I have one mikrot and a few ip addrs :
- on ether1 from uplink by dhcp,
- static addr on bridge and
- static addr on ether4.
ether4 is not in any bridge, standalone interface.
I have a dhcp server with
- iprange1 on bridge and
- iprange2 on ether4 .
both are working fine and devices get addrs successfully
Some device, let's name it device1_iprange2, connected to ether4 gets ip from iprange2.
I connect with ssh to mikrotik, try to ping device1_iprange2 ip and I get timeout, also I get timeout if i explicitly set source ip, until I explicitly set source interface ether4 with the ping command.
When I try to set dst-nat seems like the packets doesn't go through ether4 and lost somewhere because of this source ip issue.
I have tried to set another bridge with only one interface (ether4), and reconfigure dhcp to use this bridge instead of ether4, but the results are the same.
Firmware 6.49.6
Any thoughts on why mikrot doesn't use the ether4 ip address as a source and how can I make mikrot to use the correct source address?
source ip issue
Last edited by kerya on Tue Apr 19, 2022 10:59 pm, edited 2 times in total.
Re: source ip issue
Normally it does, so maybe you have something unusual in your config?
Re: source ip issue
Unusual like what? I can't imagine what makes it behave like this.
Re: source ip issue
Nor can I, without a network diagrams and a config
/export hide-sensitive file=anynameyouwish
/export hide-sensitive file=anynameyouwish
Re: source ip issue
# apr/19/2022 23:12:10 by RouterOS 6.49.6
# software id = QQD7-HGX4
#
# model = 951G-2HnD
# serial number =
/interface pptp-server
add name=pptp-in1 user=""
/interface bridge
add admin-mac=CC:2D:E0:FA:55:D2 auto-mac=no comment=defconf mtu=1500 name=\
bridge
add disabled=yes mtu=65535 name=bridge_wan
add igmp-snooping=yes name=bridge_wifi
add disabled=yes mtu=65535 name=bridge_yura protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment="Inet WAN" l2mtu=4074 mtu=4074 \
rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=ether2 ] comment="" l2mtu=4074 mtu=4074 \
rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=ether3 ] comment="" l2mtu=4074 mtu=4074 \
rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=ether4 ] l2mtu=1500 rx-flow-control=auto speed=\
100Mbps tx-flow-control=auto
set [ find default-name=ether5 ] l2mtu=4074 mtu=4074 rx-flow-control=auto \
speed=100Mbps tx-flow-control=auto
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-g/n channel-width=\
20/40mhz-Ce country=no_country_set disabled=no distance=indoors \
frequency=auto frequency-mode=manual-txpower l2mtu=2290 mode=ap-bridge \
mtu=2290 ssid=xxxxxxxxxxx station-roaming=enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
/ip pool
add name=dhcp ranges=192.168.11.16-192.168.11.63
add name=pptpvpn ranges=172.27.7.16-172.27.7.64
add name=wifi ranges=172.22.9.16-172.22.9.63
add name=yura-pool ranges=192.168.64.16-192.168.64.32
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=wifi disabled=no interface=bridge_wifi name=server_wifi
add add-arp=yes address-pool=yura-pool disabled=no interface=ether4 name=\
yura-server
/port
set 0 baud-rate=115200 data-bits=8 flow-control=none name=usb1 parity=none \
stop-bits=1
/ppp profile
set *FFFFFFFE local-address=172.27.7.1 only-one=yes remote-address=pptpvpn \
use-compression=yes use-mpls=no use-upnp=yes
/routing ospf instance
set [ find default=yes ] redistribute-connected=as-type-1 \
redistribute-other-ospf=as-type-1 redistribute-static=as-type-1 \
router-id=192.168.11.100
/routing ospf-v3 instance
set [ find default=yes ] metric-default=10 redistribute-connected=as-type-1 \
redistribute-other-ospf=as-type-1 redistribute-rip=as-type-1 \
redistribute-static=as-type-1 router-id=192.168.11.100
/snmp community
set [ find default=yes ] name=mhgjkf4 security=private
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge_wifi interface=\
ether3
add bridge=bridge_yura comment=defconf disabled=yes interface=ether4 \
multicast-router=disabled
