diamuxin
Muy buenas,
Siguiendo el manual de "como llevarte tu red a cuestas" he intentado hacer esta configuración con objeto de llevarme una segunda red wifi al router principal y dejarlo preparado como "segunda wan" para un futuro failover.
Me explico mejor: se ha mudado junto a mi vivienda un familiar y, con su permiso naturalmente, pretendo coger la señal de su wifi a través de un hAP ac2 y trasladarla a un puerto en el router principal (RB4011), de cara a montar una señal de backup en caso de que falle la principal, que ya me llega por fibra óptica. El siguiente dibujo puede dar una idea de lo que pretendo hacer:
El ac2 en modo station tiene la siguiente configuración:
En el router principal RB4011, he creado la otra parte del EoIP (está levantado "RS") y junto con ether5, ambos los he metido en un bridge llamado "bridge-respaldo".
Ahora, pincho mi portátil en ether5 y obtengo una IP de la red wifi del vecino "192.168.1.139", hasta ahí bien. El problema es que no sé qué ruta me falta, porque intento hacer ping al 8.8.8.8 tanto desde ether5 como desde la propia terminal del RB4011 y no consigo salir a internet.
No sé si tendré algún conflicto con la red que viene del famoso "Paco", que coincide con 192.168.1.0/24.
¿Algún consejo por donde pueden ir los tiros?
S@lu2.
Siguiendo el manual de "como llevarte tu red a cuestas" he intentado hacer esta configuración con objeto de llevarme una segunda red wifi al router principal y dejarlo preparado como "segunda wan" para un futuro failover.
Me explico mejor: se ha mudado junto a mi vivienda un familiar y, con su permiso naturalmente, pretendo coger la señal de su wifi a través de un hAP ac2 y trasladarla a un puerto en el router principal (RB4011), de cara a montar una señal de backup en caso de que falle la principal, que ya me llega por fibra óptica. El siguiente dibujo puede dar una idea de lo que pretendo hacer:
El ac2 en modo station tiene la siguiente configuración:
Bash:
# RouterOS export of the hAP ac2 (identity RESPALDO-ST, set at the end of this listing).
# It joins the neighbour's Wi-Fi on wlan2 and bridges that segment to an EoIP tunnel
# whose far end is 192.168.88.1.
# NOTE(review): this listing has no "/ip firewall filter" section, so as shown nothing
# filters the input chain. bridge-backup takes an address on the neighbour's network
# (see the dhcp-client below), so the device's management services would be reachable
# from that network unless they are restricted elsewhere - confirm, and treat
# bridge-backup as an untrusted (WAN-side) interface.
/interface bridge
add name=bridge-backup
add name=bridge-lan
# wlan2 is the client radio toward the neighbour's SSID. No "mode=" appears in this
# listing; the post says it runs in station mode.
# NOTE(review): plain station mode normally cannot be bridged for third-party MAC
# addresses; verify which mode is in use before relying on the wlan2 bridge port below.
/interface wireless
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee country=spain disabled=no ssid=\
SSID-DEL-VECINO
# EoIP tunnel id 5 toward the main router; both endpoints are in 192.168.88.0/24.
/interface eoip
add local-address=192.168.88.3 mac-address=02:CD:E1:C7:4C:BF mtu=1500 name=eoip-backup remote-address=192.168.88.1 \
tunnel-id=5
# Default security profile restricted to WPA2-PSK; the pre-shared key is not part of this listing.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys supplicant-identity=MikroTik
# ether1-ether5 form the local side (bridge-lan); the tunnel and the client radio
# share bridge-backup, i.e. the neighbour's layer-2 segment is extended into the tunnel.
/interface bridge port
add bridge=bridge-lan interface=ether1
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
add bridge=bridge-backup interface=eoip-backup
add bridge=bridge-backup interface=wlan2
# Enables MikroTik cloud DDNS for this device.
# NOTE(review): with the default route learned on bridge-backup, the published address
# would presumably be the neighbour's public address - confirm this is intended.
/ip cloud
set ddns-enabled=yes
# bridge-lan gets an address without installing a default route; the client on
# bridge-backup sets no add-default-route, so the default (add the route) applies and
# this device's own default route points into the neighbour's network.
/ip dhcp-client
add add-default-route=no interface=bridge-lan
add interface=bridge-backup
# Source-NATs anything destined to 192.168.1.0/24; no out-interface is set, so the
# rule matches on whichever interface the packet leaves.
/ip firewall nat
add action=masquerade chain=srcnat dst-address=192.168.1.0/24
/system clock
set time-zone-name=Europe/Madrid
/system identity
set name=RESPALDO-ST
En el router principal RB4011, he creado la otra parte del EoIP (está levantado "RS") y junto con ether5, ambos los he metido en un bridge llamado "bridge-respaldo".
