Добрый день. Вводные данные: Внешние адреса офиса: office.243.29 и office.243.24 на одном линке(ether1) Внутренняя сеть офиса: 1.1.1.0/24 Внутренняя сеть VPN: 1.1.2.0/24 Первый офисный web-сервер: 1.1.1.2 Второй офисный web-сервер: 1.1.1.11 Внешние адреса филиала: filial.131 Внутренняя сеть филиала: 2.2.2.0/24 Офис с одним офисным web-сервером. Приобретен у этого же провайдера второй ip-адрес(office.243.24) для организации другого web-сервера по отдельном внешнему ip-адресу. Первый сервер по старому ip-адресу(office.243.29) доступен, а второй никак не выйдет наружу по office.243.24. Да внутрь тоже не прилетает. Провайдер говорит, что с его стороны всё в порядке. Помогите, пожалуйста, с такой проблемой. Доступность сервера проверяю с телефона либо из филиала Данные /export hide-sensitive: [mainuser@host_01] > /export hide-sensitive # mar/10/2022 14:10:16 by RouterOS 6.44 # model = CRS326-24G-2S+ /interface bridge add admin-mac=::::: arp=proxy-arp auto-mac=no comment=LAN name=\ bridge /interface ethernet set [ find default-name=ether1 ] comment=WAN speed=100Mbps set [ find default-name=ether2 ] speed=100Mbps set [ find default-name=ether3 ] comment=SRV speed=100Mbps set [ find default-name=ether4 ] speed=100Mbps ... set [ find default-name=ether24 ] speed=100Mbps set [ find default-name=sfp-sfpplus1 ] speed=10Gbps set [ find default-name=sfp-sfpplus2 ] speed=10Gbps /interface list add name=WAN add name=LAN /ip pool add name=default-dhcp ranges=1.1.1.10-1.1.1.254 add name=VPN ranges=1.1.2.0-1.1.2.250 /ip dhcp-server add address-pool=default-dhcp disabled=no interface=bridge lease-time=10h name=\ server1 /interface bridge port add bridge=bridge comment=defconf disabled=yes interface=ether1 add bridge=bridge comment=defconf interface=ether2 ... add bridge=bridge comment=defconf interface=ether24 add bridge=bridge comment=defconf interface=sfp-sfpplus1 add bridge=bridge comment=defconf interface=sfp-sfpplus2 /ip neighbor discovery-settings set discover-interface-list=all /interface detect-internet set detect-interface-list=all /interface l2tp-server server set authentication=mschap2 enabled=yes keepalive-timeout=60 use-ipsec=required /interface list member add interface=ether1 list=WAN add interface=bridge list=LAN /ip address add address=1.1.1.1/24 interface=bridge network=1.1.1.0 add address=office.243.29/24 interface=ether1 network=office.243.0 add address=1.1.2.1/24 interface=ether1 network=1.1.2.0 add address=1.1.1.18/24 interface=bridge network=1.1.1.0 add address=1.1.1.19/24 interface=bridge network=1.1.1.0 add address=office.243.24/24 comment=WebServer interface=ether1 network=\ office.243.0 /ip dhcp-client add add-default-route=no dhcp-options=hostname,clientid interface=ether1 /ip dhcp-server lease add address=1.1.1.2 client-id=::::: mac-address=\ ::::: server=server1 /ip dhcp-server network add address=2.2.8.0/24 dns-server=1.1.1.1 gateway=2.2.8.1 \ netmask=24 ntp-server=1.1.1.1 add address=1.1.1.0/23 dns-server=1.1.1.1 gateway=1.1.1.1 \ netmask=23 next-server=192.168.101.1 ntp-server=1.1.1.1 add address=1.1.2.0/24 dns-server=1.1.1.1 gateway=1.1.2.1 \ netmask=24 ntp-server=1.1.1.1 /ip dns set allow-remote-requests=yes cache-max-ttl=1d query-server-timeout=1s servers=\ 8.8.8.8 /ip firewall filter add action=passthrough chain=input disabled=yes dst-address=office.243.29 \ in-interface-list=all src-address=filial.131 add action=passthrough chain=output disabled=yes dst-address=filial.131 \ src-address=office.243.29 add action=passthrough chain=input disabled=yes dst-address=office.243.24 add action=passthrough chain=input dst-address=office.243.24 log=yes \ src-address=!1.1.1.100 add action=passthrough chain=output disabled=yes log=yes src-address=\ office.243.24 add action=passthrough chain=output dst-address=!1.1.1.100 log=yes \ src-address=office.243.24 add action=accept chain=input comment="accept ICMP" protocol=icmp add action=accept chain=input comment="VPN l2tp" in-interface=ether1 protocol=\ ipsec-esp add action=accept chain=input in-interface=ether1 protocol=ipsec-ah add action=accept chain=input dst-port=1701,500,4500 in-interface=ether1 \ protocol=udp add action=accept chain=input dst-port=62 in-interface=ether1 protocol=udp add action=accept chain=input dst-port=62 in-interface=ether1 protocol=tcp add action=accept chain=input comment="accept established,related" \ connection-state=established,related add action=accept chain=input comment="accept established,related" dst-port=\ 8291 protocol=tcp add action=accept chain=forward comment="accept established,related" \ connection-state=established,related add action=accept chain=input comment=RDP dst-port=3389 in-interface=ether1 \ protocol=udp add action=accept chain=input dst-port=3389 in-interface=ether1 protocol=tcp add action=accept chain=input in-interface=bridge add action=accept chain=input dst-port=53 in-interface=!ether1 protocol=udp add action=log chain=input comment="defconf: drop all not coming from LAN" \ disabled=yes in-interface-list=!LAN log=yes add action=drop chain=input comment="drop all from WAN" in-interface=ether1 add action=drop chain=forward comment="Drop Invalid connections" \ connection-state=invalid /ip firewall mangle add action=mark-routing chain=prerouting log=yes new-routing-mark=webserver \ passthrough=yes src-address=1.1.1.11 /ip firewall nat add action=passthrough chain=srcnat comment="To web server 1.1.1.11" \ dst-address=!1.1.1.0/24 routing-mark=webserver src-address=\ 1.1.1.11 add action=passthrough chain=srcnat comment="Webserver 1.1.1.11" \ dst-address=office.243.24 add action=passthrough chain=dstnat comment="Webserver 1.1.1.11" \ dst-address=office.243.24 add action=passthrough chain=dstnat comment="Webserver 1.1.1.11" \ dst-address=office.243.24 log=yes src-address=!1.1.1.100 add action=passthrough chain=srcnat comment="Webserver 1.1.1.11" \ dst-port=80 log=yes protocol=tcp src-address=1.1.1.11 add action=passthrough chain=dstnat comment="Webserver 1.1.1.11" \ dst-address=office.243.24 dst-port=80 log=yes protocol=tcp to-addresses=\ 1.1.1.11 add action=passthrough chain=srcnat comment="Webserver 1.1.1.11" \ dst-port=443 log=yes protocol=tcp src-address=1.1.1.11 add action=passthrough chain=dstnat comment="Webserver 1.1.1.11" \ dst-port=80 log=yes protocol=tcp src-address=1.1.1.11 add action=passthrough chain=dstnat comment="Webserver 1.1.1.11" \ dst-port=443 log=yes protocol=tcp src-address=1.1.1.11 add action=passthrough chain=srcnat comment="Webserver 1.1.1.11" \ dst-address=office.243.24 log=yes src-address=1.1.1.11 add action=passthrough chain=srcnat comment="Webserver 1.1.1.11" \ dst-address=office.243.24 log=yes add action=masquerade chain=srcnat comment=NAT out-interface=ether1 add action=masquerade chain=srcnat out-interface=all-ppp add action=dst-nat chain=dstnat comment="To web server 1.1.1.11" \ dst-address=office.243.24 dst-port=80 log=yes protocol=tcp to-addresses=\ 1.1.1.11 to-ports=80 add action=dst-nat chain=dstnat comment="To web server 1.1.1.11" \ dst-address=office.243.24 dst-port=443 log=yes protocol=tcp to-addresses=\ 1.1.1.11 to-ports=443 add action=dst-nat chain=dstnat dst-port=80 in-interface=ether1 protocol=tcp \ to-addresses=1.1.1.2 to-ports=80 add action=dst-nat chain=dstnat dst-port=8084 in-interface=ether1 protocol=tcp \ to-addresses=1.1.1.254 to-ports=80 add action=dst-nat chain=dstnat dst-port=3389 in-interface=ether1 port=3389 \ protocol=tcp to-addresses=1.1.1.2 to-ports=3389 /ip route add distance=1 gateway=office.243.1 add distance=1 dst-address=2.2.8.0/24 gateway=1.1.2.171 pref-src=\ 1.1.2.1 add check-gateway=ping distance=1 dst-address=1.1.1.112/32 gateway=bridge add distance=1 dst-address=1.1.1.113/32 gateway=bridge Все "passthrough" или comment="Webserver 1.1.1.11" - мои, просто пытался хоть как-то отловить трафик Что нетак с правилами?
Так, а что не работает-то? Мне вот этот кусок не до конца понятен. Второй IP на WAN-интерфес повесили?