Проблема следующая: есть RB2011 в одном городе и CRS125 в другом. Оба — шлюзы по умолчанию. Поднимаю IPsec, коннект есть, трафик шифруется, соединение работает без проблем. На одной стороне сеть 192.168.100.0, на другой 192.168.0.0. С обеих сторон пингуются шлюзы и некоторые устройства (т.е. адреса), соответственно, я могу попасть на них из противоположных сетей, а некоторые устройства (адреса) хоть убей не пингуются, и доступа на них нет.
В чем может быть проблема? Всю голову сломал уже: вроде и правила все написаны, и маршруты, но часть адресов пингуется, а часть — нет. Причем ситуация одинаковая, хоть при GRE, хоть PPTP, хоть L2TP. Что делаю не так, не пойму. И еще нюанс: изначально CRS125 настраивал не я, и, возможно, исходная конфигурация не была вычищена, а сейчас сбросить всё нет возможности, т.к. железка в другом городе и доступ к ней, во всяком случае пока, только удаленный.
Спасибо заранее. Экспорт прилагаю.
# sep/19/2017 06:57:49 by RouterOS 6.40.3
# software id = NS6P-ZPZ8
#
# model = CRS125-24G-1S-2HnD
# serial number =
#
# Export of the CRS125 side (LAN 192.168.100.0/24) of a site-to-site IPsec
# setup; the peer XX.XXX.XXX.XX serves 192.168.0.0/24. Secrets and public
# addresses were masked by the author with * / X / Y.
/interface bridge
# NOTE(review): arp=proxy-arp makes the router answer ARP on the LAN for any
# destination it has a route to (including 192.168.0.0/24 below). It is not
# normally needed on a plain LAN bridge - confirm why it was set.
add admin-mac=********** arp=proxy-arp auto-mac=no fast-forward=no name=bridge_local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=russia disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=**** wireless-protocol=802.11
/interface ethernet
# ether2-master together with ether3..ether24 and sfp1 forms one switch group
# (master-port); ether1_WAN is the only port outside it.
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] master-port=ether2-master
set [ find default-name=ether7 ] master-port=ether2-master
set [ find default-name=ether8 ] master-port=ether2-master
set [ find default-name=ether9 ] master-port=ether2-master
set [ find default-name=ether10 ] master-port=ether2-master
set [ find default-name=ether11 ] master-port=ether2-master
set [ find default-name=ether12 ] master-port=ether2-master
set [ find default-name=ether13 ] master-port=ether2-master
set [ find default-name=ether14 ] master-port=ether2-master
set [ find default-name=ether15 ] master-port=ether2-master
set [ find default-name=ether16 ] master-port=ether2-master
set [ find default-name=ether17 ] master-port=ether2-master
set [ find default-name=ether18 ] master-port=ether2-master
set [ find default-name=ether19 ] master-port=ether2-master
set [ find default-name=ether20 ] master-port=ether2-master
set [ find default-name=ether21 ] master-port=ether2-master
set [ find default-name=ether22 ] master-port=ether2-master
set [ find default-name=ether23 ] master-port=ether2-master
set [ find default-name=ether24 ] master-port=ether2-master
set [ find default-name=sfp1 ] master-port=ether2-master
/interface l2tp-client
# NOTE(review): three alternative tunnels to the same peer XX.XXX.XXX.XX are
# defined here (L2TP/IPsec, PPTP, GRE/IPsec) in addition to the plain IPsec
# policy further down; only the GRE one is disabled. PPTP (MS-CHAPv2 + MPPE)
# is considered broken and should not carry site traffic. Once the working
# variant is chosen, remove or disable the others so that only one path to
# 192.168.0.0/24 exists.
add allow=mschap2 connect-to=XX.XXX.XXX.XX ipsec-secret=*********** name=l2tp-out1 password=********* user=*******
/interface pptp-client
add allow=mschap2 connect-to=XX.XXX.XXX.XX keepalive-timeout=600 name=******** password=********* user=*********
/interface gre
add allow-fast-path=no disabled=yes ipsec-secret=********** local-address=YY.YY.YYY.YYY name=gre-tunnel1 remote-address=XX.XXX.XXX.XX
