



    Redirecionamento de Portas Mikrotik PCC

    Boa tarde, amigos. Alguém poderia me ajudar a redirecionar portas? Estou errando em algum lugar; segue abaixo:
    Estou saturado de ideias: já testei várias configurações e o redirecionamento não funciona.
    Tenho um link bridge e outro com um modem roteado.




    # dec/23/2015 13:59:36 by RouterOS 6.34rc23
    # software id = TTFS-R1NF
    #
    # --- Interfaces ---
    # LAN bridge; its ports are attached in /interface bridge port further down.
    /interface bridge
    add name=Bridge
    # ether5 is renamed "local" and is the wired LAN port.
    /interface ethernet
    set [ find default-name=ether5 ] name=local
    # One PPPoE client per uplink. Both carry add-default-route=yes, so each one
    # installs its own default route on top of the explicit distance-2/3 defaults
    # in /ip route below.
    # NOTE(review): both PPPoE passwords are in clear text in this public post (the
    # forum only redacted the usernames); treat both accounts as exposed and have
    # the provider rotate them.
    # NOTE(review): pppoeNanoStation has no disabled= attribute while pppoeSpeedy
    # has disabled=no, so the ether2 client is presumably at the pppoe-client
    # default state on this release - confirm whether it is actually up.
    /interface pppoe-client
    add add-default-route=yes interface=ether2 max-mru=1480 max-mtu=1480 mrru=\
    1600 name=pppoeNanoStation password=linkbr [email protected]
    add add-default-route=yes disabled=no interface=ether1 max-mru=1480 max-mtu=\
    1480 mrru=1600 name=pppoeSpeedy password=linkbr [email protected]
    # WPA2-PSK profile for the access point; the pre-shared key was masked before
    # posting.
    /interface wireless security-profiles
    add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=\
    "Security Profile Agroleite" supplicant-identity="" wpa2-pre-shared-key=\
    **********
    # wlan1 runs as an AP (ap-bridge) on 2.4 GHz using the profile above and is
    # bridged into the LAN below; default-forwarding=no disables client-to-client
    # forwarding on the AP itself.
    /interface wireless
    set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce \
    default-forwarding=no dfs-mode=no-radar-detect disabled=no frequency=auto \
    frequency-mode=regulatory-domain mode=ap-bridge security-profile=\
    "Security Profile Agroleite" ssid=Agroleite wireless-protocol=802.11 \
    wmm-support=enabled
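    # --- Layer-7 patterns ---
    # Plain-substring regexps matched on forwarded TCP traffic. The mangle rules
    # below use bradesco/bancobrasil/internetbanking/itau/alelo to add bank
    # destinations to the sem_balance list so those sessions stay on one uplink.
    # google and ddns are defined here but not referenced by any rule in this
    # export.
    /ip firewall layer7-protocol
    add name=bradesco regexp=bradesco
    add name=itau regexp=itau
    add name=bancobrasil regexp=bancobrasil
    add name=internetbanking regexp=internetbanking
    # Fixed: the pattern was "goole", which never matches "google".
    add name=google regexp=google
    add name=ddns regexp=ddns
    add name=alelo regexp=alelo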
    # --- IPsec proposal, DHCP pool/server, queue, bridge ports, IP settings ---
    # Default IPsec proposal limited to AES-128-CBC; no IPsec peers appear in this
    # export, so this has no effect until one is added.
    /ip ipsec proposal
    set [ find default=yes ] enc-algorithms=aes-128-cbc
    # Dynamic leases come from .120-.150; the static leases further down (.130,
    # .134) fall inside this range.
    /ip pool
    add name=dhcp_pool ranges=192.168.1.120-192.168.1.150
    # DHCP is served on the bridge; add-arp=yes creates an ARP entry per lease.
    /ip dhcp-server
    add add-arp=yes address-pool=dhcp_pool disabled=no interface=Bridge \
    lease-time=2h name=DHCP
    # Queue for proxy cache hits. It only receives traffic while the
    # "CACHE HIT/Zaib" mangle rule sets packet-mark=cache-hits, and that rule is
    # disabled in this export.
    /queue tree
    add name="Full cache" packet-mark=cache-hits parent=global queue=default
    # Wired LAN (ether5/"local") and the AP are bridged together.
    /interface bridge port
    add bridge=Bridge interface=local
    add bridge=Bridge interface=wlan1
    /interface bridge settings
    set use-ip-firewall-for-vlan=yes
    # SYN cookies for TCP connections to the router's own services.
    /ip settings
    set tcp-syncookies=yes
    # --- Addressing, static leases, DHCP network, DNS ---
    # NOTE(review): the LAN address is on "local", which is a bridge port, while
    # the DHCP server and the mangle rules key on "Bridge"; an address normally
    # belongs on the bridge interface itself - confirm this is intended.
    /ip address
    add address=192.168.1.10/24 interface=local network=192.168.1.0
    # Uplink-side addresses: ether1 toward 192.168.10.0/24 and ether2 toward the
    # routed modem at 192.168.20.1 (see the gateway in /ip route).
    add address=192.168.10.2/24 interface=ether1 network=192.168.10.0
    add address=192.168.20.2/24 interface=ether2 network=192.168.20.0
    # Static, MAC-bound leases; both are inside the dynamic pool range.
    /ip dhcp-server lease
    add address=192.168.1.134 client-id=1:fc:aa:14:f7:e3:cb mac-address=\
    FC:AA:14:F7:E3:CB server=DHCP
    add address=192.168.1.130 client-id=1:28:cf:e9:9b:a4:79 mac-address=\
    28:CF:E9:9B:A4:79 server=DHCP
    # NOTE(review): clients are handed gateway 192.168.1.11, not this router's
    # 192.168.1.10. If .11 is another device, LAN hosts send their replies to
    # dst-nat'd connections through that device instead of this router, and the
    # port forwards below cannot work - confirm what .11 is.
    /ip dhcp-server network
    add address=192.168.1.0/24 dns-server=192.168.1.10,8.8.8.8,200.204.0.10 \
    gateway=192.168.1.11
    # NOTE(review): allow-remote-requests=yes makes the router answer DNS on every
    # interface, and the input chain has no final drop (that rule is disabled
    # further down), so the resolver is reachable from both uplinks unless
    # something upstream filters it. Restrict TCP/UDP 53 to the LAN in the filter.
    /ip dns
    set allow-remote-requests=yes cache-size=5048KiB servers="200.204.0.10,200.204\
    .0.138,208.67.222.222,8.8.8.8,208.67.220.220,200.221.11.98,200.176.2.10"
    # --- Address lists ---
    # sem_balance: destinations that must not be PCC-balanced (bank sites). The
    # "Sem Balance" mangle rule accepts them before the balancing jump, and the
    # layer-7 mangle rules add further entries dynamically.
    # The 200.155.0.0/16 entry already covers every 200.155.x.0 sub-range that
    # follows; those entries are redundant but harmless.
    /ip firewall address-list
    add address=200.155.0.0/16 comment=Bradesco list=sem_balance
    add address=200.155.80.0/20 list=sem_balance
    add address=200.155.80.0/23 list=sem_balance
    add address=177.92.208.0/20 list=sem_balance
    add address=200.155.82.0/23 list=sem_balance
    add address=200.155.84.0/23 list=sem_balance
    add address=200.155.86.0/24 list=sem_balance
    add address=200.155.87.0/24 list=sem_balance
    add address=200.155.88.0/23 list=sem_balance
    add address=200.155.90.0/23 list=sem_balance
    add address=200.155.92.0/24 list=sem_balance
    add address=200.155.93.0/24 list=sem_balance
    add address=200.155.94.0/23 list=sem_balance
    # libera_winbox: sources allowed to reach Winbox (8291). This static entry is
    # disabled, so the list is filled only by the port-knock rules in the filter.
    add address=192.168.1.111 disabled=yes list=libera_winbox
    # --- Filter ---
    # NOTE(review): there is no accept for connection-state=established,related
    # and no rule dropping new connections that arrive from the uplinks, in either
    # the input or the forward chain. Both chains end in the default accept (the
    # final "Drop everything else" rule is disabled), so the router's own services
    # and anything dst-nat'd are reachable from both WAN links unless a rule here
    # drops them explicitly.
    /ip firewall filter
    # Fasttrack candidates - all disabled in this export. The SQL rule also
    # matches src-address=0.0.0.0 (a single host address), so it would match
    # nothing useful even if enabled; "RDP Totvs" has no action, i.e. accept.
    add action=fasttrack-connection chain=forward comment=SQL disabled=yes \
    dst-port=1433 protocol=tcp src-address=0.0.0.0
    add chain=forward comment="RDP Totvs" disabled=yes dst-port=3389 protocol=tcp
    add action=fasttrack-connection chain=forward disabled=yes dst-port=1241 \
    protocol=tcp
    add action=fasttrack-connection chain=forward comment="RDP PC53" disabled=yes \
    dst-port=65099 protocol=tcp
    add action=fasttrack-connection chain=forward comment="Cameras Celular" \
    disabled=yes dst-port=34595-34599 protocol=tcp
    add action=fasttrack-connection chain=forward comment="Cameras CMS" disabled=\
    yes dst-port=34565-34569 protocol=tcp
    add action=fasttrack-connection chain=forward comment=Totvs disabled=yes \
    dst-port=1234-1243 protocol=tcp
    # Port knock for Winbox: TCP 2771 puts the source in "knock" for 15s, TCP 7127
    # from a knocked source grants libera_winbox for 15m, and only listed sources
    # reach 8291; everyone else is dropped.
    # NOTE(review): the knock sequence is now public through this post; change
    # the two knock ports.
    add action=add-src-to-address-list address-list=knock address-list-timeout=\
    15s chain=input dst-port=2771 protocol=tcp
    add action=add-src-to-address-list address-list=libera_winbox \
    address-list-timeout=15m chain=input dst-port=7127 protocol=tcp \
    src-address-list=knock
    add chain=input dst-port=8291 protocol=tcp src-address-list=libera_winbox
    add action=drop chain=input dst-port=8291 protocol=tcp
    add action=drop chain=forward connection-state=invalid
    # ICMP to the router: accept up to 30/s (burst 5), drop the rest.
    add chain=input comment="Aceita 30 mensagens ICMP por segundo" limit=30,5 \
    protocol=icmp
    add action=drop chain=input comment="Dropa todo ICMP" protocol=icmp
    add action=drop chain=input comment="Drop Invalid connections" \
    connection-state=invalid
    # Unreachable: every ICMP packet was already accepted or dropped by the two
    # rules above.
    add chain=input comment="Allow ICMP" protocol=icmp
    # NOTE(review): no action means accept, and 192.168.1.0 without a prefix is a
    # single host address. This reads like an anti-spoofing rule that was meant
    # to be action=drop with src-address=192.168.1.0/24; as written it accepts
    # and matches almost nothing - confirm the intent.
    add chain=input in-interface=!Bridge src-address=192.168.1.0
    # Bogon / loopback / multicast-and-reserved (224.0.0.0/3) drops on transit.
    add action=drop chain=forward src-address=0.0.0.0/8
    add action=drop chain=forward dst-address=0.0.0.0/8
    add action=drop chain=forward src-address=127.0.0.0/8
    add action=drop chain=forward dst-address=127.0.0.0/8
    add action=drop chain=forward src-address=224.0.0.0/3
    add action=drop chain=forward dst-address=224.0.0.0/3
    # The tcp/udp/icmp chains below are entered from forward only, so they filter
    # transit traffic, not traffic to the router itself.
    add action=jump chain=forward jump-target=tcp protocol=tcp
    add action=jump chain=forward jump-target=udp protocol=udp
    add action=jump chain=forward jump-target=icmp protocol=icmp
    add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
    add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 \
    protocol=tcp
    add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 \
    protocol=tcp
    add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
    add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
    add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
    add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 \
    protocol=tcp
    add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
    add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=\
    tcp
    # NOTE(review): DHCP runs over UDP; this TCP rule matches nothing relevant and
    # the udp chain has no DHCP rule - presumably protocol=udp was intended.
    add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
    add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
    add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 \
    protocol=udp
    add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 \
    protocol=udp
    add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
    add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
    add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=\
    udp
    # Transit ICMP: allow-list of types, everything else dropped.
    add chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
    add chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
    add chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
    add chain=icmp comment="host unreachable fragmentation required" \
    icmp-options=3:4 protocol=icmp
    add chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
    add chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
    add chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
    add chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
    add action=drop chain=icmp comment="deny all other types"
    # FTP brute-force blacklist, keyed on the router's own "530 Login incorrect"
    # replies: the dst-limit rule accepts the first failures, the next one lists
    # the peer for 3h. Dormant while the FTP service is disabled (see /ip service).
    add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
    add chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
    add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
    # SSH brute-force staging: stage1 -> stage2 -> stage3 -> blacklist (1w3d) on
    # repeated new connections to port 22 within 1m. Dormant while SSH is
    # disabled, but also blocks listed sources on transit ("downstream").
    add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
    add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
    # Port-scan detection (psd plus invalid TCP flag combinations); listed
    # sources are dropped on input for two weeks.
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Port scanners to list " \
    protocol=tcp psd=21,3s,3,1
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp \
    tcp-flags=fin,syn
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp \
    tcp-flags=syn,rst
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=\
    tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
    add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
    add action=drop chain=input comment="dropping port scanners" \
    src-address-list="port scanners"
    # Connection-limit / SYN-flood rules - all disabled in this export.
    add action=tarpit chain=input connection-limit=3,32 disabled=yes protocol=tcp \
    src-address-list=dos
    add action=add-src-to-address-list address-list=dos address-list-timeout=1d \
    chain=input comment="Suprimindo um ataque DoS" connection-limit=0,32 \
    disabled=yes protocol=tcp tcp-flags=syn
    add action=jump chain=forward comment="SYN Flood protect" connection-state=\
    new disabled=yes jump-target=SYN-Protect protocol=tcp tcp-flags=syn
    add chain=SYN-Protect connection-state=new disabled=yes limit=400,5 protocol=\
    tcp tcp-flags=syn
    add action=drop chain=SYN-Protect connection-state=new disabled=yes protocol=\
    tcp tcp-flags=syn
    # NOTE(review): disabled, so the input chain is default-accept. Before
    # enabling it, add accepts for connection-state=established,related and for
    # in-interface=Bridge above it, otherwise the router's own DNS/NTP replies
    # and LAN management are dropped too.
    add action=drop chain=input comment="Drop everything else" disabled=yes
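    # --- Mangle: PCC load balancing over ether1 (pppoeSpeedy) and ether2 ---
    # In mangle a rule with no action is "accept", which ends mangle processing
    # for that packet. The first four rules therefore exempt traffic from the
    # balancing below: bank destinations (sem_balance), LAN-local traffic, and
    # traffic toward the ether1-side and ether2-side networks.
    /ip firewall mangle
    add chain=prerouting comment="Sem Balance" dst-address-list=sem_balance \
    in-interface=Bridge
    add chain=prerouting comment=\
    "====================================================================" \
    dst-address=192.168.1.0/24 src-address=192.168.1.0/24
    add chain=prerouting dst-address=192.168.10.0/24 src-address=192.168.1.0/24
    # NOTE(review): /30 here versus the /24 assigned to ether2 in /ip address,
    # so only 192.168.20.0-.3 are exempted - confirm this is intended.
    add chain=prerouting dst-address=192.168.20.0/30 src-address=192.168.1.0/24
    # Connections that enter on an uplink are pinned to that uplink so the reply
    # leaves the same way it came in; the dst-nat port forwards depend on this.
    add action=mark-connection chain=prerouting comment=\
    "====================================================================" \
    connection-mark=no-mark in-interface=pppoeSpeedy new-connection-mark=\
    ether1_conn
    add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2 new-connection-mark=ether2_conn
    # LAN-originated traffic is classified in policy_router (below).
    add action=jump chain=prerouting comment=\
    "====================================================================" \
    in-interface=Bridge jump-target=policy_router
    # Connection mark -> routing mark for forwarded LAN traffic and for the
    # router's own output; the marked routing tables are in /ip route.
    add action=mark-routing chain=prerouting comment=\
    "====================================================================" \
    connection-mark=ether1_conn new-routing-mark=ether1_trafic src-address=\
    192.168.1.0/24
    add action=mark-routing chain=prerouting connection-mark=ether2_conn \
    new-routing-mark=ether2_trafic src-address=192.168.1.0/24
    add action=mark-routing chain=output connection-mark=ether1_conn \
    new-routing-mark=ether1_trafic
    add action=mark-routing chain=output connection-mark=ether2_conn \
    new-routing-mark=ether2_trafic
    # NOTE(review): no in-interface or connection-mark condition, so this also
    # re-marks inbound 3389 packets arriving from either uplink; the matching
    # dst-nat rules are disabled in this export.
    add action=mark-routing chain=prerouting dst-port=3389 new-routing-mark=\
    ether2_trafic protocol=tcp
    # PCC classifier: 1/3 of new LAN connections to ether1, 2/3 to ether2.
    # Fixed: these three rules had no connection-mark=no-mark condition, so every
    # packet of an already-marked connection - including a LAN host's replies to
    # a connection that entered via an uplink and was pinned above - was re-marked
    # by the PCC hash and could be routed out the other uplink. The condition
    # limits them to the first packet of a new connection, matching the two
    # uplink rules above.
    add action=mark-connection chain=policy_router comment=\
    "====================================================================" \
    connection-mark=no-mark dst-address-type=!local in-interface=Bridge \
    new-connection-mark=ether1_conn per-connection-classifier=\
    both-addresses-and-ports:3/0
    add action=mark-connection chain=policy_router connection-mark=no-mark \
    dst-address-type=!local in-interface=Bridge new-connection-mark=ether2_conn \
    per-connection-classifier=both-addresses-and-ports:3/1
    add action=mark-connection chain=policy_router connection-mark=no-mark \
    dst-address-type=!local in-interface=Bridge new-connection-mark=ether2_conn \
    per-connection-classifier=both-addresses-and-ports:3/2
    # Learn bank destinations: the destination of any forwarded TCP connection
    # matching one of the layer-7 patterns is added to sem_balance.
    # Fixed: dst-address-list takes a list name. "!192.168.1.0/24" referred to a
    # list that does not exist, so the negated match was true for every packet;
    # dst-address is the matcher that takes a prefix and excludes LAN
    # destinations as intended.
    add action=add-dst-to-address-list address-list=sem_balance chain=forward \
    comment=\
    "====================================================================" \
    dst-address=!192.168.1.0/24 layer7-protocol=bradesco protocol=tcp
    add action=add-dst-to-address-list address-list=sem_balance chain=forward \
    dst-address=!192.168.1.0/24 layer7-protocol=bancobrasil protocol=tcp
    add action=add-dst-to-address-list address-list=sem_balance chain=forward \
    dst-address=!192.168.1.0/24 layer7-protocol=internetbanking \
    protocol=tcp
    add action=add-dst-to-address-list address-list=sem_balance chain=forward \
    dst-address=!192.168.1.0/24 layer7-protocol=itau protocol=tcp
    add action=add-dst-to-address-list address-list=sem_balance chain=forward \
    disabled=yes dst-address=!192.168.1.0/24 dst-port=1234-1243 \
    protocol=tcp
    add action=add-dst-to-address-list address-list=sem_balance chain=forward \
    disabled=yes dst-address=!192.168.1.0/24 dst-port=1433 protocol=tcp
    add action=add-dst-to-address-list address-list=sem_balance chain=forward \
    dst-address=!192.168.1.0/24 layer7-protocol=alelo protocol=tcp
    # Marks proxy cache hits (DSCP 4, source port 3129) for the "Full cache"
    # queue; disabled in this export.
    add action=mark-packet chain=output comment="CACHE HIT/Zaib" disabled=yes \
    dscp=4 new-packet-mark=cache-hits passthrough=no protocol=tcp src-port=\
    3129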
    # --- NAT ---
    # Source NAT for both uplinks.
    /ip firewall nat
    add action=masquerade chain=srcnat out-interface=ether2
    add action=masquerade chain=srcnat out-interface=pppoeSpeedy
    # NOTE(review): disabled; looks like the hairpin-NAT rule LAN clients would
    # need to reach the forwarded ports via the public address. As written it
    # would also rewrite the source of every connection routed out the bridge,
    # including dst-nat'd ones, so the LAN servers would log the router's
    # address instead of the client's - narrow it before enabling.
    add action=masquerade chain=srcnat disabled=yes out-interface=Bridge
    # Transparent-proxy redirects (disabled). NOTE(review): LAN clients' outbound
    # HTTP enters on Bridge, not on ether2/ether1, so these could never match as
    # written - presumably in-interface=Bridge was intended.
    add action=redirect chain=dstnat disabled=yes dst-port=80 in-interface=ether2 \
    protocol=tcp src-address=192.168.1.0/24 to-ports=3129
    add action=redirect chain=dstnat disabled=yes dst-port=80 in-interface=ether1 \
    protocol=tcp src-address=192.168.1.0/24 to-ports=3129
    # Port forwards, one rule per uplink interface. For the ether2 rules the
    # routed modem at 192.168.20.1 must itself forward the port to 192.168.20.2
    # first (the reply in this thread makes the same point); otherwise the packet
    # never reaches this router. Replies are steered back out the uplink they
    # came in on by the connection marks set in /ip firewall mangle.
    # NOTE(review): 1433 (SQL Server) and the camera ports are exposed directly
    # on both uplinks; a VPN or a source restriction on these rules would reduce
    # the exposure.
    add action=dst-nat chain=dstnat dst-port=1433 in-interface=pppoeSpeedy \
    protocol=tcp to-addresses=192.168.1.94 to-ports=1433
    add action=dst-nat chain=dstnat dst-port=1433 in-interface=ether2 protocol=\
    tcp to-addresses=192.168.1.94 to-ports=1433
    add action=dst-nat chain=dstnat dst-port=34567 in-interface=pppoeSpeedy \
    protocol=tcp to-addresses=192.168.1.90 to-ports=34567
    add action=dst-nat chain=dstnat dst-port=34567 in-interface=ether2 protocol=\
    tcp to-addresses=192.168.1.90 to-ports=34567
    add action=dst-nat chain=dstnat dst-port=34596 in-interface=pppoeSpeedy \
    protocol=tcp to-addresses=192.168.1.90 to-ports=34596
    # RDP forwards - disabled.
    add action=dst-nat chain=dstnat disabled=yes dst-port=3389 in-interface=\
    pppoeSpeedy protocol=tcp to-addresses=192.168.1.50 to-ports=3389
    add action=dst-nat chain=dstnat disabled=yes dst-port=3389 in-interface=\
    ether2 protocol=tcp to-addresses=192.168.1.50 to-ports=3389
    # 65099 is translated to 8933 on the inside host.
    add action=dst-nat chain=dstnat dst-port=65099 in-interface=pppoeSpeedy \
    protocol=tcp to-addresses=192.168.1.111 to-ports=8933
    add action=dst-nat chain=dstnat dst-port=65099 in-interface=ether2 protocol=\
    tcp to-addresses=192.168.1.111 to-ports=8933
    add action=dst-nat chain=dstnat dst-port=34596 in-interface=ether2 protocol=\
    tcp to-addresses=192.168.1.90 to-ports=34596
    add action=dst-nat chain=dstnat dst-port=34566 in-interface=pppoeSpeedy \
    protocol=tcp to-addresses=192.168.1.9 to-ports=34566
    add action=dst-nat chain=dstnat dst-port=34566 in-interface=ether2 protocol=\
    tcp to-addresses=192.168.1.9 to-ports=34566
    add action=dst-nat chain=dstnat dst-port=34597 in-interface=pppoeSpeedy \
    protocol=tcp to-addresses=192.168.1.9 to-ports=34597
    add action=dst-nat chain=dstnat dst-port=34597 in-interface=ether2 protocol=\
    tcp to-addresses=192.168.1.9 to-ports=34597
    add action=dst-nat chain=dstnat dst-port=34568 in-interface=pppoeSpeedy \
    protocol=tcp to-addresses=192.168.1.7 to-ports=34568
    add action=dst-nat chain=dstnat dst-port=34568 in-interface=ether2 protocol=\
    tcp to-addresses=192.168.1.7 to-ports=34568
    add action=dst-nat chain=dstnat dst-port=34599 in-interface=pppoeSpeedy \
    protocol=tcp to-addresses=192.168.1.7 to-ports=34599
    add action=dst-nat chain=dstnat dst-port=34599 in-interface=ether2 protocol=\
    tcp to-addresses=192.168.1.7 to-ports=34599
    add action=dst-nat chain=dstnat dst-port=34598 in-interface=pppoeSpeedy \
    protocol=tcp to-addresses=192.168.1.18 to-ports=34598
    add action=dst-nat chain=dstnat dst-port=34598 in-interface=ether2 protocol=\
    tcp to-addresses=192.168.1.18 to-ports=34598
    add action=dst-nat chain=dstnat dst-port=34569 in-interface=pppoeSpeedy \
    protocol=tcp to-addresses=192.168.1.18 to-ports=34569
    add action=dst-nat chain=dstnat dst-port=34569 in-interface=ether2 protocol=\
    tcp to-addresses=192.168.1.18 to-ports=34569
    add action=dst-nat chain=dstnat dst-port=34595 in-interface=pppoeSpeedy \
    protocol=tcp to-addresses=192.168.1.15 to-ports=34595
    add action=dst-nat chain=dstnat dst-port=34595 in-interface=ether2 protocol=\
    tcp to-addresses=192.168.1.15 to-ports=34595
    add action=dst-nat chain=dstnat dst-port=34565 in-interface=pppoeSpeedy \
    protocol=tcp to-addresses=192.168.1.15 to-ports=34565
    add action=dst-nat chain=dstnat dst-port=34565 in-interface=ether2 protocol=\
    tcp to-addresses=192.168.1.15 to-ports=34565
    # NOTE(review): dst-port 1234-1245 (12 ports) is mapped onto to-ports
    # 1234-1241 (8 ports), so the mapping cannot be one-to-one; either make the
    # two ranges the same size or drop to-ports to keep the original port.
    add action=dst-nat chain=dstnat dst-port=1234-1245 in-interface=pppoeSpeedy \
    protocol=tcp to-addresses=192.168.1.50 to-ports=1234-1241
    add action=dst-nat chain=dstnat dst-port=1234-1245 in-interface=ether2 \
    protocol=tcp to-addresses=192.168.1.50 to-ports=1234-1241
    # --- Service ports, hotspot binding, proxy, routes ---
    # SIP connection-tracking helper on these ports.
    /ip firewall service-port
    set sip ports=5060,5061,20561
    # Disabled binding; no hotspot server appears in this export.
    /ip hotspot ip-binding
    add address=192.168.5.1 disabled=yes to-address=192.168.5.20
    # Web proxy on 3129 with an on-disk cache. Access is limited to the LAN by the
    # two access rules below (allow 192.168.1.0/24, deny everything else).
    # NOTE(review): src-address=192.168.1.13 is not an address this router holds
    # (only 192.168.1.10 is assigned), so the proxy's outgoing connections may
    # fail to bind to it - confirm.
    /ip proxy
    set cache-on-disk=yes cache-path=disk1 max-cache-size=2048KiB \
    max-client-connections=1000 max-server-connections=1000 port=3129 \
    src-address=192.168.1.13
    /ip proxy access
    add src-address=192.168.1.0/24
    add action=deny
    # Per-uplink tables selected by the routing marks set in mangle: ether1_trafic
    # via pppoeSpeedy, ether2_trafic via the modem at 192.168.20.1.
    /ip route
    add distance=1 gateway=pppoeSpeedy routing-mark=ether1_trafic
    add distance=1 gateway=192.168.20.1 routing-mark=ether2_trafic
    # Disabled host route for 192.168.1.50 in the ether2 table; appears to be a
    # leftover experiment.
    add disabled=yes distance=1 dst-address=192.168.1.50/32 gateway=ether2 \
    routing-mark=ether2_trafic scope=255
    # Main-table defaults at distance 2 and 3. Both PPPoE clients also install a
    # default route (add-default-route=yes), so the effective main default is
    # presumably the PPPoE-installed one while that session is up - verify in
    # /ip route print.
    add comment=NanoStation distance=2 gateway=192.168.20.1
    add comment=Agroleite distance=3 gateway=pppoeSpeedy
    # --- Management services, time, LEDs, updates, scheduled reboot ---
    # Telnet, FTP and SSH are off. www, api and winbox are not listed, so they
    # presumably keep their defaults and, with no final drop in the input chain,
    # are reachable from both uplinks; restrict them with an address= on each
    # service or with filter rules.
    /ip service
    set telnet disabled=yes
    set ftp disabled=yes
    set ssh disabled=yes
    /system clock
    set time-zone-name=America/Sao_Paulo
    /system leds
    set 0 leds=user-led type=interface-activity
    add interface=ether1 leds="" type=interface-activity
    add interface=ether2 leds="" type=interface-activity
    add interface=local leds=wlan-led type=interface-activity
    # NTP client. server-dns-names holds an IP address rather than a hostname;
    # harmless, since primary/secondary are set explicitly.
    /system ntp client
    set enabled=yes primary-ntp=200.160.0.8 secondary-ntp=200.189.40.8 \
    server-dns-names=8.8.8.8
    # NOTE(review): the router follows the release-candidate channel (the header
    # shows 6.34rc23); a production gateway is better kept on the stable channel.
    /system package update
    set channel=release-candidate
    # Daily reboot at 01:00 via the "reboot" script.
    # NOTE(review): both the job and the script carry almost every policy
    # (password, sensitive, sniff, ftp, ...); trim them to the policies the
    # script actually needs to run "/system reboot".
    /system scheduler
    add interval=1d name=exec_reboot on-event="/system script run reboot" policy=\
    reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    jan/01/1970 start-time=01:00:00
    /system script
    add name=reboot owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source=\
    "/system reboot"
    # Resource graphing enabled with defaults.
    /tool graphing resource
    add
    # Adds a RoMON port entry with defaults; whether RoMON itself is enabled is
    # set in /tool romon, which is not part of this export.
    /tool romon port
    add


    Re: Redirecionamento de Portas Mikrotik PCC

    É necessário fazer o redirecionamento primeiro no concentrador para o IP do cliente e depois do balance para o concentrador. Você usa o quê aí, PPPoE?