Помогите с конфигурацией
Есть Шлюз 1 с белым айпи и веб адресом и внутренним адресом 192.168.0.1.
Задача пробросить порт. На сервер внутри этой сети получается простым dst-nat.
Но дело усложняется тем, что надо пробросить порт в сеть 192.168.1.1
Сеть 192.168.1.1 находится на шлюзе 2. Между шлюзом 1 и 2 поднят l2tp ipsec. Сети настроены и узлы свободно между собой общаются.
Из сети 192.168.0.1 с любого узла спокойно заходит на нужный нам сервер:порт в сети 192.168.1.1
Поставил маркировку в логах (DACHA) на шлюзе1
firewall,info DACHА dstnat: in:Internet out:(unknown 0), src-mac xx:xx:82:
9a:7b:73, proto TCP (SYN), xx.87.157.15:45854->xx.36.60.113:8125, len 60
на шлюзе 2 поставил только файрвол правило разрешить порт 8125
пакеты вроде доходят
firewall,info DACHA PORT ACCEPT forward: in:Home Connect out:bridge, proto
TCP (SYN), xx.87.157.151:29208->192.168.1.8:8125, len 60
Проброс порта
-
xvo
- Сообщения: 4204
- Зарегистрирован: 25 фев 2018, 22:41
- Откуда: Москва
Надо на втором микротике помечать соединения пришедшие извне и идущие до сервера через туннель, и обратные пакеты для этих соединений отправлять не по его дефолтному маршруту, а обратно в туннель.
Telegram: @thexvo
-
moskovskiy82
- Сообщения: 31
- Зарегистрирован: 12 июн 2020, 22:12
Спасибо если более расширенно подскажете. Гуманитарий я
/ip firewall filter
add action=accept chain=input comment="Local CAPSMAN" src-address-type=local
add action=accept chain=input comment=PINGS protocol=icmp
add action=accept chain=forward comment=Kvartira dst-address=192.168.1.0/24 in-interface="Home Connect" src-address=192.168.0.0/24
add action=accept chain=input dst-port=8291 in-interface="Home Connect" protocol=tcp #это не помню зачем
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=log chain=forward disabled=yes log=yes log-prefix=CAMERA out-interface-list=!LAN src-address-list=Cameras
add action=accept chain=forward dst-address=192.168.1.8 dst-port=8125 log=yes log-prefix="DACHA PORT ACCEPT" protocol=tcp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=DROP
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN log=yes log-prefix=DROP2
add action=drop chain=input in-interface-list=!LAN log=yes log-prefix=DROOP3
/ip firewall nat
#вот как раз правило сервера
add action=masquerade chain=srcnat dst-address-type=local dst-port=8125 log=yes log-prefix="DACH SRC NAT" protocol=tcp src-address=\
192.168.1.8 to-ports=8125
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat out-interface-list=WAN src-address-list=Guests
add chain=srcnat out-interface="Home Connect"
/ip firewall filter
add action=accept chain=input comment="Local CAPSMAN" src-address-type=local
add action=accept chain=input comment=PINGS protocol=icmp
add action=accept chain=forward comment=Kvartira dst-address=192.168.1.0/24 in-interface="Home Connect" src-address=192.168.0.0/24
add action=accept chain=input dst-port=8291 in-interface="Home Connect" protocol=tcp #это не помню зачем
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=log chain=forward disabled=yes log=yes log-prefix=CAMERA out-interface-list=!LAN src-address-list=Cameras
add action=accept chain=forward dst-address=192.168.1.8 dst-port=8125 log=yes log-prefix="DACHA PORT ACCEPT" protocol=tcp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=DROP
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN log=yes log-prefix=DROP2
add action=drop chain=input in-interface-list=!LAN log=yes log-prefix=DROOP3
/ip firewall nat
#вот как раз правило сервера
add action=masquerade chain=srcnat dst-address-type=local dst-port=8125 log=yes log-prefix="DACH SRC NAT" protocol=tcp src-address=\
192.168.1.8 to-ports=8125
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat out-interface-list=WAN src-address-list=Guests
add chain=srcnat out-interface="Home Connect"
-
xvo
- Сообщения: 4204
- Зарегистрирован: 25 фев 2018, 22:41
- Откуда: Москва
Следующее надо проделать на r2:
Плюс к этому:
0) проверить, что локальный бридж действительно добавлен в interface-list=LAN
1) создать interface-list internal и добавить в него обе внутренние подсети и подсеть используемую для туннеля.
