
问题[mikrotik](server)

Dark Dude
Asked: 2022-08-14 23:58:17 +0800 CST

将 RouterOS 6 升级到 RouterOS 7 后 Internet 停止工作


我把 RouterOS 6 升级到了 RouterOS 7,一切看起来正常,所有接口都已启用,但用户无法访问互联网。据我了解,新的 RouterOS 7 中某些地方需要更改路由或其他设置?目前在用的配置如下。RouterOS 7 中需要在哪里更改什么?

# NOTE(review): RouterOS export pasted from the question (config that stopped
# passing Internet traffic after the 6 -> 7 upgrade). Lines marked NOTE(review)
# are reviewer remarks; every command line is the original export, unchanged.
/interface bridge
# One bridge per VLAN; the tagged sub-interfaces defined under /interface vlan
# are attached to these bridges in /interface bridge port.
add name=VLAN_99
add name=VLAN_100
add name=VLAN_200
/interface ethernet
# ether1/ether6 face the two ISPs, ether2/ether7 are the uplinks to the two switches.
set [ find default-name=ether1 ] comment=ISP1 name=ether1-wan
set [ find default-name=ether2 ] comment=Upl_SNR_sw1
set [ find default-name=ether6 ] comment=ISP2 name=ether6-wan
set [ find default-name=ether7 ] comment=Upl_SNR_sw2
/interface pppoe-client
# One PPPoE session per ISP. Neither line sets add-default-route, and the
# /ip route section of this export only contains routing-mark'ed default routes.
# Credentials were masked by the poster (password=***, user=*).
add allow=pap,mschap1 disabled=no interface=ether1-wan max-mtu=1480 name=\
    pppoe_isp1 password=*** use-peer-dns=yes user=*
add allow=pap,mschap1 disabled=no interface=ether6-wan name=pppoe_isp2 \
    password=** use-peer-dns=yes user=****
/interface vlan
# VLANs 99 and 100 are carried on both uplinks; VLAN 200 only on ether7.
add interface=ether2 name=eth2-vlan99 vlan-id=99
add interface=ether2 name=eth2-vlan100 vlan-id=100
add interface=ether7 name=eth7-vlan99 vlan-id=99
add interface=ether7 name=eth7-vlan100 vlan-id=100
add interface=ether7 name=eth7-vlan200 vlan-id=200
/interface list
# NOTE(review): per /interface list member, WAN contains only the physical
# ether1-wan/ether6-wan, not pppoe_isp1/pppoe_isp2. Every firewall/NAT rule keyed
# on in-interface-list=WAN or out-interface-list=WAN therefore sees only raw
# traffic on those two ports, not the traffic carried inside the PPPoE sessions.
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
# DHCP pools, one per VLAN; each range starts at .30 of its /24.
add name=POOL_99 ranges=192.168.3.30-192.168.3.254
add name=POOL_100 ranges=192.168.1.30-192.168.1.254
add name=POOL_200 ranges=192.168.2.30-192.168.2.254
/ip dhcp-server
# One DHCP server per VLAN bridge, 2-day leases.
# NOTE(review): no /ip dhcp-server network section appears in this export, so the
# gateway/DNS handed to clients is not visible here - confirm on the device.
add address-pool=POOL_99 disabled=no interface=VLAN_99 lease-time=2d name=\
    DHCP_99
add address-pool=POOL_100 disabled=no interface=VLAN_100 lease-time=2d name=\
    DHCP_100
add address-pool=POOL_200 disabled=no interface=VLAN_200 lease-time=2d name=\
    DHCP_200
/user group
# NOTE(review): the built-in "full" group with every policy, including telnet,
# ftp (plaintext) and sensitive. Day-to-day admin accounts are better placed in a
# narrower group; which services are actually listening is under /ip service
# (not part of this export).
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=VLAN_99 interface=eth2-vlan99
add bridge=VLAN_100 interface=eth2-vlan100
add bridge=VLAN_100 interface=eth7-vlan100
add bridge=VLAN_200 interface=eth7-vlan200
# ether3 as an untagged port in VLAN_99 is present but disabled.
add bridge=VLAN_99 disabled=yes interface=ether3
add bridge=VLAN_99 interface=eth7-vlan99
/ip neighbor discovery-settings
# NOTE(review): !dynamic appears to enable neighbor discovery on every
# non-dynamic interface, which includes the ISP-facing ports and the pppoe
# interfaces; pointing this at a LAN-only list avoids advertising the router
# towards the ISPs.
set discover-interface-list=!dynamic
/interface list member
# NOTE(review): WAN = the two physical ISP ports only; the pppoe_isp1/pppoe_isp2
# interfaces, which actually carry the Internet traffic, are not members.
add interface=ether1-wan list=WAN
add interface=ether6-wan list=WAN
/ip address
# The router's own address (.1) on each VLAN bridge.
add address=192.168.1.1/24 interface=VLAN_100 network=192.168.1.0
add address=192.168.2.1/24 interface=VLAN_200 network=192.168.2.0
add address=192.168.3.1/24 interface=VLAN_99 network=192.168.3.0
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router a DNS forwarder for
# anything that reaches its input chain. The "Input Drop" rule below only matches
# in-interface-list=WAN, and per /interface list member that list holds the
# physical ports but not pppoe_isp1/pppoe_isp2 - so, unless something outside
# this export closes it, the forwarder (and other services) is reachable from the
# Internet side over the PPPoE sessions. Check /ip service, and either add the
# pppoe interfaces to WAN (see the caveat on the "Reject Direct Internet Access"
# rule before doing so) or add a drop for in-interface=pppoe_isp1/pppoe_isp2.
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
# NOTE(review): only PRIVATE_NETWORKS is defined here. CONSOLE and EXCLUSION,
# referenced by the filter rules below, have no entries in this export: a rule
# matching an empty src-address-list never matches, and dst-address-list=!EXCLUSION
# matches every destination. If those lists are filled dynamically (dynamic
# entries are not exported), disregard this.
add address=172.16.0.0/12 list=PRIVATE_NETWORKS
add address=192.168.0.0/16 list=PRIVATE_NETWORKS
/ip firewall filter
