Telekom je počeo da jajari u poslednje vreme, pa ne daje više toliko široke blokove ip adresa.
Dodelio nam je WAN blok /31 i LAN blok /32, odnosno samo jednu ip adresu.
Ja sam napravio loopback interfejsa na mikrotiku (prazan bridge) i na njega asocirao tu /32 adresu.
LAN mreža mi je na bridge interfejsu u kome su svi fizički portovi (sem ether1), 192.168.3.0/24 vlan 10 (imam i 10.168.3.0/24 wifi za goste vlan 20) i za te adrese sam stavio src-nat da ide na tu jednu IP adresu iz telekomovog LAN bloka.
I to lepo radi, kada odem na whatismyip, računarima iz LAN i wifi za goste stoji IP adresa.
Međutim, kada preko samog rutera iniciram wireguard konekciju ka vpn serveru u centrali, ta vpn konekcija ide preko telekomovog WAN IP bloka.
Mislim, ništa strašno, VPN radi normalno punom brzinom i stabilno, ali eto čisto me kopka kako da izvedem da i sam ruter ide preko IP adrese od Telekomovog LAN bloka.
Evo config fajla.
Citat:
# 2024-08-16 19:30:40 by RouterOS 7.15.1
# software id = *
#
# model = RB2011iL
# serial number = *
/interface bridge
add name=bridge1 port-cost-mode=short protocol-mode=none
add name=bridge2 port-cost-mode=short protocol-mode=none
add comment="Telekom LAN blok" mtu=1500 name=internet protocol-mode=none
/interface ethernet
set [ find default-name=ether4 ] comment="Link ka magacinu potrosnog"
set [ find default-name=ether9 ] comment=\
"*"
set [ find default-name=ether10 ] comment="*\
*\9*" poe-out=forced-on
/interface wireguard
add listen-port=13231 mtu=1380 name=firma
/interface vlan
add comment="LAN za zaposlene i pristup mrezi firme" interface=bridge1 \
name=vlan10 vlan-id=10
add comment="LAN za goste i wifi za zaposlene" interface=bridge1 name=vlan20 \
vlan-id=20
add comment="Telekom WAN blok" interface=ether1 name=vlan1200 vlan-id=1200
/interface ethernet switch port
set 0 default-vlan-id=0 vlan-mode=fallback
set 1 default-vlan-id=10 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=10 vlan-header=add-if-missing vlan-mode=secure
set 3 default-vlan-id=10 vlan-header=add-if-missing vlan-mode=secure
set 4 default-vlan-id=10 vlan-header=add-if-missing vlan-mode=secure
set 5 default-vlan-id=10 vlan-header=add-if-missing vlan-mode=secure
set 6 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 7 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 8 default-vlan-id=10 vlan-header=add-if-missing vlan-mode=secure
set 9 default-vlan-id=10 vlan-header=add-if-missing vlan-mode=secure
set 10 default-vlan-id=0 vlan-header=add-if-missing vlan-mode=secure
set 11 vlan-header=add-if-missing
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=WiFi
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-server option
add code=119 name="domain search" value=0xfirma
add code=46 name="netbios node type" value=0x08
add code=67 name=boot value="'boot\\x64\\wdsmgfw.efi'"
add code=66 name=tftp value="'192.168.0.254'"
add code=60 name=pxeclient value="'pxeclient'"
/ip dhcp-server option sets
add name=vlan10 options="domain search,netbios node type,boot,tftp,pxeclient"
/ip pool
add name=vlan10 ranges=192.168.3.2-192.168.3.60
add name=vlan20 ranges=10.168.3.100-10.168.3.200
/ip dhcp-server
add address-pool=vlan10 dhcp-option-set=vlan10 interface=vlan10 lease-time=\
4w2d name=vlan10
add address-pool=vlan20 interface=vlan20 lease-time=1h name=vlan20
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface=ether2 internal-path-cost=\
10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether3 internal-path-cost=\
10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether4 internal-path-cost=\
10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether5 internal-path-cost=\
10 path-cost=10
add bridge=bridge2 ingress-filtering=no interface=ether6 internal-path-cost=\
10 path-cost=10
add bridge=bridge2 ingress-filtering=no interface=ether7 internal-path-cost=\
10 path-cost=10
add bridge=bridge2 ingress-filtering=no interface=ether8 internal-path-cost=\
10 path-cost=10
add bridge=bridge2 ingress-filtering=no interface=ether9 internal-path-cost=\
10 path-cost=10
add bridge=bridge2 ingress-filtering=no interface=ether10 internal-path-cost=\
10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface ethernet switch vlan
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu \
switch=switch1 vlan-id=10
add ports=ether6,ether7,ether8,ether9,ether10 switch=switch2 vlan-id=10
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu \
switch=switch1 vlan-id=20
add ports=ether6,ether7,ether8,ether9,ether10 switch=switch2 vlan-id=20
/interface list member
add comment=defconf interface=vlan10 list=LAN
add interface=vlan20 list=WiFi
add interface=firma list=LAN
add interface=ether1 list=WAN
add interface=vlan1200 list=WAN
add interface=internet list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wireguard peers
add allowed-address=\
* \
endpoint-address=vpn.firma.com endpoint-port=10011 interface=\
firma name=peer2 persistent-keepalive=25s preshared-key=\
"*=" public-key=\
"*="
/ip address
add address=192.168.3.1/26 interface=vlan10 network=192.168.3.0
add address=10.168.3.1/24 interface=vlan20 network=10.168.3.0
add address=10.10.8.8 interface=firma network=10.10.8.1
add address=212.200.xxx.yyy/31 interface=vlan1200 network=212.200.xxx.yyy - Telekom WAN blok IP
add address=79.101.xx.yy interface=internet network=79.101.xx.yy - Telekom LAN blok IP
/ip dhcp-server lease
****
/ip dhcp-server network
add address=10.168.3.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.168.3.1
add address=192.168.3.0/26 dns-server=192.168.0.254 domain=firma.co.yu \
gateway=192.168.3.1 next-server=192.168.0.254 ntp-server=192.168.0.254 \
wins-server=192.168.0.254
/ip dns
set servers=212.200.190.166,212.200.191.166
/ip firewall address-list
add address=192.168.3.0/24 list=NAT
add address=10.168.3.0/24 list=NAT
/ip firewall filter
add action=drop chain=forward in-interface-list=LAN out-interface-list=WiFi
add action=drop chain=forward in-interface-list=WiFi out-interface-list=LAN
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
/ip firewall nat
add action=src-nat chain=srcnat out-interface=vlan1200 src-address-list=NAT \
to-addresses=79.101.xx.yy
/ip route
add disabled=no distance=200 dst-address=192.168.0.0/18 gateway=firma \
routing-table=main suppress-hw-offload=no
add disabled=no distance=200 dst-address=10.10.8.0/21 gateway=firma \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=200 dst-address=192.168.255.0/24 gateway=firma \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=200 dst-address=192.0.2.0/24 gateway=firma \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=10 dst-address=0.0.0.0/0 gateway=212.200.xxx.yyy \
routing-table=main suppress-hw-offload=no
/ip smb shares
set [ find default=yes ] directory=/pub
/ip socks
set version=5
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Belgrade
/system identity
set name=*
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
... Vladimir Vučićević aka. Bachi
~~~
www.bachi.in.rs <<<<>>>>
[email protected]
>>> It's nice to be important, but it's more important to be nice...
Re: Telekom optika + Mikrotik
