
Posted (edited)

Colleagues, I need your help.

The gist of the problem: there are two providers, both of which hand out private ("grey") IPs (say 172.16.0.0/30 and 10.1.2.0/30). Provider 1 has a resource that sits on a public IP but is reachable EXCLUSIVELY from inside its own private network. Provider 2 needs to connect to that service in order to provide its service to me (specifically SIP: pick it up from ISP1 and hand it over to the PBX at ISP2).

Here is what I did:

On the ISP1 interface I enabled masquerade; on the interface facing ISP2 I also enabled masquerade, and I set up port forwarding from my IP 10.1.2.2 to IP 1.2.3.4. I added two default routes, to 172.16.0.1 and 10.1.2.1, with routing marks 1_SIP and 2_SIP respectively, plus a route to 1.2.3.4 via 172.16.0.1. In the firewall mangle table I also added a prerouting rule so that everything destined for 1.2.3.4 is marked 1_SIP.

It seemed like the perfect scheme: both networks are behind NAT, so nobody knows anything except the destination IP. IP-based authentication on the 1.2.3.4 server should work, but! When I try to connect, nothing happens. The MikroTik log dutifully reports that a packet for port 5060 was received from the servers in the 10.0.0.0/24 network and sent on to 1.2.3.4 (the packet counters in the firewall increase as well, all good), but no reply comes back, so the connection is never established. And no packets return from the ISP1 network.

What is wrong, and where should I dig? I have been fighting this for a week and cannot see the answer, which is most likely obvious.

Diagram for clarity:

[attached diagram: post-134883-097852700 1463479074_thumb.jpg]

Edited by dayredo
Posted

Disabled.

Here are the dumps. I removed the irrelevant (disabled) entries so they do not clutter things up. I replaced the IPs with random ones "just in case".

Mapping to the earlier diagram:

Megafon - ISP1

Unitel - ISP2

Routes

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit

0 A S ;;; MegafonSIP

dst-address=0.0.0.0/0 gateway=10.60.217.141 gateway-status=10.60.217.141 on MegafonSIP reachable via 07MegafonSIP distance=1 scope=30 target-scope=10 routing-mark=MegafonSIP

1 ADC dst-address=10.60.217.140/30 pref-src=10.60.217.142 gateway=07MegafonSIP gateway-status=07MegafonSIP reachable distance=0 scope=10 routing-mark=MegafonSIP

2 A S dst-address=83.149.6.36/32 gateway=10.60.217.141 gateway-status=10.60.217.141 on MegafonSIP reachable via 07MegafonSIP distance=1 scope=30 target-scope=10 routing-mark=MegafonSIP

3 A S dst-address=0.0.0.0/0 gateway=113.72.0.193 gateway-status=113.72.0.193 reachable via 04MegafonWAN check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=MegafonWAN

4 A S dst-address=0.0.0.0/0 gateway=85.177.21.245 gateway-status=85.177.21.245 reachable via 01UnitelWAN check-gateway=ping distance=10 scope=30 target-scope=10 routing-mark=office

5 S dst-address=0.0.0.0/0 gateway=113.72.0.193 gateway-status=113.72.0.193 reachable via 04MegafonWAN check-gateway=ping distance=11 scope=30 target-scope=10 routing-mark=office

6 A S dst-address=0.0.0.0/0 gateway=85.177.21.245 gateway-status=85.177.21.245 reachable via 01UnitelWAN check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=UnitelWAN

7 A S dst-address=0.0.0.0/0 gateway=85.177.22.109 gateway-status=85.177.22.109 reachable via 02UnitelWiFi distance=1 scope=30 target-scope=10 routing-mark=Guest

8 A S dst-address=0.0.0.0/0 gateway=113.72.0.193 gateway-status=113.72.0.193 reachable via 04MegafonWAN check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=MegafonWAN1

9 A S dst-address=0.0.0.0/0 gateway=10.65.51.25 gateway-status=10.65.51.25 on UnitelSIP reachable via 08UnitelSIP check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=UnitelSIP

10 A S dst-address=10.1.0.0/16 gateway=10.65.51.25 gateway-status=10.65.51.25 on UnitelSIP reachable via 08UnitelSIP check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=UnitelSIP

11 A S dst-address=10.65.0.0/16 gateway=10.65.51.25 gateway-status=10.65.51.25 on UnitelSIP reachable via 08UnitelSIP check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=UnitelSIP

12 ADC dst-address=10.65.51.24/30 pref-src=10.65.51.26 gateway=08UnitelSIP gateway-status=08UnitelSIP reachable distance=0 scope=10 routing-mark=UnitelSIP

13 S dst-address=83.149.6.36/32 gateway=10.60.217.141 gateway-status=10.60.217.141 on UnitelSIP unreachable distance=1 scope=30 target-scope=10 routing-mark=UnitelSIP

14 A S dst-address=0.0.0.0/0 gateway=85.177.21.245 gateway-status=85.177.21.245 reachable via 01UnitelWAN check-gateway=ping distance=1 scope=30 target-scope=10

16 A S dst-address=8.8.4.4/32 gateway=113.72.0.193 gateway-status=113.72.0.193 reachable via 04MegafonWAN distance=1 scope=30 target-scope=10

17 A S dst-address=8.8.8.8/32 gateway=85.177.21.245 gateway-status=85.177.21.245 reachable via 01UnitelWAN distance=1 scope=30 target-scope=10

18 ADC dst-address=10.0.0.0/24 pref-src=10.0.0.1 gateway=bridge_test gateway-status=bridge_test reachable distance=0 scope=10

19 S dst-address=10.1.0.0/16 gateway=10.65.51.25 gateway-status=10.65.51.25 unreachable check-gateway=ping distance=1 scope=30 target-scope=10

20 S dst-address=10.65.0.0/16 gateway=10.65.51.25 gateway-status=10.65.51.25 unreachable check-gateway=ping distance=1 scope=30 target-scope=10

22 S dst-address=83.149.6.36/32 gateway=10.60.217.141 gateway-status=10.60.217.141 unreachable distance=1 scope=30 target-scope=10

23 ADC dst-address=172.16.9.0/24 pref-src=172.16.9.1 gateway=bridge_guest gateway-status=bridge_guest reachable distance=0 scope=10

24 A S dst-address=172.32.254.0/24 gateway=192.168.6.254 gateway-status=192.168.6.254 reachable via bridge_office distance=1 scope=30 target-scope=10

25 ADC dst-address=85.177.21.244/30 pref-src=85.177.21.246 gateway=01UnitelWAN gateway-status=01UnitelWAN reachable distance=0 scope=10

26 ADC dst-address=85.177.22.108/30 pref-src=85.177.22.110 gateway=02UnitelWiFi gateway-status=02UnitelWiFi reachable distance=0 scope=10

28 ADS dst-address=192.168.4.0/22 gateway=192.168.7.13 gateway-status=192.168.7.13 reachable via <l2tp-arxotech> distance=1 scope=30 target-scope=10

29 S dst-address=192.168.4.0/26 gateway=192.168.4.194 gateway-status=192.168.4.194 unreachable check-gateway=ping distance=1 scope=30 target-scope=10

31 S dst-address=192.168.4.64/26 gateway=192.168.4.195 gateway-status=192.168.4.195 unreachable check-gateway=ping distance=1 scope=30 target-scope=10

32 S dst-address=192.168.4.128/26 gateway=192.168.4.196 gateway-status=192.168.4.196 unreachable check-gateway=ping distance=1 scope=30 target-scope=10

33 DC dst-address=192.168.4.192/26 pref-src=192.168.4.193 gateway=03UnitelVPN gateway-status=03UnitelVPN unreachable distance=255 scope=10

34 ADC dst-address=192.168.6.0/24 pref-src=192.168.6.1 gateway=bridge_office gateway-status=bridge_office reachable distance=0 scope=10

35 ADC dst-address=192.168.7.13/32 pref-src=192.168.7.1 gateway=<l2tp-arxotech> gateway-status=<l2tp-arxotech> reachable distance=0 scope=10

36 ADC dst-address=113.72.0.192/29 pref-src=113.72.0.194 gateway=04MegafonWAN gateway-status=04MegafonWAN reachable distance=0 scope=10

NAT

Flags: X - disabled, I - invalid, D - dynamic

0 chain=srcnat action=accept src-address=192.168.6.0/23 dst-address=192.168.2.0/24 log=no log-prefix=""

1 ;;; Masq to Unitel WAN

chain=srcnat action=masquerade out-interface=01UnitelWAN log=no log-prefix=""

2 ;;; Masq to Unitel WiFi

chain=srcnat action=masquerade out-interface=02UnitelWiFi log=no log-prefix=""

3 ;;; Masq to Megafon WAN

chain=srcnat action=masquerade out-interface=04MegafonWAN log=no log-prefix=""

4 chain=srcnat action=masquerade out-interface=07MegafonSIP log=yes log-prefix="MASQ_07MS"

5 chain=srcnat action=masquerade out-interface=08UnitelSIP log=yes log-prefix="MASQ_08US"

6 ;;; POST

chain=dstnat action=netmap to-addresses=192.168.6.4 protocol=tcp dst-address-list=WAN dst-port=25,465,110,995,143,993,443,80 log=no log-prefix=""

7 chain=dstnat action=netmap to-addresses=192.168.6.254 protocol=tcp dst-address-list=WAN dst-port=1194 log=no log-prefix=""

8 chain=dstnat action=netmap to-addresses=192.168.6.254 protocol=udp dst-address-list=WAN dst-port=1194 log=no log-prefix=""

9 chain=dstnat action=netmap to-addresses=10.60.217.142 protocol=udp in-interface=08UnitelSIP dst-port=5060 log=yes log-prefix="SIP_nat"

10 chain=dstnat action=netmap to-addresses=83.149.6.36 protocol=udp dst-address=10.60.217.142 dst-port=5060 log=yes log-prefix="SIP_nat"

Filter

Flags: X - disabled, I - invalid, D - dynamic

0 D ;;; special dummy rule to show fasttrack counters

chain=forward

1 chain=input action=accept protocol=icmp log=no log-prefix=""

2 chain=forward action=accept protocol=icmp log=no log-prefix=""

3 chain=forward action=drop protocol=tcp src-address=192.168.6.60-192.168.6.69 dst-port=80,443 log=no log-prefix=""

4 chain=forward action=accept src-address=192.168.0.0/22 dst-address=192.168.4.0/22 log=no log-prefix=""

5 chain=forward action=accept src-address=192.168.4.0/26 dst-address=192.168.6.0/23 log=no log-prefix=""

6 chain=forward action=accept src-address=192.168.4.0/22 dst-address=192.168.0.0/22 log=no log-prefix=""

7 chain=forward action=accept src-address=192.168.6.0/23 dst-address=192.168.4.0/26 log=no log-prefix=""

8 chain=output action=accept dst-address=180.164.10.60 log=yes log-prefix="MSK_out"

9 chain=input action=accept src-address=180.164.10.60 log=no log-prefix="MSK"

10 chain=forward action=accept src-address=180.164.10.60 log=no log-prefix="MSK"

11 chain=forward action=accept dst-address=180.164.10.60 log=no log-prefix="MSK"

12 chain=input action=accept protocol=ipsec-esp log=no log-prefix=""

13 chain=input action=accept protocol=udp dst-port=500,1701,4500 log=no log-prefix=""

14 chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

15 chain=forward action=accept connection-state=established,related log=no log-prefix=""

16 chain=input action=fasttrack-connection connection-state=established,related log=no log-prefix=""

17 chain=input action=accept connection-state=established,related log=no log-prefix=""

18 chain=output action=fasttrack-connection log=no log-prefix=""

19 chain=input action=accept connection-state=!invalid in-interface=08UnitelSIP log=yes log-prefix="Unitel_in"

20 chain=forward action=accept connection-state=!invalid in-interface=08UnitelSIP out-interface=07MegafonSIP log=yes log-prefix="Uni_fwd"

21 chain=input action=accept connection-state=!invalid in-interface=07MegafonSIP log=yes log-prefix="Mega_in"

22 chain=forward action=accept connection-state=!invalid in-interface=07MegafonSIP out-interface=08UnitelSIP log=yes log-prefix="Mega_fwd"

23 chain=forward action=accept connection-state=established,related,new in-interface=bridge_guest out-interface=02UnitelWiFi log=no log-prefix=""

24 chain=forward action=accept in-interface=bridge_office out-interface=07MegafonSIP log=no log-prefix=""

25 chain=forward action=accept connection-state=!invalid in-interface=bridge_office out-interface=!02UnitelWiFi log=no log-prefix=""

26 chain=input action=accept connection-state=established,related,new in-interface=bridge_office log=no log-prefix=""

27 chain=forward action=accept in-interface=all-ppp out-interface=!01UnitelWAN log=no log-prefix=""

28 chain=input action=accept in-interface=all-ppp log=no log-prefix=""

29 chain=input action=accept protocol=udp dst-port=67-68 log=no log-prefix=""

30 chain=input action=accept connection-state=!invalid in-interface=03UnitelVPN log=no log-prefix=""

31 chain=forward action=accept connection-state=!invalid in-interface=03UnitelVPN log=no log-prefix=""

32 chain=input action=accept protocol=tcp dst-port=20000 log=no log-prefix=""

33 chain=forward action=accept in-interface=bridge_test out-interface=07MegafonSIP log=no log-prefix=""

34 chain=input action=accept in-interface=bridge_test log=yes log-prefix=""

35 chain=forward action=accept protocol=tcp dst-port=25,465,110,995,143,993,443,80 log=no log-prefix=""

36 chain=input action=drop log=no log-prefix=""

37 chain=forward action=drop log=yes log-prefix="DROP"

Mangle

Flags: X - disabled, I - invalid, D - dynamic

0 D chain=forward action=change-mss new-mss=1410 passthrough=yes tcp-flags=syn protocol=tcp out-interface=all-ppp tcp-mss=1411-65535 log=no log-prefix=""

1 D chain=forward action=change-mss new-mss=1360 passthrough=yes tcp-flags=syn protocol=tcp in-interface=all-ppp tcp-mss=1361-65535 log=no log-prefix=""

2 D ;;; special dummy rule to show fasttrack counters

chain=prerouting

3 D ;;; special dummy rule to show fasttrack counters

chain=forward

4 D ;;; special dummy rule to show fasttrack counters

chain=postrouting

5 chain=prerouting action=mark-routing new-routing-mark=MegafonSIP passthrough=no dst-address=83.149.6.36 log=no log-prefix=""

6 chain=output action=mark-routing new-routing-mark=MegafonSIP passthrough=no dst-address=83.149.6.36 log=no log-prefix=""

9 chain=prerouting action=mark-routing new-routing-mark=office passthrough=no src-address=192.168.6.0/24 dst-address-list=!LocalNet log=no log-prefix=""

10 chain=prerouting action=mark-routing new-routing-mark=Guest passthrough=no src-address=172.16.9.0/24 log=no log-prefix=""

11 chain=input action=mark-connection new-connection-mark=UnitelWAN passthrough=no dst-address=85.177.21.246 in-interface=01UnitelWAN log=no log-prefix=""

12 chain=output action=mark-routing new-routing-mark=UnitelWAN passthrough=no connection-mark=UnitelWAN log=no log-prefix=""

13 chain=input action=mark-connection new-connection-mark=MegafonWAN passthrough=no dst-address=113.72.0.196 in-interface=04MegafonWAN log=no log-prefix=""

14 chain=output action=mark-routing new-routing-mark=MegafonWAN passthrough=no connection-mark=MegafonWAN log=no log-prefix=""

15 chain=input action=mark-connection new-connection-mark=MegafonSIP passthrough=no dst-address=10.60.217.142 in-interface=07MegafonSIP log=no log-prefix=""

16 chain=output action=mark-routing new-routing-mark=MegafonSIP passthrough=no connection-mark=MegafonSIP log=no log-prefix=""

17 chain=input action=mark-connection new-connection-mark=UnitelSIP passthrough=no dst-address=10.65.51.26 in-interface=08UnitelSIP log=no log-prefix=""

18 chain=output action=mark-routing new-routing-mark=UnitelSIP passthrough=no connection-mark=UnitelSIP log=no log-prefix=""
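Added example, not the original poster's configuration: a minimal RouterOS v6 export for the topology described in the first post (two grey /30 uplinks, a SIP resource at 1.2.3.4 that is reachable only from ISP1, and a PBX at ISP2 that must reach it through the router). The interface names ether1-isp1 and ether2-isp2, the address list sip_peers_isp2 with 10.1.0.0/16, and the mark names sip_via_isp2 and to_isp2 are assumptions. Two things visible in the dumps above shape it. First, the connected routes of 07MegafonSIP and 08UnitelSIP carry routing marks (routes 1 and 12), while the 83.149.6.36/32 route in the main table (22) and in the UnitelSIP table (13), and the 10.1.0.0/16 and 10.65.0.0/16 routes in the main table (19, 20), all show gateway-status unreachable and no A flag; an inactive route is never used, so such packets are routed by whichever default route does match, not by the route the author intended. The example therefore keeps both uplinks and the 1.2.3.4 route in the main table and uses a routing mark only for the return leg, where the destination is a private address in ISP2's network that the main table cannot know. Second, filter rules 19 and 21 accept any non-invalid input from both SIP uplinks, which exposes every service on the router itself to the two provider networks; the example accepts only established/related traffic on input and limits new forward flows between the providers to the one NATed SIP connection.

```routeros
# Added example (not the poster's config). RouterOS v6 syntax.
# Assumed: interfaces ether1-isp1 / ether2-isp2, PBX range 10.1.0.0/16,
# marks sip_via_isp2 / to_isp2. Addresses are the ones from the first post.

/ip address
add address=172.16.0.2/30 interface=ether1-isp1 comment="ISP1 grey uplink"
add address=10.1.2.2/30 interface=ether2-isp2 comment="ISP2 grey uplink"

/ip firewall address-list
add list=sip_peers_isp2 address=10.1.0.0/16 comment="ISP2 PBX range (assumed)"

/ip route
# Both uplinks live in the main table; the ISP1-only resource is pinned to ISP1.
add dst-address=1.2.3.4/32 gateway=172.16.0.1 comment="SIP resource, ISP1 only"
# Used only for replies to the PBX, selected by the routing mark set in mangle.
add dst-address=0.0.0.0/0 gateway=10.1.2.1 routing-mark=to_isp2 check-gateway=ping

/ip firewall mangle
# Tag the SIP connection once, on its first packet from ISP2 (before dst-nat runs).
add chain=prerouting in-interface=ether2-isp2 protocol=udp dst-port=5060 \
    connection-state=new action=mark-connection new-connection-mark=sip_via_isp2 \
    passthrough=yes
# Replies from 1.2.3.4 belong to the tagged connection; after un-NAT their
# destination is the PBX inside ISP2's private space, so route them via ISP2.
add chain=prerouting in-interface=ether1-isp1 connection-mark=sip_via_isp2 \
    action=mark-routing new-routing-mark=to_isp2 passthrough=no

/ip firewall nat
# Only SIP from the ISP2 peers is forwarded, and only to the one resource.
add chain=dstnat in-interface=ether2-isp2 protocol=udp dst-port=5060 \
    src-address-list=sip_peers_isp2 action=dst-nat to-addresses=1.2.3.4
# Source NAT per uplink: 1.2.3.4 sees 172.16.0.2, the PBX sees 10.1.2.2.
add chain=srcnat out-interface=ether1-isp1 action=masquerade
add chain=srcnat out-interface=ether2-isp2 action=masquerade

/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# The router offers no service to either provider network, so nothing new on input.
add chain=input in-interface=ether1-isp1 action=drop log=yes log-prefix="isp1_in_drop"
add chain=input in-interface=ether2-isp2 action=drop log=yes log-prefix="isp2_in_drop"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Forward filter runs after dst-nat, so the destination is already 1.2.3.4 here.
add chain=forward in-interface=ether2-isp2 out-interface=ether1-isp1 protocol=udp \
    dst-address=1.2.3.4 dst-port=5060 connection-state=new action=accept
# Any other new flow between the two providers is dropped and logged.
add chain=forward in-interface=ether2-isp2 out-interface=ether1-isp1 action=drop \
    log=yes log-prefix="sip_fwd_drop"
add chain=forward in-interface=ether1-isp1 out-interface=ether2-isp2 action=drop \
    log=yes log-prefix="sip_fwd_drop"
```

To check the path, use /ip firewall connection print where dst-address~"1.2.3.4" (the entry should carry the sip_via_isp2 mark and both translations), /ip route print where routing-mark=to_isp2 (the default must show the A flag, otherwise replies fall back to the main table's default), and /tool sniffer quick interface=ether1-isp1 port=5060 to see whether 1.2.3.4 answers at all. Like the thread, this covers SIP signaling on 5060 only; RTP media through NAT additionally relies on the sip entry in /ip firewall service-port, which RouterOS enables by default.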

Posted
"I replaced the IPs with random ones 'just in case'"

So you dumped raw prints, dynamic entries included, instead of a refined configuration export limited to the problematic part (without the wagonload of marked default routes into public networks and the pile of routes to those same public addresses, going through interfaces that are not even on the diagram), replaced the "grey" addressing "just in case" (in case of what?), and now we are expected to somehow digest all of this by guessing which few lines of config correspond to the diagram? O_o
