
Помогите настроить интерактивное TV Mikrotik

4 posts in this topic

Доброго времени суток, прошу помощи, товарищи!

Проблема: при включении любого телеканала в режиме "прямого эфира" - черный экран. При этом, если "отмотать" эфир на 5+ секунд назад - все хорошо, все показывает.

Линк из подъезда приходит в Mikrotik RB951G-2HnD, к нему по 2.4 по протоколу WDS подключен Mikrotik RB951Ui-2HnD и выведен в другую комнату, рядом с ним и приставка. Пробовал подключать к "головному" мику напрямую витухой - та же история. :(

 

Как побороть проблему?

Если нужен конфиг - опубликую )

Edited by Kostel

Судя по описанию, у вас не настроен мультикаст (он же IGMP-snooping). Проверьте, пожалуйста, его настройки (он должен быть включён). Если это не поможет, то напишите в личные сообщения номер лицевого счёта и ФИО владельца, будем детальней разбираться.


 


# Interface layer: three bridges, labels for the two ISP uplinks, two tunnels
# towards MAIN-BR and the interface list that the firewall treats as untrusted.
/interface bridge
# Loopback-style bridge; it carries the /32 address 100.64.1.2 further down.
add fast-forward=no mtu=1526 name=bridge-Lo0
# IPTV bridge: IGMP snooping enabled, spanning tree off (protocol-mode=none).
add fast-forward=no igmp-snooping=yes name=bridge-iptv protocol-mode=none
# Home LAN bridge.
add fast-forward=no name=bridge-local
/interface ethernet
# Only comments are set here: ether4 and ether5 are labelled as the ISP uplinks.
set [ find default-name=ether4 ] comment="-=network-int-ISP2-beeline=-"
set [ find default-name=ether5 ] comment="-=network-int-ISP1-onlime=-"
# No pptp-client entries follow this menu line in the export.
/interface pptp-client
/interface eoip
# EoIP tunnel protected by an IPsec secret; the secret and both endpoint
# addresses were redacted by the poster (xxx / xx.xx.xx.xx).
# NOTE(review): the redaction covers secrets and endpoints only; MAC addresses,
# SSIDs and the router identity elsewhere in this export still identify the site.
add allow-fast-path=no ipsec-secret=xxx local-address=xx.xx.xx.xx \
    mac-address=02:3A:AE:9C:A8:5E mtu=1526 name=eoip-tunnel-to-MAIN-BR \
    remote-address=xx.xx.xx.xx tunnel-id=0
/interface gre
# GRE tunnel to the same peer name, also with a (redacted) IPsec secret.
add allow-fast-path=no ipsec-secret=xxx local-address=xx.xx.xx.xx \
    name=gre-tunnel-to-MAIN-BR remote-address=xx.xx.xx.xx
/interface list
# Interface list used by every firewall rule below as the untrusted ISP zone.
add name="zone-int's-000-isp-untrust"
# Wireless: three security profiles, the physical 2.4 GHz AP and two virtual APs
# (guest network and the hidden WDS link that feeds bridge-iptv).
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Home profile: WPA2-PSK with dynamic keys; the key is redacted.
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=profile-wlan-home supplicant-identity="" \
    wpa2-pre-shared-key=xxx
# Guest profile: lists wpa-psk and wpa2-psk, but this export shows neither
# mode= nor a pre-shared key for it.
# NOTE(review): an export omits values left at their default, and the default
# profile mode is, to my knowledge, "none" - in that case authentication-types
# is not applied and the guest SSID is open. Confirm, and prefer
# mode=dynamic-keys with wpa2-psk only.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=\
    allowed name=profile-wlan-guest supplicant-identity=""
# Profile for the WDS bridge link: WPA2-PSK with dynamic keys; key redacted.
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=profile-wlan-bridge supplicant-identity="" \
    wpa2-pre-shared-key=xxx
/interface wireless
# Physical radio: 2.4 GHz b/g/n access point for the home SSID.
set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors \
    frequency=auto mode=ap-bridge nv2-preshared-key=xxx \
    security-profile=profile-wlan-home ssid=mkostelcev-home
# Virtual AP on wlan1 for guests; it uses profile-wlan-guest (see note above).
add disabled=no keepalive-frames=disabled mac-address=6E:3B:6B:9E:0C:81 \
    master-interface=wlan1 multicast-buffering=disabled name=wlan-guest \
    security-profile=profile-wlan-guest ssid=mkostelcev-guest wds-cost-range=0 \
    wds-default-cost=0
