Завернуть трафик в IKEv2-IPSec туннель

Lezenford

Есть CHR, к которой по IKEv2/IPsec подключается множество устройств.
Есть два типа устройств — микротики (живут в одной подсети) и отдельные устройства (телефоны, ноутбуки и пр.).
Первые должны видеть друг друга для удалённой настройки (работает), вторые при подключении отдают весь трафик через CHR как через gateway (работает).

Проблема: не могу заставить один из микротиков заворачивать трафик в туннель — туда уходят только запросы к адресам VPN-подсети, а очень хочу, чтобы микротик мог отдавать в VPN и часть остального трафика (к определённым внешним адресам).
Вот настройки CHR:


[astral@MikroTik] > export
# jan/01/2023 16:12:45 by RouterOS 6.49.7
# NOTE(review): lines starting with "# NOTE(review)" are reviewer annotations
# only; no command in this export has been changed. Statements about RouterOS
# behaviour should be confirmed against the 6.49 documentation before acting.
/interface bridge
add name=IKEv2-bridge
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
# NOTE(review): the "-cfg" entries below (the ones the client Mikrotiks get)
# push only 10.100.0.0/24 via split-include, so a client's generated policy is
# limited to that prefix; the entries without split-include (single devices)
# give a full tunnel, which matches the "all traffic via CHR" behaviour
# described in the post. To send selected external prefixes from one Mikrotik
# through the tunnel, list them in that client's split-include
# (comma-separated) — and the client's policy template must cover them too.
/ip ipsec mode-config
add address=10.100.0.2 name=IKEv2-***-cfg split-include=10.100.0.0/24 \
    system-dns=no
add address=10.100.0.6 name=IKEv2-***-cfg split-include=\
    10.100.0.0/24 system-dns=no
add address=10.100.0.7 name=IKEv2-***-cfg split-include=\
    10.100.0.0/24 system-dns=no
add address=10.100.10.2 name="IKEv2-***" static-dns=10.100.10.1 \
    system-dns=no
add address=10.100.10.3 name="IKEv2-***" static-dns=\
    10.100.10.1 system-dns=no
add address=10.100.10.4 name=IKEv2-*** static-dns=10.100.10.1 system-dns=no
add address=10.100.10.5 name="IKEv2-***" static-dns=\
    10.100.10.1 system-dns=no
add address=10.100.10.6 name="IKEv2-***" static-dns=\
    10.100.10.1 system-dns=no
add address=10.100.10.7 name="IKEv2-***" static-dns=\
    10.100.10.1 system-dns=no
add address=10.100.0.5 name=IKEv2-***-cfg split-include=10.100.0.0/24 \
    system-dns=no
add address=10.100.0.3 name=IKEv2-***-cfg split-include=10.100.0.0/24 \
    system-dns=no
add address=10.100.0.8 name=IKEv2-***-cfg split-include=10.100.0.0/24 \
    system-dns=no
add address=10.100.0.10 name=IKEv2-***-cfg split-include=10.100.0.0/24 \
    system-dns=no
/ip ipsec policy group
add name=ikev2-policies
# NOTE(review): dh-group still offers modp1024 (and modp1536); a peer can
# negotiate down to the 1024-bit group. Prefer modp2048 alone once every
# client supports it. lifebytes=10 looks unintended — if I recall the docs
# correctly the profile lifebytes is only advertised to the peer, not
# enforced, but confirm it is not triggering constant IKE rekeys.
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 dpd-interval=30s enc-algorithm=\
    aes-256,aes-192,aes-128 hash-algorithm=sha256 lifebytes=10 lifetime=30m \
    name=IKEv2
/ip ipsec peer
add exchange-mode=ike2 name=IKEv2-peer passive=yes profile=IKEv2
# NOTE(review): both proposals run with pfs-group=none (no perfect forward
# secrecy for phase 2) and the IKEv2 one still accepts sha1. The client export
# further down mirrors this (pfs-group=none, sha512,sha256,sha1), so any
# tightening has to be rolled out on both ends together.
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-256-cbc,aes-128-cbc lifetime=8h \
