Re: EoIP - Попасть из одной подсети в другую
Добавлено: 29 окт 2018, 01:02
В сниффере пусто, icmp вообще отсутствует, остальные просто :: и всё. Параллельно ещё одна проблема вылезла, видимо взаимосвязана, но отпишусь уже утром, сил нет
For every complex problem, there is a solution that is simple, neat, and wrong.
https://forum.mikrotik.by/
Код: Выделить всё
/ip firewall nat
add action=masquerade chain=srcnat comment=Internet log-prefix=nat22 \
out-interface=!WiFi+LAN src-address=!333.333.333.0/22
Код: Выделить всё
/ip firewall address-list
add address=0.0.0.0/8 list=BOGONS
add address=10.0.0.0/8 list=BOGONS
add address=100.64.0.0/10 list=BOGONS
add address=127.0.0.0/8 list=BOGONS
add address=169.254.0.0/16 list=BOGONS
add address=172.16.0.0/12 list=BOGONS
add address=192.0.0.0/24 list=BOGONS
add address=192.0.2.0/24 list=BOGONS
add address=198.18.0.0/15 list=BOGONS
add address=198.51.100.0/24 list=BOGONS
add address=203.0.113.0/24 list=BOGONS
add address=224.0.0.0/3 list=BOGONS
add address=192.168.0.0/16 list=BOGONS
add address=isp-servis.ru list=blocked-addr
add address=oxygenno.fun list=blocked-addr
add address=fast-torrent.ru list=blocked-addr
add address=7-zip.org list=blocked-addr
add address=st.unibytes.com list=blocked-addr
add address=api.telegram.org list=blocked-addr
add address=ucrm.ubnt.com list=blocked-addr
add address=addons.mozilla.org list=blocked-addr
add address=dev-ucrm-billing-demo.ubnt.com list=blocked-addr
add address=192.168.7.0/24 list=my-network
add address=198.51.100.0/24 list=my-network
add address=nolapro.com list=blocked-addr
add address=2ip.ru list=blocked-addr
add address=updates.tdesktop.com list=blocked-addr
add address=updates.theme-fusion.com list=blocked-addr
add address=secure-a.vimeocdn.com list=blocked-addr
add address=nextcloud.com list=blocked-addr
add address=lastpass.com list=blocked-addr
add address=172.16.0.0/12 list=my-network
add address=192.168.0.0/16 list=my-network
add address=hideip.me list=blocked-addr
add address=lostfilm.tv list=blocked-addr
add address=111.111.111.111 list=wan-list
add address=222.222.222.222 list=wan-list
add address=444.444.444.444 list=wan-list
add address=198.51.100.254 list=wan-list
add address=193.164.16.1 list=wan-list
add address=nulledfiles.ru list=blocked-addr
add address=nzix.org list=blocked-addr
add address=333.333.333.0/22 list=Dostup_iz_lokalki
add address=192.168.2.0/24 list=Dostup_iz_lokalki
/ip firewall filter
add chain=input comment="PPTP Access" protocol=gre
add chain=input comment="PPTP Access" dst-port=1723 protocol=tcp
add action=fasttrack-connection chain=forward connection-state=\
established,related routing-mark=!to_tor
add action=accept chain=input dst-port=12443 in-interface-list=WAN \
log-prefix=sstp protocol=tcp
add action=accept chain=input log-prefix=ping protocol=icmp
add action=accept chain=forward connection-state=established,related \
routing-mark=!to_tor
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=\
32,256,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
10m chain=detect-ddos connection-limit=500,32
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
10m chain=detect-ddos connection-limit=500,32
add action=drop chain=forward comment="Drop Invalid connections" \
connection-state=invalid
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
in-interface-list=WAN protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output content="530 Login incorrect" dst-limit=\
1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist \
address-list-timeout=1h chain=output content="530 Login incorrect" \
protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
in-interface-list=WAN protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1h chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=input comment="DROP Telnet brutforce" dst-port=23 \
in-interface-list=WAN protocol=tcp src-address-list=telnet_blacklist