Bash:
# RouterOS export of the main router (identity Despacho, set at the end of this listing).
# "bridge" is a VLAN-filtering bridge carrying VLAN 88 (lan), 66 (guests) and 99 (iptv);
# "bridge-backup" is a separate plain bridge joining eoip-backup and ether5.
/interface bridge
add admin-mac=2C:C8:1B:03:46:F2 auto-mac=no frame-types=\
admit-only-vlan-tagged igmp-snooping=yes name=bridge vlan-filtering=yes
add name=bridge-backup
add name=loopback protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan
set [ find default-name=ether2 ] name=ether2-nas
set [ find default-name=ether4 ] name=ether4-ap-salon
set [ find default-name=ether6 ] name=ether6-pc-despacho
set [ find default-name=ether10 ] name=ether10-ap-despacho
set [ find default-name=sfp-sfpplus1 ] disabled=yes
# Four EoIP tunnels. eoip-backup (tunnel-id 5) is the far end of the hAP ac2 tunnel,
# running between 192.168.88.1 and 192.168.88.3.
/interface eoip
add local-address=192.168.88.1 mac-address=02:E3:D4:34:83:A5 mtu=1500 name=\
eoip-backup remote-address=192.168.88.3 tunnel-id=5
add local-address=10.252.252.1 mac-address=FE:5A:D4:C9:58:9A mtu=1500 name=\
eoip-iptv-to-map remote-address=10.252.252.2 tunnel-id=1
add local-address=192.168.88.1 mac-address=02:AE:2A:8B:07:DE mtu=1500 name=\
eoip-iptv-to-salon remote-address=192.168.88.2 tunnel-id=2
add local-address=10.252.252.1 mac-address=FE:4F:32:98:6A:85 mtu=1500 name=\
eoip-to-apto remote-address=10.252.252.3 tunnel-id=0
# vlan-guests answers ARP only for known entries (arp=reply-only); its DHCP server
# below adds those entries itself (add-arp=yes).
/interface vlan
add arp=reply-only interface=bridge name=vlan-guests vlan-id=66
add interface=bridge name=vlan-lan vlan-id=88
add interface=ether1-wan name=vlan20 vlan-id=20
# Interface lists referenced by the firewall rules further down.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=GRE
add name=ISOLATED
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=pool-lan ranges=192.168.88.10-192.168.88.254
add name=pool-guests ranges=192.168.66.2-192.168.66.254
add name=pool-vpn ranges=192.168.68.10-192.168.68.254
/ip dhcp-server
add address-pool=pool-lan interface=vlan-lan lease-script="" lease-time=1h name=dhcp-bridge
add add-arp=yes address-pool=pool-guests interface=vlan-guests lease-script="" name=dhcp-guests
# Extra routing table used by the /routing rule entries at the end of this listing.
/routing table
add fib name=tablarutas2
# Access ports of the VLAN-filtering bridge (untagged, pvid 88 or 99), followed by
# the two members of bridge-backup.
/interface bridge port
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether2-nas pvid=88
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether4-ap-salon pvid=88
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether6-pc-despacho pvid=88
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether8 pvid=88
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether9 pvid=88
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether10-ap-despacho pvid=88
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=sfp-sfpplus1 pvid=88
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=eoip-to-apto pvid=88
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether7 pvid=88
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=eoip-iptv-to-salon pvid=99
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=eoip-iptv-to-map pvid=99
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
interface=ether3 pvid=99
add bridge=bridge-backup interface=eoip-backup
add bridge=bridge-backup interface=ether5
# NOTE(review): neighbour discovery is enabled on every interface, which includes the
# WAN-list members below (pppoe-out1 and bridge-backup). That announces this router's
# identity toward the ISP and the neighbour's network; restricting it to the LAN list
# would avoid the disclosure.
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge=bridge comment=lan tagged=bridge vlan-ids=88
