Есть wan, есть два vpn канала в качестве клиента на микроте.
В адресс листе прописано что на 1ый сайт выход через 1ый впн, на второй сайт через второй впн, все остальное через провайдера.
Проверьте, пожалуйста, также маскарадинг, нат и прочее, я что-то намудрил.
Дело в том, что при попытке выйти на определенный сайт, который должен открываться через впн канал - все равно вылезает заглушка моего провайдера. В то время как другой сайт вроде как открывается нормально. При этом труйсроут до сайта из адресс листа с самого микрота показывает, что я все равно иду через провайдера
Код: Выделить всё
# apr/27/2021 10:47:56 by RouterOS 6.48.2
# software id = *************B4HI
#
# model = RBD52G-5HacD2HnD
# serial number = ***************
/interface bridge
add igmp-snooping=yes name=bridge-1 protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=WAN
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
band=2ghz-b/g/n basic-rates-a/g=\
6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b=\
1Mbps,2Mbps,5.5Mbps,11Mbps channel-width=20/40mhz-XX country=russia3 \
disabled=no disconnect-timeout=15s distance=indoors frequency=2437 \
frequency-mode=manual-txpower hw-protection-mode=rts-cts installation=\
indoor mode=ap-bridge multicast-helper=full ssid=Mik2.4 tx-power-mode=\
all-rates-fixed wireless-protocol=802.11 wmm-support=enabled wps-mode=\
disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode \
band=5ghz-n/ac channel-width=20/40/80mhz-XXXX country=russia3 disabled=no \
disconnect-timeout=15s distance=indoors frequency=auto frequency-mode=\
manual-txpower hw-protection-mode=rts-cts installation=indoor \
max-station-count=16 mode=ap-bridge multicast-helper=full ssid=Mik5 \
tx-power=20 tx-power-mode=all-rates-fixed wireless-protocol=802.11 \
wmm-support=enabled wps-mode=disabled
/interface wireless nstreme
set wlan1 enable-polling=no
set wlan2 enable-polling=no
/interface list
add name=Internet
add name=LAN
add name=VPN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk disable-pmkid=\
yes eap-methods="" group-key-update=1h mode=dynamic-keys \
supplicant-identity=MikroTik wpa-pre-shared-key=*********** \
wpa2-pre-shared-key=28745925
add authentication-types=wpa2-psk eap-methods="" group-key-update=1h mode=\
dynamic-keys name=guest_profile supplicant-identity=MikroTik \
wpa-pre-shared-key=freewifi wpa2-pre-shared-key=Guestfreewifi*
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=\
aes-256-cbc,aes-192-cbc,aes-128-cbc,3des
/ip pool
add name=dhcp ranges=192.168.10.100-192.168.10.200
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=bridge-1 lease-time=\
1w name=server1
/ppp profile
add change-tcp-mss=yes name=vpn use-compression=yes use-encryption=required
/interface l2tp-client
add allow=mschap2 connect-to=188.***.***.202 disabled=no ipsec-secret=\
************ name=l2tp-out1 password=************ profile=vpn \
use-ipsec=yes user=MikrotikArt
add connect-to=130.***.***.83 disabled=no ipsec-secret=*********** \
name=l2tp-out2 password=i********** profile=vpn use-ipsec=yes user=\
ubu***********
/routing bgp instance
add as=65500 disabled=yes ignore-as-path-len=yes name=antifilter.download \
out-filter=bgp_in router-id=95.***.***.28
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge-1 interface=ether2
add bridge=bridge-1 interface=ether3
add bridge=bridge-1 interface=wlan1
add bridge=bridge-1 interface=wlan2
add bridge=bridge-1 interface=ether5
add bridge=bridge-1 interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=all
/ip settings
set tcp-syncookies=yes
/interface detect-internet
set detect-interface-list=all lan-interface-list=static
/interface list member
add interface=WAN list=Internet
add interface=l2tp-out1 list=VPN
add interface=bridge-1 list=LAN
add interface=l2tp-out2 list=VPN
/ip address
add address=192.168.10.1/24 interface=bridge-1 network=192.168.10.0
add address=95.***.***.28/29 interface=WAN network=95.***.***.24
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1 \
netmask=24 ntp-server=192.168.10.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d cache-size=32768KiB \
use-doh-server=https://1.0.0.2/dns-query verify-doh-cert=yes
/ip firewall address-list
add address=sknt.ru list=ToSknt
add address=rutracker.org list=ToRkn
add address=oserial4ik.online list=ToRkn
add address=linkedin.cn list=ToRkn
add address=linkedin.com list=ToRkn
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec \
connection-state=established,related protocol=udp
