
I have a Mikrotik (DC), acting as an L2TP server, and a CentOS 7 (Office) host connected to that server. The problem is that I can ping the Mikrotik from the CentOS host and from the network behind it, and I can ping the CentOS host from the Mikrotik and the network behind it. But I can't access any of the computers behind the Mikrotik from behind the CentOS host, or the other way round. iptables:

    # Generated by iptables-save v1.4.21 on Wed Feb  6 00:26:09 2019
    *nat
    :PREROUTING ACCEPT [10023:752813]
    :INPUT ACCEPT [1512:195812]
    :OUTPUT ACCEPT [71:5442]
    :POSTROUTING ACCEPT [3521:254098]
    -A POSTROUTING -o ppp0 -j MASQUERADE
    -A POSTROUTING -o ppp0 -j MASQUERADE
    COMMIT
    # Completed on Wed Feb  6 00:26:09 2019
    # Generated by iptables-save v1.4.21 on Wed Feb  6 00:26:09 2019
    *filter
    :INPUT ACCEPT [24872:18721138]
    :FORWARD ACCEPT [415636:32442804]
    :OUTPUT ACCEPT [19025:3915262]
    -A FORWARD -i ppp0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i eth0 -o ppp0 -j ACCEPT
    COMMIT
    # Completed on Wed Feb  6 00:26:09 2019

Mikrotik firewall:

    /ip firewall filter
    add action=accept chain=input comment=\
        "defconf: accept established,related,untracked" connection-state=\
        established,related,untracked
    add action=accept chain=input src-address=10.192.68.0/24
    add action=accept chain=input src-address=10.192.69.0/24
    add action=accept chain=input port=1701,500,4500 protocol=udp
    add action=accept chain=input protocol=ipsec-esp
    add action=accept chain=input src-address=10.192.67.0/24
    add action=accept chain=forward disabled=yes dst-address=10.192.69.0/24 \
        src-address=10.192.68.0/24
    add action=accept chain=forward disabled=yes dst-address=10.192.68.0/24 \
        src-address=10.192.69.0/24
    add action=drop chain=input comment="defconf: drop invalid" connection-state=\
        invalid
    add action=drop chain=input comment="defconf: drop all not coming from LAN" \
        in-interface-list=!LAN
    add action=accept chain=forward comment="defconf: accept in ipsec policy" \
        ipsec-policy=in,ipsec
    add action=accept chain=forward comment="defconf: accept out ipsec policy" \
        ipsec-policy=out,ipsec
    add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
        connection-state=established,related
    add action=accept chain=forward comment=\
        "defconf: accept established,related, untracked" connection-state=\
        established,related,untracked
    add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
        invalid
    add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" \
        connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

Mikrotik NAT:

    /ip firewall nat
    add action=accept chain=srcnat disabled=yes dst-address=10.192.69.0/24 src-address=\
        10.192.68.0/24
    add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
        out,none out-interface-list=WAN
    add action=masquerade chain=srcnat out-interface=all-ppp
    add action=masquerade chain=srcnat out-interface=l2tp-in-Jarvis src-address=\
        10.192.68.0/24

Office network: 10.192.69.0/24. DC network: 10.192.68.0/24. I want to be able to access the network behind the Mikrotik from the office and vice versa. Please point me in the direction of where I have messed up.

Ajlewa

1 Answer

You should enable IP forwarding in your CentOS Linux.

    sysctl net.ipv4.ip_forward=1

If you want it to be permanent, edit /etc/sysctl.conf and uncomment the net.ipv4.ip_forward=1 line.

Arash
Nah, it was already done, and still nothing. The problem was that the CentOS host also couldn't reach hosts behind the Mikrotik, but we just bought another Mikrotik to put into the office. Not the classiest solution, but now everything works – Ajlewa Feb 10 '19 at 01:45
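The answer names two separate conditions on the CentOS side, forwarding enabled now and forwarding persisted for the next boot, and the asker's reply shows it is worth verifying both rather than assuming. The script below is an added example (not code from the question, the answer, or CentOS itself) that checks each and reports the combination; the proc path and config path are parameters so it can be run against constructed sample files, with the real CentOS 7 locations as defaults. It reads a single file, so a value set in /etc/sysctl.d/*.conf would not be seen by it.

```shell
#!/bin/sh
# Added example: verify that IPv4 forwarding is on right now and that it is
# persisted in a sysctl config file. Both paths are parameters; the defaults
# are the locations used on CentOS 7.

# Exit 0 if the running kernel forwards IPv4 packets.
forwarding_live() {
    proc_file="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$proc_file" ] && [ "$(cat "$proc_file")" = "1" ]
}

# Exit 0 if the config file has an active net.ipv4.ip_forward = 1 line.
# Commented lines (e.g. "#net.ipv4.ip_forward = 1", the form the answer says
# to uncomment) do not count, spaces around "=" are allowed, and the last
# assignment in the file wins, which is how "sysctl -p" applies them.
forwarding_persisted() {
    conf="${1:-/etc/sysctl.conf}"
    [ -r "$conf" ] || return 1
    last=$(sed -n \
        's/^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*\([01]\)[[:space:]]*$/\1/p' \
        "$conf" | tail -n 1)
    [ "$last" = "1" ]
}

# Print one word for the combined state:
#   ok              on now and persisted
#   live-only       on now, lost at reboot (sysctl -w without the file edit)
#   persisted-only  in the file but not applied yet (sysctl -p not run)
#   off             neither
forwarding_verdict() {
    live=0; saved=0
    forwarding_live "$1" && live=1
    forwarding_persisted "$2" && saved=1
    case "$live$saved" in
        11) echo ok ;;
        10) echo live-only ;;
        01) echo persisted-only ;;
        *)  echo off ;;
    esac
}
```

Run `forwarding_verdict` with no arguments on the host itself to use the real /proc and /etc/sysctl.conf paths.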