L2TP - сеть видна частично.
Добавлено: 21 фев 2020, 13:40
[admin@BLHR] > export
# feb/21/2020 17:25:31 by RouterOS 6.42.10
# software id = 12F2-RTSA
#
# model = RB941-2nD
# serial number = A1880A1AFDCC
#
# Export of the remote-site router "BLHR" (LAN 192.168.1.0/24, L2TP client
# towards the office router whose export follows later in the thread).
# REVIEW: apart from the peer address the export is unredacted — the L2TP
# password, both WPA pre-shared keys and the serial number are printed
# below; treat every credential in it as disclosed and rotate it.
/interface bridge
# proxy-arp: the router answers ARP on the LAN for addresses it routes to.
add arp=proxy-arp name=bridge-LAN
/interface ethernet
set [ find default-name=ether1 ] comment=WAN name=ether1-WAN
/interface l2tp-client
# L2TP client to the office router (193.xxx.xxx.148 is the poster's mask of
# its public address). add-default-route=yes installs a default route via the
# tunnel; the DHCP client on ether1-WAN installs one too, and with no
# default-route-distance set both are at distance 1 — confirm which is active.
# No use-ipsec / ipsec-secret is configured, so this side sends plain L2TP.
# Only mschap2 is allowed for PPP authentication.
add add-default-route=yes allow=mschap2 connect-to=193.xxx.xxx.148 disabled=no \
name=l2tp-out1 password=Yyyyyyyyy user=BLHR
/interface list
add exclude=dynamic name=discover
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# WPA/WPA2-PSK profile for the office AP. The PSK (S1234567 for both WPA and
# WPA2) is printed in clear and is short and pattern-like; replace it with a
# long random passphrase once the export has been shared.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=ap-security supplicant-identity="" \
