NAT for two providers

Colleagues, I need your help.

The gist: there are two providers that hand out gray (private) IPs (say, 172.16.0.0/30 & 10.1.2.0/30). Provider 1 has a resource that sits on an external IP but is reachable EXCLUSIVELY through its own gray network. Provider 2 needs to connect to that service in order to provide me its services (specifically SIP: pick it up from ISP1 and redirect it to ISP2's PBX).

Here is what I did:

On the ISP1 interface I set up masquerade, on the interface facing ISP2 I also put masquerade, and made a port forward from my IP 10.1.2.2 to IP 1.2.3.4. I configured two default routes, to 172.16.0.1 and 10.1.2.1, with routing marks 1_SIP and 2_SIP respectively, and also a route to 1.2.3.4 via 172.16.0.1. In the firewall mangle I also added a prerouting rule that marks everything going to 1.2.3.4 as 1_SIP.

It would seem an ideal scheme: both networks are behind NAT -> nobody knows anything except the final IP. IP-based authentication on the server 1.2.3.4 should work, but! When I try to connect, nothing happens. In the logs MikroTik dutifully reports that a packet for port 5060 was received from servers in the 10.0.0.0/24 network and sent to 1.2.3.4 (the packet counters in the firewall increase too, all good), but there is no response, so the connection is not established. And no packets come back from the ISP1 network.

What is wrong, and where should I dig? I've been fighting this for a week and don't see the answer, which is probably obvious.

Diagram (attached image: post-134883-097852700 1463479074_thumb.jpg)

Edited by dayredo

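The scheme from the question, written out as a RouterOS v6 script with the placeholder addresses given there (172.16.0.0/30, 10.1.2.0/30, 1.2.3.4, 10.1.2.2). This is an added example, not the poster's configuration: the interface names ether1-isp1/ether2-isp2, the mark names sip_fwd/via_isp1/via_isp2 and the filter rules are assumptions. It differs from the description in one point: the connection is marked on its first inbound packet rather than by the post-NAT destination 1.2.3.4, because mangle prerouting runs before dst-nat.

```routeros
# Added example (not the poster's config). RouterOS v6 syntax, placeholder
# addresses from the question; interface and mark names are assumed.
# ISP1 link: 172.16.0.0/30 (router .2, gateway .1); ISP2 link: 10.1.2.0/30
# (router .2, gateway .1); ISP1's SIP server: 1.2.3.4; ISP2's PBX is behind 10.1.2.1.
/ip address
add address=172.16.0.2/30 interface=ether1-isp1
add address=10.1.2.2/30 interface=ether2-isp2

/ip firewall mangle
# Mark the SIP connection on its FIRST packet, while the destination is still
# the router's own 10.1.2.2: mangle prerouting runs before dst-nat, so a rule
# matching dst-address=1.2.3.4 here would never see the inbound packet.
add chain=prerouting in-interface=ether2-isp2 protocol=udp dst-address=10.1.2.2 \
    dst-port=5060 connection-state=new action=mark-connection \
    new-connection-mark=sip_fwd passthrough=yes
# Forward direction (arriving from ISP2) leaves via ISP1; replies (arriving
# from ISP1) go back via ISP2. Both directions are decided by the connection mark.
add chain=prerouting connection-mark=sip_fwd in-interface=ether2-isp2 \
    action=mark-routing new-routing-mark=via_isp1 passthrough=no
add chain=prerouting connection-mark=sip_fwd in-interface=ether1-isp1 \
    action=mark-routing new-routing-mark=via_isp2 passthrough=no

/ip firewall nat
# Hand the PBX's SIP traffic to ISP1's server; masquerade on both uplinks so
# each provider only ever sees the router's own gray address on its link.
add chain=dstnat in-interface=ether2-isp2 protocol=udp dst-address=10.1.2.2 \
    dst-port=5060 action=dst-nat to-addresses=1.2.3.4
add chain=srcnat out-interface=ether1-isp1 action=masquerade
add chain=srcnat out-interface=ether2-isp2 action=masquerade

/ip route
# One default route per marked table; v6 falls back to main when a marked
# table has no matching route, and the gateways resolve via the connected routes.
add dst-address=0.0.0.0/0 gateway=172.16.0.1 routing-mark=via_isp1
add dst-address=0.0.0.0/0 gateway=10.1.2.1 routing-mark=via_isp2

/ip firewall filter
# Least privilege between the two uplinks: only the marked SIP connection
# (and its replies) may cross from ISP2 to ISP1.
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=ether2-isp2 out-interface=ether1-isp1 \
    connection-mark=sip_fwd action=accept
add chain=forward in-interface=ether2-isp2 out-interface=ether1-isp1 action=drop
```

The SIP helper under /ip firewall service-port also rewrites SIP/SDP addresses on NATed connections; if signalling passes but media does not, check its effect first.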

Disabled.

Here are the printouts. I removed the inactive (disabled) entries so they don't clutter things up. I replaced the IPs with random ones "just in case".

Correspondence with the earlier diagram:

Megafon - ISP1

Unitel - ISP2

Routes

Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit

0 A S ;;; MegafonSIP

dst-address=0.0.0.0/0 gateway=10.60.217.141 gateway-status=10.60.217.141 on MegafonSIP reachable via 07MegafonSIP distance=1 scope=30 target-scope=10 routing-mark=MegafonSIP

1 ADC dst-address=10.60.217.140/30 pref-src=10.60.217.142 gateway=07MegafonSIP gateway-status=07MegafonSIP reachable distance=0 scope=10 routing-mark=MegafonSIP

2 A S dst-address=83.149.6.36/32 gateway=10.60.217.141 gateway-status=10.60.217.141 on MegafonSIP reachable via 07MegafonSIP distance=1 scope=30 target-scope=10 routing-mark=MegafonSIP

3 A S dst-address=0.0.0.0/0 gateway=113.72.0.193 gateway-status=113.72.0.193 reachable via 04MegafonWAN check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=MegafonWAN

4 A S dst-address=0.0.0.0/0 gateway=85.177.21.245 gateway-status=85.177.21.245 reachable via 01UnitelWAN check-gateway=ping distance=10 scope=30 target-scope=10 routing-mark=office

5 S dst-address=0.0.0.0/0 gateway=113.72.0.193 gateway-status=113.72.0.193 reachable via 04MegafonWAN check-gateway=ping distance=11 scope=30 target-scope=10 routing-mark=office

6 A S dst-address=0.0.0.0/0 gateway=85.177.21.245 gateway-status=85.177.21.245 reachable via 01UnitelWAN check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=UnitelWAN

7 A S dst-address=0.0.0.0/0 gateway=85.177.22.109 gateway-status=85.177.22.109 reachable via 02UnitelWiFi distance=1 scope=30 target-scope=10 routing-mark=Guest

8 A S dst-address=0.0.0.0/0 gateway=113.72.0.193 gateway-status=113.72.0.193 reachable via 04MegafonWAN check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=MegafonWAN1

9 A S dst-address=0.0.0.0/0 gateway=10.65.51.25 gateway-status=10.65.51.25 on UnitelSIP reachable via 08UnitelSIP check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=UnitelSIP

10 A S dst-address=10.1.0.0/16 gateway=10.65.51.25 gateway-status=10.65.51.25 on UnitelSIP reachable via 08UnitelSIP check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=UnitelSIP

11 A S dst-address=10.65.0.0/16 gateway=10.65.51.25 gateway-status=10.65.51.25 on UnitelSIP reachable via 08UnitelSIP check-gateway=ping distance=1 scope=30 target-scope=10 routing-mark=UnitelSIP

12 ADC dst-address=10.65.51.24/30 pref-src=10.65.51.26 gateway=08UnitelSIP gateway-status=08UnitelSIP reachable distance=0 scope=10 routing-mark=UnitelSIP

13 S dst-address=83.149.6.36/32 gateway=10.60.217.141 gateway-status=10.60.217.141 on UnitelSIP unreachable distance=1 scope=30 target-scope=10 routing-mark=UnitelSIP

14 A S dst-address=0.0.0.0/0 gateway=85.177.21.245 gateway-status=85.177.21.245 reachable via 01UnitelWAN check-gateway=ping distance=1 scope=30 target-scope=10

16 A S dst-address=8.8.4.4/32 gateway=113.72.0.193 gateway-status=113.72.0.193 reachable via 04MegafonWAN distance=1 scope=30 target-scope=10

17 A S dst-address=8.8.8.8/32 gateway=85.177.21.245 gateway-status=85.177.21.245 reachable via 01UnitelWAN distance=1 scope=30 target-scope=10

18 ADC dst-address=10.0.0.0/24 pref-src=10.0.0.1 gateway=bridge_test gateway-status=bridge_test reachable distance=0 scope=10

19 S dst-address=10.1.0.0/16 gateway=10.65.51.25 gateway-status=10.65.51.25 unreachable check-gateway=ping distance=1 scope=30 target-scope=10

20 S dst-address=10.65.0.0/16 gateway=10.65.51.25 gateway-status=10.65.51.25 unreachable check-gateway=ping distance=1 scope=30 target-scope=10

22 S dst-address=83.149.6.36/32 gateway=10.60.217.141 gateway-status=10.60.217.141 unreachable distance=1 scope=30 target-scope=10

23 ADC dst-address=172.16.9.0/24 pref-src=172.16.9.1 gateway=bridge_guest gateway-status=bridge_guest reachable distance=0 scope=10

24 A S dst-address=172.32.254.0/24 gateway=192.168.6.254 gateway-status=192.168.6.254 reachable via bridge_office distance=1 scope=30 target-scope=10

25 ADC dst-address=85.177.21.244/30 pref-src=85.177.21.246 gateway=01UnitelWAN gateway-status=01UnitelWAN reachable distance=0 scope=10

26 ADC dst-address=85.177.22.108/30 pref-src=85.177.22.110 gateway=02UnitelWiFi gateway-status=02UnitelWiFi reachable distance=0 scope=10

28 ADS dst-address=192.168.4.0/22 gateway=192.168.7.13 gateway-status=192.168.7.13 reachable via <l2tp-arxotech> distance=1 scope=30 target-scope=10

29 S dst-address=192.168.4.0/26 gateway=192.168.4.194 gateway-status=192.168.4.194 unreachable check-gateway=ping distance=1 scope=30 target-scope=10

31 S dst-address=192.168.4.64/26 gateway=192.168.4.195 gateway-status=192.168.4.195 unreachable check-gateway=ping distance=1 scope=30 target-scope=10

32 S dst-address=192.168.4.128/26 gateway=192.168.4.196 gateway-status=192.168.4.196 unreachable check-gateway=ping distance=1 scope=30 target-scope=10

33 DC dst-address=192.168.4.192/26 pref-src=192.168.4.193 gateway=03UnitelVPN gateway-status=03UnitelVPN unreachable distance=255 scope=10

34 ADC dst-address=192.168.6.0/24 pref-src=192.168.6.1 gateway=bridge_office gateway-status=bridge_office reachable distance=0 scope=10

35 ADC dst-address=192.168.7.13/32 pref-src=192.168.7.1 gateway=<l2tp-arxotech> gateway-status=<l2tp-arxotech> reachable distance=0 scope=10

36 ADC dst-address=113.72.0.192/29 pref-src=113.72.0.194 gateway=04MegafonWAN gateway-status=04MegafonWAN reachable distance=0 scope=10

NAT

Flags: X - disabled, I - invalid, D - dynamic

0 chain=srcnat action=accept src-address=192.168.6.0/23 dst-address=192.168.2.0/24 log=no log-prefix=""

1 ;;; Masq to Unitel WAN

chain=srcnat action=masquerade out-interface=01UnitelWAN log=no log-prefix=""

2 ;;; Masq to Unitel WiFi

chain=srcnat action=masquerade out-interface=02UnitelWiFi log=no log-prefix=""

3 ;;; Masq to Megafon WAN

chain=srcnat action=masquerade out-interface=04MegafonWAN log=no log-prefix=""

4 chain=srcnat action=masquerade out-interface=07MegafonSIP log=yes log-prefix="MASQ_07MS"

5 chain=srcnat action=masquerade out-interface=08UnitelSIP log=yes log-prefix="MASQ_08US"

6 ;;; POST

chain=dstnat action=netmap to-addresses=192.168.6.4 protocol=tcp dst-address-list=WAN dst-port=25,465,110,995,143,993,443,80 log=no log-prefix=""

7 chain=dstnat action=netmap to-addresses=192.168.6.254 protocol=tcp dst-address-list=WAN dst-port=1194 log=no log-prefix=""

8 chain=dstnat action=netmap to-addresses=192.168.6.254 protocol=udp dst-address-list=WAN dst-port=1194 log=no log-prefix=""

9 chain=dstnat action=netmap to-addresses=10.60.217.142 protocol=udp in-interface=08UnitelSIP dst-port=5060 log=yes log-prefix="SIP_nat"

10 chain=dstnat action=netmap to-addresses=83.149.6.36 protocol=udp dst-address=10.60.217.142 dst-port=5060 log=yes log-prefix="SIP_nat"

Filter

Flags: X - disabled, I - invalid, D - dynamic

0 D ;;; special dummy rule to show fasttrack counters

chain=forward

1 chain=input action=accept protocol=icmp log=no log-prefix=""

2 chain=forward action=accept protocol=icmp log=no log-prefix=""

3 chain=forward action=drop protocol=tcp src-address=192.168.6.60-192.168.6.69 dst-port=80,443 log=no log-prefix=""

4 chain=forward action=accept src-address=192.168.0.0/22 dst-address=192.168.4.0/22 log=no log-prefix=""

5 chain=forward action=accept src-address=192.168.4.0/26 dst-address=192.168.6.0/23 log=no log-prefix=""

6 chain=forward action=accept src-address=192.168.4.0/22 dst-address=192.168.0.0/22 log=no log-prefix=""

7 chain=forward action=accept src-address=192.168.6.0/23 dst-address=192.168.4.0/26 log=no log-prefix=""

8 chain=output action=accept dst-address=180.164.10.60 log=yes log-prefix="MSK_out"

9 chain=input action=accept src-address=180.164.10.60 log=no log-prefix="MSK"

10 chain=forward action=accept src-address=180.164.10.60 log=no log-prefix="MSK"

11 chain=forward action=accept dst-address=180.164.10.60 log=no log-prefix="MSK"

12 chain=input action=accept protocol=ipsec-esp log=no log-prefix=""

13 chain=input action=accept protocol=udp dst-port=500,1701,4500 log=no log-prefix=""

14 chain=forward action=fasttrack-connection connection-state=established,related log=no log-prefix=""

15 chain=forward action=accept connection-state=established,related log=no log-prefix=""

16 chain=input action=fasttrack-connection connection-state=established,related log=no log-prefix=""

17 chain=input action=accept connection-state=established,related log=no log-prefix=""

18 chain=output action=fasttrack-connection log=no log-prefix=""

19 chain=input action=accept connection-state=!invalid in-interface=08UnitelSIP log=yes log-prefix="Unitel_in"

20 chain=forward action=accept connection-state=!invalid in-interface=08UnitelSIP out-interface=07MegafonSIP log=yes log-prefix="Uni_fwd"

21 chain=input action=accept connection-state=!invalid in-interface=07MegafonSIP log=yes log-prefix="Mega_in"

22 chain=forward action=accept connection-state=!invalid in-interface=07MegafonSIP out-interface=08UnitelSIP log=yes log-prefix="Mega_fwd"

23 chain=forward action=accept connection-state=established,related,new in-interface=bridge_guest out-interface=02UnitelWiFi log=no log-prefix=""

24 chain=forward action=accept in-interface=bridge_office out-interface=07MegafonSIP log=no log-prefix=""

25 chain=forward action=accept connection-state=!invalid in-interface=bridge_office out-interface=!02UnitelWiFi log=no log-prefix=""

26 chain=input action=accept connection-state=established,related,new in-interface=bridge_office log=no log-prefix=""

27 chain=forward action=accept in-interface=all-ppp out-interface=!01UnitelWAN log=no log-prefix=""

28 chain=input action=accept in-interface=all-ppp log=no log-prefix=""

29 chain=input action=accept protocol=udp dst-port=67-68 log=no log-prefix=""

30 chain=input action=accept connection-state=!invalid in-interface=03UnitelVPN log=no log-prefix=""

31 chain=forward action=accept connection-state=!invalid in-interface=03UnitelVPN log=no log-prefix=""

32 chain=input action=accept protocol=tcp dst-port=20000 log=no log-prefix=""

33 chain=forward action=accept in-interface=bridge_test out-interface=07MegafonSIP log=no log-prefix=""

34 chain=input action=accept in-interface=bridge_test log=yes log-prefix=""

35 chain=forward action=accept protocol=tcp dst-port=25,465,110,995,143,993,443,80 log=no log-prefix=""

36 chain=input action=drop log=no log-prefix=""

37 chain=forward action=drop log=yes log-prefix="DROP"

Mangle

Flags: X - disabled, I - invalid, D - dynamic

0 D chain=forward action=change-mss new-mss=1410 passthrough=yes tcp-flags=syn protocol=tcp out-interface=all-ppp tcp-mss=1411-65535 log=no log-prefix=""

1 D chain=forward action=change-mss new-mss=1360 passthrough=yes tcp-flags=syn protocol=tcp in-interface=all-ppp tcp-mss=1361-65535 log=no log-prefix=""

2 D ;;; special dummy rule to show fasttrack counters

chain=prerouting

3 D ;;; special dummy rule to show fasttrack counters

chain=forward

4 D ;;; special dummy rule to show fasttrack counters

chain=postrouting

5 chain=prerouting action=mark-routing new-routing-mark=MegafonSIP passthrough=no dst-address=83.149.6.36 log=no log-prefix=""

6 chain=output action=mark-routing new-routing-mark=MegafonSIP passthrough=no dst-address=83.149.6.36 log=no log-prefix=""

9 chain=prerouting action=mark-routing new-routing-mark=office passthrough=no src-address=192.168.6.0/24 dst-address-list=!LocalNet log=no log-prefix=""

10 chain=prerouting action=mark-routing new-routing-mark=Guest passthrough=no src-address=172.16.9.0/24 log=no log-prefix=""

11 chain=input action=mark-connection new-connection-mark=UnitelWAN passthrough=no dst-address=85.177.21.246 in-interface=01UnitelWAN log=no log-prefix=""

12 chain=output action=mark-routing new-routing-mark=UnitelWAN passthrough=no connection-mark=UnitelWAN log=no log-prefix=""

13 chain=input action=mark-connection new-connection-mark=MegafonWAN passthrough=no dst-address=113.72.0.196 in-interface=04MegafonWAN log=no log-prefix=""

14 chain=output action=mark-routing new-routing-mark=MegafonWAN passthrough=no connection-mark=MegafonWAN log=no log-prefix=""

15 chain=input action=mark-connection new-connection-mark=MegafonSIP passthrough=no dst-address=10.60.217.142 in-interface=07MegafonSIP log=no log-prefix=""

16 chain=output action=mark-routing new-routing-mark=MegafonSIP passthrough=no connection-mark=MegafonSIP log=no log-prefix=""

17 chain=input action=mark-connection new-connection-mark=UnitelSIP passthrough=no dst-address=10.65.51.26 in-interface=08UnitelSIP log=no log-prefix=""

18 chain=output action=mark-routing new-routing-mark=UnitelSIP passthrough=no connection-mark=UnitelSIP log=no log-prefix=""


I replaced the IPs with random ones "just in case"

So you dumped prints full of dynamic entries instead of a refined configuration export limited to the problem part (without the wagonload of marked defaults into public networks and a pile of routes to those same public addresses, and even via interfaces absent from the diagram), "just in case" (in case of what?) you replaced the "gray" addressing, and now we are supposed to somehow digest all this by guessing how a few config lines correspond to the diagram? O_o
