
Проблем с masquerade


gkk

Въпрос

Здравейте, 

Имам проблем с рутер rb2004, имам 4 мрежи... 3 от тях имат интернет, мрежата за гости няма. Топология rb2004->cisco managed switch->unifi ap-> 3 мрежи, 2 имат интернет 3-тата няма... получавам ip адрес от рутера по dhcp, имам ping, но нямам постъпили пакети в правилото за nat. Моля за помощ. 

interface/bridge export

# oct/24/2022 13:45:43 by RouterOS 7.4
# software id = 1FV8-28MX
#
# model = CCR2004-16G-2S+
# serial number
# One VLAN-aware bridge: access ports are assigned a PVID, the trunks (ether11,
# ether12, sfp-sfpplus2) carry tagged VLANs, and br1 itself is tagged in every
# VLAN so the router-side vlanNN interfaces on br1 can terminate them.
/interface bridge
# protocol-mode=none turns (R)STP off on br1; with two trunks (ether11, ether12)
# towards the switch, loop protection has to come from the switch side — confirm.
# arp=proxy-arp makes the router answer ARP for addresses outside the local
# segment; NOTE(review): confirm this is wanted, plain inter-VLAN routing does
# not need it.
add arp=proxy-arp name=br1 protocol-mode=none vlan-filtering=yes
/interface bridge port
# Access ports. admit-only-untagged-and-priority-tagged rejects tagged frames on
# edge ports, so a client cannot pick its own VLAN with a tag (VLAN-hopping
# hardening). ether5-ether10 -> VLAN 50 (office), ether13-ether16 -> VLAN 100
# (security).
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=50
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether6 pvid=50
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether7 pvid=50
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether8 pvid=50
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether9 pvid=50
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether10 pvid=50
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether13 pvid=100
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether14 pvid=100
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether15 pvid=100
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether16 pvid=100
# NOTE(review): vlan49-mngmt is a bridge port here (pvid=49) and, per the
# /ip address export, is also the interface holding 192.168.49.1/24 — confirm
# this double role is intended.
add bridge=br1 interface=vlan49-mngmt pvid=49
# Trunks towards the switch: tagged frames only.
add bridge=br1 frame-types=admit-only-vlan-tagged interface=ether11
add bridge=br1 frame-types=admit-only-vlan-tagged interface=ether12
# ether3, ether4 and ether2 carry no frame-types restriction, so they keep the
# default (tagged and untagged admitted). ether4 additionally appears in the
# tagged list for VLANs 50 and 100 below while its PVID is 50.
add bridge=br1 interface=ether3 pvid=49
add bridge=br1 interface=ether4 multicast-router=disabled pvid=50
add bridge=br1 interface=ether2 pvid=50
/interface bridge vlan
# VLAN table. 49/50/100 also go out sfp-sfpplus2; 150 (old guest) is on the
# trunks and the SFP; 200 (new guest) is tagged only towards br1, ether11 and
# ether12 — confirm the SFP omission is intended. Tagging br1 in VLAN 200 is
# what lets a vlan200 interface on br1 work; the thread's diagnosis was that
# the missing piece was the firewall interface-list membership, not this table.
add bridge=br1 tagged=br1,ether11,ether12,sfp-sfpplus2 vlan-ids=49
add bridge=br1 tagged=br1,ether11,ether12,ether4,sfp-sfpplus2 vlan-ids=50
add bridge=br1 tagged=br1,ether11,ether12,ether4,sfp-sfpplus2 vlan-ids=100
add bridge=br1 tagged=br1,ether12,ether11,sfp-sfpplus2 vlan-ids=150
add bridge=br1 tagged=br1,ether11,ether12 vlan-ids=200

