Problema con red un poco compleja
- Iniciador del tema froiland78
- Fecha de inicio
froiland78
Usuari@ ADSLzone
- Mensajes
- 36
Resuelto , hay que dejar el grupo vacio y poner algo en la clave de grupo. Que cosa mas rara
Voy a seguir haciendo pruebas de velocidad y latencia
Voy a seguir haciendo pruebas de velocidad y latencia
froiland78
Usuari@ ADSLzone
- Mensajes
- 36
Sigo con las configuraciones.
He tenido que mover 2 aires a la red del wifi de AP mikrotik en lugar de la red wifi IOT y no consigo acceder a ellla desde los dispositivos de la red de IOT que estan en el rango 192.168.1.X
La red wifi del AP mikrotik esta en el rango 192.168.88.X
Desde el movil puedo llegar a los aires pero desde la red de IOT no, he probado un traceroute desde un equipo de la red 192.169.1.X y llega al router 192.168.1.1 pero de ahi no sale. Que tengo mal configurado en el bridge del router?
Saludos
He tenido que mover 2 aires a la red del wifi de AP mikrotik en lugar de la red wifi IOT y no consigo acceder a ellla desde los dispositivos de la red de IOT que estan en el rango 192.168.1.X
La red wifi del AP mikrotik esta en el rango 192.168.88.X
Desde el movil puedo llegar a los aires pero desde la red de IOT no, he probado un traceroute desde un equipo de la red 192.169.1.X y llega al router 192.168.1.1 pero de ahi no sale. Que tengo mal configurado en el bridge del router?
Saludos
- Mensajes
- 14,160
Lógico, la red de IOT, si la has configurado siguiendo algún consejo o guía por mi parte, estará configurada para no tener acceso alguno ni desde ni hasta la red principal. Y es así como debe de estar. Si quieres otro comportamiento, hay que tocar esa configuración.
Un ejemplo: el termostato de mi casa está conectado a una red de invitados que únicamente tiene salida a internet. Solo puedo acceder a él vía su propia app.
Saludos.
Un ejemplo: el termostato de mi casa está conectado a una red de invitados que únicamente tiene salida a internet. Solo puedo acceder a él vía su propia app.
Saludos.
froiland78
Usuari@ ADSLzone
- Mensajes
- 36
Y como podria configurar el acceso desde la red 192.168.1.X a la 192.168.88.X? He probado a ponerle la entrada en el addresses y con el interfaz donde esta conectado el AP y sigue sin llegar 
- Mensajes
- 14,160
Adivino aún no soy. Como no me enseñes la configuración concreta que tienes ahora mismo, mal te puedo aconsejar.
No obstante; yo no abriría esa puerta. Si esos equipos tienen que tener acceso desde la red local, mételos en la wifi lan. Sino, déjalos en IOT aislados, que es como deben estar.
Saludos!
No obstante; yo no abriría esa puerta. Si esos equipos tienen que tener acceso desde la red local, mételos en la wifi lan. Sino, déjalos en IOT aislados, que es como deben estar.
Saludos!
froiland78
Usuari@ ADSLzone
- Mensajes
- 36
Voy a ver si puedo volver a meterlos en la wifi IOT pero es un problema de que llega la señal debil.
