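# RB2011UiAS-RM
# Ports 1-5 are in LAN, ports 6-8 are in DMZ.
# Reported problem: the filter rules did not take effect and packets from DMZ
# still left through the WAN side.
#
# Cause visible in this export: the Internet uplink is the PPPoE client
# interface pppoe-out1 (add-default-route=yes, and the masquerade rule already
# uses out-interface=pppoe-out1). "WAN" is only the renamed ether10 that carries
# the PPPoE session. The zone jump rules matched in-/out-interface=WAN, so
# routed Internet traffic never entered the WAN-* / *-WAN chains and fell
# through to the forward chain's default accept. The jump rules below match
# pppoe-out1 instead.
#
# model = 2011UiAS
# serial number = 6088053FF51C
/interface bridge
add name=DMZ
add name=LAN
/interface ethernet
set [ find default-name=ether10 ] name=WAN
set [ find default-name=ether1 ] comment=LAN name=ether1_M
set [ find default-name=ether2 ] master-port=ether1_M
set [ find default-name=ether3 ] master-port=ether1_M
set [ find default-name=ether4 ] master-port=ether1_M
set [ find default-name=ether5 ] master-port=ether1_M
set [ find default-name=ether6 ] comment=DMZ name=ether6_M
set [ find default-name=ether7 ] master-port=ether6_M
set [ find default-name=ether8 ] master-port=ether6_M
/interface pppoe-client
add add-default-route=yes disabled=no interface=WAN name=pppoe-out1 password=****** service-name=79.153.128.27 use-peer-dns=yes user=*******
/ip pool
add name=dhcp_pool0 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool1 ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=LAN name=dhcp1
add address-pool=dhcp_pool1 disabled=no interface=DMZ name=dhcp2
/interface bridge port
add bridge=LAN interface=ether1_M
add bridge=DMZ interface=ether6_M
/ip address
add address=192.168.88.1/24 interface=LAN network=192.168.88.0
add address=10.10.10.1/24 interface=DMZ network=10.10.10.0
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1
add address=192.168.88.0/24 gateway=192.168.88.1
/ip firewall filter
# NOTE(review): both input rules are left disabled, as in the original export.
# While they are disabled, nothing in this configuration filters traffic
# addressed to the router itself, whether it arrives from the PPPoE side or
# from DMZ. Enable them once management access from LAN has been confirmed.
add action=accept chain=input connection-state=established,related disabled=yes
add action=drop chain=input connection-state=new disabled=yes in-interface=!LAN
# Stateful rules are now enabled. Once the zone chains below really match
# Internet traffic, WAN-LAN drops everything arriving from pppoe-out1, so
# replies to LAN-initiated connections must be accepted here first.
# Connections that were already tracked before this change keep matching the
# established rule until they expire.
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-state=invalid
# Zone-pair dispatch. The Internet side is matched on pppoe-out1, the interface
# that routed traffic actually enters and leaves by, not on ether10 ("WAN").
add action=jump chain=forward in-interface=pppoe-out1 jump-target=WAN-LAN out-interface=LAN
add action=jump chain=forward in-interface=LAN jump-target=LAN-WAN out-interface=pppoe-out1
add action=jump chain=forward in-interface=DMZ jump-target=DMZ-LAN out-interface=LAN
add action=jump chain=forward in-interface=LAN jump-target=LAN-DMZ out-interface=DMZ
add action=jump chain=forward in-interface=pppoe-out1 jump-target=WAN-DMZ out-interface=DMZ
add action=jump chain=forward in-interface=DMZ jump-target=DMZ-WAN out-interface=pppoe-out1
# NOTE(review): the forward chain has no catch-all rule after the jumps, so any
# interface pair not listed above is still accepted by default.
# Per-zone policy: LAN may open connections to the Internet and to DMZ;
# new connections from the Internet or from DMZ are dropped.
add action=drop chain=WAN-LAN
add action=drop chain=WAN-DMZ
add action=accept chain=LAN-WAN
add action=accept chain=LAN-DMZ
add action=drop chain=DMZ-WAN
add action=drop chain=DMZ-LAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
/tool mac-server
# MAC-layer management access is limited to the LAN bridge.
set [ find default=yes ] disabled=yes
add interface=LAN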