Community discussions

MikroTik App
  4. RouterOS
  5. General

DMZ not accessible with PCC

Post Reply
 
cicserver
Member
Member
Topic Author
Posts: 303
Joined: Sun Jul 24, 2011 12:04 pm

DMZ not accessible with PCC

Mon May 18, 2015 6:50 am

I have mikrotik acting as pppoe server for user. DUAL WAN (wan links are pppoe client) PCC is also configured on same RB.
At one separate port I have connected my radius server in it. inside LAN I can access it but from the internet its not accessible. I created config to do port forwarding but its not working. My config is as follows ...
MANGLE SECTION
Code: Select all
/ip firewall mangle
add action=accept chain=prerouting comment="accept radius server from being processed by PCC" disabled=no dst-address=192.168.1.2

add action=mark-connection chain=input comment="Mark Connection - IN wan1,OUT wan1" disabled=no in-interface=pppoe-out1 new-connection-mark=pppoe_out1_conn passthrough=yes
add action=mark-routing chain=output comment="Mark Routing - IN wan1,OUT wan1" connection-mark=pppoe_out1_conn disabled=no new-routing-mark=pppoe_out1_traffic passthrough=no

add action=mark-connection chain=input comment="Mark Connection - IN wan2, OUT wan2" disabled=no in-interface=pppoe-out2 new-connection-mark=pppoe_out2_conn passthrough=yes
add action=mark-routing chain=output comment="Mark Routing -  IN wan2,OUT wan2" connection-mark=pppoe_out2_conn disabled=no new-routing-mark=pppoe_out2_traffic passthrough=no

add action=mark-connection chain=forward comment="Mark Connection for new conn - Packet Forward wan1, out wan1" connection-state=new disabled=no in-interface=pppoe-out1 new-connection-mark=pppoe_out1_pfw \
    passthrough=no
add action=mark-routing chain=prerouting comment="Mark Packets for new conn - Packet Forward wan1, out wan1" connection-mark=pppoe_out1_pfw disabled=no in-interface=Local new-routing-mark=\
    pppoe_out1_traffic passthrough=no

add action=mark-connection chain=forward comment="Mark Connection for new conn - Packet Forward  wan2, out wan2" connection-state=new disabled=no in-interface=pppoe-out2 new-connection-mark=pppoe_out2_pfw \
    passthrough=no
add action=mark-routing chain=prerouting comment="Mark Routing for new conn - Packet Forward  wan2, out wan2" connection-mark=pppoe_out2_pfw disabled=no in-interface=Local new-routing-mark=\
    pppoe_out2_traffic passthrough=no

add action=accept chain=prerouting disabled=no in-interface=pppoe-out1
add action=accept chain=prerouting disabled=no in-interface=pppoe-out2

add action=mark-connection chain=prerouting disabled=no dst-address-type=!local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=src-address:2/0 src-address-list="allowed users"
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=src-address:2/1 src-address-list="allowed users"

add action=mark-routing chain=prerouting connection-mark=wan1_conn disabled=no new-routing-mark=to_wan1 passthrough=yes src-address-list="allowed users"
add action=mark-routing chain=prerouting connection-mark=wan2_conn disabled=no new-routing-mark=to_wan2 passthrough=yes src-address-list="allowed users"
NAT SECTION
Code: Select all
/ip firewall nat
add action=masquerade chain=srcnat disabled=no dst-address=192.168.1.2

add action=dst-nat chain=dstnat comment="Route radius web from INTERNET LINK1" disabled=no dst-port=80 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.1.2 to-ports=80
add action=dst-nat chain=dstnat comment="Route radius web from  INTERNET LINK2" disabled=no dst-port=80 in-interface=pppoe-out2 protocol=tcp to-addresses=192.168.1.2 to-ports=80

add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1 src-address-list="allowed users"
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out2 src-address-list="allowed users"
ROUTE SECTION
Code: Select all
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=pppoe_out1_traffic scope=30 target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=pppoe_out2_traffic scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_wan1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to_wan2 scope=30 target-scope=10
Top
 
antofrage
just joined
Posts: 1
Joined: Wed Nov 23, 2016 1:42 pm

Re: DMZ not accessible with PCC

Wed Nov 23, 2016 2:23 pm

Hello,
I have mikrotik acting as multi wan router with captive portal, PCC is configured on same RB and radius server is connected on the DMZ vlan.
There are 8 vlans. PCC and radius work well, but it's impossible to do NAT 1:1 with DMZ interface.