# input chain. Rules are evaluated top to bottom; a chain with no matching rule
# ends in an implicit accept.
add action=accept chain=input comment=:::::::::Established/Related \
    connection-state=established,related
# GRE, L2TP and IPsec (IKE + ESP) accepted from WAN-list interfaces -
# presumably VPN server endpoints, not shown in this export.
add action=accept chain=input comment=:::::::::GRE in-interface-list=WAN \
    protocol=gre
add action=accept chain=input comment=:::::::::L2TP dst-port=1701 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment=:::::::::IPsec dst-port=500,4500 \
    in-interface-list=WAN protocol=udp
add action=accept chain=input comment=:::::::::IPsec in-interface-list=WAN \
    protocol=ipsec-esp
# Winbox/SSH from WAN only from the CONSOLE list; with CONSOLE empty this rule is
# inert (safe, but not what the comment promises).
add action=accept chain=input comment=:::::::::Winbox/SSH dst-port=8291,22 \
    in-interface-list=WAN protocol=tcp src-address-list=CONSOLE
# ICMP: echo request/reply, destination unreachable and time exceeded only.
add action=accept chain=input comment=":::::::::Echo Request" icmp-options=\
    8:0-255 protocol=icmp
add action=accept chain=input comment=":::::::::Echo Reply" icmp-options=\
    0:0-255 protocol=icmp
add action=accept chain=input comment=":::::::::Destination Unreachable" \
    icmp-options=3:0-255 protocol=icmp
add action=accept chain=input comment=":::::::::Time Exceeded" icmp-options=\
    11:0-255 protocol=icmp
# forward chain. NOTE(review): these three accepts permit 99<->100 and 99->200,
# but nothing restricts the other directions: the chain's only drop (last rule)
# is limited to in-interface-list=WAN and the chain ends in an implicit accept,
# so new 200->99 and 200->100 connections are allowed as well. Add a final
# drop if VLAN isolation is intended.
add action=accept chain=forward dst-address=192.168.1.0/24 src-address=\
    192.168.3.0/24
add action=accept chain=forward dst-address=192.168.3.0/24 src-address=\
    192.168.1.0/24
add action=accept chain=forward dst-address=192.168.2.0/24 src-address=\
    192.168.3.0/24
# Everything else arriving on a WAN-list interface is dropped (input chain).
add action=drop chain=input comment=":::::::::Input Drop" in-interface-list=\
    WAN
# NOTE(review): matches only traffic leaving via a WAN-list interface. Per the
# /ip route and /ip firewall nat sections, Internet traffic leaves via
# pppoe_isp1/pppoe_isp2, which are not in that list, so this rule did not
# actually block LAN->Internet on v6 - which is also why EXCLUSION being empty
# did no harm. Adding the pppoe interfaces to WAN would activate it for every
# PRIVATE_NETWORKS source; decide which behaviour is intended first.
add action=reject chain=forward comment=\
    ":::::::::Reject Direct Internet Access" dst-address-list=!EXCLUSION \
    out-interface-list=WAN reject-with=icmp-admin-prohibited \
    src-address-list=PRIVATE_NETWORKS
add action=accept chain=forward comment=:::::::::Established/Related \
    connection-state=established,related
# New connections from WAN-list interfaces are dropped unless dst-nat'ed.
add action=drop chain=forward comment=":::::::::Forward Drop" \
    connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall mangle
# Policy routing: VLAN_99 and VLAN_100 -> ISP1, VLAN_200 -> ISP2, for every
# destination outside 192.168.0.0/16. The marks are set in prerouting, so only
# forwarded traffic is marked; traffic originated by the router itself is not.
add action=mark-routing chain=prerouting dst-address=!192.168.0.0/16 \
    new-routing-mark=ISP1 passthrough=yes src-address=192.168.3.0/24
add action=mark-routing chain=prerouting dst-address=!192.168.0.0/16 \
    new-routing-mark=ISP1 passthrough=yes src-address=192.168.1.0/24
add action=mark-routing chain=prerouting dst-address=!192.168.0.0/16 \
    new-routing-mark=ISP2 passthrough=yes src-address=192.168.2.0/24
/ip firewall nat
# Generic masquerade for WAN-list egress (the physical ISP ports only, per
# /interface list member).
add action=masquerade chain=srcnat out-interface-list=WAN
# Per-ISP masquerade, keyed on source range and the PPPoE interface.
add action=masquerade chain=srcnat dst-address=!192.168.0.0/16 out-interface=\
    pppoe_isp1 src-address=192.168.3.2-192.168.3.254
# NOTE(review): 192.168.1.2-192.168.3.254 spans VLAN_100, VLAN_200 and VLAN_99,
# while the sibling rules each cover a single /24; 192.168.1.2-192.168.1.254 is
# probably what was meant. The rule is still limited to out-interface=pppoe_isp1,
# so the practical effect is only on ordering between these rules.
add action=masquerade chain=srcnat dst-address=!192.168.0.0/16 out-interface=\
    pppoe_isp1 src-address=192.168.1.2-192.168.3.254
add action=masquerade chain=srcnat dst-address=!192.168.0.0/16 out-interface=\
    pppoe_isp2 src-address=192.168.2.2-192.168.2.254
/ip route
# NOTE(review): both default routes carry a routing-mark and there is no unmarked
# default route, so router-originated traffic (e.g. the DNS forwarder reaching
# the 8.8.8.8 server configured under /ip dns) has no default path in the main
# table unless one exists outside this export. On RouterOS 7 a routing-mark must
# additionally correspond to a routing table declared under /routing table (with
# fib); no such section appears here - this is the first thing to verify after
# the 6 -> 7 upgrade. check-gateway=ping pings the gateway to detect a dead link.
add check-gateway=ping distance=1 gateway=pppoe_isp1 routing-mark=ISP1
add check-gateway=ping distance=1 gateway=pppoe_isp2 routing-mark=ISP2
mikrotik
GKruger
Asked: 2021-10-05 13:23:45 +0800 CST