ip/firewall/filter export

# oct/24/2022 13:47:20 by RouterOS 7.4
# software id = 1FV8-28MX
#
# model = CCR2004-16G-2S+
# serial number
# Rules are evaluated top to bottom, first match wins. The interface lists
# WAN, VLAN and MGMT are defined outside this export (/interface list member).
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow admin_vlan Full Access" \
    in-interface-list=MGMT
# L2TP/IPsec remote access from WAN: udp 500 (IKE), 4500 (NAT-T), 1701 (L2TP)
# and ESP.
add action=accept chain=input comment="allow ipsec nat" dst-port=4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow vpn" dst-port=500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
# Winbox (tcp 8291) from MGMT and from PPP clients. The tcp 22022 rule is
# limited to src 1.1.1.1 on WAN; its "winbox allow from vpn" comment does not
# describe what it matches — worth relabelling so the exception is reviewable.
add action=accept chain=input comment="winbox allow from vpn" dst-port=8291 \
    in-interface-list=MGMT protocol=tcp
add action=accept chain=input comment="winbox allow from vpn" dst-port=22022 \
    in-interface-list=WAN protocol=tcp src-address=1.1.1.1
add action=accept chain=input comment="winbox allow from vpn" dst-port=8291 \
    in-interface=all-ppp protocol=tcp
# PPTP (tcp 1723 + GRE) from WAN. PPTP/MS-CHAPv2 is considered broken; the
# L2TP/IPsec rules above already cover remote access — consider retiring it.
add action=accept chain=input comment="pptp vpn port" dst-port=1723 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="pptp vpn port" in-interface-list=WAN \
    protocol=gre
add action=accept chain=input comment="allow ping from - wan" \
    in-interface-list=WAN protocol=icmp
add action=drop chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
# Guest-network input drops are disabled=yes and bound to the interface
# vlan150_guest; nothing equivalent exists for the new vlan200 in this export.
add action=drop chain=input comment=\
    "drop all to router from -  guest network" disabled=yes in-interface=\
    vlan150_guest
add action=drop chain=input comment="drop dns request from guest network" \
    disabled=yes dst-port=53 in-interface=vlan150_guest protocol=tcp
# DNS (udp/tcp 53) from WAN is dropped so the router cannot be used as an
# open resolver.
add action=drop chain=input comment="drop dns request from WAN interfaces" \
    dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="drop dns request from guest network" \
    disabled=yes dst-port=53 in-interface=vlan150_guest protocol=udp
add action=drop chain=input comment="drop dns request from WAN interfaces" \
    dst-port=53 in-interface-list=WAN protocol=tcp
# NOTE(review): the catch-all drop below is disabled=yes, so input traffic
# from WAN that matches none of the rules above falls through to the RouterOS
# default (accept): every service listening on the router is then reachable
# from WAN unless it has its own drop rule. There is also no
# connection-state=invalid drop and no established,related accept in input.
add action=drop chain=input comment="drop all to router from - wan" disabled=\
    yes
# --- forward chain: traffic routed through the router ---
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
# VLAN -> WAN for new connections only. A VLAN interface that is not a member
# of the VLAN interface list never matches here (nor the MGMT rules) and ends
# in the final "Drop"; per the thread, that is what left vlan200 with DHCP and
# ping (input chain) but no hits on its srcnat rule.
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow admin to access vlans" \
    in-interface-list=MGMT out-interface-list=VLAN
add action=accept chain=forward comment="allow admin to access internet" \
    in-interface-list=MGMT out-interface-list=WAN
# PPP (remote access) reach: ICMP to all VLANs, internet, and the networks and
# hosts enumerated below.
add action=accept chain=forward comment="allow vpn ping internal networks" \
    in-interface=all-ppp out-interface-list=VLAN protocol=icmp
add action=accept chain=forward comment="allow vpn internet accesss" \
    in-interface=all-ppp out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.100.0/24 in-interface=\
    all-ppp
add action=accept chain=forward dst-address=192.168.49.0/24 in-interface=\
    all-ppp
add action=accept chain=forward dst-address=192.168.50.0/24 in-interface=\
    all-ppp
# Named office hosts (192.168.50.77/.123/.82) to the NVRs (192.168.100.50/.51)
# on tcp 37777. These must stay above the office -> security drop further down.
add action=accept chain=forward dst-address=192.168.100.50 dst-port=37777 \
    protocol=tcp src-address=192.168.50.77
add action=accept chain=forward dst-address=192.168.100.50 dst-port=37777 \
    protocol=tcp src-address=192.168.50.123
add action=accept chain=forward dst-address=192.168.100.50 dst-port=37777 \
    protocol=tcp src-address=192.168.50.82
add action=accept chain=forward dst-address=192.168.100.51 dst-port=37777 \
    protocol=tcp src-address=192.168.50.123
add action=accept chain=forward dst-address=192.168.100.51 dst-port=37777 \
    protocol=tcp src-address=192.168.50.82
add action=accept chain=forward dst-address=192.168.100.220 in-interface=\
    all-ppp
add action=accept chain=forward dst-address=192.168.100.230 in-interface=\
    all-ppp
add action=accept chain=forward dst-address=192.168.49.2 in-interface=all-ppp
add action=accept chain=forward dst-address=192.168.49.3 dst-port=8443 \
    in-interface=all-ppp protocol=tcp
add action=accept chain=forward dst-address=192.168.49.2 dst-port=22 \
    in-interface=all-ppp protocol=tcp
# NOTE(review): WAN -> any VLAN host on tcp 37777 is accepted for every
# destination. Limiting it to the two NVR addresses (or matching
# connection-nat-state=dstnat) keeps the dst-nat rules the only way in.
# I also see no forward accept for the dst-nat'ed tcp 80/88/8080 forwards to
# 192.168.50.244 and 192.168.49.2; unless it lives outside this export, those
# end in the final "Drop".
add action=accept chain=forward dst-port=37777 in-interface-list=WAN \
    out-interface-list=VLAN protocol=tcp
# Old guest isolation rules (disabled). They match 192.168.150.0/24, while the
# /ip address export puts 192.168.160.1/24 on vlan150_guest — confirm which
# range is real before re-enabling.
add action=drop chain=forward disabled=yes dst-address=192.168.100.0/24 \
    src-address=192.168.150.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.50.0/24 \
    src-address=192.168.150.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.49.0/24 \
    src-address=192.168.150.0/24
# Office -> security subnet blocked, after the per-host NVR exceptions above.
add action=drop chain=forward dst-address=192.168.100.0/24 src-address=\
    192.168.50.0/24
# Default deny for forward: anything not explicitly accepted above is dropped,
# which is also what isolates a guest VLAN from the other VLANs.
add action=drop chain=forward comment=Drop