wpa-pre-shared-key=S1234567 wpa2-pre-shared-key=S1234567
/interface wireless
# 2.4 GHz AP on wlan1 (a member port of bridge-LAN, see /interface bridge port).
set [ find default-name=wlan1 ] band=2ghz-b/g/n country=russia disabled=no \
mode=ap-bridge security-profile=ap-security ssid=Office-baza \
wireless-protocol=802.11
/ip pool
add name=dhcp-pool ranges=192.168.1.10-192.168.1.99
/ip dhcp-server
# The DHCP server is bound to bridge-LAN, but no IP address is assigned to
# bridge-LAN (see /ip address below) — the server has no network of its own
# on that interface.
add address-pool=dhcp-pool disabled=no interface=bridge-LAN lease-time=1d10m \
name=dhcp-LAN
/interface bridge port
# ether2..ether4 and wlan1 are all member ports of bridge-LAN.
add bridge=bridge-LAN interface=ether2
add bridge=bridge-LAN interface=ether3
add bridge=bridge-LAN interface=ether4
add bridge=bridge-LAN interface=wlan1
/interface list member
add interface=ether1-WAN list=WAN
add interface=bridge-LAN list=LAN
/ip address
# REVIEW: the only LAN address sits on ether2, which is a *member port* of
# bridge-LAN, instead of on bridge-LAN itself. Hosts on ether3/ether4/wlan1
# reach the router through the bridge, so they (and the DHCP server bound to
# bridge-LAN) most likely see no working gateway — consistent with the
# thread's "network only partly visible". Expected: interface=bridge-LAN.
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
/ip arp
# Static ARP entries on bridge-LAN. Only the first carries a MAC address; the
# other five are address-only entries that bind nothing — presumably
# leftovers, verify whether they are still needed.
add address=192.168.1.2 interface=bridge-LAN mac-address=A0:F3:C1:A5:10:EC
add address=192.168.1.4 interface=bridge-LAN
add address=192.168.1.6 interface=bridge-LAN
add address=192.168.1.9 interface=bridge-LAN
add address=192.168.1.11 interface=bridge-LAN
add address=192.168.1.13 interface=bridge-LAN
/ip dhcp-client
# WAN address via DHCP on ether1-WAN (by default this also adds a default
# route, competing with the one from the L2TP client above).
add dhcp-options=hostname,clientid disabled=no interface=ether1-WAN
/ip dhcp-server lease
# One static lease, inside dhcp-pool's range.
add address=192.168.1.32 mac-address=10:BF:48:76:96:C3 server=dhcp-LAN
/ip dhcp-server network
# No dns-server option: what clients receive depends on /ip dns, which does
# not appear in this export — confirm LAN clients can resolve names.
add address=192.168.1.0/24 gateway=192.168.1.1
/ip firewall address-list
# "Office" list of ten LAN hosts. No filter or NAT rule below references it,
# so it is currently unused.
add address=192.168.1.32 list=Office
add address=192.168.1.35 list=Office
add address=192.168.1.46 list=Office
add address=192.168.1.16 list=Office
add address=192.168.1.6 list=Office
add address=192.168.1.2 list=Office
add address=192.168.1.4 list=Office
add address=192.168.1.9 list=Office
add address=192.168.1.11 list=Office
add address=192.168.1.13 list=Office
/ip firewall filter
# REVIEW: the input chain has no drop rule at all. RouterOS passes traffic
# that matches no rule, so the second rule (accept everything arriving on
# ether1-WAN) only makes explicit what already happens: every service that is
# not disabled under /ip service (www and winbox are not listed there, i.e.
# at their enabled defaults) is reachable from the internet. Suggested
# minimum, after an established,related accept:
#   add action=drop chain=input in-interface=ether1-WAN
# with management further limited via address= on each /ip service entry.
add action=accept chain=input protocol=icmp
add action=accept chain=input in-interface=ether1-WAN
# anti-DDoS / anti-BruteForce block: every rule is disabled=yes and no rule
# jumps into the anti-* chains, so this whole section is inert.
add action=drop chain=forward connection-state=new disabled=yes \
src-address-list=BAN-DDoS
add action=return chain=anti-DDoS disabled=yes dst-limit=15,15,src-address/10s
add action=add-src-to-address-list address-list=BAN-DDoS address-list-timeout=\
1d chain=anti-DDoS disabled=yes
add action=drop chain=forward connection-state=new disabled=yes \
src-address-list=BAN-BruteForce-3
add action=return chain=anti-BruteForce-3 disabled=yes dst-limit=\
4/1m,1,src-address/1m40s
add action=add-src-to-address-list address-list=BAN-BruteForce-3 \
address-list-timeout=1d chain=anti-BruteForce-3 disabled=yes
# Teredo / 6to4 blocking, also disabled.
add action=drop chain=forward comment="Teredo TCP" disabled=yes dst-port=3544 \
protocol=tcp
add action=drop chain=forward comment="Teredo UDP" disabled=yes dst-port=3544 \
protocol=udp
add action=drop chain=forward comment=6to4 disabled=yes protocol=ipv6
# Accept forwarded traffic arriving from the tunnel. The forward chain has no
# enabled drop rule either, so this accept changes nothing on its own.
add action=accept chain=forward in-interface=l2tp-out1
add action=accept chain=output disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN
# Port forwards from the internet to LAN hosts, with no source restriction:
#   5577 -> 192.168.1.222:37777, 5578 -> 192.168.1.222:80, 5576 -> 192.168.1.2:80
# Two of the targets are plain HTTP (port 80). action=netmap is used where
# dst-nat is the usual choice for a single-host forward; the result should be
# the same here, but dst-nat reads as intended.
add action=netmap chain=dstnat dst-port=5577 in-interface=ether1-WAN protocol=\
tcp to-addresses=192.168.1.222 to-ports=37777
add action=netmap chain=dstnat dst-port=5578 in-interface=ether1-WAN protocol=\
tcp to-addresses=192.168.1.222 to-ports=80
add action=netmap chain=dstnat dst-port=5576 in-interface=ether1-WAN protocol=\
tcp to-addresses=192.168.1.2 to-ports=80
/ip firewall service-port
# SIP ALG disabled.
set sip disabled=yes
/ip route
# Static route to the office LAN through the tunnel; 10.10.5.99 is the
# local-address of l2tp_profile on the office router (second export in the
# thread). pref-src=192.168.1.1 only helps once that address is on an
# interface that actually carries the LAN (see the /ip address note above).
add distance=1 dst-address=192.168.5.0/24 gateway=10.10.5.99 pref-src=\
192.168.1.1
/ip service
# telnet/ftp/ssh/api/api-ssl are off. www and winbox are not listed, i.e. at
# their defaults (enabled, no address= restriction); together with the open
# input chain they are reachable on ether1-WAN.
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
# Local L2TP account (10.10.10.99 <-> 10.10.10.90). No l2tp-server is enabled
# in this export, so the secret appears unused. Its password equals the
# l2tp-client password above — presumably the poster's mask, confirm.
add local-address=10.10.10.99 name=Zzzzzzzz password=Yyyyyyyyy profile=\
default-encryption remote-address=10.10.10.90 service=l2tp
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=BLHR
/system routerboard settings
set silent-boot=no
[admin@BLHR] >
Почему адрес не на бридже, а на порту?
