Portál AbcLinuxu, 6. června 2024 07:45
Ahoj, mam takovej divnej problem, mam 2 identicky mikrotiky s poslednim FW, oba v podstate nakonfigurovany stejne, firewall je vypnuty, pouze maskarada, je to firma A a B mezi nima je EoIP, na firme A mam VLAN10 10.0.1.1 (plus nejaky dalsi), ale o ty me nejde, mikrotik ma 10 portu rozdelenych do switch1 a switch2, vsechny porty jsou v bridge, VLANy maji nastaveny interface BRIDGE. SFP1 je trunk na switch, eth1 je internet, eth2 je trunk do dalsiho mikrotiku AP, eth3-9 jsou nastaveny na VLAN10. Na Eth3-5(interni switch1) mam problem co budu popisovat. Na eth3-5 pripojim linux server (10.0.1.20) a pustim ping na seznam.cz, s kazdym novym pingem se dotazuje DNS serveru mikrotiku na adresu a tam nastavaji timeouty
1) Firma:A, Port:ETH5, DNS:10.0.1.1, pingy se posilaji asi po 5ti sekundach. Projde ping(0-7), pak dotaz na DNS(timeout na DNS odpoved, neni prirazena vlan10)(8-9), pak projde ping(10-15), pak (16-17) zase DNS timeout, ....
Toto je zaznam ze snifferu z mikrotiku:
# TIME INTERFACE SRC-ADDRESS DST-ADDRESS IP-PROTOCOL SIZE CPU
0 3.915 ether5 10.0.1.20:52494 10.0.1.1:53 (dns) udp 89 0
1 3.915 bridge 10.0.1.20:52494 10.0.1.1:53 (dns) udp 89 0
2 3.915 vlan10 10.0.1.20:52494 10.0.1.1:53 (dns) udp 85 0
3 3.916 ether1 192.168.1.201:37366 8.8.8.8:53 (dns) udp 85 0
4 3.93 ether1 8.8.8.8:53 (dns) 192.168.1.201:37366 udp 112 0
5 3.93 vlan10 10.0.1.1:53 (dns) 10.0.1.20:52494 udp 112 0
6 3.93 bridge 10.0.1.1:53 (dns) 10.0.1.20:52494 udp 116 0
7 3.93 ether5 10.0.1.1:53 (dns) 10.0.1.20:52494 udp 116 0
8 3.943 ether5 10.0.1.20:37912 10.0.1.1:53 (dns) udp 85 0
9 3.943 bridge 10.0.1.20:37912 10.0.1.1:53 (dns) udp 85 0
10 8.948 ether5 10.0.1.20:37912 10.0.1.1:53 (dns) udp 89 0
11 8.948 bridge 10.0.1.20:37912 10.0.1.1:53 (dns) udp 89 0
12 8.948 vlan10 10.0.1.20:37912 10.0.1.1:53 (dns) udp 85 0
13 8.949 vlan10 10.0.1.1:53 (dns) 10.0.1.20:37912 udp 112 0
14 8.949 bridge 10.0.1.1:53 (dns) 10.0.1.20:37912 udp 116 0
15 8.949 ether5 10.0.1.1:53 (dns) 10.0.1.20:37912 udp 116 0
16 8.962 ether5 10.0.1.20:37165 10.0.1.1:53 (dns) udp 85 0
17 8.962 bridge 10.0.1.20:37165 10.0.1.1:53 (dns) udp 85 0
18 13.967 ether5 10.0.1.20:37165 10.0.1.1:53 (dns) udp 89 0
19 13.967 bridge 10.0.1.20:37165 10.0.1.1:53 (dns) udp 89 0
20 13.967 vlan10 10.0.1.20:37165 10.0.1.1:53 (dns) udp 85 0
21 13.968 vlan10 10.0.1.1:53 (dns) 10.0.1.20:37165 udp 112 0
22 13.968 bridge 10.0.1.1:53 (dns) 10.0.1.20:37165 udp 116 0
23 13.968 ether5 10.0.1.1:53 (dns) 10.0.1.20:37165 udp 116 0
24 13.98 ether5 10.0.1.20:33125 10.0.1.1:53 (dns) udp 85 0
25 13.98 bridge 10.0.1.20:33125 10.0.1.1:53 (dns) udp 85 0
2) Stejne jka 1), pouze na serveru nastavim DNS na 10.0.2.1 (coz je firma B pres EoIP) a vse jede jak ma
3) Stejne jak 1), pouze na serveru nastavim DNS na 172.16.20.1 (coz je adresa VPN na mikrotiku) a vse jede jak ma
4) Stejne jak 1), pouze na serveru nastavim DNS na 8.8.8.8 a vse jede jak ma
5) Pokud nastavim DNS na 10.0.1.1(VLAN10) a pripojim se na Eth6-9 coz uz je interni switch2 nebo se pripojim do AP nebo switche, ktere jsou pripojeny k mikrotiku pres trunk a taky maji na portech nastaveny vlany, tak vsechno jede jak ma
6) Pokud zmenim adresu serveru na 10.0.2.20 a prijim do stejne konfigurace do mikrotiku firmy B na stejne porty eth3-5, tak taky vse funguje jak ma
- VLAN maji interface BRIDGE(ten je pouze vytvoren a neni vnem zadne dalsi nastaveni)
- Interni porty switch mikrotiku jsou nastaveny tako:
# NAME SWITCH VLAN-MODE VLAN-HEADER DEFAULT-VLAN-ID
0 ether1 switch1 disabled leave-as-is auto
1 ether2 switch1 secure add-if-missing auto
2 ether3 switch1 secure always-strip 10
3 ether4 switch1 secure always-strip 10
4 ether5 switch1 secure always-strip 10
5 ether6 switch2 secure always-strip 10
6 ether7 switch2 secure always-strip 10
7 ether8 switch2 secure always-strip 10
8 ether9 switch2 secure always-strip 10
9 ether10-service switch2 disabled leave-as-is auto
