Не приходит ACK от sip провайдера

[Kostetyo]

Доброго времени суток.
Имеется sip-сервер внутренний IP 192.168.7.100
Имеется внешний IP ZZZ.ZZZ.ZZZ.ZZZ на микротике sfp3
все порты проброшены на микротике.
В суппорте телефонии и в супорте Sip-провайдера, говорят примерно одно и тоже -
не приходит ASK от sip-провайдера на телефонный сервер + sip провайдер говорит что он видит запрос от внутреннего ip ( 192.168.7.100), а не от внешнего ZZZ.ZZZ.ZZZ.ZZZ.
Не могу понять, почему такое происходит. Разумеется подсети натятся.
Конфиг огромный, сейчас приложу, на входе 3 интернет провайдера, все маркируется. (если бы я делал это с 0 сейчас, то переделал бы маркировку, сейчас такой возможности, временно нет).

Код: Выделить всё

/caps-man channel
add band=2ghz-g/n control-channel-width=20mhz frequency=2462 name=channel1 \
    tx-power=17

/interface bridge
add name=br_wifi
add fast-forward=no mtu=1500 name=bridge_aukcion
add fast-forward=no mtu=1500 name=bridge_service
add fast-forward=no mtu=1500 name=bridge_sfp

/interface ethernet
set [ find default-name=ether1 ] comment="WAN1 - Gleb" l2mtu=1590 speed=\
    100Mbps
set [ find default-name=ether2 ] comment="WAN2 - Oleg" l2mtu=1590 speed=\
    100Mbps
set [ find default-name=ether3 ] comment=TELEFONIYA l2mtu=1590 speed=100Mbps
set [ find default-name=ether4 ] advertise=1000M-half,1000M-full comment=\
    "MIK NEW" disabled=yes l2mtu=1598
set [ find default-name=ether5 ] comment=WIFI l2mtu=1590 speed=100Mbps
set [ find default-name=ether6 ] comment=BackupSrv l2mtu=1590 speed=100Mbps
set [ find default-name=ether7 ] comment=Auction2 l2mtu=1590 speed=100Mbps
set [ find default-name=ether8 ] comment="Server 1C" l2mtu=1590 speed=100Mbps
set [ find default-name=ether9 ] comment="LAN Oleg" l2mtu=1590 speed=100Mbps
set [ find default-name=ether10 ] comment="SIP1 7.0" l2mtu=1590 speed=100Mbps
set [ find default-name=ether11 ] advertise=100M-full,1000M-half,1000M-full \
    comment="SIP2 10.0" l2mtu=1590 speed=100Mbps
set [ find default-name=ether12 ] comment=ServicePort l2mtu=1590 speed=\
    100Mbps
set [ find default-name=sfp1 ] advertise=10M-full,100M-full,1000M-full \
    comment=SFP_BRIDGE l2mtu=1590
set [ find default-name=sfp2 ] advertise=10M-full,100M-full,1000M-full l2mtu=\
    1590
set [ find default-name=sfp3 ] advertise=10M-full,100M-full,1000M-full \
    comment=WAN3 l2mtu=1590
set [ find default-name=sfp4 ] advertise=10M-full,100M-full,1000M-full \
    comment=MT_GF_dop_main l2mtu=1590

/interface vlan
add interface=bridge_sfp name=vlan11 vlan-id=11

/caps-man datapath
add bridge=br_wifi client-to-client-forwarding=yes local-forwarding=no name=\
    datapath1

/caps-man rates
add name=rate1

/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
    group-key-update=1h name=secur_wifi passphrase=WIFIPASS

/caps-man configuration
add channel=channel1 country=russia3 datapath=datapath1 mode=ap name=cfg1 \
    rates=rate1 security=secur_wifi ssid=WIFI111

/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MT_main

/ip firewall layer7-protocol
add name=site_video regexp="^.+(youtube.ru|youtube.com).*\$"
add name=youtube regexp="(^.+(youtu.be).*\$)"

/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool

add name=dhcppool_service ranges=192.168.77.4-192.168.77.8
add name=pool_sfp ranges=\
    192.168.7.22-192.168.7.199,192.168.7.211-192.168.7.254
add name=dhcppool_aukc ranges=192.168.10.11-192.168.10.250
add name=dhcppool_wifi ranges=192.168.11.40-192.168.11.254

/ip dhcp-server
add address-pool=dhcppool_service authoritative=after-2sec-delay disabled=no \
    interface=bridge_service lease-time=5d name=dhcp_service
add address-pool=pool_sfp authoritative=after-2sec-delay disabled=no \
    interface=bridge_sfp lease-time=5d name=dhcp_sfp
add address-pool=dhcppool_aukc authoritative=after-2sec-delay disabled=no \
    interface=bridge_aukcion lease-time=1w name=dhcp1
add address-pool=dhcppool_wifi authoritative=after-2sec-delay disabled=no \
    interface=br_wifi lease-time=3d name=dhcp_wifi

/ppp profile
add local-address=192.168.7.1 name=profile1ppp remote-address=pool_sfp
add name=oasis use-compression=yes use-encryption=yes
add name=kv use-compression=yes use-encryption=yes

/queue type
add kind=pcq name=" pcq-download-120Kb" pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-rate=51k pcq-src-address6-mask=64 \
    pcq-total-limit=100KiB

/queue simple
add disabled=yes max-limit=0/1M name=queuelimit120Kb packet-marks=youtube \
    queue="default-small/ pcq-download-120Kb" target=\
    192.168.7.0/24,192.168.11.0/24

/snmp community
set [ find default=yes ] addresses=192.168.7.0/24

/caps-man manager
set enabled=yes

/caps-man provisioning
add action=create-dynamic-enabled master-configuration=cfg1 name-format=\
    prefix-identity name-prefix=cap