dmitlit писал(а): ↑21 фев 2020, 17:32
[admin@BLHR] > export
# Quoted excerpt of the BLHR export (the forum quote collapsed it onto one
# line; line breaks restored here). The point being made: ether2 is a port
# of bridge-LAN, yet the LAN address is on ether2 rather than on the bridge.
/interface bridge port
add bridge=bridge-LAN interface=ether2
add bridge=bridge-LAN interface=ether3
add bridge=bridge-LAN interface=ether4
add bridge=bridge-LAN interface=wlan1
/interface list member
add interface=ether1-WAN list=WAN
add interface=bridge-LAN list=LAN
/ip address
# REVIEW: address on a bridge member port; expected interface=bridge-LAN.
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
[admin@BLHR] >
У Вас на схеме я насчитал как минимум 3 WiFi сети, как угадать о каких клиентах идет речь?
RouterOS v6.45.5 (stable)
MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK
MikroTik RouterOS 6.45.5 (c) 1999-2019 http://www.mikrotik.com/
[?] Gives the list of available commands
command [?] Gives help on the command and list of arguments
[Tab] Completes the command/word. If the input is ambiguous,
a second [Tab] gives possible options
/ Move up to base level
.. Move up one level
/command Use command at the base level
(580 messages not shown)
feb/21/2020 19:31:03 system,error,critical login failure for user admin from 194.54.154.193 via web
feb/21/2020 19:31:03 system,error,critical login failure for user user from 194.54.154.193 via web
feb/21/2020 19:31:03 system,error,critical login failure for user user from 194.54.154.193 via web
feb/21/2020 19:31:04 system,error,critical login failure for user from 194.54.154.193 via web
feb/22/2020 10:53:54 system,error,critical router was rebooted without proper shutdown
feb/22/2020 10:53:54 system,error,critical router was rebooted without proper shutdown
feb/22/2020 20:23:50 system,error,critical login failure for user admin from 95.153.131.2 via winbox
feb/24/2020 09:14:49 system,error,critical login failure for user admin from 192.168.5.172 via web
[admin@tst-client-abm] > export
# feb/24/2020 09:34:16 by RouterOS 6.45.5
# software id = PJVS-TDG5
#
# model = 750
# serial number = 4677xxxxxA5D
#
# Export of the office router "tst-client-abm": L2TP server side, LANs
# 192.168.5.0/24 (bridge_int) and 192.168.4.0/24 (bridgefitnes), public /28
# on ether1-WAN, plus a RADIUS-backed hotspot.
# REVIEW: the OVPN/L2TP passwords are only partly masked and the IPsec
# secret, RADIUS secret and SNMP community are printed in full below —
# treat them as disclosed and rotate them.
/interface ovpn-client
# Both OVPN clients are disabled. If re-enabled as they stand, auth=null
# cipher=null means no authentication digest and no data encryption.
add auth=null cipher=null connect-to=vpn0.mywifi.cc disabled=yes mac-address=FE:B9:DB:0B:B1:51 name=ovpn-out1 password=vIfIpxxx user=136
add auth=null cipher=null connect-to=vpn1.mywifi.cc disabled=yes mac-address=FE:CC:8C:3C:23:02 name=ovpn-out2 password=vIfIpxxx user=136
/interface bridge
# bridge_int: main LAN, proxy-arp enabled. bridgefitnes: separate LAN with
# hardware fast-forward disabled.
add arp=proxy-arp name=bridge_int
add fast-forward=no name=bridgefitnes
/interface ethernet
# Explicit advertise lists on all five ports. If this is a 10/100 RB750 the
# 1000M entries cannot take effect — confirm the exact model.
set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=WAN name=ether1-WAN
set [ find default-name=ether2 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=LAN
set [ find default-name=ether3 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether4 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
set [ find default-name=ether5 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface list
