Гостевой Wifi

Обсуждение ПО и его настройки
Ответить
Edelstein
Сообщения: 28
Зарегистрирован: 03 май 2013, 15:33

Добрый вечер.

Офис, основной шлюз 10.0.1.2, днс 10.0.2.2.

Внутри Rb951g-2hnd (10.0.202.2), раздает два Wifi - основной через радиус в режиме AP, и нужно сделать гостевую сеть с доступом в интернет, а 10.x.x.x закрыть.

На порт 1 приходит кабель, остальные порты и Wlan объединены с ним в бридж.

Сделал:
1. VirtualAP, SSID "Guest".
2. DHCP на нем, клиенты корректно подключаются и получают адрес.

Вопрос:
1. Что служит шлюзом для Guest, на каком интерфейсе этот шлюз должен быть? Сделал 192.168.100.1 на Guest.
2. Как настроить маршрутизацию и какие интерфейсы натить?
3. Какой взять днс, можно ли 8.8.8.8?
4. Как резать на Guest внутреннюю сеть, если микротик все равно получает интернет через 10.0.1.2, а запросы к нему нужно убирать?

Заранее спасибо за ответы!


Аватара пользователя
simpl3x
Модератор
Сообщения: 1532
Зарегистрирован: 19 апр 2012, 14:03

1.
что значит эта фраза? шлюзом, для пользователей, которые подключаются к вашему гостевому ssid будет сам же микротик. адрес его будет таким, который прописан на интерфейсе этого виртуального ssid. если вы сделали ему адрес 192.168.100.1, то соответственно пользователи должны получать адреса из той же сети.
если вы имели что то другое - раскройте вопрос.
2.
у вас же работает офисная сеть, по её подобию сделайте nat для гостевой сети. смысла в настройке какой то там маршрутизации я не вижу, у вас одно устройство, которое принадлежит все сетям одновременно.
3.
а смысл брать какой то другой? можете конешно и 8.8.8.8, только смысл?
4.
фаерволом. одной строчкой:

Код: Выделить всё

ip firewall filter add chain=prerouting action=drop src-address=192.168.100.0/24 dst-address=10.0.0.0/8

при условии что гостевая сеть укладывается в 192.168.100.0/24. правило писал с головы, синтаксис не проверял.


Edelstein
Сообщения: 28
Зарегистрирован: 03 май 2013, 15:33

Итак, интерфейс WiFi-Guest, его IP 192.168.100.1/24, на нем DHCP, NAT. Никаких статических маршрутов не делал.

Проверить могу только удаленно, поэтому на клиенте (ноутбук) делал route "какой-то ip" 192.168.100.1 и пинг, получаю "Ответ от 192.168.100.1: заданная сеть недоступна". 192.168.100.1 с клиента пингуется.
Пробовал создавать на микротике route 0.0.0.0/0 interface ether1-gateway, тогда ошибка на клиенте меняется на "Ответ от 192.168.100.1: заданный узел недоступен".

Где косяк, подскажите плиз?