Esta es la configuracion que tengo en AP
# sep/30/2021 12:55:13 by RouterOS 6.48.4
# software id = FLIG-MMXM
#
# model = RBcAPGi-5acD2nD
# serial number = E2810ECC396B
/interface bridge
add admin-mac=2C:C8:1B:35:F2:C9 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=spain disabled=no distance=indoors installation=indoor mode=\
ap-bridge ssid=Wifi_SyR_Router wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=spain disabled=no distance=indoors installation=\
indoor mode=ap-bridge ssid=Wifi_SyR_Router5G wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.191 mac-address=EC:FA:BC:C7:F7:9C server=defconf
add address=192.168.88.248 mac-address=C0:E4:34:60:7B:25 server=defconf
add address=192.168.88.247 mac-address=C0:E4:34:60:8A:FB server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/system clock
set time-zone-name=Europe/Madrid
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Y esta la que tengo en el router ppal
# sep/30/2021 12:58:27 by RouterOS 6.48.4
# software id = 7XS7-EI8J
#
# model = RB760iGS
# serial number = E1F10E004667
/interface bridge
add admin-mac=2C:C8:1B:69:43:CC auto-mac=no comment=defconf name=bridge \
protocol-mode=none
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=ether1 \
max-mru=1492 max-mtu=1492 name=pppoe-out1 use-peer-dns=yes user=\
adslppp@telefonicanetpa
/interface vlan
add disabled=yes interface=ether1 name=vlan6 vlan-id=6
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
add name=vpn-pool ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add change-tcp-mss=yes interface-list=LAN local-address=192.168.100.1 name=\
vpn-profile remote-address=vpn-pool use-encryption=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn-profile enabled=yes use-ipsec=\
yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.1.13 mac-address=1C:3B:F3:FB:35:16 server=defconf
add address=192.168.1.18 mac-address=B0:95:75:49:E3:48 server=defconf
add address=192.168.1.21 mac-address=B0:95:75:FC:C7:76 server=defconf
add address=192.168.1.22 client-id=1:50:d4:f7:1a:4d:f0 mac-address=\
504:F7:1A:4D:F0 server=defconf
add address=192.168.1.23 mac-address=1C:3B:F3:FB:2B:C2 server=defconf
add address=192.168.1.48 client-id=1:dc:a6:32:73:d5:9c mac-address=\
DC:A6:32:735:9C server=defconf
add address=192.168.1.73 client-id=1:34:64:a9:9a:56:91 mac-address=\
34:64:A9:9A:56:91 server=defconf
add address=192.168.1.49 client-id=1:40:8d:5c:52:2c:e7 mac-address=\
40:8D:5C:52:2C:E7 server=defconf
add address=192.168.1.45 client-id=1:0:40:ad:ae:10:a1 mac-address=\
00:40:AD:AE:10:A1 server=defconf
add address=192.168.1.39 client-id=1:84:d8:1b:ef:ba:da mac-address=\
848:1B:EF:BAA server=defconf
add address=192.168.1.43 client-id=1:2c:c8:1b:35:f2:c8 mac-address=\
2C:C8:1B:35:F2:C8 server=defconf
add address=192.168.1.15 mac-address=00:1C:7B:E1:90:EB server=defconf
add address=192.168.1.17 mac-address=00:56:A8:5A:00:0C server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=80.58.61.250 gateway=\
192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=e1f10e004667.sn.mynetname.net list=public-ip
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec" dst-port=4500,500 \
protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=hairpin-nat dst-address=\
192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Redirecciones puertos" disabled=yes \
dst-port=6767 in-interface=pppoe-out1 protocol=tcp to-addresses=\
192.168.1.70 to-ports=6767
add action=dst-nat chain=dstnat disabled=yes dst-port=3000 in-interface=\
pppoe-out1 protocol=tcp to-addresses=192.168.1.189 to-ports=3000
add action=dst-nat chain=dstnat disabled=yes dst-port=1880 in-interface=\
pppoe-out1 protocol=tcp to-addresses=192.168.1.48 to-ports=1880
add action=dst-nat chain=dstnat dst-port=8090 in-interface=pppoe-out1 \
protocol=tcp to-addresses=192.168.1.99 to-ports=8090
add action=dst-nat chain=dstnat dst-port=8100 in-interface=pppoe-out1 \
protocol=tcp to-addresses=192.168.1.24 to-ports=8100
add action=dst-nat chain=dstnat comment=Grafana dst-address-list=public-ip \
