Рутер RouterBOARD 951G-2HnD и voip рутер spa3102

[pro]

Здравейте на всички форумници.

Смених рутера с  RouterBOARD 951G-2HnD за да рутира 1gb.

намерих този форум които е свързан с марката на рутера.

запитвам знаещите от този форум.

След смяната spa3102 не иска да получава изходящи обаждания прави само изходящи.

направил съм порт пренасочванията към портовете които знам, че ползва сип акаунта но не се получава. 

 

[pro]

Преди 10 часа, 111111 написа:

Лан ip на лан бриджа
само едно маскарадинг правило

това не знам как да го направа

[JohnTRIVOLTA]

Избери от адреси - 192.168.0.1/24 да е на интерфейс бридж на мястото на етер2 ! 

Не ползвай на SPA интернет порта, а ползвай локалният на който ще поставиш необходимият адрес - 192.168.0.91 , като предварително си спрял DHCP на SPAто. Спри хелпъра в микротика -  /ip fi service-port set sip ports=5060,5061 sip-direct-media=yes sip-timeout=1d disabled=yes и пробвай пак .
 

[pro]

на кое викате хелпар?

този ред какво да го права?

service port съм забранил сипа?

[JohnTRIVOLTA]

преди 16 минути, pro написа:

на кое викате хелпар?

този ред какво да го права?

service port съм забранил сипа?

Да сървис порта ! Горе в конфига не е забранен, за това този ред пастваш в терминала за по-бързо!

Поправи и тези правила или замести така:

/ip fi fi

/add action=dst-nat chain=dstnat dst-port=5061 in-interface=ether1 protocol=tcp to-addresses=192.168.0.91 to-ports=5061

/add action=dst-nat chain=dstnat dst-port=5060 in-interface=ether1 protocol=tcp to-addresses=192.168.0.91 to-ports=5060

Поправи и другите такива правила за dst-nat !

Редактирано 4 Март, 2018 от JohnTRIVOLTA

[pro]

терминала кво показва ystem,error,critical login failure for user root from 191.255.159.241 via telnet

опитва се да се свърже с некав ип адрес

[JohnTRIVOLTA]

преди 20 минути, pro написа:

терминала кво показва ystem,error,critical login failure for user root from 191.255.159.241 via telnet

опитва се да се свърже с некав ип адрес

Не някой се опитва да влезе в рутера по телнет

 

[pro]

и какво да направа 

това е след промените.

 

# software id = 
#
# model = 951G-2HnD
# serial number = 
/interface bridge
add admin-mac=4C:5E:0C:6A:F7:1F auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik \
    wireless-protocol=802.11 wps-mode=disabled
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key= \
    wpa2-pre-shared-key=
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf hw=no interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=84.22.22.48
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8000 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.93 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8001 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.93 to-ports=8001
add action=dst-nat chain=dstnat dst-port=5061 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.0.91 to-ports=5061
add action=dst-nat chain=dstnat comment="sip server ip 192.168.0.91" \
    dst-port=5060 in-interface=all-ethernet protocol=udp to-addresses=\
    192.168.0.91 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5061 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.91 to-ports=5061
add action=dst-nat chain=dstnat dst-port=5060 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.91 to-ports=5060
add action=dst-nat chain=dstnat dst-port=1000 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.91 to-ports=1000
add action=dst-nat chain=dstnat dst-port=8080 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.93 to-ports=8080
add action=dst-nat chain=dstnat dst-port=8291 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.99 to-ports=8291
add action=dst-nat chain=dstnat dst-port=5228 in-interface=all-ethernet port=\
    "" protocol=udp to-addresses=192.168.0.91 to-ports=5228
add action=dst-nat chain=dstnat dst-port=7078 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.91 to-ports=7078
add action=dst-nat chain=dstnat dst-port=7078 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.0.91 to-ports=7078
add action=dst-nat chain=dstnat dst-port=16384 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.0.91 to-ports=16384
add action=dst-nat chain=dstnat dst-port=16385 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.0.91 to-ports=16385
add action=dst-nat chain=dstnat dst-port=5061 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.0.91 to-ports=5061
add action=dst-nat chain=dstnat dst-port=5060 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.0.91 to-ports=5060
add action=dst-nat chain=dstnat dst-port=10000 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.91 to-ports=10000
add action=dst-nat chain=dstnat dst-port=10000 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.0.91 to-ports=10000
/ip firewall service-port
set sip disabled=yes sip-timeout=1d
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Europe/Sofia

