alibek Posted May 28, 2018 · Report post Что не так в конфигурации?
# RouterOS export, reformatted one command per line; the commands themselves are unchanged.
# Roles as the export shows them: eth1 carries the PPPoE uplink ("pppoe"); eth2 carries
# vlan30 (core side, 10.1.144.0/24) and vlan100 (public side, AA.AA.AA.0/25); eth3/eth4 are
# bridged into bridge-lan (192.168.1.0/24); eth5 takes a DHCP lease as a secondary uplink.
# AA.AA.AA.* are redacted public addresses.
/interface bridge
# proxy-arp on the LAN bridge -- presumably so the PPTP peers below, which get addresses
# out of the LAN subnet, are reachable from LAN hosts; confirm that is the intent.
add arp=proxy-arp fast-forward=no name=bridge-lan
/interface ethernet
set [ find default-name=ether1 ] arp=disabled name=eth1
set [ find default-name=ether2 ] arp=disabled name=eth2
set [ find default-name=ether3 ] name=eth3
set [ find default-name=ether4 ] name=eth4
set [ find default-name=ether5 ] name=eth5
/interface vlan
add interface=eth2 name=vlan30 vlan-id=30
add interface=eth2 name=vlan100 vlan-id=100
/interface pppoe-client
# Primary uplink; installs the default route (the password is not part of an export).
add add-default-route=yes interface=eth1 name=pppoe use-peer-dns=yes user=username
/interface bridge port
add bridge=bridge-lan interface=eth3
add bridge=bridge-lan interface=eth4
/ppp profile
# No use-encryption setting is exported, so the profile runs with its default.
# PPTP (MS-CHAPv2/MPPE) is considered weak regardless; worth planning a move to a
# stronger VPN type (e.g. IPsec/IKEv2) once this is working.
add bridge=bridge-lan name=users only-one=yes
/ppp secret
# Two static PPTP peers placed inside the LAN subnet (192.168.1.191/.192).
add local-address=192.168.1.254 name=vpn1 profile=users remote-address=192.168.1.191 service=pptp
add local-address=192.168.1.254 name=vpn2 profile=users remote-address=192.168.1.192 service=pptp
/interface pptp-server server
# The PPTP server terminates on the router itself, so its TCP/1723 and GRE traffic is
# evaluated in the firewall *input* chain -- see the note on the "Border: Allow PPTP" rules.
set default-profile=users enabled=yes
/ip address
add address=AA.AA.AA.80/25 comment="GW to Public" interface=vlan100 network=AA.AA.AA.0
add address=10.1.144.3/24 comment="GW to Core" interface=vlan30 network=10.1.144.0