dst-port=3000 protocol=tcp to-addresses=192.168.1.189 to-ports=3000
add action=dst-nat chain=dstnat comment=Loxone dst-address-list=public-ip \
dst-port=6767 protocol=tcp to-addresses=192.168.1.70 to-ports=6767
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.100.0/24
/ip service
set www address=192.168.1.0/24,192.168.88.0/24,192.168.100.0/24
set winbox address=192.168.1.0/24,192.168.88.0/24,192.168.100.0/24
/ip upnp
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ppp secret
add name=salonica service=l2tp
/system clock
set time-zone-name=Europe/Madrid
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Esta es la configuracion que tengo en AP
# sep/30/2021 12:55:13 by RouterOS 6.48.4
# software id = FLIG-MMXM
#
# model = RBcAPGi-5acD2nD
# serial number = E2810ECC396B
/interface bridge
add admin-mac=2C:C8:1B:35:F2:C9 auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
country=spain disabled=no distance=indoors installation=indoor mode=\
ap-bridge ssid=Wifi_SyR_Router wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
20/40/80mhz-XXXX country=spain disabled=no distance=indoors installation=\
indoor mode=ap-bridge ssid=Wifi_SyR_Router5G wireless-protocol=802.11
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=hotspot
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
192.168.88.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf disabled=no interface=ether1
/ip dhcp-server lease
add address=192.168.88.191 mac-address=EC:FA:BC:C7:F7:9C server=defconf
add address=192.168.88.248 mac-address=C0:E4:34:60:7B:25 server=defconf
add address=192.168.88.247 mac-address=C0:E4:34:60:8A:FB server=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip upnp
set enabled=yes
/system clock
set time-zone-name=Europe/Madrid
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
add comment=defconf dont-require-permissions=no name=dark-mode owner=*sys \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
source="\r\
\n :if ([system leds settings get all-leds-off] = \"never\") do={\r\
\n /system leds settings set all-leds-off=immediate \r\
\n } else={\r\
\n /system leds settings set all-leds-off=never \r\
\n }\r\
\n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Y esta la que tengo en el router ppal
# sep/30/2021 12:58:27 by RouterOS 6.48.4
# software id = 7XS7-EI8J
#
# model = RB760iGS
# serial number = E1F10E004667
/interface bridge
add admin-mac=2C:C8:1B:69:43:CC auto-mac=no comment=defconf name=bridge \
protocol-mode=none
/interface pppoe-client
add add-default-route=yes allow=pap,chap disabled=no interface=ether1 \
max-mru=1492 max-mtu=1492 name=pppoe-out1 use-peer-dns=yes user=\
adslppp@telefonicanetpa
/interface vlan
add disabled=yes interface=ether1 name=vlan6 vlan-id=6
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.10-192.168.1.254
add name=vpn-pool ranges=192.168.100.2-192.168.100.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ppp profile
add change-tcp-mss=yes interface-list=LAN local-address=192.168.100.1 name=\
vpn-profile remote-address=vpn-pool use-encryption=yes
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set authentication=mschap2 default-profile=vpn-profile enabled=yes use-ipsec=\
yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
192.168.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server lease
add address=192.168.1.13 mac-address=1C:3B:F3:FB:35:16 server=defconf
add address=192.168.1.18 mac-address=B0:95:75:49:E3:48 server=defconf
add address=192.168.1.21 mac-address=B0:95:75:FC:C7:76 server=defconf
add address=192.168.1.22 client-id=1:50:d4:f7:1a:4d:f0 mac-address=\
50
4:F7:1A:4D:F0 server=defconfadd address=192.168.1.23 mac-address=1C:3B:F3:FB:2B:C2 server=defconf
add address=192.168.1.48 client-id=1:dc:a6:32:73:d5:9c mac-address=\
DC:A6:32:73
5:9C server=defconfadd address=192.168.1.73 client-id=1:34:64:a9:9a:56:91 mac-address=\
34:64:A9:9A:56:91 server=defconf
add address=192.168.1.49 client-id=1:40:8d:5c:52:2c:e7 mac-address=\