 

[pro]

благодарност ето го и резултата 

това ли се получава

# mar/04/2018 21:15:47 by RouterOS 6.41.2
# software id = 
#
# model = 951G-2HnD
# serial number = 
/interface bridge
add admin-mac=4C:5E:0C:6A:F7:1F auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge radio-name="" \
    ssid=MikroTik wireless-protocol=802.11 wmm-support=enabled wps-mode=\
    disabled
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MyRouter wpa-pre-shared-key= \
    wpa2-pre-shared-key=
/ip pool
add name=dhcp ranges=192.168.0.10-192.168.0.254
add name=default-dhcp ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/interface bridge port
add bridge=bridge comment=defconf interface=ether2-master
add bridge=bridge comment=defconf hw=no interface=wlan1
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=strict tcp-syncookies=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=bridge network=\
    192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.2.2.1
/ip dns static
add address=192.168.88.1 name=router.lan
add address=192.168.0.1 name=myrouter.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow winbox,http from LAN" dst-port=\
    80,8291 in-interface=bridge protocol=tcp
add action=accept chain=input comment="Allow TCP ports...." dst-port=\
    5060,5061,1000,7078,8000,8001,8080,10000 protocol=tcp
add action=accept chain=input comment="Allow UDP ports...." dst-port=\
    5060,5061,1000,7078,8000,8001,8080,10000,16384,16385 protocol=udp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface=!bridge
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8000 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.93 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8001 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.93 to-ports=8001
add action=dst-nat chain=dstnat dst-port=5061 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.0.91 to-ports=5061
add action=dst-nat chain=dstnat comment="sip server ip 192.168.0.91" \
    dst-port=5060 in-interface=all-ethernet protocol=udp to-addresses=\
    192.168.0.91 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5061 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.91 to-ports=5061
add action=dst-nat chain=dstnat dst-port=5060 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.91 to-ports=5060
add action=dst-nat chain=dstnat dst-port=1000 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.91 to-ports=1000
add action=dst-nat chain=dstnat dst-port=8080 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.93 to-ports=8080
add action=dst-nat chain=dstnat dst-port=8291 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.99 to-ports=8291
add action=dst-nat chain=dstnat dst-port=5228 in-interface=all-ethernet port=\
    "" protocol=udp to-addresses=192.168.0.91 to-ports=5228
add action=dst-nat chain=dstnat dst-port=7078 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.91 to-ports=7078
add action=dst-nat chain=dstnat dst-port=7078 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.0.91 to-ports=7078
add action=dst-nat chain=dstnat dst-port=16384 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.0.91 to-ports=16384
add action=dst-nat chain=dstnat dst-port=16385 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.0.91 to-ports=16385
add action=dst-nat chain=dstnat dst-port=5061 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.0.91 to-ports=5061
add action=dst-nat chain=dstnat dst-port=5060 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.0.91 to-ports=5060
add action=dst-nat chain=dstnat dst-port=10000 in-interface=all-ethernet \
    protocol=tcp to-addresses=192.168.0.91 to-ports=10000
add action=dst-nat chain=dstnat dst-port=10000 in-interface=all-ethernet \
    protocol=udp to-addresses=192.168.0.91 to-ports=10000
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8000 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.0.93 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8001 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.0.93 to-ports=8001
add action=dst-nat chain=dstnat dst-port=5061 in-interface=ether1 protocol=\
    udp to-addresses=192.168.0.91 to-ports=5061
add action=dst-nat chain=dstnat dst-port=5061 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.0.91 to-ports=5061
add action=dst-nat chain=dstnat dst-port=5060 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.0.91 to-ports=5060
add action=dst-nat chain=dstnat dst-port=1000 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.0.91 to-ports=1000
add action=dst-nat chain=dstnat dst-port=8080 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.0.93 to-ports=8080
add action=dst-nat chain=dstnat dst-port=8291 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.0.99 to-ports=8291
add action=dst-nat chain=dstnat dst-port=5228 in-interface=ether1 port="" \
    protocol=udp to-addresses=192.168.0.91 to-ports=5228
add action=dst-nat chain=dstnat dst-port=7078 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.0.91 to-ports=7078
add action=dst-nat chain=dstnat dst-port=7078 in-interface=ether1 protocol=\
    udp to-addresses=192.168.0.91 to-ports=7078
add action=dst-nat chain=dstnat dst-port=16384 in-interface=ether1 protocol=\
    udp to-addresses=192.168.0.91 to-ports=16384
add action=dst-nat chain=dstnat dst-port=16385 in-interface=ether1 protocol=\
    udp to-addresses=192.168.0.91 to-ports=16385
add action=dst-nat chain=dstnat dst-port=5061 in-interface=ether1 protocol=\
    udp to-addresses=192.168.0.91 to-ports=5061
add action=dst-nat chain=dstnat dst-port=5060 in-interface=ether1 protocol=\
    udp to-addresses=192.168.0.91 to-ports=5060
add action=dst-nat chain=dstnat dst-port=10000 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.0.91 to-ports=10000
add action=dst-nat chain=dstnat dst-port=10000 in-interface=ether1 protocol=\
    udp to-addresses=192.168.0.91 to-ports=10000
/ip firewall raw
add action=drop chain=prerouting comment="deny dns" dst-port=53 in-interface=\
    ether1 protocol=tcp
add action=drop chain=prerouting comment="deny dns" dst-port=53 in-interface=\
    ether1 protocol=udp
/ip firewall service-port
set sip disabled=yes sip-timeout=1d
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Europe/Sofia
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