2) в fasttrack правиле firewall'а добавить условие connection-mark=!con-r1
P.s.: на r1 у вас fasttrack не работает - он идет после дефолтного правила accept established,related,untracked.
Код: Выделить всё
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=con-r1 in-interface-list=LAN new-routing-mark=via-r1 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=***название_тунельного_интерфейса*** new-connection-mark=con-r1 passthrough=no src-address-list=!internal
/ip route add distance=1 gateway=***адрес_на_туннеле_на_r1*** routing-mark=via-r10) проверить, что локальный бридж действительно добавлен в interface-list=LAN
1) создать interface-list internal и добавить в него обе внутренние подсети и подсеть используемую для туннеля.
2) в fasttrack правиле firewall'а добавить условие connection-mark=!con-r1
P.s.: на r1 у вас fasttrack не работает - он идет после дефолтного правила accept established,related,untracked.
Telegram: @thexvo
-
moskovskiy82
- Сообщения: 31
- Зарегистрирован: 12 июн 2020, 22:12
Итак сделал на r2 (конфиг выше с него). Но не помогло.
Почему то срабатывает правило. Получается все равно не в туннель заворачивает а мимо
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=DROP
В логе
firewall,info DACHA PORT ACCEPT forward: in:Home Connect out:bridge, proto
TCP (SYN), 213.87.хх.хх:61459->192.168.1.8:8125, len 60
и следом
firewall,info DROP forward: in:bridge out:Internet, src-mac xx:xx:eb:55:59:
45, proto TCP (SYN,ACK), 192.168.1.8:8125->213.87.xx.xx:21691, len 6
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Internet list=WAN
add interface="Home Connect" list=LAN
/ip firewall address-list
add address=192.168.1.0/24 list=internal
add address=192.168.0.0/24 list=internal
add address=10.10.15.1 list=internal
add address=10.10.15.2 list=internal
/ip route
add distance=1 gateway=10.10.15.1 routing-mark=con-r1 (via-r1 наверное опечатка?)
add distance=1 dst-address=192.168.0.0/24 gateway=10.10.15.1 pref-src=10.10.15.2 \
scope=10
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=!con-r1 connection-state=established,related
add action=accept chain=input comment="Local CAPSMAN" src-address-type=local
add action=accept chain=input comment=PINGS protocol=icmp
add action=accept chain=forward comment=Kvartira dst-address=192.168.1.0/24 in-interface="Home Connect" src-address=192.168.0.0/24
add action=accept chain=forward disabled=yes dst-address=10.10.15.2 in-interface="Home Connect" src-address=192.168.0.0/24
add action=accept chain=input dst-port=8291 in-interface="Home Connect" protocol=tcp
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=log chain=forward disabled=yes log=yes log-prefix=CAMERA out-interface-list=!LAN src-address-list=Cameras
add action=accept chain=forward dst-address=192.168.1.8 dst-port=8125 log=yes log-prefix="DACHA PORT ACCEPT" protocol=tcp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=DROP
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=DROP2
add action=drop chain=input in-interface-list=!LAN log=yes log-prefix=DROOP3
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=con-r1 in-interface-list=LAN new-routing-mark=via-r1 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface="Home Connect" new-connection-mark=con-r1 passthrough=no src-address-list=!internal
/ip firewall nat
add action=masquerade chain=srcnat dst-address-type=local dst-port=8125 log=yes log-prefix="DACH SRC NAT" protocol=tcp src-address=192.168.1.8 to-ports=8125
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat out-interface-list=WAN src-address-list=Guests
add chain=srcnat out-interface="Home Connect"
Почему то срабатывает правило. Получается все равно не в туннель заворачивает а мимо
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=DROP
В логе
firewall,info DACHA PORT ACCEPT forward: in:Home Connect out:bridge, proto
TCP (SYN), 213.87.хх.хх:61459->192.168.1.8:8125, len 60
и следом
firewall,info DROP forward: in:bridge out:Internet, src-mac xx:xx:eb:55:59:
45, proto TCP (SYN,ACK), 192.168.1.8:8125->213.87.xx.xx:21691, len 6
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=Internet list=WAN
add interface="Home Connect" list=LAN
/ip firewall address-list
add address=192.168.1.0/24 list=internal
add address=192.168.0.0/24 list=internal
add address=10.10.15.1 list=internal
add address=10.10.15.2 list=internal
/ip route
add distance=1 gateway=10.10.15.1 routing-mark=con-r1 (via-r1 наверное опечатка?)
add distance=1 dst-address=192.168.0.0/24 gateway=10.10.15.1 pref-src=10.10.15.2 \
scope=10
/ip firewall filter
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=!con-r1 connection-state=established,related
add action=accept chain=input comment="Local CAPSMAN" src-address-type=local
add action=accept chain=input comment=PINGS protocol=icmp
add action=accept chain=forward comment=Kvartira dst-address=192.168.1.0/24 in-interface="Home Connect" src-address=192.168.0.0/24
add action=accept chain=forward disabled=yes dst-address=10.10.15.2 in-interface="Home Connect" src-address=192.168.0.0/24
add action=accept chain=input dst-port=8291 in-interface="Home Connect" protocol=tcp
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=log chain=forward disabled=yes log=yes log-prefix=CAMERA out-interface-list=!LAN src-address-list=Cameras
add action=accept chain=forward dst-address=192.168.1.8 dst-port=8125 log=yes log-prefix="DACHA PORT ACCEPT" protocol=tcp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix=DROP
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=DROP2
add action=drop chain=input in-interface-list=!LAN log=yes log-prefix=DROOP3
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=con-r1 in-interface-list=LAN new-routing-mark=via-r1 passthrough=no
add action=mark-connection chain=prerouting connection-mark=no-mark in-interface="Home Connect" new-connection-mark=con-r1 passthrough=no src-address-list=!internal
/ip firewall nat
add action=masquerade chain=srcnat dst-address-type=local dst-port=8125 log=yes log-prefix="DACH SRC NAT" protocol=tcp src-address=192.168.1.8 to-ports=8125
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=srcnat out-interface-list=WAN src-address-list=Guests
add chain=srcnat out-interface="Home Connect"
-
xvo
- Сообщения: 4204
- Зарегистрирован: 25 фев 2018, 22:41
- Откуда: Москва
Нет, не опечатка.moskovskiy82 писал(а): ↑25 авг 2020, 07:12
add distance=1 gateway=10.10.15.1 routing-mark=con-r1 (via-r1 наверное опечатка?)
Telegram: @thexvo
-
moskovskiy82
- Сообщения: 31
- Зарегистрирован: 12 июн 2020, 22:12
xvo писал(а): ↑25 авг 2020, 07:53Нет, не опечатка.moskovskiy82 писал(а): ↑25 авг 2020, 07:12
add distance=1 gateway=10.10.15.1 routing-mark=con-r1 (via-r1 наверное опечатка?)
Уже это понял. Исправил, но безрезультатно
-
xvo
- Сообщения: 4204
- Зарегистрирован: 25 фев 2018, 22:41
- Откуда: Москва
И что в логе при исправленном?
Telegram: @thexvo
-
moskovskiy82
- Сообщения: 31
- Зарегистрирован: 12 июн 2020, 22:12
Конфигурация r1
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=forward comment=Dacha dst-address=192.168.0.0/24 in-interface=Dacha src-address=192.168.1.0/24
add action=accept chain=forward comment=Dacha dst-address=10.10.15.1 in-interface=Dacha src-address=192.168.1.0/24
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="IPSEC ESP" protocol=ipsec-esp
add action=accept chain=forward comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="Established allow" connection-state=established
add action=accept chain=input comment="Related Allow" connection-state=related
add action=accept chain=input comment=web dst-port=80 protocol=tcp
add action=accept chain=input comment=web dst-port=8080 protocol=tcp
add action=drop chain=forward comment="Guest WiFi only WAN" disabled=yes in-interface="Guest WLAN" log=yes log-prefix="GUEST WIFI" out-interface=!Internet
add action=drop chain=input in-interface-list=!LAN log=yes log-prefix=DROP
add action=drop chain=forward comment="defcon OLD drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=Internet log=yes log-prefix=DROPNAT
/ip firewall nat
add action=redirect chain=dstnat dst-address=внешний ip dst-port=80 log=yes log-prefix=PROXY protocol=tcp to-ports=8080
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=DNAT-HASS dst-address=!192.168.0.1 dst-address-type=local dst-port=8123 log-prefix=HPOME protocol=tcp to-addresses=192.168.0.8 to-ports=8123
add action=dst-nat chain=dstnat comment=DACHA dst-address-type="" dst-port=8125 log=yes log-prefix=DACH protocol=tcp to-addresses=192.168.1.8 to-ports=8125
add action=masquerade chain=srcnat comment=SNAT-HASS dst-port=8123 out-interface=bridge1 protocol=tcp src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="DACHA SNAT" disabled=yes dst-port=8125 out-interface=bridge1 protocol=tcp src-address=192.168.1.0/24
/ip proxy
set enabled=yes src-address=0.0.0.0
/ip proxy access
add action=deny comment="Block telnet and spam" dst-port=23-25
add dst-port=80
add disabled=yes dst-host=xxx.server.ru dst-port=80
add action=deny disabled=yes
/ip route
add comment="Dacha VPN" distance=1 dst-address=192.168.1.0/24 gateway=10.10.15.2 pref-src=10.10.15.1
/ip firewall filter
add action=accept chain=input protocol=icmp
add action=accept chain=forward comment=Dacha dst-address=192.168.0.0/24 in-interface=Dacha src-address=192.168.1.0/24
add action=accept chain=forward comment=Dacha dst-address=10.10.15.1 in-interface=Dacha src-address=192.168.1.0/24
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="IPSEC ESP" protocol=ipsec-esp
add action=accept chain=forward comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment="Established allow" connection-state=established
add action=accept chain=input comment="Related Allow" connection-state=related
add action=accept chain=input comment=web dst-port=80 protocol=tcp
add action=accept chain=input comment=web dst-port=8080 protocol=tcp
add action=drop chain=forward comment="Guest WiFi only WAN" disabled=yes in-interface="Guest WLAN" log=yes log-prefix="GUEST WIFI" out-interface=!Internet
add action=drop chain=input in-interface-list=!LAN log=yes log-prefix=DROP
add action=drop chain=forward comment="defcon OLD drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=Internet log=yes log-prefix=DROPNAT
/ip firewall nat
add action=redirect chain=dstnat dst-address=внешний ip dst-port=80 log=yes log-prefix=PROXY protocol=tcp to-ports=8080
add action=masquerade chain=srcnat out-interface-list=WAN
add action=dst-nat chain=dstnat comment=DNAT-HASS dst-address=!192.168.0.1 dst-address-type=local dst-port=8123 log-prefix=HPOME protocol=tcp to-addresses=192.168.0.8 to-ports=8123
add action=dst-nat chain=dstnat comment=DACHA dst-address-type="" dst-port=8125 log=yes log-prefix=DACH protocol=tcp to-addresses=192.168.1.8 to-ports=8125
add action=masquerade chain=srcnat comment=SNAT-HASS dst-port=8123 out-interface=bridge1 protocol=tcp src-address=192.168.0.0/24
add action=masquerade chain=srcnat comment="DACHA SNAT" disabled=yes dst-port=8125 out-interface=bridge1 protocol=tcp src-address=192.168.1.0/24
/ip proxy
set enabled=yes src-address=0.0.0.0
/ip proxy access
add action=deny comment="Block telnet and spam" dst-port=23-25
add dst-port=80
add disabled=yes dst-host=xxx.server.ru dst-port=80
add action=deny disabled=yes
/ip route
add comment="Dacha VPN" distance=1 dst-address=192.168.1.0/24 gateway=10.10.15.2 pref-src=10.10.15.1
-
moskovskiy82
- Сообщения: 31
- Зарегистрирован: 12 июн 2020, 22:12
Промаркировал на r1 следующее
08:27:19 firewall,info HASS DACHA forward: in:Internet out:Dacha, src-mac xx, proto TCP (ACK,RST), 213.xx.xx.40:32429->192.16.1.8:8125, NAT 213.xx.xx.40:32429->(185.xx.xx.xx:8125->192.16.1.8:8125), len 52
08:27:19 firewall,info HASS DACHA forward: in:Dacha out:Dacha, proto TCP (ACK,RST), 213.xx.xx.40:32429->192.16.1.8:8125, len 52
08:27:19 firewall,info HASS DACHA forward: in:Internet out:Dacha, src-mac xx, proto TCP (ACK,RST), 213.xx.xx.40:47995->192.16.1.8:8125, NAT 213.xx.xx.40:47995->(185.xx.xx.xx:8125->192.16.1.8:8125), len 52
08:27:19 firewall,info HASS DACHA forward: in:Internet out:Dacha, src-mac xx, proto TCP (ACK,RST), 213.xx.xx.40:47995->192.16.1.8:8125, NAT 213.xx.xx.40:47995->(185.xx.xx.xx:8125->192.16.1.8:8125), len 52
08:27:19 firewall,info HASS DACHA forward: in:Dacha out:Dacha, proto TCP (ACK,RST), 213.xx.xx.40:32429->192.16.1.8:8125, len 52
08:32:32 firewall,info HASS DACHA forward: in:Dacha out:Dacha, proto TCP (ACK,FIN,PSH), 213.xx.xx.40:3403->192.16.1.8:8125, len 542
08:32:32 firewall,info HASS DACHA forward: in:Internet out:Dacha, src-mac xx, proto TCP (ACK,PSH), 213.xx.xx.40:6666->192.16.1.8:8125, NAT 213.xx.xx.40:6666->(185.xx.xx.xx:8125->192.16.1.8:8125), len 542
08:32:32 firewall,info HASS DACHA forward: in:Internet out:Dacha, src-mac xx, proto TCP (ACK,PSH), 213.xx.xx.40:6666->192.16.1.8:8125, NAT 213.xx.xx.40:6666->(185.xx.xx.xx:8125->192.16.1.8:8125), len 542
08:32:32 firewall,info DACH dstnat: in:Dacha out:(unknown 0), proto TCP (ACK,PSH), 213.xx.xx.40:6666->192.16.1.8:8125, len 542
08:32:32 firewall,info HASS DACHA forward: in:Dacha out:Dacha, proto TCP (ACK,PSH), 213.xx.xx.40:6666->192.16.1.8:8125, len 542
08:32:32 firewall,info HASS DACHA forward: in:Dacha out:Dacha, proto TCP (ACK,PSH), 213.xx.xx.40:6666->192.16.1.8:8125, len 542
08:32:39 firewall,info DROP input: in:Internet out:(unknown 0), src-mac xx, proto TCP (ACK,FIN,PSH), 213.xx.xx.40:10171->185.xx.xx.xx:8125, len 534
r2 лог
08:34:47 firewall,info DACHA PORT ACCEPT forward: in:Home Connect out:bridge, proto TCP (SYN), 213.xx.xx.40:51172->192.168.1.8:8125, len 60
08:34:47 firewall,info DACHA PORT ACCEPT forward: in:Home Connect out:bridge, proto TCP (ACK), 213.xx.xx.40:1079->192.168.1.8:8125, len 52
08:34:47 firewall,info DACHA PORT ACCEPT forward: in:Home Connect out:bridge, proto TCP (ACK,PSH), 213.xx.xx.40:1079->192.168.1.8:8125, len 508
08:34:47 firewall,info DACHA PORT ACCEPT forward: in:Home Connect out:bridge, proto TCP (ACK,PSH), 213.xx.xx.40:1079->192.168.1.8:8125, len 508
08:34:48 firewall,info DACHA PORT ACCEPT forward: in:Home Connect out:bridge, proto TCP (ACK,PSH), 213.xx.xx.40:1079->192.168.1.8:8125, len 508
08:34:48 firewall,info DACHA PORT ACCEPT forward: in:Home Connect out:bridge, proto TCP (ACK), 213.xx.xx.40:1079->192.168.1.8:8125, len 52
08:34:48 firewall,info DACHA PORT ACCEPT forward: in:Home Connect out:bridge, proto TCP (ACK,PSH), 213.xx.xx.40:1079->192.168.1.8:8125, len 508
08:34:50 firewall,info DACHA PORT ACCEPT forward: in:Home Connect out:bridge, proto TCP (ACK), 213.xx.xx.40:1079->192.168.1.8:8125, len 52
08:34:50 firewall,info DACHA PORT ACCEPT forward: in:Home Connect out:bridge, proto TCP (ACK,PSH), 213.xx.xx.40:1079->192.168.1.8:8125, len 508
08:34:53 firewall,info DACHA PORT ACCEPT forward: in:Home Connect out:bridge, proto TCP (ACK,PSH), 213.xx.xx.40:1079->192.168.1.8:8125, len 508
08:34:54 firewall,info DACHA PORT ACCEPT forward: in:Home Connect out:bridge, proto TCP (ACK), 213.xx.xx.40:1079->192.168.1.8:8125, len 52
08:35:19 firewall,info HADACH forward: in:bridge out:Internet, src-mac xx, proto TCP (SYN,ACK), 192.168.1.8:8125->213.xx.xx.40:51172, len 60
08:35:19 firewall,info HADACH forward: in:bridge out:Internet, src-mac xx, proto TCP (SYN,ACK), 192.168.1.8:8125->213.xx.xx.40:51172, len 60
08:35:19 firewall,info DROP forward: in:bridge out:Internet, src-mac xx, proto TCP (SYN,ACK), 192.168.1.8:8125->213.xx.xx.40:51172, len 60