Имеем кучу мостов и сетей. Но проблема в следующем. Нам нельзя ходить из 85 сети в 80, а наоборот можно. Казалось бы, всё просто? Пишем правила . . .
Не работает вот так. Пинги не идут в 85 сеть из 80, на устройства зайти нельзя тоже.
Отключаем верхнее правило, в нижнем ставим галку "new" — работает, но некоторые SIP-устройства не могут подключиться к Астериску, хотя правило касательно него тоже есть. Объясните, помогите.
Почему не работают правила ?
Скриншоты не информативны, выполните ip firewall filter export и покажите результат.
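/ip firewall filter
# Input-chain brute-force throttling. A new connection to the port walks the
# source address through stage lists (stage_1 -> stage_2 -> stage_3) and, on the
# next hit, into a 1d blacklist that the first rule of each group drops. The
# rules are listed blacklist-first so that an already listed address is dropped
# before it can advance the stages again.
add action=drop chain=input comment=\
"Bruteforce login prevention(Winbox: drop Winbox brute forcers)" dst-port=\
8291 protocol=tcp src-address-list=winbox_blacklist
add action=add-src-to-address-list address-list=winbox_blacklist \
address-list-timeout=1d chain=input connection-state=new dst-port=8291 \
protocol=tcp src-address-list=winbox_stage_3
add action=add-src-to-address-list address-list=winbox_stage_3 \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
protocol=tcp src-address-list=winbox_stage_2
add action=add-src-to-address-list address-list=winbox_stage_2 \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
protocol=tcp src-address-list=winbox_stage_1
add action=add-src-to-address-list address-list=winbox_stage_1 \
address-list-timeout=1m chain=input connection-state=new dst-port=8291 \
protocol=tcp
# NOTE(review): no input rule in this export accepts tcp/22, so a new SSH
# connection to the router is dropped by the final "All other drop" rule in any
# case; these stage lists get populated but never decide anything.
add action=drop chain=input comment="Bruteforce ssh prevention" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=3m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=3m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=3m chain=input connection-state=new dst-port=22 \
protocol=tcp
# L2TP/IPsec runs over UDP (IKE 500, NAT-T 4500, L2TP 1701). The exported rules
# matched protocol=tcp on these ports and therefore never saw VPN traffic;
# changed to protocol=udp.
# NOTE(review): as with SSH, no input rule accepts these ports from the WAN
# side, so the VPN is reachable only once such an accept rule is added.
add action=drop chain=input comment="Bruteforce l2tp prevention" dst-port=\
1701,500,4500 protocol=udp src-address-list=l2tp_BlackList
add action=add-src-to-address-list address-list=l2tp_BlackList \
address-list-timeout=1d chain=input connection-state=new dst-port=\
1701,500,4500 protocol=udp src-address-list=l2tp_stage_3
add action=add-src-to-address-list address-list=l2tp_stage_3 \
address-list-timeout=3m chain=input connection-state=new dst-port=\
1701,500,4500 protocol=udp src-address-list=l2tp_stage_2
add action=add-src-to-address-list address-list=l2tp_stage_2 \
address-list-timeout=3m chain=input connection-state=new dst-port=\
1701,500,4500 protocol=udp src-address-list=l2tp_stage_1
add action=add-src-to-address-list address-list=l2tp_stage_1 \
address-list-timeout=3m chain=input connection-state=new dst-port=\
1701,500,4500 protocol=udp
# Inter-subnet policy (forward chain). Order matters: these rules sit ABOVE the
# established/related accepts further down, so the drop rule must keep
# connection-state=new -- without it, reply packets of connections opened from
# the 80 net into the 85 net are dropped here too, which is exactly the
# "80 cannot reach 85" symptom. The Asterisk accept has no protocol/port match,
# so SIP and RTP from the 85 net to 192.168.80.216 pass it; phones that still
# fail presumably talk to some other 80-net address (provisioning, DNS, NTP) --
# temporarily adding log=yes log-prefix="85to80-drop" to the drop rule shows
# in the log which packets it catches.
add action=accept chain=forward comment="From 85 net to Asterisk" dst-address=\
192.168.80.216 src-address=192.168.85.0/24
# Disabled in the export: with the drop below limited to connection-state=new,
# this explicit accept is not needed for 80 -> 85 traffic (it falls through to
# the per-bridge UDP and per-subnet accepts further down).
add action=accept chain=forward comment="From 80 to 85 net accept" disabled=yes \
dst-address=192.168.85.0/24 src-address=192.168.80.0/24
add action=drop chain=forward comment="From 85 to 80 net - drop" \
connection-state=new dst-address=192.168.80.0/24 src-address=\
192.168.85.0/24
add action=drop chain=input comment="Black List from Adress Lists" \
src-address-list="Block IP"
# NOTE(review): the comment says "from Local" but the matcher is
# in-interface=Internet, i.e. this drops DNS queries arriving from the WAN side
# (open-resolver protection). Only udp/53 is covered; tcp/53 is not.
add action=drop chain=input comment="Block DNS from Local" dst-port=53 \
in-interface=Internet protocol=udp
# ICMP is accepted in both chains from any source. New ICMP from 85 to 80 is
# already dropped by the policy rule above, so this does not bypass it.
add action=accept chain=forward comment="Allow Ping" protocol=icmp
add action=accept chain=input protocol=icmp
# Hosts in the no_inet list may not be forwarded unless they enter via the
# named WAN interface (the negated in-interface match).
add action=drop chain=forward comment=No_inet_pool in-interface=!ether1 \
src-address-list=no_inet
add action=drop chain=forward comment=No_inet_pool in-interface=\
"!Beeline Reserv" src-address-list=no_inet
# Disabled content-filtering / remote-access blocks; kept as exported.
add action=drop chain=forward comment="GUEST Wi-Fi Drop" disabled=yes protocol=\
tcp src-address=192.168.88.0/24
add action=drop chain=forward comment=AMMY content=rl.ammyy.com disabled=yes
add action=drop chain=forward comment="Block Teamviewer" disabled=yes \
src-address-list=Teamviewer
add action=drop chain=forward content=" rl.ammyy.com" disabled=yes
add action=drop chain=input comment="Block Teamviewer" disabled=yes \
src-address-list=Teamviewer
add action=drop chain=forward comment="TeamViewer: block port 5938" disabled=\
yes dst-port=5938 out-interface=ether1 protocol=tcp
add action=accept chain=forward comment="Allow RDP" disabled=yes dst-port=3389 \
protocol=tcp
# Stateful accepts. The usual layout puts these at the top of each chain; here
# they come after the policy rules, so every packet of every connection is
# matched against everything above first (correct, but more work per packet).
add action=accept chain=input comment="Accept established connections" \
connection-state=established
add action=accept chain=forward connection-state=established
add action=accept chain=input comment="Accept related connections" \
connection-state=related
add action=accept chain=forward connection-state=related
# NOTE(review): these accept ANY UDP arriving on each bridge, in both chains,
# with no dst-port or src-address restriction. In forward they are reached only
# by packets the 85 -> 80 drop above did not already catch.
add action=accept chain=input comment="Allow UDP_80" in-interface=\
Local_bridge_80 protocol=udp
add action=accept chain=forward in-interface=Local_bridge_80 protocol=udp
add action=accept chain=input comment="Allow UDP_85" in-interface=\
Local_bridge_85 protocol=udp
add action=accept chain=forward in-interface=Local_bridge_85 protocol=udp
add action=accept chain=input comment="Allow UDP_87" in-interface=\
Local_bridge_87 protocol=udp
add action=accept chain=forward in-interface=Local_bridge_87 protocol=udp
add action=accept chain=input comment="Allow UDP_88" in-interface=\
Local_bridge_88 protocol=udp
add action=accept chain=forward in-interface=Local_bridge_88 protocol=udp
add action=drop chain=input comment="Drop invalid connections" \
connection-state=invalid
add action=drop chain=forward connection-state=invalid
# NOTE(review): Winbox (8291) is accepted from every interface including the
# WAN; the staged blacklist above throttles guessing but does not limit who may
# try. Restricting with in-interface or a src-address-list is the usual
# hardening.
add action=accept chain=input comment="Access to Mikrotik" dst-port=8291 \
protocol=tcp
# NOTE(review): despite the comments these rules have no out-interface or
# dst-address match, so they accept traffic from each subnet to ANY
# destination, including the other local subnets; only new 85 -> 80 connections
# are excluded (dropped earlier). Add out-interface=ether1 (or the WAN
# interface list) if "internet only" is the intent.
add action=accept chain=forward comment=\
"Access to internet from local network 80" in-interface=Local_bridge_80 \
src-address=192.168.80.0/24
add action=accept chain=forward comment=\
"Access to internet from local network 85" in-interface=Local_bridge_85 \
src-address=192.168.85.0/24
add action=accept chain=forward comment=\
"Access to internet from local network 87" in-interface=Local_bridge_87 \
src-address=192.168.87.0/24
add action=accept chain=forward comment=\
"Access to internet from local network 88" in-interface=Local_bridge_88 \
src-address=192.168.88.0/24
# Default deny for everything not accepted above.
add action=drop chain=input comment="All other drop"
add action=drop chain=forward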
From 80 to 85 net accept - соответственно отключено ибо не пашет
может лучше запретить не правилом, а маршрутом?
Вот выдержка:
Откройте меню IP - Routes;
Перейдите на вкладку Rules;
Нажмите "красный плюсик";
В поле Src. Address укажите офисную подсеть 192.168.88.0/24;
В поле Dst. Address укажите гостевую подсеть 192.168.10.0/24;
В списке Action выберите unreachable;
Нажмите кнопку OK.
Некоторые адреса из подсети всё же должны быть доступны. Целиком сеть нельзя делать недоступной.