PLC Forum


QNAP: opening ports for the cloud??


abbio90


Hi everyone... I have a MikroTik with 2 WANs in PCC load balancing... everything seems to work great...

However, I'm running into some problems

It is a client of a VPN... even though the routes are set correctly on the various devices, I can't access the subnet on the client side

Also, I tried opening some ports, and the moment I open the ports the internet connection disappears for the connected devices, but on the MikroTik itself the connection stays up (meaning that even when nobody can browse the internet anymore, the VPN stays up, and if I go to Tools and run a ping without specifying the interface it succeeds)

Can anyone help me??



Andrea Annoni

Are you working with NAT, or transparently with return routes?

Is the port you're opening port 80? Did you also specify the source/destination address?

Return route... I didn't specify the src address or the dst...

Only the port type and the port... then under action the IP and port

I opened 8080, 443, 80..

It's also strange that the VPN doesn't let me access the client's subnet

Andrea Annoni

If you don't specify the subnets when opening the port, all requests to the specified ports will end up in that rule


Nothing doing... it doesn't work that way either.. I'll try attaching the configuration
# apr/14/2019 11:15:22 by RouterOS 6.44.2
# software id = AC4B-E64F
#
# model = CRS109-8G-1S-2HnD
# serial number = 7869065F81BD

/interface bridge
add fast-forward=no name=bridge_LAN

/interface wireless
set [ find default-name=wlan1 ] antenna-gain=4 band=2ghz-b/g/n channel-width=\
    20/40mhz-Ce country=italy frequency=2437 frequency-mode=regulatory-domain \
    mode=station-pseudobridge ssid=test wireless-protocol=802.11

/interface ethernet
set [ find default-name=ether1 ] name=ether1-ISP1_Fast speed=100Mbps
set [ find default-name=ether2 ] name=ether2-ISP2_tim speed=100Mbps
set [ find default-name=ether3 ] speed=100Mbps
set [ find default-name=ether4 ] speed=100Mbps
set [ find default-name=ether5 ] speed=100Mbps
set [ find default-name=ether6 ] speed=100Mbps
set [ find default-name=ether7 ] name=ether7-link1_802.03ad speed=100Mbps
set [ find default-name=ether8 ] mac-address=6C:3B:6B:A7:4C:86 name=\
    ether8-link2_802.03ad speed=100Mbps
set [ find default-name=sfp1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full

/interface bonding
add mode=802.3ad name=bonding_qnap_802.3ad slaves=\
    ether7-link1_802.03ad,ether8-link2_802.03ad transmit-hash-policy=\
    layer-2-and-3

/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=\
    12345678 wpa2-pre-shared-key=12345678

/ip pool
add name=dhcp ranges=192.168.1.199-192.168.1.243

/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=\
    bridge_LAN name="dhcp server"

/snmp community
set [ find default=yes ] addresses=0.0.0.0/0

/interface bridge port
add bridge=bridge_LAN hw=no interface=ether3
add bridge=bridge_LAN hw=no interface=ether4
add bridge=bridge_LAN hw=no interface=ether5
add bridge=bridge_LAN hw=no interface=ether6
add bridge=bridge_LAN hw=no interface=bonding_qnap_802.3ad
add bridge=bridge_LAN interface=wlan1
add bridge=bridge_LAN hw=no interface=sfp1
add bridge=bridge_LAN disabled=yes interface=ether1-ISP1_Fast
add bridge=bridge_LAN disabled=yes interface=ether2-ISP2_tim

/ip address
add address=10.10.10.2/30 interface=ether1-ISP1_Fast network=10.10.10.0
add address=10.10.11.2/29 interface=ether2-ISP2_tim network=10.10.11.0
add address=192.168.1.1/24 interface=bridge_LAN network=192.168.1.0

/ip cloud
set ddns-enabled=yes ddns-update-interval=1m update-time=no

/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 \
    netmask=24

/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1

/ip firewall mangle
add action=accept chain=prerouting dst-address=10.10.10.0/30 in-interface=\
    bridge_LAN
add action=accept chain=prerouting dst-address=10.10.11.0/29 in-interface=\
    bridge_LAN
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether1-ISP1_Fast new-connection-mark=ISP1_conn passthrough=\
    yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
    in-interface=ether2-ISP2_tim new-connection-mark=ISP2_conn passthrough=\
    yes
add action=mark-connection chain=prerouting comment="bilance pcc" \
    connection-mark=no-mark dst-address-type=!local in-interface=bridge_LAN \
    new-connection-mark=ISP1_conn passthrough=yes per-connection-classifier=\
    both-addresses:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface=bridge_LAN new-connection-mark=\
    ISP2_conn passthrough=yes per-connection-classifier=both-addresses:2/1
add action=mark-routing chain=prerouting connection-mark=ISP1_conn \
    in-interface=bridge_LAN new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2_conn \
    in-interface=bridge_LAN new-routing-mark=to_ISP2 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP1_conn \
    new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2_conn \
    new-routing-mark=to_ISP2 passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-ISP1_Fast
add action=masquerade chain=srcnat out-interface=ether2-ISP2_tim
add action=dst-nat chain=dstnat comment="porte nas" disabled=yes \
    dst-port=443 protocol=tcp src-address=10.10.11.0/29 to-addresses=\
    192.168.1.85 to-ports=443
add action=dst-nat chain=dstnat comment="porte nas" disabled=yes \
    dst-port=8080 protocol=tcp src-address=10.10.11.0/29 \
    to-addresses=192.168.1.85 to-ports=8080

/ip route
add check-gateway=ping comment=ISP1 distance=1 gateway=8.8.8.8 routing-mark=\
    to_ISP1 target-scope=30
add check-gateway=ping comment=ISP2 distance=1 gateway=8.8.4.4 routing-mark=\
    to_ISP2 target-scope=30
add check-gateway=ping comment=ISP1 distance=1 gateway=8.8.8.8 target-scope=\
    30
add comment=ISP2 distance=2 gateway=8.8.4.4 target-scope=30
add distance=1 dst-address=8.8.4.4/32 gateway=10.10.11.1
add distance=1 dst-address=8.8.8.8/32 gateway=10.10.10.1
add distance=1 dst-address=10.246.159.50/32 gateway=192.168.90.1

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.1.0/24
set ssh disabled=yes
set winbox address=192.168.1.0/24,192.168.90.0/24
/lcd
set time-interval=hour
/lcd interface pages
set 0 interfaces=wlan1
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=Router_CRS109_balance_pcc
/system ntp client
set enabled=yes primary-ntp=193.204.114.105 secondary-ntp=10.0.32.138
/system routerboard settings
set silent-boot=yes
/system scheduler
add interval=1w3d name="Upgrade Firmware Routerboard" on-event=\
    Update_Routerboard_script policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=\
    apr/26/2018 start-time=03:30:00
add interval=2d name="Upgrade RouterOS" on-event=Update_RouterOS_script \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=apr/25/2018 start-time=03:00:00
add interval=1w3d name="flush dns cache" on-event="ip dns cache flush" \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=may/19/2018 start-time=04:00:00
/system script
add dont-require-permissions=no name=Update_RouterOS_script owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="\
    /system package update\r\
    \ncheck-for-updates once\r\
    \n:delay 3s;\r\
    \n:if ( [get status] = \"New version is available\") do={ install };\r\
    \n\r\
    \n/system reboot"
add dont-require-permissions=no name=Update_Routerboard_script owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source="\
    /system routerboard upgrade\r\
    \n\r\
    \n:delay 3s;\r\
    \n\r\
    \n /system reboot\r\
    \n"


Then under src address, do I put the gateway in question or the whole subnet?

And under dst the IP on which to open the port, the same as under action to-address?


Solved by putting the subnet of the relevant gw in dst address

On 17/4/2019 at 22:57, abbio90 wrote:

It's also strange that the VPN doesn't let me access the client's subnet

Can you help me with this one, Andrea??

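The two exchanges above (Andrea's point that an unscoped port-opening rule catches every request to those ports, and the fix of putting the WAN subnet in dst-address) come down to how a dstnat rule's match set is chosen. The following Python script is an added example, not from the thread or from MikroTik: it parses a constructed `/ip firewall nat` export in the same shape as the one posted, replays a LAN client's outbound HTTPS packet and an inbound packet from the internet against the rules, and flags any dst-nat rule that is not pinned to a WAN address or interface. The export text, the rule comments ("broken", "wrong field", "fixed"), the packet addresses (203.0.113.x and 198.51.100.x are documentation ranges) and the simplified matching semantics (only protocol, dst-port, src-address, dst-address and in-interface are modelled) are all assumptions of this example.

```python
"""Model the dst-nat mistake from the thread: a port-forward rule that matches only on
protocol/dst-port is hit by LAN clients going out to the internet as well as by inbound
connections, so their traffic is redirected to the NAS. Pinning the rule to the WAN
address (dst-address) or WAN interface (in-interface) limits it to inbound traffic."""
import ipaddress
import shlex
from typing import Dict, List, Optional

Rule = Dict[str, str]

# Constructed sample in the shape of a RouterOS "/export" (not the thread's exact lines).
# 203.0.113.x and 198.51.100.x are documentation ranges standing in for internet hosts.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-ISP1_Fast
add action=masquerade chain=srcnat out-interface=ether2-ISP2_tim
add action=dst-nat chain=dstnat comment="nas https (broken)" dst-port=443 protocol=tcp \\
    to-addresses=192.168.1.85 to-ports=443
add action=dst-nat chain=dstnat comment="nas https (wrong field)" dst-port=443 protocol=tcp \\
    src-address=10.10.11.0/29 to-addresses=192.168.1.85 to-ports=443
add action=dst-nat chain=dstnat comment="nas https (fixed)" dst-address=10.10.11.0/29 \\
    dst-port=443 protocol=tcp to-addresses=192.168.1.85 to-ports=443
"""


def parse_export(text: str) -> List[Rule]:
    """Return the 'add ...' rules under /ip firewall nat as key -> value dicts."""
    joined: List[str] = []
    buf = ""
    for line in text.splitlines():  # re-join lines the export wrapped with a trailing backslash
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
        else:
            joined.append(buf + line)
            buf = ""
    rules: List[Rule] = []
    section = None
    for line in joined:
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall nat" and line.startswith("add "):
            rule: Rule = {}
            for tok in shlex.split(line[4:]):  # shlex keeps a quoted comment as one token
                key, _, value = tok.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules


def addr_match(spec: str, addr: str) -> bool:
    """RouterOS address matcher: a host or CIDR, optionally negated with a leading '!'."""
    negate = spec.startswith("!")
    hit = ipaddress.ip_address(addr) in ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return hit != negate


def rule_matches(rule: Rule, pkt: Dict[str, str]) -> bool:
    """Every matcher present on the rule must agree with the packet; absent ones match anything.
    Only the matchers used by the thread's rules are modelled (assumption of this example)."""
    checks = {
        "protocol": lambda v: v == pkt["protocol"],
        "dst-port": lambda v: pkt["dst_port"] in v.split(","),
        "src-address": lambda v: addr_match(v, pkt["src"]),
        "dst-address": lambda v: addr_match(v, pkt["dst"]),
        "in-interface": lambda v: v == pkt["in_interface"],
    }
    return all(fn(rule[k]) for k, fn in checks.items() if k in rule)


def first_dstnat_match(rules: List[Rule], pkt: Dict[str, str]) -> Optional[Rule]:
    """Return the first enabled dstnat rule the packet hits, in rule order, as the firewall would."""
    for rule in rules:
        if rule.get("chain") == "dstnat" and rule.get("disabled") != "yes" and rule_matches(rule, pkt):
            return rule
    return None


def lint_dstnat(rules: List[Rule]) -> List[str]:
    """Warn about dst-nat rules that are not pinned to a WAN address or WAN interface."""
    pinning = ("dst-address", "dst-address-list", "in-interface", "in-interface-list")
    findings = []
    for rule in rules:
        if rule.get("chain") == "dstnat" and rule.get("action") == "dst-nat" \
                and not any(k in rule for k in pinning):
            findings.append(f"{rule.get('comment', '<no comment>')}: dst-port={rule.get('dst-port', 'any')} "
                            "matches on every interface, so LAN clients going to the internet are redirected too")
    return findings


if __name__ == "__main__":
    rules = parse_export(SAMPLE_EXPORT)
    for finding in lint_dstnat(rules):
        print("WARNING:", finding)
    # Constructed packets: a LAN client browsing out, and an internet client reaching WAN2's address.
    lan_out = {"src": "192.168.1.50", "dst": "203.0.113.10", "dst_port": "443",
               "protocol": "tcp", "in_interface": "bridge_LAN"}
    wan_in = {"src": "198.51.100.7", "dst": "10.10.11.2", "dst_port": "443",
              "protocol": "tcp", "in_interface": "ether2-ISP2_tim"}
    for label, pkt in (("LAN client -> internet", lan_out), ("internet -> WAN2", wan_in)):
        hit = first_dstnat_match(rules, pkt)
        print(f"{label}: {hit['comment'] if hit else 'no dst-nat match, routed normally'}")
```

Run as a script, the "broken" rule is the first hit for the LAN client's packet, which is exactly the symptom in the opening post (browsing dies while the router itself still has connectivity, since the router's own traffic never enters dstnat). The "wrong field" variant mirrors the src-address=10.10.11.0/29 rules in the posted export: it never matches packets arriving from the internet, so the forward simply does nothing. The linter treats dst-address-list and in-interface-list as valid pinning too, which goes slightly beyond the thread's two cases.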
