проброс портов из дома к офису

Тема в разделе "Маршрутизация", создана пользователем TomIce, 24 май 2017.

  1. TomIce

    TomIce Новый участник

    Форумчане приветствую, такая проблема не работает проброс портов.
    Возможно проблема в настройке firewall, посмотрел кучу форумов мануалов но решения так и не нашел - разрешающее правило есть, но работает только подключение по winbox.
    Где ошибка?
    Конфигурацию прилагаю:

    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-inter
    set [ find default-name=ether2 ] name=ether2-local
    /ip neighbor discovery
    set ether1-inter discover=no
    /ip pool
    add name=dhcp_pool1 ranges=192.168.1.20-192.168.1.254
    add name=dhcp ranges=192.168.1.50-192.168.1.254
    /ip dhcp-server
    add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=ether2-local lease-time=6d10m name=dhcp1
    /interface l2tp-server server
    set caller-id-type=ip-address
    /ip address
    add address=X.X.X.X/17 comment=defconf interface=ether1-inter network=X.X.Y.Y
    add address=192.168.1.1/24 interface=ether2-local network=192.168.1.0
    /ip dhcp-server network
    add address=192.168.1.0/24 gateway=192.168.1.1
    /ip dns
    set servers=8.8.8.8,8.8.3.3
    /ip firewall address-list
    add address=192.0.0.0/24 list=BOGON
    add address=0.0.0.0/8 list=BOGON
    add address=10.0.0.0/8 list=BOGON
    add address=100.64.0.0/10 list=BOGON
    add address=127.0.0.0/8 list=BOGON
    add address=169.254.0.0/16 list=BOGON
    add address=172.16.0.0/12 list=BOGON
    add address=192.0.2.0/24 list=BOGON
    add address=192.168.0.0/16 list=BOGON
    add address=198.18.0.0/15 list=BOGON
    add address=198.51.100.0/24 list=BOGON
    add address=203.0.113.0/24 list=BOGON
    add address=224.0.0.0/4 list=BOGON
    add address=240.0.0.0/4 list=BOGON
    /ip firewall filter
    add action=accept chain=input comment="Allow SSH" dst-port=65522 in-interface=!ether1-inter protocol=tcp
    add action=accept chain=input comment="Allow HTTPS" dst-port=443 in-interface=!ether1-inter log=yes protocol=tcp
    add action=accept chain=input comment="Allow Winbox" dst-port=65521 in-interface=!ether1-inter log=yes protocol=tcp
    add action=accept chain=input comment="Allow cons" dst-port=50138 in-interface=!ether1-inter log=yes protocol=tcp
    add action=accept chain=input comment="Allow sbis" dst-port=50139 in-interface=!ether1-inter protocol=tcp
    add action=accept chain=input comment="Allow SNMP" dst-port=161 in-interface=!ether1-inter log=yes protocol=udp
    add action=accept chain=input comment="Allow GRE" in-interface=ether1-inter log=yes protocol=gre
    add action=accept chain=input connection-state=new dst-port=65521,50138,50139,443,65522 log=yes protocol=tcp
    add action=drop chain=input in-interface=ether1-inter src-address-list=BOGON
    add action=accept chain=input connection-state=established
    add action=accept chain=input connection-state=related
    add action=accept chain=input protocol=icmp
    add action=drop chain=input connection-state=new in-interface=!ether2-local
    add action=accept chain=forward connection-state=established
    add action=accept chain=forward connection-state=related
    add action=drop chain=forward connection-state=invalid
    add action=accept chain=ether2-local-ether1-inter
    add action=drop chain=ether1-inter-ether2-local
    add action=jump chain=forward in-interface=ether1-inter jump-target=ether1-inter-ether2-local out-interface=ether2-local
    add action=jump chain=forward in-interface=ether2-local jump-target=ether2-local-ether1-inter out-interface=ether1-inter
    add action=drop chain=input dst-port=53 in-interface=ether1-inter log=yes log-prefix=query_in_drop protocol=udp
    add action=drop chain=input dst-port=53 in-interface=ether1-inter protocol=tcp
    add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
    add action=accept chain=input comment="Allow Established connections" connection-state=established
    add action=accept chain=input in-interface=ether1-inter src-address=192.168.0.0/24
    add action=drop chain=input comment="Drop everything else"
    add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
    add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp
    add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp
    add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
    add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
    add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
    add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp
    add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
    add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp
    add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
    add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 protocol=udp
    add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 protocol=udp
    add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
    add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
    add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=udp
    add action=accept chain=icmp comment="ICMP echo reply" icmp-options=0:0 protocol=icmp
