LINUX.ORG.RU

Posts by onixzz


No access to the local network behind the MikroTik.

Forum — Admin

L2TP and OVPN servers are running on the VPS. An L2TP client is running on the MikroTik. The home PC is an OVPN client. Pings from the MikroTik to the VPN client go through. From the VPN client only the MikroTik's L2TP interface is pingable; pings to the MikroTik's local network (bridge-local) do not go through. What's wrong?

Routes on the server.

netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         55.83.62.1      0.0.0.0         UG        0 0          0 eth0
55.83.62.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.10.10.0      0.0.0.0         255.255.255.0   U         0 0          0 tun0
10.10.11.2      0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
10.10.12.0      0.0.0.0         255.255.255.0   U         0 0          0 ppp0

iptables -n -L -v --line-numbers
Chain INPUT (policy ACCEPT 14 packets, 1777 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     3148  427K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2        9  5114 ACCEPT     all  --  *      *       10.10.11.0/29        0.0.0.0/0           
3        1    84 ACCEPT     all  --  *      *       0.0.0.0/0            10.10.11.0/29      
4        0     0 TCPMSS     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x02 TCPMSS clamp to PMTU
5        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            state INVALID

Chain OUTPUT (policy ACCEPT 14 packets, 1620 bytes)
num   pkts bytes target     prot opt in     out     source               destination

ip_forward = 1

Routes on the OVPN client
$ route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.10.11.0      10.10.10.1      255.255.255.0   UG    0      0        0 tun0
10.10.12.0      0.0.0.0         255.255.255.0   UH    0      0        0 tun0

Traceroute from the VPN client to the MikroTik's local network
~$ traceroute 10.10.12.24
traceroute to 10.10.12.24 (10.10.12.24), 30 hops max, 60 byte packets
 1  10.10.10.1 (10.10.10.1)  47.490 ms  94.475 ms  94.491 ms
 2  10.10.11.2 (10.10.11.2)  141.637 ms  141.668 ms  141.670 ms
 3  * * *
 4  * * *

Routes on the MikroTik.
#      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                         64.83.21.1                1
 1 ADC  64.83.21.0/22     64.83.21.12     eth1                      0
 2 AS   10.10.10.0/24                     l2tp-out1                 1
 3 ADC  10.10.11.1/32     10.10.11.2      l2tp-out1                 0
 4 ADC  10.10.12.0/24     10.10.12.1      bridge-local              0

Flags: X - disabled, I - invalid, D - dynamic
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward 

 1    ;;; drop ssh brute forcers
      chain=input action=drop protocol=tcp src-address-list=ssh_blacklist log=no log-prefix="" 

 2    ;;; record https brute forcers
      chain=input action=add-src-to-address-list protocol=tcp address-list=ssh_blacklist address-list-timeout=1h dst-port=443 log=yes 
      log-prefix=" --- HTTPS ATTEMPT --- " 

 3    ;;; record ssh brute forcers
      chain=input action=add-src-to-address-list protocol=tcp address-list=ssh_blacklist address-list-timeout=1h dst-port=22 log=yes 
      log-prefix=" --- SSH ATTEMPT --- " 

 4    ;;; record http brute forcers
      chain=input action=add-src-to-address-list protocol=tcp address-list=ssh_blacklist address-list-timeout=1h dst-port=80 log=yes 
      log-prefix=" --- HTTP ATTEMPT --- "  

 5    ;;; default configuration
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 6    ;;; default configuration
      chain=input action=accept connection-state=established,related log=no log-prefix="" 

 7    ;;; default configuration
      chain=input action=drop in-interface=eth1 log=no log-prefix="" 
 
 8    ;;; default configuration
      chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix="" 

 9    ;;; default configuration
      chain=forward action=accept connection-state=established,related log=no log-prefix="" 

10    ;;; default configuration
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

11    ;;; default configuration
      chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=eth1 log=no log-prefix="" 

12    ;;; Deny invalid connections
      chain=input action=drop connection-state=invalid log=no log-prefix=""

ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic  
 0    chain=srcnat action=masquerade out-interface=eth1 log=no 
      log-prefix="" 


onixzz
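Added example, not code from onixzz's post: a small Python script that parses the three route tables pasted above (the Linux netstat/route format and the RouterOS /ip route print format), performs longest-prefix lookups the way the kernel and RouterOS do, and checks that on every link of the client -> VPS -> MikroTik path the near hop routes 10.10.12.24 forward and the far hop routes the client's address back over the same interface. The OpenVPN client address 10.10.10.6 and the interface pairing of the two links are assumptions; the post does not state them. When it reports no problems, as it does for the tables shown, the routes are consistent in both directions, so the loss after 10.10.11.2 has to come from something the tables do not show (filter rules, NAT, connection tracking, or the target host itself), and that is where to look next.

```python
# Added example (not code from the post): longest-prefix lookups over the route
# tables pasted above, checking that on every link of the path each hop routes
# 10.10.12.24 forward AND the next hop routes the client's address back the same way.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str  # next-hop IP, "" for a directly connected route
    iface: str    # egress interface, "" when only a next-hop IP is known

def parse_linux(text: str) -> List[Route]:
    """Rows of `netstat -rn` / `route -n`: Destination Gateway Genmask ... Iface."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 8 or not cols[0][0].isdigit():
            continue  # title and header rows
        net = ipaddress.IPv4Network(f"{cols[0]}/{cols[2]}", strict=False)
        routes.append(Route(net, "" if cols[1] == "0.0.0.0" else cols[1], cols[-1]))
    return routes

def parse_routeros(text: str) -> List[Route]:
    """Rows of `/ip route print`: # FLAGS DST-ADDRESS [PREF-SRC] GATEWAY DISTANCE."""
    routes = []
    for line in text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].isdigit():
            continue
        flags, rest = ("", cols[1:]) if "/" in cols[1] else (cols[1], cols[2:])
        if "A" not in flags:
            continue  # only active routes are used for forwarding
        net, gw = ipaddress.IPv4Network(rest[0], strict=False), rest[-2]
        try:
            ipaddress.IPv4Address(gw)        # next-hop IP, interface resolved later
            routes.append(Route(net, gw, ""))
        except ValueError:                    # an interface name
            routes.append(Route(net, "", gw))
    return routes

def lookup(routes: List[Route], ip: str) -> Optional[Route]:
    """Longest-prefix match within one routing table."""
    addr = ipaddress.IPv4Address(ip)
    hits = [r for r in routes if addr in r.network]
    return max(hits, key=lambda r: r.network.prefixlen) if hits else None

def egress(routes: List[Route], ip: str, depth: int = 4) -> Optional[str]:
    """Interface a packet to `ip` leaves on, resolving next-hop IPs recursively."""
    r = lookup(routes, ip)
    if r is None or depth == 0:
        return None
    return r.iface or egress(routes, r.gateway, depth - 1)

def check_path(hops: list, links: list, src: str, dst: str) -> List[str]:
    """hops: [(name, routes), ...]; links: [(iface on hop i, iface on hop i+1), ...].
    Returns the problems found; an empty list means routing is symmetric on every link."""
    problems = []
    for i, (out_if, back_if) in enumerate(links):
        a_name, a_routes = hops[i]
        b_name, b_routes = hops[i + 1]
        fwd, back = egress(a_routes, dst), egress(b_routes, src)
        if fwd != out_if:
            problems.append(f"{a_name}: {dst} routed via {fwd!r}, expected {out_if!r}")
        if back != back_if:
            problems.append(f"{b_name}: return to {src} via {back!r}, expected {back_if!r}")
    return problems

# Constructed sample input: the three tables exactly as printed in the post.
CLIENT = """\
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 ppp0
10.10.10.0      0.0.0.0         255.255.255.0   U     0      0        0 tun0
10.10.11.0      10.10.10.1      255.255.255.0   UG    0      0        0 tun0
10.10.12.0      0.0.0.0         255.255.255.0   UH    0      0        0 tun0
"""
VPS = """\
0.0.0.0         55.83.62.1      0.0.0.0         UG        0 0          0 eth0
55.83.62.0      0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.10.10.0      0.0.0.0         255.255.255.0   U         0 0          0 tun0
10.10.11.2      0.0.0.0         255.255.255.255 UH        0 0          0 ppp0
10.10.12.0      0.0.0.0         255.255.255.0   U         0 0          0 ppp0
"""
MIKROTIK = """\
 0 ADS  0.0.0.0/0                         64.83.21.1                1
 1 ADC  64.83.21.0/22     64.83.21.12     eth1                      0
 2 AS   10.10.10.0/24                     l2tp-out1                 1
 3 ADC  10.10.11.1/32     10.10.11.2      l2tp-out1                 0
 4 ADC  10.10.12.0/24     10.10.12.1      bridge-local              0
"""
PATH = [("ovpn-client", parse_linux(CLIENT)), ("vps", parse_linux(VPS)),
        ("mikrotik", parse_routeros(MIKROTIK))]
LINKS = [("tun0", "tun0"), ("ppp0", "l2tp-out1")]  # client<->VPS, VPS<->MikroTik (assumed)
CLIENT_IP, TARGET = "10.10.10.6", "10.10.12.24"    # client IP assumed, target from the post

def routing_problems() -> List[str]:
    return check_path(PATH, LINKS, CLIENT_IP, TARGET)
```

Run it with `python3 -c "import routecheck; print(routecheck.routing_problems() or 'routing symmetric on every link')"` after saving the block as routecheck.py. The point of the `egress` helper is the recursive resolution: a RouterOS default route only names a next-hop IP, so the interface is found by looking that IP up again, which is also how you catch a route whose gateway is itself unreachable.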
