DavidGrandes
Usuari@ ADSLzone
- Mensajes
- 46
Buenas tardes,
He tenido siempre los routers de compañía en modo bridge y al cambiarme a vodafone y no dar esa opción me he empeñado en sustituir el router de vodafone.
He dejado la ONT que me dejan en vodafone y he quitado el router H500-s.
El caso es que tengo una duda con respecto a la IPTV.
Después de hacer toda la configuración y ver que funciona internet y tele sin problemas, he añadido las reglas de firewall que tenia antes y la tele ha dejado de funcionar. Se que es un tema de firewall que tengo que dejar algun paquete forward e input hacia la IPTV pero no tengo claro cual. Soy un poco novato en este sentido y me gustaría tener un poco de ayuda para no tener el router mal configurado. Adjunto el código a ver si veis lo que puede ser.
Por otro lado aprovecho para preguntar. Tengo una conexión VPN L2TP configurada en el mikrotik para dos cosas, una conectarme yo como usuario y otra para conectar otro mikrotik como cliente VPN.
Ambas se conectan sin problemas pero hay 2 cosas que no me funcionan como querria:
-Cuando me conecto como usuario VPN "David", no puedo salir a internet.
-No puedo acceder a la red del mikrotik secundario ni a el mismo estando conectado al usuario "David", sin embargo si que puedo acceder a esa red desde mi red lan interna.
Entiendo que es por alguna regla firewall que me falta pero no doy con ella.
Muchas gracias de antemano!!
He tenido siempre los routers de compañía en modo bridge y al cambiarme a vodafone y no dar esa opción me he empeñado en sustituir el router de vodafone.
He dejado la ONT que me dejan en vodafone y he quitado el router H500-s.
El caso es que tengo una duda con respecto a la IPTV.
Después de hacer toda la configuración y ver que funciona internet y tele sin problemas, he añadido las reglas de firewall que tenia antes y la tele ha dejado de funcionar. Se que es un tema de firewall que tengo que dejar algun paquete forward e input hacia la IPTV pero no tengo claro cual. Soy un poco novato en este sentido y me gustaría tener un poco de ayuda para no tener el router mal configurado. Adjunto el código a ver si veis lo que puede ser.
Por otro lado aprovecho para preguntar. Tengo una conexión VPN L2TP configurada en el mikrotik para dos cosas, una conectarme yo como usuario y otra para conectar otro mikrotik como cliente VPN.
Ambas se conectan sin problemas pero hay 2 cosas que no me funcionan como querria:
-Cuando me conecto como usuario VPN "David", no puedo salir a internet.
-No puedo acceder a la red del mikrotik secundario ni a el mismo estando conectado al usuario "David", sin embargo si que puedo acceder a esa red desde mi red lan interna.
Entiendo que es por alguna regla firewall que me falta pero no doy con ella.
Código:
# mar/03/2021 22:50:44 by RouterOS 6.48.1
# software id = E82L-C64C
#
# model = RB4011iGS+
/interface bridge
add igmp-snooping=yes name=LAN-Bridge
/interface ethernet
set [ find default-name=ether1 ] comment=ISP
set [ find default-name=ether2 ] comment=Switch
set [ find default-name=ether3 ] comment=PC
set [ find default-name=ether5 ] comment=AP
set [ find default-name=ether6 ] comment=LM
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface vlan
add interface=ether1 name=INTERNET vlan-id=100
add interface=LAN-Bridge name=LAN vlan-id=20
add interface=ether1 name=TIVO vlan-id=105
/interface pppoe-client
add add-default-route=yes disabled=no interface=INTERNET name=PPPoE-out1 user=USUARIO@vodafone
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/ip dhcp-server option
add code=12 name=TIVO value="'TIVO'"
/ip pool
add name=LAN-Pool ranges=192.168.2.21-192.168.2.150
add name=TIVO-Pool ranges=192.168.2.251-192.168.2.253
/ip dhcp-server
add address-pool=LAN-Pool disabled=no interface=LAN-Bridge name=DHCP-LAN
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8 wins-server=8.8.4.4
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=LAN-Bridge interface=ether2
add bridge=LAN-Bridge interface=ether3
add bridge=LAN-Bridge interface=ether4
add bridge=LAN-Bridge interface=ether5
add bridge=LAN-Bridge interface=ether6
add bridge=LAN-Bridge interface=ether7
add bridge=LAN-Bridge interface=ether8
add bridge=LAN-Bridge interface=ether9
add bridge=LAN-Bridge interface=ether10
/interface l2tp-server server
