Не во всех случаях работает NAT

[Roman.Pospelov]

Интернет заведен по оптоволокну в роутер провайдера, к потру этого роутера подключен Mikrotik, который раздает WiFi, почти все работает, но я заметил, что некоторые функции не работают, а именно, например если я зайду на developer.apple.com и попытаюсь там авторизоваться с помощью Passkey то выводится сообщение "Не удается верифицировать аккаунт".  На Mikrotik настроено правило блокировки входящих соединений (последнее в списке ниже), я настроил вывод в лог для этого правила:

Код: Выделить всё

/ip firewall filter
add action=accept chain=input comment="Accept established,related" connection-state=established,related in-interface-list=WAN
add action=drop chain=input comment="Drop invalid" connection-state=invalid in-interface-list=WAN
add action=drop chain=input comment="Drop all from WAN" in-interface-list=WAN log=yes log-prefix="DROP IN"

Тогда в лог начали попадать сообщения вида:

Код: Выделить всё

DROP IN input: in:ether1-ISP out:(unknown 0), connection-state:new src-mac 7c:52:59:d3:a0:ae, proto TCP (ACK), 17.253.73.203:443->192.168.100.2:50003, len 1496

192.168.100.2 - адрес, который выдает роутер провайдер моему Mikrotik. Отключение этого правила не дало результата. Тогда я добавил еще парочку правил:

Код: Выделить всё

/ip firewall nat
add action=dst-nat chain=dstnat dst-port=46000-65000 in-interface=ether1-ISP protocol=tcp to-addresses=10.20.30.252
add action=dst-nat chain=dstnat dst-port=46000-65000 in-interface=ether1-ISP protocol=udp to-addresses=10.20.30.252

10.20.30.252 - адрес одного из компьютеров подключенного к WiFi, на нем все стало работать.

Как можно настроить, чтобы работало для всех устройств в сети WiFi?

