Доброго всем времени суток, уважаемые. Появилась необходимость раздать интернет в среднем на 50 +/- компьютеров, примерно 10-15 по локалке, все остальное по воздуху. Реализовано было следующим образом:
Оборудование:
- TP-link td 8961nd
- mikrotik RB2011UiAS-2HnD-IN
Доступ к интернет ADSL 8/1M
Интернет входит в eth1, 2-3Eth и wlan1 объединены в бридж с названием intranet 192.168.88.0/24
wlan2 и eth4-5 оuternet 10.10.0.0/20 с присвоением 5 интерфейсу адреса вида 10.10.0.100
Более точно в конфиге. Буду очень благодарен всем кто поможет решить данную проблему.
/interface bridge
add name=intranet
add arp=proxy-arp l2mtu=2290 name=outernet
/interface ethernet
set 0 l2mtu=1480 mtu=1480
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys wpa-pre-shared-key=419F024CA4E1 wpa2-pre-shared-key=\
419F024CA4E1
add eap-methods=passthrough management-protection=allowed name=open \
supplicant-identity=""
add authentication-types=wpa-psk,wpa2-psk eap-methods=passthrough \
group-ciphers=tkip,aes-ccm management-protection=allowed mode=\
dynamic-keys name=Corporate supplicant-identity="" unicast-ciphers=\
tkip,aes-ccm wpa-pre-shared-key=7b4tr5iyamadama wpa2-pre-shared-key=\
7b4tr5iyamadama
/interface wireless
set 0 adaptive-noise-immunity=ap-and-client-mode band=2ghz-b/g/n \
basic-rates-b="" channel-width=20/40mhz-ht-above comment=\
"Corporate wi-fi AP" country=kazakhstan default-forwarding=no disabled=no \
frequency-mode=superchannel ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 \
mode=ap-bridge periodic-calibration=enabled \
periodic-calibration-interval=10 radio-name=-HiNet- rate-set=configured \
security-profile=Corporate ssid=Corporate tx-power=18 tx-power-mode=\
all-rates-fixed wds-default-bridge=outernet wds-mode=static
add arp=disabled comment="This is public hot-spot with 10.10.x.x. IPs" \
default-forwarding=no disabled=no l2mtu=2290 mac-address=\
D6:CA:6D:E7:A2:D8 master-interface=wlan1 name=wlan2 security-profile=open \
ssid=-HiNet- wds-cost-range=0 wds-default-bridge=outernet \
wds-default-cost=0
/interface wireless manual-tx-power-table
set wlan1 comment="Corporate wi-fi AP"
set wlan2 comment="This is public hot-spot with 10.10.x.x. IPs"
/interface wireless nstreme
set wlan1 comment="Corporate wi-fi AP" enable-polling=no
set wlan2 comment="This is public hot-spot with 10.10.x.x. IPs"
/ip neighbor discovery
set wlan1 comment="Corporate wi-fi AP"
set wlan2 comment="This is public hot-spot with 10.10.x.x. IPs"
/ip hotspot profile
add hotspot-address=10.10.0.100 login-by=cookie,http-chap,trial name=hsprof1 \
trial-uptime=15m/0s
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=1m \
mac-cookie-timeout=3d session-timeout=10m
/ip pool
add name=dhcp_pool1 ranges=192.168.88.2-192.168.88.254
add name=dhcp_pool2 ranges=10.10.0.1-10.10.0.99,10.10.0.102-10.10.15.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=intranet name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=outernet lease-time=30m \
name=dhcp2
/ip hotspot
add address-pool=dhcp_pool2 interface=outernet name=hotspot1 profile=hsprof1
/port
set 0 name=serial0
/queue simple
add disabled=yes dst=ether1 max-limit=1M/3M name=queue1 target=wlan2
/queue type
add kind=pcq name=PCQ1 pcq-classifier=dst-address pcq-dst-address-mask=24 \
pcq-dst-address6-mask=64 pcq-src-address-mask=24 pcq-src-address6-mask=64
add kind=pcq name=PCQ2 pcq-classifier=src-address pcq-dst-address-mask=24 \
pcq-dst-address6-mask=64 pcq-limit=100 pcq-src-address-mask=24 \
pcq-src-address6-mask=64
/queue tree
add burst-time=10s comment="\C2\F5\EE\E4\FF\F9\E8\E9 \F2\F0\E0\F4\E8\EA \E2\ED\
\F3\F2\F0\E5\ED\ED\E5\E9 \F1\E5\F2\E8" limit-at=2M max-limit=2M name=\
