Собственно, столкнулся с проблемой, да даже не проблемой, а небольшим недопониманием в работе маршрутизации.
В общем, расклад такой: имеем hEX S, в него приходит оптика через SFP, адрес по DHCP он получает на порту SFP, и на нём же поднят свой DHCP-сервер.
После микротика стоит Keenetic, который, собственно, раздаёт Wi-Fi устройствам (микротик в данном случае стоит вместо роутера МГТС).
Имеем следующую адресацию:
10.2.1.254-микротик
100.98.60.85-адрес получаемый от мгтс
192.168.1.1-onu
10.10.1.254-keenetic
Всё на данный момент работает, кроме пинга от микротика до конечных устройств. Пинг с ноута на микротик через Keenetic идёт идеально, а вот в обратную сторону — нет.
# oct/31/2023 21:08:12 by RouterOS 6.49.10
# software id = 7DD5-869L
#
# model = RB760iGS
# serial number = A36A0B7831D9
/interface bridge
# bridge1 is the LAN side: ether2-ether4 join it below and it carries 10.2.1.254/24.
add name=bridge1
/interface ethernet
# sfp1 is the fibre uplink from the ONU; only the shutdown temperature is non-default.
set [ find default-name=sfp1 ] sfp-shutdown-temperature=80C
/interface list
# The WAN/LAN lists scope the firewall, neighbor discovery and MAC server further down.
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Dynamic range for bridge1 clients. 10.2.1.30 (top of the range) is also pinned by the
# static lease below; RouterOS should not hand a statically leased address out
# dynamically, but keeping static addresses outside the pool avoids relying on that.
add name=pool1 ranges=10.2.1.2-10.2.1.30
/ip dhcp-server
# DHCP server on the LAN bridge only; add-arp=yes creates an ARP entry per lease.
add add-arp=yes address-pool=pool1 disabled=no interface=bridge1 lease-time=\
1d10m name=server1
/interface bridge port
# ether3 is a bridge1 member and therefore has no L3 identity of its own; the
# 10.10.1.0/24 static route further down nevertheless names it as gateway.
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) is announced on LAN-list interfaces only, not sfp1.
set discover-interface-list=LAN
/interface list member
add interface=bridge1 list=LAN
add interface=sfp1 list=WAN
/ip address
add address=10.2.1.254/24 comment=lan interface=bridge1 network=10.2.1.0
# Second address on the uplink so the ONU management side (192.168.1.1 per the post)
# stays reachable next to the provider-assigned DHCP address.
add address=192.168.1.11/24 comment="lan onu" interface=sfp1 network=\
192.168.1.0
/ip dhcp-client
# Provider address via DHCP on sfp1. The post reports 100.98.60.85, which lies in the
# 100.64.0.0/10 shared address space, i.e. the WAN side is most likely behind carrier NAT.
add disabled=no interface=sfp1
/ip dhcp-server lease
# Fixed lease pinning one MAC to 10.2.1.30 -- presumably the Keenetic WAN port; confirm.
add address=10.2.1.30 client-id=1:50:ff:20:79:2c:de mac-address=\
50:FF:20:79:2C:DE server=server1
/ip dhcp-server network
add address=10.2.1.0/24 gateway=10.2.1.254 netmask=24
/ip dns
# The router answers DNS for clients; only the input-chain "drop all not coming from
# LAN" rule keeps this from being an open resolver towards sfp1.
set allow-remote-requests=yes
/ip firewall address-list
# Disabled placeholder entry that only makes the BlackList name exist; the rules below
# populate the list dynamically with timeouts.
add disabled=yes list=BlackList
/ip firewall filter
# Rule #1: a new TCP connection arriving on sfp1 for any of these ports tags the source
# in BlackList for 10h. As far as this export shows, none of the listed ports is a
# service enabled here (www is on 9090, winbox on 49010 and limited to LAN, ssh off).
# The list is only *written* by this rule; the raw rule that would drop listed sources
# is disabled, so tagging has no blocking effect in this configuration.
add action=add-src-to-address-list address-list=BlackList \
address-list-timeout=10h chain=input comment="Rule #1 \"Block TCP port sca\
nning\": add a device scanning an unused port to BlackList." \
connection-state=new dst-port=\
20-25,80,110,161,443,445,3128,3306,3333,3389,7547,8291,8080-8082 \
in-interface=sfp1 protocol=tcp
# defconf rules as shipped by RouterOS: fasttrack established/related, accept
# established/related/untracked, drop invalid, allow ICMP, then drop everything
# addressed to the router itself that did not arrive on a LAN-list interface.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# ICMP (including ping) to the router is accepted from any interface, sfp1 included.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Forward chain: established/related/untracked pass, invalid is dropped, new inbound
