Маркировка пакетов через тунель gre
-
gregory1988
- Сообщения: 41
- Зарегистрирован: 27 ноя 2021, 01:51
m1 роутер через который должен маркировать роутер m2, тоесть клиент за m2 должен иметь ИП м1
-
gregory1988
- Сообщения: 41
- Зарегистрирован: 27 ноя 2021, 01:51
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=add-src-to-address-list address-list="bann black list" address-list-timeout=1h chain=input \
connection-limit=30,32 in-interface=combo1 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input src-address-list="bann black list"
add action=jump chain=input connection-state=new dst-port=8291 in-interface=combo1 jump-target=\
"anti-brute Force" protocol=tcp
add action=return chain="anti-brute Force" dst-limit=5/1m,1,src-address/1m40s
add action=add-src-to-address-list address-list=ban-BruteForce address-list-timeout=1w chain=\
"anti-brute Force"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=53 in-interface=!combo1 protocol=udp
add action=accept chain=input dst-port=500,1701,4500 in-interface=combo1 protocol=udp
add action=accept chain=input in-interface=combo1 protocol=ipsec-esp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=add-src-to-address-list address-list="bann black list" address-list-timeout=1h chain=input \
connection-limit=30,32 in-interface=combo1 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input src-address-list="bann black list"
add action=jump chain=input connection-state=new dst-port=8291 in-interface=combo1 jump-target=\
"anti-brute Force" protocol=tcp
add action=return chain="anti-brute Force" dst-limit=5/1m,1,src-address/1m40s
add action=add-src-to-address-list address-list=ban-BruteForce address-list-timeout=1w chain=\
"anti-brute Force"
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input dst-port=53 in-interface=!combo1 protocol=udp
add action=accept chain=input dst-port=500,1701,4500 in-interface=combo1 protocol=udp
add action=accept chain=input in-interface=combo1 protocol=ipsec-esp
add action=drop chain=input
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=\
!dstnat connection-state=new in-interface-list=WAN
-
gregory1988
- Сообщения: 41
- Зарегистрирован: 27 ноя 2021, 01:51
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=mark passthrough=no routing-mark=mark \
src-address=10.70.7.51
add action=mark-routing chain=prerouting new-routing-mark=mark passthrough=no routing-mark=mark \
src-address=10.70.7.51
-
gregory1988
- Сообщения: 41
- Зарегистрирован: 27 ноя 2021, 01:51
/ip route
add distance=1 gateway=10.10.10.2 routing-mark=mark
add distance=1 gateway=11111111
add distance=1 dst-address=192.168.24.0/24 gateway=10.10.10.2
add distance=1 dst-address=192.168.31.0/24 gateway=10.10.10.2
add distance=1 gateway=10.10.10.2 routing-mark=mark
add distance=1 gateway=11111111
add distance=1 dst-address=192.168.24.0/24 gateway=10.10.10.2
add distance=1 dst-address=192.168.31.0/24 gateway=10.10.10.2
-
gregory1988
- Сообщения: 41
- Зарегистрирован: 27 ноя 2021, 01:51
add action=accept chain=input dst-port=8291 protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input dst-port=53 in-interface=!ether1 protocol=udp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=forward dst-address=10.70.7.0/24 src-address=192.168.24.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input dst-port=53 in-interface=!ether1 protocol=udp
add action=accept chain=input dst-port=500,1701,4500 in-interface=ether1 protocol=udp
add action=accept chain=input in-interface=ether1 protocol=ipsec-esp
add action=accept chain=forward dst-address=10.70.7.0/24 src-address=192.168.24.0/24
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new \
in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
-
gregory1988
- Сообщения: 41
- Зарегистрирован: 27 ноя 2021, 01:51
/ip route
add distance=1 gateway=11111111
add distance=1 dst-address=10.70.7.0/24 gateway=10.10.10.3
add distance=1 gateway=11111111
add distance=1 dst-address=10.70.7.0/24 gateway=10.10.10.3
-
gregory1988
- Сообщения: 41
- Зарегистрирован: 27 ноя 2021, 01:51
Mangle пустой и нат один провайдер.
-
gregory1988
- Сообщения: 41
- Зарегистрирован: 27 ноя 2021, 01:51
Не mangle, а NAT
add action=masquerade chain=srcnat out-interface=combo1
add action=masquerade chain=srcnat out-interface="gre"
add action=masquerade chain=srcnat out-interface=combo1
add action=masquerade chain=srcnat out-interface="gre"