MultiWAN with a single gateway.

Thread in the "Routing" section, started by Gungster, 24 Oct 2018.

  1. Gungster

    Gungster New member

    I recently watched the MUM talk "MultiWAN implementation. Questions, problems and solutions" by Илья Князев (SPW.RU, Russia). It is very well explained, but I did not quite understand the part about a single gateway.

    Here https://spw.ru/forum/threads/3-belyx-ajpi-ot-odnogo-provajdera-rb2011.3099/ on your forum it was written that this is impossible in principle, yet the person claims it is possible, although only 2 WANs (DualWAN) are shown. I tried the address%interface combination, but... the only thing that is clear is that nothing is clear.

    I have a similar situation: 4 accountants, each submitting reports strictly through their own dedicated IP. One provider, different IPs, one gateway.
    Two internal subnets: 192.168.0.0/24, 192.168.102.0/24
    Apart from specifying:
    /ip route
    add distance=1 gateway=10.0.0.1%ether1-WAN1
    add distance=2 gateway=10.0.0.1%ether2-WAN2
    add distance=3 gateway=10.0.0.1%ether3-WAN3
    add distance=4 gateway=10.0.0.1%ether4-WAN4
    add distance=1 gateway=10.0.0.1%ether1-WAN1 routing-mark=WAN1
    add distance=1 gateway=10.0.0.1%ether2-WAN2 routing-mark=WAN2
    add distance=1 gateway=10.0.0.1%ether3-WAN3 routing-mark=WAN3
    add distance=1 gateway=10.0.0.1%ether4-WAN4 routing-mark=WAN4
    what else needs to be specified for routing to work correctly and for steering the accountants' IPs to the right WAN? What should be specified for load balancing? On top of that, users will connect via l2tp (subnet 192.168.31.0/24). Their network needs to be routed into our networks.
    If it is not too much trouble, could I have an example...
    Please don't kick me too hard, I am only learning and figuring things out ))).

     
    Last edited: 24 Oct 2018
  2. alexei1977

    alexei1977 Member

    What kind of nonsense is this???
     
  3. Илья Князев

    Илья Князев Administrator Forum staff

    You do not have MultiWAN. You have ONE.
    To make an accountant always go out from the required address, use NAT.
    https://spw.ru/educate/articles/natpart3/ should help
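
An added example, not part of the original post and not taken from the linked article: one way to apply the advice above on RouterOS, pinning each accountant to a fixed public address with `src-nat` on a single uplink. It assumes all four provider addresses are assigned to one interface; the public addresses (documentation range 198.51.100.0/29), the hosts' internal addresses and the `acct-*` list names are constructed for illustration.

```routeros
# Constructed addressing: provider gateway 198.51.100.1,
# public addresses 198.51.100.2-198.51.100.5, all on the one uplink.
/ip address
add address=198.51.100.2/29 interface=ether1-WAN1
add address=198.51.100.3/29 interface=ether1-WAN1
add address=198.51.100.4/29 interface=ether1-WAN1
add address=198.51.100.5/29 interface=ether1-WAN1

# One uplink, one gateway: a single default route is enough,
# no routing marks or per-WAN routing tables are involved.
/ip route
add dst-address=0.0.0.0/0 gateway=198.51.100.1

# Hypothetical lists, one per accountant (internal addresses are constructed).
/ip firewall address-list
add list=acct-1 address=192.168.0.21
add list=acct-2 address=192.168.0.22
add list=acct-3 address=192.168.0.23
add list=acct-4 address=192.168.0.24

# NAT rules are evaluated top to bottom and the first match wins,
# so the per-accountant rules must sit above the catch-all rule.
/ip firewall nat
add chain=srcnat out-interface=ether1-WAN1 src-address-list=acct-1 \
    action=src-nat to-addresses=198.51.100.2
add chain=srcnat out-interface=ether1-WAN1 src-address-list=acct-2 \
    action=src-nat to-addresses=198.51.100.3
add chain=srcnat out-interface=ether1-WAN1 src-address-list=acct-3 \
    action=src-nat to-addresses=198.51.100.4
add chain=srcnat out-interface=ether1-WAN1 src-address-list=acct-4 \
    action=src-nat to-addresses=198.51.100.5
# Every other host: assumed here to share the first address.
add chain=srcnat out-interface=ether1-WAN1 action=src-nat \
    to-addresses=198.51.100.2
```

Using `src-nat` with an explicit `to-addresses` instead of `masquerade` keeps the egress address fixed per source; the connection tracking table (`/ip firewall connection`) shows the translated address in `reply-dst-address`, which is the field to check when confirming that a host leaves from the intended IP.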
     
  4. Gungster

    Gungster New member

    So as not to multiply threads, I decided to ask here.

    What I have: 4 links from one provider with public addresses. A DHCP server for the local subnets is running on Mikrotik R1. Mikrotik R1 is connected to the Cisco via a trunk. The Cisco has been switched to L3 mode. An L2TP server is also running on the Mikrotik. Mikrotik R2 in the remote office connects to R1. But somewhere I missed something and cannot figure out what. In short, from Mikrotik R1 the whole branch network 192.168.32.0/24 can be pinged, but from the computer 192.168.0.250 in the head office it cannot. From the branch Mikrotik only 192.168.0.1 and 192.168.0.2 on the Cisco can be pinged. From a computer in the branch nothing can be pinged at all.

    Here is the diagram:

    upload_2018-11-27_16-2-28.png
     
  5. Gungster

    Gungster New member

    CISCO config:

    Code:
    !
    version 12.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    no service password-encryption
    !
    hostname Switch
    !
    boot-start-marker
    boot-end-marker
    !
    no aaa new-model
    clock timezone EKATERINBURG 5
    clock summer-time PDT recurring
    switch 1 provision ws-c3750-48p
    system mtu routing 1500
    vtp mode transparent
    udld enable
    ip routing
    no ip domain-lookup
    ip domain-name accord-avto.ru
    ip name-server 192.168.0.11
    !
    crypto pki trustpoint TP-self-signed-2463687680
    enrollment selfsigned
    subject-name cn=IOS-Self-Signed-Certificate-2463687680
    revocation-check none
    rsakeypair TP-self-signed-2463687680
    !
    no errdisable detect cause gbic-invalid
    port-channel load-balance src-dst-ip
    !
    spanning-tree mode rapid-pvst
    spanning-tree extend system-id
    !
    vlan internal allocation policy ascending
    !
    vlan 2
    name Mobile_LAN
    !
    vlan 3
    name Guest_LAN
    !
    vlan 10
    name OFFICE_NET
    !
    vlan 11
    name SERVERS_NET
    !
    vlan 15
    name WiFi_LAN
    !
    vlan 100
    name VoIP_NET
    !
    vlan 101
    name Printers_NET
    !
    vlan 102
    name Video_LAN
    !
    vlan 210
    name Manegement_LAN
    !
    vlan 222
    !
    ip ssh time-out 60
    ip ssh authentication-retries 2
    ip ssh version 2
    !
    interface Port-channel1
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 2,3,10,15,100-102,210
    switchport mode trunk
    !
    interface Port-channel2
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 2,3,10,15,100-102,210,222
    switchport mode trunk
    !
    interface FastEthernet1/0/1
    switchport access vlan 2
    switchport mode access
    spanning-tree portfast
    !
    interface FastEthernet1/0/2
    switchport access vlan 3
    switchport mode access
    spanning-tree portfast
    !
    interface FastEthernet1/0/3
    switchport access vlan 10
    switchport mode access
    spanning-tree portfast
    !
    interface FastEthernet1/0/4
    switchport access vlan 15
    switchport mode access
    spanning-tree portfast
    !
    interface FastEthernet1/0/5
    switchport access vlan 100
    switchport mode access
    spanning-tree portfast
    !
    interface FastEthernet1/0/6
    switchport access vlan 101
    switchport mode access
    spanning-tree portfast
    !
    interface FastEthernet1/0/7
    switchport access vlan 102
    switchport mode access
    spanning-tree portfast
    !
    interface FastEthernet1/0/8
    switchport access vlan 210
    switchport mode access
    spanning-tree portfast
    !
    interface GigabitEthernet1/0/1
    description TO_LAN
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 2,3,10,15,100-102,210
    switchport mode trunk
    channel-protocol lacp
    channel-group 1 mode active
    !
    interface GigabitEthernet1/0/2
    !
    interface GigabitEthernet1/0/3
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 2,3,10,15,100-102,210,222
    switchport mode trunk
    channel-protocol lacp
    channel-group 2 mode active
    !
    interface GigabitEthernet1/0/4
    !
    interface Vlan1
    no ip address
    shutdown
    spanning-tree portfast
    !
    interface Vlan2
    ip address 192.168.2.2 255.255.255.0
    ip helper-address 192.168.2.1
    !
    interface Vlan3
    ip address 192.168.3.2 255.255.255.0
    ip access-group 110 in
    ip helper-address 192.168.3.1
    !
    interface Vlan10
    ip address 192.168.0.2 255.255.255.0
    ip helper-address 192.168.0.1
    !
    interface Vlan11
    ip address 192.168.11.2 255.255.255.0
    ip helper-address 192.168.11.1
    !
    interface Vlan15
    ip address 192.168.15.2 255.255.255.0
    ip helper-address 192.168.15.1
    !
    interface Vlan100
    ip address 192.168.100.2 255.255.255.0
    ip helper-address 192.168.100.1
    !
    interface Vlan101
    ip address 192.168.101.2 255.255.255.0
    ip helper-address 192.168.101.1
    !
    interface Vlan102
    ip address 192.168.102.2 255.255.255.0
    ip helper-address 192.168.102.1
    !
    interface Vlan210
    ip address 192.168.210.2 255.255.255.0
    !
    interface Vlan222
    ip address 192.168.222.2 255.255.255.0
    !
    ip classless
    ip route 0.0.0.0 0.0.0.0 192.168.222.1
    no ip http server
    ip http secure-server
    !
    !
    access-list 110 deny  ip 192.168.3.0 0.0.0.255 192.168.0.0 0.0.0.255
    access-list 110 deny  ip 192.168.3.0 0.0.0.255 192.168.2.0 0.0.0.255
    access-list 110 deny  ip 192.168.3.0 0.0.0.255 192.168.11.0 0.0.0.255
    access-list 110 deny  ip 192.168.3.0 0.0.0.255 192.168.15.0 0.0.0.255
    access-list 110 deny  ip 192.168.3.0 0.0.0.255 192.168.100.0 0.0.0.255
    access-list 110 deny  ip 192.168.3.0 0.0.0.255 192.168.101.0 0.0.0.255
    access-list 110 deny  ip 192.168.3.0 0.0.0.255 192.168.102.0 0.0.0.255
    access-list 110 deny  ip 192.168.3.0 0.0.0.255 192.168.210.0 0.0.0.255
    access-list 110 permit ip any any
    no cdp run
    no cdp tlv location
    no cdp tlv app
    !
    snmp-server community cisco RO
    snmp-server community cisco123 RW
    !
    !
    line con 0
    line vty 0 4
    login
    line vty 5 15
    login
    !
    end
    
    
     
    Last edited: 27 Nov 2018
  6. Gungster

    Gungster New member

    Here is the R1 Mikrotik config:

    Code:
    # jan/06/2002 08:50:22 by RouterOS 6.38.5
    # software id = DRDB-K9IQ
    #
    /interface bridge
    add name=br-VLAN0
    add name=br-VLAN2
    add name=br-VLAN3
    add name=br-VLAN15
    add name=br-VLAN100
    add name=br-VLAN101
    add name=br-VLAN102
    add name=br-VLAN210
    add name=br-VLAN222
    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-WAN1
    set [ find default-name=ether2 ] name=ether2-WAN2
    set [ find default-name=ether3 ] name=ether3-WAN3
    set [ find default-name=ether4 ] name=ether4-WAN4
    set [ find default-name=ether10 ] name=ether10-LAN
    set [ find default-name=ether11 ] name=ether11-LAN
    set [ find default-name=ether12 ] name=ether12-LAN
    set [ find default-name=ether13 ] name=ether13-LAN
    /interface l2tp-server
    add name=Germes-to-HQ user=Germes
    /ip neighbor discovery
    set ether1-WAN1 discover=no
    set ether2-WAN2 discover=no
    set ether3-WAN3 discover=no
    set ether4-WAN4 discover=no
    /interface bonding
    add mode=802.3ad name=Trunk-LAN slaves=\
        ether13-LAN,ether12-LAN,ether11-LAN,ether10-LAN transmit-hash-policy=\
        layer-2-and-3
    /interface vlan
    add interface=Trunk-LAN name=VLAN0 vlan-id=10
    add interface=Trunk-LAN name=VLAN2 vlan-id=2
    add interface=Trunk-LAN name=VLAN3 vlan-id=3
    add interface=Trunk-LAN name=VLAN15 vlan-id=15
    add interface=Trunk-LAN name=VLAN100 vlan-id=100
    add interface=Trunk-LAN name=VLAN101 vlan-id=101
    add interface=Trunk-LAN name=VLAN102 vlan-id=102
    add interface=Trunk-LAN name=VLAN210 vlan-id=210
    add interface=Trunk-LAN name=VLAN222 vlan-id=222
    /interface list
    add name=lst-WAN
    /ip pool
    add name=pool-VLAN0 ranges=192.168.0.50-192.168.0.250
    add name=pool-VLAN2 ranges=192.168.2.50-192.168.2.250
    add name=pool-VLAN3 ranges=192.168.3.50-192.168.3.250
    add name=pool-VLAN15 ranges=192.168.15.50-192.168.15.250
    add name=pool-VLAN100 ranges=192.168.100.50-192.168.100.250
    add name=pool-VLAN101 ranges=192.168.101.50-192.168.101.250
    add name=pool-VLAN102 ranges=192.168.102.50-192.168.102.250
    /ip dhcp-server
    add address-pool=pool-VLAN0 disabled=no interface=br-VLAN0 name=DHCP-VLAN0
    add address-pool=pool-VLAN2 disabled=no interface=br-VLAN2 name=DHCP-VLAN2
    add address-pool=pool-VLAN3 disabled=no interface=br-VLAN3 name=DHCP-VLAN3
    add address-pool=pool-VLAN15 disabled=no interface=br-VLAN15 name=DHCP-VLAN15
    add address-pool=pool-VLAN100 disabled=no interface=br-VLAN100 name=\
        DHCP-VLAN100
    add address-pool=pool-VLAN101 disabled=no interface=br-VLAN101 name=\
        DHCP-VLAN101
    add address-pool=pool-VLAN102 disabled=no interface=br-VLAN102 name=\
        DHCP-VLAN102
    /ppp profile
    set *FFFFFFFE use-compression=yes use-upnp=yes
    /queue type
     
    Last edited: 27 Nov 2018
  7. Gungster

    Gungster New member

    Code:
    add kind=pcq name=pcq-download-10M pcq-classifier=dst-address \
        pcq-dst-address6-mask=64 pcq-rate=10M pcq-src-address6-mask=64
    add kind=pcq name=pcq-upload-10M pcq-classifier=src-address \
        pcq-dst-address6-mask=64 pcq-rate=10M pcq-src-address6-mask=64
    /queue simple
    add max-limit=50M/50M name=GuestWiFi-limit-10M queue=\
        pcq-upload-10M/pcq-download-10M target=192.168.3.0/24
    /interface bridge port
    add bridge=br-VLAN0 interface=VLAN0
    add bridge=br-VLAN2 interface=VLAN2
    add bridge=br-VLAN3 interface=VLAN3
    add bridge=br-VLAN15 interface=VLAN15
    add bridge=br-VLAN100 interface=VLAN100
    add bridge=br-VLAN101 interface=VLAN101
    add bridge=br-VLAN102 interface=VLAN102
    add bridge=br-VLAN210 interface=VLAN210
    add bridge=br-VLAN222 interface=VLAN222
    /interface l2tp-server server
    set authentication=mschap2 enabled=yes
    /interface list member
    add interface=ether1-WAN1 list=lst-WAN
    add interface=ether2-WAN2 list=lst-WAN
    add interface=ether3-WAN3 list=lst-WAN
    add interface=ether4-WAN4 list=lst-WAN
    /ip address
    add address=192.168.222.1/24 interface=br-VLAN222 network=192.168.222.0
    add address=1.1.1.1 interface=ether1-WAN1 network=5.5.5.5
    add address=2.2.2.2 interface=ether2-WAN2 network=5.5.5.5
    add address=3.3.3.3 interface=ether3-WAN3 network=5.5.5.5
    add address=4.4.4.4 interface=ether4-WAN4 network=5.5.5.5
    add address=192.168.0.1/24 interface=br-VLAN0 network=192.168.0.0
    add address=192.168.2.1/24 interface=br-VLAN2 network=192.168.2.0
    add address=192.168.3.1/24 interface=br-VLAN3 network=192.168.3.0
    add address=192.168.15.1/24 interface=br-VLAN15 network=192.168.15.0
    add address=192.168.100.1/24 interface=br-VLAN100 network=192.168.100.0
    add address=192.168.101.1/24 interface=br-VLAN101 network=192.168.101.0
    add address=192.168.102.1/24 interface=br-VLAN102 network=192.168.102.0
    add address=192.168.210.1/24 interface=br-VLAN210 network=192.168.210.0
    /ip dhcp-server network
    add address=192.168.0.0/24 dns-server=\
        192.168.0.11,10.100.100.1,10.100.100.6,8.8.8.8 gateway=192.168.0.2 \
        netmask=24 ntp-server=192.168.0.1
    add address=192.168.2.0/24 dns-server=\
        192.168.0.11,10.100.100.1,10.100.100.6,8.8.8.8 gateway=192.168.2.2 \
        netmask=24 ntp-server=192.168.2.1
    add address=192.168.3.0/24 dns-server=\
        192.168.0.11,10.100.100.1,10.100.100.6,8.8.8.8 gateway=192.168.3.2 \
        netmask=24 ntp-server=192.168.3.1
    add address=192.168.15.0/24 dns-server=\
        192.168.0.11,10.100.100.1,10.100.100.6,8.8.8.8 gateway=192.168.15.2 \
        netmask=24 ntp-server=192.168.15.1
    add address=192.168.100.0/24 dns-server=\
        192.168.0.11,10.100.100.1,10.100.100.6,8.8.8.8 gateway=192.168.100.2 \
        netmask=24 ntp-server=192.168.100.1
    add address=192.168.101.0/24 dns-server=\
        192.168.0.11,10.100.100.1,10.100.100.6,8.8.8.8 gateway=192.168.101.2 \
        netmask=24 ntp-server=192.168.101.1
    add address=192.168.102.0/24 dns-server=\
        192.168.0.11,10.100.100.1,10.100.100.6,8.8.8.8 gateway=192.168.102.2 \
        netmask=24 ntp-server=192.168.102.1
    /ip dns
    set allow-remote-requests=yes servers=10.100.100.1,10.100.100.6
    /ip firewall address-list
    add address=192.168.0.21 list=LiterAvto
    add address=192.168.0.22 list=LiterAvto
    add address=192.168.0.9 list=LiterAvto
    add address=192.168.0.50-192.168.0.250 list=IPAveryanov
    add address=192.168.2.0/24 list=IPAveryanov
    add address=192.168.3.0/24 list=IPAveryanov
    add address=192.168.102.0/24 list=IPAveryanov
    add address=192.168.0.23 list=IPAveryanov
    add address=192.168.0.24 list=IPAveryanov
    add address=192.168.0.25 list=AvtoSnabDetal
    add address=192.168.0.26 list=AvtoSnabDetal
    add address=192.168.0.27 list=AkkordAvto
    add address=192.168.0.71 list=AvtoSnabDetal
    add address=192.168.0.28 list=AkkordAvto
    add address=192.168.0.47 list=AkkordAvto
    add address=192.168.0.90 list=AkkordAvto
    add address=0.0.0.0/8 list=BOGON
    add address=10.0.0.0/8 list=BOGON
    add address=100.64.0.0/10 list=BOGON
    add address=127.0.0.0/8 list=BOGON
    add address=169.254.0.0/16 list=BOGON
    add address=172.16.0.0/12 list=BOGON
    add address=192.0.0.0/24 list=BOGON
    add address=192.0.2.0/24 list=BOGON
    add address=192.168.0.0/16 list=BOGON
    add address=198.18.0.0/15 list=BOGON
    add address=198.51.100.0/24 list=BOGON
    add address=203.0.113.0/24 list=BOGON
    add address=224.0.0.0/4 list=BOGON
    add address=240.0.0.0/4 list=BOGON
    /ip firewall filter
    add action=accept chain=input connection-state=new dst-port=8291 protocol=tcp
    add action=accept chain=input dst-port=1701 in-interface=ether1-WAN1 \
        protocol=udp
    add action=drop chain=input comment="BOGON Drop" in-interface=ether1-WAN1 \
        src-address-list=BOGON
    add action=drop chain=input comment="BOGON Drop" in-interface=ether4-WAN4 \
        src-address-list=BOGON
    add action=drop chain=input comment="BOGON Drop" in-interface=ether3-WAN3 \
        src-address-list=BOGON
    add action=drop chain=input comment="BOGON Drop" in-interface=ether2-WAN2 \
        src-address-list=BOGON
    add action=accept chain=input protocol=icmp
    add action=accept chain=input connection-state=established,related
    add action=accept chain=forward connection-state=established,related
    add action=drop chain=input connection-state=invalid
    add action=drop chain=input connection-state=new in-interface=!Trunk-LAN
    /ip firewall mangle
    add action=mark-connection chain=prerouting new-connection-mark=con-WAN1 \
        src-address-list=LiterAvto
    add action=mark-connection chain=prerouting new-connection-mark=con-WAN2 \
        src-address-list=IPAveryanov
    add action=mark-connection chain=prerouting new-connection-mark=con-WAN3 \
    
     
    Last edited: 27 Nov 2018
  8. Gungster

    Gungster New member

    Code:
    src-address-list=AvtoSnabDetal
    add action=mark-connection chain=prerouting new-connection-mark=con-WAN4 \
        src-address-list=AkkordAvto
    add action=mark-routing chain=prerouting connection-mark=con-WAN1 \
        in-interface-list=!lst-WAN new-routing-mark=WAN1 passthrough=yes \
        src-address-list=LiterAvto
    add action=mark-routing chain=prerouting connection-mark=con-WAN2 \
        in-interface-list=!lst-WAN new-routing-mark=WAN2 passthrough=yes \
        src-address-list=IPAveryanov
    add action=mark-routing chain=prerouting connection-mark=con-WAN3 \
        in-interface-list=!lst-WAN new-routing-mark=WAN3 passthrough=yes \
        src-address-list=AvtoSnabDetal
    add action=mark-routing chain=prerouting connection-mark=con-WAN4 \
        in-interface-list=!lst-WAN new-routing-mark=WAN4 passthrough=yes \
        src-address-list=AkkordAvto
    /ip firewall nat
    add action=masquerade chain=srcnat comment="VPN Masquarading" out-interface=\
        all-ppp
    add action=netmap chain=dstnat comment="to RDP 1C" dst-port=60086 \
        in-interface=ether3-WAN3 protocol=tcp to-addresses=192.168.0.4 to-ports=\
        3389
    add action=netmap chain=dstnat comment="to RDP Autodealer" dst-port=60087 \
        in-interface=ether4-WAN4 protocol=tcp to-addresses=192.168.0.241 \
        to-ports=3389
    add action=netmap chain=dstnat comment="to SecurOS Mobile Client" dst-port=\
        7777 in-interface=ether2-WAN2 protocol=tcp to-addresses=192.168.102.10 \
        to-ports=7777
    add action=src-nat chain=srcnat out-interface=ether1-WAN1 to-addresses=\
        1.1.1.1
    add action=src-nat chain=srcnat out-interface=ether2-WAN2 to-addresses=\
        2.2.2.2
    add action=src-nat chain=srcnat out-interface=ether3-WAN3 to-addresses=\
        3.3.3.3
    add action=src-nat chain=srcnat out-interface=ether4-WAN4 to-addresses=\
        4.4.4.4
    /ip route
    add check-gateway=ping distance=1 gateway=5.5.5.5%ether1-WAN1 \
        routing-mark=WAN1
    add check-gateway=ping distance=1 gateway=5.5.5.5%ether2-WAN2 \
        routing-mark=WAN2
    add check-gateway=ping distance=1 gateway=5.5.5.5%ether3-WAN3 \
        routing-mark=WAN3
    add check-gateway=ping distance=1 gateway=5.5.5.5%ether4-WAN4 \
        routing-mark=WAN4
    add distance=1 gateway="5.5.5.5%ether2-WAN2,5.5.5.5%ether4-WAN4,\
        5.5.5.5%ether1-WAN1,5.5.5.5%ether3-WAN3"
    add distance=1 dst-address=192.168.32.0/24 gateway=172.16.30.2 pref-src=\
        172.16.30.1
    /ip service
    set telnet disabled=yes
    set ftp disabled=yes
    set www disabled=yes
    set ssh disabled=yes
    set api disabled=yes
    set winbox address=192.168.0.0/24,192.168.222.0/24
    set api-ssl disabled=yes
    /ppp secret
    add local-address=172.16.30.1 name=Germes password=XXXXXXXXXXXXXXX \
        profile=default-encryption remote-address=172.16.30.2 service=l2tp
    /system clock
    set time-zone-autodetect=no time-zone-name=Asia/Yekaterinburg
    /system ntp client
    set enabled=yes primary-ntp=88.147.254.232 secondary-ntp=88.147.254.230
    /system ntp server
    set enabled=yes
    
     
    Last edited: 27 Nov 2018
  9. Gungster

    Gungster New member

    And here is the R2 Mikrotik config:

    Code:
    # nov/27/2018 10:48:00 by RouterOS 6.38.5
    # software id = XTYC-NVP5
    #
    /interface bridge
    add name=bridge1-lan
    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-WAN
    set [ find default-name=ether5 ] name=ether5-LAN
    /interface l2tp-client
    add allow=mschap2 connect-to=1.1.1.1 disabled=no name=\
        l2tp-Office_connection password=XXXXXXXXXXXX user=user1
    add add-default-route=yes connect-to=10.255.255.138 default-route-distance=1 \
        disabled=no mrru=1600 name=l2tp-out1 password=XXXXXXXX user=user0
    /ip dhcp-client option
    add code=55 name=parameter_request_list value=0x01f90321062a
    /ip pool
    add name=dhcp_pool1 ranges=192.168.32.10-192.168.32.200
    /ip dhcp-server
    add address-pool=dhcp_pool1 disabled=no interface=bridge1-lan name=dhcp1
    /ppp profile
    add name=profile1 use-compression=no use-encryption=yes use-mpls=no
    set *FFFFFFFE use-compression=yes use-upnp=yes
    /tool user-manager customer
    set admin access=\
        own-routers,own-users,own-profiles,own-limits,config-payment-gw
    /interface bridge port
    add bridge=bridge1-lan interface=ether2
    add bridge=bridge1-lan interface=ether3
    add bridge=bridge1-lan interface=ether4
    add bridge=bridge1-lan interface=ether5-LAN
    add bridge=bridge1-lan interface=wlan1
    /ip address
    add address=192.168.32.254/24 interface=bridge1-lan network=192.168.32.0
    /ip dhcp-client
    add default-route-distance=10 dhcp-options=\
        hostname,parameter_request_list,clientid disabled=no interface=ether1-WAN
    /ip dhcp-server lease
    add address=192.168.32.108 mac-address=90:2B:34:76:73:E7 server=dhcp1
    add address=192.168.32.32 client-id=1:c:38:3e:4:c9:d5 mac-address=\
        0C:38:3E:04:C9:D5 server=dhcp1
    add address=192.168.32.107 client-id=1:94:de:80:4a:70:5a mac-address=\
        94:DE:80:4A:70:5A server=dhcp1
    /ip dhcp-server network
    add address=192.168.32.0/24 dns-server=\
        10.100.100.1,10.100.100.6,192.168.32.254 gateway=192.168.32.254
    /ip firewall filter
    add action=accept chain=input protocol=icmp
    add action=accept chain=input dst-port=1701 protocol=udp
    add action=accept chain=input connection-state=established,related
    add action=accept chain=output connection-state=!invalid
    add action=accept chain=forward protocol=tcp
    add action=accept chain=forward protocol=udp
    add action=drop chain=input connection-state=invalid
    add action=drop chain=forward connection-state=invalid disabled=yes
    add action=drop chain=input disabled=yes
    /ip firewall nat
    add action=masquerade chain=srcnat out-interface=all-ppp
    add action=masquerade chain=srcnat out-interface=ether1-WAN src-address=\
        192.168.32.0/24
    /ip route
    add distance=1 dst-address=10.100.100.0/24 gateway=10.255.255.145
    add distance=1 dst-address=192.168.0.0/24 gateway=172.16.30.1 pref-src=\
        172.16.30.2
    add disabled=yes distance=1 dst-address=192.168.0.0/24 gateway=l2tp-out1
    add distance=1 dst-address=192.168.102.0/24 gateway=172.16.30.1 pref-src=\
        172.16.30.2
    /ip service
    set telnet disabled=yes
    set ftp disabled=yes
    set www address=192.168.32.0/24
    set ssh disabled=yes
    set api disabled=yes
    set winbox address=192.168.0.0/24,192.168.32.0/24
    set api-ssl disabled=yes

    In short, "I need help": how do I set this up correctly so that everyone can see each other? While you are at it, please critique the R1 Mikrotik config.
     
    Last edited: 3 Dec 2018