❗️Toto je původní verze internetového fóra ISPforum.cz do února 2020 bez možnosti registrace nových uživatelů. Aktivní verzi fóra naleznete na adrese https://telekomunikace.cz

Problém s routováním na RB 1100

Návody a problémy s konfigurací.
pospa
Příspěvky: 34
Registrován: 11 years ago
Bydliště: Praha

Problém s routováním na RB 1100

Příspěvek od pospa » 10 years ago

Ahoj,
už několik dní sedím nad problémem s routováním. Mám MK RB 1100AHx2 fw 6.29.1 (nechodilo ani se staršími verzemi)

ETH 1-5 HW switch master port 1, Adresa 192.168.1.0/24
ETH 6-10 HW switch master port 6, Adresa 192.168.0.0/24
ETH 11 - Internet
ETH 12 - WiFi Bridge 10.0.0.0/8
ETH 13 - WiFi AP s NATem 172.16.0.0/16

Ze sítě 192.168.0.0/24 si do sítě 172.16.0.0/16 pingnu, ale ze sítě 192.168.1.0/24 ne.

Už mi z toho hrabe. Nevidíte někdo prosím chybu v konfiguraci níže? Děkuju moc za jakékoliv nasměrování.


# jul/06/2015 22:25:46 by RouterOS 6.29.1

#
/ip firewall filter
# Packet filter of the RB1100 (export from RouterOS 6.29.1). Rules are matched
# top to bottom within each chain; "ether11 - Inet" is the WAN interface.
# Rules written without action= rely on the RouterOS default action (accept).
# Ordering matters: the final two rules reject everything not accepted above.
add action=drop chain=forward comment="Drop invalid forward" \
    connection-state=invalid
add action=drop chain=input comment="Drop invalid input" connection-state=\
    invalid
add action=drop chain=output comment="Drop invalid output" connection-state=\
    invalid
# Ban list: sources recorded by the add-src-to-address-list rules at the end of
# the input/forward chains (1h timeout) are dropped here before anything else.
add action=drop chain=input comment="Drop IN from intruder list" \
    in-interface="ether11 - Inet" src-address-list=intruders_in
add action=drop chain=forward comment="Drop FW from intruder list" \
    in-interface="ether11 - Inet" src-address-list=intruders_fw
# action=passthrough does not end rule evaluation; these four rules only act as
# traffic counters (P2P and total WAN in/out), they neither accept nor drop.
add action=passthrough chain=forward comment="P2P FW from Inet" in-interface=\
    "ether11 - Inet" p2p=all-p2p
add action=passthrough chain=forward comment="P2P FW to Inet" out-interface=\
    "ether11 - Inet" p2p=all-p2p
add action=passthrough chain=forward comment="Traffic FW to DMZ" \
    out-interface="ether11 - Inet"
add action=passthrough chain=forward comment="Traffic FW from DMZ" \
    in-interface="ether11 - Inet"
# No action= here: default action is accept.
add chain=output comment="Accept any OUT"
add chain=input comment="Accept established/related IN" connection-state=\
    established,related
add chain=forward comment="Accept established/related FW" connection-state=\
    established,related
# Router management (WinBox, TCP 8291).
add chain=input comment="Accept WinBox from internal wire network" dst-port=\
    8291 protocol=tcp src-address=192.168.0.0/16
add chain=input comment="Accept WinBox from internal WiFi network" dst-port=\
    8291 protocol=tcp src-address=10.0.0.0/8
# NOTE(review): WinBox is accepted from the WAN interface with no source
# restriction; limiting it to a src-address / src-address-list or reaching it
# over VPN would reduce the router's exposure.
add chain=input comment="Accept WinBox from WAN" dst-port=8291 in-interface=\
    "ether11 - Inet" protocol=tcp
# ICMP to the router itself: above the dst-limit (3/s, burst 5, per source
# address) the packet is rejected; otherwise it is accepted by the next rule.
add action=reject chain=input comment="Reject ICMP over 3 packets per second" \
    dst-limit=3,5,src-address protocol=icmp reject-with=icmp-admin-prohibited
add chain=input comment="Accept ICMP" protocol=icmp
# DNS to the router from every interface except the WAN.
# NOTE(review): the "!" sits inside the quotes ("!ether11 - Inet"); confirm
# RouterOS parses this as interface negation and not as a literal name.
add chain=input comment="Accept IN DNS (TCP)" dst-port=53 in-interface=\
