fumufu86 Posted December 1, 2016 (edited) Проблемы с пробросом портов в Mikrotik. Нужно RDP на 4 компьютера /ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 add action=dst-nat chain=dstnat dst-port=3390 in-interface=ether1 protocol=tcp to-addresses=192.168.88.10 to-ports=3389 add action=dst-nat chain=dstnat dst-port=3391 in-interface=ether1 protocol=tcp to-addresses=192.168.88.11 to-ports=3389 add action=dst-nat chain=dstnat dst-port=3392 in-interface=ether1 protocol=tcp to-addresses=192.168.88.12 to-ports=3389 add action=dst-nat chain=dstnat dst-port=3393 in-interface=ether1 protocol=tcp to-addresses=10.11.185.201 to-ports=3389 Но работают они странно add action=dst-nat chain=dstnat dst-port=3390 in-interface=ether1 protocol=tcp to-addresses=192.168.88.10 to-ports=3389 отправляет на нужный комп add action=dst-nat chain=dstnat dst-port=3391 in-interface=ether1 protocol=tcp to-addresses=192.168.88.11 to-ports=3389 не работает add action=dst-nat chain=dstnat dst-port=3392 in-interface=ether1 protocol=tcp to-addresses=192.168.88.12 to-ports=3389 не работает add action=dst-nat chain=dstnat dst-port=3393 in-interface=ether1 protocol=tcp to-addresses=10.11.185.201 to-ports=3389 При включении отправляет на комп 192.168.88.11 [admin@MikroTik] > export compact # dec/01/2016 14:53:57 by RouterOS 6.38rc37 # software id = # /interface ethernet set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=00:0C:29:40:4B:86 speed=100Mbps /ip dhcp-server option add code=249 name=static249 value=0x080A0A0BB901 add code=121 name=static121 value=0x080A0A0BB901 /ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc /ip pool add name=dhcp ranges=192.168.88.250-192.168.88.253 add name=ofis ranges=10.11.185.200-10.11.185.250 /ip dhcp-server add add-arp=yes address-pool=dhcp disabled=no interface=ether2 name=dhcp1 add add-arp=yes address-pool=ofis disabled=no interface=ether3 name=ofis /interface 
bridge port add interface=ether2 /ip address add address=81.163.39.158/28 comment="default configuration" interface=ether1 network=81.163.39.144 add address=192.168.88.1/24 interface=ether2 network=192.168.88.0 add address=10.11.185.254/24 interface=ether3 network=10.11.185.0 /ip dhcp-client add dhcp-options=hostname,clientid interface=ether1 /ip dhcp-server lease add address=192.168.88.10 client-id=1:0:c:29:bd:a1:22 mac-address=00:0C:29:BD:A1:22 server=dhcp1 add address=192.168.88.11 client-id=1:0:c:29:c3:52:f mac-address=00:0C:29:C3:52:0F server=dhcp1 add address=192.168.88.12 client-id=1:0:c:29:5f:6c:ad mac-address=00:0C:29:5F:6C:AD server=dhcp1 /ip dhcp-server network add address=10.11.185.0/24 dhcp-option=static249,static121 dns-server=81.163.39.114 gateway=10.11.185.254 netmask=24 add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24 /ip dns set servers=8.8.8.8 /ip firewall filter add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=12w6d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3 add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2 add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1 add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 protocol=tcp src-address-list=telnet_blacklist add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=12w6d chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage3 add 
action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage2 add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage1 add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp add action=drop chain=input comment="drop ssh brute forcers" dst-port=8291 protocol=tcp src-address-list=winbox_blacklist add action=add-src-to-address-list address-list=winbox_blacklist address-list-timeout=12w6d chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage3 add action=add-src-to-address-list address-list=winbox_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage2 add action=add-src-to-address-list address-list=winbox_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage1 add action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp add action=drop chain=input comment="drop telnet brute forcers" dst-port=80 protocol=tcp src-address-list=web_blacklist add action=add-src-to-address-list address-list=web_blacklist address-list-timeout=12w6d chain=input connection-state=new dst-port=80 protocol=tcp src-address-list=web_stage3 add action=add-src-to-address-list address-list=web_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=80 protocol=tcp src-address-list=web_stage2 add action=add-src-to-address-list address-list=web_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=80 protocol=tcp src-address-list=web_stage1 add action=add-src-to-address-list address-list=web_stage1 
address-list-timeout=1m chain=input connection-state=new dst-port=80 protocol=tcp add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp /ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 add action=dst-nat chain=dstnat dst-port=3390 in-interface=ether1 protocol=tcp to-addresses=192.168.88.10 to-ports=3389 add action=dst-nat chain=dstnat dst-port=3391 in-interface=ether1 protocol=tcp to-addresses=192.168.88.11 to-ports=3389 add action=dst-nat chain=dstnat dst-port=3392 in-interface=ether1 protocol=tcp to-addresses=192.168.88.12 to-ports=3389 add action=dst-nat chain=dstnat dst-port=3393 in-interface=ether1 protocol=tcp to-addresses=10.11.185.201 to-ports=3389 /ip route add distance=1 gateway=81.163.39.145 /system package update set channel=release-candidate [admin@MikroTik] > Edited December 1, 2016 by fumufu86
Chexov Posted December 2, 2016 В firewall добавьте разрешающее правило для RDP
fumufu86 Posted December 3, 2016 В firewall добавьте разрешающие правило для RDP В firewall нет запрещающих правил для RDP (в приведённом экспорте в цепочке forward правил нет вообще, а в input — только drop по address-list, так что проброшенный RDP ничем не ограничен). По умолчанию всё, что не запрещено, разрешено? Отсутствие этого правила также не мешает работать RDP на двух компьютерах.
