NAT + EoIP

Сообщения не соответствующие ПФ, а также неоднократно повторяющиеся Темы
Ответить
maxtor
Сообщения: 2
Зарегистрирован: 13 апр 2016, 09:11

Настроил связь между офисами с помощью eoip туннеля (PPTP 1.1.1.1->1.1.1.2, два микротика 951G), адресное пространство общее (192.168.2.0). Если находиться в данном адресном пространстве (тоесть подключенным локально к одному из роутеров) то оба роутера доступны по ip. Но если мне надо зайти на роутер клиент (192.168.2.81), через внешний (ddns) интерфейс роутера сервера (192.168.2.1), на котором настроен проброс портов (2710->80) на web клиента, то ничего не получается.
Если нужна доп инфо спрашивайте, я не силен еще в микротиках.

ps прошу прощения, была изначально допущена ошибка, недоступен только именно роутер клиент, однако локалка этого клиента открывается (ip камеры, принтеры). Тоесть проблема в том что не могу зайти в веб оболочку роутера клиента через внешний интерфейс роутера сервера, с локалки по ip заходит нормально.
Зыы необходимость заходить на клиент через сервер обусловлена тем что клиент имеет инет через 3г модем у которого серый ip, тоесть ddns не проканает. Белый ip есть только у роутера-сервера.

export:

