doc:tec:net:router:ros:faq:duo:inicio [2025/04/13 12:41] – borrado - editor externo (Fecha desconocida) 127.0.0.1
doc:tec:net:router:ros:faq:duo:inicio [2025/04/13 12:41] (actual) – ↷ Enlaces adaptados debido a una operación de mover fepg
Línea 1: Línea 1:
 +====== Interacción entre dos routers ======
  
 +<WRAP center round tip>
 +Se trata de estudiar las diferentes combinaciones para disponer de un router neutro, en nuestra oficina o casa, que se conecte al router proporcionado por el distribuidor de internet ISP. De esta manera se esperan conseguir mayores prestaciones y control de nuestra red que lo que permite el router de la compañía ISP.
 +</WRAP>
 +
 +<WRAP center round help>
 +
 +  * Artículos
 +    * [[https://naseros.com/2021/04/07/doble-nat-que-es-y-como-solucionar-un-doble-nat-mediante-rutas-estaticas/|DOBLE NAT. Qué es, cómo quitar y solucionar un doble NAT en un router]]
 +
 +  * Vídeos
 +    * [[https://youtu.be/Sza0ypXXc3Q|DOBLE NAT. Qué es, cómo quitar y solucionar un doble NAT en un router]]
 +
 +</WRAP>
 +\\ 
 +===== Configuración de router Mikrotik para Vodafone con IPTV =====
 +
 +<WRAP center round help>
 +
 +  * [[https://juandyb.com/configuracion-de-router-mikrotik-para-vodafone-con-iptv/|Configuración de router Mikrotik para Vodafone con IPTV]]
 +
 +</WRAP>
 +
 +{{ doc:tec:net:router:ros:faq:duo:vodafonemikrotikesquema-1024x288.jpg?nolink |}}
 +
 +<code>
 +#Creación de Bridge
 +/interface bridge
 +add name=switch0-lan priority=0x1000
 +#Asignación de nombres a interfaces
 +/interface ethernet
 +set [ find default-name=ether7 ] name=ether7-deco
 +set [ find default-name=ether8 ] name=ether8-wan
 +#Creación de VLANs sobre el puerto ethernet WAN
 +/interface vlan
 +add interface=ether8-wan name=eth8-vlan100 vlan-id=100
 +add comment=WAN-IPTV interface=ether8-wan name=eth8-vlan105 vlan-id=105
 +#Listas de interfaces
 +/interface list
 +add name=LAN-IPTV
 +add name=WAN-IPTV
 +add name=WAN
 +add name=LAN
 +add include=WAN,WAN-IPTV name=EXT-ALL
 +#DHCP Flag aplicado posteriormente en el DHP de la IPTV
 +/ip dhcp-server option
 +add code=12 name=VF_Tivo value="'TIVO'"
 +#Dos pool de direcciones. Uno para LAN y otro para IPTV
 +/ip pool
 +add name=dhcp-lan-pool ranges=192.168.0.100-192.168.0.200
 +add name=dhcp-iptv-pool ranges=192.168.10.10-192.168.10.15
 +#Creación de dos servidores DHCP
 +/ip dhcp-server
 +add address-pool=dhcp-lan-pool interface=switch0-lan name=dhcp-lan
 +add address-pool=dhcp-iptv-pool interface=ether7-deco name=dhcp-iptv
 +#Cliente PPPoE sobre la interfaz virtual creada con la VLAN de datos
 +/interface pppoe-client
 +add add-default-route=yes comment=WAN disabled=no interface=eth8-vlan100 max-mru=1492 max-mtu=1492 name=pppoe0-wan profile=default-encryption user=XXXXXXXXXX@vodafone
 +#Asignación de puertos al Bridge
 +/interface bridge port
 +add bridge=switch0-lan fast-leave=yes interface=ether1
 +add bridge=switch0-lan fast-leave=yes interface=ether2
 +add bridge=switch0-lan fast-leave=yes interface=ether3
 +add bridge=switch0-lan fast-leave=yes interface=ether4
 +#Asignación de interfaces a listas
 +/interface list member
 +add interface=ether7-deco list=LAN-IPTV
 +add interface=eth8-vlan105 list=WAN-IPTV
 +add interface=switch0-lan list=LAN
 +add interface=eth8-vlan100 list=WAN
 +add interface=pppoe0-wan list=WAN
 +add interface=ether8-wan list=WAN
 +#Asignación de direcciones IP a las interfaces
 +/ip address
 +add address=192.168.0.1/24 interface=switch0-lan network=192.168.0.0
 +add address=192.168.10.1/24 interface=ether7-deco network=192.168.10.0
 +#Cliente DHCP sobre la interfaz virtual creada con la VLAN de IPTV
 +/ip dhcp-client
 +add add-default-route=no interface=eth8-vlan105 use-peer-dns=no
 +#Asignaciones estáticas de servidor DHCP (incluyo la asignación del decodificador)
 +/ip dhcp-server lease
 +add address=192.168.10.10 comment="VF Deco TIVO" dhcp-option=VF_Tivo mac-address=XX:XX:XX:XX:XX:XX server=dhcp-iptv
 +#Creación de servidores DHCP
 +/ip dhcp-server network
 +add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 netmask=24
 +add address=192.168.10.0/24 domain=Tivo gateway=192.168.10.1 netmask=24
 +#Configuración resolución DNS por DoH con Cloudflare
 +/ip dns
 +set allow-remote-requests=yes use-doh-server=https://1.1.1.2/dns-query verify-doh-cert=yes
 +#Listas de direcciones para firewall
 +/ip firewall address-list
 +add address=192.168.10.0/24 list=LAN-IPTV
 +add address=192.168.0.0/24 list=LAN
 +#Reglas de Firewall
 +/ip firewall filter
 +add action=accept chain=input comment="IN - Accept Winbox" dst-port=XXXXX,XXXXX in-interface-list=LAN protocol=tcp src-address-list=LAN
 +add action=add-src-to-address-list address-list=Blacklist address-list-timeout=10h chain=input comment="IN - Add Src to Blacklist" connection-state=new dst-port=20-25,80,110,161,443,445,3128,3306,3333,3389,7547,8291,8080-8082 \
 +    in-interface-list=WAN log=yes log-prefix="FWALL- ADD BLACKLIST" protocol=tcp
 +add action=accept chain=input comment="IN - Accept Established and related" connection-state=established,related
 +add action=drop chain=input comment="IN - Drop Invalid" connection-state=invalid
 +add action=accept chain=input comment="IN - Accept ICMP" protocol=icmp
 +add action=accept chain=input comment="IN WAN IPTV - Allow IPTV Multicast UDP" in-interface-list=WAN-IPTV protocol=udp
 +add action=accept chain=input comment="IN WAN IPTV - Accept IGMP" in-interface-list=WAN-IPTV protocol=igmp
 +add action=accept chain=input comment="IN LAN - Accept 53 UDP (DNS)" dst-port=53 protocol=udp src-address-list=LAN
 +add action=accept chain=input comment="IN LAN IPTV - Allow IGMP" protocol=igmp src-address-list=LAN-IPTV
 +add action=accept chain=input comment="IN LAN IPTV - Allow UDP" protocol=udp src-address-list=LAN-IPTV
 +add action=drop chain=input comment="IN - Drop all not comming from LAN" log=yes log-prefix="FWALL - IN DROP" src-address-list=!LAN
 +add action=fasttrack-connection chain=forward comment="FW - FastTrack" connection-state=established,related hw-offload=yes
 +add action=accept chain=forward comment="FW - Accept Established and related" connection-state=established,related
 +add action=drop chain=forward comment="FW - Drop Invalid" connection-state=invalid
 +add action=accept chain=forward comment="FW WAN IPTV - Allow IPTV Multicast UDP" in-interface-list=WAN-IPTV protocol=udp
 +add action=drop chain=forward comment="FW - Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=EXT-ALL log=yes log-prefix="FWALL - FW DROP"
 +#Priorizar paquetes de IPTV
 +/ip firewall mangle
 +add action=set-priority chain=postrouting new-priority=4 out-interface-list=WAN-IPTV passthrough=yes
 +add action=set-priority chain=postrouting new-priority=1 out-interface-list=WAN passthrough=no
 +#Reglas de NAT 
 +/ip firewall nat
 +add action=masquerade chain=srcnat comment="NAT - WAN-IPTV" out-interface-list=WAN-IPTV
 +add action=masquerade chain=srcnat comment="NAT - WAN" out-interface-list=WAN
 +/ip firewall raw
 +add action=drop chain=prerouting comment="Drop Address From Blacklist" log=yes log-prefix="FWALL - BLACKLIST DROP" src-address-list=Blacklist
 +add action=add-dst-to-address-list address-list=Blacklist address-list-timeout=10m chain=output comment="add a device performing unsuccessful authorization to BlackList" content="invalid user name or password" log=yes log-prefix=\
 +    BRUTEFORCE
 +#Rutas estáticas necesarias para Vodafone IPTV
 +/ip route
 +add disabled=no distance=1 dst-address=10.8.57.0/24 gateway=10.214.80.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
 +add disabled=no distance=1 dst-address=10.8.58.0/24 gateway=10.214.80.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
 +add disabled=no distance=1 dst-address=10.8.59.0/24 gateway=10.214.80.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
 +add disabled=no distance=1 dst-address=10.15.220.0/24 gateway=10.214.80.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
 +add disabled=no distance=1 dst-address=10.179.32.0/23 gateway=10.214.80.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
 +#Deshabilito servicios de acceso al router por seguridad
 +/ip service
 +set telnet disabled=yes
 +set ftp disabled=yes
 +set www disabled=yes
 +set ssh address=192.168.0.0/24 port=XXXXXX
 +set www-ssl address=192.168.0.0/24 port=XXXX
 +set api disabled=yes
 +set winbox address=192.168.0.0/24 port=XXXXX
 +set api-ssl disabled=yes
 +#Configuración de IGMP Proxy
 +/routing igmp-proxy
 +set quick-leave=yes
 +/routing igmp-proxy interface
 +add alternative-subnets=0.0.0.0/0 interface=eth8-vlan105 upstream=yes
 +add interface=ether7-deco
 +#Configuración Reloj del sistema
 +/system clock
 +set time-zone-name=Europe/Madrid
 +/system ntp client
 +set enabled=yes
 +/system ntp client servers
 +add address=0.es.pool.ntp.org
 +add address=1.es.pool.ntp.org
 +add address=2.es.pool.ntp.org
 +add address=3.es.pool.ntp.org
 +/system routerboard settings
 +set cpu-frequency=auto
 +</code>
 +\\
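Review bot: The last input rule, "IN - Drop all not comming from LAN", matches on `src-address-list=!LAN`, so access to the router's own services depends on the source address a packet carries rather than on the interface it arrived on; using `in-interface-list=!LAN` in that rule ties the decision to the ingress port and, as far as the visible rules show, keeps the same legitimate traffic. The forward chain has no rule between `ether7-deco` and `switch0-lan`, so new connections from the operator-supplied decoder to 192.168.0.0/24 fall through to the default accept; a rule such as `add action=drop chain=forward connection-state=new in-interface-list=LAN-IPTV out-interface-list=LAN` would keep the decoder segment isolated. The two "Allow IPTV Multicast UDP" rules (input and forward) accept every UDP packet from `WAN-IPTV` although their comments say multicast; if no operator-initiated unicast UDP is needed, adding `dst-address=224.0.0.0/4` makes them match their comments and keeps the resolver enabled by `allow-remote-requests=yes` from answering on the IPTV VLAN. The `/ip service` section restricts only IP services, so it is worth adding a comment there that MAC-server access and neighbor discovery are not covered by this export and should be limited to the LAN list as well.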