mikrotikcompletestaging:mikrotik_complete_staging

Differences

Below are the differences between two revisions of the page.

mikrotikcompletestaging:mikrotik_complete_staging [2020/09/18 15:09]
ghusson
mikrotikcompletestaging:mikrotik_complete_staging [2020/09/22 17:30]
ghusson
Line 882: Line 882:
   add action=accept chain=input comment="​Allow IPIP connections from clients"​ protocol=ipencap disabled=yes   add action=accept chain=input comment="​Allow IPIP connections from clients"​ protocol=ipencap disabled=yes
   add action=accept chain=input comment="​Allow IPSec connections from clients (IKE)" dst-port=500 protocol=udp disabled=yes   add action=accept chain=input comment="​Allow IPSec connections from clients (IKE)" dst-port=500 protocol=udp disabled=yes
 +  add action=accept chain=input comment="​Allow IPSec connections from clients (IKE2/nat traversal)"​ protocol=udp disabled=yes
   add action=accept chain=input comment="​Allow IPSec connections from clients (ESP)" protocol=ipsec-esp disabled=yes   add action=accept chain=input comment="​Allow IPSec connections from clients (ESP)" protocol=ipsec-esp disabled=yes
   add action=accept chain=input comment="​Allow IPSec connections from clients (AH)" protocol=ipsec-ah disabled=yes   add action=accept chain=input comment="​Allow IPSec connections from clients (AH)" protocol=ipsec-ah disabled=yes
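Review bot: the new input-chain rule for IKE NAT traversal has no `dst-port`, so the moment it is enabled (it is `disabled=yes` now, like its neighbours) it accepts every UDP datagram addressed to the router, not only NAT-T. The output-chain counterpart added later in this same diff carries `dst-port=4500`; add the same match here: `add action=accept chain=input comment="Allow IPSec connections from clients (IKE2/nat traversal)" dst-port=4500 protocol=udp disabled=yes`.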
Line 931: Line 932:
   add action=accept chain=output comment="​Allow IPIP connections from firewall"​ protocol=ipencap disabled=yes   add action=accept chain=output comment="​Allow IPIP connections from firewall"​ protocol=ipencap disabled=yes
   add action=accept chain=output comment="​Allow IPSec connections from firewall (IKE)" dst-port=500 protocol=udp disabled=yes   add action=accept chain=output comment="​Allow IPSec connections from firewall (IKE)" dst-port=500 protocol=udp disabled=yes
 +  add action=accept chain=output comment="​Allow IPSec connections from firewall (IKE2/nat traversal)"​ dst-port=4500 protocol=udp disabled=yes
   add action=accept chain=output comment="​Allow IPSec connections from firewall (ESP)" protocol=ipsec-esp disabled=yes   add action=accept chain=output comment="​Allow IPSec connections from firewall (ESP)" protocol=ipsec-esp disabled=yes
   add action=accept chain=output comment="​Allow IPSec connections from firewall (AH)" protocol=ipsec-ah disabled=yes   add action=accept chain=output comment="​Allow IPSec connections from firewall (AH)" protocol=ipsec-ah disabled=yes
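Review bot: minor wording in the comment: UDP 4500 is IKE NAT traversal (NAT-T) for IKEv1 as well as IKEv2, so `(IKE2/nat traversal)` is narrower than what the rule matches; `(IKE NAT-T udp/4500)` would be accurate and would follow the `tcp/42444` convention used in the SSTP rule comment later in this script. The rule itself is consistent with the adjacent disabled-by-default entries.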
Line 1158: Line 1160:
 /system clock print /system clock print
 /ip firewall filter enable [find where comment="​Allow SSTP connections from clients tcp/​42444"​] /ip firewall filter enable [find where comment="​Allow SSTP connections from clients tcp/​42444"​]
 +
  
  
 :put ""​ :put ""​
 :put "​======================================================================"​ :put "​======================================================================"​
-:put " = Set variables "+:put " = Set variables ​for SSTP script ​"
 :put "​======================================================================"​ :put "​======================================================================"​
 / /
Line 1191: Line 1194:
 :put ""​ :put ""​
 :put "​======================================================================"​ :put "​======================================================================"​
-:put " = HTTPS certificate generation (takes some time...)"​+:put " = HTTPS certificate generation ​for SSTP server(takes some time...)"​
 :put "​======================================================================"​ :put "​======================================================================"​
  
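Review bot: missing space in the banner string: `server(takes some time...)` should read `server (takes some time...)`. Cosmetic, but this banner is what the operator is looking at while certificate generation runs.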
Line 1259: Line 1262:
 /ip firewall filter /ip firewall filter
  
-# sstp_inside_lan 
-add action=accept chain=forward comment="​SSTP inside LAN -> LAN" in-interface-list=iflist_sstp_inside_lan out-interface="​$lanBridge"​ log=yes log-prefix=sstpinlan disabled=no 
-add action=accept chain=forward comment="​SSTP inside LAN -> inside LAN" in-interface-list=iflist_sstp_inside_lan out-interface-list=iflist_sstp_inside_lan log=yes log-prefix=sstpinlan disabled=no 
-add action=accept chain=forward comment="​LAN -> inside LAN" in-interface="​$lanBridge"​ out-interface-list=iflist_sstp_inside_lan log=yes log-prefix=sstpinlan disabled=no 
  
-sstp_managed +VPN users directly in LAN (trusted, or admins) : inside lan 
-add action=accept chain=forward comment="​SSTP managed -> LAN" in-interface-list=iflist_sstp_managed out-interface="​$lanBridge" ​log=yes log-prefix=sstpmngd disabled=no +/ppp profile ​add bridge="​$lanBridge" ​change-tcp-mss=yes comment="​SSTP ​VPN Profile for clients inside pro lan"
-add action=accept chain=forward comment="​SSTP managed ​-> SSTP managed"​ in-interface-list=iflist_sstp_managed out-interface-list=iflist_sstp_managed log=yes log-prefix=sstpmngd disabled=yes +  dns-server="$lanDnsServer" ​local-address="$lanBridgeIp" ​name=ppp_profile_sstp_inside_lan only-one=yes
-add action=accept chain=forward ​comment="​LAN -> SSTP managed" ​in-interface="$lanBridge" ​out-interface-list=iflist_sstp_managed log=yes log-prefix=sstpmngd disabled=no +  remote-address="$lanUserIpPool" ​use-compression=yes use-encryption=yes use-mpls=no use-upnp=no interface-list=iflist_sstp_inside_lan
- +
-# sstp_unmanaged +
-add action=accept chain=forward comment="SSTP UNmanaged -> LAN" ​in-interface-list=iflist_sstp_unmanaged out-interface="​$lanBridge"​ log=yes log-prefix=sstpunmngd disabled=no +
-add action=accept chain=forward comment="SSTP UNmanaged -> SSTP UNmanaged" ​in-interface-list=iflist_sstp_unmanaged out-interface-list=iflist_sstp_unmanaged log=yes log-prefix=sstpunmngd disabled=yes +
-add action=accept chain=forward comment="​LAN ​-> SSTP UNmanaged"​ in-interface="​$lanBridge"​ out-interface-list=iflist_sstp_unmanaged log=yes log-prefix=sstpunmngd disabled=yes+
  
 +# VPN users that have customer managed equipment : managed
 +/ppp profile add bridge="​$managedUserBridge"​ change-tcp-mss=yes comment="​SSTP VPN Profile for managed clients"​\
 +  dns-server="​$managedUserDnsServer"​ local-address="​$managedUserBridgeIp"​ name=ppp_profile_sstp_managed only-one=yes\
 +  remote-address="​$managedUserIpPool"​ use-compression=yes use-encryption=yes use-mpls=no use-upnp=no interface-list=iflist_sstp_managed
  
 +# VPN users that have personnal equipment : UNmanaged
 +/ppp profile add bridge="​$notManagedUserBridge"​ change-tcp-mss=yes comment="​SSTP VPN Profile for UNmanaged clients"​\
 +  dns-server="​$notManagedUserDnsServer"​ local-address="​$notManagedUserBridgeIp"​ name=ppp_profile_sstp_unmanaged only-one=yes\
 +  remote-address="​$notManagedUserIpPool"​ use-compression=yes use-encryption=yes use-mpls=no use-upnp=no interface-list=iflist_sstp_unmanaged
  
  
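Review bot: the three groups of forward-chain accept rules (sstp_inside_lan, sstp_managed, sstp_unmanaged, each with its own `log-prefix`) are deleted and nothing in this hunk replaces them, while the interface lists they matched on are still populated through the new profiles' `interface-list=` settings; the hunk should say where those rules went, or why they are no longer needed, because the `/ip firewall filter` context line is now left with no rules under it. With `bridge=` set in a PPP profile the client's PPP interface becomes a bridge port, so an inside-LAN client talking to the rest of `$lanBridge` is switched at layer 2 and bypasses the IP forward chain unless `/interface bridge settings set use-ip-firewall=yes`, and the `sstpinlan` logging that the removed rules provided is gone with them; traffic from `$managedUserBridge` and `$notManagedUserBridge` towards `$lanBridge` is still routed, so the managed and UNmanaged groups now depend on whatever forward rules remain. Two smaller points: as rendered, the inside-LAN profile's first two lines carry no trailing `\` whereas the managed and UNmanaged profiles do; without the continuation RouterOS parses `dns-server=...` as a separate command and the profile is created with only `bridge`, `change-tcp-mss` and `comment` set, so confirm the backslashes are present in the real script. And `personnal` in the UNmanaged profile comment should be `personal`.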
Line 1280: Line 1282:
 :put ""​ :put ""​
 :put "​======================================================================"​ :put "​======================================================================"​
-:put " = Clean variables "+:put " = Clean variables ​for SSTP script ​"
 :put "​======================================================================"​ :put "​======================================================================"​
 :set sstpPortMikrotik :set sstpPortMikrotik
mikrotikcompletestaging/mikrotik_complete_staging.txt · Last modified: 2020/09/22 17:30 by ghusson