/interface bridge port
add bridge=bridge_sfp interface=sfp1
add bridge=bridge_sfp interface=sfp2
add bridge=bridge_service interface=ether12
add bridge=bridge_sfp comment="sip 10.0" interface=ether11
add bridge=bridge_sfp interface=ether9
add bridge=bridge_sfp interface=ether8
add bridge=bridge_sfp interface=ether6
add bridge=bridge_aukcion interface=ether7
add bridge=bridge_aukcion interface=ether3
add bridge=bridge_sfp interface=sfp4
add bridge=br_wifi interface=ether5
add bridge=br_wifi interface=vlan11
add bridge=bridge_sfp comment="sip 7.0" interface=ether10

/ip neighbor discovery-settings
set discover-interface-list=all

/ip address
add address=192.168.77.1/29 comment=Service interface=bridge_service network=\
    192.168.77.0
add address=192.168.7.1/24 comment="SFP Bridge" interface=bridge_sfp network=\
    192.168.7.0
add address=192.168.10.1/24 comment=Aukcion interface=bridge_aukcion network=\
    192.168.10.0
add address=192.168.105.200/24 comment=WAN2 interface=ether2 network=\
    192.168.105.0
add address=192.168.11.5/24 comment=WIFI disabled=yes interface=ether5 \
    network=192.168.11.0
add address=192.168.22.2/24 comment=SIP disabled=yes interface=ether10 \
    network=192.168.22.0
add address=XXX.XXX.XXX.XXX/27 comment=WAN1 interface=ether1 network=\
    XXX.XXX.XXX.128
add address=192.168.11.4/24 comment=WIFI interface=br_wifi network=\
    192.168.11.0
add address=192.168.88.10/24 comment="MIK new" disabled=yes interface=ether4 \
    network=192.168.88.0
add address=192.168.8.1/24 comment="SFP Bridge" interface=bridge_sfp network=\
    192.168.8.0
add address=192.168.35.1/24 interface=ether3 network=192.168.35.0
add address=192.168.100.1/30 comment="to MT2" interface=bridge_sfp network=\
    192.168.100.0
add address=ZZZ.ZZZ.ZZZ.ZZZ/27 comment=WAN3 interface=sfp3 network=ZZZ.ZZZ.ZZZ.64

/ip dhcp-server lease
add address=192.168.7.100 comment=3CX mac-address=94:40:C9:49:01:61 server=\
    dhcp_sfp

/ip dhcp-server network
add address=192.168.7.0/24 dns-server=8.8.8.8,8.8.4.4,1.1.1.1 gateway=\
    192.168.7.1 netmask=24
add address=192.168.10.0/24 dns-server=\
    8.8.8.8,8.8.4.4,87.245.145.6,87.245.190.122 gateway=192.168.10.1
add address=192.168.11.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.11.4
add address=192.168.77.0/24 gateway=192.168.77.1

/ip dns
set servers=\
    195.128.48.65,195.128.50.30,8.8.8.8,8.8.4.4,77.87.200.2,77.87.207.254

/ip firewall address-list
add address=192.168.10.0/24 comment=Aykcion list=LANIP
add address=192.168.11.0/24 comment=Wifi list=LANIP
add address=192.168.7.0/24 comment="Lan(seti)" list=LANIP
add address=192.168.77.0/29 comment=Service list=LANIP
add address=192.168.7.0/24 disabled=yes list=BLOCKtoWAN1
add address=192.168.0.0/24 comment=Video list=LANIP
add address=192.168.22.0/24 comment="br dlya SIP" list=LANIP
add address=192.168.113.0/24 comment="br dlya SIP2" list=LANIP
add address=192.168.199.0/24 disabled=yes list=LANIP
add address=192.168.21.0/24 comment=Wifi_b list=LANIP
add address=192.168.8.0/24 comment=TEL list=LANIP
add address=vk.com list=vk.com
add address=facebook.com list=facebook.com
add address=instagram.com list=instagram.com
add address=ok.com list=ok.com
add address=rutube.ru list=rutube.ru
add address=smotri.com list=smotri.com
add address=www.odnoklassniki.ru list=www.odnoklassniki.ru
add address=youtube.com disabled=yes list=youtube.com
add address=64.233.162.93 list=64.233.162.93
add address=youtube.ru disabled=yes list=youtube.ru
add address=www.youtube.com disabled=yes list=www.youtube.com
add address=play.google.com disabled=yes list=play.google.com
add address=195.91.247.122 list=1c
add address=144.76.5.94 list=1c
add address=188.255.68.206 list=1c
add address=195.201.117.10 list=1c
add address=5.143.253.102 list=sip_iax
add address=185.108.20.138 list=sip_iax
add address=192.168.10.182 list=sip_iax
add address=185.108.20.139 list=sip_iax
add address=192.168.10.182 list=allow_sip
add address=185.108.20.138 list=allow_sip
add address=185.108.20.139 list=allow_sip
add address=195.90.150.235 list=allow_sip
add address=5.143.253.102 list=allow_sip
add address=192.168.0.0/16 list=allow_sip
add address=192.168.52.0/24 comment=KV3 list=LANIP
add address=192.168.53.0/24 comment=BAKY list=LANIP
add address=192.168.41.0/24 comment=KV1 list=LANIP
add address=192.168.51.0/24 comment=KV2 list=LANIP
add address=192.168.3.0/24 comment="OASIS LAN" list=LANIP
add address=192.168.54.0/24 comment=SKLAD8Mart list=LANIP
add address=192.168.101.0/24 list=LANIP