WAN IPS:
address 192.168.18.2/24 interface WAN1 network=192.168.18.0
address 192.168.19.2/24 interface WAN2 network=192.168.19.0
address 192.168.20.2/24 interface WAN3 network=192.168.20.0
WAN ALIASES:
address 192.168.18.3/24 interface WAN1 network192.168.18.0
address 192.168.19.3/24 interface WAN2 network 192.168.19.0
address 192.168.20.3/24 interface WAN3 network 192.168.20.0
VLAN ADDRESSES:
address 172.16.100.1/24 interface VLAN100-DMZ
address 172.16.10.1/24 interface VLAN10-ENERGIA
address 172.16.20.1/24 interface VLAN20-SICUREZZA
address 172.16.30.1/24 interface=VLAN30-DISTRETTO
address 172.16.40.1/24 interface VLAN40-GUESTS
address 172.16.50.1/24 interface VLAN50-VOIP
address 172.16.101.1/24 interface=VLAN101-OUTDOORWIFI
address 172.16.102.1/24 interface VLAN102-OUTDOORWIFIGUESTS network=172.16.102.0
address 172.16.200.1/24 interface VLAN200-VIDEO
address 10.0.0.1/24 interfaceMANAGEMENT

This is my full configuration:
Code: Select all
# nov/21/2016 19:43:30 by RouterOS 6.36.3
# software id = AVTQ-DG04
#

/interface ethernet
set [ find default-name=ether1 ] name=WAN1
set [ find default-name=ether2 ] name=WAN2
set [ find default-name=ether3 ] name=WAN3
set [ find default-name=ether4 ] name=LAN
set [ find default-name=ether5 ] name=MANAGEMENT

/ip neighbor discovery
set WAN1 discover=no

/interface vlan
add interface=LAN name=VLAN10-ENERGIA vlan-id=10
add interface=LAN name=VLAN20-SICUREZZA vlan-id=20
add interface=LAN name=VLAN30-DISTRETTO vlan-id=30
add interface=LAN name=VLAN40-GUESTS vlan-id=40
add interface=LAN name=VLAN50-VOIP vlan-id=50
add interface=LAN name=VLAN100-DMZ vlan-id=100
add interface=LAN name=VLAN101-OUTDOORWIFI vlan-id=101
add interface=LAN name=VLAN102-OUTDOORWIFIGUESTS vlan-id=102
add interface=LAN name=VLAN200-VIDEO vlan-id=200

/ip hotspot profile
add dns-name=energia.domus.local hotspot-address=172.16.10.1 login-by=http-chap name=hotspot-VLAN10-ENERGIA use-radius=yes
add dns-name=sicurezza.domus.local hotspot-address=172.16.20.1 login-by=http-chap name=hotspot-VLAN20-SICUREZZA use-radius=yes
add dns-name=distretto.domus.local hotspot-address=172.16.30.1 login-by=http-chap name=hotspot-VLAN30-DISTRETTO use-radius=yes
add dns-name=distretto.guests.domus.local hotspot-address=172.16.40.1 login-by=http-chap name=hotspot-VLAN40-GUESTS use-radius=yes
add dns-name=wifioutdoor.domus.local hotspot-address=172.16.101.1 login-by=http-chap name=hotspot-VLAN101-OUTDOORWIFI use-radius=yes
add dns-name=wifioutdoor.guests.domus.local hotspot-address=172.16.102.1 login-by=http-chap name=hotspot-VLAN102-OUTDOORWIFIGUESTS use-radius=yes

