Multi-WAN and routing on Mikrotik RouterOS

Introduction

This article came about, among other things, out of frustration with the constantly repeated questions on this topic in the specialized groups of the Russian-speaking Telegram community. It is aimed at novice Mikrotik RouterOS (hereinafter ROS) administrators. It deals only with multi-WAN, with an emphasis on routing. As a bonus, it contains the minimum sufficient to ensure safe and convenient operation. Those looking for coverage of queues, load balancing, VLANs, bridges, multi-level deep analysis of channel state and the like need not spend time and effort reading it.

Input data

A five-port Mikrotik router with ROS version 6.45.3 was chosen as the test subject. It will route traffic between two local networks (LAN1 and LAN2) and three providers (ISP1, ISP2, ISP3). The channel to ISP1 has a static "grey" address, ISP2 a "white" one obtained via DHCP, ISP3 a "white" one with PPPoE authorization. The connection diagram is shown in the figure:

[Figure: connection diagram]

The task is to configure the MTK router according to the diagram so that:

  1. Automatic switching to a backup provider is provided. The main provider is ISP2, the first backup is ISP1, the second is ISP3.
  2. The LAN1 network gets Internet access only through ISP1.
  3. Traffic from the local networks can be routed to the Internet through a provider selected on the basis of an address list.
  4. Services from the local network can be published to the Internet (DSTNAT).
  5. A firewall filter provides minimal security from the Internet.
  6. The router can send its own traffic through any of the three providers, depending on the chosen source address.
  7. Reply packets are routed back to the channel they came from (including LAN).

Note. We will configure the router "from scratch" to guarantee the absence of surprises from the initial "out of the box" configuration, which changes from version to version. Winbox was chosen as the configuration tool, where the changes will be displayed visually. The settings themselves will be entered as commands in the Winbox terminal. The physical connection for configuration is made directly to the Ether5 interface.

A short digression on what multi-WAN is, whether it is a problem at all, or whether cunning people around are just stirring up fuss

An inquisitive and attentive administrator, having configured such a scheme, or a similar one, on his own, suddenly realizes that it already works fine. Yes, yes, without those custom routes and other rules that most articles on this topic are full of. Shall we check?

Can we configure the addresses on the interfaces and the default routes? Yes:

On ISP1, the address and gateway are registered with distance=2 and check-gateway=ping.
On ISP2, the default dhcp client settings; accordingly, the distance will equal one.
On ISP3, in the pppoe client with add-default-route=yes, set default-route-distance=3.

Don't forget to register NAT on the way out:

/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN

As a result, users of the local networks happily download cats through the main provider ISP2, and channel reservation works through the check gateway mechanism. See note 1.

Point 1 of the task is done. Where is the multi-WAN with its marks? Nowhere...

Next. You need to let specific clients from the LAN out through ISP1:

/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS passthrough=yes route-dst=100.66.66.1 src-address-list=Via_ISP1
/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS passthrough=no route-dst=100.66.66.1 src-address=192.168.88.0/24

Points 2 and 3 of the task are done. Labels, marks, route rules, where are you?!

Need access to your favourite OpenVPN server with address 172.17.17.17 for clients from the Internet? Please:

/ip cloud set ddns-enabled=yes

As the peer address, we give the clients the output of: ":put [/ip cloud get dns-name]"

Register port forwarding from the Internet:

/ip firewall nat add action=dst-nat chain=dstnat dst-port=1194 in-interface-list=WAN protocol=udp to-addresses=172.17.17.17

Point 4 is ready.

We set up the firewall and other security for point 5, at the same time rejoicing that everything already works for the users, and reach for the box with a favourite drink...
Ah! Forgot the tunnels.

Has the l2tp-client, configured from a googled article, come up to your favourite Dutch VDS? Yes.
Has the l2tp-server with IPsec come up, and do clients cling to it by the DNS name from IP cloud (see above)? Yes.
Leaning back in the chair and sipping the drink, we lazily look at points 6 and 7 of the task. We think: do we need them? It works like this anyway (c) ... So, if they are not needed, then that's it. Multi-WAN implemented.

What is multi-WAN? It is the connection of several Internet channels to one router.

You don't have to read the article further, since what could be there besides a demonstration of dubious applicability?

For those who remain, who are interested in points 6 and 7 of the task, and who also feel the itch of perfectionism, we dive deeper.

The most important task in implementing multi-WAN is correct routing of traffic. Namely: regardless of which ISP channel (or channels, see note 3) the default route of our router looks at, it must return the reply exactly to the channel the packet came from. The task is clear. Where is the problem? Indeed, in a simple local network the task is the same, but nobody bothers with additional settings and nobody feels any problem. The difference is that any routable host on the Internet is reachable through each of our channels, and not through one strictly defined channel, as in a simple LAN. And the "problem" is that if a request came to us on the IP address of ISP3, then in our case the reply will go through the ISP2 channel, since the default gateway points there. It will go out and be discarded by the provider as incorrect. The problem is identified. How to solve it?

The solution is divided into three stages:

  1. Presetting. At this stage, the basic settings of the router are made: local network, firewall, address lists, hairpin NAT, etc.
  2. Multi-WAN. At this stage, the necessary connections are marked and sorted into routing tables.
  3. Connecting to the ISPs. At this stage, the interfaces providing the connection to the Internet are configured, routing is set up and the Internet channel reservation mechanism is enabled.

1. Presetting

1.1. Reset the router configuration with the command:

/system reset-configuration skip-backup=yes no-defaults=yes

agree to "Dangerous! Reset anyway? [y/N]:" and, after the reboot, connect with Winbox via MAC. At this stage the configuration and users are wiped.

1.2. Create a new user:

/user add group=full name=knight password=ultrasecret comment="Not horse"

log in under it and delete the default one:

/user remove admin

Note. It is the removal, not the disabling, of the default user that the author considers safer and recommends using.

1.3. Create basic interface lists for convenience of working in the firewall, discovery settings and the MAC servers:

/interface list add name=WAN comment="For Internet"
/interface list add name=LAN comment="For Local Area"

Mark the interfaces with comments

/interface ethernet set ether1 comment="to ISP1"
/interface ethernet set ether2 comment="to ISP2"
/interface ethernet set ether3 comment="to ISP3"
/interface ethernet set ether4 comment="to LAN1"
/interface ethernet set ether5 comment="to LAN2"

and add them to the interface lists:

/interface list member add interface=ether1 list=WAN comment=ISP1
/interface list member add interface=ether2 list=WAN comment=ISP2
/interface list member add interface=ether3 list=WAN comment="to ISP3"
/interface list member add interface=ether4 list=LAN comment="LAN1"
/interface list member add interface=ether5 list=LAN comment="LAN2"

Note. Writing clear comments is worth the time spent on it; it also greatly helps troubleshooting and understanding the configuration.

The author considers it necessary, for security reasons, to add the ether3 interface to the "WAN" interface list, despite the fact that the ip protocol will not pass over it.

Don't forget that after the PPP interface is brought up on ether3, it will also need to be added to the "WAN" interface list.

1.4. Hide the router from neighbor discovery and from management by the providers via MAC:

/ip neighbor discovery-settings set discover-interface-list=!WAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

1.5. Create the minimum sufficient firewall filter rules to protect the router:

/ip firewall filter add action=accept chain=input comment="Related Established Untracked Allow" connection-state=established,related,untracked

(the rule allows established and related connections initiated both from the connected networks and by the router itself)

/ip firewall filter add action=accept chain=input comment="ICMP from ALL" protocol=icmp

(ping, and not only ping. All incoming icmp is allowed. Very useful for finding MTU problems)

/ip firewall filter add action=drop chain=input comment="All other WAN Drop" in-interface-list=WAN

(the rule closing the input chain prohibits everything else coming from the Internet)

/ip firewall filter add action=accept chain=forward comment="Established, Related, Untracked allow" connection-state=established,related,untracked

(the rule allows established and related connections passing through the router)

/ip firewall filter add action=drop chain=forward comment="Invalid drop" connection-state=invalid

(the rule drops connections with connection-state=invalid passing through the router. It is strongly recommended by Mikrotik, but in some rare situations it can block useful traffic)

/ip firewall filter add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

(the rule prohibits packets coming from the Internet that have not passed the dstnat procedure from passing through the router. This protects the local networks from intruders who, being in the same broadcast domain as our external networks, register our external IPs as their gateway and thus try to "explore" our local networks.)

Note. We assume that the LAN1 and LAN2 networks are trusted and that traffic between them and from them is not filtered.

1.6. Create an address list of non-routable networks:

/ip firewall address-list
add address=0.0.0.0/8 comment="\"This\" Network" list=BOGONS
add address=10.0.0.0/8 comment="Private-Use Networks" list=BOGONS
add address=100.64.0.0/10 comment="Shared Address Space. RFC 6598" list=BOGONS
add address=127.0.0.0/8 comment=Loopback list=BOGONS
add address=169.254.0.0/16 comment="Link Local" list=BOGONS
add address=172.16.0.0/12 comment="Private-Use Networks" list=BOGONS
add address=192.0.0.0/24 comment="IETF Protocol Assignments" list=BOGONS
add address=192.0.2.0/24 comment=TEST-NET-1 list=BOGONS
add address=192.168.0.0/16 comment="Private-Use Networks" list=BOGONS
add address=198.18.0.0/15 comment="Network Interconnect Device Benchmark Testing" list=BOGONS
add address=198.51.100.0/24 comment=TEST-NET-2 list=BOGONS
add address=203.0.113.0/24 comment=TEST-NET-3 list=BOGONS
add address=224.0.0.0/4 comment=Multicast list=BOGONS
add address=192.88.99.0/24 comment="6to4 Relay Anycast" list=BOGONS
add address=240.0.0.0/4 comment="Reserved for Future Use" list=BOGONS
add address=255.255.255.255 comment="Limited Broadcast" list=BOGONS

(This is a list of addresses and networks that are not routed to the Internet, and we will follow it.)

Note. The list is subject to change, so I advise checking its relevance periodically.

1.7. Configure DNS for the router itself:

/ip dns set servers=1.1.1.1,8.8.8.8

Note. In the current version of ROS, dynamic servers take precedence over static ones. A name resolution request is sent to the first server in the list order. The switch to the next server happens when the current one is unavailable. The timeout is long, more than 5 seconds. Switching back, when the "fallen" server recovers, does not happen. Given this algorithm and the presence of multi-WAN, the author recommends not using the servers issued by the providers.

1.8. Configure the local network.
1.8.1. Configure static IP addresses on the LAN interfaces:

/ip address add interface=ether4 address=192.168.88.254/24 comment="LAN1 IP"
/ip address add interface=ether5 address=172.16.1.0/23 comment="LAN2 IP"

1.8.2. Set the rules for routes to our local networks from the main routing table:

/ip route rule add dst-address=192.168.88.0/24 table=main comment="to LAN1"
/ip route rule add dst-address=172.16.0.0/23 table=main comment="to LAN2"

Note. This is a simple and convenient way to reach the LAN addresses with source IP addresses of the router's external interfaces, which do not go via the default route.

1.8.3. Enable hairpin NAT for LAN1 and LAN2:

/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN1" out-interface=ether4 src-address=192.168.88.0/24 to-addresses=192.168.88.254
/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN2" out-interface=ether5 src-address=172.16.0.0/23 to-addresses=172.16.1.0

Note. This allows you to reach your published resources (dstnat) on the external IP while being inside the network.

2. Actually, the implementation of multi-WAN itself

To solve the problem of "answering where the request came from", we will use two ROS tools: connection mark and routing mark. connection mark allows you to mark the desired connection and then use this mark as a condition for applying a routing mark. And with routing mark you can already work in ip route and route rules. We have sorted out the tools; now you need to decide which connections to mark (one), and exactly where to mark them (two).

With the first, everything is simple: we need to mark all connections that come to the router from the Internet through the corresponding channel. In our case, these will be three marks (by the number of channels): "conn_isp1", "conn_isp2" and "conn_isp3".

The nuance with the second is that incoming connections will be of two types: transit and those intended for the router itself. The connection-marking mechanism works in the mangle table. Consider the movement of a packet on a simplified diagram, kindly compiled by the specialists of the mikrotik-trainings.com resource (not an advertisement):

[Figure: RouterOS packet flow diagram]

Following the arrows, we see that a packet arriving at the "Input Interface" passes through the "Prerouting" chain, and only after that is it divided into transit and local in the "Routing Decision" block. Therefore, to kill two birds with one stone, we use Connection Mark in the Mangle table, Prerouting chain.

Note. In ROS, "Routing mark" labels are called "Table" in the Ip/Routes/Rules section and "Routing Mark" in other sections. This may introduce some confusion, but in fact it is the same thing, and it is an analogue of rt_tables in iproute2 on Linux.

2.1. Mark incoming connections from each provider:

/ip firewall mangle add action=mark-connection chain=prerouting comment="Connmark in from ISP1" connection-mark=no-mark in-interface=ether1 new-connection-mark=conn_isp1 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting comment="Connmark in from ISP2" connection-mark=no-mark in-interface=ether2 new-connection-mark=conn_isp2 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting comment="Connmark in from ISP3" connection-mark=no-mark in-interface=pppoe-isp3 new-connection-mark=conn_isp3 passthrough=no

Note. So as not to re-mark already marked connections, I use the connection-mark=no-mark condition instead of connection-state=new, because I consider it more correct, along with the rejection of dropping invalid connections in the filter.

passthrough=no, because in this implementation re-marking is excluded and, for speed, the enumeration of rules can be stopped after the first match.

It should be borne in mind that we are not interfering with routing in any way yet. So far these are only preparatory stages. The next stage of the implementation will be the handling of transit traffic returning over an established connection from a destination in the local network, i.e. the packets that (see the diagram) pass through the router along the path:

"Input Interface" => "Prerouting" => "Routing Decision" => "Forward" => "Post Routing" => "Output Interface" and reach their recipient in the local network.

Important! In ROS there is no logical division of interfaces into external and internal. If we trace the path of the reply packet according to the diagram above, it follows the same logical path as the request:

"Input Interface" => "Prerouting" => "Routing Decision" => "Forward" => "Post Routing" => "Output Interface", only for the request the "Input Interface" is the ISP interface, and for the reply it is the LAN

2.2. Direct the reply transit traffic to the corresponding routing tables:

/ip firewall mangle add action=mark-routing chain=prerouting comment="Routemark transit out via ISP1" connection-mark=conn_isp1 dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting comment="Routemark transit out via ISP2" connection-mark=conn_isp2 dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting comment="Routemark transit out via ISP3" connection-mark=conn_isp3 dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp3 passthrough=no

Note. in-interface-list=!WAN: we work only with traffic from the local network, and dst-address-type=!local: traffic whose destination address is not one of the addresses of the router's own interfaces.

The same for local packets that came to the router along the path:

"Input Interface" => "Prerouting" => "Routing Decision" => "Input" => "Local Process"

Important! The reply will go along the following path:

"Local Process" => "Routing Decision" => "Output" => "Post Routing" => "Output Interface"

2.3. Direct the reply local traffic to the corresponding routing tables:

/ip firewall mangle add action=mark-routing chain=output comment="Routemark local out via ISP1" connection-mark=conn_isp1 dst-address-type=!local new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=output comment="Routemark local out via ISP2" connection-mark=conn_isp2 dst-address-type=!local new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=output comment="Routemark local out via ISP3" connection-mark=conn_isp3 dst-address-type=!local new-routing-mark=to_isp3 passthrough=no

At this stage, the task of preparing to send the reply to the Internet channel the request came from can be considered solved. Everything is marked, labeled and ready for routing.
An excellent "side" effect of this setup is the ability to work with DSTNAT port forwarding from both (ISP2, ISP3) providers simultaneously. Not from all three, since on ISP1 we have a non-routable address. This effect is useful, for example, for a mail server with two MXs that look at different Internet channels.

To eliminate the nuances of the local networks working with the external IPs of the router, we use the solutions from paragraphs 1.8.2 and 3.1.2.6.

In addition, the marking tool can be used to solve point 3 of the task. We implement it like this:

2.4. Direct the traffic of local clients by address lists to the required tables:

/ip firewall mangle add action=mark-routing chain=prerouting comment="Address List via ISP1" dst-address-list=!BOGONS new-routing-mark=to_isp1 passthrough=no src-address-list=Via_ISP1

/ip firewall mangle add action=mark-routing chain=prerouting comment="Address List via ISP2" dst-address-list=!BOGONS new-routing-mark=to_isp2 passthrough=no src-address-list=Via_ISP2

/ip firewall mangle add action=mark-routing chain=prerouting comment="Address List via ISP3" dst-address-list=!BOGONS new-routing-mark=to_isp3 passthrough=no src-address-list=Via_ISP3

As a result, it looks like this:

[Figure: resulting mangle rules in Winbox]
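To make the marking scheme of 2.1 to 2.4 concrete, here is an added Python model (not RouterOS code and not from the article): a simplified conntrack keyed by the Internet-side peer, the prerouting and output mangle rules in the article's order, and four constructed scenarios. The peer addresses, the router's ISP2/ISP3 addresses and the membership of the Via_ISP3 list are assumptions.

```python
"""Model of the connection-mark / routing-mark scheme from section 2.

Added illustration, not RouterOS code: a tiny conntrack table plus the
mangle rules of 2.1-2.4, used to show which routing mark each packet leaves
with.  Interface names and marks follow the article; the peer addresses and
the router's ISP2/ISP3 addresses are constructed (RFC 5737 ranges).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

WAN_IFACES = {"ether1", "ether2", "pppoe-isp3"}          # interface-list WAN
IN_IFACE_TO_CONNMARK = {"ether1": "conn_isp1", "ether2": "conn_isp2",
                        "pppoe-isp3": "conn_isp3"}       # rules 2.1
CONNMARK_TO_ROUTEMARK = {"conn_isp1": "to_isp1", "conn_isp2": "to_isp2",
                         "conn_isp3": "to_isp3"}         # rules 2.2 / 2.3
# Router's own addresses: dst-address-type=local matches these.
# 192.0.2.20 (ISP2) and 198.51.100.10 (ISP3) are constructed.
LOCAL_ADDRS = {"192.168.88.254", "172.16.1.0", "100.66.66.2",
               "192.0.2.20", "198.51.100.10"}
# Members of the policy lists of 2.4 (assumed; the article lists none).
ADDRESS_LISTS = {"Via_ISP1": set(), "Via_ISP2": set(),
                 "Via_ISP3": {"192.168.88.50"}}


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: Optional[str]          # None: generated by the router itself
    conn_mark: Optional[str] = None
    routing_mark: Optional[str] = None


# Simplified conntrack: one entry per Internet-side peer, so that the
# dst-nat'ed reply from 172.17.17.17 still finds the entry of the inbound flow.
conntrack: Dict[str, str] = {}


def peer_of(p: Packet) -> str:
    return p.src if p.in_iface in WAN_IFACES else p.dst


def prerouting(p: Packet) -> Packet:
    """Mangle chain=prerouting, rules in the order they are added (2.1, 2.2, 2.4)."""
    p.conn_mark = conntrack.get(peer_of(p))
    # 2.1: connection-mark=no-mark in-interface=<ISP> -> mark the connection.
    if p.conn_mark is None and p.in_iface in IN_IFACE_TO_CONNMARK:
        p.conn_mark = IN_IFACE_TO_CONNMARK[p.in_iface]
        conntrack[peer_of(p)] = p.conn_mark
        return p                     # passthrough=no
    # 2.2: transit traffic from the LAN side belonging to a marked connection.
    if (p.conn_mark in CONNMARK_TO_ROUTEMARK and p.in_iface not in WAN_IFACES
            and p.dst not in LOCAL_ADDRS):
        p.routing_mark = CONNMARK_TO_ROUTEMARK[p.conn_mark]
        return p                     # passthrough=no
    # 2.4: src-address-list=Via_ISPn -> to_ispn (dst assumed not in BOGONS).
    for list_name, members in ADDRESS_LISTS.items():
        if p.src in members:
            p.routing_mark = "to_" + list_name.split("_")[1].lower()
            return p
    return p                         # unmarked: the main table decides


def output(p: Packet) -> Packet:
    """Mangle chain=output (2.3): the router's own replies follow the connmark."""
    p.conn_mark = conntrack.get(peer_of(p))
    if p.conn_mark in CONNMARK_TO_ROUTEMARK and p.dst not in LOCAL_ADDRS:
        p.routing_mark = CONNMARK_TO_ROUTEMARK[p.conn_mark]
    return p


def simulate(packets: List[Packet]) -> List[Optional[str]]:
    """Run the packets through the router in order, from an empty conntrack."""
    conntrack.clear()
    marks = []
    for p in packets:
        p.conn_mark = p.routing_mark = None
        out = output(p) if p.in_iface is None else prerouting(p)
        marks.append(out.routing_mark)
    return marks


# Constructed scenarios (peers taken from 203.0.113.0/24):
SCENARIOS = [
    # A: OpenVPN request arrives via ISP3 at the dst-nat'ed port; the server's
    #    reply comes back from LAN2 on ether5.
    Packet("203.0.113.5", "198.51.100.10", "pppoe-isp3"),
    Packet("172.17.17.17", "203.0.113.5", "ether5"),
    # B: an L2TP client reaches the router's own ISP2 address; the router answers.
    Packet("203.0.113.7", "192.0.2.20", "ether2"),
    Packet("192.0.2.20", "203.0.113.7", None),
    # C: a LAN1 host from the Via_ISP3 list opens a new connection.
    Packet("192.168.88.50", "203.0.113.9", "ether4"),
    # D: the router's own DNS query: no connmark, the main table decides.
    Packet("192.0.2.20", "1.1.1.1", None),
]

if __name__ == "__main__":
    for p, mark in zip(SCENARIOS, simulate(SCENARIOS)):
        print(f"{p.src:>15} -> {p.dst:<15} in={p.in_iface!s:<10} routing-mark={mark}")
```

Scenarios A and B show points 6 and 7 of the task: the reply leaves through the channel the request arrived on, whichever default route the main table currently holds.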

3. Configuring the connections to the ISPs and enabling channel reservation

3.1. Configure the connection to ISP1:
3.1.1. Configure the static IP address:

/ip address add interface=ether1 address=100.66.66.2/30 comment="ISP1 IP"

3.1.2. Configure static routing:
3.1.2.1. Add an "emergency" route:

/ip route add comment="Emergency route" distance=254 type=blackhole

Note. This route allows traffic from local processes to pass the Route Decision stage regardless of the state of the connection to any of the providers. The nuance of local outgoing traffic is that for a packet to move at least somewhere, the main routing table must contain a route to a default gateway. If there is none, the packet is simply destroyed.

As an extension of the check gateway tool, for a deeper analysis of the channel state I suggest using the recursive route method. The essence of the method is that we tell the router to look for the route to its gateway not directly, but through an intermediate gateway. 4.2.2.1, 4.2.2.2 and 4.2.2.3 will be chosen as such "test" gateways for ISP1, ISP2 and ISP3 respectively.

3.1.2.2. Route to the "probe" address:

/ip route add check-gateway=ping comment="For recursion via ISP1" distance=1 dst-address=4.2.2.1 gateway=100.66.66.1 scope=10

Note. We lower the scope value to the ROS default, in order to use 4.2.2.1 as a recursive gateway later. I emphasize: the Scope of the route to the "test" address must be less than or equal to the Target Scope of the route that will refer to the test one.

3.1.2.3. Recursive default route for traffic without a routing mark:

/ip route add comment="Unmarked via ISP1" distance=2 gateway=4.2.2.1

Note. The distance=2 value is used because ISP1 is declared the first backup according to the task conditions.

3.1.2.4. Recursive default route for traffic with the routing mark "to_isp1":

/ip route add comment="Marked via ISP1 Main" distance=1 gateway=4.2.2.1 routing-mark=to_isp1

Note. Actually, here we finally begin to enjoy the fruits of the preparatory work done in section 2.

With this route, all traffic that carries the routing mark "to_isp1" is directed to the gateway of the first provider, regardless of which default gateway is currently active for the main table.

3.1.2.5. First fallback recursive default routes for traffic marked for ISP2 and ISP3:

/ip route add comment="Marked via ISP2 Backup1" distance=2 gateway=4.2.2.1 routing-mark=to_isp2
/ip route add comment="Marked via ISP3 Backup1" distance=2 gateway=4.2.2.1 routing-mark=to_isp3

Note. These routes are needed, among other things, to reserve traffic from the local networks that are members of the "to_isp*" address lists.

3.1.2.6. Register the route rule for the router's local traffic to the Internet via ISP1:

/ip route rule add comment="From ISP1 IP to Inet" src-address=100.66.66.2 table=to_isp1

Note. Together with the rules from paragraph 1.8.2, it provides an exit to the required channel with the given source address. This is critical for building tunnels that specify a local IP address (EoIP, IP-IP, GRE). Since the rules in ip route rules are evaluated from top to bottom until the first match, this rule must come after the rules from paragraph 1.8.2.
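The following added Python model (not RouterOS code and not from the article) shows how the routes of 3.1.2, together with those the ISP2 and ISP3 scripts add later, select a nexthop per routing mark: recursion through the 4.2.2.x probe routes constrained by scope and target-scope, distance-based failover, the ROS v6 fall-back from a marked table to main, and the blackhole emergency route. The ISP2 and ISP3 gateway addresses are constructed, and a probe route's `up` flag stands in for the check-gateway result without modelling what check-gateway actually pings.

```python
"""Route selection model for section 3: recursive gateways, distance-based
failover and the blackhole "emergency" route.

Added illustration, not RouterOS code.  The table mirrors 3.1.2 plus the
routes added by the ISP2/ISP3 scripts (3.2, 3.3).  192.0.2.1 (ISP2) and
198.51.100.1 (ISP3) are constructed gateway addresses.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Route:
    dst: str                              # "0.0.0.0/0" or a /32 probe address
    gateway: str                          # address, or "blackhole"
    distance: int
    routing_mark: Optional[str] = None    # None = main table
    scope: int = 30
    target_scope: int = 10
    up: bool = True                       # stands in for the check-gateway result
    comment: str = ""


# Addresses reachable on a directly connected interface.
CONNECTED: Set[str] = {"100.66.66.1",     # ISP1 gateway (from the article)
                       "192.0.2.1",       # ISP2 gateway (constructed)
                       "198.51.100.1"}    # ISP3 gateway (constructed)


def resolve(route: Route, table: List[Route]) -> Optional[str]:
    """Nexthop the route resolves to, or None when the route is inactive.

    A gateway that is not directly connected is looked up recursively in the
    main table, using only routes whose scope <= this route's target-scope;
    that is why the /32 probe routes are added with scope=10.
    """
    if not route.up:
        return None
    if route.gateway == "blackhole" or route.gateway in CONNECTED:
        return route.gateway
    candidates = [r for r in table
                  if r.routing_mark is None and r.dst == route.gateway + "/32"
                  and r.scope <= route.target_scope]
    for r in sorted(candidates, key=lambda r: r.distance):
        nexthop = resolve(r, table)
        if nexthop is not None:
            return nexthop
    return None


def select_default(table: List[Route], mark: Optional[str]) -> Optional[str]:
    """Active default route with the lowest distance for `mark`; when the
    marked table has no active default, ROS v6 falls back to the main table."""
    for want in ([mark, None] if mark else [None]):
        active = [(r.distance, resolve(r, table)) for r in table
                  if r.dst == "0.0.0.0/0" and r.routing_mark == want]
        active = [a for a in active if a[1] is not None]
        if active:
            return min(active)[1]
    return None


def probe(isp: int, gateway: str) -> Route:
    return Route(f"4.2.2.{isp}/32", gateway, 1, scope=10,
                 comment=f"For recursion via ISP{isp}")


def default(isp: int, distance: int, mark: Optional[str] = None) -> Route:
    return Route("0.0.0.0/0", f"4.2.2.{isp}", distance, mark)


TABLE: List[Route] = [
    probe(1, "100.66.66.1"), probe(2, "192.0.2.1"), probe(3, "198.51.100.1"),
    Route("0.0.0.0/0", "blackhole", 254, comment="Emergency route"),
    # unmarked traffic: ISP2 main, ISP1 first backup, ISP3 second backup
    default(2, 1), default(1, 2), default(3, 3),
    # marked traffic, distances as in 3.1.2.4/3.1.2.5 and the ISP2/ISP3 scripts
    default(1, 1, "to_isp1"), default(2, 2, "to_isp1"), default(3, 3, "to_isp1"),
    default(2, 1, "to_isp2"), default(1, 2, "to_isp2"), default(3, 3, "to_isp2"),
    default(3, 1, "to_isp3"), default(1, 2, "to_isp3"), default(2, 3, "to_isp3"),
]


def with_down(table: List[Route], *isps: int) -> List[Route]:
    """Copy of the table with the probe routes of the given ISPs marked down."""
    down = {f"4.2.2.{i}/32" for i in isps}
    return [replace(r, up=False) if r.dst in down else r for r in table]


def nexthops(table: List[Route]) -> Dict[Optional[str], Optional[str]]:
    return {m: select_default(table, m)
            for m in (None, "to_isp1", "to_isp2", "to_isp3")}


if __name__ == "__main__":
    for label, t in [("all up", TABLE), ("ISP2 down", with_down(TABLE, 2)),
                     ("all down", with_down(TABLE, 1, 2, 3))]:
        print(label, nexthops(t))
```

Marking a single probe route down deactivates every default route that recurses through it, which is the behaviour note 1 relies on.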

3.1.3. Register the NAT rule for outgoing traffic:

/ip firewall nat add action=src-nat chain=srcnat comment="NAT via ISP1" ipsec-policy=out,none out-interface=ether1 to-addresses=100.66.66.2

Note. We NAT everything that goes out, except what falls under IPsec policies. I try not to use action=masquerade unless absolutely necessary. It is slower and more resource-intensive than src-nat, since it calculates the NAT address for every new connection.

3.1.4. Send clients from the list that are forbidden to go out through other providers directly to the ISP1 provider's gateway.

/ip firewall mangle add action=route chain=prerouting comment="Address List via ISP1 only" dst-address-list=!BOGONS passthrough=no route-dst=100.66.66.1 src-address-list=Via_only_ISP1 place-before=0

Note. action=route has a higher priority and is applied before the other routing rules.

place-before=0 places our rule first in the list.

3.2. Configure the connection to ISP2.

Since the ISP2 provider gives us the settings via DHCP, it makes sense to make the necessary changes with a script that runs when the DHCP client fires:

/ip dhcp-client
add add-default-route=no disabled=no interface=ether2 script=":if (\$bound=1) do={\r\
    \n    /ip route add check-gateway=ping comment=\"For recursion via ISP2\" distance=1 dst-address=4.2.2.2/32 gateway=\$\"gateway-address\" scope=10\r\
    \n    /ip route add comment=\"Unmarked via ISP2\" distance=1 gateway=4.2.2.2;\r\
    \n    /ip route add comment=\"Marked via ISP2 Main\" distance=1 gateway=4.2.2.2 routing-mark=to_isp2;\r\
    \n    /ip route add comment=\"Marked via ISP1 Backup1\" distance=2 gateway=4.2.2.2 routing-mark=to_isp1;\r\
    \n    /ip route add comment=\"Marked via ISP3 Backup2\" distance=3 gateway=4.2.2.2 routing-mark=to_isp3;\r\
    \n    /ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=\$\"interface\" to-addresses=\$\"lease-address\" comment=\"NAT via ISP2\" place-before=1;\r\
    \n    if ([/ip route rule find comment=\"From ISP2 IP to Inet\"] =\"\") do={\r\
    \n        /ip route rule add comment=\"From ISP2 IP to Inet\" src-address=\$\"lease-address\" table=to_isp2 \r\
    \n    } else={\r\
    \n       /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=no src-address=\$\"lease-address\"\r\
    \n    }      \r\
    \n} else={\r\
    \n   /ip firewall nat remove  [find comment=\"NAT via ISP2\"];\r\
    \n   /ip route remove [find comment=\"For recursion via ISP2\"];\r\
    \n   /ip route remove [find comment=\"Unmarked via ISP2\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP2 Main\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP1 Backup1\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP3 Backup2\"];\r\
    \n   /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=yes\r\
    \n}\r\
    \n" use-peer-dns=no use-peer-ntp=no

The script itself in the Winbox window:

[Figure: DHCP client script in Winbox]
Note. The first part of the script fires when the lease is successfully obtained, the second after the lease is released. See note 2.

3.3. Configure the connection to the ISP3 provider.

Since the provider gives us dynamic settings, it makes sense to make the necessary changes with scripts that run after the ppp interface comes up and after it goes down.

3.3.1. First, configure the profile:

/ppp profile
add comment="for PPPoE to ISP3" interface-list=WAN name=isp3_client on-down="/ip firewall nat remove  [find comment=\"NAT via ISP3\"];\r\
    \n/ip route remove [find comment=\"For recursion via ISP3\"];\r\
    \n/ip route remove [find comment=\"Unmarked via ISP3\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP3 Main\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP1 Backup2\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP2 Backup2\"];\r\
    \n/ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=yes;" \
    on-up="/ip route add check-gateway=ping comment=\"For recursion via ISP3\" distance=1 dst-address=4.2.2.3/32 gateway=\$\"remote-address\" scope=10\r\
    \n/ip route add comment=\"Unmarked via ISP3\" distance=3 gateway=4.2.2.3;\r\
    \n/ip route add comment=\"Marked via ISP3 Main\" distance=1 gateway=4.2.2.3 routing-mark=to_isp3;\r\
    \n/ip route add comment=\"Marked via ISP1 Backup2\" distance=3 gateway=4.2.2.3 routing-mark=to_isp1;\r\
    \n/ip route add comment=\"Marked via ISP2 Backup2\" distance=3 gateway=4.2.2.3 routing-mark=to_isp2;\r\
    \n/ip firewall mangle set [find comment=\"Connmark in from ISP3\"] in-interface=\$\"interface\";\r\
    \n/ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=\$\"interface\" to-addresses=\$\"local-address\" comment=\"NAT via ISP3\" place-before=1;\r\
    \nif ([/ip route rule find comment=\"From ISP3 IP to Inet\"] =\"\") do={\r\
    \n   /ip route rule add comment=\"From ISP3 IP to Inet\" src-address=\$\"local-address\" table=to_isp3 \r\
    \n} else={\r\
    \n   /ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=no src-address=\$\"local-address\"\r\
    \n};\r\
    \n"

The scripts themselves in the Winbox window:

[Figure: PPP profile on-up and on-down scripts in Winbox]
Note. The line
/ip firewall mangle set [find comment="Connmark in from ISP3"] in-interface=$"interface";
lets us survive a renaming of the interface, since it works with the interface's internal id and not with the displayed name.

3.3.2. Now, using the profile, create the ppp connection:

/interface pppoe-client add allow=mschap2 comment="to ISP3" disabled=no interface=ether3 name=pppoe-isp3 password=isp3_pass profile=isp3_client user=isp3_client

As a final touch, set the clock:

/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org

For those who read to the end

The proposed approach to implementing multi-WAN is the author's personal preference and not the only possible one. The ROS toolkit is extensive and flexible, which, on the one hand, makes it hard for beginners and, on the other hand, is the reason for its popularity. Learn, try, discover new tools and solutions. For example, as an application of the acquired knowledge, the check-gateway tool with recursive routes in this implementation of multi-WAN could be replaced with netwatch.

Notes

  1. check-gateway is a mechanism that deactivates a route after two consecutive failed checks of gateway availability. The check is performed once every 10 seconds, plus the response timeout. In total, the actual switching time is in the range of 20-30 seconds. If such a switching time is not enough, there is the option of using the netwatch tool, where the check timer can be set manually. check-gateway does not fire on occasional packet loss on the link.

    Important! Deactivating a main route also deactivates all the other routes that refer to it. Therefore, specifying check-gateway=ping for them is unnecessary.

  2. It happens that a failure occurs in the DHCP mechanism that looks like the client getting stuck in the renewing state. In this case the second part of the script will not run, but this does not prevent traffic from being routed correctly, since the state is tracked by the recursive route.
  3. ECMP (Equal Cost Multi-Path): in ROS it is possible to set a route with several gateways and the same distance. In this case, connections are distributed across the channels using the round robin algorithm, in proportion to the number of gateways specified.

For the motivation to write the article, help in forming its structure and in placing the accents, personal thanks to Evgeny @jscar

Source: www.hab.com