Есть Mikrotik 3011 и три провайдера со статическими адресами. Интернет есть, микротик доступен со всех трёх адресов, работает адрес-лист, направляющий конкретных пользователей на определённого провайдера. Не работает проброс портов, хоть ты тресни. У меня идеи закончились.
ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; defconf
10.171.1.1/24 10.171.1.0 ether4
1 87.xxx.xx.154/30 87.xxx.xx.152 ISP1
2 87.xxx.xx.6/30 87.xxx.xx.4 ISP2
3 188.x.xxx.232/25 188.x.xxx.128 ISP3
ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 S dst-address=0.0.0.0/0 gateway=87.xxx.xx.5 gateway-status=87.xxx.xx.5 unreachable distance=1 scope=30 target-scope=10 routing-mark=ISP2-route
1 S dst-address=0.0.0.0/0 gateway=87.xxx.xx.153 gateway-status=87.xxx.xx.153 unreachable distance=1 scope=30 target-scope=10 routing-mark=ISP1-route
2 S dst-address=0.0.0.0/0 gateway=ISP1 gateway-status=ISP1 unreachable distance=1 scope=30 target-scope=10 routing-mark=cpecial_user
3 A S dst-address=0.0.0.0/0 gateway=188.x.xxx.129 gateway-status=188.x.xxx.129 reachable via ISP3 distance=1 scope=30 target-scope=10
4 S dst-address=0.0.0.0/0 gateway=8.8.8.8 gateway-status=8.8.8.8 unreachable check-gateway=ping distance=1 scope=30 target-scope=10
5 S dst-address=0.0.0.0/0 gateway=8.8.4.4 gateway-status=8.8.4.4 unreachable check-gateway=ping distance=2 scope=30 target-scope=10
6 S dst-address=0.0.0.0/0 gateway=77.88.8.8 gateway-status=77.88.8.8 recursive via 188.x.xxx.129 ISP3 check-gateway=ping distance=3 scope=30 target-scope=10
7 S dst-address=8.8.4.4/32 gateway=87.xxx.xx.5 gateway-status=87.xxx.xx.5 unreachable distance=1 scope=10 target-scope=10
8 S dst-address=8.8.8.8/32 gateway=87.xxx.xx.153 gateway-status=87.xxx.xx.153 unreachable distance=1 scope=10 target-scope=10
9 ADC dst-address=10.171.1.0/24 pref-src=10.171.1.1 gateway=ether4 gateway-status=ether4 reachable distance=0 scope=10
10 A S dst-address=77.88.8.8/32 gateway=188.x.xxx.129 gateway-status=188.x.xxx.129 reachable via ISP3 distance=1 scope=10 target-scope=10
11 DC dst-address=87.xxx.xx.4/30 pref-src=87.xxx.xx.6 gateway=ISP2 gateway-status=ISP2 unreachable distance=255 scope=10
12 DC dst-address=87.xxx.xx.152/30 pref-src=87.xxx.xx.154 gateway=ISP1 gateway-status=ISP1 unreachable distance=255 scope=10
13 ADC dst-address=188.x.xxx.128/25 pref-src=188.x.xxx.232 gateway=ISP3 gateway-status=ISP3 reachable distance=0 scope=10
0 ;;; 1.1. Forward and Input Established and Related connections
chain=forward action=accept connection-state=established,related log=no log-prefix=""
1 chain=forward action=drop connection-state=invalid log=no log-prefix=""
2 chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
3 chain=input action=accept connection-state=established,related log=no log-prefix=""
4 chain=input action=drop connection-state=invalid log=no log-prefix=""
5 ;;; 1.2. DDoS Protect - Connection Limit
chain=input action=add-src-to-address-list connection-limit=100,32 protocol=tcp address-list=ddos-blacklist address-list-timeout=1d in-interface-list=WAN log=no
log-prefix=""
6 chain=input action=tarpit connection-limit=3,32 protocol=tcp src-address-list=ddos-blacklist log=no log-prefix=""
7 ;;; 1.3. DDoS Protect - SYN Flood
chain=forward action=jump jump-target=SYN-Protect tcp-flags=syn connection-state=new protocol=tcp log=no log-prefix=""
8 chain=input action=jump jump-target=SYN-Protect tcp-flags=syn connection-state=new protocol=tcp in-interface-list=WAN log=no log-prefix=""
9 chain=SYN-Protect action=return tcp-flags=syn connection-state=new protocol=tcp limit=200,5:packet log=no log-prefix=""
10 chain=SYN-Protect action=drop tcp-flags=syn connection-state=new protocol=tcp log=no log-prefix=""
11 ;;; 1.4. Protected - Ports Scanners
chain=input action=drop src-address-list=Port Scanners log=no log-prefix=""
