alibek Posted December 17, 2014

It has been a long time since I last worked with MikroTik and I have forgotten the finer points. Please help me check and correct the configuration.

The router is an RB2011UAS.
Ports eth1-eth5: local network, joined into a bridge (I had doubts about the switch chip working properly).
Port eth6: provider 1, gives access to local resources (DHCP) and to the Internet (PPPoE).
Port eth7: provider 2, gives access to the Internet (PPPoE).
Ports eth8, eth9: not used.
Port eth10: not used for now; later it will be a separate network, with a PPPoE server running on the interface.

The configuration is roughly as follows:

/ip pool
add name=pool-lan ranges=192.168.48.0/24
add name=dhcp-lan ranges=192.168.48.1-192.168.48.99
/ip dhcp-server
add add-arp=yes address-pool=dhcp-lan disabled=no interface=bridge-lan lease-time=30m name=dhcp-lan
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap default-route-distance=2 dial-on-demand=no disabled=no interface=eth6,sfp1 keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe1 password=pwd profile=default service-name="" use-peer-dns=yes user=user1
add ac-name="" add-default-route=yes allow=pap,chap default-route-distance=10 dial-on-demand=no disabled=no interface=eth7 keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=1600 name=pppoe2 password=pwd profile=default service-name="" use-peer-dns=yes user=user2
/interface bridge port
add bridge=bridge-lan interface=eth1
add bridge=bridge-lan interface=eth2
add bridge=bridge-lan interface=eth3
add bridge=bridge-lan interface=eth4
add bridge=bridge-lan interface=eth5
/ip address
add address=192.168.48.250/24 interface=bridge-lan network=192.168.48.0
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=eth6 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=192.168.48.0/24 dns-server=192.168.48.250 gateway=192.168.48.250 netmask=24 ntp-server=192.168.48.250
/ip dns
set allow-remote-requests=yes
/ip route
add distance=1 dst-address=10.1.0.0/16 gateway=10.0.0.1

The firewall settings I made are these:

/ip firewall address-list
add address=192.168.48.0/24 list=acl-lan
add address=192.168.48.100 list=acl-admin
add address=0.0.0.0/8 list=acl-invalid
add address=127.0.0.0/8 list=acl-invalid
add address=0.0.0.0/8 list=acl-bogon
add address=10.0.0.0/8 list=acl-bogon
add address=100.64.0.0/10 list=acl-bogon
add address=127.0.0.0/8 list=acl-bogon
add address=169.254.0.0/16 list=acl-bogon
add address=172.16.0.0/12 list=acl-bogon
add address=192.0.0.0/24 list=acl-bogon
add address=192.0.2.0/24 list=acl-bogon
add address=192.168.0.0/16 list=acl-bogon
add address=198.18.0.0/15 list=acl-bogon
add address=198.51.100.0/24 list=acl-bogon
add address=203.0.113.0/24 list=acl-bogon
add address=224.0.0.0/4 list=acl-bogon
add address=240.0.0.0/4 list=acl-bogon
/ip firewall nat
add action=masquerade chain=srcnat comment="Internet over prov1" out-interface=pppoe1 src-address-list=acl-lan
add action=masquerade chain=srcnat comment="Intranet over prov1" out-interface=eth6 src-address-list=acl-lan
add action=masquerade chain=srcnat comment="Internet over prov2" out-interface=pppoe2 src-address-list=acl-lan
/ip firewall filter
add action=drop chain=input comment="Self Normalization: Drop Bogons" in-interface=pppoe1 log=yes log-prefix="BOGONS: " src-address-list=acl-bogon
add action=drop chain=input comment="Self Normalization: Drop Bogons" in-interface=pppoe2 log=yes log-prefix="BOGONS: " src-address-list=acl-bogon
add action=drop chain=input comment="Self Normalization: Drop Invalid" connection-state=invalid
add chain=input comment="Self Normalization: Skip Established" connection-state=established
add chain=input comment="Self Normalization: Skip Related" connection-state=related
add chain=input comment="Border: Allow ICMP" protocol=icmp
add chain=input comment="Border: Allow Remote" connection-state=new dst-port=8291 protocol=tcp src-address-list=acl-admin
add chain=input comment="Border: Allow LAN" connection-state=new src-address-list=acl-lan
add action=drop chain=input comment="Border: Block not LAN" connection-state=new in-interface=!bridge-lan
add action=drop chain=input comment="Border: Default Policy" log=yes log-prefix="DROP: "
add chain=output comment="Border: Limit outgoing UDP" limit=5,20 protocol=udp
add action=drop chain=forward comment="Drop Invalid Src" log=yes log-prefix="INVALID: " src-address-list=acl-invalid
add action=drop chain=forward comment="Drop Invalid Dst" dst-address-list=acl-invalid log=yes log-prefix="INVALID: "
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add chain=forward comment="Skip Established" connection-state=established
add chain=forward comment="Skip Related" connection-state=related
add action=jump chain=forward comment="Processing ICMP" jump-target=icmp protocol=icmp
add chain=forward comment="Allow from LAN" in-interface=bridge-lan src-address-list=acl-lan
add chain=forward comment="Allow from LAN" out-interface=bridge-lan src-address-list=acl-lan
add action=drop chain=forward comment="LAST RULE" log=yes log-prefix="DROP: "
add chain=icmp comment="ICMP: echo reply" icmp-options=0:0 protocol=icmp
add chain=icmp comment="ICMP: network unreachable" icmp-options=3:0 protocol=icmp
add chain=icmp comment="ICMP: host unreachable" icmp-options=3:1 protocol=icmp
add chain=icmp comment="ICMP: host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add chain=icmp comment="ICMP: source quench" icmp-options=4:0 protocol=icmp
add chain=icmp comment="ICMP: echo request" icmp-options=8:0 protocol=icmp
add chain=icmp comment="ICMP: time exceed" icmp-options=11:0 protocol=icmp
add chain=icmp comment="ICMP: parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="ICMP: drop other" log=yes log-prefix="ICMP: "
add chain=forward comment="Allow to LAN" out-interface=bridge-lan src-address-list=acl-lan
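A small review aid for a rule set like the one posted above, added here as an example and not part of the original post or of RouterOS: it parses the `add ...` lines of a `/ip firewall filter` export and reports three things a reviewer looks for first. A rule placed after an unconditional terminal rule in the same chain can never match (the final "Allow to LAN" rule above sits after the catch-all "LAST RULE" drop); a `jump` to a chain that is never defined; and a built-in chain that has no catch-all and so falls through to the implicit accept (the `output` chain above, where the `limit` rule only accepts the first packets and nothing drops the rest). The sample export is a constructed subset of the page's rules; the parsing and the set of terminal actions are the example's own assumptions, not a RouterOS API.

```python
import shlex

# Actions that end processing of the current chain for a matching packet
# (assumption of this example; jump/log/passthrough are not terminal).
TERMINAL_ACTIONS = {"accept", "drop", "reject", "tarpit", "return"}
BUILTIN_CHAINS = {"input", "forward", "output"}
# Properties that do not narrow what a rule matches.
NON_MATCHERS = {"log", "log-prefix", "jump-target", "disabled", "place-before"}

# Constructed sample: a subset of the rules from the post, in the same order.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=drop chain=input comment="Self Normalization: Drop Invalid" connection-state=invalid
add chain=input comment="Self Normalization: Skip Established" connection-state=established
add chain=input comment="Border: Allow LAN" connection-state=new src-address-list=acl-lan
add action=drop chain=input comment="Border: Default Policy" log=yes log-prefix="DROP: "
add chain=output comment="Border: Limit outgoing UDP" limit=5,20 protocol=udp
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add chain=forward comment="Skip Established" connection-state=established
add action=jump chain=forward comment="Processing ICMP" jump-target=icmp protocol=icmp
add chain=forward comment="Allow from LAN" in-interface=bridge-lan src-address-list=acl-lan
add action=drop chain=forward comment="LAST RULE" log=yes log-prefix="DROP: "
add chain=icmp comment="ICMP: echo request" icmp-options=8:0 protocol=icmp
add action=drop chain=icmp comment="ICMP: drop other" log=yes log-prefix="ICMP: "
add chain=forward comment="Allow to LAN" out-interface=bridge-lan src-address-list=acl-lan
"""


def parse_filter_export(text):
    """Parse the 'add ...' lines of a /ip firewall filter export.

    Each rule becomes a dict with chain, action, comment, line, jump_target
    and matchers (every remaining key=value property).
    """
    rules = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line.startswith("add "):
            continue  # skip path lines such as '/ip firewall filter'
        props = {}
        for token in shlex.split(line[4:]):  # handles quoted comments/prefixes
            key, _, value = token.partition("=")
            props[key] = value
        rule = {
            "line": line_no,
            "chain": props.pop("chain"),
            "action": props.pop("action", "accept"),  # RouterOS default action
            "comment": props.pop("comment", ""),
            "jump_target": props.pop("jump-target", None),
        }
        rule["matchers"] = {k: v for k, v in props.items() if k not in NON_MATCHERS}
        rules.append(rule)
    return rules


def lint_rules(rules):
    """Return sorted (kind, chain, line) findings for a parsed rule list."""
    findings = []
    chains = {}
    for rule in rules:
        chains.setdefault(rule["chain"], []).append(rule)
    for chain, chain_rules in chains.items():
        sealed = False  # becomes True after a catch-all terminal rule
        last_reachable = None
        for rule in chain_rules:
            if sealed:
                findings.append(("unreachable", chain, rule["line"]))
                continue
            last_reachable = rule
            if rule["action"] == "jump" and rule["jump_target"] not in chains:
                findings.append(("undefined-jump", chain, rule["line"]))
            if rule["action"] in TERMINAL_ACTIONS and not rule["matchers"]:
                sealed = True
        # A user chain that falls through returns to its caller; only the
        # built-in chains fall through to the implicit accept.
        if chain in BUILTIN_CHAINS and not sealed:
            findings.append(("implicit-accept", chain, last_reachable["line"]))
    return sorted(findings)


def lint_export(text):
    """Parse and lint an export in one call."""
    return lint_rules(parse_filter_export(text))


if __name__ == "__main__":
    for kind, chain, line in lint_export(SAMPLE_EXPORT):
        print(f"line {line}: chain {chain}: {kind}")
```

Run it on a full `/ip firewall filter export` and treat every `unreachable` finding as either a rule to move above the catch-all or a leftover to delete; an `implicit-accept` on a built-in chain means the chain's last word is RouterOS's default accept, not a rule you wrote.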