 

[JohnTRIVOLTA]

Ъпдейтни си ROS от System-packages-check for updates, защото още си със суич група с мастър етер2 !!! После рисетни борда без деф.конфига и тогава пейстни през терминала !

[pro]

System-packages-check for updates 

това къде се намира само за bugfix only        current         release candidate     development           само това намерих за упдеит.

[JohnTRIVOLTA]

чекваш current и download and install       

[pro]

това съм направил

[pro]

това е резултата

 

# mar/04/2 by RouterOS 6.42rc37
# software id = 
#
# model = 951G-2HnD
# serial number = 4F4304D301B9
/interface bridge
add admin-mac=4C:5E:0C:6A:F7:1F auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge radio-name="" \
    ssid=MikroTik wireless-protocol=802.11 wmm-support=enabled wps-mode=\
    disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MyRouter wpa-pre-shared-key= \
    wpa2-pre-shared-key=
/ip pool
add name=dhcp ranges=192.168.0.1-192.168.0.254
add name=default-dhcp ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=strict tcp-syncookies=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=\
    192.168.0.0
add address=192.168.0.1/24 interface=bridge network=192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.2.2.1
/ip dns static
add address=192.168.0.1 name=router.lan
add address=192.168.0.1 name=myrouter.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow winbox,http from LAN" dst-port=\
    80,8291 in-interface=bridge protocol=tcp
add action=accept chain=input comment="Allow TCP ports...." dst-port=\
    5060,5061,1000,7078,8000,8001,8080,10000 protocol=tcp
add action=accept chain=input comment="Allow UDP ports...." dst-port=\
    5060,5061,1000,7078,8000,8001,8080,10000,16384,16385 protocol=udp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface=!bridge
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow winbox,http from LAN" dst-port=\
    80,8291 in-interface=bridge protocol=tcp
add action=accept chain=input comment="Allow TCP ports...." dst-port=\
    5060,5061,1000,7078,8000,8001,8080,10000 protocol=tcp
add action=accept chain=input comment="Allow UDP ports...." dst-port=\
    5060,5061,1000,7078,8000,8001,8080,10000,16384,16385 protocol=udp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface=!bridge
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Europe/Sofia
/system routerboard settings
set silent-boot=no