add bridge=bridge comment=guests tagged=bridge vlan-ids=66
add bridge=bridge comment=iptv tagged=bridge vlan-ids=99
# bridge-backup is classed as WAN, so the firewall rules below treat it as untrusted
# and the "defconf: masquerade" rule applies to traffic leaving through it.
/interface list member
add interface=vlan-lan list=LAN
add interface=pppoe-out1 list=WAN
add interface=bridge-backup list=WAN
add interface=wg-ospf-to-apto list=LAN
add interface=wg-ospf-to-map list=LAN
add interface=wg-ospf-to-apto list=GRE
add interface=wg-ospf-to-map list=GRE
add interface=wg-rw list=LAN
add interface=vlan-guests list=ISOLATED
# NOTE(review): no address is assigned to bridge-backup and this listing contains no
# "/ip dhcp-client" section, so as shown the router has no address, gateway or default
# route on the neighbour's network; ether5 and eoip-backup are only joined at layer 2.
/ip address
add address=192.168.88.1/24 interface=vlan-lan network=192.168.88.0
add address=10.10.0.1/24 interface=wg-rw network=10.10.0.0
add address=172.17.20.1/30 interface=wg-ospf-to-apto network=172.17.20.0
add address=172.17.0.2/30 interface=wg-ospf-to-map network=172.17.0.0
add address=192.168.66.1/24 interface=vlan-guests network=192.168.66.0
add address=10.252.252.1 interface=loopback network=10.252.252.1
add address=10.40.0.1/24 interface=wg-rw-iptv network=10.40.0.0
/ip cloud
set ddns-enabled=yes update-time=no
# Guests are handed a /32 netmask (netmask=32) and public resolvers; together with
# arp=reply-only on vlan-guests this presumably serves to keep guest clients apart.
/ip dhcp-server network
add address=192.168.66.0/24 dns-server=1.1.1.2,1.0.0.2 gateway=192.168.66.1 \
netmask=32
add address=192.168.88.0/24 dns-server=192.168.88.23,192.168.88.1 domain=lan \
gateway=192.168.88.1
# The router answers DNS queries itself (allow-remote-requests=yes). The last rule of
# the input chain below (drop everything not arriving from LAN) is what keeps the
# resolver from being reachable on WAN-side interfaces.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
# Input chain: defconf rules plus explicit accepts, ending with a drop for everything
# that does not arrive on a LAN-list interface.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# The IPsec and WireGuard accepts below carry no in-interface restriction, so they
# apply on every interface.
add action=accept chain=input comment="allow ipsec" dst-port=500,4500 \
protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="vpn: allow wireguard tunnels" \
dst-port=57588,57589,57591,54321 protocol=udp
# GRE is accepted explicitly only from the GRE list (the two wg-ospf interfaces). The
# eoip-backup peer 192.168.88.3 is in the vlan-lan subnet; vlan-lan is in LAN, so its
# GRE is not caught by the final drop either.
add action=accept chain=input comment="iptv: allow gre for eoip" \
in-interface-list=GRE protocol=gre
# NOTE(review): despite its comment this rule sets no protocol or port, so it accepts
# any traffic from addresses in list "admin"; the list's contents are not in this listing.
add action=accept chain=input comment="allow WinBox access" src-address-list=\
admin
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
# Forward chain.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
# Guests may only be forwarded out of WAN-list interfaces.
# NOTE(review): bridge-backup is in WAN, so once it carries routed traffic this rule
# would also let guests reach hosts on the neighbour's LAN - confirm that is acceptable.
add action=reject chain=forward comment=\
"vlans: guests can only access internet" in-interface-list=ISOLATED \
out-interface-list=!WAN reject-with=icmp-network-unreachable
/ip firewall nat
add action=masquerade chain=srcnat comment=hairpin-nat dst-address=\
192.168.88.0/24 src-address=192.168.88.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Publishes TCP 80 and UDP 1199 of 192.168.88.247 on the addresses in list "public-ip".
# NOTE(review): the first rule's comment suggests the NAS is exposed over plain HTTP;
# consider reaching it through the existing VPNs instead of an open port.
add action=dst-nat chain=dstnat comment=NAS-Open-80 dst-address-list=\
public-ip dst-port=80 protocol=tcp to-addresses=192.168.88.247
add action=dst-nat chain=dstnat comment="OpenVPN in Synology NAS" \
dst-address-list=public-ip dst-port=1199 protocol=udp to-addresses=\
192.168.88.247
/ip route
add disabled=no distance=111 dst-address=192.168.2.0/24 gateway=172.17.20.2 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
# NOTE(review): 192.168.1.0/24 is routed to 172.17.0.1 here, while the post reports the
# neighbour's network handing out 192.168.1.139, so both networks appear to use the
# same prefix. An address on bridge-backup would add a connected route for that prefix
# that takes precedence over this one.
add disabled=no distance=111 dst-address=192.168.1.0/24 gateway=172.17.0.1 \
pref-src=0.0.0.0 routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
# Default route of table tablarutas2, used only by the sources matched in /routing rule.
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=172.17.0.1 pref-src=\
0.0.0.0 routing-table=tablarutas2 scope=30 suppress-hw-offload=no \
target-scope=10
# NOTE(review): accepts incoming RADIUS requests, yet no "/radius" server entries
# appear in this listing; disable it if RADIUS is not in use.
/radius incoming
set accept=yes
/routing ospf interface-template
add area=backbone disabled=no interfaces=wg-ospf-to-map networks=\
172.17.0.0/30 type=ptp
add area=backbone disabled=no interfaces=wg-ospf-to-apto networks=\
172.17.20.0/30 type=ptp
add area=backbone disabled=no networks=\
192.168.88.0/24,10.10.0.0/24,10.252.252.0/24 passive
# Traffic sourced from 10.40.0.2 and 10.40.0.3 is looked up in tablarutas2.
/routing rule
add action=lookup src-address=10.40.0.2 table=tablarutas2
add action=lookup disabled=no src-address=10.40.0.3/32 table=tablarutas2
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Madrid
/system identity
set name=Despacho
Ahora, pincho mi portátil en ether5 y obtengo una IP de la red wifi del vecino "192.168.1.139", hasta ahí bien. El problema es que no sé qué ruta me falta, porque intento hacer ping al 8.8.8.8 tanto desde ether5 como desde la propia terminal del RB4011 y no consigo salir a internet.
No sé si tendré algún conflicto con la red que viene del famoso "Paco", que coincide con 192.168.1.0/24.
¿Algún consejo por donde pueden ir los tiros?
S@lu2.