Acceskonzentrator Firewall
Posted: Tue May 24, 2005 5:57 pm
Hi,
Konfiguration:
DSL dynamic Address -> Router -> Mikrotik (ether1)
IP Pool -> Mikrotik (ether2)
Mikrotik PPPoE Server (ether3)
Mirkotik Konfiguration:
/ interface ethernet
set "DSL (ether1)" name="DSL \(ether1\)" mtu=1500 \
mac-address=00:90:27:8F:35:55 arp=enabled disable-running-check=yes \
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps \
comment="" disabled=no
set "static (ether2)" name="static \(ether2\)" mtu=1500 \
mac-address=00:02:B3:40:15:88 arp=proxy-arp disable-running-check=yes \
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps \
comment="" disabled=no
set "DDLAN (ether3)" name="DDLAN \(ether3\)" mtu=1500 \
mac-address=00:07:E9:A8:0B:38 arp=enabled disable-running-check=yes \
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps \
comment="" disabled=no
/ interface bridge port
set "DSL (ether1)" bridge=none priority=128 path-cost=10
set "static (ether2)" bridge=none priority=128 path-cost=10
set ether3 bridge=none priority=128 path-cost=10
set ether4 bridge=none priority=128 path-cost=10
set "DDLAN (ether3)" bridge=none priority=128 path-cost=10
add service-name="ddlan" interface="DDLAN (ether3)" max-mtu=1480 max-mru=1480 \
authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10 \
one-session-per-host=yes max-sessions=0 default-profile=default \
disabled=no
/ ip address
add address=xx.xx.xx.194/26 network=xx.xx.xx.192 broadcast=xx.xx.xx.255 interface="static (ether2)" comment="" \
disabled=no
add address=172.16.0.2/16 network=172.16.0.0 broadcast=172.16.255.255 interface="DDLAN (ether3)" comment="" disabled=no
add address=192.168.102.1/24 network=192.168.102.0 broadcast=192.168.102.255 interface="DSL (ether1)" comment="" \
disabled=no
/ ip route
add dst-address=0.0.0.0/0 gateway=xx.xx.xx.193 distance=1 scope=255 target-scope=10 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.102.254 distance=1 scope=255 target-scope=10 routing-mark=PPPoE comment="" \
disabled=no
/ ip pool
add name="static" ranges=xx.xx.xx.196-xx.xx.xx.254
add name="PPPoE dyn" ranges=192.168.0.2-192.168.0.254
/ ppp profile
set default name="default" use-compression=no use-vj-compression=no use-encryption=no only-one=yes change-tcp-mss=yes \
comment=""
add name="static" local-address=192.168.0.1 remote-address="static" use-compression=yes use-vj-compression=yes \
use-encryption=yes only-one=yes change-tcp-mss=yes comment=""
add name="DSL NAT" local-address=192.168.0.1 remote-address="PPPoE dyn" use-compression=yes use-vj-compression=yes \
use-encryption=yes only-one=yes change-tcp-mss=yes comment=""
add name="default-encryption" use-compression=default use-vj-compression=default use-encryption=yes only-one=yes \
change-tcp-mss=yes comment=""
/ interface pppoe-server server
add service-name="ddlan" interface="DDLAN (ether3)" max-mtu=1480 max-mru=1480 authentication=pap,chap,mschap1,mschap2 \
keepalive-timeout=10 one-session-per-host=yes max-sessions=0 default-profile=default disabled=no
/ ip firewall mangle
add chain=prerouting src-address=192.168.0.0/24 dst-address=0.0.0.0/0 action=mark-routing new-routing-mark=PPPoE \
comment="" disabled=no
This koniguration works fine for both PPP Profiles
When adding:
/ ip firewall filter
add chain=forward src-address=192.168.0.0/24 action=accept comment="" disabled=no
add chain=forward src-address=xx.xx.xx.192/26 action=accept comment="" disabled=no
add chain=forward action=drop comment="" disabled=yes
then the profile "DSL NAT" works, profile "static" have no foward fom PPPoE-Server to Internet
any hints?