通过 Mikrotik NAT 的 SSH 失败


我的网络上有一台服务器,我想把它开放给外部的 SSH 连接。在内网我可以直接 ssh 到该设备(例如 ssh 192.168.88.162 正常工作)。我设置了一条 NAT 规则,把到 17722 端口的连接转发到 22 端口。但是连接失败了:

PS C:\Users\Me> ssh -vvv -i .\.ssh\id_rsa -p 17722 <user>@160.119.XXX.XXX
OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Reading configuration data C:\\Users\\Me/.ssh/config
debug3: Failed to open file:C:/ProgramData/ssh/ssh_config error:2
debug2: resolve_canonicalize: hostname 160.119.XXX.XXX is address
debug2: ssh_connect_direct
debug1: Connecting to 160.119.XXX.XXX [160.119.XXX.XXX] port 17722.
debug3: finish_connect - ERROR: async io completed with error: 10060, io:00000222C310DC10
debug1: connect to address 160.119.XXX.XXX port 17722: Connection timed out
ssh: connect to host 160.119.XXX.XXX port 17722: Connection timed out

如何让从外部 IP 发起的 ssh 连接正常工作?

服务器上的 tcpdump 显示:

me@JanJansen:~ $ grep 64236 tcpdump
22:13:56.097727 IP 192.168.88.177.64236 > 192.168.88.162.ssh: Flags [S], seq 3490646443, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:13:56.098213 IP 192.168.88.162.ssh > 192.168.88.177.64236: Flags [S.], seq 869880002, ack 3490646444, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
22:13:57.105046 IP 192.168.88.177.64236 > 192.168.88.162.ssh: Flags [S], seq 3490646443, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:13:57.105398 IP 192.168.88.162.ssh > 192.168.88.177.64236: Flags [S.], seq 869880002, ack 3490646444, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
22:13:58.162258 IP 192.168.88.162.ssh > 192.168.88.177.64236: Flags [S.], seq 869880002, ack 3490646444, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
22:13:59.117541 IP 192.168.88.177.64236 > 192.168.88.162.ssh: Flags [S], seq 3490646443, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
22:13:59.117912 IP 192.168.88.162.ssh > 192.168.88.177.64236: Flags [S.], seq 869880002, ack 3490646444, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0
22:14:01.122237 IP 192.168.88.162.ssh > 192.168.88.177.64236: Flags [S.], seq 869880002, ack 3490646444, win 64240, options [mss 1460,nop,nop,sackOK,nop,wscale 6], length 0

与本地 ssh(有很多 [P] 标志而不是 [S])相比,这是我看到的最大区别,但我不知道该怎么处理。

顺便一提,我能看到 NAT 规则是生效的。路由器配置如下:

