MANUAL: Mikrotik, el amigo gorrón [IPTV pululante]
- Iniciador del tema pokoyo
- Fecha de inicio
Estos serían los export de Pepe2 y Paco, no pongo Pepe1, pues funciona sin problema.
Pepe2
Paco
Es posible que en mi afán de arreglar algo, lo haya empeorado aún más.
Gracias por vuestra ayuda, he tenido problemas físicos (rotura de ligamentos y radio) y es como volver a empezar.
Salu2
Pepe2
Código:
# nov/18/2022 04:53:21 by RouterOS 7.6
# software id = B7XX-Y1Q3
#
# model = RB750Gr3
# serial number = CCxxxxxxxxxx
/interface bridge
add admin-mac=DC:2C:6E:EA:2E:6A auto-mac=no comment=defconf name=bridge
add igmp-snooping=yes name=bridge-iptv
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
use-peer-dns=yes user=adslppp@telefonicanetpa
/interface eoip
add local-address=172.17.0.5 mac-address=FE:C3:18:3E:AE:27 mtu=1500 name=\
eoip-iptv remote-address=172.17.0.6 tunnel-id=1
/interface wireguard
add listen-port=54322 mtu=1420 name=wg-sts-iptv
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge-iptv comment=defconf interface=ether5
add bridge=bridge-iptv interface=eoip-iptv
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=gorron-iptv endpoint-address=\
ccxxxxxxxxxx.sn.mynetname.net endpoint-port=11118 interface=wg-sts-iptv \
public-key="tYq8f8UPdfo0LFsyxxxxxxxxxxxxxxxsbQXwPH9nw="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
add address=172.17.0.5/30 interface=wg-sts-iptv network=172.17.0.4
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="vpn: allow wireguard gorron" dst-port=\
54321 protocol=udp
add action=accept chain=input comment="iptv: allow gre for eoip" \
in-interface=wg-sts-iptv protocol=gre
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=Pepe2
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LANPaco
Código:
# nov/18/2022 19:21:27 by RouterOS 7.6
# software id = ZZ3W-Y97Z
#
# model = RB750Gr3
# serial number = CCxxxxxxxxxx
/interface bridge
add igmp-snooping=yes name=bridge-iptv
add admin-mac=DC:2C:6E:E1:FB:92 auto-mac=no name=bridge-lo
/interface eoip
add local-address=172.17.0.2 mac-address=FE:13:8F:71:30:47 mtu=1500 name=\
eoip-iptv remote-address=172.17.0.1 tunnel-id=0
add local-address=172.17.0.5 mac-address=FE:13:8F:71:30:47 mtu=1500 name=\
eoip-iptv-2 remote-address=172.17.0.6 tunnel-id=1
/interface wireguard
add listen-port=11117 mtu=1420 name=wg-sts-iptv
add listen-port=11118 mtu=1420 name=wg-sts-iptv-2
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-lo ranges=192.168.79.2-192.168.79.254
/ip dhcp-server
add address-pool=pool-lo interface=bridge-lo name=dhcp-lo
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-lo interface=ether2
add bridge=bridge-iptv interface=ether1
add bridge=bridge-iptv interface=eoip-iptv
add bridge=bridge-iptv interface=eoip-iptv-2
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=gorron1 endpoint-address=\
ccxxxxxxxxxx.sn.mynetname.net endpoint-port=54321 interface=wg-sts-iptv \
persistent-keepalive=25s public-key=\
"SuByaNs5y1wbgYmpgxxxxxxxxxxxxxeuYauIfKsyenA="
add allowed-address=0.0.0.0/0 comment=gorron2 endpoint-address=\
ccxxxxxxxxxx.sn.mynetname.net endpoint-port=54322 interface=wg-sts-iptv-2 \
persistent-keepalive=25s public-key=\
"X42MtXG4xsFqV1xxxxxxxxxxxxxxx13xM4+uIaERVN252c="
/ip address
add address=192.168.79.1/24 interface=bridge-lo network=192.168.79.0
add address=172.17.0.2/30 interface=wg-sts-iptv network=172.17.0.0
add address=172.17.0.5/30 interface=wg-sts-iptv-2 network=172.17.0.4
add address=192.168.1.200/24 disabled=yes interface=ether2 network=\
192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=bridge-iptv
/ip dhcp-server network
add address=192.168.79.0/24 gateway=192.168.79.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add dst-address=192.168.88.0/24 gateway=172.17.0.1
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=PacoEs posible que en mi afán de arreglar algo, lo haya empeorado aún más.
Gracias por vuestra ayuda, he tenido problemas físicos (rotura de ligamentos y radio) y es como volver a empezar.
Salu2
diamuxin
Usuari@ ADSLzone
- Mensajes
- 737
hola, te cuento lo que he visto por encima.Estos serían los export de Pepe2 y Paco, no pongo Pepe1, pues funciona sin problema.