    pfs-group=none
add auth-algorithms=sha512,sha256,sha1 name=IKEv2 pfs-group=none
/ip pool
add name=IKEv2-internal ranges=10.100.0.100-10.100.0.110
add name=IKEv2-external ranges=10.100.10.50-10.100.10.100
# NOTE(review): "name***" on the first entry is a redaction artefact of the
# paste (the "=" was lost); it is not valid export syntax as shown.
/ip ipsec mode-config
add address-pool=IKEv2-internal name*** split-include=10.100.0.0/24
add address-pool=IKEv2-external name=*** static-dns=10.100.10.1 \
    system-dns=no
add address-pool=IKEv2-external name=*** static-dns=10.100.10.1 \
    system-dns=no
add address-pool=IKEv2-external name=***
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip address
add address=10.100.0.1/24 comment=IKEv2-internal interface=IKEv2-bridge \
    network=10.100.0.0
add address=10.100.10.1/24 comment=IKEv2-external interface=IKEv2-bridge \
    network=10.100.10.0
/ip dhcp-client
add default-route-distance=2 disabled=no interface=ether1
# NOTE(review): allow-remote-requests=yes turns the CHR into a resolver for
# anything that reaches the input chain; the internet side is covered by the
# "drop all wan connections" rule below, tunnel clients use it via
# static-dns=10.100.10.1. Keep that drop rule in mind when editing input.
/ip dns
set allow-remote-requests=yes use-doh-server=https://1.1.1.1/dns-query \
    verify-doh-cert=yes
/ip firewall filter
# NOTE(review): this fasttrack rule has no ipsec-policy matcher. RouterOS
# guidance (docs and forum answers) is to keep IPsec traffic out of fasttrack,
# typically by splitting this into two rules with ipsec-policy=out,none and
# ipsec-policy=in,none, because fasttracked packets skip IPsec policy
# processing. Worth checking here since forwarded client traffic is expected
# to go back into the tunnel (Mikrotik-to-Mikrotik via the CHR) — confirm
# against the 6.49 docs.
add action=fasttrack-connection chain=forward connection-state=\
    established,related
add action=accept chain=input comment="access input established and related" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "access forward established and related" connection-state=\
    established,related
add action=drop chain=input comment="drop input invalid" connection-state=\
    invalid
add action=drop chain=forward comment="drop forward invalid" connection-state=\
    invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
# NOTE(review): management is reachable from the internet — this port (3051,
# labelled https) and winbox on 24867 further down are accepted on ether1 from
# any source, so only the service's own authentication stands in front of
# them. Add src-address= / src-address-list= to both, or drop these WAN rules
# and manage the CHR over the tunnel only (the ipsec-policy=in,ipsec rule for
# 10.100.0.0/24 below already accepts all input from the connected Mikrotiks).
add action=accept chain=input comment=";;;; accept https" dst-port=3051 \
    in-interface=ether1 log=yes protocol=tcp
add action=accept chain=input comment="IKE2 - Accept IPSec-esp" protocol=\
    ipsec-esp
add action=accept chain=input comment="IKE2 - Accept UDP 500,4500 IPSec" \
    dst-port=500,4500 in-interface=ether1 protocol=udp
add action=accept chain=input comment="accept - In Ipsec" ipsec-policy=in,ipsec \
