VLAN подсети я настроил на bridge интерфейсах на роутере R1, теперь пытаюсь наладить коммуникацию между ними.
Имеется VLAN10 для офиса, сеть 192.168.10.0/24 - у R1 адрес 192.168.10.1
и VLAN70 для серверов, сеть 192.168.70.0/24 - у R1 адрес 192.168.70.1
Задача - подключатся с компьютера из VLAN10 на RDP сервер 192.168.70.21 (прописаны подсеть 255.255.255.0 и шлюз 192.168.70.1).
Изоляция VLAN выполнена с помощью route rules с действием unreachable.
C самого R1 пинги на 192.168.70.21 идут.
А с компьютера на 192.168.10.199 - "Сеть недоступна", если отключаю route rules, то "Превышен интервал ожидания для запроса". На 192.168.70.1 пинг идет, хотя про трассировке этого не скажешь:
tracert:
Код: Выделить всё
Трассировка маршрута к 192.168.70.21 с максимальным числом прыжков 30
1 <1 мс <1 мс <1 мс 192.168.10.1
2 * * * Превышен интервал ожидания для запроса.
3 * * * Превышен интервал ожидания для запроса.
4 * * * Превышен интервал ожидания для запроса.
5 * * * Превышен интервал ожидания для запроса.
6 * * * Превышен интервал ожидания для запроса.
И так далее
Код: Выделить всё
#RouterOS 6.44.1
# model = CRS125-24G-1S
/interface bridge
add comment=OFFICE fast-forward=no name=bridge-vlan10-office
add arp=reply-only comment=GUESTS fast-forward=no name=bridge-vlan30-guests
add comment=SERVERS fast-forward=no name=bridge-vlan70-servers
add comment=MANAGEMENT fast-forward=no name=bridge-vlan80-management
add comment="OLD NETWORK" name=bridge-vlan99-oldnetwork
/interface ethernet
set [ find default-name=ether1 ] comment=SERVERS name=ether1-servers
set [ find default-name=ether2 ] name=ether2-servers
set [ find default-name=ether3 ] name=ether3-servers
set [ find default-name=ether4 ] name=ether4-servers
set [ find default-name=ether5 ] name=ether5-servers
set [ find default-name=ether6 ] name=ether6-servers
set [ find default-name=ether7 ] name=ether7-servers
set [ find default-name=ether8 ] name=ether8-servers
set [ find default-name=ether9 ] comment=MANAGEMENT name=ether9-management
set [ find default-name=ether10 ] name=ether10-management
set [ find default-name=ether11 ] name=ether11-management
set [ find default-name=ether12 ] name=ether12-management
set [ find default-name=ether13 ] comment="OLD NETWORK" name=\
ether13-oldnetwork-uplink
set [ find default-name=ether14 ] comment=NONUSED
set [ find default-name=ether17 ] comment=OFFICE name=ether17-office
set [ find default-name=ether18 ] comment=GUESTS name=ether18-guests
set [ find default-name=ether19 ] comment=TRUNK name=ether19-trunk
set [ find default-name=ether20 ] name=ether20-trunk
set [ find default-name=ether21 ] name=ether21-trunk
set [ find default-name=ether22 ] name=ether22-trunk
set [ find default-name=ether23 ] comment=NONUSED
set [ find default-name=ether24 ] comment=WAN name=ether24-uplink
set [ find default-name=sfp1 ] comment=NONUSED
/interface vlan
add interface=ether19-trunk name=vlan10-trunk-to-R2 vlan-id=10
add interface=ether19-trunk name=vlan30-trunk-to-R2 vlan-id=30
add interface=ether19-trunk name=vlan99-trunk-to-R3 vlan-id=99
/interface list
add name=WAN
add name=OFFICE
add name=MANAGEMENT
add include=OFFICE,MANAGEMENT name=LAN
/ip pool
add name=pool-vlan10-office ranges=192.168.10.100-192.168.10.200
add name=pool-vlan30-guests ranges=192.168.30.100-192.168.30.200
/ip dhcp-server
add address-pool=pool-vlan10-office disabled=no interface=\
bridge-vlan10-office lease-time=3d name=dhcp-vlan10-office
add add-arp=yes address-pool=pool-vlan30-guests disabled=no interface=\
bridge-vlan30-guests lease-time=3d name=dhcp-vlan30-guests
/interface bridge port
add bridge=bridge-vlan70-servers comment=SERVERS interface=ether1-servers
add bridge=bridge-vlan70-servers interface=ether2-servers
add bridge=bridge-vlan70-servers interface=ether3-servers
add bridge=bridge-vlan70-servers interface=ether4-servers
add bridge=bridge-vlan70-servers interface=ether5-servers
