andredisner
(usa Ubuntu)
Enviado em 20/02/2020 - 20:25h
Olá Boa Noite.
Esse é o meu primeiro tópico, fico grato desde já pela atenção de todos.
Realizo serviço voluntario em uma escola estadual aqui do município, nos utilizamos uma Mikrotik RB1100HX4 The Dude Edition para gerenciamento de Firewall; Hotspot; NTP Server; Acesso Remoto e outras aplicações.
Estrutura básica da rede:
Entrada: (ETH01 e ETH12)
Link 1 - 80 Mega Doados (DHCP Client, IP Dinâmico)
Link 2 - 2 Mega Oi Governo faz uma bridge e autentica o PPOE no Mikrotik IP Fixo)
Saída: (ETH's restantes em DHCP, lembrando que os demais equipamentos estão com IP fixo)
Eu utilizava perfeitamente este Link 2 PPOE para acessar remotamente o MK pois possui IP Fixo e alguns computadores e equipamentos em rede, de um dia para outro simplesmente parou de funcionar, e o mais estranho é o sintoma, se eu desligo a ETH01 a conexão PPOE começa a ter trafego perfeitamente, funciona todos os acessos, mas ao habilitar o ETH01 o PPOE continua ativo recebendo o IP Fixo, mas o trafego TX fica praticamente estático em 512bps e o RX em 0bps ah 10bps, o IP não responde mais a PING externo, como tenho configurado Backups diários os restaurei mas sem sucesso, já realizei as atualizações do equipamento e o problema persiste.
Segue configurações de Firewall; ETH e Route:
/interface bridge
add fast-forward=no name=Bridge1
/interface ethernet
set [ find default-name=ether1 ] comment="Link 1 - 80 Mega" name=\
"ETH 01 (WAN 01)" speed=100Mbps
set [ find default-name=ether2 ] name="ETH 02" speed=100Mbps
set [ find default-name=ether3 ] name="ETH 03" speed=100Mbps
set [ find default-name=ether4 ] name="ETH 04" speed=100Mbps
set [ find default-name=ether5 ] name="ETH 05" speed=100Mbps
set [ find default-name=ether6 ] name="ETH 06" speed=100Mbps
set [ find default-name=ether7 ] name="ETH 07" speed=100Mbps
set [ find default-name=ether8 ] name="ETH 08" speed=100Mbps
set [ find default-name=ether9 ] name="ETH 09" speed=100Mbps
set [ find default-name=ether10 ] name="ETH 10" speed=100Mbps
set [ find default-name=ether11 ] name="ETH 11" speed=100Mbps
set [ find default-name=ether12 ] comment="Modem ADSL" name="ETH 12" speed=100Mbps
set [ find default-name=ether13 ] comment="PC T.I" name="ETH 13" speed=100Mbps
/interface pppoe-client
add add-default-route=yes comment="Link 2 - 2 Mega Oi" default-route-distance=2 \
disabled=no interface="ETH 12" max-mtu=1500 name="PPPoE-Link Oi" password=\
XXXXXXXXXX use-peer-dns=yes user=XXXXXXXXXX
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=Bridge1 hw=no interface="ETH 03"
add bridge=Bridge1 hw=no interface="ETH 04"
add bridge=Bridge1 hw=no interface="ETH 05"
add bridge=Bridge1 hw=no interface="ETH 06"
add bridge=Bridge1 hw=no interface="ETH 07"
add bridge=Bridge1 hw=no interface="ETH 08"
add bridge=Bridge1 hw=no interface="ETH 09"
add bridge=Bridge1 hw=no interface="ETH 10"
add bridge=Bridge1 hw=no interface="ETH 11"
add bridge=Bridge1 hw=no interface="ETH 13"
add bridge=Bridge1 hw=no interface="ETH 02"
/interface detect-internet
set detect-interface-list=all
/interface list member
add interface="ETH 01 (WAN 01)" list=WAN
add interface=Bridge1 list=LAN
add interface="PPPoE-Link Oi" list=WAN
/ip firewall layer7-protocol
add name=Facebook regexp=facebook
add name=Instagram regexp=instagram
add name=Twitter regexp=twitter
add name=Jogos360 regexp=jogos360
add name=Friv regexp=friv
add name="Click Jogos" regexp=clickjogos
add name="Krunker " regexp=krunker
/ip firewall address-list
add address=cloud.mikrotik.com list="Cloud Mikrotik"
add address=e1.whatsapp.net disabled=yes list=Teste
add address=whatsapp.net disabled=yes list=Teste
add address=portalfpe.sefaz.rs.gov.br list=FPE
add list=windows_remote_blacklist
/ip firewall filter
add action=drop chain=input comment="Bloqueio Facebook Nucleo" layer7-protocol=\
Facebook src-address=172.16.0.100-172.16.0.130