    "!ether11 - Inet" protocol=tcp
add chain=input comment="Accept IN DNS (UDP)" dst-port=53 in-interface=\
    "!ether11 - Inet" protocol=udp
# Internal networks towards the WAN.
add chain=forward comment="Accept FW from internal wired network to DMZ" \
    out-interface="ether11 - Inet" src-address=192.168.0.0/16
add chain=forward comment="Accept FW from WiFi to DMZ" out-interface=\
    "ether11 - Inet" src-address=10.0.0.0/8
add chain=forward comment="Accept FW from TechOp to DMZ" out-interface=\
    "ether11 - Inet" src-address=172.16.0.0/16
# Traffic between internal networks. 192.168.0.0/16 already covers both
# 192.168.0.0/24 and 192.168.1.0/24, so "Accept from wired to TechOp" applies
# to both wired LANs; the two "wired networks" rules allow traffic between them.
# NOTE(review): nothing in this chain treats 192.168.1.0/24 differently from
# 192.168.0.0/24 on the way to 172.16.0.0/16, so the asymmetry described in the
# post is presumably caused elsewhere (routes / return path on the 172.16 side).
add chain=forward comment="Accept from WiFi to wired" dst-address=\
    192.168.0.0/16 src-address=10.0.0.0/8
add chain=forward comment="Accept from WiFi to TechOp" dst-address=\
    172.16.0.0/16 src-address=10.0.0.0/8
add chain=forward comment="Accept from wired to WiFi" dst-address=10.0.0.0/8 \
    src-address=192.168.0.0/16
add chain=forward comment="Accept from wired to TechOp" dst-address=\
    172.16.0.0/16 src-address=192.168.0.0/16
add chain=forward comment="Accept FW wired networks #0" dst-address=\
    192.168.1.0/24 src-address=192.168.0.0/24
add chain=forward comment="Accept FW wired networks #1" dst-address=\
    192.168.0.0/24 src-address=192.168.1.0/24
# Services reachable from the WAN; presumably paired with the dst-nat rules in
# /ip firewall nat (dst-port is matched after dst-nat has rewritten it).
add chain=forward comment="Accept SSH FW from DMZ (port 22)" dst-port=22 \
    in-interface="ether11 - Inet" protocol=tcp
add chain=forward comment="Accept deluge Web UI FW from DMZ (port 8112)" \
    dst-port=8112 in-interface="ether11 - Inet" protocol=tcp
add chain=forward comment="Accept HTTPS FW from DMZ (port 443)" dst-port=443 \
    in-interface="ether11 - Inet" protocol=tcp
# NTP: to the router (any interface) and forwarded out to the WAN.
add chain=input comment="Accept NTP IN" dst-port=123 protocol=udp
add chain=forward comment="Accept NTP FW" dst-port=123 out-interface=\
    "ether11 - Inet" protocol=udp
# NOTE(review): SMB (445) and NetBIOS (137-139) are accepted from the WAN with
# no source restriction; these protocols are a frequent exposure point, the
# usual mitigation is a source restriction or access over VPN.
add chain=forward comment="Accept FW SMB over TCP (microsoft-ds)" dst-port=\
    445 in-interface="ether11 - Inet" protocol=tcp
add chain=forward comment="Accept FW NetBIOS sesion (netbios-ssn)" dst-port=\
    139 in-interface="ether11 - Inet" protocol=tcp
add chain=forward comment="Accept FW NetBIOS Name Service (netbios-ns)" \
    dst-port=137 in-interface="ether11 - Inet" protocol=udp
add chain=forward comment="Accept FW NetBIOS Datagram (netbios-dgm)" \
    dst-port=138 in-interface="ether11 - Inet" protocol=udp
# WAN packets that reached this point matched no accept rule above: record the
# source address for 1h (feeds the early drop rules), then fall through.
add action=add-src-to-address-list address-list=intruders_in \
    address-list-timeout=1h chain=input comment="Store intruder IN from DMZ" \
    in-interface="ether11 - Inet"
add action=add-src-to-address-list address-list=intruders_fw \
    address-list-timeout=1h chain=forward comment=\
    "Store intruder FW from DMZ" in-interface="ether11 - Inet"
# Default policy for input and forward: reject with ICMP admin-prohibited.
add action=reject chain=input comment="Reject IN" reject-with=\
    icmp-admin-prohibited
add action=reject chain=forward comment="Reject FW" reject-with=\
    icmp-admin-prohibited