Pepe2
Código:# nov/18/2022 04:53:21 by RouterOS 7.6 # software id = B7XX-Y1Q3 # # model = RB750Gr3 # serial number = CCxxxxxxxxxx /interface bridge add admin-mac=DC:2C:6E:EA:2E:6A auto-mac=no comment=defconf name=bridge add igmp-snooping=yes name=bridge-iptv /interface pppoe-client add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \ use-peer-dns=yes user=adslppp@telefonicanetpa /interface eoip add local-address=172.17.0.5 mac-address=FE:C3:18:3E:AE:27 mtu=1500 name=\ eoip-iptv remote-address=172.17.0.6 tunnel-id=1 /interface wireguard add listen-port=54322 mtu=1420 name=wg-sts-iptv /interface list add comment=defconf name=WAN add comment=defconf name=LAN /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik /ip hotspot profile set [ find default=yes ] html-directory=hotspot /ip pool add name=dhcp ranges=192.168.88.10-192.168.88.254 /ip dhcp-server add address-pool=dhcp interface=bridge name=defconf /port set 0 name=serial0 /interface bridge port add bridge=bridge comment=defconf interface=ether2 add bridge=bridge comment=defconf interface=ether3 add bridge=bridge comment=defconf interface=ether4 add bridge=bridge-iptv comment=defconf interface=ether5 add bridge=bridge-iptv interface=eoip-iptv /ip neighbor discovery-settings set discover-interface-list=LAN /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=ether1 list=WAN add interface=pppoe-out1 list=WAN /interface wireguard peers add allowed-address=0.0.0.0/0 comment=gorron-iptv endpoint-address=\ ccxxxxxxxxxx.sn.mynetname.net endpoint-port=11118 interface=wg-sts-iptv \ public-key="tYq8f8UPdfo0LFsyxxxxxxxxxxxxxxxsbQXwPH9nw=" /ip address add address=192.168.88.1/24 comment=defconf interface=bridge network=\ 192.168.88.0 add address=172.17.0.5/30 interface=wg-sts-iptv network=172.17.0.4 /ip cloud set ddns-enabled=yes /ip dhcp-client add comment=defconf disabled=yes interface=ether1 /ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\ 192.168.88.1 netmask=24 /ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4 /ip dns static add address=192.168.88.1 comment=defconf name=router.lan /ip firewall filter add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=\ invalid add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp add action=accept chain=input comment=\ "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 add action=accept chain=input comment="vpn: allow wireguard gorron" dst-port=\ 54321 protocol=udp add action=accept chain=input comment="iptv: allow gre for eoip" \ in-interface=wg-sts-iptv protocol=gre add action=drop chain=input comment="defconf: drop all not coming from LAN" \ in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept in ipsec policy" \ ipsec-policy=in,ipsec add action=accept chain=forward comment="defconf: accept out ipsec policy" \ ipsec-policy=out,ipsec add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \ connection-state=established,related hw-offload=yes add action=accept chain=forward comment=\ "defconf: accept established,related, untracked" connection-state=\ established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" \ connection-state=invalid add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new in-interface-list=WAN /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" \ ipsec-policy=out,none out-interface-list=WAN /ip upnp set enabled=yes /ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6 add address=::1/128 comment="defconf: lo" list=bad_ipv6 add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6 add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6 add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6 add address=100::/64 comment="defconf: discard only " list=bad_ipv6 add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6 add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6 add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6 /ipv6 firewall filter add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=\ invalid add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\ icmpv6 add action=accept chain=input comment="defconf: accept UDP traceroute" port=\ 33434-33534 protocol=udp add action=accept chain=input comment=\ "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\ udp src-address=fe80::/10 add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \ protocol=udp add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\ ipsec-ah add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\ ipsec-esp add action=accept chain=input comment=\ "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=input comment=\ "defconf: drop everything else not coming from LAN" in-interface-list=\ !LAN add action=accept chain=forward comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" \ connection-state=invalid add action=drop chain=forward comment=\ "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6 add action=drop chain=forward comment=\ "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6 add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \ hop-limit=equal:1 protocol=icmpv6 add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\ icmpv6 add action=accept chain=forward comment="defconf: accept HIP" protocol=139 add action=accept chain=forward comment="defconf: accept IKE" dst-port=\ 500,4500 protocol=udp add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\ ipsec-ah add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\ ipsec-esp add action=accept chain=forward comment=\ "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=forward comment=\ "defconf: drop everything else not coming from LAN" in-interface-list=\ !LAN /system clock set time-zone-name=Europe/Madrid /system identity set name=Pepe2 /tool mac-server set allowed-interface-list=LAN /tool mac-server mac-winbox set allowed-interface-list=LAN
