До обновления на последнюю ROS всё работало как часики, пинговались все аплинки одновременно и нормально работал dst-nat
После обновления начались глюки. Сначала перестали пинговаться все аплинки одновременно (это решилось добавлением route rules), но...
Перестал нормально работать dst-nat. Работает только с одного аплинка, по логам вижу, что пакет прилетает на нужный интерфейс, а дальше тишина. Такое ощущение, что после ната он обратно выходит только через один интерфейс, соответственно, соединение рвётся
И второй глюк, на проводе перестала работать балансировка каналов, хотя на WiFi она пашет (проверялось торрентом, на комп с WiFi тащит через все аплинки, на комп по проводу - тащит только через первый аплинк)
Конфа
mangle
# Mangle table: MSS clamping for the two PPPoE uplinks, policy-routing marks for
# special destinations, ingress-uplink connection marks, and per-connection-classifier
# (PCC) balancing across three uplinks. Rule order is significant throughout.
/ip firewall mangle
# Disabled TTL increment in prerouting.
add action=change-ttl chain=prerouting comment="Ubiraem chast seti ot provaidera" disabled=yes new-ttl=increment:1 passthrough=yes
# The two disabled "accept" rules around this group only act as visual banners.
add action=accept chain=forward comment="################## Change MSS for PPPoE #############" disabled=yes
# Clamp the MSS of forwarded TCP SYNs entering or leaving either PPPoE uplink.
add action=change-mss chain=forward in-interface=00.pppoe-ISP01 log-prefix=pppoe1 new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1300-65535
add action=change-mss chain=forward in-interface=00.pppoe-ISP02 log-prefix=pppoe2 new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1300-65535
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=00.pppoe-ISP01 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1300-65535
add action=change-mss chain=forward log-prefix=pppoe2 new-mss=clamp-to-pmtu out-interface=00.pppoe-ISP02 passthrough=yes protocol=tcp tcp-flags=syn tcp-mss=1300-65535
add action=accept chain=forward comment="############## End Change MSS for PPPoE #########" disabled=yes
# LAN traffic to the Dostup_iz_lokalki list is accepted here, so no later
# prerouting rule marks it.
add action=accept chain=prerouting comment="Dostup iz 7.0 v ostaljnye seti (192.168.2.0/24)" dst-address-list=Dostup_iz_lokalki in-interface=WiFi+LAN log-prefix=Hrjundel
# Traffic from list "ddoser" to list "ddosed" gets ddoser-route-mark; the /ip route
# section of this post has a blackhole route for that mark.
add action=mark-routing chain=prerouting dst-address-list=ddosed new-routing-mark=ddoser-route-mark passthrough=no src-address-list=ddoser
# Outbound SMTP (tcp/25) from the LAN is pinned to route_isp_01.
add action=mark-routing chain=prerouting comment="Email cherez ISP1" dst-port=25 in-interface=WiFi+LAN log-prefix=email new-routing-mark=route_isp_01 passthrough=no protocol=tcp
# Destinations in blocked-addr are routed via the vpn_lv mark.
add action=mark-routing chain=prerouting comment="Chastj saitov cherez Latviju" dst-address-list=blocked-addr log-prefix=tor new-routing-mark=vpn_lv passthrough=no
# Packets to these internal destinations are accepted, which ends mangle
# prerouting processing for them: none of the rules below apply to them.
add action=accept chain=prerouting dst-address=192.168.0.0/24
add action=accept chain=prerouting dst-address=192.168.2.0/24
add action=accept chain=prerouting dst-address=192.168.7.0/24
add action=accept chain=prerouting dst-address=192.168.88.0/24
add action=accept chain=prerouting dst-address=198.51.100.1
add action=accept chain=prerouting dst-address=172.16.0.0/24
add action=accept chain=prerouting dst-address=172.16.1.0/24
add action=accept chain=prerouting dst-address=172.16.253.0/24
# NOTE(review): the mark-routing rules for 192.168.88.0/24, 172.16.0.0/24 and
# 172.16.253.0/24 come after an accept for the same destination above, so as
# ordered they look unreachable; only the 172.30.0.0/22 rule has no earlier
# accept. Confirm with the rule counters.
add action=mark-routing chain=prerouting comment=60GHz dst-address=192.168.88.0/24 new-routing-mark=to_60ghz passthrough=no
add action=mark-routing chain=prerouting comment="Seroe soedinenie s udalennymi ruterami" dst-address=172.16.0.0/24 new-routing-mark=to_billing_vpn passthrough=no
add action=mark-routing chain=prerouting comment="Seroe soedinenie s udalennymi ruterami" dst-address=172.30.0.0/22 new-routing-mark=to_client passthrough=no
add action=mark-routing chain=prerouting comment="Public network" dst-address=172.16.253.0/24 new-routing-mark=to_misha passthrough=no
# Ingress-uplink connection marks for NEW connections, chain=input only, i.e.
# connections addressed to the router itself.
add action=mark-connection chain=input comment=PCC connection-state=new in-interface=00.pppoe-ISP01 log-prefix=pppoe1 new-connection-mark=conn_isp_01 passthrough=yes
add action=mark-connection chain=input connection-state=new in-interface=00.pppoe-ISP02 log-prefix=pppoe2 new-connection-mark=conn_isp_02 passthrough=yes
add action=mark-connection chain=input connection-state=new in-interface=03.ISP_03 new-connection-mark=conn_isp_03 passthrough=yes
add action=mark-connection chain=input connection-state=new in-interface="04.ISP_04(SXT)" new-connection-mark=conn_backup passthrough=yes
# In prerouting only connection-state=related is marked per uplink.
# NOTE(review): a new connection that arrives on an uplink and is then dst-nat'ed
# to an internal host is forwarded, not delivered to chain=input, and no rule
# here marks it by ingress interface. Its replies are therefore not tied to the
# uplink it came in on, which matches the reported dst-nat symptom; confirm in
# connection tracking.
add action=mark-connection chain=prerouting connection-state=related in-interface=00.pppoe-ISP01 log-prefix=pppoe1 new-connection-mark=conn_isp_01 passthrough=yes
add action=mark-connection chain=prerouting connection-state=related in-interface=00.pppoe-ISP02 log-prefix=pppoe2 new-connection-mark=conn_isp_02 passthrough=yes
add action=mark-connection chain=prerouting connection-state=related in-interface=03.ISP_03 new-connection-mark=conn_isp_03 passthrough=yes
add action=mark-connection chain=prerouting connection-state=related in-interface="04.ISP_04(SXT)" new-connection-mark=conn_backup passthrough=yes
# Router-originated packets (chain=output) take the routing mark that matches
# their connection mark.
add action=mark-routing chain=output connection-mark=conn_isp_01 log-prefix=pppoe1 new-routing-mark=route_isp_01 passthrough=yes
add action=mark-routing chain=output connection-mark=conn_isp_02 log-prefix=pppoe2 new-routing-mark=route_isp_02 passthrough=yes
add action=mark-routing chain=output connection-mark=conn_isp_03 new-routing-mark=route_isp_03 passthrough=yes
add action=mark-routing chain=output connection-mark=conn_backup new-routing-mark=route_backup passthrough=yes
# PCC: sources in address list BOGONS going to non-local destinations are split
# into three buckets by a hash of both addresses.
# NOTE(review): these rules have no connection-mark=no-mark or connection-state
# condition, so they run for every matching packet and can replace a mark set
# earlier. The contents of BOGONS are not shown; presumably it holds the LAN
# ranges that should be balanced. A wired host missing from that list would
# not be balanced (TODO confirm).
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=IT39_PCC_1 passthrough=yes per-connection-classifier=both-addresses:3/0 src-address-list=BOGONS
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=IT39_PCC_2 passthrough=yes per-connection-classifier=both-addresses:3/1 src-address-list=BOGONS
add action=mark-connection chain=prerouting dst-address-type=!local new-connection-mark=IT39_PCC_3 passthrough=yes per-connection-classifier=both-addresses:3/2 src-address-list=BOGONS
# Each PCC connection mark selects the routing table of the same number.
add action=mark-routing chain=prerouting connection-mark=IT39_PCC_1 new-routing-mark=IT39_1 passthrough=yes src-address-list=BOGONS
add action=mark-routing chain=prerouting connection-mark=IT39_PCC_2 new-routing-mark=IT39_2 passthrough=yes src-address-list=BOGONS
add action=mark-routing chain=prerouting connection-mark=IT39_PCC_3 new-routing-mark=IT39_3 passthrough=yes src-address-list=BOGONS
# Any connection still unmarked at this point is tagged "oTher".
add action=mark-connection chain=prerouting connection-mark=no-mark new-connection-mark=oTher passthrough=yes
# Last rule: everything from 192.168.7.29 gets route_isp_01, replacing any
# routing mark assigned by the PCC rules above.
add action=mark-routing chain=prerouting comment="SIP cherez ISP1" log-prefix=phone new-routing-mark=route_isp_01 passthrough=yes src-address=192.168.7.29
# Routing tables: one blackhole table, several policy tables selected by routing
# mark, three balanced tables (IT39_1..3) and the main table.
/ip route
# Sink for traffic marked ddoser-route-mark.
add distance=1 routing-mark=ddoser-route-mark type=blackhole
add check-gateway=ping distance=1 gateway=192.168.2.1 pref-src=192.168.2.2 routing-mark=vpn_lv
add distance=1 dst-address=192.168.88.0/24 gateway=03.ISP_03 pref-src=192.168.88.1 routing-mark=to_60ghz scope=10
add distance=1 dst-address=172.30.0.0/22 gateway=WiFi+LAN routing-mark=to_client scope=10
add check-gateway=ping comment=BACKUP distance=1 gateway=198.51.100.1 routing-mark=route_backup
# Tables IT39_1..3: each prefers a different uplink at distance=1 and falls back
# through the other two, then the BACKUP gateway at distance=4.
# NOTE(review): check-gateway=arp is set on routes whose gateway is a PPPoE
# interface; a point-to-point link presumably gives ARP nothing to probe, so
# confirm that these routes really go inactive when the uplink fails.
add check-gateway=arp distance=1 gateway=00.pppoe-ISP01 routing-mark=IT39_1
add check-gateway=arp distance=2 gateway=00.pppoe-ISP02 routing-mark=IT39_1
add check-gateway=arp distance=3 gateway=217.150.47.186%03.ISP_03 routing-mark=IT39_1
add check-gateway=arp comment=BACKUP distance=4 gateway=198.51.100.1 routing-mark=IT39_1
add check-gateway=arp distance=1 gateway=00.pppoe-ISP02 routing-mark=IT39_2
add check-gateway=arp distance=2 gateway=217.150.47.186%03.ISP_03 routing-mark=IT39_2
add check-gateway=arp distance=3 gateway=00.pppoe-ISP01 routing-mark=IT39_2
add check-gateway=arp comment=BACKUP distance=4 gateway=198.51.100.1 routing-mark=IT39_2
add check-gateway=arp distance=1 gateway=217.150.47.186%03.ISP_03 routing-mark=IT39_3
add check-gateway=arp distance=2 gateway=00.pppoe-ISP01 routing-mark=IT39_3
add check-gateway=arp distance=3 gateway=00.pppoe-ISP02 routing-mark=IT39_3
add check-gateway=arp comment=BACKUP distance=4 gateway=198.51.100.1 routing-mark=IT39_3
add distance=1 dst-address=192.168.2.0/24 gateway=EoIP_UNBLOCK pref-src=192.168.2.2 routing-mark=to_ovpn_lv scope=10
# Main table default routes. Five of them share distance=1 (two of those point at
# 00.pppoe-ISP01 with different check-gateway modes), followed by distance 2-4.
# NOTE(review): which equal-distance route is active is not evident from the
# config; unmarked traffic, including replies to dst-nat'ed connections that
# carry no routing mark, follows whichever one wins. Check the active flags in
# `/ip route print`.
add check-gateway=arp distance=1 gateway=00.pppoe-ISP01
add check-gateway=ping distance=1 gateway=217.150.47.186%03.ISP_03
add check-gateway=ping distance=1 gateway="04.ISP_04(SXT)"
add check-gateway=ping distance=1 gateway=00.pppoe-ISP01
add check-gateway=ping distance=1 gateway=00.pppoe-ISP02
add check-gateway=arp distance=2 gateway=00.pppoe-ISP02
add check-gateway=arp distance=3 gateway=198.51.100.1
add check-gateway=arp distance=4 gateway=217.150.47.186%03.ISP_03
# Host and connected-network routes in the main table.
add distance=1 dst-address=149.154.167.220/32 gateway=EoIP_UNBLOCK
add distance=1 dst-address=198.51.100.0/24 gateway=198.51.100.1 pref-src=198.51.100.254 scope=10
add distance=1 dst-address=217.150.47.186/32 gateway=03.ISP_03 pref-src=217.150.47.185