# discover: neighbor discovery. mactel / mac-winbox: MAC-telnet and
# MAC-winbox access, both populated with LAN ports only (see
# /interface list member).
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
# Hotspot profile on 192.168.55.1, authenticating via RADIUS (see /radius).
# No 192.168.55.1 address appears under /ip address and the hotspot server
# below has no interface=, so the hotspot looks incomplete — confirm.
set [ find default=yes ] dns-name=local.mywifi.cc hotspot-address=192.168.55.1 http-cookie-lifetime=6h name=hotspot nas-port-type=ethernet use-radius=yes
/ip ipsec policy group
add name=group1
/ip ipsec profile
# REVIEW: modp1024 (DH group 2) is below current recommendations; prefer
# modp2048 or an ECP group, subject to what the L2TP/IPsec clients support.
add dh-group=modp1024 name=profile_1
/ip ipsec peer
# The line below is RouterOS's own note. Plausibly the L2TP server
# (use-ipsec=yes) installs a dynamic peer that shadows this static one —
# verify with /ip ipsec peer print.
# This entry is unreachable
add name=peer1 passive=yes profile=profile_1
/ip ipsec proposal
# REVIEW: the default proposal is pinned to 3des only (64-bit block cipher,
# deprecated). Offer aes-128-cbc / aes-256-cbc as well, matching the clients.
set [ find default=yes ] enc-algorithms=3des
/ip pool
# dhcp_pool_motel (192.168.5.5-245) and dhcp_pool2 (192.168.5.10-254) overlap
# almost entirely and are handed out by different servers on the same L2
# segment (see /ip dhcp-server) — duplicate-address risk.
# vpn_pool (10.10.5.10-98) overlaps the fixed remote-address values of the
# /ppp secret entries (.86-.98); confirm those are excluded from dynamic
# allocation, or end the pool below .86.
add name=dhcp_pool1 ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool_motel ranges=192.168.5.5-192.168.5.245
add name=dhcp ranges=192.168.55.10-192.168.55.254
add name=dhcp_pool2 ranges=192.168.5.10-192.168.5.254
add name=dhcp_pool_fitnes ranges=192.168.4.10-192.168.4.250
add name=vpn_pool ranges=10.10.5.10-10.10.5.98
/ip dhcp-server
# REVIEW: dhcp-server-motel and dhcp2 are both bound to ether5, and ether5 is
# a port of bridge_int, on which dhcp3 also runs — three servers for one
# segment. dhcp1 on ether2 (another bridge_int port) serves 192.168.88.0/24,
# whose router addresses are all disabled under /ip address; servers bound
# to bridge ports are normally flagged invalid — check /ip dhcp-server print.
add address-pool=dhcp_pool1 authoritative=after-2sec-delay interface=ether2 lease-time=1d name=dhcp1
add address-pool=dhcp_pool_motel authoritative=after-2sec-delay interface=ether5 lease-time=1d name=dhcp-server-motel
add address-pool=dhcp_pool_motel authoritative=after-2sec-delay interface=ether5 lease-time=12h name=dhcp2
add address-pool=dhcp authoritative=after-2sec-delay name=dhcp_hotspot
add address-pool=dhcp_pool2 authoritative=after-2sec-delay disabled=no interface=bridge_int lease-time=3d name=dhcp3
add address-pool=dhcp_pool_fitnes authoritative=after-2sec-delay disabled=no interface=bridgefitnes lease-time=3d10m name=dhcp_fitnes
/ip hotspot
# The hotspot server has no interface= in this export — confirm it is bound.
add address-pool=dhcp disabled=no name=hotspot
/ppp profile
# Profile used by the L2TP server. change-tcp-mss=no turns MSS clamping off
# for the tunnel; large TCP segments over L2TP can then be fragmented or
# dropped, a classic cause of "some hosts reachable, others not" — worth
# testing with change-tcp-mss=yes. use-encryption=yes enables MPPE; if
# encryption must be mandatory, use-encryption=required is the setting to
# check (confirm what the peers negotiate).
add change-tcp-mss=no local-address=10.10.5.99 name=l2tp_profile only-one=no remote-address=vpn_pool use-compression=yes use-encryption=yes use-mpls=no \
use-upnp=no
/snmp community
# Community "bee183vr", restricted to the listed source networks. The
# community string is a credential and is printed here in clear.
set [ find default=yes ] addresses=172.30.4.0/22,10.4.150.0/24,10.5.150.0/24,10.6.150.0/24,188.191.24.18/32,193.238.110.142/32,10.255.255.0/24 name=bee183vr
