


  1. #1

    Client ends up with an internal-network IP!!

    Good evening, MK-savvy folks, I have the following problem:
    One day I went to a customer's to run a speed test and I had never noticed that when the site opens, the IP shown is the IP of my own internal network, something like 192.168.1.X, whereas it usually shows the IP of the cable modem, the routed modem, or the MK's fixed IP, something like 189.71.X.X.

    My MK is configured as a HotSpot; the modem is not in bridge mode, but if I connect my notebook directly to the modem the speed test shows the correct WAN IP, in other words, the MK is letting the internal IP through.

    Thanks.

  2. #2

    The MK's network cards must be set to "ARP: proxy-arp"

    and the most correct setup would be: on the local card ARP: reply-only (only the MACs and IPs registered under IP >> ARP will get a reply from the MK) and on the internet card ARP: enabled

  3. #3

    Sorry for the delay in replying, buuuut it didn't work, sosouteiro, the internal IPs are still getting through; could there be some firewall rule for that?? In the firewall I use a redirect with chain pre-hotspot for port 80 on the interfaces that go to the clients.

  4. #4

    Quote Originally posted by renatosoa
    Sorry for the delay in replying, buuuut it didn't work, sosouteiro, the internal IPs are still getting through; could there be some firewall rule for that?? In the firewall I use a redirect with chain pre-hotspot for port 80 on the interfaces that go to the clients.
    Post your firewall rules.

  5. #5

    Right below:

    / ip firewall mangle
    add chain=output protocol=tcp src-port=3128 content="X-Cache: HIT" action=mark-connection new-connection-mark=Cache-Connection passthrough=yes comment=">> \
    CACHE FULL <<" disabled=no
    add chain=output connection-mark=Cache-Connection action=mark-packet new-packet-mark=Cache-Packet passthrough=yes comment="" disabled=no
    add chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn passthrough=yes comment=">> P2P control <<" disabled=no
    add chain=prerouting connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p passthrough=yes comment="" disabled=no

    / ip firewall nat
    add chain=srcnat out-interface=Link action=masquerade comment="masquerade hotspot network" disabled=no
    add chain=pre-hotspot dst-address=175.25.0.0/16 protocol=tcp dst-port=80 hotspot=auth action=redirect to-ports=64873 comment="Hotspot status pages" \
    disabled=no
    add chain=pre-hotspot in-interface=Clientes protocol=tcp dst-port=80 hotspot=auth action=redirect to-ports=3128 comment=">> HotSpot redirect to

    / ip firewall connection tracking
    set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-close-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
    tcp-syncookie=no

    / ip firewall filter
    add chain=input in-interface=Link protocol=tcp dst-port=3128 action=drop comment=">> External proxy block <<" disabled=no
    add chain=forward src-address=175.25.100.0/24 protocol=tcp tcp-flags=syn connection-limit=35,24 action=drop comment=">> Limit Ethernet connections <<" \
    disabled=no
    add chain=forward src-address=175.25.50.0/24 protocol=tcp tcp-flags=syn connection-limit=35,24 action=drop comment=">> Limit Wireless connections <<" \
    disabled=no
    add chain=input protocol=tcp dst-port=3128 action=accept comment=">> Accept connections to proxy <<" disabled=no
    add chain=forward protocol=tcp action=jump jump-target=virus comment="Creates jumps to new chains" disabled=yes

    / ip firewall service-port
    set ftp ports=21 disabled=no
    set tftp ports=69 disabled=no

  6. #6

    Everything looks normal here. Post your web-proxy rules and the configuration of your network interfaces.

  7. #7

    So here we go:

    / interface ethernet
    set Link name="Link" mtu=1500 mac-address=00:00:00:00: arp=enabled \
    disable-running-check=yes auto-negotiation=yes full-duplex=yes \
    cable-settings=default speed=100Mbps comment="" disabled=no
    set Clientes name="Clientes" mtu=1500 mac-address=00:00:00:00: \
    arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes \
    cable-settings=default speed=100Mbps comment="" disabled=no
    / interface wireless
    set wlan1 name="wlan1" mtu=1500 mac-address=00:00:00:00: arp=enabled \
    disable-running-check=no radio-name="MK RHSuporte" mode=ap-bridge \
    ssid="Empresarial" area="" frequency-mode=superchannel \
    country=no_country_set antenna-gain=0 frequency=2412 band=2.4ghz-b/g \
    scan-list=default rate-set=default \
    supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps \
    supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
    basic-rates-b=1Mbps basic-rates-a/g=6Mbps max-station-count=2007 \
    ack-timeout=dynamic tx-power=25 tx-power-mode=card-rates \
    noise-floor-threshold=default periodic-calibration=default \
    periodic-calibration-interval=300 burst-time=disabled dfs-mode=none \
    antenna-mode=ant-a wds-mode=dynamic wds-default-bridge=none \
    wds-default-cost=100 wds-cost-range=50-150 wds-ignore-ssid=no \
    update-stats-interval=disabled default-authentication=yes \
    default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 \
    proprietary-extensions=post-2.9.25 hide-ssid=no security-profile=RHSuporte \
    disconnect-timeout=3s on-fail-retry-time=100ms preamble-mode=both \
    compression=no allow-sharedkey=no comment="" disabled=no
    / interface wireless nstreme
    set wlan1 enable-nstreme=no enable-polling=yes framer-policy=none \
    framer-limit=3200
    / interface wireless manual-tx-power-table
    set wlan1 manual-tx-powers=1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9Mbp\
    s:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17
    / interface wireless security-profiles
    set default name="default" mode=dynamic-keys authentication-types=wpa-psk \
    unicast-ciphers=tkip group-ciphers=tkip \
    wpa-pre-shared-key="***********" wpa2-pre-shared-key="" \
    tls-mode=no-certificates tls-certificate=none static-algo-0=none \
    static-key-0="" static-algo-1=none static-key-1="" static-algo-2=none \
    static-key-2="" static-algo-3=none static-key-3="" \
    static-transmit-key=key-0 static-sta-private-algo=none \
    static-sta-private-key="" radius-mac-authentication=no group-key-update=5m
    add name="RHSuporte" mode=dynamic-keys authentication-types=wpa-psk \
    unicast-ciphers=tkip group-ciphers=tkip \
    wpa-pre-shared-key="************" \
    wpa2-pre-shared-key="***********" tls-mode=no-certificates \
    tls-certificate=none static-algo-0=none static-key-0="" static-algo-1=none \
    static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none \
    static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none \
    static-sta-private-key="" radius-mac-authentication=no group-key-update=5m
    / interface wireless align
    set frame-size=300 active-mode=yes receive-all=no \
    audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 ssid-all=no \
    frames-per-second=25 audio-min=-100 audio-max=-20
    / interface wireless snooper
    set multiple-channels=yes channel-time=200ms receive-errors=no
    / interface wireless sniffer
    set multiple-channels=no channel-time=200ms only-headers=no receive-errors=no \
    memory-limit=10 file-name="" file-limit=10 streaming-enabled=no \
    streaming-server=0.0.0.0 streaming-max-rate=0
    / interface l2tp-server server
    set enabled=no max-mtu=1460 max-mru=1460 \
    authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption
    / interface pptp-server server
    set enabled=no max-mtu=1460 max-mru=1460 authentication=mschap1,mschap2 \
    keepalive-timeout=30 default-profile=default-encryption

    / ip web-proxy
    set enabled=yes src-address=0.0.0.0 port=3128 hostname="proxy" \
    transparent-proxy=yes parent-proxy=0.0.0.0:0 \
    cache-administrator="[email protected]" max-object-size=30960KiB \
    cache-drive=system max-cache-size=unlimited max-ram-cache-size=unlimited
    / ip web-proxy access
    add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
    disabled=no
    / ip web-proxy cache
    add url=":cgi-bin \\?" action=deny comment="don't cache dynamic http pages" \
    disabled=no
    add url="https://" action=deny comment="no cache dynamic https pages" \
    disabled=no
    Last edited by renatosoa; 02-04-2010 at 16:03.
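An added example, not code from the thread, showing the mechanism that usually produces this symptom with a configuration like the one above (`transparent-proxy=yes`): the proxy relays the HTTP request itself and, like Squid, appends the original client address in an `X-Forwarded-For` header (plus a `Via` header), and many speed-test / "what is my IP" pages display that header instead of the TCP peer address, so the private address shows up even though masquerade already rewrote the packet source to the WAN IP. The Python simulation below models the two paths the original poster compared (notebook plugged into the modem, and through the MK), and contrasts a naive server-side check with a hardened one that only trusts the header from proxies it operates, since any client can forge `X-Forwarded-For`. The addresses `192.168.1.10` and `189.71.0.1` are constructed from the masked values in the thread, the header behaviour is an assumption about the proxy rather than something the thread confirms, and `203.0.113.0/24` / `198.51.100.7` in the usage are documentation addresses.

```python
import ipaddress
from typing import Dict, Iterable, Optional, Tuple

# Constructed placeholders derived from the masked values in the thread
# (192.168.1.X and 189.71.X.X); they are not the poster's real addresses.
CLIENT_PRIVATE = "192.168.1.10"   # the client's address behind the MK
WAN_PUBLIC = "189.71.0.1"         # what the source address becomes after masquerade


def transparent_proxy_forward(client_ip: str,
                              headers: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Model a transparent HTTP proxy relaying a request upstream.

    Assumption: like Squid, the proxy appends the original client address to
    X-Forwarded-For and adds a Via header (pseudonym "proxy", the hostname in
    the posted config) before NAT rewrites the packet's source address.
    """
    out = dict(headers or {})
    prior = out.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{prior}, {client_ip}" if prior else client_ip
    out["Via"] = "1.1 proxy"
    return out


def displayed_ip_naive(peer_ip: str, headers: Dict[str, str]) -> str:
    """What a careless 'what is my IP' page does: show X-Forwarded-For if present."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def displayed_ip_hardened(peer_ip: str, headers: Dict[str, str],
                          trusted_proxies: Iterable[str] = ()) -> str:
    """Honour X-Forwarded-For only when the TCP peer is a proxy we run.

    The header is attacker-controlled unless a hop we trust added it, so walk
    the chain from the right, skip trusted hops, and report the first untrusted
    one; on a malformed chain fall back to the peer address.
    """
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def is_trusted(ip: ipaddress._BaseAddress) -> bool:
        return any(ip in net for net in trusted)

    if not is_trusted(ipaddress.ip_address(peer_ip)):
        return peer_ip
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # garbage in the chain: trust none of it
        if not is_trusted(ip):
            return hop
    return peer_ip


def scenario_direct() -> str:
    """Notebook plugged straight into the modem: NAT only, no proxy headers."""
    return displayed_ip_naive(WAN_PUBLIC, {})


def scenario_through_proxy() -> str:
    """Client behind the MK with the transparent proxy in the path."""
    headers = transparent_proxy_forward(CLIENT_PRIVATE)
    # After masquerade the site's TCP peer is the WAN address, but the header
    # still carries the private one, and the naive page shows the header.
    return displayed_ip_naive(WAN_PUBLIC, headers)


def scenario_spoofed_header() -> Tuple[str, str]:
    """A client forging X-Forwarded-For: the naive page believes it, the hardened one does not."""
    forged = {"X-Forwarded-For": "8.8.8.8"}
    return displayed_ip_naive(WAN_PUBLIC, forged), displayed_ip_hardened(WAN_PUBLIC, forged)


if __name__ == "__main__":
    print("direct to modem     :", scenario_direct())
    print("through transparent :", scenario_through_proxy())
    print("forged (naive, hardened):", scenario_spoofed_header())
    print("behind a trusted proxy  :",
          displayed_ip_hardened("203.0.113.5",
                                {"X-Forwarded-For": "198.51.100.7, 203.0.113.5"},
                                ["203.0.113.0/24"]))
```

The hardened variant is the one to copy into anything that makes decisions on the client address (rate limiting, geo checks, audit logs): it reports the private address only when the connection really arrives from a proxy you listed, and otherwise ignores the header entirely.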

  8. #8

    Quote Originally posted by renatosoa
    So here we go: [...]
    In the web-proxy, add a rule to accept the IPs of your network and after that rule insert another one that blocks all the remaining IPs.

  9. #9

    Would it be more or less like this??
    But I added the web-proxy port; without it I get a connection error on any site.
    And in case it is these rules below, either they didn't work or I wrote them wrong.
    Hey sosouteiro, thanks a lot man, keep it up, I'm really grateful !!! (Y)

    / ip web-proxy access
    add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
    disabled=no
    add src-address=175.25.50.0/32 dst-port=3128 action=allow comment="Accept \
    connection to proxy" disabled=no
    add src-address=175.25.100.0/32 dst-port=3128 action=allow comment="Accept \
    connection to proxy" disabled=no
    add dst-port=3128 action=deny comment="Block other connections to proxy" \
    disabled=no

  10. #10

    Quote Originally posted by renatosoa
    Would it be more or less like this??
    But I added the web-proxy port; without it I get a connection error on any site.
    And in case it is these rules below, either they didn't work or I wrote them wrong.
    Hey sosouteiro, thanks a lot man, keep it up, I'm really grateful !!! (Y)

    / ip web-proxy access
    add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
    disabled=no
    add src-address=175.25.50.0/32 dst-port=3128 action=allow comment="Accept \
    connection to proxy" disabled=no
    add src-address=175.25.100.0/32 dst-port=3128 action=allow comment="Accept \
    connection to proxy" disabled=no
    add dst-port=3128 action=deny comment="Block other connections to proxy" \
    disabled=no
    That's it; now, in that last rule, you have to specify the source IP 0.0.0.0: src-address 0.0.0.0

    You don't even need to specify the proxy port, that 3128 you're using.

  11. #11

    Whoa, this thing is nasty, because if I enable that I stop browsing and get that screen "ERROR The requested URL could not be retrieved"

  12. #12

    Quote Originally posted by renatosoa
    Whoa, this thing is nasty, because if I enable that I stop browsing and get that screen "ERROR The requested URL could not be retrieved"
    You have to review how your rules in the web-proxy are set up. If a block rule comes before an allow rule, the second one becomes useless.

    Oops! Your IPs are /32; if you want to apply the rule to the whole network it has to be /24.
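An added example, not from the thread, to make the two points in this reply concrete: a first-match evaluator for an access list in the style of `/ip web-proxy access`, run over the rules posted in #9 and over the same rules with the /24 masks from #12. `175.25.50.0/32` covers exactly one address (the network address itself), so every real client falls through to the final catch-all deny; and a deny placed ahead of the allows shadows them so they can never match. Two things here are assumptions about the access-list semantics rather than facts from the thread: `dst-port` is modelled as the port of the origin server the request targets, and a request that matches no rule is treated as allowed. The client addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    """One entry of a first-match access list, in evaluation order."""
    action: str                                  # "allow" or "deny"
    src: Optional[str] = None                    # source network in CIDR form; None matches any source
    dst_port: Optional[Tuple[int, int]] = None   # inclusive port range of the origin server (assumption)
    comment: str = ""


def rule_matches(rule: Rule, src_ip: str, dst_port: int) -> bool:
    if rule.src is not None:
        # strict=False so a CIDR with host bits set does not raise
        net = ipaddress.ip_network(rule.src, strict=False)
        if ipaddress.ip_address(src_ip) not in net:
            return False
    if rule.dst_port is not None:
        lo, hi = rule.dst_port
        if not lo <= dst_port <= hi:
            return False
    return True


def evaluate(rules: List[Rule], src_ip: str, dst_port: int) -> Tuple[str, str]:
    """First matching rule wins; 'allow' when nothing matches (assumed default)."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_port):
            return rule.action, rule.comment
    return "allow", "no rule matched (assumed default)"


def decide(rules: List[Rule], src_ip: str, dst_port: int = 80) -> str:
    return evaluate(rules, src_ip, dst_port)[0]


def hosts_covered(cidr: str) -> int:
    """How many addresses a src-address really covers: 1 for a /32, 256 for a /24."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


TELNET_SMTP_DENY = Rule("deny", dst_port=(23, 25), comment="block telnet & spam e-mail relaying")

# The list as posted in #9: /32 masks, so only 175.25.50.0 and 175.25.100.0 themselves are allowed.
AS_POSTED = [
    TELNET_SMTP_DENY,
    Rule("allow", src="175.25.50.0/32", comment="Accept connection to proxy"),
    Rule("allow", src="175.25.100.0/32", comment="Accept connection to proxy"),
    Rule("deny", comment="Block other connections to proxy"),
]

# The same list with the /24 masks suggested in #12.
FIXED = [
    TELNET_SMTP_DENY,
    Rule("allow", src="175.25.50.0/24", comment="Accept connection to proxy"),
    Rule("allow", src="175.25.100.0/24", comment="Accept connection to proxy"),
    Rule("deny", comment="Block other connections to proxy"),
]

# The catch-all deny moved ahead of the allows: the allows can never be reached.
SHADOWED = [TELNET_SMTP_DENY, FIXED[3], FIXED[1], FIXED[2]]


if __name__ == "__main__":
    client = "175.25.50.20"   # constructed: a wireless client inside 175.25.50.0/24
    print("as posted (/32) :", decide(AS_POSTED, client))   # deny
    print("fixed (/24)     :", decide(FIXED, client))       # allow
    print("deny first      :", decide(SHADOWED, client))    # deny
    print("outside address :", decide(FIXED, "10.9.8.7"))   # deny
    print("/32 covers", hosts_covered("175.25.50.0/32"),
          "address; /24 covers", hosts_covered("175.25.50.0/24"))
```

Running it reproduces the thread's failure: with the posted rules a real client such as `175.25.50.20` is denied by the last rule and the proxy answers with its error page, while the /24 version allows it and still denies addresses outside both ranges. When you change a ruleset like this on a live router, test with a host from each network and one from outside before walking away, since the evaluator stops at the first match and a single mis-ordered line silently changes the result for everyone.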