
    Hotspot and VirtualAP problem

    Folks,

    I have a somewhat strange problem.

    I have 2 routerboards at a POP and was setting up a fail-over system on them.

    When one freezes, the other would automatically take over the other's network and SSID using VIRTUAL APs on the wlan interfaces.

    The problem is the following:

    On the normal wlan a hotspot is running.
    On the VirtualAP of that same wlan I run IPxMAC only, with WEP 128 pre-shared key encryption.

    On the main Wlan's Hotspot everything works fine, I even have several clients in production on it, but on the virtual-ap I can't resolve names (DNS).

    A masquerade rule was created properly, and I even moved it ahead of the hotspot rules.

    On the VirtualAP all the other services work perfectly well: ping, accessing winbox, browsing the internet using IP instead of name, etc. Only DNS doesn't resolve at all.

    I noticed there are some dynamic rules in the hotspot related to port 53. But since I don't use hotspot on the VirtualAP, could they be interfering with something?

    Could it be some conflict with the Hotspot's dynamic rules?

    Does anyone have an idea what's going on?

    Here are the nat and filter rules for analysis.

    Code:
    /ip firewall filter
    add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
    add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
    add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
    add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
    add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
    add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no icmp-options=11:0-255 limit=5,5 protocol=\
        icmp
    add action=accept chain=services comment="allow http, webbox" disabled=no dst-port=8081 protocol=tcp
    add action=accept chain=services comment="allow winbox" disabled=no dst-port=8291 protocol=tcp
    add action=accept chain=services comment="allow DNS request" disabled=no dst-port=53 protocol=tcp
    add action=accept chain=services comment="allow DNS request" disabled=no dst-port=53 protocol=udp
    add action=accept chain=services comment="alllow MACwinbox" disabled=no dst-port=20561 protocol=udp
    add action=accept chain=services comment=" MT Discovery Protocol" disabled=no dst-port=5678 protocol=udp
    add action=accept chain=forward comment="Bloqueio Inadimplentes" disabled=yes dst-port=81 protocol=tcp
    add action=drop chain=forward comment="" disabled=yes src-address-list=bloqueio
    add action=add-src-to-address-list address-list=spammer address-list-timeout=3d chain=forward comment=\
        "Detect and add-list SMTP virus or spammers" connection-limit=30,32 disabled=no dst-port=25 limit=10/1m,1 protocol=\
        tcp
    add action=drop chain=forward comment="BLOCK SPAMMERS OR INFECTED USERS" disabled=no dst-port=25 protocol=tcp \
        src-address-list=spammer
    add action=drop chain=virus comment="BLOQUEIO LISTA DE VIRUS CONHECIDOS" disabled=no dst-port=135-139 protocol=tcp
    add action=drop chain=virus comment="" disabled=no dst-port=135-139 protocol=udp
    add action=drop chain=forward comment="BLOQUEIO WAREZ/ARES" disabled=no dst-port=0 protocol=udp
    add action=drop chain=forward comment="" disabled=no dst-port=0 protocol=tcp
    add action=drop chain=forward comment="" disabled=no p2p=warez
    add action=drop chain=virus comment="!!! DROP PORTA PROXY !!!" disabled=yes dst-port=3127-3128 protocol=tcp
    add action=drop chain=input comment="BLOQUEIO DE SSH - PORTA 22 e 23" disabled=no dst-port=22-23 protocol=tcp
    add action=drop chain=output comment="drop invalid packets" connection-state=invalid disabled=no
    add action=accept chain=output comment="accept related packets" connection-state=related disabled=no
    add action=accept chain=output comment="accept established packets" connection-state=established disabled=no
    add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
    add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no
    add action=drop chain=input comment="detect and drop port scan connections" disabled=no protocol=tcp psd=21,3s,3,1
    add action=jump chain=input comment="!!! Check for well-known viruses !!!" disabled=no jump-target=virus
    add action=drop chain=forward comment="BLOQUEIO ENTRE USUARIOS" disabled=no dst-port=135-139 protocol=tcp
    add action=drop chain=forward comment="" disabled=no dst-port=445 protocol=tcp
    add action=drop chain=forward comment="" disabled=no dst-port=445 protocol=udp
    add action=drop chain=forward comment="" disabled=no dst-port=135-139 protocol=udp
    add action=drop chain=forward comment="" disabled=no dst-port=1900 protocol=udp
    add action=drop chain=forward comment="" disabled=no protocol=udp src-port=1900
    add action=drop chain=forward comment="drop invalid packets" connection-state=invalid disabled=no
    add action=accept chain=forward comment="accept related packets" connection-state=related disabled=no
    add action=drop chain=forward comment="CONEXOES SIMULTANEAS ESPECIAIS" connection-limit=60,32 disabled=yes protocol=tcp \
        src-address=192.168.2.201 tcp-flags=syn
    add action=drop chain=forward comment="## CONTROLE CONEXOES SIMULTANEAS CLIENTES ##" connection-limit=20,24 disabled=no \
        protocol=tcp src-address=192.168.5.0 tcp-flags=syn
    add action=drop chain=forward comment="" connection-limit=20,24 disabled=yes protocol=tcp src-address=192.168.3.0 \
        tcp-flags=syn
    add action=accept chain=input comment="Allow limited pings" disabled=no limit=50/5s,2 protocol=icmp
    add action=drop chain=input comment="Drop excess pings" disabled=no protocol=icmp
    add action=accept chain=forward comment="" disabled=no dst-port=25 protocol=tcp src-address-list=spammer
    add action=add-src-to-address-list address-list=excess_ping address-list-timeout=0s chain=forward comment="" \
        connection-limit=30,32 disabled=no dst-port=25 limit=50,5 protocol=tcp

    Code:
    /ip firewall nat
    add action=masquerade chain=srcnat comment="Equador - Fail-over" disabled=no src-address=192.168.3.0/24
    add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
    add action=dst-nat chain=dstnat comment="Redirecionamento para APs Clientes CUIDADO" disabled=yes dst-address=\
        189.77.28.231 dst-port=80 protocol=tcp to-addresses=192.168.5.42 to-ports=80
    add action=dst-nat chain=dstnat comment=PROXY disabled=no dst-port=80 in-interface=!ether3 protocol=tcp to-addresses=\
        189.77.28.232 to-ports=3128
    add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no src-address=192.168.6.0/24
    add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no src-address=192.168.5.0/24

    Thanks folks, I'd really appreciate any help.
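An added check (not part of the original post, and not MikroTik code): a small Python parser for RouterOS export lines like those quoted above that first glues the `\` continuation lines back together, then reports user-defined chains that no active jump rule reaches and the active rules whose dst-port covers port 53. The embedded sample is a constructed subset of the post's filter rules.

```python
import re
import shlex

# Constructed sample in RouterOS "/export" style, modelled on a subset of the
# filter rules quoted in the post; the '\' continuation line is kept on purpose.
SAMPLE_EXPORT = r'''/ip firewall filter
add action=accept chain=services comment="allow DNS request" disabled=no dst-port=53 protocol=tcp
add action=accept chain=services comment="allow DNS request" disabled=no dst-port=53 protocol=udp
add action=drop chain=virus comment="BLOQUEIO LISTA DE VIRUS CONHECIDOS" disabled=no dst-port=135-139 protocol=tcp
add action=jump chain=input comment="!!! Check for well-known viruses !!!" disabled=no jump-target=virus
add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no icmp-options=11:0-255 limit=5,5 protocol=\
    icmp
'''

def parse_export(text):
    """One {key: value} dict per 'add' line; '\\'-continued lines are joined first."""
    joined = re.sub(r"\\\n\s*", "", text)   # glue "protocol=\ <newline> icmp" back together
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue                        # skip the '/ip firewall filter' header
        rule = {}
        for token in shlex.split(line[4:]):  # shlex keeps comment="..." as one token
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules

def unreachable_chains(rules):
    """User-defined chains that hold rules but that no active jump rule targets."""
    defined = {r["chain"] for r in rules} - {"input", "output", "forward"}
    jumped = {r["jump-target"] for r in rules
              if r.get("action") == "jump" and r.get("disabled") != "yes"}
    return sorted(defined - jumped)

def rules_matching_port(rules, port=53):
    """(chain, action, protocol) of active rules whose dst-port covers `port`."""
    hits = []
    for r in rules:
        if r.get("disabled") == "yes" or "dst-port" not in r:
            continue
        for item in r["dst-port"].split(","):  # e.g. "135-139", "53" or "80,443"
            lo, _, hi = item.partition("-")
            if int(lo) <= port <= int(hi or lo):
                hits.append((r["chain"], r["action"], r.get("protocol", "any")))
                break
    return hits
```

Run over the full filter export quoted in the post, `unreachable_chains` reports `ICMP`, `services` (the chain holding the port-53 accepts) and the disabled `unused-hs-chain`, because the only jump rule in that export targets `virus`.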