/ip firewall filter
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=accept chain=input disabled=yes dst-port=1723 protocol=tcp
add action=accept chain=input disabled=yes protocol=gre
add action=accept chain=input in-interface=bridge_service
add action=accept chain=input dst-port=1701 protocol=udp
add action=accept chain=output out-interface=bridge_service
add action=reject chain=forward dst-address-list=facebook.com reject-with=\
    icmp-network-unreachable
add action=reject chain=forward dst-address-list=instagram.com reject-with=\
    icmp-network-unreachable
add action=reject chain=forward dst-address-list=ok.com reject-with=\
    icmp-network-unreachable
add action=reject chain=forward dst-address-list=smotri.com reject-with=\
    icmp-network-unreachable
add action=reject chain=forward disabled=yes dst-address-list=youtube.ru \
    reject-with=icmp-network-unreachable
add action=reject chain=forward disabled=yes dst-address-list=youtube.com \
    reject-with=icmp-network-unreachable
add action=reject chain=forward dst-address-list=rutube.ru reject-with=\
    icmp-network-unreachable
add action=reject chain=forward dst-address-list=vk.com reject-with=\
    icmp-network-unreachable
add action=reject chain=forward dst-address-list=www.odnoklassniki.ru \
    reject-with=icmp-network-unreachable
add action=reject chain=forward disabled=yes dst-address-list=www.youtube.com \
    reject-with=icmp-network-unreachable
add action=reject chain=forward comment="YouTube blok2" disabled=yes \
    dst-limit=1,5,dst-address/1m40s layer7-protocol=youtube limit=5,5:packet \
    reject-with=icmp-network-unreachable
add action=reject chain=forward comment="YouTube blok1" disabled=yes \
    layer7-protocol=site_video protocol=tcp reject-with=\
    icmp-network-unreachable
add action=drop chain=forward dst-address=64.233.162.190
add action=drop chain=forward dst-address=151.106.13.171
add action=drop chain=forward dst-address=93.131.125.74
add action=drop chain=forward dst-address=173.194.44.0/24
add action=drop chain=forward dst-address=173.194.32.169 protocol=tcp
add action=drop chain=forward dst-address=173.194.122.231 protocol=tcp
add action=accept chain=forward in-interface=bridge_service
add action=accept chain=input protocol=icmp src-address=192.168.77.0/24
add action=drop chain=input disabled=yes dst-address=192.168.10.0/24 \
    src-address=192.168.11.0/24
add action=accept chain=forward comment=Video disabled=yes dst-address=\
    192.168.0.0/24 src-address=192.168.7.1
add action=accept chain=forward dst-address=192.168.0.99 src-address=\
    192.168.7.35
add action=accept chain=forward dst-address=192.168.10.182 src-address=\
    192.168.30.0/24
add action=accept chain=forward dst-address=192.168.30.0/24 src-address=\
    192.168.10.182
add action=accept chain=forward comment=PLANSHET dst-address=192.168.7.99 \
    src-address=192.168.11.56
add action=accept chain=input comment=PLANSHET dst-address=192.168.7.99 \
    src-address=192.168.11.56
add action=accept chain=forward comment=PLANSHET dst-address=192.168.11.56 \
    src-address=192.168.7.99
add action=accept chain=input comment=PLANSHET dst-address=192.168.11.56 \
    src-address=192.168.7.99
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=\
    192.168.7.85
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=\
    192.168.7.46
add action=accept chain=forward disabled=yes dst-address=192.168.7.1 \
    src-address=192.168.0.0/24
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=\
    192.168.7.35
add action=accept chain=forward dst-address=192.168.0.0/24 src-address=\
    192.168.7.61
add action=accept chain=forward dst-address=192.168.7.35 src-address=\
    192.168.0.0/24
add action=accept chain=forward dst-address=192.168.7.61 src-address=\
    192.168.0.0/24
add action=accept chain=forward dst-address=192.168.7.85 src-address=\
    192.168.0.0/24
add action=accept chain=forward dst-address=192.168.7.46 src-address=\
    192.168.0.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.0.0/24 \
    src-address=192.168.7.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.7.0/24 \
    src-address=192.168.0.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.0.0/24 \
    src-address=192.168.10.0/24
add action=drop chain=forward dst-address=192.168.10.0/24 src-address=\
    192.168.0.0/24
add action=drop chain=forward dst-address=192.168.0.0/24 src-address=\
    192.168.11.0/24
add action=drop chain=forward dst-address=192.168.11.0/24 src-address=\
    192.168.0.0/24
add action=drop chain=input comment="podbor pass po ssh - drop" in-interface=\
    ether1 src-address=183.136.214.248
add action=drop chain=forward comment="sip - drop" dst-port=5060 protocol=udp \
    src-address=37.8.94.61
add action=drop chain=input comment=iax_drop dst-port=4569 protocol=udp \
    src-address-list=!sip_iax src-port=4569
add action=drop chain=input comment=sip_drop dst-port=5060 protocol=tcp \
    src-address-list=!allow_sip
add action=drop chain=input comment=sip_drop dst-port=5060 protocol=udp \
    src-address-list=!allow_sip