add action=add-src-to-address-list address-list=telnet_blacklist \
address-list-timeout=30m chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=23 \
protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=23 \
protocol=tcp
add action=add-src-to-address-list address-list=ddos-blacklist \
address-list-timeout=30m chain=input comment=\
"DDoS - Limit incoming connections, add IP to Blacklist (WAN List)" \
connection-limit=100,32 in-interface-list=WAN protocol=tcp
add action=tarpit chain=input comment=\
"DDoS - capture and hold connections, try to slow the attacker " \
connection-limit=3,32 protocol=tcp src-address-list=ddos-blacklist
add action=jump chain=forward comment="DDoS - SYN Flood protect (WAN List)" \
connection-state=new jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=jump chain=input connection-state=new in-interface-list=WAN \
jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=return chain=SYN-Protect connection-state=new limit=200,5:packet \
protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new protocol=tcp \
tcp-flags=syn
/ip firewall mangle
add action=accept chain=prerouting comment="\D7\E0\F1\F2\FC \F1\E5\F2\E8 \E8\
\E7 \EB\EE\EA\E0\EB\EA\E8 (333.333.333.0/22 \E8 192.168.2.0/24)" \
dst-address-list=Dostup_iz_lokalki log-prefix=net22
add action=mark-routing chain=prerouting dst-address-list=ddosed \
new-routing-mark=ddoser-route-mark passthrough=no src-address-list=ddoser
add action=mark-routing chain=output comment=\
"Telegram (router) \F7\E5\F0\E5\E7 \CB\E0\F2\E2\E8\FE" dst-address-list=\
tor-traff log-prefix=telega new-routing-mark=vpn_lv passthrough=no \
src-address=!333.333.333.0/22
add action=mark-routing chain=prerouting comment=\
"Email \EE\F2\F1\FB\EB\EA\E0 \F7\E5\F0\E5\E7 ISP1" dst-port=25 \
in-interface=WiFi+LAN log-prefix=email new-routing-mark=route_isp_01 \
passthrough=no protocol=tcp
add action=mark-routing chain=prerouting comment="\C1\EB\EE\EA\E8\F0\EE\E2\EA\
\E0 \F2\E5\EB\E5\E3\E8 \F7\E5\F0\E5\E7 \CB\E0\F2\E2\E8\FE" \
dst-address-list=tor-traff log-prefix=tor new-routing-mark=vpn_lv \
passthrough=no src-address=!333.333.333.0/22
add action=mark-routing chain=prerouting comment=\
"\CB\E8\F7\ED\FB\E5 \F7\E5\F0\E5\E7 \CB\E0\F2\E2\E8\FE" dst-address-list=\
blocked-addr log-prefix=tor new-routing-mark=vpn_lv passthrough=no \
src-address=!333.333.333.0/22
add action=accept chain=prerouting dst-address=192.168.2.0/24
add action=accept chain=prerouting dst-address=192.168.7.0/24
add action=accept chain=prerouting dst-address=192.168.88.0/24
add action=accept chain=prerouting dst-address=172.16.0.0/24
add action=accept chain=prerouting dst-address=172.16.253.0/24
add action=accept chain=prerouting dst-address=172.16.1.0/24
add action=accept chain=prerouting dst-address=198.51.100.1
add action=accept chain=prerouting dst-address=192.168.0.0/24
add action=mark-routing chain=prerouting comment="OVPN \C1\E8\EB\EB\E8\ED\E3" \
dst-address=172.16.0.0/24 new-routing-mark=to_billing_vpn passthrough=no
add action=mark-routing chain=prerouting comment="\CA\EB\E8\E5\ED\F2\FB" \
dst-address=172.30.0.0/22 new-routing-mark=to_client passthrough=no
add action=mark-routing chain=prerouting comment="Public network" \
dst-address=172.16.253.0/24 new-routing-mark=to_misha passthrough=no
add action=mark-routing chain=prerouting comment="OVPN \CB\E0\F2\E2\E8\FF" \
dst-address=172.16.1.0/24 new-routing-mark=to_ovpn_lv passthrough=no
add action=mark-routing chain=prerouting comment=\
"OVPN \CC\EE\F1\EA\E2\E0 RB1100hx4" dst-address=172.16.251.0/24 \
log-prefix=moscow new-routing-mark=to_ovpn_moscow passthrough=no
add action=mark-routing chain=prerouting comment=60GHz dst-address=\
192.168.88.0/24 new-routing-mark=to_60ghz passthrough=no
add action=mark-routing chain=prerouting comment=D-Link disabled=yes \
dst-address=10.90.90.0/24 new-routing-mark=to_dlink passthrough=no
add action=change-ttl chain=prerouting comment="\CF\F0\FF\F7\E5\EC \F1\E5\F2\