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge_wifi comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge_wifi list=LAN
/interface pppoe-server server
add authentication=mschap1,mschap2 default-profile=default-encryption \
disabled=no interface=bridge keepalive-timeout=120 max-sessions=1 \
one-session-per-host=yes service-name=11-100
/interface pptp-server server
set authentication=mschap2 enabled=yes keepalive-timeout=120
/interface sstp-server server
set authentication=mschap2 certificate=cert2 default-profile=\
default-encryption enabled=yes force-aes=yes pfs=yes tls-version=only-1.2
/ip address
add address=192.168.11.100/24 comment=defconf interface=bridge network=\
192.168.11.0
add address=172.22.9.1/26 interface=bridge_wifi network=172.22.9.0
add address=192.168.64.1 interface=ether4 network=192.168.64.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.64.32 client-id=1:c0:51:7e:2c:53:61 mac-address=\
C0:51:7E:2C:53:61 server=yura-server
/ip dhcp-server network
add address=172.22.9.0/26 dns-server=172.22.9.1,8.8.4.4,8.8.8.8 gateway=\
172.22.9.1 netmask=26
add address=172.27.7.0/24 dns-server=172.27.7.1 gateway=172.27.7.1 netmask=24 \
ntp-server=192.168.11.1
add address=192.168.11.0/24 boot-file-name=pxelinux.0 caps-manager=\
192.168.11.2 comment=defconf dns-server=192.168.11.1,192.168.11.2 \
gateway=192.168.11.100 netmask=24 next-server=192.168.11.4 ntp-server=\
192.168.11.1,192.168.11.2 wins-server=192.168.11.202
add address=192.168.64.0/24 dns-server=192.168.64.1,192.168.11.100 gateway=\
192.168.64.1 netmask=24 ntp-server=192.168.11.1,192.168.11.64
/ip dns
set allow-remote-requests=yes cache-size=4096KiB max-concurrent-queries=256 \
max-concurrent-tcp-sessions=64 servers=8.8.8.8,8.8.4.4,192.168.11.1
/ip dns static
add address=192.168.11.100 name=router.lan
/ip firewall filter
add action=accept chain=output
add action=accept chain=input protocol=gre
add action=accept chain=input comment="allow all tmp rule" disabled=yes
add action=accept chain=input comment="allow port 80 in on eth1" dst-port=\
8080 protocol=tcp
add action=accept chain=input dst-address=192.168.11.100 dst-port=80 \
protocol=tcp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" disabled=yes \
dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment=OpenVPN dst-port=1194 \
in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow wifi in" in-interface=\
bridge_wifi
add action=drop chain=input dst-port=2222 protocol=tcp src-address-list=\
ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=30m chain=input connection-state=new dst-port=2222 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=2222 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=2222 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=2222 \
protocol=tcp
add action=accept chain=input comment="allow ssh from wan" dst-port=2222 \
in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=2222 in-interface-list=WAN protocol=\
tcp
add action=accept chain=input dst-address=192.168.11.100 dst-port=22 \
protocol=tcp
add action=accept chain=input disabled=yes dst-port=8000 protocol=tcp
add action=accept chain=input disabled=yes dst-port=88 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN src-address=172.27.7.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
172.27.8.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
192.168.11.2
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
192.168.11.3
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
192.168.11.4
add action=masquerade chain=srcnat comment=d3a73wifi out-interface-list=WAN \
src-address=192.168.11.5
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
172.22.4.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
10.90.90.0/26
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
192.168.11.12
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
192.168.11.64
add action=masquerade chain=srcnat comment="local wifi" out-interface-list=\
WAN src-address=172.22.9.0/26
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
172.22.8.0/25