/ip neighbor discovery
# Neighbor discovery is switched off on the WAN port - good.
set ether1_WAN discover=no
/interface wireless security-profiles
# NOTE(review): both profiles still accept wpa-psk (WPA1) next to wpa2-psk;
# drop wpa-psk unless a legacy client really needs it.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=******** wpa2-pre-shared-key=*******
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile supplicant-identity=MikroTik wpa-pre-shared-key=********* wpa2-pre-shared-key=*********
/interface wireless
# Guest SSID as a virtual AP on wlan1; isolation from the LAN is done by the
# bridge filter rules below.
add disabled=no mac-address=********** master-interface=wlan1 name=wlan2 security-profile=profile ssid=Guest
/ip ipsec proposal
# NOTE(review): 3DES with MD5/SHA1 is legacy crypto. It has to be changed on
# both peers at the same time (together with the peer's dh-group below),
# otherwise the tunnel stops negotiating.
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.100.105-192.168.100.200
/ip dhcp-server
# The DHCP server listens on bridge_local, while the matching /ip address
# entry below is on ether2-master.
add address-pool=dhcp disabled=no interface=bridge_local lease-time=10h10m name=dhcp1
/ppp profile
# NOTE(review): *FFFFFFFE is presumably the built-in "default" profile;
# bridge=bridge_local puts every PPP interface that uses it into the LAN
# bridge. If l2tp-out1 or the pptp client use this profile, those tunnels are
# bridged into the LAN as well as routed - confirm that is intended.
set *FFFFFFFE bridge=bridge_local
/interface bridge filter
# Drops bridged frames between wlan2 (guest) and the other bridge ports. Only
# the bridge forward chain is covered: frames addressed to the router itself
# and routed traffic are not affected by these two rules.
add action=drop chain=forward in-interface=wlan2
add action=drop chain=forward out-interface=wlan2
/interface bridge port
add bridge=bridge_local comment=defconf interface=ether2-master
add bridge=bridge_local comment=defconf interface=wlan1
add bridge=bridge_local interface=wlan2
/ip address
# NOTE(review): the LAN address is on ether2-master, which is itself a port
# of bridge_local (DHCP server and UPnP reference bridge_local). RouterOS
# normally expects the address on the bridge interface; check
# `/ip address print` for an invalid (I) flag on this entry and move it to
# bridge_local if it is flagged.
add address=192.168.100.1/24 interface=ether2-master network=192.168.100.0
add address=YY.YY.YYY.YYY/24 interface=ether1_WAN network=YY.YY.YYY.0
# Tunnel address of the (disabled) GRE variant.
add address=172.16.30.2/30 disabled=yes interface=gre-tunnel1 network=172.16.30.0