\FC \EE\F2 \E2\FB\F8\E5\F1\F2\EE\FF\F9\E5\E3\EE \EF\F0\EE\E2\E0\E9\E4\E5\
\F0\E0" disabled=yes new-ttl=increment:1 passthrough=yes
add action=change-mss chain=forward disabled=yes new-mss=1360 passthrough=yes \
protocol=tcp tcp-flags=syn tcp-mss=1453-65535
add action=mark-connection chain=input comment=PCC connection-state=new \
in-interface=00.pppoe-ISP01 new-connection-mark=conn_isp_01 passthrough=\
yes
add action=mark-connection chain=input connection-state=new in-interface=\
00.pppoe-ISP02 new-connection-mark=conn_isp_02 passthrough=yes
add action=mark-connection chain=input connection-state=new in-interface=\
03.ISP_03 new-connection-mark=conn_isp_03 passthrough=yes
add action=mark-connection chain=input connection-state=new in-interface=\
"04.ISP_04(SXT)" new-connection-mark=conn_backup passthrough=yes
add action=mark-connection chain=prerouting connection-state=related \
in-interface=00.pppoe-ISP01 new-connection-mark=conn_isp_01 passthrough=\
yes
add action=mark-connection chain=prerouting connection-state=related \
in-interface=00.pppoe-ISP02 new-connection-mark=conn_isp_02 passthrough=\
yes
add action=mark-connection chain=prerouting connection-state=related \
in-interface=03.ISP_03 new-connection-mark=conn_isp_03 passthrough=yes
add action=mark-connection chain=prerouting connection-state=related \
in-interface="04.ISP_04(SXT)" new-connection-mark=conn_backup \
passthrough=yes
add action=mark-routing chain=output connection-mark=conn_isp_01 \
new-routing-mark=route_isp_01 passthrough=yes
add action=mark-routing chain=output connection-mark=conn_isp_02 \
new-routing-mark=route_isp_02 passthrough=yes
add action=mark-routing chain=output connection-mark=conn_isp_03 \
new-routing-mark=route_isp_03 passthrough=yes
add action=mark-routing chain=output connection-mark=conn_backup \
new-routing-mark=route_backup passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local \
new-connection-mark=IT39_PCC_1 passthrough=yes per-connection-classifier=\
both-addresses:3/0 src-address-list=BOGONS
add action=mark-connection chain=prerouting dst-address-type=!local \
new-connection-mark=IT39_PCC_2 passthrough=yes per-connection-classifier=\
both-addresses:3/1 src-address-list=BOGONS
add action=mark-connection chain=prerouting dst-address-type=!local \
new-connection-mark=IT39_PCC_3 passthrough=yes per-connection-classifier=\
both-addresses:3/2 src-address-list=BOGONS
add action=mark-routing chain=prerouting connection-mark=IT39_PCC_1 \
new-routing-mark=IT39_1 passthrough=yes src-address-list=BOGONS
add action=mark-routing chain=prerouting connection-mark=IT39_PCC_2 \
new-routing-mark=IT39_2 passthrough=yes src-address-list=BOGONS
add action=mark-routing chain=prerouting connection-mark=IT39_PCC_3 \
new-routing-mark=IT39_3 passthrough=yes src-address-list=BOGONS
add action=mark-connection chain=prerouting connection-mark=no-mark \
new-connection-mark=oTher passthrough=yes
add action=mark-routing chain=prerouting comment=\
"SIP \F7\E5\F0\E5\E7 \C4\E8\E0\EB\EE\E3" log-prefix=phone \
new-routing-mark=route_isp_01 passthrough=yes src-address=192.168.7.29
add action=mark-routing chain=prerouting comment=\
"\C2\ED\F3\F2\F0\E5\ED\ED\E8\E9 IP \F7\E5\F0\E5\E7 TTK (\CC\EE\E9)" \
disabled=yes new-routing-mark=route_isp_03 passthrough=yes src-address=\
192.168.7.7
add action=mark-routing chain=prerouting comment="\C2\ED\F3\F2\F0\E5\ED\ED\E8\
\E9 IP \F7\E5\F0\E5\E7 \D2\D2\CA (\CC\EE\E9 thunderbolt)" disabled=yes \
new-routing-mark=route_isp_03 passthrough=yes src-address=192.168.7.32
add action=mark-routing chain=prerouting comment=\
"\C2\ED\F3\F2\F0\E5\ED\ED\E8\E9 IP \F7\E5\F0\E5\E7 TTK (ASUS)" \
new-routing-mark=route_isp_03 passthrough=yes src-address=192.168.7.31
add action=mark-routing chain=prerouting comment=\
"\CA\EB\E8\E5\ED\F2 \F7\E5\F0\E5\E7 TTK (BRAS)" new-routing-mark=\
route_isp_03 passthrough=yes src-address=192.168.7.241
add action=mark-routing chain=prerouting comment=\
