Здравствуйте! Я в этом новичок поэтому прошу понять! Стоит задача сделать на точке А следующее 10.0.0.0/24 - подсеть выделенная для VPN 10.0.1.0/24 - подсеть выделена для LAN и WLAN клиентов, принтером и пару IP камер 10.0.2.0/24 - подсеть выделена для WLAN для детей с ограничениями через ДНС, временем пользования и т.д. Нужно чтобы все ходили в интернет без проблем и работала маршрутизация между подсетями, чтоб все могли ходить друг к другу в шары, принтер и т.д. чтоб была как единая локальная сеть! В данный момент например я не могу зайти со своего ПК1 (10.0.1.249) на ПК2 (10.0.2.254) в детской подсети в шары и наоборот, так же и когда с работы через VPN подключаюсь, нет доступа, но сетевой принтер 10.0.1.2 печатает с любой подсети что с 0.0/24 что с 1.0/24 что с 2.0/24. Роутер стоит MikroTik RB941-2nD, чуть позже заменим на более мощный, этот сейчас поставили на пробу и настройки, потом настроенный конфиг перенесем на новый MikroTik. Ниже прикладываю конфиг что и как сейчас настроено! # nov/14/2020 13:05:27 by RouterOS 6.47.7 # # model = RB941-2nD /interface bridge add arp=reply-only name=bridge-child add arp=reply-only name=bridge-local /interface ethernet set [ find default-name=ether1 ] advertise=\ 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=wan \ mac-address=D4:6E:0E:7B:1E:EB set [ find default-name=ether2 ] advertise=\ 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full comment=lan set [ find default-name=ether3 ] advertise=\ 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full set [ find default-name=ether4 ] advertise=\ 10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full /interface l2tp-server add name=l2tp-in1 user="" /interface pwr-line set [ find default-name=pwr-line1 ] disabled=yes /interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\ ap-local supplicant-identity="" add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\ ap-child supplicant-identity="" /interface wireless set [ find default-name=wlan1 ] antenna-gain=0 band=2ghz-onlyn comment=wlan \ country=russia disabled=no mode=ap-bridge security-profile=ap-local ssid=\ WN station-roaming=enabled wireless-protocol=802.11 wmm-support=enabled \ wps-mode=disabled add disabled=no keepalive-frames=disabled mac-address=76:4D:28:9E:10:1E \ master-interface=wlan1 multicast-buffering=disabled name=wlan2 \ security-profile=ap-child ssid=WN2 wds-cost-range=0 wds-default-cost=0 \ wps-mode=disabled /interface wireless manual-tx-power-table set wlan1 comment=wlan /interface wireless nstreme set wlan1 comment=wlan enable-polling=no /ip pool add name=dhcp-pool-local ranges=10.0.1.3-10.0.1.254 add name=dhcp-pool-child ranges=10.0.2.2-10.0.2.254 add name=l2tp-pool ranges=10.0.0.2-10.0.0.50 /ip dhcp-server add add-arp=yes address-pool=dhcp-pool-local disabled=no interface=\ bridge-local lease-time=1d name=dhcp1 add add-arp=yes address-pool=dhcp-pool-child disabled=no interface=\ bridge-child lease-time=1d name=dhcp2 /ppp profile add change-tcp-mss=yes dns-server=10.0.0.1 local-address=10.0.0.1 name=l2tp \ remote-address=l2tp-pool use-upnp=yes wins-server=10.0.0.1 /user group set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\ sword,web,sniff,sensitive,api,romon,dude,tikapp" /interface bridge port add bridge=bridge-local interface=ether2 add bridge=bridge-local interface=ether3 add bridge=bridge-local interface=ether4 add bridge=bridge-local interface=wlan1 add bridge=bridge-child interface=wlan2 /ip neighbor discovery-settings set discover-interface-list=!dynamic /interface l2tp-server server set authentication=mschap2 default-profile=l2tp enabled=yes use-ipsec=yes /ip address add address=10.0.1.1/24 interface=bridge-local network=10.0.1.0 add address=10.0.2.1/24 interface=bridge-child network=10.0.2.0 /ip dhcp-client add disabled=no interface=ether1 /ip dhcp-server lease add address=10.0.1.2 mac-address=10:A4:BE:F51:02 server=dhcp1 /ip dhcp-server network add address=10.0.1.0/24 dns-server=10.0.1.1 domain=wn.ru gateway=10.0.1.1 \ netmask=24 add address=10.0.2.0/24 dns-server=10.0.2.1 domain=wn.ru gateway=10.0.2.1 \ netmask=24 /ip dns set allow-remote-requests=yes /ip dns static add address=10.0.1.1 name=wn.ru add address=10.0.1.2 name=printer.wn.ru /ip firewall address-list add address=10.0.0.0/24 list=direct add address=10.0.1.0/24 list=direct add address=10.0.2.0/24 list=direct /ip firewall filter add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp add action=accept chain=input in-interface=ether1 protocol=ipsec-esp add action=accept chain=input dst-port=500 in-interface=ether1 protocol=udp add action=accept chain=input dst-port=4500 in-interface=ether1 protocol=udp add action=accept chain=input dst-port=1701 in-interface=ether1 protocol=udp add action=accept chain=input comment=\ "defconf: accept established,related,untracked" connection-state=\ established,related,untracked add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp add action=accept chain=forward comment="defconf: accept in ipsec policy" \ ipsec-policy=in,ipsec add action=accept chain=forward comment="defconf: accept out ipsec policy" \ ipsec-policy=out,ipsec add action=accept chain=forward comment=\ "defconf: accept established,related, untracked" connection-state=\ established,related,untracked add action=drop chain=forward comment="defconf: drop invalid" \ connection-state=invalid add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new in-interface=ether1 add action=accept chain=input comment="defconf: accept established,related" \ connection-state=established,related add action=drop chain=input comment="defconf: drop all from WAN" \ in-interface=ether1 add action=accept chain=forward comment="defconf: accept established,related" \ connection-state=established,related add action=drop chain=forward comment="defconf: drop invalid" \ connection-state=invalid add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new in-interface=ether1 /ip firewall nat add action=dst-nat chain=dstnat dst-port=53 in-interface=bridge-child \ protocol=udp src-address=10.0.2.0/24 to-addresses=77.88.8.7 add action=redirect chain=dstnat dst-port=53 protocol=udp add action=redirect chain=dstnat dst-port=53 protocol=tcp add action=masquerade chain=srcnat dst-address-list=!direct ipsec-policy=\ out,none out-interface=ether1 src-address=10.0.0.0/24 add action=masquerade chain=srcnat dst-address-list=!direct ipsec-policy=\ out,none out-interface=ether1 src-address=10.0.1.0/24 add action=masquerade chain=srcnat dst-address-list=!direct ipsec-policy=\ out,none out-interface=ether1 src-address=10.0.2.0/24 /ip firewall service-port set ftp disabled=yes set irc disabled=yes /ip service set telnet disabled=yes set ftp disabled=yes set ssh disabled=yes set api disabled=yes set api-ssl disabled=yes /ip ssh set allow-none-crypto=yes forwarding-enabled=remote /ip upnp set enabled=yes /ip upnp interfaces add interface=ether1 type=external add interface=ether2 type=internal add interface=ether3 type=internal add interface=ether4 type=internal add interface=bridge-local type=internal add interface=wlan1 type=internal add interface=wlan2 type=internal add interface=bridge-child type=internal add interface=l2tp-in1 type=internal /ppp secret add local-address=10.0.0.1 name=Kot profile=l2tp service=l2tp /system clock set time-zone-name=Asia /system identity set name=WN
