Windows L2TP VPN 客户端没有 Internet

2024-5-31 • tag-icon

L2TP/IPSec VPN 服务器是 Mikrotik 路由器，具有以下防火墙配置：

/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; VPN L2TP port 500
      chain=input action=accept protocol=udp in-interface=pppoe-out1 
      dst-port=500 

 2    ;;; VPN L2TP port 1701
      chain=input action=accept protocol=udp in-interface=pppoe-out1 
      dst-port=1701 

 3    ;;; VPN L2TP port 4500
      chain=input action=accept protocol=udp in-interface=pppoe-out1 
      dst-port=4500 

 4    ;;; VPN L2TP IPSec
      chain=input action=accept protocol=ipsec-esp in-interface=pppoe-out1 

 5    ;;; VPN L2TP AH
      chain=input action=accept protocol=ipsec-ah in-interface=pppoe-out1 

 6    ;;; Allow all from VPN
      chain=input action=accept src-address-type=local 

 7    ;;; defconf: accept ICMP
      chain=input action=accept protocol=icmp log=no log-prefix="" 

 8    ;;; defconf: accept establieshed,related
      chain=input action=accept connection-state=established,related log=no 
      log-prefix="" 

 9    ;;; Drop SSH requests from outside
      chain=input action=drop protocol=tcp in-interface=pppoe-out1 
      dst-port=22 log=no log-prefix="" 

10    ;;; Drop Winbox connection from outside
      chain=input action=drop protocol=tcp in-interface=pppoe-out1 
      dst-port=8291 log=no log-prefix="" 

11    ;;; Drop UDP DNS requests from outside
      chain=input action=drop protocol=udp in-interface=pppoe-out1 
      dst-port=53 log=no log-prefix="" 

12    ;;; Drop TCP DNS requests from outside
      chain=input action=drop protocol=tcp dst-port=53 log=no log-prefix="" 

13    ;;; Allow ping from outside
      chain=input action=accept protocol=icmp dst-address=103.12.163.90 
      log=no log-prefix="" 

14    ;;; defconf: drop all from WAN
      chain=input action=drop in-interface=ether1 log=no log-prefix="" 

15    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection 
      connection-state=established,related log=no log-prefix="" 

16    ;;; defconf: accept established,related
      chain=forward action=accept connection-state=established,related log=no 
      log-prefix="" 

17    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

18    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface=ether1 log=no log-prefix="" 

/ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=masquerade out-interface=pppoe-out1 log=no 
      log-prefix="" 

 1    ;;; HTTPS remote access
      chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=900 
      protocol=tcp in-interface=pppoe-out1 dst-port=900 log=no log-prefix="" 

 2    ;;; HTTP remote access
      chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=443 
      protocol=tcp in-interface=pppoe-out1 dst-port=443 log=no log-prefix="" 

 3    ;;; HTTP remote access
      chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=80 
      protocol=tcp in-interface=pppoe-out1 dst-port=80 log=no log-prefix="" 

 4    ;;; Plex server remote access
      chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=32400 
      protocol=tcp in-interface=pppoe-out1 dst-port=32400 log=no 
      log-prefix="" 

 5    ;;; HTTPS hairpin NAT
      chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=443 
      protocol=tcp dst-address-type=local dst-port=443 log=no log-prefix="" 

 6    ;;; HTTP hairpin NAT
      chain=dstnat action=dst-nat to-addresses=10.0.0.2 to-ports=80 
      protocol=tcp dst-address-type=local dst-port=80 log=no log-prefix="" 

 7    ;;; HTTPS hairpin NAT
      chain=srcnat action=masquerade to-addresses=10.0.0.2 protocol=tcp 
      src-address=10.0.0.0/24 dst-address=10.0.0.2 out-interface=bridge 
      dst-port=443 log=no log-prefix="" 

 8    ;;; HTTP hairpin NAT
      chain=srcnat action=masquerade to-addresses=10.0.0.2 to-ports=80 
      protocol=tcp src-address=10.0.0.0/24 dst-address=10.0.0.2 
      out-interface=bridge dst-port=80 log=no log-prefix=""

现在奇怪的是，iOS 客户端可以连接到此 VPN 并访问本地网络和互联网，但 Windows 客户端只能访问本地网络而不能访问互联网（不知道其他平台是否如此，因为我现在无法访问）。我已经排除了 DNS 和路由问题，因为这些 Windows 客户端可以 ping 全局 IP 地址和域名，也可以tracert。我遗漏了什么吗？我已经对许多 Mikrotik 路由器使用了相同的配置，有问题的路由器的共同点是 WAN 连接是 PPPoE：

/ip firewall filter
add chain=input action=accept comment="VPN L2TP UDP 500" in-interface=pppoe-out1 protocol=udp dst-port=500 
add chain=input action=accept comment="VPN L2TP UDP 1701" in-interface=pppoe-out1 protocol=udp dst-port=1701
add chain=input action=accept comment="VPN L2TP 4500" in-interface=pppoe-out1 protocol=udp dst-port=4500
add chain=input action=accept comment="VPN L2TP ESP" in-interface=pppoe-out1 protocol=ipsec-esp
add chain=input action=accept comment="VPN L2TP AH" in-interface=pppoe-out1 protocol=ipsec-ah

/ppp profile add change-tcp-mss=yes local-address=10.0.0.1 name=vpn-profile remote-address=pool-vpn dns-server=10.0.0.1 use-encryption=yes

/ppp secret add name="yourusername" password="yourpassword" profile=vpn-profile service=any

/interface l2tp-server server set authentication=mschap2 default-profile=vpn-profile enabled=yes max-mru=1460 max-mtu=1460 use-ipsec=yes

/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp nat-traversal=yes generate-policy=port-override secret="yourl2tpsecret" enc-algorithm=aes-128,3des
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc,3des

相关内容