"\CA\EB\E8\E5\ED\F2 \F7\E5\F0\E5\E7 TTK (BRAS)" new-routing-mark=\
route_isp_03 passthrough=yes src-address=192.168.7.242
add action=mark-routing chain=prerouting comment=\
"\CA\EB\E8\E5\ED\F2 \F7\E5\F0\E5\E7 TTK (BRAS)" new-routing-mark=\
route_isp_03 passthrough=yes src-address=192.168.7.243
add action=mark-routing chain=prerouting comment=\
"\CA\EB\E8\E5\ED\F2 \F7\E5\F0\E5\E7 TTK (BRAS)" new-routing-mark=\
route_isp_03 passthrough=yes src-address=192.168.7.244
add action=mark-routing chain=prerouting comment=\
"\CA\EB\E8\E5\ED\F2 \F7\E5\F0\E5\E7 TTK (\DF\F1\E5\ED\FC\F1\EA\EE\E5)" \
new-routing-mark=route_isp_03 passthrough=yes src-address=192.168.7.246
add action=mark-routing chain=prerouting comment=\
"\CA\EB\E8\E5\ED\F2 \F7\E5\F0\E5\E7 TTK (\CE\EB\E5\ED\E8\F7\E5\E2)" \
new-routing-mark=route_isp_03 passthrough=yes src-address=192.168.7.247
add action=mark-routing chain=prerouting comment=\
"\CA\EB\E8\E5\ED\F2 \F7\E5\F0\E5\E7 TTK (BRAS)" new-routing-mark=\
route_isp_03 passthrough=yes src-address=192.168.7.45
add action=mark-routing chain=prerouting comment=\
"\CA\EB\E8\E5\ED\F2 \F7\E5\F0\E5\E7 TTK (BRAS)" new-routing-mark=\
route_isp_03 passthrough=yes src-address=192.168.7.46
add action=mark-routing chain=prerouting comment=\
"\CA\EB\E8\E5\ED\F2 \F7\E5\F0\E5\E7 TTK (BRAS)" new-routing-mark=\
route_isp_03 passthrough=yes src-address=192.168.7.47
add action=mark-routing chain=prerouting comment="\C2\ED\F3\F2\F0\E5\ED\ED\E8\
\E9 IP \F7\E5\F0\E5\E7 Yota (\C4\FE\E4\E8\EA)" disabled=yes \
new-routing-mark=to_yota passthrough=yes src-address=192.168.7.15
add action=mark-routing chain=prerouting comment=\
"\C2\ED\F3\F2\F0\E5\ED\ED\E8\E9 IP \F7\E5\F0\E5\E7 Yota (Amour)" \
disabled=yes new-routing-mark=to_yota passthrough=yes src-address=\
192.168.7.18
add action=mark-routing chain=prerouting comment=\
"\C2\ED\F3\F2\F0\E5\ED\ED\E8\E9 IP \F7\E5\F0\E5\E7 Yota (\CC\EE\E9)" \
disabled=yes new-routing-mark=to_yota passthrough=yes src-address=\
192.168.7.7
add action=mark-routing chain=prerouting comment=\
"\C2\ED\F3\F2\F0\E5\ED\ED\E8\E9 IP \F7\E5\F0\E5\E7 LV (\CC\EE\E9)" \
disabled=yes new-routing-mark=vpn_192_168_2_0 passthrough=yes \
src-address=192.168.7.7
add action=mark-routing chain=prerouting comment="\C2\ED\F3\F2\F0\E5\ED\ED\E8\
\E9 IP \F7\E5\F0\E5\E7 Yota (\D2\E5\F1\F2\EE\E2\FB\E9 \E1\E8\EB\EB\E8\ED\
\E3)" disabled=yes new-routing-mark=to_yota passthrough=yes src-address=\
192.168.7.39
/ip firewall nat
add action=masquerade chain=srcnat comment=Internet log-prefix=nat22 \
out-interface=!WiFi+LAN src-address=!333.333.333.0/22
add action=masquerade chain=srcnat comment=\
"\CC\E0\F1\EA\E0\F0\E0\E4 \E4\EB\FF SSTP" dst-address=192.168.7.2 \
dst-port=12443 protocol=tcp
add action=dst-nat chain=dstnat comment=SSTP dst-port=12443 log=yes \
log-prefix=sstp protocol=tcp to-addresses=192.168.7.2 to-ports=12443
add action=dst-nat chain=dstnat comment=L2TP disabled=yes dst-port=1701 \
in-interface-list=WAN protocol=udp to-addresses=192.168.7.2 to-ports=1701
add action=dst-nat chain=dstnat comment=PPtP disabled=yes dst-port=1723 \
in-interface-list=WAN log-prefix=pptp protocol=tcp to-addresses=\
192.168.7.2 to-ports=1723
add action=masquerade chain=srcnat comment="Local (\F0\E0\E7\EE\E1\F0\E0\F2\FC\
\F1\FF \F1 nat \E4\EB\FF \F1\E0\E9\F2\EE\E2)" dst-address=192.168.7.178
add action=masquerade chain=srcnat comment=OVPN dst-address=!172.16.0.254 \
out-interface=OVPN_billing
add action=masquerade chain=srcnat comment=OVPN out-interface=all-ppp
add action=masquerade chain=srcnat comment=\
"\D1\EF\E8\F1\EE\EA \D0\CA\CD (pptp)" disabled=yes out-interface=\
00.pptp-To-LV
add action=masquerade chain=srcnat comment="All Ethernet" disabled=yes \
out-interface=all-ethernet
add action=dst-nat chain=dstnat comment="WEB 80 port (WAN List)" \
dst-address-list=wan-list dst-address-type="" dst-port=80 log-prefix=www \
protocol=tcp to-addresses=192.168.7.178 to-ports=80
add action=dst-nat chain=dstnat comment=\