 Конфигурация

# 2023-12-15 11:34:03 by RouterOS 7.12.1
#
# model = RBD53iG-5HacD2HnD
/interface bridge
add name=LAN-bridge
add name=VPN-bridge
/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISP
/interface wireguard
add listen-port=37826 mtu=1420 name=wg-home
/interface list
add name=WAN
add name=HomeVPN
add name=LAN
/interface wifiwave2 channel
add band=5ghz-ac disabled=no frequency=5650-5730 name=chn_5
/interface wifiwave2 configuration
add country=Georgia disabled=no mode=ap name=cfg-ap-LAN \
security.authentication-types=wpa2-psk,wpa3-psk .management-protection=\
allowed ssid=Pumba
add disabled=no mode=ap name=cfg-ap-home-5G security.authentication-types=\
wpa2-psk,wpa3-psk .management-protection=allowed ssid=Zebra
add disabled=no mode=ap name=cfg-ap-home-2G security.authentication-types=\
wpa2-psk .encryption="" .management-protection=allowed ssid=\
"Zebra Legacy"
/interface wifiwave2
set [ find default-name=wifi1 ] configuration=cfg-ap-home-2G \
configuration.mode=ap name=wifi-2G-VPN
set [ find default-name=wifi2 ] channel.frequency=5700 configuration=\
cfg-ap-LAN configuration.mode=ap disabled=no mtu=1450 name=wifi-5G-LAN \
security.authentication-types=wpa2-psk,wpa3-psk
add configuration=cfg-ap-home-5G configuration.mode=ap disabled=no \
mac-address=1A:FD:74:E4:3D:44 master-interface=wifi-5G-LAN name=\
wifi-5G-VPN security.authentication-types=wpa2-psk,wpa3-psk
/ip pool
add name=LAN-pool ranges=10.20.30.30-10.20.30.254
add name=VPN-pool ranges=10.20.31.30-10.20.31.254
/ip dhcp-server
add address-pool=LAN-pool interface=LAN-bridge lease-time=10m name=LAN-dhcp
add address-pool=VPN-pool interface=VPN-bridge lease-time=10m name=VPN-dchp
/ppp profile
add bridge=VPN-bridge change-tcp-mss=no name=home use-compression=no \
use-mpls=yes
add change-tcp-mss=yes name=vps-ru use-compression=no use-mpls=yes
/interface l2tp-client
add allow-fast-path=yes connect-to=XXX.XXX.XXX.65 max-mru=1418 max-mtu=1418 \
name=l2tp-home profile=home use-ipsec=yes user=galileo
/routing table
add disabled=no fib name=home_l2tp
add disabled=no fib name=vpn_vps_ru
add disabled=no fib name=home_wg
/certificate settings
set crl-download=yes
/interface bridge port
add bridge=LAN-bridge interface=ether2
add bridge=LAN-bridge interface=ether3
add bridge=LAN-bridge interface=ether4
add bridge=VPN-bridge interface=ether5
add bridge=VPN-bridge interface=wifi-5G-VPN
add bridge=LAN-bridge interface=wifi-5G-LAN
add bridge=VPN-bridge interface=wifi-2G-VPN
/interface list member
add interface=l2tp-home list=HomeVPN
add interface=wg-home list=HomeVPN
add interface=ether1-ISP list=WAN
add interface=LAN-bridge list=LAN
add interface=VPN-bridge list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=XXX.XXX.XXX.65 endpoint-port=\
13231 interface=wg-home persistent-keepalive=20s preshared-key=\
"presharedkey" public-key=\
"publickey"
/ip address
add address=10.20.30.1/24 interface=LAN-bridge network=10.20.30.0
add address=10.20.31.1/24 interface=VPN-bridge network=10.20.31.0
add address=192.168.21.4 interface=wg-home network=192.168.21.4
/ip dhcp-client
add add-default-route=special-classless default-route-distance=2 disabled=yes \
interface=wifi-2G-VPN
add interface=ether1-ISP
/ip dhcp-server network
add address=10.20.30.0/24 dns-server=10.20.30.1 gateway=10.20.30.1
add address=10.20.31.0/24 dns-server=192.168.21.1,8.8.8.8 gateway=10.20.31.1
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=1.1.1.1,8.8.8.8 \
use-doh-server=https://doh.opendns.com/dns-query verify-doh-cert=yes
/ip firewall address-list
add address=stackoverflow.com list=no_vpn_list
add address=habr.com list=no_vpn_list
add address=199.223.232.0/21 comment=Youtube list=no_vpn_list
add address=207.223.160.0/20 comment=Youtube list=no_vpn_list
add address=208.65.152.0/22 comment=Youtube list=no_vpn_list
add address=208.117.224.0/19 comment=Youtube list=no_vpn_list
add address=209.85.128.0/17 comment=Youtube list=no_vpn_list
add address=216.58.192.0/19 comment=Youtube list=no_vpn_list
add address=216.239.32.0/19 comment=Youtube list=no_vpn_list
add address=192.168.1.3 list=home
add address=192.168.1.4 list=home
add address=192.168.1.1 list=home
add address=192.168.1.2 list=home
add address=boosty.to list=russia
add address=ozon.ru list=russia
add address=ozone.ru list=russia
add address=static.boosty.to list=russia
/ip firewall filter
add action=accept chain=input comment="Accept established,related" \
connection-state=established,related in-interface-list=WAN
add action=drop chain=input comment="Drop invalid" connection-state=invalid \
in-interface-list=WAN
add action=accept chain=input comment="Accept ICMP" in-interface-list=WAN \
protocol=icmp
add action=accept chain=input comment="Home Wireguard: accept" dst-port=37826 \
protocol=udp src-address=XXX.XXX.XXX.65
add action=drop chain=input comment="Drop all from WAN" \
in-interface-list=WAN log=yes log-prefix="DROP IN"
add action=fasttrack-connection chain=forward comment=Fasttrack \
connection-state=established,related hw-offload=yes in-interface-list=WAN \
out-interface-list=LAN
add action=fasttrack-connection chain=forward connection-state=\
established,related hw-offload=yes in-interface-list=LAN \
out-interface-list=WAN
add action=accept chain=forward comment="Accept established,related" \
connection-state=established,related in-interface-list=WAN