add action=fasttrack-connection chain=forward connection-mark=!ipsec \
connection-state=established,related protocol=tcp
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward comment="Drop invalid Forward" \
connection-state=invalid
add action=drop chain=forward comment="drop all packets for lan, no nat" \
connection-nat-state=!dstnat connection-state=new in-interface-list=\
Internet
add action=accept chain=input comment="Accept Input established related" \
connection-state=established,related protocol=!ipsec-esp
add action=drop chain=input comment="Drop Invalid Input" connection-state=\
invalid
add action=drop chain=input dst-port=53 in-interface-list=Internet protocol=\
udp
add action=drop chain=input dst-port=53 in-interface-list=Internet protocol=\
tcp
add action=jump chain=input comment="Protected - WinBox, ssh, telnet chain" \
connection-state=new dst-port=8291,22,23 in-interface-list=Internet \
jump-target=Protected log-prefix=jumpproverka protocol=tcp
add action=accept chain=input comment=IpSec log-prefix=50ipsec-esp protocol=\
ipsec-esp
add action=accept chain=input comment="IKE, IPsecNAT" connection-state="" \
dst-port=500,4500 protocol=udp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment=L2TP connection-state="" dst-port=1701 \
protocol=udp
add action=accept chain=input comment="Allow IGMP" in-interface=bridge-1 \
protocol=igmp
add action=accept chain=input comment="Winbox MAC" dst-port=20561 protocol=\
udp
add action=add-src-to-address-list address-list=BlackListProtected \
address-list-timeout=3d chain=Protected comment=\
"Protected - WinBox, ssh, telnet. Drop in RAW" connection-state=new \
src-address-list="ListProtected Stage 2"
add action=add-src-to-address-list address-list="ListProtected Stage 2" \
address-list-timeout=2m chain=Protected connection-state=new \
src-address-list="ListProtected Stage 1"
add action=add-src-to-address-list address-list="ListProtected Stage 1" \
address-list-timeout=1m chain=Protected connection-state=new log-prefix=\
ListProtected1
add action=accept chain=Protected dst-port=8291,22,23 in-interface-list=\
Internet protocol=tcp
add action=drop chain=input comment="Drop All Other" in-interface-list=\
Internet log-prefix="drop other"
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Mark to SkyNet" \
dst-address-list=ToSknt new-routing-mark=ToSknt passthrough=no
add action=mark-routing chain=prerouting comment="Mark To VPS Server" \
dst-address-list=ToRkn new-routing-mark=ToRkn passthrough=yes
add action=mark-connection chain=input comment="Mark IPSec" ipsec-policy=\
in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=output comment="Mark IPSec" connection-mark=\
ipsec ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN
add action=masquerade chain=srcnat log-prefix=\
"\EC\E0\F1\EA\E0\F0\E0\E4\F1\EA\ED\F2" out-interface=l2tp-out1
add action=masquerade chain=srcnat out-interface=l2tp-out2
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN \
log-prefix=redirectudp protocol=udp
add action=redirect chain=dstnat dst-port=53 in-interface-list=LAN \
log-prefix=redirect protocol=tcp
add action=masquerade chain=srcnat disabled=yes log-prefix=masquaradppp \
out-interface=all-ppp
add action=accept chain=srcnat disabled=yes out-interface=l2tp-out1
/ip firewall raw
add action=drop chain=prerouting in-interface-list=Internet src-address-list=\
BlackListProtected
/ip proxy
set serialize-connections=yes src-address=192.168.10.1
/ip route
add distance=1 gateway=l2tp-out1 routing-mark=ToSknt
add distance=1 gateway=l2tp-out2 routing-mark=ToRkn
add distance=1 gateway=95.***.***.25
add comment=SKNT distance=1 dst-address=192.168.11.0/24 gateway=l2tp-out1
/ip route rule
add action=lookup-only-in-table routing-mark=ToSknt src-address=0.0.0.0/0 \
table=ToSknt
add action=lookup-only-in-table routing-mark=ToRkn src-address=0.0.0.0/0 \
table=ToRkn
/ip service
set telnet address=192.168.0.0/16
set ftp disabled=yes
set www address=0.0.0.0/0 disabled=yes
set ssh address=192.168.0.0/16
set api disabled=yes
set winbox address=0.0.0.0/0
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=ether5 type=internal
add interface=WAN type=external
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=MikroTik_***
/system logging
add disabled=yes topics=firewall
add disabled=yes topics=dns
add disabled=yes prefix=ipcam topics=interface
add disabled=yes topics=ipsec
add disabled=yes prefix=wifi topics=wireless
/system ntp client
set enabled=yes primary-ntp=162.159.200.1
/system ntp server
set enabled=yes