Multi-WAN and routing on Mikrotik RouterOS

Introduction

Apart from being an idle exercise, this article grew out of frustration at the number of questions on this topic in the specialized groups of the Russian-speaking Telegram community. The article is aimed at novice Mikrotik RouterOS (hereafter ROS) administrators. It deals with multi-WAN only, with the focus on routing. As a bonus, there is a minimal set of settings to ensure safe and convenient operation. Those looking for coverage of queues, load balancing, VLANs, bridges, deep multi-stage analysis of channel state and the like may not want to spend time and effort on reading.

Initial data

A five-port Mikrotik router with ROS version 6.45.3 was chosen as the test subject. It will route traffic between two local networks (LAN1 and LAN2) and three providers (ISP1, ISP2, ISP3). The link to ISP1 has a static "grey" address, ISP2 a "white" address obtained via DHCP, and ISP3 a "white" address with PPPoE authorization. The connection diagram is shown in the figure:

[Figure: connection diagram of the router, LAN1, LAN2 and the three ISPs]

The task is to configure the MTK router according to the diagram so as to:

  1. Provide automatic switching to a backup provider. The main provider is ISP2, the first backup is ISP1, the second backup is ISP3.
  2. Route the LAN1 network to the Internet only via ISP1.
  3. Provide the ability to route traffic from the local networks to the Internet via a chosen provider based on an address list.
  4. Provide the ability to publish services from the local network to the Internet (DSTNAT).
  5. Configure a firewall filter to provide minimal security from the Internet.
  6. The router must be able to send its own traffic via any of the three providers, depending on the chosen source address.
  7. Ensure that response packets are routed to the channel they came from (including LAN).

Note. We will configure the router "from scratch" to guarantee there are no surprises from the "out of the box" starting settings, which change from version to version. Winbox was chosen as the configuration tool, where the changes will be shown visually. The settings themselves will be entered as commands in the Winbox Terminal. The physical connection for configuration is a direct connection to the Ether5 interface.

A few thoughts on what multi-WAN is, whether it is a problem at all, or whether the clever folks around are just weaving webs of intrigue

An inquisitive and attentive administrator who has set up such a scheme, or something like it, on his own suddenly realizes that it works just fine as it is. Yes, yes, without those custom routing tables and other routing rules that most articles on this topic are full of. Shall we check?

Can we configure addresses on the interfaces and default gateways? Yes:

On ISP1, the address and gateway are registered with distance=2 and check-gateway=ping.
On ISP2, the default dhcp-client settings, so the distance will be equal to one.
On ISP3, in the pppoe-client settings with add-default-route=yes, set default-route-distance=3.

Don't forget to register NAT on the outgoing interfaces:

/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN

As a result, users of the local networks happily download cats via the main provider ISP2, and there is channel backup using the check-gateway mechanism. See note 1.

Point 1 of the task is done. Where is the multi-WAN with its marks? No…

Next. You need to send specific clients from the LAN out via ISP1:

/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS \
    passthrough=yes route-dst=100.66.66.1 src-address-list=Via_ISP1
/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS \
    passthrough=no route-dst=100.66.66.1 src-address=192.168.88.0/24

Points 2 and 3 of the task are done. Labels, marks, route rules, where are you?!

Need to give clients from the Internet access to your favorite OpenVPN server at address 172.17.17.17? Please:

/ip cloud set ddns-enabled=yes

As the peer, we give the client the output of: ":put [/ip cloud get dns-name]"

We register the port forwarding from the Internet:

/ip firewall nat add action=dst-nat chain=dstnat dst-port=1194 \
    in-interface-list=WAN protocol=udp to-addresses=172.17.17.17

Point 4 is ready.

We set up the firewall and other security for point 5, rejoicing at the same time that everything works for the users, and reach for the box with our favorite drink…
Ah! Forgot about the tunnels.

Did the l2tp-client, configured per a googled article, come up to your favorite Dutch VDS? Yes.
Did the l2tp-server with IPsec come up, and do clients connect by the DNS name from IP Cloud (see above)? Yes.
Leaning back in the chair, sipping the drink, we consider points 6 and 7 of the task. We think: do we need it? It works like this anyway (c)… So, if it is not required yet, that's it. Multi-WAN implemented.

What is multi-WAN? It is connecting several Internet channels to one router.

You don't have to read the article any further, because what else could there be in it besides dubious showing off?

For those who remain, who are interested in points 6 and 7 of the task and feel the itch of perfectionism, we dive deeper.

The most important task of implementing multi-WAN is correct traffic routing. Namely: regardless of which (or which ones, see note 3) ISP channel(s) the default route on our router looks through, it should return the response via exactly the channel the packet came from. The task is clear. Where is the problem? Indeed, in a simple local network the task is the same, but nobody bothers with additional configuration and doesn't feel any problem. The difference is that any routable node on the Internet is reachable via each of our channels, not via one strictly defined one, as in a simple LAN. And the "problem" is that if a request arrives at us for the IP address of ISP3, then in our case the response would go via the ISP2 channel, since the default gateway is configured there. It will leave and be discarded by the provider as incorrect. The problem is identified. How to solve it?

The solution is divided into three stages:

  1. Preparation. At this stage, the basic settings of the router will be set: local network, firewall, address lists, hairpin NAT, etc.
  2. Multi-WAN. At this stage, the necessary connections will be marked and sorted into routing tables.
  3. Connecting to the ISPs. At this stage, the interfaces providing the connection to the Internet will be configured, routing will be enabled, and Internet channel backup will be activated.

1. Preparation

1.1. Clear the router configuration with the command:

/system reset-configuration skip-backup=yes no-defaults=yes

accept "Dangerous! Reset anyway? [y/N]:" and, after the reboot, connect with Winbox via MAC. At this stage, the configuration and the user database are cleared.

1.2. Create a new user:

/user add group=full name=knight password=ultrasecret comment="Not horse"

log in under it and delete the old one:

/user remove admin

Note. The author considers removing, rather than disabling, the old user to be safer and recommends doing so.

1.3. Create basic interface lists for convenient work in the firewall, discovery settings and MAC server:

/interface list add name=WAN comment="For Internet"
/interface list add name=LAN comment="For Local Area"

Sign the interfaces with comments

/interface ethernet set ether1 comment="to ISP1"
/interface ethernet set ether2 comment="to ISP2"
/interface ethernet set ether3 comment="to ISP3"
/interface ethernet set ether4 comment="to LAN1"
/interface ethernet set ether5 comment="to LAN2"

and fill in the interface lists:

/interface list member add interface=ether1 list=WAN comment=ISP1
/interface list member add interface=ether2 list=WAN comment=ISP2 
/interface list member add interface=ether3 list=WAN comment="to ISP3"
/interface list member add interface=ether4 list=LAN  comment="LAN1"
/interface list member add interface=ether5 list=LAN  comment="LAN2"

Note. Writing understandable comments is worth the time spent on it, and makes troubleshooting and understanding the configuration much easier.

The author considers it necessary, for security reasons, to add the ether3 interface to the "WAN" interface list, even though the ip protocol will not run over it.

Don't forget that after the PPP interface on ether3 is brought up, it will also need to be added to the "WAN" interface list.

1.4. Hide the router from neighbor discovery and from management via MAC from the networks:

/ip neighbor discovery-settings set discover-interface-list=!WAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

1.5. Create a minimum sufficient set of firewall filter rules to protect the router:

/ip firewall filter add action=accept chain=input comment="Related Established Untracked Allow" \
    connection-state=established,related,untracked

(The rule allows established and related connections initiated from the networks connected to the router and from the router itself)

/ip firewall filter add action=accept chain=input comment="ICMP from ALL" protocol=icmp

(ping, and not only ping. All inbound icmp is allowed. Very useful for finding MTU problems)

/ip firewall filter add action=drop chain=input comment="All other WAN Drop" in-interface-list=WAN

(the rule closing the input chain prohibits everything else that comes from the Internet)

/ip firewall filter add action=accept chain=forward \
    comment="Established, Related, Untracked allow" \
    connection-state=established,related,untracked

(The rule allows established and related connections passing through the router)

/ip firewall filter add action=drop chain=forward comment="Invalid drop" connection-state=invalid

(the rule drops connections with connection-state=invalid passing through the router. Strongly recommended by Mikrotik, but in some rare cases it can block useful traffic)

/ip firewall filter add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

(the rule prohibits packets coming from the Internet that have not passed through the dstnat procedure from passing through the router. This protects the local networks from intruders who, being in the same broadcast domain as our external networks, register our external IPs as their gateway and thus try to "explore" our local networks.)

Note. We assume that the LAN1 and LAN2 networks are trusted and that traffic between them and from them is not filtered.

1.6. Create a list of the networks that are not routable (bogons):

/ip firewall address-list
add address=0.0.0.0/8 comment="\"This\" Network" list=BOGONS
add address=10.0.0.0/8 comment="Private-Use Networks" list=BOGONS
add address=100.64.0.0/10 comment="Shared Address Space. RFC 6598" list=BOGONS
add address=127.0.0.0/8 comment=Loopback list=BOGONS
add address=169.254.0.0/16 comment="Link Local" list=BOGONS
add address=172.16.0.0/12 comment="Private-Use Networks" list=BOGONS
add address=192.0.0.0/24 comment="IETF Protocol Assignments" list=BOGONS
add address=192.0.2.0/24 comment=TEST-NET-1 list=BOGONS
add address=192.168.0.0/16 comment="Private-Use Networks" list=BOGONS
add address=198.18.0.0/15 comment="Network Interconnect Device Benchmark Testing" \
    list=BOGONS
add address=198.51.100.0/24 comment=TEST-NET-2 list=BOGONS
add address=203.0.113.0/24 comment=TEST-NET-3 list=BOGONS
add address=224.0.0.0/4 comment=Multicast list=BOGONS
add address=192.88.99.0/24 comment="6to4 Relay Anycast" list=BOGONS
add address=240.0.0.0/4 comment="Reserved for Future Use" list=BOGONS
add address=255.255.255.255 comment="Limited Broadcast" list=BOGONS

(This is a list of addresses and networks that are not routable on the Internet and will be handled accordingly.)

Note. The list is subject to change, so I recommend checking its relevance periodically.

1.7. Set up DNS for the router itself:

/ip dns set servers=1.1.1.1,8.8.8.8

Note. In the current ROS version, dynamic servers take priority over static ones. A name resolution request is sent to the first server in the list. Switching to the next server happens when the current one is unavailable. The timeout is large, more than 5 seconds. Falling back when the "dropped" server is restored does not happen automatically. Given this algorithm and the presence of multi-WAN, the author recommends not using the servers provided by the providers.

1.8. Set up the local network.
1.8.1. Set static IP addresses on the LAN interfaces:

/ip address add interface=ether4 address=192.168.88.254/24 comment="LAN1 IP"
/ip address add interface=ether5 address=172.16.1.0/23 comment="LAN2 IP"

1.8.2. Set rules for the routes to the local networks via the main routing table:

/ip route rule add dst-address=192.168.88.0/24 table=main comment="to LAN1"
/ip route rule add dst-address=172.16.0.0/23 table=main comment="to LAN2"

Note. This is one of the quickest and simplest ways to get access to the LAN addresses with the source addresses of the router's external interfaces that did not pass through the corresponding table.

1.8.3. Enable Hairpin NAT for LAN1 and LAN2:

/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN1" \
    out-interface=ether4 src-address=192.168.88.0/24 to-addresses=192.168.88.254
/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN2" \
    out-interface=ether5 src-address=172.16.0.0/23 to-addresses=172.16.1.0

Note. This allows you to reach your own resources (dstnat) via the external IP while being inside the network.

2. Actually, the implementation of correct multi-WAN

To solve the "answer where you were asked" problem, we will use two ROS tools: connection mark and routing mark. connection mark allows marking the desired connection and then using this mark as a condition for applying a routing mark. And with a routing mark it is already possible to work in ip route and route rules. We have figured out the tools; now you need to decide which connections to mark (one) and exactly where to mark them (two).

With the first, everything is simple: we must mark all connections coming to the router from the Internet via the corresponding channel. In our case, these will be three marks (by the number of channels): "conn_isp1", "conn_isp2" and "conn_isp3".

The nuance with the second is that incoming connections will be of two kinds: transit, and those destined for the router itself. The connection marking mechanism works in the mangle table. Consider the packet flow on a simplified diagram, kindly drawn by the specialists of mikrotik-trainings.com (not an advertisement):

[Figure: simplified packet flow diagram through the RouterOS firewall]

Following the arrows, we see that the packet arrives at "Input Interface", enters the "Prerouting" chain, and only then is it divided into transit and local in the "Routing Decision" block. Therefore, to kill two birds with one stone, we use Connection Mark in the Mangle table, Prerouting chain.

Note. In ROS, "Routing mark" marks are listed as "Table" in the Ip/Routes/Rules section, and as "Routing Mark" in other sections. This can cause some confusion, but in fact it is the same thing, and it is the analogue of rt_tables in iproute2 on Linux.

2.1. Mark the incoming connections from each of the providers:

/ip firewall mangle add action=mark-connection chain=prerouting \
    comment="Connmark in from ISP1" connection-mark=no-mark in-interface=ether1 new-connection-mark=conn_isp1 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting \
    comment="Connmark in from ISP2" connection-mark=no-mark in-interface=ether2 new-connection-mark=conn_isp2 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting \
    comment="Connmark in from ISP3" connection-mark=no-mark in-interface=pppoe-isp3 new-connection-mark=conn_isp3 passthrough=no

Note. So as not to re-mark an already marked connection, I use the connection-mark=no-mark condition instead of connection-state=new, because I consider it more correct, and also because of the decision not to drop invalid connections in the input filter.

passthrough=no, because in this implementation method re-marking is excluded, and for speed you can interrupt the enumeration of rules after the first match.

It should be remembered that we are not interfering with routing in any way yet. So far there are only preparatory stages. The next stage of the implementation will be handling the transit traffic that returns over an established connection from the destination in the local network. I.e. those packets that (see the diagram) passed through the router along the path:

"Input Interface"=>"Prerouting"=>"Routing Decision"=>"Forward"=>"Post Routing"=>"Output Interface" and reached their destination in the local network.

Important! In ROS there is no logical division into external and internal interfaces. If we trace the path of the response packet according to the diagram above, it will follow the same logical path as the request:

"Input Interface"=>"Prerouting"=>"Routing Decision"=>"Forward"=>"Post Routing"=>"Output Interface", only for the request the "Input Interface" is the ISP interface, and for the response it is the LAN

2.2. Direct the response transit traffic to the corresponding routing tables:

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Routemark transit out via ISP1" connection-mark=conn_isp1 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Routemark transit out via ISP2" connection-mark=conn_isp2 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Routemark transit out via ISP3" connection-mark=conn_isp3 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp3 passthrough=no

Comment. in-interface-list=!WAN: we work only with traffic from the local network, and dst-address-type=!local: traffic whose destination is not the address of one of the router's own interfaces.

The same applies to local packets that came to the router along the path:

"Input Interface"=>"Prerouting"=>"Routing Decision"=>"Input"=>"Local Process"

Important! The response will go like this:

"Local Process"=>"Routing Decision"=>"Output"=>"Post Routing"=>"Output Interface"

2.3. Direct the response local traffic to the corresponding routing tables:

/ip firewall mangle add action=mark-routing chain=output \
    comment="Routemark local out via ISP1" connection-mark=conn_isp1 dst-address-type=!local \
    new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=output \
    comment="Routemark local out via ISP2" connection-mark=conn_isp2 dst-address-type=!local \
    new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=output \
    comment="Routemark local out via ISP3" connection-mark=conn_isp3 dst-address-type=!local \
    new-routing-mark=to_isp3 passthrough=no

At this stage, the task of preparing to send the response to the Internet channel from which the request came can be considered solved. Everything is marked, labeled and ready to be routed.
A nice "side" effect of this setup is the ability to work with DSTNAT port forwarding from both providers (ISP2, ISP3) simultaneously. Not on all of them, since on ISP1 we have a non-routable address. This effect is important, for example, for a mail server with two MX records pointing at different Internet channels.

To eliminate the nuances of the local networks working with the router's external IPs, we use the solutions from paragraphs 1.8.2 and 3.1.2.6.

In addition, you can use the same tool with marks to solve point 3 of the task. We implement it like this:

2.4. Direct traffic from local clients in the routing address lists to the corresponding tables:

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Address List via ISP1" dst-address-list=!BOGONS new-routing-mark=to_isp1 \
    passthrough=no src-address-list=Via_ISP1

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Address List via ISP2" dst-address-list=!BOGONS new-routing-mark=to_isp2 \
    passthrough=no src-address-list=Via_ISP2

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Address List via ISP3" dst-address-list=!BOGONS new-routing-mark=to_isp3 \
    passthrough=no src-address-list=Via_ISP3

As a result, it looks something like this:

[Figure: Winbox screenshot of the resulting mangle rules]
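A diagnostic script, added here and not part of the original article, to run in the Winbox Terminal once the rules of section 2 are in place: for each ISP it reports how many tracked connections carry that channel's connection mark and which routes are currently active in the table selected by its routing mark. It assumes the mark names conn_isp*/to_isp* used above and the route comments used in section 3.

```routeros
# Added diagnostic (not from the article): check that connection marks are
# being assigned and that every routing-mark table has an active route.
:foreach isp in={"isp1";"isp2";"isp3"} do={
    :local connMark ("conn_" . $isp)
    :local routeMark ("to_" . $isp)
    # connections in the tracking table that carry this ISP's connection mark
    :local conns [:len [/ip firewall connection find connection-mark=$connMark]]
    # active routes in the table chosen by this ISP's routing mark
    :local activeRoutes [/ip route find routing-mark=$routeMark active=yes]
    :put ($isp . ": " . $conns . " connection(s) marked " . $connMark . ", " \
        . [:len $activeRoutes] . " active route(s) in table " . $routeMark)
    :foreach r in=$activeRoutes do={
        :put ("    " . [/ip route get $r comment] . " -> gateway " \
            . [/ip route get $r gateway] . ", distance " . [/ip route get $r distance])
    }
    # an empty table means that channel is down or section 3 has not been applied yet
    :if ([:len $activeRoutes] = 0) do={
        :put ("    WARNING: no active route for routing-mark " . $routeMark)
    }
}
```

A channel whose connection count stays at zero while traffic is arriving on it usually means the in-interface in its "Connmark in from ISP*" rule no longer matches the real interface (for example after the PPPoE interface was renamed).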

3. Set up the connections to the ISPs and enable routing by marks

3.1. Set up the connection to ISP1:
3.1.1. Assign a static IP address:

/ip address add interface=ether1 address=100.66.66.2/30 comment="ISP1 IP"

3.1.2. Create static routes:
3.1.2.1. Add a default "emergency" route:

/ip route add comment="Emergency route" distance=254 type=blackhole

Note. This route allows traffic from local processes to pass the Routing Decision stage regardless of the state of the links to any of the providers. The nuance of outgoing local traffic is that, for the packet to move at least somewhere, the main routing table must have an active route to a default gateway. If there isn't one, the packet will simply be destroyed.

As an extension of the check-gateway tool, for deeper analysis of the channel state I suggest using the recursive route method. The essence of the method is that we tell the router to look for the path to its gateway not directly, but via an intermediate gateway. 4.2.2.1, 4.2.2.2 and 4.2.2.3 will be chosen as such "test" gateways for ISP1, ISP2 and ISP3 respectively.

3.1.2.2. Route to the "test" address:

/ip route add check-gateway=ping comment="For recursion via ISP1" \
    distance=1 dst-address=4.2.2.1 gateway=100.66.66.1 scope=10

Note. We reduce the scope value to the default ROS target-scope value in order to use 4.2.2.1 as a recursive gateway later. I emphasize: the scope of the route to the "test" address must be less than or equal to the target-scope of the route that will refer to the test address.

3.1.2.3. Default route for traffic without a routing mark:

/ip route add comment="Unmarked via ISP1" distance=2 gateway=4.2.2.1

Note. The value distance=2 is used because ISP1 is declared the first backup according to the terms of the task.

3.1.2.4. Default route for traffic with the "to_isp1" mark:

/ip route add comment="Marked via ISP1 Main" distance=1 gateway=4.2.2.1 \
    routing-mark=to_isp1

Note. Actually, here we finally begin to enjoy the fruits of the preparatory work done in section 2.

With this route, all traffic with the "to_isp1" mark will be sent to the gateway of the first provider, regardless of which default gateway is active for the main table.

3.1.2.5. First backup recursive route for ISP2- and ISP3-marked traffic:

/ip route add comment="Marked via ISP2 Backup1" distance=2 gateway=4.2.2.1 \
    routing-mark=to_isp2
/ip route add comment="Marked via ISP3 Backup1" distance=2 gateway=4.2.2.1 \
    routing-mark=to_isp3

Note. These routes are needed, among other things, to back up the traffic from the local networks that are in the "to_isp*" address lists.

3.1.2.6. Register the rule for the router's own local traffic to the Internet via ISP1:

/ip route rule add comment="From ISP1 IP to Inet" src-address=100.66.66.2 table=to_isp1

Note. In combination with the rules from paragraph 1.8.2, this allows going out through the desired channel with a given source address. This is critical for building tunnels that specify the local IP address (EoIP, IP-IP, GRE). Since the rules in ip route rules are processed from top to bottom until the first match of conditions, this rule should come after the rules from section 1.8.2.

3.1.3. Register the NAT rule for outgoing traffic:

/ip firewall nat add action=src-nat chain=srcnat comment="NAT via ISP1" \
    ipsec-policy=out,none out-interface=ether1 to-addresses=100.66.66.2

Note. I NAT everything that goes out, except what falls under the IPsec policies. I try not to use action=masquerade unless absolutely necessary. It is slower and more resource-intensive than src-nat, because it calculates the NAT address for each new connection.

3.1.4. Send clients from the list of those who are forbidden to go out via other providers directly to the ISP1 provider's gateway.

/ip firewall mangle add action=route chain=prerouting comment="Address List via ISP1 only" \
    dst-address-list=!BOGONS passthrough=no route-dst=100.66.66.1 \
    src-address-list=Via_only_ISP1 place-before=0

Note. action=route has a higher priority and is applied before the other routing rules.

place-before=0 puts our rule first in the list.

3.2. Set up the connection to ISP2.

Since the ISP2 provider gives us the settings via DHCP, it is reasonable to make the necessary changes with a script that starts when the DHCP client fires:

/ip dhcp-client
add add-default-route=no disabled=no interface=ether2 script=":if (\$bound=1) do={\r\
    \n    /ip route add check-gateway=ping comment=\"For recursion via ISP2\" distance=1 dst-address=4.2.2.2/32 gateway=\$\"gateway-address\" scope=10\r\
    \n    /ip route add comment=\"Unmarked via ISP2\" distance=1 gateway=4.2.2.2;\r\
    \n    /ip route add comment=\"Marked via ISP2 Main\" distance=1 gateway=4.2.2.2 routing-mark=to_isp2;\r\
    \n    /ip route add comment=\"Marked via ISP1 Backup1\" distance=2 gateway=4.2.2.2 routing-mark=to_isp1;\r\
    \n    /ip route add comment=\"Marked via ISP3 Backup2\" distance=3 gateway=4.2.2.2 routing-mark=to_isp3;\r\
    \n    /ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=\$\"interface\" to-addresses=\$\"lease-address\" comment=\"NAT via ISP2\" place-before=1;\r\
    \n    if ([/ip route rule find comment=\"From ISP2 IP to Inet\"] =\"\") do={\r\
    \n        /ip route rule add comment=\"From ISP2 IP to Inet\" src-address=\$\"lease-address\" table=to_isp2 \r\
    \n    } else={\r\
    \n       /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=no src-address=\$\"lease-address\"\r\
    \n    }      \r\
    \n} else={\r\
    \n   /ip firewall nat remove  [find comment=\"NAT via ISP2\"];\r\
    \n   /ip route remove [find comment=\"For recursion via ISP2\"];\r\
    \n   /ip route remove [find comment=\"Unmarked via ISP2\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP2 Main\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP1 Backup1\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP3 Backup2\"];\r\
    \n   /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=yes\r\
    \n}\r\
    \n" use-peer-dns=no use-peer-ntp=no

The script itself in the Winbox window:

[Figure: Winbox screenshot of the DHCP client script]

Note. The first part of the script fires when a lease is successfully obtained, the second after the lease is released. See note 2.

3.3. Set up the connection to the ISP3 provider.

Since the provider gives us the settings dynamically, it is reasonable to make the necessary changes with scripts that run after the ppp interface comes up and after it goes down.

3.3.1. First set up the profile:

/ppp profile
add comment="for PPPoE to ISP3" interface-list=WAN name=isp3_client \
    on-down="/ip firewall nat remove  [find comment=\"NAT via ISP3\"];\r\
    \n/ip route remove [find comment=\"For recursion via ISP3\"];\r\
    \n/ip route remove [find comment=\"Unmarked via ISP3\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP3 Main\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP1 Backup2\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP2 Backup2\"];\r\
    \n/ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=yes;" \
    on-up="/ip route add check-gateway=ping comment=\"For recursion via ISP3\" distance=1 dst-address=4.2.2.3/32 gateway=\$\"remote-address\" scope=10\r\
    \n/ip route add comment=\"Unmarked via ISP3\" distance=3 gateway=4.2.2.3;\r\
    \n/ip route add comment=\"Marked via ISP3 Main\" distance=1 gateway=4.2.2.3 routing-mark=to_isp3;\r\
    \n/ip route add comment=\"Marked via ISP1 Backup2\" distance=3 gateway=4.2.2.3 routing-mark=to_isp1;\r\
    \n/ip route add comment=\"Marked via ISP2 Backup2\" distance=3 gateway=4.2.2.3 routing-mark=to_isp2;\r\
    \n/ip firewall mangle set [find comment=\"Connmark in from ISP3\"] in-interface=\$\"interface\";\r\
    \n/ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=\$\"interface\" to-addresses=\$\"local-address\" comment=\"NAT via ISP3\" place-before=1;\r\
    \nif ([/ip route rule find comment=\"From ISP3 IP to Inet\"] =\"\") do={\r\
    \n   /ip route rule add comment=\"From ISP3 IP to Inet\" src-address=\$\"local-address\" table=to_isp3 \r\
    \n} else={\r\
    \n   /ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=no src-address=\$\"local-address\"\r\
    \n};\r\
    \n"

The script itself in the Winbox window:

[Figure: Winbox screenshot of the PPP profile scripts]

Note. The line
/ip firewall mangle set [find comment="Connmark in from ISP3"] in-interface=$"interface";
allows the interface rename to be handled correctly, since it works with the interface's number and not its displayed name.

3.3.2. Now, using the profile, create the ppp connection:

/interface pppoe-client add allow=mschap2 comment="to ISP3" disabled=no \
    interface=ether3 name=pppoe-isp3 password=isp3_pass profile=isp3_client user=isp3_client

As a final touch, let's set the clock:

/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org

For those who read to the end

The proposed approach to implementing multi-WAN is the author's personal choice and not the only possible one. The ROS toolkit is extensive and flexible, which, on the one hand, causes difficulties for beginners and, on the other hand, is the reason for its popularity. Learn, try, discover new tools and solutions. For example, as an application of the knowledge gained, in this multi-WAN implementation it is possible to replace the check-gateway tool with recursive routes by netwatch.

Notes

  1. check-gateway is a mechanism that allows disabling a route after two consecutive unsuccessful checks of the gateway's availability. The check is performed once every 10 seconds, plus the response timeout. In total, the actual switching time is in the range of 20-30 seconds. If such a switching time is not enough, there is the option of using the netwatch tool, where the timer can be set manually. check-gateway does not fire on periodic packet loss on the link.

    Important! Disabling the primary route will disable all other routes pointing to it. Therefore, there is no need to specify check-gateway=ping for them.

  2. It happens that a failure occurs in the DHCP procedure, which looks like the client getting stuck in the renewing state. In this case, the second part of the script will not work, but this will not prevent traffic from flowing correctly, since the state is tracked by the corresponding recursive route.
  3. ECMP (Equal Cost Multi-Path): in ROS it is possible to set a route with several gateways and the same distance. In this case, connections will be distributed across the channels using a round-robin algorithm, in proportion to the number of specified gateways.

For the incentive to write the article, help in structuring it and placing the accents, thanks to Evgeny @jscar

source: www.habr.com