Зачем усложнять жизнь? У вас просто блокируется обратный пакет от сервера. У вас сервер на каком порту? Или какой порт магистральный?
Ладно, предположим, всё как у многих: 26-й порт магистральный, и за ним находится как DHCP-сервер, так и сервер, доступ к которому надо разрешить.
Вот список правил, которые давно работают у меня; пользователи управляются посредством добавления или удаления записей в профиле 100.
#разрешаем dhcp и делаем приоритет выше
# Profile 1: IPv4 match on exact destination IP (/32 mask) + exact UDP destination port (0xFFFF mask).
# Entries 1-25 permit client DHCP traffic (UDP/67 sent to the limited broadcast address
# 255.255.255.255) from each user port 1-25 and rewrite the 802.1p priority of those frames
# to 5 (replace_priority) so DHCP is not starved by user traffic.
# On this platform family the lowest profile_id is evaluated first (verify for your model), so
# these permits take effect before the broadcast deny in profile 3 and the catch-all IPv4 deny
# in profile 200.
# NOTE(review): only the broadcast form of DHCP is permitted here. A unicast renew (REQUEST sent
# directly to the server's address) from a user port matches nothing in this profile and would
# fall through to the deny in profile 200; clients then rebind via broadcast. Confirm that this
# is the intended behaviour.
# The uplink (port 26 per the post) is outside every entry below, so server replies are unaffected.
create access_profile ip destination_ip_mask 255.255.255.255 udp dst_port_mask 0xFFFF profile_id 1
config access_profile profile_id 1 add access_id 1 ip destination_ip 255.255.255.255 udp dst_port 67 port 1 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 2 ip destination_ip 255.255.255.255 udp dst_port 67 port 2 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 3 ip destination_ip 255.255.255.255 udp dst_port 67 port 3 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 4 ip destination_ip 255.255.255.255 udp dst_port 67 port 4 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 5 ip destination_ip 255.255.255.255 udp dst_port 67 port 5 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 6 ip destination_ip 255.255.255.255 udp dst_port 67 port 6 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 7 ip destination_ip 255.255.255.255 udp dst_port 67 port 7 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 8 ip destination_ip 255.255.255.255 udp dst_port 67 port 8 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 9 ip destination_ip 255.255.255.255 udp dst_port 67 port 9 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 10 ip destination_ip 255.255.255.255 udp dst_port 67 port 10 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 11 ip destination_ip 255.255.255.255 udp dst_port 67 port 11 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 12 ip destination_ip 255.255.255.255 udp dst_port 67 port 12 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 13 ip destination_ip 255.255.255.255 udp dst_port 67 port 13 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 14 ip destination_ip 255.255.255.255 udp dst_port 67 port 14 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 15 ip destination_ip 255.255.255.255 udp dst_port 67 port 15 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 16 ip destination_ip 255.255.255.255 udp dst_port 67 port 16 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 17 ip destination_ip 255.255.255.255 udp dst_port 67 port 17 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 18 ip destination_ip 255.255.255.255 udp dst_port 67 port 18 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 19 ip destination_ip 255.255.255.255 udp dst_port 67 port 19 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 20 ip destination_ip 255.255.255.255 udp dst_port 67 port 20 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 21 ip destination_ip 255.255.255.255 udp dst_port 67 port 21 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 22 ip destination_ip 255.255.255.255 udp dst_port 67 port 22 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 23 ip destination_ip 255.255.255.255 udp dst_port 67 port 23 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 24 ip destination_ip 255.255.255.255 udp dst_port 67 port 24 permit priority 5 replace_priority
config access_profile profile_id 1 add access_id 25 ip destination_ip 255.255.255.255 udp dst_port 67 port 25 permit priority 5 replace_priority
