Início
boa tarde a todos
temos uma RB751G-2HnD v5.23 para uso interno na empresa, com a ajuda de
muitos tutorias disponibilizados fiz a configuração inclusive com
balanceamento de carga.
Minha dificuldade está que preciso acessar um cliente remoto externo a
minha rede através do RDP e não estou conseguindo, me retorna a mensagem
de que o cliente está desligado, mas não está, por outra conexão acesso
normalmente.
Segue config firewall, não sei se ajuda, mas:
/ip firewall layer7-protocol
add name=redes regexp=facebook.com
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no
add action=drop chain=input comment="bloqueio do proxy externo" disabled=no \
dst-port=8080 in-interface=ether1-TdKom protocol=tcp
add action=drop chain=input disabled=no dst-port=8080 in-interface=\
ether2-Embratel protocol=tcp
add action=drop chain=forward comment="bloquear comunica\E7\E3o entre redes" \
disabled=no dst-address=192.168.10.64/29 src-address=192.168.1.0/24
add action=drop chain=forward comment=\
"bloquear comunica\E7\E3o entre redes externas" disabled=yes \
in-interface=ether1-TdKom out-interface=ether2-Embratel
add action=drop chain=forward disabled=yes in-interface=ether2-Embratel \
out-interface=ether1-TdKom
add action=drop chain=forward comment="bloquear redes porta 443 https" \
disabled=no layer7-protocol=redes
/ip firewall mangle
add action=mark-connection chain=prerouting comment=p2p disabled=no \
new-connection-mark=p2p_conn p2p=all-p2p passthrough=yes
add action=mark-packet chain=prerouting connection-mark=p2p_conn disabled=no \
new-packet-mark=p2p passthrough=yes
add action=mark-connection chain=prerouting comment=voip disabled=no \
new-connection-mark=Voip passthrough=yes protocol=udp src-port=\
60000-60100
add action=mark-connection chain=prerouting disabled=no new-connection-mark=\
Voip passthrough=yes protocol=udp src-port=5060-5062
add action=mark-connection chain=prerouting disabled=no dscp=63 \
new-connection-mark=Voip passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Voip disabled=no \
new-packet-mark=Voip passthrough=yes
add action=change-dscp chain=prerouting connection-mark=Voip disabled=no \
new-dscp=63 passthrough=yes
add action=mark-connection chain=prerouting disabled=no dst-address=\
192.168.10.66 new-connection-mark=Voip passthrough
add action=mark-connection chain=input comment=balance
in-interface=ether1-TdKom new-connection-mark=wan1
add action=mark-connection chain=input disabled=no in-
ether2-Embratel new-connection-mark=wan2_conn pass
add action=mark-routing chain=output connection-mark=w
new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=output connection-mark=w
new-routing-mark=to_wan2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="default co
yes out-interface=ether2-Embratel to-addresses=0.0
add action=masquerade chain=srcnat comment="default co
yes out-interface=ether1-TdKom to-addresses=0.0.0.
add action=masquerade chain=srcnat disabled=no out-int
add action=masquerade chain=srcnat disabled=no out-int
add action=redirect chain=dstnat comment="redirecionar
disabled=no dst-port=80 in-interface=bridge1 proto
add action=dst-nat chain=dstnat comment="redirecionar
dst-port=3389 protocol=tcp to-addresses=192.168.10
add action=dst-nat chain=dstnat comment=cameras disabl
protocol=tcp to-addresses=192.168.10.76 to-ports=8
add action=dst-nat chain=dstnat disabled=no dst-port=6
to-addresses=192.168.10.76 to-ports=6036
add action=dst-nat chain=dstnat comment=FTP disabled=n
tcp to-addresses=192.168.10.75 to-ports=21
add action=dst-nat chain=dstnat disabled=no dst-port=2
to-addresses=192.168.10.75 to-ports=20
add action=dst-nat chain=dstnat comment="PABX, pelo se
dst-port=61080 protocol=tcp to-add
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 si
set pptp disabled=no
temos uma RB751G-2HnD v5.23 para uso interno na empresa, com a ajuda de
muitos tutorias disponibilizados fiz a configuração inclusive com
balanceamento de carga.
