Good afternoon, dear colleagues! I have an RB2011UiAS-2HnD router. Two providers are connected to it; I configured everything, and until yesterday everything worked. The IP addresses are dedicated, public ("white") ones. Now I get the following:
- via provider No. 1, outgoing and incoming traffic is present, pings and traceroute to the interface go through, everything is fine;
- via provider No. 2, outgoing traffic runs fine. From the internal network there is internet access through this interface, everything works. When trying to reach this interface from outside, there is no access, pings do not go through, the traceroute stalls at the last hop, and the router's interface cannot be reached. I explicitly opened ICMP. It does not ping.
The question, really, is how and with what tools to diagnose/see where incoming traffic gets stuck on the MikroTik?
Given that everything worked yesterday and does not today, start with the sources, i.e. the providers: do they work on their own?
Yes, the providers work: after plugging the provider No. 2 link into a computer, we get both ping and trace. I need to trace incoming traffic on the MikroTik, and unfortunately I don't know how. That is what I am asking for help with.
Under the spoilers is the export of the requested data. I want to note that routing in the tunnels works. The internal network can be reached via the KyivStar provider. Via the Maximum provider it cannot be reached from outside to inside. I am splitting the message into three parts because the forum does not let it all through in one.

Spoiler: /ip firewall export

# may/30/2017 09:25:51 by RouterOS 6.39.1
# software id =
#
/ip firewall address-list
add address=192.168.68.219 comment="Virtual Mashine Windows 10 x64" list=\
    src-to-isp-maximum
add address=192.168.68.100 comment=\
    "HP ENVY dv7 Ethernet " list=\
    src-to-isp-maximum
add address=192.168.68.112 comment=\
    "HP ProBook 450 G2 Ethernet " list=\
    src-to-isp-maximum
add address=192.168.68.101 comment=\
    "HP ENVY dv7 WiFi " list=src-to-isp-maximum
/ip firewall connection tracking
set enabled=yes
/ip firewall filter
add action=add-src-to-address-list address-list="dns flood" \
    address-list-timeout=1h chain=input comment="DNS Flood in INTERNET Interfa\
    ce (Add Address to Table \"Address List\" with marker \"dns flood\")" \
    dst-port=53 in-interface-list=GW-Interface protocol=udp
add action=drop chain=input comment="DNS Flood in INTERNET Interface (Droop Fl\
    ood from Table \"Address List\" with marker \"dns flood\")" dst-port=53 \
    in-interface-list=GW-Interface protocol=udp src-address-list="dns flood"
add action=add-src-to-address-list address-list="dns flood" \
    address-list-timeout=1h chain=input comment="DNS Flood Maximum.net Interne\
    t(Add Address to Table \"Address List\" with marker \"dns flood\")" \
    disabled=yes dst-port=53 in-interface=GW-MaximumNET protocol=udp
add action=drop chain=input comment="DNS Flood Maximum.net Internet(Droop Floo\
    d from Table \"Address List\" with marker \"dns flood\")" disabled=yes \
    dst-port=53 in-interface=GW-MaximumNET protocol=udp src-address-list=\
    "dns flood"
add action=accept chain=input comment=\
    "Allow IGMP access IP TV Multicast in INTERNET interface" \
    in-interface-list=GW-Interface protocol=igmp
add action=accept chain=input comment=\
    "Allow IPTV UDP incoming in INTERNET interface" dst-port=1234 \
    in-interface-list=GW-Interface protocol=udp
add action=accept chain=forward comment=\
    "Allow IPTV UDP forwarding in INTERNET interface" dst-port=1234 \
    in-interface-list=GW-Interface protocol=udp
add action=accept chain=forward comment="Allow IPTV UDP forwarding" dst-port=\
    1234 protocol=udp
/ip firewall mangle
add action=mark-connection chain=forward comment=\
    "Mark input forward connection from ISP kyivstar.net" in-interface=\
    GW-KyivStarNET new-connection-mark=kyivstar-connect passthrough=yes
add action=mark-connection chain=forward comment=\
    "Mark input forward connection from ISP maximum.net" in-interface=\
    GW-MaximumNET new-connection-mark=maksimum-connect passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Mark rout connection to ISP kyivstar.net" connection-mark=\
    kyivstar-connect new-routing-mark=kyivstar-rout passthrough=yes \
    src-address=192.168.68.0/24
add action=mark-routing chain=prerouting comment=\
    "Mark rout connection to ISP maximum.net" connection-mark=\
    maksimum-connect new-routing-mark=maximum-rout passthrough=yes \
    src-address=192.168.68.0/24
add action=mark-routing chain=prerouting comment=\
    "Mark new connection from Table src-to isp-kyivstar to KYIVSTAR Internet" \
    connection-state=new log=yes new-routing-mark=kyivstar-rout passthrough=\
    yes src-address-list=src-to-isp-kyivstar
add action=mark-routing chain=prerouting comment=\
    "Mark new connection from Table src-to isp-maximum to MAXIMUM Internet" \
    connection-state=new log=yes new-routing-mark=maximum-rout passthrough=\
    yes src-address-list=src-to-isp-maximum
add action=mark-connection chain=forward comment="Mark GRE Tunnel [KyivStar] i\
    nput forward connection from GRE connect " dst-address=\
    172.16.1.1 new-connection-mark=gre-center-connect-ks passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Mark rout connection to interface GRE Tunnel [KyivStar] " \
    connection-mark=gre-center-connect-ks new-routing-mark=gre-center-rout-ks \
    passthrough=yes src-address=192.168.68.0/24
add action=mark-routing chain=prerouting comment=\
    "Mark new connection GRE Tunnel [KyivStar] To LAN" \
    connection-state=new dst-address=192.168.10.0/24 log=yes \
    new-routing-mark=gre-center-rout-ks passthrough=yes
add action=mark-connection chain=forward comment=\
    "Mark VPN input forward connection from l2tp interface " \
    dst-address=10.10.0.1 new-connection-mark=vpn-mystyle-connect \
    passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Mark rout connection to l2tp VPN interface " \
    connection-mark=vpn-mystyle-connect new-routing-mark=vpn-mystyle-rout \
    passthrough=yes src-address=192.168.68.0/24
add action=mark-routing chain=prerouting comment=\
    "Mark new connection VPN to 1 TradePoint LAN" \
    connection-state=new dst-address=192.168.31.0/24 log=yes \
    new-routing-mark=vpn-mystyle-rout passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Mark new connection VPN to 2 TradePoint LAN" \
    connection-state=new dst-address=192.168.32.0/24 log=yes \
    new-routing-mark=vpn-mystyle-rout passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Mark new connection VPN to 3 LAN" \
    connection-state=new dst-address=192.168.33.0/24 log=yes \
    new-routing-mark=vpn-mystyle-rout passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Mark new connection VPN to 4 LAN" \
    connection-state=new dst-address=192.168.34.0/24 log=yes \
    new-routing-mark=vpn-mystyle-rout passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Mark new connection VPN to 5 LAN" connection-state=new \
    dst-address=192.168.35.0/24 log=yes new-routing-mark=vpn-mystyle-rout \
    passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Mark new connection VPN to 6 LAN" connection-state=\
    new dst-address=192.168.36.0/24 log=yes new-routing-mark=vpn-mystyle-rout \
    passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Mark new connection VPN to 7 LAN (Server)" \
    connection-state=new dst-address=192.168.38.0/24 log=yes \
    new-routing-mark=vpn-mystyle-rout passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Mark new connection VPN to 8 LAN" connection-state=new \
    dst-address=192.168.58.0/24 log=yes new-routing-mark=vpn-mystyle-rout \
    passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Mark new connection VPN to 9 LAN" connection-state=new \
    dst-address=192.168.60.0/24 log=yes new-routing-mark=vpn-mystyle-rout \
    passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Mark new connection VPN to 10 LAN" connection-state=new \
    dst-address=192.168.78.0/24 log=yes new-routing-mark=vpn-mystyle-rout \
    passthrough=yes
add action=mark-routing chain=prerouting comment=\
    "Mark new connection VPN to 11 LAN" connection-state=new \
    dst-address=192.168.88.0/24 log=yes new-routing-mark=vpn-mystyle-rout \
    passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "Access Local LAN to MAXIMUM.NET INTERNET (Masquerade)" out-interface=\
    GW-MaximumNET src-address=192.168.68.0/24
add action=masquerade chain=srcnat comment=\
    "Access Local LAN to KYIVSTAR.NET INTERNET (Masquerade)" out-interface=\
    GW-KyivStarNET src-address=192.168.68.0/24
Spoiler: /ip route export

# may/30/2017 09:26:45 by RouterOS 6.39.1
# software id =
#
/ip route
add comment="Kyivstar.net MARK Route" distance=3 gateway=134.249.123.254 \
    routing-mark=kyivstar-rout
add comment="Maximum.net MARK Route" distance=4 gateway=109.207.206.129 \
    routing-mark=maximum-rout
add comment="GRE [KyivStar] MARKED Primary Route " distance=1 \
    dst-address=172.16.1.0/24 gateway=172.16.1.1 pref-src=172.16.1.2 \
    routing-mark=gre-center-rout-ks
add comment="VPN MARKED Primary Route to VPN" distance=1 dst-address=\
    10.10.0.0/24 gateway=10.10.0.1 pref-src=10.10.0.68 routing-mark=\
    vpn-mystyle-rout
add comment="Kyivstar.net Static Route" distance=1 gateway=134.249.123.254
add comment="Maximum.net Static Route" distance=2 gateway=109.207.206.129
add comment="Test Activity Cannal" disabled=yes distance=1 dst-address=\
    8.8.4.4/32 gateway=109.207.206.129
add comment="VPN Primary Route " distance=1 dst-address=\
    10.10.0.0/24 gateway=10.10.0.1 pref-src=10.10.0.68
add comment="GRE [KyivStar] Route " distance=1 dst-address=\
    192.168.10.0/24 gateway=172.16.1.1 pref-src=172.16.1.2
add comment="VPN Route to 1 LAN" distance=1 \
    dst-address=192.168.31.0/24 gateway=10.10.0.1 pref-src=10.10.0.68
add comment="VPN Route to 2 LAN" distance=1 \
    dst-address=192.168.32.0/24 gateway=10.10.0.1 pref-src=10.10.0.68
add comment="VPN Route to 3 LAN" distance=1 \
    dst-address=192.168.33.0/24 gateway=10.10.0.1 pref-src=10.10.0.68
add comment="VPN Route to 4 LAN" distance=1 \
    dst-address=192.168.34.0/24 gateway=10.10.0.1 pref-src=10.10.0.68
add comment="VPN Route to 5 LAN" distance=1 dst-address=\
    192.168.35.0/24 gateway=10.10.0.1 pref-src=10.10.0.68
add comment="VPN Route to 6 LAN" distance=1 dst-address=\
    192.168.36.0/24 gateway=10.10.0.1 pref-src=10.10.0.68
add comment="VPN Route to 7 LAN (Server)" distance=1 \
    dst-address=192.168.38.0/24 gateway=10.10.0.1 pref-src=10.10.0.68
add comment="VPN Route to 8 LAN" distance=1 dst-address=\
    192.168.58.0/24 gateway=10.10.0.1 pref-src=10.10.0.68
add comment="VPN Route to 9 LAN" distance=1 dst-address=\
    192.168.60.0/24 gateway=10.10.0.1 pref-src=10.10.0.68
add comment="VPN Route to 10 LAN" distance=1 dst-address=\
    192.168.78.0/24 gateway=10.10.0.1 pref-src=10.10.0.68
add comment="VPN Route to 11 LAN" distance=1 dst-address=\
    192.168.88.0/24 gateway=10.10.0.1 pref-src=10.10.0.68
/ip route rule
add comment="[KyivStar Internet] DELL Latitude " disabled=yes src-address=\
    192.168.68.106/32 table=mark-kyivstar
add comment="[KyivStar Internet] Virtual Mashine Windows XP SP3 " disabled=yes src-address=\
    192.168.68.219/32 table=mark-kyivstar

Spoiler: /ip route print

[merlin@MikroTik] > /ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  ;;; Kyivstar.net MARK Route
        0.0.0.0/0                          134.249.123.254           3
 1 A S  ;;; Maximum.net MARK Route
        0.0.0.0/0                          109.207.206.129           4
 2 A S  ;;; GRE [KyivStar] MARKED Primary Route GRE
        172.16.1.0/24      172.16.1.2      172.16.1.1                1
 3 A S  ;;; VPN MARKED Primary Route to VPN
        10.10.0.0/24       10.10.0.68      10.10.0.1                 1
 4 A S  ;;; Kyivstar.net Static Route
        0.0.0.0/0                          134.249.123.254           1
 5   S  ;;; Maximum.net Static Route
        0.0.0.0/0                          109.207.206.129           2
 6 X S  ;;; Test Activity Cannal
        8.8.4.4/32                         109.207.206.129           1
 7 A S  ;;; VPN Primary Route
        10.10.0.0/24       10.10.0.68      10.10.0.1                 1
 8 ADC  10.10.0.1/32       10.10.0.68      l2tp                      0
 9 ADC  109.207.206.128/27 109.207.206.132 GW-MaximumNET             0
10 ADC  134.249.120.0/22   134.249.120.30  GW-KyivStarNET            0
11 ADC  172.16.1.0/30      172.16.1.2      GRE                       0
12 A S  ;;; GRE [KyivStar] Route To GRE LAN
        192.168.10.0/24    172.16.1.2      172.16.1.1                1
13 A S  ;;; VPN Route to 1 TradePoint LAN
        192.168.31.0/24    10.10.0.68      10.10.0.1                 1
14 A S  ;;; VPN Route to 2 TradePoint LAN
        192.168.32.0/24    10.10.0.68      10.10.0.1                 1
15 A S  ;;; VPN Route to 3 TradePoint LAN
        192.168.33.0/24    10.10.0.68      10.10.0.1                 1
16 A S  ;;; VPN Route to 4 TradePoint LAN
        192.168.34.0/24    10.10.0.68      10.10.0.1                 1
17 A S  ;;; VPN Route to 5 TradePoint LAN
        192.168.35.0/24    10.10.0.68      10.10.0.1                 1
18 A S  ;;; VPN Route to 6 TradePoint LAN
        192.168.36.0/24    10.10.0.68      10.10.0.1                 1
19 A S  ;;; VPN Route to 7 MainOFFICE LAN (Server)
        192.168.38.0/24    10.10.0.68      10.10.0.1                 1
20 A S  ;;; VPN Route to 8 LAN
        192.168.58.0/24    10.10.0.68      10.10.0.1                 1
21 A S  ;;; VPN Route to 9 LAN
        192.168.60.0/24    10.10.0.68      10.10.0.1                 1
22 ADC  192.168.68.0/24    192.168.68.5    LAN                       0
23 A S  ;;; VPN Route to 10 LAN
        192.168.78.0/24    10.10.0.68      10.10.0.1                 1
24 A S  ;;; VPN Route to 11 LAN
        192.168.88.0/24    10.10.0.68      10.10.0.1                 1
[merlin@MikroTik] >
That's logical. The packets go back out via Kyivstar. Mark the routes and packets. Topic to study: 3Wan routing and balancing + access to local resources
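The marking recommended in the reply above, sketched for traffic addressed to the router itself, followed by standard RouterOS commands for watching what arrives on the Maximum interface (an added example, not part of the original posts and not the poster's configuration). Interface names and routing marks are taken from the export above; the connection marks `in-maximum` and `in-kyivstar` and the log prefix are hypothetical.

```routeros
# Added example. Interface names and routing marks come from the export above;
# connection marks in-maximum / in-kyivstar and the log prefix are hypothetical.

/ip firewall mangle
# 1. Tag each connection addressed to the router with the WAN it arrived on.
add chain=input in-interface=GW-MaximumNET connection-mark=no-mark \
    action=mark-connection new-connection-mark=in-maximum passthrough=yes \
    comment="Inbound to router via Maximum"
add chain=input in-interface=GW-KyivStarNET connection-mark=no-mark \
    action=mark-connection new-connection-mark=in-kyivstar passthrough=yes \
    comment="Inbound to router via KyivStar"

# 2. Send the router's own replies out through the routing table of the same
#    WAN. Without these rules replies are looked up in the main table, whose
#    only active default route (distance=1) points at the KyivStar gateway.
add chain=output connection-mark=in-maximum action=mark-routing \
    new-routing-mark=maximum-rout passthrough=no \
    comment="Replies to Maximum-side connections leave via Maximum"
add chain=output connection-mark=in-kyivstar action=mark-routing \
    new-routing-mark=kyivstar-rout passthrough=no \
    comment="Replies to KyivStar-side connections leave via KyivStar"

# 3. Diagnostics, run interactively one at a time while pinging the Maximum
#    address from outside. Echo requests should appear on GW-MaximumNET;
#    if the echo replies show up on GW-KyivStarNET, the return path is wrong.
/tool sniffer quick interface=GW-MaximumNET ip-protocol=icmp
/tool sniffer quick interface=GW-KyivStarNET ip-protocol=icmp

# Temporary log rule for arriving ICMP; remove it after testing.
/ip firewall mangle add chain=prerouting in-interface=GW-MaximumNET \
    protocol=icmp action=log log-prefix="max-in" comment="TEMP diag"

# Inspect tracked ICMP connections and the connection marks they carry.
/ip firewall connection print detail where protocol=icmp
```

These rules cover only connections terminating on the router (ping, management); connections forwarded to LAN hosts are handled by the forward/prerouting marks already present in the export.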
Thanks, off to study. I just don't understand how it worked with this configuration a week ago but doesn't work now. But that's another question... What matters now is to configure it so that it works.