# oct/04/2021 23:17:07 by RouterOS 6.47.4
# software id = VBLW-UG4R
#
# model = 951Ui-2HnD
# serial number = B8710C65021A
# NOTE(review): export pasted from the question ("SSH through NAT fails"). Lines
# marked NOTE(review) are reviewer remarks; all command lines are the original
# export, unchanged.
/interface bridge
add admin-mac=48:8F:5A:79:92:71 auto-mac=no comment=defconf name=bridge
/interface wireless
# NOTE(review): wlan1 runs as an AP (mode=ap-bridge) and is a member of the LAN
# bridge (see /interface bridge port). The default security profile below only
# sets supplicant-identity; unless authentication was configured and simply not
# exported, this is an open SSID with full LAN access - confirm on the device.
set [ find default-name=wlan1 ] mode=ap-bridge ssid=MikroTik wireless-protocol=802.11
/interface pppoe-client
# PPPoE uplink on ether5; add-default-route=yes supplies the default route.
# (The user= value appears to have been mangled by the site's e-mail obfuscation
# when the page was scraped.)
add add-default-route=yes disabled=no interface=ether5 name=pppoe-out1 use-peer-dns=yes [email protected]
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
# DHCP on the LAN bridge, 12-hour leases.
add address-pool=dhcp disabled=no interface=bridge lease-time=12h name=defconf
/interface bridge port
# LAN bridge: ether2-ether4 plus wlan1. ether1 (dhcp-client) and ether5 (PPPoE)
# are not bridged.
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=wlan1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
# WAN = ether1 and the PPPoE session; LAN = the bridge.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN
/ip address
# NOTE(review): the LAN address sits on ether2, which is a bridge port (slave),
# while the DHCP server, the ARP entries and the dst-nat rule refer to "bridge".
# defconf places this address on the bridge; an address on a slave port is worth
# checking with /ip address print (it may be flagged invalid).
add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
/ip arp
# Static ARP entries. JanJansen (.162) is the SSH target; Sarevok (.177) is the
# client that appears as the source in the tcpdump above.
add address=192.168.88.162 comment=JanJansen interface=bridge mac-address=00:0F:13:39:20:33
add address=192.168.88.177 comment=Sarevok interface=bridge mac-address=40:8D:5C:58:C0:97
add address=192.168.88.202 interface=bridge mac-address=32:63:2A:49:58:D9
add address=192.168.88.101 interface=bridge mac-address=18:56:80:24:47:12
/ip cloud
# Publishes the router's public address to MikroTik's DDNS service.
set ddns-enabled=yes
/ip dhcp-client
# Second WAN path: DHCP on ether1 (in the WAN list) alongside the PPPoE session.
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
/ip dns
# DNS forwarder for LAN clients. Remote requests are allowed, but the input
# chain drops everything not arriving from a LAN-list interface.
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# input chain (defconf): established/related/untracked, drop invalid, ICMP,
# loopback for CAPsMAN, then drop everything not from LAN. Rules are evaluated
# top to bottom; a chain with no matching rule ends in an implicit accept.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# forward chain (defconf): IPsec policy accepts, fasttrack, established, drop
# invalid, then drop new WAN connections that were not dst-nat'ed.
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
# NOTE(review): "Outside SSH" sits after the WAN drop. dst-nat'ed connections are
# not caught by that drop (connection-nat-state=!dstnat) and the chain ends in an
# implicit accept, so this rule changes nothing except logging. If it is kept,
# scope it (in-interface-list=WAN dst-address=192.168.88.162) rather than
# accepting any tcp/22 forward from anywhere.
add action=accept chain=forward comment="Outside SSH" dst-port=22 log=yes protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): likely cause of the failure. in-interface=bridge restricts this
# dst-nat to packets arriving on the LAN bridge, so a connection from the
# Internet (arriving on pppoe-out1 or ether1, both in the WAN list) never matches
# it. Use in-interface-list=WAN (or drop the in-interface match) instead.
# The tcpdump in the question (192.168.88.177 -> .162 SYN, .162 -> .177 SYN-ACK,
# repeated) is consistent with a LAN-side test of this rule: .162 answers the
# LAN client directly, but the client sent to the public address and discards
# the reply. Testing from inside additionally needs a srcnat masquerade for
# src=192.168.88.0/24 dst=192.168.88.0/24 (hairpin NAT).
add action=dst-nat chain=dstnat comment=JanJansen dst-port=17722 in-interface=bridge log=yes protocol=tcp to-addresses=192.168.88.162 to-ports=22
/ipv6 firewall address-list
# defconf bogon list, used by the IPv6 forward chain below.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
# defconf IPv6 input chain: established, drop invalid, ICMPv6, UDP traceroute,
# DHCPv6-PD from link-local, IKE/AH/ESP, then drop everything not from LAN.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
# defconf IPv6 forward chain: bogon source/destination drops, the RFC 4890
# hop-limit check, ICMPv6/HIP/IKE/IPsec accepts, then drop everything not from LAN.
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Africa/Johannesburg
/tool mac-server
# MAC-telnet and MAC-winbox limited to LAN-list interfaces (defconf).
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
ssh nat mikrotik
Christof Bodner
Asked: 2021-06-26 09:32:06 +0800 CST

Mikrotik:如何在 DHCP 服务器中预定义静态租约


我想用 Mikrotik (v6.48.3) 替换我当前的路由器。为了不弄乱我的网络,我想预先设定 DHCP 客户端将从服务器获得的 IP 地址。我没有找到这样的例子,有人知道怎么做吗?我在一个文件里有 IP 和 MAC 的对应列表,所以希望能用 CLI 命令完成,我不太喜欢点鼠标 ;-)

谢谢你的回答!克里斯托夫

mikrotik dhcp-server
Master
Asked: 2021-05-19 07:06:41 +0800 CST

mikrotik 路由每秒自动出现并被删除


Mikrotik OS v6.48.2 上有如下路由:

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          193.168.1.1               1   <<<<<<<<<<<<<<<<<<<<<
 1   S  ;;; dyno
        0.0.0.0/0                          192.168.8.1               5
 2   S  ;;; dyno
        0.0.0.0/0                          pppoe-out1                6
 3   S  ;;; dyno
        0.0.0.0/0                          193.168.1.1              10
 4 ADC  10.32.181.1/32     x.x.x.147   pppoe-out1                0
 5 ADC  10.32.238.1/32     x.x.x.250   pppoe-out2                0
 6 A S  ;;; dyno
        x.x.x.18/32                 193.168.1.1               1
 7 ADC  192.168.8.0/24     192.168.8.100   lte1                      0
 8 ADC  192.168.88.0/24    192.168.88.1    bridge                    0
 9 ADC  193.168.0.0/16     193.168.0.177   ether1                    0

但是路由 0 每隔 3-5 秒消失又重新出现。于是路由表变成了这样:

 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0   S  ;;; dyno
        0.0.0.0/0                          192.168.8.1               5
 1 A S  ;;; dyno
        0.0.0.0/0                          pppoe-out1                6
 2   S  ;;; dyno
        0.0.0.0/0                          193.168.1.1              10
 3 ADC  10.32.181.1/32     x.x.x.147   pppoe-out1                0
 4 ADC  10.32.238.1/32     x.x.x.250   pppoe-out2                0
 5 A S  ;;; dyno
        x.x.x.18/32                 193.168.1.1               1
 6 ADC  192.168.8.0/24     192.168.8.100   lte1                      0
 7 ADC  192.168.88.0/24    192.168.88.1    bridge                    0
 8 ADC  193.168.0.0/16     193.168.0.177   ether1                    0

LAN 没有任何改变。没有脚本正在运行。每隔 3-5 秒,它就会再次出现和消失。

/ip address print

#   ADDRESS            NETWORK         INTERFACE                                                  
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    bridge                                                     
 1 D 193.168.0.177/16   193.168.0.0     ether1                                                     
 2 D 192.168.8.100/24   192.168.8.0     lte1                                                       
 3 D x.x.x.250/32   10.32.238.1     pppoe-out2                                                 
 4 D x.x.x.147/32   10.32.181.1     pppoe-out1 

如何解决这个问题?