"WEB 8080 port (WAN List) SpeedTest server by oOkla" dst-address-list=\
wan-list dst-address-type="" dst-port=8080 log-prefix=www protocol=tcp \
to-addresses=192.168.7.178 to-ports=8080
add action=dst-nat chain=dstnat comment="WEB - 443 port (WAN List)" \
dst-address-list=wan-list dst-address-type="" dst-port=443 protocol=tcp \
to-addresses=192.168.7.178 to-ports=443
add action=dst-nat chain=dstnat comment=\
"PLEX DLNA (\C4\EE\F1\F2\F3\EF \EA \F1\E5\F0\E2\E5\F0\F3) WAN List" \
dst-address-list=wan-list dst-port=32400 protocol=tcp to-addresses=\
192.168.7.178 to-ports=32400
add action=dst-nat chain=dstnat comment="PLEX DLNA - (WAN List)" \
dst-address-list=wan-list dst-port=13099 protocol=tcp to-addresses=\
192.168.7.178 to-ports=32400
add action=dst-nat chain=dstnat comment="RDP - 3389 port (WAN List)" \
dst-address-list=wan-list dst-port=3389 protocol=tcp to-addresses=\
192.168.7.23 to-ports=3389
add action=dst-nat chain=dstnat comment="SSH - 22 port (WAN List)" \
dst-address-list=wan-list dst-port=22 protocol=tcp to-addresses=\
192.168.7.178 to-ports=22
add action=dst-nat chain=dstnat comment="FTP - 21 port (WAN List)" \
dst-address-list=wan-list dst-port=21 log-prefix=sxt protocol=tcp \
to-addresses=192.168.7.178 to-ports=21
add action=dst-nat chain=dstnat comment="Hosting management (WAN List)" \
dst-address-list=wan-list dst-port=8443 protocol=tcp to-addresses=\
192.168.7.178 to-ports=8443
add action=dst-nat chain=dstnat comment="Hosting update (WAN List)" \
dst-address-list=wan-list dst-port=8447 protocol=tcp to-addresses=\
192.168.7.178 to-ports=8447
add action=dst-nat chain=dstnat comment="IRC Server - 6667 port (WAN List)" \
dst-address-list=wan-list dst-port=6667 protocol=tcp to-addresses=\
192.168.7.178 to-ports=6667
add action=dst-nat chain=dstnat comment="SMTP - 25 port (WAN List)" \
dst-address-list=wan-list dst-port=25 protocol=tcp to-addresses=\
192.168.7.178 to-ports=25
add action=dst-nat chain=dstnat comment="POP3 - 110 port (WAN List)" \
dst-address-list=wan-list dst-port=110 protocol=tcp to-addresses=\
192.168.7.178 to-ports=110
add action=dst-nat chain=dstnat comment="WEB \C7\E0\E3\EB\F3\F8\EA\E0" \
dst-address-list=wan-list dst-port=81 protocol=tcp to-addresses=\
185.225.198.2 to-ports=81
add action=dst-nat chain=dstnat comment=robokassa_1 dst-address=\
111.111.111.111 dst-port=1444 protocol=tcp to-addresses=192.168.7.24 \
to-ports=1444
add action=dst-nat chain=dstnat comment=robokassa_2 dst-address=\
222.222.222.222 dst-port=1444 protocol=tcp to-addresses=192.168.7.24 \
to-ports=1444
add action=dst-nat chain=dstnat comment=robokassa_3 dst-address=\
444.444.444.444 dst-port=1444 protocol=tcp to-addresses=192.168.7.24 \
to-ports=1444
add action=dst-nat chain=dstnat comment=robokassassl_1 dst-address=\
111.111.111.111 dst-port=1443 protocol=tcp to-addresses=192.168.7.24 \
to-ports=1443
add action=dst-nat chain=dstnat comment=robokassassl_2 dst-address=\
111.111.111.111 dst-port=1443 protocol=tcp to-addresses=192.168.7.24 \
to-ports=1443
add action=dst-nat chain=dstnat comment=robokassassl_3 dst-address=\
444.444.444.444 dst-port=1443 protocol=tcp to-addresses=192.168.7.24 \
to-ports=1443
add action=dst-nat chain=dstnat comment=webssl_billing_1 dst-address=\
111.111.111.111 dst-port=444 protocol=tcp to-addresses=192.168.7.24 \
to-ports=443
add action=dst-nat chain=dstnat comment=webssl_billing_2 dst-address=\
222.222.222.222 dst-port=444 protocol=tcp to-addresses=192.168.7.24 \
to-ports=443
add action=dst-nat chain=dstnat comment=webssl_billing_3 dst-address=\
444.444.444.444 dst-port=444 protocol=tcp to-addresses=192.168.7.24 \
to-ports=443
add action=dst-nat chain=dstnat comment=nginxproxy1_1 dst-address=\
111.111.111.111 dst-port=7080 protocol=tcp to-addresses=192.168.7.178 \
to-ports=7080
add action=dst-nat chain=dstnat comment=nginxproxy1_2 dst-address=\
222.222.222.222 dst-port=7080 protocol=tcp to-addresses=192.168.7.178 \