Код: Выделить всё



# apr/13/2016 12:30:12 by RouterOS 6.34.4

# software id = 4W29-ZFQ9

#

/interface bridge

add admin-mac=D4:CA:6D:DD:95:01 auto-mac=no mtu=1492 name=bridge-local

/interface wireless

set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \

    country=russia disabled=no distance=indoors frequency=2422 mode=ap-bridge \

    mtu=1492 ssid=*********** wireless-protocol=802.11

/interface ethernet

set [ find default-name=ether1 ] mtu=1492 name=ether1-gateway

set [ find default-name=ether2 ] mtu=1492 name=ether2-master-local

set [ find default-name=ether3 ] master-port=ether2-master-local mtu=1492 \

    name=ether3-slave-local

set [ find default-name=ether4 ] master-port=ether2-master-local mtu=1492 \

    name=ether4-slave-local

set [ find default-name=ether5 ] master-port=ether2-master-local mtu=1492 \

    name=ether5-slave-local

/interface eoip

add !keepalive local-address=1.1.1.1 mac-address=02:94:F2:51:3A:13 name=\

    eoip-agar remote-address=1.1.1.3 tunnel-id=2

add !keepalive local-address=1.1.1.1 mac-address=02:94:F6:D9:89:26 name=\

    eoip-sklad remote-address=1.1.1.2 tunnel-id=1

/ip neighbor discovery

set wlan1 discover=no

/interface wireless security-profiles

set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \

    wpa-pre-shared-key=*********** wpa2-pre-shared-key=*********

/ip ipsec proposal

set [ find default=yes ] enc-algorithms=3des

/ip pool

add name=dhcp ranges=192.168.2.100-192.168.2.199

/ip dhcp-server

add add-arp=yes address-pool=dhcp disabled=no interface=bridge-local \

    lease-time=3d name=office

/port

set 0 name=usb1

/interface ppp-client

add apn=internet name=ppp-out1 port=usb1

/system logging action

set 0 memory-lines=100

set 1 disk-lines-per-file=100

/interface bridge port

add bridge=bridge-local interface=ether2-master-local

add bridge=bridge-local interface=wlan1

add bridge=bridge-local interface=eoip-sklad

add bridge=bridge-local interface=eoip-agar

/interface pptp-server server

set authentication=chap,mschap1,mschap2 enabled=yes

/ip address

add address=192.168.2.1/24 comment="default configuration" interface=\

    ether2-master-local network=192.168.2.0

/ip dhcp-client

add comment="default configuration" dhcp-options=hostname,clientid disabled=\

    no interface=ether1-gateway

/ip dhcp-server lease

add address=192.168.2.7 comment=buh mac-address=00:50:8D:B0:B4:7B

add address=192.168.2.13 comment=gigaset595 mac-address=7C:2F:80:1E:AD:92

add address=192.168.2.101 comment=brother_logist mac-address=\

    00:1B:A9:EC:3E:E6

add address=192.168.2.102 comment=brother_reception mac-address=\

    00:1B:A9:ED:A0:99

add address=192.168.2.103 comment=brother_dostavka mac-address=\

    00:80:92:BD:69:8F

add address=192.168.2.104 comment=brother_sklad mac-address=00:80:92:CE:90:82

add address=192.168.2.222 comment=program_server mac-address=\

    D8:50:E6:DC:76:CF

add address=192.168.2.200 comment=videoserver mac-address=F0:79:59:8E:89:46

add address=192.168.2.2 comment=kassa mac-address=20:CF:30:EB:3D:A5

add address=192.168.2.150 comment=asterisk mac-address=00:1F:C6:9B:8B:63

add address=192.168.2.151 comment=cisco8800 mac-address=B8:62:1F:88:3D:FC

add address=192.168.2.250 comment=switch mac-address=E8:DE:27:FD:8F:D5

add address=192.168.2.152 comment=cisco8000 mac-address=20:AA:4B:58:03:04

add address=192.168.2.3 comment=kirill mac-address=20:16:D8:BF:B5:DA

add address=192.168.2.4 comment=ira mac-address=00:25:22:89:C9:89

add address=192.168.2.5 comment=sasha mac-address=20:16:D8:BF:A6:C7

add address=192.168.2.6 comment=popov mac-address=DC:0E:A1:2E:83:22

add address=192.168.2.8 comment=sklad mac-address=00:26:18:F3:A8:23

add address=192.168.2.9 comment=popova mac-address=F4:6D:04:0A:F6:C1

add address=192.168.2.10 comment=aksenov mac-address=B8:88:E3:B7:0F:DF

add address=192.168.2.12 comment=math mac-address=88:AE:1D:CA:09:41

add address=192.168.2.17 comment=yagovitin mac-address=00:1A:4D:37:86:A7

add address=192.168.2.14 comment=gigaset470 mac-address=00:01:E3:A2:39:15

add address=192.168.2.16 comment=mgk mac-address=7C:E9:D3:50:13:F6

add address=192.168.2.18 always-broadcast=yes comment=olya mac-address=\

    20:16:D8:BF:B7:78

add address=192.168.2.105 comment=brother_buh mac-address=30:05:5C:2C:00:CD

add address=192.168.2.11 comment=4824 mac-address=00:15:99:7E:CC:9A

add address=192.168.2.20 comment=public mac-address=1C:7E:E5:C9:42:1C

add address=192.168.2.92 client-id=1:28:10:7b:18:23:62 comment=cam_agar \

    mac-address=28:10:7B:18:23:62 server=office

/ip dhcp-server network

add address=192.168.2.0/24 comment="default configuration" dns-server=\

    8.8.8.8,78.29.2.21 gateway=192.168.2.1 netmask=24 wins-server=8.8.8.8

/ip dns

set allow-remote-requests=yes servers=8.8.8.8

/ip dns static

add address=192.168.2.1 name=router

/ip firewall filter

add chain=input comment="default configuration" connection-state=\

    established,related

add action=drop chain=input connection-state=invalid

add chain=input comment="default configuration" protocol=icmp

add chain=input dst-port=53 in-interface=bridge-local protocol=udp \

    src-address=192.168.2.0/24

add chain=input dst-port=8291 in-interface=bridge-local protocol=tcp \

    src-address=192.168.2.0/24

add chain=input dst-port=2709 protocol=tcp

add chain=input dst-port=1723 protocol=tcp

add chain=input protocol=gre

add chain=forward comment="default configuration" connection-state=\

    established,related

add chain=forward dst-address=192.168.2.0/24 dst-port=\

    80,443,21,2222,200,3306,8090,874,9102,2710,4880-4900 in-interface=\

    ether1-gateway protocol=tcp

add chain=forward in-interface=bridge-local src-address=192.168.2.0/24

add action=drop chain=forward comment="default configuration" \

    connection-state=invalid

/ip firewall mangle

add action=change-mss chain=forward new-mss=1448 protocol=tcp tcp-flags=syn \

    tcp-mss=!0-1448

/ip firewall nat

add action=masquerade chain=srcnat comment="default configuration" \

    out-interface=ether1-gateway to-addresses=0.0.0.0

add action=masquerade chain=srcnat comment="Harpin NAT" out-interface=\

    bridge-local protocol=tcp src-address=192.168.2.0/24

add action=netmap chain=dstnat comment=videoserver dst-address-type=local \

    dst-port=200 protocol=tcp to-addresses=192.168.2.200 to-ports=80

add action=netmap chain=dstnat comment=program_server dst-address-type=local \

    dst-port=80,443 protocol=tcp to-addresses=192.168.2.222 to-ports=443

add action=netmap chain=dstnat comment=ftp dst-address-type=local dst-port=21 \

    protocol=tcp to-addresses=192.168.2.20 to-ports=21

add action=netmap chain=dstnat comment=kassa dst-address-type=local dst-port=\

    2222 protocol=tcp to-addresses=192.168.2.2 to-ports=2222

add action=netmap chain=dstnat comment=mysql dst-address-type=local dst-port=\

    3306 protocol=tcp to-addresses=192.168.2.222 to-ports=3306

add action=netmap chain=dstnat comment=brother_reception dst-address-type=\

    local dst-port=9102 protocol=tcp to-addresses=192.168.2.102 to-ports=9100

add action=netmap chain=dstnat comment=asterisk dst-address-type=local \

    dst-port=8090 protocol=tcp to-addresses=192.168.2.150 to-ports=80

add action=netmap chain=dstnat comment=avreg dst-address-type=local dst-port=\

    874 protocol=tcp to-addresses=192.168.2.200 to-ports=874

add action=netmap chain=dstnat comment=vnc_program_server dst-address-type=\

    local dst-port=4880 protocol=tcp to-addresses=192.168.2.222 to-ports=5900

add action=netmap chain=dstnat comment=vnc_videoserver dst-address-type=local \

    dst-port=4881 protocol=tcp to-addresses=192.168.2.200 to-ports=5900

add action=netmap chain=dstnat comment=vnc_asterisk dst-address-type=local \

    dst-port=4882 protocol=tcp to-addresses=192.168.2.150 to-ports=5900

add action=netmap chain=dstnat comment=vnc_reception dst-address-type=local \

    dst-port=4889 protocol=tcp to-addresses=192.168.2.2 to-ports=5900

add action=netmap chain=dstnat comment=vnc_kirill dst-address-type=local \

    dst-port=4885 protocol=tcp to-addresses=192.168.2.3 to-ports=5900

add action=netmap chain=dstnat comment=vnc_ira dst-address-type=local \

    dst-port=4899 protocol=tcp to-addresses=192.168.2.4 to-ports=5900

add action=netmap chain=dstnat comment=vnc_sasha dst-address-type=local \

    dst-port=4897 protocol=tcp to-addresses=192.168.2.5 to-ports=5900

add action=netmap chain=dstnat comment=vnc_popov dst-address-type=local \

    dst-port=4895 protocol=tcp to-addresses=192.168.2.6 to-ports=5900

add action=netmap chain=dstnat comment=vnc_buh dst-address-type=local \

    dst-port=4888 protocol=tcp to-addresses=192.168.2.7 to-ports=5900

add action=netmap chain=dstnat comment=vnc_sklad dst-address-type=local \

    dst-port=4884 protocol=tcp to-addresses=192.168.2.8 to-ports=5900

add action=netmap chain=dstnat comment=vnc_anna dst-address-type=local \

    dst-port=4894 protocol=tcp to-addresses=192.168.2.9 to-ports=5900

add action=netmap chain=dstnat comment=vnc_aksenov dst-address-type=local \

    dst-port=4890 protocol=tcp to-addresses=192.168.2.10 to-ports=5900

add action=netmap chain=dstnat comment=vnc_math dst-address-type=local \

    dst-port=4886 protocol=tcp to-addresses=192.168.2.12 to-ports=5900

add action=netmap chain=dstnat comment=vnc_yagovitin dst-address-type=local \

    dst-port=4887 protocol=tcp to-addresses=192.168.2.17 to-ports=5900

add action=netmap chain=dstnat comment=vnc_mgk dst-address-type=local \

    dst-port=4883 protocol=tcp to-addresses=192.168.2.16 to-ports=5900

add action=netmap chain=dstnat comment=vnc_olya dst-address-type=local \

    dst-port=4891 protocol=tcp to-addresses=192.168.2.18 to-ports=5900

add action=netmap chain=dstnat comment=router_sklad dst-port=2710 protocol=\

    tcp to-addresses=192.168.2.81 to-ports=80

/ip firewall service-port

set tftp disabled=yes

set irc disabled=yes

set h323 disabled=yes

set sip disabled=yes

/ip route

add distance=1 dst-address=192.168.3.0/24 gateway=192.168.3.1 pref-src=\

    192.168.3.2

/ip service

set telnet disabled=yes

set www port=2709

set ssh disabled=yes

set api disabled=yes

set api-ssl disabled=yes

/ppp secret

add local-address=1.1.1.1 name=sklad password=manato172719 profile=\

    default-encryption remote-address=1.1.1.2 service=pptp

add local-address=1.1.1.1 name=agar password=manato172719 profile=\

    default-encryption remote-address=1.1.1.3 service=pptp

/system clock

set time-zone-name=Asia/Yekaterinburg

/system leds

set 0 interface=wlan1

/system scheduler

add interval=10m name=dyndns on-event="/system script run afraid" policy=\

    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\

    startup

/system script

add name=afraid owner=maxtor policy=\

    ftp,reboot,read,write,policy,test,password,sniff,sensitive source="#######\

    #######   Script FreeDNS.afraid.org   ##################\

    \n##############   PARSER EDITION   ##################\

    \n##############   CREATED LESHIY_ODESSA   ##################\

    \n   \

    \n# Specify the \"Direct URL\", which is https://freedns.afraid.org/dynami\

    c/\

    \n# If RouterOS version 5.xx, then remove from the URL encryption - \"http\

    s\" change this to \"http\". Also see below.\

    \n# In front of the sign \"\?\" put a backslash \"\\\".\

    \n:global \"direct-url\" \"http://freedns.afraid.org/dynamic/update.php\\\

    \?**************\"\

    \n\

    \n# Specify the URL API \"ASCII\"\

    \n# Log in under your account and open the page https://freedns.afraid.org\

    /api/\

    \n# Then copy the URL of your site - Available API Interfaces : ASCII (!!!\

    \_NOT XML !!!)\

    \n# ATTENTION!!!! Before the question mark, put a backslash \"\\\".\

    \n# If RouterOS version 5.xx, then remove from the URL encryption - \"http\

    s\" change this to \"http\".\

    \n:global \"api-url\" \"http://freedns.afraid.org/api/\\\?action=getdyndns\

    &sha=************************\"\

    \n    \

    \n# Specify your domain or subdomain.\

    \n:global \"dns-domain\" \"***********\"\

    \n\

    \n# Define variables for the external (WAN) interface\

    \n# Case sensitive.\

    \n:global \"out-interface\" \"ether1-gateway\"\

    \n       \

    \n# !!!!!!!!!!!!!!!!! Nothing more do not need to edit!!!!!!!!!!!!!!!!!\

    \n       \

    \n# Check whether the file with the IP domain - freedns.txt\

    \n:if ([:len [/file find name=freedns.txt]] > 0) do={\

    \n} else={\

    \n/tool fetch url=\$\"api-url\" dst-path=\"/freedns.txt\"\

    \n}\

    \n# Find out the IP address of the domain using the API and parsing.\

    \n# Split the file\

    \n:local \"result\" [/file get freedns.txt contents]\

    \n:local \"startloc\" ([:find \$\"result\" \$\"dns-domain\"] + ([:len \$\"\

    dns-domain\"] + 1))\

    \n:local \"endloc\" ([:find \$\"result\" \$\"direct-url\" -1] -1)\

    \n:global \"dns-domain-ip\" [:pick \$\"result\" \$\"startloc\" \$\"endloc\

    \"]\

    \n       \

    \n# Find the current IP address on the external interface\

    \n:global \"current-ip\" [/ip address get [find interface=\$\"out-interfac\

    e\"] address]\

    \n    \

    \n# Obtained from IP addresses to be excluded subnet mask\

    \n:set \"current-ip\" [:pick \$\"current-ip\" 0 ([:len \$\"current-ip\"]-3\

    ) ]\

    \n       \

    \n# Compare the external IP with the IP address of the DNS domain.\

    \n:if (\$\"current-ip\" != \$\"dns-domain-ip\") do={\

    \n\

    \n# If different, then sent to freedns.afraid.org our external IP by using\

    \_Direct URL\

    \n:log info (\"Service Dynamic DNS: old IP address \$\"dns-domain-ip\" for\

    \_\$\"dns-domain\" CHANGED to -> \$\"current-ip\"\")\

    \n/tool fetch url=\$\"direct-url\" keep-result=no\

    \n# Download the file with the new IP after 5 sec.\

    \n:delay 5\

    \n/tool fetch url=\$\"api-url\" dst-path=\"/freedns.txt\"\

    \n} else={\

    \n# Not to clog the log, you need to comment out this line.\

    \n:log info (\"IP address is NOT CHANGED, the update is not required\")\

    \n}\

    \n    \

    \n# Since version RouterOS version 6.0rc12 supported encryption /tool fetc\

    h mode=https\

    \n# In :global \"direct-url\" need to change to httpS://\

    \n# For RouterOS version 6.xx\

    \n# /tool fetch mode=https url=\$\"direct url\"\

    \n# :global \"direct-url\" \"https://freedns.afraid.org/dynamic/update.php\

    \\\?UVdjU2lzQmQwSkdjZW9aWkNleTdJdXFtOjg2NTI0NzE=\"\

    \n\

    \n#      http://wiki.mikrotik.com/wiki/Manual:Scripting\

    \n#      http://wiki.mikrotik.com/wiki/Manual:Scripting-examples\

    \n#      http://wiki.mikrotik.com/wiki/Manual:Tools/Fetch\

    \n#      http://forum.ixbt.com/topic.cgi\?id=14:60498-86#2373\

    \n\

    \n##############Script FreeDNS.afraid.org##################"

/tool mac-server

set [ find default=yes ] disabled=yes

add interface=ether2-master-local

add interface=ether3-slave-local

add interface=ether4-slave-local

add interface=ether5-slave-local

add interface=wlan1

add interface=bridge-local

/tool mac-server mac-winbox

set [ find default=yes ] disabled=yes

add interface=ether2-master-local

add interface=ether3-slave-local

add interface=ether4-slave-local

add interface=ether5-slave-local

add interface=wlan1

add interface=bridge-local


Аватара пользователя
podarok66
Модератор
Сообщения: 4355
Зарегистрирован: 11 фев 2012, 18:49
Откуда: МО

Знаете, мне уж как-то удивительно, про доступ, пробросы и маркировку тут каждая третья тема. Ну пройдитесь по форуму, все есть. Неужто способность обрабатывать информацию отсутствует? Не верю!


Мануалы изучил и нигде не ошибся? Фаервол отключил? Очереди погасил? Витая пара проверена? ... Тогда Netinstal'ом железку прошей и настрой ее заново. Что, все равно не фурычит? Тогда к нам. Если не подскажем, хоть посочувствуем...
maxtor
Сообщения: 2
Зарегистрирован: 13 апр 2016, 09:11

удалите тему, спасибо


Ответить