Vladimir777VRN Posted February 24, 2023
Good day. With my old provider I had packet marking configured for access to blocked resources, and everything worked perfectly. The provider assigned an external IP via IPoE, and on top of it there was a PPTP tunnel with packet marking, for example for access to livetv.sx. It doesn't really matter, for any resource... A couple of days ago I changed providers, and here this configuration does not work. What we have: the provider's internal network is 10.0.0.0/8, then an L2TP tunnel comes up and a public external IP is issued. The additional VPN for bypassing the blocks connects, and the required resource pings from the MikroTik, but not from the end computers. Can anyone suggest where the error is?
weedman Posted February 24, 2023
Lots of tunnels, probably MTU (I see it everywhere now).
Vladimir777VRN Posted February 24, 2023
On the provider's L2TP the MTU is 1456 (with this value everything works fine on the internet), and on the additional tunnel the MTU is 1450. Which way does it make sense to adjust it? What confuses me is that from the router, the resources that are routed into the additional tunnel resolve and accordingly ping, while from a computer the address resolves but does not ping.
weedman Posted February 25, 2023
Until smarter people start answering: what if you set the default route through the end PPTP? Maybe the problem is somewhere there, if it doesn't ping from the computers behind the MikroTik.
Vladimir777VRN Posted February 27, 2023
If I enable the default route through PPTP, then nothing on the internet is reachable at all.
fractal Posted February 28, 2023
The whole config isn't visible; an export compact is needed.
Vladimir777VRN Posted February 28, 2023
Added the export compact:
export compact
# feb/28/2023 20:14:24 by RouterOS 6.40.4
# software id = A3F5-WDHP
#
# model = RouterBOARD 941-2nD
# serial number = ***
/interface bridge
add admin-mac=D4:CA:6D:89:CA:46 arp=proxy-arp auto-mac=no fast-forward=no name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=russia disabled=no \
    distance=indoors frequency=2422 mode=ap-bridge ssid="Ololowku Freedom" wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:0C:43:30:52:D1 name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
/interface l2tp-client
add add-default-route=yes allow=chap connect-to=l2tp.freedom default-route-distance=1 disabled=no \
    keepalive-timeout=disabled max-mru=1456 max-mtu=1456 name=l2tp-freedom password=*** user=***
/interface pptp-client
add connect-to=pl226.vpnbook.com disabled=no name=vpn password=*** user=***
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=\
    MikroTik wpa-pre-shared-key=*** wpa2-pre-shared-key=***
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.3.10-192.168.3.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/interface wireless access-list
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=***
/interface wireless connect-list
add interface=wlan1 mac-address=*** security-profile=default
add interface=wlan1 mac-address=*** security-profile=default
/ip address
add address=192.168.3.1/24 comment="default configuration" interface=ether2-master-local network=192.168.3.0
/ip dhcp-client
add comment="default configuration" default-route-distance=2 dhcp-options=hostname,clientid disabled=no \
    interface=ether1-gateway
/ip dhcp-server network
add address=192.168.3.0/24 comment="default configuration" gateway=192.168.3.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.3.1 name=router
/ip firewall address-list
add address=178.63.151.224 list=vpn
add address=93.184.219.82 list=vpn
add address=93.174.89.3 list=vpn
add address=195.82.146.214 list=vpn
add address=176.114.3.91 list=vpn
add address=31.192.120.36 list=vpn
add address=185.36.100.195 list=vpn
add address=104.28.6.212 list=vpn
add address=176.114.0.132 list=vpn
add address=81.17.30.22 list=vpn
add address=185.25.48.155 list=vpn
add address=31.192.120.44 list=vpn
add address=88.208.29.24 list=vpn
add address=37.1.207.109 list=vpn
add address=46.148.17.244 list=vpn
add address=50.6.0.2 list=vpn
add address=67.22.32.168 list=vpn
add address=vator.org list=vpn
add address=www.new-rutor.info list=vpn
add address=proxy-rutor.org list=vpn
add address=sopcast.com list=vpn
add address=4pda.ru list=vpn
add address=gulagu.net list=vpn
