Здравствуйте. Подскажите по возможности от чего трафик не идёт куда нужно, опишу положение: Подключено вот так. В теории описывается вот так: PC1 нужно забрать tcp\udp у Reg1. Для этого на R1 есть маршрут к 192.168.29.0/24 через bridge_video R2. И dst.nat на Reg1. Пинги ходят. В Torch на R2 вижу что пакеты приходят от PC1 с dst.adr Reg1 Далее согласно packet flow после conntrack соединение уходит в mangle forward и prerouting там метится соединение и маршрут. После этого соединение из mangle идет в route rule, используя помеченную таблицу И добавляется маршрут в 192.168.223.0/24 с помеченной таблицей. Я должно быть напутал, прикладываю выдержку из конфига:
R1:
# R1 filter table: input rules protect the router itself, forward rules cover transit traffic.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
# NOTE(review): the next two rules accept HTTP (tcp/80) and WinBox (tcp/8291) to the router
# from anything arriving on the WAN interface list; neither rule has a src-address or
# src-address-list match. Confirm that management access from that side is meant to be this wide.
add action=accept chain=input comment="WAN web access" dst-port=80 in-interface-list=WAN \
    protocol=tcp
add action=accept chain=input comment="WAN winbox access" dst-port=8291 in-interface-list=\
    WAN protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=\
    in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=\
    out,ipsec
# The fasttrack rule is present but switched off on R1 (disabled=yes).
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New connections entering from WAN are forwarded only if a dst-nat rule matched them.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
# NOTE(review): both dst-nat rules publish 192.168.29.200 (tcp/37774 -> 37777 and
# tcp/22030 -> 80) to every source on the WAN interface list, with no source restriction.
# They match only packets that arrive on an interface in that list; list membership is not
# shown in this excerpt, so verify which list PC1's traffic actually arrives on.
add action=dst-nat chain=dstnat comment="Reg 29.200 web/data port" dst-port=37774 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.29.200 to-ports=37777
add action=dst-nat chain=dstnat dst-port=22030 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.29.200 to-ports=80
# R1 route print output (the "#" line below is the column header of the printout).
# 192.168.29.0/24 shows as a connected (ADC) route on bridge_video; 192.168.223.0/24 is a
# static route via 192.168.220.24.
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 A S 0.0.0.0/0 192.168.220.2 1
3 ADC 192.168.29.0/24 192.168.29.250 bridge_video 0
5 ADC 192.168.99.0/24 192.168.99.250 bridge_video 0
7 ADC 192.168.220.0/24 192.168.220.250 ether1 0
8 A S 192.168.223.0/24 192.168.220.24 1
9 A S 192.168.224.0/24 192.168.220.24 1
# R1 address print output. NOTE(review): 192.168.29.250/24 is listed on ether4 here, while
# the route table above shows the connected route on bridge_video - presumably ether4 is a
# bridge port; confirm.
# ADDRESS NETWORK INTERFACE
1 ;;; Mainlan 192.168.220.250/24 192.168.220.0 ether1
2 ;;; Videolan_100 192.168.129.250/24 192.168.129.0 ether4
3 ;;; Videolan_30 192.168.29.250/24 192.168.29.0 ether4
R2:
# R2 filter table.
# NOTE(review): as on R1, HTTP (tcp/80) and WinBox (tcp/8291) to the router are accepted from
# any source arriving on ether1, and these two rules sit first in the input chain. Confirm the
# exposure is intended, or limit it by source address.
ip firewall filter
add action=accept chain=input comment="WAN web access" dst-port=80 \
    in-interface=ether1 protocol=tcp
add action=accept chain=input comment="WAN winbox access" dst-port=8291 \
    in-interface=ether1 protocol=tcp
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# NOTE(review): fasttrack is active on R2 (the same rule on R1 carries disabled=yes).