# from WAN without a dst-nat is dropped. Nothing restricts LAN->WAN or LAN->10.10.1.0/24.
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Duplicate of the "defconf: drop invalid" input rule above; it cannot match anything
# that rule did not already drop and can be removed.
add action=drop chain=input connection-state=invalid
/ip firewall nat
# Source NAT of everything leaving the uplink behind the provider-assigned address.
add action=masquerade chain=srcnat out-interface=sfp1
/ip firewall raw
# Rule #10 would drop packets from BlackList sources before connection tracking, but
# it is disabled=yes -- enable it if the tagging rules are meant to block anything.
add action=drop chain=prerouting comment="Rule #10 \"BlackList\": reject the c\
onnection with a device from the Blacklist." disabled=yes \
src-address-list=BlackList
# Rule #15: matches the router's own outgoing packets carrying the login-failure text
# and tags the *destination* (the client that failed) for 1h10m. Content matching is a
# plaintext string match, so it presumably only catches unencrypted services (www on
# 9090 here); verify it fires at all with ssh/api disabled.
add action=add-dst-to-address-list address-list=BlackList \
address-list-timeout=1h10m chain=output comment="Rule #15 \"Bruteforce\": \
add a device performing unsuccessful authorization to BlackList." \
content="invalid user name or password"
/ip firewall service-port
# Connection-tracking helpers (ALGs) switched off, which reduces conntrack's parsing surface.
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
set pptp disabled=yes
set dccp disabled=yes
/ip route
# Static route to the Keenetic LAN (10.10.1.0/24 per the post). The gateway is ether3,
# which is a slave port of bridge1 (see /interface bridge port), not a next-hop address;
# the L3 interface for that segment is bridge1, so this route is the most likely reason
# router-originated pings to 10.10.1.x fail while the reverse direction works.
# NOTE(review): point it at the Keenetic's 10.2.1.x WAN address instead (10.2.1.30 if
# the static lease above is the Keenetic -- confirm). The Keenetic itself must also
# accept and route un-NATed traffic arriving on its WAN side for replies to come back.
add distance=1 dst-address=10.10.1.0/24 gateway=ether3
/ip service
# Management plane: telnet/ftp/ssh/api/api-ssl off, www moved to 9090 with no address
# restriction (it relies on the input-chain "!LAN" drop), winbox on 49010 limited to
# the LAN subnet.
set telnet disabled=yes
set ftp disabled=yes
set www port=9090
# ssh is disabled; the port change to 2233 only takes effect if it is re-enabled.
set ssh disabled=yes port=2233
set api disabled=yes
set winbox address=10.2.1.0/24 port=49010
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system package update
# Updates are tracked from the long-term channel (the post's export header shows 6.49.10).
set channel=long-term
/system script
# Plays a melody on the onboard beeper (:beep/:delay only). The policy list grants
# ftp,reboot,write,policy,password,sniff,sensitive,romon, none of which a beep sequence
# uses; least privilege says trim it to what :beep/:delay actually need (probably only
# read,test -- confirm by running the script). dont-require-permissions=no at least
# means a caller must hold these policies itself to run it.
add dont-require-permissions=no name="Imperial marsh" owner=root policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
beep frequency=500 length=500ms;\r\
\n:delay 500ms;\r\
\n:beep frequency=500 length=500ms;\r\
\n:delay 500ms;\r\
\n:beep frequency=500 length=500ms;\r\
\n:delay 500ms;\r\
\n:beep frequency=400 length=500ms;\r\
\n:delay 400ms;\r\
\n:beep frequency=600 length=200ms;\r\
\n:delay 100ms;\r\
\n:beep frequency=500 length=500ms;\r\
\n:delay 500ms;\r\
\n:beep frequency=400 length=500ms;\r\
\n:delay 400ms;\r\
\n:beep frequency=600 length=200ms;\r\
\n:delay 100ms;\r\
\n:beep frequency=500 length=500ms;\r\
\n:delay 1000ms;\r\
\n:beep frequency=750 length=500ms;\r\
\n:delay 500ms;\r\
\n:beep frequency=750 length=500ms;\r\
\n:delay 500ms;\r\
\n:beep frequency=750 length=500ms;\r\
\n:delay 500ms;\r\
\n:beep frequency=810 length=500ms;\r\
\n:delay 400ms;\r\
\n:beep frequency=600 length=200ms;\r\
\n:delay 100ms;\r\
\n:beep frequency=470 length=500ms;\r\
\n:delay 500ms;\r\
\n:beep frequency=400 length=500ms;\r\
\n:delay 400ms;\r\
\n:beep frequency=600 length=200ms;\r\
\n:delay 100ms;\r\
\n:beep frequency=500 length=500ms;\r\
\n:delay 1000ms;"
/tool mac-server
# MAC-telnet and MAC-winbox only answer on LAN-list interfaces (bridge1), never on sfp1.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# software id = 7DD5-869L