12 chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port Scanners address-list-timeout=none-dynamic in-interface-list=WAN log=no
log-prefix=""
13 ;;; 1.5. Protected - WinBox Access
chain=input action=drop src-address-list=Black List Winbox
14 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=Winbox Stage 3 address-list=Black List Winbox
address-list-timeout=none-dynamic in-interface-list=WAN dst-port=8291 log=yes log-prefix="BLACK WINBOX"
15 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=Winbox Stage 2 address-list=Winbox Stage 3 address-list-timeout=1m
in-interface-list=WAN dst-port=8291
16 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=Winbox Stage 1 address-list=Winbox Stage 2 address-list-timeout=1m
in-interface-list=WAN dst-port=8291
17 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=Winbox Stage 1 address-list-timeout=1m in-interface-list=WAN dst-port=8291
18 chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=8291
19 ;;; 1.6. Protected - OpenVPN Connections
chain=input action=drop src-address-list=Black List OpenVPN log=no log-prefix=""
20 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=OpenVPN Stage 3 address-list=Black List OpenVPN
address-list-timeout=none-dynamic in-interface-list=WAN dst-port=1194 log=yes log-prefix="BLACK OVPN"
21 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=OpenVPN Stage 2 address-list=OpenVPN Stage 3 address-list-timeout=1m
in-interface-list=WAN dst-port=1194 log=no log-prefix=""
22 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=OpenVPN Stage 1 address-list=OpenVPN Stage 2 address-list-timeout=1m
in-interface-list=WAN dst-port=1194 log=no log-prefix=""
23 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=OpenVPN Stage 1 address-list-timeout=1m in-interface-list=WAN dst-port=1194
log=no log-prefix=""
24 chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=1194 log=no log-prefix=""
25 ;;; 1.8. Access Normal Ping
chain=input action=accept protocol=icmp in-interface-list=WAN limit=50/5s,2:packet log=no log-prefix=""
26 ;;; 1.9. Drop All Other
chain=input action=drop in-interface-list=WAN log=no log-prefix=""
27 ;;; Reject MS Telemetry
chain=forward action=reject reject-with=icmp-network-unreachable dst-address-list=MStelemetry
ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=mark-connection new-connection-mark=in_ISP1_for in-interface=ISP1
1 chain=prerouting action=mark-routing new-routing-mark=ISP1 src-address=10.171.1.0/24 connection-mark=in_ISP1_for
2 chain=forward action=mark-connection new-connection-mark=in_ISP2_for in-interface=ISP2
3 chain=prerouting action=mark-routing new-routing-mark=ISP2 src-address=10.171.1.0/24 connection-mark=in_ISP2_for
4 chain=forward action=mark-connection new-connection-mark=in_ISP3_for in-interface=ISP3
5 chain=prerouting action=mark-routing new-routing-mark=ISP3 src-address=10.171.1.0/24 connection-mark=in_ISP3_for
6 chain=input action=mark-connection new-connection-mark=in_ISP3 passthrough=yes in-interface=ISP3 log=no log-prefix=""
7 chain=input action=mark-connection new-connection-mark=in_ISP2 in-interface=ISP2
8 chain=input action=mark-connection new-connection-mark=in_ISP1 in-interface=ISP1
9 chain=output action=mark-routing new-routing-mark=ISP3-route connection-mark=in_ISP3
10 chain=output action=mark-routing new-routing-mark=ISP2-route connection-mark=in_ISP2
11 chain=output action=mark-routing new-routing-mark=ISP1-route connection-mark=in_ISP1
12 ;;; Routing special users
chain=prerouting action=mark-routing new-routing-mark=cpecial_user passthrough=yes src-address-list=special users log=no log-prefix=""
ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface-list=WAN
1 ;;; RDP
chain=dstnat action=dst-nat to-addresses=10.171.1.111 to-ports=3389 protocol=tcp in-interface-list=WAN dst-port=3389 log=yes log-prefix=""