Нужна Ваша помощь в решении следующей проблемы:
Есть железка Mikrotik crs125-24g-15-in.
Она играет роль шлюза с сервисами : DHCP, DNS, NTP, Proxy.
Роль эту она должна исполнять для клиентов — бездисковых станций, на которых имеются браузеры и SIP-клиенты. Клиенты эти находятся за NAT.
Сетка для этих клиентов такая: 10.10.10.0/24.
Набросал схему:
Проблема следующая:
SIP-клиенты не регистрируются на Asterisk; да и вообще SIP лучше использовать без NAT.
Поэтому хотел сделать так:
Интерфейс eth1 как бы раздваивается: один адрес он получает из сети организации по DHCP, другой назначается вручную на VLAN, подключённый к порту eth1.
Но при подключении VLAN клиенты перестают получать доступ в интернет.
Как быть? Может, кто-нибудь подскажет ещё варианты использования MikroTik в качестве шлюза, но совсем без NAT?
Конфиг :
# jul/18/2016 16:37:10 by RouterOS 6.35.4
# software id = W198-255P
#
# Reviewer notes: this is the export as posted (the same export is pasted a
# second time further down). Lines marked NOTE(review) point at the
# security-relevant spots; nothing below this header has been changed.
/interface ethernet
set [ find default-name=ether1 ] name=eth1
set [ find default-name=ether2 ] name=eth2-lan-master
set [ find default-name=ether3 ] master-port=eth2-lan-master name=eth3-lan
set [ find default-name=ether4 ] master-port=eth2-lan-master name=eth4-lan
set [ find default-name=ether5 ] master-port=eth2-lan-master name=eth5-lan
set [ find default-name=ether6 ] master-port=eth2-lan-master name=eth6-lan
set [ find default-name=ether7 ] master-port=eth2-lan-master name=eth7-lan
set [ find default-name=ether8 ] master-port=eth2-lan-master name=eth8-lan
set [ find default-name=ether9 ] master-port=eth2-lan-master name=eth9-lan
set [ find default-name=ether10 ] master-port=eth2-lan-master name=eth10-lan
set [ find default-name=ether11 ] master-port=eth2-lan-master name=eth11-lan
set [ find default-name=ether12 ] master-port=eth2-lan-master name=eth12-lan
set [ find default-name=ether13 ] master-port=eth2-lan-master name=eth13-lan
set [ find default-name=ether14 ] master-port=eth2-lan-master name=eth14-lan
set [ find default-name=ether15 ] master-port=eth2-lan-master name=eth15-lan
set [ find default-name=ether16 ] master-port=eth2-lan-master name=eth16-lan
set [ find default-name=ether17 ] master-port=eth2-lan-master name=eth17-lan
set [ find default-name=ether18 ] master-port=eth2-lan-master name=eth18-lan
set [ find default-name=ether19 ] master-port=eth2-lan-master name=eth19-lan
set [ find default-name=ether20 ] master-port=eth2-lan-master name=eth20-lan
set [ find default-name=ether21 ] master-port=eth2-lan-master name=eth21-lan
set [ find default-name=ether22 ] master-port=eth2-lan-master name=eth22-lan
set [ find default-name=ether23 ] master-port=eth2-lan-master name=eth23-lan
set [ find default-name=ether24 ] master-port=eth2-lan-master name=eth24-lan
# NOTE(review): sfp1 is switched together with eth1, i.e. the upstream side.
# Anything plugged into sfp1 lands on the upstream segment, not on the LAN.
set [ find default-name=sfp1 ] master-port=eth1
/interface vlan
# Tagged VLAN 2 on the upstream port; it gets 192.168.0.249/24 below.
# NOTE(review): no forward, NAT or route entry in this export references
# eth1-vlan-2, so LAN traffic can never leave through it - the final
# "drop forward" rule catches it. That alone makes the VLAN path unusable.
add interface=eth1 name=eth1-vlan-2 vlan-id=2
/ip pool
add name=dhcp10 ranges=10.10.10.5-10.10.10.250
/ip dhcp-server
add address-pool=dhcp10 disabled=no interface=eth2-lan-master lease-time=12h \
name=dhcp10
/interface ethernet switch port
# Per-port weighted-round-robin queue scheduling, identical on all 26 ports;
# no security relevance.
set 0 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 1 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 2 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 3 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 4 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 5 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 6 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 7 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 8 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 9 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 10 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 11 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 12 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 13 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 14 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 15 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 16 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 17 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 18 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 19 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 20 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 21 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 22 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 23 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 24 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 25 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
/ip address
# NOTE(review): 192.168.88.1/24 is the factory-default address, still bound
# to the upstream port next to the DHCP-client address. The input chain lets
# only ICMP through from that source range, so it is dead weight; remove it
# once it is confirmed nothing uses it for management.
add address=192.168.88.1/24 comment=defconf interface=eth1 network=\
192.168.88.0
add address=10.10.10.1/24 interface=eth2-lan-master network=10.10.10.0
# Router-side address on the tagged VLAN; without srcnat for eth1-vlan-2 the
# 192.168.0.0/24 side would need a route for 10.10.10.0/24 via this address.
add address=192.168.0.249/24 interface=eth1-vlan-2 network=192.168.0.0
/ip dhcp-client
# Upstream address and default route come from the organisation's DHCP.
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
interface=eth1
/ip dhcp-server network
# PXE: diskless clients fetch pxelinux.0 from 10.0.5.115, which is outside
# 10.10.10.0/24 and therefore reached through eth1 and the masquerade rule.
# NOTE(review): this export contains no /system ntp server section, yet the
# clients are handed ntp-server=10.10.10.1 - confirm the NTP server is really
# enabled, otherwise the diskless stations have no working time source.
add address=10.10.10.0/24 boot-file-name=pxelinux.0 dns-server=10.10.10.1 \
gateway=10.10.10.1 netmask=24 next-server=10.0.5.115 ntp-server=\
10.10.10.1
/ip dns
# Recursive resolver for the LAN. allow-remote-requests=yes answers on every
# interface; exposure is limited only by the input chain below (from eth1
# only 192.168.10.15 and 10.0.5.0/24 can reach it).
set allow-remote-requests=yes
/ip firewall filter
# Input: ICMP from anywhere (no rate limit), then established/related.
add chain=input protocol=icmp
add chain=input connection-state=established,related
add chain=output connection-state=!invalid
# Forward LAN -> eth1 only. NOTE(review): "related" is not accepted in this
# direction, and out-interface=eth1-vlan-2 is not accepted at all; there is
# also no early drop of connection-state=invalid in any chain.
add chain=forward connection-state=established,new in-interface=\
eth2-lan-master out-interface=eth1 src-address=10.10.10.0/24
add chain=forward connection-state=established,related in-interface=eth1 \
out-interface=eth2-lan-master
# NOTE(review): this accept has no in-interface, so a packet arriving on eth1
# with a spoofed 10.10.10.x source is accepted into every router service
# (DNS, proxy, management). Pin it to in-interface=eth2-lan-master.
add chain=input src-address=10.10.10.0/24
# Full management access for these two upstream sources; everything else
# that reaches the router is dropped below.
add chain=input in-interface=eth1 src-address=192.168.10.15
add chain=input in-interface=eth1 src-address=10.0.5.0/24
add action=drop chain=input
add action=drop chain=output
add action=drop chain=forward
/ip firewall mangle
# Marks new TCP/9999 connections; nothing else in this export uses the mark.
add action=mark-connection chain=prerouting connection-state=new dst-port=\
9999 new-connection-mark=allow_in protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=eth1 src-address=\
10.10.10.0/24
# NOTE(review): the 9999 -> 80 redirect has no in-interface or src-address
# match, so it applies on every interface; it is contained only by the
# input chain's source filter.
add action=redirect chain=dstnat dst-port=9999 protocol=tcp to-ports=80
add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp \
src-address=10.10.10.0/24 to-ports=8080
# Transparent proxy for the LAN (dst-address=0.0.0.0/0 is a no-op matcher).
add action=redirect chain=dstnat dst-address=0.0.0.0/0 dst-port=80 protocol=\
tcp src-address=10.10.10.0/24 to-ports=8080
/ip proxy
# NOTE(review): the proxy listens on all addresses and the access list below
# only constrains 10.10.10.0/24. A request from a source the input chain
# accepts but no access rule matches (192.168.10.15, 10.0.5.0/24) falls
# through to the proxy's implicit default, which presumably allows it -
# verify, and add a final unconditional deny rule.
set anonymous=yes cache-on-disk=yes enabled=yes parent-proxy=0.0.0.0 \
src-address=0.0.0.0
/ip proxy access
add action=deny disabled=yes dst-host=!yandex.ru dst-port=80 src-address=\
10.10.10.0/24
# Allows every destination except pleer.ru for the LAN; the next rule then
# denies what is left (effectively only pleer.ru).
add dst-host=!pleer.ru src-address=10.10.10.0/24
add action=deny dst-host=!any src-address=10.10.10.0/24
/system clock
set time-zone-name=Asia/Krasnoyarsk
/system routerboard settings
# Factory default; bootloader is not protected against reset/netinstall with
# physical access - acceptable only if the unit sits in a locked rack.
set protected-routerboot=disabled
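# software id = W198-255P
#
# Revised version of the export above (RouterOS 6.35.4). Interfaces,
# addresses, DHCP, DNS and proxy settings are kept; the firewall and NAT
# sections are reworked so that:
#   - connection-state=invalid is dropped before anything is accepted;
#   - the LAN accept rules are pinned to the LAN port (anti-spoofing);
#   - LAN clients may also be forwarded out through eth1-vlan-2, without
#     srcnat, which is the "SIP without NAT" path the post asks for;
#   - the transparent-proxy redirect only acts on packets entering from the
#     LAN port;
#   - the proxy access list ends with an unconditional deny.
# Rules are evaluated in order within each chain; keep the order as written.
/interface ethernet
set [ find default-name=ether1 ] name=eth1
set [ find default-name=ether2 ] name=eth2-lan-master
set [ find default-name=ether3 ] master-port=eth2-lan-master name=eth3-lan
set [ find default-name=ether4 ] master-port=eth2-lan-master name=eth4-lan
set [ find default-name=ether5 ] master-port=eth2-lan-master name=eth5-lan
set [ find default-name=ether6 ] master-port=eth2-lan-master name=eth6-lan
set [ find default-name=ether7 ] master-port=eth2-lan-master name=eth7-lan
set [ find default-name=ether8 ] master-port=eth2-lan-master name=eth8-lan
set [ find default-name=ether9 ] master-port=eth2-lan-master name=eth9-lan
set [ find default-name=ether10 ] master-port=eth2-lan-master name=eth10-lan
set [ find default-name=ether11 ] master-port=eth2-lan-master name=eth11-lan
set [ find default-name=ether12 ] master-port=eth2-lan-master name=eth12-lan
set [ find default-name=ether13 ] master-port=eth2-lan-master name=eth13-lan
set [ find default-name=ether14 ] master-port=eth2-lan-master name=eth14-lan
set [ find default-name=ether15 ] master-port=eth2-lan-master name=eth15-lan
set [ find default-name=ether16 ] master-port=eth2-lan-master name=eth16-lan
set [ find default-name=ether17 ] master-port=eth2-lan-master name=eth17-lan
set [ find default-name=ether18 ] master-port=eth2-lan-master name=eth18-lan
set [ find default-name=ether19 ] master-port=eth2-lan-master name=eth19-lan
set [ find default-name=ether20 ] master-port=eth2-lan-master name=eth20-lan
set [ find default-name=ether21 ] master-port=eth2-lan-master name=eth21-lan
set [ find default-name=ether22 ] master-port=eth2-lan-master name=eth22-lan
set [ find default-name=ether23 ] master-port=eth2-lan-master name=eth23-lan
set [ find default-name=ether24 ] master-port=eth2-lan-master name=eth24-lan
# sfp1 is switched with the upstream port; anything plugged into it is on
# the upstream segment, not on the LAN.
set [ find default-name=sfp1 ] master-port=eth1
/interface vlan
# Tagged VLAN 2 on the upstream port. Traffic forwarded through it is NOT
# masqueraded, so the 192.168.0.0/24 side (where the Asterisk server
# presumably lives) must carry a route for 10.10.10.0/24 via 192.168.0.249,
# and nothing in this export adds a route from the router into that VLAN
# beyond the connected 192.168.0.0/24 - add one if other prefixes are needed.
add interface=eth1 name=eth1-vlan-2 vlan-id=2
/ip pool
add name=dhcp10 ranges=10.10.10.5-10.10.10.250
/ip dhcp-server
add address-pool=dhcp10 disabled=no interface=eth2-lan-master lease-time=12h \
name=dhcp10
/interface ethernet switch port
# Per-port weighted-round-robin queue scheduling, identical on all 26 ports.
set 0 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 1 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 2 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 3 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 4 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 5 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 6 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 7 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 8 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 9 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 10 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 11 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 12 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 13 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 14 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 15 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 16 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 17 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 18 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 19 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 20 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 21 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 22 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 23 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 24 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 25 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
:8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
/ip address
# Factory-default address kept from the original export. The input chain
# lets only ICMP through from 192.168.88.0/24, so it is dead weight; remove
# it once it is confirmed nothing uses it for management.
add address=192.168.88.1/24 comment=defconf interface=eth1 network=\
192.168.88.0
add address=10.10.10.1/24 interface=eth2-lan-master network=10.10.10.0
add address=192.168.0.249/24 interface=eth1-vlan-2 network=192.168.0.0
/ip dhcp-client
# Upstream address and default route come from the organisation's DHCP.
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no \
interface=eth1
/ip dhcp-server network
# PXE: the boot server 10.0.5.115 is outside the LAN and is reached through
# eth1 and the masquerade rule. This export contains no /system ntp server
# section - confirm the NTP server is enabled or drop the ntp-server option.
add address=10.10.10.0/24 boot-file-name=pxelinux.0 dns-server=10.10.10.1 \
gateway=10.10.10.1 netmask=24 next-server=10.0.5.115 ntp-server=\
10.10.10.1
/ip dns
# Needed so LAN clients can use the router as resolver; who may reach it is
# governed solely by the input chain below.
set allow-remote-requests=yes
/ip firewall filter
# --- input: traffic addressed to the router itself ---
add action=drop chain=input comment="drop invalid first" connection-state=\
invalid
add chain=input connection-state=established,related
add chain=input protocol=icmp
# LAN services (DHCP, DNS, NTP, proxy) - accepted only when the packet really
# enters on the LAN port, so a spoofed 10.10.10.x source on eth1 is dropped.
add chain=input in-interface=eth2-lan-master src-address=10.10.10.0/24
# Management from the upstream side, same two sources as before.
add chain=input in-interface=eth1 src-address=192.168.10.15
add chain=input in-interface=eth1 src-address=10.0.5.0/24
add action=drop chain=input
# --- output: traffic originated by the router ---
add chain=output connection-state=!invalid
add action=drop chain=output
# --- forward: LAN clients through the router ---
add action=drop chain=forward comment="drop invalid first" connection-state=\
invalid
# Replies and helper-tracked (related) flows for sessions accepted below,
# whichever upstream path they use.
add chain=forward connection-state=established,related
# New sessions may only originate on the LAN port with a LAN source, and may
# leave via the DHCP upstream (masqueraded) or via VLAN 2 (not masqueraded).
add chain=forward connection-state=new in-interface=eth2-lan-master \
out-interface=eth1 src-address=10.10.10.0/24
add chain=forward connection-state=new in-interface=eth2-lan-master \
out-interface=eth1-vlan-2 src-address=10.10.10.0/24
add action=drop chain=forward
/ip firewall mangle
# Marks new TCP/9999 connections; nothing else in this export uses the mark.
add action=mark-connection chain=prerouting connection-state=new dst-port=\
9999 new-connection-mark=allow_in protocol=tcp
/ip firewall nat
# Masquerade only towards the DHCP-assigned upstream. There is deliberately
# no srcnat for eth1-vlan-2 so SIP on that path keeps the real client address.
add action=masquerade chain=srcnat out-interface=eth1 src-address=\
10.10.10.0/24
# Kept as in the original: this redirect matches on every interface and is
# contained only by the input chain's source filter. Add in-interface=... if
# it is meant for one side only.
add action=redirect chain=dstnat dst-port=9999 protocol=tcp to-ports=80
# Transparent proxy for the LAN; matches only packets entering on the LAN
# port (the redundant dst-address=0.0.0.0/0 and the disabled duplicate rule
# from the original export are dropped).
add action=redirect chain=dstnat dst-port=80 in-interface=eth2-lan-master \
protocol=tcp src-address=10.10.10.0/24 to-ports=8080
/ip proxy
set anonymous=yes cache-on-disk=yes enabled=yes parent-proxy=0.0.0.0 \
src-address=0.0.0.0
/ip proxy access
add action=deny disabled=yes dst-host=!yandex.ru dst-port=80 src-address=\
10.10.10.0/24
# Allows every destination except pleer.ru for the LAN; the next rule then
# denies what is left (effectively only pleer.ru).
add dst-host=!pleer.ru src-address=10.10.10.0/24
add action=deny dst-host=!any src-address=10.10.10.0/24
# Catch-all so sources outside 10.10.10.0/24 that pass the input chain (the
# two management sources) cannot use the router as an open proxy.
add action=deny comment="default deny"
/system clock
set time-zone-name=Asia/Krasnoyarsk
/system routerboard settings
# Factory default; bootloader is not protected against reset/netinstall with
# physical access - acceptable only if the unit sits in a locked rack.
set protected-routerboot=disabled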