MIKROTIK не ходит через VPN

RIP, OSFP, BGP, MPLS/VPLS
SnoopCat
Сообщения: 2
Зарегистрирован: 16 фев 2020, 18:15

MIKROTIK не ходит через VPN

Сообщение SnoopCat »

Здравствуйте!
Проблема следующего характера. Хочу отправлять сообщения, посредствам telegram бота через VPN. В данный момент клиенты ходят в телеграмм через VPN, но сам mikrotik не хочет ни в какую.

При попытке отправить сообщение выдаёт ошибку:

Код: Выделить всё

 > /tool fetch url="https://api.telegram.org/botxxxxxxxxxxx:xxxxxxxxxxxxxxxxxxx/sendMessage\?chat_id=3xxxxxxxxx&text=Im Mikrotik"
  status: failed

failure: closing connection: <connection failed> 149.154.167.220:443 (4)

Мой конфиг:

Код: Выделить всё

/interface bridge
aadd add-default-route=yes allow-fast-path=yes connect-to=Internet default-route-distance=50 dial-on-demand=yes disabled=no keepalive-timeout=50 name=xxxxxxxxx password=xxxxxxxxxxxxxx user=xxxxx
/interface pptp-client
add allow=mschap2 connect-to=xxxxxxxxxxx.xxx disabled=no max-mtu=1200 name=freevpn password=xxxxxxxx user=xxxxxxxx
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=ether6
add bridge=bridge comment=defconf interface=ether7
add bridge=bridge comment=defconf interface=ether8
add bridge=bridge comment=defconf interface=ether9
add bridge=bridge comment=defconf interface=ether10
add bridge=bridge comment=defconf interface=sfp-sfpplus1
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=Internet list=WAN
add interface=freevpn list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall address-list
add address=telegram.org list=Telegram
add address=vk.com list=block_site
add address=149.154.167.220 list=Telegram
add address=91.108.4.0/22 list=Telegram
add address=91.108.8.0/22 list=Telegram
add address=91.108.12.0/22 list=Telegram
add address=91.108.16.0/22 list=Telegram
add address=91.108.56.0/22 list=Telegram
add address=149.154.160.0/22 list=Telegram
add address=149.154.164.0/22 list=Telegram
add address=149.154.168.0/22 list=Telegram
add address=149.154.172.0/22 list=Telegram
add address=rutracker.org list=Telegram
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: accept ICMP" in-interface=freevpn protocol=icmp
add action=jump chain=input comment="defconf: accept ICMP" in-interface-list=WAN jump-target=ICMP limit=5,5:packet protocol=icmp src-address-list=managment
add action=accept chain=ICMP comment="icmp 0:0 (ping)" icmp-options=0:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="icmp 8:0 (ping)" icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="icmp 11:0 (traceroute)" icmp-options=11:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="icmp 3:3 (traceroute)" icmp-options=3:3 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="icmp 3:4 (MTU discovery)" icmp-options=3:4 limit=1,5:packet protocol=icmp
add action=accept chain=input comment="forward traafic for  mikrotik" in-interface=freevpn
add action=accept chain=output comment="forward traafic for  mikrotik" disabled=yes out-interface=freevpn
add action=reject chain=forward comment="block site" disabled=yes protocol=tcp reject-with=tcp-reset src-address-list=block_site
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward disabled=yes in-interface=bridge out-interface=freevpn
add action=accept chain=forward disabled=yes in-interface=freevpn out-interface=bridge
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop all from freevpn not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=freevpn
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Mark Telegram" dst-address-list=Telegram log=yes new-routing-mark=telegram_mark passthrough=yes src-address=192.168.88.0/24
add action=mark-routing chain=output comment="Mark Telegram" disabled=yes dst-address-list=Telegram log=yes new-routing-mark=mark_telegram passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment=Telegram ipsec-policy=out,none log=yes out-interface-list=WAN routing-mark=telegram_mark
/ip route
add distance=1 gateway=freevpn routing-mark=telegram_mark
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Europe/Moscow
/system leds
add interface=wlan2 leds=wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-led,wlan2_signal4-led,wlan2_signal5-led type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Аватара пользователя
Chupaka
Сообщения: 4086
Зарегистрирован: 29 фев 2016, 15:26
Откуда: Минск

Re: MIKROTIK не ходит через VPN

Сообщение Chupaka »

Приветствую.

Вижу у вас в правиле mangle для chain=output две ошибки:

1. Оно отключено (disabled=yes).
2. Оно вешает на пакет метку несуществующей таблицы маршрутизации (new-routing-mark=mark_telegram, а должно быть telegram_mark).
SnoopCat
Сообщения: 2
Зарегистрирован: 16 фев 2020, 18:15

Re: MIKROTIK не ходит через VPN

Сообщение SnoopCat »

Доброй ночи! Спасибо за ответ. Поправил, но ситуация не поменялась. Когда пытаюсь достучаться до бота телеграмма, счётчик пакетов увеличивается только в этом правиле, но в VPN не попадает...


Ан нет! Заработало!

Спасибо!