# Virtual AP for the link to the second router: hidden SSID, dynamic WDS whose
# links are placed into bridge-iptv, WPS disabled, multicast-helper=full
# (multicast is sent to clients as unicast frames).
# NOTE(review): hide-ssid does not protect the link; the protection here is the
# WPA2 key in profile-wlan-bridge.
add disabled=no hide-ssid=yes keepalive-frames=disabled mac-address=\
    6E:3B:6B:9E:0C:82 master-interface=wlan1 multicast-helper=full name=\
    wlan-with-mkostelcev-home-sw01 security-profile=profile-wlan-bridge ssid=\
    mkostelcev-bridge-sw01 wds-cost-range=0 wds-default-bridge=bridge-iptv \
    wds-mode=dynamic wps-mode=disabled
# Address pools, DHCP servers and bandwidth limits for the three local networks.
/ip pool
add name=pool-home ranges=192.168.1.2-192.168.1.50
add name=pool-wlan-guest ranges=192.168.2.2-192.168.2.50
add name=pool-iptv ranges=192.168.10.3-192.168.10.6
/ip dhcp-server
# Home LAN leases are served on bridge-local.
add address-pool=pool-home disabled=no interface=bridge-local name=\
    dhcp-srv-home
# Guest leases are served directly on the guest virtual AP.
add address-pool=pool-wlan-guest disabled=no interface=wlan-guest name=\
    dhcp-srv-wlan-guest
# IPTV leases are served on bridge-iptv with relay=192.168.10.2.
# NOTE(review): with a relay address set, this server presumably answers only
# requests relayed from 192.168.10.2 (the second router) - confirm a DHCP relay
# is actually running there.
add address-pool=pool-iptv disabled=no interface=bridge-iptv name=\
    dhcp-srv-home-sw01-iptv relay=192.168.10.2
/queue simple
# Limits the guest subnet to 10M/10M; the queue name says 20M.
add max-limit=10M/10M name=queue-limit-20M target=192.168.2.0/24
/queue type
# PCQ type classified by destination address at 10M; no queue in this export
# references it.
add kind=pcq name=pcq-download-10M pcq-classifier=dst-address \
    pcq-dst-address6-mask=64 pcq-rate=10M pcq-src-address6-mask=64
# Layer-3 basics: OSPF router id, bridge membership, zone membership, addresses,
# DHCP clients on the uplinks, DHCP network options and the router's resolver.
/routing ospf instance
set [ find default=yes ] router-id=100.64.1.2
/interface bridge port
# ether1-ether3 and wlan1 form the home LAN; the WDS virtual AP is the only
# port of bridge-iptv. wlan-guest is not bridged (it is routed on its own).
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=wlan1
add bridge=bridge-iptv interface=wlan-with-mkostelcev-home-sw01
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether1
/interface bridge settings
# Bridged traffic is also passed through the IP firewall chains.
set use-ip-firewall=yes
/interface list member
# Both ISP uplinks belong to the untrusted zone used by the firewall rules.
add interface=ether5 list="zone-int's-000-isp-untrust"
add interface=ether4 list="zone-int's-000-isp-untrust"
/ip address
add address=192.168.1.1/24 comment="-=home-net=-" interface=bridge-local \
    network=192.168.1.0
add address=192.168.2.1/24 comment="-=wlan-guest-net=-" interface=wlan-guest \
    network=192.168.2.0
add address=100.65.0.2/29 interface=eoip-tunnel-to-MAIN-BR network=\
    100.65.0.0
add address=100.64.1.2 interface=bridge-Lo0 network=100.64.1.2
add address=100.65.0.4/29 interface=gre-tunnel-to-MAIN-BR network=\
    100.65.0.0
# NOTE(review): the IPTV gateway address sits on the WDS virtual AP, which is a
# port of bridge-iptv, while the DHCP server and the IGMP proxy for this subnet
# are bound to bridge-iptv itself. An address on a bridge port is a common
# source of odd behaviour; it normally belongs on the bridge - confirm.
add address=192.168.10.1/29 interface=wlan-with-mkostelcev-home-sw01 network=\
    192.168.10.0
# NOTE(review): 1.0.0.1/30 on the ISP1 uplink looks like a placeholder or a
# redaction; ether5 also runs a DHCP client below - confirm.
add address=1.0.0.1/30 interface=ether5 network=1.0.0.0
/ip dhcp-client
# Both uplinks get their address by DHCP and ignore the ISP's DNS servers;
# ether4 (ISP2) does not install a default route.
add dhcp-options=hostname,clientid disabled=no interface=ether5 use-peer-dns=no
add add-default-route=no dhcp-options=hostname,clientid disabled=no interface=\
    ether4 use-peer-dns=no
/ip dhcp-server network
# Options handed to clients: the home network gets 100.127.0.2 plus two public
# resolvers, the guest and IPTV networks get only the public resolvers.
add address=192.168.1.0/24 comment="-=home-net=-" dns-server=\
    100.127.0.2,8.8.8.8,77.88.8.8 domain=mkostelcev-home gateway=192.168.1.1