Paco
Código:# nov/18/2022 19:21:27 by RouterOS 7.6 # software id = ZZ3W-Y97Z # # model = RB750Gr3 # serial number = CCxxxxxxxxxx /interface bridge add igmp-snooping=yes name=bridge-iptv add admin-mac=DC:2C:6E:E1:FB:92 auto-mac=no name=bridge-lo /interface eoip add local-address=172.17.0.2 mac-address=FE:13:8F:71:30:47 mtu=1500 name=\ eoip-iptv remote-address=172.17.0.1 tunnel-id=0 add local-address=172.17.0.5 mac-address=FE:13:8F:71:30:47 mtu=1500 name=\ eoip-iptv-2 remote-address=172.17.0.6 tunnel-id=1 /interface wireguard add listen-port=11117 mtu=1420 name=wg-sts-iptv add listen-port=11118 mtu=1420 name=wg-sts-iptv-2 /interface list add name=WAN add name=LAN /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik /ip pool add name=pool-lo ranges=192.168.79.2-192.168.79.254 /ip dhcp-server add address-pool=pool-lo interface=bridge-lo name=dhcp-lo /port set 0 name=serial0 /interface bridge port add bridge=bridge-lo interface=ether2 add bridge=bridge-iptv interface=ether1 add bridge=bridge-iptv interface=eoip-iptv add bridge=bridge-iptv interface=eoip-iptv-2 /interface list member add interface=ether1 list=WAN add interface=ether2 list=LAN add interface=ether3 list=LAN add interface=ether4 list=LAN add interface=ether5 list=LAN /interface wireguard peers add allowed-address=0.0.0.0/0 comment=gorron1 endpoint-address=\ ccxxxxxxxxxx.sn.mynetname.net endpoint-port=54321 interface=wg-sts-iptv \ persistent-keepalive=25s public-key=\ "SuByaNs5y1wbgYmpgxxxxxxxxxxxxxeuYauIfKsyenA=" add allowed-address=0.0.0.0/0 comment=gorron2 endpoint-address=\ ccxxxxxxxxxx.sn.mynetname.net endpoint-port=54322 interface=wg-sts-iptv-2 \ persistent-keepalive=25s public-key=\ "X42MtXG4xsFqV1xxxxxxxxxxxxxxx13xM4+uIaERVN252c=" /ip address add address=192.168.79.1/24 interface=bridge-lo network=192.168.79.0 add address=172.17.0.2/30 interface=wg-sts-iptv network=172.17.0.0 add address=172.17.0.5/30 interface=wg-sts-iptv-2 network=172.17.0.4 add address=192.168.1.200/24 disabled=yes interface=ether2 network=\ 192.168.1.0 /ip cloud set ddns-enabled=yes /ip dhcp-client add interface=bridge-iptv /ip dhcp-server network add address=192.168.79.0/24 gateway=192.168.79.1 /ip dns set servers=8.8.8.8,8.8.4.4 /ip route add dst-address=192.168.88.0/24 gateway=172.17.0.1 /system clock set time-zone-name=Europe/Madrid /system identity set name=Paco
Es posible que en mi afán de arreglar algo, lo haya empeorado aún más.
Gracias por vuestra ayuda, he tenido problemas físicos (rotura de ligamentos y radio) y es como volver a empezar.
Salu2
Tienes un buen cacao en la configuración de Pepe2:
- El direccionamiento está mal. has puesto la 172.17.0.5 en ambos extremos, si pones en Paco la 172.17.0.5 en Pepe2 debería ser la 172.17.0.6 y ojo con poner correctamente las IPs remotas.
- Los puertos no están bien, si tienes el 54321 entre Paco-Pepe1 y 54322 entre Paco-Pepe2, respetalo en los extremos, estoy viendo que has configurado 11117 y 11118 en Paco en la interfaz de wireguard, corrigelo para que escuchen los puertos correctamente.
- Corrige en el firewall que el puerto que tienes que abrir es el 54322 y has abierto el 54321 que es el de Pepe1
En Paco:
- Tienes creadas listas de interfaces, revisa la config inicial del manual de @pokoyo y veras como no hay ninguna creada, eso te puede dar problemas también.
- los peers y la interfaz wireguard deberían tener los mismos puertos que su extremo.
- Y revisa los puertos wireguard en el HGU que estén abiertos para la ip del mikrotik.
Hazte una idea de como deberías tenerlo:
S@lu2.
- Mensajes
- 13,564
Chapó por @diamuxin y su famoso dibujo, muy explicativo.
@ZZii00, te falta soltura, y esto sólo se consigue practicando. No desesperes, pero no te conformes con copiar y pegar comandos. Primero planifica, haz un esquema (en papel, un dibujito como el compañero, lo que más sencillo te sea), pon todos los datos en él (incluso consúltalo antes) y, cundo lo hayas entendido, lo implementas.
Saludos.
@ZZii00, te falta soltura, y esto sólo se consigue practicando. No desesperes, pero no te conformes con copiar y pegar comandos. Primero planifica, haz un esquema (en papel, un dibujito como el compañero, lo que más sencillo te sea), pon todos los datos en él (incluso consúltalo antes) y, cundo lo hayas entendido, lo implementas.
Saludos.
Hola a todos.
Ya tengo preparado todo, antes de irme a probar la configuración, quiero exponerla para evitar moverme con muletas, que es un coñazo.
Adjunto la foto modificada de como tengo todo.
Y estos son los export de ambos, Router Paco y Pepe2
Paco:
Pepe2
Hoy a iniciar terminal en Paco me ha salido este mensaje:
dhcp,critical,error dhcp-client on bridge-iptv lost IP address 192.168.1.200 - received NAK from dhcp server 192.168.1.1
Desconozco si es importante o no, pero la palabra critical error suena fatal.
Pepe1 sigue funcionando bien, sin problemas.
Muchas gracias por vuestros consejos, hoy todo los cambios los hice desde winbox, nada de machacar código siguiendo las indicaciones.
Salu2
Ya tengo preparado todo, antes de irme a probar la configuración, quiero exponerla para evitar moverme con muletas, que es un coñazo.
Adjunto la foto modificada de como tengo todo.
