AlejandroRh
just joined
Topic Author
Posts: 4
Joined: Sat Feb 10, 2024 10:02 pm

2 Wan with load and VPN

Wed Apr 10, 2024 7:18 pm

Hi guys, I have a problem with this; first of all, I post the config.
# software id = 8MS4-GGM7
#
# model = RB2011iL
# serial number = HE508PC94SW

/ip pool
add name=VPN_PORT5 ranges=192.168.10.2-192.168.10.50
add name=Red_Taller ranges=192.168.20.10-192.168.20.100
add name=DHCP2 ranges=192.168.1.150-192.168.1.200

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=Vegafibra interface=WAN1 list=WAN
add comment=Telfy interface=WAN2 list=WAN
add comment="Red conexiones VPN" interface=Red_VPN_Port5 list=LAN
add comment="Red privada taller" interface=RED_Taller list=LAN

/ip address
add address=192.168.1.1/24 comment=defconf interface=bridge network=192.168.1.0
add address=192.168.120.5/24 interface=WAN2 network=192.168.120.0
add address=192.168.100.2/24 interface=WAN1 network=192.168.100.0
add address=192.168.10.1/24 interface=Red_VPN_Port5 network=192.168.10.0
add address=192.168.20.1/24 interface=RED_Taller network=192.168.20.0

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="allow IPsec NAT" disabled=yes dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 in-interface=WAN2 protocol=tcp
add action=accept chain=input comment=sstp disabled=yes dst-port=443 in-interface=WAN1 protocol=tcp
add action=accept chain=input disabled=yes dst-port=1723 in-interface=WAN2 protocol=tcp
/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.100.0/24 in-interface=bridge
add action=accept chain=prerouting dst-address=192.168.120.0/24 in-interface=bridge
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN1 new-connection-mark=WAN1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=WAN1_conn \
    per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridge new-connection-mark=WAN2_conn passthrough=\
    yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=bridge new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=bridge new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2
add action=passthrough chain=prerouting
add action=passthrough chain=forward
add action=passthrough chain=postrouting

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface=WAN1 src-address-type=""
add action=masquerade chain=srcnat out-interface=WAN2 src-address-type=""

/ip route
add check-gateway=ping distance=1 gateway=192.168.100.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.120.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=192.168.100.1
add distance=2 gateway=192.168.120.1

/ip route rule
add dst-address=192.168.100.0/24 routing-mark=to_WAN1 table=to_WAN1
add dst-address=192.168.120.0/24 routing-mark=to_WAN2 table=to_WAN2


The thing is that I can't get the VPN to work. I have seen in another post that you cannot have both things working at the same time, but it seems very strange to me. The VPN I tried is PPTP, but any other one is fine for me except SSTP, because I need port 443 for another service.

Can someone help me please?

Sorry if some of the configuration is not exported correctly; this is the first time I use it.
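Whether a VPN connection from the internet ever reaches the "allow pptp" rule depends only on the order of the posted input chain, and that is easy to check by replaying a packet through the rules. The script below is an added example, not code from the post or from MikroTik: it parses the input-chain lines exactly as exported above (embedded as constructed input), walks them top to bottom the way RouterOS evaluates a chain, and reports which rule decides the fate of a new TCP/1723 SYN arriving on WAN2. It assumes the interface lists from the /interface list member section, models only the matchers those rules actually use (any other matcher raises instead of silently passing), and treats the end of a chain as an implicit accept, which is the RouterOS default. The move_before helper is a hypothetical name standing in for what `/ip firewall filter move` does on the router.

```python
"""Replay RouterOS /ip firewall filter rules against a synthetic packet.

Added example, not code from the post or from MikroTik. Assumptions: rules in
a chain are evaluated top to bottom in export order, the first rule whose
matchers all fit decides the packet when its action is accept or drop, and a
packet that reaches the end of the chain is accepted (RouterOS default).
"""
import shlex

# Constructed input: the input-chain rules of the posted export, in the
# order the export lists them (the order RouterOS evaluates them in).
INPUT_CHAIN = """
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=input comment="allow IPsec NAT" disabled=yes dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 in-interface=WAN2 protocol=tcp
add action=accept chain=input comment=sstp disabled=yes dst-port=443 in-interface=WAN1 protocol=tcp
add action=accept chain=input disabled=yes dst-port=1723 in-interface=WAN2 protocol=tcp
"""

# Interface lists taken from the posted /interface list member section.
INTERFACE_LISTS = {
    "LAN": {"bridge", "Red_VPN_Port5", "RED_Taller"},
    "WAN": {"WAN1", "WAN2"},
}


def parse_rules(text):
    """Turn `add key=value ...` export lines into dicts; shlex keeps the
    quoted comments whole."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if not tokens or tokens[0] != "add":
            continue
        rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules


def _match(key, value, pkt):
    """Evaluate one matcher. Unknown matchers raise, so a condition this
    model does not understand can never silently count as a match."""
    if key == "connection-state":
        return pkt["connection_state"] in value.split(",")
    if key == "protocol":
        return pkt["protocol"] == value
    if key == "dst-port":
        return pkt.get("dst_port") == int(value)
    if key == "dst-address":
        return pkt["dst_address"] == value
    if key == "in-interface":
        return pkt["in_interface"] == value
    if key == "in-interface-list":
        negate = value.startswith("!")
        member = pkt["in_interface"] in INTERFACE_LISTS[value.lstrip("!")]
        return member != negate
    raise NotImplementedError(f"matcher {key!r} is not modelled")


def first_match(rules, pkt):
    """Return (action, position, comment) of the rule that decides `pkt`.
    `position` is the 1-based index of that rule within its chain."""
    pos = 0
    for rule in rules:
        if rule.get("chain") != pkt["chain"]:
            continue
        pos += 1
        if rule.get("disabled") == "yes":
            continue  # disabled rules keep their slot but never match
        matchers = {k: v for k, v in rule.items()
                    if k not in ("action", "chain", "comment", "disabled")}
        if all(_match(k, v, pkt) for k, v in matchers.items()):
            if rule["action"] in ("accept", "drop"):
                return rule["action"], pos, rule.get("comment", "")
    return "accept", None, "end of chain (implicit accept)"


def move_before(rules, comment, before_comment):
    """Hypothetical helper: a copy of `rules` with the rule carrying
    `comment` placed just above the rule carrying `before_comment`, which
    is what `/ip firewall filter move` does on the router."""
    moved = next(r for r in rules if r.get("comment") == comment)
    rest = [r for r in rules if r is not moved]
    idx = next(i for i, r in enumerate(rest) if r.get("comment") == before_comment)
    return rest[:idx] + [moved] + rest[idx:]


# Constructed packet: a new PPTP control connection arriving from the
# internet on WAN2, addressed to the router's own WAN2 address.
PPTP_SYN = dict(chain="input", protocol="tcp", dst_port=1723, in_interface="WAN2",
                connection_state="new", dst_address="192.168.120.5")

if __name__ == "__main__":
    rules = parse_rules(INPUT_CHAIN)
    print("exported order:", first_match(rules, PPTP_SYN))
    fixed = move_before(rules, "allow pptp", "defconf: drop all not coming from LAN")
    print("accept moved up:", first_match(fixed, PPTP_SYN))
```

Run as-is, the script prints the deciding rule for the exported order (the generic "drop all not coming from LAN" rule, which sits above every VPN accept rule) and then for the order with the PPTP accept rule moved above it. The same check applies to whichever VPN type is finally chosen: an accept rule for a service reachable from the WAN only works if it is placed above the rule that drops everything not coming from LAN. PPTP itself is also worth avoiding where another option exists, since its MS-CHAPv2 authentication is known to be breakable.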
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: 2 Wan with load and VPN

Thu Apr 18, 2024 7:47 pm

What type of VPN are you using? Do you have a publicly reachable WAN (WAN1, WAN2, or both)?
What type of interface is RED_Taller, a port?

Is the VPN port simply identifying which users will be going out over the VPN?

What type of VPN is it: remote users coming in to your router, or a third-party VPN used to send users out to a different internet location?
