Hi, I have set up an IPsec connection between a head office and a couple of other store locations.
I also have created an L2TP + IPsec connection for people who work remotely.
But I have one issue: everyone can ping the server in the head office. The devices in the other locations which are connected by IPsec site-to-site, the remote laptop which connects via L2TP, and the other PCs in the head office.
The head office has a server and several PCs for workers.
But I don't know why I cannot ping the other devices of the headquarters. I cannot ping them from outside (other locations, remote) nor from the inside (I cannot ping from the server to PC1 in the same location, but I can ping from PC1 to the server).
I must have something wrong with the routes or the firewall but cannot figure out what.
This is the relevant configuration:
/interface bridge
add name=lan-ofic
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-pc1
set [ find default-name=ether3 ] name=ether3-SERVER
set [ find default-name=ether4 ] name=ether4-pc2
set [ find default-name=ether5 ] name=ether5-AP
/interface bridge port
add bridge=lan-ofic interface=ether2-pc1
add bridge=lan-ofic interface=ether3-SERVER
add bridge=lan-ofic interface=ether4-pc2
add bridge=lan-ofic interface=ether5-AP
/ip address
add address=xx.xxx.xx.xx/24 (public ip) comment="wan" interface=ether1-wan \
network=xxx.xxx.xxx.x
add address=192.168.1.1/24 comment=bridge interface=lan-ofic network=\
192.168.1.0
add address=192.168.1.2 comment="ether2" interface=ether2-pc1\
network=192.168.1.0
add address=192.168.1.3 comment="server ether3" interface=ether3-SERVER network=\
192.168.1.0
add address=192.168.1.4 comment="POS ether4" interface=ether4-pc2 network=\
192.168.1.0
add address=192.168.1.5 comment="AP TP LINK ether5" interface=ether5-AP \
network=192.168.1.0
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
/ip firewall filter
add action=accept chain=forward dst-address=192.168.1.0/24 protocol=icmp \
src-address=192.168.1.0/24
add action=accept chain=forward dst-address=192.168.1.0/24 protocol=icmp \
src-address=192.168.1.97
add action=accept chain=input dst-port=22 protocol=tcp src-address=192.168.1.100
add action=accept chain=input dst-port=22 protocol=tcp src-address-list=\
ssh-allowed
add action=accept chain=input dst-port=8728 protocol=tcp src-address-list=\
api-allowed
add action=drop chain=input dst-port=8728 protocol=tcp
add action=drop chain=input dst-port=22 protocol=tcp
add action=log chain=forward log-prefix="ICMP-from server" protocol=icmp \
src-address=192.168.1.97
/ip firewall nat
add action=accept chain=srcnat dst-address-list=192.168.1.0/24 src-address-list=\
192.168.1.0/24
add action=accept chain=srcnat dst-address=192.168.88.0/24 out-interface=\
ether1-wan src-address=192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1-wan
/ip route
add distance=1 gateway=xx.xxx.xxx.x (local gateway)
/ip service
set telnet disabled=yes
I have disabled all firewall rules, but that wasn't the problem.
Statistics: Posted by zezeme — Tue Jan 28, 2025 10:44 pm
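As an added example (not part of zezeme's post, and not a MikroTik tool), here is a small Python lint that reads a RouterOS export in the shape shown above and reports the three things a config reviewer checks first when hosts on one LAN cannot reach each other: an IP address placed on an interface that is a bridge port (RouterOS marks such addresses invalid; the address belongs on the bridge itself), an address given without a prefix length (RouterOS then stores it as /32), and a firewall `-address-list` parameter that carries a literal subnet instead of the name of a defined address list. The embedded `SAMPLE_EXPORT` is a constructed excerpt modelled on the post's export, with the same interface names; the parser and the `lint` function are assumptions of this example, not RouterOS APIs.

```python
"""Lint a RouterOS export for LAN-reachability mistakes (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed excerpt modelled on the forum post's export (continuations kept).
SAMPLE_EXPORT = r"""
/interface bridge
add name=lan-ofic
/interface bridge port
add bridge=lan-ofic interface=ether2-pc1
add bridge=lan-ofic interface=ether3-SERVER
add bridge=lan-ofic interface=ether4-pc2
add bridge=lan-ofic interface=ether5-AP
/ip address
add address=192.168.1.1/24 comment=bridge interface=lan-ofic network=\
192.168.1.0
add address=192.168.1.2 comment="ether2" interface=ether2-pc1\
network=192.168.1.0
add address=192.168.1.3 comment="server ether3" interface=ether3-SERVER network=\
192.168.1.0
/ip firewall nat
add action=accept chain=srcnat dst-address-list=192.168.1.0/24 src-address-list=\
192.168.1.0/24
add action=masquerade chain=srcnat out-interface=ether1-wan
"""

# key=value pairs; values may be quoted, and a continuation may leave a space after '='.
KV_RE = re.compile(r'([\w-]+)=\s*("[^"]*"|\S*)')
# A dotted IPv4 address with an optional /prefix (a literal subnet, not a list name).
CIDR_RE = re.compile(r'^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$')

Command = Tuple[str, str, Dict[str, str]]  # (section, verb, parameters)


def parse_export(text: str) -> List[Command]:
    """Join backslash continuations, then split into (section, verb, params)."""
    joined: List[str] = []
    pending = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):          # continuation: glue the next line on
            pending += line[:-1] + " "
            continue
        joined.append(pending + line)
        pending = ""
    commands: List[Command] = []
    section = ""
    for line in joined:
        if line.startswith("/"):         # a menu path opens a new section
            section = line
            continue
        verb, _, rest = line.partition(" ")
        params = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
        commands.append((section, verb, params))
    return commands


def lint(text: str) -> List[str]:
    """Return human-readable findings for the three checks described above."""
    cmds = parse_export(text)
    # Map every bridge port to its bridge so addresses on ports can be spotted.
    bridge_of = {p["interface"]: p["bridge"] for s, v, p in cmds
                 if s == "/interface bridge port" and v == "add" and "interface" in p}
    findings: List[str] = []
    for section, verb, p in cmds:
        if section == "/ip address" and verb == "add":
            addr, iface = p.get("address", ""), p.get("interface", "")
            if iface in bridge_of:
                findings.append(f"{addr} is assigned to {iface}, a port of bridge "
                                f"{bridge_of[iface]}; put the address on the bridge instead")
            if addr and "/" not in addr:
                findings.append(f"{addr} on {iface} has no prefix length; "
                                "RouterOS stores it as /32")
        elif section.startswith("/ip firewall") and verb == "add":
            for key, val in p.items():
                if key.endswith("-address-list") and CIDR_RE.match(val):
                    findings.append(f"{section}: {key}={val} names an address list; "
                                    f"for a literal subnet use {key[:-5]}={val}")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print("-", finding)
```

Run it against a full `/export` saved to a file by replacing `SAMPLE_EXPORT` with the file's contents; on the constructed excerpt it reports the two port-assigned addresses twice each (bridge port and missing prefix) and the two `-address-list` parameters in the NAT rule.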