mikrotik routeros route
Norbox
Asked: 2021-03-26 03:09:10 +0800 CST

如何从具有相同外部 IP 的另一个子网连接到 vpn


我在一栋大楼里工作,这里可以租房间作为办公室。我们的服务器在其中一个房间,其他员工在别的房间。

问题是服务器需要自己的网络(不要问为什么,解释起来太麻烦了),所以我们在 Mikrotik 路由器(RouterOS 6.48.1)上设置了一个 VPN。从家里连接可以完美运行,但从其他房间连接却行不通。

我搜索了很多关于防火墙和 NAT 规则的资料,但没有找到对我有帮助的内容。图片中被裁掉的区域是外部地址,假设它是 2.2.2.2。(Traceroute 截图)

所以我希望其他房间的员工能够连接到我房间里 192.168.43.2 路由器上的 VPN,从而访问那里的设备。(我们的网络拓扑图)

vpn nat mikrotik
Eugene
Asked: 2021-03-11 15:17:30 +0800 CST

亿联电话通过 DHCP 分配语音 VLAN 后无法获取 IP (Mikrotik)


我正在以下网络设备上部署 Yealink IP 电话(T40G、T23G):
CCR1009-7G-1C-1S+ 作为路由器
CRS328-24P-4S+ 作为交换机

有问题的交换机的配置在这里。

我设置了 DHCP 选项 132 来为电话配置 VLAN。

在生产环境部署此配置之前,已经在 hAP AC^2 上验证过它可以工作。然而在现场部署时,我遇到了一个奇怪的错误,情况如下。

电话在未标记 VLAN 中成功获取了 IP(并通过选项 132 得到 VLAN 信息)。然后它释放该 IP,并在语音 VLAN 中请求新 IP。DHCP 服务器分配了这个新 IP 并发送“ACK”消息,但电话始终收不到。

问题似乎出在交换机上。在这里(注意,是俄语的!)管理员通过禁用 VLAN MAC 学习解决了这个问题。然而该选项只对 SwitchOS 有效,而我的交换机运行的是 RouterOS。

此外,这个 reddit 帖子简要总结了需要配置的内容,但它已经过时了(至今已有 5 年)。

这是在电话端口抓包看到的内容。
请注意 49.348 处来自 192.168.10.40 的回复数据包,它并不在 50.0 子网中:(电话端口抓包截图)

交换机运行的是 RouterOS 6.48.1 stable。我试过 long-term 6.47.9,没有帮助。有问题的交换机在 VLAN 50 中有自己的 IP 地址,可以从路由器 ping 通。防火墙已禁用。电话已更新到最新固件。

我应该怎么做才能找到原因并解决问题?

voip mikrotik dynamic-vlan-assignment
Falcon Momot
Asked: 2021-02-13 00:45:33 +0800 CST

如何在我的 Mikrotik CCR2004 路由器和运行 Strongswan 的 Linux 主机之间设置使用 ipsec 加密的点对点 IPv6 GRE 隧道?


出于路由需要,我要把 IPv4 封装在 IPv6 中传输。一端是运行 quagga 的 Linux 机器,另一端是 Mikrotik CCR2004。该怎么做?

mikrotik strongswan gre
Falcon Momot
Asked: 2021-02-11 20:17:08 +0800 CST

如何为 Mikrotik 路由器生成 SSHFP 记录?


我想为运行 RouterOS 6.47.4 的 Mikrotik CCR2004 生成 SSHFP 记录,而无需通过网络获取密钥。如何从控制台执行此操作?

ssh mikrotik dane
Yazid Shayau
Asked: 2021-01-03 12:54:55 +0800 CST

Mikrotik 路由器板通过 Cisco 2900 路由器连接到 ISP


对不起,这有点长,我不得不掩盖一些信息。

话虽如此,我遇到了难题,需要帮助。我们的网络人员离开了,我被指派来把这一切理顺。我确实有一点网络背景,但那是十多年前的事了。

关键细节:

大约 2,000 名员工,大部分通过全向和扇区天线的 WLAN 连接

购买了 Cisco 2900 路由器和 Mikrotik RouterBoard

DIA 通过微波链路接入

连接应该是 ISP IDU 到 Cisco 路由器到 Mikrotik RouterBoard 到最终用户

ISP 给定的地址:

IP 1xx.xx.x.162

NM 255.255.255.252

GW 1xx.xx.x.161

ISP 给定的 DNS:

xxx.xxx.xxx.1

xxx.xxx.xxx.2

总结一下,我配置了思科:

#GE0/0 - 1xx.xx.x.162 255.255.255.252
#GE0/1 - 192.168.xx.1 255.255.255.0

#DHCP pool 192.168.xx.0 255.255.255.0

#Default Route 1xx.xx.x.162

#dns-server xxx.xxx.xxx.1 xxx.xxx.xxx.2

#excluded 192.168.xx.241 192.168.xx.254

#GE0/0 nat outside

#GE0/1 nat inside (also source list & overloaded)

#ip route 0.0.0.0 0.0.0.0 1xx.xx.x.161

我已经很久没做这些了,但我相信这些配置没问题(如果有错,请指正,不胜感激)

我的难点是 Mikrotik。我已经复习过了,相信设置热点、配置文件和用户不会成问题,问题在于 IP 寻址、DHCP 和 NAT,因为可能与 Cisco 上的配置重复/冲突。

所以,我配置了 Mikrotik:

**eth1:** 192.168.xx.1/24 (IP of Cisco GE0/1)

**eth2:** 192.168.1.0/24


**DHCP client:** eth1

路线:

Destination 0.0.0.0/0
 
Gateway 1xx.xx.x.161 (or should I use IP of GE0/1 i.e., 192.168.xx.1?)