/ip firewall mangle
add action=mark-connection chain=input dst-address=XXX.XXX.XXX.XXX \
    in-interface=ether1 new-connection-mark=WAN1->Input passthrough=no
add action=mark-routing chain=output connection-mark=WAN1->Input \
    new-routing-mark=WAN1 passthrough=no
add action=mark-connection chain=input dst-address=192.168.105.200 \
    in-interface=ether2 new-connection-mark=WAN2->Input passthrough=no
add action=mark-routing chain=output connection-mark=WAN2->Input \
    new-routing-mark=WAN2 passthrough=no
add action=mark-connection chain=input dst-address=ZZZ.ZZZ.ZZZ.ZZZ in-interface=\
    sfp3 new-connection-mark=WAN3->Input passthrough=no
add action=mark-routing chain=output connection-mark=WAN3->Input \
    new-routing-mark=WAN3 passthrough=no
add action=mark-routing chain=prerouting dst-address-list=!LANIP \
    new-routing-mark=Aykcion passthrough=no src-address=192.168.10.0/24
add action=mark-routing chain=prerouting dst-address-list=!LANIP \
    new-routing-mark=WIFI passthrough=no src-address=192.168.11.0/24
add action=mark-routing chain=prerouting dst-address-list=!LANIP \
    new-routing-mark=WIFI_b passthrough=no src-address=192.168.21.0/24
add action=mark-routing chain=prerouting dst-address-list=!LANIP \
    new-routing-mark=BridgeSFP passthrough=no src-address=192.168.7.0/24
add action=mark-routing chain=prerouting dst-address-list=!LANIP \
    new-routing-mark=TEL passthrough=no src-address=192.168.8.0/24
add action=mark-routing chain=prerouting dst-address-list=!LANIP \
    new-routing-mark=Service passthrough=no src-address=192.168.77.0/29
add action=mark-routing chain=prerouting dst-address-list=!LANIP \
    new-routing-mark=Video passthrough=no src-address=192.168.0.0/24
add action=mark-routing chain=prerouting dst-address-list=!LANIP \
    new-routing-mark=SIP passthrough=no src-address=192.168.22.0/24
add action=mark-routing chain=prerouting dst-address-list=!LANIP \
    new-routing-mark=SIP2 passthrough=no src-address=192.168.113.0/24
add action=mark-routing chain=prerouting disabled=yes dst-address-list=!LANIP \
    new-routing-mark=Prime passthrough=no src-address=192.168.30.0/24
add action=mark-packet chain=forward disabled=yes layer7-protocol=youtube \
    new-packet-mark=youtube passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=l2tp-in2
add action=masquerade chain=srcnat out-interface=l2tp-in1
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=sfp3
add action=masquerade chain=srcnat out-interface=bridge_service
add action=masquerade chain=srcnat dst-address=192.168.7.0/24
add action=masquerade chain=srcnat dst-address=192.168.30.0/24
add action=masquerade chain=srcnat dst-address=192.168.52.0/24
add action=masquerade chain=srcnat dst-address=192.168.51.0/24
add action=masquerade chain=srcnat dst-address=192.168.41.0/24
add action=netmap chain=dstnat dst-port=888 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.10.5 to-ports=80
add action=netmap chain=dstnat dst-port=28291 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.41.1 to-ports=8291
add action=netmap chain=dstnat dst-port=881 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.88.10 to-ports=8291
add action=netmap chain=dstnat disabled=yes dst-port=8888 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.9.1 to-ports=8291
add action=netmap chain=dstnat comment="to mt2" dst-port=8803 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.100.2 to-ports=8291
add action=netmap chain=dstnat dst-port=8802 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.7.12 to-ports=8291
add action=netmap chain=dstnat dst-port=8801 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.7.11 to-ports=8291
add action=netmap chain=dstnat dst-port=81 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.0.99 to-ports=80
add action=netmap chain=dstnat dst-port=82 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.0.100 to-ports=80
add action=netmap chain=dstnat dst-port=37777 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.0.99 to-ports=37777
add action=netmap chain=dstnat comment=ssh disabled=yes dst-port=2222 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.7.70 to-ports=22
add action=netmap chain=dstnat dst-port=37776 in-interface=ether1 protocol=\
    udp to-addresses=192.168.0.99 to-ports=37776
add action=netmap chain=dstnat dst-port=37779 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.0.100 to-ports=37779
add action=netmap chain=dstnat dst-port=37771 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.11.139 to-ports=37777
add action=netmap chain=dstnat dst-port=37778 in-interface=ether1 protocol=\
    udp to-addresses=192.168.0.100 to-ports=37778
add action=netmap chain=dstnat comment="SIP RDP" dst-port=33389 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.10.142 to-ports=3389
add action=netmap chain=dstnat comment="SIP RDP" dst-port=33389 in-interface=\
    sfp3 protocol=tcp to-addresses=192.168.10.142 to-ports=3389
add action=netmap chain=dstnat comment="SIP IAX" disabled=yes dst-port=4569 \
    in-interface=ether1 protocol=udp to-addresses=192.168.10.182 to-ports=\
    4569
add action=netmap chain=dstnat comment="https sip" disabled=yes dst-port=443 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.10.182 to-ports=443
add action=netmap chain=dstnat comment="SIP ssh" disabled=yes dst-port=3322 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.10.182 to-ports=22
