3 ISPs, NAT doesn't work.
Posted: 21 Oct 2019, 08:13
I've run into a problem and haven't been able to solve it for more than a week now.
I have a MikroTik 3011 and 3 ISPs with static addresses. Internet works, the MikroTik is reachable on all three addresses, and the address list that pins specific users to a particular ISP works. Port forwarding doesn't work no matter what I try. I've run out of ideas.
Code:
ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 ;;; defconf
10.171.1.1/24 10.171.1.0 ether4
1 87.xxx.xx.154/30 87.xxx.xx.152 ISP1
2 87.xxx.xx.6/30 87.xxx.xx.4 ISP2
3 188.x.xxx.232/25 188.x.xxx.128 ISP3

ip route print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 188.x.xxx.129 1
1 S 0.0.0.0/0 87.xxx.xx.5 1
2 S 0.0.0.0/0 87.xxx.xx.153 1
3 S 0.0.0.0/0 ISP1 1
4 S 0.0.0.0/0 8.8.8.8 1
5 S 0.0.0.0/0 8.8.4.4 2
6 A S 0.0.0.0/0 77.88.8.8 3
7 S 8.8.4.4/32 87.xxx.xx.5 1
8 S 8.8.8.8/32 87.xxx.xx.5 1
9 ADC 10.171.1.0/24 10.171.1.1 ether4 0
10 A S 77.88.8.8/32 188.x.xxx.129 1
11 DC 87.xxx.xx.4/30 87.xxx.xx.6 ISP2 255
12 DC 87.xxx.xx.152/30 87.xxx.xx.154 ISP1 255
13 ADC 188.x.xxx.128/25 188.x.xxx.232 ISP3 0

ip firewall filter print
0 ;;; 1.1. Forward and Input Established and Related connections
chain=forward action=accept connection-state=established,related log=no log-prefix=""
1 chain=forward action=drop connection-state=invalid log=no log-prefix=""
2 chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=no log-prefix=""
3 chain=input action=accept connection-state=established,related log=no log-prefix=""
4 chain=input action=drop connection-state=invalid log=no log-prefix=""
5 ;;; 1.2. DDoS Protect - Connection Limit
chain=input action=add-src-to-address-list connection-limit=100,32 protocol=tcp address-list=ddos-blacklist address-list-timeout=1d in-interface-list=WAN log=no log-prefix=""
6 chain=input action=tarpit connection-limit=3,32 protocol=tcp src-address-list=ddos-blacklist log=no log-prefix=""
7 ;;; 1.3. DDoS Protect - SYN Flood
chain=forward action=jump jump-target=SYN-Protect tcp-flags=syn connection-state=new protocol=tcp log=no log-prefix=""
8 chain=input action=jump jump-target=SYN-Protect tcp-flags=syn connection-state=new protocol=tcp in-interface-list=WAN log=no log-prefix=""
9 chain=SYN-Protect action=return tcp-flags=syn connection-state=new protocol=tcp limit=200,5:packet log=no log-prefix=""
10 chain=SYN-Protect action=drop tcp-flags=syn connection-state=new protocol=tcp log=no log-prefix=""
11 ;;; 1.4. Protected - Ports Scanners
chain=input action=drop src-address-list=Port Scanners log=no log-prefix=""
12 chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port Scanners address-list-timeout=none-dynamic in-interface-list=WAN log=no log-prefix=""
13 ;;; 1.5. Protected - WinBox Access
chain=input action=drop src-address-list=Black List Winbox
14 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=Winbox Stage 3 address-list=Black List Winbox address-list-timeout=none-dynamic in-interface-list=WAN dst-port=8291 log=yes log-prefix="BLACK WINBOX"
15 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=Winbox Stage 2 address-list=Winbox Stage 3 address-list-timeout=1m in-interface-list=WAN dst-port=8291
16 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=Winbox Stage 1 address-list=Winbox Stage 2 address-list-timeout=1m in-interface-list=WAN dst-port=8291
17 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=Winbox Stage 1 address-list-timeout=1m in-interface-list=WAN dst-port=8291
18 chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=8291
19 ;;; 1.6. Protected - OpenVPN Connections
chain=input action=drop src-address-list=Black List OpenVPN log=no log-prefix=""
20 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=OpenVPN Stage 3 address-list=Black List OpenVPN address-list-timeout=none-dynamic in-interface-list=WAN dst-port=1194 log=yes log-prefix="BLACK OVPN"
21 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=OpenVPN Stage 2 address-list=OpenVPN Stage 3 address-list-timeout=1m in-interface-list=WAN dst-port=1194 log=no log-prefix=""
22 chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=OpenVPN Stage 1 address-list=OpenVPN Stage 2 address-list-timeout=1m in-interface-list=WAN dst-port=1194 log=no log-prefix=""
23 chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=OpenVPN Stage 1 address-list-timeout=1m in-interface-list=WAN dst-port=1194 log=no log-prefix=""
24 chain=input action=accept protocol=tcp in-interface-list=WAN dst-port=1194 log=no log-prefix=""
25 ;;; 1.8. Access Normal Ping
chain=input action=accept protocol=icmp in-interface-list=WAN limit=50/5s,2:packet log=no log-prefix=""
26 ;;; 1.9. Drop All Other
chain=input action=drop in-interface-list=WAN log=no log-prefix=""
27 ;;; Reject MS Telemetry
chain=forward action=reject reject-with=icmp-network-unreachable dst-address-list=MStelemetry

ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=mark-connection new-connection-mark=in_ISP1_for in-interface=ISP1
1 chain=prerouting action=mark-routing new-routing-mark=ISP1 src-address=10.171.1.0/24 connection-mark=in_ISP1_for
2 chain=forward action=mark-connection new-connection-mark=in_ISP2_for in-interface=ISP2
3 chain=prerouting action=mark-routing new-routing-mark=ISP2 src-address=10.171.1.0/24 connection-mark=in_ISP2_for
4 chain=forward action=mark-connection new-connection-mark=in_ISP3_for in-interface=ISP3
5 chain=prerouting action=mark-routing new-routing-mark=ISP3 src-address=10.171.1.0/24 connection-mark=in_ISP3_for
6 chain=input action=mark-connection new-connection-mark=in_ISP3 passthrough=yes in-interface=ISP3 log=no log-prefix=""
7 chain=input action=mark-connection new-connection-mark=in_ISP2 in-interface=ISP2
8 chain=input action=mark-connection new-connection-mark=in_ISP1 in-interface=ISP1
9 chain=output action=mark-routing new-routing-mark=ISP3-route connection-mark=in_ISP3
10 chain=output action=mark-routing new-routing-mark=ISP2-route connection-mark=in_ISP2
11 chain=output action=mark-routing new-routing-mark=ISP1-route connection-mark=in_ISP1
12 ;;; Routing special users
chain=prerouting action=mark-routing new-routing-mark=cpecial_user passthrough=yes src-address-list=special users log=no log-prefix=""

ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade out-interface-list=WAN
1 ;;; RDP
chain=dstnat action=dst-nat to-addresses=10.171.1.111 to-ports=3389 protocol=tcp in-interface-list=WAN dst-port=3389 log=yes log-prefix=""
Here's what I see in the logs:
dstnat: in:ISP3 out:(unknown 0), src-mac 00:01:00:01:00:01, proto TCP (SYN), 37.xx.x.154:49728->188.x.xxx.232:3389, len 52
The WAN list has three interfaces: ISP1, ISP2 and ISP3.
UPD.
It works with this rule:
add action=masquerade chain=srcnat dst-address=10.171.1.111 dst-port=3389 protocol=tcp
But that's some kind of kludge. Any other ideas?
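Editor's added example, not the poster's configuration: the usual RouterOS v6 layout for a multi-WAN dst-nat, where the reply to a forwarded connection must leave through the ISP the connection arrived on rather than through whichever default route happens to be active. Inbound connections are marked in prerouting by ingress WAN interface, the LAN host's reply packets get a routing mark derived from that connection mark, and each routing mark has its own default route. Interface names, the LAN host 10.171.1.111 and the (masked) gateway addresses are taken from the post; the mark names conn_ISPx and via_ISPx are invented here, and the example assumes 10.171.1.111 uses 10.171.1.1 on ether4 as its default gateway. RouterOS v7 expresses the same thing with routing-table= and /routing table instead of routing-mark=.

```routeros
# Added example (RouterOS v6 syntax). conn_ISPx / via_ISPx are invented names.
# Assumption: 10.171.1.111 has 10.171.1.1 (ether4) as its default gateway;
# if its replies go elsewhere, no mangle rule on the router can steer them.

/ip firewall mangle
# 1. On the first packet of a new inbound connection, remember which WAN it came in on.
#    prerouting runs before both forward and input, so this covers forwarded
#    (dst-nat) sessions and sessions to the router itself (WinBox, OpenVPN, ping).
add chain=prerouting in-interface=ISP1 connection-state=new action=mark-connection new-connection-mark=conn_ISP1 passthrough=yes
add chain=prerouting in-interface=ISP2 connection-state=new action=mark-connection new-connection-mark=conn_ISP2 passthrough=yes
add chain=prerouting in-interface=ISP3 connection-state=new action=mark-connection new-connection-mark=conn_ISP3 passthrough=yes

# 2. Reply packets coming back from the LAN host inherit the connection mark;
#    turn it into a routing mark so they are looked up in the per-ISP table.
add chain=prerouting in-interface=ether4 connection-mark=conn_ISP1 action=mark-routing new-routing-mark=via_ISP1 passthrough=no
add chain=prerouting in-interface=ether4 connection-mark=conn_ISP2 action=mark-routing new-routing-mark=via_ISP2 passthrough=no
add chain=prerouting in-interface=ether4 connection-mark=conn_ISP3 action=mark-routing new-routing-mark=via_ISP3 passthrough=no

# 3. Same for packets the router itself generates in reply (chain=output).
add chain=output connection-mark=conn_ISP1 action=mark-routing new-routing-mark=via_ISP1 passthrough=no
add chain=output connection-mark=conn_ISP2 action=mark-routing new-routing-mark=via_ISP2 passthrough=no
add chain=output connection-mark=conn_ISP3 action=mark-routing new-routing-mark=via_ISP3 passthrough=no

/ip route
# 4. One default route per routing mark. Gateways are the ones printed in the post;
#    check-gateway=ping withdraws a route whose next hop stops answering.
add dst-address=0.0.0.0/0 gateway=87.xxx.xx.153 routing-mark=via_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=87.xxx.xx.5 routing-mark=via_ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=188.x.xxx.129 routing-mark=via_ISP3 check-gateway=ping

/ip firewall nat
# 5. The port forward as in the post; ordinary outbound masquerade stays on the WAN list,
#    so no srcnat towards the LAN host is needed.
add chain=dstnat in-interface-list=WAN protocol=tcp dst-port=3389 action=dst-nat to-addresses=10.171.1.111 to-ports=3389
add chain=srcnat out-interface-list=WAN action=masquerade
```

With this in place, `/ip firewall connection print detail` shows the conn_ISPx mark on the RDP session, and its replies leave through the same ISP that produced the dstnat log line; if the session is marked but still fails, the problem is on the LAN host (its gateway or its own firewall), not in the router's routing.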