#разрешаем DNS
# Profile 1, entries 27-51: permit DNS queries (UDP/53) from each user port 1-25, but only to
# the resolver at 172.22.100.1. Queries to any other resolver are left to the catch-all deny in
# profile 200, which keeps users from bypassing the local DNS policy.
# NOTE(review): access_id 26 is skipped between the DHCP and DNS entries; harmless, but keep the
# numbering contiguous if the ids are referenced by scripts elsewhere.
# NOTE(review): only UDP is permitted, so DNS over TCP to this resolver (truncated/large answers)
# is dropped by profile 200 - confirm that is acceptable for the resolver in use.
config access_profile profile_id 1 add access_id 27 ip destination_ip 172.22.100.1 udp dst_port 53 port 1 permit
config access_profile profile_id 1 add access_id 28 ip destination_ip 172.22.100.1 udp dst_port 53 port 2 permit
config access_profile profile_id 1 add access_id 29 ip destination_ip 172.22.100.1 udp dst_port 53 port 3 permit
config access_profile profile_id 1 add access_id 30 ip destination_ip 172.22.100.1 udp dst_port 53 port 4 permit
config access_profile profile_id 1 add access_id 31 ip destination_ip 172.22.100.1 udp dst_port 53 port 5 permit
config access_profile profile_id 1 add access_id 32 ip destination_ip 172.22.100.1 udp dst_port 53 port 6 permit
config access_profile profile_id 1 add access_id 33 ip destination_ip 172.22.100.1 udp dst_port 53 port 7 permit
config access_profile profile_id 1 add access_id 34 ip destination_ip 172.22.100.1 udp dst_port 53 port 8 permit
config access_profile profile_id 1 add access_id 35 ip destination_ip 172.22.100.1 udp dst_port 53 port 9 permit
config access_profile profile_id 1 add access_id 36 ip destination_ip 172.22.100.1 udp dst_port 53 port 10 permit
config access_profile profile_id 1 add access_id 37 ip destination_ip 172.22.100.1 udp dst_port 53 port 11 permit
config access_profile profile_id 1 add access_id 38 ip destination_ip 172.22.100.1 udp dst_port 53 port 12 permit
config access_profile profile_id 1 add access_id 39 ip destination_ip 172.22.100.1 udp dst_port 53 port 13 permit
config access_profile profile_id 1 add access_id 40 ip destination_ip 172.22.100.1 udp dst_port 53 port 14 permit
config access_profile profile_id 1 add access_id 41 ip destination_ip 172.22.100.1 udp dst_port 53 port 15 permit
config access_profile profile_id 1 add access_id 42 ip destination_ip 172.22.100.1 udp dst_port 53 port 16 permit
config access_profile profile_id 1 add access_id 43 ip destination_ip 172.22.100.1 udp dst_port 53 port 17 permit
config access_profile profile_id 1 add access_id 44 ip destination_ip 172.22.100.1 udp dst_port 53 port 18 permit
config access_profile profile_id 1 add access_id 45 ip destination_ip 172.22.100.1 udp dst_port 53 port 19 permit
config access_profile profile_id 1 add access_id 46 ip destination_ip 172.22.100.1 udp dst_port 53 port 20 permit
config access_profile profile_id 1 add access_id 47 ip destination_ip 172.22.100.1 udp dst_port 53 port 21 permit
config access_profile profile_id 1 add access_id 48 ip destination_ip 172.22.100.1 udp dst_port 53 port 22 permit
config access_profile profile_id 1 add access_id 49 ip destination_ip 172.22.100.1 udp dst_port 53 port 23 permit
config access_profile profile_id 1 add access_id 50 ip destination_ip 172.22.100.1 udp dst_port 53 port 24 permit
config access_profile profile_id 1 add access_id 51 ip destination_ip 172.22.100.1 udp dst_port 53 port 25 permit