myth Posted December 5, 2016 Это устаревшая технология))
Nuts Posted December 7, 2016 fumufu86 Вы привели полную конфигурацию? Вижу IP-адрес на ether2, но ether2 добавлен в bridge — это уже неправильно. Сам bridge при этом не создан.
fumufu86 Posted December 8, 2016 Забыл об этом. Удалил. Проблему не решило. [admin@MikroTik] > export compact # dec/08/2016 19:34:17 by RouterOS 6.38rc37 # software id = # /interface ethernet set [ find default-name=ether1 ] advertise=10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full mac-address=00:0C:29:40:4B:86 speed=100Mbps /ip dhcp-server option add code=249 name=static249 value=0x080A0A0BB901 add code=121 name=static121 value=0x080A0A0BB901 /ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc /ip pool add name=dhcp ranges=192.168.88.250-192.168.88.253 add name=ofis ranges=10.11.185.200-10.11.185.250 /ip dhcp-server add add-arp=yes address-pool=dhcp disabled=no interface=ether2 name=dhcp1 add add-arp=yes address-pool=ofis disabled=no interface=ether3 name=ofis /queue simple add max-limit=13M/13M name=queue1 target=10.11.185.75/32 /ip address add address=81.163.39.158/28 comment="default configuration" interface=ether1 network=81.163.39.144 add address=192.168.88.1/24 interface=ether2 network=192.168.88.0 add address=10.11.185.254/24 interface=ether3 network=10.11.185.0 /ip dhcp-client add dhcp-options=hostname,clientid interface=ether1 /ip dhcp-server lease add address=192.168.88.10 client-id=1:0:c:29:bd:a1:22 mac-address=00:0C:29:BD:A1:22 server=dhcp1 add address=192.168.88.11 always-broadcast=yes client-id=1:0:c:29:c3:52:f mac-address=00:0C:29:C3:52:0F server=dhcp1 add address=192.168.88.12 client-id=1:0:c:29:5f:6c:ad mac-address=00:0C:29:5F:6C:AD server=dhcp1 add address=10.11.185.75 client-id=1:fc:aa:14:1c:e2:d1 mac-address=FC:AA:14:1C:E2:D1 server=ofis /ip dhcp-server network add address=10.11.185.0/24 dhcp-option=static249,static121 dns-server=81.163.39.114 gateway=10.11.185.254 netmask=24 add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24 /ip dns set servers=8.8.8.8 /ip firewall filter add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist add 
action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=12w6d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3 add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2 add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1 add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 protocol=tcp src-address-list=telnet_blacklist add action=add-src-to-address-list address-list=telnet_blacklist address-list-timeout=12w6d chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage3 add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage2 add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp src-address-list=telnet_stage1 add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 protocol=tcp add action=drop chain=input comment="drop ssh brute forcers" dst-port=8291 protocol=tcp src-address-list=winbox_blacklist add action=add-src-to-address-list address-list=winbox_blacklist address-list-timeout=12w6d chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage3 add action=add-src-to-address-list address-list=winbox_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage2 add action=add-src-to-address-list address-list=winbox_stage2 
address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp src-address-list=winbox_stage1 add action=add-src-to-address-list address-list=winbox_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=8291 protocol=tcp add action=drop chain=input comment="drop telnet brute forcers" dst-port=80 protocol=tcp src-address-list=web_blacklist add action=add-src-to-address-list address-list=web_blacklist address-list-timeout=12w6d chain=input connection-state=new dst-port=80 protocol=tcp src-address-list=web_stage3 add action=add-src-to-address-list address-list=web_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=80 protocol=tcp src-address-list=web_stage2 add action=add-src-to-address-list address-list=web_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=80 protocol=tcp src-address-list=web_stage1 add action=add-src-to-address-list address-list=web_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=80 protocol=tcp add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp /ip firewall nat add action=masquerade chain=srcnat out-interface=ether1 add action=dst-nat chain=dstnat dst-port=3390 in-interface=ether1 protocol=tcp to-addresses=192.168.88.10 to-ports=3389 add action=dst-nat chain=dstnat dst-port=3391 in-interface=ether1 protocol=tcp to-addresses=192.168.88.11 to-ports=3389 add action=dst-nat chain=dstnat dst-port=3392 in-interface=ether1 protocol=tcp to-addresses=192.168.88.12 to-ports=3389 add action=dst-nat chain=dstnat dst-port=3393 in-interface=ether1 protocol=tcp to-addresses=10.11.185.201 to-ports=3389 /ip route add distance=1 gateway=81.163.39.145 
/system package update set channel=release-candidate
nkusnetsov Posted December 9, 2016 Забыл об этом. Удалил. Проблему не решило. На самом деле у Вас почти всё работает. См. скрин. Подозреваю, что тестируете Вы из той же локальной сети, обращаясь к внешнему IP-адресу. Чтобы это работало и изнутри локальной сети, нужно настроить hairpin NAT. Из Интернета серверы прекрасно видно.
fumufu86 Posted December 9, 2016 Забыл об этом. Удалил. Проблему не решило. На самом деле у Вас почти всё работает. См. скрин. Подозреваю, что тестируете Вы из той же локальной сети, обращаясь к внешнему IP-адресу. Чтобы работало И так нужно делать "hairpin nat". Из Интернета серверы прекрасно видно. Когда я пытаюсь зайти по этому же адресу, попадаю на 3393. Я пытаюсь зайти не из локальной сети, а с адреса 176.120.221.221, но это один и тот же провайдер. Спасибо за совет.