/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp-pool-VLAN100-DMZ ranges=172.16.100.2-172.16.100.240
add name=dhcp-pool-MANAGEMENT ranges=10.0.0.2-10.0.0.20
add name=dhcp-pool-VLAN10-ENERGIA ranges=172.16.10.2-172.16.10.240
add name=dhcp-pool-VLAN20-SICUREZZA ranges=172.16.20.2-172.16.20.254
add name=dhcp-pool-VLAN30-DISTRETTO ranges=172.16.30.2-172.16.30.254
add name=dhcp-pool-VLAN40-GUESTS ranges=172.16.40.2-172.16.40.254
add name=dhcp-pool-VLAN50-VOIP ranges=172.16.50.2-172.16.50.254
add name=dhcp-pool-VLAN101-OUTDOORWIFI ranges=172.16.101.2-172.16.101.254
add name=dhcp-pool-VLAN102-OUTDOORWIFIGUESTS ranges=172.16.102.2-172.16.102.254
add name=dhcp-pool-VLAN200-VIDEO ranges=172.16.200.2-172.16.200.254

/ip dhcp-server
add address-pool=default-dhcp interface=WAN2 name=defconf
add address-pool=dhcp-pool-VLAN100-DMZ disabled=no interface=VLAN100-DMZ name=dhcp-server-VLAN100-DMZ
add address-pool=dhcp-pool-MANAGEMENT disabled=no interface=MANAGEMENT name=dhcp-server-MANAGEMENT
add address-pool=dhcp-pool-VLAN10-ENERGIA disabled=no interface=VLAN10-ENERGIA lease-time=1h name=dhcp-server-VLAN10-ENERGIA
add address-pool=dhcp-pool-VLAN20-SICUREZZA disabled=no interface=VLAN20-SICUREZZA lease-time=1h name=dhcp-server-VLAN20-SICUREZZA
add address-pool=dhcp-pool-VLAN30-DISTRETTO disabled=no interface=VLAN30-DISTRETTO lease-time=1h name=dhcp-server-VLAN30-DISTRETTO
add address-pool=dhcp-pool-VLAN40-GUESTS disabled=no interface=VLAN40-GUESTS lease-time=1h name=dhcp-server-VLAN40-GUESTS
add address-pool=dhcp-pool-VLAN50-VOIP disabled=no interface=VLAN50-VOIP lease-time=1h name=dhcp-server-VLAN50-VOIP
add address-pool=dhcp-pool-VLAN101-OUTDOORWIFI disabled=no interface=VLAN101-OUTDOORWIFI lease-time=1h name=dhcp-server-VLAN101-OUTDOORWIFI
add address-pool=dhcp-pool-VLAN102-OUTDOORWIFIGUESTS disabled=no interface=VLAN102-OUTDOORWIFIGUESTS lease-time=1h name=dhcp-server-VLAN102-OUTDOORWIFIGUESTS
add address-pool=dhcp-pool-VLAN200-VIDEO disabled=no interface=VLAN200-VIDEO lease-time=1h name=dhcp-server-VLAN200-VIDEO

/ip hotspot
add address-pool=dhcp-pool-VLAN10-ENERGIA disabled=no interface=VLAN10-ENERGIA name=hs-VLAN10-ENERGIA profile=hotspot-VLAN10-ENERGIA
add address-pool=dhcp-pool-VLAN20-SICUREZZA disabled=no interface=VLAN20-SICUREZZA name=hs-VLAN20-SICUREZZA profile=hotspot-VLAN20-SICUREZZA
add address-pool=dhcp-pool-VLAN30-DISTRETTO disabled=no interface=VLAN30-DISTRETTO name=hs-VLAN30-DISTRETTO profile=hotspot-VLAN30-DISTRETTO
add address-pool=dhcp-pool-VLAN40-GUESTS disabled=no interface=VLAN40-GUESTS name=hs-VLAN40-GUESTS profile=hotspot-VLAN40-GUESTS
add address-pool=dhcp-pool-VLAN101-OUTDOORWIFI disabled=no interface=VLAN101-OUTDOORWIFI name=hs-VLAN101-OUTDOORWIFI profile=hotspot-VLAN101-OUTDOORWIFI
add address-pool=dhcp-pool-VLAN102-OUTDOORWIFIGUESTS disabled=no interface=VLAN102-OUTDOORWIFIGUESTS name=hs-VLAN102-OUTDOORWIFIGUESTS profile=hotspot-VLAN102-OUTDOORWIFIGUESTS

/ip address
add address=192.168.88.1/24 comment=defconf disabled=yes interface=WAN2 network=192.168.88.0
add address=192.168.18.2/24 interface=WAN1 network=192.168.18.0
add address=192.168.19.2/24 interface=WAN2 network=192.168.19.0
add address=192.168.20.2/24 interface=WAN3 network=192.168.20.0
add address=172.16.100.1/24 interface=VLAN100-DMZ network=172.16.100.0
add address=172.16.10.1/24 comment="hotspot network" interface=VLAN10-ENERGIA network=172.16.10.0
add address=172.16.20.1/24 comment="hotspot network" interface=VLAN20-SICUREZZA network=172.16.20.0
add address=172.16.30.1/24 comment="hotspot network" interface=VLAN30-DISTRETTO network=172.16.30.0
add address=172.16.40.1/24 interface=VLAN40-GUESTS network=172.16.40.0
add address=172.16.50.1/24 interface=VLAN50-VOIP network=172.16.50.0
add address=172.16.101.1/24 comment="hotspot network" interface=VLAN101-OUTDOORWIFI network=172.16.101.0
add address=172.16.102.1/24 comment="hotspot network" interface=VLAN102-OUTDOORWIFIGUESTS network=172.16.102.0
add address=172.16.200.1/24 interface=VLAN200-VIDEO network=172.16.200.0
add address=10.0.0.1/24 interface=MANAGEMENT network=10.0.0.0
add address=192.168.18.3/24 interface=WAN1 network=192.168.18.0
add address=192.168.19.3/24 interface=WAN2 network=192.168.19.0
add address=192.168.20.3/24 interface=WAN3 network=192.168.20.0

/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=WAN1

/ip dhcp-server network
add address=10.0.0.0/24 comment="Dhcp MANAGEMENT" dns-server=10.0.0.1 domain=MANAGEMENT.domus.local gateway=10.0.0.1
add address=172.16.10.0/24 comment="hotspot network" dns-server=172.16.10.1 domain=energia.domus.local gateway=172.16.10.1
add address=172.16.20.0/24 comment="hotspot network" dns-server=172.16.20.1 domain=sicurezza.domus.local gateway=172.16.20.1
add address=172.16.30.0/24 comment="hotspot network" dns-server=172.16.30.1 domain=distretto.domus.local gateway=172.16.30.1
add address=172.16.40.0/24 comment="hotspot network" dns-server=172.16.40.1 domain=distretto.guests.domus.local gateway=172.16.40.1
add address=172.16.50.0/24 comment="hotspot network" dns-server=172.16.50.1 domain=voip.domus.local gateway=172.16.50.1
add address=172.16.100.0/24 comment="Dhcp VLAN100-DMZ" dns-server=172.16.100.1 domain=VLAN100-DMZ.domus.local gateway=172.16.100.1
add address=172.16.101.0/24 comment="hotspot network" dns-server=172.16.101.1 domain=wifioutdoor.domus.local gateway=172.16.101.1
add address=172.16.102.0/24 comment="hotspot network" dns-server=172.16.102.1 domain=wifioutdoor.guests.domus.local gateway=172.16.102.1
add address=172.16.200.0/24 comment="hotspot network" dns-server=172.16.200.1 domain=videosorveglianza.domus.local gateway=172.16.200.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4