    add action=accept chain=icmp comment="ICMP net unreachable" icmp-options=3:0 protocol=icmp
    add action=accept chain=icmp comment="ICMP host unreachable" icmp-options=3:1 protocol=icmp
    add action=accept chain=icmp comment="ICMP host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
    add action=accept chain=icmp comment="ICMP allow source quench" icmp-options=4:0 protocol=icmp
    add action=accept chain=icmp comment="ICMP allow echo request" icmp-options=8:0 protocol=icmp
    add action=accept chain=icmp comment="ICMP allow time exceed" icmp-options=11:0 protocol=icmp
    add action=accept chain=icmp comment="ICMP allow parameter bad" icmp-options=12:0 protocol=icmp
    add action=drop chain=icmp comment="ICMP deny all other types"
    add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="Port scanners to list" protocol=tcp psd=21,3s,3,1
    add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
    add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
    add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
    add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
    add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
    add action=add-src-to-address-list address-list=port_scanners address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
    add action=drop chain=input comment="dropping port scanners" src-address-list=port_scanners
    add action=drop chain=forward comment="dropping port scanners" src-address-list=port_scanners
    add action=drop chain=input comment="Drop everything else" in-interface=ether1-inter
    add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid
    add action=drop chain=forward comment="Drop new forward WAN" connection-state=new in-interface=ether1-inter
    add action=accept chain=forward disabled=yes dst-address=192.168.1.2 dst-port=3389 in-interface=!ether1-inter protocol=tcp
    add action=accept chain=forward disabled=yes dst-address=192.168.1.5 dst-port=443 in-interface=!ether1-inter protocol=tcp
    add action=accept chain=forward disabled=yes dst-address=192.168.1.12 dst-port=50139 in-interface=!ether1-inter protocol=tcp
    /ip firewall nat
    add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=50138 in-interface=!ether1-inter protocol=tcp to-addresses=192.168.1.2 to-ports=3389
    add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=50139 in-interface=!ether1-inter protocol=tcp to-addresses=192.168.1.12 to-ports=50139
    add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=443 in-interface=!ether1-inter protocol=tcp to-addresses=192.168.1.5 to-ports=443
    add action=masquerade chain=srcnat dst-address=192.168.1.2 dst-port=3389 protocol=tcp src-address=192.168.1.0/24
    add action=masquerade chain=srcnat dst-address=192.168.1.5 dst-port=443 protocol=tcp src-address=192.168.1.0/24
    add action=masquerade chain=srcnat dst-address=192.168.1.12 dst-port=50139 protocol=tcp src-address=192.168.1.0/24
    add action=masquerade chain=srcnat out-interface=ether1-inter
    add action=redirect chain=dstnat disabled=yes dst-port=53 in-interface=ether2-local protocol=udp
    add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp src-address=192.168.1.0/24 to-ports=8080
    add action=dst-nat chain=dstnat disabled=yes dst-address=X.X.X.X dst-port=50138 protocol=tcp to-addresses=192.168.1.2 to-ports=3389
    add action=dst-nat chain=dstnat disabled=yes dst-address=X.X.X.X dst-port=50139 protocol=tcp to-addresses=192.168.1.12 to-ports=50139
    add action=dst-nat chain=dstnat disabled=yes dst-address=X.X.X.X dst-port=443 protocol=tcp to-addresses=192.168.1.5 to-ports=443
    /ip firewall service-port
    set ftp disabled=yes
    set tftp disabled=yes
    /ip route
    add distance=1 gateway=X.X.X.X
    /ip service
    set telnet disabled=yes
    set ftp disabled=yes
    set www address=192.168.1.0/24 disabled=yes
    set ssh port=65522
    set api disabled=yes
    set winbox port=65521
    set api-ssl disabled=yes
    /tool mac-server
    set [ find default=yes ] disabled=yes
    add interface=ether2-local
    /tool mac-server mac-winbox
    set [ find default=yes ] disabled=yes
    add interface=ether2-local
     
  2. add action=dst-nat chain=dstnat dst-address=X.X.X.X dst-port=50138 in-interface=!ether1-inter protocol=tcp to-addresses=192.168.1.2 to-ports=3389 - восклицательный знак не нужен здесь.
     
  3. TomIce

    TomIce Новый участник

    Добрый день, пробовал и со знаком и без результат один и тот же, не работает, оставил со знаком.
     
  4. Mama

    Mama Участник

    А вам чем и куда подключаться надо?
     
  5. TomIce

    TomIce Новый участник

    К серверу по rdp, к веб серверу.
    Из дома к офису по IP и порту
     
  6. Mama

    Mama Участник

    в счетчике, в nat, при подключении цифры изменяются?
    на роутер или в подсеть?
     
  7. add action=dst-nat chain=dstnat comment="rdp for disa-pc" dst-port=33185 protocol=tcp to-addresses=192.168.21.254 to-ports=3389
    Вот точно работающее правило для перенаправления. Разберитесь с вашем farewall он у вас очень намудренный. Возьмите за основу фаервол по умолчанию, и добавьте в него то, что необходимо.