add action=add-dst-to-address-list address-list=no_vpn_list \
address-list-timeout=4d chain=forward comment=\
"Add to the list youtube addresses" dst-port=443 protocol=tcp tls-host=\
*youtube*
add action=drop chain=forward comment="Drop all from WAN (excl.DNAT)" \
connection-nat-state=!dstnat in-interface-list=WAN log=yes log-prefix=\
"DROP FW"
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=yes in-interface=VPN-bridge \
new-routing-mark=home_l2tp passthrough=yes
add action=add-dst-to-address-list address-list=no_vpn_list \
address-list-timeout=4d chain=forward comment=\
"Collect Youtube IP addresses to no_vpn_list" dst-port=443 protocol=tcp \
tls-host=*youtube*
add action=add-dst-to-address-list address-list=russia address-list-timeout=\
4d chain=forward comment="Collect OZON addresses to home list" dst-port=\
443 log-prefix=COLLECT protocol=tcp tls-host=*.ozon.ru
add action=add-dst-to-address-list address-list=russia address-list-timeout=\
4d chain=forward dst-port=443 log-prefix=COLLECT protocol=tcp tls-host=\
*.ozone.ru
add action=mark-routing chain=prerouting comment=\
"For routing VPN-BRIDGE through WG-HOME" in-interface=VPN-bridge \
new-routing-mark=home_wg passthrough=yes
add action=mark-routing chain=prerouting comment=\
"For rounting VPN-BRIDGE through ISP for no_vpn_list" dst-address-list=\
no_vpn_list in-interface=VPN-bridge new-routing-mark=main passthrough=yes
add action=mark-routing chain=prerouting comment=\
"For routing Home IPs through Home VPN" dst-address-list=home \
in-interface=LAN-bridge new-routing-mark=home_wg passthrough=yes
add action=mark-routing chain=prerouting comment=\
"For routing russia list through Home VPN" dst-address-list=russia \
in-interface=LAN-bridge new-routing-mark=home_wg passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
10.20.30.0/24
add action=masquerade chain=srcnat comment="Home Wireguard for no_vpn_list" \
out-interface-list=WAN src-address=10.20.31.0/24
# l2tp-home not ready
add action=masquerade chain=srcnat comment="Home L2TP" out-interface=\
l2tp-home src-address=10.20.31.0/24
add action=masquerade chain=srcnat comment="Home Wireguard from VPN-bridge" \
out-interface=wg-home src-address=10.20.31.0/24
add action=masquerade chain=srcnat comment="Home Wireguard from LAN-bridge" \
out-interface=wg-home src-address=10.20.30.0/24
add action=dst-nat chain=dstnat disabled=yes dst-port=46000-65000 \
in-interface=ether1-ISP log=yes log-prefix=DSNAT protocol=tcp \
to-addresses=10.20.30.252
add action=dst-nat chain=dstnat disabled=yes dst-port=46000-65000 \
in-interface=ether1-ISP log=yes log-prefix=DSNAT protocol=udp \
to-addresses=10.20.30.252
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=l2tp-home pref-src=\
"" routing-table=home_l2tp scope=30 suppress-hw-offload=no target-scope=\
10
add disabled=yes distance=1 dst-address=10.20.31.0/24 gateway=VPN-bridge \
pref-src="" routing-table=vpn_vps_ru scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=192.168.1.0/24 gateway=l2tp-home \
pref-src="" routing-table=home_l2tp scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=10.20.30.1/32 gateway=LAN-bridge \
pref-src="" routing-table=home_l2tp scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=0.0.0.0/0 gateway=*11 pref-src="" \
routing-table=vpn_vps_ru scope=30 suppress-hw-offload=no target-scope=10
add disabled=yes distance=1 dst-address=10.20.30.1/32 gateway=LAN-bridge \
pref-src="" routing-table=vpn_vps_ru scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no dst-address=0.0.0.0/0 gateway=wg-home routing-table=home_wg \
suppress-hw-offload=no
add disabled=no distance=1 dst-address=10.20.30.1/32 gateway=LAN-bridge \
pref-src="" routing-table=home_wg scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=192.168.21.0/24 gateway=wg-home \
pref-src="" routing-table=home_wg scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=10.20.31.0/24 gateway=VPN-bridge \
pref-src="" routing-table=home_wg scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=wg-home \
pref-src="" routing-table=home_wg scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=yes distance=1 dst-address=10.20.31.0/24 gateway=VPN-bridge \
pref-src="" routing-table=home_l2tp scope=30 suppress-hw-offload=no \
target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add forced-ip=192.168.21.4 interface=wg-home type=external
add interface=LAN-bridge type=internal
add interface=VPN-bridge type=internal
add interface=ether1-ISP type=external
/system clock
set time-zone-name=Asia/Tbilisi
/system identity
set name=Forest
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.google.com

[svetogor82]

разрешите цепочку forward на свой ip

[Roman.Pospelov]

Я пробовал разрешать всю цепочку forward без ограничений, так же пробовал выключить все правила, но это не помогает. Проблема остается. Так же я заметил, что в редких случаях авторизация срабатывает, примерно в 1 случае из 10, совершенно случайно. При подключении к другим сетям WiFi все работает идеально, так что проблема явно в моем маршрутизаторе.

[Roman.Pospelov]

Проблема решена. Я заметил, что при подключении по кабелю проблемы нет и все работает хорошо. Для решения проблемы при подключении по Wi-Fi добавил такое правило:

Код: Выделить всё

/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=no protocol=tcp tcp-flags=syn