ip/firewall/nat export

# oct/24/2022 13:47:04 by RouterOS 7.4
# software id = 1FV8-28MX
#
# model = CCR2004-16G-2S+
# serial number =
# srcnat rules only see a packet after the forward chain has accepted it; a
# srcnat rule with zero hits therefore points at filter/forward, not at NAT
# (this is the thread's conclusion).
/ip firewall nat
# Per-subnet masquerade out of ether1. 192.168.51.0/24 has no matching address
# in the /ip address export and may be stale; 192.168.160.0/24 (vlan150_guest)
# and 192.168.1.0/24 (second address on vlan100-security) have no rule here.
add action=masquerade chain=srcnat comment=\
    "Default masquerade office network" out-interface=ether1 src-address=\
    192.168.50.0/24
add action=masquerade chain=srcnat comment=\
    "Default masquerade office network" out-interface=ether1 src-address=\
    192.168.51.0/24
add action=masquerade chain=srcnat comment="Default masquerade admin network" \
    out-interface=ether1 src-address=192.168.49.0/24
add action=masquerade chain=srcnat comment=\
    "Default masquerade security network" out-interface=ether1 src-address=\
    192.168.100.0/24
# New guest network (vlan200); the rule the thread reports as getting no hits.
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.200.0/24
# NOTE(review): both comments say "192.168.100.50" but the rules forward tcp 80
# to 192.168.50.244 and tcp 88 to 192.168.49.2:80 — copy-paste leftovers.
# 192.168.49.2 sits in the range the filter export treats as the management
# network (MGMT); exposing it on plain HTTP from the whole WAN deserves a
# source restriction or a review of what listens there.
add action=dst-nat chain=dstnat comment="port forwarding from WAN - 192.168.10\
    0.50 (copy this rule for new device and change ip:port)" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.50.244 to-ports=\
    80
add action=dst-nat chain=dstnat comment="port forwarding from WAN - 192.168.10\
    0.50 (copy this rule for new device and change ip:port)" dst-port=88 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.49.2 to-ports=80
# NVR (192.168.100.50) on tcp 37777 from WAN, plus hairpin variants for the
# office, security and admin subnets hitting the public address 78.130.219.76.
add action=dst-nat chain=dstnat comment="hairpin nat nvr" dst-port=37777 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.100.50 to-ports=\
    37777
add action=dst-nat chain=dstnat comment="hairpin nat nvr" dst-address=\
    78.130.219.76 dst-port=37777 in-interface-list=WAN protocol=tcp \
    src-address=192.168.50.0/24 to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat comment="hairpin nat nvr" dst-address=\
    78.130.219.76 dst-port=37777 protocol=tcp src-address=192.168.100.0/24 \
    to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat comment="hairpin nat nvr" dst-address=\
    78.130.219.76 dst-port=37777 protocol=tcp src-address=192.168.49.0/24 \
    to-addresses=192.168.100.50 to-ports=37777
# Hairpin srcnat: rewrite the source of LAN -> NVR traffic so replies return
# through the router instead of going directly to the client.
add action=masquerade chain=srcnat comment=\
    "port forwarding from local net (admin network)" dst-address=\
    192.168.100.50 src-address=192.168.49.0/24
add action=masquerade chain=srcnat comment=\
    "port forwarding from local net (office network)" dst-address=\
    192.168.100.50 src-address=192.168.50.0/24
add action=masquerade chain=srcnat comment=\
    "port forwarding from local net (security network)" dst-address=\
    192.168.100.50 src-address=192.168.100.0/24
# tcp 37777 sent to any address local to the router, except the respective VLAN
# gateway address, is redirected to the NVR.
add action=dst-nat chain=dstnat comment="port forwarding from local net (admin\
    \_network) 192.168.100.50 - copy this rule for new device and change ip:po\
    rt" dst-address=!192.168.49.1 dst-address-type=local dst-port=37777 \
    protocol=tcp to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat comment="port forwarding from local net (offic\
    e network) 192.168.100.50 - copy this rule for new device and change ip:po\
    rt" dst-address=!192.168.50.1 dst-address-type=local dst-port=37777 \
    protocol=tcp to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat comment="port forwarding from local net (secur\
    ity network) 192.168.100.50 - copy this rule for new device and change ip:\
    port" dst-address=!192.168.100.1 dst-address-type=local dst-port=37777 \
    protocol=tcp to-addresses=192.168.100.51 to-ports=37777
# These two match in-interface=ether1 while the rest of the NAT rules use
# in-interface-list=WAN; if the WAN list holds more than ether1 they behave
# differently — pick one convention. Uncommented, 8080 -> 192.168.49.2:80 is a
# second WAN entry to the same management-range host as tcp 88 above.
add action=dst-nat chain=dstnat dst-port=8080 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.49.2 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=8443 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.49.3 to-ports=8443
# Second NVR: WAN tcp 37779 -> 192.168.100.51:37777 (forward sees port 37777
# after translation, so the WAN->VLAN 37777 accept in the filter covers it).
add action=dst-nat chain=dstnat dst-port=37779 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.100.51 to-ports=37777

