Routing is the process of finding the best path for forwarding packets over TCP/IP networks. Every device connected to an IPv4 network has a routing process and routing tables.
This article is not a HOWTO. It describes static routing in RouterOS with examples, and I have left out the rest of the configuration (for example, srcnat for Internet access), so understanding it requires some level of knowledge of networks and of RouterOS.
Switching and routing
Switching is the process of forwarding packets within a single Layer 2 segment (Ethernet, ppp, ...). If a device sees that the recipient of a packet is in the same Ethernet segment as itself, it learns the recipient's MAC address with the ARP protocol and sends the packet directly, bypassing the router. A ppp (point-to-point) link can have only two participants, and a packet is always sent to the single address 0xff.
Routing is the process of transferring packets between Layer 2 segments. If a device wants to send a packet whose recipient is outside its Ethernet segment, it consults its routing table and hands the packet to the gateway, which knows where to send the packet next (or does not know, but the original sender is not aware of that).
The simplest way to think of a router is as a device connected to two or more Layer 2 segments that can forward packets between them by choosing the best route from its routing table.
If all of this is clear to you, or you already knew it, read on. For everyone else, I recommend first working through a short but very dense primer.
Routing in RouterOS and PacketFlow
Almost everything related to static routing is in the system package. The routing package adds support for dynamic routing protocols (RIP, OSPF, BGP, MME), route filters and BFD.
The main menu for configuring routing is [IP]->[Route]. More complex setups may need packets to be pre-marked with a routing mark in [IP]->[Firewall]->[Mangle] (the PREROUTING and OUTPUT chains).
There are three places in PacketFlow where a routing decision is made for an IP packet:
- Routing of packets received by the router (Routing Decision 1). At this stage it is decided whether the packet goes to a local process or is forwarded onward to the network. Transit packets pass through this stage.
- Routing of locally generated outgoing packets (Routing Decision 2). Outgoing packets pass through this stage.
- Additional routing for outgoing packets (Routing Adjustment 3): the routing decision can be changed in [Output|Mangle].
- Packet routing in blocks 1 and 2 follows the rules in [IP]->[Route].
- Packet routing in blocks 1, 2 and 3 is affected by the rules in [IP]->[Route]->[Rules].
- Packet routing in blocks 1 and 3 can be influenced from [IP]->[Firewall]->[Mangle].
RIB, FIB, Routing Cache
Routing Information Base
The base into which routes from dynamic routing protocols, routes from ppp and dhcp, static routes and connected routes are collected. This base holds all routes except those filtered out by the administrator.
Conventionally, we can assume that [IP]->[Route] displays the RIB.
Forwarding Information Base
The base into which the best routes from the RIB are collected. All routes in the FIB are active and are used to forward packets. If a route becomes inactive (disabled by the administrator or by the system, or the interface through which the packet would be sent is not active), the route is removed from the FIB.
To make a routing decision, the FIB uses the following information about an IP packet:
- Source address
- Destination address
- Source interface
- Routing mark
- ToS (DSCP)
A packet entering the FIB goes through the following stages:
- Is the packet intended for a local router process?
- Does the packet fall under routing rules or PBR marks?
- If yes, the packet is sent to the specified routing table
- Otherwise the packet is sent to the main table
Conventionally, we can assume that [IP]->[Route Active=yes] displays the FIB.
Routing cache
A route caching mechanism. The router remembers where packets were sent, and if similar packets arrive (for example, from the same connection) they can follow the same route without consulting the FIB. The routing cache is cleared periodically.
RouterOS gives administrators no tools for viewing or managing the Routing Cache, but it can be disabled in [IP]->[Settings].
This mechanism was removed from the Linux kernel as of 3.6, but RouterOS still uses kernel 3.3.5; perhaps the routing cache is one of the reasons.
Adding a route
[IP]->[Route]->[+]
- The subnet for which you want to create a route (default: 0.0.0.0/0)
- The gateway IP address or interface to which the packet is sent (there can be several, see ECMP below)
- Check gateway availability
- Record type
- Distance (metric) of the route
- Routing table
- The IP used as the source of outgoing packets sent via this route (pref-src)
- The purpose of Scope and Target Scope is described at the end of the article.
Route flags
- X - the route is disabled by the administrator (disabled=yes)
- A - the route is active and used to forward packets
- D - the route was added dynamically (BGP, OSPF, RIP, MME, PPP, DHCP, Connected)
- C - the subnet is directly connected to the router
- S - static route
- r,b,o,m - the route was added by one of the dynamic routing protocols
- B,U,P - filtering routes (drop packets instead of forwarding them)
What to specify as the gateway: an IP address or an interface?
The system lets you specify either, but it neither warns you nor gives hints if you do it wrong.
IP address
The gateway address must be reachable at Layer 2. For Ethernet this means the router must have an address from the same subnet on one of its active IP addresses; for ppp the gateway address is set on one of the active interfaces as the network address.
If the Layer 2 reachability condition is not met, the route is considered inactive and is dropped from the FIB.
Interface
Here everything is more complicated, and the router's behaviour depends on the interface type:
- PPP (Async, PPTP, L2TP, SSTP, PPPoE, OpenVPN*) links have two participants, and a packet is always sent to the gateway for forwarding; if the gateway sees that it is the recipient itself, it hands the packet to its local process.
- Ethernet assumes many recipients and will send ARP requests on the interface for the address of the packet's recipient; this is the expected and normal behaviour for connected routes.
But if you try to use an interface as the gateway for a remote subnet, you get the following situation: the route is active, the gateway answers pings, but hosts in the specified subnet are unreachable. If you look at the interface with a sniffer, you will see ARP requests for addresses from the remote subnet.
Try to specify an IP address as the gateway whenever possible. The exceptions are connected routes (created automatically) and PPP (Async, PPTP, L2TP, SSTP, PPPoE, OpenVPN*).
* OpenVPN has no PPP header, but you can use the OpenVPN interface name to create a route.
More specific route
The basic routing rule. The route describing the smaller subnet (the one with the larger subnet mask) takes precedence when the routing decision for a packet is made. The position of entries in the routing table has no effect on the choice; the main rule is "more specific wins".
All routes in a given table (those that are in the FIB) point to different subnets and do not conflict with one another.
If one of the gateways becomes unreachable, the route through it is considered inactive (removed from the FIB), and packets are routed using the remaining routes.
A route to the subnet 0.0.0.0/0 is given special meaning and is called the "Default Route" or "Gateway of last resort". In fact there is nothing magical about it: it simply covers all IPv4 addresses, but these names describe its function well. It points to the gateway where packets are sent when there is no other, more specific route.
The largest subnet mask for IPv4 is /32; such a route points to a specific host and can be used in the routing table.
Understanding the more-specific-route rule is essential for any TCP/IP engineer.
Distance
Distances (or metrics) are needed for administrative filtering of routes to the same subnet that is reachable via several gateways. The route with the lower metric is considered preferred and is placed in the FIB. If a route with a lower metric stops working, it is replaced in the FIB by a route with a higher metric.
If there are several routes to the same subnet with the same metric, the router adds only one of them to the FIB, guided by its internal logic.
A metric can take a value from 0 to 255:
- 0 - metric of connected routes. Distance 0 cannot be set by the administrator
- 1-254 - metrics available to the administrator for configuring routes. Metrics with a lower value have higher priority
- 255 - a metric available to the administrator for configuring routes. Unlike 1-254, a route with metric 255 is always inactive and never enters the FIB
- Protocol-specific metrics. Routes received from dynamic routing protocols have their own default metric values
Check gateway
Check gateway is a MikroTik RouterOS extension for checking gateway availability via icmp or arp. Once every 10 seconds (not configurable) a request is sent to the gateway; if there is no reply twice in a row, the gateway is considered unreachable and the route is removed from the FIB. If the checked gateway is down, the checks continue, and the route becomes active again after a single successful check.
Check gateway deactivates the configured entry and all other entries (in any routing table, including ecmp routes) that use the specified gateway.
In general, check gateway works well as long as there is no packet loss towards the gateway. Check gateway knows nothing about what happens beyond the checked gateway; for that you need additional tools: scripts, recursive routing, dynamic routing protocols.
Most VPN and tunnel protocols have built-in tools for monitoring link state; enabling check gateway for them is an additional (though very small) load on the network and on the device.
ECMP routes
Equal-Cost Multi-Path: sending packets to the recipient through several gateways at the same time using a Round Robin algorithm.
An ECMP route is created by the administrator by specifying several gateways for one subnet (or automatically, for example when there are two identical OSPF routes).
ECMP is used for load balancing between two links. In theory, if an ecmp route has two gateways, each successive packet goes out a different link. But the Routing cache mechanism sends the packets of a connection along the path the first packet took, so in the end we get something like per-connection load balancing.
If you disable the Routing Cache, packets are split evenly across the ECMP route, but then there is a problem with NAT. A NAT rule processes only the first packet of a connection (the rest are handled automatically), so packets with the same source address will leave via different links.
Check gateway does not work on ECMP routes (a RouterOS bug). You can work around this limitation by creating additional check routes that deactivate the entries used in the ECMP route.
Filtering via routing
The Type option determines what to do with the packet:
- unicast - forward to the specified gateway (interface)
- blackhole - drop the packet
- prohibit, unreachable - drop the packet and send an icmp message to the sender
Filtering is usually used when you need to prevent packets from being sent along the wrong route; of course, the same filtering can be done in the firewall.
A few examples
Let's consolidate the basics of routing.
Typical home router
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1
- Static route to 0.0.0.0/0 (default route)
- Connected route on the interface towards the provider
- Connected route on the LAN interface
Typical home router with PPPoE
- Static default route, added automatically; it is defined in the connection properties
- Connected route for the PPP connection
- Connected route on the LAN interface
Typical home router with two providers and redundancy
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 distance=2
- Static default route via the first provider with metric 1 and a gateway availability check
- Static default route via the second provider with metric 2
- Connected routes
Traffic to 0.0.0.0/0 goes via 10.10.10.1 as long as that gateway is available; otherwise it switches to 10.20.20.1.
Such a scheme can be considered link redundancy, but it is not without drawbacks. If a failure occurs beyond the provider's gateway (for example, inside the provider's network), your router will not know about it and will continue to consider the route working.
Typical home router with two providers, redundancy and ECMP
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.10.1,10.20.20.1 distance=1
- Static routes whose only job is check gateway
- ECMP route
- Connected routes
The check routes are shown in blue (the colour of inactive routes), but this does not stop check gateway from working. The current version of RoS (6.44) gives the ECMP route priority, but it is better to put the check routes into other routing tables (the routing-mark option).
On Speedtest and similar sites there is no speed increase (ECMP splits traffic by connection, not by packet), but p2p applications should download faster.
Filtering via routing
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1
add dst-address=192.168.200.0/24 gateway=10.30.30.1 distance=1
add dst-address=192.168.200.0/24 gateway=10.10.10.1 distance=2 type=blackhole
- Static default route
- Static route to 192.168.200.0/24 over the ipip tunnel
- Blackhole route to 192.168.200.0/24 via the ISP router
A filtering variant in which tunnel traffic does not leak to the provider's router when the ipip interface is down. Such schemes are not mandatory, because the same protection can be implemented in the firewall.
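To make the three selection rules from the sections above concrete (most specific prefix first, lowest distance among active routes, filtering route types, and the check-gateway state machine with two missed probes to deactivate and one reply to reactivate), here is an added example in Python that models them. It is not RouterOS code; the Route class, the probe() method and the tunnel/blackhole scenario are constructed for illustration and mirror the routing table just shown.

```python
"""Model of RouterOS route selection: most specific prefix wins, then the
lowest distance among active routes; blackhole/unreachable types filter
instead of forwarding; check-gateway deactivates a route after two missed
probes and reactivates it after one reply. Constructed example, not RouterOS code."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Route:
    dst: IPv4Network
    gateway: str              # IP address or interface name
    distance: int = 1
    kind: str = "unicast"     # unicast | blackhole | unreachable | prohibit
    check_gateway: bool = False
    disabled: bool = False
    misses: int = 0           # consecutive failed check-gateway probes
    reachable: bool = True    # outcome of the check-gateway state machine

    def active(self) -> bool:
        # Distance 255 never enters the FIB; neither do disabled or failed routes.
        return not self.disabled and self.distance < 255 and self.reachable

    def probe(self, reply: bool) -> None:
        """One check-gateway probe (RouterOS sends one every 10 s)."""
        if not self.check_gateway:
            return
        if reply:
            self.misses, self.reachable = 0, True
        else:
            self.misses += 1
            if self.misses >= 2:
                self.reachable = False


def fib(routes):
    """Routes that would be displayed as active: per prefix, only the lowest
    distance survives; the order of entries in the table is irrelevant."""
    best = {}
    for r in routes:
        if r.active() and (r.dst not in best or r.distance < best[r.dst].distance):
            best[r.dst] = r
    return list(best.values())


def lookup(routes, dst: str):
    """Routing decision: longest matching prefix among FIB routes, or None."""
    addr = IPv4Address(dst)
    matches = [r for r in fib(routes) if addr in r.dst]
    return max(matches, key=lambda r: r.dst.prefixlen) if matches else None


def next_hop(routes, dst: str) -> str:
    """Gateway for a unicast route, the filtering action otherwise."""
    r = lookup(routes, dst)
    if r is None:
        return "no route"
    return r.gateway if r.kind == "unicast" else r.kind


def demo():
    """The 'filtering via routing' table from the article, as a scenario."""
    tunnel = Route(IPv4Network("192.168.200.0/24"), "10.30.30.1", distance=1, check_gateway=True)
    routes = [
        Route(IPv4Network("0.0.0.0/0"), "10.10.10.1"),
        tunnel,
        Route(IPv4Network("192.168.200.0/24"), "10.10.10.1", distance=2, kind="blackhole"),
        Route(IPv4Network("10.30.30.0/30"), "ether3", distance=0),   # connected route
    ]
    before = next_hop(routes, "192.168.200.7")          # /24 beats /0: tunnel gateway
    tunnel.probe(False)
    after_one_miss = next_hop(routes, "192.168.200.7")  # one miss is tolerated
    tunnel.probe(False)
    after_two = next_hop(routes, "192.168.200.7")       # blackhole, not the ISP default
    tunnel.probe(True)
    recovered = next_hop(routes, "192.168.200.7")       # one reply reactivates
    internet = next_hop(routes, "8.8.8.8")              # only the default route matches
    return before, after_one_miss, after_two, recovered, internet


if __name__ == "__main__":
    print(demo())
```

The point of the scenario is the third value: once the tunnel gateway fails check gateway, the distance-2 blackhole becomes the best route for 192.168.200.0/24, so the traffic is dropped rather than sent through 10.10.10.1, exactly what the configuration above is for.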
Routing loop
A routing loop is a situation in which a packet bounces between routers until its ttl expires. It is usually the result of a configuration error; in large networks it is prevented by using dynamic routing protocols, in small ones by care.
Here is what it looks like:
An example (a very simple one) of how to produce such an effect:
The routing loop example has no practical use, but it shows that routers know nothing about their neighbours' routing tables.
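The figures for the loop are not reproduced here, so as an added example (not from the article) here is a small Python simulation of the situation it describes: two constructed routers, R1 and R2, each with a connected subnet and a default route pointing at the other. A packet for a subnet neither of them knows bounces between them until the TTL reaches zero.

```python
"""Routing loop simulation: each router only consults its own table, so two
default routes pointing at each other bounce a packet until TTL runs out.
Constructed example; R1/R2 and their subnets are not from the article."""
from ipaddress import IPv4Address, IPv4Network

# Constructed two-router setup: each default route points at the other router.
ROUTERS = {
    "R1": {"10.0.1.0/24": "connected", "0.0.0.0/0": "R2"},
    "R2": {"10.0.2.0/24": "connected", "0.0.0.0/0": "R1"},
}


def next_hop(table: dict, dst: str):
    """Longest-prefix match in one router's table; None if nothing matches."""
    addr = IPv4Address(dst)
    hits = [p for p in table if addr in IPv4Network(p)]
    return table[max(hits, key=lambda p: IPv4Network(p).prefixlen)] if hits else None


def forward(start: str, dst: str, ttl: int = 64):
    """Walk the packet router by router. Every router decrements TTL; the one
    that decrements it to zero drops the packet (and would answer the sender
    with ICMP time exceeded). Returns (routers traversed, outcome)."""
    cur, hops = start, 0
    while True:
        hops += 1
        ttl -= 1
        if ttl == 0:
            return hops, f"TTL exceeded at {cur}"
        nh = next_hop(ROUTERS[cur], dst)
        if nh is None:
            return hops, f"no route at {cur}"
        if nh == "connected":
            return hops, f"delivered by {cur}"
        cur = nh


if __name__ == "__main__":
    print(forward("R1", "10.0.2.9"))        # delivered by R2 after 2 hops
    print(forward("R1", "198.51.100.1"))    # loops: TTL exceeded after 64 hops
```

Note that the packet for the unknown destination is never rejected by either table: both routers have a perfectly valid default route, which is why only the TTL ends the loop.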
Policy-based routing and additional routing tables
When choosing a route, the router uses only one field from the packet header (Dst. Address); this is basic routing. Routing based on other conditions, such as the source address, the traffic type (ToS), or balancing without ECMP, is Policy Base Routing (PBR) and uses additional routing tables.
"More specific route" remains the main route-selection rule inside any routing table.
By default, all routes are added to the main table. The administrator can create any number of additional routing tables and direct packets to them. Routes in different tables do not conflict. If a packet finds no suitable route in the specified table, it goes on to the main table.
Example with marking in the firewall:
- 192.168.100.10 -> 8.8.8.8
  - Traffic from 192.168.100.10 is marked over-isp1 in [Prerouting|Mangle]
  - At the Routing stage, the route to 8.8.8.8 is looked up in the over-isp1 table
  - The route is found and the traffic is sent to gateway 10.10.10.1
- 192.168.200.20 -> 8.8.8.8
  - Traffic from 192.168.200.20 is marked over-isp2 in [Prerouting|Mangle]
  - At the Routing stage, the route to 8.8.8.8 is looked up in the over-isp2 table
  - The route is found and the traffic is sent to gateway 10.20.20.1
- If one of the gateways (10.10.10.1 or 10.20.20.1) is unavailable, the packet goes to the main routing table and looks for a suitable route there
Terminology problems
RouterOS has a few terminology problems.
When working with routes in [IP]->[Routes], the field selects the routing table even though its label says otherwise:
In [IP]->[Routes]->[Rule] everything is correct; the action's label reads Table:
How to send a packet to a specific routing table
RouterOS provides several tools:
- Rules in [IP]->[Routes]->[Rules]
- Routing marks (action=mark-routing) in [IP]->[Firewall]->[Mangle]
- VRF
Rules in [IP]->[Route]->[Rules]
The rules are processed in order; once a packet matches the conditions of a rule, it goes no further.
Routing Rules extend the routing capabilities by relying not only on the destination address but also on the source address and on the interface the packet arrived on.
A rule consists of conditions and an action:
- Conditions. They repeat the list of attributes by which a packet is examined in the FIB; only ToS is missing.
- Actions
  - lookup - send the packet to a table
  - lookup only in table - lock the packet into the table; if no route is found, the packet does not fall back to the main table
  - drop - drop the packet
  - unreachable - drop the packet and notify the sender
In the FIB, packets for local processes are delivered bypassing the rules in [IP]->[Route]->[Rules]:
Marks in [IP]->[Firewall]->[Mangle]
You can set the gateway for a packet using Firewall conditions:
Within reason, of course: not all of them make sense, and some can break things.
There are two ways to label a packet:
- Set the routing mark directly
- Set a connection mark first, then set the routing mark based on the connection mark
In an article about firewalls I wrote that the second option is better for reducing CPU load; for routing marks this is not entirely true. These are different approaches to marking, and they are used to solve different problems.
Use cases
Let's move on to examples of using Policy Base Routing; it is easier to show why all of this is needed.
MultiWAN and return traffic for local (Output) traffic
A typical problem with a MultiWAN setup: Mikrotik is reachable from the Internet only via the "active" provider.
The router does not remember which IP the request arrived on; when it generates a reply, it looks for a route in the routing table, and the route there goes through isp1. That packet will then be filtered somewhere on the way to the recipient.
Another curious thing. If a "simple" srcnat is configured on the ether1 interface:
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
the packet goes out to the network with src.address=10.10.10.100, which makes things even better.
There are several ways to solve the problem, but any of them requires additional routing tables:
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 check-gateway=ping distance=2
add dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 routing-mark=over-isp2
Using [IP]->[Route]->[Rules]
Specify which routing table is used for packets with the given source IP.
/ip route rule
add src-address=10.10.10.100/32 action=lookup-only-in-table table=over-isp1
add src-address=10.20.20.200/32 action=lookup-only-in-table table=over-isp2
action=lookup could be used as well, but for locally generated outgoing traffic lookup-only-in-table completely rules out connections leaving via the wrong interface.
- The system generates a reply packet with Src. Address 10.20.20.200
- The Routing Decision (2) stage goes through [IP]->[Routes]->[Rules], and the packet is sent to the over-isp2 routing table
- According to that routing table, the packet must be sent to gateway 10.20.20.1 via interface ether2
Unlike the Mangle-based approach, this one does not need the Connection Tracker.
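The routing-rules section and this example both hinge on one detail: lookup falls back to the main table when the chosen table has no active route, while lookup-only-in-table does not. As an added example (not RouterOS code), here is a Python model of the rule processing described above, with the local-process check done before the rules, exactly as the article states. The tables, rule syntax and the 203.0.113.5 destination are constructed for illustration.

```python
"""Policy-based routing model: [IP]->[Route]->[Rules] on top of several routing
tables. Constructed example, not RouterOS code: a table is a dict of
prefix -> (gateway, active), a rule is a dict with src-address, action, table."""
import copy
from ipaddress import IPv4Address, IPv4Network

# Constructed addresses owned by the router itself (local delivery).
LOCAL_ADDRESSES = {"10.10.10.100", "10.20.20.200", "192.168.100.1"}

# Tables built from the article's /ip route configuration above.
TABLES = {
    "main": {"0.0.0.0/0": ("10.10.10.1", True)},
    "over-isp1": {"0.0.0.0/0": ("10.10.10.1", True)},
    "over-isp2": {"0.0.0.0/0": ("10.20.20.1", True)},
}

# The two /ip route rule entries from the article.
RULES = [
    {"src-address": "10.10.10.100/32", "action": "lookup-only-in-table", "table": "over-isp1"},
    {"src-address": "10.20.20.200/32", "action": "lookup-only-in-table", "table": "over-isp2"},
]


def table_lookup(table: dict, dst: str):
    """Longest-prefix match over the active routes of one table."""
    addr = IPv4Address(dst)
    hits = [(IPv4Network(p), gw) for p, (gw, active) in table.items()
            if active and addr in IPv4Network(p)]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None


def route_packet(tables: dict, rules: list, src: str, dst: str) -> str:
    """Return the gateway chosen for the packet, or the reason it has none."""
    # Delivery to a local process is decided before the rules are consulted.
    if dst in LOCAL_ADDRESSES:
        return "local"
    for rule in rules:
        if IPv4Address(src) not in IPv4Network(rule["src-address"]):
            continue                        # rule does not match, try the next one
        action = rule["action"]
        if action in ("drop", "unreachable"):
            return action
        gw = table_lookup(tables[rule["table"]], dst)
        if gw is not None:
            return gw
        if action == "lookup-only-in-table":
            return "no route"               # locked into the table, main is not consulted
        break                               # plain lookup: fall through to main
    return table_lookup(tables["main"], dst) or "no route"


def scenario():
    """Reply packets from the isp2 address, with isp2 up and then down."""
    tables = copy.deepcopy(TABLES)
    reply_ok = route_packet(tables, RULES, "10.20.20.200", "203.0.113.5")
    tables["over-isp2"]["0.0.0.0/0"] = ("10.20.20.1", False)   # isp2 failed check gateway
    locked = route_packet(tables, RULES, "10.20.20.200", "203.0.113.5")
    lookup_rules = [dict(r, action="lookup") for r in RULES]
    fallback = route_packet(tables, lookup_rules, "10.20.20.200", "203.0.113.5")
    local = route_packet(tables, RULES, "10.20.20.200", "10.10.10.100")
    unmarked = route_packet(tables, RULES, "192.168.100.50", "203.0.113.5")
    return reply_ok, locked, fallback, local, unmarked


if __name__ == "__main__":
    print(scenario())
```

With isp2 down, the locked rule yields "no route" (the reply is dropped rather than sent out via isp1 with the wrong source address), while the same rule with action=lookup would hand the packet to the main table and 10.10.10.1. That is the trade-off the text above refers to.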
Using [IP]->[Firewall]->[Mangle]
The connection starts with an incoming packet, so we mark the connection (action=mark-connection); for outgoing packets belonging to a marked connection we then set the routing mark (action=mark-routing).
/ip firewall mangle
# Mark incoming connections
add chain=input in-interface=ether1 connection-state=new action=mark-connection new-connection-mark=from-isp1
add chain=input in-interface=ether2 connection-state=new action=mark-connection new-connection-mark=from-isp2
# Mark outgoing packets based on the connection marks
add chain=output connection-mark=from-isp1 action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=output connection-mark=from-isp2 action=mark-routing new-routing-mark=over-isp2 passthrough=no
If several IPs are configured on one interface, you can add a dst-address condition for clarity.
- The packet opens a connection on interface ether2. The packet passes through [INPUT|Mangle], where all packets of the connection are marked from-isp2
- The system generates a reply packet with Src. Address 10.20.20.200
- At the Routing Decision (2) stage the packet is directed, according to the routing table, to gateway 10.20.20.1 via interface ether1. You can verify this by catching the packets in [OUTPUT|Filter]
- At the [OUTPUT|Mangle] stage the connection mark from-isp2 is checked and the packet receives the routing mark over-isp2
- The Routing Adjustment (3) stage checks for a routing mark and sends the packet to the corresponding routing table
- According to that routing table, the packet must be sent to gateway 10.20.20.1 via interface ether2
MultiWAN and return traffic for dst-nat
A more complex example: what to do when there is a server (for example, a web server) behind the router in a private subnet and you need to provide access to it via either provider.
/ip firewall nat
add chain=dstnat proto=tcp dst-port=80,443 in-interface=ether1 action=dst-nat to-address=192.168.100.100
add chain=dstnat proto=tcp dst-port=80,443 in-interface=ether2 action=dst-nat to-address=192.168.100.100
The root of the problem is the same, and so is the solution, the Firewall Mangle variant; only different chains are used:
/ip firewall mangle
add chain=prerouting connection-state=new in-interface=ether1 protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=web-input-isp1
add chain=prerouting connection-state=new in-interface=ether2 protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=web-input-isp2
add chain=prerouting connection-mark=web-input-isp1 in-interface=ether3 action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=prerouting connection-mark=web-input-isp2 in-interface=ether3 action=mark-routing new-routing-mark=over-isp2 passthrough=no
The diagram does not show NAT, but I think everything is clear.
MultiWAN and outgoing connections
You can use PBR to establish several vpn connections (SSTP in the example) over different links.
Additional routing tables:
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.100.1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=192.168.200.1 routing-mark=over-isp2
add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-mark=over-isp3
add dst-address=0.0.0.0/0 gateway=192.168.100.1 distance=1
add dst-address=0.0.0.0/0 gateway=192.168.200.1 distance=2
add dst-address=0.0.0.0/0 gateway=192.168.0.1 distance=3
Packet marking:
/ip firewall mangle
add chain=output dst-address=10.10.10.100 proto=tcp dst-port=443 action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=output dst-address=10.10.10.101 proto=tcp dst-port=443 action=mark-routing new-routing-mark=over-isp2 passthrough=no
add chain=output dst-address=10.10.10.102 proto=tcp dst-port=443 action=mark-routing new-routing-mark=over-isp3 passthrough=no
Simple NAT rules, so that the packet does not leave the router with the wrong Src. Address:
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
add chain=srcnat out-interface=ether3 action=masquerade
Analysis:
- The router creates three SSTP processes
- At the Routing Decision (2) stage a route for these processes is chosen from the main routing table. From that route the packets get the Src. Address bound to interface ether1
- In [Output|Mangle], packets from the different connections receive different marks
- At the Routing Adjustment stage the packets go to the tables matching their marks and obtain a new route to be sent over
- But the packets still carry the Src. Address of ether1; at the [Nat|Srcnat] stage the address is replaced according to the outgoing interface
Curiously, on the router you will see the following connection table:
The Connection Tracker runs before [Mangle] and [Srcnat], so all connections appear to come from the same address; if you look at the details, Reply Dst. Address shows the addresses after NAT:
On the VPN server (I have a single one on the test bench) you can see that the connections arrive from the correct addresses:
Pinning a route
There is a simpler way: you can specify a dedicated gateway for each address:
/ip route
add dst-address=10.10.10.100 gateway=192.168.100.1
add dst-address=10.10.10.101 gateway=192.168.200.1
add dst-address=10.10.10.102 gateway=192.168.0.1
But such routes affect not only outgoing but also transit traffic. Moreover, if you do not want traffic to the vpn servers to go over the wrong links, you need to add 6 more entries with type=blackhole to [IP]->[Routes]. In the previous variant that was 3 rules in [IP]->[Route]->[Rules].
Distributing user connections across links
Simple everyday tasks. Once again, additional routing tables are needed:
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=1 routing-mark=over-isp2
Using [IP]->[Route]->[Rules]
/ip route rule
add src-address=192.168.100.0/25 action=lookup-only-in-table table=over-isp1
add src-address=192.168.100.128/25 action=lookup-only-in-table table=over-isp2
If you use action=lookup instead, then when one of the links goes down the traffic falls back to the main table and leaves via the working link. Whether that is desirable depends on the task.
Using marks in [IP]->[Firewall]->[Mangle]
A simple example with lists of ip addresses. Practically any conditions can be used. The exception is layer7 marking: even combined with connection marks it appears to work correctly, yet some of the traffic still goes the wrong way.
/ip firewall mangle
add chain=prerouting src-address-list=users-over-isp1 dst-address-type=!local action=mark-routing new-routing-mark=over-isp1
add chain=prerouting src-address-list=users-over-isp2 dst-address-type=!local action=mark-routing new-routing-mark=over-isp2
You can "lock" users into a single routing table via [IP]->[Route]->[Rules]:
/ip route rule
add routing-mark=over-isp1 action=lookup-only-in-table table=over-isp1
add routing-mark=over-isp2 action=lookup-only-in-table table=over-isp2
Or via [IP]->[Firewall]->[Filter]:
/ip firewall filter
add chain=forward routing-mark=over-isp1 out-interface=!ether1 action=reject
add chain=forward routing-mark=over-isp2 out-interface=!ether2 action=reject
A digression about dst-address-type=!local
The additional condition dst-address-type=!local is needed so that user traffic still reaches the router's local processes (dns, winbox, ssh, ...). If several local subnets are connected to the router, you also need to make sure that traffic between them does not go out to the Internet, for example with dst-address-list.
In the example using [IP]->[Route]->[Rules] there is no such condition, yet traffic reaches local processes anyway. The reason is that a packet marked in [PREROUTING|Mangle] enters the FIB already carrying a routing mark and goes to an additional routing table other than main, where there are no routes for the local interfaces. With Routing Rules, it is first checked whether the packet is intended for a local process, and only at the PBR stage is it sent to the specified routing table.
Using [IP]->[Firewall]->[Mangle action=route]
This action works only in [Prerouting|Mangle] and lets you direct traffic to a given gateway without additional routing tables, by specifying the gateway address directly:
/ip firewall mangle
add chain=prerouting src-address=192.168.100.0/25 action=route gateway=10.10.10.1
add chain=prerouting src-address=192.168.128.0/25 action=route gateway=10.20.20.1
The route action has lower priority than the routing rules ([IP]->[Route]->[Rules]). With routing marks, everything depends on the order of the rules: if the rule with action=route comes before the one with action=mark-routing, it is applied (regardless of the passthrough flag); otherwise the routing mark wins.
There is little information on the wiki about this action and all the results above were obtained experimentally; in any case, I found no situation where using this action offers any advantage over the alternatives.
PCC-based balancing
Per Connection Classifier is a simpler analogue of ECMP. Unlike ECMP, it distributes traffic by connection (ECMP knows nothing about connections, although combined with the Routing Cache it produces something similar).
PCC takes the specified fields from the ip header, converts them into a 32-bit value and divides it by the denominator. The remainder of the division is compared with the specified remainder, and if they match, the specified action is applied.
A simplified example with three addresses:
192.168.100.10: 192+168+100+10 = 470 % 3 = 2
192.168.100.11: 192+168+100+11 = 471 % 3 = 0
192.168.100.12: 192+168+100+12 = 472 % 3 = 1
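As an added example (not RouterOS code), the Python below carries the article's simplified octet-sum illustration through to the per-connection-classifier=src-address:3/N rules used in the configuration that follows, and goes a little beyond it: it also shows what happens with both-addresses and how a whole /24 of clients spreads over three links. The octet sum is the article's stand-in for the real 32-bit hash, so the remainders here match the three lines above but not necessarily what a RouterOS unit computes.

```python
"""Per Connection Classifier (PCC) worked example. Constructed example, not
RouterOS code: it uses the article's simplified hash (sum of the octets of the
selected fields) to show how <fields>:<denominator>/<remainder> picks a link."""
from collections import Counter
from ipaddress import IPv4Address


def octet_sum(addr: str) -> int:
    """Sum of the four octets: the simplified stand-in for the 32-bit hash."""
    return sum(IPv4Address(addr).packed)


def pcc_remainder(denominator: int, src: str, dst: str = None,
                  fields=("src-address",)) -> int:
    """Remainder that per-connection-classifier=<fields>:<denominator>/<remainder>
    compares against for this connection."""
    value = 0
    if "src-address" in fields:
        value += octet_sum(src)
    if "dst-address" in fields:
        value += octet_sum(dst)          # both-addresses adds the destination too
    return value % denominator


def connection_mark(src: str, denominator: int = 3) -> str:
    """Mark assigned by the first matching mark-connection rule of the article:
    remainder 0 -> conn-over-isp1, 1 -> conn-over-isp2, 2 -> conn-over-isp3."""
    return f"conn-over-isp{pcc_remainder(denominator, src) + 1}"


def distribution(prefix: str = "192.168.100.", hosts=range(1, 255),
                 denominator: int = 3) -> Counter:
    """How a /24 of LAN clients spreads over the links: consecutive addresses
    rotate through the buckets, so the split is within one host of even."""
    return Counter(pcc_remainder(denominator, f"{prefix}{h}") for h in hosts)


if __name__ == "__main__":
    for host in ("192.168.100.10", "192.168.100.11", "192.168.100.12"):
        print(host, pcc_remainder(3, host), connection_mark(host))
    print(distribution())
    # With both-addresses the same client lands on different links per destination:
    print(pcc_remainder(3, "192.168.100.10", "8.8.8.8", ("src-address", "dst-address")),
          pcc_remainder(3, "192.168.100.10", "8.8.4.4", ("src-address", "dst-address")))
```

The distribution() result is why src-address classification is usually "good enough" for a LAN: a contiguous address range rotates through the remainders, so each link gets roughly a third of the clients. The both-addresses check at the end shows the cost of the finer-grained variant: one client's connections to different destinations are spread over different providers, and therefore over different public source addresses.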
He laʻana o ka puʻunaue ikaika o ke kaʻa ma src.address ma waena o ʻekolu ala:
#Таблица маршрутизации
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.30.30.1 dist=3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=1 routing-mark=over-isp2
add dst-address=0.0.0.0/0 gateway=10.30.30.1 dist=1 routing-mark=over-isp3
#Маркировка соединений и маршрутов
/ip firewall mangle
add chain=prerouting in-interface=br-lan dst-address-type=!local connection-state=new per-connection-classifier=src-address:3/0 action=mark-connection new-connection-mark=conn-over-isp1
add chain=prerouting in-interface=br-lan dst-address-type=!local connection-state=new per-connection-classifier=src-address:3/1 action=mark-connection new-connection-mark=conn-over-isp2
add chain=prerouting in-interface=br-lan dst-address-type=!local connection-state=new per-connection-classifier=src-address:3/2 action=mark-connection new-connection-mark=conn-over-isp3
add chain=prerouting in-interface=br-lan connection-mark=conn-over-isp1 action=mark-routing new-routing-mark=over-isp1
add chain=prerouting in-interface=br-lan connection-mark=conn-over-isp2 action=mark-routing new-routing-mark=over-isp2
add chain=prerouting in-interface=br-lan connection-mark=conn-over-isp3 action=mark-routing new-routing-mark=over-isp3
When marking routes there is an additional condition, in-interface=br-lan; without it, action=mark-routing will also catch the reply packets coming from the Internet and, according to the routing tables, send them back to the provider.
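As an added illustration of the classifier described above (not RouterOS code), the following model reproduces the per-connection-classifier test and the three-ISP split from the mangle rules; the fold of the header fields into a 32-bit value is a stand-in (octet sum, as in the worked example above), since the page does not give the real RouterOS hash. It also goes slightly beyond the page by comparing src-address with both-addresses classification.

```python
from ipaddress import ip_address

# Added example, not RouterOS code: a model of the Per Connection Classifier
# as the text describes it. The fold of the selected header fields into a
# 32-bit value is a stand-in (octet sum, as in the worked example above);
# RouterOS's real hash is not given on the page. The remainder returned is
# the ISP index selected by the mangle rules src-address:3/0, :3/1, :3/2.

def pcc_value(fields):
    """Fold the chosen address fields into a 32-bit value (model: octet sum)."""
    return sum(b for f in fields for b in ip_address(f).packed) & 0xFFFFFFFF

def pcc_matches(fields, denominator, remainder):
    """The per-connection-classifier=<fields>:<denominator>/<remainder> test."""
    return pcc_value(fields) % denominator == remainder

def classify_connection(src, dst, mode="src-address", denominator=3):
    """ISP index assigned to a NEW connection; later packets of the same
    connection inherit it via connection-mark and are never re-classified."""
    fields = {"src-address": (src,), "dst-address": (dst,),
              "both-addresses": (src, dst)}[mode]
    for remainder in range(denominator):
        if pcc_matches(fields, denominator, remainder):
            return remainder
    raise AssertionError("exactly one of the rules must match")

def distribution(src_hosts, dst, mode="src-address", denominator=3):
    """How many of the sample connections land on each ISP."""
    counts = [0] * denominator
    for s in src_hosts:
        counts[classify_connection(s, dst, mode, denominator)] += 1
    return counts

# Constructed sample: 30 LAN hosts each opening one connection to one destination.
LAN_HOSTS = [f"192.168.100.{h}" for h in range(1, 31)]
```

With src-address a host always lands on the same ISP whatever it talks to, while both-addresses spreads a single host's connections over several providers, which matters for services that expect one client public address.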
Switching between links
Checking with ping is a good tool, but it only checks connectivity to the nearest IP peer; provider networks contain a large number of routing devices, connectivity may break beyond the nearest peer, and after that there are the backbone telecom operators. Problems do occur, and so ping does not always reflect actual access to the global network.
While providers and large companies have the BGP dynamic routing protocol, home users and offices have to think for themselves about how to check connectivity to the network through a specific link.
Usually scripts are used that check, through a particular link, the availability of some address on the Internet, choosing something reliable, for example Google DNS: 8.8.8.8, 8.8.4.4. But in the Mikrotik community an interesting tool has been devised for this.
A few words about recursive routing
Recursive routing is needed when building Multihop BGP peering, and it got into an article about the basics of static routing only because clever MikroTik users figured out how to use recursive routes together with check-gateway to switch links without any extra scripts.
This is a good moment to recall the scope / target-scope options in plain words, and how a route is bound to an interface:
- The route looks for an interface through which to send the packet based on its target-scope value and all entries in the main table with a scope less than or equal to that value.
- From the routes found, the one that allows sending a packet to the specified gateway is selected.
- The interface of the selected connected route is used to send the packet to the gateway.
In the case of a recursive route everything is the same, but in two stages:
- 1-3: an additional route, through which the specified gateway is reachable, is added to the connected routes.
- 4-6: a connected route is looked up for the "intermediate" gateway.
All the manipulations with recursive lookup take place in the RIB, and only the final result is passed to the FIB: 0.0.0.0/0 via 10.10.10.1 on ether1.
An example of using recursive routing to switch routes
Configuration:
/ip route
add dst-address=0.0.0.0/0 gateway=8.8.8.8 check-gateway=ping distance=1 target-scope=10
add dst-address=8.8.8.8 gateway=10.10.10.1 scope=10
add dst-address=0.0.0.0/0 gateway=10.20.20.1 distance=2
You can verify that packets are sent to 10.10.10.1:
Check gateway knows nothing about recursive routing and simply sends pings to 8.8.8.8, which (in the main table) is reachable via the gateway 10.10.10.1.
If connectivity between 10.10.10.1 and 8.8.8.8 is lost, the route is disabled, but packets (including the test pings) to 8.8.8.8 continue to go to 10.10.10.1:
If the link on ether1 is lost, an unpleasant situation arises in which packets to 8.8.8.8 go through the second provider:
This is a problem if you use NetWatch to run scripts when 8.8.8.8 becomes unreachable. If the link goes down, NetWatch will simply work through the backup link and consider that everything is fine. It is solved by adding one more filtering route:
/ip route
add dst-address=8.8.8.8 gateway=10.20.20.1 distance=100 type=blackhole
And yes, when using recursion, the address 8.8.8.8 will be bound to one of the providers, so it is a bad idea to choose it as a DNS source.
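To make the failure modes above concrete, here is an added model of the recursive lookup (not RouterOS code) over the page's configuration: it resolves a destination through routes whose scope fits the target-scope, drops a route whose gateway cannot be resolved, and shows where the test pings to 8.8.8.8 end up with and without the blackhole route. RouterOS defaults are assumed: connected routes have scope 10, static routes scope 30 and target-scope 10.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Added example, not RouterOS code: a small RIB model of the recursive lookup
# described above. A route whose gateway is an interface is "connected"; a
# route whose gateway is an address is resolved against routes with
# scope <= its target-scope. Assumed RouterOS defaults: connected routes
# scope 10, static routes scope 30 / target-scope 10.

@dataclass
class Route:
    dst: str
    gateway: str            # interface name, next-hop address or "blackhole"
    distance: int = 1
    scope: int = 30
    target_scope: int = 10
    active: bool = True     # cleared when check-gateway=ping fails

def _net(r):
    return ip_network(r.dst, strict=False)

def candidates(rib, addr, max_scope):
    """Active routes covering addr, longest prefix then lowest distance first."""
    c = [r for r in rib if r.active and r.scope <= max_scope and ip_address(addr) in _net(r)]
    return sorted(c, key=lambda r: (-_net(r).prefixlen, r.distance))

def resolve(rib, addr, max_scope=255, depth=0):
    """Return (next-hop, interface), ("blackhole", None) or None if unroutable."""
    if depth > 8:                                # guard against routes resolving through each other
        return None
    for r in candidates(rib, addr, max_scope):
        if r.gateway == "blackhole":
            return ("blackhole", None)
        if "." not in r.gateway:                 # gateway is an interface: addr is on-link
            return (addr, r.gateway)
        hop = resolve(rib, r.gateway, r.target_scope, depth + 1)
        if hop is not None:                      # gateway reachable, so this route is usable
            return hop
    return None                                  # gateway unresolvable: try the next candidate

def build_rib(ether1_up=True, with_blackhole=False, dns_reachable=True):
    """The page's routes plus constructed connected routes for ether1/ether2."""
    rib = [
        Route("0.0.0.0/0", "8.8.8.8", 1, active=dns_reachable),   # recursive, check-gateway=ping
        Route("8.8.8.8/32", "10.10.10.1", 1, scope=10),
        Route("0.0.0.0/0", "10.20.20.1", 2),
        Route("10.20.20.0/24", "ether2", 0, scope=10),
    ]
    if ether1_up:
        rib.append(Route("10.10.10.0/24", "ether1", 0, scope=10))
    if with_blackhole:
        rib.append(Route("8.8.8.8/32", "blackhole", 100))
    return rib
```

When ether1 is down, resolve(build_rib(ether1_up=False), "8.8.8.8") falls through to the second provider, exactly the case NetWatch would misread; with the blackhole route the same lookup returns ("blackhole", None) while ordinary traffic still fails over to 10.20.20.1.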
A few words about Virtual Routing and Forwarding (VRF)
VRF technology is meant for creating several virtual routers inside one physical one; it is mainly used by telecom operators (usually together with MPLS) to provide L3VPN services to customers with overlapping subnets.
However, VRF on Mikrotik is built on top of routing tables and has a number of shortcomings; for example, the router's local IP addresses are reachable from all VRFs. More on this can be read separately.
Example vrf configuration:
/ip route vrf
add interfaces=ether1 routing-mark=vrf1
add interfaces=ether2 routing-mark=vrf2
/ip address
add address=192.168.100.1/24 interface=ether1 network=192.168.100.0
add address=192.168.200.1/24 interface=ether2 network=192.168.200.0
From a host connected to ether2 we can see that ping to the router's address from the other vrf passes (and this is a problem), while ping to the Internet does not:
For Internet access you need to add an additional route into the main table (in vrf terminology this is called route leaking):
/ip route
add distance=1 gateway=172.17.0.1@main routing-mark=vrf1
add distance=1 gateway=172.17.0.1%wlan1 routing-mark=vrf2
Two route leaking methods are shown here: using the routing table name, 172.17.0.1@main, and using the interface name, 172.17.0.1%wlan1.
And configure marking for the return traffic in [PREROUTING|Mangle]:
/ip firewall mangle
add chain=prerouting in-interface=ether1 action=mark-connection new-connection-mark=from-vrf1 passthrough=no
add chain=prerouting connection-mark=from-vrf1 routing-mark=!vrf1 action=mark-routing new-routing-mark=vrf1 passthrough=no
add chain=prerouting in-interface=ether2 action=mark-connection new-connection-mark=from-vrf2 passthrough=no
add chain=prerouting connection-mark=from-vrf2 routing-mark=!vrf2 action=mark-routing new-routing-mark=vrf2 passthrough=no
Subnets with identical addressing
Configuring access to subnets with identical addressing on one router using VRF and netmap:
Basic configuration:
/ip route vrf
add interfaces=ether1 routing-mark=vrf1
add interfaces=ether2 routing-mark=vrf2
/ip address
add address=192.168.100.1/24 interface=ether1 network=192.168.100.0
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0
add address=192.168.0.1/24 interface=ether3 network=192.168.0.0
Firewall rules:
#Mark packets so that they go to the correct routing table
/ip firewall mangle
add chain=prerouting dst-address=192.168.101.0/24 in-interface=ether3 action=mark-routing new-routing-mark=vrf1 passthrough=no
add chain=prerouting dst-address=192.168.102.0/24 in-interface=ether3 action=mark-routing new-routing-mark=vrf2 passthrough=no
#Using netmap, replace the addresses of the "ephemeral" subnets with the real subnets
/ip firewall nat
add chain=dstnat dst-address=192.168.101.0/24 in-interface=ether3 action=netmap to-addresses=192.168.100.0/24
add chain=dstnat dst-address=192.168.102.0/24 in-interface=ether3 action=netmap to-addresses=192.168.100.0/24
Rules for the return traffic:
#Specifying an interface name can also be considered route leaking, but essentially this creates an analogue of a connected route
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=ether3 routing-mark=vrf1
add distance=1 dst-address=192.168.0.0/24 gateway=ether3 routing-mark=vrf2
Adding routes received via dhcp to a given routing table
VRF can be of interest if you need to add a dynamic route (for example, from a dhcp client) to a specific routing table.
Add the interface to the vrf:
/ip route vrf
add interfaces=ether1 routing-mark=over-isp1
Rules for sending traffic (outgoing and transit) through the over-isp1 table:
/ip firewall mangle
add chain=output out-interface=!br-lan action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=prerouting in-interface=br-lan dst-address-type=!local action=mark-routing new-routing-mark=over-isp1 passthrough=no
Additionally, a dummy route to trigger the action:
/interface bridge
add name=bare
/ip route
add dst-address=0.0.0.0/0 gateway=bare
This route is only needed so that outgoing packets can pass routing decision (2) before [OUTPUT|Mangle] and pick up the routing mark; if there are other routes on the router besides 0.0.0.0/0 in the main table, it is not needed.
The connected-in and dynamic-in chains in [Routing] -> [Filters]
Route filtering (inbound and outbound) is a common tool, usually used together with dynamic routing protocols (and therefore it appears only after installing the routing package), but there are two interesting chains in the inbound filters:
- connected-in - filters connected routes
- dynamic-in - filters dynamic routes received from PPP and DHCP
The filter allows you not only to discard routes, but also to change a number of options: distance, routing mark, comment, scope, target scope, ...
This is a rather specific tool, and if you can do something without Routing filters (but not with scripts), then do not use Routing filters; do not confuse yourself and those who will configure the router after you. In the context of dynamic routing, Routing Filters will be used more often and with more benefit.
Setting a routing mark for dynamic routes
An example from a home router. I have two VPN connections configured, and the traffic inside them needs to be wrapped according to the routing tables. At the same time, I want the routes to be created dynamically when the interface comes up:
#When creating the vpn connections, specify creation of a default route and set the distance
/interface pptp-client
add connect-to=X.X.X.X add-default-route=yes default-route-distance=101 ...
add connect-to=Y.Y.Y.Y add-default-route=yes default-route-distance=100 ...
#Using filters, send the routes to specific routing tables based on the destination subnet and distance
/routing filter
add chain=dynamic-in distance=100 prefix=0.0.0.0/0 action=passthrough set-routing-mark=over-vpn1
add chain=dynamic-in distance=101 prefix=0.0.0.0/0 action=passthrough set-routing-mark=over-vpn2
I do not know why, maybe it is a bug, but if you create a vrf for the ppp interface, the 0.0.0.0/0 route ends up in the main table. Otherwise everything would be simpler.
Removing connected routes
Sometimes this is needed:
/routing filter
add chain=connected-in prefix=192.168.100.0/24 action=reject
Debugging tools
RouterOS provides the following tools for debugging routing:
- [Tool]->[Torch] - lets you view packets on interfaces
- /ip route check - lets you find out which gateway a packet will be sent to; does not work with routing tables
- /ping routing-table=<name> and /tool traceroute routing-table=<name> - ping and traceroute using the specified routing table
- action=log in [IP]->[Firewall] - a good tool that lets you trace the path of a packet through the packet flow; this action is available in all chains and tables.
Source: www.habr.com