Help with internet browsing under OVPN

Post by Akkor70 » Mon 20 Sep 2021, 12:00

Good morning everyone,
I have a problem with a MikroTik device that does not let me browse when I connect to it over VPN.
The VPN tunnel works; in fact I can see the network shares without problems, but I cannot browse the internet... it is not a complete blackout, though, since for example AnyDesk works, but plain browsing, email and other services such as Teams do not work.
Another strange thing is that when I am under the OVPN tunnel, a tracert to 8.8.8.8 reaches its destination, and a ping to google.com is also resolved and gets a reply.
The MikroTik in question is cascaded behind a Fastweb FTTH fibre modem, on which I have put the MikroTik's IP in the DMZ.

For completeness I attach the MikroTik config and the OVPN client config.
Thanks for the help

Mikrotik config
# sep/17/2021 23:42:02 by RouterOS 6.48.3
# software id = 7EDU-PA5L
#
# model = RBD53iG-5HacD2HnD
# serial number = E7290DADBD09
/interface bridge
add name=BRIDGE_LAN
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=italy disabled=no \
    installation=indoor mode=ap-bridge name=Wifi-2.4 radio-name=Atere ssid=\
    Atere wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac country=italy disabled=no \
    installation=indoor mode=ap-bridge name=Wifi-5.0 radio-name=Atere ssid=\
    Atere wireless-protocol=802.11
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=\
    "***********"
/ip pool
add name=dhcp_pool ranges=192.168.1.50-192.168.1.200
add name=ovpn_pool ranges=172.16.100.2-172.16.100.254
/ip dhcp-server
add address-pool=dhcp_pool disabled=no interface=BRIDGE_LAN name=DHCP
/ppp profile
add dns-server=172.16.100.1 local-address=ovpn_pool name=open_vpn \
    remote-address=ovpn_pool use-compression=no use-encryption=required
/interface bridge port
add bridge=BRIDGE_LAN interface=ether1
add bridge=BRIDGE_LAN interface=ether2
add bridge=BRIDGE_LAN interface=ether3
add bridge=BRIDGE_LAN interface=ether4
add bridge=BRIDGE_LAN interface=ether5
add bridge=BRIDGE_LAN interface=Wifi-2.4
add bridge=BRIDGE_LAN interface=Wifi-5.0
/interface list member
add interface=Wifi-5.0 list=WAN
add interface=ether1 list=LAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=Wifi-2.4 list=LAN
/interface ovpn-server server
set certificate=server-certificate cipher=blowfish128,aes128,aes192,aes256 \
    default-profile=open_vpn enabled=yes require-client-certificate=yes
/ip address
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
/ip dhcp-server lease
add address=192.168.1.129 client-id=1:b8:27:eb:8c:b6:1d mac-address=\
    B8:27:EB:8C:B6:1D server=DHCP
/ip dhcp-server network
add address=172.16.100.0/24 comment=vpn dns-server=8.8.8.8 gateway=\
    172.166.100.1 netmask=24
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.254
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=192.168.1.0/24 list=Home-LAN
add address=172.16.100.0/24 list=Ovpn
/ip firewall filter
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=input comment="Accept Established Related" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "Consenti l'inoltro da parte dei client OVPN " src-address=\
    192.168.100.0/24
add action=accept chain=input comment="Accept vpn address list" \
    src-address-list=Ovpn
add action=accept chain=forward comment="Accept vpn address list" \
    src-address-list=Ovpn
add action=accept chain=input comment=VPN dst-port=1194 protocol=tcp
add action=accept chain=input dst-address=192.168.1.1 dst-port=18291 \
    protocol=tcp src-address=172.16.100.0/24
add action=accept chain=input comment="Accept Ping" icmp-options=8:0 \
    protocol=icmp
add action=drop chain=forward comment=DropSSHbruteforcers src-address-list=\
    ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=4w2d chain=forward connection-state=new dst-port=\
    22,23 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=4w2d chain=forward connection-state=new dst-port=\
    2222,2223 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=\
    2222,2223 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=\
    2222,2223 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=22,23 \
    protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=forward connection-state=new dst-port=\
    2222,2223 protocol=tcp
add action=drop chain=input comment=DropWinboxbruteforcers src-address-list=\
    WinboxBlackList
add action=add-src-to-address-list address-list=WinboxBlackList \
    address-list-timeout=4w2d chain=input connection-state=new dst-port=1723 \
    protocol=tcp src-address-list=WinboxStage3
add action=add-src-to-address-list address-list=WinboxBlackList \
    address-list-timeout=4w2d chain=input connection-state=new dst-port=18291 \
    protocol=tcp src-address-list=WinboxStage3
add action=add-src-to-address-list address-list=WinboxBlackList \
    address-list-timeout=4w2d chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=WinboxStage3
add action=add-src-to-address-list address-list=WinboxStage3 \
    address-list-timeout=5m chain=input connection-state=new dst-port=1723 \
    protocol=tcp src-address-list=WinboxStage2
add action=add-src-to-address-list address-list=WinboxStage3 \
    address-list-timeout=5m chain=input connection-state=new dst-port=18291 \
    protocol=tcp src-address-list=WinboxStage2
add action=add-src-to-address-list address-list=WinboxStage3 \
    address-list-timeout=5m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=WinboxStage2
add action=add-src-to-address-list address-list=WinboxStage2 \
    address-list-timeout=5m chain=input connection-state=new dst-port=1723 \
    protocol=tcp src-address-list=WinboxStage1
add action=add-src-to-address-list address-list=WinboxStage2 \
    address-list-timeout=5m chain=input connection-state=new dst-port=18291 \
    protocol=tcp src-address-list=WinboxStage1
add action=add-src-to-address-list address-list=WinboxStage2 \
    address-list-timeout=5m chain=input connection-state=new dst-port=8291 \
    protocol=tcp src-address-list=WinboxStage1
add action=add-src-to-address-list address-list=WinboxStage1 \
    address-list-timeout=5m chain=input connection-state=new dst-port=1723 \
    protocol=tcp
add action=add-src-to-address-list address-list=WinboxStage1 \
    address-list-timeout=5m chain=input connection-state=new dst-port=18291 \
    protocol=tcp
add action=add-src-to-address-list address-list=WinboxStage1 \
    address-list-timeout=5m chain=input connection-state=new dst-port=8291 \
    protocol=tcp
add action=drop chain=input comment=DroppingPortScannersinput \
    src-address-list=portscanners
add action=drop chain=forward comment=DroppingPortScannersforward \
    src-address-list=portscanners
add action=add-src-to-address-list address-list=portscanners \
    address-list-timeout=4w2d chain=input comment=\
    DroppingPortScannersPortscannerstolist protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=portscanners \
    address-list-timeout=4w2d chain=input comment=\
    DroppingPortScanners-NMAP-FIN-Stealthscan protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=portscanners \
    address-list-timeout=4w2d chain=input comment=\
    DroppingPortScannersSYN-FINscan protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=portscanners \
    address-list-timeout=4w2d chain=input comment=\
    DroppingPortScannersSYN-RSTscan protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=portscanners \
    address-list-timeout=4w2d chain=input comment=\
    DroppingPortScannersFIN-PSH-URGscan protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=portscanners \
    address-list-timeout=4w2d chain=input comment=\
    DroppingPortScannersALL-ALLscan protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=portscanners \
    address-list-timeout=4w2d chain=input comment=\
    DroppingPortScannersNMAP-NULLscan protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
add action=reject chain=forward comment=RDP log-prefix=Blocked reject-with=\
    icmp-network-unreachable src-address-list=Blocked
add action=add-src-to-address-list address-list=Blocked address-list-timeout=\
    1w3d chain=forward comment="RDP stage 3" connection-state=new dst-port=\
    3389 log-prefix=RDP-BRUTEFORCE protocol=tcp src-address-list=rdp_stage3
add action=add-src-to-address-list address-list=rdp_stage3 \
    address-list-timeout=5m chain=forward comment="RDP stage 2" \
    connection-state=new dst-port=3389 protocol=tcp src-address-list=\
    rdp_stage2
add action=add-src-to-address-list address-list=rdp_stage2 \
    address-list-timeout=5m chain=forward comment="RDP stage 1" \
    connection-state=new dst-port=3389 protocol=tcp src-address-list=\
    rdp_stage1
add action=add-src-to-address-list address-list=rdp_stage1 \
    address-list-timeout=5m chain=forward comment="RDP stage" \
    connection-state=new dst-port=3389 protocol=tcp
add action=drop chain=input dst-port=53 protocol=udp
add action=drop chain=input dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop Everithyng Else"
/ip firewall nat
add action=masquerade chain=srcnat src-address=172.16.100.0/24
add action=masquerade chain=srcnat src-address=192.168.1.0/24
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=\
    192.168.1.129
add action=dst-nat chain=dstnat dst-port=443 protocol=tcp to-addresses=\
    192.168.1.129
/ip route
add distance=1 gateway=192.168.1.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox port=8291
set api-ssl disabled=yes
/ppp secret
add name=atere password="**********" profile=open_vpn service=ovpn
/system clock
set time-zone-name=Europe/Rome


OVPN client config
client
dev tun
proto tcp-client
remote ***.***.***.***
port 1194
nobind
persist-key
persist-tun
tls-client
remote-cert-tls server
ca cert_export_ca-certificate.crt
cert cert_export_client-certificate.crt
key cert_export_client-certificate.key
verb 4
mute 10
cipher AES-128-CBC
auth SHA1
auth-user-pass atere.cfg
redirect-gateway def1
auth-nocache
route 192.168.1.0 255.255.255.0 172.16.100.1
dhcp-option DNS 192.168.1.1
dhcp-option DNS 8.8.8.8

Re: Help with internet browsing under OVPN

Post by abbio90 » Tue 21 Sep 2021, 0:02

Disable the dst-nat rules you have for port forwarding and tell me whether you can browse that way... because you can see that you open ports 80 and 443 without specifying the exit node... and since those are the same ports used for HTTP and HTTPS browsing I would do this test first... also because I see that the VPN masquerade is present.

Re: Help with internet browsing under OVPN

Post by Akkor70 » Tue 21 Sep 2021, 1:52

abbio90 wrote: Disable the dst-nat rules you have for port forwarding and tell me whether you can browse that way... because you can see that you open ports 80 and 443 without specifying the exit node... and since those are the same ports used for HTTP and HTTPS browsing I would do this test first... also because I see that the VPN masquerade is present.

Your suggestion worked: I disabled the dst-nat rules and now I can browse. How can I fix everything properly?
Thanks

Re: Help with internet browsing under OVPN

Post by abbio90 » Tue 21 Sep 2021, 14:12

In those destination NAT rules you need to set the in-interface...
The in-interface will be your WAN.
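To see why removing the two dst-nat rules restored browsing for the VPN client, and why adding in-interface fixes it without breaking the port forward, here is an added Python model of the dstnat chain's first-match semantics run over constructed packets (illustration only, not RouterOS code and not from either poster). It assumes ether1 as the WAN-facing interface and "ovpn-in" as the tunnel interface; the 203.0.113.x and 198.51.100.x addresses are documentation-range placeholders.

```python
# Added illustration (not RouterOS code): a minimal model of the dstnat chain,
# showing that port-forward rules written without in-interface also catch the
# OpenVPN clients' web traffic. Interface names ("ether1" = WAN side,
# "ovpn-in" = tunnel) and every packet below are constructed assumptions.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class DstNatRule:
    proto: str
    dst_port: int
    to_address: str
    in_iface: Optional[str] = None  # None: rule matches on any ingress interface

    def matches(self, p: Packet) -> bool:
        if self.in_iface is not None and p.in_iface != self.in_iface:
            return False
        return p.proto == self.proto and p.dst_port == self.dst_port


def apply_dstnat(rules: List[DstNatRule], p: Packet) -> str:
    """Destination address after the dstnat chain: first matching rule wins."""
    for rule in rules:
        if rule.matches(p):
            return rule.to_address
    return p.dst


# The two rules as exported in the thread (no in-interface) and the fixed set.
ORIGINAL = [DstNatRule("tcp", 80, "192.168.1.129"),
            DstNatRule("tcp", 443, "192.168.1.129")]
FIXED = [DstNatRule("tcp", 80, "192.168.1.129", in_iface="ether1"),
         DstNatRule("tcp", 443, "192.168.1.129", in_iface="ether1")]

# Constructed traffic: a VPN client (redirect-gateway def1) and an outside visitor.
VPN_HTTPS = Packet("ovpn-in", "172.16.100.10", "203.0.113.10", "tcp", 443)
VPN_PING = Packet("ovpn-in", "172.16.100.10", "8.8.8.8", "icmp")
VPN_OTHER_TCP = Packet("ovpn-in", "172.16.100.10", "203.0.113.10", "tcp", 6568)
INBOUND_HTTPS = Packet("ether1", "198.51.100.7", "192.168.1.1", "tcp", 443)


def hijacked(rules: List[DstNatRule], p: Packet) -> bool:
    """True when the chain rewrites the packet's destination address."""
    return apply_dstnat(rules, p) != p.dst
```

With ORIGINAL, every HTTP/HTTPS request from the tunnel is sent to 192.168.1.129 while ICMP and other TCP ports pass untouched, which matches the symptoms reported (ping and tracert work, browsing does not); with FIXED only traffic entering on ether1 is forwarded.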

Re: Help with internet browsing under OVPN

Post by Akkor70 » Tue 21 Sep 2021, 15:23

abbio90 wrote: In those destination NAT rules you need to set the in-interface...
The in-interface will be your WAN.

OK, thanks again for the help, it works.

If instead I wanted the internet traffic not to be routed through the VPN, would that be complicated?
Just to have a second option...

Re: Help with internet browsing under OVPN

Post by abbio90 » Tue 21 Sep 2021, 23:23

Do you mean this on the client side? What is the client? A PC?

Re: Help with internet browsing under OVPN

Post by Akkor70 » Wed 22 Sep 2021, 11:36

abbio90 wrote: Do you mean this on the client side? What is the client? A PC?

Yes, internet traffic on the client side, which is a PC.

Re: Help with internet browsing under OVPN

Post by abbio90 » Wed 22 Sep 2021, 18:14

In the client settings.

Re: Help with internet browsing under OVPN

Post by Akkor70 » Wed 22 Sep 2021, 22:59

abbio90 wrote: In the client settings.

Now I can no longer browse the network shares... how tedious.
Strange, because I can see the web interfaces of the services...
Is there something wrong in my config?

Re: Help with internet browsing under OVPN

Post by abbio90 » Wed 22 Sep 2021, 23:30

Which resources?