/system logging action
# Memory log keeps only 100 lines (the pasted log shows "580 messages not
# shown"). A remote syslog action would retain the login-failure records
# that the in-memory log rotates away.
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
# ether2, ether4, ether5 -> bridge_int; ether3 -> bridgefitnes (hw offload off).
add bridge=bridge_int interface=ether4
add bridge=bridge_int interface=ether5
add bridge=bridgefitnes hw=no interface=ether3
add bridge=bridge_int interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=discover
/interface l2tp-server server
# REVIEW: use-ipsec=yes makes IPsec optional — a client connecting with plain
# L2TP (as the BLHR l2tp-client in the first export does, having no
# use-ipsec) is accepted unencrypted; use-ipsec=required enforces it.
# ipsec-secret=ZORG is four characters; RouterOS itself flags it under
# /ip ipsec identity. Restricting PPP auth to mschap2 is the right choice.
set authentication=mschap2 default-profile=l2tp_profile enabled=yes ipsec-secret=ZORG use-ipsec=yes
/interface list member
# Two entries below are 'add list=discover' with no interface= — dangling
# members, presumably from deleted interfaces; remove them.
add interface=ether2 list=discover
add interface=ether3 list=discover
add interface=ether4 list=discover
add interface=ether5 list=discover
add list=discover
add interface=bridgefitnes list=discover
add list=discover
add interface=ether5 list=mactel
add interface=ether4 list=mactel
add interface=ether5 list=mac-winbox
add interface=ether3 list=mactel
add interface=ether4 list=mac-winbox
add interface=ether2 list=mactel
add interface=ether3 list=mac-winbox
add interface=ether2 list=mac-winbox
/ip address
# WAN: public /28. 192.168.88.1/24 appears three times (ether2/3/4), all
# disabled — stale quick-set leftovers. The LAN addresses are on the bridges
# themselves (bridge_int, bridgefitnes), which is the correct placement that
# the BLHR export lacks.
add address=193.xxx.xxx.148/28 interface=ether1-WAN network=193.xxx.xxx.144
add address=192.168.88.1/24 disabled=yes interface=ether2 network=192.168.88.0
add address=192.168.5.1/24 interface=bridge_int network=192.168.5.0
add address=192.168.88.1/24 disabled=yes interface=ether3 network=192.168.88.0
add address=192.168.88.1/24 disabled=yes interface=ether4 network=192.168.88.0
add address=192.168.4.1/24 interface=bridgefitnes network=192.168.4.0
/ip dhcp-server network
# The 192.168.88.0/24 network is still defined although every 192.168.88.1
# address is disabled. Hotspot clients are pointed straight at the external
# resolver 77.88.8.8.
add address=192.168.4.0/24 dns-server=192.168.4.1 gateway=192.168.4.1
add address=192.168.5.0/24 dns-server=192.168.5.1 gateway=192.168.5.1
add address=192.168.55.0/24 comment=hotspot dns-server=77.88.8.8 gateway=192.168.55.1
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# REVIEW: allow-remote-requests=yes combined with an input chain that has no
# drop rule (see /ip firewall filter) makes this an open resolver on the
# public address, usable for DNS amplification. Drop udp/tcp dst-port=53
# from ether1-WAN in the input chain.
set allow-remote-requests=yes servers=77.88.8.88,77.88.8.8
/ip firewall filter
# REVIEW: the input chain is two accepts and no drop. RouterOS passes
# whatever matches no rule, so every router service is reachable from
# ether1-WAN — the log excerpt above shows login failures via web and winbox
# from public addresses. The first rule additionally accepts L2TP (udp/1701)
# from any interface with no ipsec-policy match, i.e. plain L2TP from the
# internet. Suggested shape, placed after the established,related accept:
#   add action=accept chain=input in-interface=ether1-WAN protocol=udp dst-port=500,4500,1701
#   add action=accept chain=input in-interface=ether1-WAN protocol=ipsec-esp
#   add action=drop chain=input in-interface=ether1-WAN
# (the two disabled rules further down already express the first two lines).
add action=accept chain=input connection-state=new dst-port=1701 protocol=udp
add action=accept chain=input connection-state=established,related
# The disabled hotspot placeholder rule appears four times across filter and
# nat (re-added by hotspot setup); harmless noise.
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# "Added by webbox" block: the old quick-set firewall, entirely disabled.