add address=192.168.2.0/24 comment="-=wlan-guest-net=-" dns-server=\
    8.8.8.8,77.88.8.8 domain=mkostelcev-guest gateway=192.168.2.1
add address=192.168.10.0/29 dns-server=8.8.8.8,77.88.8.8 gateway=192.168.10.1
/ip dns
# Resolver used by the router itself; allow-remote-requests is not set in this
# export.
set cache-max-ttl=1d servers=8.8.8.8
# Static address lists referenced by the filter rules.
/ip firewall address-list
# "rfc-1918" holds the private ranges plus 100.64.0.0/10, which is the shared
# carrier-grade NAT range rather than an RFC 1918 block; the tunnel and loopback
# addresses of this router come from it.
add address=192.168.0.0/16 list=rfc-1918
add address=100.64.0.0/10 list=rfc-1918
add address=172.16.0.0/12 list=rfc-1918
add address=10.0.0.0/8 list=rfc-1918
# "trust-white-ip" holds two public DNS resolvers. The filter rules accept any
# input and forward traffic from the untrusted zone with these source addresses.
# NOTE(review): a source address is not proof of origin for connectionless
# traffic; replies from these resolvers are already covered by the
# established/related rules - confirm the blanket accept is needed.
add address=8.8.8.8 list=trust-white-ip
add address=77.88.8.8 list=trust-white-ip
# Filter rules, part 1: guest/home separation, IGMP, and the allow/deny lists.
# Rules are evaluated top to bottom, so their order is part of the policy.
/ip firewall filter
# Drops forwarded packets entering from bridge-local and leaving via wlan-guest.
# NOTE(review): that is the home -> guest direction, while the comment says
# guest -> home. Packets from wlan-guest towards bridge-local are not matched
# here and fall through to the rfc-1918 accept below (192.168.2.0/24 and
# 192.168.1.0/24 are both in that list). If guests must not reach the home
# network, the match would be in-interface=wlan-guest
# out-interface=bridge-local - confirm the intent.
add action=drop chain=forward comment="-=drop guest traffic to home network=-" \
    in-interface=bridge-local out-interface=wlan-guest
# Lets IGMP from the ISP side reach the router itself (needed by the IGMP proxy).
add action=accept chain=input comment="-=Allow IGMP (IPTV)=-" \
    in-interface-list="zone-int's-000-isp-untrust" protocol=igmp
# Accepts all forwarding between addresses in the rfc-1918 list, on any interface.
add action=accept chain=forward comment=\
    "-=default allow rule rfc-net don't change=-" dst-address-list=rfc-1918 \
    src-address-list=rfc-1918
# Accept everything from the untrusted zone whose source is in trust-white-ip,
# both to the router (input) and through it (forward).
add action=accept chain=input comment=\
    "-=default allow rule from white-ip don't change=-" in-interface-list=\
    "zone-int's-000-isp-untrust" src-address-list=trust-white-ip
add action=accept chain=forward comment=\
    "-=default allow rule from white-ip don't change=-" in-interface-list=\
    "zone-int's-000-isp-untrust" src-address-list=trust-white-ip
# Deny-list rules. The comments say "allow" but the action is drop.
# NOTE(review): they match dst-address-list, not src-address-list, so a packet
# coming FROM a listed address is not matched; and no trust-black-ip entries
# appear in this export - confirm both.
add action=drop chain=input comment=\
    "-=default allow rule from black-ip don't change=-" dst-address-list=\
    trust-black-ip in-interface-list="zone-int's-000-isp-untrust"
add action=drop chain=forward comment=\
    "-=default allow rule from black-ip don't change=-" dst-address-list=\
    trust-black-ip in-interface-list="zone-int's-000-isp-untrust"
# Filter rules, part 2: flood and port-scan detection on the input chain.
# None of these rules drops anything; they only fill the address lists "ddoser"
# (sources) and "ddosed" (destinations). The drop itself is the raw prerouting
# rule on src-address-list=ddoser.
# NOTE(review): entries stay for 1w3d30m and TCP flag packets can carry a forged
# source address, so a third party can get a legitimate address listed. Consider
# a shorter timeout and exempting known-good sources before the raw drop.
# New connections from the untrusted zone are sent through the block-ddos chain.
add action=jump chain=input comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-" \
    connection-state=new in-interface-list="zone-int's-000-isp-untrust" \
    jump-target=block-ddos
