Multi-WAN and routing on Mikrotik RouterOS

Introduction

Writing this article was prompted, vanity aside, by the depressing frequency of questions on this topic in the specialist groups of the Russian-speaking Telegram community. The article is aimed at novice Mikrotik RouterOS (hereafter ROS) administrators. It deals only with multi-WAN, with the emphasis on routing. As a bonus, it includes the minimal settings that make operation safe and convenient. Those looking for coverage of queues, load balancing, VLANs, bridges, multi-stage deep analysis of channel state and the like can save themselves the time and effort of reading.

Initial data

A five-port Mikrotik router with ROS version 6.45.3 was chosen as the test subject. It will route traffic between two local networks (LAN1 and LAN2) and three providers (ISP1, ISP2, ISP3). The channel to ISP1 has a "grey" static address, ISP2 a "white" one obtained via DHCP, ISP3 a "white" one with PPPoE authorization. The connection diagram is shown in the figure:

(Figure: connection diagram of the router, LAN1/LAN2 and ISP1, ISP2, ISP3)

The task is to configure the MTK router according to the diagram so that:

  1. Automatic switching to a backup provider is provided. The main provider is ISP2, the first backup is ISP1, the second backup is ISP3.
  2. Local network LAN1 is given access to the Internet via ISP1 only.
  3. Traffic from the local networks can be routed to the Internet via a chosen provider according to an address list.
  4. Services from the local network can be published to the Internet (DSTNAT).
  5. A firewall filter is configured that provides minimal security from the Internet.
  6. The router can send its own traffic through any of the three providers, depending on the chosen source address.
  7. Reply packets are guaranteed to leave through the channel they arrived on (including the LAN).

Note. We will configure the router "from scratch" to rule out surprises in the initial "out of the box" settings, which change from version to version. Winbox was chosen as the configuration tool, where the changes will be displayed visually. The settings themselves will be entered as commands in the Winbox terminal. The physical connection for configuration is a direct cable to the ether5 interface.

A little reasoning about what multi-WAN is, whether it is a problem at all, or whether clever people are just weaving conspiracy theories around it.

An inquisitive and attentive admin who has configured this or a similar scheme on his own suddenly notices that it works normally anyway. Yes, yes, without those custom routing tables and other route rules that most articles on the topic are full of. Shall we check?

Can we configure addressing on the interfaces and default gateways? Yes:

On ISP1 the address is configured and a gateway with distance=2 and check-gateway=ping.
On ISP2 there are the DHCP client settings, so the distance will be equal to one.
On ISP3, in the PPPoE client settings, add-default-route=yes and default-route-distance=3.

Don't forget to configure NAT on the way out:

/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN

As a result, users of the local networks happily download cats through the main provider ISP2, and channel reservation is in place thanks to the check-gateway mechanism. See note 1.

Item 1 of the task is done. Where is the multi-WAN with its marks? Nowhere...

Next. Clients from LAN have to be sent out via ISP1:

/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS \
    passthrough=yes route-dst=100.66.66.1 src-address-list=Via_ISP1
/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS \
    passthrough=no route-dst=100.66.66.1 src-address=192.168.88.0/24

Items 2 and 3 of the task are done. Marks, tables, route rules, where are you?!

Need to give clients from the Internet access to your favourite OpenVPN server with the address 172.17.17.17? Please:

/ip cloud set ddns-enabled=yes

As the peer address, we give the client the output of: ":put [/ip cloud get dns-name]"

We configure port forwarding from the Internet:

/ip firewall nat add action=dst-nat chain=dstnat dst-port=1194
in-interface-list=WAN protocol=udp to-addresses=172.17.17.17

Item 4 is ready.

We set up a firewall and the other security measures for item 5, at the same time rejoicing that everything already works for the users, and go to the fridge for a favourite drink...
Oh! The tunnels were forgotten.

The l2tp-client, configured according to an article from Google, has come up to your favourite Dutch VDS? Yes.
The l2tp-server with IPsec is up and clients connect by the DNS name from IP Cloud (see above)? Yes.
Leaning back in the chair, sipping the drink, we lazily consider items 6 and 7 of the task. We think: do we need this? Everything works the same anyway (c)... So, if it is not needed, then that's it. Multi-WAN is implemented.

What is multi-WAN? It is connecting several Internet channels to one router.

You can stop reading the article here, because what else is in it besides showing off things of dubious applicability?

For the rest, those who are interested in items 6 and 7 of the task and who also feel the pangs of perfectionism, we dive deeper.

The most important task in implementing multi-WAN is correct traffic routing. Namely: regardless of which ISP channel (or channels, see note 3) the default route on our router points at, the reply must go back exactly to the channel the packet arrived on. The task is clear. Where is the problem? Indeed, in a simple local network the task is the same, but nobody bothers with extra settings and nobody has any trouble. The difference is that any routable node on the Internet is reachable through each of our channels, not through one strictly defined channel, as in a simple LAN. And the "trouble" is that if a request arrives for the IP address of ISP3, then in our case the reply will leave through the ISP2 channel, because the default gateway points there. It will leave and be discarded by the provider as invalid. The problem is identified. How do we solve it?

The solution is divided into three stages:

  1. Preliminary setup. At this stage the basic router settings are configured: the local network, the firewall, address lists, hairpin NAT, etc.
  2. Multi-WAN. At this stage the required connections are marked and sorted into routing tables.
  3. Connecting to the ISPs. At this stage the interfaces providing the Internet connection are configured, and routing and the Internet channel reservation mechanism are activated.

1. Preliminary setup

1.1. Clear the router configuration with the command:

/system reset-configuration skip-backup=yes no-defaults=yes

agree to "Dangerous! Reset anyway? [y/N]:" and, after the reboot, connect with Winbox by MAC. At this stage the configuration and the user database are cleared.

1.2. Create a new user:

/user add group=full name=knight password=ultrasecret comment="Not horse"

log in under it and delete the default one:

/user remove admin

Note. Removing, rather than disabling, the default user is considered by the author to be safer and is recommended.

1.3. Create the basic interface lists for convenient work in the firewall, discovery settings and other MAC servers:

/interface list add name=WAN comment="For Internet"
/interface list add name=LAN comment="For Local Area"

Label the interfaces with comments:

/interface ethernet set ether1 comment="to ISP1"
/interface ethernet set ether2 comment="to ISP2"
/interface ethernet set ether3 comment="to ISP3"
/interface ethernet set ether4 comment="to LAN1"
/interface ethernet set ether5 comment="to LAN2"

and fill the interface lists:

/interface list member add interface=ether1 list=WAN comment=ISP1
/interface list member add interface=ether2 list=WAN comment=ISP2 
/interface list member add interface=ether3 list=WAN comment="to ISP3"
/interface list member add interface=ether4 list=LAN  comment="LAN1"
/interface list member add interface=ether5 list=LAN  comment="LAN2"

Note. Writing clear comments is worth the time spent on them; they greatly simplify troubleshooting and understanding the configuration.

The author considers it necessary, for security reasons, to add the ether3 interface to the "WAN" interface list, even though the IP protocol will not run over it.

Don't forget that after PPP comes up on ether3, it must also be added to the "WAN" interface list.

1.4. Hide the router from discovery and MAC-level management from the provider networks:

/ip neighbor discovery-settings set discover-interface-list=!WAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

1.5. Create the minimal sufficient set of firewall filter rules to protect the router:

/ip firewall filter add action=accept chain=input comment="Related Established Untracked Allow" \
    connection-state=established,related,untracked

(The rule permits established and related connections initiated both from the connected networks and by the router itself)

/ip firewall filter add action=accept chain=input comment="ICMP from ALL" protocol=icmp

(Ping, and not only ping: all ICMP is allowed. Very useful for finding MTU problems)

/ip firewall filter add action=drop chain=input comment="All other WAN Drop" in-interface-list=WAN

(The rule closing the input chain forbids everything else coming from the Internet)

/ip firewall filter add action=accept chain=forward \
    comment="Established, Related, Untracked allow" \
    connection-state=established,related,untracked

(The rule allows established and related connections passing through the router)

/ip firewall filter add action=drop chain=forward comment="Invalid drop" connection-state=invalid

(The rule drops connections with connection-state=invalid passing through the router. Strongly recommended by Mikrotik, but in some rare situations it can block useful traffic)

/ip firewall filter add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

(The rule forbids packets that arrived from the Internet and did not pass the dstnat procedure from passing through the router. This hides the local networks from intruders who, being in the same broadcast domain as our external networks, configure our external IP as their gateway and thereby try to "explore" our local networks.)

Note. We assume that networks LAN1 and LAN2 are trusted and that traffic between them and from them is not filtered.

1.6. Create an address list of non-routable networks:

/ip firewall address-list
add address=0.0.0.0/8 comment="\"This\" Network" list=BOGONS
add address=10.0.0.0/8 comment="Private-Use Networks" list=BOGONS
add address=100.64.0.0/10 comment="Shared Address Space. RFC 6598" list=BOGONS
add address=127.0.0.0/8 comment=Loopback list=BOGONS
add address=169.254.0.0/16 comment="Link Local" list=BOGONS
add address=172.16.0.0/12 comment="Private-Use Networks" list=BOGONS
add address=192.0.0.0/24 comment="IETF Protocol Assignments" list=BOGONS
add address=192.0.2.0/24 comment=TEST-NET-1 list=BOGONS
add address=192.168.0.0/16 comment="Private-Use Networks" list=BOGONS
add address=198.18.0.0/15 comment="Network Interconnect Device Benchmark Testing" list=BOGONS
add address=198.51.100.0/24 comment=TEST-NET-2 list=BOGONS
add address=203.0.113.0/24 comment=TEST-NET-3 list=BOGONS
add address=224.0.0.0/4 comment=Multicast list=BOGONS
add address=192.88.99.0/24 comment="6to4 Relay Anycast" list=BOGONS
add address=240.0.0.0/4 comment="Reserved for Future Use" list=BOGONS
add address=255.255.255.255 comment="Limited Broadcast" list=BOGONS

(This is a list of addresses and networks that are not routed to the Internet; traffic to them will be treated accordingly.)

Note. The list may change, so I advise checking that it is still current.

1.7. Configure DNS for the router itself:

/ip dns set servers=1.1.1.1,8.8.8.8

Note. In the current version of ROS, dynamic servers take priority over static ones. A name resolution request is sent to the first server in the list. Switching to the next server happens only when the current one is unavailable. The timeout is large, more than 5 seconds. Switching back when the "fallen" server comes up again does not happen automatically. Given this algorithm and the presence of multi-WAN, the author recommends not using the servers handed out by the providers.

1.8. Configure the local network.
1.8.1. Configure static IP addresses on the LAN interfaces:

/ip address add interface=ether4 address=192.168.88.254/24 comment="LAN1 IP"
/ip address add interface=ether5 address=172.16.1.0/23 comment="LAN2 IP"

1.8.2. Set route rules for the routes to our local networks via the main routing table:

/ip route rule add dst-address=192.168.88.0/24 table=main comment="to LAN1"
/ip route rule add dst-address=172.16.0.0/23 table=main comment="to LAN2"

Note. This is one of the quick and simple ways to reach LAN addresses with a source of one of the router's external IP addresses that would otherwise not follow the default route.

1.8.3. Enable hairpin NAT for LAN1 and LAN2:

/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN1" \
    out-interface=ether4 src-address=192.168.88.0/24 to-addresses=192.168.88.254
/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN2" \
    out-interface=ether5 src-address=172.16.0.0/23 to-addresses=172.16.1.0

Note. This lets you reach your own published resources (dstnat) via the external IP while inside the network.

2. Actually, the implementation of the truly correct multi-WAN

To solve the "reply where you were asked from" problem, we will use two ROS tools: connection mark and routing mark. A connection mark lets you mark the desired connection and then use that mark as a condition for applying a routing mark. And a routing mark can then be used in ip route and route rules. We have settled on the tools; now we need to decide which connections to mark (one) and where to mark them (two).

With the first, everything is simple: we need to mark all connections that come to the router from the Internet through the corresponding channel. In our case that is three marks (one per channel): "conn_isp1", "conn_isp2" and "conn_isp3".

The nuance with the second is that incoming connections are of two kinds: transit, and those intended for the router itself. The connection marking mechanism works in the mangle table. Consider the movement of a packet in a simplified diagram, kindly compiled by the specialists of the mikrotik-trainings.com resource (not an advertisement):

(Figure: simplified RouterOS packet flow diagram from mikrotik-trainings.com)

Following the arrows, we see that the packet arrives at "Input Interface", passes through the "Prerouting" chain, and only then is split into transit and local in the "Routing Decision" block. Therefore, to kill two birds with one stone, we use Connection Mark in the Mangle table, Prerouting chain.

Note. In ROS, "Routing mark" labels are listed as "Table" in the Ip/Routes/Rules section and as "Routing Mark" in the other sections. This may cause some confusion, but in fact it is the same thing and is the analogue of rt_tables in iproute2 on Linux.

2.1. Mark incoming connections from each provider:

/ip firewall mangle add action=mark-connection chain=prerouting \
    comment="Connmark in from ISP1" connection-mark=no-mark in-interface=ether1 new-connection-mark=conn_isp1 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting \
    comment="Connmark in from ISP2" connection-mark=no-mark in-interface=ether2 new-connection-mark=conn_isp2 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting \
    comment="Connmark in from ISP3" connection-mark=no-mark in-interface=pppoe-isp3 new-connection-mark=conn_isp3 passthrough=no

Note. So as not to re-mark connections that are already marked, I use the condition connection-mark=no-mark instead of connection-state=new, because I consider it more correct, and also because I chose not to drop invalid connections in the input filter.

passthrough=no, because with this method of implementation re-marking is excluded and, for speed, rule evaluation can be interrupted after the first match.

Keep in mind that we are not yet interfering with routing in any way. So far these are only preparatory steps. The next stage of the implementation is handling the transit traffic that returns over the established connection from the destination in the local network, that is, those packets which (see the diagram) passed through the router along the path:

"Input Interface" => "Prerouting" => "Routing Decision" => "Forward" => "Post Routing" => "Output Interface" and reached their recipient in the local network.

Important! In ROS there is no logical division into external and internal interfaces. If we trace the path of the reply packet on the diagram above, it follows the same logical path as the request:

"Input Interface" => "Prerouting" => "Routing Decision" => "Forward" => "Post Routing" => "Output Interface", only for the request the "Input Interface" is the ISP interface, and for the reply it is the LAN.

2.2. Direct the reply transit traffic to the corresponding routing tables:

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Routemark transit out via ISP1" connection-mark=conn_isp1 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Routemark transit out via ISP2" connection-mark=conn_isp2 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Routemark transit out via ISP3" connection-mark=conn_isp3 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp3 passthrough=no

Note. in-interface-list=!WAN: we work only with traffic from the local network, and dst-address-type=!local: only with traffic whose destination is not one of the router's own addresses.

The same applies to local packets that arrived at the router along the path:

"Input Interface" => "Prerouting" => "Routing Decision" => "Input" => "Local Process"

Important! The reply will travel along the following path:

"Local Process" => "Routing Decision" => "Output" => "Post Routing" => "Output Interface"

2.3. Direct the reply local traffic to the corresponding routing tables:

/ip firewall mangle add action=mark-routing chain=output \
    comment="Routemark local out via ISP1" connection-mark=conn_isp1 dst-address-type=!local \
    new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=output \
    comment="Routemark local out via ISP2" connection-mark=conn_isp2 dst-address-type=!local \
    new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=output \
    comment="Routemark local out via ISP3" connection-mark=conn_isp3 dst-address-type=!local \
    new-routing-mark=to_isp3 passthrough=no

At this point, the preparation for sending a reply to the Internet channel the request came from can be considered complete. Everything is marked, labelled and ready to be routed.
A very useful "side" effect of this configuration is the ability to work with DSTNAT port forwarding from two providers (ISP2, ISP3) at the same time. Not from all of them, because on ISP1 we have a non-routable address. This effect matters, for example, for a mail server with two MX records pointing at different Internet channels.

To eliminate the nuances of local networks working with the router's external IPs, we use the solutions from paragraphs 1.8.2 and 3.1.2.6.

Moreover, the same tool with marks can be used to solve item 3 of the task. We implement it like this:

2.4. Route traffic from local clients in the address lists to the corresponding tables:

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Address List via ISP1" dst-address-list=!BOGONS new-routing-mark=to_isp1 \
    passthrough=no src-address-list=Via_ISP1

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Address List via ISP2" dst-address-list=!BOGONS new-routing-mark=to_isp2 \
    passthrough=no src-address-list=Via_ISP2

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Address List via ISP3" dst-address-list=!BOGONS new-routing-mark=to_isp3 \
    passthrough=no src-address-list=Via_ISP3

As a result, it looks something like this:

(Figure: the resulting mangle rule list in Winbox)

3. Configure the connections to the ISPs and enable the branded routing

3.1. Configure the connection to ISP1:
3.1.1. Configure the static IP address:

/ip address add interface=ether1 address=100.66.66.2/30 comment="ISP1 IP"

3.1.2. Configure static routing:
3.1.2.1. Add an "emergency" default route:

/ip route add comment="Emergency route" distance=254 type=blackhole

Note. This route lets traffic from local processes pass the Routing Decision stage regardless of the link state of any of the providers. The nuance of outgoing local traffic is that for the packet to move anywhere at all, the main routing table must contain an active route to a default gateway. If there is none, the packet is simply destroyed.

As an extension of the check-gateway tool, for a deeper analysis of the channel state, I suggest using the recursive routing method. The essence of the method is that we tell the router to look for the path to its gateway not directly, but through an intermediate gateway. 4.2.2.1, 4.2.2.2 and 4.2.2.3 will serve as such "test" gateways for ISP1, ISP2 and ISP3 respectively.

3.1.2.2. Route to the "verification" address:

/ip route add check-gateway=ping comment="For recursion via ISP1" \
    distance=1 dst-address=4.2.2.1 gateway=100.66.66.1 scope=10

Note. We lower the scope value to the ROS default target-scope so that 4.2.2.1 can later be used as a recursive gateway. I emphasise: the scope of the route to the "verification" address must be less than or equal to the target-scope of the route that will refer to it.

3.1.2.3. Recursive default route for traffic without a routing mark:

/ip route add comment="Unmarked via ISP1" distance=2 gateway=4.2.2.1

Note. The value distance=2 is used because ISP1 is declared the first backup under the terms of the task.

3.1.2.4. Default route for traffic with the routing mark "to_isp1":

/ip route add comment="Marked via ISP1 Main" distance=1 gateway=4.2.2.1 \
    routing-mark=to_isp1

Note. Here, in fact, we begin to enjoy the fruits of the preparatory work done in section 2.

With this route, all traffic carrying the routing mark "to_isp1" will be directed to the first provider's gateway, regardless of which default gateway is currently active in the main table.

3.1.2.5. First backup default routes for traffic marked for ISP2 and ISP3:

/ip route add comment="Marked via ISP2 Backup1" distance=2 gateway=4.2.2.1 \
    routing-mark=to_isp2
/ip route add comment="Marked via ISP3 Backup1" distance=2 gateway=4.2.2.1 \
    routing-mark=to_isp3

Note. These routes are needed, among other things, to reserve traffic from local networks that are members of the "Via_ISP*" address lists.

3.1.2.6. Add the route rule for the router's own traffic to the Internet via ISP1:

/ip route rule add comment="From ISP1 IP to Inet" src-address=100.66.66.2 table=to_isp1

Note. In combination with the rules from paragraph 1.8.2, this gives access to the desired channel with a given source address. This is critical for building tunnels that specify the local-side IP address (EoIP, IP-IP, GRE). Since the rules in ip route rules are evaluated from top to bottom until the first match, this rule must come after the rules from paragraph 1.8.2.

3.1.3. Add the NAT rule for outgoing traffic:

/ip firewall nat add action=src-nat chain=srcnat comment="NAT via ISP1" \
    ipsec-policy=out,none out-interface=ether1 to-addresses=100.66.66.2

Note. We NAT everything going out, except what falls under the IPsec policies. I try not to use action=masquerade unless absolutely necessary. It is slower and more resource-hungry than src-nat, because it computes the NAT address for every new connection.

3.1.4. Send clients from the list that are forbidden to go out via the other providers to the ISP1 provider's gateway:

/ip firewall mangle add action=route chain=prerouting comment="Address List via ISP1 only" \
    dst-address-list=!BOGONS passthrough=no route-dst=100.66.66.1 \
    src-address-list=Via_only_ISP1 place-before=0

Note. action=route has a higher priority and is applied before the other routing rules.

place-before=0 puts our rule first in the list.

3.2. Configure the connection to ISP2.

Since the ISP2 provider gives us the settings via DHCP, it is reasonable to make the necessary changes with a script that runs when the DHCP client is triggered:

/ip dhcp-client
add add-default-route=no disabled=no interface=ether2 use-peer-dns=no use-peer-ntp=no \
    script=":if (\$bound=1) do={\r\
    \n    /ip route add check-gateway=ping comment=\"For recursion via ISP2\" distance=1 \
    dst-address=4.2.2.2/32 gateway=\$\"gateway-address\" scope=10\r\
    \n    /ip route add comment=\"Unmarked via ISP2\" distance=1 gateway=4.2.2.2;\r\
    \n    /ip route add comment=\"Marked via ISP2 Main\" distance=1 gateway=4.2.2.2 \
    routing-mark=to_isp2;\r\
    \n    /ip route add comment=\"Marked via ISP1 Backup1\" distance=2 gateway=4.2.2.2 \
    routing-mark=to_isp1;\r\
    \n    /ip route add comment=\"Marked via ISP3 Backup2\" distance=3 gateway=4.2.2.2 \
    routing-mark=to_isp3;\r\
    \n    /ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none \
    out-interface=\$\"interface\" to-addresses=\$\"lease-address\" comment=\"NAT via ISP2\" \
    place-before=1;\r\
    \n    :if ([/ip route rule find comment=\"From ISP2 IP to Inet\"] = \"\") do={\r\
    \n        /ip route rule add comment=\"From ISP2 IP to Inet\" \
    src-address=\$\"lease-address\" table=to_isp2\r\
    \n    } else={\r\
    \n        /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=no \
    src-address=\$\"lease-address\"\r\
    \n    }\r\
    \n} else={\r\
    \n    /ip firewall nat remove [find comment=\"NAT via ISP2\"];\r\
    \n    /ip route remove [find comment=\"For recursion via ISP2\"];\r\
    \n    /ip route remove [find comment=\"Unmarked via ISP2\"];\r\
    \n    /ip route remove [find comment=\"Marked via ISP2 Main\"];\r\
    \n    /ip route remove [find comment=\"Marked via ISP1 Backup1\"];\r\
    \n    /ip route remove [find comment=\"Marked via ISP3 Backup2\"];\r\
    \n    /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=yes\r\
    \n}\r\
    \n"

The script itself in the Winbox window:

(Figure: the DHCP client script in the Winbox window)

Note. The first part of the script runs when the lease is obtained successfully, the second after the lease is released. See note 2.

3.3. Configure the connection to the ISP3 provider.

Since the provider hands us the settings dynamically, it is reasonable to make the necessary changes with scripts that run after the PPP interface comes up and after it goes down.

3.3.1. First configure the profile:

/ppp profile
add comment="for PPPoE to ISP3" interface-list=WAN name=isp3_client \
    on-down="/ip firewall nat remove [find comment=\"NAT via ISP3\"];\r\
    \n/ip route remove [find comment=\"For recursion via ISP3\"];\r\
    \n/ip route remove [find comment=\"Unmarked via ISP3\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP3 Main\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP1 Backup2\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP2 Backup2\"];\r\
    \n/ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=yes;" \
    on-up="/ip route add check-gateway=ping comment=\"For recursion via ISP3\" distance=1 \
    dst-address=4.2.2.3/32 gateway=\$\"remote-address\" scope=10\r\
    \n/ip route add comment=\"Unmarked via ISP3\" distance=3 gateway=4.2.2.3;\r\
    \n/ip route add comment=\"Marked via ISP3 Main\" distance=1 gateway=4.2.2.3 \
    routing-mark=to_isp3;\r\
    \n/ip route add comment=\"Marked via ISP1 Backup2\" distance=3 gateway=4.2.2.3 \
    routing-mark=to_isp1;\r\
    \n/ip route add comment=\"Marked via ISP2 Backup2\" distance=3 gateway=4.2.2.3 \
    routing-mark=to_isp2;\r\
    \n/ip firewall mangle set [find comment=\"Connmark in from ISP3\"] \
    in-interface=\$\"interface\";\r\
    \n/ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none \
    out-interface=\$\"interface\" to-addresses=\$\"local-address\" comment=\"NAT via ISP3\" \
    place-before=1;\r\
    \n:if ([/ip route rule find comment=\"From ISP3 IP to Inet\"] = \"\") do={\r\
    \n    /ip route rule add comment=\"From ISP3 IP to Inet\" src-address=\$\"local-address\" \
    table=to_isp3\r\
    \n} else={\r\
    \n    /ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=no \
    src-address=\$\"local-address\"\r\
    \n};\r\
    \n"

The script itself in the Winbox window:

(Figure: the PPP profile on-up/on-down scripts in the Winbox window)

Note. The line
/ip firewall mangle set [find comment="Connmark in from ISP3"] in-interface=$"interface";
lets the rule survive a renaming of the interface correctly, because it works with the interface's internal identifier and not its displayed name.

3.3.2. Now, using the profile, create the PPP connection:

/interface pppoe-client add allow=mschap2 comment="to ISP3" disabled=no \
    interface=ether3 name=pppoe-isp3 password=isp3_pass profile=isp3_client user=isp3_client

As a finishing touch, let's set the clock:

/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org
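A quick functional check of the finished configuration, added here as an example and not part of the original article: it pings one public address through each of the three marked routing tables from sections 2 and 3 and logs which tables answer. It assumes the table names to_isp1, to_isp2 and to_isp3 and uses 8.8.8.8 (one of the DNS servers configured in 1.7) as the target; paste it into the terminal or save it as a /system script.

```routeros
# Added example: verify that every marked routing table really reaches the Internet.
# Assumes the routing tables to_isp1..to_isp3 created in sections 2 and 3.
:local target 8.8.8.8
:local probes 3
:foreach tbl in={"to_isp1";"to_isp2";"to_isp3"} do={
    # /ping returns the number of replies received; routing-table forces the route
    # lookup into the marked table instead of main, like a packet carrying that mark
    :local got [/ping $target count=$probes interval=1s routing-table=$tbl]
    :if ($got = $probes) do={
        :log info ("multiwan check: table " . $tbl . " OK, " . $got . "/" . $probes . " replies")
    } else={
        :log warning ("multiwan check: table " . $tbl . " degraded, " . $got . "/" . $probes . " replies")
    }
}
```

A table that logs 0 replies while its provider's link is up usually means the marked default route from section 3 is missing or inactive for that table.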

For those who read to the end

The proposed way of implementing multi-WAN is the author's personal preference and is not the only possible one. The ROS toolkit is extensive and flexible, which on the one hand causes difficulties for beginners and on the other hand is the reason for its popularity. Learn, experiment, discover new tools and solutions. For example, as an application of the knowledge gained, you can replace the check-gateway tool in this multi-WAN implementation with recursive routes with netwatch.
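One way to do the replacement suggested above, as an added example rather than the article's own configuration: netwatch probes the ISP1 "verification" address 4.2.2.1 from section 3.1.2.2 and toggles only the default routes that recurse through it, so the failover also covers the case where the provider's gateway answers pings but nothing behind it does (check-gateway alone only sees the gateway). It assumes the ISP1 routes from section 3.1.2; the blackhole for 4.2.2.1/32 is an added safety net, so that when the check route drops the probe cannot leak out through another provider and report a false "up".

```routeros
# Added example: deeper ISP1 health check with netwatch instead of check-gateway.
# Assumes the ISP1 routes from section 3.1.2 (check route to 4.2.2.1 via 100.66.66.1,
# default routes with gateway=4.2.2.1). Repeat per provider with 4.2.2.2 / 4.2.2.3.

# Safety net: if the check route to 4.2.2.1 goes inactive (link down), the probe must
# not follow the current default gateway through another ISP and succeed by accident.
/ip route
add comment="ISP1 probe sink" distance=10 dst-address=4.2.2.1/32 type=blackhole

# Probe every 10 s. When netwatch declares the host down, disable every default route
# whose gateway is 4.2.2.1 (the unmarked one, the to_isp1 one and the backup routes for
# the other marks) and re-enable them once the probe answers again. The check route
# itself stays enabled; disabling it would blackhole the probe and it could never recover.
/tool netwatch
add host=4.2.2.1 interval=10s timeout=1s comment="Watch ISP1 via 4.2.2.1" \
    down-script=":log warning \"ISP1: 4.2.2.1 unreachable, disabling default routes via 4.2.2.1\"; \
                 /ip route disable [find gateway=4.2.2.1 dst-address=0.0.0.0/0]" \
    up-script=":log info \"ISP1: 4.2.2.1 reachable, enabling default routes via 4.2.2.1\"; \
               /ip route enable [find gateway=4.2.2.1 dst-address=0.0.0.0/0]"
```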

Notes

  1. check-gateway is a mechanism that deactivates a route after two consecutive unsuccessful availability checks of the gateway. The check runs once every 10 seconds, plus the reply timeout. In total, the actual switchover time is in the region of 20-30 seconds. If such a switchover time is not sufficient, there is the option of using the netwatch tool, where the check interval can be set manually. check-gateway does not react to intermittent packet loss on the link.

    Important! Deactivating the main route deactivates all other routes that refer to it. Therefore, specifying check-gateway=ping on them is not necessary.

  2. It happens that the DHCP mechanism fails in a way that looks like the client being stuck in the renewing state. In this case the second part of the script will not run, but this does not prevent traffic from passing correctly, because the state is tracked by the corresponding recursive route.
  3. ECMP (Equal Cost Multi-Path): in ROS it is possible to configure a route with several gateways and the same distance. In this case, connections are distributed across the channels using the round-robin algorithm, in proportion to the number of gateways specified.

For the motivation to write the article, and help in shaping its structure and placing the accents, personal thanks to Evgeny @jscar

Source: www.habr.com