Mangle forward + route rule. Пометить соединение за nat1 и отправить туда, откуда пришло в nat2

Тема в разделе "Маршрутизация", создана пользователем anti, 5 мар 2021.

  1. anti

    anti Новый участник

    Здравствуйте.
    Подскажите по возможности от чего трафик не идёт куда нужно, опишу положение:

    upload_2021-3-5_15-50-30.png

    Подключено вот так.
    В теории описывается вот так:
    PC1 нужно забрать tcp\udp у Reg1.
    Для этого на R1 есть маршрут к 192.168.29.0/24 через bridge_video R2. И dst.nat на Reg1.
    Пинги ходят. В Torch на R2 вижу что пакеты приходят от PC1 с dst.adr Reg1
    Далее согласно packet flow после conntrack соединение уходит в mangle forward и prerouting там метится соединение и маршрут.
    После этого соединение из mangle идет в route rule, используя помеченную таблицу
    И добавляется маршрут в 192.168.223.0/24 с помеченной таблицей.

    Я должно быть напутал, прикладываю выдержку из конфига:
    R1:
    /ip firewall filter
    add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
    add action=accept chain=input comment="WAN web access" dst-port=80 in-interface-list=WAN \
    protocol=tcp
    add action=accept chain=input comment="WAN winbox access" dst-port=8291 in-interface-list=\
    WAN protocol=tcp
    add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
    add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
    add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
    add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=\
    in,ipsec
    add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=\
    out,ipsec
    add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes
    add action=accept chain=forward comment="defconf: accept established,related, untracked" \
    connection-state=established,related,untracked
    add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
    add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none \
    out-interface-list=WAN
    add action=dst-nat chain=dstnat comment="Reg 29.200 web/data port" dst-port=37774 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.29.200 to-ports=37777
    add action=dst-nat chain=dstnat dst-port=22030 in-interface-list=WAN protocol=tcp \
    to-addresses=192.168.29.200 to-ports=80

    # DST-ADDRESS PREF-SRC GATEWAY DISTANCE

    0 A S 0.0.0.0/0 192.168.220.2 1
    3 ADC 192.168.29.0/24 192.168.29.250 bridge_video 0
    5 ADC 192.168.99.0/24 192.168.99.250 bridge_video 0
    7 ADC 192.168.220.0/24 192.168.220.250 ether1 0
    8 A S 192.168.223.0/24 192.168.220.24 1
    9 A S 192.168.224.0/24 192.168.220.24 1


    # ADDRESS NETWORK INTERFACE
    1 ;;; Mainlan
    192.168.220.250/24 192.168.220.0 ether1
    2 ;;; Videolan_100
    192.168.129.250/24 192.168.129.0 ether4
    3 ;;; Videolan_30
    192.168.29.250/24 192.168.29.0 ether4



    R2:

    ip firewall filter
    add action=accept chain=input comment="WAN web access" dst-port=80 \
    in-interface=ether1 protocol=tcp
    add action=accept chain=input comment="WAN winbox access" dst-port=8291 \
    in-interface=ether1 protocol=tcp
    add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
    add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
    add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
    add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
    add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
    add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
    add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
    add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
    add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
    invalid
    add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

    /ip firewall mangle
    add action=mark-connection chain=forward comment=\
    Connetcion_To_REG_1_FROM_OFFICE connection-state="" dst-address=\
    192.168.29.200 in-interface=bridge_video new-connection-mark=\
    Connetcion_To_REG_1_FROM_OFFICE passthrough=yes src-address=\
    192.168.223.0/24
    add action=mark-routing chain=prerouting comment=Route_to_REG1_from_OFFICE \
    connection-mark=To_REG_1_FROM_OFFICE dst-address=192.168.29.200 \
    in-interface=bridge_video new-routing-mark=Route_to_REG1_from_OFFICE \
    passthrough=yes src-address=192.168.223.0/24
    add action=passthrough chain=forward comment=OFFICE_2_REG_COUNTER_1 disabled=\
    yes dst-address=192.168.29.200
    add action=passthrough chain=forward comment=OFFICE_2_REG_COUNTER_2 disabled=\
    yes src-address=192.168.223.41

    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
    add action=dst-nat chain=dstnat comment="REG web\\data\\rtsp" dst-port=8080 \
    in-interface=ether1 protocol=tcp to-addresses=192.168.29.200 to-ports=80
    add action=dst-nat chain=dstnat dst-port=37777 in-interface=ether1 protocol=tcp \
    to-addresses=192.168.29.200
    add action=dst-nat chain=dstnat comment=To_REG_1 connection-mark=To_REG_1 \
    in-interface=bridge_video to-addresses=192.168.29.200

    /ip firewall raw
    add action=passthrough chain=prerouting in-interface=bridge_video src-address=\
    192.168.223.41

    /ip route
    0 A S dst-address=192.168.223.0/24 gateway=192.168.29.250
    gateway-status=192.168.29.250 reachable via bridge_video distance=1
    scope=30 target-scope=10 routing-mark=Route_to_REG1_from_OFFICE

    3 ADC dst-address=192.168.29.0/24 pref-src=192.168.29.220 gateway=bridge_video
    gateway-status=bridge_video reachable distance=0 scope=10

    5 A S dst-address=192.168.223.0/24 gateway=192.168.30.2
    gateway-status=192.168.30.2 reachable via ether1 distance=1 scope=30
    target-scope=10

    /ip route rule print
    0 ;;; Rule_to reg1_from_office
    routing-mark=Route_to_REG1_from_OFFICE action=lookup-only-in-table
    table=Route_to_REG1_from_OFFICE

    /ip address
    # ADDRESS NETWORK INTERFACE
    0 192.168.29.220/24 192.168.29.0 bridge_video
    1 192.168.30.220/24 192.168.30.0 ether1
     
    Последнее редактирование: 5 мар 2021
    anti, 5 мар 2021
    #1
    Проект создания беспроводной сети wi-fi в ресторане
    Проект создания беспроводной сети wi-fi в ресторане
    Радиообследование в коворкинге
    Радиообследование в коворкинге
    Аудит WiFi-сети в магазинах одежды премиум-класса
    Аудит WiFi-сети в магазинах одежды премиум-класса