Добрый день!
Имеем три устройства
1. Микротик + модем МТС
2. Микротик + модем мегафон
3. Микротик 3011, по которому в первый порт заходит МТС, а во второй порт заходит мегафон
Все девайсы имеют прошивку 7.10.2
Настроена балансировка pcc
Но есть проблема. С МТС sip- телефония работает, а с мегафона не проходят звонки.
Никак не могу заставить, чтобы с определенных айпи адресов выходило через МТС, а не хаотично.
И второй вопрос, как сделать, чтобы сип аппараты автоматом добавлялись в address list?
Я так понимаю, что надо сделать правило, которое смотрит, какое устройство полезло по порту 5060 и автоматом добавилось в address list.
2 провайдера + привязка sip к первому
-
Illinory
- Сообщения: 100
- Зарегистрирован: 23 окт 2019, 15:08
Примерно так:
Код: Выделить всё
/ip firewall filter add action=add-src-to-address-list address-list=VoIP address-list-timeout=1h chain=forward dst-port=5060 protocol=udp-
pminaeff
- Сообщения: 7
- Зарегистрирован: 11 авг 2023, 11:56
Что-то не создается список.Illinory писал(а): ↑11 авг 2023, 18:42Примерно так:А как прибить определенный список к правильному Uplink-у почти в каждом мане про балансировку есть.Код: Выделить всё
/ip firewall filter add action=add-src-to-address-list address-list=VoIP address-list-timeout=1h chain=forward dst-port=5060 protocol=udp
Может быть выложить мой конфиг?
-
Illinory
- Сообщения: 100
- Зарегистрирован: 23 окт 2019, 15:08
Может у Вас TCP на VoIP?
Или порт другой.
Или порт другой.
-
pminaeff
- Сообщения: 7
- Зарегистрирован: 11 авг 2023, 11:56
Спасибо большое!
TCP был. Теперь никак не могу заставить аппараты ходить по определенному каналу.
Толи я маркирую не так, толи приоритет правил не верный(((
Плюс еще проблема возникла с пробросом рдп порта.
До вчерашнего дня все работало, а теперь когда работают два провайдера, то не работают проброс. Если отключить мегафон, то все работает
TCP был. Теперь никак не могу заставить аппараты ходить по определенному каналу.
Толи я маркирую не так, толи приоритет правил не верный(((
Плюс еще проблема возникла с пробросом рдп порта.
До вчерашнего дня все работало, а теперь когда работают два провайдера, то не работают проброс. Если отключить мегафон, то все работает
-
pminaeff
- Сообщения: 7
- Зарегистрирован: 11 авг 2023, 11:56
# 2023-08-14 23:04:39 by RouterOS 7.10.2
# software id = DYKJ-KK3J
#
# model = RB3011UiAS
# serial number = E7E90F9B7B0F
/interface bridge
add admin-mac=DC:2C:6E:22:97:F2 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=MTS
set [ find default-name=ether2 ] name=OPSOS2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/routing table
add disabled=no fib name=to_MTS
add disabled=no fib name=to_OPSOS2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=MTS list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
192.168.0.0
/ip dhcp-client
add add-default-route=no comment=defconf interface=MTS use-peer-dns=no \
use-peer-ntp=no
add add-default-route=no interface=OPSOS2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.0.102 client-id=1:1c:c1
e6:d0:7e comment=ESXI \
mac-address=1C:C1:DE:E6:D0:7E server=defconf
add address=192.168.0.251 client-id=1:a8:a1:59:72:d2:83 comment=AST \
mac-address=A8:A1:59:72:D2:83 server=defconf
add address=192.168.0.54 client-id=1:0:c:29:a9:46:0 comment=nextcloud \
mac-address=00:0C:29:A9:46:00 server=defconf
add address=192.168.0.231 client-id=1:0:25:90:63:3c:b1 mac-address=\
00:25:90:63:3C:B1 server=defconf
add address=192.168.0.137 client-id=1:ac:b9:2f:38:b3:6d comment=hikvision \
mac-address=AC:B9:2F:38:B3:6D server=defconf
add address=192.168.0.175 client-id=1:7c:10:c9:20:a0:ec mac-address=\
7C:10:C9:20:A0:EC server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=\
192.168.0.1
/ip dns
set allow-remote-requests=yes servers=77.88.8.8,77.88.8.1
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.0.253 list=OUT2
add address=192.168.0.251 list=OUT2
add address=192.168.0.236 list=OUT2
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
