Доброго дня всем! Тут много тем поднималось по этому вопросу, я в этом плане новичок, но знаю что есть способы настроить на роутере доступ из vpn в сеть имея разные подсети пример LAN 192.168.X.X и VPN 10.200.X.X, подскажите как это сделать и если можно сразу с правилами и командами и куда вводить. Требуется предоставить клиентам удаленный доступ RDP через VPN со снятой галочкой "Использовать основной шлюз удаленной сети" с галочкой все работает.
Настрой роутера:
Firewall
0 ;;; bruteforce add to blacklist
chain=input action=add-src-to-address-list connection-state=new
protocol=tcp src-address-list=bruteforce_stage3
address-list=bruteforce_blacklist address-list-timeout=1w3d
dst-port=0,21,22,23,69,80,443,3389,5060,5061,7547,8291 log=no
log-prefix=""
1 ;;; bruteforce add to stage3
chain=input action=add-src-to-address-list connection-state=new
protocol=tcp src-address-list=bruteforce_stage2
address-list=bruteforce_stage3 address-list-timeout=1w3d
dst-port=0,21,22,23,69,80,443,3389,5060,5061,7547,8291 log=no
log-prefix=""
2 ;;; bruteforce add to stage2
chain=input action=add-src-to-address-list connection-state=new
protocol=tcp src-address-list=bruteforce_stage1
address-list=bruteforce_stage2 address-list-timeout=15m
dst-port=0,21,22,23,69,80,443,3389,5060,5061,7547,8291 log=no
log-prefix=""
3 ;;; bruteforce add to stage1
chain=input action=add-src-to-address-list connection-state=new
protocol=tcp src-address-list=!alow_ssh address-list=bruteforce_stage1
address-list-timeout=2m
dst-port=0,21,22,23,69,80,443,3389,5060,5061,7547,8291 log=no
log-prefix=""
4 ;;; Established/Related
chain=input action=accept connection-state=established,related log=no
log-prefix=""
5 ;;; Drop invalid
chain=input action=drop connection-state=invalid in-interface=ether1
log=no log-prefix=""
6 ;;; Established/Related
chain=forward action=accept connection-state=established,related log=no
log-prefix=""
7 ;;; Drop invalid
chain=forward action=drop connection-state=invalid in-interface=ether1
log=no log-prefix=""
8 ;;; Winbox knock
chain=input action=drop protocol=tcp src-address-list=!knock
dst-port=999 log=no log-prefix=""
9 chain=input action=add-src-to-address-list protocol=tcp address-list=knock>
address-list-timeout=30s dst-port=111 log=no log-prefix=""
10 chain=input action=add-src-to-address-list protocol=tcp
src-address-list=knock1 address-list=knock2 address-list-timeout=30s
dst-port=222 log=no log-prefix=""
11 chain=input action=add-src-to-address-list protocol=tcp
src-address-list=knock2 address-list=knock address-list-timeout=30s
dst-port=333 log=no log-prefix=""
12 X ;;; PSD
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1
address-list=PSD address-list-timeout=none-dynamic log=no log-prefix=""
13 ;;; Winbox
chain=input action=accept protocol=tcp in-interface=ether1 dst-port=999
log=no log-prefix=""
14 ;;; ICMP
chain=input action=accept protocol=icmp connection-rate=0-128
icmp-options=8:0 packet-size=0-128 log=no log-prefix=""
15 ;;; VPN
chain=input action=accept protocol=udp in-interface=ether1
dst-port=1701,500,4500 log=no log-prefix=""
16 ;;; IPsec
chain=input action=accept protocol=ipsec-esp log=no log-prefix=""
17 chain=input action=accept protocol=ipsec-ah log=no log-prefix=""
18 ;;; Drop WAN
chain=input action=drop in-interface=ether1 log=no log-prefix=""
19 ;;; Drop without DstNAT
chain=forward action=drop connection-nat-state=!dstnat
in-interface=ether1 log=no log-prefix=""
RAW
0 ;;; drop bruteforces
chain=prerouting action=drop src-address-list=bruteforce_blacklist
1 ;;; drop DNS
chain=prerouting action=drop in-interface=ether1 dst-port=53 log=no
log-prefix="" protocol=udp
2 ;;; drop DNS
chain=prerouting action=drop in-interface=ether1 dst-port=53 log=no
log-prefix="" protocol=tcp
VPN profile
name="l2tp" local-address=10.200.2.1 remote-address=l2tp-pool
bridge-learning=default use-ipv6=no use-mpls=default
use-compression=default use-encryption=no only-one=yes change-tcp-mss=yes
use-upnp=no address-list="" dns-server=10.200.2.1 on-up="" on-down=""
Ipconfig клиента
0.0.0.0 0.0.0.0 192.168.1.1 192.168.1.178 55
10.0.0.0 255.0.0.0 10.200.2.1 10.200.2.100 46
10.200.2.100 255.255.255.255 On-link 10.200.2.100 301
Адаптер PPP Routedist:
DNS-суффикс подключения . . . . . :
IPv4-адрес. . . . . . . . . . . . : 10.200.2.100
Маска подсети . . . . . . . . . . : 255.255.255.255
Основной шлюз. . . . . . . . . :