 

[JohnTRIVOLTA]

Сега отиваш на System - Routrboard и цъкаш на upgrade и потвърждаваш. Рестарираш борда system - reboot и пробвай какво се случва. Надявам се и със SPAто да си готов както ти казах! Не виждам dst-nat правилата - добави ги! Май пак не си рисетнал , както ти казах, ако те е страх нещо си направи бекъп на сегашната конфигурация!

Редактирано 4 Март, 2018 от JohnTRIVOLTA

[pro]

това е резултата

 

 

#  by RouterOS 6.41.2
# software id = 
#
# model = 951G-2HnD
# serial number = 
/interface bridge
add admin-mac=4C:5E:0C:6A:F7:1F auto-mac=no comment=defconf name=bridge
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    disabled=no distance=indoors frequency=auto mode=ap-bridge radio-name="" \
    ssid=MikroTik wireless-protocol=802.11 wmm-support=enabled wps-mode=\
    disabled
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MyRouter wpa-pre-shared-key= \
    wpa2-pre-shared-key=
/ip pool
add name=dhcp ranges=192.168.0.1-192.168.0.254
add name=default-dhcp ranges=192.168.0.100-192.168.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf hw=no interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set rp-filter=strict tcp-syncookies=yes
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=\
    192.168.0.0
add address=192.168.0.1/24 interface=bridge network=192.168.0.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,4.2.2.1
/ip dns static
add address=192.168.0.1 name=router.lan
add address=192.168.0.1 name=myrouter.lan
/ip firewall filter
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow winbox,http from LAN" dst-port=\
    80,8291 in-interface=bridge protocol=tcp
add action=accept chain=input comment="Allow TCP ports...." dst-port=\
    5060,5061,1000,7078,8000,8001,8080,10000 protocol=tcp
add action=accept chain=input comment="Allow UDP ports...." dst-port=\
    5060,5061,1000,7078,8000,8001,8080,10000,16384,16385 protocol=udp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface=!bridge
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow winbox,http from LAN" dst-port=\
    80,8291 in-interface=bridge protocol=tcp
add action=accept chain=input comment="Allow TCP ports...." dst-port=\
    5060,5061,1000,7078,8000,8001,8080,10000 protocol=tcp
add action=accept chain=input comment="Allow UDP ports...." dst-port=\
    5060,5061,1000,7078,8000,8001,8080,10000,16384,16385 protocol=udp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface=!bridge
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=accept chain=input comment="accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow winbox,http from LAN" dst-port=\
    80,8291 in-interface=bridge protocol=tcp
add action=accept chain=input comment="Allow TCP ports...." dst-port=\
    5060,5061,1000,7078,8000,8001,8080,10000 protocol=tcp
add action=accept chain=input comment="Allow UDP ports...." dst-port=\
    5060,5061,1000,7078,8000,8001,8080,10000,16384,16385 protocol=udp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface=!bridge
add action=accept chain=forward comment="accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether1
add action=dst-nat chain=dstnat dst-port=8000 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.0.93 to-ports=8000
add action=dst-nat chain=dstnat dst-port=8001 in-interface=ether1 protocol=\
    tcp to-addresses=192.168.0.93 to-ports=8001
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Europe/Sofia