Computer networks
Alexander Postnikov, 2018-07-28 15:25:53

Mikrotik 3011UiAS: 2 LAN + DMZ and 2 WAN with recursive routing. Why doesn't it work?

Hello all,
I have been trying to finish the configuration on a 3011UiAS for a week now.
I have tried many options and edits, but it does not work.
I assume that I am marking the traffic incorrectly and/or the routes are not built correctly, but I cannot find where exactly the mistakes are.
So, given:
Router 3011UiAS;
WAN1 (ISP1-DataGroup): public IP 93.xxx.xxx.94/24 via DHCP with MAC binding.
WAN2 (ISP2-Lanet): public IP 188.yyy.yy.126/24 via DHCP with MAC binding.
LAN_Guest (192.168.1.0/24)
LAN_IT (192.168.2.0/24)
DMZ (192.168.3.0/24)
Wishlist:
Services in the DMZ (so far only one: 192.168.3.2:8090) must be accessible from the local networks and from the Internet via the public IPs above (these will be third-level domains).
Some services added later will probably use dynamic ports (I plan to use UPnP).
Management of the 3011UiAS should be done only through Winbox from LAN_IT (by MAC, by the gateway IP 192.168.2.1, and remotely by public IP).
LAN_IT Internet access: ISP1 by default, ISP2 as backup.
LAN_Guest Internet access: ISP2 by default, ISP1 as backup.
DMZ Internet access: ISP1 by default, ISP2 as backup.
Isolate traffic between the LAN_Guest and LAN_IT subnets.
The following does not work (or works, but incorrectly):
The most critical problem is with the DMZ.
The service in the DMZ is reachable from the Internet only via IP 188.yyy.yy.126 and is not reachable from the LAN_IT local network.
DMZ, LAN_IT and LAN_Guest clients cannot ping their gateways (192.168.3.1, 192.168.2.1 and 192.168.1.1 respectively).
The 3011UiAS does not respond to pings from the Internet on IP 93.xxx.xxx.94 and 188.yyy.yy.126, but does respond to pings from the local networks (to IP 93.xxx.xxx.94 and 188.yyy.yy.126).
Current implementation:

Router Ethernet interfaces: WAN(1,2); DMZ(3,4); IT(5,8,9); Guest(6,7)
/interface bridge
add comment="Ports 3,4 for DMZ" fast-forward=no name=bridge_dmz
add comment="Ports 5,8,9 for IT" fast-forward=no name=bridge_it
add comment="Ports 6,7 for Guest" fast-forward=no name=bridge_guest
/interface ethernet
set [ find default-name=ether1 ] comment="Port1 DataGroup-IT" mac-address=B8:00:00:00:00:6E name=WAN1
set [ find default-name=ether2 ] comment="Port2 Lanet-Guest" mac-address=A0:00:00:00:00:A4 name=WAN2
set [ find default-name=ether3 ] comment=DMZ
set [ find default-name=ether4 ] comment=DMZ
set [ find default-name=ether5 ] comment=LAN_IT
set [ find default-name=ether6 ] comment="Guest 1C"
set [ find default-name=ether7 ] comment="Guest 1st floor"
set [ find default-name=ether8 ] comment=LAN_IT
set [ find default-name=ether9 ] comment=LAN_IT

/interface list
add name=WAN

/interface bridge port
add bridge=bridge_dmz interface=ether3
add bridge=bridge_dmz interface=ether4
add bridge=bridge_it interface=ether5
add bridge=bridge_guest interface=ether6
add bridge=bridge_guest interface=ether7
add bridge=bridge_it interface=ether8
add bridge=bridge_it interface=ether9

/interface list member
add interface=WAN1 list=WAN
add interface=WAN2 list=WAN

Addressing, subnets and dhcp
/ip dhcp-client
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=WAN1
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=WAN2

/ip address
add address=192.168.1.1/24 comment="Guest LAN" interface=bridge_guest network=192.168.1.0
add address=192.168.2.1/24 comment="IT LAN" interface=bridge_it network=192.168.2.0
add address=192.168.3.1/24 comment="DMZ LAN" interface=bridge_dmz network=192.168.3.0

/ip pool
add comment="Guest LAN" name=dhcp_pool_guest ranges=192.168.1.2-192.168.1.254
add comment="IT LAN" name=dhcp_pool_it ranges=192.168.2.2-192.168.2.254
add comment="DMZ LAN" name=dhcp_pool_dmz ranges=192.168.3.2-192.168.3.254

/ip dhcp-server network
add address=192.168.1.0/24 comment="Guest LAN" dns-server=192.168.1.1 gateway=192.168.1.1
add address=192.168.2.0/24 comment="IT LAN" dns-server=192.168.2.1 gateway=192.168.2.1
add address=192.168.3.0/24 comment="DMZ LAN" dns-server=192.168.3.1 gateway=192.168.3.1

/ip dhcp-server
add address-pool=dhcp_pool_guest disabled=no interface=bridge_guest lease-time=1h name=dhcp_server_guest
add address-pool=dhcp_pool_it disabled=no interface=bridge_it lease-time=1d name=dhcp_server_it
add address-pool=dhcp_pool_dmz disabled=no interface=bridge_dmz lease-time=1d name=dhcp_server_dmz

ARP and mac-IP bindings
/ip arp
add address=192.168.1.2 comment="Guest 1C Router" interface=bridge_rent mac-address=00:00:00:00:00:C6
add address=192.168.3.2 comment=GitLab interface=bridge_dmz mac-address=10:00:00:00:00:C9
add address=192.168.2.2 comment="IT InterTelecom Router" interface=bridge_it mac-address=EC:00:00:00:00:4F

/ip dhcp-server lease
add address=192.168.1.2 comment="Guest 1C Router" mac-address=00:00:00:00:00:C6 server=dhcp_server_guest
add address=192.168.2.2 comment="IT InterTelecom Router" mac-address=EC:00:00:00:00:4F server=dhcp_server_it
add address=192.168.3.2 comment=GitLab lease-time=1d mac-address=10:00:00:00:00:C9 server=dhcp_server_dmz

firewall filter, NAT
/ip firewall nat
add action=masquerade chain=srcnat comment="Outgoing LANs masquerade from WAN1" out-interface=WAN1
add action=masquerade chain=srcnat comment="Outgoing LANs masquerade from WAN2" out-interface=WAN2
add action=netmap chain=dstnat comment="GitLab Lanet Port Forwarding" \
    dst-address=188.yyy.yy.126 dst-port=8090 protocol=tcp to-addresses=\
    192.168.3.2 to-ports=8090
add action=netmap chain=dstnat comment=\
    "GitLab from DataGroup Port Forwarding" dst-address=93.xxx.xxx.94 \
    dst-port=8090 protocol=tcp to-addresses=192.168.3.2 to-ports=8090

/ip firewall address-list
add address=192.168.1.0/24 list=LocalNet
add address=192.168.2.0/24 list=LocalNet
add address=192.168.3.0/24 list=LocalNet

/ip firewall filter
add action=accept chain=input comment=Winbox dst-port=8291 protocol=tcp
add action=accept chain=input comment=icmp protocol=icmp
add action=accept chain=forward comment="PortForward to GitLab" dst-address=\
    192.168.3.2 dst-port=8090 protocol=tcp
add action=accept chain=input comment=Established_Wan_Accept \
    connection-state=established
add action=drop chain=input comment="Drop DNS requests from internet" \
    disabled=yes dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
add chain=input comment=Established_Wan_Accept connection-state=established
add chain=input comment=Related_Wan_Accept connection-state=related
add action=drop chain=input comment=Bogon_Wan_Drop in-interface-list=WAN \
    src-address-list=BOGONS

firewall mangle
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=inWAN1 \
    dst-address-list=!LocalNet dst-address-type="" log-prefix=skymr \
    new-routing-mark=1WAN passthrough=yes src-address-list=LocalNet
add action=mark-routing chain=prerouting connection-mark=inWAN2 \
    dst-address-list=!LocalNet dst-address-type="" log-prefix=tktmr \
    new-routing-mark=2WAN passthrough=yes src-address-list=LocalNet
add action=mark-routing chain=output connection-mark=WAN1 dst-address-type=\
    !local new-routing-mark=WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2 dst-address-type=\
    !local new-routing-mark=WAN2 passthrough=yes
add action=mark-connection chain=prerouting dst-address=93.xxx.xxx.94 \
    in-interface=WAN1 new-connection-mark=inWAN1 passthrough=yes
add action=mark-connection chain=input dst-address=93.xxx.xxx.94 \
    in-interface=WAN1 new-connection-mark=inWAN1 passthrough=yes
add action=mark-connection chain=prerouting dst-address=188.yyy.yy.126 \
    in-interface=WAN2 new-connection-mark=inWAN2 passthrough=yes
add action=mark-connection chain=input dst-address=188.yyy.yy.126 \
    in-interface=WAN2 new-connection-mark=inWAN2 passthrough=yes

Recursive routes and rules
/ip route
add check-gateway=ping comment="WAN1 main" distance=1 gateway=8.8.8.8 \
    routing-mark=WAN1 target-scope=15
add check-gateway=ping comment="WAN1 reserve" distance=2 gateway=8.8.4.4 \
    routing-mark=WAN1 target-scope=15
add check-gateway=ping comment="WAN2 main" distance=1 gateway=8.8.4.4 \
    routing-mark=WAN2 target-scope=15
add check-gateway=ping comment="WAN2 reserve" distance=2 gateway=8.8.8.8 \
    routing-mark=WAN2 target-scope=15
add comment="WAN2 Lanet route" distance=1 dst-address=8.8.4.4/32 gateway=\
    188.yyy.yy.1 scope=15
add comment="WAN1 DataGroup route" distance=1 dst-address=8.8.8.8/32 gateway=\
    93.xxx.xxx.1 scope=15

/ip route rule
add comment="Guest LAN-WAN2 rule" src-address=192.168.1.0/24 table=WAN2
add comment="IT LAN-WAN1 rule" src-address=192.168.2.0/24 table=WAN1
add comment="DMZ LAN-WAN1 rule" src-address=192.168.3.0/24 table=WAN2
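Added example, not from the original post: a Python checker that parses a RouterOS export of the shape above and cross-references names between sections, run on a constructed excerpt that keeps the post's identifiers. On that excerpt it reports the ARP entry on bridge_rent (no /interface bridge creates it), the mangle mark 1WAN (no route carries that routing-mark; the routes use WAN1/WAN2) and the DMZ route rule whose comment says WAN1 but whose table is WAN2, which matches the service being reachable only via the WAN2 address.

```python
import re
KV = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value tokens; values may be quoted
# Constructed excerpt of the poster's export (identifiers as in the post, abridged).
EXPORT = """\
/interface bridge
add comment="Ports 6,7 for Guest" fast-forward=no name=bridge_guest
/ip arp
add address=192.168.1.2 comment="Guest 1C Router" interface=bridge_rent mac-address=00:00:00:00:00:C6
/ip firewall mangle
add action=mark-routing chain=prerouting connection-mark=inWAN1 \\
    new-routing-mark=1WAN passthrough=yes src-address-list=LocalNet
/ip route
add check-gateway=ping comment="WAN1 main" distance=1 gateway=8.8.8.8 \\
    routing-mark=WAN1 target-scope=15
add check-gateway=ping comment="WAN2 main" distance=1 gateway=8.8.4.4 \\
    routing-mark=WAN2 target-scope=15
/ip route rule
add comment="DMZ LAN-WAN1 rule" src-address=192.168.3.0/24 table=WAN2
"""

def parse_export(text):
    """Return [(section, {key: value})]; joins lines the export wrapped with a trailing backslash."""
    entries, section, buf = [], None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):
            buf = line[:-1]          # continuation: the rest of the command follows on the next line
            continue
        buf = ""
        if line.startswith("/"):
            section = line           # e.g. "/ip firewall mangle"
        elif line.split(" ", 1)[0] in ("add", "set"):
            entries.append((section, {k: v.strip('"') for k, v in KV.findall(line)}))
    return entries

def audit(entries):
    """Cross-reference names between sections; returns human-readable findings."""
    bridges = {e["name"] for s, e in entries if s == "/interface bridge"}
    marks = {e["routing-mark"] for s, e in entries if s == "/ip route" and "routing-mark" in e}
    findings = []
    for s, e in entries:
        iface, mark, table = e.get("interface", ""), e.get("new-routing-mark"), e.get("table")
        if iface.startswith("bridge") and iface not in bridges:
            findings.append(f"{s}: interface {iface} is not a defined bridge")
        if mark and mark not in marks:  # mangle assigns a mark no routing table carries
            findings.append(f"{s}: new-routing-mark={mark} has no route with that routing-mark")
        for m in marks - {table}:       # route rule whose comment names a different table
            if table and m in e.get("comment", ""):
                findings.append(f"{s}: comment names {m} but table={table}")
    return findings
```

Running `audit(parse_export(EXPORT))` on the full export from the post reports the same three classes of finding, plus 2WAN alongside 1WAN.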

2 answer(s)
Arthur Weird, 2018-08-01
@rAHDoJlbEP

Here you 100% need to look at it by hand.

Ivan Eliseev, 2018-08-07
@ivaneliseeff

In general, everything is fine.
1. But I would start by not using netmap.
With newer versions of RouterOS there is no need for that.
2. Too lazy to write it out for your setup, so I'll share mine.
Telephony: it needs access from the Internet and from the network. Nothing fancy.
This is what we published to the Internet:
add action=dst-nat chain=dstnat comment="pbx inbound" dst-port=6666 in-interface=sfp-sfpplus1 log=yes log-prefix="pbx inbound" protocol=udp to-addresses=192.168.8.254 to-ports=5060
And this made it visible from the network as well as from the Internet:
add action=dst-nat chain=dstnat dst-address=xxx.yyy.zzz.qqq dst-port=6666 protocol=udp src-address=10.0.254.0/24 to-addresses=192.168.8.254 to-ports=5060
In this example, 10.0.254.0/24 is one of the internal networks
and 192.168.8.254 is the address of the PBX.
The ping thing is unclear, of course, but not critical. You can also turn off the rules one by one and check at which of them the
isolation starts kicking in. You can do it just like this:
add action=drop chain=forward comment="block boss network" dst-address=10.0.254.0/24 src-address=10.10.30.0/24
Overall, it is not a particularly complex configuration. I hope that with my examples there will be fewer questions.