add action=netmap chain=dstnat disabled=yes dst-port=12345 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.7.200 to-ports=3389
add action=netmap chain=dstnat comment=1c dst-port=1122 in-interface=ether1 \
    protocol=tcp src-address-list=1c to-addresses=192.168.7.113 to-ports=22
add action=netmap chain=dstnat comment=1c dst-port=1122 in-interface=sfp3 \
    protocol=tcp src-address-list=1c to-addresses=192.168.7.113 to-ports=22
add action=netmap chain=dstnat comment=1c dst-port=11389 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.7.107 to-ports=3389
add action=netmap chain=dstnat comment=1c dst-port=11389 in-interface=sfp3 \
    protocol=tcp to-addresses=192.168.7.107 to-ports=3389
add action=netmap chain=dstnat comment=1c disabled=yes dst-port=11390 \
    in-interface=sfp3 protocol=tcp src-address-list=1c to-addresses=\
    192.168.7.114 to-ports=3389
add action=netmap chain=dstnat comment=1c disabled=yes dst-port=11391 \
    in-interface=sfp3 protocol=tcp src-address-list=1c to-addresses=\
    192.168.7.56 to-ports=3389
add action=netmap chain=dstnat comment=1c dst-port=1153 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.7.113 to-ports=1153
add action=netmap chain=dstnat comment=1c dst-port=1153 in-interface=sfp3 \
    protocol=tcp to-addresses=192.168.7.113 to-ports=1153
add action=netmap chain=dstnat comment=1c dst-port=11902 in-interface=ether1 \
    protocol=tcp src-address-list=1c to-addresses=192.168.7.113 to-ports=902
add action=netmap chain=dstnat comment=1c dst-port=11902 in-interface=sfp3 \
    protocol=tcp src-address-list=1c to-addresses=192.168.7.113 to-ports=902
add action=netmap chain=dstnat comment=1c dst-port=11903 in-interface=ether1 \
    protocol=tcp src-address-list=1c to-addresses=192.168.7.113 to-ports=903
add action=netmap chain=dstnat comment=1c dst-port=11903 in-interface=sfp3 \
    protocol=tcp src-address-list=1c to-addresses=192.168.7.113 to-ports=903
add action=netmap chain=dstnat comment=1c dst-port=27000 in-interface=ether1 \
    protocol=tcp src-address-list=1c to-addresses=192.168.7.113 to-ports=\
    27000
add action=netmap chain=dstnat comment=1c dst-port=27000 in-interface=sfp3 \
    protocol=tcp src-address-list=1c to-addresses=192.168.7.113 to-ports=\
    27000
add action=netmap chain=dstnat comment=1c dst-port=27010 in-interface=ether1 \
    protocol=tcp src-address-list=1c to-addresses=192.168.7.113 to-ports=\
    27010
add action=netmap chain=dstnat comment=1c dst-port=27010 in-interface=sfp3 \
    protocol=tcp src-address-list=1c to-addresses=192.168.7.113 to-ports=\
    27010
add action=netmap chain=dstnat comment=1c dst-port=11443 in-interface=ether1 \
    protocol=tcp src-address-list=1c to-addresses=192.168.7.113 to-ports=443
add action=netmap chain=dstnat comment=1c dst-port=11443 in-interface=sfp3 \
    protocol=tcp src-address-list=1c to-addresses=192.168.7.113 to-ports=443
add action=netmap chain=dstnat comment=1c dst-port=11234 in-interface=ether1 \
    protocol=tcp to-addresses=192.168.52.251 to-ports=3389
add action=netmap chain=dstnat comment=1c dst-port=11234 in-interface=sfp3 \
    protocol=tcp to-addresses=192.168.52.251 to-ports=3389
add action=netmap chain=dstnat dst-port=33333 in-interface=sfp3 protocol=tcp \
    to-addresses=192.168.7.70 to-ports=3389
add action=netmap chain=dstnat dst-port=33333 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.7.70 to-ports=3389
add action=dst-nat chain=dstnat comment="SIP HTTPS 3CX" dst-address=\
    ZZZ.ZZZ.ZZZ.ZZZ dst-port=80 in-interface=sfp3 protocol=tcp to-addresses=\
    192.168.7.100 to-ports=80
add action=dst-nat chain=dstnat comment="SIP HTTPS 3CX" dst-address=\
    ZZZ.ZZZ.ZZZ.ZZZ dst-port=443 in-interface=sfp3 protocol=tcp to-addresses=\
    192.168.7.100 to-ports=443
add action=dst-nat chain=dstnat comment="SIP TCP 3CX" dst-address=ZZZ.ZZZ.ZZZ.ZZZ \
    dst-port=5060 in-interface=sfp3 protocol=tcp to-addresses=192.168.7.100 \
    to-ports=5060
add action=dst-nat chain=dstnat comment="SIP UDP 3CX" dst-address=ZZZ.ZZZ.ZZZ.ZZZ \
    dst-port=5060 in-interface=sfp3 protocol=udp to-addresses=192.168.7.100 \
    to-ports=5060
add action=dst-nat chain=dstnat comment="SIP TLS 3CX" dst-address=ZZZ.ZZZ.ZZZ.ZZZ \
    dst-port=5061 in-interface=sfp3 protocol=tcp to-addresses=192.168.7.100 \
    to-ports=5061
add action=dst-nat chain=dstnat comment="SIP TLS 3CX" dst-address=ZZZ.ZZZ.ZZZ.ZZZ \
    dst-port=5061 in-interface=sfp3 protocol=udp to-addresses=192.168.7.100 \
    to-ports=5061
add action=dst-nat chain=dstnat comment="SIP Media UDP 3CX" dst-address=\
    ZZZ.ZZZ.ZZZ.ZZZ dst-port=9000-10999 in-interface=sfp3 protocol=udp \
    to-addresses=192.168.7.100 to-ports=9000-10999
add action=dst-nat chain=dstnat comment="SIP Tunnel UDP 3CX" dst-address=\
    ZZZ.ZZZ.ZZZ.ZZZ dst-port=5090 in-interface=sfp3 protocol=udp to-addresses=\
    192.168.7.100 to-ports=5090
add action=dst-nat chain=dstnat comment="SIP Tunnel TCP 3CX" dst-address=\
    ZZZ.ZZZ.ZZZ.ZZZ dst-port=5090 in-interface=sfp3 protocol=tcp to-addresses=\
    192.168.7.100 to-ports=5090
add action=dst-nat chain=dstnat comment="SIP Tunnel TCP 3CX 5000" \
    dst-address=ZZZ.ZZZ.ZZZ.ZZZ dst-port=5000-5001 in-interface=sfp3 protocol=tcp \
    to-addresses=192.168.7.100 to-ports=5000-5001
add action=dst-nat chain=dstnat comment="SIP Tunnel UDP 3CX 5000" \
    dst-address=ZZZ.ZZZ.ZZZ.ZZZ dst-port=5000-5001 in-interface=sfp3 protocol=udp \
    to-addresses=192.168.7.100 to-ports=5000-5001