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
192.168.64.0/24 to-addresses=<uplink_ext>
add action=masquerade chain=srcnat dst-address=192.168.64.0/24 out-interface=\
ether4
add action=dst-nat chain=dstnat dst-port=8000 in-interface-list=WAN protocol=\
tcp to-addresses=192.168.64.32 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8000 in-interface-list=WAN protocol=\
udp to-addresses=192.168.64.32 to-ports=8000
add action=dst-nat chain=dstnat dst-port=88 in-interface-list=WAN protocol=\
tcp to-addresses=192.168.64.32 to-ports=88
add action=dst-nat chain=dstnat dst-port=88 in-interface-list=WAN protocol=\
udp to-addresses=192.168.64.32 to-ports=88
add action=dst-nat chain=dstnat dst-port=8080 in-interface-list=WAN protocol=\
tcp to-addresses=192.168.11.100 to-ports=80
add action=dst-nat chain=dstnat dst-port=22222 in-interface-list=WAN \
protocol=tcp to-addresses=192.168.11.1 to-ports=22222
add action=src-nat chain=srcnat disabled=yes out-interface=bridge \
src-address=172.27.7.0/24 to-addresses=192.168.11.100
add action=dst-nat chain=dstnat dst-address=<uplink_ext> dst-port=1194 \
in-interface-list=WAN protocol=udp to-addresses=192.168.11.1 to-ports=\
1194
add action=dst-nat chain=dstnat dst-port=1194 in-interface-list=WAN protocol=\
tcp to-addresses=192.168.11.1 to-ports=1194
add action=src-nat chain=srcnat dst-address=192.168.11.1 dst-port=1194 \
protocol=udp src-address=<ext_addr2> to-addresses=192.168.11.100
add action=masquerade chain=srcnat disabled=yes src-address=192.168.11.52
add action=dst-nat chain=dstnat dst-port=1812 in-interface-list=WAN protocol=\
udp src-address=<ext_addr2> to-addresses=192.168.11.1 to-ports=1812
add action=dst-nat chain=dstnat dst-port=1813 in-interface-list=WAN protocol=\
udp src-address=<ext_addr2> to-addresses=192.168.11.1 to-ports=1813
add action=masquerade chain=srcnat \
src-address=172.22.10.0/25
add action=dst-nat chain=dstnat dst-port=28967 in-interface-list=WAN \
protocol=tcp to-addresses=192.168.11.64 to-ports=28967
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set sctp disabled=yes
/ip route
add check-gateway=ping distance=3 gateway=192.168.11.2
add check-gateway=ping distance=4 gateway=192.168.11.64
add check-gateway=ping distance=5 gateway=192.168.11.1
add distance=1 dst-address=10.90.90.0/26 gateway=192.168.11.4
add check-gateway=ping distance=1 dst-address=<ext_addr1>/32 gateway=ether1
add check-gateway=ping distance=1 dst-address=172.22.4.0/25 gateway=\
192.168.11.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2222
set www-ssl certificate=cert2
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
set enabled=yes
/ip upnp interfaces
add disabled=yes interface=bridge type=internal
add interface=ether1 type=external
add interface=ether4 type=internal
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 request=address
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/ppp aaa
set use-circuit-id-in-nas-port-id=yes use-radius=yes
/ppp secret
add local-address=172.27.9.1 name=ppp1 profile=default-encryption
add name=vpn
/radius
add address=192.168.11.1 service=ppp,ipsec
/radius incoming
set accept=yes
/routing filter
add action=accept chain=ospf-in disabled=yes
add action=accept chain=ospf-out disabled=yes
/routing ospf interface
add interface=bridge
add interface=bridge_wifi network-type=broadcast
add interface=bridge_yura
/routing ospf nbma-neighbor
add address=192.168.11.2 disabled=yes poll-interval=1m
/routing ospf network
add area=backbone network=192.168.11.0/24
add area=backbone network=172.27.7.0/24
/routing ospf-v3 interface
add area=backbone disabled=yes interface=bridge
/snmp
set contact=xxxxxxxxx.xxx enabled=yes location=D1 trap-interfaces=bridge \
trap-version=3
/system clock
set time-zone-name=Europe/Kiev
/system console
set [ find ] disabled=yes
/system identity
set name=xxxxxxxxx
/system logging
add disabled=yes topics=sstp
add disabled=yes topics=ppp
/system ntp client
set enabled=yes primary-ntp=62.149.0.30 secondary-ntp=31.28.161.71
/system ntp server
