BrateloSlava
Advanced Member

To ALL. I have a virtual MikroTik v6.47 installed under VMware ESXi 7.0. Configuration:

Code:
/interface ethernet set [ find default-name=ether1 ] name=ether1-gateway
/interface ethernet set [ find default-name=ether2 ] name=ether2-lan
/interface list add name=WAN
/interface list add name=LAN
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool add name=dhcp_pool_lan ranges=192.168.177.20-192.168.177.50
/ip dhcp-server add add-arp=yes address-pool=dhcp_pool_lan disabled=no interface=ether2-lan lease-time=8h name=DHCP-Lan
/queue interface set ether1-gateway queue=ethernet-default
/ip firewall connection tracking set tcp-established-timeout=10m
/ip neighbor discovery-settings set discover-interface-list=none
/interface list member add interface=ether1-gateway list=WAN
/interface list member add interface=ether2-lan list=LAN
/ip address add address=2.9.17.25/24 interface=ether1-gateway network=2.9.17.0
/ip address add address=192.168.177.1/24 interface=ether2-lan network=192.168.177.0
/ip cloud set update-time=no
/ip dhcp-server lease add address=192.168.177.10 client-id=1:0:c:29:ea:42:18 mac-address=00:0C:29:EA:42:18 server=DHCP-Lan
/ip dhcp-server lease add address=192.168.177.11 client-id=1:0:c:29:63:f2:65 mac-address=00:0C:29:63:F2:65 server=DHCP-Lan
/ip dhcp-server network add address=192.168.177.0/24 gateway=192.168.177.1
/ip dns set allow-remote-requests=yes servers=1.1.1.1 use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip firewall address-list add address=8.17.5.4 list=Allow_ALL
/ip firewall address-list add address=9.11.12.24 list=Allow_ALL
/ip firewall address-list add address=9.8.2.11 list=Allow_ALL
/ip firewall address-list add address=192.168.177.0/24 list=Allow-LAN
/ip firewall address-list add address=8.17.5.4 list=RemoteRDP
/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related protocol=tcp
/ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related protocol=udp
/ip firewall filter add action=accept chain=forward comment="FastTrack Connection" connection-state=established,related
/ip firewall filter add chain=input comment="Allow limited pings" limit=50/5s,2 protocol=icmp
/ip firewall filter add action=drop chain=input comment="Drop excess pings" protocol=icmp
/ip firewall filter add chain=input comment="Handle already established connections" connection-state=established
/ip firewall filter add chain=input connection-state=related
/ip firewall filter add chain=output connection-state=established
/ip firewall filter add chain=output connection-state=related
/ip firewall filter add chain=forward connection-state=established
/ip firewall filter add chain=forward connection-state=related
/ip firewall filter add chain=input comment=IPsec dst-port=500 protocol=udp
/ip firewall filter add chain=input dst-port=4500 protocol=udp
/ip firewall filter add action=accept chain=input dst-port=1701 protocol=udp
/ip firewall filter add action=accept chain=input dst-port=1723 protocol=tcp
/ip firewall filter add action=accept chain=input protocol=gre
/ip firewall filter add action=accept chain=input protocol=ipsec-esp
/ip firewall filter add action=accept chain=input protocol=ipsec-ah
/ip firewall filter add action=drop chain=input comment="Management access" connection-state=new protocol=tcp tcp-flags=!,syn,!fin,!rst,!ack
/ip firewall filter add action=drop chain=input comment="Drop DHCP request from WAN" in-interface-list=WAN port=67,68 protocol=udp
/ip firewall filter add action=accept chain=input connection-state=new src-address-list=Allow_ALL
/ip firewall filter add chain=output connection-state=new
/ip firewall filter add action=accept chain=input comment="Allow LAN IP <-> LAN IP" connection-state="" dst-address-list=Allow-LAN src-address-list=Allow-LAN
/ip firewall filter add action=accept chain=forward connection-state="" dst-address-list=Allow-LAN src-address-list=Allow-LAN
/ip firewall filter add action=accept chain=forward comment="Inside -> outside" connection-state="" in-interface-list=LAN out-interface-list=WAN
/ip firewall filter add chain=forward comment="For RDP from Internet" connection-state=new src-address-list=RemoteRDP
/ip firewall filter add action=log chain=input comment="Log and drop everything else" disabled=yes
/ip firewall filter add action=log chain=output disabled=yes
/ip firewall filter add action=log chain=forward disabled=yes
/ip firewall filter add action=drop chain=input
/ip firewall filter add action=drop chain=output
/ip firewall filter add action=drop chain=forward
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether1-gateway
/ip firewall nat add action=redirect chain=dstnat dst-port=53 protocol=udp
/ip firewall nat add action=redirect chain=dstnat dst-port=53 protocol=tcp
/ip firewall raw add action=drop chain=prerouting comment="Drop new connections from blacklisted IP's to this router" src-address-list=blacklist
/ip firewall raw add action=drop chain=prerouting comment="Drop dude connect" src-address-list=Dudiki
/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set irc disabled=yes
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes
/ip firewall service-port set udplite disabled=yes
/ip firewall service-port set dccp disabled=yes
/ip firewall service-port set sctp disabled=yes
/ip ipsec policy set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip route add distance=1 gateway=2.9.7.2
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh disabled=yes
/ip service set api disabled=yes
/ip service set winbox port=56421
/ip service set api-ssl disabled=yes
/ipv6 nd set [ find default=yes ] advertise-dns=no
/system clock set time-zone-name=Europe/Kiev
/system identity set name=_Coud_Gateway
/system ntp client set enabled=yes primary-ntp=62.149.0.30 secondary-ntp=31.28.161.71
/system scheduler add comment="Download and Apply malc0de list" interval=3d name=Downloadmalc0deList_Installmalc0deList on-event=Download_malc0de_Replace_malc0de policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=00:50:04
/system scheduler add comment="Download spamhaus list_Apply spamhaus List" interval=3d name="DownloadSpamhausList and ApplySpamhausList" on-event=DownloadSpamhaus_ReplaceSpamhaus policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jan/01/1970 start-time=00:40:04
/system scheduler add interval=5m name=Find-Dude on-event=Block-dude policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=feb/10/2020 start-time=16:02:24
/system script add dont-require-permissions=no name=Download_dshield_Replace_dshield owner=flnadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\ \n/tool fetch url=\"http://joshaven.com/dshield.rsc\" mode=http;\ \n:log info \"Downloaded dshield.rsc from Joshaven.com\";\ \n:delay 40;\ \n/ip firewall address-list remove [find where comment=\"DShield\"];\ \n/import file-name=dshield.rsc;\ \n:log info \"Removed old dshield records and imported new list\";\ \n"
/system script add dont-require-permissions=no name=Download_malc0de_Replace_malc0de owner=flnadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\ \n/tool fetch url=\"http://joshaven.com/malc0de.rsc\" mode=http;\ \n:log info \"Downloaded malc0de.rsc from Joshaven.com\";\ \n:delay 40;\ \n/ip firewall address-list remove [find where comment=\"malc0de\"];\ \n/import file-name=malc0de.rsc;\ \n:log info \"Removed old malc0de records and imported new list\";\ \n"
/system script add dont-require-permissions=no name=DownloadSpamhaus_ReplaceSpamhaus owner=flnadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\ \n/tool fetch url=\"http://joshaven.com/spamhaus.rsc\" mode=http;\ \n:log info \"Downloaded spamhaus.rsc from Joshaven.com\";\ \n:delay 40;\ \n/ip firewall address-list remove [find where comment=\"SpamHaus\"];\ \n/import file-name=spamhaus.rsc;\ \n:log info \"Removed old Spamhaus records and imported new list\";\ \n"
/system script add dont-require-permissions=no name=Block-dude owner=flnadmin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":local ipi\r\ \n:local mess [/log find message~\"denied winbox/dude connect from\"]\r\ \nforeach i in=\$mess do={\r\ \n:set ipi [:pick [/log get \$i message ] 32 ([:len [/log get \$i message ]])]\r\ \nif ([/ip firewall address-list find address=\$ipi] = \"\" ) do={\r\ \n# :log warning \$ipi\r\ \n/ip firewall address-list add address=\"\$ipi\" timeout=30d list=Dudiki\r\ \n}\r\ \n}\r\ \n#:log warning \"FIN\"\r\ \n"
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

Question. Has anyone set up tunnel connections to virtual MikroTiks running under VMware ESXi 7.0? The problem is that no GRE, IPIP or EoIP tunnels between a physical MikroTik and this virtual one get established. It feels as if VMware is blocking attempts to establish such tunnels. At the same time, if I bring up an L2TP server on this virtual MikroTik, connections work, whether from a Windows PC or from other physical MikroTiks. Only the establishment of GRE, IPIP and EoIP tunnels does not work.
---------- The Earth rests on Elephants. The Elephants on a Turtle. And the Turtle on duct tape.
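A check worth running before blaming the hypervisor: read the exported input chain in order and find which rule is the first to decide the fate of the initial packet of each tunnel type. This is an added example, not code from the post or from MikroTik; it parses the `/ip firewall filter add` lines of the export above (a trimmed copy of the input-chain rules is embedded below) and assumes the tunnel peer's address is on no address list and arrives through the WAN interface list. It relies on two protocol facts: EoIP is carried inside GRE (IP protocol 47), and IPIP is IP protocol 4, so in RouterOS terms the first needs `protocol=gre` and the second `protocol=ipip`. The `rule_matches` helper only models the matchers that actually appear in this export and treats any other matcher as not matching, so it is a conservative reading of the config, not a full firewall emulator.

```python
"""Walk the input chain of a RouterOS firewall export and report the verdict
for the first packet of each tunnel type named in the post (added example)."""
import shlex
from dataclasses import dataclass

# IP protocol each tunnel type rides on. EoIP is encapsulated in GRE,
# so it is governed by the same input rule as plain GRE.
TUNNEL_TRANSPORT = {"gre": "gre", "eoip": "gre", "ipip": "ipip"}
TERMINAL_ACTIONS = {"accept", "drop", "reject"}
PREFIX = "/ip firewall filter add "
# Matchers this checker understands; a rule using anything else is treated
# as not matching (conservative: we never claim an accept we cannot model).
KNOWN_KEYS = {"action", "chain", "comment", "disabled", "limit", "protocol",
              "dst-port", "src-port", "port", "tcp-flags", "connection-state",
              "src-address-list", "dst-address-list", "in-interface-list"}


@dataclass
class Rule:
    props: dict

    @property
    def action(self) -> str:
        # An export omits action=accept because accept is the default.
        return self.props.get("action", "accept")


def parse_filter_rules(export: str) -> list:
    """Collect '/ip firewall filter add ...' lines, in order, as key/value maps."""
    rules = []
    for line in export.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue
        props = {}
        for token in shlex.split(line[len(PREFIX):]):  # honours quoted comments
            key, _, value = token.partition("=")
            props[key] = value
        rules.append(Rule(props))
    return rules


def rule_matches(rule: Rule, pkt: dict) -> bool:
    """True if the rule would match the described packet."""
    p = rule.props
    if set(p) - KNOWN_KEYS:
        return False
    if p.get("disabled") == "yes" or p.get("chain") != pkt["chain"]:
        return False
    if "protocol" in p and p["protocol"] != pkt["protocol"]:
        return False
    # Port and TCP-flag matchers can never match a protocol that has no ports.
    if any(k in p for k in ("dst-port", "src-port", "port", "tcp-flags")) \
            and pkt["protocol"] not in ("tcp", "udp"):
        return False
    states = p.get("connection-state", "")  # connection-state="" means unset
    if states and pkt["connection-state"] not in states.split(","):
        return False
    if "src-address-list" in p and p["src-address-list"] not in pkt["src_lists"]:
        return False
    if "dst-address-list" in p and p["dst-address-list"] not in pkt["dst_lists"]:
        return False
    if "in-interface-list" in p and p["in-interface-list"] != pkt["in_list"]:
        return False
    return True  # 'limit' is treated as matching (it passes at low rates)


def first_verdict(rules: list, pkt: dict) -> tuple:
    """(action, rule index) of the first terminal rule that matches, or
    ('accept', None) when the chain falls through, RouterOS's default policy."""
    for idx, rule in enumerate(rules):
        if rule_matches(rule, pkt) and rule.action in TERMINAL_ACTIONS:
            return rule.action, idx
    return "accept", None


def tunnel_check(export: str, peer_lists=()) -> dict:
    """Verdict for the first packet of each tunnel type from a peer on the WAN
    side; peer_lists names the address lists the peer's address belongs to."""
    rules = parse_filter_rules(export)
    result = {}
    for tunnel, proto in TUNNEL_TRANSPORT.items():
        pkt = {"chain": "input", "protocol": proto, "connection-state": "new",
               "src_lists": set(peer_lists), "dst_lists": set(), "in_list": "WAN"}
        result[tunnel] = first_verdict(rules, pkt)[0]
    return result


# Input-chain rules copied from the export in the post, in their original order.
SAMPLE_EXPORT = """\
/ip firewall filter add chain=input comment="Allow limited pings" limit=50/5s,2 protocol=icmp
/ip firewall filter add action=drop chain=input comment="Drop excess pings" protocol=icmp
/ip firewall filter add chain=input comment="Handle already established connections" connection-state=established
/ip firewall filter add chain=input connection-state=related
/ip firewall filter add chain=output connection-state=established
/ip firewall filter add chain=input comment=IPsec dst-port=500 protocol=udp
/ip firewall filter add chain=input dst-port=4500 protocol=udp
/ip firewall filter add action=accept chain=input dst-port=1701 protocol=udp
/ip firewall filter add action=accept chain=input dst-port=1723 protocol=tcp
/ip firewall filter add action=accept chain=input protocol=gre
/ip firewall filter add action=accept chain=input protocol=ipsec-esp
/ip firewall filter add action=accept chain=input protocol=ipsec-ah
/ip firewall filter add action=drop chain=input comment="Management access" connection-state=new protocol=tcp tcp-flags=!,syn,!fin,!rst,!ack
/ip firewall filter add action=drop chain=input comment="Drop DHCP request from WAN" in-interface-list=WAN port=67,68 protocol=udp
/ip firewall filter add action=accept chain=input connection-state=new src-address-list=Allow_ALL
/ip firewall filter add action=accept chain=input comment="Allow LAN IP <-> LAN IP" connection-state="" dst-address-list=Allow-LAN src-address-list=Allow-LAN
/ip firewall filter add action=log chain=input comment="Log and drop everything else" disabled=yes
/ip firewall filter add action=drop chain=input
"""

if __name__ == "__main__":
    print("peer on no list:   ", tunnel_check(SAMPLE_EXPORT))
    print("peer in Allow_ALL: ", tunnel_check(SAMPLE_EXPORT, peer_lists=("Allow_ALL",)))
```

Run against the export as posted, the chain accepts GRE (and therefore EoIP) through the explicit `protocol=gre` rule, while an IPIP packet from a peer that is not in `Allow_ALL` reaches the final `action=drop chain=input` rule; the same peer listed in `Allow_ALL` is accepted by the `connection-state=new src-address-list=Allow_ALL` rule instead. L2TP's UDP 1701 is accepted explicitly, which is consistent with the observation that L2TP works. The script says nothing about what happens on the ESXi side; it only shows what this filter table would do with the first packet, which is the part the router's own `/ip firewall filter print stats` and the currently disabled log rule can confirm on the device itself.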