Y estos son los export de ambos, Router Paco y Pepe2
Paco:
Código:
# nov/20/2022 15:43:42 by RouterOS 7.6
# software id = ZZ3W-Y97Z
#
# model = RB750Gr3
# serial number = CCxxxxxxxxxxxxxx
/interface bridge
add igmp-snooping=yes name=bridge-iptv
add admin-mac=DC:2C:6E:E1:FB:92 auto-mac=no name=bridge-lo
/interface eoip
add local-address=172.17.0.2 mac-address=FE:13:8F:71:30:47 mtu=1500 name=\
eoip-iptv remote-address=172.17.0.1 tunnel-id=0
add local-address=172.17.0.5 mac-address=FE:13:8F:71:30:47 mtu=1500 name=\
eoip-iptv-2 remote-address=172.17.0.6 tunnel-id=1
/interface wireguard
add listen-port=11117 mtu=1420 name=wg-sts-iptv
add listen-port=11118 mtu=1420 name=wg-sts-iptv-2
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-lo ranges=192.168.79.2-192.168.79.254
/ip dhcp-server
add address-pool=pool-lo interface=bridge-lo name=dhcp-lo
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-lo interface=ether2
add bridge=bridge-iptv interface=ether1
add bridge=bridge-iptv interface=eoip-iptv
add bridge=bridge-iptv interface=eoip-iptv-2
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=gorron1 endpoint-address=\
ccxxxxxxxxxxxx.sn.mynetname.net endpoint-port=11117 interface=wg-sts-iptv \
persistent-keepalive=25s public-key=\
"SuByaNs5y1wbgYmpg7IF2XG301hHNJeuYauIfKsyenA="
add allowed-address=0.0.0.0/0 comment=gorron2 endpoint-address=\
ccxxxxxxxxxxxx.sn.mynetname.net endpoint-port=11118 interface=wg-sts-iptv-2 \
persistent-keepalive=25s public-key=\
"X42MtXG4xsFqV1cKrYxNTwjpDU13xM4+uIaERVN252c="
/ip address
add address=192.168.79.1/24 interface=bridge-lo network=192.168.79.0
add address=172.17.0.2/30 interface=wg-sts-iptv network=172.17.0.0
add address=172.17.0.5/30 interface=wg-sts-iptv-2 network=172.17.0.4
add address=192.168.1.200/24 disabled=yes interface=ether2 network=\
192.168.1.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add interface=bridge-iptv
/ip dhcp-server network
add address=192.168.79.0/24 gateway=192.168.79.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add dst-address=192.168.88.0/24 gateway=172.17.0.1
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=PacoPepe2
Código:
# nov/20/2022 15:51:23 by RouterOS 7.6
# software id = B7XX-Y1Q3
#
# model = RB750Gr3
# serial number = CCxxxxxxxxxxxx
/interface bridge
add admin-mac=DC:2C:6E:EA:2E:6A auto-mac=no comment=defconf name=bridge
add igmp-snooping=yes name=bridge-iptv
/interface pppoe-client
add add-default-route=yes interface=ether1 name=pppoe-out1 use-peer-dns=yes \
user=adslppp@telefonicanetpa
/interface eoip
add local-address=172.17.0.6 mac-address=FE:C3:18:3E:AE:27 mtu=1500 name=\
eoip-iptv remote-address=172.17.0.5 tunnel-id=1
/interface wireguard
add listen-port=11118 mtu=1420 name=wg-sts-iptv
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.80.10-192.168.80.254
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge-iptv comment=defconf interface=ether5
add bridge=bridge-iptv interface=eoip-iptv
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/interface wireguard peers
add allowed-address=172.17.0.5/32 comment=gorron-iptv endpoint-address=\
ccxxxxxxxxxxxxxx.sn.mynetname.net endpoint-port=11118 interface=wg-sts-iptv \
public-key="tYq8f8UPdfo0LFsy0DTFW32uDNvy1UbTRsbQXwPH9nw="
/ip address
add address=192.168.80.1/24 comment=defconf interface=bridge network=\
192.168.80.0
add address=172.17.0.6/30 interface=wg-sts-iptv network=172.17.0.4
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.80.0/24 comment=defconf dns-server=192.168.80.1 gateway=\
192.168.80.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.80.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="vpn: allow wireguard gorron" dst-port=\
11118 protocol=udp
add action=accept chain=input comment="iptv: allow gre for eoip" \
in-interface=wg-sts-iptv protocol=gre
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=Pepe2
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LANHoy a iniciar terminal en Paco me ha salido este mensaje:
dhcp,critical,error dhcp-client on bridge-iptv lost IP address 192.168.1.200 - received NAK from dhcp server 192.168.1.1
Desconozco si es importante o no, pero la palabra critical error suena fatal.
Pepe1 sigue funcionando bien, sin problemas.
Muchas gracias por vuestros consejos, hoy todo los cambios los hice desde winbox, nada de machacar código siguiendo las indicaciones.
Salu2
- Mensajes
- 13,564
En Paco cuidado, que has duplicado el EoIP, con la misma dirección MAC. Cuando lo crees (la interfaz EoIP), no especifiques la MAC, y que sea él quien la cree. Sino, vas a liar un conflicto en L2.
Por lo demás, aparentemente, tiene buena pinta.
Saludos!
Por lo demás, aparentemente, tiene buena pinta.
Saludos!
- Mensajes
- 13,564
Ejecuta esto en Paco
Saludos!
Código:
/interface eoip
remove [find]
add local-address=172.17.0.2 mtu=1500 name=\
eoip-iptv remote-address=172.17.0.1 tunnel-id=0
add local-address=172.17.0.5 mtu=1500 name=\
eoip-iptv-2 remote-address=172.17.0.6 tunnel-id=1Saludos!
diamuxin
Usuari@ ADSLzone
- Mensajes
- 737
Jeje, casi, casi... pero aún tienes bastantes fallos.Hola a todos.