    src-address=10.100.0.0/24
# NOTE(review): matched by source address only — no in-interface and no
# ipsec-policy=in,ipsec, unlike the 10.100.0.0/24 rule right above. A packet
# that merely claims a 10.100.10.x source matches as well; add
# ipsec-policy=in,ipsec so only decrypted tunnel traffic reaches the gateway.
add action=accept chain=input comment="accept - In Ipsec only gateway" \
    dst-address=10.100.10.1 src-address=10.100.10.0/24
add action=accept chain=forward comment="accept ipsec traffic" ipsec-policy=\
    in,ipsec src-address=10.100.0.0/24
# NOTE(review): the two "to internet" forward rules (this one and the
# 10.100.0.0/24 one below) are also source-address-only; adding
# ipsec-policy=in,ipsec keeps them consistent with the "accept ipsec traffic"
# rule above and excludes anything that did not come out of the tunnel.
add action=accept chain=forward comment="accept ipsec traffic to internet" \
    out-interface=ether1 src-address=10.100.10.0/24
# NOTE(review): 10.100.20.0/24 appears nowhere else in this export (no
# address, pool, policy or mode-config uses it), so this rule looks stale or
# like a typo for 10.100.10.0/24. As written it accepts any protocol from any
# interface for that source, ahead of "drop all wan connections".
add action=accept chain=input comment="accept - In Ipsec only gateway" \
    src-address=10.100.20.0/24
add action=accept chain=forward comment=\
    "accept ipsec traffic to russian internet" out-interface=ether1 \
    src-address=10.100.0.0/24
# NOTE(review): see the management note above — winbox open to the internet
# with no source restriction.
add action=accept chain=input comment="accept winbox" dst-port=24867 \
    in-interface=ether1 protocol=tcp
add action=drop chain=input comment="drop all wan connections" in-interface=\
    ether1
add action=drop chain=forward comment="drop all not dst-nat" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT for external IKEv2 clients" \
    out-interface=ether1 src-address=10.100.10.0/24
add action=masquerade chain=srcnat comment="NAT for internal IKEv2 clients" \
    out-interface=ether1 src-address=10.100.0.0/24
# NOTE(review): 172.50.0.0/24 is the LAN behind the client Mikrotik (second
# export). This masquerade has no out-interface, so it presumably rewrites
# that LAN's source on every forwarded path, not only toward ether1; consider
# out-interface=ether1 for consistency with the two rules above.
add action=masquerade chain=srcnat src-address=172.50.0.0/24
/ip ipsec identity
add auth-method=digital-signature certificate=point.lezenford.com \
    generate-policy=port-strict match-by=certificate mode-config=IKEv2-*** \
    peer=IKEv2-peer policy-template-group=ikev2-policies remote-certificate=\
    Desktop
add auth-method=digital-signature certificate=*** \
    generate-policy=port-strict match-by=certificate mode-config=\
    IKEv2-***-cfg peer=IKEv2-peer policy-template-group=\
    ikev2-policies remote-certificate=***
add auth-method=digital-signature certificate=*** \
    generate-policy=port-strict match-by=certificate mode-config=\
    IKEv2-***-cfg peer=IKEv2-peer policy-template-group=ikev2-policies \
    remote-certificate=***
add auth-method=digital-signature certificate=*** \
    generate-policy=port-strict match-by=certificate mode-config=\
    IKEv2-***-cfg peer=IKEv2-peer policy-template-group=ikev2-policies \
    remote-certificate=***
add auth-method=digital-signature certificate=*** \
    generate-policy=port-strict match-by=certificate mode-config=\
    IKEv2-***-cfg peer=IKEv2-peer policy-template-group=ikev2-policies \
    remote-certificate=***
add auth-method=digital-signature certificate=*** \
    generate-policy=port-strict match-by=certificate mode-config=\
    IKEv2-***-cfg peer=IKEv2-peer policy-template-group=ikev2-policies \
    remote-certificate=***
add auth-method=digital-signature certificate=*** \
    generate-policy=port-strict match-by=certificate mode-config=\
    IKEv2-***-cfg peer=IKEv2-peer policy-template-group=\
    ikev2-policies remote-certificate=***
add auth-method=digital-signature certificate=*** \
    generate-policy=port-strict match-by=certificate mode-config=\
    IKEv2-***-cfg peer=IKEv2-peer policy-template-group=\
    ikev2-policies remote-certificate=***
# NOTE(review): the PSK identities below are pinned to an fqdn: or key-id:
# remote-id except the last one, which has no remote-id / my-id at all. With
# remote-id left at its default that entry presumably matches any initiator
# presenting the secret and hands it the full-tunnel mode-config — confirm
# this is intended and consider giving it an explicit remote-id.
add generate-policy=port-strict mode-config="IKEv2-***" \
    my-id=fqdn:*** peer=IKEv2-peer policy-template-group=\
    ikev2-policies remote-id="fqdn:***" secret=\
    ***
add generate-policy=port-strict mode-config=IKEv2-*** my-id=\
    fqdn:*** peer=IKEv2-peer policy-template-group=\
    ikev2-policies remote-id=fqdn:*** secret="***"
add generate-policy=port-strict mode-config="IKEv2-***" my-id=\
    fqdn:*** peer=IKEv2-peer policy-template-group=\
    ikev2-policies remote-id="fqdn:***" secret=\
    "***"