10 switch1-cpu switch1 secure leave-as-is auto
11 switch2-cpu switch2 secure leave-as-is auto
- VLANy na switch mikrotiku jsou nastaveny takto:
# SWITCH VLAN-ID PORTS
0 switch2 10 ether6 ether7 ether8 ether9 switch2-cpu
1 switch1 100 ether2 switch1-cpu
2 switch1 110 ether2 switch1-cpu
3 switch1 10 ether2 ether3 ether4 ether5 switch1-cpu
4 switch1 1 ether2
Uz stim laboruju asi den a porad nic, zkousel deaktivovat EoiP a vsechny ostatni VLANy krom VLAN10, odpojil jsem vsechny TRUNKy a porty nastavil na VLAN10, ale proste interni switch 1 na mikrotiku firma A se chova nejak divne.
Nejaka rada prosim, uz fakt nevim ?
16.8.2023 11:21
Max | skóre: 72
| blog: Max_Devaine
# 2023-08-16 12:10:25 by RouterOS 7.11
# software id = GA2P-451I
#
# model = RB3011UiAS
/interface bridge
add admin-mac=78:9A:18:19:04:BD auto-mac=no name=bridge protocol-mode=none
/interface ethernet
set [ find default-name=ether10 ] name=ether10-service
/interface eoip
add mac-address=02:11:8E:E5:5E:4F name=eoip-tunnel1 remote-address=\
172.16.20.2 tunnel-id=100
/interface vlan
add interface=bridge name=vlan10 vlan-id=10
add interface=bridge name=vlan100 vlan-id=100
add interface=bridge name=vlan110 vlan-id=110
/interface ethernet switch port
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 5 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 6 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 7 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 8 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 10 vlan-mode=secure
set 11 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip pool
add name=dhcp_pool_firma ranges=10.0.1.50-10.0.1.250
add name=dhcp_pool_najemnici ranges=10.0.100.10-10.0.100.250
add name=l2tp-pool ranges=172.16.20.10-172.16.20.250
add name=dhcp_pool_navsteva ranges=10.0.110.10-10.0.110.250
add name=dhcp_pool_service ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool_firma interface=vlan10 lease-time=10m name=dhcp1
add address-pool=dhcp_pool_najemnici interface=vlan100 lease-time=10m name=\
dhcp2
add address-pool=dhcp_pool_navsteva interface=vlan110 name=dhcp3
add address-pool=dhcp_pool_service interface=ether10-service name=dhcp4
/port
set 0 name=serial0
/ppp profile
add dns-server=172.16.20.1 local-address=172.16.20.1 name=l2tp-vpn \
remote-address=l2tp-pool
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge ingress-filtering=no interface=ether2
add bridge=bridge ingress-filtering=no interface=ether3
add bridge=bridge ingress-filtering=no interface=ether4
add bridge=bridge ingress-filtering=no interface=ether5
add bridge=bridge ingress-filtering=no interface=ether7
add bridge=bridge ingress-filtering=no interface=ether8
add bridge=bridge ingress-filtering=no interface=ether9
add bridge=bridge ingress-filtering=no interface=eoip-tunnel1
add bridge=bridge ingress-filtering=no interface=ether6
add bridge=bridge interface=sfp1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes forward=no max-neighbor-entries=8192
/interface ethernet switch vlan
add independent-learning=no ports=ether6,ether7,ether8,ether9,switch2-cpu \
switch=switch2 vlan-id=10
add independent-learning=no ports=ether2,switch1-cpu switch=switch1 vlan-id=\
100
add independent-learning=no ports=ether2,switch1-cpu switch=switch1 vlan-id=\
110
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu \
switch=switch1 vlan-id=10
add independent-learning=no ports=ether2 switch=switch1 vlan-id=1
/interface l2tp-server server
set default-profile=l2tp-vpn enabled=yes use-ipsec=required
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption enabled=yes
/ip address
add address=10.0.1.1/24 interface=vlan10 network=10.0.1.0
add address=192.168.1.201/24 interface=ether1 network=192.168.1.0
add address=10.0.100.1/24 interface=vlan100 network=10.0.100.0
add address=10.0.50.1/24 interface=eoip-tunnel1 network=10.0.50.0
add address=10.0.110.1/24 interface=vlan110 network=10.0.110.0