tnx
Thomas Böttcher
P.S. sorry for my english
Konfiguration:
DSL dynamic Address -> Router -> Mikrotik (ether1)
IP Pool -> Mikrotik (ether2)
Mikrotik PPPoE Server (ether3)
Mirkotik Konfiguration:
/ interface ethernet
set "DSL (ether1)" name="DSL \(ether1\)" mtu=1500 \
mac-address=00:90:27:8F:35:55 arp=enabled disable-running-check=yes \
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps \
comment="" disabled=no
set "static (ether2)" name="static \(ether2\)" mtu=1500 \
mac-address=00:02:B3:40:15:88 arp=proxy-arp disable-running-check=yes \
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps \
comment="" disabled=no
set "DDLAN (ether3)" name="DDLAN \(ether3\)" mtu=1500 \
mac-address=00:07:E9:A8:0B:38 arp=enabled disable-running-check=yes \
auto-negotiation=yes full-duplex=yes cable-settings=default speed=100Mbps \
comment="" disabled=no
/ interface bridge port
set "DSL (ether1)" bridge=none priority=128 path-cost=10
set "static (ether2)" bridge=none priority=128 path-cost=10
set ether3 bridge=none priority=128 path-cost=10
set ether4 bridge=none priority=128 path-cost=10
set "DDLAN (ether3)" bridge=none priority=128 path-cost=10
add service-name="ddlan" interface="DDLAN (ether3)" max-mtu=1480 max-mru=1480 \
authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10 \
one-session-per-host=yes max-sessions=0 default-profile=default \
disabled=no
/ ip address
add address=xx.xx.xx.194/26 network=xx.xx.xx.192 broadcast=xx.xx.xx.255 interface="static (ether2)" comment="" \
disabled=no
add address=172.16.0.2/16 network=172.16.0.0 broadcast=172.16.255.255 interface="DDLAN (ether3)" comment="" disabled=no
add address=192.168.102.1/24 network=192.168.102.0 broadcast=192.168.102.255 interface="DSL (ether1)" comment="" \
disabled=no
/ ip route
add dst-address=0.0.0.0/0 gateway=xx.xx.xx.193 distance=1 scope=255 target-scope=10 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.102.254 distance=1 scope=255 target-scope=10 routing-mark=PPPoE comment="" \
disabled=no
/ ip pool
add name="static" ranges=xx.xx.xx.196-xx.xx.xx.254
add name="PPPoE dyn" ranges=192.168.0.2-192.168.0.254
/ ppp profile
set default name="default" use-compression=no use-vj-compression=no use-encryption=no only-one=yes change-tcp-mss=yes \
comment=""
add name="static" local-address=192.168.0.1 remote-address="static" use-compression=yes use-vj-compression=yes \
use-encryption=yes only-one=yes change-tcp-mss=yes comment=""
add name="DSL NAT" local-address=192.168.0.1 remote-address="PPPoE dyn" use-compression=yes use-vj-compression=yes \
use-encryption=yes only-one=yes change-tcp-mss=yes comment=""
add name="default-encryption" use-compression=default use-vj-compression=default use-encryption=yes only-one=yes \
change-tcp-mss=yes comment=""
/ interface pppoe-server server
add service-name="ddlan" interface="DDLAN (ether3)" max-mtu=1480 max-mru=1480 authentication=pap,chap,mschap1,mschap2 \
keepalive-timeout=10 one-session-per-host=yes max-sessions=0 default-profile=default disabled=no
/ ip firewall mangle
add chain=prerouting src-address=192.168.0.0/24 dst-address=0.0.0.0/0 action=mark-routing new-routing-mark=PPPoE \
comment="" disabled=no
This koniguration works fine for both PPP Profiles
When adding:
/ ip firewall filter
add chain=forward src-address=192.168.0.0/24 action=accept comment="" disabled=no
add chain=forward src-address=xx.xx.xx.192/26 action=accept comment="" disabled=no
add chain=forward action=drop comment="" disabled=yes
then the profile "DSL NAT" works, profile "static" have no foward fom PPPoE-Server to Internet
any hints?
tnx
Thomas Böttcher
P.S. sorry for my english