**NAT:**
Source 192.168.1.0/24

目的地 0.0.0.0/0,行动伪装

使用 DHCP 设置的 DHCP 服务器:

Int 2

Address 192.168.1.0/24

Gateway 192.168.1.1(IP of Mikrotik)

Address to give out (192.168.1.2, 192.168.1.254)

DNS servers (192,168.1.1, xxx.xxx.xxx.1, xxx,xxx,xxx,2)

NAT:

port-forwarding using netmap on port 80.

Mikrotik 就是这样,就像我说的,热点、配置文件和用户不会成为问题,但我真的需要其他方面的帮助。

cisco mikrotik
Andrew
Asked: 2020-11-17 15:13:18 +0800 CST

无法将 Mikrotik OpenVPN 客户端连接到 Linux 服务器


问候!

我真的很感激任何帮助!

在过去的两天里,我无法让 Mikrotik 路由器连接到 Debian 10 OpenVPN 服务器。

对于每次连接尝试,路由器都会显示以下错误消息:

Status: terminating... - could not add address: netmask cannot be /0 (6)

这是我的配置:

客户端: Mikrotik RB2011UiAS-2HnD-IN / RouterOS:7.1b2 / 6.46.8(两种固件都试过)

"White" IP: 195.111.111.2/30    Gateway: 195.111.111.1

[admin@MikroTik] > /interface print                                                                                                                                     
Flags: R - RUNNING; S - SLAVE      
   #      NAME            TYPE      ACTU  L2MT  MAX-  MAC-ADDRESS          
   0  R   ether1-gateway  ether     1500  1598  4074  D4:CA:6D:00:E0:03    
   1  RS  ether2          ether     1500  1598  4074  D4:CA:6D:00:E0:04    
   2  RS  ether3          ether     1500  1598  4074  D4:CA:6D:00:E0:05    
   3  RS  ether4          ether     1500  1598  4074  D4:CA:6D:00:E0:06    
   4   S  ether5          ether     1500  1598  4074  D4:CA:6D:00:E0:07    
   5   S  ether6          ether     1500  1598  2028  D4:CA:6D:00:E0:08    
   6   S  ether7          ether     1500  1598  2028  D4:CA:6D:00:E0:09    
   7   S  ether8          ether     1500  1598  2028  D4:CA:6D:00:E0:0A    
   8   S  ether9          ether     1500  1598  2028  D4:CA:6D:00:E0:0B    
   9   S  ether10         ether     1500  1598  2028  D4:CA:6D:00:E0:0C  
  10      sfp1            ether     1500  1598  4074  D4:CA:6D:00:E0:02    
  11  RS  wlan1           wlan      1500  1600  2290  D4:CA:6D:00:E0:0D    
  12      office          ovpn-out                    02:FF:F4:DF:C3:9A    
  13  R   bridge1         bridge    1500  1598        D4:CA:6D:00:E0:0D

[admin@MikroTik] > /interface ovpn-client print                                                                                             
Flags: X - disabled; R - running     
 0    name="office" mac-address=02:F2:F2:2F:CC:1A max-mtu=1500 connect-to=195.222.222.2 port=1198 mode=ip protocol=tcp user="mikrotik" password="" profile=default     
      certificate=cert_2 verify-server-certificate=no auth=sha1 cipher=aes256 use-peer-dns=no add-default-route=no 

[admin@MikroTik] > /ip route print                                                                                                          
Flags: D - DYNAMIC; X - DISABLED, I - INACTIVE, A - ACTIVE; C - CONNECT, S - STATIC, m - MODEM        
  #       DST-ADDRESS        GATEWAY         D    
     AS   0.0.0.0/0          195.111.111.1  1    
     DAC  192.168.47.0/24    bridge1         0    
     DAC  195.111.111.2/30   ether1-gateway  0


[admin@MikroTik] > /ip firewall nat print     
Flags: X - disabled, I - invalid; D - dynamic     
 0    chain=srcnat action=masquerade dst-address=0.0.0.0 out-interface=ether1-gateway log=no log-prefix="" 

服务器: Debian 10 + Xen 4.11 桥接

# ip addr

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master xenbr0 state UP group default qlen 1000
    link/ether 2c:2f:6b:20:2e:24 brd ff:ff:ff:ff:ff:ff
3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 2c:2f:2b:20:2e:25 brd ff:ff:ff:ff:ff:ff
    inet 195.222.222.2/30 brd 195.222.222.1 scope global eno2
       valid_lft forever preferred_lft forever
4: xenbr0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 2c:2f:2b:20:2e:24 brd ff:ff:ff:ff:ff:ff
    inet 192.168.48.1/24 brd 192.168.48.255 scope global xenbr0
       valid_lft forever preferred_lft forever
5: vif1.0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq master xenbr0 state UP group default qlen 32
    link/ether fe:ff:ff:ff:ff:ff brd ff:ff:ff:ff:ff:ff
6: tun1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 500
    link/none
    inet 10.101.0.1/24 scope global tun1
       valid_lft forever preferred_lft forever