add address=192.168.1.254/24 interface=bridge-lan network=192.168.1.0
/ip dhcp-client
# Secondary uplink; distance 100 keeps its default route behind the PPPoE one.
add default-route-distance=100 interface=eth5
/ip firewall address-list
# acl-service and acl-network are defined but not referenced by any rule in this export.
add address=192.168.1.0/24 list=acl-lan
add address=AA.AA.AA.95 list=acl-admin
add address=AA.AA.AA.0/25 list=acl-service
add address=10.1.128.0/24 list=acl-service
add address=192.168.1.9 list=acl-admin
add address=10.1.10.0-10.1.19.255 list=acl-network
# acl-bogon: ranges that must never appear as a source on the public-facing interfaces.
add address=0.0.0.0/8 comment="source this" list=acl-bogon
add address=10.0.0.0/8 comment="private network" list=acl-bogon
add address=100.64.0.0/10 comment=CG-NAT list=acl-bogon
add address=127.0.0.0/8 comment="loopback addresses" list=acl-bogon
add address=169.254.0.0/16 comment="link-local subnet" list=acl-bogon
add address=172.16.0.0/12 comment="private network" list=acl-bogon
add address=192.0.0.0/24 comment=reserved list=acl-bogon
add address=192.0.2.0/24 comment="test network" list=acl-bogon
add address=192.42.172.0/24 comment=non-work list=acl-bogon
add address=192.88.99.0/24 comment="anycast relay" list=acl-bogon
add address=192.168.0.0/16 comment="private network" list=acl-bogon
add address=198.18.0.0/15 comment="test inter-network" list=acl-bogon
add address=198.51.100.0/24 comment="test network" list=acl-bogon
add address=203.0.113.0/24 comment="test network" list=acl-bogon
add address=224.0.0.0/4 comment=multicast list=acl-bogon
add address=240.0.0.0/4 comment=reserved list=acl-bogon
add address=0.0.0.0/8 list=acl-invalid
add address=127.0.0.0/8 list=acl-invalid
# acl-monitor spans a whole public /24 plus the LAN.
add address=AA.AA.AA.0/24 list=acl-monitor
add address=192.168.1.0/24 list=acl-monitor
/ip firewall filter
# input chain, in order: bogon drop (on pppoe, vlan100 and eth1 only -- eth5, the DHCP
# uplink, is not covered, which matters if the "Alt. Internet" NAT rule is ever enabled),
# invalid drop, established/related accept, ICMP jump, WinBox from acl-admin, HTTP from
# acl-monitor, LAN accept, logged default drop.
add action=drop chain=input comment="Self Normalization: Drop Bogons" in-interface=pppoe log=yes log-prefix="BOGONS: " src-address-list=acl-bogon
add action=drop chain=input comment="Self Normalization: Drop Bogons" in-interface=vlan100 log=yes log-prefix="BOGONS: " src-address-list=acl-bogon
add action=drop chain=input comment="Self Normalization: Drop Bogons" in-interface=eth1 log=yes log-prefix="BOGONS: " src-address-list=acl-bogon
add action=drop chain=input comment="Self Normalization: Drop Invalid" connection-state=invalid log=yes log-prefix="INVALID: "
add action=accept chain=input comment="Self Normalization: Skip Established" connection-state=established,related
add action=jump chain=input comment="Border: Allow ICMP" jump-target=icmp protocol=icmp
# WinBox (8291) reachable only from acl-admin sources, on any interface.
add action=accept chain=input comment="Border: Allow Remote" connection-state=new dst-port=8291 protocol=tcp src-address-list=acl-admin
# Port 80 is the router's www service, which serves WebFig as well as the graphs, so this
# admits the whole AA.AA.AA.0/24 to the management web UI; consider narrowing acl-monitor
# or restricting the www service to the graphs path.
add action=accept chain=input comment="Border: Graphs access" dst-port=80 protocol=tcp src-address-list=acl-monitor
# connection-state="" is an empty matcher; it looks like an export artefact with no
# effect -- confirm it is intended.
add action=accept chain=input comment="Border: Allow LAN" connection-state="" in-interface=bridge-lan src-address-list=acl-lan
# BUG (pointed out further down the thread): both PPTP rules are chain=forward, but PPTP
# to the router's own server is *input* traffic, so the GRE and TCP/1723 packets fall
# through to the "Border: Default Policy" drop below. Fix: chain=input on both rules.
# That matches the reported symptom (client hangs while connecting, then errors out).
# The vlan100 / acl-admin restriction is a reasonable exposure for the PPTP service.
add action=accept chain=forward comment="Border: Allow PPTP" in-interface=vlan100 protocol=gre src-address-list=acl-admin
add action=accept chain=forward comment="Border: Allow PPTP" dst-port=1723 in-interface=vlan100 protocol=tcp src-address-list=acl-admin
add action=drop chain=input comment="Border: Default Policy" log=yes log-prefix="DEFAULT: "
# forward chain, in order: acl-invalid src/dst drop, invalid drop, established/related
# accept, ICMP jump, explicit permits, logged default drop.
add action=drop chain=forward comment="Drop Invalid Src" log=yes log-prefix="INVALID: " src-address-list=acl-invalid
add action=drop chain=forward comment="Drop Invalid Dst" dst-address-list=acl-invalid log=yes log-prefix="INVALID: "
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid log=yes log-prefix="INVALID: "
add action=accept chain=forward comment="Skip Established" connection-state=established,related
add action=jump chain=forward comment="Processing ICMP" jump-target=icmp protocol=icmp