set authentication=mschap2 enabled=yes use-ipsec=required
/ip address
add address=192.168.2.1/24 interface=LAN-Bridge network=192.168.2.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no disabled=no interface=TIVO use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.2.225 client-id=1:cc:9e:a2:62:f2:cc comment="Alexa Yoga" mac-address=CC:9E:A2:62:F2:CC server=DHCP-LAN
add address=192.168.2.222 comment="Alexa Estudio" mac-address=14:91:38:F3:DF:F0 server=DHCP-LAN
add address=192.168.2.221 client-id=1:44:0:49:4d:e4:ab comment="Alexa Salon" mac-address=44:00:49:4D:E4:AB server=DHCP-LAN
add address=192.168.2.224 client-id=1:5c:41:5a:93:bd:85 comment="Alexa Cocina" mac-address=5C:41:5A:93:BD:85 server=DHCP-LAN
add address=192.168.2.13 client-id=1:44:85:0:30:1e:61 comment="PC Curro" mac-address=44:85:00:30:1E:61 server=DHCP-LAN
add address=192.168.2.231 comment="Xiaomi Vacuum" mac-address=40:31:3C:A2:E3:3B server=DHCP-LAN
add address=192.168.2.145 client-id=1:7c:d5:66:b8:e7:90 comment=Despertador mac-address=7C:D5:66:B8:E7:90 server=DHCP-LAN
add address=192.168.2.232 client-id=1:e8:f2:e2:ab:ea:39 comment="TV Salon" mac-address=E8:F2:E2:AB:EA:39 server=DHCP-LAN
add address=192.168.2.11 client-id=1:b8:ac:6f:9d:62:d6 comment="PC Estudio" mac-address=B8:AC:6F:9D:62:D6 server=DHCP-LAN
add address=192.168.2.12 client-id=1:ea:f2:30:ce:22:b6 comment="Movil David" mac-address=EA:F2:30:CE:22:B6 server=DHCP-LAN
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.2.1
add address=192.168.2.251/32 dhcp-option=TIVO gateway=192.168.2.1 netmask=29
/ip firewall address-list
add address=0.0.0.0/8 list=Bogon
add address=10.0.0.0/8 list=Bogon
add address=100.64.0.0/10 list=Bogon
add address=127.0.0.0/8 list=Bogon
add address=169.254.0.0/16 list=Bogon
add address=172.16.0.0/12 list=Bogon
add address=192.0.0.0/24 list=Bogon
add address=192.0.2.0/24 list=Bogon
add address=192.168.0.0/16 list=Bogon
add address=198.18.0.0/15 list=Bogon
add address=198.51.100.0/24 list=Bogon
add address=203.0.113.0/24 list=Bogon
add address=240.0.0.0/4 list=Bogon
add address=192.168.2.10-192.168.2.20 list=Src_Administradores
add address=192.168.2.205 list=Src_Administradores
add address=192.168.2.20-192.168.2.255 list=Src_Red_LAN
add address=192.168.2.201 list=Dst_Servidores_Usuarios
add address=192.168.2.204 list=Dst_Servidores_Usuarios
add address=192.168.2.205 list=Dst_Servidores_Usuarios
add address=192.168.2.10-192.168.2.255 list=Dst_Red_LAN
add address=192.168.2.201 list=Src_Administradores
add address=192.168.2.202 list=Src_Administradores
add address=192.168.2.3 list=Src_Administradores
add address=10.10.1.201 list=Src_Administradores
/ip firewall filter
add action=add-src-to-address-list address-list=Src_TocToc_Temporal address-list-timeout=1m chain=input comment=TocToc dst-port=5000 protocol=tcp
add action=add-src-to-address-list address-list=Src_TocToc_LM address-list-timeout=5d chain=input comment=AccesoLM dst-port=7000 protocol=tcp src-address-list=Src_TocToc_Temporal
add action=add-src-to-address-list address-list=Src_TocToc_LM_NAS address-list-timeout=5d chain=input comment=AccesoLM_NAS dst-port=8000 protocol=tcp src-address-list=Src_TocToc_Temporal
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment=L2TP dst-port=1701,500,4500 protocol=udp
add action=accept chain=input comment=L2TP protocol=ipsec-esp
add action=accept chain=input comment=L2TP protocol=ipsec-ah
add action=accept chain=input comment="defconf: accepr input from Src_Admin" src-address-list=Src_Administradores
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Allow services to lan users" in-interface=LAN-Bridge port=53 protocol=tcp
add action=accept chain=input comment="Allow services to lan users" in-interface=LAN-Bridge port=53 protocol=udp
add action=accept chain=input comment="Allow services to lan users" in-interface=TIVO protocol=udp
add action=drop chain=input comment="drop all else" log=yes log-prefix="Prohibido input resto"
add action=accept chain=forward log-prefix=Forward src-address-list=Src_Red_LAN
add action=accept chain=forward src-address-list=Src_Administradores
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes log-prefix="Prohibido forward invalido"
add action=accept chain=forward comment="CAMBIAR SOLO HACIA EL DISPOSITIVO" in-interface=LAN-Bridge out-interface=PPPoE-out1