# cat /etc/openvpn/server.conf:

# NOTE(review): server.conf as pasted in the question. Lines marked NOTE(review)
# are reviewer remarks; all directives are unchanged.
# Listen on the public address, TCP/1198, and hand the tunnel to tun1.
local 195.222.222.2
port 1198
proto tcp
dev tun1
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/server.crt
key /etc/openvpn/keys/server.key  
dh /etc/openvpn/keys/dh.pem
# NOTE(review): AES-256-CBC + SHA1 only - presumably to match what the RouterOS
# client offers (cipher=aes256 auth=sha1 in the client print above). No
# tls-auth/tls-crypt is configured here, so the listener accepts TLS handshakes
# from any source; the RouterOS client print also shows
# verify-server-certificate=no, i.e. the client does not authenticate this
# server's certificate - worth enabling once the tunnel is up.
data-ciphers AES-256-CBC
cipher AES-256-CBC
auth SHA1
# With "topology subnet", a per-client ifconfig-push is "<address> <netmask>",
# not an address pair.
topology subnet
server 10.101.0.0 255.255.255.0
# NOTE(review): client-config-dir is "ccd", but the server log in the question
# reads "OPTIONS IMPORT: reading client specific options from: ccd-tcp/mikrotik"
# (and the pool file is ipp_tcp.txt), which suggests a separate TCP instance
# with its own config. The ccd file shown below may therefore not be the one
# the running server actually uses - confirm which config is loaded.
ifconfig-pool-persist ipp_tcp.txt
client-config-dir ccd
# Routes pushed to every client. 192.168.47.0/24 is the mikrotik client's own
# LAN (see its iroute), so for that client the second push is at best redundant.
push "route 192.168.48.0 255.255.255.0"
push "route 192.168.47.0 255.255.255.0"
# NOTE(review): mixes CIDR and a dotted mask ("192.168.47.0/24 255.255.255.0");
# the other route lines use "network netmask". Check openvpn.log that this
# directive parsed as intended.
route 192.168.47.0/24 255.255.255.0
client-to-client
keepalive 10 120
;comp-lzo
;max-clients 100
# Drop privileges after start; persist-key/persist-tun are needed so a SIGUSR1
# restart does not have to re-read the keys or reopen tun1 as "nobody".
user nobody
group nogroup
persist-key
persist-tun
status  /var/log/openvpn/openvpn-status.log
log     /var/log/openvpn/openvpn.log
verb 6
;mute 20

#/etc/openvpn/ccd/mikrotik

# NOTE(review): iroute takes "<network> <netmask>"; the trailing 10.101.0.2 is
# not part of that syntax. If this file is the one the server loads, check the
# log for an options error on it.
iroute 192.168.47.0 255.255.255.0 10.101.0.2
# NOTE(review): with "topology subnet" in server.conf this is
# "ifconfig-push <client-ip> <netmask>". Here the second field is 10.101.0.1
# (the server's tun address) and the mask is pushed as a third field, so a
# client that applies it gets 10.101.0.2 with "netmask" 10.101.0.1 - consistent
# with the RouterOS error "netmask cannot be /0". Pushing
# "ifconfig-push 10.101.0.2 255.255.255.0" (the pool's mask) is what the
# server-side /24 expects.
ifconfig-push 10.101.0.2 10.101.0.1 255.255.255.252

# iptables -S

-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 1198 -m state --state NEW -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i xenbr0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o xenbr0 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# iptables -t nat -S

-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A POSTROUTING -s 192.168.48.0/24 -d 192.168.48.0/24 -j ACCEPT
-A POSTROUTING -s 192.168.48.0/24 -d 10.0.0.0/8 -j ACCEPT
-A POSTROUTING -s 192.168.48.0/24 -j SNAT --to-source 195.222.222.2

OpenVPN 服务器日志:

2020-11-17 01:53:40 us=127869 MULTI: multi_create_instance called
2020-11-17 01:53:40 us=127918 Re-using SSL/TLS context
2020-11-17 01:53:40 us=127965 Control Channel MTU parms [ L:1623 D:1210 EF:40 EB:0 ET:0 EL:3 ]
2020-11-17 01:53:40 us=127977 Data Channel MTU parms [ L:1623 D:1450 EF:123 EB:406 ET:0 EL:3 ]
2020-11-17 01:53:40 us=128002 Local Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_SERVER,cipher AES-256-CBC,auth SHA1,key$
2020-11-17 01:53:40 us=128010 Expected Remote Options String (VER=V4): 'V4,dev-type tun,link-mtu 1559,tun-mtu 1500,proto TCPv4_CLIENT,cipher AES-256-CBC,aut$
2020-11-17 01:53:40 us=128035 TCP connection established with [AF_INET]195.111.111.2:34720
2020-11-17 01:53:40 us=128045 TCPv4_SERVER link local: (not bound)
2020-11-17 01:53:40 us=128053 TCPv4_SERVER link remote: [AF_INET]195.111.111.2:34720
2020-11-17 01:53:40 us=132062 195.111.111.2:34720 TCPv4_SERVER READ [14] from [AF_INET]195.111.111.2:34720: P_CONTROL_HARD_RESET_CLIENT_V2 kid=0 [ ] pid=0$
2020-11-17 01:53:40 us=132100 195.111.111.2:34720 TLS: Initial packet from [AF_INET]195.111.111.2:34720, sid=d0dc4e5c 860c785f
2020-11-17 01:53:40 us=132124 195.111.111.2:34720 TCPv4_SERVER WRITE [26] to [AF_INET]195.111.111.2:34720: P_CONTROL_HARD_RESET_SERVER_V2 kid=0 [ 0 ] pid=$
2020-11-17 01:53:40 us=136840 195.111.111.2:34720 TCPv4_SERVER READ [22] from [AF_INET]195.111.111.2:34720: P_ACK_V1 kid=0 [ 0 ]
2020-11-17 01:53:40 us=183931 195.111.111.2:34720 TCPv4_SERVER READ [116] from [AF_INET]195.111.111.2:34720: P_CONTROL_V1 kid=0 [ ] pid=1 DATA len=102
2020-11-17 01:53:40 us=184699 195.111.111.2:34720 TCPv4_SERVER WRITE [1196] to [AF_INET]195.111.111.2:34720: P_CONTROL_V1 kid=0 [ 1 ] pid=1 DATA len=1170
2020-11-17 01:53:40 us=184741 195.111.111.2:34720 TCPv4_SERVER WRITE [1078] to [AF_INET]195.111.111.2:34720: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=1064
2020-11-17 01:53:40 us=190449 195.111.111.2:34720 TCPv4_SERVER READ [22] from [AF_INET]195.111.111.2:34720: P_ACK_V1 kid=0 [ 1 ]
2020-11-17 01:53:40 us=235548 195.111.111.2:34720 TCPv4_SERVER READ [22] from [AF_INET]195.111.111.2:34720: P_ACK_V1 kid=0 [ 2 ]
2020-11-17 01:53:40 us=841342 195.111.111.2:34720 TCPv4_SERVER READ [1282] from [AF_INET]195.111.111.2:34720: P_CONTROL_V1 kid=0 [ ] pid=2 DATA len=1268
2020-11-17 01:53:40 us=841519 195.111.111.2:34720 VERIFY OK: depth=1, CN=Easy-RSA CA
2020-11-17 01:53:40 us=841600 195.111.111.2:34720 VERIFY OK: depth=0, CN=mikrotik
2020-11-17 01:53:40 us=841809 195.111.111.2:34720 TCPv4_SERVER WRITE [77] to [AF_INET]195.111.111.2:34720: P_CONTROL_V1 kid=0 [ 2 ] pid=3 DATA len=51
2020-11-17 01:53:40 us=846294 195.111.111.2:34720 TCPv4_SERVER READ [22] from [AF_INET]195.111.111.2:34720: P_ACK_V1 kid=0 [ 3 ]
2020-11-17 01:53:40 us=891974 195.111.111.2:34720 TCPv4_SERVER READ [303] from [AF_INET]195.111.111.2:34720: P_CONTROL_V1 kid=0 [ ] pid=3 DATA len=289
2020-11-17 01:53:40 us=892064 195.111.111.2:34720 TCPv4_SERVER WRITE [259] to [AF_INET]195.111.111.2:34720: P_CONTROL_V1 kid=0 [ 3 ] pid=4 DATA len=233
2020-11-17 01:53:40 us=896730 195.111.111.2:34720 TCPv4_SERVER READ [22] from [AF_INET]195.111.111.2:34720: P_ACK_V1 kid=0 [ 4 ]
2020-11-17 01:53:40 us=896755 195.111.111.2:34720 Control Channel: TLSv1.2, cipher TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2020-11-17 01:53:40 us=896771 195.111.111.2:34720 [mikrotik] Peer Connection Initiated with [AF_INET]195.111.111.2:34720
2020-11-17 01:53:40 us=896788 mikrotik/195.111.111.2:34720 MULTI_sva: pool returned IPv4=10.101.0.2, IPv6=(Not enabled)
2020-11-17 01:53:40 us=896826 mikrotik/195.111.111.2:34720 OPTIONS IMPORT: reading client specific options from: ccd-tcp/mikrotik
2020-11-17 01:53:40 us=896884 mikrotik/195.111.111.2:34720 MULTI: Learn: 10.101.0.2 -> mikrotik/195.111.111.2:34720
2020-11-17 01:53:40 us=896894 mikrotik/195.111.111.2:34720 MULTI: primary virtual IP for mikrotik/195.111.111.2:34720: 10.101.0.2
2020-11-17 01:53:40 us=896902 mikrotik/195.111.111.2:34720 MULTI: internal route 192.168.47.0/24 -> mikrotik/195.111.111.2:34720
2020-11-17 01:53:40 us=896911 mikrotik/195.111.111.2:34720 MULTI: Learn: 192.168.47.0/24 -> mikrotik/195.111.111.2:34720
2020-11-17 01:53:40 us=896967 mikrotik/195.111.111.2:34720 Outgoing Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2020-11-17 01:53:40 us=896978 mikrotik/195.111.111.2:34720 Outgoing Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2020-11-17 01:53:40 us=896987 mikrotik/195.111.111.2:34720 Incoming Data Channel: Cipher 'AES-256-CBC' initialized with 256 bit key
2020-11-17 01:53:40 us=896995 mikrotik/195.111.111.2:34720 Incoming Data Channel: Using 160 bit message hash 'SHA1' for HMAC authentication
2020-11-17 01:53:40 us=943781 mikrotik/195.111.111.2:34720 TCPv4_SERVER READ [56] from [AF_INET]195.111.111.2:34720: P_CONTROL_V1 kid=0 [ ] pid=4 DATA len$
2020-11-17 01:53:40 us=943836 mikrotik/195.111.111.2:34720 PUSH: Received control message: 'PUSH_REQUEST'
2020-11-17 01:53:40 us=943858 mikrotik/195.111.111.2:34720 SENT CONTROL [mikrotik]: 'PUSH_REPLY,route-gateway 10.101.0.1,topology subnet,ping 10,ping-resta$
2020-11-17 01:53:40 us=943876 mikrotik/195.111.111.2:34720 TCPv4_SERVER WRITE [22] to [AF_INET]195.111.111.2:34720: P_ACK_V1 kid=0 [ 4 ]
2020-11-17 01:53:40 us=943918 mikrotik/195.111.111.2:34720 TCPv4_SERVER WRITE [156] to [AF_INET]195.111.111.2:34720: P_CONTROL_V1 kid=0 [ ] pid=5 DATA len$
2020-11-17 01:53:41 us=251 mikrotik/195.111.111.2:34720 TCPv4_SERVER READ [22] from [AF_INET]195.111.111.2:34720: P_ACK_V1 kid=0 [ 5 ]
2020-11-17 01:53:41 us=76161 mikrotik/195.111.111.2:34720 Connection reset, restarting [0]
2020-11-17 01:53:41 us=76196 mikrotik/195.111.111.2:34720 SIGUSR1[soft,connection-reset] received, client-instance restarting
2020-11-17 01:53:41 us=76272 TCP/UDP: Closing socket

提前致谢!

linux routing openvpn iptables mikrotik