add action=accept chain=input comment="Added by webbox" disabled=yes protocol=icmp
add action=accept chain=input comment="Added by webbox" connection-state=established disabled=yes in-interface=ether1-WAN
add action=jump chain=forward comment="Added by webbox" disabled=yes in-interface=ether1-WAN jump-target=customer
add action=accept chain=customer comment="Added by webbox" connection-state=established disabled=yes
add action=accept chain=customer comment="Added by webbox" connection-state=related disabled=yes
add action=drop chain=customer connection-state=invalid disabled=yes
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# Disabled L2TP/IPsec accepts (dst-port= and port= are redundant with each
# other here).
add action=accept chain=input disabled=yes dst-port=1701,500,4500 in-interface=ether1-WAN port=1701,500,4500 protocol=udp
add action=accept chain=input disabled=yes in-interface=ether1-WAN protocol=ipsec-esp
# REVIEW: accept everything forwarded from the WAN; with no forward drop
# rule nothing filters what reaches the dst-nat targets below. The usual
# companion is:
#   add action=drop chain=forward connection-state=new connection-nat-state=!dstnat in-interface=ether1-WAN
add action=accept chain=forward in-interface=ether1-WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# Active masquerade for all traffic leaving ether1-WAN. to-addresses=0.0.0.0
# is a webbox artefact; it should have no effect for masquerade — confirm.
add action=masquerade chain=srcnat comment="Added by webbox" out-interface=ether1-WAN to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=yes out-interface=ether1-WAN src-address=192.168.5.0/24
# ovpn-out1/2 are disabled interfaces, hence RouterOS's "not ready" notes.
# ovpn-out1 not ready
add action=masquerade chain=srcnat out-interface=ovpn-out1
# ovpn-out2 not ready
add action=masquerade chain=srcnat out-interface=ovpn-out2
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat disabled=yes out-interface=ether1-WAN
# Port forwards from the public address, no source restriction:
#   8000 -> 192.168.1.167:8000  (a host on the remote BLHR LAN, reachable only
#                               over the L2TP route to 192.168.1.0/24)
#   5556 -> 192.168.5.172:80
#   5555 -> 192.168.5.172:8291  (winbox on an internal device; logged)
# REVIEW: exposing winbox and HTTP management of an internal device to the
# whole internet is the highest-risk item in this export; limit it with a
# src-address-list of permitted networks or reach it over the VPN instead.
add action=dst-nat chain=dstnat dst-address=193.xxx.xxx.148 dst-port=8000 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.1.167 to-ports=8000
add action=dst-nat chain=dstnat dst-address=193.xxx.xxx.148 dst-port=5556 in-interface=ether1-WAN protocol=tcp to-addresses=192.168.5.172 to-ports=80
add action=masquerade chain=srcnat disabled=yes out-interface=ether1-WAN src-address=10.10.5.0/24
add action=dst-nat chain=dstnat dst-address=193.xxx.xxx.148 dst-port=5555 in-interface=ether1-WAN log=yes protocol=tcp to-addresses=192.168.5.172 to-ports=\
8291
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
/ip hotspot walled-garden ip
# Unauthenticated hotspot clients may reach 188.191.19.246 (also the RADIUS
# host under /radius) and DNS on 77.88.8.8.
add action=accept disabled=no dst-address=188.191.19.246 server=hotspot src-address=192.168.55.0/24
add action=accept disabled=no dst-address=77.88.8.8 dst-port=53 protocol=udp server=hotspot src-address=192.168.55.0/24