set enabled=yes multicast=yes
/system scheduler
add interval=1d name=schedule_backup on-event=\
"system backup save name=today.backup" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=sep/05/2020 start-time=02:03:30
/system ups
add disabled=yes min-runtime=5m name=ups1 offline-time=5m port=usb1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# software id = QQD7-HGX4
#
# model = 951G-2HnD
# serial number =
/interface pptp-server
add name=pptp-in1 user=""
/interface bridge
add admin-mac=CC:2D:E0:FA:55:D2 auto-mac=no comment=defconf mtu=1500 name=\
bridge
add disabled=yes mtu=65535 name=bridge_wan
add igmp-snooping=yes name=bridge_wifi
add disabled=yes mtu=65535 name=bridge_yura protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] comment="Inet WAN" l2mtu=4074 mtu=4074 \
rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=ether2 ] comment="" l2mtu=4074 mtu=4074 \
rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=ether3 ] comment="" l2mtu=4074 mtu=4074 \
rx-flow-control=auto speed=100Mbps tx-flow-control=auto
set [ find default-name=ether4 ] l2mtu=1500 rx-flow-control=auto speed=\
100Mbps tx-flow-control=auto
set [ find default-name=ether5 ] l2mtu=4074 mtu=4074 rx-flow-control=auto \
speed=100Mbps tx-flow-control=auto
/interface wireless
set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-g/n channel-width=\
20/40mhz-Ce country=no_country_set disabled=no distance=indoors \
frequency=auto frequency-mode=manual-txpower l2mtu=2290 mode=ap-bridge \
mtu=2290 ssid=xxxxxxxxxxx station-roaming=enabled wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=\
tkip,aes-ccm mode=dynamic-keys supplicant-identity=MikroTik \
unicast-ciphers=tkip,aes-ccm
/ip pool
add name=dhcp ranges=192.168.11.16-192.168.11.63
add name=pptpvpn ranges=172.27.7.16-172.27.7.64
add name=wifi ranges=172.22.9.16-172.22.9.63
add name=yura-pool ranges=192.168.64.16-192.168.64.32
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
add address-pool=wifi disabled=no interface=bridge_wifi name=server_wifi
add add-arp=yes address-pool=yura-pool disabled=no interface=ether4 name=\
yura-server
/port
set 0 baud-rate=115200 data-bits=8 flow-control=none name=usb1 parity=none \
stop-bits=1
/ppp profile
set *FFFFFFFE local-address=172.27.7.1 only-one=yes remote-address=pptpvpn \
use-compression=yes use-mpls=no use-upnp=yes
/routing ospf instance
set [ find default=yes ] redistribute-connected=as-type-1 \
redistribute-other-ospf=as-type-1 redistribute-static=as-type-1 \
router-id=192.168.11.100
/routing ospf-v3 instance
set [ find default=yes ] metric-default=10 redistribute-connected=as-type-1 \
redistribute-other-ospf=as-type-1 redistribute-rip=as-type-1 \
redistribute-static=as-type-1 router-id=192.168.11.100
/snmp community
set [ find default=yes ] name=mhgjkf4 security=private
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge_wifi interface=\
ether3
add bridge=bridge_yura comment=defconf disabled=yes interface=ether4 \
multicast-router=disabled
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge_wifi comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 enabled=yes use-ipsec=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=bridge_wifi list=LAN
/interface pppoe-server server
add authentication=mschap1,mschap2 default-profile=default-encryption \
disabled=no interface=bridge keepalive-timeout=120 max-sessions=1 \
one-session-per-host=yes service-name=11-100
/interface pptp-server server
set authentication=mschap2 enabled=yes keepalive-timeout=120
/interface sstp-server server
set authentication=mschap2 certificate=cert2 default-profile=\
default-encryption enabled=yes force-aes=yes pfs=yes tls-version=only-1.2
/ip address
add address=192.168.11.100/24 comment=defconf interface=bridge network=\
192.168.11.0
add address=172.22.9.1/26 interface=bridge_wifi network=172.22.9.0
add address=192.168.64.1 interface=ether4 network=192.168.64.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.64.32 client-id=1:c0:51:7e:2c:53:61 mac-address=\