add generate-policy=port-strict mode-config="IKEv2-***" my-id=\
    fqdn:*** peer=IKEv2-peer policy-template-group=\
    ikev2-policies remote-id="fqdn:***" secret=\
    ***
add generate-policy=port-strict mode-config="IKEv2-***" my-id=\
    fqdn:*** peer=IKEv2-peer policy-template-group=\
    ikev2-policies remote-id="fqdn:***" secret=\
   ***
add generate-policy=port-strict mode-config="IKEv2-***" peer=\
    IKEv2-peer policy-template-group=ikev2-policies remote-id=\
    "key-id:***" secret=***
add generate-policy=port-strict mode-config=IKEv2-*** peer=IKEv2-peer \
    policy-template-group=ikev2-policies secret=***
add auth-method=digital-signature certificate=*** disabled=yes \
    generate-policy=port-strict match-by=certificate mode-config=IKEv2-*** \
    peer=IKEv2-peer policy-template-group=ikev2-policies remote-certificate=\
    ***
add auth-method=digital-signature certificate=*** disabled=yes \
    generate-policy=port-strict mode-config=*** peer=IKEv2-peer \
    policy-template-group=ikev2-policies remote-certificate=***
# NOTE(review): responder-side templates. Their dst-address is the client
# address range, so they already admit any split-include prefix the CHR
# pushes (the pushed prefix lands on the src side, covered by 0.0.0.0/0);
# the limiting template for extra prefixes is the one on the client router.
/ip ipsec policy
add dst-address=10.100.0.0/24 group=ikev2-policies proposal=IKEv2 src-address=\
    0.0.0.0/0 template=yes
add dst-address=10.100.10.0/24 group=ikev2-policies proposal=IKEv2 src-address=\
    0.0.0.0/0 template=yes
Конфиг одного из микротиков-клиентов:


