Orange Livebox behind a third-party Mikrotik router with working VoIP
Second part
The second part of this howto is available here: Mikrotik – QoS for VoIP on Orange FTTH
Objectives
- Avoid the Internet outages that Orange's default router (Livebox) causes during the day
- More customised control over the Internet connection
- Keep using the VoIP service provided by the Orange Livebox
Differences from other howtos
- The public interface of the Mikrotik router is secured. (Other howtos overlook the fact that they leave the public interface open. That is, if we do not change the password, someone can get into the Mikrotik over ssh from outside.)
- It is on a single page, so you do not have to work out which forum post is the right one
- Based on the 192.168.1.1/24 network (kept because it was inherited from a Telefónica / Movistar ADSL network)
- QoS for VoIP (In the end this was not actually implemented, but a howto of this kind really ought to configure the Mikrotik so that this traffic has priority over the rest.)
- As far as possible, the individual steps are explained, rather than this being a plain «copy and paste all the commands»
- The Mikrotik is accessed over ssh instead of winbox or similar utilities
- SIP passwords are not extracted from the Livebox in order to replace it with a VoIP device
Physical architecture before the improvement
- LiveBox connected through its «Fibra jack» to the ONT (optical network terminal). (The ONT model is ONT F601.)
- PCs and VoIP clients connected to «jack 1», «jack 2», «jack 3», «jack 4» and «jack 5» of the LiveBox
Physical architecture after the improvement
- Mikrotik connected through «port 2» to the ONT
- Livebox connected through its «Fibra jack» to «port 24» of the Mikrotik
- Livebox connected through «jack 1» to «port 2» of the Mikrotik
- PCs and VoIP clients connected to «jack 2», «jack 3» and «jack 4» of the Mikrotik
Logical architecture before the improvement
- All PCs and VoIP clients use 192.168.1.1 as their gateway, which is the IP assigned to the Livebox
- The VoIP clients connect to 192.168.1.1 (Livebox)
- The Mikrotik does not exist on the network
- The Livebox has the IP 192.168.1.1 (configured on its LAN ports)
- The Livebox has the public IP (on its Fibra jack)
- The Livebox offers DHCP to the network
Logical architecture after the improvement
- All PCs and VoIP clients use 192.168.1.1 as their gateway, which is the IP assigned to the Mikrotik
- The VoIP clients connect to 192.168.1.2 (Livebox)
- The Mikrotik has the IP 192.168.1.1 (on its ports 2, 3 and 4)
- The Mikrotik has the public IP (on its port 1)
- The Mikrotik has the IP 192.168.99.1 (on its port 5)
- The Livebox has the IP 192.168.1.2 (configured on its LAN ports)
- The Livebox has the IP 192.168.99.2 (on its Fibra jack)
- The Livebox does NOT offer DHCP to the network
- The Mikrotik offers DHCP to the network
Materials
- Livebox
- Mikrotik CRS125-24G-1S-RM (also applicable to the Mikrotik 750 and other models)
- PC with a network card that has an RJ-45 ethernet jack
- VoIP device (optional if we can use the PC)
- Network cable (at least 4 cables)
How to connect to the Livebox
- We can connect by cable
- We can connect over wifi
- For convenience, the PC should be configured with a static IP in the same range as the Livebox.
- Open a web browser and point it at the IP the Livebox has at that moment, for example: http://192.168.1.1/
How to connect to the Mikrotik
- We can only connect by cable (this model has no wifi). Even if it had wifi, connecting by cable is still the recommended option.
- For convenience, the PC should be configured with a static IP in the same range as the Mikrotik.
- Open an SSH client (putty on Windows) and point it at the IP the Mikrotik has at that moment, with the user admin. For example: admin@192.168.88.1 .
- We connect to port 2
We will now describe how we configure the Mikrotik.
PC network configuration
To connect to the router we have to configure our PC's network so that it can talk to it. Remember that the Mikrotik's default IP is 192.168.88.1 .
IP: 192.168.88.10
Netmask: 255.255.255.0
service network-manager stop
ifconfig eth0 192.168.88.10 netmask 255.255.255.0
Initial connection to the Mikrotik
We connect to the router over ssh on port 3.
ssh -p 22 admin@192.168.88.1
We accept the key.
Something like this appears:
  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS X.YY.Z (c) 1999-2016       http://www.mikrotik.com/

[?]             Gives the list of available commands
command [?]     Gives help on the command and list of arguments

[Tab]           Completes the command/word. If the input is ambiguous,
                a second [Tab] gives possible options

/               Move up to base level
..              Move up one level
/command        Use command at the base level
The following default configuration has been installed on your router:
-------------------------------------------------------------------------------
Switch mode:
 * all interfaces switched;
 * IP address 192.168.88.1/24 is set on LAN port
LAN Configuration:
    switch group: ether1 (master), ether2, ether3, ether4, ether5, ether6,
        ether7, ether8, ether9, ether10, ether11, ether12, ether13, ether14,
        ether15, ether16, ether17, ether18, ether19, ether20, ether21,
        ether22, ether23, ether24, sfp1
-------------------------------------------------------------------------------
You can type "v" to see the exact commands that are used to add and remove
this default configuration, or you can view them later with
'/system default-configuration print' command.
To remove this default configuration type "r" or hit any other key to continue.
If you are connected using the above IP and you remove it, you will be disconnected.
Press any key to continue.
Now, for convenience, we take a dump of the current configuration.
/export file=dump_inicial_20170522
With scp (from the PC) we can retrieve this dump.
scp -P 22 admin@192.168.88.1:dump_inicial_20170522.rsc .
VLAN 832 configuration for the ONT
Since all ports are bridged with ether1-master by default, we will configure VLAN 832 on port 2. This lets us talk to Orange's ONT.
It will also make it simpler, later on, to give the router the 192.168.1.X network configuration.
For the Mikrotik to talk to Orange, configuring VLAN 832 is not enough; it also has to be configured as a DHCP client on that VLAN.
First we detach port 2.
/interface ethernet set [ find default-name=ether2 ] master-port=none
We define the VLAN on it.
/interface vlan add interface=ether2 name=ether2-vlan832 vlan-id=832
And we configure the DHCP client.
/ip dhcp-client add dhcp-options=hostname,clientid disabled=no interface=ether2-vlan832
New 192.168.1.X network
First we add an extra network to the Mikrotik.
/ip address add address=192.168.1.1/24 interface=ether1-master network=192.168.1.0
Now we disconnect from our Mikrotik router.
/quit
We configure our PC to use:
IP: 192.168.1.10
Netmask: 255.255.255.0
ifconfig eth0 192.168.1.10 netmask 255.255.255.0
and now connect with:
ssh -p 22 admin@192.168.1.1
(At this point we accept the ssh key.)
Now we can remove the default network.
/ip address print
shows us:
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    ether1-master
 1   192.168.1.1/24     192.168.1.0     ether1-master
There we can see that the default network is entry 0. We remove it.
/ip address remove 0
which leaves us with:
/ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   192.168.1.1/24     192.168.1.0     ether1-master
We also configure DHCP on this network, because the Mikrotik itself will be the DHCP server.
/ip pool add name=dhcp_pool1 ranges=192.168.1.30-192.168.1.250
/ip dhcp-server add address-pool=dhcp_pool1 disabled=no interface=ether1-master lease-time=3d
/ip dhcp-server network add address=192.168.1.0/24 dns-server=62.36.225.150,62.37.228.20 gateway=\
    192.168.1.1
Port 24 (port 5 on smaller routers) for the Livebox
This port needs VLAN 832 and must also offer a DHCP server to the Livebox.
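# Detach the port from the switch group
/interface ethernet set [ find default-name=ether24 ] master-port=none
# VLAN
/interface vlan add interface=ether24 name=ether24-vlan832 vlan-id=832
# Mikrotik address on this VLAN (192.168.99.1, as in the logical architecture
# and in the 750 reference configuration); the DHCP server below needs it
/ip address add address=192.168.99.1/24 interface=ether24-vlan832 network=192.168.99.0
# DHCP server
/ip pool add name=dhcp_pool2 ranges=192.168.99.2
/ip dhcp-server add address-pool=dhcp_pool2 disabled=no interface=ether24-vlan832 lease-time=3d
/ip dhcp-server network add address=192.168.99.0/24 gateway=192.168.99.1
Reaching the Internet through the ONT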
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether2-vlan832
Firewall for the Internet
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment=\
    "Drop de todo lo que viene desde nuestra WAN" in-interface=ether2-vlan832
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "Drop de todo lo que viene de la WAN que no esta DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether2-vlan832
Restoring the network on the configuration PC
Optionally we can run:
service network-manager start
Change the password
/user set 0 password="MuYSecr3to"
Disable access methods other than ssh (optional)
/ip service
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
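The check below is an added example, not part of the original howto: a Python script that reads a RouterOS export (such as the .rsc file fetched with scp earlier) and verifies the hardening steps above, namely the input drop on the WAN interface and the disabled management services. The function names and both sample configurations are constructed for illustration, and it assumes a plain export, which lists only non-default settings.

```python
import re
import shlex

VERBS = {"add", "set", "remove"}
# Services the howto disables under "/ip service". Assumption: a plain export
# lists only non-default settings, so a service with no line is still enabled.
SERVICES = ("telnet", "www", "api", "winbox", "api-ssl")
NOT_MATCHERS = {"action", "chain", "comment", "in-interface", "disabled"}

def parse_export(text):
    """Return [(menu, verb, positional_args, properties)] from export text."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join "\" line continuations
    menu, commands = "", []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)
        if tokens[0].startswith("/"):  # bare menu line, or menu + command
            cut = next((i for i, t in enumerate(tokens) if t in VERBS), len(tokens))
            menu, tokens = " ".join(tokens[:cut]), tokens[cut:]
            if not tokens:
                continue
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        args = [t for t in tokens[1:] if "=" not in t]
        commands.append((menu, tokens[0], args, props))
    return commands

def audit(text, wan):
    """Return a list of findings about the router's own (input) exposure."""
    commands = parse_export(text)
    findings, protected = [], False
    for menu, verb, _, rule in commands:
        if ((menu, verb, rule.get("chain")) != ("/ip firewall filter", "add", "input")
                or rule.get("disabled") == "yes"):
            continue
        action = rule.get("action", "accept")  # RouterOS default action
        on_wan = rule.get("in-interface", wan) == wan  # unset = any interface
        if action == "drop" and on_wan and not set(rule) - NOT_MATCHERS:
            protected = True  # rules below this one never see WAN traffic
            break
        states = set(rule.get("connection-state", "new").split(","))
        if (action == "accept" and on_wan and rule.get("protocol") != "icmp"
                and not states <= {"established", "related"}):
            findings.append("input accept reachable from WAN: %s"
                            % rule.get("comment", sorted(rule.items())))
    if not protected:
        findings.append("no unconditional input drop for in-interface=%s" % wan)
    off = {args[0] for menu, verb, args, props in commands if menu == "/ip service"
           and verb == "set" and args and props.get("disabled") == "yes"}
    findings += ["service %s is enabled" % s for s in SERVICES if s not in off]
    return findings

WAN = "ether2-vlan832"
# Constructed sample 1: the input rules and service settings from this howto.
HARDENED = r'''
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment=\
    "Drop de todo lo que viene desde nuestra WAN" in-interface=ether2-vlan832
/ip service
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
'''
# Constructed sample 2: NAT towards the WAN but no input drop, one service off.
OPEN = r'''
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether2-vlan832
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip service
set telnet disabled=yes
'''

if __name__ == "__main__":
    print(audit(HARDENED, WAN) or "OK", audit(OPEN, WAN), sep="\n")
```

An empty list means the export matches the hardening described here; the check looks only at the input chain, so forwarded traffic and port forwards are outside its scope.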
Disconnect and reconnect everything
We shut down with:
/system shutdown
and press y to confirm.
Now we can place the router in its final location.
- The test PC (which this time should be configured as a normal DHCP client) is connected to port 3 of the Mikrotik.
- The ONT is connected to port 2 of the Mikrotik.
- Livebox connected through its «Fibra jack» to «port 24» of the Mikrotik.
Possible improvements
- Prioritised VoIP traffic
- Router firmware update
Reference – Mikrotik configuration – Initial dump
# jan/02/1970 00:46:30 by RouterOS X.YY.Z
# software id = LLYC-IDAG
#
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master
set [ find default-name=ether2 ] master-port=ether1-master
set [ find default-name=ether3 ] master-port=ether1-master
set [ find default-name=ether4 ] master-port=ether1-master
set [ find default-name=ether5 ] master-port=ether1-master
set [ find default-name=ether6 ] master-port=ether1-master
set [ find default-name=ether7 ] master-port=ether1-master
set [ find default-name=ether8 ] master-port=ether1-master
set [ find default-name=ether9 ] master-port=ether1-master
set [ find default-name=ether10 ] master-port=ether1-master
set [ find default-name=ether11 ] master-port=ether1-master
set [ find default-name=ether12 ] master-port=ether1-master
set [ find default-name=ether13 ] master-port=ether1-master
set [ find default-name=ether14 ] master-port=ether1-master
set [ find default-name=ether15 ] master-port=ether1-master
set [ find default-name=ether16 ] master-port=ether1-master
set [ find default-name=ether17 ] master-port=ether1-master
set [ find default-name=ether18 ] master-port=ether1-master
set [ find default-name=ether19 ] master-port=ether1-master
set [ find default-name=ether20 ] master-port=ether1-master
set [ find default-name=ether21 ] master-port=ether1-master
set [ find default-name=ether22 ] master-port=ether1-master
set [ find default-name=ether23 ] master-port=ether1-master
set [ find default-name=ether24 ] master-port=ether1-master
set [ find default-name=sfp1 ] master-port=ether1-master
/interface ethernet switch port
set 0 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 1 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 2 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 3 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 4 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 5 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 6 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 7 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 8 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 9 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 10 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 11 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 12 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 13 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 14 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 15 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 16 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 17 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 18 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 19 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 20 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 21 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 22 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 23 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 24 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 25 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
/ip address
add address=192.168.88.1/24 comment=defconf interface=ether1-master network=\
    192.168.88.0
/system routerboard settings
set boot-device=flash-boot protected-routerboot=disabled
Reference – Final Mikrotik configuration
# jan/02/1970 03:12:33 by RouterOS X.YY.Z
# software id = LLYC-IDAG
#
/interface ethernet
set [ find default-name=ether1 ] name=ether1-master
set [ find default-name=ether3 ] master-port=ether1-master
set [ find default-name=ether4 ] master-port=ether1-master
set [ find default-name=ether5 ] master-port=ether1-master
set [ find default-name=ether6 ] master-port=ether1-master
set [ find default-name=ether7 ] master-port=ether1-master
set [ find default-name=ether8 ] master-port=ether1-master
set [ find default-name=ether9 ] master-port=ether1-master
set [ find default-name=ether10 ] master-port=ether1-master
set [ find default-name=ether11 ] master-port=ether1-master
set [ find default-name=ether12 ] master-port=ether1-master
set [ find default-name=ether13 ] master-port=ether1-master
set [ find default-name=ether14 ] master-port=ether1-master
set [ find default-name=ether15 ] master-port=ether1-master
set [ find default-name=ether16 ] master-port=ether1-master
set [ find default-name=ether17 ] master-port=ether1-master
set [ find default-name=ether18 ] master-port=ether1-master
set [ find default-name=ether19 ] master-port=ether1-master
set [ find default-name=ether20 ] master-port=ether1-master
set [ find default-name=ether21 ] master-port=ether1-master
set [ find default-name=ether22 ] master-port=ether1-master
set [ find default-name=ether23 ] master-port=ether1-master
set [ find default-name=sfp1 ] master-port=ether1-master
/interface vlan
add interface=ether2 name=ether2-vlan832 vlan-id=832
add interface=ether24 name=ether24-vlan832 vlan-id=832
/ip pool
add name=dhcp_pool1 ranges=192.168.1.30-192.168.1.250
add name=dhcp_pool2 ranges=192.168.99.2
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether1-master lease-time=3d \
    name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=ether24-vlan832 lease-time=\
    3d name=dhcp2
/interface ethernet switch port
set 0 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 1 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 2 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 3 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 4 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 5 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 6 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 7 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 8 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 9 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0:\
    8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 10 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 11 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 12 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 13 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 14 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 15 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 16 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 17 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 18 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 19 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 20 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 21 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 22 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 23 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 24 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
set 25 per-queue-scheduling="wrr-group0:1,wrr-group0:2,wrr-group0:4,wrr-group0\
    :8,wrr-group0:16,wrr-group0:32,wrr-group0:64,wrr-group0:128"
/ip address
add address=192.168.1.1/24 interface=ether1-master network=192.168.1.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether2-vlan832
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=62.36.225.150,62.37.228.20 gateway=\
    192.168.1.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip firewall filter
add chain=input comment="defconf: accept ICMP" protocol=icmp
add chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment=\
    "Drop de todo lo que viene desde nuestra WAN" in-interface=ether2-vlan832
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "Drop de todo lo que viene de la WAN que no esta DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether2-vlan832
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2-vlan832
/system routerboard settings
set boot-device=flash-boot protected-routerboot=disabled
Reference – Final Mikrotik configuration (alternative 750 system)
# On this older system the ports were bridged
# by default with ether2-master rather than ether1-master,
# so it was decided to use port 1 to connect to the ONT.
# mar/31/2017 09:01:00 by RouterOS X.YY.Z
# software id = NQ5I-YFZV
#
/interface ethernet
set [ find default-name=ether2 ] name=ether2-master
set [ find default-name=ether3 ] master-port=ether2-master
set [ find default-name=ether4 ] master-port=ether2-master
/ip neighbor discovery
set ether1 discover=no
/interface vlan
add interface=ether1 name=eth1-vlan832 vlan-id=832
add interface=ether5 name=eth5-vlan832 vlan-id=832
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_pool1 ranges=192.168.1.30-192.168.1.250
add name=dhcp_pool2 ranges=192.168.99.2
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether2-master lease-time=3d \
    name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=eth5-vlan832 lease-time=3d \
    name=dhcp2
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/ip address
add address=192.168.1.1/24 interface=ether2-master network=192.168.1.0
add address=192.168.99.1/24 interface=eth5-vlan832 network=192.168.99.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=eth1-vlan832
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=62.36.225.150,62.37.228.20 gateway=\
    192.168.1.1
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
add address=192.168.99.0/24 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=input comment=\
    "Drop de todo lo que viene desde nuestra WAN" in-interface=eth1-vlan832
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "Drop de todo lo que viene de la WAN que no esta DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    eth1-vlan832
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=ether1
add action=masquerade chain=srcnat out-interface=eth1-vlan832
/ip service
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Madrid
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master
/tool user-manager database
set db-path=user-manager