Minha dificuldade está que preciso acessar um cliente remoto externo a
minha rede através do RDP e não estou conseguindo, me retorna a mensagem
de que o cliente está desligado, mas não está, por outra conexão acesso
normalmente.
Segue config firewall, não sei se ajuda, mas:
/ip firewall layer7-protocol
add name=redes regexp=facebook.com
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
protocol=icmp
add action=accept chain=input comment="default configuration" \
connection-state=established disabled=no
add action=accept chain=input comment="default configuration" \
connection-state=related disabled=no
add action=drop chain=input comment="bloqueio do proxy externo" disabled=no \
dst-port=8080 in-interface=ether1-TdKom protocol=tcp
add action=drop chain=input disabled=no dst-port=8080 in-interface=\
ether2-Embratel protocol=tcp
add action=drop chain=forward comment="bloquear comunica\E7\E3o entre redes" \
disabled=no dst-address=192.168.10.64/29 src-address=192.168.1.0/24
add action=drop chain=forward comment=\
"bloquear comunica\E7\E3o entre redes externas" disabled=yes \
in-interface=ether1-TdKom out-interface=ether2-Embratel
add action=drop chain=forward disabled=yes in-interface=ether2-Embratel \
out-interface=ether1-TdKom
add action=drop chain=forward comment="bloquear redes porta 443 https" \
disabled=no layer7-protocol=redes
/ip firewall mangle
add action=mark-connection chain=prerouting comment=p2p disabled=no \
new-connection-mark=p2p_conn p2p=all-p2p passthrough=yes
add action=mark-packet chain=prerouting connection-mark=p2p_conn disabled=no \
new-packet-mark=p2p passthrough=yes
add action=mark-connection chain=prerouting comment=voip disabled=no \
new-connection-mark=Voip passthrough=yes protocol=udp src-port=\
60000-60100
add action=mark-connection chain=prerouting disabled=no new-connection-mark=\
Voip passthrough=yes protocol=udp src-port=5060-5062
add action=mark-connection chain=prerouting disabled=no dscp=63 \
new-connection-mark=Voip passthrough=yes
add action=mark-packet chain=prerouting connection-mark=Voip disabled=no \
new-packet-mark=Voip passthrough=yes
add action=change-dscp chain=prerouting connection-mark=Voip disabled=no \
new-dscp=63 passthrough=yes
add action=mark-connection chain=prerouting disabled=no dst-address=\
192.168.10.66 new-connection-mark=Voip passthrough
add action=mark-connection chain=input comment=balance
in-interface=ether1-TdKom new-connection-mark=wan1
add action=mark-connection chain=input disabled=no in-
ether2-Embratel new-connection-mark=wan2_conn pass
add action=mark-routing chain=output connection-mark=w
new-routing-mark=to_wan1 passthrough=yes
add action=mark-routing chain=output connection-mark=w
new-routing-mark=to_wan2 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="default co
yes out-interface=ether2-Embratel to-addresses=0.0
add action=masquerade chain=srcnat comment="default co
yes out-interface=ether1-TdKom to-addresses=0.0.0.
add action=masquerade chain=srcnat disabled=no out-int
add action=masquerade chain=srcnat disabled=no out-int
add action=redirect chain=dstnat comment="redirecionar
disabled=no dst-port=80 in-interface=bridge1 proto
add action=dst-nat chain=dstnat comment="redirecionar
dst-port=3389 protocol=tcp to-addresses=192.168.10
add action=dst-nat chain=dstnat comment=cameras disabl
protocol=tcp to-addresses=192.168.10.76 to-ports=8
add action=dst-nat chain=dstnat disabled=no dst-port=6
to-addresses=192.168.10.76 to-ports=6036
add action=dst-nat chain=dstnat comment=FTP disabled=n
tcp to-addresses=192.168.10.75 to-ports=21
add action=dst-nat chain=dstnat disabled=no dst-port=2
to-addresses=192.168.10.75 to-ports=20
add action=dst-nat chain=dstnat comment="PABX, pelo se
dst-port=61080 protocol=tcp to-add
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 si
set pptp disabled=no
firewall.txt 