C0:51:7E:2C:53:61 server=yura-server
/ip dhcp-server network
add address=172.22.9.0/26 dns-server=172.22.9.1,8.8.4.4,8.8.8.8 gateway=\
172.22.9.1 netmask=26
add address=172.27.7.0/24 dns-server=172.27.7.1 gateway=172.27.7.1 netmask=24 \
ntp-server=192.168.11.1
add address=192.168.11.0/24 boot-file-name=pxelinux.0 caps-manager=\
192.168.11.2 comment=defconf dns-server=192.168.11.1,192.168.11.2 \
gateway=192.168.11.100 netmask=24 next-server=192.168.11.4 ntp-server=\
192.168.11.1,192.168.11.2 wins-server=192.168.11.202
add address=192.168.64.0/24 dns-server=192.168.64.1,192.168.11.100 gateway=\
192.168.64.1 netmask=24 ntp-server=192.168.11.1,192.168.11.64
/ip dns
set allow-remote-requests=yes cache-size=4096KiB max-concurrent-queries=256 \
max-concurrent-tcp-sessions=64 servers=8.8.8.8,8.8.4.4,192.168.11.1
/ip dns static
add address=192.168.11.100 name=router.lan
/ip firewall filter
add action=accept chain=output
add action=accept chain=input protocol=gre
add action=accept chain=input comment="allow all tmp rule" disabled=yes
add action=accept chain=input comment="allow port 80 in on eth1" dst-port=\
8080 protocol=tcp
add action=accept chain=input dst-address=192.168.11.100 dst-port=80 \
protocol=tcp
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec NAT" disabled=yes \
dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" disabled=yes dst-port=500 \
protocol=udp
add action=accept chain=input comment="allow l2tp" disabled=yes dst-port=1701 \
protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=accept chain=input comment=OpenVPN dst-port=1194 \
in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow wifi in" in-interface=\
bridge_wifi
add action=drop chain=input dst-port=2222 protocol=tcp src-address-list=\
ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=30m chain=input connection-state=new dst-port=2222 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=2222 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=2222 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=2222 \
protocol=tcp
add action=accept chain=input comment="allow ssh from wan" dst-port=2222 \
in-interface-list=WAN protocol=tcp
add action=accept chain=input dst-port=2222 in-interface-list=WAN protocol=\
tcp
add action=accept chain=input dst-address=192.168.11.100 dst-port=22 \
protocol=tcp
add action=accept chain=input disabled=yes dst-port=8000 protocol=tcp
add action=accept chain=input disabled=yes dst-port=88 protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid disabled=yes
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN src-address=172.27.7.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
172.27.8.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
192.168.11.2
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
192.168.11.3
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
192.168.11.4
add action=masquerade chain=srcnat comment=d3a73wifi out-interface-list=WAN \
src-address=192.168.11.5
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
172.22.4.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
10.90.90.0/26
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
192.168.11.12
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
192.168.11.64
add action=masquerade chain=srcnat comment="local wifi" out-interface-list=\
WAN src-address=172.22.9.0/26
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
172.22.8.0/25
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
192.168.64.0/24 to-addresses=<uplink_ext>
add action=masquerade chain=srcnat dst-address=192.168.64.0/24 out-interface=\
ether4
add action=dst-nat chain=dstnat dst-port=8000 in-interface-list=WAN protocol=\
tcp to-addresses=192.168.64.32 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8000 in-interface-list=WAN protocol=\
udp to-addresses=192.168.64.32 to-ports=8000
add action=dst-nat chain=dstnat dst-port=88 in-interface-list=WAN protocol=\
tcp to-addresses=192.168.64.32 to-ports=88
add action=dst-nat chain=dstnat dst-port=88 in-interface-list=WAN protocol=\