Код: Выделить всё

[admin@MikroTik] > export   
# jan/02/1970 00:07:20 by RouterOS 5.25
# software id = CRI7-5NHR
#
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    disabled=no forward-delay=15s l2mtu=1598 max-message-age=20s mtu=1500 name=\
    Bridge priority=0x8000 protocol-mode=none transmit-hold-count=6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=\
    no full-duplex=yes l2mtu=1598 mac-address=00:1E:8C:8E:3E:BF master-port=\
    none mtu=1500 name=ether1-gateway speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=\
    no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:6C:6D:39 master-port=\
    none mtu=1500 name=ether2-master-local speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=\
    no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:6C:6D:3A master-port=\
    ether2-master-local mtu=1500 name=ether3-slave-local speed=100Mbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=\
    no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:6C:6D:3B master-port=\
    ether2-master-local mtu=1500 name=ether4-slave-local speed=100Mbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=\
    no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:6C:6D:3C master-port=\
    ether2-master-local mtu=1500 name=ether5-slave-local speed=100Mbps
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
    group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
    management-protection=disabled management-protection-key="" mode=\
    dynamic-keys name=default radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled radius-mac-format=\
    XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none \
    static-algo-1=none static-algo-2=none static-algo-3=none static-key-0="" \
    static-key-1="" static-key-2="" static-key-3="" static-sta-private-algo=\
    none static-sta-private-key="" static-transmit-key=key-0 \
    supplicant-identity=MikroTik tls-certificate=none tls-mode=no-certificates \
    unicast-ciphers=aes-ccm wpa-pre-shared-key=\
    XXX \
    wpa2-pre-shared-key=YYY
add authentication-types=wpa2-eap eap-methods=passthrough group-ciphers=aes-ccm \
    group-key-update=5m interim-update=0s management-protection=allowed \
    management-protection-key="" mode=dynamic-keys name=Secure \
    radius-eap-accounting=yes radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled radius-mac-format=\
    XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none \
    static-algo-1=none static-algo-2=none static-algo-3=none static-key-0="" \
    static-key-1="" static-key-2="" static-key-3="" static-sta-private-algo=\
    none static-sta-private-key="" static-transmit-key=key-0 \
    supplicant-identity="" tls-certificate=none tls-mode=no-certificates \
    unicast-ciphers=aes-ccm wpa-pre-shared-key="" wpa2-pre-shared-key=""
add authentication-types=wpa2-psk eap-methods="" group-ciphers=aes-ccm \
    group-key-update=5m interim-update=0s management-protection=allowed \
    management-protection-key="" mode=dynamic-keys name=Guest \
    radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled radius-mac-format=\
    XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none \
    static-algo-1=none static-algo-2=none static-algo-3=none static-key-0="" \
    static-key-1="" static-key-2="" static-key-3="" static-sta-private-algo=\
    none static-sta-private-key="" static-transmit-key=key-0 \
    supplicant-identity="" tls-certificate=none tls-mode=no-certificates \
    unicast-ciphers=aes-ccm wpa-pre-shared-key=YYY wpa2-pre-shared-key=\
    YYY
/interface wireless
set 0 adaptive-noise-immunity=none allow-sharedkey=no antenna-gain=0 area="" \
    arp=enabled band=2ghz-b/g/n basic-rates-a/g=6Mbps basic-rates-b=1Mbps \
    bridge-mode=enabled channel-width=20/40mhz-ht-above compression=no country=\
    no_country_set default-ap-tx-limit=0 default-authentication=yes \
    default-client-tx-limit=0 default-forwarding=yes dfs-mode=none \
    disable-running-check=no disabled=no disconnect-timeout=3s distance=indoors \
    frame-lifetime=0 frequency=2412 frequency-mode=manual-txpower \
    frequency-offset=0 hide-ssid=no ht-ampdu-priorities=0 ht-amsdu-limit=8192 \
    ht-amsdu-threshold=8192 ht-basic-mcs=\
    mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-guard-interval=any \
    ht-rxchains=0,1 ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,\
    mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-17,mc\
    s-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23" ht-txchains=0,1 \
    hw-fragmentation-threshold=disabled hw-protection-mode=none \
    hw-protection-threshold=0 hw-retries=7 l2mtu=2290 mac-address=\
    D4:CA:6D:6C:6D:3D max-station-count=2007 mode=ap-bridge mtu=1500 \
    multicast-helper=default name=WiFi-Secure noise-floor-threshold=default \
    nv2-cell-radius=30 nv2-noise-floor-offset=default nv2-preshared-key="" \
    nv2-qos=default nv2-queue-count=2 nv2-security=disabled on-fail-retry-time=\
    100ms periodic-calibration=enabled periodic-calibration-interval=10 \
    preamble-mode=both proprietary-extensions=post-2.9.25 radio-name=\
    D4CA6D6C6D3D rate-selection=advanced rate-set=default scan-list=default \
    security-profile=Secure ssid=XXX-1 station-bridge-clone-mac=\
    00:00:00:00:00:00 supported-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=\
    1Mbps,2Mbps,5.5Mbps,11Mbps tdma-period-size=2 tx-power-mode=default \
    update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=\
    none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled \
    wireless-protocol=any wmm-support=disabled
add area="" arp=enabled bridge-mode=enabled default-ap-tx-limit=0 \
    default-authentication=yes default-client-tx-limit=0 default-forwarding=yes \
    disable-running-check=no disabled=no hide-ssid=no l2mtu=2290 mac-address=\
    D6:CA:6D:6C:6D:3D master-interface=WiFi-Secure max-station-count=2007 mtu=\
    1500 multicast-helper=default name=WiFi-Guest proprietary-extensions=\
    post-2.9.25 security-profile=default ssid=XXX-1-Guest \
    update-stats-interval=disabled wds-cost-range=0 wds-default-bridge=none \
    wds-default-cost=0 wds-ignore-ssid=no wds-mode=disabled wmm-support=\
    disabled
/interface wireless manual-tx-power-table
set WiFi-Secure manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:1\
    7,9Mbps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-\
    0:17,HT20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,H\
    T40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-7:\
    17"
/interface wireless nstreme
set WiFi-Secure disable-csma=no enable-nstreme=no enable-polling=yes \
    framer-limit=3200 framer-policy=none
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=\
    hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
    cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 \
    split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default \
    shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des \
    lifetime=30m name=default pfs-group=modp1024
/ip pool
add name="DHCP Pool WiFi Guest" ranges=192.168.100.10-192.168.100.254
/ip dhcp-server
add address-pool="DHCP Pool WiFi Guest" authoritative=after-2sec-delay \
    bootp-support=static disabled=no interface=WiFi-Guest lease-time=3d name=\
    "DHCP Server WiFi Guest"
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=default \
    use-encryption=no use-mpls=default use-vj-compression=default
set 1 change-tcp-mss=yes name=default-encryption only-one=default \
    use-compression=default use-encryption=yes use-mpls=default \
    use-vj-compression=default
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 \
    red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=none name=only-hardware-queue
set 6 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 7 kind=pfifo name=default-small pfifo-limit=10
/routing bgp instance
set default as=65530 client-to-client-reflection=yes disabled=no \
    ignore-as-path-len=no name=default out-filter="" redistribute-connected=no \
    redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no \
    redistribute-static=no router-id=0.0.0.0 routing-table=""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never in-filter=ospf-in \
    metric-bgp=auto metric-connected=20 metric-default=1 metric-other-ospf=auto \
    metric-rip=20 metric-static=20 name=default out-filter=ospf-out \
    redistribute-bgp=no redistribute-connected=no redistribute-other-ospf=no \
    redistribute-rip=no redistribute-static=no router-id=0.0.0.0
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=\
    backbone type=default
/snmp community
set [ find default=yes ] addresses="" authentication-password="" \
    authentication-protocol=MD5 encryption-password="" encryption-protocol=DES \
    name=public read-access=yes security=none write-access=no
/system logging action
set 0 memory-lines=100 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=100 \
    disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote-port=514 src-address=0.0.0.0 \
    syslog-facility=daemon syslog-severity=auto target=remote
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,web\
    ,sniff,sensitive,api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pass\
    word,web,sniff,sensitive,api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,wi\
    nbox,password,web,sniff,sensitive,api" skin=default
/interface bridge port
add bridge=Bridge disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether2-master-local path-cost=10 point-to-point=auto priority=\
    0x80
add bridge=Bridge disabled=no edge=auto external-fdb=auto horizon=none \
    interface=ether1-gateway path-cost=10 point-to-point=auto priority=0x80
add bridge=Bridge disabled=no edge=auto external-fdb=auto horizon=none \
    interface=WiFi-Secure path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=disabled
set 1 vlan-header=leave-as-is vlan-mode=disabled
set 2 vlan-header=leave-as-is vlan-mode=disabled
set 3 vlan-header=leave-as-is vlan-mode=disabled
set 4 vlan-header=leave-as-is vlan-mode=disabled
set 5 vlan-header=leave-as-is vlan-mode=disabled
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption \
    enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
    default enabled=no keepalive-timeout=60 mac-address=FE:1E:E9:45:D6:5B \
    max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=\
    no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=\
    default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=\
    disabled port=443 verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
    00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
    frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
    multiple-channels=no only-headers=no receive-errors=no streaming-enabled=no \
    streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=10.0.202.2/16 disabled=no interface=ether1-gateway network=10.0.0.0
