The hardware I have:
Main office: RB951Ui-2nD (PPTP VPN server, LAN 192.168.88.*, Internet via a static IP)
Warehouse: RB941-2nD (VPN client, LAN 192.168.10.*, Internet via PPPoE over a static IP)
The problem: resources at the warehouse cannot be pinged from the main office, while the other direction is fine. In other words, from the 88 subnet I cannot get into the 10 subnet, but from 10 to 88 everything works perfectly.
Main office firewall:
Code:
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 chain=input action=accept protocol=tcp dst-port=1723 log=no log-prefix=""
3 ;;; Hackers
chain=input action=add-src-to-address-list protocol=tcp address-list=Hackers address-list-timeout=4w2d in-interface=ether1 dst-port=21,22,23,3389 log=yes log-prefix="Attack"
4 ;;; drop_public_dns
chain=input action=drop protocol=udp in-interface=ether1 dst-port=53
5 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
6 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
7 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
8 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
9 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
10 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
11 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
12 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
13 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
14 ;;; Hackers
chain=forward action=drop protocol=tcp src-address-list=Hackers in-interface=ether1
15 ;;; Port_scanner_drop
chain=input action=drop src-address-list=Hackers
16 chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Hackers address-list-timeout=2w in-interface=ether1
17 chain=input action=add-src-to-address-list tcp-flags=fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=Hackers address-list-timeout=2w in-interface=ether1
18 chain=input action=add-src-to-address-list tcp-flags=fin,syn protocol=tcp address-list=Hackers address-list-timeout=2w in-interface=ether1
19 chain=input action=add-src-to-address-list tcp-flags=syn,rst protocol=tcp address-list=Hackers address-list-timeout=2w in-interface=ether1
20 chain=input action=add-src-to-address-list tcp-flags=fin,psh,urg,!syn,!rst,!ack protocol=tcp address-list=Hackers address-list-timeout=2w in-interface=ether1
21 chain=input action=add-src-to-address-list tcp-flags=fin,syn,rst,psh,ack,urg protocol=tcp address-list=Hackers address-list-timeout=2w in-interface=ether1
22 chain=input action=add-src-to-address-list tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg protocol=tcp address-list=Hackers address-list-timeout=2w in-interface=ether1
Code:
0 D ;;; special dummy rule to show fasttrack counters
chain=forward action=passthrough
1 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
2 chain=input action=drop protocol=udp in-interface=pppoe-out1 dst-port=53 log=no log-prefix=""
3 chain=input action=accept protocol=tcp in-interface=pppoe-out1 dst-port=8291 log=no log-prefix=""
4 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid log=no log-prefix=""
5 ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp
6 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
7 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
8 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
9 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
10 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid log=no log-prefix=""
11 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
Code:
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 46.48.125.73 1
1 ADC 46.48.125.72/30 *external IP* ether1 0
2 A S 192.168.10.0/24 192.168.88.2 1
3 ADC 192.168.88.0/24 192.168.88.1 bridge 0
4 ADC 192.168.88.2/32 192.168.88.1 <pptp-bs> 0
Code:
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 pppoe-out1 1
1 ADC 5.165.2.254/32 *external IP* pppoe-out1 0
2 ADC 192.168.10.0/24 192.168.10.1 bridge 0
3 A S 192.168.88.0/24 192.168.88.1 1
4 ADC 192.168.88.1/32 192.168.88.2 pptp-out1 0
At the warehouse it is the same.
I would be grateful for a detailed explanation of what I did wrong and where; I am still on formal terms with this equipment.
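An added diagnostic sequence for the symptom described above; it is not part of the original post and is not the poster's configuration. It uses only the rule comments, interface names and subnets shown in the dumps, and treats one thing as an unverified assumption: that the warehouse's PPTP client interface pptp-out1 is a member of the WAN interface list. If it is, the warehouse rule "defconf: drop all from WAN not DSTNATed" discards every new connection that arrives through the tunnel, which would fit the asymmetry (office-initiated traffic dies at the warehouse, while warehouse-initiated traffic enters the office on the dynamic pptp-bs interface that the office's drop rule does not match). The host address 192.168.10.10 is a placeholder for any warehouse LAN host.

```routeros
# 1. On the warehouse router: which interface lists does the PPTP client interface belong to?
#    If pptp-out1 is a WAN member (assumption being tested), the forward drop rule applies to tunnel traffic.
/interface list member print where interface=pptp-out1

# 2. Watch the forward-chain counters while an office host (192.168.88.x) pings a warehouse host.
#    A rising counter on the "drop all from WAN not DSTNATed" rule confirms the assumption.
/ip firewall filter print stats where chain=forward

# 3. Optional: log what that rule drops for a short while, then switch logging off again.
/ip firewall filter set [find comment="defconf: drop all from WAN not DSTNATed"] log=yes log-prefix="wan-drop"
/log print where message~"wan-drop"
/ip firewall filter set [find comment="defconf: drop all from WAN not DSTNATed"] log=no

# 4. Fix, only if confirmed: accept new connections from the office LAN that arrive through the
#    tunnel, placed above the generic WAN drop. Restricting both subnets keeps the rule from
#    opening the tunnel endpoint to anything other than office-to-warehouse LAN traffic.
/ip firewall filter add chain=forward action=accept connection-state=new \
    in-interface=pptp-out1 src-address=192.168.88.0/24 dst-address=192.168.10.0/24 \
    place-before=[find comment="defconf: drop all from WAN not DSTNATed"] \
    comment="allow office LAN to warehouse LAN over PPTP"

# 5. Verify from the office router (run there, not at the warehouse). Target a LAN host, not the
#    warehouse router itself: a ping to 192.168.10.1 hits the input chain, which already accepts
#    ICMP, so it would succeed even with the forward problem still present.
/ping 192.168.10.10 src-address=192.168.88.1 count=5
```

If step 2 shows no counter movement at all on the warehouse forward chain, the packets are not reaching it, and the NAT configuration (not shown in the post) on either router is the next thing to inspect; a masquerade rule that is not limited to the real WAN interface would rewrite tunnel traffic as well.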