# block-ddos: return to the calling chain while the source/destination pair
# stays within the dst-limit (20 with burst 15).
add action=return chain=block-ddos comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-" \
    dst-limit=20,15,src-and-dst-addresses/10s in-interface-list=\
    "zone-int's-000-isp-untrust"
# Over the limit: record the destination in "ddosed" ...
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    1w3d30m chain=block-ddos comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-" \
    in-interface-list="zone-int's-000-isp-untrust"
# ... and the source in "ddoser".
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w3d30m chain=block-ddos comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-" \
    in-interface-list="zone-int's-000-isp-untrust"
# Lists a source once it holds more than 30 connections (counted per /32).
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w3d30m chain=input comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-" connection-limit=\
    30,32 in-interface-list="zone-int's-000-isp-untrust"
# Port-scan detector (psd) for TCP.
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w3d30m chain=input comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ddoser to list " \
    in-interface-list="zone-int's-000-isp-untrust" protocol=tcp psd=21,3s,3,1
# The remaining rules list sources that send TCP flag combinations which do not
# occur in normal traffic; each comment names the scan type it detects.
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w3d30m chain=input comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- NMAP FIN Stealth scan" \
    in-interface-list="zone-int's-000-isp-untrust" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w3d30m chain=input comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- SYN/FIN scan" \
    in-interface-list="zone-int's-000-isp-untrust" protocol=tcp tcp-flags=\
    fin,syn
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w3d30m chain=input comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- SYN/RST scan" \
    in-interface-list="zone-int's-000-isp-untrust" protocol=tcp tcp-flags=\
    syn,rst
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w3d30m chain=input comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- FIN/PSH/URG scan" \
    in-interface-list="zone-int's-000-isp-untrust" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w3d30m chain=input comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ALL/ALL scan" \
    in-interface-list="zone-int's-000-isp-untrust" protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w3d30m chain=input comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- NMAP NULL scan" \
    in-interface-list="zone-int's-000-isp-untrust" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
# Filter rules, part 3: services the router accepts from the untrusted ISP zone,
# followed by the stateful accepts and the final input drop for that zone.
# Every input rule in this export is scoped to the untrusted interface list, so
# traffic to the router from bridge-local, wlan-guest and the tunnels is not
# filtered by this chain.
# NOTE(review): WinBox (8291/tcp) is accepted from the ISP side without any
# source restriction. Management access is usually limited with a
# src-address-list of admin addresses or reached over the VPN instead.
add action=accept chain=input comment=\
    "-=default access WinBox rules don't change=-" dst-port=8291 \
    in-interface-list="zone-int's-000-isp-untrust" protocol=tcp
add action=accept chain=input comment=\
    "-=default access ICMP rules don't change=-" in-interface-list=\
    "zone-int's-000-isp-untrust" protocol=icmp
# VPN-related ports and protocols: SSTP, PPTP, L2TP, GRE, IKE, OpenVPN, NAT-T,
# ESP and AH.
# NOTE(review): no matching VPN server configuration is visible in this export;
# each accept that has no listener behind it is an opening without a purpose -
# confirm which of them are in use.
add action=accept chain=input comment=\
    "-=default access SSTP rules don't change=-" dst-port=443 \
    in-interface-list="zone-int's-000-isp-untrust" protocol=tcp
add action=accept chain=input comment=\
    "-=default access PPTP / L2TP rules don't change=-" dst-port=1723 \
    in-interface-list="zone-int's-000-isp-untrust" protocol=tcp
add action=accept chain=input comment=\
