johnfx Posted April 27, 2015 (edited) · Report post Здравтвуйте! есть серая сеть, есть пул белых ip, шлюз для них, авторизация серых проиходит на другом железе, на микротике нужно реализовать только nat, т.е. на входе 10.220.0.0/18, транслируюрся в пул белых 188.х.х.0/24 и выходят наружу через 141.х.х.х вот конфиг, но что-то тут явно не так... # /interface bonding add link-monitoring=none mode=802.3ad name=bo-ex slaves=ether1,ether2,ether3,ether4 add link-monitoring=none mode=802.3ad name=bo-loc slaves=ether5,ether6,ether7,ether8 /interface vlan add interface=bo-loc name=vlan-800-bo-loc vlan-id=800 add interface=bo-loc name=vlan-3800-bo-loc vlan-id=3800 add interface=bo-ex name=vlan-3900-bo-ex vlan-id=3900 /ip address add address=10.220.0.0/18 interface=bo-loc network=10.220.0.0 add address=188.x.x.x/24 interface=bo-ex network=188.x.x.0 add address=172.18.0.100/24 interface=vlan-800-bo-loc network=172.18.0.0 add address=141.x.x.122/30 interface=vlan-3800-bo-loc network=141.x.x.120 add address=141.x.x.126/30 interface=vlan-3900-bo-ex network=141.x.x.124 /ip firewall address-list add address=10.220.0.0/18 list=p-108 add address=188.x.x.0/24 list=p-108 /ip firewall filter add chain=input connection-state=established,related add chain=input src-address-list=p-108 add chain=input src-address=172.18.0.0/16 add chain=input src-address=192.168.0.0/16 add action=drop chain=input add chain=forward connection-state=established,related add chain=forward src-address-list=p-108 add chain=forward src-address=172.18.0.0/16 add action=drop chain=forward /ip firewall mangle add action=mark-connection chain=prerouting log=yes new-connection-mark=c-108 src-address-list=p-108 add action=mark-packet chain=prerouting connection-mark=c-108 new-packet-mark=p-108 add action=mark-routing chain=prerouting new-routing-mark=r-108 src-address-list=p-108 add action=mark-routing chain=prerouting dst-address-list=p-108 new-routing-mark=r-108 add action=mark-routing chain=prerouting disabled=yes new-routing-mark=r-107 src-address-list=p-107 add action=mark-routing chain=prerouting disabled=yes dst-address-list=p-107 new-routing-mark=r-107 /ip firewall nat add action=src-nat chain=srcnat comment=108 out-interface=vlan-3900-bo-ex src-address-list=p-108 to-addresses=188.x.x.0/24 add action=masquerade chain=srcnat out-interface=vlan-3900-bo-ex /ip firewall service-port set ftp disabled=yes /ip route add distance=1 gateway=141.x.x.125 routing-mark=r-108 add disabled=yes distance=1 gateway=141.x.x.125 routing-mark=r-108 add distance=5 gateway=172.18.0.1 Edited April 27, 2015 by johnfx Share this post Link to post Share on other sites
