我在 Mikrotik 上设置了一个 L2TP VPN 服务器。当我在路由器后面时,连接到 VPN 是可行的,但是一旦我从 WAN 端连接,它就不行了。我记录了我的防火墙,看看我是否使用默认丢弃规则丢弃了它,结果是:
WANDROP input: in:ether1-gateway out:(none), src-mac 00:00:5e:00:01:66, proto UDP, 5.6.7.8:38211->1.2.3.4:500, len 412
但我的规则是这样的:
add action=accept chain=input dst-address=1.2.3.4 dst-port=500,1701,4500 in-interface=ether1-gateway log=yes protocol=udp src-address=0.0.0.0
add action=accept chain=input dst-address=1.2.3.4 in-interface=ether1-gateway log=yes protocol=ipsec-esp src-address=0.0.0.0
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway log=yes log-prefix=WANDROP
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway log=yes log-prefix=DROP
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1.2.3.4 dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.232 to-ports=80
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
不确定我做错了什么或者遗漏了什么。
答案1
您的接受规则将源地址设置为 ,0.0.0.0不带掩码,这就是它们不匹配任何内容的原因。如果您有0.0.0.0,路由器会尝试仅匹配特定0.0.0.0地址的数据包。由于您想匹配所有内容(我假设),因此应该是0.0.0.0/0。