add action=add-dst-to-address-list address-list=MTS address-list-timeout=\
none-dynamic chain=forward disabled=yes port=5060 protocol=tcp
add action=add-src-to-address-list address-list=SIP address-list-timeout=18h \
chain=forward dst-port=5060 protocol=tcp
add action=add-src-to-address-list address-list=SIP address-list-timeout=18h \
chain=forward dst-port=5060 protocol=udp
/ip firewall mangle
add action=accept chain=prerouting comment=Accept dst-address=192.168.99.0/24
add action=accept chain=prerouting dst-address=192.168.77.0/24
add action=accept chain=prerouting dst-address=192.168.0.0/24
add action=mark-routing chain=prerouting disabled=yes dst-address-list=MTS \
new-routing-mark=to_MTS passthrough=yes
add action=mark-connection chain=prerouting comment=\
"\CF\D0\C8\C2\DF\C7\CA\C0 \CA \CE\CF\D1\CE\D1\D3" connection-mark=no-mark \
disabled=yes new-connection-mark=OPSOS2_input passthrough=yes \
src-address-list=SIP
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes new-connection-mark=OPSOS2_input passthrough=yes src-address-list=\
OUT2
add action=mark-routing chain=prerouting connection-mark=OPSOS2_input \
disabled=yes new-routing-mark=to_OPSOS2 passthrough=yes src-address=\
192.168.0.0/24
add action=mark-connection chain=input comment=Input in-interface=MTS \
new-connection-mark=MTS_input passthrough=yes
add action=mark-connection chain=input in-interface=OPSOS2 \
new-connection-mark=OPSOS2_input passthrough=yes
add action=mark-connection chain=prerouting comment="Mark Connection" \
in-interface=MTS new-connection-mark=MTS_input passthrough=yes
add action=mark-connection chain=prerouting in-interface=OPSOS2 \
new-connection-mark=OPSOS2_input passthrough=yes
add action=mark-connection chain=prerouting comment=PCC dst-address-type=\
local in-interface=bridge new-connection-mark=MTS_input passthrough=yes \
per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting dst-address-type=local \
in-interface=bridge new-connection-mark=OPSOS2_input passthrough=yes \
per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment=Output connection-mark=\
MTS_input new-routing-mark=to_MTS passthrough=yes
add action=mark-routing chain=prerouting connection-mark=OPSOS2_input \
new-routing-mark=to_OPSOS2 passthrough=yes
add action=mark-routing chain=prerouting comment="mark routing" \
connection-mark=MTS_input in-interface=bridge new-routing-mark=to_MTS \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=OPSOS2_input \
in-interface=bridge new-routing-mark=to_OPSOS2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=47911 protocol=tcp to-addresses=\
192.168.0.231 to-ports=3389
/ip firewall service-port
set ftp disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.99.1 routing-table=main \
suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.77.1 routing-table=main \
suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-name=Europe/Moscow
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# software id = DYKJ-KK3J
#
# model = RB3011UiAS
# serial number = E7E90F9B7B0F
/interface bridge
add admin-mac=DC:2C:6E:22:97:F2 auto-mac=no comment=defconf name=bridge
/interface ethernet
set [ find default-name=ether1 ] name=MTS
set [ find default-name=ether2 ] name=OPSOS2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/port
set 0 name=serial0
/routing table
add disabled=no fib name=to_MTS
add disabled=no fib name=to_OPSOS2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9
add bridge=bridge comment=defconf ingress-filtering=no interface=ether10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=MTS list=WAN
/interface ovpn-server server
set auth=sha1,md5
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
192.168.0.0
/ip dhcp-client
add add-default-route=no comment=defconf interface=MTS use-peer-dns=no \
use-peer-ntp=no
add add-default-route=no interface=OPSOS2 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.0.102 client-id=1:1c:c1
e6:d0:7e comment=ESXI \mac-address=1C:C1:DE:E6:D0:7E server=defconf
add address=192.168.0.251 client-id=1:a8:a1:59:72:d2:83 comment=AST \