/ip ipsec identity
# REVIEW: the PSK "ZORG" (the same value as ipsec-secret on the L2TP server)
# with remote-id=ignore is all that gates IKE from the internet; RouterOS's
# own warning follows. Use a long random PSK and update every L2TP/IPsec
# client accordingly.
# Suggestion to use stronger pre-shared key or different authentication method
add peer=peer1 policy-template-group=group1 remote-id=ignore secret=ZORG
/ip route
# Default route via the ISP gateway (.145 in the /28).
add distance=1 gateway=193.xxx.xxx.145
# gateway=*D is how an export normally prints a reference to an object
# (usually an interface) that no longer exists; this route is dead — remove.
add distance=1 dst-address=10.30.1.0/24 gateway=*D
# Routes to the RADIUS host via 10.255.255.254 / .255. No 10.255.255.0/24
# address appears in this export, so these resolve only if a dynamic
# interface supplies one — check /ip route print for an unreachable flag.
add distance=1 dst-address=188.191.19.246/32 gateway=10.255.255.254
add distance=2 dst-address=188.191.19.246/32 gateway=10.255.255.255
# Site LANs behind the L2TP clients: each gateway is the fixed remote-address
# of a /ppp secret below (10.10.5.96 = ryba, .95 = verdi3kassa,
# .86 = bluhera, i.e. the BLHR router from the first export).
add distance=1 dst-address=192.168.0.0/24 gateway=10.10.5.96 pref-src=192.168.5.1
add disabled=yes distance=1 dst-address=192.168.0.0/24 gateway=10.10.5.95 pref-src=192.168.5.1
add comment="Route to BLUHERA" distance=1 dst-address=192.168.1.0/24 gateway=10.10.5.86 pref-src=192.168.5.1
/ip service
# ssh is moved to 65522 but stays enabled with no address= restriction; www
# and winbox are not listed, i.e. at their enabled defaults. With the open
# input chain all three are exposed on the public address (see the
# login-failure log lines above). Add address=192.168.5.0/24,192.168.4.0/24,
# 10.10.5.0/24 (or a narrower set) to each enabled service.
set telnet disabled=yes
set ftp disabled=yes
set ssh port=65522
set api disabled=yes
set api-ssl disabled=yes
/ip traffic-flow
# NetFlow collection on bridgefitnes; no /ip traffic-flow target appears in
# this export, so nothing receives the flows — confirm.
set interfaces=bridgefitnes
/ip upnp
# REVIEW: UPnP is enabled with ether1-WAN as external and every LAN port as
# internal, so any LAN host can open inbound ports on the public address
# without administrator involvement. Disable unless a specific application
# needs it; if kept, reduce the internal interface list.
set enabled=yes
/ip upnp interfaces
add interface=ether1-WAN type=external
add interface=ether2 type=internal
add interface=ether3 type=internal
add interface=ether4 type=internal
add interface=ether5 type=internal
/ppp secret
# Ten site accounts, each with a fixed remote-address inside vpn_pool. The
# password column shows the same masked value for all ten; if they truly
# share one password, give each site its own so one leak does not expose all.
add local-address=10.10.5.99 name=remote01 password=Axxxxxxx profile=l2tp_profile remote-address=10.10.5.89 service=l2tp
add local-address=10.10.5.99 name=verdirest password=Axxxxxxx profile=l2tp_profile remote-address=10.10.5.97 service=l2tp
add local-address=10.10.5.99 name=gasprem password=Axxxxxxx profile=l2tp_profile remote-address=10.10.5.98 service=l2tp
add local-address=10.10.5.99 name=dom password=Axxxxxxx profile=l2tp_profile remote-address=10.10.5.88 service=l2tp
add local-address=10.10.5.99 name=ryba password=Axxxxxxx profile=l2tp_profile remote-address=10.10.5.96 service=l2tp
add local-address=10.10.5.99 name=verdi3kassa password=Axxxxxxx profile=l2tp_profile remote-address=10.10.5.95 service=l2tp
add local-address=10.10.5.99 name=rybzavod password=Axxxxxxx profile=l2tp_profile remote-address=10.10.5.94 service=l2tp
add local-address=10.10.5.99 name=remote02 password=Axxxxxxx profile=l2tp_profile remote-address=10.10.5.90 service=l2tp
add local-address=10.10.5.99 name=holm password=Axxxxxxx profile=l2tp_profile remote-address=10.10.5.87 service=l2tp
add local-address=10.10.5.99 name=bluhera password=Axxxxxxx profile=l2tp_profile remote-address=10.10.5.86 service=l2tp
/radius
# RADIUS server for the hotspot; the shared secret is printed unmasked in
# this post — rotate it on both ends.
add address=188.191.19.246 secret=lg4tY7cCll23 service=hotspot
/snmp
set contact=noc@mywifi.cc enabled=yes location=tst-client-abm
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system identity
set name=tst-client-abm
/tool graphing interface
# Graphing for all interfaces (no interface= given).
add
/tool mac-server
# MAC-telnet and MAC-winbox limited to the LAN-port lists; ether1-WAN is in
# neither list.
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox
[admin@tst-client-abm] >