ho da poco acquistato un RB4011iGS+5HacQ2HnD-IN per utilizzarlo in modalità dual WAN/dual bridge (no failover no load-balancing) sulle mie due linee FTTH domestiche ed ho eseguite le configurazioni basilari corrispondenti alle mie attuali esigenze.
A livello connettività mi pare tutto - abbastanza
- operativo, con una evidente eccezione: via socks proxy SSH (su connessione diretta alla RB) non risultano raggiungibili i virtual server (al momento si tratta delle porte TCP 80 e 443) configurati sulla mia LAN (errori classici di tipo ERR_SOCKET_NOT_CONNECTED oppure ERR_CONNECTION_ABORTED), regolarmente raggiungibili da altri IP pubblici piuttosto che da IP delle due subnet private (anche via socks proxy SSH con connessione ad uno qualsiasi degli host di LAN).Considerato che le mie competenze di networking sono amatoriali, giro la domanda agli esperti del Forum: è possibile configurare regole a livello di routing/firewall/altro tali da consentire tale tipo di connettività oppure è un limite intrinseco non aggirabile?
Segue export della configurazione:
- Codice: Seleziona tutto
# mar/22/2019 14:03:02 by RouterOS 6.44.1
# software id = VKGL-DSQM
#
# model = RB4011iGS+5HacQ2HnD
# serial number = ***
/interface wireless
set [ find default-name=wlan1 ] ssid=***
set [ find default-name=wlan2 ] ssid=***
/interface bridge
add name=bridge1
add name=bridge2
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] disabled=yes name=sfp
set [ find default-name=ether1 ] name=wan1
set [ find default-name=ether6 ] name=wan2
/interface vlan
add interface=wan1 name="vlan TIM" vlan-id=835
add interface=wan2 name="vlan Tiscali" vlan-id=835
/interface pppoe-client
add disabled=no interface="vlan TIM" name="pppoe1 TIM" password=tim \
user=tim
add disabled=no interface="vlan Tiscali" name="pppoe2 Tiscali" password=\
*** user=***@ftth.tiscali.it
/interface ethernet switch port
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=***
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
add name=dhcp_pool1 ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=bridge2 name=dhcp2
/system logging action
set 0 memory-lines=100
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge2 interface=ether7
add bridge=bridge2 interface=ether8
add bridge=bridge2 interface=ether9
add bridge=bridge2 interface=ether10
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
add address=192.168.2.1/24 interface=bridge2 network=192.168.2.0
/ip cloud
set update-time=no
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 domain=lan gateway=\
192.168.1.1
add address=192.168.2.0/24 dns-server=192.168.2.1 domain=lan gateway=\
192.168.2.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.1.1 name=router
add address=192.168.2.2 name=server
/ip firewall address-list
add address=192.168.1.0/24 list=bridge1
add address=192.168.2.0/24 list=bridge2
/ip firewall filter
add action=reject chain=input comment="Reject WAN to router" dst-port=\
8291 in-interface="pppoe1 TIM" protocol=tcp reject-with=\
icmp-network-unreachable
add action=reject chain=input comment="Reject WAN to router" dst-port=\
8291 in-interface="pppoe2 Tiscali" protocol=tcp reject-with=\
icmp-network-unreachable
add action=reject chain=input comment="Reject LAN to router" disabled=\
yes dst-port=8443 protocol=tcp reject-with=icmp-network-unreachable \
src-address=192.168.1.0/24
add action=accept chain=input comment="Accept established related new" \
connection-state=established,related,new
add action=accept chain=input comment=\
"Allow LAN access to router/internet" src-address=192.168.1.0/24
add action=accept chain=input comment=\
"Allow LAN access to router/internet" src-address=192.168.2.0/24
add action=drop chain=input comment="Drop all other input"
add action=accept chain=forward comment="Accept established related" \
connection-state=established,related
add action=accept chain=forward comment=\
"Allow LAN access to router/internet" connection-state=new \
src-address=192.168.1.0/24
add action=accept chain=forward comment=\
"Allow LAN access to router/internet" connection-state=new \
src-address=192.168.2.0/24
add action=accept chain=forward comment="Accept port forwards" \
connection-nat-state=dstnat
add action=drop chain=forward comment="Drop all other forward"
/ip firewall mangle
add action=mark-routing chain=prerouting dst-address=!192.168.0.0/16 \
dst-address-list="" dst-address-type=!local new-routing-mark=TIM \
passthrough=yes src-address=192.168.1.0/24
add action=mark-routing chain=prerouting dst-address=!192.168.0.0/16 \
dst-address-type=!local new-routing-mark=Tiscali passthrough=no \
src-address=192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="Hairpin NAT masquerade" \
out-interface=bridge1 src-address-list=bridge1
add action=masquerade chain=srcnat comment="Hairpin NAT masquerade" \
out-interface=bridge2 src-address-list=bridge2
add action=dst-nat chain=dstnat comment="Hairpin NAT" dst-address-type=local \
dst-port=80 protocol=tcp src-address-list=bridge1 to-addresses=\
192.168.2.2 to-ports=80
add action=dst-nat chain=dstnat comment="Hairpin NAT" dst-address-type=local \
dst-port=80 protocol=tcp src-address-list=bridge2 to-addresses=\
192.168.2.2 to-ports=80
add action=dst-nat chain=dstnat comment="Hairpin NAT" dst-address-type=local \
dst-port=443 protocol=tcp src-address-list=bridge1 to-addresses=\
192.168.2.2 to-ports=443
add action=dst-nat chain=dstnat comment="Hairpin NAT" dst-address-type=local \
dst-port=443 protocol=tcp src-address-list=bridge2 to-addresses=\
192.168.2.2 to-ports=443
add action=masquerade chain=srcnat comment="PPP NAT masquerade" \
out-interface="pppoe1 TIM"
add action=masquerade chain=srcnat comment="PPP NAT masquerade" \
out-interface="pppoe2 Tiscali"
add action=dst-nat chain=dstnat comment="HTTP server" dst-port=80 \
in-interface="pppoe2 Tiscali" protocol=tcp to-addresses=192.168.2.2 \
to-ports=80
add action=dst-nat chain=dstnat comment="HTTPS server" dst-port=443 \
in-interface="pppoe2 Tiscali" protocol=tcp to-addresses=192.168.2.2 \
to-ports=443
add action=dst-nat chain=dstnat comment="OVPN server" dst-port=*** \
in-interface="pppoe2 Tiscali" protocol=tcp to-addresses=192.168.2.2 \
to-ports=1194
/ip route
add distance=1 gateway="pppoe2 Tiscali" routing-mark=Tiscali
add distance=1 gateway="pppoe1 TIM" routing-mark=TIM
add check-gateway=ping distance=1 gateway="pppoe2 Tiscali,pppoe1 TIM"
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=8080
set ssh port=***
set www-ssl port=***
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=router
/system leds
add interface=wlan2 leds="wlan2_signal1-led,wlan2_signal2-led,wlan2_signal3-le\
d,wlan2_signal4-led,wlan2_signal5-led" type=wireless-signal-strength
add interface=wlan2 leds=wlan2_tx-led type=interface-transmit
add interface=wlan2 leds=wlan2_rx-led type=interface-receive
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
PS. se vi sovvengono eventuali suggerimenti in merito al miglioramento della configurazione...sono tutto orecchioni
