Имам проблем с рутер rb2004, имам 4 мрежи... 3 от тях имат интернет, мрежата за гости няма. Топология rb2004->cisco managed switch->unifi ap-> 3 мрежи, 2 имат интернет 3-тата няма... получавам ip адрес от рутера по dhcp, имам ping, но нямам постъпили пакети в правилото за nat. Моля за помощ.
gkk
Здравейте,
Имам проблем с рутер rb2004, имам 4 мрежи... 3 от тях имат интернет, мрежата за гости няма. Топология rb2004->cisco managed switch->unifi ap-> 3 мрежи, 2 имат интернет 3-тата няма... получавам ip адрес от рутера по dhcp, имам ping, но нямам постъпили пакети в правилото за nat. Моля за помощ.
interface/bridge export
# Bridge/VLAN export as pasted into the forum: the export's header comments and the
# commands were collapsed onto a single line, so this text cannot be re-imported as-is
# (everything after the first '#' would be treated as a comment); it is kept for reading.
# What the export shows: one bridge (br1) with vlan-filtering enabled.
#   - Untagged access ports: ether3 -> pvid 49 (management), ether2/ether4/ether5-ether10 -> pvid 50,
#     ether13-ether16 -> pvid 100. ether4 is additionally a tagged member for VLANs 50 and 100.
#   - Trunks: ether11 and ether12 accept only tagged frames and carry VLANs 49, 50, 100, 150, 200;
#     sfp-sfpplus2 carries 49, 50, 100, 150 (not 200).
#   - VLAN 150 (the guest network) has no untagged access port here, so guest clients are expected
#     to arrive tagged over a trunk (the switch/AP uplink in the described topology).
# NOTE(review): arp=proxy-arp is set on the bridge itself; whether that is intended for all member
# VLANs cannot be judged from this export alone -- confirm against the intended design.
# oct/24/2022 13:45:43 by RouterOS 7.4 # software id = 1FV8-28MX # # model = CCR2004-16G-2S+ # serial number /interface bridge add arp=proxy-arp name=br1 protocol-mode=none vlan-filtering=yes /interface bridge port add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\ ether5 pvid=50 add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\ ether6 pvid=50 add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\ ether7 pvid=50 add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\ ether8 pvid=50 add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\ ether9 pvid=50 add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\ ether10 pvid=50 add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\ ether13 pvid=100 add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\ ether14 pvid=100 add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\ ether15 pvid=100 add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\ ether16 pvid=100 add bridge=br1 interface=vlan49-mngmt pvid=49 add bridge=br1 frame-types=admit-only-vlan-tagged interface=ether11 add bridge=br1 frame-types=admit-only-vlan-tagged interface=ether12 add bridge=br1 interface=ether3 pvid=49 add bridge=br1 interface=ether4 multicast-router=disabled pvid=50 add bridge=br1 interface=ether2 pvid=50 /interface bridge vlan add bridge=br1 tagged=br1,ether11,ether12,sfp-sfpplus2 vlan-ids=49 add bridge=br1 tagged=br1,ether11,ether12,ether4,sfp-sfpplus2 vlan-ids=50 add bridge=br1 tagged=br1,ether11,ether12,ether4,sfp-sfpplus2 vlan-ids=100 add bridge=br1 tagged=br1,ether12,ether11,sfp-sfpplus2 vlan-ids=150 add bridge=br1 tagged=br1,ether11,ether12 vlan-ids=200
ip/firewall/filter export
# Firewall filter export as pasted into the forum (collapsed onto a few long lines; the header
# comments share a line with the commands, so this is for reading, not re-import).
# Points a reviewer would raise on the rules as shown:
#   - input chain: the catch-all "drop all to router from - wan" is disabled=yes. With it off, the
#     only WAN->router traffic explicitly dropped is tcp/8291 and DNS (tcp+udp/53); anything else
#     to the router from WAN falls through to the chain's default (accept). Enable it once the
#     preceding allow rules are confirmed to cover every needed management/VPN path.
#   - guest network: the guest rules match in-interface=vlan150_guest / src-address=192.168.150.0/24,
#     but the ip/address export on this page assigns 192.168.160.1/24 to vlan150_guest. The
#     subnet-based guest isolation drops (currently disabled=yes) would therefore not match real
#     guest traffic if they were enabled -- align them with the actual guest subnet.
#   - forward chain: "VLAN Internet Access only" requires in-interface-list=VLAN. The interface
#     list membership is not part of this page; if vlan150_guest is not in list VLAN, guest->WAN
#     traffic reaches the final "Drop" rule -- confirm with /interface list member print.
#   - "winbox allow from vpn" on tcp/22022 from src-address=1.1.1.1 via WAN: the comment does not
#     match what the rule does; verify this source address is intentional.
#   - forward chain ends with an explicit drop (good); 192.168.50.0/24 -> 192.168.100.0/24 is
#     dropped except for the listed host/port exceptions above it.
# oct/24/2022 13:47:20 by RouterOS 7.4 # software id = 1FV8-28MX # # model = CCR2004-16G-2S+ # serial number /ip firewall filter add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN add action=accept chain=input comment="Allow admin_vlan Full Access" \ in-interface-list=MGMT add action=accept chain=input comment="allow ipsec nat" dst-port=4500 \ in-interface-list=WAN protocol=udp add action=accept chain=input comment="allow vpn" dst-port=500 \ in-interface-list=WAN protocol=udp add action=accept chain=input comment="allow l2tp" dst-port=1701 \ in-interface-list=WAN protocol=udp add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp add action=accept chain=input comment="winbox allow from vpn" dst-port=8291 \ in-interface-list=MGMT protocol=tcp add action=accept chain=input comment="winbox allow from vpn" dst-port=22022 \ in-interface-list=WAN protocol=tcp src-address=1.1.1.1 add action=accept chain=input comment="winbox allow from vpn" dst-port=8291 \ in-interface=all-ppp protocol=tcp add action=accept chain=input comment="pptp vpn port" dst-port=1723 \ in-interface-list=WAN protocol=tcp add action=accept chain=input comment="pptp vpn port" in-interface-list=WAN \ protocol=gre add action=accept chain=input comment="allow ping from - wan" \ in-interface-list=WAN protocol=icmp add action=drop chain=input dst-port=8291 in-interface-list=WAN protocol=tcp add action=drop chain=input comment=\ "drop all to router from - guest network" disabled=yes in-interface=\ vlan150_guest add action=drop chain=input comment="drop dns request from guest network" \ disabled=yes dst-port=53 in-interface=vlan150_guest protocol=tcp add action=drop chain=input comment="drop dns request from WAN interfaces" \ dst-port=53 in-interface-list=WAN protocol=udp add action=drop chain=input comment="drop dns request from guest network" \ disabled=yes dst-port=53 in-interface=vlan150_guest protocol=udp add action=drop chain=input comment="drop dns request from 
WAN interfaces" \ dst-port=53 in-interface-list=WAN protocol=tcp add action=drop chain=input comment="drop all to router from - wan" disabled=\ yes add action=accept chain=forward comment="Allow Estab & Related" \ connection-state=established,related add action=accept chain=forward comment="VLAN Internet Access only" \ connection-state=new in-interface-list=VLAN out-interface-list=WAN add action=accept chain=forward comment="allow admin to access vlans" \ in-interface-list=MGMT out-interface-list=VLAN add action=accept chain=forward comment="allow admin to access internet" \ in-interface-list=MGMT out-interface-list=WAN add action=accept chain=forward comment="allow vpn ping internal networks" \ in-interface=all-ppp out-interface-list=VLAN protocol=icmp add action=accept chain=forward comment="allow vpn internet accesss" \ in-interface=all-ppp out-interface-list=WAN add action=accept chain=forward dst-address=192.168.100.0/24 in-interface=\ all-ppp add action=accept chain=forward dst-address=192.168.49.0/24 in-interface=\ all-ppp add action=accept chain=forward dst-address=192.168.50.0/24 in-interface=\ all-ppp add action=accept chain=forward dst-address=192.168.100.50 dst-port=37777 \ protocol=tcp src-address=192.168.50.77 add action=accept chain=forward dst-address=192.168.100.50 dst-port=37777 \ protocol=tcp src-address=192.168.50.123 add action=accept chain=forward dst-address=192.168.100.50 dst-port=37777 \ protocol=tcp src-address=192.168.50.82 add action=accept chain=forward dst-address=192.168.100.51 dst-port=37777 \ protocol=tcp src-address=192.168.50.123 add action=accept chain=forward dst-address=192.168.100.51 dst-port=37777 \ protocol=tcp src-address=192.168.50.82 add action=accept chain=forward dst-address=192.168.100.220 in-interface=\ all-ppp add action=accept chain=forward dst-address=192.168.100.230 in-interface=\ all-ppp add action=accept chain=forward dst-address=192.168.49.2 in-interface=all-ppp add action=accept chain=forward 
dst-address=192.168.49.3 dst-port=8443 \ in-interface=all-ppp protocol=tcp add action=accept chain=forward dst-address=192.168.49.2 dst-port=22 \ in-interface=all-ppp protocol=tcp add action=accept chain=forward dst-port=37777 in-interface-list=WAN \ out-interface-list=VLAN protocol=tcp add action=drop chain=forward disabled=yes dst-address=192.168.100.0/24 \ src-address=192.168.150.0/24 add action=drop chain=forward disabled=yes dst-address=192.168.50.0/24 \ src-address=192.168.150.0/24 add action=drop chain=forward disabled=yes dst-address=192.168.49.0/24 \ src-address=192.168.150.0/24 add action=drop chain=forward dst-address=192.168.100.0/24 src-address=\ 192.168.50.0/24 add action=drop chain=forward comment=Drop
ip/firewall/nat export
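# /ip firewall nat export, restored to one command per line (the forum paste had collapsed the
# RouterOS line continuations), with the missing guest-network srcnat rule added.
# Why: the ip/address export on this page gives vlan150_guest the address 192.168.160.1/24, but
# none of the srcnat masquerade rules below covered 192.168.160.0/24. Guest clients therefore got
# DHCP and could ping the router, yet their traffic left ether1 untranslated and no NAT rule
# counted packets -- exactly the reported symptom.
# Design note: every srcnat rule here is scoped by src-address instead of a single catch-all
# masquerade. That is a reasonable least-privilege choice (unknown subnets never get NATed), but
# it means each new subnet must be added explicitly, which is what was missed for the guest VLAN.
# NOTE(review): for guest internet to work the forward chain's "VLAN Internet Access only" rule
# also has to match, i.e. vlan150_guest must be a member of interface list VLAN; that list is not
# on this page -- confirm it.
# oct/24/2022 13:47:04 by RouterOS 7.4
# software id = 1FV8-28MX
#
# model = CCR2004-16G-2S+
# serial number =
/ip firewall nat
add action=masquerade chain=srcnat comment="Default masquerade office network" out-interface=ether1 src-address=192.168.50.0/24
add action=masquerade chain=srcnat comment="Default masquerade office network" out-interface=ether1 src-address=192.168.51.0/24
add action=masquerade chain=srcnat comment="Default masquerade admin network" out-interface=ether1 src-address=192.168.49.0/24
add action=masquerade chain=srcnat comment="Default masquerade security network" out-interface=ether1 src-address=192.168.100.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=192.168.200.0/24
# Added: guest network (vlan150_guest, 192.168.160.0/24 per the ip/address export). If the guest
# subnet is later changed to 192.168.150.0/24 to match the filter rules, update this rule too.
add action=masquerade chain=srcnat comment="Default masquerade guest network" out-interface=ether1 src-address=192.168.160.0/24
# WAN-facing dst-nat. Note that tcp/88 and tcp/8080 from the internet are forwarded to 192.168.49.2,
# a host on the management VLAN; the exposed service on that host should be hardened/monitored
# accordingly. The comments on the first two rules still mention 192.168.100.50 although they
# forward to other hosts (stale comments, left unchanged).
add action=dst-nat chain=dstnat comment="port forwarding from WAN - 192.168.100.50 (copy this rule for new device and change ip:port)" dst-port=80 in-interface-list=WAN protocol=tcp to-addresses=192.168.50.244 to-ports=80
add action=dst-nat chain=dstnat comment="port forwarding from WAN - 192.168.100.50 (copy this rule for new device and change ip:port)" dst-port=88 in-interface-list=WAN protocol=tcp to-addresses=192.168.49.2 to-ports=80
add action=dst-nat chain=dstnat comment="hairpin nat nvr" dst-port=37777 in-interface-list=WAN protocol=tcp to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat comment="hairpin nat nvr" dst-address=78.130.219.76 dst-port=37777 in-interface-list=WAN protocol=tcp src-address=192.168.50.0/24 to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat comment="hairpin nat nvr" dst-address=78.130.219.76 dst-port=37777 protocol=tcp src-address=192.168.100.0/24 to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat comment="hairpin nat nvr" dst-address=78.130.219.76 dst-port=37777 protocol=tcp src-address=192.168.49.0/24 to-addresses=192.168.100.50 to-ports=37777
# Hairpin srcnat: internal clients reaching the NVR via the public address get their source
# rewritten so the NVR's replies return through the router.
add action=masquerade chain=srcnat comment="port forwarding from local net (admin network)" dst-address=192.168.100.50 src-address=192.168.49.0/24
add action=masquerade chain=srcnat comment="port forwarding from local net (office network)" dst-address=192.168.100.50 src-address=192.168.50.0/24
add action=masquerade chain=srcnat comment="port forwarding from local net (security network)" dst-address=192.168.100.50 src-address=192.168.100.0/24
# Redirect tcp/37777 sent to any router-local address (other than each VLAN's own gateway) to the NVR.
add action=dst-nat chain=dstnat comment="port forwarding from local net (admin network) 192.168.100.50 - copy this rule for new device and change ip:port" dst-address=!192.168.49.1 dst-address-type=local dst-port=37777 protocol=tcp to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat comment="port forwarding from local net (office network) 192.168.100.50 - copy this rule for new device and change ip:port" dst-address=!192.168.50.1 dst-address-type=local dst-port=37777 protocol=tcp to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat comment="port forwarding from local net (security network) 192.168.100.50 - copy this rule for new device and change ip:port" dst-address=!192.168.100.1 dst-address-type=local dst-port=37777 protocol=tcp to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat dst-port=8080 in-interface=ether1 protocol=tcp to-addresses=192.168.49.2 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=8443 in-interface=ether1 protocol=tcp to-addresses=192.168.49.3 to-ports=8443
add action=dst-nat chain=dstnat dst-port=37779 in-interface-list=WAN protocol=tcp to-addresses=192.168.100.51 to-ports=37777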
ip/address export
# /ip address export as pasted (header comments and commands collapsed onto one line).
# Subnets per VLAN interface as shown: 192.168.49.0/24 (vlan49-mngmt), 192.168.50.0/24
# (vlan50_office), 192.168.100.0/24 and 192.168.1.0/24 (both on vlan100-security),
# 192.168.160.0/24 (vlan150_guest), 192.168.200.0/24 (vlan200).
# Cross-checks against the other exports on this page:
#   - The guest interface vlan150_guest carries 192.168.160.0/24, while the firewall filter's
#     guest rules use 192.168.150.0/24 and the NAT export has no srcnat rule for either subnet.
#     That mismatch is the most likely cause of "DHCP and ping work but no NAT hits" for guests.
#   - 192.168.1.0/24 on vlan100-security also has no masquerade rule in the NAT export; if hosts
#     use that subnet they will have the same problem.
#   - The srcnat rule for 192.168.51.0/24 has no matching address here (possibly configured
#     elsewhere -- cannot tell from this page).
# The vlan interfaces themselves (/interface vlan) are not part of this page.
# oct/24/2022 13:46:37 by RouterOS 7.4 # software id = 1FV8-28MX # # model = CCR2004-16G-2S+ # serial number /ip address add address=192.168.49.1/24 interface=vlan49-mngmt network=192.168.49.0 add address=192.168.50.1/24 interface=vlan50_office network=192.168.50.0 add address=192.168.100.1/24 interface=vlan100-security network=192.168.100.0 add address=192.168.160.1/24 interface=vlan150_guest network=192.168.160.0 add address=192.168.1.1/24 interface=vlan100-security network=192.168.1.0 add address=192.168.200.1/24 interface=vlan200 network=192.168.200.0