Jump to content
Калькуляторы

Не работает маркировка определенных пакетов (mangle)

Доброго дня. 

На старом провайдере была настроена маркировка пакетов для доступа к заблоченным ресурсам и всё прекрасно работало. провайдер через IPoE назначал внешний IP и поверх него ППТП туннель с маркировкой пакетов, нупример для доступа к livetv.sx. да без разницы, к любому ресурсу...

Пару дней как сменил провайдер и здесь данная конфигурация не работает.

Что имеем:

внутренняя сеть провайдера- 10.0.0.0/8, далее поднимается л2тп туннель и выдается белый внешний айпи. Дополнительный VPN для обхода блокировок подключается, с микротика нужный ресурс пингуается, а вот с конечных компов нет. Кто-то может подксказать где ошибка?

routes.JPG

Share this post


Link to post
Share on other sites

на провайдерском л2тп мту 1456 (с этим значением всё работает отлично в интернете), а на дополнительном туннеле мту 1450. в какую сторону есть смысл крутить? меня смущает что с роутера ресурсы которые заворачиваются на доп туннель резолвятся и соответственно пингуются, а с компа адрес резолвится, но не пингуется.

routes2.JPG

Share this post


Link to post
Share on other sites

Пока более умные не начали отвечать- А если дать маршрут по умолчанию через конечный рртр? может где-то в этом косяк. Если не пингуется с компов после микрота.

Share this post


Link to post
Share on other sites

добавил экспорт компакт

export compact
# feb/28/2023 20:14:24 by RouterOS 6.40.4
# software id = A3F5-WDHP
#
# model = RouterBOARD 941-2nD
# serial number = ***
/interface bridge
add admin-mac=D4:CA:6D:89:CA:46 arp=proxy-arp auto-mac=no fast-forward=no name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=russia disabled=no \
    distance=indoors frequency=2422 mode=ap-bridge ssid="Ololowku Freedom" wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:0C:43:30:52:D1 name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
/interface l2tp-client
add add-default-route=yes allow=chap connect-to=l2tp.freedom default-route-distance=1 disabled=no \
    keepalive-timeout=disabled max-mru=1456 max-mtu=1456 name=l2tp-freedom password=*** user=***
/interface pptp-client
add connect-to=pl226.vpnbook.com disabled=no name=vpn password=*** user=***
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=\
    MikroTik wpa-pre-shared-key=*** wpa2-pre-shared-key=***
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.3.10-192.168.3.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/interface wireless access-list
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=***
/interface wireless connect-list
add interface=wlan1 mac-address=*** security-profile=default
add interface=wlan1 mac-address=*** security-profile=default
/ip address
add address=192.168.3.1/24 comment="default configuration" interface=ether2-master-local network=192.168.3.0
/ip dhcp-client
add comment="default configuration" default-route-distance=2 dhcp-options=hostname,clientid disabled=no \
    interface=ether1-gateway
/ip dhcp-server network
add address=192.168.3.0/24 comment="default configuration" gateway=192.168.3.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.3.1 name=router
/ip firewall address-list
add address=178.63.151.224 list=vpn
add address=93.184.219.82 list=vpn
add address=93.174.89.3 list=vpn
add address=195.82.146.214 list=vpn
add address=176.114.3.91 list=vpn
add address=31.192.120.36 list=vpn
add address=185.36.100.195 list=vpn
add address=104.28.6.212 list=vpn
add address=176.114.0.132 list=vpn
add address=81.17.30.22 list=vpn
add address=185.25.48.155 list=vpn
add address=31.192.120.44 list=vpn
add address=88.208.29.24 list=vpn
add address=37.1.207.109 list=vpn
add address=46.148.17.244 list=vpn
add address=50.6.0.2 list=vpn
add address=67.22.32.168 list=vpn
add address=vator.org list=vpn
add address=www.new-rutor.info list=vpn
add address=proxy-rutor.org list=vpn
add address=sopcast.com list=vpn
add address=4pda.ru list=vpn
add address=gulagu.net list=vpn
add address=www.vpnbook.com list=vpn
add address=rutracker.org list=vpn
add address=kinoflux.org list=vpn
add address=bridges.torproject.org list=vpn
add address=www.torproject.org list=vpn
add address=dist.torproject.org list=vpn
add address=Twitter.com list=vpn
add address=mobile.twitter.com list=vpn
add address=twitterinc.com list=vpn
add address=facebook.com list=vpn
add address=m.facebook.com list=vpn
add address=instagram.com list=vpn
add address=31.13.71.174 list=vpn
add address=nnm-club.me list=vpn
add address=riseup.net list=vpn
add address=www.pimpletv.ru list=vpn
add address=2ip.ru list=vpn
add address=speedtest.net list=vpn
add address=livetv.sx list=vpn
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=\
    established,related
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=input protocol=udp
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=\
    new in-interface=ether1-gateway
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=vpn in-interface=bridge-local new-routing-mark=vpn \
    passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vpn src-address=192.168.3.0/24
add action=masquerade chain=srcnat src-address=192.168.3.0/24
add action=masquerade chain=srcnat comment="default configuration" disabled=yes out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=3389 protocol=tcp to-addresses=\
    192.168.3.38 to-ports=3389
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=137 log-prefix=192.168.3.38 protocol=tcp \
    to-ports=137
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=139 protocol=tcp to-addresses=192.168.3.38 \
    to-ports=139
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=443 protocol=tcp to-addresses=192.168.3.38 \
    to-ports=443
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=80 protocol=tcp to-addresses=192.168.3.38 \
    to-ports=80
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=1434 protocol=tcp to-addresses=\
    192.168.3.38 to-ports=1434
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=1433 protocol=tcp to-addresses=\
    192.168.3.38 to-ports=1433
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=1812 protocol=udp to-addresses=\
    192.168.3.38 to-ports=1812
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=1813 protocol=udp to-addresses=\
    192.168.3.38 to-ports=1813
/ip route
add distance=1 gateway=vpn routing-mark=vpn
add distance=1 dst-address=192.168.0.0/24 gateway=192.168.0.1
/ip route rule
add action=lookup-only-in-table routing-mark=vpn table=vpn
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set winbox address=192.168.3.0/24,217.25.239.152/32
set api-ssl disabled=yes
/ppp secret
add local-address=192.168.3.1 name=test password=*** remote-address=192.168.3.100 service=pptp
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system package update
set channel=bugfix
/tool graphing
set store-every=hour
/tool graphing interface
add allow-address=192.168.3.0/24 store-on-disk=no
add allow-address=217.25.239.152/32 store-on-disk=no
/tool graphing resource
add allow-address=192.168.3.0/24
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=wlan1
add interface=bridge-local
/tool romon port
add

 

Share this post


Link to post
Share on other sites

7 часов назад, Vladimir777VRN сказал:

добавил экспорт компакт

export compact
# feb/28/2023 20:14:24 by RouterOS 6.40.4
# software id = A3F5-WDHP
#
# model = RouterBOARD 941-2nD
# serial number = ***
/interface bridge
add admin-mac=D4:CA:6D:89:CA:46 arp=proxy-arp auto-mac=no fast-forward=no name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce country=russia disabled=no \
    distance=indoors frequency=2422 mode=ap-bridge ssid="Ololowku Freedom" wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] mac-address=00:0C:43:30:52:D1 name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
/interface l2tp-client
add add-default-route=yes allow=chap connect-to=l2tp.freedom default-route-distance=1 disabled=no \
    keepalive-timeout=disabled max-mru=1456 max-mtu=1456 name=l2tp-freedom password=*** user=***
/interface pptp-client
add connect-to=pl226.vpnbook.com disabled=no name=vpn password=*** user=***
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=\
    MikroTik wpa-pre-shared-key=*** wpa2-pre-shared-key=***
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=dhcp ranges=192.168.3.10-192.168.3.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge-local name=default
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
/interface wireless access-list
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=*** vlan-mode=no-tag
add interface=wlan1 mac-address=***
/interface wireless connect-list
add interface=wlan1 mac-address=*** security-profile=default
add interface=wlan1 mac-address=*** security-profile=default
/ip address
add address=192.168.3.1/24 comment="default configuration" interface=ether2-master-local network=192.168.3.0
/ip dhcp-client
add comment="default configuration" default-route-distance=2 dhcp-options=hostname,clientid disabled=no \
    interface=ether1-gateway
/ip dhcp-server network
add address=192.168.3.0/24 comment="default configuration" gateway=192.168.3.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.3.1 name=router
/ip firewall address-list
add address=178.63.151.224 list=vpn
add address=93.184.219.82 list=vpn
add address=93.174.89.3 list=vpn
add address=195.82.146.214 list=vpn
add address=176.114.3.91 list=vpn
add address=31.192.120.36 list=vpn
add address=185.36.100.195 list=vpn
add address=104.28.6.212 list=vpn
add address=176.114.0.132 list=vpn
add address=81.17.30.22 list=vpn
add address=185.25.48.155 list=vpn
add address=31.192.120.44 list=vpn
add address=88.208.29.24 list=vpn
add address=37.1.207.109 list=vpn
add address=46.148.17.244 list=vpn
add address=50.6.0.2 list=vpn
add address=67.22.32.168 list=vpn
add address=vator.org list=vpn
add address=www.new-rutor.info list=vpn
add address=proxy-rutor.org list=vpn
add address=sopcast.com list=vpn
add address=4pda.ru list=vpn
add address=gulagu.net list=vpn
add address=www.vpnbook.com list=vpn
add address=rutracker.org list=vpn
add address=kinoflux.org list=vpn
add address=bridges.torproject.org list=vpn
add address=www.torproject.org list=vpn
add address=dist.torproject.org list=vpn
add address=Twitter.com list=vpn
add address=mobile.twitter.com list=vpn
add address=twitterinc.com list=vpn
add address=facebook.com list=vpn
add address=m.facebook.com list=vpn
add address=instagram.com list=vpn
add address=31.13.71.174 list=vpn
add address=nnm-club.me list=vpn
add address=riseup.net list=vpn
add address=www.pimpletv.ru list=vpn
add address=2ip.ru list=vpn
add address=speedtest.net list=vpn
add address=livetv.sx list=vpn
/ip firewall filter
add action=accept chain=input comment="default configuration" protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=\
    established,related
add action=accept chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=input protocol=udp
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=\
    new in-interface=ether1-gateway
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=vpn in-interface=bridge-local new-routing-mark=vpn \
    passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface=vpn src-address=192.168.3.0/24
add action=masquerade chain=srcnat src-address=192.168.3.0/24
add action=masquerade chain=srcnat comment="default configuration" disabled=yes out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=3389 protocol=tcp to-addresses=\
    192.168.3.38 to-ports=3389
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=137 log-prefix=192.168.3.38 protocol=tcp \
    to-ports=137
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=139 protocol=tcp to-addresses=192.168.3.38 \
    to-ports=139
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=443 protocol=tcp to-addresses=192.168.3.38 \
    to-ports=443
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=80 protocol=tcp to-addresses=192.168.3.38 \
    to-ports=80
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=1434 protocol=tcp to-addresses=\
    192.168.3.38 to-ports=1434
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=1433 protocol=tcp to-addresses=\
    192.168.3.38 to-ports=1433
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=1812 protocol=udp to-addresses=\
    192.168.3.38 to-ports=1812
add action=dst-nat chain=dstnat dst-address=46.72.238.149 dst-port=1813 protocol=udp to-addresses=\
    192.168.3.38 to-ports=1813
/ip route
add distance=1 gateway=vpn routing-mark=vpn
add distance=1 dst-address=192.168.0.0/24 gateway=192.168.0.1
/ip route rule
add action=lookup-only-in-table routing-mark=vpn table=vpn
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set winbox address=192.168.3.0/24,217.25.239.152/32
set api-ssl disabled=yes
/ppp secret
add local-address=192.168.3.1 name=test password=*** remote-address=192.168.3.100 service=pptp
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system package update
set channel=bugfix
/tool graphing
set store-every=hour
/tool graphing interface
add allow-address=192.168.3.0/24 store-on-disk=no
add allow-address=217.25.239.152/32 store-on-disk=no
/tool graphing resource
add allow-address=192.168.3.0/24
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=wlan1
add interface=bridge-local
/tool romon port
add

 

У Вас видимо прошивка старая, у меня 7я ветка, мне не нравится mangle, в mangle зачем то бридж как IN

Ваш конфиг

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=vpn in-interface=bridge-local new-routing-mark=vpn \
    passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=vpn src-address=192.168.3.0/24
    
/ip route
add distance=1 gateway=vpn routing-mark=vpn


в Моем работает так, причем я обновлялся с ветки 6 на 7, ничего не трогая, как работало так и работает

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes dst-address-list=rkn new-routing-mark=table_vpn passthrough=yes src-address=192.168.100.0/24

/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=vpn routing-mark=table_vpn

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway= "IP шлюза vpn" pref-src=0.0.0.0 routing-table=table_vpn scope=30 suppress-hw-offload=no \
    target-scope=10

 

ну и вообщем, с компа трасировка покажет куда пакет пытается идти

 

PS и выключите старый и не нужные статики

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.