# Broad: any protocol/port from acl-admin sources arriving on any VLAN may be forwarded
# anywhere. Acceptable only while acl-admin stays a short list of trusted hosts.
add action=accept chain=forward comment="Admin access" in-interface=all-vlan src-address-list=acl-admin
add action=accept chain=forward comment="Allow LAN OUT" in-interface=bridge-lan out-interface=!bridge-lan src-address-list=acl-lan
# Matches packets entering from vlan100 (public side) whose *source* is in acl-lan
# (192.168.1.0/24); such sources should not arrive from the public side, and no dst-nat
# rule for 65200-65209 appears in this export -- likely meant as a destination match;
# verify against the intended RDP publishing setup.
add action=accept chain=forward comment="Allow LAN IN (RDP)" dst-port=65200-65209 in-interface=vlan100 out-interface=bridge-lan protocol=tcp src-address-list=acl-lan
add action=drop chain=forward comment="LAST RULE" log=yes log-prefix="LAST: "
# This accept is the only output-chain rule in the export and nothing drops after it, so
# limit= does not limit anything: packets over the rate fall through to the chain's
# default accept. A following drop rule would be needed for the comment to be true.
add action=accept chain=output comment="Border: Limit outgoing UDP" limit=15,20:packet protocol=udp
# icmp chain: whitelist of ICMP types, then a logged drop.
add action=accept chain=icmp comment="ICMP: echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="ICMP: network unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="ICMP: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="ICMP: host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="ICMP: source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="ICMP: echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="ICMP: time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="ICMP: parameter bad" icmp-options=12:0 protocol=icmp
# "drop other" is terminal for everything the accepts above did not match, so the
# "ICMP: continue" return rule after it is never reached (harmless, but misleading).
add action=drop chain=icmp comment="ICMP: drop other" log=yes log-prefix="ICMP: "
add action=return chain=icmp comment="ICMP: continue"
/ip firewall nat
# LAN is masqueraded over the PPPoE uplink and over any VLAN; the eth5 alternative stays
# disabled (see the bogon-rule note above before enabling it).
add action=masquerade chain=srcnat comment="Main Internet" out-interface=pppoe src-address-list=acl-lan
add action=masquerade chain=srcnat comment="Main subinterfaces" out-interface=all-vlan src-address-list=acl-lan
add action=masquerade chain=srcnat comment="Alt. Internet" disabled=yes out-interface=eth5 src-address-list=acl-lan
/ip route
# Static routes: core networks via the vlan30 gateway, the public /22 via the vlan100
# gateway. The PPPoE default route (add-default-route=yes) and the eth5 DHCP default
# route (distance 100) are installed dynamically and so are not listed here.
add distance=10 dst-address=10.1.0.0/16 gateway=10.1.144.1
add distance=10 dst-address=10.102.0.0/16 gateway=10.1.144.1
add distance=10 dst-address=10.202.0.0/16 gateway=10.1.144.1
add distance=10 dst-address=AA.AA.AA.0/22 gateway=AA.AA.AA.126
Подключение не происходит, клиент долго висит на этапе подключения, потом выдает ошибку.
Вставить ник Quote Ответить с цитированием Share this post Link to post Share on other sites More sharing options...
boav Posted May 29, 2018 (edited) · Report post 8 часов назад, alibek сказал: add action=accept chain=forward comment="Border: Allow PPTP" in-interface=vlan100 protocol=gre src-address-list=acl-admin add action=accept chain=forward comment="Border: Allow PPTP" dst-port=1723 in-interface=vlan100 protocol=tcp src-address-list=acl-admin Почему у вас цепочка форвард, а не инпут? Edited May 29, 2018 by boav на большом экране лучше видно Вставить ник Quote Ответить с цитированием Share this post Link to post Share on other sites More sharing options...
alibek Posted May 29, 2018 · Report post Очепятка. Сейчас поправлю. Вставить ник Quote Ответить с цитированием Share this post Link to post Share on other sites More sharing options...