#
# model = RB760iGS
# serial number = A36A0B7831D9
/interface bridge
# bridge1 is the LAN side: ether2-ether4 join it below and it carries 10.2.1.254/24.
add name=bridge1
/interface ethernet
# sfp1 is the fibre uplink from the ONU; only the shutdown temperature is non-default.
set [ find default-name=sfp1 ] sfp-shutdown-temperature=80C
/interface list
# The WAN/LAN lists scope the firewall, neighbor discovery and MAC server further down.
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# Dynamic range for bridge1 clients. 10.2.1.30 (top of the range) is also pinned by the
# static lease below; RouterOS should not hand a statically leased address out
# dynamically, but keeping static addresses outside the pool avoids relying on that.
add name=pool1 ranges=10.2.1.2-10.2.1.30
/ip dhcp-server
# DHCP server on the LAN bridge only; add-arp=yes creates an ARP entry per lease.
add add-arp=yes address-pool=pool1 disabled=no interface=bridge1 lease-time=\
1d10m name=server1
/interface bridge port
# ether3 is a bridge1 member and therefore has no L3 identity of its own; the
# 10.10.1.0/24 static route further down nevertheless names it as gateway.
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) is announced on LAN-list interfaces only, not sfp1.
set discover-interface-list=LAN
/interface list member
add interface=bridge1 list=LAN
add interface=sfp1 list=WAN
/ip address
add address=10.2.1.254/24 comment=lan interface=bridge1 network=10.2.1.0
# Second address on the uplink so the ONU management side (192.168.1.1 per the post)
# stays reachable next to the provider-assigned DHCP address.
add address=192.168.1.11/24 comment="lan onu" interface=sfp1 network=\
192.168.1.0
/ip dhcp-client
# Provider address via DHCP on sfp1. The post reports 100.98.60.85, which lies in the
# 100.64.0.0/10 shared address space, i.e. the WAN side is most likely behind carrier NAT.
add disabled=no interface=sfp1
/ip dhcp-server lease
# Fixed lease pinning one MAC to 10.2.1.30 -- presumably the Keenetic WAN port; confirm.
add address=10.2.1.30 client-id=1:50:ff:20:79:2c:de mac-address=\
50:FF:20:79:2C:DE server=server1
/ip dhcp-server network
add address=10.2.1.0/24 gateway=10.2.1.254 netmask=24
/ip dns
# The router answers DNS for clients; only the input-chain "drop all not coming from
# LAN" rule keeps this from being an open resolver towards sfp1.
set allow-remote-requests=yes
/ip firewall address-list
# Disabled placeholder entry that only makes the BlackList name exist; the rules below
# populate the list dynamically with timeouts.
add disabled=yes list=BlackList
/ip firewall filter
# Rule #1: a new TCP connection arriving on sfp1 for any of these ports tags the source
# in BlackList for 10h. As far as this export shows, none of the listed ports is a
# service enabled here (www is on 9090, winbox on 49010 and limited to LAN, ssh off).
# The list is only *written* by this rule; the raw rule that would drop listed sources
# is disabled, so tagging has no blocking effect in this configuration.
add action=add-src-to-address-list address-list=BlackList \
address-list-timeout=10h chain=input comment="Rule #1 \"Block TCP port sca\
nning\": add a device scanning an unused port to BlackList." \
connection-state=new dst-port=\
20-25,80,110,161,443,445,3128,3306,3333,3389,7547,8291,8080-8082 \
in-interface=sfp1 protocol=tcp
# defconf rules as shipped by RouterOS: fasttrack established/related, accept
# established/related/untracked, drop invalid, allow ICMP, then drop everything
# addressed to the router itself that did not arrive on a LAN-list interface.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
# ICMP (including ping) to the router is accepted from any interface, sfp1 included.
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Forward chain: established/related/untracked pass, invalid is dropped, new inbound
