我需要在企业网络中设置 VPN,但遇到了一些问题。我有 2 个主要设备 - 1 个调制解调器/路由器(ASUS),它通过 VDSL 直接连接到互联网(具有公共 IP 地址),它是运行 VPN 的设备。我已将另一个路由器(MIKROTIK)直接连接到该调制解调器 - 第二个路由器有 6 个子网。我面临的问题是,我可以使用我的设备连接到 VPN,但我只能进入这两个路由器之间的网络,而不能进入第二个路由器上的子网。
我的 IP 编址 - 调制解调器(x = 1)与路由器(x = 2)之间的网络:192.168.0.x/24;VPN 网络:192.168.6.x/24
我想进入的子网:192.168.1.x/24 和 192.168.4.x/24。我可以从所有网络 ping 通 VPN 设备,但我的设备只能访问 192.168.6.x 网络和 192.168.0.x 网络,也就是说只能单向工作。你能帮我看看我做错了什么吗?我已经尝试了所有方法,包括路由、防火墙等。
附言:我是个初学者,所以有可能我忘记了一些事情。
提前致谢 ^^
R2 配置:
# RouterOS configuration export of the second router (R2, the MikroTik behind
# the ASUS modem-router). Review comments below are annotations only; every
# command line is unchanged from the posted export.
# software id = PSL3-JJZL
#
/interface bridge
add arp=proxy-arp name=bridge1
# The renames below shift every port name down by one: factory ether1 becomes
# "ether0" (uplink to the modem-router), factory ether2 becomes "ether1", etc.
# All later sections use the NEW names.
# proxy-arp makes the router answer ARP on behalf of hosts reachable through
# other interfaces, which blurs the L2 boundary between the subnets.
# NOTE(review): confirm proxy-arp is really needed on each of these ports.
/interface ethernet
set [ find default-name=ether1 ] arp=proxy-arp comment=Modem-Router name=\
ether0
set [ find default-name=ether2 ] arp=proxy-arp comment=\
"Restaurace spodn\ED patro" name=ether1
set [ find default-name=ether3 ] comment="Restaurace pokoje" name=ether2
set [ find default-name=ether4 ] comment="Restaurace bar" name=ether3
set [ find default-name=ether5 ] comment=Kamery name=ether4
set [ find default-name=ether6 ] comment="Wifi spodn\ED - Unifi" name=ether5
set [ find default-name=ether7 ] arp=proxy-arp comment="Wifi horn\ED" \
master-port=ether5 name=ether6
set [ find default-name=ether8 ] name=ether7
set [ find default-name=ether9 ] name=ether8
set [ find default-name=ether10 ] arp=proxy-arp name=ether9
/ip neighbor discovery
set ether0 discover=no
# One VLAN per port is defined here, but no address, DHCP server or firewall
# rule in this export references vlan1..vlan6; the subnets live on the
# physical ports instead.
/interface vlan
add interface=ether0 name=vlan1 vlan-id=1
add interface=ether1 name=vlan2 vlan-id=2
add interface=ether2 name=vlan3 vlan-id=3
add interface=ether3 name=vlan4 vlan-id=4
add interface=ether4 name=vlan5 vlan-id=5
add interface=ether5 name=vlan6 vlan-id=6
# Address pools for the internal subnets. The "bar" pool (192.168.3.x) has no
# matching entry under /ip dhcp-server in this export.
/ip pool
add name=restaurace ranges=192.168.1.10-192.168.1.254
add name=wifi ranges=192.168.5.3-192.168.5.254
add name="vrchn\ED pokoje" ranges=192.168.2.2-192.168.2.254
add name=Kamery ranges=192.168.4.2-192.168.4.254
add name=bar ranges=192.168.3.2-192.168.3.254
/ip dhcp-server
add address-pool=restaurace disabled=no interface=ether1 name=restaurace
add address-pool=wifi disabled=no interface=ether5 name=wifi
add address-pool="vrchn\ED pokoje" disabled=no interface=ether2 name=pokoje
add address-pool=Kamery disabled=no interface=ether4 name=Kamery
# The default BGP instance redistributes connected, OSPF, other-BGP, RIP and
# static routes. No BGP peer appears in this export.
# NOTE(review): if BGP is not actually used, turn redistribution off so internal
# prefixes cannot be announced should a peer be added later.
/routing bgp instance
set default redistribute-connected=yes redistribute-ospf=yes \
redistribute-other-bgp=yes redistribute-rip=yes redistribute-static=yes
# NOTE(review): ether1 and ether5 are listed as bridge ports, yet they also
# carry their own IP addresses and DHCP servers in this export. On RouterOS,
# L3 configuration normally belongs on the bridge, not on a member port —
# confirm which of the two is intended.
/interface bridge port
add comment=defconf interface=ether1
add comment=defconf interface=ether5
add comment=defconf interface=sfp1
# SECURITY: the router accepts ICMP redirects and source-routed packets. Either
# one lets another host on an attached segment influence the path traffic takes.
# Both are normally left off on a router unless there is a specific need.
/ip settings
set accept-redirects=yes accept-source-route=yes
# SECURITY: a PPTP server is enabled on this router, although the post says the
# VPN runs on the ASUS. PPTP (MS-CHAPv2/MPPE) is widely considered
# cryptographically weak; disable it if unused.
/interface pptp-server server
set enabled=yes
# Static addressing. ether0 (uplink) is 192.168.0.2/24 and ALSO has a DHCP
# client further down. No 192.168.6.x address is assigned on this router.
/ip address
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
add address=192.168.0.2/24 interface=ether0 network=192.168.0.0
add address=192.168.5.1/24 interface=ether5 network=192.168.5.0
add address=192.168.2.1/24 interface=ether2 network=192.168.2.0
add address=192.168.4.1/24 interface=ether4 network=192.168.4.0
add address=192.168.3.1/24 interface=ether3 network=192.168.3.0
add address=192.168.64.1/18 interface=ether8 network=192.168.64.0
# Static ARP entries; 192.168.0.1 is the modem-router on the uplink.
/ip arp
add address=192.168.5.2 interface=ether5 mac-address=FC:EC:DA:86:44:7B
add address=192.168.0.1 interface=ether0 mac-address=14:DD:A9:4B:F5:CC
# DHCP client on the uplink, in addition to the static 192.168.0.2/24 above.
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=ether0
# Options handed to DHCP clients per subnet (public resolvers, the router as
# gateway). The 192.168.0.0/24 entry has no DHCP server on ether0 in this export.
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1 \
netmask=24
add address=192.168.1.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.1.1 \
netmask=24
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1 \
netmask=24
add address=192.168.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.3.1 \
netmask=24
add address=192.168.4.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.4.1 \
netmask=24
add address=192.168.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.5.1 \
netmask=24
# SECURITY: allow-remote-requests=yes makes the router a DNS resolver for
# whatever the input chain lets through. No input drop rule is enabled in this
# export, so that includes the uplink side (ether0).
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.0.2 name=router
# SECURITY: every drop rule in this section is disabled=yes. Only accept rules
# remain active, and unmatched packets are accepted as well, so the filter
# blocks nothing in the input or forward chain. The firewall is therefore not
# what keeps VPN clients out of the inner subnets, and management services on
# the router are reachable from ether0.
# NOTE(review): re-enable the defconf drop rules once routing works, after
# adding explicit accepts for the VPN subnet.
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes \
in-interface=ether0
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface=ether0
add action=drop chain=forward disabled=yes src-mac-address=48:6D:BB:C8:F6:F5
# NOTE(review): 192.168.1.1 is this router's own address, and traffic addressed
# to the router is handled by chain=input, so this forward rule is unlikely to
# ever match. A forward accept for the VPN subnet would target
# 192.168.1.0/24 and 192.168.4.0/24.
add action=accept chain=forward dst-address=192.168.1.1 src-address=\
192.168.6.0/24
# NOTE(review): dst-port=500,0,0 looks like a mangled port list; IKE with NAT
# traversal normally needs udp/500 and udp/4500 — confirm the intended ports.
add action=accept chain=input dst-port=500,0,0 in-interface=ether0 protocol=\
udp
add action=accept chain=input in-interface=ether0 protocol=ipsec-esp
add action=accept chain=input in-interface=ether0 protocol=ipsec-ah
# Everything leaving via ether0 is source-NATed to the router's uplink address,
# including traffic from the inner subnets to the VPN network. This is
# presumably why inner hosts can ping VPN clients (replies return to
# 192.168.0.2) while the reverse fails: connections initiated from 192.168.6.x
# need the ASUS and the VPN clients to have routes for 192.168.1.0/24 and
# 192.168.4.0/24 via 192.168.0.2. Verify on the ASUS side.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=ether0
# Default route via the modem-router. The 192.168.0.0/24 route duplicates the
# connected route. The 192.168.6.0/24 route names the interface ether0 as its
# gateway instead of the next hop 192.168.0.1, and its pref-src 192.168.6.1 is
# not an address configured on this router in this export.
# NOTE(review): confirm that route is active; the default route already covers
# 192.168.6.0/24.
/ip route
add distance=1 gateway=192.168.0.1
add distance=1 dst-address=192.168.0.0/24 gateway=ether0
add check-gateway=ping distance=1 dst-address=192.168.6.0/24 gateway=ether0 \
pref-src=192.168.6.1 scope=20 target-scope=30
/ip route rule
add dst-address=192.168.0.1/32 src-address=192.168.1.1/32
# NOTE(review): a /32 is announced here while the VPN network is used as a /24
# everywhere else in this export.
/routing bgp network
add network=192.168.6.0/32 synchronize=no
# SECURITY: RIP v2 updates are accepted on the uplink. No authentication
# setting is visible in this export, so confirm that routes cannot be injected
# by any host on 192.168.0.0/24.
/routing rip interface
add interface=ether0 receive=v2
/routing rip network
add network=192.168.6.0/24
add network=192.168.0.0/24
/system clock
set time-zone-name=Europe/Prague
# SECURITY: the default MAC-server and MAC-Winbox entries are disabled, but the
# bare "add" after each creates a new entry with default values, presumably
# covering all interfaces, which would re-expose L2 management on ether0 too.
# NOTE(review): restrict these to the management interface(s).
/tool mac-server
set [ find default=yes ] disabled=yes
add
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add