add action=drop chain=input comment="Bloqueio Instagram Nucleo" layer7-protocol=\
Instagram src-address=172.16.0.100-172.16.0.130
add action=drop chain=input comment="Bloqueio Twitter Nucleo" layer7-protocol=Twitter \
src-address=172.16.0.100-172.16.0.130
add action=drop chain=input comment="Bloqueio Jogos360 Nucleo" layer7-protocol=\
Jogos360 src-address=172.16.0.100-172.16.0.130
add action=drop chain=input comment="Bloqueio Friv Nucleo" layer7-protocol=Friv \
src-address=172.16.0.100-172.16.0.130 tcp-flags=""
add action=drop chain=input comment="Bloqueio Click Jogos Nucleo" layer7-protocol=\
"Click Jogos" src-address=172.16.0.100-172.16.0.130 tcp-flags=""
add action=drop chain=input comment="Bloqueio Krunker Nucleo" layer7-protocol=\
"Krunker " src-address=172.16.0.100-172.16.0.130 tcp-flags=""
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
disabled=yes
add action=drop chain=input comment="Bloqueio de Requisi\E7\E3o de DNS Externo UDP" \
dst-port=53 in-interface=!Bridge1 protocol=udp
add action=drop chain=input comment="Bloqueio de Requisi\E7\E3o de DNS Externo TCP" \
dst-port=53 in-interface=!Bridge1 protocol=tcp src-port=""
add action=drop chain=input comment="Bloqueio de Requisi\E7\E3o de SMB Externo TCP" \
dst-port=445 in-interface=!Bridge1 protocol=tcp src-port=""
add action=drop chain=input comment="Drop RDP Linux Brute Forcers Stage 5" dst-port=\
3411 protocol=tcp src-address-list=linux_remote_blacklist
add action=add-src-to-address-list address-list=linux_remote_blacklist \
address-list-timeout=1w3d chain=input comment=\
"Drop RDP Linux Brute Forcers Stage 4" connection-state=new dst-port=3411 \
protocol=tcp src-address-list=linux_remote_stage3
add action=add-src-to-address-list address-list=linux_remote_stage3 \
address-list-timeout=1m chain=input comment="Drop RDP Linux Brute Forcers Stage 3" \
connection-state=new dst-port=3411 protocol=tcp src-address-list=\
linux_remote_stage2
add action=add-src-to-address-list address-list=linux_remote_stage2 \
address-list-timeout=1m chain=input comment="Drop RDP Linux Brute Forcers Stage 2" \
connection-state=new dst-port=3411 protocol=tcp src-address-list=\
linux_remote_stage1
add action=add-src-to-address-list address-list=linux_remote_stage1 \
address-list-timeout=1m chain=input comment="Drop RDP Linux Brute Forcers Stage 1" \
connection-state=new dst-port=3411 protocol=tcp
add action=drop chain=input comment="Drop RDP Windows Brute Forcers Stage 5" dst-port=\
3410 protocol=tcp src-address-list=windows_remote_blacklist
add action=add-src-to-address-list address-list=windows_remote_blacklist \
address-list-timeout=1w3d chain=input comment=\
"Drop RDP Windows Brute Forcers Stage 4" connection-state=new dst-port=3410 \
protocol=tcp src-address-list=windows_remote_stage3
add action=add-src-to-address-list address-list=windows_remote_stage3 \
address-list-timeout=1m chain=input comment=\
"Drop RDP Windows Brute Forcers Stage 3" connection-state=new dst-port=3410 \
protocol=tcp src-address-list=windows_remote_stage2
add action=add-src-to-address-list address-list=windows_remote_stage2 \
address-list-timeout=1m chain=input comment=\
"Drop RDP Windows Brute Forcers Stage 2" connection-state=new dst-port=3410 \
protocol=tcp src-address-list=windows_remote_stage1
add action=add-src-to-address-list address-list=windows_remote_stage1 \
address-list-timeout=1m chain=input comment=\
"Drop RDP Windows Brute Forcers Stage 1" connection-state=new dst-port=3410 \
protocol=tcp
add action=drop chain=input comment="Drop RDP Windows Brute Forcers Stage 5" dst-port=\
3412 protocol=tcp src-address-list=windows_remote_blacklist
add action=add-src-to-address-list address-list=windows_remote_blacklist \
address-list-timeout=1w3d chain=input comment=\
"Drop RDP Windows Brute Forcers Stage 4" connection-state=new dst-port=3412 \
protocol=tcp src-address-list=windows_remote_stage3
add action=add-src-to-address-list address-list=windows_remote_stage3 \
address-list-timeout=1m chain=input comment=\
"Drop RDP Windows Brute Forcers Stage 3" connection-state=new dst-port=3412 \
protocol=tcp src-address-list=windows_remote_stage2
add action=add-src-to-address-list address-list=windows_remote_stage2 \
address-list-timeout=1m chain=input comment=\
"Drop RDP Windows Brute Forcers Stage 2" connection-state=new dst-port=3412 \
protocol=tcp src-address-list=windows_remote_stage1
add action=add-src-to-address-list address-list=windows_remote_stage1 \
address-list-timeout=1m chain=input comment=\
"Drop RDP Windows Brute Forcers Stage 1" connection-state=new dst-port=3412 \
protocol=tcp
/ip firewall mangle
add action=accept chain=prerouting comment="Bypass Rede Interna" dst-address=\
172.16.0.0/21 src-address=172.16.0.0/21
add action=mark-connection chain=prerouting comment="Entrada Conex\E3o Link 1" \
connection-mark=no-mark in-interface="ETH 01 (WAN 01)" new-connection-mark=\
Link1-Conexao passthrough=yes
add action=mark-connection chain=prerouting comment="Entrada Conex\E3o Link 2" \
connection-mark=no-mark in-interface="PPPoE-Link Oi" new-connection-mark=\
Link2-Conexao passthrough=yes
add action=mark-routing chain=output comment="Sa\EDda Conex\E3o Link 1" \
connection-mark=Link1-Conexao new-routing-mark=Link1-Rota passthrough=yes
add action=mark-routing chain=output comment="Sa\EDda Conex\E3o Link 2" \
connection-mark=Link2-Conexao new-routing-mark=Link2-Rota passthrough=yes
add action=mark-routing chain=output dst-address-list="Cloud Mikrotik" \
new-routing-mark=Clound-Mikrotik passthrough=no
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here"
add action=masquerade chain=srcnat comment="NAT Link 1 - 80 Mega" out-interface=\
"ETH 01 (WAN 01)"
add action=redirect chain=dstnat comment=\
"Redirecionamento de DNS Interno para o Mikrotik" dst-port=53 in-interface=Bridge1 \
protocol=udp to-ports=53
add action=masquerade chain=srcnat comment="NAT Link 2 - 2 Mega" out-interface=\
"PPPoE-Link Oi"
add action=dst-nat chain=dstnat comment=\
"Desktop Remote - Computador Windows T.I - PORT 3410" dst-port=3410 \
in-interface="PPPoE-Link Oi" protocol=tcp to-addresses=172.16.0.15 to-ports=3389
add action=dst-nat chain=dstnat comment=\
"Ultra VNC - Computador Windows T.I - PORT 3410" disabled=yes dst-port=\
3570 in-interface="PPPoE-Link Oi" log=yes protocol=tcp to-addresses=172.16.0.15 \
to-ports=35560
add action=dst-nat chain=dstnat comment=\
"Ferramenta - UniFi Controller Ubiquiti Networks - PORT 3420" dst-port=3420 \
in-interface="PPPoE-Link Oi" protocol=tcp to-addresses=172.16.0.15 to-ports=8443
add action=dst-nat chain=dstnat comment=\
"Ferramenta - Zabbix - PORT 3421" \
dst-port=3421 in-interface="PPPoE-Link Oi" protocol=tcp to-addresses=172.16.0.2 \
to-ports=80
add action=dst-nat chain=dstnat comment=\
"Equipamento - Open WRT Corredor - PORT 3431" dst-port=\
3431 in-interface="PPPoE-Link Oi" protocol=tcp to-addresses=172.16.0.31 to-ports=\
80
add action=dst-nat chain=dstnat comment=\
"Equipamento - Open WRT Bloco I - PORT 3430" dst-port=\
3430 in-interface="PPPoE-Link Oi" protocol=tcp to-addresses=172.16.0.32 to-ports=\
80
add action=dst-nat chain=dstnat comment=\
"Desktop Remote - Notebook Biblioteca Cadastro - PORT 3412" dst-port=3412 \
in-interface="PPPoE-Link Oi" protocol=tcp to-addresses=172.16.0.54 to-ports=3389
add action=dst-nat chain=dstnat comment=\
"Equipamento - Open WRT Secretaria - PORT 3432" dst-port=3432 \
in-interface="PPPoE-Link Oi" protocol=tcp to-addresses=172.16.0.33 to-ports=80
add action=dst-nat chain=dstnat comment=\
"Desktop Remote - Computador Linux - PORT 3411" dst-port=\
3411 in-interface="PPPoE-Link Oi" protocol=tcp to-addresses=172.16.0.2 to-ports=\
3389
/ip firewall service-port
set ftp disabled=yes
/ip route
add distance=1 gateway=192.168.2.1 routing-mark=Link1-Rota
add distance=2 gateway=X.X.X.X routing-mark=Link2-Rota
add distance=2 gateway="PPPoE-Link Oi" routing-mark=Clound-Mikrotik