mac-address=A8:A1:59:72:D2:83 server=defconf
add address=192.168.0.54 client-id=1:0:c:29:a9:46:0 comment=nextcloud \
mac-address=00:0C:29:A9:46:00 server=defconf
add address=192.168.0.231 client-id=1:0:25:90:63:3c:b1 mac-address=\
00:25:90:63:3C:B1 server=defconf
add address=192.168.0.137 client-id=1:ac:b9:2f:38:b3:6d comment=hikvision \
mac-address=AC:B9:2F:38:B3:6D server=defconf
add address=192.168.0.175 client-id=1:7c:10:c9:20:a0:ec mac-address=\
7C:10:C9:20:A0:EC server=defconf
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf dns-server=192.168.0.1 gateway=\
192.168.0.1
/ip dns
set allow-remote-requests=yes servers=77.88.8.8,77.88.8.1
/ip dns static
add address=192.168.0.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.0.253 list=OUT2
add address=192.168.0.251 list=OUT2
add address=192.168.0.236 list=OUT2
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" disabled=yes \
dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
add action=add-dst-to-address-list address-list=MTS address-list-timeout=\
none-dynamic chain=forward disabled=yes port=5060 protocol=tcp
add action=add-src-to-address-list address-list=SIP address-list-timeout=18h \
chain=forward dst-port=5060 protocol=tcp
add action=add-src-to-address-list address-list=SIP address-list-timeout=18h \
chain=forward dst-port=5060 protocol=udp
/ip firewall mangle
add action=accept chain=prerouting comment=Accept dst-address=192.168.99.0/24
add action=accept chain=prerouting dst-address=192.168.77.0/24
add action=accept chain=prerouting dst-address=192.168.0.0/24
add action=mark-routing chain=prerouting disabled=yes dst-address-list=MTS \
new-routing-mark=to_MTS passthrough=yes
add action=mark-connection chain=prerouting comment=\
"\CF\D0\C8\C2\DF\C7\CA\C0 \CA \CE\CF\D1\CE\D1\D3" connection-mark=no-mark \
disabled=yes new-connection-mark=OPSOS2_input passthrough=yes \
src-address-list=SIP
add action=mark-connection chain=prerouting connection-mark=no-mark disabled=\
yes new-connection-mark=OPSOS2_input passthrough=yes src-address-list=\
OUT2
add action=mark-routing chain=prerouting connection-mark=OPSOS2_input \
disabled=yes new-routing-mark=to_OPSOS2 passthrough=yes src-address=\
192.168.0.0/24
add action=mark-connection chain=input comment=Input in-interface=MTS \
new-connection-mark=MTS_input passthrough=yes
add action=mark-connection chain=input in-interface=OPSOS2 \
new-connection-mark=OPSOS2_input passthrough=yes
add action=mark-connection chain=prerouting comment="Mark Connection" \
in-interface=MTS new-connection-mark=MTS_input passthrough=yes
add action=mark-connection chain=prerouting in-interface=OPSOS2 \
new-connection-mark=OPSOS2_input passthrough=yes
add action=mark-connection chain=prerouting comment=PCC dst-address-type=\
local in-interface=bridge new-connection-mark=MTS_input passthrough=yes \
per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting dst-address-type=local \
in-interface=bridge new-connection-mark=OPSOS2_input passthrough=yes \
per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting comment=Output connection-mark=\
MTS_input new-routing-mark=to_MTS passthrough=yes
add action=mark-routing chain=prerouting connection-mark=OPSOS2_input \
new-routing-mark=to_OPSOS2 passthrough=yes
add action=mark-routing chain=prerouting comment="mark routing" \
connection-mark=MTS_input in-interface=bridge new-routing-mark=to_MTS \
passthrough=yes
add action=mark-routing chain=prerouting connection-mark=OPSOS2_input \
in-interface=bridge new-routing-mark=to_OPSOS2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat dst-port=47911 protocol=tcp to-addresses=\
192.168.0.231 to-ports=3389
/ip firewall service-port
set ftp disabled=yes
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.99.1 routing-table=main \
suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.77.1 routing-table=main \
suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-name=Europe/Moscow
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN