NAT + EoIP
Добавлено: 13 апр 2016, 09:48
Настроил связь между офисами с помощью eoip туннеля (PPTP 1.1.1.1->1.1.1.2, два микротика 951G), адресное пространство общее (192.168.2.0). Если находиться в данном адресном пространстве (тоесть подключенным локально к одному из роутеров) то оба роутера доступны по ip. Но если мне надо зайти на роутер клиент (192.168.2.81), через внешний (ddns) интерфейс роутера сервера (192.168.2.1), на котором настроен проброс портов (2710->80) на web клиента, то ничего не получается.
Если нужна доп инфо спрашивайте, я не силен еще в микротиках.
ps прошу прощения, была изначально допущена ошибка, недоступен только именно роутер клиент, однако локалка этого клиента открывается (ip камеры, принтеры). Тоесть проблема в том что не могу зайти в веб оболочку роутера клиента через внешний интерфейс роутера сервера, с локалки по ip заходит нормально.
Зыы необходимость заходить на клиент через сервер обусловлена тем что клиент имеет инет через 3г модем у которого серый ip, тоесть ddns не проканает. Белый ip есть только у роутера-сервера.
export:
Если нужна доп инфо спрашивайте, я не силен еще в микротиках.
ps прошу прощения, была изначально допущена ошибка, недоступен только именно роутер клиент, однако локалка этого клиента открывается (ip камеры, принтеры). Тоесть проблема в том что не могу зайти в веб оболочку роутера клиента через внешний интерфейс роутера сервера, с локалки по ip заходит нормально.
Зыы необходимость заходить на клиент через сервер обусловлена тем что клиент имеет инет через 3г модем у которого серый ip, тоесть ddns не проканает. Белый ip есть только у роутера-сервера.
export:
Код: Выделить всё
# apr/13/2016 12:30:12 by RouterOS 6.34.4
# software id = 4W29-ZFQ9
#
/interface bridge
add admin-mac=D4:CA:6D:DD:95:01 auto-mac=no mtu=1492 name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
country=russia disabled=no distance=indoors frequency=2422 mode=ap-bridge \
mtu=1492 ssid=*********** wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] mtu=1492 name=ether1-gateway
set [ find default-name=ether2 ] mtu=1492 name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local mtu=1492 \
name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local mtu=1492 \
name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local mtu=1492 \
name=ether5-slave-local
/interface eoip
add !keepalive local-address=1.1.1.1 mac-address=02:94:F2:51:3A:13 name=\
eoip-agar remote-address=1.1.1.3 tunnel-id=2
add !keepalive local-address=1.1.1.1 mac-address=02:94:F6:D9:89:26 name=\
eoip-sklad remote-address=1.1.1.2 tunnel-id=1
/ip neighbor discovery
set wlan1 discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
wpa-pre-shared-key=*********** wpa2-pre-shared-key=*********
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=dhcp ranges=192.168.2.100-192.168.2.199
/ip dhcp-server
add add-arp=yes address-pool=dhcp disabled=no interface=bridge-local \
lease-time=3d name=office
/port
set 0 name=usb1
/interface ppp-client
add apn=internet name=ppp-out1 port=usb1
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=eoip-sklad
add bridge=bridge-local interface=eoip-agar
/interface pptp-server server
set authentication=chap,mschap1,mschap2 enabled=yes
/ip address
add address=192.168.2.1/24 comment="default configuration" interface=\
ether2-master-local network=192.168.2.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.2.7 comment=buh mac-address=00:50:8D:B0:B4:7B
add address=192.168.2.13 comment=gigaset595 mac-address=7C:2F:80:1E:AD:92
add address=192.168.2.101 comment=brother_logist mac-address=\
00:1B:A9:EC:3E:E6
add address=192.168.2.102 comment=brother_reception mac-address=\
00:1B:A9:ED:A0:99
add address=192.168.2.103 comment=brother_dostavka mac-address=\