[admin@Mikrotik ] > export
# jan/01/2023 18:28:36 by RouterOS 6.49.7
# NOTE(review): lines starting with "# NOTE(review)" are reviewer annotations
# only; no command in this export has been changed. Statements about RouterOS
# behaviour should be confirmed against the 6.49 documentation before acting.
/interface bridge
add comment="guest network" name=bridge-guest
add admin-mac=18:FD:74:A4:F8:D7 auto-mac=no comment="local network" name=\
    bridge-lan
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=eth1-wan
set [ find default-name=ether2 ] name=eth2-lan
set [ find default-name=ether3 ] name=eth3-lan
set [ find default-name=ether4 ] name=eth4-lan
set [ find default-name=ether5 ] name=eth5-lan
/interface lte
set [ find ] allow-roaming=yes name=lte network-mode=3g,lte
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] default-route-distance=3
# NOTE(review): no src-address-list here. On an initiator (responder=no)
# RouterOS mode-config accepts src-address-list=<list>; with it, RouterOS
# generates the src-nat that lets LAN hosts (172.50.0.0/24 on bridge-lan)
# leave with the tunnel address and so match the generated /32 policy.
# Without it — and with the srcnat "accept" rule below exempting
# LAN -> 10.100.0.0/24 from NAT — LAN packets keep their 172.50.x source and
# presumably never match the policy. This is the most likely reason only the
# router's own traffic enters the tunnel; verify by checking the installed
# policy's src-address after reconnecting.
/ip ipsec mode-config
add name=*** responder=no
/ip ipsec policy group
add name=***
# NOTE(review): enc-algorithm still lists 3des. The CHR profile in the first
# export offers only aes-256/192/128, so 3des can never be negotiated here and
# only widens what a rogue responder could propose — drop it. modp1024 in
# dh-group: same remark as on the CHR.
/ip ipsec profile
add dh-group=modp2048,modp1536,modp1024 enc-algorithm=\
    aes-256,aes-192,aes-128,3des hash-algorithm=sha256 name=***
/ip ipsec peer
add address=*** exchange-mode=ike2 name=*** \
    profile=***
# NOTE(review): pfs-group=none and sha1 accepted, matching the CHR side; if
# PFS is enabled or sha1 removed there, change it here in the same step.
/ip ipsec proposal
add auth-algorithms=sha512,sha256,sha1 name=point.lezenford.com pfs-group=none
/ip pool
add name=dhcp-lan ranges=172.50.0.50-172.50.0.100
add name=dhcp-guest ranges=10.0.0.50-10.0.0.100
/ip dhcp-server
add add-arp=yes address-pool=dhcp-lan disabled=no interface=bridge-lan name=\
    dhcp-lan
add add-arp=yes address-pool=dhcp-guest disabled=no interface=bridge-guest \
    name=dhcp-guest
/interface bridge port
add bridge=bridge-lan interface=eth2-lan
add bridge=bridge-lan interface=eth3-lan
add bridge=bridge-lan interface=eth4-lan
add bridge=bridge-lan interface=eth5-lan
add bridge=bridge-lan interface=wlan1
add bridge=bridge-lan interface=wlan2
# NOTE(review): "wlan_geust" looks like a typo for wlan_guest; confirm the
# wireless interface really carries that name, otherwise this port entry does
# not bind and the guest bridge has no member.
add bridge=bridge-guest interface=wlan_geust
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=lte list=WAN
add interface=eth1-wan list=WAN
/ip address
add address=172.50.0.1/24 interface=bridge-lan network=172.50.0.0
add address=10.0.0.1/24 interface=bridge-guest network=10.0.0.0
/ip dhcp-server network
add address=10.0.0.0/24 dns-server=8.8.8.8 gateway=10.0.0.1 netmask=24
add address=172.50.0.0/24 dns-server=172.50.0.1 gateway=172.50.0.1 netmask=24
/ip firewall filter
# NOTE(review): unlike the stock defconf rule, this fasttrack has no
# connection-state=established,related and no ipsec-policy matcher. Two
# things to confirm: (1) that a brand-new connection from WAN is not marked
# for fasttrack before the "drop all from WAN" rules see its first packet;
# (2) that LAN -> tunnel traffic is not fasttracked past the IPsec policy —
# the usual fix is ipsec-policy=out,none / ipsec-policy=in,none on the
# fasttrack rules, as recommended for RouterOS IPsec setups.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack"
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid forward" connection-state=\
    invalid
add action=drop chain=input comment="drop invalid input" connection-state=\
    invalid
add action=accept chain=input comment="IKEV2 - Accept UDP 500,4500 IPSec" \
    dst-port=500,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="IKEV2 - Accept IPSec-esp" \
    in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="accept ICMP" protocol=icmp
# NOTE(review): both "accept vpn access" rules trust the source address alone
# and sit ahead of the WAN drops, so a TCP packet arriving on eth1-wan/lte
# with a spoofed 10.100.0.x source is accepted into input/forward. Add
# ipsec-policy=in,ipsec to both so only traffic actually decrypted by the
# tunnel matches (decrypted packets keep the WAN in-interface, so the
# in-interface-list match still holds).
add action=accept chain=input comment="accept vpn access" in-interface-list=WAN \
    protocol=tcp src-address=10.100.0.0/24
add action=accept chain=forward comment="accept vpn access" in-interface-list=\
    WAN protocol=tcp src-address=10.100.0.0/24
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    in-interface-list=WAN
add action=drop chain=input comment="defconf: drop all from WAN" \
    connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
# NOTE(review): this exemption keeps LAN -> 10.100.0.0/24 traffic un-NATed,
# i.e. with a 172.50.x source — see the mode-config note above on why that
# traffic then does not match the tunnel policy. If src-address-list is used
# on the mode-config instead, this rule should go.
add action=accept chain=srcnat dst-address=10.100.0.0/24 src-address=\
    172.50.0.0/24
add action=masquerade chain=srcnat comment="lan masquerade" out-interface-list=\
    WAN src-address=172.50.0.0/24
add action=masquerade chain=srcnat comment="guest masquerade" \
    out-interface-list=WAN src-address=10.0.0.0/24
/ip ipsec identity
add auth-method=digital-signature certificate=*** \
    generate-policy=port-strict match-by=certificate mode-config=\
    *** peer=*** policy-template-group=\
    *** remote-certificate=***
# NOTE(review): dst-address=10.100.0.0/24 means a policy is only generated
# for that prefix, whatever the CHR pushes in split-include. If the CHR is to
# push additional external prefixes for this router, widen this template's
# dst-address (e.g. 0.0.0.0/0) or add one template per prefix; otherwise no
# policy is installed for them. Check /ip ipsec policy after reconnecting.
/ip ipsec policy
add dst-address=10.100.0.0/24 group=*** proposal=\
    *** src-address=0.0.0.0/0 template=yes
# NOTE(review): guest network (10.0.0.0/24) is isolated from the LAN and from
# the tunnel subnet in both directions; keep these if the template above is
# widened, otherwise guest traffic could start matching tunnel policies.
/ip route rule
add action=unreachable dst-address=10.0.0.0/24 src-address=172.50.0.0/24
add action=unreachable dst-address=172.50.0.0/24 src-address=10.0.0.0/24
add action=unreachable dst-address=10.100.0.0/24 src-address=10.0.0.0/24
add action=unreachable dst-address=10.0.0.0/24 src-address=10.100.0.0/24
[admin@Mikrotik] > 
Никак не могу заставить часть трафика микротика (к определённым внешним адресам) ходить через VPN. Не могу понять, чего не хватает в конфигурациях. Пробовал разные варианты туннеля в Policy, но это не помогает. Что я упускаю? Ведь единичные клиенты корректно гоняют трафик через CHR наружу, а микротики — не могут! (Разница в конфигах: единичные клиенты получают mode-config без split-include, а микротики — записи «-cfg» со split-include=10.100.0.0/24.)