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes sip-timeout=4m
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0

/ip proxy
set cache-path=web-proxy1

/ip route
add check-gateway=ping distance=1 gateway=XXX.XXX.XXX.129 routing-mark=WAN1
add distance=1 gateway=192.168.105.1 routing-mark=WAN2
add distance=1 gateway=ZZZ.ZZZ.ZZZ.65 routing-mark=WAN3
add check-gateway=ping distance=11 gateway=ZZZ.ZZZ.ZZZ.65 routing-mark=Aykcion
add check-gateway=ping distance=12 gateway=XXX.XXX.XXX.129 routing-mark=\
    Aykcion
add check-gateway=ping distance=14 gateway=192.168.105.1 routing-mark=Aykcion
add check-gateway=ping distance=10 gateway=ZZZ.ZZZ.ZZZ.65 routing-mark=WIFI
add check-gateway=ping distance=11 gateway=XXX.XXX.XXX.129 routing-mark=WIFI
add check-gateway=ping distance=14 gateway=192.168.105.1 routing-mark=WIFI
add check-gateway=ping distance=14 gateway=192.168.105.1 routing-mark=WIFI_b
add distance=10 gateway=ZZZ.ZZZ.ZZZ.65 routing-mark=BridgeSFP
add check-gateway=ping distance=12 gateway=XXX.XXX.XXX.129 routing-mark=\
    BridgeSFP
add check-gateway=ping disabled=yes distance=14 gateway=192.168.105.1 \
    routing-mark=BridgeSFP
add check-gateway=ping distance=11 gateway=XXX.XXX.XXX.129 routing-mark=TEL
add check-gateway=ping disabled=yes distance=10 gateway=192.168.105.1 \
    routing-mark=TEL
add check-gateway=ping distance=11 gateway=XXX.XXX.XXX.129 routing-mark=\
    Service
add check-gateway=ping distance=14 gateway=192.168.105.1 routing-mark=Service
add check-gateway=ping distance=10 gateway=XXX.XXX.XXX.129 routing-mark=Video
add check-gateway=ping comment=Gleb distance=1 gateway=XXX.XXX.XXX.129
add check-gateway=ping comment=WAN3 distance=2 gateway=ZZZ.ZZZ.ZZZ.65
add check-gateway=ping comment=Oleg distance=3 gateway=192.168.105.1
add check-gateway=ping distance=10 gateway=ZZZ.ZZZ.ZZZ.65
add distance=1 dst-address=192.168.0.0/24 gateway=192.168.7.11
add distance=1 dst-address=192.168.1.0/24 gateway=10.50.0.20
add distance=1 dst-address=192.168.3.0/24 gateway=10.50.0.20,10.51.1.10
add distance=1 dst-address=192.168.21.0/24 gateway=192.168.11.3
add distance=1 dst-address=192.168.22.1/32 gateway=ether10
add distance=1 dst-address=192.168.30.0/24 gateway=10.50.30.11
add distance=1 dst-address=192.168.31.0/24 gateway=10.50.30.11
add distance=1 dst-address=192.168.41.0/24 gateway=10.50.40.11
add distance=1 dst-address=192.168.51.0/24 gateway=10.50.50.11
add distance=1 dst-address=192.168.52.0/24 gateway=10.50.52.11
add distance=1 dst-address=192.168.53.0/24 gateway=10.50.53.11
add distance=1 dst-address=192.168.54.0/24 gateway=10.50.54.11
add distance=1 dst-address=192.168.60.0/24 gateway=10.50.61.11
add distance=1 dst-address=192.168.101.0/24 gateway=10.50.62.11
add distance=1 dst-address=192.168.111.0/24 gateway=10.7.111.20
add distance=1 dst-address=192.168.113.113/32 gateway=192.168.22.1
add distance=1 dst-address=192.168.199.0/24 gateway=192.168.77.3
add distance=1 dst-address=192.168.199.10/32 gateway=192.168.7.12

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.10.0/24,192.168.9.0/24,192.168.7.0/24,192.168.77.0/24
set ssh address=192.168.10.0/32,192.168.77.0/32,192.168.9.0/32
set api disabled=yes
set api-ssl disabled=yes

/radius
add address=192.168.11.4 secret=RADIUSPASS service=wireless

/snmp
set enabled=yes trap-version=2

/system clock
set time-zone-autodetect=no

/system clock manual
set time-zone=+03:00

/system identity
set name=MT_main

/system package update
set channel=release-candidate

/system routerboard settings
set silent-boot=no

/system scheduler
add disabled=yes name=job_eth2_disable on-event=\
    "/system script run eth2-disable" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    sep/29/2014 start-time=01:20:30
add disabled=yes name=reboot on-event="/system reboot" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    sep/29/2014 start-time=01:16:35
add disabled=yes name=job_again on-event="/system script run eth2-disable" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=sep/29/2014 start-time=01:15:30
add name=UP_Gleb policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    feb/05/2015 start-time=13:00:00

/system script
add dont-require-permissions=no name=eth2-disable owner=user policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source=\
    "/interface disable ether2"
add dont-require-permissions=no name=gleb_UP owner=user policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source=\
    "/ip route enable numbers=12"
add dont-require-permissions=no name=gleb_down owner=user policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source=\
    "/ip route disable numbers=12"

/system watchdog
set watchdog-timer=no

/tool graphing interface
add interface=ether1
add interface=sfp3

/tool netwatch
add disabled=yes down-script="/system script run gleb_up" host=192.168.9.1 \
    interval=10m up-script="/system script run gleb_down"
/tool romon
set enabled=yes id=CC:2D:E0:BB:1A:89 secrets=ROMONPASS
/tool romon port
add
add disabled=no forbid=yes interface=ether1
add disabled=no forbid=yes interface=ether2

[xvo]

В суппорте телефонии и в супорте Sip-провайдера, говорят примерно одно и тоже -
не приходит ASK от sip-провайдера на телефонный сервер + sip провайдер говорит что он видит запрос от внутреннего ip ( 192.168.7.100), а не от внешнего ZZZ.ZZZ.ZZZ.ZZZ.
Не могу понять, почему такое происходит. Разумеется подсети натятся.

Имеется ввиду видимо не ip с которого пакет приходит, а именно sip-овское поле внутри пакета.
Типа у вас сервер не знает своего внешнего IP.
Смотрите, что у вас за настройки транка.

[Kostetyo]

Имеется ввиду видимо не ip с которого пакет приходит, а именно sip-овское поле внутри пакета.
Типа у вас сервер не знает своего внешнего IP.
Смотрите, что у вас за настройки транка.

Я думаю Вы правы, однако данная схема работает еще в 3-х местах, с теми же настройками и с теми же провайдерами sip. Единственное отличие в настройках mikrotik, тут mangle настроен немного подругому.