# from WAN without a dst-nat is dropped. Nothing restricts LAN->WAN or LAN->10.10.1.0/24.
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Duplicate of the "defconf: drop invalid" input rule above; it cannot match anything
# that rule did not already drop and can be removed.
add action=drop chain=input connection-state=invalid
/ip firewall nat
# Source NAT of everything leaving the uplink behind the provider-assigned address.
add action=masquerade chain=srcnat out-interface=sfp1
/ip firewall raw
# Rule #10 would drop packets from BlackList sources before connection tracking, but
# it is disabled=yes -- enable it if the tagging rules are meant to block anything.
add action=drop chain=prerouting comment="Rule #10 \"BlackList\": reject the c\
onnection with a device from the Blacklist." disabled=yes \
src-address-list=BlackList
# Rule #15: matches the router's own outgoing packets carrying the login-failure text
# and tags the *destination* (the client that failed) for 1h10m. Content matching is a
# plaintext string match, so it presumably only catches unencrypted services (www on
# 9090 here); verify it fires at all with ssh/api disabled.
add action=add-dst-to-address-list address-list=BlackList \
address-list-timeout=1h10m chain=output comment="Rule #15 \"Bruteforce\": \
add a device performing unsuccessful authorization to BlackList." \
content="invalid user name or password"
/ip firewall service-port
# Connection-tracking helpers (ALGs) switched off, which reduces conntrack's parsing surface.
set ftp disabled=yes
set tftp disabled=yes
set sip disabled=yes
set pptp disabled=yes
set dccp disabled=yes
/ip route
# Static route to the Keenetic LAN (10.10.1.0/24 per the post). The gateway is ether3,
# which is a slave port of bridge1 (see /interface bridge port), not a next-hop address;
# the L3 interface for that segment is bridge1, so this route is the most likely reason
# router-originated pings to 10.10.1.x fail while the reverse direction works.
# NOTE(review): point it at the Keenetic's 10.2.1.x WAN address instead (10.2.1.30 if
# the static lease above is the Keenetic -- confirm). The Keenetic itself must also
# accept and route un-NATed traffic arriving on its WAN side for replies to come back.
add distance=1 dst-address=10.10.1.0/24 gateway=ether3
/ip service
# Management plane: telnet/ftp/ssh/api/api-ssl off, www moved to 9090 with no address
# restriction (it relies on the input-chain "!LAN" drop), winbox on 49010 limited to
# the LAN subnet.
set telnet disabled=yes
set ftp disabled=yes
set www port=9090
# ssh is disabled; the port change to 2233 only takes effect if it is re-enabled.
set ssh disabled=yes port=2233
set api disabled=yes
set winbox address=10.2.1.0/24 port=49010
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system package update
# Updates are tracked from the long-term channel (the post's export header shows 6.49.10).
set channel=long-term
/system script
# Plays a melody on the onboard beeper (:beep/:delay only). The policy list grants
# ftp,reboot,write,policy,password,sniff,sensitive,romon, none of which a beep sequence
# uses; least privilege says trim it to what :beep/:delay actually need (probably only
# read,test -- confirm by running the script). dont-require-permissions=no at least
# means a caller must hold these policies itself to run it.
add dont-require-permissions=no name="Imperial marsh" owner=root policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":\
beep frequency=500 length=500ms;\r\
\n:delay 500ms;\r\
\n:beep frequency=500 length=500ms;\r\
\n:delay 500ms;\r\
\n:beep frequency=500 length=500ms;\r\
\n:delay 500ms;\r\
\n:beep frequency=400 length=500ms;\r\
\n:delay 400ms;\r\
\n:beep frequency=600 length=200ms;\r\
\n:delay 100ms;\r\
\n:beep frequency=500 length=500ms;\r\
\n:delay 500ms;\r\
\n:beep frequency=400 length=500ms;\r\
\n:delay 400ms;\r\
\n:beep frequency=600 length=200ms;\r\
\n:delay 100ms;\r\
\n:beep frequency=500 length=500ms;\r\
\n:delay 1000ms;\r\
\n:beep frequency=750 length=500ms;\r\
\n:delay 500ms;\r\
\n:beep frequency=750 length=500ms;\r\
\n:delay 500ms;\r\
\n:beep frequency=750 length=500ms;\r\
\n:delay 500ms;\r\
\n:beep frequency=810 length=500ms;\r\
\n:delay 400ms;\r\
\n:beep frequency=600 length=200ms;\r\
\n:delay 100ms;\r\
\n:beep frequency=470 length=500ms;\r\
\n:delay 500ms;\r\
\n:beep frequency=400 length=500ms;\r\
\n:delay 400ms;\r\
\n:beep frequency=600 length=200ms;\r\
\n:delay 100ms;\r\
\n:beep frequency=500 length=500ms;\r\
\n:delay 1000ms;"
/tool mac-server
# MAC-telnet and MAC-winbox only answer on LAN-list interfaces (bridge1), never on sfp1.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN