I have an RB850 with a strange issue that appeared "out of nowhere".
My configuration is:
ETH1 - WAN with static IP
ETH2 - LAN 192.168.0.0/16
ETH3, ETH4 - LAN 44.150.168.0/24, bridged with sstp
The issue is between LAN 192.168.0.0/16 and the WAN. When I set the local address to 192.168.1.x I cannot access the WAN (internet), although internally I can see all other IPs.
But when I set the local address to 192.168.2.x, everything works.
Could someone take a quick look at the config below (and preserve the last few hairs remaining on my head after two days of pulling them out...)?
Thank you.
Here is my config:
# model = 850Gx2
# Reviewer notes are the "# NOTE(review)" lines; they change nothing in the
# exported configuration and can be deleted before import.
/interface bridge
add name=bridge-s5net
/interface ethernet
set [ find default-name=ether1 ] name=eth1-WAN speed=100Mbps
set [ find default-name=ether2 ] name=eth2-LAN speed=100Mbps
set [ find default-name=ether3 ] name=eth3-Radioamaterji speed=100Mbps
set [ find default-name=ether4 ] name=eth4-radioamaterji speed=100Mbps
/interface list
# NOTE(review): 'discover' is populated with the three LAN ports under
# /interface list member, but /ip neighbor discovery-settings below uses
# discover-interface-list=all, so this list is currently not in effect.
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
# NOTE(review): pool-LAN only hands out 192.168.2.10-250, so a 192.168.1.x
# host must be statically addressed; the 192.168.1.254/16 address on eth2-LAN
# (see /ip address) still covers both ranges.
add name=pool-LAN ranges=192.168.2.10-192.168.2.250
add name=radioamaterji-pool ranges=44.150.168.110-44.150.168.159
/ip dhcp-server
add address-pool=pool-LAN authoritative=after-2sec-delay disabled=no \
interface=eth2-LAN lease-time=1d name=dhcp-LAN
add address-pool=radioamaterji-pool authoritative=after-2sec-delay disabled=\
no interface=bridge-s5net lease-time=1d name=DHCP-radioamaterji
/interface sstp-client
# NOTE(review): verify-server-address-from-certificate=no means the SSTP
# server's certificate is not checked against vpn.net.hamradio.si, so the
# peer's identity is not validated. add-default-route=yes also installs a
# default route through the tunnel next to the static one under /ip route;
# the masquerade rules below only match out-interface=eth1-WAN, so confirm
# which default route actually wins for 192.168.0.0/16 traffic.
add add-default-route=yes connect-to=vpn.net.hamradio.si disabled=no name=\
sstp-vtik-lj profile=default-encryption user=s54mtb-mtik \
verify-server-address-from-certificate=no
/queue tree
# NOTE(review): the queue tree is empty in this export, so the pcq types and
# the mangle marks further down are defined but not consumed here.
/queue type
add kind=pcq name=pcq-download pcq-classifier=dst-address
add kind=pcq name=pcq-upload pcq-classifier=src-address
/routing ospf instance
# NOTE(review): OSPF with router-id 44.150.168.1 over 44.150.0.0/16 (see
# /routing ospf network); no OSPF interface authentication appears in this
# export.
set [ find default=yes ] router-id=44.150.168.1
/snmp community
# NOTE(review): the default community stays enabled for addresses=0.0.0.0/0.
# SNMPv3 auth/priv algorithms are set, but access is not limited to a
# management network; only eth1-WAN is covered by the input-chain drop below,
# so SNMP also answers on bridge-s5net and the SSTP tunnel.
set [ find default=yes ] addresses=0.0.0.0/0 authentication-protocol=SHA1 \
encryption-protocol=AES
/system logging action
set 1 disk-file-count=100 disk-lines-per-file=500 disk-stop-on-full=yes
# NOTE(review): remote syslog goes in clear text to 192.168.1.111:5140 - a host
# in the same 192.168.1.x range the post reports as unable to reach the WAN.
set 3 bsd-syslog=yes remote=192.168.1.111 remote-port=5140 syslog-facility=\
local0
/user group
# Read-only SSH group; despite the name, the sniff policy is explicitly denied
# along with every write/sensitive policy.
add name=sniffer policy="ssh,read,!local,!telnet,!ftp,!reboot,!write,!policy,!\
test,!winbox,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
/interface bridge port
add bridge=bridge-s5net interface=eth3-Radioamaterji
add bridge=bridge-s5net interface=eth4-radioamaterji
/ip neighbor discovery-settings
# NOTE(review): neighbor discovery is enabled on all interfaces, including
# eth1-WAN; the 'discover' list defined above would limit it to the LAN ports
# (discover-interface-list=discover).
set discover-interface-list=all
/ip settings
# NOTE(review): strict reverse-path filtering drops packets whose source
# address does not route back out the interface they arrived on; keep this in
# mind if the static and SSTP default routes ever produce asymmetric paths.
set rp-filter=strict
/interface list member
# LAN-side ports only; eth1-WAN is deliberately absent from all three lists.
add interface=eth2-LAN list=discover
add interface=eth3-Radioamaterji list=discover
add interface=eth4-radioamaterji list=discover
add interface=eth2-LAN list=mactel
add interface=eth3-Radioamaterji list=mactel
add interface=eth4-radioamaterji list=mactel
add interface=eth2-LAN list=mac-winbox
add interface=eth3-Radioamaterji list=mac-winbox
add interface=eth4-radioamaterji list=mac-winbox
/ip accounting
set enabled=yes threshold=2560
/ip address
# NOTE(review): eth2-LAN is a single /16, so 192.168.1.x and 192.168.2.x are
# one subnet from the router's point of view; any difference between them has
# to come from rules that name a specific host or /24, not from addressing.
add address=192.168.1.254/16 comment="LAN address" interface=eth2-LAN \
network=192.168.0.0
add address=89.212.19.180/16 comment="WAN address" interface=eth1-WAN \
network=89.212.0.0
# NOTE(review): 44.150.168.1/24 is bound to eth3-Radioamaterji, yet that port
# is a member of bridge-s5net and the DHCP server for this pool runs on the
# bridge. The address normally belongs on the bridge interface - confirm.
add address=44.150.168.1/24 interface=eth3-Radioamaterji network=44.150.168.0
/ip dhcp-client
# NOTE(review): a DHCP client on eth1-WAN alongside the static WAN address and
# static default route; by default a lease would add a second default route
# and peer DNS servers. If the WAN really is static, disable this entry.
add comment="default configuration" dhcp-options=hostname,clientid interface=\
eth1-WAN
/ip dhcp-server network
add address=44.150.168.0/24 gateway=44.150.168.1 netmask=24
add address=192.168.0.0/16 comment="default configuration" gateway=\
192.168.1.254 netmask=16
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router a resolver for any
# source; only eth1-WAN is shielded by the input-chain drop below.
set allow-remote-requests=yes servers=\
84.255.209.79,84.255.210.79,8.8.8.8,4.4.4.4
/ip firewall address-list
# Bogon list: only matched with in-interface=eth1-WAN, so listing the internal
# 192.168.0.0/16 and 44.0.0.0/8 here acts as anti-spoofing from the WAN side.
add address=192.168.0.0/16 list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=127.0.0.0/8 list=Bogon
add address=0.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon
add address=44.0.0.0/8 list=Bogon
/ip firewall filter
# NOTE(review): none of the rules below set log=yes, so their log-prefix
# values are inert; add log=yes to the drop rules if the INPUT DROP / FORWARD
# DROP lines are expected at the remote syslog target.
# input chain: ICMP is accepted on every interface with no rate limit;
# everything else arriving on eth1-WAN is dropped. There is no terminal drop
# for the other interfaces, so router services answer on bridge-s5net and the
# SSTP tunnel except where the last input rule (44.0.0.0/8 -> 192.168.1.254)
# applies.
add action=accept chain=input comment="Enable ICMP" log-prefix=ICMP protocol=\
icmp
add action=accept chain=input comment="Accept Established/Related - Input" \
connection-state=established,related
add action=drop chain=input comment="Drop everything else - input" \
in-interface=eth1-WAN log-prefix="INPUT DROP"
# forward chain: fasttrack comes first, so established traffic is not seen by
# the mangle marks further down; there is no terminal drop, so new connections
# dst-natted from eth1-WAN (including the catch-all DMZ rule under /ip firewall
# nat) are forwarded to the LAN host unconditionally.
add action=fasttrack-connection chain=forward comment=\
"FastTrack Established/Related - Forward" connection-state=\
established,related
add action=accept chain=forward comment=\
"Accept Established/Related - Forward" connection-state=\
established,related log-prefix=TEST-ACCEPT
add action=accept chain=forward comment="Allow forward traffic LAN >> WAN" \
out-interface=eth1-WAN src-address=192.168.0.0/16
add action=accept chain=forward comment="Allow forward traffic LAN >> WAN" \
out-interface=eth1-WAN src-address=44.150.168.0/24
# Anti-spoofing: applies only to packets entering on eth1-WAN.
add action=drop chain=forward comment="Drop Bogon Forward >> WAN" \
in-interface=eth1-WAN log-prefix="BOGON FORWARD DROP" src-address-list=\
Bogon
# Despite its comment, this rule only drops connection-state=invalid; it is
# not a catch-all.
add action=drop chain=forward comment="Drop everything else - Forward" \
connection-state=invalid log-prefix="FORWARD DROP"
add action=drop chain=forward comment="Drop un-NATed forwarded connections" \
connection-nat-state=!dstnat connection-state=new in-interface=eth1-WAN
# Isolation: the ham-radio bridge may not initiate connections into eth2-LAN
# (LAN-initiated flows still return via the established/related accepts).
add action=drop chain=forward in-interface=bridge-s5net out-interface=\
eth2-LAN
# Same for anything sourced from 44.0.0.0/8 (e.g. arriving via the SSTP
# tunnel): replies allowed, new/invalid dropped; the input rule protects the
# LAN gateway address itself.
add action=accept chain=forward connection-state=established,related \
dst-address=192.168.0.0/16 src-address=44.0.0.0/8
add action=drop chain=forward connection-state=invalid,new dst-address=\
192.168.0.0/16 src-address=44.0.0.0/8
add action=drop chain=input dst-address=192.168.1.254 src-address=44.0.0.0/8
/ip firewall mangle
# NOTE(review): users-con / server-con marks intended for the pcq queues.
# Fasttracked packets bypass mangle, so only the leading packets of a
# connection get marked, and no queue tree entry consumes the marks in this
# export.
add action=mark-connection chain=forward new-connection-mark=users-con \
passthrough=yes src-address=192.168.0.0/16
add action=mark-packet chain=forward connection-mark=users-con \
new-packet-mark=users passthrough=yes
add action=mark-connection chain=forward new-connection-mark=server-con \
passthrough=yes src-address=192.168.1.111
add action=mark-packet chain=forward connection-mark=server-con \
new-packet-mark=server passthrough=yes
/ip firewall nat
# NOTE(review): no in-interface or dst-address on this rule, so any UDP/1194
# passing through the router from any side - including a LAN client connecting
# to an outside OpenVPN server - is redirected to 192.168.2.83. Scope it with
# in-interface=eth1-WAN or dst-address-type=local like the rules below.
add action=dst-nat chain=dstnat comment=OpenVPN dst-port=1194 log-prefix=\
OpenVPN- protocol=udp to-addresses=192.168.2.83 to-ports=1194
# Hairpin-capable port forwards: dst-address-type=local with the LAN excluded.
add action=dst-nat chain=dstnat comment="1. Services hairpin to .80 " \
dst-address=!192.168.0.0/16 dst-address-type=local dst-port=\
80,21,443,3389,4430,24001 protocol=tcp to-addresses=192.168.2.80
add action=dst-nat chain=dstnat comment="Emajlirana po\9Ata" dst-address=\
!192.168.0.0/16 dst-address-type=local dst-port=25,587,993,995 protocol=\
tcp to-addresses=192.168.2.78
# NOTE(review): catch-all DMZ rule - every remaining packet entering eth1-WAN
# is forwarded to 192.168.1.80 with no protocol/port limit, and the forward
# chain has no final drop, so that host is fully exposed on all ports.
add action=dst-nat chain=dstnat comment="And the rest goes to the DMZ host" \
in-interface=eth1-WAN to-addresses=192.168.1.80
# Outbound masquerade only for out-interface=eth1-WAN (not the SSTP tunnel).
add action=masquerade chain=srcnat comment=\
"2. NAT all traffic from local to internet" out-interface=eth1-WAN \
src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment=\
"2. NAT all traffic from local to internet" out-interface=eth1-WAN \
src-address=44.150.168.0/24
# NOTE(review): hairpin masquerade has no dst-address/out-interface, so any
# routed TCP to these ports is masqueraded regardless of destination; adding
# dst-address=192.168.0.0/16 limits it to the hairpin case.
add action=masquerade chain=srcnat comment=\
"3. NAT all traffic from local to local" dst-port=\
80,21,443,3389,4430,24001,25,587,993,995 protocol=tcp src-address=\
192.168.0.0/16
/ip route
# Static default route; see the add-default-route note under
# /interface sstp-client.
add distance=1 gateway=89.212.0.1
/ip service
# telnet/ftp/www/api/api-ssl disabled. ssh, www-ssl and winbox keep their
# defaults (absent from the export) with no address= restriction shown.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
# SMB share served on eth2-LAN only, guests disallowed.
set allow-guests=no domain=PAVLIN interfaces=eth2-LAN
/ip ssh
# NOTE(review): allow-none-crypto=yes permits SSH sessions negotiated with the
# 'none' cipher (unencrypted); set it back to no unless deliberately needed.
# forwarding-enabled=remote permits remote port forwarding through the router.
set allow-none-crypto=yes forwarding-enabled=remote
/routing ospf network
add area=backbone network=44.150.0.0/16
/snmp
# SNMP enabled; it uses the open default community defined above.
set contact=jan@pavlin.si enabled=yes location=Kurilnica
/system clock
set time-zone-name=Europe/Ljubljana
/system identity
set name=mtik-s54mtb
/system logging
# Firewall topic goes to the remote syslog action (192.168.1.111); see the
# log=yes note under /ip firewall filter. Remote error/warning/system/packet
# rules are disabled; critical/warning/error also go to disk.
add action=disk topics=critical
add topics=critical
add action=remote topics=firewall
add action=remote disabled=yes topics=critical
add topics=dhcp
add action=remote disabled=yes topics=error
add action=remote disabled=yes topics=warning
add action=disk topics=warning
add action=disk topics=error
add action=remote disabled=yes topics=system
add action=remote disabled=yes prefix=SNIFFER topics=packet
/system ntp client
set enabled=yes primary-ntp=193.2.1.117 secondary-ntp=193.2.1.92
/tool bandwidth-server
set enabled=no
/tool graphing interface
add
/tool graphing queue
# Graphing pages limited to 192.168.1.0/24; www is disabled above, so they are
# only reachable over www-ssl, whose state is not in this export.
add allow-address=192.168.1.0/24
/tool graphing resource
add allow-address=192.168.1.0/24
/tool mac-server
# MAC-telnet and MAC-winbox restricted to the LAN-side lists (eth1-WAN
# excluded).
set allowed-interface-list=mactel
/tool mac-server mac-winbox
set allowed-interface-list=mac-winbox