40:8D:5C:52:2C:E7 server=defconf
add address=192.168.1.45 client-id=1:0:40:ad:ae:10:a1 mac-address=\
00:40:AD:AE:10:A1 server=defconf
add address=192.168.1.39 client-id=1:84:d8:1b:ef:ba:da mac-address=\
84
8:1B:EF:BAA server=defconfadd address=192.168.1.43 client-id=1:2c:c8:1b:35:f2:c8 mac-address=\
2C:C8:1B:35:F2:C8 server=defconf
add address=192.168.1.15 mac-address=00:1C:7B:E1:90:EB server=defconf
add address=192.168.1.17 mac-address=00:56:A8:5A:00:0C server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf dns-server=80.58.61.250 gateway=\
192.168.1.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 comment=defconf name=router.lan
/ip firewall address-list
add address=e1f10e004667.sn.mynetname.net list=public-ip
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="allow IPsec" dst-port=4500,500 \
protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment=hairpin-nat dst-address=\
192.168.1.0/24 src-address=192.168.1.0/24
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="Redirecciones puertos" disabled=yes \
dst-port=6767 in-interface=pppoe-out1 protocol=tcp to-addresses=\
192.168.1.70 to-ports=6767
add action=dst-nat chain=dstnat disabled=yes dst-port=3000 in-interface=\
pppoe-out1 protocol=tcp to-addresses=192.168.1.189 to-ports=3000
add action=dst-nat chain=dstnat disabled=yes dst-port=1880 in-interface=\
pppoe-out1 protocol=tcp to-addresses=192.168.1.48 to-ports=1880
add action=dst-nat chain=dstnat dst-port=8090 in-interface=pppoe-out1 \
protocol=tcp to-addresses=192.168.1.99 to-ports=8090
add action=dst-nat chain=dstnat dst-port=8100 in-interface=pppoe-out1 \
protocol=tcp to-addresses=192.168.1.24 to-ports=8100
add action=dst-nat chain=dstnat comment=Grafana dst-address-list=public-ip \
dst-port=3000 protocol=tcp to-addresses=192.168.1.189 to-ports=3000
add action=dst-nat chain=dstnat comment=Loxone dst-address-list=public-ip \
dst-port=6767 protocol=tcp to-addresses=192.168.1.70 to-ports=6767
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.100.0/24
/ip service
set www address=192.168.1.0/24,192.168.88.0/24,192.168.100.0/24
set winbox address=192.168.1.0/24,192.168.88.0/24,192.168.100.0/24
/ip upnp
set enabled=yes
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
33434-33534 protocol=udp
add action=accept chain=input comment=\
"defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=input comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
add action=accept chain=forward comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
"defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
ipsec-esp
add action=accept chain=forward comment=\
"defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
"defconf: drop everything else not coming from LAN" in-interface-list=\
!LAN
/ppp secret
add name=salonica service=l2tp
/system clock
set time-zone-name=Europe/Madrid
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
froiland78
Usuari@ ADSLzone
- Mensajes
- 36
He estado haciendo pruebas desabilitando todos los drop de ambos firewall y sigue sin llegar. Yo creo que es un problema de rutas, se pueden definir rutas para 2 ips particulares para poder acceder desde la red de IOT?
- Mensajes
- 14,160
A ver, que yo pensaba que tenías todo montado en los mikrotik ya y, por el export, veo que no. ¿Sigues teniendo este esquema?
Ahora mismo el router principal tiene el segmento 192.168.1.1/24 como su red principal y el chisme negro con antenas que pone "Red IOT" es un chisme funcionando en modo AP, ¿es así? Si lo es, la solución es una ruta estática que diga que a la subred 192.168.88.1/24 se llega por la IP que tenga asignada hora miso el cAP-AC en su WAN, del segmento 192.168.1.X. Imaginemos que la IP WAN del cAP es una de las que tienes reservada ahora mismo en el router principal, tipo la 192.168.1.43. En este caso, tu ruta estática sería algo así
No obstante, estás abriendo la puerta de los truenos permitiendo que el tráfico de IOT llegue donde no debe. Yo reestructuraría tu red por completo.