ip/address export

# oct/24/2022 13:46:37 by RouterOS 7.4
# software id = 1FV8-28MX
#
# model = CCR2004-16G-2S+
# serial number
# Gateway addresses per VLAN interface. Cross-check against the firewall
# exports: the filter and NAT rules reference subnets that do not all appear
# here.
/ip address
# vlan49-mngmt is also listed as a bridge port (pvid=49) in the bridge export.
add address=192.168.49.1/24 interface=vlan49-mngmt network=192.168.49.0
add address=192.168.50.1/24 interface=vlan50_office network=192.168.50.0
add address=192.168.100.1/24 interface=vlan100-security network=192.168.100.0
# Old guest network: 192.168.160.0/24 here, while the disabled guest drop
# rules in the filter export match 192.168.150.0/24 and no srcnat rule covers
# either range — one of the two is a typo.
add address=192.168.160.1/24 interface=vlan150_guest network=192.168.160.0
# Second address on vlan100-security; 192.168.1.0/24 is referenced by no
# filter or NAT rule in the exports above — confirm it is still needed.
add address=192.168.1.1/24 interface=vlan100-security network=192.168.1.0
# New guest network (vlan200); its srcnat rule exists, the forward accept
# depends on vlan200 being a member of the VLAN interface list.
add address=192.168.200.1/24 interface=vlan200 network=192.168.200.0

 


8 отговори на този въпрос


Здравей, това е старата мрежа за гости... експортът е с новата мрежа vlan200, но всяка мрежа, която добавям, е все едно и също... няма интернет, пинг има, но няма пакети, стигащи до nat правилото за мрежата. Явно версия 7 не е толкова за production, както го водят

 

Редактирано от gkk

преди 59 минути, gkk написа:

Здравей, това е старата мрежа за гости... експорта е с нова мрежа vlan200, но всяка мрежа която добавя е все едно и също... няма интернет, пинг има ама няма пакети стигащи до nat правилото за мрежата. Явно версия 7 не е толкова за production както го водят

 

Да нямаш пакети на сорс нат правилото означава, че някое правило във forward къса връзката, преди пакетът да стигне до пострутинг веригата! Може да пробваш да добавиш в началото глобално правило за разрешаване на forward за мрежа 200.


7-цата ли е виновна, че си задал адреси на подчинени на бриджа интерфейси?


Форумът е за взаимопомощ а не за свършване на чужда работа


ɹɐǝɥ uɐɔ noʎ ǝɹoɯ ǝɥʇ 'ǝɯoɔǝq noʎ ɹǝʇǝınb ǝɥʇ


Възможно да е пропуснато да се добави вилан интерфейса в листата за вилани и по този начин да не сработва в стената.



Здравей,

Точно това беше проблема, вече ще гледам повече какво се е объркало

Благодаря  и лек ден :)

преди 32 минути, gkk написа:

Здравей,

Точно това беше проблема, вече ще гледам повече какво се е объркало

Благодаря  и лек ден :)

Извинявай, кое точно се оказа проблемът - пропуск да се добави виланът в листата ли?

