"
add dont-require-permissions=no name=Replace_malc0de owner=Engineer policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
\n/ip firewall address-list remove [find where comment=\"malc0de\"]\
\n/import file-name=malc0de.rsc;\
\n:log info \"Removed old malc0de records and imported new list\";\
\n"
/tool e-mail
set address=209.209.217.166 from=KWROUTER@rpengmnro.com
/tool netwatch
add down-script="/tool e-mail send to=\"engineer@rpengmnro.com\" subject=\"KW \
Router Status Change\" body=\"ATT FIBER LINK DOWN\"\r\
\n:log info \"ATT FIBER LINK Email Notification\"" host=108.90.36.1 \
up-script="/tool e-mail send to=\"engineer@rpengmnro.com\" subject=\"KW Ro\
uter Status Change\" body=\"Main Link UP\"\r\
\n:log info \"Main Link UP Email notification\""
add down-script="/tool e-mail send to=\"engineer@rpengmnro.com\" subject=\"KW \
Router Status Change\" body=\"BROADWAVE LINK DOWN\"\r\
\n:log info \"BROADWAVE LINK DOWN Email notification\"" host=\
162.251.176.145 up-script="/tool e-mail send to=\"engineer@rpengmnro.com\"\
\_subject=\"KW Router Status Change\" body=\"BROADWAVE LINK UP\"\r\
\n:log info \"BROADWAVE LINK UP Email notification\""
add down-script="/tool e-mail send to=\"engineer@rpengmnro.com\" subject=\"KW \
Router Status Change\" body=\"ATT PRI LINK DOWN\"\r\
\n:log info \"ATT PRI LINK DOWN Email notification\"" host=12.186.95.209 \
up-script="/tool e-mail send to=\"engineer@rpengmnro.com\" subject=\"KW Ro\
uter Status Change\" body=\"ATT PRI LINK UP\"\r\
\n:log info \"ATT PRI LINK UP Email notification\""
Top
Post Reply
  4. RouterOS
  5. Forwarding Protocols