# MikroTik documents that fasttracked packets bypass the firewall chains, mangle included, so
# the mark rules further down may not see packets of established connections. Confirm whether
# the marked flow has to be excluded from fasttrack.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
# NOTE(review): this rule sets the connection mark Connetcion_To_REG_1_FROM_OFFICE, but the
# mark-routing rule below matches connection-mark=To_REG_1_FROM_OFFICE and the dst-nat rule
# matches connection-mark=To_REG_1. No rule in this excerpt sets either of those two names, so
# as shown neither consumer can match. Verify the mark names against the full config.
# The mark is also applied in chain=forward, while the rule that reads it is in
# chain=prerouting, which a packet passes before forward.
add action=mark-connection chain=forward comment=\
    Connetcion_To_REG_1_FROM_OFFICE connection-state="" dst-address=\
    192.168.29.200 in-interface=bridge_video new-connection-mark=\
    Connetcion_To_REG_1_FROM_OFFICE passthrough=yes src-address=\
    192.168.223.0/24
# NOTE(review): this rule marks packets going TO 192.168.29.200 (src 192.168.223.0/24), yet the
# table Route_to_REG1_from_OFFICE printed below holds only a route to 192.168.223.0/24 and the
# route rule uses action=lookup-only-in-table. Presumably the routing mark was meant for the
# replies coming from 192.168.29.200; confirm the intended direction.
add action=mark-routing chain=prerouting comment=Route_to_REG1_from_OFFICE \
    connection-mark=To_REG_1_FROM_OFFICE dst-address=192.168.29.200 \
    in-interface=bridge_video new-routing-mark=Route_to_REG1_from_OFFICE \
    passthrough=yes src-address=192.168.223.0/24
# Two disabled passthrough rules; by their comments they served as packet counters.
add action=passthrough chain=forward comment=OFFICE_2_REG_COUNTER_1 disabled=\
    yes dst-address=192.168.29.200
add action=passthrough chain=forward comment=OFFICE_2_REG_COUNTER_2 disabled=\
    yes src-address=192.168.223.41
/ip firewall nat
# Masquerade is disabled on R2, so forwarded packets keep their original source address.
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): tcp/8080 and tcp/37777 arriving on ether1 are forwarded to 192.168.29.200 with
# no source restriction; confirm which networks are meant to reach the recorder.
add action=dst-nat chain=dstnat comment="REG web\\data\\rtsp" dst-port=8080 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.29.200 to-ports=80
add action=dst-nat chain=dstnat dst-port=37777 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.29.200
# Depends on connection mark To_REG_1, which no rule in this excerpt sets.
add action=dst-nat chain=dstnat comment=To_REG_1 connection-mark=To_REG_1 \
    in-interface=bridge_video to-addresses=192.168.29.200
/ip firewall raw
# Passthrough leaves the packet untouched; presumably a counter for 192.168.223.41 on bridge_video.
add action=passthrough chain=prerouting in-interface=bridge_video src-address=\
    192.168.223.41
# R2 route print output: entry 0 lives in the marked table and points 192.168.223.0/24 at
# 192.168.29.250 via bridge_video; entry 5 is the unmarked route for the same prefix via
# 192.168.30.2 on ether1.
/ip route
0 A S dst-address=192.168.223.0/24 gateway=192.168.29.250 gateway-status=192.168.29.250 reachable via bridge_video distance=1 scope=30 target-scope=10 routing-mark=Route_to_REG1_from_OFFICE
3 ADC dst-address=192.168.29.0/24 pref-src=192.168.29.220 gateway=bridge_video gateway-status=bridge_video reachable distance=0 scope=10
5 A S dst-address=192.168.223.0/24 gateway=192.168.30.2 gateway-status=192.168.30.2 reachable via ether1 distance=1 scope=30 target-scope=10
# The route rule sends packets carrying the routing mark to the marked table only
# (lookup-only-in-table), so a destination missing from that table has no route for them.
/ip route rule print
0 ;;; Rule_to reg1_from_office routing-mark=Route_to_REG1_from_OFFICE action=lookup-only-in-table table=Route_to_REG1_from_OFFICE
# R2 address print output (the "#" line below is the column header of the printout).
/ip address
# ADDRESS NETWORK INTERFACE
0 192.168.29.220/24 192.168.29.0 bridge_video
1 192.168.30.220/24 192.168.30.0 ether1