/ip dhcp-client
# NOTE(review): a DHCP client on ether1_WAN coexists with the static WAN
# address above and the static default route below; one of the two is
# presumably leftover - confirm which one the uplink actually uses.
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1_WAN
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
# allow-remote-requests=yes: with no drop rule in the input chain (see
# /ip firewall filter) the resolver is reachable from the WAN side too.
set allow-remote-requests=yes servers=YY.YYY.YY.YYY,YYY.YYY.YY.YY
/ip dns static
add address=192.168.100.1 name=router
/ip firewall filter
# NOTE(review): this list contains only accept rules. RouterOS accepts any
# packet no rule matches, so every accept below is effectively a no-op: the
# router accepts all input from any interface and forwards everything. The
# two chain=input rules only see packets addressed to the router itself;
# host-to-host traffic between the two LANs goes through the forward chain,
# which has no rules at all, and log=yes on them logs every matching packet.
# A conventional minimum would be: accept established,related / drop invalid
# / keep the IKE+ESP accepts below / drop remaining input and forward from
# in-interface=ether1_WAN - added last and verified from the remote site
# step by step, since the only management path to this box is remote.
# Nothing in this export distinguishes the reachable LAN hosts from the
# unreachable ones; with the router side open like this, the usual host-side
# causes are a local firewall that only answers its own subnet or a default
# gateway other than 192.168.100.1. /tool sniffer (already set to
# ether1_WAN) shows whether the echo request to a failing host leaves as ESP
# at all and whether anything comes back.
add action=accept chain=input dst-address=192.168.100.0/24 log=yes src-address=192.168.0.0/24
add action=accept chain=output dst-address=192.168.0.0/24 log=yes src-address=192.168.100.0/24
add action=accept chain=input disabled=yes protocol=gre
add action=accept chain=output disabled=yes protocol=gre
add action=accept chain=input dst-port=500 in-interface=ether1_WAN protocol=udp
add action=accept chain=output dst-port=500 out-interface=ether1_WAN protocol=udp
add action=accept chain=input in-interface=ether1_WAN protocol=ipsec-esp
add action=accept chain=output out-interface=ether1_WAN protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
/ip firewall nat
# The accept rule is ordered before masquerade so LAN-to-LAN traffic is not
# NATed (a masqueraded packet would no longer match the IPsec policy
# selectors). The raw notrack rules below already keep this traffic out of
# connection tracking, and NAT is only applied to tracked connections.
add action=accept chain=srcnat dst-address=192.168.0.0/24 log=yes src-address=192.168.100.0/24
add action=masquerade chain=srcnat out-interface=ether1_WAN
/ip firewall raw
# LAN-to-LAN traffic bypasses connection tracking in both directions; it can
# therefore not be filtered statefully (established/related) later on.
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=notrack chain=prerouting dst-address=192.168.100.0/24 src-address=192.168.0.0/24
/ip ipsec peer
# NOTE(review): skip-peer-id-validation, modp1024 and 3DES all weaken the IKE
# exchange. mode-config=request-only is the road-warrior client setting and
# is unusual next to a static site-to-site policy - confirm the RB2011 side
# is really a mode-config server, otherwise drop it. nat-traversal=no is only
# correct if neither router sits behind NAT.
add address=XX.XXX.XXX.XX/32 compatibility-options=skip-peer-id-validation dh-group=modp1024 enc-algorithm=3des mode-config=request-only nat-traversal=no secret=************
/ip ipsec policy
# Built-in policy 0 disabled; the tunnel-mode policy selects exactly
# 192.168.100.0/24 <-> 192.168.0.0/24 between the two public addresses.
# Packets whose source is not in 192.168.100.0/24 (e.g. packets the router
# itself sends from its WAN address) are not encrypted by it.
set 0 disabled=yes
add dst-address=192.168.0.0/24 sa-dst-address=XX.XXX.XXX.XX sa-src-address=YY.YY.YYY.YYY src-address=192.168.100.0/24 tunnel=yes
/ip route
add distance=1 gateway=YY.YY.YYY.1
# NOTE(review): an interface route (gateway=ether1_WAN) to 192.168.0.0/24
# makes the router treat the remote LAN as directly attached to the WAN
# segment, and pref-src=YY.YY.YYY.YYY makes router-originated packets to
# 192.168.0.0/24 leave with the public source address, which the IPsec policy
# above does not match - so pings from this router itself to the remote LAN
# cannot work through the tunnel. Policy-based IPsec needs no extra route
# (the default route is enough); if the route is kept,
# pref-src=192.168.100.1 (as on the disabled GRE route below) keeps router
# traffic inside the policy.
add distance=1 dst-address=192.168.0.0/24 gateway=ether1_WAN pref-src=YY.YY.YYY.YYY scope=10
add disabled=yes distance=1 dst-address=192.168.0.0/24 gateway=gre-tunnel1 pref-src=192.168.100.1
/ip route rule
add disabled=yes dst-address=192.168.0.0/24 interface=bridge_local routing-mark=main src-address=192.168.100.0/24 table=main
/ip service
# Every listed service is disabled; winbox is not listed and therefore keeps
# its default (enabled). With no input drop rule it is reachable from the
# WAN; restrict it with address= (e.g. the two LANs) in addition to the
# firewall.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
# NOTE(review): UPnP with ether1_WAN as external lets any host on
# bridge_local - the guest SSID wlan2 is a port of that bridge too - open
# inbound port forwards on the WAN without authentication. Disable unless a
# specific application needs it.
set enabled=yes show-dummy-rule=no
/ip upnp interfaces
add interface=ether1_WAN type=external
add interface=bridge_local type=internal
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=gw.*********
/system ntp client
# NOTE(review): the trailing `server-dns` carries no value - the line looks
# cut off in the paste (presumably server-dns-names=...).
set enabled=yes primary-ntp=91.226.136.155 secondary-ntp=88.147.254.232 server-dns