to-ports=7080
add action=dst-nat chain=dstnat comment=nginxproxy1_3 dst-address=\
444.444.444.444 dst-port=7080 protocol=tcp to-addresses=192.168.7.178 \
to-ports=7080
add action=dst-nat chain=dstnat comment=nginxproxy2_1 dst-address=\
111.111.111.111 dst-port=7081 protocol=tcp to-addresses=192.168.7.178 \
to-ports=7081
add action=dst-nat chain=dstnat comment=nginxproxy2_2 dst-address=\
222.222.222.222 dst-port=7081 protocol=tcp to-addresses=192.168.7.178 \
to-ports=7081
add action=dst-nat chain=dstnat comment=nginxproxy2_3 dst-address=\
444.444.444.444 dst-port=7081 protocol=tcp to-addresses=192.168.7.178 \
to-ports=7081
add action=dst-nat chain=dstnat comment=nginxproxy3_1 dst-address=\
111.111.111.111 dst-port=8893 protocol=tcp to-addresses=192.168.7.178 \
to-ports=8893
add action=dst-nat chain=dstnat comment=nginxproxy3_2 dst-address=\
222.222.222.222 dst-port=8893 protocol=tcp to-addresses=192.168.7.178 \
to-ports=8893
add action=dst-nat chain=dstnat comment=nginxproxy3_3 dst-address=\
444.444.444.444 dst-port=8893 protocol=tcp to-addresses=192.168.7.178 \
to-ports=8893
add action=dst-nat chain=dstnat comment=nginxproxy4_1 dst-address=\
111.111.111.111 dst-port=8894 protocol=tcp to-addresses=192.168.7.178 \
to-ports=8894
add action=dst-nat chain=dstnat comment=nginxproxy4_2 dst-address=\
222.222.222.222 dst-port=8894 protocol=tcp to-addresses=192.168.7.178 \
to-ports=8894
add action=dst-nat chain=dstnat comment=nginxproxy4_3 dst-address=\
444.444.444.444 dst-port=8894 protocol=tcp to-addresses=192.168.7.178 \
to-ports=8894
add action=dst-nat chain=dstnat comment=nginxproxy5_1 dst-address=\
111.111.111.111 dst-port=8895 protocol=tcp to-addresses=192.168.7.178 \
to-ports=8895
add action=dst-nat chain=dstnat comment=nginxproxy5_2 dst-address=\
222.222.222.222 dst-port=8895 protocol=tcp to-addresses=192.168.7.178 \
to-ports=8895
add action=dst-nat chain=dstnat comment=nginxproxy5_3 dst-address=\
444.444.444.444 dst-port=8895 protocol=tcp to-addresses=192.168.7.178 \
to-ports=8895
add action=dst-nat chain=dstnat comment=web_1 disabled=yes dst-address=\
111.111.111.111 dst-port=80 protocol=tcp to-addresses=192.168.7.178 \
to-ports=80
add action=dst-nat chain=dstnat comment=web_2 disabled=yes dst-address=\
222.222.222.222 dst-port=80 protocol=tcp to-addresses=192.168.7.178 \
to-ports=80
add action=dst-nat chain=dstnat comment=web_3 disabled=yes dst-address=\
444.444.444.444 dst-port=80 protocol=tcp to-addresses=192.168.7.178 \
to-ports=80
add action=dst-nat chain=dstnat comment=web_4 disabled=yes dst-address=\
198.51.100.254 dst-port=80 protocol=tcp to-addresses=192.168.7.178 \
to-ports=80
add action=dst-nat chain=dstnat comment=webssl_1 disabled=yes dst-address=\
111.111.111.111 dst-port=443 protocol=tcp to-addresses=192.168.7.178 \
to-ports=443
add action=dst-nat chain=dstnat comment=webssl_2 disabled=yes dst-address=\
222.222.222.222 dst-port=443 protocol=tcp to-addresses=192.168.7.178 \
to-ports=443
add action=dst-nat chain=dstnat comment=webssl_3 disabled=yes dst-address=\
444.444.444.444 dst-port=443 protocol=tcp to-addresses=192.168.7.178 \
to-ports=443
add action=dst-nat chain=dstnat comment=webssl_4 disabled=yes dst-address=\
198.51.100.254 dst-port=443 protocol=tcp to-addresses=192.168.7.178 \
to-ports=443
add action=dst-nat chain=dstnat comment=pop3_1 disabled=yes dst-address=\
111.111.111.111 dst-port=110 protocol=tcp to-addresses=192.168.7.178 \
to-ports=110
add action=dst-nat chain=dstnat comment=pop3_2 disabled=yes dst-address=\
222.222.222.222 dst-port=110 protocol=tcp to-addresses=192.168.7.178 \
to-ports=110
add action=dst-nat chain=dstnat comment=pop3_3 disabled=yes dst-address=\
444.444.444.444 dst-port=110 protocol=tcp to-addresses=192.168.7.178 \
to-ports=110
add action=dst-nat chain=dstnat comment=smtp_1 disabled=yes dst-address=\
111.111.111.111 dst-port=25 protocol=tcp to-addresses=192.168.7.178 \
to-ports=25