    "-=default access PPTP / L2TP rules don't change=-" dst-port=1701 \
    in-interface-list="zone-int's-000-isp-untrust" protocol=udp
add action=accept chain=input comment=\
    "-=default access PPTP rules don't change=-" in-interface-list=\
    "zone-int's-000-isp-untrust" protocol=gre
add action=accept chain=input comment=\
    "-=default access IPsec IKE / L2TP rules don't change=-" dst-port=500 \
    in-interface-list="zone-int's-000-isp-untrust" protocol=udp
add action=accept chain=input comment=\
    "-=default access OpenVPN rules don't change=-" dst-port=1194 \
    in-interface-list="zone-int's-000-isp-untrust" protocol=tcp
add action=accept chain=input comment=\
    "-=default access IPsec IKE rules don't change=-" dst-port=4500 \
    in-interface-list="zone-int's-000-isp-untrust" protocol=udp
add action=accept chain=input comment=\
    "-=default access IPsec ESP / L2TP rules don't change=-" in-interface-list=\
    "zone-int's-000-isp-untrust" protocol=ipsec-esp
add action=accept chain=input comment=\
    "-=default access IPsec AH rules don't change=-" in-interface-list=\
    "zone-int's-000-isp-untrust" protocol=ipsec-ah
# Stateful part: replies to traffic the router started are accepted, invalid
# packets are dropped.
add action=accept chain=input comment=\
    "-=default access established rules don't change=-" connection-state=\
    established in-interface-list="zone-int's-000-isp-untrust"
add action=accept chain=input comment=\
    "-=default access related rules don't change=-" connection-state=related \
    in-interface-list="zone-int's-000-isp-untrust"
add action=drop chain=input comment="-=default deny rules don't change=-" \
    connection-state=invalid in-interface-list="zone-int's-000-isp-untrust"
# Default deny for everything else arriving from the ISP side.
add action=drop chain=input comment="-=default deny rules don't change=-" \
    in-interface-list="zone-int's-000-isp-untrust"
# Filter rules, part 4: forward chain for traffic entering from the ISP zone.
# It mirrors the input chain: stateful accepts, flood/scan detection that only
# fills address lists, then dst-nat accept and the final drops.
# NOTE(review): no rule here accepts UDP to multicast destinations, so IPTV
# streams forwarded by the IGMP proxy from ether5 appear to depend on the
# stateful rules or end at the final drop. A one-way UDP stream may also keep
# matching connection-state=new and run through block-ddos - confirm that the
# ISP's stream sources are not ending up in the "ddoser" list.
add action=accept chain=forward comment=\
    "-=default access established rules don't change=-" connection-state=\
    established in-interface-list="zone-int's-000-isp-untrust"
add action=accept chain=forward comment=\
    "-=default access established rules don't change=-" connection-state=\
    related in-interface-list="zone-int's-000-isp-untrust"
# Second copy of the block-ddos chain rules (return / add-dst / add-src). They
# are appended to the same chain as the first copy; the list timeout here is
# 1w3d1h instead of 1w3d30m.
# NOTE(review): presumably a leftover duplicate - confirm and keep one set.
add action=return chain=block-ddos comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-" \
    dst-limit=20,15,src-and-dst-addresses/10s in-interface-list=\
    "zone-int's-000-isp-untrust"
# New forwarded connections from the ISP zone are sent through block-ddos.
add action=jump chain=forward comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-" \
    connection-state=new in-interface-list="zone-int's-000-isp-untrust" \
    jump-target=block-ddos
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    1w3d1h chain=block-ddos comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-" \
    in-interface-list="zone-int's-000-isp-untrust"
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w3d1h chain=block-ddos comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-" \
    in-interface-list="zone-int's-000-isp-untrust"
# Lists a source once it holds more than 50 forwarded connections (per /32).
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w3d30m chain=forward comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-" connection-limit=\
    50,32 in-interface-list="zone-int's-000-isp-untrust"
# Port-scan detector (psd) for forwarded TCP.
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w3d30m chain=forward comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ddoser to list " \