# разрешаем ходить на веб страницу 172.22.100.10
# Profile 2: IPv4 match on exact destination IP (/32) + exact TCP destination port (0xFFFF).
# Entries 1-25 permit HTTP (TCP/80) from each user port 1-25 only to the web server
# 172.22.100.10; every other TCP destination falls through to the deny in profile 200.
# NOTE(review): HTTPS (TCP/443) to the same host is not permitted. If the server redirects to
# TLS, users will see the redirect succeed and the follow-up connection drop; add a parallel
# set of entries for port 443 in that case.
create access_profile ip destination_ip_mask 255.255.255.255 tcp dst_port_mask 0xFFFF profile_id 2
config access_profile profile_id 2 add access_id 1 ip destination_ip 172.22.100.10 tcp dst_port 80 port 1 permit
config access_profile profile_id 2 add access_id 2 ip destination_ip 172.22.100.10 tcp dst_port 80 port 2 permit
config access_profile profile_id 2 add access_id 3 ip destination_ip 172.22.100.10 tcp dst_port 80 port 3 permit
config access_profile profile_id 2 add access_id 4 ip destination_ip 172.22.100.10 tcp dst_port 80 port 4 permit
config access_profile profile_id 2 add access_id 5 ip destination_ip 172.22.100.10 tcp dst_port 80 port 5 permit
config access_profile profile_id 2 add access_id 6 ip destination_ip 172.22.100.10 tcp dst_port 80 port 6 permit
config access_profile profile_id 2 add access_id 7 ip destination_ip 172.22.100.10 tcp dst_port 80 port 7 permit
config access_profile profile_id 2 add access_id 8 ip destination_ip 172.22.100.10 tcp dst_port 80 port 8 permit
config access_profile profile_id 2 add access_id 9 ip destination_ip 172.22.100.10 tcp dst_port 80 port 9 permit
config access_profile profile_id 2 add access_id 10 ip destination_ip 172.22.100.10 tcp dst_port 80 port 10 permit
config access_profile profile_id 2 add access_id 11 ip destination_ip 172.22.100.10 tcp dst_port 80 port 11 permit
config access_profile profile_id 2 add access_id 12 ip destination_ip 172.22.100.10 tcp dst_port 80 port 12 permit
config access_profile profile_id 2 add access_id 13 ip destination_ip 172.22.100.10 tcp dst_port 80 port 13 permit
config access_profile profile_id 2 add access_id 14 ip destination_ip 172.22.100.10 tcp dst_port 80 port 14 permit
config access_profile profile_id 2 add access_id 15 ip destination_ip 172.22.100.10 tcp dst_port 80 port 15 permit
config access_profile profile_id 2 add access_id 16 ip destination_ip 172.22.100.10 tcp dst_port 80 port 16 permit
config access_profile profile_id 2 add access_id 17 ip destination_ip 172.22.100.10 tcp dst_port 80 port 17 permit
config access_profile profile_id 2 add access_id 18 ip destination_ip 172.22.100.10 tcp dst_port 80 port 18 permit
config access_profile profile_id 2 add access_id 19 ip destination_ip 172.22.100.10 tcp dst_port 80 port 19 permit
config access_profile profile_id 2 add access_id 20 ip destination_ip 172.22.100.10 tcp dst_port 80 port 20 permit
config access_profile profile_id 2 add access_id 21 ip destination_ip 172.22.100.10 tcp dst_port 80 port 21 permit
config access_profile profile_id 2 add access_id 22 ip destination_ip 172.22.100.10 tcp dst_port 80 port 22 permit
config access_profile profile_id 2 add access_id 23 ip destination_ip 172.22.100.10 tcp dst_port 80 port 23 permit
config access_profile profile_id 2 add access_id 24 ip destination_ip 172.22.100.10 tcp dst_port 80 port 24 permit
config access_profile profile_id 2 add access_id 25 ip destination_ip 172.22.100.10 tcp dst_port 80 port 25 permit
