Доброго времени суток, нужна помощь в конфигурации. Есть Микротик, интернет от провайдера в первый порт, поднято подключение до l2tp VPN сервера, необходимо реализовать схему по которой доступ к address-list (woVPN) (внешние ip веб-ресурсов) идет через провайдера напрямую, остальной трафик в VPN. Причем, уже создано разделение по address-list (inVPN), каким локальным клиентам ходить в ВПН, каким нет. Соответственно, routing mark "throughtVPN" направляет трафик с лок. машин в ВПН. Не могу понять, почему не работает "woVPN". Заранее благодарю за помощь.
interfaces# oct/18/2018 22:06:39 by RouterOS 6.43.2
/interface bridge
add fast-forward=no name=br-LAN
/interface ethernet
set [ find default-name=ether1 ] mac-address=4C:FE:F9:CB:9D:61 name=eth1_WAN \ speed=100Mbps
set [ find default-name=ether2 ] comment=Komp name=eth2 speed=100Mbps
set [ find default-name=ether3 ] comment=NAS name=eth3 speed=100Mbps
set [ find default-name=ether4 ] comment=TV name=eth4 speed=100Mbps
set [ find default-name=ether5 ] name=eth5 speed=100Mbps
/interface l2tp-client
add allow-fast-path=yes connect-to=someIP disabled=no ipsec-secret= name=l2tp-out1 password= use-ipsec=yes \
/interface pptp-client add connect-to= name=pptp-work-lit password= user=\
/interface list
add name=wan
add name=lan_vpn
/interface bridge port
add bridge=br-LAN interface=eth3
add bridge=br-LAN interface=eth4
add bridge=br-LAN interface=eth5
add bridge=br-LAN interface=wlan_2ghz
add bridge=br-LAN interface=wlan_5ghz
add bridge=br-LAN interface=eth2
/interface list member
add interface=eth1_WAN list=wan
add interface=br-LAN list=lan_vpn
add interface=l2tp-out1 list=lan_vpn
address-list# oct/18/2018 22:06:39 by RouterOS 6.43.2
/ip firewall address-list
add address=100.0.0.111 list=inVPN
add address=100.0.0.110 list=inVPN
add address=217.16.21.102 list=woVPN
add address=185.89.12.132 list=woVPN
add address=100.0.0.106 list=inVPN
add address=192.168.8.0/24 list=work-resources
add address=100.0.0.101 comment=komp list=inVPN
firewall rules# oct/18/2018 22:06:26 by RouterOS 6.43.2
/ip firewall filter
add action=drop chain=input comment="drop outside DNS req" dst-port=53 \in-interface=eth1_WAN protocol=udp
add action=drop chain=input comment="drop outside NTP" dst-port=123 \in-interface=eth1_WAN protocol=udp
add action=accept chain=input comment="accept local NTP" in-interface=br-LAN \protocol=udp src-port=123
add action=accept chain=forward comment=ping in-interface=!eth1_WAN protocol=\icmp
add action=accept chain=input in-interface=!eth1_WAN protocol=icmp
add action=drop chain=input comment="invalid state" connection-state=invalid
add action=drop chain=forward connection-state=invalid
mangle# oct/18/2018 22:06:09 by RouterOS 6.43.2
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=throughtVPN \passthrough=no src-address-list=inVPN
add action=mark-routing chain=prerouting dst-address-list=\woVPN new-routing-mark=woVPN passthrough=no src-address=100.0.0.0/24
add action=mark-routing chain=prerouting comment=work connection-mark=\work-lit new-routing-mark=work-resources passthrough=no
add action=mark-connection chain=prerouting comment="work test" dst-address=\192.168.8.251 new-connection-mark=work-lit passthrough=no
NAT# oct/18/2018 22:06:17 by RouterOS 6.43.2
/ip firewall nat
add action=masquerade chain=srcnat comment=woVPN out-interface=eth1_WAN
add action=masquerade chain=srcnat comment=inVPN out-interface=l2tp-out1 \routing-mark=throughtVPN
add action=masquerade chain=srcnat comment=mainISP out-interface=eth1_WAN
# pptp-work-lit not ready
add action=masquerade chain=srcnat comment=work-lit out-interface=\pptp-work-lit
Средний
Простой
Средний
Простой