/system routerboard settings
set cpu-frequency=750MHz
/tool mac-server
# MAC-telnet / MAC-winbox: default entry disabled, enabled only on the LAN
# switch group and the SSIDs, not on ether1_WAN. wlan2 (guest) is included;
# consider removing it from both lists.
set [ find default=yes ] disabled=yes
add interface=ether2-master
add interface=wlan1
add interface=wlan2
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master
add interface=wlan1
add interface=wlan2
/tool sniffer
set filter-interface=ether1_WAN
# software id = NS6P-ZPZ8
#
# model = CRS125-24G-1S-2HnD
# serial number =
#
# Export of the CRS125 side (LAN 192.168.100.0/24) of a site-to-site IPsec
# setup; the peer XX.XXX.XXX.XX serves 192.168.0.0/24. Secrets and public
# addresses were masked by the author with * / X / Y.
/interface bridge
# NOTE(review): arp=proxy-arp makes the router answer ARP on the LAN for any
# destination it has a route to (including 192.168.0.0/24 below). It is not
# normally needed on a plain LAN bridge - confirm why it was set.
add admin-mac=********** arp=proxy-arp auto-mac=no fast-forward=no name=bridge_local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=russia disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=**** wireless-protocol=802.11
/interface ethernet
# ether2-master together with ether3..ether24 and sfp1 forms one switch group
# (master-port); ether1_WAN is the only port outside it.
set [ find default-name=ether1 ] name=ether1_WAN
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
set [ find default-name=ether5 ] master-port=ether2-master
set [ find default-name=ether6 ] master-port=ether2-master
set [ find default-name=ether7 ] master-port=ether2-master
set [ find default-name=ether8 ] master-port=ether2-master
set [ find default-name=ether9 ] master-port=ether2-master
set [ find default-name=ether10 ] master-port=ether2-master
set [ find default-name=ether11 ] master-port=ether2-master
set [ find default-name=ether12 ] master-port=ether2-master
set [ find default-name=ether13 ] master-port=ether2-master
set [ find default-name=ether14 ] master-port=ether2-master
set [ find default-name=ether15 ] master-port=ether2-master
set [ find default-name=ether16 ] master-port=ether2-master
set [ find default-name=ether17 ] master-port=ether2-master
set [ find default-name=ether18 ] master-port=ether2-master
set [ find default-name=ether19 ] master-port=ether2-master
set [ find default-name=ether20 ] master-port=ether2-master
set [ find default-name=ether21 ] master-port=ether2-master
set [ find default-name=ether22 ] master-port=ether2-master
set [ find default-name=ether23 ] master-port=ether2-master
set [ find default-name=ether24 ] master-port=ether2-master
set [ find default-name=sfp1 ] master-port=ether2-master
/interface l2tp-client
# NOTE(review): three alternative tunnels to the same peer XX.XXX.XXX.XX are
# defined here (L2TP/IPsec, PPTP, GRE/IPsec) in addition to the plain IPsec
# policy further down; only the GRE one is disabled. PPTP (MS-CHAPv2 + MPPE)
# is considered broken and should not carry site traffic. Once the working
# variant is chosen, remove or disable the others so that only one path to
# 192.168.0.0/24 exists.
add allow=mschap2 connect-to=XX.XXX.XXX.XX ipsec-secret=*********** name=l2tp-out1 password=********* user=*******
/interface pptp-client
add allow=mschap2 connect-to=XX.XXX.XXX.XX keepalive-timeout=600 name=******** password=********* user=*********
/interface gre
add allow-fast-path=no disabled=yes ipsec-secret=********** local-address=YY.YY.YYY.YYY name=gre-tunnel1 remote-address=XX.XXX.XXX.XX
/ip neighbor discovery
# Neighbor discovery is switched off on the WAN port - good.
set ether1_WAN discover=no
/interface wireless security-profiles
# NOTE(review): both profiles still accept wpa-psk (WPA1) next to wpa2-psk;
# drop wpa-psk unless a legacy client really needs it.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=******** wpa2-pre-shared-key=*******
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile supplicant-identity=MikroTik wpa-pre-shared-key=********* wpa2-pre-shared-key=*********
/interface wireless
# Guest SSID as a virtual AP on wlan1; isolation from the LAN is done by the
# bridge filter rules below.
add disabled=no mac-address=********** master-interface=wlan1 name=wlan2 security-profile=profile ssid=Guest