add address=192.168.88.1/24 interface=ether10-service network=192.168.88.0
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=10.0.1.1 domain=tis gateway=10.0.1.1 \
netmask=24
add address=10.0.100.0/24 dns-server=10.0.100.1 gateway=10.0.100.1
add address=10.0.110.0/24 dns-server=10.0.110.1 gateway=10.0.110.1 netmask=24
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes max-concurrent-queries=500 \
max-concurrent-tcp-sessions=100 servers=8.8.8.8
/ip dns static
add disabled=yes forward-to=10.0.2.1 regexp=".*\\.brn" type=FWD
add address=10.0.1.2 disabled=yes name=switch1.tis
add address=10.0.1.1 name=gw.tis
add address=10.0.1.3 disabled=yes name=wifi1.tis
/ip firewall filter
add action=fasttrack-connection chain=forward comment=\
"Povolit rychle odbaveni navazaneho spojeni FORWARD" connection-state=\
established,related hw-offload=yes
add action=accept chain=forward comment="Povolit navazana spojeni na FORWARD" \
connection-state=established,related
add action=accept chain=input comment="Povolit navazana spojeni na INPUT" \
connection-state=established,related,untracked
add action=accept chain=input comment="Povolit ICMP" protocol=icmp
add action=accept chain=input comment="Allow L2PT / IPSec VPN access" \
dst-port=500,1701,4500 in-interface-list=WAN protocol=udp
add action=accept chain=input in-interface-list=WAN protocol=ipsec-ah
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=forward dst-address-list=Firma src-address-list=Firma
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1
add disabled=no dst-address=10.0.2.0/24 gateway=10.0.50.2
/lcd
set backlight-timeout=never default-screen=stats
/ppp secret
add name=test-user profile=l2tp-vpn
add name=MikrotikBrn profile=l2tp-vpn remote-address=172.16.20.2
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=RouterOS
/system note
set show-at-login=no
/system ntp client
set mode=broadcast
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-port=dns
# 2023-08-16 17:31:09 by RouterOS 7.11
# software id = 3F52-2YL3
#
# model = RB3011UiAS
# serial number = HER0927FV0Z
/interface ethernet
set [ find default-name=ether1 ] mac-address=78:9A:18:19:04:BC
set [ find default-name=ether2 ] mac-address=78:9A:18:19:04:BD
set [ find default-name=ether3 ] mac-address=78:9A:18:19:04:BE
set [ find default-name=ether4 ] mac-address=78:9A:18:19:04:BF
set [ find default-name=ether5 ] mac-address=78:9A:18:19:04:C0
set [ find default-name=ether6 ] mac-address=78:9A:18:19:04:C2
set [ find default-name=ether7 ] mac-address=78:9A:18:19:04:C3
set [ find default-name=ether8 ] mac-address=78:9A:18:19:04:C4
set [ find default-name=ether9 ] mac-address=78:9A:18:19:04:C5
set [ find default-name=ether10 ] mac-address=78:9A:18:19:04:C6 name=\
ether10-service
set [ find default-name=sfp1 ] mac-address=78:9A:18:19:04:C1
/interface vlan
add interface=ether5 name=vlan10 vlan-id=10
/interface ethernet switch port
set 1 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 10 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip pool
add name=dhcp_pool_firma ranges=10.0.1.50-10.0.1.250
add name=dhcp_pool_service ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool_service interface=ether10-service name=dhcp4
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes forward=no max-neighbor-entries=8192
/interface ethernet switch vlan
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu \
switch=switch1 vlan-id=10
/interface l2tp-server server
set default-profile=default use-ipsec=required
/interface list member
add comment=defconf interface=vlan10 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether9 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=10.0.1.1/24 interface=vlan10 network=10.0.1.0
add address=192.168.1.201/24 interface=ether1 network=192.168.1.0
add address=192.168.88.1/24 interface=ether10-service network=192.168.88.0
/ip dhcp-server
add address-pool=dhcp_pool_firma interface=*D lease-time=10m name=dhcp1
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=10.0.1.1 domain=tis gateway=10.0.1.1 \
netmask=24
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes max-concurrent-queries=500 \
max-concurrent-tcp-sessions=100 servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1
/lcd
set backlight-timeout=never default-screen=stats
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=RouterOS
/system note
set show-at-login=no
/system ntp client
set mode=broadcast
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-port=dns
2) Eth1: Internet, VLAN10 na interface BRIDGE, v BRIDGE je jenom Eth5
# 2023-08-16 17:35:24 by RouterOS 7.11
# software id = 3F52-2YL3
#
# model = RB3011UiAS
# serial number = HER0927FV0Z
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] mac-address=78:9A:18:19:04:BC
set [ find default-name=ether2 ] mac-address=78:9A:18:19:04:BD
set [ find default-name=ether3 ] mac-address=78:9A:18:19:04:BE
set [ find default-name=ether4 ] mac-address=78:9A:18:19:04:BF
set [ find default-name=ether5 ] mac-address=78:9A:18:19:04:C0
set [ find default-name=ether6 ] mac-address=78:9A:18:19:04:C2
set [ find default-name=ether7 ] mac-address=78:9A:18:19:04:C3
set [ find default-name=ether8 ] mac-address=78:9A:18:19:04:C4
set [ find default-name=ether9 ] mac-address=78:9A:18:19:04:C5
set [ find default-name=ether10 ] mac-address=78:9A:18:19:04:C6 name=\
ether10-service
set [ find default-name=sfp1 ] mac-address=78:9A:18:19:04:C1
/interface vlan
add interface=bridge1 name=vlan10 vlan-id=10
/interface ethernet switch port
set 1 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 2 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 3 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 4 default-vlan-id=10 vlan-header=always-strip vlan-mode=secure
set 10 vlan-mode=secure
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip pool
add name=dhcp_pool_firma ranges=10.0.1.50-10.0.1.250
add name=dhcp_pool_service ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool_firma interface=bridge1 lease-time=10m name=dhcp1
add address-pool=dhcp_pool_service interface=ether10-service name=dhcp4
/port
set 0 name=serial0
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
set disable-ipv6=yes forward=no max-neighbor-entries=8192
/interface ethernet switch vlan
add independent-learning=no ports=ether2,ether3,ether4,ether5,switch1-cpu \
switch=switch1 vlan-id=10
/interface l2tp-server server
set default-profile=default use-ipsec=required
/interface list member
add comment=defconf interface=vlan10 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether9 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=10.0.1.1/24 interface=vlan10 network=10.0.1.0
add address=192.168.1.201/24 interface=ether1 network=192.168.1.0
add address=192.168.88.1/24 interface=ether10-service network=192.168.88.0
/ip dhcp-server network
add address=10.0.1.0/24 dns-server=10.0.1.1 domain=tis gateway=10.0.1.1 \
netmask=24
add address=192.168.88.0/24 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes max-concurrent-queries=500 \
max-concurrent-tcp-sessions=100 servers=8.8.8.8
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1
/lcd
set backlight-timeout=never default-screen=stats
/routing bfd configuration
add disabled=no interfaces=all min-rx=200us min-tx=200us multiplier=5
/system clock
set time-zone-name=Europe/Prague
/system identity
set name=RouterOS
/system note
set show-at-login=no
/system ntp client
set mode=broadcast
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-port=dns
Rozdil je opravdu pouze v tom, ze VLAN10 prirazuji primo na Eth5 a VLAN10 prirazuji na BRIDGE ve ktrem je pouze Eth5.
A jeste kdyz se chci vrati z nefunkcni konfigurace tak, ze vymazu BRIDGE, tak to taky nefunguje, musim udelat reboot mikrotiku, neco nekde visi, nevim co.
Tiskni
Sdílej:
ISSN 1214-1267, (c) 1999-2007 Stickfish s.r.o.