add action=dst-nat chain=dstnat comment=smtp_2 disabled=yes dst-address=\
222.222.222.222 dst-port=25 protocol=tcp to-addresses=192.168.7.178 \
to-ports=25
add action=dst-nat chain=dstnat comment=smtp_3 disabled=yes dst-address=\
444.444.444.444 dst-port=25 protocol=tcp to-addresses=192.168.7.178 \
to-ports=25
add action=dst-nat chain=dstnat comment=irc_1 disabled=yes dst-address=\
111.111.111.111 dst-port=6667 protocol=tcp to-addresses=192.168.7.178 \
to-ports=6667
add action=dst-nat chain=dstnat comment=irc_2 disabled=yes dst-address=\
222.222.222.222 dst-port=6667 protocol=tcp to-addresses=192.168.7.178 \
to-ports=6667
add action=dst-nat chain=dstnat comment=irc_3 disabled=yes dst-address=\
444.444.444.444 dst-port=6667 protocol=tcp to-addresses=192.168.7.178 \
to-ports=6667
add action=dst-nat chain=dstnat comment=hosting_1 disabled=yes dst-address=\
111.111.111.111 dst-port=8443 protocol=tcp to-addresses=192.168.7.178 \
to-ports=8443
add action=dst-nat chain=dstnat comment=hosting_2 disabled=yes dst-address=\
222.222.222.222 dst-port=8443 protocol=tcp to-addresses=192.168.7.178 \
to-ports=8443
add action=dst-nat chain=dstnat comment=hosting_3 disabled=yes dst-address=\
444.444.444.444 dst-port=8443 protocol=tcp to-addresses=192.168.7.178 \
to-ports=8443
add action=dst-nat chain=dstnat comment=hosting_update_1 disabled=yes \
dst-address=111.111.111.111 dst-port=8447 protocol=tcp to-addresses=\
192.168.7.178 to-ports=8447
add action=dst-nat chain=dstnat comment=hosting_update_2 disabled=yes \
dst-address=222.222.222.222 dst-port=8447 protocol=tcp to-addresses=\
192.168.7.178 to-ports=8447
add action=dst-nat chain=dstnat comment=hosting_update_3 disabled=yes \
dst-address=444.444.444.444 dst-port=8447 protocol=tcp to-addresses=\
192.168.7.178 to-ports=8447
add action=dst-nat chain=dstnat comment=ssh_1 disabled=yes dst-address=\
111.111.111.111 dst-port=22 protocol=tcp to-addresses=192.168.7.178 \
to-ports=22
add action=dst-nat chain=dstnat comment=ssh_2 disabled=yes dst-address=\
222.222.222.222 dst-port=22 protocol=tcp to-addresses=192.168.7.178 \
to-ports=22
add action=dst-nat chain=dstnat comment=ssh_3 disabled=yes dst-address=\
444.444.444.444 dst-port=22 protocol=tcp to-addresses=192.168.7.178 \
to-ports=22
add action=dst-nat chain=dstnat comment=ftp_1 disabled=yes dst-address=\
111.111.111.111 dst-port=21 log-prefix=sxt protocol=tcp to-addresses=\
192.168.7.178 to-ports=21
add action=dst-nat chain=dstnat comment=ftp_2 disabled=yes dst-address=\
222.222.222.222 dst-port=21 protocol=tcp to-addresses=192.168.7.178 \
to-ports=21
add action=dst-nat chain=dstnat comment=ftp_3 disabled=yes dst-address=\
444.444.444.444 dst-port=21 protocol=tcp to-addresses=192.168.7.178 \
to-ports=21
add action=dst-nat chain=dstnat comment=plex_1 disabled=yes dst-address=\
111.111.111.111 dst-port=13099 protocol=tcp to-addresses=192.168.7.178 \
to-ports=32400
add action=dst-nat chain=dstnat comment=plex_2 disabled=yes dst-address=\
222.222.222.222 dst-port=13099 protocol=tcp to-addresses=192.168.7.178 \
to-ports=32400
add action=dst-nat chain=dstnat comment=plex_3 disabled=yes dst-address=\
444.444.444.444 dst-port=13099 protocol=tcp to-addresses=192.168.7.178 \
to-ports=32400
add action=dst-nat chain=dstnat comment=plexint_1 disabled=yes dst-address=\
111.111.111.111 dst-port=32400 protocol=tcp to-addresses=192.168.7.178 \
to-ports=32400
add action=dst-nat chain=dstnat comment=plexint_2 disabled=yes dst-address=\
222.222.222.222 dst-port=32400 protocol=tcp to-addresses=192.168.7.178 \
to-ports=32400
add action=dst-nat chain=dstnat comment=plexint_3 disabled=yes dst-address=\
444.444.444.444 dst-port=32400 protocol=tcp to-addresses=192.168.7.178 \
to-ports=32400
add action=dst-nat chain=dstnat comment=web_billing_1 disabled=yes \
dst-address=111.111.111.111 dst-port=81 protocol=tcp to-addresses=\
192.168.7.24 to-ports=80
add action=dst-nat chain=dstnat comment=web_billing_2 disabled=yes \