/ip ipsec proposal
# NOTE(review): 3DES with MD5/SHA1 is legacy crypto. It has to be changed on
# both peers at the same time (together with the peer's dh-group below),
# otherwise the tunnel stops negotiating.
set [ find default=yes ] auth-algorithms=sha1,md5 enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.100.105-192.168.100.200
/ip dhcp-server
# The DHCP server listens on bridge_local, while the matching /ip address
# entry below is on ether2-master.
add address-pool=dhcp disabled=no interface=bridge_local lease-time=10h10m name=dhcp1
/ppp profile
# NOTE(review): *FFFFFFFE is presumably the built-in "default" profile;
# bridge=bridge_local puts every PPP interface that uses it into the LAN
# bridge. If l2tp-out1 or the pptp client use this profile, those tunnels are
# bridged into the LAN as well as routed - confirm that is intended.
set *FFFFFFFE bridge=bridge_local
/interface bridge filter
# Drops bridged frames between wlan2 (guest) and the other bridge ports. Only
# the bridge forward chain is covered: frames addressed to the router itself
# and routed traffic are not affected by these two rules.
add action=drop chain=forward in-interface=wlan2
add action=drop chain=forward out-interface=wlan2
/interface bridge port
add bridge=bridge_local comment=defconf interface=ether2-master
add bridge=bridge_local comment=defconf interface=wlan1
add bridge=bridge_local interface=wlan2
/ip address
# NOTE(review): the LAN address is on ether2-master, which is itself a port
# of bridge_local (DHCP server and UPnP reference bridge_local). RouterOS
# normally expects the address on the bridge interface; check
# `/ip address print` for an invalid (I) flag on this entry and move it to
# bridge_local if it is flagged.
add address=192.168.100.1/24 interface=ether2-master network=192.168.100.0
add address=YY.YY.YYY.YYY/24 interface=ether1_WAN network=YY.YY.YYY.0
# Tunnel address of the (disabled) GRE variant.
add address=172.16.30.2/30 disabled=yes interface=gre-tunnel1 network=172.16.30.0
/ip dhcp-client
# NOTE(review): a DHCP client on ether1_WAN coexists with the static WAN
# address above and the static default route below; one of the two is
# presumably leftover - confirm which one the uplink actually uses.
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1_WAN
/ip dhcp-server network
add address=192.168.100.0/24 gateway=192.168.100.1
/ip dns
# allow-remote-requests=yes: with no drop rule in the input chain (see
# /ip firewall filter) the resolver is reachable from the WAN side too.
set allow-remote-requests=yes servers=YY.YYY.YY.YYY,YYY.YYY.YY.YY
/ip dns static
add address=192.168.100.1 name=router
/ip firewall filter
# NOTE(review): this list contains only accept rules. RouterOS accepts any
# packet no rule matches, so every accept below is effectively a no-op: the
# router accepts all input from any interface and forwards everything. The
# two chain=input rules only see packets addressed to the router itself;
# host-to-host traffic between the two LANs goes through the forward chain,
# which has no rules at all, and log=yes on them logs every matching packet.
# A conventional minimum would be: accept established,related / drop invalid
# / keep the IKE+ESP accepts below / drop remaining input and forward from
# in-interface=ether1_WAN - added last and verified from the remote site
# step by step, since the only management path to this box is remote.
# Nothing in this export distinguishes the reachable LAN hosts from the
# unreachable ones; with the router side open like this, the usual host-side
# causes are a local firewall that only answers its own subnet or a default
# gateway other than 192.168.100.1. /tool sniffer (already set to
# ether1_WAN) shows whether the echo request to a failing host leaves as ESP
# at all and whether anything comes back.
add action=accept chain=input dst-address=192.168.100.0/24 log=yes src-address=192.168.0.0/24
add action=accept chain=output dst-address=192.168.0.0/24 log=yes src-address=192.168.100.0/24
add action=accept chain=input disabled=yes protocol=gre
add action=accept chain=output disabled=yes protocol=gre
add action=accept chain=input dst-port=500 in-interface=ether1_WAN protocol=udp
add action=accept chain=output dst-port=500 out-interface=ether1_WAN protocol=udp
add action=accept chain=input in-interface=ether1_WAN protocol=ipsec-esp
add action=accept chain=output out-interface=ether1_WAN protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