# разрешаем ARP и запрещаем broadcast
# Profile 3: Ethernet match on exact destination MAC (FF-FF-FF-FF-FF-FF mask) + EtherType.
# Entries 1-25 permit broadcast ARP (EtherType 0x806) from ports 1-25 so clients can resolve the
# gateway/server; entries 26-50 deny broadcast IPv4 (EtherType 0x800) from the same ports, which
# keeps broadcast chatter (e.g. NetBIOS/SSDP) off the uplink. DHCP broadcast is not caught by the
# deny because profile 1, evaluated earlier, already permitted it.
# NOTE(review): unicast ARP (destination MAC other than the broadcast address) matches nothing in
# this profile and no listed rule permits or denies it, so it is forwarded by default.
# NOTE(review): the 0x800 deny looks redundant with the catch-all IPv4 deny in profile 200;
# presumably kept for explicitness or per-entry counters. Verify it is worth the TCAM entries.
create access_profile ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type profile_id 3
config access_profile profile_id 3 add access_id 1 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 1 permit
config access_profile profile_id 3 add access_id 2 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 2 permit
config access_profile profile_id 3 add access_id 3 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 3 permit
config access_profile profile_id 3 add access_id 4 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 4 permit
config access_profile profile_id 3 add access_id 5 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 5 permit
config access_profile profile_id 3 add access_id 6 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 6 permit
config access_profile profile_id 3 add access_id 7 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 7 permit
config access_profile profile_id 3 add access_id 8 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 8 permit
config access_profile profile_id 3 add access_id 9 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 9 permit
config access_profile profile_id 3 add access_id 10 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 10 permit
config access_profile profile_id 3 add access_id 11 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 11 permit
config access_profile profile_id 3 add access_id 12 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 12 permit
config access_profile profile_id 3 add access_id 13 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 13 permit
config access_profile profile_id 3 add access_id 14 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 14 permit
config access_profile profile_id 3 add access_id 15 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 15 permit
config access_profile profile_id 3 add access_id 16 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 16 permit
config access_profile profile_id 3 add access_id 17 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 17 permit
config access_profile profile_id 3 add access_id 18 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 18 permit
config access_profile profile_id 3 add access_id 19 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 19 permit
config access_profile profile_id 3 add access_id 20 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 20 permit
config access_profile profile_id 3 add access_id 21 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 21 permit
config access_profile profile_id 3 add access_id 22 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 22 permit
config access_profile profile_id 3 add access_id 23 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 23 permit
config access_profile profile_id 3 add access_id 24 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 24 permit
config access_profile profile_id 3 add access_id 25 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x806 port 25 permit
# From here on the action flips to deny: broadcast IPv4 frames from user ports are dropped.
config access_profile profile_id 3 add access_id 26 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 1 deny
config access_profile profile_id 3 add access_id 27 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 2 deny
config access_profile profile_id 3 add access_id 28 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 3 deny
config access_profile profile_id 3 add access_id 29 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 4 deny
config access_profile profile_id 3 add access_id 30 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 5 deny
config access_profile profile_id 3 add access_id 31 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 6 deny
config access_profile profile_id 3 add access_id 32 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 7 deny
config access_profile profile_id 3 add access_id 33 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 8 deny
config access_profile profile_id 3 add access_id 34 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 9 deny
config access_profile profile_id 3 add access_id 35 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 10 deny
config access_profile profile_id 3 add access_id 36 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 11 deny
config access_profile profile_id 3 add access_id 37 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 12 deny
config access_profile profile_id 3 add access_id 38 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 13 deny
config access_profile profile_id 3 add access_id 39 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 14 deny
config access_profile profile_id 3 add access_id 40 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 15 deny
config access_profile profile_id 3 add access_id 41 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 16 deny
config access_profile profile_id 3 add access_id 42 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 17 deny
config access_profile profile_id 3 add access_id 43 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 18 deny
config access_profile profile_id 3 add access_id 44 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 19 deny
config access_profile profile_id 3 add access_id 45 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 20 deny
config access_profile profile_id 3 add access_id 46 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 21 deny
config access_profile profile_id 3 add access_id 47 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 22 deny
config access_profile profile_id 3 add access_id 48 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 23 deny
config access_profile profile_id 3 add access_id 49 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 24 deny
config access_profile profile_id 3 add access_id 50 ethernet destination_mac FF-FF-FF-FF-FF-FF ethernet_type 0x800 port 25 deny
# вбиваем список пользователей, которым будет разрешено всё остальное
# Profile 100: Ethernet source-MAC allow-list (exact-match mask FF-FF-FF-FF-FF-FF).
# One entry per permitted user: frames with that source MAC arriving on that port are permitted,
# and because this profile is evaluated before the catch-all in profile 200 the user gets all
# traffic that profiles 1-3 did not already decide. The MAC below looks like an example value;
# add/remove one entry per real user as the post describes.
# NOTE(review): a source MAC alone is trivial to clone, so this identity is only as strong as the
# port it is pinned to (port 25 here). Keep every entry bound to a single port rather than a range,
# and pair it with IP-MAC-port binding where the platform supports it so a cloned address on the
# wrong port is still dropped.
create access_profile ethernet source_mac FF-FF-FF-FF-FF-FF profile_id 100
config access_profile profile_id 100 add access_id 1 ethernet source_mac 00-11-22-33-44-55 port 25 permit
#запрещаем все остальное
# Profile 200: catch-all. A mask of 0.0.0.0 on both source and destination matches any address,
# so the single auto-assigned entry denies every IPv4 packet entering user ports 1-25 that no
# lower-numbered profile permitted. The uplink port 26 is deliberately excluded so server replies
# are not dropped.
# NOTE(review): an `ip` profile matches IPv4 only. IPv6 (EtherType 0x86DD) and other non-IP
# EtherTypes from ports 1-25 are not covered by this deny and are forwarded by default; add an
# ethernet profile keyed on EtherType if those must be blocked as well.
create access_profile ip source_ip_mask 0.0.0.0 destination_ip_mask 0.0.0.0 profile_id 200
config access_profile profile_id 200 add access_id auto_assign ip source_ip 0.0.0.0 destination_ip 0.0.0.0 port 1-25 deny