dst-address=222.222.222.222 dst-port=81 protocol=tcp to-addresses=\
192.168.7.24 to-ports=80
add action=dst-nat chain=dstnat comment=web_billing_3 disabled=yes \
dst-address=444.444.444.444 dst-port=81 protocol=tcp to-addresses=\
192.168.7.24 to-ports=80
/ip firewall raw
add action=accept chain=prerouting protocol=gre
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
10m chain=detect-ddos comment="Detect DDoS"
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
10m chain=detect-ddos
add action=drop chain=prerouting src-address-list=ddoser
add action=drop chain=prerouting src-address-list=port_scanners
add action=add-src-to-address-list address-list=dnsflood \
address-list-timeout=1h chain=prerouting comment=\
"DNS flood protect (WAN List)" dst-port=53 in-interface-list=WAN \
protocol=udp
add action=drop chain=prerouting src-address=!198.51.100.0/24 \
src-address-list=dnsflood
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=1h chain=input comment="Port scanners to list" \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=1h chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=1h chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=1h chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=1h chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=port_scanners \
address-list-timeout=1h chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
при замене на dst-address заработало, я же говорю, что-то не понятное идёт, часть src-address приходится менять на dst-addressip fi nat add chain=srcnat src-address=333.333.333.0/22 action=accept
Жесть какая-то. Что значит "приходится"? Сам же отвечу: значит, что-то где-то непредсказуемо настроено Когда что-то делаешь со своей конфигурацией, неплохо бы понимать, что именно делаешь. Плохо, когда конфигурация заставляет тебя без понимания делать какую-то ересьSir_Prikol писал(а): ↑29 окт 2018, 14:56при замене на dst-address заработало, я же говорю, что-то не понятное идёт, часть src-address приходится менять на dst-addressip fi nat add chain=srcnat src-address=333.333.333.0/22 action=accept
Там ProxyARP везде выключен? %) Если да - тогда похоже на то, что Firewall Filter мешает. Из кусков конфига не понятно, что там за такие "to_tor" и когда они могут помешать.Sir_Prikol писал(а): ↑29 окт 2018, 14:56 По основной проблеме, выяснилось следующее, с сети 192.168.2.0/24 пингуются ТОЛЬКО IP на интерфейсах, ни один IP на бридже не пингуется.
Специально создал отдельный бридж, навесил на него IP и проверил, как только тот-же IP сменил с бриджа на интерфейс (любой на RB3011) то пинг пошёл.
Смотреть, куда и в каком виде летит пакет пинга. Третий раз уже в пустоту советую, больше не буду.Sir_Prikol писал(а): ↑29 окт 2018, 14:56 По основной проблеме, выяснилось следующее, с сети 192.168.2.0/24 пингуются ТОЛЬКО IP на интерфейсах, ни один IP на бридже не пингуется.
Настройки снифера остались за кадром, поэтому по существу комментировать, увы, нечего.Sir_Prikol писал(а): ↑29 окт 2018, 14:56 Пойду немного покурю мануалы по бриджам в микротике. Сниффер, при трейсе и пинге на бриджевые IP адреса - молчит как швед под Полтавой.
А это как поможет?..
Код: Выделить всё
ping 192.168.7.178 interface=bridge
SEQ HOST SIZE TTL TIME STATUS
0 192.168.7.178 56 63 56ms
1 192.168.7.178 56 63 56ms
2 192.168.7.178 56 63 56ms
3 192.168.7.178 56 63 56ms
4 192.168.7.178 56 63 56ms
5 192.168.7.178 56 63 56ms
6 192.168.7.178 56 63 56ms
7 192.168.7.178 56 63 56ms
8 192.168.7.178 56 63 56ms
sent=9 received=9 packet-loss=0% min-rtt=56ms avg-rtt=56ms max-rtt=56ms
К счастью я свою конфигурацию понимаю, а вот эти моменты dst-address и src-address пошли с одного обновления и именно косякнули на RB3011, саппорт развёл руками и предложил откатиться. Я тогда ещё весь принцип работы переделывал, ибо работало и перестало (Уже в какой-то теме писал об этои)Жесть какая-то. Что значит "приходится"? Сам же отвечу: значит, что-то где-то непредсказуемо настроено