add address=www.vpnbook.com list=vpn
add address=rutracker.org list=vpn
add address=kinoflux.org list=vpn
add address=bridges.torproject.org list=vpn
add address=www.torproject.org list=vpn
add address=dist.torproject.org list=vpn
add address=Twitter.com list=vpn
add address=mobile.twitter.com list=vpn
add address=twitterinc.com list=vpn
add address=facebook.com list=vpn
add address=m.facebook.com list=vpn
add address=instagram.com list=vpn
add address=31.13.71.174 list=vpn
add address=nnm-club.me list=vpn
add address=riseup.net list=vpn
add address=www.pimpletv.ru list=vpn
add address=2ip.ru list=vpn
add address=speedtest.net list=vpn
add address=livetv.sx list=vpn
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=\
    established,related
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=input protocol=udp
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=\
    new in-interface=ether1-gateway
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=vpn in-interface=bridge-local new-routing-mark=vpn \
    passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vpn src-address=192.168.3.0/24
add action=masquerade chain=srcnat src-address=192.168.3.0/24
add action=masquerade chain=srcnat comment="default configuration" disabled=yes out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=3389 protocol=tcp to-addresses=\
    192.168.3.38 to-ports=3389
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=137 log-prefix=192.168.3.38 protocol=tcp \
    to-ports=137
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=139 protocol=tcp to-addresses=192.168.3.38 \
    to-ports=139
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=443 protocol=tcp to-addresses=192.168.3.38 \
    to-ports=443
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=80 protocol=tcp to-addresses=192.168.3.38 \
    to-ports=80
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=1434 protocol=tcp to-addresses=\
    192.168.3.38 to-ports=1434
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=1433 protocol=tcp to-addresses=\
    192.168.3.38 to-ports=1433
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=1812 protocol=udp to-addresses=\
    192.168.3.38 to-ports=1812
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=1813 protocol=udp to-addresses=\
    192.168.3.38 to-ports=1813
/ip route
add distance=1 gateway=vpn routing-mark=vpn
add distance=1 dst-address=192.168.0.0/24 gateway=192.168.0.1
/ip route rule
add action=lookup-only-in-table routing-mark=vpn table=vpn
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set winbox address=192.168.3.0/24,217.25.239.152/32
set api-ssl disabled=yes
/ppp secret
add local-address=192.168.3.1 name=test password=*** remote-address=192.168.3.100 service=pptp
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system package update
set channel=bugfix
/tool graphing
set store-every=hour
/tool graphing interface
add allow-address=192.168.3.0/24 store-on-disk=no
add allow-address=217.25.239.152/32 store-on-disk=no
/tool graphing resource
add allow-address=192.168.3.0/24
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=wlan1
add interface=bridge-local
/tool romon port
add
fractal Posted March 1, 2023
7 hours ago, Vladimir777VRN said: Added the export compact
You apparently have old firmware; I'm on the 7 branch. I don't like the mangle: for some reason the mangle rule has the bridge as the IN interface.
Your config:
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=vpn in-interface=bridge-local new-routing-mark=vpn \
    passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vpn src-address=192.168.3.0/24
/ip route
add distance=1 gateway=vpn routing-mark=vpn
In mine it works like this; moreover, I upgraded from branch 6 to 7 without touching anything, and it works just as it did before:
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes dst-address-list=rkn new-routing-mark=table_vpn passthrough=yes src-address=192.168.100.0/24
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=vpn routing-mark=table_vpn
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway="VPN gateway IP" pref-src=0.0.0.0 routing-table=table_vpn scope=30 suppress-hw-offload=no \
    target-scope=10
And in general, a traceroute from the computer will show where the packet is trying to go.
PS: and turn off the old and unneeded statics.