    in-interface-list="zone-int's-000-isp-untrust" protocol=tcp psd=21,3s,3,1
# TCP flag combinations that do not occur in normal traffic; each comment names
# the scan type it detects.
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w3d30m chain=forward comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- NMAP FIN Stealth sca\
    n" in-interface-list="zone-int's-000-isp-untrust" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w3d30m chain=forward comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- SYN/FIN scan" \
    in-interface-list="zone-int's-000-isp-untrust" protocol=tcp tcp-flags=\
    fin,syn
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w3d30m chain=forward comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- SYN/RST scan" \
    in-interface-list="zone-int's-000-isp-untrust" protocol=tcp tcp-flags=\
    syn,rst
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w3d30m chain=forward comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- FIN/PSH/URG scan" \
    in-interface-list="zone-int's-000-isp-untrust" protocol=tcp tcp-flags=\
    fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w3d30m chain=forward comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ALL/ALL scan" \
    in-interface-list="zone-int's-000-isp-untrust" protocol=tcp tcp-flags=\
    fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    1w3d30m chain=forward comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=\
    -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- NMAP NULL scan" \
    in-interface-list="zone-int's-000-isp-untrust" protocol=tcp tcp-flags=\
    !fin,!syn,!rst,!psh,!ack,!urg
# Accepts forwarded connections that were destination-NATed. No dst-nat rules
# appear in this export, but UPnP is enabled and can create them at run time.
add action=accept chain=forward comment=\
    "-=default access dst-nat rules don't change=-" connection-nat-state=dstnat \
    in-interface-list="zone-int's-000-isp-untrust"
# Drop invalid packets, then everything else forwarded from the ISP zone.
add action=drop chain=forward comment="-=default access rules don't change=-" \
    connection-state=invalid in-interface-list="zone-int's-000-isp-untrust"
add action=drop chain=forward comment="-=default access rules don't change=-" \
    in-interface-list="zone-int's-000-isp-untrust"
# Policy-routing marks, source NAT on both uplinks, the raw drop that enforces
# the "ddoser" list, and connection-tracking helpers.
/ip firewall mangle
# Traffic arriving on ether4 (ISP2) is marked for the main routing table.
add action=mark-routing chain=prerouting comment="-=mark-isp2-resources-IN=-" \
    in-interface=ether4 new-routing-mark=main passthrough=no
# Destinations in "my-resources" are routed via the tunnels, destinations in
# "access-via-isp2-beeline" via ISP2. Neither address list has entries in this
# export.
add action=mark-routing chain=prerouting comment=\
    "-=mark-my-resources-OUT=-" dst-address-list=my-resources \
    new-routing-mark=my-resources passthrough=no
add action=mark-routing chain=prerouting comment="-=mark-isp2-resources-OUT=-" \
    dst-address-list=access-via-isp2-beeline new-routing-mark=isp-2-beeline \
    passthrough=no
/ip firewall nat
# Masquerade everything leaving through either ISP uplink.
add action=masquerade chain=srcnat comment="-=network-int-ISP1-masquerade=-" \
    out-interface=ether5
add action=masquerade chain=srcnat comment="-=network-int-ISP2-masquerade=-" \
    out-interface=ether4
/ip firewall raw
# Enforcement point for the detection rules in the filter table: packets from
# the ISP zone whose source is in "ddoser" are dropped before connection
# tracking.
# NOTE(review): this runs ahead of every filter accept, including the
# trust-white-ip and established rules, so a wrongly listed address is cut off
# completely until its entry expires.
add action=drop chain=prerouting comment="=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-\
    =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-" \
    in-interface-list="zone-int's-000-isp-untrust" src-address-list=ddoser
/ip firewall service-port
# Connection-tracking helpers for these protocols are switched off.
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
