Проблем с masquerade

[gkk]

Здравейте, 

Имам проблем с рутер rb2004, имам 4 мрежи... 3 от тях имат интернет, мрежата за гости няма. Топология rb2004->cisco managed switch->unifi ap-> 3 мрежи, 2 имат интернет 3-тата няма... получавам ip адрес от рутера по dhcp, имам ping, но нямам постъпили пакети в правилото за nat. Моля за помощ. 

interface/bridge export

# oct/24/2022 13:45:43 by RouterOS 7.4
# software id = 1FV8-28MX
#
# model = CCR2004-16G-2S+
# serial number
/interface bridge
add arp=proxy-arp name=br1 protocol-mode=none vlan-filtering=yes
/interface bridge port
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether5 pvid=50
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether6 pvid=50
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether7 pvid=50
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether8 pvid=50
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether9 pvid=50
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether10 pvid=50
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether13 pvid=100
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether14 pvid=100
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether15 pvid=100
add bridge=br1 frame-types=admit-only-untagged-and-priority-tagged interface=\
    ether16 pvid=100
add bridge=br1 interface=vlan49-mngmt pvid=49
add bridge=br1 frame-types=admit-only-vlan-tagged interface=ether11
add bridge=br1 frame-types=admit-only-vlan-tagged interface=ether12
add bridge=br1 interface=ether3 pvid=49
add bridge=br1 interface=ether4 multicast-router=disabled pvid=50
add bridge=br1 interface=ether2 pvid=50
/interface bridge vlan
add bridge=br1 tagged=br1,ether11,ether12,sfp-sfpplus2 vlan-ids=49
add bridge=br1 tagged=br1,ether11,ether12,ether4,sfp-sfpplus2 vlan-ids=50
add bridge=br1 tagged=br1,ether11,ether12,ether4,sfp-sfpplus2 vlan-ids=100
add bridge=br1 tagged=br1,ether12,ether11,sfp-sfpplus2 vlan-ids=150
add bridge=br1 tagged=br1,ether11,ether12 vlan-ids=200