00:80:92:BD:69:8F
add address=192.168.2.104 comment=brother_sklad mac-address=00:80:92:CE:90:82
add address=192.168.2.222 comment=program_server mac-address=\
D8:50:E6:DC:76:CF
add address=192.168.2.200 comment=videoserver mac-address=F0:79:59:8E:89:46
add address=192.168.2.2 comment=kassa mac-address=20:CF:30:EB:3D:A5
add address=192.168.2.150 comment=asterisk mac-address=00:1F:C6:9B:8B:63
add address=192.168.2.151 comment=cisco8800 mac-address=B8:62:1F:88:3D:FC
add address=192.168.2.250 comment=switch mac-address=E8:DE:27:FD:8F:D5
add address=192.168.2.152 comment=cisco8000 mac-address=20:AA:4B:58:03:04
add address=192.168.2.3 comment=kirill mac-address=20:16:D8:BF:B5:DA
add address=192.168.2.4 comment=ira mac-address=00:25:22:89:C9:89
add address=192.168.2.5 comment=sasha mac-address=20:16:D8:BF:A6:C7
add address=192.168.2.6 comment=popov mac-address=DC:0E:A1:2E:83:22
add address=192.168.2.8 comment=sklad mac-address=00:26:18:F3:A8:23
add address=192.168.2.9 comment=popova mac-address=F4:6D:04:0A:F6:C1
add address=192.168.2.10 comment=aksenov mac-address=B8:88:E3:B7:0F:DF
add address=192.168.2.12 comment=math mac-address=88:AE:1D:CA:09:41
add address=192.168.2.17 comment=yagovitin mac-address=00:1A:4D:37:86:A7
add address=192.168.2.14 comment=gigaset470 mac-address=00:01:E3:A2:39:15
add address=192.168.2.16 comment=mgk mac-address=7C:E9:D3:50:13:F6
add address=192.168.2.18 always-broadcast=yes comment=olya mac-address=\
20:16:D8:BF:B7:78
add address=192.168.2.105 comment=brother_buh mac-address=30:05:5C:2C:00:CD
add address=192.168.2.11 comment=4824 mac-address=00:15:99:7E:CC:9A
add address=192.168.2.20 comment=public mac-address=1C:7E:E5:C9:42:1C
add address=192.168.2.92 client-id=1:28:10:7b:18:23:62 comment=cam_agar \
mac-address=28:10:7B:18:23:62 server=office
/ip dhcp-server network
add address=192.168.2.0/24 comment="default configuration" dns-server=\
8.8.8.8,78.29.2.21 gateway=192.168.2.1 netmask=24 wins-server=8.8.8.8
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip dns static
add address=192.168.2.1 name=router
/ip firewall filter
add chain=input comment="default configuration" connection-state=\
established,related
add action=drop chain=input connection-state=invalid
add chain=input comment="default configuration" protocol=icmp
add chain=input dst-port=53 in-interface=bridge-local protocol=udp \
src-address=192.168.2.0/24
add chain=input dst-port=8291 in-interface=bridge-local protocol=tcp \
src-address=192.168.2.0/24
add chain=input dst-port=2709 protocol=tcp
add chain=input dst-port=1723 protocol=tcp
add chain=input protocol=gre
add chain=forward comment="default configuration" connection-state=\
established,related
add chain=forward dst-address=192.168.2.0/24 dst-port=\
80,443,21,2222,200,3306,8090,874,9102,2710,4880-4900 in-interface=\
ether1-gateway protocol=tcp
add chain=forward in-interface=bridge-local src-address=192.168.2.0/24
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
/ip firewall mangle
add action=change-mss chain=forward new-mss=1448 protocol=tcp tcp-flags=syn \
tcp-mss=!0-1448
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="Harpin NAT" out-interface=\
bridge-local protocol=tcp src-address=192.168.2.0/24
add action=netmap chain=dstnat comment=videoserver dst-address-type=local \
dst-port=200 protocol=tcp to-addresses=192.168.2.200 to-ports=80
add action=netmap chain=dstnat comment=program_server dst-address-type=local \
dst-port=80,443 protocol=tcp to-addresses=192.168.2.222 to-ports=443
add action=netmap chain=dstnat comment=ftp dst-address-type=local dst-port=21 \
protocol=tcp to-addresses=192.168.2.20 to-ports=21
add action=netmap chain=dstnat comment=kassa dst-address-type=local dst-port=\
2222 protocol=tcp to-addresses=192.168.2.2 to-ports=2222
add action=netmap chain=dstnat comment=mysql dst-address-type=local dst-port=\
3306 protocol=tcp to-addresses=192.168.2.222 to-ports=3306
add action=netmap chain=dstnat comment=brother_reception dst-address-type=\
local dst-port=9102 protocol=tcp to-addresses=192.168.2.102 to-ports=9100
add action=netmap chain=dstnat comment=asterisk dst-address-type=local \
dst-port=8090 protocol=tcp to-addresses=192.168.2.150 to-ports=80
add action=netmap chain=dstnat comment=avreg dst-address-type=local dst-port=\
874 protocol=tcp to-addresses=192.168.2.200 to-ports=874
add action=netmap chain=dstnat comment=vnc_program_server dst-address-type=\
local dst-port=4880 protocol=tcp to-addresses=192.168.2.222 to-ports=5900
add action=netmap chain=dstnat comment=vnc_videoserver dst-address-type=local \
dst-port=4881 protocol=tcp to-addresses=192.168.2.200 to-ports=5900
add action=netmap chain=dstnat comment=vnc_asterisk dst-address-type=local \
dst-port=4882 protocol=tcp to-addresses=192.168.2.150 to-ports=5900
add action=netmap chain=dstnat comment=vnc_reception dst-address-type=local \
dst-port=4889 protocol=tcp to-addresses=192.168.2.2 to-ports=5900
add action=netmap chain=dstnat comment=vnc_kirill dst-address-type=local \
dst-port=4885 protocol=tcp to-addresses=192.168.2.3 to-ports=5900
add action=netmap chain=dstnat comment=vnc_ira dst-address-type=local \
dst-port=4899 protocol=tcp to-addresses=192.168.2.4 to-ports=5900
add action=netmap chain=dstnat comment=vnc_sasha dst-address-type=local \
dst-port=4897 protocol=tcp to-addresses=192.168.2.5 to-ports=5900
add action=netmap chain=dstnat comment=vnc_popov dst-address-type=local \
dst-port=4895 protocol=tcp to-addresses=192.168.2.6 to-ports=5900
add action=netmap chain=dstnat comment=vnc_buh dst-address-type=local \
dst-port=4888 protocol=tcp to-addresses=192.168.2.7 to-ports=5900
add action=netmap chain=dstnat comment=vnc_sklad dst-address-type=local \
dst-port=4884 protocol=tcp to-addresses=192.168.2.8 to-ports=5900
add action=netmap chain=dstnat comment=vnc_anna dst-address-type=local \
dst-port=4894 protocol=tcp to-addresses=192.168.2.9 to-ports=5900
add action=netmap chain=dstnat comment=vnc_aksenov dst-address-type=local \
dst-port=4890 protocol=tcp to-addresses=192.168.2.10 to-ports=5900
add action=netmap chain=dstnat comment=vnc_math dst-address-type=local \
dst-port=4886 protocol=tcp to-addresses=192.168.2.12 to-ports=5900
add action=netmap chain=dstnat comment=vnc_yagovitin dst-address-type=local \
dst-port=4887 protocol=tcp to-addresses=192.168.2.17 to-ports=5900
add action=netmap chain=dstnat comment=vnc_mgk dst-address-type=local \
dst-port=4883 protocol=tcp to-addresses=192.168.2.16 to-ports=5900
add action=netmap chain=dstnat comment=vnc_olya dst-address-type=local \
dst-port=4891 protocol=tcp to-addresses=192.168.2.18 to-ports=5900
add action=netmap chain=dstnat comment=router_sklad dst-port=2710 protocol=\
tcp to-addresses=192.168.2.81 to-ports=80
/ip firewall service-port
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
/ip route
add distance=1 dst-address=192.168.3.0/24 gateway=192.168.3.1 pref-src=\
192.168.3.2
/ip service
set telnet disabled=yes
set www port=2709
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ppp secret
add local-address=1.1.1.1 name=sklad password=manato172719 profile=\
default-encryption remote-address=1.1.1.2 service=pptp
add local-address=1.1.1.1 name=agar password=manato172719 profile=\
default-encryption remote-address=1.1.1.3 service=pptp
/system clock
set time-zone-name=Asia/Yekaterinburg
/system leds
set 0 interface=wlan1
/system scheduler
add interval=10m name=dyndns on-event="/system script run afraid" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=\
startup
/system script
add name=afraid owner=maxtor policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source="#######\
####### Script FreeDNS.afraid.org ##################\
\n############## PARSER EDITION ##################\
\n############## CREATED LESHIY_ODESSA ##################\
\n \
\n# Specify the \"Direct URL\", which is https://freedns.afraid.org/dynami\
c/\
\n# If RouterOS version 5.xx, then remove from the URL encryption - \"http\
s\" change this to \"http\". Also see below.\
\n# In front of the sign \"\?\" put a backslash \"\\\".\
\n:global \"direct-url\" \"http://freedns.afraid.org/dynamic/update.php\\\
\?**************\"\
\n\
\n# Specify the URL API \"ASCII\"\
\n# Log in under your account and open the page https://freedns.afraid.org\
/api/\
\n# Then copy the URL of your site - Available API Interfaces : ASCII (!!!\
\_NOT XML !!!)\
\n# ATTENTION!!!! Before the question mark, put a backslash \"\\\".\
\n# If RouterOS version 5.xx, then remove from the URL encryption - \"http\
s\" change this to \"http\".\
\n:global \"api-url\" \"http://freedns.afraid.org/api/\\\?action=getdyndns\
&sha=************************\"\
\n \
\n# Specify your domain or subdomain.\
\n:global \"dns-domain\" \"***********\"\
\n\
\n# Define variables for the external (WAN) interface\
\n# Case sensitive.\
\n:global \"out-interface\" \"ether1-gateway\"\
\n \
\n# !!!!!!!!!!!!!!!!! Nothing more do not need to edit!!!!!!!!!!!!!!!!!\
\n \
\n# Check whether the file with the IP domain - freedns.txt\
\n:if ([:len [/file find name=freedns.txt]] > 0) do={\
\n} else={\
\n/tool fetch url=\$\"api-url\" dst-path=\"/freedns.txt\"\
\n}\
\n# Find out the IP address of the domain using the API and parsing.\
\n# Split the file\
\n:local \"result\" [/file get freedns.txt contents]\
\n:local \"startloc\" ([:find \$\"result\" \$\"dns-domain\"] + ([:len \$\"\
dns-domain\"] + 1))\
\n:local \"endloc\" ([:find \$\"result\" \$\"direct-url\" -1] -1)\
\n:global \"dns-domain-ip\" [:pick \$\"result\" \$\"startloc\" \$\"endloc\
\"]\
\n \
\n# Find the current IP address on the external interface\
\n:global \"current-ip\" [/ip address get [find interface=\$\"out-interfac\
e\"] address]\
\n \
\n# Obtained from IP addresses to be excluded subnet mask\
\n:set \"current-ip\" [:pick \$\"current-ip\" 0 ([:len \$\"current-ip\"]-3\
) ]\
\n \
\n# Compare the external IP with the IP address of the DNS domain.\
\n:if (\$\"current-ip\" != \$\"dns-domain-ip\") do={\
\n\
\n# If different, then sent to freedns.afraid.org our external IP by using\
\_Direct URL\
\n:log info (\"Service Dynamic DNS: old IP address \$\"dns-domain-ip\" for\
\_\$\"dns-domain\" CHANGED to -> \$\"current-ip\"\")\
\n/tool fetch url=\$\"direct-url\" keep-result=no\
\n# Download the file with the new IP after 5 sec.\
\n:delay 5\
\n/tool fetch url=\$\"api-url\" dst-path=\"/freedns.txt\"\
\n} else={\
\n# Not to clog the log, you need to comment out this line.\
\n:log info (\"IP address is NOT CHANGED, the update is not required\")\
\n}\
\n \
\n# Since version RouterOS version 6.0rc12 supported encryption /tool fetc\
h mode=https\
\n# In :global \"direct-url\" need to change to httpS://\
\n# For RouterOS version 6.xx\
\n# /tool fetch mode=https url=\$\"direct url\"\
\n# :global \"direct-url\" \"https://freedns.afraid.org/dynamic/update.php\
\\\?UVdjU2lzQmQwSkdjZW9aWkNleTdJdXFtOjg2NTI0NzE=\"\
\n\
\n# http://wiki.mikrotik.com/wiki/Manual:Scripting\
\n# http://wiki.mikrotik.com/wiki/Manual:Scripting-examples\
\n# http://wiki.mikrotik.com/wiki/Manual:Tools/Fetch\
\n# http://forum.ixbt.com/topic.cgi\?id=14:60498-86#2373\
\n\
\n##############Script FreeDNS.afraid.org##################"
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local