Saludos!
Ahora mismo el router principal tiene el segmento 192.168.1.1/24 como su red principal y el chisme negro con antenas que pone "Red IOT" es un chisme funcionando en modo AP, ¿es así? Si lo es, la solución es una ruta estática que diga que a la subred 192.168.88.1/24 se llega por la IP que tenga asignada hora miso el cAP-AC en su WAN, del segmento 192.168.1.X. Imaginemos que la IP WAN del cAP es una de las que tienes reservada ahora mismo en el router principal, tipo la 192.168.1.43. En este caso, tu ruta estática sería algo así
Código:
/ip route add dst-address=192.168.88.0/24 gateway=192.168.1.43No obstante, estás abriendo la puerta de los truenos permitiendo que el tráfico de IOT llegue donde no debe. Yo reestructuraría tu red por completo.
Saludos!
froiland78
Usuari@ ADSLzone
- Mensajes
- 36
Si el chisme negro es un AP antiguo Asus que tengo en la zona de "calderas" donde tengo casi todos los dispositivos IOT excepto los A/C , el que reparte en esa zona es el router ppal en el rango 192.168.1.X
He probado a añadir la ruta como me pones sin saber porque es el .43 porque entiendo que el gateway esta en el .1
y luego he probado a modificarlo con el .1 En ambos casos no llega a destino
[18:55:46] openhabian@openhab:~$ traceroute 192.168.88.248
traceroute to 192.168.88.248 (192.168.88.24
, 30 hops max, 60 byte packets1 192.168.1.1 (192.168.1.1) 0.452 ms 0.353 ms *^C
[18:55:59] openhabian@openhab:~$ traceroute 192.168.88.248
traceroute to 192.168.88.248 (192.168.88.24
, 30 hops max, 60 byte packets1 192.168.1.1 (192.168.1.1) 0.380 ms 0.338 ms 0.307 ms
2 192.168.1.43 (192.168.1.43) 0.574 ms 0.459 ms 0.394 ms
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * *^C
froiland78
Usuari@ ADSLzone
- Mensajes
- 36
Nada no pasa de la 192.168.1.43
[09:41:42] openhabian@openhab:~$ traceroute 192.168.88.248
traceroute to 192.168.88.248 (192.168.88.24
, 30 hops max, 60 byte packets1 192.168.1.1 (192.168.1.1) 0.580 ms 0.541 ms 0.519 ms
2 192.168.1.43 (192.168.1.43) 5.606 ms 5.591 ms 5.575 ms
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
[09:43:24] openhabian@openhab:~$
Si miro en el Route list esa ruta me aparece com AS en lugar de DAS o DAC , no se si es relevante :S
- Mensajes
- 14,160
Pero no habíamos quedado en que la .43 no era el cAP-AC? O ahora sí lo es?Nada no pasa de la 192.168.1.43
[09:41:42] openhabian@openhab:~$ traceroute 192.168.88.248
traceroute to 192.168.88.248 (192.168.88.24
1 192.168.1.1 (192.168.1.1) 0.580 ms 0.541 ms 0.519 ms
2 192.168.1.43 (192.168.1.43) 5.606 ms 5.591 ms 5.575 ms
3 * * *
4 * * *
5 * * *
6 * * *
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
[09:43:24] openhabian@openhab:~$
Si miro en el Route list esa ruta me aparece com AS en lugar de DAS o DAC , no se si es relevante :S
Saludos!
froiland78
Usuari@ ADSLzone
- Mensajes
- 36
La .43 es la del bridge del router ppal , tal y como yo lo entiendo , la IP del cAP-AC es la 192.168.88.1
- Mensajes
- 14,160
No, no lo has entendido. El router principal tiene la subred 192.168.1.0/24 (se cual sea la IP que este tenga él mismo), y asigna IP's de ese pool a los equipos que se conectan a él, entre ellos, el cAP-AC. El cAP-AC maneja dos direcciones, la WAN y la LAN. La LAN es del tipo 192.168.88.0/24 (a donde queremos llegar) y se llega a ella vía una IP concreta, que es la que tiene ese equipo en su parte WAN. La WAN del cAP-AC es una IP del segmento 192.168.1.0/24, puesto que está conectado físicamente al hEX-S, que obtendrá de manera dinámica o tendrá asignada estáticamente a su ether1. Esa IP es la que no s interesa. La ruta que vamos a crear, estática, lo que dice literalmente es: A la subred 192.168.88.0/24 se llega por el gateway (la IP) que asigna el hEX-S al cAP-AC.
Saludos!
Saludos!
froiland78
Usuari@ ADSLzone
- Mensajes
- 36
- Mensajes
- 14,160
Pues entonces la regla que te pasé está bien. Si no llegas, prueba a dehabilitar temporalmente en el firewall del cAP-AC la regla que pone defconf: drop all from WAN not DSTNATed. Si eso corrige tu problema, necesitarías una regla de firewall en el chain de forward, justo delante de esa, que aceptase el tráfico de la subred 192.168.1.0/24 (o de la IP concreta del chisme de IOT que necesite acceder) a la 192.168.88.0/24.
El principal problema que estás teniendo es que tienes dos routers en la LAN. Cuando el cAP ac no debería ser un router, sino un AP, al igual que lo es el otro que lleva el IOT. Y, si me preguntas consejo, ese AP debería estar manejado vía CAPsMAN, y tener ambas redes, la tuya personal y la de IOT.
Saludos!
El principal problema que estás teniendo es que tienes dos routers en la LAN. Cuando el cAP ac no debería ser un router, sino un AP, al igual que lo es el otro que lleva el IOT. Y, si me preguntas consejo, ese AP debería estar manejado vía CAPsMAN, y tener ambas redes, la tuya personal y la de IOT.
Saludos!
froiland78
Usuari@ ADSLzone
- Mensajes
- 36
Funciona! Deshabilitando esa entrada del firewall del cAP-AC y con esa ruta llega. Lo del CAPSMAN es algo que tengo que hacer mas pronto que tarde a ver si hago unos cuantos backups y me animo y lo dejo ya fino fino.
[11:39:14] openhabian@openhab:~$ ping 192.168.88.247
PING 192.168.88.247 (192.168.88.247) 56(84) bytes of data.
64 bytes from 192.168.88.247: icmp_seq=15 ttl=254 time=401 ms
64 bytes from 192.168.88.247: icmp_seq=16 ttl=254 time=66.9 ms
64 bytes from 192.168.88.247: icmp_seq=17 ttl=254 time=40.0 ms
64 bytes from 192.168.88.247: icmp_seq=18 ttl=254 time=1.65 ms
64 bytes from 192.168.88.247: icmp_seq=19 ttl=254 time=0.947 ms
64 bytes from 192.168.88.247: icmp_seq=20 ttl=254 time=399 ms
Muchas gracias!
- Mensajes
- 14,160
OK, pues ya sabes lo que te está pasando. El cAP ac está bloqueando todo tráfico en forward que no cumpla estas dos condiciones: que lo hayas originado tú desde la red del cAP-AC o que no lleve un regla de dstnat (una apertura de puertos). Ese es el comportamiento normal de un router.
Si ese equipo hiciera de AP, no llevaría firewall alguno, y no tendrías ese problema (amén de trabajar en segmentos de red que manejaría el router principal).
Saludos!
Si ese equipo hiciera de AP, no llevaría firewall alguno, y no tendrías ese problema (amén de trabajar en segmentos de red que manejaría el router principal).
Saludos!
froiland78
Usuari@ ADSLzone
- Mensajes
- 36
Si , pero a mayores , entiendo que es una medida extra de seguridad no? Penaliza el rendimiento que este asi demasiado?