[xvo]

Так, проглядел конфиг:

Код: Выделить всё

/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.7.0/24
add action=masquerade chain=srcnat dst-address=192.168.30.0/24
add action=masquerade chain=srcnat dst-address=192.168.52.0/24
add action=masquerade chain=srcnat dst-address=192.168.51.0/24
add action=masquerade chain=srcnat dst-address=192.168.41.0/24

Вот этот вот кусок какую смысловую нагрузку несет?
Получается что у вас все внутри видит всё, что приходит снаружи, как-будто оно приходит с роутера.

Дальше, касательно mangle:

Код: Выделить всё

/ip firewall mangle
add action=mark-connection chain=input dst-address=XXX.XXX.XXX.XXX \
    in-interface=ether1 new-connection-mark=WAN1->Input passthrough=no
add action=mark-routing chain=output connection-mark=WAN1->Input \
    new-routing-mark=WAN1 passthrough=no
add action=mark-connection chain=input dst-address=192.168.105.200 \
    in-interface=ether2 new-connection-mark=WAN2->Input passthrough=no
add action=mark-routing chain=output connection-mark=WAN2->Input \
    new-routing-mark=WAN2 passthrough=no
add action=mark-connection chain=input dst-address=ZZZ.ZZZ.ZZZ.ZZZ in-interface=\
    sfp3 new-connection-mark=WAN3->Input passthrough=no
add action=mark-routing chain=output connection-mark=WAN3->Input \
    new-routing-mark=WAN3 passthrough=no

Вообще не уверен, что эта часть как-то нормально работает. Предполагается, что все, что приходит снаружи, должно уходить через тот же WAN.
Но только в таком виде оно затрагивает только трафик до роутера, а то, что проходит через dst-nat пролетает мимо этих правил.

[Kostetyo]

Так, проглядел конфиг:

Код: Выделить всё

/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.7.0/24
add action=masquerade chain=srcnat dst-address=192.168.30.0/24
add action=masquerade chain=srcnat dst-address=192.168.52.0/24
add action=masquerade chain=srcnat dst-address=192.168.51.0/24
add action=masquerade chain=srcnat dst-address=192.168.41.0/24

Вот этот вот кусок какую смысловую нагрузку несет?
Получается что у вас все внутри видит всё, что приходит снаружи, как-будто оно приходит с роутера.
192.168.7.0/24 натим внутренюю подсеть, 192.168.30.0/24, - 192.168.52.0/24, натим подсети за впнами.


Дальше, касательно mangle:

Код: Выделить всё

/ip firewall mangle
add action=mark-connection chain=input dst-address=XXX.XXX.XXX.XXX \
    in-interface=ether1 new-connection-mark=WAN1->Input passthrough=no
add action=mark-routing chain=output connection-mark=WAN1->Input \
    new-routing-mark=WAN1 passthrough=no
add action=mark-connection chain=input dst-address=192.168.105.200 \
    in-interface=ether2 new-connection-mark=WAN2->Input passthrough=no
add action=mark-routing chain=output connection-mark=WAN2->Input \
    new-routing-mark=WAN2 passthrough=no
add action=mark-connection chain=input dst-address=ZZZ.ZZZ.ZZZ.ZZZ in-interface=\
    sfp3 new-connection-mark=WAN3->Input passthrough=no
add action=mark-routing chain=output connection-mark=WAN3->Input \
    new-routing-mark=WAN3 passthrough=no

Вообще не уверен, что эта часть как-то нормально работает. Предполагается, что все, что приходит снаружи, должно уходить через тот же WAN.
Но только в таком виде оно затрагивает только трафик до роутера, а то, что проходит через dst-nat пролетает мимо этих правил.

Да, наверное оно так и есть, подскажите пожалуйста , как поправить эту ситуацию не переписывая правила mangle полностью. Потому что проблема видимо именно в этом.

[xvo]

Касательно лишних маскарадов - их вообще убрать.
Но я так сходу не уверен, что это не костыль для чего-то, и что ничего не сломается.

По вот этим 6 правилам мангла:
1) правила, которые делают mark connection перенести в цепочку prerouting.
2) правила, которые mark routing в цепочке output не трогать, но
3) сделать их копии в цепочку prerouting с обязательным условием, что пакет пришел не из WAN (например in-interface=!sfp3)
4) опять же проверить, не ломает ли это последующие правила мангла

[Kostetyo]

Касательно лишних маскарадов - их вообще убрать.
Но я так сходу не уверен, что это не костыль для чего-то, и что ничего не сломается.

По вот этим 6 правилам мангла:
1) правила, которые делают mark connection перенести в цепочку prerouting.
2) правила, которые mark routing в цепочке output не трогать, но
3) сделать их копии в цепочку prerouting с обязательным условием, что пакет пришел не из WAN (например in-interface=!sfp3)
4) опять же проверить, не ломает ли это последующие правила мангла

А если просто к правилам dst-nat добавить mark-connection или mark-routing?
Это не поможет?

[xvo]

Эти правила маскарада неправильные по сути, от них в любом случае надо избавляться.

[Kostetyo]

Ладно, сейчас все перепишу, попробую применить, позже отпишусь.

[Kostetyo]

Код: Выделить всё

/ip firewall mangle
add chain=prerouting in-interface=ether1 dst-address=X.X.X.0/24 connection-state=new action=mark-connection new-connection-mark=GW-X.X.X.129 passthrough=no
add chain=prerouting in-interface=ether2 dst-address=192.168.105.0/24 connection-state=new action=mark-connection new-connection-mark=GW-Y.Y.Y.1 passthrough=no
add chain=prerouting in-interface=sfp3 dst-address=Z.Z.Z.0/24 connection-state=new action=mark-connection new-connection-mark=GW-Z.Z.Z.65 passthrough=no

/ip route
add dst-address=0.0.0.0/0 gateway=X.X.X.129 routing-mark=GW-X.X.X.129
add dst-address=0.0.0.0/0 gateway=192.168.105.1 routing-mark=GW-Y.Y.Y.1
add dst-address=0.0.0.0/0 gateway=Z.Z.Z.65 routing-mark=GW-Z.Z.Z.65

/ip route rule
add routing-mark=GW-X.X.X.129 action=lookup-only-in-table table=GW-X.X.X.129
add routing-mark=GW-Y.Y.Y.1 action=lookup-only-in-table table=GW-Y.Y.Y.1
add routing-mark=GW-Z.Z.Z.65 action=lookup-only-in-table table=GW-Z.Z.Z.65

/ip firewall mangle
add chain=output connection-mark=GW-X.X.X.129 action=mark-routing new-routing-mark=GW-X.X.X.129 passthrough=no
add chain=output connection-mark=GW-Y.Y.Y.1 action=mark-routing new-routing-mark=GW-Y.Y.Y.1 passthrough=no
add chain=output connection-mark=GW-Z.Z.Z.65 action=mark-routing new-routing-mark=GW-Z.Z.Z.65 passthrough=no

/interface bridge add name=BR-LOOP

/ip route add dst-address=0.0.0.0/0 gateway=BR-LOOP distance=254 pref-src=X.X.X.133

/ip firewall mangle
add chain=output src-address=X.X.X.0/24 action=mark-routing new-routing-mark=GW-X.X.X.129 passthrough=no
add chain=output src-address=192.168.105.0/24 action=mark-routing new-routing-mark=GW-Y.Y.Y.1 passthrough=no
add chain=output src-address=Z.Z.Z.0/24 action=mark-routing new-routing-mark=GW-Z.Z.Z.65 passthrough=no

/ip firewall mangle
add chain=prerouting connection-mark=GW-X.X.X.129 in-interface=!ether1 action=mark-routing new-routing-mark=GW-X.X.X.129 passthrough=no
add chain=prerouting connection-mark=GW-Y.Y.Y.1 in-interface=!ether2 action=mark-routing new-routing-mark=GW-Y.Y.Y.1 passthrough=no
add chain=prerouting connection-mark=GW-Z.Z.Z.65 in-interface=!sfp3 action=mark-routing new-routing-mark=GW-Z.Z.Z.65 passthrough=no

/ip firewall address-list
add list=ISP1ETH1 address=192.168.3.0/24
add list=ISP2ETH2 address=192.168.50.0/24
add list=ISP3SFP3 address=192.168.7.0/24
add list=ISP3SFP3 address=192.168.10.0/24
add list=ISP3SFP3 address=192.168.11.0/24

/ip firewall address-list
add address=192.168.10.0/24 comment=Aykcion list=LANIP
add address=192.168.11.0/24 comment=Wifi list=LANIP
add address=192.168.7.0/24 comment="Lan(seti)" list=LANIP
add address=192.168.77.0/29 comment=Service list=LANIP
add address=192.168.7.0/24 disabled=yes list=BLOCKtoWAN1
add address=192.168.0.0/24 comment=Video list=LANIP
add address=192.168.22.0/24 comment="br dlya SIP" list=LANIP
add address=192.168.113.0/24 comment="br dlya SIP2" list=LANIP
add address=192.168.199.0/24 disabled=yes list=LANIP
add address=192.168.21.0/24 comment=Wifi_b list=LANIP
add address=192.168.8.0/24 comment=TEL list=LANIP
add address=192.168.52.0/24 comment=KV3 list=LANIP
add address=192.168.53.0/24 comment=BAKY list=LANIP
add address=192.168.41.0/24 comment=KV1 list=LANIP
add address=192.168.51.0/24 comment=KV2 list=LANIP
add address=192.168.3.0/24 comment="OASIS LAN" list=LANIP
add address=192.168.54.0/24 comment=SKLAD8Mart list=LANIP
add address=192.168.101.0/24 list=LANIP

/ip firewall mangle
add chain=prerouting src-address-list=ISP1ETH1 dst-address-list=!LANIP action=mark-routing new-routing-mark=GW-X.X.X.129 passthrough=no
add chain=prerouting src-address-list=ISP2ETH2 dst-address-list=!LANIP action=mark-routing new-routing-mark=GW-Y.Y.Y.1 passthrough=no
add chain=prerouting src-address-list=ISP3SFP3 dst-address-list=!LANIP action=mark-routing new-routing-mark=GW-Z.Z.Z.65 passthrough=no

/ip firewall nat
add chain=srcnat routing-mark=GW-X.X.X.129 src-address-list=ISP1ETH1 action=src-nat to-addresses=X.X.X.133
add chain=srcnat routing-mark=GW-Y.Y.Y.1 src-address-list=ISP2ETH2 action=src-nat to-addresses=192.168.105.200
add chain=srcnat routing-mark=GW-Z.Z.Z.65 src-address-list=ISP3SFP3 action=src-nat to-addresses=Z.Z.Z.85

/ip route
add dst-address=0.0.0.0/0 gateway=Z.Z.Z.65 distance=2
add dst-address=0.0.0.0/0 gateway=192.168.105.1 distance=4
add dst-address=0.0.0.0/0 gateway=X.X.X.129 distance=3

/ip firewall mangle
add chain=prerouting connection-mark=eth1 action=mark-routing new-routing-mark=GW-X.X.X.129 passthrough=no in-interface=!ether1
add chain=prerouting connection-mark=eth2 action=mark-routing new-routing-mark=GW-Y.Y.Y.1 passthrough=no in-interface=!ether2
add chain=prerouting connection-mark=sfp3 action=mark-routing new-routing-mark=GW-Z.Z.Z.65 passthrough=no in-interface=!sfp3

/ip firewall nat
add chain=srcnat out-interface=ether1 routing-table=main action=src-nat to addresses=X.X.X.133
add chain=srcnat out-interface=ether2 routing-table=main action=src-nat to-addresses=192.168.105.200
add chain=srcnat out-interface=sfp32 routing-table=main action=src-nat to-addresses=Z.Z.Z.85

Вот что выходит, имеет ли право это на существование?