Tampoco. Te voy a mandar de nuevo cómo tengo el Mikrotik, por si se me ha pasado algo...
Código:
# Bridge and physical port layout. The LAN bridge has IGMP snooping on and a fixed (non-automatic) MAC.
/interface bridge
add admin-mac=E8:1B:69:59:03:3C auto-mac=no comment=defconf igmp-snooping=yes name=LAN-Bridge
# Port roles are recorded as comments; ether7, ether8 and sfp-sfpplus1 are administratively disabled.
/interface ethernet
set [ find default-name=ether1 ] comment=ISP
set [ find default-name=ether2 ] comment=Switch
set [ find default-name=ether3 ] comment=PC
set [ find default-name=ether5 ] comment=AP
set [ find default-name=ether6 ] comment=LM
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether10 ] comment=IPTV
set [ find default-name=sfp-sfpplus1 ] disabled=yes
# ether1 (ISP) carries two tagged VLANs: 100 for the PPPoE internet session and 105 for the TIVO (IPTV) service.
/interface vlan
add interface=ether1 name=INTERNET vlan-id=100
add interface=ether1 name=TIVO vlan-id=105
# NOTE(review): user= is the ISP account identifier. No password appears in this listing,
# but the identifier is account data and is normally masked before a config is shared publicly.
/interface pppoe-client
add add-default-route=yes disabled=no interface=INTERNET name=PPPoE-out1 user=ONH0000872543@vodafone
# All twelve switch-chip ports (0-11) are set to default-vlan-id=0.
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
# WAN and LAN interface lists; the firewall, neighbor discovery and MAC-server settings in this export refer to them.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# DHCP option 12 is the host-name option; here it carries the literal string TIVO.
/ip dhcp-server option
add code=12 name=TIVO value="'TIVO'"
# Three pools: LAN-Pool feeds the LAN DHCP server; vpn and VPN-Pool are used as remote-address in the PPP profiles below.
/ip pool
add name=LAN-Pool ranges=192.168.2.20-192.168.2.150
add name=vpn ranges=10.10.1.1-10.10.1.200
add name=VPN-Pool ranges=192.168.10.20-192.168.10.250
/ip dhcp-server
add address-pool=LAN-Pool disabled=no interface=LAN-Bridge name=DHCP-LAN
# profile-acceso-router places VPN clients that use it into the LAN interface list (interface-list=LAN),
# so the firewall treats them like local LAN hosts, including access to the router itself.
/ppp profile
add change-tcp-mss=yes interface-list=LAN local-address=192.168.10.1 name=profile-acceso-router remote-address=VPN-Pool use-encryption=yes
# *FFFFFFFE is an internal item id; presumably the built-in default-encryption profile — confirm.
set *FFFFFFFE local-address=10.10.1.1 remote-address=vpn
# The "full" group is granted every policy listed, including telnet, ftp, api and sensitive.
# Which user accounts belong to it is not shown in this listing.
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
# Every LAN-side port, including ether10 (IPTV), is a member of the single LAN-Bridge,
# so the decoder shares one layer-2 segment with the rest of the LAN.
/interface bridge port
add bridge=LAN-Bridge comment=defconf interface=ether2
add bridge=LAN-Bridge comment=defconf interface=ether3
add bridge=LAN-Bridge comment=defconf interface=ether4
add bridge=LAN-Bridge comment=defconf interface=ether5
add bridge=LAN-Bridge comment=defconf interface=ether6
add bridge=LAN-Bridge comment=defconf interface=ether7
add bridge=LAN-Bridge comment=defconf interface=ether8
add bridge=LAN-Bridge comment=defconf interface=ether9
add bridge=LAN-Bridge comment=defconf interface=sfp-sfpplus1
add bridge=LAN-Bridge interface=ether10
# Neighbor discovery is limited to interfaces in the LAN list.
/ip neighbor discovery-settings
set discover-interface-list=LAN
# L2TP sessions must be protected by IPsec (use-ipsec=required).
/interface l2tp-server server
set use-ipsec=required
# LAN = LAN-Bridge; WAN = ether1 and PPPoE-out1.
# NOTE(review): the TIVO VLAN interface is in neither list, so firewall rules keyed on the
# WAN list do not apply to traffic arriving on it.
/interface list member
add comment=defconf interface=LAN-Bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=PPPoE-out1 list=WAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.2.1/24 comment=defconf interface=LAN-Bridge network=192.168.2.0
# Dynamic DNS through MikroTik IP Cloud is enabled; the address-list entries further down use such names.
/ip cloud
set ddns-enabled=yes
# The TIVO VLAN takes its address by DHCP from the provider but ignores the offered default route, DNS and NTP.
/ip dhcp-client
add add-default-route=no disabled=no interface=TIVO use-peer-dns=no use-peer-ntp=no
# Static leases. Several addresses (.11-.13, .221-.232) lie outside LAN-Pool (192.168.2.20-150).
# The TIVO decoder is pinned to 192.168.2.129.
/ip dhcp-server lease
add address=192.168.2.225 client-id=1:cc:9e:a2:62:f2:cc comment="Alexa Yoga" mac-address=CC:9E:A2:62:F2:CC server=DHCP-LAN
add address=192.168.2.222 comment="Alexa Estudio" mac-address=14:91:38:F3:DF:F0 server=DHCP-LAN
add address=192.168.2.221 client-id=1:44:0:49:4d:e4:ab comment="Alexa Salon" mac-address=44:00:49:4D:E4:AB server=DHCP-LAN
add address=192.168.2.224 client-id=1:5c:41:5a:93:bd:85 comment="Alexa Cocina" mac-address=5C:41:5A:93:BD:85 server=DHCP-LAN
add address=192.168.2.13 client-id=1:44:85:0:30:1e:61 comment="PC Curro" mac-address=44:85:00:30:1E:61 server=DHCP-LAN
add address=192.168.2.231 comment="Xiaomi Vacuum" mac-address=40:31:3C:A2:E3:3B server=DHCP-LAN
add address=192.168.2.145 client-id=1:7c:d5:66:b8:e7:90 comment=Despertador mac-address=7C:D5:66:B8:E7:90 server=DHCP-LAN
add address=192.168.2.232 client-id=1:e8:f2:e2:ab:ea:39 comment="TV Salon" mac-address=E8:F2:E2:AB:EA:39 server=DHCP-LAN
add address=192.168.2.11 client-id=1:b8:ac:6f:9d:62:d6 comment="PC Estudio" mac-address=B8:AC:6F:9D:62:D6 server=DHCP-LAN
add address=192.168.2.12 client-id=1:ea:f2:30:ce:22:b6 comment="Movil David" mac-address=EA:F2:30:CE:22:B6 server=DHCP-LAN
add address=192.168.2.129 client-id=1:20:9a:7d:72:48:a0 comment=TIVO mac-address=20:9A:7D:72:48:A0 server=DHCP-LAN
/ip dhcp-server network
add address=192.168.2.0/24 comment=defconf gateway=192.168.2.1 netmask=24
# NOTE(review): this entry attaches the TIVO option to 192.168.2.251/32 with netmask=29, while the
# decoder's lease above is 192.168.2.129 — the entry may never match that client; confirm.
add address=192.168.2.251/32 dhcp-option=TIVO gateway=192.168.2.1 netmask=29
# allow-remote-requests=yes makes the router answer DNS queries itself; who can reach that
# resolver is decided by the input chain of the firewall.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.2.1 comment=defconf name=router.lan
# Address lists resolved from *.sn.mynetname.net DDNS names and used by the dst-nat rules.
# NOTE(review): these names identify the individual routers and are normally masked in public posts.
/ip firewall address-list
add address=b8f60a38c7a4.sn.mynetname.net list=public-ip
add address=4ac704c13b00.sn.mynetname.net list=ip-aitas
# Input chain (traffic addressed to the router itself). Rule order matters: first match wins.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# NOTE(review): this accepts every new connection to the router arriving on the ISP's IPTV VLAN,
# ahead of the drop rules below. With allow-remote-requests=yes under /ip dns and winbox not
# disabled under /ip service, those services are reachable from the provider's IPTV network.
# Restricting the rule to the protocols the IPTV service actually needs would narrow it — confirm what the decoder requires.
add action=accept chain=input comment="Accept TIVO traffic" in-interface=TIVO
# IPsec NAT-T (4500), IKE (500) and L2TP (1701) are accepted from any interface.
# NOTE(review): the 1701 rule has no ipsec-policy=in,ipsec matcher, so bare L2TP packets pass the
# firewall; it is the l2tp-server's use-ipsec=required that refuses unencrypted sessions.
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Final input rule: anything not accepted above and not arriving from a LAN-list interface is dropped.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# Forward chain (traffic routed through the router).
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=forward in-interface-list=LAN
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# NOTE(review): the only drop for new forwarded connections is tied to in-interface-list=WAN, and
# the TIVO VLAN is not a WAN member in /interface list member. New connections entering on TIVO
# appear to match no rule here and would fall through to the chain's default accept —
# confirm, and consider an explicit drop for that interface.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# Priority marking on egress: 4 towards TIVO, 0 towards the PPPoE session.
/ip firewall mangle
add action=set-priority chain=postrouting new-priority=4 out-interface=TIVO
add action=set-priority chain=postrouting new-priority=0 out-interface=PPPoE-out1
# Source NAT: hairpin for LAN-to-LAN, masquerade towards WAN, for the 192.168.10.0/24 VPN range, and out of the TIVO VLAN.
/ip firewall nat
add action=masquerade chain=srcnat comment=hairpin-nat dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.10.0/24
add action=masquerade chain=srcnat comment="TIVO masquerade" out-interface=TIVO
# Sends UDP packets that arrive on TIVO with source port 161 to the decoder's static lease (192.168.2.129), port 161.
add action=dst-nat chain=dstnat dst-address-type=local in-interface=TIVO protocol=udp src-port=161 to-addresses=192.168.2.129 to-ports=161
# Port forwards keyed on the public-ip / ip-aitas address lists. Only the 443 -> 192.168.2.201:40443
# rule ("Hacia Proxy Inverso") is enabled and it has no source restriction; the NAS, Let's Encrypt,
# Plex and LM forwards all carry disabled=yes.
add action=dst-nat chain=dstnat comment=NAS disabled=yes dst-address-list=public-ip dst-port=52151 log=yes log-prefix="Conexi\F3n NAS" protocol=tcp to-addresses=192.168.2.201
add action=dst-nat chain=dstnat comment="Solamente para instalar los certificados Lets Encrypt" disabled=yes dst-address-list=public-ip dst-port=80 protocol=tcp to-addresses=192.168.2.201 to-ports=40080
add action=dst-nat chain=dstnat comment="Hacia Proxy Inverso" dst-address-list=public-ip dst-port=443 protocol=tcp to-addresses=192.168.2.201 to-ports=40443
add action=dst-nat chain=dstnat comment=Plex disabled=yes dst-address-list=ip-aitas dst-port=32400 protocol=tcp src-address-list=ip-aitas to-addresses=192.168.2.201
add action=dst-nat chain=dstnat comment=LM disabled=yes dst-address-list=public-ip dst-port=52200 protocol=tcp to-addresses=192.168.2.205 to-ports=443
# Static routes to the provider's IPTV networks via the TIVO VLAN, plus 10.10.2.0/24 via 10.10.1.2
# (the remote-address of the Cliente_2 L2TP secret below).
# NOTE(review): pref-src is a fixed address while TIVO obtains its address by DHCP; if the
# lease changes these routes would presumably need updating — confirm.
/ip route
add distance=1 dst-address=10.8.57.0/24 gateway=TIVO pref-src=10.214.13.28
add distance=1 dst-address=10.8.58.0/24 gateway=TIVO pref-src=10.214.13.28
add distance=1 dst-address=10.8.59.0/24 gateway=TIVO pref-src=10.214.13.28
add distance=1 dst-address=10.10.2.0/24 gateway=10.10.1.2
add distance=1 dst-address=10.15.220.0/24 gateway=TIVO pref-src=10.214.13.28
add distance=1 dst-address=10.179.32.0/23 gateway=TIVO pref-src=10.214.13.28
# Management services: telnet, ftp, www, ssh and api-ssl are off. The unencrypted api service stays
# on but is restricted to 192.168.2.205; winbox is moved to port 8299.
# NOTE(review): winbox has no address= restriction here, so its reachability is governed only by the input chain.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api address=192.168.2.205/32
set winbox port=8299
set api-ssl disabled=yes
# Two L2TP accounts. No password= values appear in this listing.
/ppp secret
add name=David profile=profile-acceso-router service=l2tp
add local-address=10.10.1.1 name=Cliente_2 profile=default-encryption remote-address=10.10.1.2 service=l2tp
# IGMP proxy: TIVO is the upstream interface and accepts sources from any subnet
# (alternative-subnets=0.0.0.0/0); LAN-Bridge is the downstream interface.
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=TIVO upstream=yes
add interface=LAN-Bridge
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=D_Router
# Runs every 15 s and POSTs a write request to /scada-remote on 192.168.2.205.
# NOTE(review): the URL embeds a username and password in clear text and the request is plain HTTP,
# so the credential is exposed both in this public listing and on the wire. It should be treated as
# disclosed, changed on the target device, and masked whenever the config is shared.
# NOTE(review): the policy list granted to the script looks wider than a single fetch call needs — trim after testing.
/system scheduler
add interval=15s name="Mikrotik Despierto" on-event="{\r\
\n/tool fetch url=\"http://remote:AAaa1111@192.168.2.205/scada-remote\" http-data=\"m=json&r=grp&fn=write&alias=34/3/51&value=1\" http-method=post as-value output=user; \t \r\
\n}" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=nov/16/2019 start-time=13:44:56
# MAC-telnet and MAC-winbox are limited to interfaces in the LAN list.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Bueno. Pues vamos a hacer algo que quizás debiéramos haber hecho al principio, pero que no quise para no liarte, ya que te estaba funcionando la TV: crear un IPTV-Bridge separado. Esto tiene varios beneficios.
1) Nos va a permitir crear un pool para las tres direcciones del desco, tal y como viene en el Sercomm, y sendas reglas NAT. A ver si así chuta de una maldita vez.
2) Además, al separar el tráfico de IPTV y enchufarlo sólo al puerto ether10, al bridge principal le puedes quitar el IGMP-snooping y te funcionará el Hardware Offloading (aceleración hardware) en el switch para los otros puertos. Con ello aprovecharás esa facilidad e irá como una moto, sobre todo en tráfico entre puertos.
3) Por último, si conseguimos que funcione IPTV, y en algún momento quisieras llevarte un desco y la IPTV a otra localización (casa de la playa), lo podrías hacer con un túnel EoiP desde el IPTV-Bridge precisamente.
Manos a la obra:
a) Crea un IPTV-Bridge. Le vas a poner la MAC de la LAN del Sercomm (se la clonamos) y al LAN-Bridge, le pones la original que te daba el MT, que creo que es esta. Como ves, le he quitado el igmp-snooping al LAN-Bridge, para que tenga HW Offloading
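/interface bridge
# IPTV-Bridge takes the LAN MAC address of the Sercomm router (cloned, as step a describes) and keeps IGMP snooping on.
# The admin-mac value is a placeholder to be replaced with that address. The post's own placeholder was
# split across lines by the page extraction and partly lost; the surviving fragments were
# "LA" and "E:EL:SE:RC:OM:MM".
add admin-mac=<SERCOMM-LAN-MAC> auto-mac=no igmp-snooping=yes name=IPTV-Bridge
# LAN-Bridge goes back to the router's own MAC and drops igmp-snooping so its ports can use hardware offloading.
# NOTE(review): a bridge named LAN-Bridge already exists in the export posted earlier on this page, so on
# that router these values are presumably applied to the existing bridge rather than added again — confirm.
add admin-mac=74:4D:28:89:9B:11 auto-mac=no comment=defconf name=LAN-Bridge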
b) Saca el ether10 del LAN-Bridge. Para ello vas a Bridge -> Ports y eliminas el puerto ether10
c) Añade ether10 a IPTV-Bridge.
# ether10 becomes the only member port of IPTV-Bridge; hw=no turns hardware offloading off for this port.
/interface bridge port
add bridge=IPTV-Bridge hw=no interface=ether10
d) Añadimos el IPTV-Bridge a la lista LAN.
# NOTE(review): LAN-list membership is what the posted firewall trusts. The input chain drops only
# traffic not coming from LAN, and the forward chain accepts everything with in-interface-list=LAN.
# Neighbor discovery, MAC-telnet and MAC-winbox are also opened per LAN list. With this line the
# decoder segment gets the same access to the router and to the other subnets as the home LAN.
# If the aim is to isolate IPTV, a separate interface list with its own narrower rules keeps the segment apart.
/interface list member
add interface=IPTV-Bridge list=LAN
e) Creamos un pool para el IPTV-Bridge.
# Three-address pool (192.168.3.129-131), one address per decoder address mentioned in point 1.
/ip pool
add comment="Pool for IPTV-bridge subnet" name=IPTV-pool ranges=192.168.3.129-192.168.3.131
f) Damos dirección al IPTV-Bridge.
# The router becomes 192.168.3.1 on the new IPTV segment (192.168.3.0/24).
/ip address
add address=192.168.3.1/24 comment="IPTV subnet" interface=IPTV-Bridge \
network=192.168.3.0
g) Elimina la lease estática que tenías al desco desde el LAN-Bridge, y apaga el desco.
h) Definimos la red para el DHCP del IPTV-Bridge. (Si te diera error la máscara /25, cambia el valor de la misma a /24, que no lo he probado en mi equipo)
# DHCP network entry for the IPTV segment, handing out the TIVO option and 192.168.3.1 as gateway.
# NOTE(review): address= is written as a host address with a /25 prefix (192.168.3.129/25) while
# netmask=24 is sent to clients and the interface itself is 192.168.3.1/24. The author marks this
# as untested, so confirm the prefix the decoder expects.
/ip dhcp-server network
add address=192.168.3.129/25 comment="IPTV-Bridge subnet" dhcp-option=TIVO \
gateway=192.168.3.1 netmask=24
i) Arrancamos el DHCP para el IPTV-Bridge
# DHCP server bound to IPTV-Bridge, serving IPTV-pool with a 22-hour lease time.
/ip dhcp-server
add address-pool=IPTV-pool disabled=no interface=IPTV-Bridge \
lease-time=22h name=IPTV-dhcp-server
j) Ahora toca las reglas NAT. NO pongas el protocolo, por si necesitara UDP y TCP.
# Destination NAT for traffic the provider sends to the router's own address on the TIVO VLAN:
# port 161 -> 192.168.3.129:161, port 10001 -> 192.168.3.130:161, port 10002 -> 192.168.3.131:161.
# Port 161 is SNMP; scope is limited to in-interface=TIVO and dst-address-type=local.
# NOTE(review): as far as I know RouterOS accepts port matchers (dst-port, to-ports) only together with a
# port-carrying protocol such as tcp or udp, so these lines would be rejected without protocol=.
# If both protocols are needed, one rule per protocol covers it — confirm on the device.
# NOTE(review): the export posted earlier on this page has a dst-nat on in-interface=TIVO pointing at
# 192.168.2.129 and matching src-port=161 rather than dst-port; the steps do not say to remove it.
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-type=local in-interface=TIVO dst-port=161 to-addresses=192.168.3.129 to-ports=161
add action=dst-nat chain=dstnat dst-address-type=local in-interface=TIVO dst-port=10001 to-addresses=192.168.3.130 to-ports=161
add action=dst-nat chain=dstnat dst-address-type=local in-interface=TIVO dst-port=10002 to-addresses=192.168.3.131 to-ports=161
k) Ahora toca modificar el IGMP-Proxy. Con esto SOLO inyectará tráfico IPTV al IPTV-Bridge y al puerto ether10, a él conectado. Sólo debes cambiar la interfaz de salida.
# Target state of the IGMP proxy: TIVO stays the upstream interface and IPTV-Bridge replaces LAN-Bridge
# as the downstream one, so multicast is proxied only to the IPTV segment.
# The TIVO upstream entry already exists in the export posted earlier on this page; per step k only the
# downstream interface changes. alternative-subnets=0.0.0.0/0 accepts multicast sources from any subnet upstream.
/routing igmp-proxy interface
add alternative-subnets=0.0.0.0/0 interface=TIVO upstream=yes
add interface=IPTV-Bridge
L) Y ahora toca reboot, por si acaso.
m) Y por fin, los consabidos pasos para poner la dirección del desco estática a 192.168.3.129. Ya sabes.
Ahora verás que en todos los puertos del LAN-Bridge te aparece a su lado un H. Eso es que se ha puesto en marcha la aceleración hardware. Si no te apareciera, debes entrar en el LAN-Bridge y poner el protocolo a "none". (NO recuerdo si el 4011 es compatible con STP/RSTP, pero creo que sí, por lo que esto no haría falta: /interface bridge add name=LAN-Bridge protocol-mode=none)
A ver si hay suerte. Ya me cuentas.