Ya tengo preparado todo, antes de irme a probar la configuración, quiero exponerla para evitar moverme con muletas, que es un coñazo.
Adjunto la foto modificada de como tengo todo.
Ver el adjunto 101358
Y estos son los export de ambos, Router Paco y Pepe2
Paco:
Código:# nov/20/2022 15:43:42 by RouterOS 7.6 # software id = ZZ3W-Y97Z # # model = RB750Gr3 # serial number = CCxxxxxxxxxxxxxx /interface bridge add igmp-snooping=yes name=bridge-iptv add admin-mac=DC:2C:6E:E1:FB:92 auto-mac=no name=bridge-lo /interface eoip add local-address=172.17.0.2 mac-address=FE:13:8F:71:30:47 mtu=1500 name=\ eoip-iptv remote-address=172.17.0.1 tunnel-id=0 add local-address=172.17.0.5 mac-address=FE:13:8F:71:30:47 mtu=1500 name=\ eoip-iptv-2 remote-address=172.17.0.6 tunnel-id=1 /interface wireguard add listen-port=11117 mtu=1420 name=wg-sts-iptv add listen-port=11118 mtu=1420 name=wg-sts-iptv-2 /interface list add name=WAN add name=LAN /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik /ip pool add name=pool-lo ranges=192.168.79.2-192.168.79.254 /ip dhcp-server add address-pool=pool-lo interface=bridge-lo name=dhcp-lo /port set 0 name=serial0 /interface bridge port add bridge=bridge-lo interface=ether2 add bridge=bridge-iptv interface=ether1 add bridge=bridge-iptv interface=eoip-iptv add bridge=bridge-iptv interface=eoip-iptv-2 /interface wireguard peers add allowed-address=0.0.0.0/0 comment=gorron1 endpoint-address=\ ccxxxxxxxxxxxx.sn.mynetname.net endpoint-port=11117 interface=wg-sts-iptv \ persistent-keepalive=25s public-key=\ "SuByaNs5y1wbgYmpg7IF2XG301hHNJeuYauIfKsyenA=" add allowed-address=0.0.0.0/0 comment=gorron2 endpoint-address=\ ccxxxxxxxxxxxx.sn.mynetname.net endpoint-port=11118 interface=wg-sts-iptv-2 \ persistent-keepalive=25s public-key=\ "X42MtXG4xsFqV1cKrYxNTwjpDU13xM4+uIaERVN252c=" /ip address add address=192.168.79.1/24 interface=bridge-lo network=192.168.79.0 add address=172.17.0.2/30 interface=wg-sts-iptv network=172.17.0.0 add address=172.17.0.5/30 interface=wg-sts-iptv-2 network=172.17.0.4 add address=192.168.1.200/24 disabled=yes interface=ether2 network=\ 192.168.1.0 /ip cloud set ddns-enabled=yes ddns-update-interval=1m /ip dhcp-client add interface=bridge-iptv /ip dhcp-server network add address=192.168.79.0/24 gateway=192.168.79.1 /ip dns set servers=8.8.8.8,8.8.4.4 /ip route add dst-address=192.168.88.0/24 gateway=172.17.0.1 /system clock set time-zone-name=Europe/Madrid /system identity set name=Paco
Pepe2
Código:# nov/20/2022 15:51:23 by RouterOS 7.6 # software id = B7XX-Y1Q3 # # model = RB750Gr3 # serial number = CCxxxxxxxxxxxx /interface bridge add admin-mac=DC:2C:6E:EA:2E:6A auto-mac=no comment=defconf name=bridge add igmp-snooping=yes name=bridge-iptv /interface pppoe-client add add-default-route=yes interface=ether1 name=pppoe-out1 use-peer-dns=yes \ user=adslppp@telefonicanetpa /interface eoip add local-address=172.17.0.6 mac-address=FE:C3:18:3E:AE:27 mtu=1500 name=\ eoip-iptv remote-address=172.17.0.5 tunnel-id=1 /interface wireguard add listen-port=11118 mtu=1420 name=wg-sts-iptv /interface list add comment=defconf name=WAN add comment=defconf name=LAN /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik /ip hotspot profile set [ find default=yes ] html-directory=hotspot /ip pool add name=dhcp ranges=192.168.80.10-192.168.80.254 /ip dhcp-server add address-pool=dhcp interface=bridge name=defconf /port set 0 name=serial0 /interface bridge port add bridge=bridge comment=defconf interface=ether2 add bridge=bridge comment=defconf interface=ether3 add bridge=bridge comment=defconf interface=ether4 add bridge=bridge-iptv comment=defconf interface=ether5 add bridge=bridge-iptv interface=eoip-iptv /ip neighbor discovery-settings set discover-interface-list=LAN /interface list member add comment=defconf interface=bridge list=LAN add comment=defconf interface=ether1 list=WAN add interface=pppoe-out1 list=WAN /interface wireguard peers add allowed-address=172.17.0.5/32 comment=gorron-iptv endpoint-address=\ ccxxxxxxxxxxxxxx.sn.mynetname.net endpoint-port=11118 interface=wg-sts-iptv \ public-key="tYq8f8UPdfo0LFsy0DTFW32uDNvy1UbTRsbQXwPH9nw=" /ip address add address=192.168.80.1/24 comment=defconf interface=bridge network=\ 192.168.80.0 add address=172.17.0.6/30 interface=wg-sts-iptv network=172.17.0.4 /ip cloud set ddns-enabled=yes ddns-update-interval=1m /ip dhcp-client add comment=defconf interface=ether1 /ip dhcp-server network add address=192.168.80.0/24 comment=defconf dns-server=192.168.80.1 gateway=\ 192.168.80.1 netmask=24 /ip dns set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4 /ip dns static add address=192.168.80.1 comment=defconf name=router.lan /ip firewall filter add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=\ invalid add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp add action=accept chain=input comment=\ "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 add action=accept chain=input comment="vpn: allow wireguard gorron" dst-port=\ 11118 protocol=udp add action=accept chain=input comment="iptv: allow gre for eoip" \ in-interface=wg-sts-iptv protocol=gre add action=drop chain=input comment="defconf: drop all not coming from LAN" \ in-interface-list=!LAN add action=accept chain=forward comment="defconf: accept in ipsec policy" \ ipsec-policy=in,ipsec add action=accept chain=forward comment="defconf: accept out ipsec policy" \ ipsec-policy=out,ipsec add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \ connection-state=established,related hw-offload=yes add action=accept chain=forward comment=\ "defconf: accept established,related, untracked" connection-state=\ established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" \ connection-state=invalid add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new in-interface-list=WAN /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" \ ipsec-policy=out,none out-interface-list=WAN /ip upnp set enabled=yes /ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6 add address=::1/128 comment="defconf: lo" list=bad_ipv6 add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6 add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6 add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6 add address=100::/64 comment="defconf: discard only " list=bad_ipv6 add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6 add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6 add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6 /ipv6 firewall filter add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=input comment="defconf: drop invalid" connection-state=\ invalid add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\ icmpv6 add action=accept chain=input comment="defconf: accept UDP traceroute" port=\ 33434-33534 protocol=udp add action=accept chain=input comment=\ "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\ udp src-address=fe80::/10 add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \ protocol=udp add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\ ipsec-ah add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\ ipsec-esp add action=accept chain=input comment=\ "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=input comment=\ "defconf: drop everything else not coming from LAN" in-interface-list=\ !LAN add action=accept chain=forward comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" \ connection-state=invalid add action=drop chain=forward comment=\ "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6 add action=drop chain=forward comment=\ "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6 add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \ hop-limit=equal:1 protocol=icmpv6 add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\ icmpv6 add action=accept chain=forward comment="defconf: accept HIP" protocol=139 add action=accept chain=forward comment="defconf: accept IKE" dst-port=\ 500,4500 protocol=udp add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\ ipsec-ah add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\ ipsec-esp add action=accept chain=forward comment=\ "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec add action=drop chain=forward comment=\ "defconf: drop everything else not coming from LAN" in-interface-list=\ !LAN /system clock set time-zone-name=Europe/Madrid /system identity set name=Pepe2 /tool mac-server set allowed-interface-list=LAN /tool mac-server mac-winbox set allowed-interface-list=LAN
Hoy a iniciar terminal en Paco me ha salido este mensaje:
dhcp,critical,error dhcp-client on bridge-iptv lost IP address 192.168.1.200 - received NAK from dhcp server 192.168.1.1
Desconozco si es importante o no, pero la palabra critical error suena fatal.
Pepe1 sigue funcionando bien, sin problemas.
Muchas gracias por vuestros consejos, hoy todo los cambios los hice desde winbox, nada de machacar código siguiendo las indicaciones.
Salu2
A ver, lo que yo veo:
Paco
- Como dice @pokoyo has puesto las mismas direcciones MAC en las interfaces EoIP
- Elimina las listas de interfaces WAN y LAN, no las necesitas.
- Direccionamiento IP erróneo de la interfaz wireguard, a la IP 172.17.0.5 le corresponde la network 172.17.0.0 y has puesto la .0.4.
- Has asignado a ether2 una IP manual (192.168.1.200), no es correcto ya que este es el puerto de administración y la IP se la da el servidor DHCP que has creado con el rango 192.168.79.0
Pepe2
- Aquí también has repetido el mismo error, la network correcta es 172.17.0.0 y no la .0.4
- Otra cosa, doy por hecho que el dhcp-client se conecta bien a internet verdad?
S@lu2.
Última edición:
- Mensajes
- 13,564
Es posible que, al eliminar dichas interfaces EoIP, te toque borrar dichos puertos del bridge-iptv y volver a meterlos (además de todo lo que te ha dicho el compañero, que se ha leído tu config mucho mejor que yo)
Saludos!
Saludos!
diamuxin
Usuari@ ADSLzone
- Mensajes
- 737
Que me corrija @pokoyo si no, pero quizás necesites una subred diferente para cada interfaz wireguard (así lo tengo yo actualmente). Por probar que no quede.Direccionamiento IP erróneo de la interfaz wireguard, a la IP 172.17.0.5 le corresponde la network 172.17.0.0 y has puesto la .0.4.
Cuando lo intento cambiar automaticamente winbox me pone 127.17.0.4 tanto en Paco como en Pepe2 172.17.0.6.
Salu2
Por ejemplo:
site 1: 172.17.0.2 <-----> 172.17.0.1
site 2: 172.17.10.2 <------> 172.17.10.1 (en vez de 172.17.0.5 <----->172.17.0.6)
CONSEJO: Creo que lo mejor es empezar el manual de nuevo a rajatabla y las dudas las posteas por aquí, creo que con lo ya comentado hasta ahora ya tienes más o menos la idea de como debe ir.
S@lu2
Paco
Esta linea:
add address=172.17.0.5/30 interface=wg-sts-iptv-2 network=172.17.0.4
tanto en Paco (172.17.0.5/30) como en Pepe2 (172.17.0.6/30) me dan error al editarlas si pongo 172.17.0.0, se cambian auto a 172.17.0.4
Muchas gracias a los dos por vuestro tiempo.
Salu2
Código:
# nov/20/2022 21:10:52 by RouterOS 7.6
# software id = ZZ3W-Y97Z
#
# model = RB750Gr3
# serial number = CCXXXXXXXXXX
/interface bridge
add igmp-snooping=yes name=bridge-iptv
add admin-mac=DC:2C:6E:E1:FB:92 auto-mac=no name=bridge-lo
/interface eoip
add local-address=172.17.0.2 mac-address=FE:A5:F9:A8:CA:CF mtu=1500 name=\
eoip-iptv remote-address=172.17.0.1 tunnel-id=0
add local-address=172.17.0.5 mac-address=FE:1E:BE:B7:37:65 mtu=1500 name=\
eoip-iptv-2 remote-address=172.17.0.6 tunnel-id=1
/interface wireguard
add listen-port=11117 mtu=1420 name=wg-sts-iptv
add listen-port=11118 mtu=1420 name=wg-sts-iptv-2
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-lo ranges=192.168.79.2-192.168.79.254
/ip dhcp-server
add address-pool=pool-lo interface=bridge-lo name=dhcp-lo
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-lo interface=ether2
add bridge=bridge-iptv interface=ether1
add bridge=bridge-iptv interface=eoip-iptv
add bridge=bridge-iptv interface=eoip-iptv-2
/interface wireguard peers
add allowed-address=0.0.0.0/0 comment=gorron1 endpoint-address=\
ccxxxxxxxxxx.sn.mynetname.net endpoint-port=11117 interface=wg-sts-iptv \
persistent-keepalive=25s public-key=\
"SuByaNs5y1wbgYmpg7IF2XG301hHNJeuYauIfKsyenA="
add allowed-address=0.0.0.0/0 comment=gorron2 endpoint-address=\
ccxxxxxxxxxx.sn.mynetname.net endpoint-port=11118 interface=wg-sts-iptv-2 \
persistent-keepalive=25s public-key=\
"X42MtXG4xsFqV1cKrYxNTwjpDU13xM4+uIaERVN252c="
/ip address
add address=192.168.79.1/24 interface=bridge-lo network=192.168.79.0
add address=172.17.0.2/30 interface=wg-sts-iptv network=172.17.0.0
add address=172.17.0.5/30 interface=wg-sts-iptv-2 network=172.17.0.4
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add interface=bridge-iptv
/ip dhcp-server network
add address=192.168.79.0/24 gateway=192.168.79.1
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add dst-address=192.168.88.0/24 gateway=172.17.0.1
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=PacoEsta linea:
add address=172.17.0.5/30 interface=wg-sts-iptv-2 network=172.17.0.4
tanto en Paco (172.17.0.5/30) como en Pepe2 (172.17.0.6/30) me dan error al editarlas si pongo 172.17.0.0, se cambian auto a 172.17.0.4
Muchas gracias a los dos por vuestro tiempo.
Salu2
diamuxin
Usuari@ ADSLzone
- Mensajes
- 737
Eso es por la limitación de la máscara /30 --> cambiala en ambos extremos a /29 por ejemplo y ya te dejará ponerlo a 0.0Paco
Código:# nov/20/2022 21:10:52 by RouterOS 7.6 # software id = ZZ3W-Y97Z # # model = RB750Gr3 # serial number = CCXXXXXXXXXX /interface bridge add igmp-snooping=yes name=bridge-iptv add admin-mac=DC:2C:6E:E1:FB:92 auto-mac=no name=bridge-lo /interface eoip add local-address=172.17.0.2 mac-address=FE:A5:F9:A8:CA:CF mtu=1500 name=\ eoip-iptv remote-address=172.17.0.1 tunnel-id=0 add local-address=172.17.0.5 mac-address=FE:1E:BE:B7:37:65 mtu=1500 name=\ eoip-iptv-2 remote-address=172.17.0.6 tunnel-id=1 /interface wireguard add listen-port=11117 mtu=1420 name=wg-sts-iptv add listen-port=11118 mtu=1420 name=wg-sts-iptv-2 /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik /ip pool add name=pool-lo ranges=192.168.79.2-192.168.79.254 /ip dhcp-server add address-pool=pool-lo interface=bridge-lo name=dhcp-lo /port set 0 name=serial0 /interface bridge port add bridge=bridge-lo interface=ether2 add bridge=bridge-iptv interface=ether1 add bridge=bridge-iptv interface=eoip-iptv add bridge=bridge-iptv interface=eoip-iptv-2 /interface wireguard peers add allowed-address=0.0.0.0/0 comment=gorron1 endpoint-address=\ ccxxxxxxxxxx.sn.mynetname.net endpoint-port=11117 interface=wg-sts-iptv \ persistent-keepalive=25s public-key=\ "SuByaNs5y1wbgYmpg7IF2XG301hHNJeuYauIfKsyenA=" add allowed-address=0.0.0.0/0 comment=gorron2 endpoint-address=\ ccxxxxxxxxxx.sn.mynetname.net endpoint-port=11118 interface=wg-sts-iptv-2 \ persistent-keepalive=25s public-key=\ "X42MtXG4xsFqV1cKrYxNTwjpDU13xM4+uIaERVN252c=" /ip address add address=192.168.79.1/24 interface=bridge-lo network=192.168.79.0 add address=172.17.0.2/30 interface=wg-sts-iptv network=172.17.0.0 add address=172.17.0.5/30 interface=wg-sts-iptv-2 network=172.17.0.4 /ip cloud set ddns-enabled=yes ddns-update-interval=1m /ip dhcp-client add interface=bridge-iptv /ip dhcp-server network add address=192.168.79.0/24 gateway=192.168.79.1 /ip dns set servers=8.8.8.8,8.8.4.4 /ip route add dst-address=192.168.88.0/24 gateway=172.17.0.1 /system clock set time-zone-name=Europe/Madrid /system identity set name=Paco
Esta linea:
add address=172.17.0.5/30 interface=wg-sts-iptv-2 network=172.17.0.4
tanto en Paco (172.17.0.5/30) como en Pepe2 (172.17.0.6/30) me dan error al editarlas si pongo 172.17.0.0, se cambian auto a 172.17.0.4
Muchas gracias a los dos por vuestro tiempo.