ip/firewall/filter export

# oct/24/2022 13:47:20 by RouterOS 7.4
# software id = 1FV8-28MX
#
# model = CCR2004-16G-2S+
# serial number
/ip firewall filter
add action=accept chain=input comment="Allow VLAN" in-interface-list=VLAN
add action=accept chain=input comment="Allow admin_vlan Full Access" \
    in-interface-list=MGMT
add action=accept chain=input comment="allow ipsec nat" dst-port=4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow vpn" dst-port=500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input comment="winbox allow from vpn" dst-port=8291 \
    in-interface-list=MGMT protocol=tcp
add action=accept chain=input comment="winbox allow from vpn" dst-port=22022 \
    in-interface-list=WAN protocol=tcp src-address=1.1.1.1
add action=accept chain=input comment="winbox allow from vpn" dst-port=8291 \
    in-interface=all-ppp protocol=tcp
add action=accept chain=input comment="pptp vpn port" dst-port=1723 \
    in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="pptp vpn port" in-interface-list=WAN \
    protocol=gre
add action=accept chain=input comment="allow ping from - wan" \
    in-interface-list=WAN protocol=icmp
add action=drop chain=input dst-port=8291 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment=\
    "drop all to router from -  guest network" disabled=yes in-interface=\
    vlan150_guest
add action=drop chain=input comment="drop dns request from guest network" \
    disabled=yes dst-port=53 in-interface=vlan150_guest protocol=tcp
add action=drop chain=input comment="drop dns request from WAN interfaces" \
    dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="drop dns request from guest network" \
    disabled=yes dst-port=53 in-interface=vlan150_guest protocol=udp
add action=drop chain=input comment="drop dns request from WAN interfaces" \
    dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="drop all to router from - wan" disabled=\
    yes
add action=accept chain=forward comment="Allow Estab & Related" \
    connection-state=established,related
add action=accept chain=forward comment="VLAN Internet Access only" \
    connection-state=new in-interface-list=VLAN out-interface-list=WAN
add action=accept chain=forward comment="allow admin to access vlans" \
    in-interface-list=MGMT out-interface-list=VLAN
add action=accept chain=forward comment="allow admin to access internet" \
    in-interface-list=MGMT out-interface-list=WAN
add action=accept chain=forward comment="allow vpn ping internal networks" \
    in-interface=all-ppp out-interface-list=VLAN protocol=icmp
add action=accept chain=forward comment="allow vpn internet accesss" \
    in-interface=all-ppp out-interface-list=WAN
add action=accept chain=forward dst-address=192.168.100.0/24 in-interface=\
    all-ppp
add action=accept chain=forward dst-address=192.168.49.0/24 in-interface=\
    all-ppp
add action=accept chain=forward dst-address=192.168.50.0/24 in-interface=\
    all-ppp
add action=accept chain=forward dst-address=192.168.100.50 dst-port=37777 \
    protocol=tcp src-address=192.168.50.77
add action=accept chain=forward dst-address=192.168.100.50 dst-port=37777 \
    protocol=tcp src-address=192.168.50.123
add action=accept chain=forward dst-address=192.168.100.50 dst-port=37777 \
    protocol=tcp src-address=192.168.50.82
add action=accept chain=forward dst-address=192.168.100.51 dst-port=37777 \
    protocol=tcp src-address=192.168.50.123
add action=accept chain=forward dst-address=192.168.100.51 dst-port=37777 \
    protocol=tcp src-address=192.168.50.82
add action=accept chain=forward dst-address=192.168.100.220 in-interface=\
    all-ppp
add action=accept chain=forward dst-address=192.168.100.230 in-interface=\
    all-ppp
add action=accept chain=forward dst-address=192.168.49.2 in-interface=all-ppp
add action=accept chain=forward dst-address=192.168.49.3 dst-port=8443 \
    in-interface=all-ppp protocol=tcp
add action=accept chain=forward dst-address=192.168.49.2 dst-port=22 \
    in-interface=all-ppp protocol=tcp
add action=accept chain=forward dst-port=37777 in-interface-list=WAN \
    out-interface-list=VLAN protocol=tcp
add action=drop chain=forward disabled=yes dst-address=192.168.100.0/24 \
    src-address=192.168.150.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.50.0/24 \
    src-address=192.168.150.0/24
add action=drop chain=forward disabled=yes dst-address=192.168.49.0/24 \
    src-address=192.168.150.0/24
add action=drop chain=forward dst-address=192.168.100.0/24 src-address=\
    192.168.50.0/24
add action=drop chain=forward comment=Drop

ip/firewall/nat export

# oct/24/2022 13:47:04 by RouterOS 7.4
# software id = 1FV8-28MX
#
# model = CCR2004-16G-2S+
# serial number =
/ip firewall nat
add action=masquerade chain=srcnat comment=\
    "Default masquerade office network" out-interface=ether1 src-address=\
    192.168.50.0/24
add action=masquerade chain=srcnat comment=\
    "Default masquerade office network" out-interface=ether1 src-address=\
    192.168.51.0/24
add action=masquerade chain=srcnat comment="Default masquerade admin network" \
    out-interface=ether1 src-address=192.168.49.0/24
add action=masquerade chain=srcnat comment=\
    "Default masquerade security network" out-interface=ether1 src-address=\
    192.168.100.0/24
add action=masquerade chain=srcnat out-interface=ether1 src-address=\
    192.168.200.0/24
add action=dst-nat chain=dstnat comment="port forwarding from WAN - 192.168.10\
    0.50 (copy this rule for new device and change ip:port)" dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.50.244 to-ports=\
    80
add action=dst-nat chain=dstnat comment="port forwarding from WAN - 192.168.10\
    0.50 (copy this rule for new device and change ip:port)" dst-port=88 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.49.2 to-ports=80
add action=dst-nat chain=dstnat comment="hairpin nat nvr" dst-port=37777 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.100.50 to-ports=\
    37777
add action=dst-nat chain=dstnat comment="hairpin nat nvr" dst-address=\
    78.130.219.76 dst-port=37777 in-interface-list=WAN protocol=tcp \
    src-address=192.168.50.0/24 to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat comment="hairpin nat nvr" dst-address=\
    78.130.219.76 dst-port=37777 protocol=tcp src-address=192.168.100.0/24 \
    to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat comment="hairpin nat nvr" dst-address=\
    78.130.219.76 dst-port=37777 protocol=tcp src-address=192.168.49.0/24 \
    to-addresses=192.168.100.50 to-ports=37777
add action=masquerade chain=srcnat comment=\
    "port forwarding from local net (admin network)" dst-address=\
    192.168.100.50 src-address=192.168.49.0/24
add action=masquerade chain=srcnat comment=\
    "port forwarding from local net (office network)" dst-address=\
    192.168.100.50 src-address=192.168.50.0/24
add action=masquerade chain=srcnat comment=\
    "port forwarding from local net (security network)" dst-address=\
    192.168.100.50 src-address=192.168.100.0/24
add action=dst-nat chain=dstnat comment="port forwarding from local net (admin\
    \_network) 192.168.100.50 - copy this rule for new device and change ip:po\
    rt" dst-address=!192.168.49.1 dst-address-type=local dst-port=37777 \
    protocol=tcp to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat comment="port forwarding from local net (offic\
    e network) 192.168.100.50 - copy this rule for new device and change ip:po\
    rt" dst-address=!192.168.50.1 dst-address-type=local dst-port=37777 \
    protocol=tcp to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat comment="port forwarding from local net (secur\
    ity network) 192.168.100.50 - copy this rule for new device and change ip:\
    port" dst-address=!192.168.100.1 dst-address-type=local dst-port=37777 \
    protocol=tcp to-addresses=192.168.100.50 to-ports=37777
add action=dst-nat chain=dstnat dst-port=8080 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.49.2 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=8443 in-interface=\
    ether1 protocol=tcp to-addresses=192.168.49.3 to-ports=8443
add action=dst-nat chain=dstnat dst-port=37779 in-interface-list=WAN \
    protocol=tcp to-addresses=192.168.100.51 to-ports=37777

ip/addreess export

# oct/24/2022 13:46:37 by RouterOS 7.4
# software id = 1FV8-28MX
#
# model = CCR2004-16G-2S+
# serial number
/ip address
add address=192.168.49.1/24 interface=vlan49-mngmt network=192.168.49.0
add address=192.168.50.1/24 interface=vlan50_office network=192.168.50.0
add address=192.168.100.1/24 interface=vlan100-security network=192.168.100.0
add address=192.168.160.1/24 interface=vlan150_guest network=192.168.160.0
add address=192.168.1.1/24 interface=vlan100-security network=192.168.1.0
add address=192.168.200.1/24 interface=vlan200 network=192.168.200.0

 

[JohnTRIVOLTA]

На първо четене нямаш сорс нат на мрежата за гости 192.168.160.0/24 vid150 !

[gkk]

Здравей, това е старата мрежа за гости... експорта е с нова мрежа vlan200, но всяка мрежа която добавя е все едно и също... няма интернет, пинг има ама няма пакети стигащи до nat правилото за мрежата. Явно версия 7 не е толкова за production както го водят

 

Редактирано 24 Октомври, 2022 от gkk

[JohnTRIVOLTA]

преди 59 минути, gkk написа:

Здравей, това е старата мрежа за гости... експорта е с нова мрежа vlan200, но всяка мрежа която добавя е все едно и също... няма интернет, пинг има ама няма пакети стигащи до nat правилото за мрежата. Явно версия 7 не е толкова за production както го водят

 

За да нямаш пакети на сорс нат означава , че някое правило във forward къса връзката за да стигне пакета до пострутинг веригата! Може да пробваш да добавиш в началото глобално правило за разрешаване на forward на мрежа 200 .

[111111]

7-цата ли е виновна, че си задал адреси на подчинени на бриджа интерфейси?

[JohnTRIVOLTA]

Възможно да е пропуснато да се добави вилан интерфейса в листата за вилани и по този начин да не сработва в стената.

[gkk]

Здравей,

Точно това беше проблема, вече ще гледам повече какво се е объркало

Благодаря  и лек ден

[JohnTRIVOLTA]

преди 32 минути, gkk написа:

Здравей,

Точно това беше проблема, вече ще гледам повече какво се е объркало

Благодаря  и лек ден

Извинявай, кое точно с оказа проблема - пропуск да се добави в листата вилана ли?

[gkk]

Точно това... в листа с другите влан-и