add address=192.168.100.1/24 disabled=no interface=WiFi-Guest network=\
    192.168.100.0
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.168.100.0/24 dhcp-option="" dns-server=8.8.8.8 gateway=\
    192.168.100.1 netmask=24 ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=4096 servers=""
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
    10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=\
    established disabled=no
add action=accept chain=input comment="default configuration" connection-state=\
    related disabled=no
add action=drop chain=input comment="default configuration" disabled=yes \
    in-interface=ether1-gateway
add action=accept chain=forward disabled=yes dst-address=10.0.0.0/8 \
    out-interface=WiFi-Guest
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=WiFi-Guest \
    src-address=192.168.100.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip neighbor discovery
set ether1-gateway disabled=yes
set ether2-master-local disabled=no
set ether3-slave-local disabled=no
set ether4-slave-local disabled=no
set ether5-slave-local disabled=no
set WiFi-Secure disabled=yes
set Bridge disabled=no
set WiFi-Guest disabled=yes
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
    cache-on-disk=no enabled=no max-cache-size=unlimited \
    max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
    parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no \
    src-address=0.0.0.0
/ip service
set telnet address="" disabled=yes port=23
set ftp address="" disabled=yes port=21
set www address="" disabled=yes port=80
set ssh address="" disabled=yes port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=\
    all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no \
    max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest password="" read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no inactive-flow-timeout=\
    15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
set [ find default=yes ] disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no \
    lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0 \
    use-explicit-null=no
/port firmware
set directory=firmware ignore-directip-modem=no
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set ether1-gateway queue=only-hardware-queue
set ether2-master-local queue=only-hardware-queue
set ether3-slave-local queue=only-hardware-queue
set ether4-slave-local queue=only-hardware-queue
set ether5-slave-local queue=only-hardware-queue
set WiFi-Secure queue=wireless-default
set WiFi-Guest queue=wireless-default
/radius
add accounting-backup=no accounting-port=1813 address=10.0.2.9 \
    authentication-port=1812 called-id="" disabled=no domain="" realm="" \
    secret=Uk1S8DD1Lg1FgGMzN10DKyJG6Y702LTXHijTVFTuQNVGKgcFA9tQS2JaIgB57RXd \
    service=wireless timeout=1s
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s \
    multiplier=5
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m \
    gateway-selection=no-gateway origination-interval=5s preferred-gateway=\
    0.0.0.0 timeout=1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 \
    metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no \
    routing-table=main timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=no engine-id="" location="" trap-generators="" \
    trap-target="" trap-version=1
/system clock
set time-zone-name=manual
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
    "jan/01/1970 00:00:00" time-zone=+00:00
/system identity
set name=MikroTik
/system leds
set 0 disabled=no interface=WiFi-Secure leds=wlan-led type=wireless-status
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no mode=broadcast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
/system routerboard settings
set boot-device=nand-if-fail-then-ethernet boot-protocol=bootp cpu-frequency=\
    600MHz force-backup-booter=no silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
    0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
    none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set address=0.0.0.0 from=<> password="" port=25 starttls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set [ find default=yes ] disabled=yes interface=all
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
add disabled=no interface=WiFi-Secure
add disabled=no
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes interface=all
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
add disabled=no interface=WiFi-Secure
add disabled=no
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no secret=""
/tool sniffer
set file-limit=1000KiB file-name="" filter-ip-address="" filter-ip-protocol="" \
    filter-mac-address="" filter-mac-protocol="" filter-port="" filter-stream=\
    yes interface=all memory-limit=100KiB memory-scroll=yes only-headers=no \
    streaming-enabled=no streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-scale=10 test-id=0
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s \
    use-radius=no
[admin@MikroTik] >


Аватара пользователя
simpl3x
Модератор
Сообщения: 1532
Зарегистрирован: 19 апр 2012, 14:03

Шикарное правило маскарад, с out-interface на котором пакетов с таким src-address никогда не будет. Уберите аут-интерфейс.
Правило фаервола тоже бестолковое, пакетов к сети 10.0.0.0/8 на выходи интерфейса Выфы-гест никогда не будет, и тем более правило разрешающее, если вы хотели им что то от чего то отделить - у вас не прлучится


Ответить