# Policy-routing rules: map routing marks to tables and refuse routing between
# selected source networks and 172.16.253.0/24.
/ip route rule
# Lookups for this single host on EoIP_UNBLOCK are confined to the main table.
add action=lookup-only-in-table comment="telegram" dst-address=149.154.167.220/32 interface=EoIP_UNBLOCK table=main
# route_isp_0N marks are resolved only in table IT39_N; lookup-only-in-table
# means there is no fallback to main if that table has no usable route.
add action=lookup-only-in-table routing-mark=route_isp_01 table=IT39_1
add action=lookup-only-in-table routing-mark=route_isp_02 table=IT39_2
add action=lookup-only-in-table routing-mark=route_isp_03 table=IT39_3
# Routing lookups from the listed sources to 172.16.253.0/24 are dropped.
# NOTE(review): this is isolation at the routing-policy layer, matched on
# src/dst address only. Whether the firewall filter table also enforces it is
# not shown on this page; confirm, since a packet that already carries a
# routing mark may not reach these rules.
add action=drop comment="block acces to LAN" dst-address=172.16.253.0/24 src-address=10.90.90.0/24
add action=drop comment="block acces to LAN" dst-address=172.16.253.0/24 src-address=192.168.0.0/24
add action=drop comment="block acces to LAN" dst-address=172.16.253.0/24 src-address=192.168.7.0/24
add action=drop comment="block acces to LAN" dst-address=172.16.253.0/24 src-address=172.16.1.0/24
add action=drop comment="block acces to LAN" dst-address=172.16.253.0/24 src-address=192.168.88.0/24
add action=drop comment="block acces to LAN" dst-address=172.16.253.0/24 src-address=172.16.30.0/24
add action=drop comment="block acces to LAN" dst-address=172.16.253.0/24 src-address=172.16.251.0/24
# NAT table: one source-NAT rule for outbound traffic and a set of port forwards
# to internal hosts 192.168.7.178 and 192.168.7.23.
/ip firewall nat
# Masquerades traffic leaving through ANY interface other than WiFi+LAN, so
# tunnel and inter-site interfaces are covered as well as the ISP uplinks.
# NOTE(review): confirm that hiding source addresses on the tunnels is intended.
add action=masquerade chain=srcnat comment=Internet log-prefix=nat22 out-interface=!WiFi+LAN
# Port forwards for destinations in address list wan-list.
# NOTE(review): none of these rules has a src-address or src-address-list
# matcher, so each forwarded port is open to any source unless the filter table
# (not shown on this page) restricts it. RDP 3389, SSH 22, FTP 21 and the
# hosting-management ports 8443/8447/8880 are the ones most worth limiting to a
# source address list or moving behind the VPN.
add action=dst-nat chain=dstnat comment="WEB (WAN List)" dst-address-list=wan-list dst-port=80,443 log-prefix=web protocol=tcp to-addresses=192.168.7.178
add action=dst-nat chain=dstnat comment="MAIL (WAN List)" dst-address-list=wan-list dst-port=25,110,143,465,993,995 protocol=tcp to-addresses=192.168.7.178
# Both 13099 and 32400 are translated to port 32400 on the target.
add action=dst-nat chain=dstnat comment="PLEX DLNA WAN List" dst-address-list=wan-list dst-port=13099,32400 protocol=tcp to-addresses=192.168.7.178 to-ports=32400
add action=dst-nat chain=dstnat comment="Hosting management (WAN List)" dst-address-list=wan-list dst-port=8443,8447,8880 protocol=tcp to-addresses=192.168.7.178
# The only forward that targets 192.168.7.23.
add action=dst-nat chain=dstnat comment="RDP - 3389 port (WAN List)" dst-address-list=wan-list dst-port=3389 protocol=tcp to-addresses=192.168.7.23 to-ports=3389
add action=dst-nat chain=dstnat comment="SSH - 22 port (WAN List)" dst-address-list=wan-list dst-port=22 log-prefix=ssh protocol=tcp to-addresses=192.168.7.178 to-ports=22
# FTP control channel only; credentials and data travel in cleartext on tcp/21.
add action=dst-nat chain=dstnat comment="FTP - 21 port (WAN List)" dst-address-list=wan-list dst-port=21 log-prefix=sxt protocol=tcp to-addresses=192.168.7.178 to-ports=21
add action=dst-nat chain=dstnat comment="Statistika" dst-address-list=wan-list dst-port=8083 protocol=tcp to-addresses=192.168.7.178 to-ports=8083
add action=dst-nat chain=dstnat comment="IRC Server - 6667 port (WAN List)" dst-address-list=wan-list dst-port=6667 protocol=tcp to-addresses=192.168.7.178 to-ports=6667