/ip dns static
add address=192.168.88.1 name=router

/ip firewall address-list 
add address=172.16.10.1-172.16.10.255 comment="Allowed Users to Use Internet" disabled=no list="AllowedUsers" 
add address=172.16.20.1-172.16.20.255 comment="Allowed Users to Use Internet" disabled=no list="AllowedUsers"
add address=172.16.30.1-172.16.30.255 comment="Allowed Users to Use Internet" disabled=no list="AllowedUsers"
add address=172.16.40.1-172.16.40.255 comment="Allowed Users to Use Internet" disabled=no list="AllowedUsers"
add address=172.16.50.1-172.16.50.255 comment="Allowed Users to Use Internet" disabled=no list="AllowedUsers"
add address=172.16.100.1-172.16.100.255 comment="Allowed Users to Use Internet" disabled=no list="AllowedUsers"
add address=172.16.101.1-172.16.101.255 comment="Allowed Users to Use Internet" disabled=no list="AllowedUsers"
add address=172.16.102.1-172.16.102.255 comment="Allowed Users to Use Internet" disabled=no list="AllowedUsers"
add address=172.16.200.1-172.16.200.255 comment="Allowed Users to Use Internet" disabled=no list="AllowedUsers"

/ip firewall address-list 
add address=172.16.10.1-172.16.10.255 comment="VLAN10-ENERGIA" disabled=no list="VLAN10-ENERGIA-NET"
add address=172.16.20.1-172.16.20.255 comment="VLAN10-SICUREZZA" disabled=no list="VLAN20-SICUREZZA-NET"
add address=172.16.30.1-172.16.30.255 comment="VLAN30-DISTRETTO" disabled=no list="VLAN30-DISTRETTO-NET"
add address=172.16.40.1-172.16.40.255 comment="VLAN40-GUESTS" disabled=no list="VLAN40-GUESTS-NET"
add address=172.16.50.1-172.16.50.255 comment="VLAN50-VOIP" disabled=no list="VLAN50-VOIP-NET"
add address=172.16.100.1-172.16.100.255 comment="VLAN100-DMZ" disabled=no list="VLAN100-DMZ-NET"
add address=172.16.101.1-172.16.101.255 comment="VLAN101-OUTDOORWIFI" disabled=no list="VLAN101-OUTDOORWIFI-NET"
add address=172.16.102.1-172.16.102.255 comment="VLAN102-OUTDOORWIFIGUESTS" disabled=no list="VLAN102-OUTDOORWIFIGUESTS-NET"
add address=172.16.200.1-172.16.200.255 comment="VLAN200-VIDEO" disabled=no list="VLAN200-VIDEO-NET"


/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=WAN1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=WAN1
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes protocol=icmp
add action=accept chain=input comment="defconf: accept establieshed,related" connection-state=established,related disabled=yes
add action=drop chain=input comment="defconf: drop all from WAN" disabled=yes in-interface=WAN1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related disabled=yes
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
#add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface=WAN1
add action=reject chain=hs-input comment="Block Communication between all vlan subnets in captive portal" dst-address=172.16.20.1-172.16.20.254 reject-with=icmp-net-prohibited src-address=172.16.10.1-172.16.10.254
add action=reject chain=hs-input comment="Block Communication between all vlan subnets in captive portal" dst-address=172.16.10.1-172.16.10.254 reject-with=icmp-net-prohibited src-address=172.16.20.1-172.16.20.254
add action=reject chain=hs-input comment="Block Communication between all vlan subnets in captive portal" dst-address=172.16.30.1-172.16.30.254 reject-with=icmp-net-prohibited src-address=172.16.10.1-172.16.10.254
add action=reject chain=hsinput comment="Block Communication between all vlan subnets in captive portal" dst
add action=accept chain=forward connection-nat-state=dstnat connection-state=established,related in-interface=WAN1
add action=accept chain=forward connection-nat-state=dstnat connection-state=established,related in-interface=WAN2
add action=accept chain=forward connection-nat-state=dstnat connection-state=established,related in-interface=WAN3

############################################ 
#  PORT FORWARDING RELATED MANGLE SECTION STARTS 
############################################ 
/ip firewall mangle  
# This section is related to packet marking for Marking connections/packets arrived at WAN1 link 
add action=mark-connection chain=input comment="Mark Connection - IN WAN1,OUT WAN1" disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes 
add action=mark-routing chain=output comment="Mark Routing - IN WAN1,OUT WAN1" connection-mark=WAN1_conn disabled=no new-routing-mark=WAN1_traffic passthrough=no  
# This section is related to packet marking for Marking connections/packets arrived at WAN2 link 
add action=mark-connection chain=input comment="Mark Connection - IN WAN2, OUT WAN2" disabled=no in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes 
add action=mark-routing chain=output comment="Mark Routing -  IN WAN2,OUT WAN2" connection-mark=WAN2_conn disabled=no new-routing-mark=WAN2_traffic passthrough=no 
# This section is related to packet marking for Marking connections/packets arrived at WAN3 link 
add action=mark-connection chain=input comment="Mark Connection - IN WAN3, OUT WAN3" disabled=no in-interface=WAN3 new-connection-mark=WAN3_conn passthrough=yes 
add action=mark-routing chain=output comment="Mark Routing -  IN WAN3,OUT WAN3" connection-mark=WAN3_conn disabled=no new-routing-mark=WAN3_traffic passthrough=no 

add action=mark-connection chain=forward comment="Mark Connection for new conn - Packet Forward WAN1, out WAN1" connection-state=new disabled=no in-interface=WAN1 new-connection-mark=WAN1_pfw passthrough=no 
add action=mark-routing chain=prerouting comment="Mark Packets for new conn - Packet Forward WAN1, out WAN1" connection-mark=WAN1_pfw disabled=no in-interface=VLAN100-DMZ new-routing-mark=WAN1_traffic passthrough=no 
add action=mark-connection chain=forward comment="Mark Connection for new conn - Packet Forward  WAN2, out WAN2" connection-state=new disabled=no in-interface=WAN2 new-connection-mark=WAN2_pfw passthrough=no 
add action=mark-routing chain=prerouting comment="Mark Routing for new conn - Packet Forward  WAN2, out WAN2" connection-mark=WAN2_pfw disabled=no in-interface=VLAN100-DMZ new-routing-mark=WAN2_traffic passthrough=no 
add action=mark-connection chain=forward comment="Mark Connection for new conn - Packet Forward  WAN3, out WAN3" connection-state=new disabled=no in-interface=WAN3 new-connection-mark=WAN3_pfw passthrough=no 
add action=mark-routing chain=prerouting comment="Mark Routing for new conn - Packet Forward  WAN3, out WAN3" connection-mark=WAN2_pfw disabled=no in-interface=VLAN100-DMZ new-routing-mark=WAN3_traffic passthrough=no 

  
######################## 
#  GENERAL PCC SECTION 
######################## 
  /ip firewall mangle
add action=mark-connection chain=input hotspot=auth in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input hotspot=auth in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=input hotspot=auth in-interface=WAN3 new-connection-mark=WAN3_conn passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN3_conn new-routing-mark=to_WAN3 passthrough=yes
add action=accept chain=prerouting dst-address=192.168.18.0/24 hotspot=auth in-interface=VLAN10-ENERGIA
add action=accept chain=prerouting dst-address=192.168.19.0/24 hotspot=auth in-interface=VLAN10-ENERGIA
add action=accept chain=prerouting dst-address=192.168.20.0/24 hotspot=auth in-interface=VLAN10-ENERGIA
add action=accept chain=prerouting dst-address=192.168.18.0/24 hotspot=auth in-interface=VLAN20-SICUREZZA
add action=accept chain=prerouting dst-address=192.168.19.0/24 hotspot=auth in-interface=VLAN20-SICUREZZA
add action=accept chain=prerouting dst-address=192.168.20.0/24 hotspot=auth in-interface=VLAN20-SICUREZZA
add action=accept chain=prerouting dst-address=192.168.18.0/24 hotspot=auth in-interface=VLAN30-DISTRETTO
add action=accept chain=prerouting dst-address=192.168.19.0/24 hotspot=auth in-interface=VLAN30-DISTRETTO
add action=accept chain=prerouting dst-address=192.168.20.0/24 hotspot=auth in-interface=VLAN30-DISTRETTO
add action=accept chain=prerouting dst-address=192.168.18.0/24 hotspot=auth in-interface=VLAN40-GUESTS
add action=accept chain=prerouting dst-address=192.168.19.0/24 hotspot=auth in-interface=VLAN40-GUESTS
add action=accept chain=prerouting dst-address=192.168.20.0/24 hotspot=auth in-interface=VLAN40-GUESTS
add action=accept chain=prerouting dst-address=192.168.18.0/24 hotspot=auth in-interface=VLAN50-VOIP
add action=accept chain=prerouting dst-address=192.168.19.0/24 hotspot=auth in-interface=VLAN50-VOIP
add action=accept chain=prerouting dst-address=192.168.20.0/24 hotspot=auth in-interface=VLAN50-VOIP
add action=accept chain=prerouting dst-address=192.168.18.0/24 hotspot=auth in-interface=VLAN100-DMZ
add action=accept chain=prerouting dst-address=192.168.19.0/24 hotspot=auth in-interface=VLAN100-DMZ
add action=accept chain=prerouting dst-address=192.168.20.0/24 hotspot=auth in-interface=VLAN100-DMZ
add action=accept chain=prerouting dst-address=192.168.18.0/24 hotspot=auth in-interface=VLAN101-OUTDOORWIFI
add action=accept chain=prerouting dst-address=192.168.19.0/24 hotspot=auth in-interface=VLAN101-OUTDOORWIFI
add action=accept chain=prerouting dst-address=192.168.20.0/24 hotspot=auth in-interface=VLAN101-OUTDOORWIFI
add action=accept chain=prerouting dst-address=192.168.18.0/24 hotspot=auth in-interface=VLAN102-OUTDOORWIFIGUESTS
add action=accept chain=prerouting dst-address=192.168.19.0/24 hotspot=auth in-interface=VLAN102-OUTDOORWIFIGUESTS
add action=accept chain=prerouting dst-address=192.168.20.0/24 hotspot=auth in-interface=VLAN102-OUTDOORWIFIGUESTS
add action=accept chain=prerouting dst-address=192.168.18.0/24 hotspot=auth in-interface=VLAN200-VIDEO
add action=accept chain=prerouting dst-address=192.168.19.0/24 hotspot=auth in-interface=VLAN200-VIDEO
add action=accept chain=prerouting dst-address=192.168.20.0/24 hotspot=auth in-interface=VLAN200-VIDEO
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=VLAN10-ENERGIA new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=VLAN10-ENERGIA new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn hotspot=auth in-interface=VLAN10-ENERGIA new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn hotspot=auth in-interface=VLAN10-ENERGIA new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn hotspot=auth in-interface=VLAN10-ENERGIA new-routing-mark=to_WAN3 passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=VLAN20-SICUREZZA new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=VLAN20-SICUREZZA new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=VLAN20-SICUREZZA new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn hotspot=auth in-interface=VLAN20-SICUREZZA new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn hotspot=auth in-interface=VLAN20-SICUREZZA new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn hotspot=auth in-interface=VLAN20-SICUREZZA new-routing-mark=to_WAN3 passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=VLAN30-DISTRETTO new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=VLAN30-DISTRETTO new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=VLAN30-DISTRETTO new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn hotspot=auth in-interface=VLAN30-DISTRETTO new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn hotspot=auth in-interface=VLAN30-DISTRETTO new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn hotspot=auth in-interface=VLAN30-DISTRETTO new-routing-mark=to_WAN3 passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=VLAN40-GUESTS new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=VLAN40-GUESTS new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=VLAN40-GUESTS new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn hotspot=auth in-interface=VLAN40-GUESTS new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn hotspot=auth in-interface=VLAN40-GUESTS new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn hotspot=auth in-interface=VLAN40-GUESTS new-routing-mark=to_WAN3 passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=VLAN50-VOIP new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=VLAN50-VOIP new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=VLAN50-VOIP new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=VLAN50-VOIP new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=VLAN50-VOIP new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn in-interface=VLAN50-VOIP new-routing-mark=to_WAN3 passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=VLAN100-DMZ new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=VLAN100-DMZ new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=VLAN100-DMZ new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=VLAN100-DMZ new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=VLAN100-DMZ new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn in-interface=VLAN100-DMZ new-routing-mark=to_WAN3 passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=VLAN101-OUTDOORWIFI new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=VLAN101-OUTDOORWIFI new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=VLAN101-OUTDOORWIFI new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn hotspot=auth in-interface=VLAN101-OUTDOORWIFI new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn hotspot=auth in-interface=VLAN101-OUTDOORWIFI new-routing-mark=to_WAN3 passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=VLAN102-OUTDOORWIFIGUESTS new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=VLAN102-OUTDOORWIFIGUESTS new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=VLAN102-OUTDOORWIFIGUESTS new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn hotspot=auth in-interface=VLAN102-OUTDOORWIFIGUESTS new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn hotspot=auth in-interface=VLAN102-OUTDOORWIFIGUESTS new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn hotspot=auth in-interface=VLAN102-OUTDOORWIFIGUESTS new-routing-mark=to_WAN3 passthrough=yes
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=VLAN200-VIDEO new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=VLAN200-VIDEO new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=VLAN200-VIDEO new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=VLAN200-VIDEO new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=VLAN200-VIDEO new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN3_conn in-interface=VLAN200-VIDEO new-routing-mark=to_WAN3 passthrough=yes
#add action=mark-routing chain=prerouting connection-mark=WAN2_conn hotspot=auth in-interface=VLAN101-OUTDOORWIFI new-routing-mark=to_WAN2 passthrough=yes