Salu2
S@lu2.
S@ludos
- Mensajes
- 13,564
El direccionamiento estaba bien chicos. Una subred /24, se puede partir en 64 subredes de tipo /30, cada una con dos IPs usables y dos de red y broadcast. Lo único que el compañero tenía "mal" (esto ya es una pijada mía, podéis ponerlo como querais) es que, para uno de los pepes (el primero) Paco se quedaba con la primera de esas IPs usables de esa subred /30, mientras que para el segundo lo hacía con la última (.6, en Paco y .5 en Pepe, en lugar del al revés).
Os pongo un ejemplo de cómo se parte la subred 172.17.0.0/24 en 64 subredes más pequeñitas /30, todas ellas independientes entre sí
(256 IPs que tiene la subred grande 172.17.0.0/24, a 4 direcciones que tiene cada subred /30 = 64 posibles subredes)
Así no se desaprovenchan segmentos. Lo que creo que sugería @diamuxin es configurarlos todos como /24, así tendrías, por ejemplo
172.17.0.1/24 = Paco -> Pepe1 = 172.17.0.2/24
172.17.1.1/24 = Paco -> Pepe2 = 172.17.1.2/24
Que también es otra opción, igual de válida, si os aclaráis mejor. Así que, cuando pasaba esto
Saludos!
Os pongo un ejemplo de cómo se parte la subred 172.17.0.0/24 en 64 subredes más pequeñitas /30, todas ellas independientes entre sí
(256 IPs que tiene la subred grande 172.17.0.0/24, a 4 direcciones que tiene cada subred /30 = 64 posibles subredes)
| Subred | CIDR Subred | IP de Red | Primera IP usable | Segunda IP Usable | IP de Broadcast |
|---|---|---|---|---|---|
| 0 | 172.17.0.0/30 | 172.17.0.0 | 172.17.0.1 | 172.17.0.2 | 172.17.0.3 |
| 1 | 172.17.0.4/30 | 172.17.0.4 | 172.17.0.5 | 172.17.0.6 | 172.17.0.7 |
| 2 | 172.17.0.8/30 | 172.17.0.8 | 172.17.0.9 | 172.17.0.10 | 172.17.0.11 |
| 3 | 172.17.0.12/30 | 172.17.0.12 | 172.17.0.13 | 172.17.0.14 | 172.17.0.15 |
| ... 63 | 172.17.0.252/30 | 172.17.0.252 | 172.17.0.253 | 172.17.0.254 | 172.17.0.255 |
Así no se desaprovenchan segmentos. Lo que creo que sugería @diamuxin es configurarlos todos como /24, así tendrías, por ejemplo
172.17.0.1/24 = Paco -> Pepe1 = 172.17.0.2/24
172.17.1.1/24 = Paco -> Pepe2 = 172.17.1.2/24
Que también es otra opción, igual de válida, si os aclaráis mejor. Así que, cuando pasaba esto
Era totalmente normal, puesto que la dirección de red de la IP 172.17.0.5/30 esa la 172.17.0.4, como podéis comprobar en la tabla, no la 172.17.0.0. No obstante, si lo entendéis mejor con redes /24, que son las que acostumbramos a manejar, hacedlo así, que funciona igualmente.
Saludos!
GuilleGs
Usuari@ ADSLzone
- Mensajes
- 9
Buenas!
Antes de nada muchas gracias por todo, increíble la cantidad de info que compartís. Deciros que tengo montado un Paco y un Pepe sin problemas y funcionando a tope
La cuestión es que he intentado agregar un nuevo peer a Paco para desde cualquier sitio, poder gestionarlo, tanto a Paco como al router de la operadora en caso de necesidad y no tener que ir a Pepe o a Paco en persona.
A parte de añadir el peer tengo que hacer algo más en Paco?
Gracias!!
Antes de nada muchas gracias por todo, increíble la cantidad de info que compartís. Deciros que tengo montado un Paco y un Pepe sin problemas y funcionando a tope
La cuestión es que he intentado agregar un nuevo peer a Paco para desde cualquier sitio, poder gestionarlo, tanto a Paco como al router de la operadora en caso de necesidad y no tener que ir a Pepe o a Paco en persona.
A parte de añadir el peer tengo que hacer algo más en Paco?
Gracias!!
