Что имеется:
Роутер MicroTik RBD52G-5HacD2HnD, RouterOS 7,13, адрес 192.168.88.1
Роутер будет иногда переноситься с одного места, на другое, со сменой провайдера (вместе оба провайдера работать точно не будут).
На первом порту: Идентификация доступа в интернет по MAC адресу, идёт раздача WiFi и немного перенаправления портов.
Что хотелось бы иметь:
при подключении во второй порт Ethernet нужно, чтобы работал второй провайдер интернет, с иденитификацией через PPPOE, ну и чтобы продолжалась раздача интернета по WiFi, при этом при подключении во второй порт Ethernet, перенаправление портов не важно (кроме winbox конечно). Важно, что физически роутер будет переезжать с места не место, т.е. это не одномоментная работа двух провайдеров.
Просто дал в руки человеку, который подключил в одном месте, через неделю переехал с роутером, включил в другом месте провода и всё, и с настройками чтобы не мучался.
Буду благодарен за любые советы по текущей конфигурации роутера, вдруг что-то перемудрил.
Конфигурация роутера:
# 2024-01-09 16:32:50 by RouterOS 7.13
# software id = FAGH-CT77
#
# model = RBD52G-5HacD2HnD
# serial number = A9740A84EE26
/interface bridge
add admin-mac=74:4D:28:01:D0:9E auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid="Home-net mctk 2GHz" station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid="Home-net mctk 5GHz" station-roaming=enabled wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] mac-address=D4:BF:7F:72:08:B9
/disk
set usb1 type=hardware
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2 internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set default-profile=default enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.200 client-id=1:b8:ec:a3:d8:c1:df mac-address=B8:EC:A3:D8:C1:DF server=defconf
add address=192.168.88.188 mac-address=50:3E:AA:CC:5B:15 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Rule for outside access to the router via winbox" dst-address=!192.168.88.1 dst-port=8291 protocol=tcp src-port=!8291
add action=accept chain=forward connection-nat-state=dstnat connection-state=new in-interface=ether1
add action=accept chain=input comment="Rule for outside hidden access to the router via web interface" dst-address=!192.168.88.1 dst-port=3131 protocol=tcp src-port=!3131
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Forwarding to QNAP NAS web interface" dst-port=8080 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=8080
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=443
add action=dst-nat chain=dstnat dst-port=8081 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=8081
add action=dst-nat chain=dstnat dst-port=2622 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=2622
add action=dst-nat chain=dstnat dst-port=5000 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=5000
add action=dst-nat chain=dstnat dst-port=21 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=21
add action=dst-nat chain=dstnat dst-port=5001 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=5001
add action=dst-nat chain=dstnat dst-port=1723 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=1723
add action=dst-nat chain=dstnat dst-port=1701 in-interface=ether1 protocol=udp to-addresses=192.168.88.200 to-ports=1701
add action=dst-nat chain=dstnat dst-port=500 in-interface=ether1 protocol=udp to-addresses=192.168.88.200 to-ports=500
add action=dst-nat chain=dstnat dst-port=4500 in-interface=ether1 protocol=udp to-addresses=192.168.88.200 to-ports=4500
add action=dst-nat chain=dstnat dst-port=6881 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=6881
add action=dst-nat chain=dstnat dst-port=6881 in-interface=ether1 protocol=udp to-addresses=192.168.88.200 to-ports=6881
add action=dst-nat chain=dstnat dst-port=4433 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=4433
add action=dst-nat chain=dstnat dst-port=6880 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=6882
add action=dst-nat chain=dstnat dst-port=6969 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=6969
add action=dst-nat chain=dstnat dst-port=6969 in-interface=ether1 protocol=udp to-addresses=192.168.88.200 to-ports=6969
add action=dst-nat chain=dstnat dst-port=6880 in-interface=ether1 protocol=udp to-addresses=192.168.88.200 to-ports=6882
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip service
set www address=0.0.0.0/0 port=3131
/ip smb
set enabled=yes
/ip smb shares
add directory=/usb1 name=share1
/ppp secret
add caller-id=111111 local-address=192.168.88.1 name=vpn remote-address=192.168.88.150 service=l2tp
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp.msk-ix.ru
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >
# software id = FAGH-CT77
#
# model = RBD52G-5HacD2HnD
# serial number = A9740A84EE26
/interface bridge
add admin-mac=74:4D:28:01:D0:9E auto-mac=no comment=defconf name=bridge port-cost-mode=short
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid="Home-net mctk 2GHz" station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] antenna-gain=0 band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto installation=indoor mode=ap-bridge ssid="Home-net mctk 5GHz" station-roaming=enabled wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] mac-address=D4:BF:7F:72:08:B9
/disk
set usb1 type=hardware
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
add address-pool=dhcp interface=bridge lease-time=10m name=defconf
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2 internal-path-cost=10 path-cost=10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set default-profile=default enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface pptp-server server
# PPTP connections are considered unsafe, it is suggested to use a more modern VPN protocol instead
set enabled=yes
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.88.200 client-id=1:b8:ec:a3:d8:c1:df mac-address=B8:EC:A3:D8:C1:DF server=defconf
add address=192.168.88.188 mac-address=50:3E:AA:CC:5B:15 server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="Rule for outside access to the router via winbox" dst-address=!192.168.88.1 dst-port=8291 protocol=tcp src-port=!8291
add action=accept chain=forward connection-nat-state=dstnat connection-state=new in-interface=ether1
add action=accept chain=input comment="Rule for outside hidden access to the router via web interface" dst-address=!192.168.88.1 dst-port=3131 protocol=tcp src-port=!3131
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Forwarding to QNAP NAS web interface" dst-port=8080 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=8080
add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=443
add action=dst-nat chain=dstnat dst-port=8081 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=8081
add action=dst-nat chain=dstnat dst-port=2622 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=2622
add action=dst-nat chain=dstnat dst-port=5000 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=5000
add action=dst-nat chain=dstnat dst-port=21 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=21
add action=dst-nat chain=dstnat dst-port=5001 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=5001
add action=dst-nat chain=dstnat dst-port=1723 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=1723
add action=dst-nat chain=dstnat dst-port=1701 in-interface=ether1 protocol=udp to-addresses=192.168.88.200 to-ports=1701
add action=dst-nat chain=dstnat dst-port=500 in-interface=ether1 protocol=udp to-addresses=192.168.88.200 to-ports=500
add action=dst-nat chain=dstnat dst-port=4500 in-interface=ether1 protocol=udp to-addresses=192.168.88.200 to-ports=4500
add action=dst-nat chain=dstnat dst-port=6881 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=6881
add action=dst-nat chain=dstnat dst-port=6881 in-interface=ether1 protocol=udp to-addresses=192.168.88.200 to-ports=6881
add action=dst-nat chain=dstnat dst-port=4433 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=4433
add action=dst-nat chain=dstnat dst-port=6880 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=6882
add action=dst-nat chain=dstnat dst-port=6969 in-interface=ether1 protocol=tcp to-addresses=192.168.88.200 to-ports=6969
add action=dst-nat chain=dstnat dst-port=6969 in-interface=ether1 protocol=udp to-addresses=192.168.88.200 to-ports=6969
add action=dst-nat chain=dstnat dst-port=6880 in-interface=ether1 protocol=udp to-addresses=192.168.88.200 to-ports=6882
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
/ip service
set www address=0.0.0.0/0 port=3131
/ip smb
set enabled=yes
/ip smb shares
add directory=/usb1 name=share1
/ppp secret
add caller-id=111111 local-address=192.168.88.1 name=vpn remote-address=192.168.88.150 service=l2tp
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=ntp.msk-ix.ru
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
[admin@MikroTik] >