# Routing tables, management services, UPnP, MPLS/LDP, BGP, IGMP proxy, OSPF
# networks and system settings.
/ip route
# Marked routes: "my-resources" prefers the EoIP tunnel (distance 1) over GRE
# (distance 2); "isp-2-beeline" goes to the ISP2 gateway.
add comment="-=route-for-access-my-resources=-" distance=1 gateway=\
    eoip-tunnel-to-MAIN-BR routing-mark=my-resources
add comment="-=route-for-access-my-resources=-" distance=2 gateway=\
    gre-tunnel-to-MAIN-BR routing-mark=my-resources
add comment="-=route-for-access-via-isp2=-" distance=1 gateway=89.178.168.1 \
    routing-mark=isp-2-beeline
/ip route vrf
add interfaces=ether4 routing-mark=isp-2-beeline
add interfaces=eoip-tunnel-to-MAIN-BR,gre-tunnel-to-MAIN-BR \
    routing-mark=my-resources
/ip service
# telnet, ftp, www and api-ssl are disabled.
# NOTE(review): ssh, api and winbox are not mentioned, so they keep whatever
# state they had (presumably enabled); no address= restriction is set on any
# service, and the input chain filters only the ISP zone - confirm which
# networks should be able to reach management.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api-ssl disabled=yes
/ip upnp
# NOTE(review): UPnP lets hosts on the internal side request inbound port
# mappings, and the forward chain accepts dst-nat'ed connections from the ISP
# zone. No /ip upnp interfaces entries appear in this export - confirm it is
# needed and limited to the trusted LAN, otherwise disable it.
set enabled=yes
/mpls interface
set [ find default=yes ] interface=bridge-Lo0 mpls-mtu=1526
add interface=gre-tunnel-to-MAIN-BR mpls-mtu=1526
add interface=eoip-tunnel-to-MAIN-BR mpls-mtu=1526
/mpls ldp
set enabled=yes lsr-id=100.64.1.2 transport-address=100.64.1.2
/mpls ldp interface
add interface=bridge-Lo0
add interface=eoip-tunnel-to-MAIN-BR
add interface=gre-tunnel-to-MAIN-BR
/routing bgp network
add network=192.168.1.0/25 synchronize=no
add network=100.64.1.0/30 synchronize=no
add network=100.65.0.0/30 synchronize=no
add network=100.65.1.0/30 synchronize=no
/routing bgp peer
# The iBGP peer is disabled; its ospf-in / ospf-out filters are not defined in
# this export.
add address-families=ip,l2vpn,l2vpn-cisco,vpnv4 disabled=yes in-filter=ospf-in \
    name=iBGP-with-MAIN-BR-Unitia out-filter=ospf-out remote-address=100.65.1.1 \
    remote-as=64600 ttl=default update-source=bridge-Lo0 use-bfd=yes
/routing igmp-proxy
set query-interval=1m quick-leave=yes
/routing igmp-proxy interface
# Upstream is the ISP1 uplink; alternative-subnets=0.0.0.0/0 accepts multicast
# sources from any subnet. Downstream is bridge-iptv.
add alternative-subnets=0.0.0.0/0 interface=ether5 upstream=yes
add interface=bridge-iptv
/routing ospf network
# NOTE(review): 192.168.1.0/24 puts the home LAN into the OSPF backbone, and no
# /routing ospf interface entries (passive mode, authentication) appear in this
# export - confirm that OSPF adjacencies cannot be formed from the home LAN.
add area=backbone network=100.64.1.2/32
add area=backbone network=192.168.1.0/24
add area=backbone network=100.65.0.0/28
/system clock
set time-zone-name=Europe/Moscow
/system identity
set name=mkostelcev-home-gw-01
/system routerboard settings
set silent-boot=no
/tool sniffer
set filter-interface=bridge-Lo0

 

 

Вот моя конфигурация.

Здесь, правда, для вас может быть много лишнего(BGP, MPLS, gre и eoip-туннели), но все же. 

IGMP-snooping настроен на бридже bridge-iptv, в который входит интерфейс wlan-with-....-sw01, к этому мику подключена приставка. IGMP-Proxy также настроен.


Решил в итоге проблему.

Оказывается, пограничник (первый мик, в который как раз и приходит кабель ОнЛайма), отказывался обновляться на новую версию ROS (была 6.42.6, к тому моменту вышла 6.42.7). То есть, жмешь "Download&Install", он перезагружается, и все равно версия оставалась старой.

Что сделал: запустил его в режиме PXE-загрузки, воспользовался NetInstall для того, чтобы отформатировать его внутреннюю память, накатил через него же начисто новую прошивку, сконфигурировал все заново - все завелось, проблемы исчезли)

Почему я так сделал? Ну, потому что, во-первых, "семь бед - один резет" (кстати, полный резет конфигурации не помогал), а во-вторых - раз сломалось, значит, где-то баг в работе ОС. Учитывая, что есть конфиг и бэкап, развернуть все заново не составит труда. Перекатил просто начисто, и все.

Спасибо, тему можно закрывать :)

Edited by Kostel