L2TP s poolom v inej subnet

pravyroxor

Zdravím odborníkov, vlastním nový router RB4011iGS+5HacQ2HnD a ešte sa ho len učím konfigurovať. Podľa návodov na internete sa mi podarilo nastaviť L2TP VPN a dokážem sa naň vzdialene pripojiť. S čím si však neviem rady je problém možno so smerovaním, nakoľko l2tp-vpnpool je v inej podsieti ako hlavná LAN.

Toto je moja konfigurácia, no všetko funguje len ak navolím VPN užívateľovi IP adresu z rovnakej siete ako je LAN 172.19.187.0/24, zo 172.19.190.200 nemám žiadne odozvy na ping do LAN, funguje len pripojenie na IP adresy routra - 172.19.190.1 a 172.19.187.3

verzia RouterOS 6.44.3

/interface bridge

add admin-mac=xxx arp=proxy-arp auto-mac=no comment=defconf \

name=bridge

/ip pooladd comment=VPN name=l2tp-pool ranges=172.19.190.200,172.19.190.250

/ppp profile

add change-tcp-mss=yes dns-server=172.19.190.1,172.19.187.10 local-address=\

172.19.190.1 name=l2tp-ipsec remote-address=l2tp-pool

/interface l2tp-server server

set authentication=mschap1,mschap2 default-profile=l2tp-ipsec enabled=yes \

ipsec-secret=xxxxx use-ipsec=yes

/ip address

add address=172.19.187.3/24 comment=defconf interface=bridge network=\

172.19.187.0

/ppp secret

add name=xxx password=xxxx profile=l2tp-ipsec service=l2tp

pravyroxor

Už som si poradil, ak by to niekomu náhodou pomohlo...

/ip pool

add comment=VPN name=l2tp-pool ranges=172.19.190.200-172.19.190.250

/ip dhcp-server

add address-pool=l2tp-pool interface=bridge name=defconf

/ppp profile

add change-tcp-mss=yes dns-server=172.19.187.10 interface-list=LAN \

local-address=172.19.190.1 name=l2tp-ipsec remote-address=l2tp-pool \

use-encryption=required

/ip firewall filter

add action=accept chain=input comment="L2TP VPN" dst-port=500,1701,4500 \

in-interface=ether1-wan protocol=udp src-port=""

add action=accept chain=input in-interface=ether1-wan protocol=ipsec-esp

add action=accept chain=input in-interface=ether1-wan protocol=ipsec-ah

add action=accept chain=forward dst-address=172.19.190.0/24 src-address=\

172.19.187.0/24

add action=accept chain=forward dst-address=172.19.187.0/24 src-address=\

172.19.190.0/24

# Blokovanie internetu cez VPN

add action=drop chain=forward comment="VPN drop outside bridge" in-interface=\

all-ppp out-interface=!bridge

/ip firewall nat

add action=masquerade chain=srcnat comment="defconf: masquerade" \

ipsec-policy=out,none out-interface-list=WAN

add action=masquerade chain=srcnat dst-address=172.19.190.0/24 src-address=\

172.19.187.0/24

add action=masquerade chain=srcnat dst-address=172.19.187.0/24 src-address=\

172.19.190.0/24