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=WAN1
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=dst-nat chain=dstnat dst-port=5900 in-interface=WAN2 protocol=tcp src-port="" to-addresses=172.16.100.11 to-ports=5900
add action=dst-nat chain=dstnat dst-port=5900 in-interface=WAN1 protocol=tcp src-port="" to-addresses=172.16.100.11 to-ports=5900
add action=dst-nat chain=dstnat dst-port=5900 in-interface=WAN3 protocol=tcp src-port="" to-addresses=172.16.100.11 to-ports=5900
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2
add action=masquerade chain=srcnat out-interface=WAN3
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=172.16.10.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=172.16.20.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=172.16.30.0/24
add action=masquerade chain=srcnat comment="masquerade VOIP network" src-address=172.16.40.0/24
add action=masquerade chain=srcnat comment="masquerade Outdoor Wifi network" src-address=172.16.102.0/24
add action=masquerade chain=srcnat comment="masquerade Dmz network" src-address=172.16.100.0/24

/ip hotspot user
add name=admin password=firewall

################################################## 
#  ROUTE SECTION FOR PCC AND PORT FORWARD PACKETS 
################################################## 
# Add routes for general PCC 
#/ip route 
#add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WAN1 routing-mark=to_WAN1 scope=30 target-scope=10 
#add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=WAN2 routing-mark=to_WAN2 scope=30 target-scope=10 
#add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=WAN3 routing-mark=to_WAN3 scope=30 target-scope=10 

/ip route
add check-gateway=ping distance=1 gateway=192.168.18.254%WAN1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.19.254%WAN2 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=192.168.20.254%WAN3 routing-mark=to_WAN3
add check-gateway=ping distance=1 gateway=192.168.18.254%WAN1
add check-gateway=ping distance=2 gateway=192.168.19.254%WAN2
add check-gateway=ping distance=3 gateway=192.168.20.254%WAN3

# Add routes for IN/OUT port forwarding packets 
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WAN1 routing-mark=WAN1_traffic scope=30 target-scope=10 
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WAN2 routing-mark=WAN2_traffic scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=WAN3 routing-mark=WAN3_traffic scope=30 target-scope=10

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes

/radius
add address=172.16.100.240 secret=testing123 service=hotspot

/system clock
set time-zone-name=Europe/Rome

/system identity
set name=mktkfwgw.domus.local

/system routerboard settings
set protected-routerboot=disabled
Top
Post Reply

Who is online

Users browsing this forum: CBVista, rwf and 53 guests
  4. RouterOS
  5. General