Global_to parent=global queue=default
add name=queue1 packet-mark=GlobalToConf parent=Global_to queue=PCQ2
add comment="\C8\F1\F5\EE\E4\FF\F9\E8\E9 \F2\F0\E0\F4\E8\EA \E2\ED\F3\F2\F0\E5\
\ED\ED\E5\E9 \F1\E5\F2\E8" limit-at=512k max-limit=800k name=to_Global \
parent=global queue=default
add burst-time=10s comment="\C2\F5\EE\E4\FF\F9\E8\E9 \F2\F0\E0\F4\E8\EA \E2\ED\
\E5\F8\ED\E5\E9 \F1\E5\F2\E8" max-limit=6M name=hot_down parent=global \
queue=default
add comment="\C8\F1\F5\EE\E4\FF\F9\E8\E9 \F2\F0\E0\F4\E8\EA \E2\ED\E5\F8\ED\E5\
\E9 \F1\E5\F2\E8" limit-at=512k max-limit=815k name=hot_up packet-mark="" \
parent=global queue=default
add name=queue2 packet-mark=HotspotToGlobal parent=hot_up queue=PCQ1
add name=queue3 packet-mark=ConfToGlobal parent=to_Global queue=PCQ1
add name=queue4 packet-mark=GlobalToHotspot parent=hot_down queue=PCQ2
/interface bridge port
add bridge=intranet interface=ether2
add bridge=intranet interface=ether3
add bridge=intranet interface=wlan1
add bridge=outernet interface=ether5
add bridge=outernet interface=ether4
add bridge=outernet interface=wlan2
add bridge=outernet interface=ether10
/ip address
add address=192.168.1.7/24 interface=ether1 network=192.168.1.0
add address=192.168.88.1/24 interface=wlan1 network=192.168.88.0
add address=10.10.0.100/20 interface=ether5 network=10.10.0.0
/ip dhcp-server lease
add address=10.10.0.101 client-id=1:24:a:64:8c:53:48 mac-address=\
24:0A:64:8C:53:48 server=dhcp2
/ip dhcp-server network
add address=10.10.0.0/20 dns-server=10.10.0.100 gateway=10.10.0.100
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,212.154.163.162
/ip firewall filter
add action=drop chain=input comment="Seample for drop packets for MAC" \
disabled=yes src-mac-address=00:22:F4:07:AA:CC
add action=drop chain=input disabled=yes src-mac-address=E0:06:E6:51:B2:EA
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=drop chain=forward comment="Traceroute block" icmp-options=11 \
protocol=icmp
add action=drop chain=forward comment="torrent block" p2p=all-p2p
add action=drop chain=forward content=d1:ad2:id20: dst-port=1025-65535 \
packet-size=95-190 protocol=udp
add action=drop chain=forward content="info_hash=" dst-port=2710,80 protocol=\
tcp
/ip firewall mangle
add action=mark-packet chain=forward dst-address=192.168.88.0/24 \
new-packet-mark=GlobalToConf passthrough=no
add action=mark-packet chain=forward dst-address=10.10.0.0/20 \
dst-address-list="" new-packet-mark=GlobalToHotspot passthrough=no
add action=mark-packet chain=forward dst-address-list="" new-packet-mark=\
ConfToGlobal src-address=192.168.88.0/24
add action=mark-packet chain=forward dst-address-list="" new-packet-mark=\
HotspotToGlobal src-address=10.10.0.0/20
/ip firewall nat
add action=masquerade chain=srcnat comment=Test disabled=yes src-address=\
192.168.1.0/24
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat src-address=192.168.88.0/24
add action=masquerade chain=srcnat src-address=10.10.0.0/20
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=yes src-address=10.10.0.0/20
add action=redirect chain=dstnat disabled=yes dst-port=80 protocol=tcp \
src-address=10.10.0.0/20 to-ports=8080
/ip hotspot user
add name=user1 password=111111
/ip proxy
set max-client-connections=1500 max-server-connections=1500
/ip route
add distance=1 gateway=192.168.1.1
/ip route rule
add action=unreachable dst-address=10.10.0.0/20 src-address=192.168.88.0/24
add action=unreachable dst-address=192.168.88.0/24 src-address=10.10.0.0/20
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.10.0.101/32
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/lcd
set backlight-timeout=5m current-interface=ether1 read-only-mode=yes