/ip firewall nat
# The accept rule is ordered before masquerade so LAN-to-LAN traffic is not
# NATed (a masqueraded packet would no longer match the IPsec policy
# selectors). The raw notrack rules below already keep this traffic out of
# connection tracking, and NAT is only applied to tracked connections.
add action=accept chain=srcnat dst-address=192.168.0.0/24 log=yes src-address=192.168.100.0/24
add action=masquerade chain=srcnat out-interface=ether1_WAN
/ip firewall raw
# LAN-to-LAN traffic bypasses connection tracking in both directions; it can
# therefore not be filtered statefully (established/related) later on.
add action=notrack chain=prerouting dst-address=192.168.0.0/24 src-address=192.168.100.0/24
add action=notrack chain=prerouting dst-address=192.168.100.0/24 src-address=192.168.0.0/24
/ip ipsec peer
# NOTE(review): skip-peer-id-validation, modp1024 and 3DES all weaken the IKE
# exchange. mode-config=request-only is the road-warrior client setting and
# is unusual next to a static site-to-site policy - confirm the RB2011 side
# is really a mode-config server, otherwise drop it. nat-traversal=no is only
# correct if neither router sits behind NAT.
add address=XX.XXX.XXX.XX/32 compatibility-options=skip-peer-id-validation dh-group=modp1024 enc-algorithm=3des mode-config=request-only nat-traversal=no secret=************
/ip ipsec policy
# Built-in policy 0 disabled; the tunnel-mode policy selects exactly
# 192.168.100.0/24 <-> 192.168.0.0/24 between the two public addresses.
# Packets whose source is not in 192.168.100.0/24 (e.g. packets the router
# itself sends from its WAN address) are not encrypted by it.
set 0 disabled=yes
add dst-address=192.168.0.0/24 sa-dst-address=XX.XXX.XXX.XX sa-src-address=YY.YY.YYY.YYY src-address=192.168.100.0/24 tunnel=yes
/ip route
add distance=1 gateway=YY.YY.YYY.1
# NOTE(review): an interface route (gateway=ether1_WAN) to 192.168.0.0/24
# makes the router treat the remote LAN as directly attached to the WAN
# segment, and pref-src=YY.YY.YYY.YYY makes router-originated packets to
# 192.168.0.0/24 leave with the public source address, which the IPsec policy
# above does not match - so pings from this router itself to the remote LAN
# cannot work through the tunnel. Policy-based IPsec needs no extra route
# (the default route is enough); if the route is kept,
# pref-src=192.168.100.1 (as on the disabled GRE route below) keeps router
# traffic inside the policy.
add distance=1 dst-address=192.168.0.0/24 gateway=ether1_WAN pref-src=YY.YY.YYY.YYY scope=10
add disabled=yes distance=1 dst-address=192.168.0.0/24 gateway=gre-tunnel1 pref-src=192.168.100.1
/ip route rule
add disabled=yes dst-address=192.168.0.0/24 interface=bridge_local routing-mark=main src-address=192.168.100.0/24 table=main
/ip service
# Every listed service is disabled; winbox is not listed and therefore keeps
# its default (enabled). With no input drop rule it is reachable from the
# WAN; restrict it with address= (e.g. the two LANs) in addition to the
# firewall.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
# NOTE(review): UPnP with ether1_WAN as external lets any host on
# bridge_local - the guest SSID wlan2 is a port of that bridge too - open
# inbound port forwards on the WAN without authentication. Disable unless a
# specific application needs it.
set enabled=yes show-dummy-rule=no
/ip upnp interfaces
add interface=ether1_WAN type=external
add interface=bridge_local type=internal
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=gw.*********
/system ntp client
# NOTE(review): the trailing `server-dns` carries no value - the line looks
# cut off in the paste (presumably server-dns-names=...).
set enabled=yes primary-ntp=91.226.136.155 secondary-ntp=88.147.254.232 server-dns
/system routerboard settings
set cpu-frequency=750MHz
/tool mac-server
# MAC-telnet / MAC-winbox: default entry disabled, enabled only on the LAN
# switch group and the SSIDs, not on ether1_WAN. wlan2 (guest) is included;
# consider removing it from both lists.
set [ find default=yes ] disabled=yes
add interface=ether2-master
add interface=wlan1
add interface=wlan2
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master
add interface=wlan1
add interface=wlan2
/tool sniffer
set filter-interface=ether1_WAN