udp to-addresses=192.168.64.32 to-ports=88
add action=dst-nat chain=dstnat dst-port=8080 in-interface-list=WAN protocol=\
tcp to-addresses=192.168.11.100 to-ports=80
add action=dst-nat chain=dstnat dst-port=22222 in-interface-list=WAN \
protocol=tcp to-addresses=192.168.11.1 to-ports=22222
add action=src-nat chain=srcnat disabled=yes out-interface=bridge \
src-address=172.27.7.0/24 to-addresses=192.168.11.100
add action=dst-nat chain=dstnat dst-address=<uplink_ext> dst-port=1194 \
in-interface-list=WAN protocol=udp to-addresses=192.168.11.1 to-ports=\
1194
add action=dst-nat chain=dstnat dst-port=1194 in-interface-list=WAN protocol=\
tcp to-addresses=192.168.11.1 to-ports=1194
add action=src-nat chain=srcnat dst-address=192.168.11.1 dst-port=1194 \
protocol=udp src-address=<ext_addr2> to-addresses=192.168.11.100
add action=masquerade chain=srcnat disabled=yes src-address=192.168.11.52
add action=dst-nat chain=dstnat dst-port=1812 in-interface-list=WAN protocol=\
udp src-address=<ext_addr2> to-addresses=192.168.11.1 to-ports=1812
add action=dst-nat chain=dstnat dst-port=1813 in-interface-list=WAN protocol=\
udp src-address=<ext_addr2> to-addresses=192.168.11.1 to-ports=1813
add action=masquerade chain=srcnat \
src-address=172.22.10.0/25
add action=dst-nat chain=dstnat dst-port=28967 in-interface-list=WAN \
protocol=tcp to-addresses=192.168.11.64 to-ports=28967
/ip firewall service-port
set ftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set sctp disabled=yes
/ip route
add check-gateway=ping distance=3 gateway=192.168.11.2
add check-gateway=ping distance=4 gateway=192.168.11.64
add check-gateway=ping distance=5 gateway=192.168.11.1
add distance=1 dst-address=10.90.90.0/26 gateway=192.168.11.4
add check-gateway=ping distance=1 dst-address=<ext_addr1>/32 gateway=ether1
add check-gateway=ping distance=1 dst-address=172.22.4.0/25 gateway=\
192.168.11.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2222
set www-ssl certificate=cert2
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/ip upnp
set enabled=yes
/ip upnp interfaces
add disabled=yes interface=bridge type=internal
add interface=ether1 type=external
add interface=ether4 type=internal
/ipv6 dhcp-client
add add-default-route=yes interface=ether1 request=address
/ipv6 nd
set [ find default=yes ] advertise-dns=no
/ppp aaa
set use-circuit-id-in-nas-port-id=yes use-radius=yes
/ppp secret
add local-address=172.27.9.1 name=ppp1 profile=default-encryption
add name=vpn
/radius
add address=192.168.11.1 service=ppp,ipsec
/radius incoming
set accept=yes
/routing filter
add action=accept chain=ospf-in disabled=yes
add action=accept chain=ospf-out disabled=yes
/routing ospf interface
add interface=bridge
add interface=bridge_wifi network-type=broadcast
add interface=bridge_yura
/routing ospf nbma-neighbor
add address=192.168.11.2 disabled=yes poll-interval=1m
/routing ospf network
add area=backbone network=192.168.11.0/24
add area=backbone network=172.27.7.0/24
/routing ospf-v3 interface
add area=backbone disabled=yes interface=bridge
/snmp
set contact=xxxxxxxxx.xxx enabled=yes location=D1 trap-interfaces=bridge \
trap-version=3
/system clock
set time-zone-name=Europe/Kiev
/system console
set [ find ] disabled=yes
/system identity
set name=xxxxxxxxx
/system logging
add disabled=yes topics=sstp
add disabled=yes topics=ppp
/system ntp client
set enabled=yes primary-ntp=62.149.0.30 secondary-ntp=31.28.161.71
/system ntp server
set enabled=yes multicast=yes
/system scheduler
add interval=1d name=schedule_backup on-event=\
"system backup save name=today.backup" policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=sep/05/2020 start-time=02:03:30
/system ups
add disabled=yes min-runtime=5m name=ups1 offline-time=5m port=usb1
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Re: source ip issue [SOLVED]
Use address with correct mask, your current address=192.168.64.1 means address=192.168.64.1/32.
Re: source ip issue
@kerya
Слава Україні!
Я з тобою...
Слава Україні!
Я з тобою...