add bridge=bridge-vlan70-servers interface=ether6-servers
add bridge=bridge-vlan70-servers interface=ether7-servers
add bridge=bridge-vlan70-servers interface=ether8-servers
add bridge=bridge-vlan80-management comment=MANAGEMENT interface=\
ether9-management
add bridge=bridge-vlan80-management interface=ether10-management
add bridge=bridge-vlan80-management interface=ether11-management
add bridge=bridge-vlan80-management interface=ether12-management
add bridge=bridge-vlan10-office comment=OFFICE interface=vlan10-trunk-to-R2
add bridge=bridge-vlan10-office interface=ether17-office
add bridge=bridge-vlan30-guests comment=GUESTS interface=vlan30-trunk-to-R2
add bridge=bridge-vlan30-guests interface=ether18-guests
add bridge=bridge-vlan99-oldnetwork comment="OLD NETWORK" interface=\
ether13-oldnetwork-uplink
add bridge=bridge-vlan99-oldnetwork interface=vlan99-trunk-to-R3
/ip neighbor discovery-settings
set discover-interface-list=MANAGEMENT
/interface list member
add interface=bridge-vlan80-management list=MANAGEMENT
add interface=ether24-uplink list=WAN
add interface=bridge-vlan10-office list=OFFICE
add interface=bridge-vlan30-guests list=LAN
/ip address
add address=192.168.10.1/24 comment=OFFICE interface=bridge-vlan10-office \
network=192.168.10.0
add address=192.168.30.1/24 comment=GUESTS interface=bridge-vlan30-guests \
network=192.168.30.0
add address=192.168.70.1/24 comment=SERVERS interface=bridge-vlan70-servers \
network=192.168.70.0
add address=192.168.80.1/24 comment=MANAGEMENT interface=\
bridge-vlan80-management network=192.168.80.0
/ip dhcp-client
add dhcp-options=clientid,hostname disabled=no interface=ether24-uplink
/ip dhcp-server network
add address=192.168.10.0/24 comment=OFFICE dns-server=192.168.10.1 gateway=\
192.168.10.1 netmask=24
add address=192.168.30.0/24 comment=GUESTS dns-server=192.168.30.1 gateway=\
192.168.30.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="Allow DNS" disabled=yes \
in-interface-list=all protocol=udp
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
in-interface-list=LAN protocol=icmp
add action=drop chain=input comment="drop all not coming from MANAGEMENT - all\
ow to manage R1 (this) only from management vlan" disabled=yes \
in-interface-list=!MANAGEMENT
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN log=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route rule
add action=unreachable disabled=yes dst-address=192.168.10.0/24 src-address=\
192.168.30.0/24
add action=unreachable disabled=yes dst-address=192.168.10.0/24 src-address=\
192.168.70.0/24
add action=unreachable disabled=yes dst-address=192.168.10.0/24 src-address=\
192.168.80.0/24
add action=unreachable disabled=yes dst-address=192.168.30.0/24 src-address=\
192.168.10.0/24
add action=unreachable disabled=yes dst-address=192.168.30.0/24 src-address=\
192.168.70.0/24
add action=unreachable disabled=yes dst-address=192.168.30.0/24 src-address=\
192.168.80.0/24
add action=unreachable disabled=yes dst-address=192.168.70.0/24 src-address=\
192.168.10.0/24
add action=unreachable disabled=yes dst-address=192.168.70.0/24 src-address=\
192.168.30.0/24
add action=unreachable disabled=yes dst-address=192.168.70.0/24 src-address=\
192.168.80.0/24
add action=unreachable disabled=yes dst-address=192.168.80.0/24 src-address=\
192.168.10.0/24
add action=unreachable disabled=yes dst-address=192.168.80.0/24 src-address=\
192.168.30.0/24
add action=unreachable disabled=yes dst-address=192.168.80.0/24 src-address=\
192.168.70.0/24
add action=unreachable comment="GUESTS CLIENT ISOLATION" disabled=yes \
dst-address=192.168.30.0/24 src-address=192.168.30.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=R1
/tool mac-server
set allowed-interface-list=MANAGEMENT
/tool mac-server mac-winbox
set allowed-interface-list=MANAGEMENT
Подскажите, что нужно добавить/изменить?