/ip firewall nat
# NAT table of the RB1100. dstnat runs before routing and the filter forward
# chain; srcnat runs after routing. "ether11 - Inet" is the WAN interface.
# NOTE(review): the six "Proxy dstnat" rules below carry no action=, so the
# RouterOS default action (accept) applies and dstnat processing simply ends
# for matching inter-network TCP; to-addresses/to-ports only take effect with
# action=dst-nat or netmap. Presumably a redirect to a proxy at 10.0.0.1:8080
# was intended -- confirm the intent before changing them.
add chain=dstnat comment="Proxy dstnat from WiFi to TechOp" dst-address=\
    172.16.0.0/16 protocol=tcp src-address=10.0.0.0/8 to-addresses=10.0.0.1 \
    to-ports=8080
add chain=dstnat comment="Proxy dstnat from WiFi to Wired" dst-address=\
    192.168.0.0/16 protocol=tcp src-address=10.0.0.0/8 to-addresses=10.0.0.1 \
    to-ports=8080
add chain=dstnat comment="Proxy dstnat from TechOp to WiFi" dst-address=\
    10.0.0.0/8 protocol=tcp src-address=172.16.0.0/16 to-addresses=10.0.0.1 \
    to-ports=8080
add chain=dstnat comment="Proxy dstnat from TechOp to Wired" dst-address=\
    192.168.0.0/16 protocol=tcp src-address=172.16.0.0/16 to-addresses=\
    10.0.0.1 to-ports=8080
add chain=dstnat comment="Proxy dstnat from Wired to WiFi" dst-address=\
    10.0.0.0/8 protocol=tcp src-address=192.168.0.0/16 to-addresses=10.0.0.1 \
    to-ports=8080
add chain=dstnat comment="Proxy dstnat from Wired to TechOp" dst-address=\
    172.16.0.0/16 protocol=tcp src-address=192.168.0.0/16 to-addresses=\
    10.0.0.1 to-ports=8080
# Source NAT to the WAN address for the three internal ranges. Only traffic
# leaving through the WAN is masqueraded; inter-LAN traffic keeps its source.
add action=masquerade chain=srcnat comment="Masquerade for internal network" \
    out-interface="ether11 - Inet" src-address=192.168.0.0/16
add action=masquerade chain=srcnat comment="Masquerade for WiFi" \
    out-interface="ether11 - Inet" src-address=10.0.0.0/8
add action=masquerade chain=srcnat comment="Masquerade for TechOp" \
    out-interface="ether11 - Inet" src-address=172.16.0.0/16
# Port forwards from the WAN: Turris at 172.16.0.100 (8080->80, 8888->443) and
# the Raspberry Pi at 192.168.0.100 (22, 445, 8112). The matching forward-chain
# accept rules live in /ip firewall filter.
# NOTE(review): forwarding SSH (22) and SMB (445) to 192.168.0.100 exposes both
# services to the whole Internet; restricting the source or using VPN access
# is the usual mitigation.
add action=dst-nat chain=dstnat comment="Dst NAT TCP 8080 > 80  for Turris" \
    dst-port=8080 in-interface="ether11 - Inet" protocol=tcp to-addresses=\
    172.16.0.100 to-ports=80
add action=dst-nat chain=dstnat comment="Dst NAT TCP 8888 > 443  for Turris" \
    dst-port=8888 in-interface="ether11 - Inet" protocol=tcp to-addresses=\
    172.16.0.100 to-ports=443
add action=dst-nat chain=dstnat comment="Pospa Pi port 22" dst-port=22 \
    in-interface="ether11 - Inet" protocol=tcp to-addresses=192.168.0.100 \
    to-ports=22
# No to-ports here: the destination port (445) is kept.
add action=dst-nat chain=dstnat comment=\
    "SMB over TCP to Raspberry Pi (microsoft-ds)" dst-port=445 in-interface=\
    "ether11 - Inet" protocol=tcp to-addresses=192.168.0.100
add action=dst-nat chain=dstnat comment=\
    "Dst NAT deluge Web UI on Raspberry Pi" dst-port=8112 in-interface=\
    "ether11 - Inet" protocol=tcp to-addresses=192.168.0.100 to-ports=8112
Jan Pospíšil aka -<{Pospa}>-