add action=accept chain=forward comment="allow internet from LAN-Bridge to WAN" in-interface=TIVO out-interface=LAN-Bridge
add action=accept chain=forward comment="allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=PPPoE-out1
add action=drop chain=forward comment="drop all else" log=yes log-prefix="Prohibido forward resto"
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=TIVO
add action=set-priority chain=postrouting new-priority=4 out-interface=TIVO
add action=set-priority chain=postrouting new-priority=0 out-interface=PPPoE-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=TIVO
add action=masquerade chain=srcnat dst-address=0.0.0.0/0 log=yes out-interface=PPPoE-out1 src-address=192.168.2.0/24
add action=masquerade chain=srcnat out-interface=TIVO
add action=dst-nat chain=dstnat dst-address-type=local in-interface=TIVO to-addresses=192.168.2.251
add action=dst-nat chain=dstnat comment=DMZ disabled=yes in-interface=PPPoE-out1 to-addresses=192.168.2.202
add action=dst-nat chain=dstnat comment="CONTROL TOUCH" dst-port=2199 in-interface=PPPoE-out1 log=yes log-prefix="Conexion CT" protocol=tcp to-addresses=192.168.2.204 to-ports=2199
add action=dst-nat chain=dstnat comment="xxx Conexion Web (IMP. Dst type adress local para que funcionen las paginas con puerto 80)" dst-address-type=local dst-port=80 log=yes log-prefix=Conexion_Web protocol=tcp to-addresses=192.168.2.202 to-ports=\
80
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 log=yes log-prefix="Conexion Web" protocol=tcp to-addresses=192.168.2.202 to-ports=443
add action=dst-nat chain=dstnat comment=MQTT_ext dst-port=41883 log=yes log-prefix="Conexion MQTT" protocol=tcp to-addresses=192.168.2.205 to-ports=1883
add action=dst-nat chain=dstnat comment=NAS dst-port=52151 log=yes log-prefix="Conexion NAS" protocol=tcp src-address-list=Src_TocToc_LM_NAS to-addresses=192.168.2.201 to-ports=52151
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 log=yes log-prefix="Conexion Plex" protocol=tcp to-addresses=192.168.2.201 to-ports=32400
add action=dst-nat chain=dstnat comment=LM dst-port=52200 log=yes log-prefix="Conexion NAS" protocol=tcp src-address-list=Src_TocToc_LM_NAS to-addresses=192.168.2.205 to-ports=80
add action=masquerade chain=srcnat comment="Para hacer LoopBack y que no se rompa la consxion si accedemos desde dentro" dst-address=192.168.2.201 dst-port=52151 out-interface=LAN-Bridge protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.202 dst-port=80 out-interface=LAN-Bridge protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.202 dst-port=443 out-interface=LAN-Bridge protocol=tcp src-address=192.168.2.0/24
add action=masquerade chain=srcnat dst-address=192.168.2.205 dst-port=80 out-interface=LAN-Bridge protocol=tcp src-address=192.168.2.12
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 dst-address=10.8.57.0/24 gateway=TIVO pref-src=10.214.13.28
add distance=1 dst-address=10.8.58.0/24 gateway=TIVO pref-src=10.214.13.28
add distance=1 dst-address=10.8.59.0/24 gateway=TIVO pref-src=10.214.13.28
add distance=1 dst-address=10.10.2.0/24 gateway=10.10.1.2
add distance=1 dst-address=10.15.220.0/24 gateway=TIVO pref-src=10.214.13.28
add distance=1 dst-address=10.179.32.0/23 gateway=TIVO pref-src=10.214.13.28
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set winbox port=8299
set api-ssl disabled=yes
/ppp secret
add local-address=10.10.1.1 name=David profile=default-encryption remote-address=10.10.1.201
add local-address=10.10.1.1 name=Cliente_2 profile=default-encryption remote-address=10.10.1.2 service=l2tp
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=TIVO upstream=yes
add interface=LAN-Bridge
/system clock
set time-zone-name=Europe/Madrid
/system logging
add disabled=yes topics=firewall
/system ntp client
set primary-ntp=216.239.35.0 secondary-ntp=129.250.35.250
/system scheduler
add interval=15s name="Mikrotik Despierto" on-event="{\r\
\n/tool fetch url=\"http://remote:AAaa1111@192.168.2.205/scada-remote\" http-data=\"m=json&r=grp&fn=write&alias=34/3/51&value=1\" http-method=post as-value output=user; \t \r\
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=nov/16/2019 start-time=13:44:56
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Muchas gracias de antemano!!
Última edición: