Routing is the process of finding the best path for delivering packets over a TCP/IP network. Every device connected to an IPv4 network has a routing process and a routing table.
This article is not a HOWTO; it describes static routing in RouterOS with examples and deliberately leaves out other settings (for example, srcnat for internet access), so understanding it requires some knowledge of networking and of RouterOS.
Switching and routing
Switching is the process of forwarding packets within one Layer 2 segment (Ethernet, ppp, ...). If a device sees that the recipient of a packet is on the same Ethernet segment as itself, it learns the MAC address with the arp protocol and delivers the packet directly, bypassing the router. A ppp (point-to-point) link can have only two participants, and the packet is always sent to the single address 0xff.
Routing is the process of delivering packets between Layer 2 segments. If a device wants to send a packet whose recipient is outside its Ethernet segment, it consults its routing table and hands the packet to the gateway that knows where to send the packet next (or may not know; the original sender of the packet has no way of telling).
The simplest way to think of a router is as a device connected to two or more Layer 2 segments that can forward packets between them by choosing the best path from its routing table.
If you understood all of that, or already knew it, read on. For everyone else, I strongly recommend getting acquainted with a short but authoritative
Routing in RouterOS and PacketFlow
Almost all functionality related to static routing is in the system package. The routing package adds support for dynamic routing protocols (RIP, OSPF, BGP, MME), route filters and BFD.
The main menu for configuring routing: [IP]->[Route]. Complex schemes may require marking packets in [IP]->[Firewall]->[Mangle] (the PREROUTING and OUTPUT chains).
There are three places in PacketFlow where an IP routing decision is made:
- Routing of packets received by the router. At this point it is decided whether the packet goes to a local process or is forwarded to the network. Transit packets go on to Output Processing
- Routing of locally generated packets. Outgoing packets go on to Output Processing
- An additional routing step for outgoing packets, which lets you change the routing decision in [Output|Mangle]
- Packets in blocks 1 and 2 are routed according to the rules in [IP]->[Route]
- Packets in blocks 1, 2 and 3 are routed according to the rules in [IP]->[Route]->[Rules]
- Routing of packets in blocks 1 and 3 can be influenced with [IP]->[Firewall]->[Mangle]
RIB, FIB, routing cache
Routing Information Base
The place where routes from dynamic routing protocols, routes from ppp and dhcp, and static and connected routes are collected. This database contains all routes except those filtered out by the administrator.
Conditionally, we can assume that [IP]->[Route] shows the RIB.
Forwarding Information Base
The place where the best routes from the RIB are collected. All routes in the FIB are active and are used to forward packets. If a route becomes inactive (disabled by the administrator (or the system), or the interface through which the packet should be sent is down), the route is removed from the FIB.
To make a routing decision, the FIB uses the following information about an IP packet:
- Source address
- Destination address
- Source interface
- Routing mark
- ToS (DSCP)
A packet entering the FIB goes through the following steps:
- Is the packet destined for a local process of the router?
- Does the packet match a user PBR rule or routing mark?
- If yes, the packet is sent to the specified routing table
- Otherwise the packet is sent to the main table
Conditionally, we can assume that [IP]->[Route Active=yes] shows the FIB.
Routing cache
A route caching mechanism. The router remembers where it sent packets and, if similar ones arrive (probably from the same connection), lets them go the same way without consulting the FIB. The routing cache is cleared periodically.
RouterOS administrators have no tools to view or manage the routing cache, but it can be disabled in [IP]->[Settings].
This mechanism was removed from the Linux kernel in 3.6, but RouterOS still uses kernel 3.3.5; perhaps the routing cache is one of the reasons.
The add-route dialog
[IP]->[Route]->[+]
- The subnet for which the route is created (default: 0.0.0.0/0)
- The gateway IP address or interface to which the packet will be sent (there may be several, see ECMP below)
- Gateway reachability check
- Record type
- Distance (metric) of the route
- Routing table
- Source IP for locally generated packets sent via this route
- Scope and Target Scope are described at the end of the article.
Route flags
- X - the route is disabled by the administrator (disabled=yes)
- A - the route is used to send packets
- D - dynamically added route (BGP, OSPF, RIP, MME, PPP, DHCP, connected)
- C - the subnet is directly connected to the router
- S - static route
- r,b,o,m - route added by one of the dynamic routing protocols
- B,U,P - filtering routes (drop the packet instead of forwarding it)
What to specify as the gateway: an IP address or an interface?
The system lets you specify either, and it neither complains nor explains if you did it wrong.
IP address
The gateway address must be reachable at Layer 2. For Ethernet this means the router must have an address from the same subnet on one of its active interfaces; for ppp, that the specified gateway address is set as the network address on one of the active interfaces.
If the Layer 2 reachability condition is not met, the route is considered inactive and does not get into the FIB.
Interface
Everything is more complicated here, and the router's behaviour depends on the interface type:
- PPP links (Async, PPTP, L2TP, SSTP, PPPoE, OpenVPN*) assume only two participants, and the packet is always sent to the gateway for delivery; if the gateway finds that it is itself the recipient, it passes the packet to its local process.
- Ethernet assumes many participants and sends an arp request on the interface for the address of the packet's recipient, which is the expected behaviour for connected routes.
But when you try to use the interface as the gateway for a remote subnet, you get the following situation: the route is active, ping to the gateway passes, but the recipient in the specified subnet is not reached. If you look at the interface with a sniffer, you will see arp requests for addresses from the remote subnet.
Try to specify an IP address as the gateway whenever possible. The exceptions are connected routes (created automatically) and PPP interfaces (Async, PPTP, L2TP, SSTP, PPPoE, OpenVPN*).
*OpenVPN has no PPP header, but you can use the OpenVPN interface name to create a route.
More specific route
The main routing rule. The route describing the smaller subnet (with the larger subnet mask) takes priority in the routing decision for a packet. The position of the entry in the routing table plays no part in the selection; the main rule is More Specific.
All routes in the scheme shown are active (present in the FIB), point to different subnets and do not conflict with each other.
If one of the gateways becomes unavailable, the route bound to it is considered inactive (removed from the FIB) and packets are looked up via the remaining routes.
The route with subnet 0.0.0.0/0 is sometimes given a special meaning and called the "default route" or "gateway of last resort". In fact there is nothing magical about it: it simply covers all possible IPv4 addresses, but these names describe its function well: it points to the gateway to which packets with no other suitable route are sent.
The maximum subnet mask for IPv4 is /32; such a route points to a single host and can be used in the routing table.
Understanding More Specific routing is essential for any TCP/IP device.
Distance
Distance (or metric) is needed for administrative prioritisation of routes to the same subnet reachable via several gateways. The route with the lower metric is considered the priority one and is placed in the FIB. If the route with the lower metric stops working, it is replaced in the FIB by the route with the higher metric.
If there are several routes to the same subnet with the same metric, the router adds only one of them to the FIB, guided by its own internal logic.
The metric can take values from 0 to 255:
- 0 - metric of connected routes. The administrator cannot set distance 0
- 1-254 - metrics available to the administrator for setting routes. Metrics with lower values have higher priority
- 255 - metric available to the administrator for setting routes. Unlike 1-254, a route with metric 255 is always inactive and does not get into the FIB.
- Specific metrics. Routes received via dynamic routing protocols have standard metric values
Check gateway
Check gateway is a MikroTik RouterOS extension for checking gateway availability via icmp or arp. Every 10 seconds (cannot be changed) a request is sent to the gateway; if no response is received twice, the route is considered unavailable and removed from the FIB. If the gateway check fails, the checks continue, and the route becomes active again after one successful check.
Check gateway disables the entry on which it is configured and all other entries (in routing tables and ecmp routes) with the specified gateway.
In general, check gateway works well as long as there are no packet-loss problems at the gateway. Check gateway knows nothing about what happens beyond the checked gateway; for that, other tools are needed: scripts, recursive routing, dynamic routing protocols.
Most VPN and tunnel protocols have built-in tools for checking link operation; enabling check gateway for them is an additional (though small) load on the network and on the device's performance.
ECMP routes
Equal-Cost Multi-Path routing: sending packets to a recipient through several gateways at once using the Round Robin algorithm.
The administrator creates an ECMP route by specifying several gateways for one subnet (or it is created automatically, if there are two equivalent OSPF routes).
ECMP is used to balance load between two channels; in theory, if there are two channels in an ecmp route, the outgoing channel should differ for each packet. But the routing cache mechanism sends packets along the path the first packet of the connection took, so in practice we get per-connection balancing (one connection transfers its data over one channel).
If you disable the routing cache, packets will be distributed evenly over the ECMP route, but there is a problem with NAT. A NAT rule is applied only to the first packet of a connection (the rest are processed automatically), so packets with the same source address will leave through different interfaces.
Check gateway does not work on ECMP routes (a RouterOS bug). But you can work around this limitation by creating additional check routes, which will remove the entry from ECMP.
Filtering by routing
The Type option determines what to do with the packet:
- unicast - send to the specified gateway (interface)
- blackhole - drop the packet
- prohibit, unreachable - drop the packet and send the sender an icmp message
Filtering is usually used when packets must be prevented from being sent the wrong way; in fact, this can also be controlled via the firewall.
A few examples
To consolidate the basics of routing.
A typical home router
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1
- Static route to 0.0.0.0/0 (default route)
- Connected route on the interface towards the provider
- Connected route on the LAN interface
A typical home router with PPPoE
- Static default route, added automatically; it is specified in the connection properties
- Connected route for the PPP link
- Connected route on the LAN interface
A typical home router with two providers and redundancy
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 distance=2
- Static default route via the first provider with metric 1 and gateway reachability check
- Static default route via the second provider with metric 2
- Connected routes
Traffic to 0.0.0.0/0 goes via 10.10.10.1 while that gateway is available; otherwise it switches to 10.20.20.1
Such a scheme can be considered channel redundancy, but not without drawbacks. If the outage occurs beyond the provider's gateway (for example, inside the provider's network), your router will not know about it and will continue to treat the route as working.
A typical home router with two providers, redundancy and ECMP
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.10.1,10.20.20.1 distance=1
- Static routes for check gateway
- ECMP route
- Connected routes
The check routes are shown in blue (the colour of inactive routes), but this does not prevent check gateway from working. The current version (6.44) of RoS handles the ECMP route automatically, but it is better to add the check routes to a separate table (the routing-mark option).
On Speedtest and similar sites there will be no increase in speed (ECMP splits traffic by connection, not by packet), but p2p applications should download faster.
Filtering by routing
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1
add dst-address=192.168.200.0/24 gateway=10.30.30.1 distance=1
add dst-address=192.168.200.0/24 gateway=10.10.10.1 distance=2 type=blackhole
- Static default route
- Static route to 192.168.200.0/24 over an ipip tunnel
- Prohibiting static route to 192.168.200.0/24 via the ISP router
The filtering option: tunnel traffic will not go to the provider's router when ipip is down. Such schemes are rarely needed, because the block can be implemented via the firewall.
Routing loop
A routing loop is a situation where a packet travels between routers until its ttl expires. Most often it is the result of a configuration error; in large networks it is dealt with by deploying dynamic routing protocols, in small ones by being careful.
It looks like this:
A (simple) example of how to get such a result:
The routing loop example has no practical use, but it shows that routers have no idea about their neighbours' routing tables.
Routing rules and additional routing tables
When choosing a route, the router uses only one field from the header (Dst. Address); this is destination-based routing. Routing based on other conditions, such as the source address, traffic type (ToS) or balancing without ECMP, belongs to Policy Base Routing (PBR) and uses additional routing tables.
More Specific remains the main rule for route selection within a routing table.
By default, all routing rules are added to the main table. The administrator can create an arbitrary number of routing tables and direct packets to them. Rules in different tables do not conflict with each other. If a packet does not find a suitable rule in the specified table, it goes to the main table.
Example with distribution via the Firewall:
- 192.168.100.10 -> 8.8.8.8
- Traffic from 192.168.100.10 is marked over-isp1 in [Prerouting|Mangle]
- At the Routing stage, a route to 8.8.8.8 is looked up in the over-isp1 table
- The route is found and the traffic is sent to gateway 10.10.10.1
- 192.168.200.20 -> 8.8.8.8
- Traffic from 192.168.200.20 is marked over-isp2 in [Prerouting|Mangle]
- At the Routing stage, a route to 8.8.8.8 is looked up in the over-isp2 table
- The route is found and the traffic is sent to gateway 10.20.20.1
- If one of the gateways (10.10.10.1 or 10.20.20.1) is unavailable, the packet goes to the main table and looks for a suitable route there
Terminology
RouterOS has a few terminology quirks.
When working with rules in [IP]->[Routes], what is meant is the routing table, although it is written as a mark:
In [IP]->[Routes]->[Rule] everything is correct: the condition uses a mark and the action uses a table:
How to send a packet to a specified routing table
RouterOS provides several tools:
- Rules in [IP]->[Routes]->[Rules]
- Routing marks (action=mark-routing) in [IP]->[Firewall]->[Mangle]
- VRF
[IP]->[Route]->[Rules] rules
The rules are processed in order; if a packet matches the conditions of a rule, it goes no further.
Routing rules let you extend routing, basing the decision not only on the destination address but also on the source address and the interface on which the packet was received.
A rule consists of conditions and an action:
- Conditions. These repeat the list of attributes used to check a packet in the FIB; only ToS is missing.
- Action
- lookup - send the packet to the table
- lookup only in table - lock the packet in the table; if the route is not found, the packet does not go to the main table.
- drop - drop the packet
- unreachable - drop the packet and notify the sender
In the FIB, traffic to local processes is handled when passing through the [IP]->[Route]->[Rules] rules:
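An added example, not RouterOS code, that models the FIB decision steps described earlier together with the [IP]->[Route]->[Rules] actions just listed: a local-process check first, then a rule picking a table, More Specific before distance inside the table, routes leaving the FIB when check-gateway fails, and the difference between lookup (falls back to main) and lookup-only-in-table (no fallback). The Router, Route and Rule classes, the table names and all addresses are constructed for the example.

```python
"""Toy model of the route-selection steps described above. Added example,
not RouterOS code: a packet is checked for a local process first, then a
PBR rule may pick a table, the table is searched More Specific first and
lowest distance second, and a miss falls back to main unless the rule was
lookup-only-in-table. Names and addresses are constructed for the example."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Route:
    dst: str                  # prefix, e.g. "0.0.0.0/0"
    gateway: str              # next hop
    distance: int = 1         # 1-254 usable; 255 never enters the FIB
    table: str = "main"       # routing-mark / table name
    rtype: str = "unicast"    # unicast | blackhole | prohibit | unreachable
    active: bool = True       # cleared when check-gateway fails


@dataclass
class Rule:
    """[IP]->[Route]->[Rules] entry: source prefix -> action on a table."""
    src: str
    action: str               # lookup | lookup-only-in-table
    table: str


@dataclass
class Router:
    local_addrs: set
    routes: list = field(default_factory=list)
    rules: list = field(default_factory=list)

    def fib(self, table):
        """Active routes of one table, i.e. [IP]->[Route Active=yes]."""
        return [r for r in self.routes
                if r.table == table and r.active and r.distance < 255]

    def lookup(self, dst, table):
        """More Specific (longest mask) first, then lowest distance."""
        ip = ipaddress.ip_address(dst)
        found = [r for r in self.fib(table) if ip in ipaddress.ip_network(r.dst)]
        if not found:
            return None
        return min(found, key=lambda r: (-ipaddress.ip_network(r.dst).prefixlen,
                                         r.distance))

    def route_packet(self, src, dst):
        """Describe what happens to a src -> dst packet."""
        if dst in self.local_addrs:           # step 1: local process?
            return "local"
        table, locked = "main", False         # step 2: first matching PBR rule
        for rule in self.rules:
            if ipaddress.ip_address(src) in ipaddress.ip_network(rule.src):
                table, locked = rule.table, rule.action == "lookup-only-in-table"
                break
        route = self.lookup(dst, table)
        if route is None and table != "main" and not locked:
            route = self.lookup(dst, "main")  # miss in the extra table: fall back to main
        if route is None:
            return "no route"
        if route.rtype != "unicast":
            return route.rtype                # filtering route: packet dropped
        return f"via {route.gateway} ({route.table})"

    def check_gateway(self, gateway, reachable):
        """check-gateway affects every entry, in any table, with this gateway."""
        for r in self.routes:
            if r.gateway == gateway:
                r.active = reachable


def demo():
    rt = Router(local_addrs={"10.10.10.100", "10.20.20.200", "192.168.100.1"})
    rt.routes = [
        Route("0.0.0.0/0", "10.10.10.1", distance=1),
        Route("0.0.0.0/0", "10.20.20.1", distance=2),
        Route("192.168.200.0/24", "10.30.30.1", distance=1),
        Route("192.168.200.0/24", "10.10.10.1", distance=2, rtype="blackhole"),
        Route("0.0.0.0/0", "10.10.10.1", table="over-isp1"),
        Route("0.0.0.0/0", "10.20.20.1", table="over-isp2"),
    ]
    rt.rules = [
        Rule("10.10.10.100/32", "lookup-only-in-table", "over-isp1"),
        Rule("10.20.20.200/32", "lookup-only-in-table", "over-isp2"),
    ]
    out = {
        "default": rt.route_packet("192.168.100.10", "8.8.8.8"),
        "specific": rt.route_packet("192.168.100.10", "192.168.200.20"),
        "local": rt.route_packet("192.168.100.10", "192.168.100.1"),
        "pbr": rt.route_packet("10.20.20.200", "8.8.8.8"),
    }
    rt.check_gateway("10.30.30.1", False)     # tunnel gateway stops answering
    out["filtered"] = rt.route_packet("192.168.100.10", "192.168.200.20")
    rt.check_gateway("10.20.20.1", False)     # isp2 gateway stops answering
    out["locked"] = rt.route_packet("10.20.20.200", "8.8.8.8")
    return out
```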
Marking in [IP]->[Firewall]->[Mangle]
Routing marks let you set a gateway for packets using almost any Firewall condition:
True, since not all of them make sense, some may work incorrectly.
There are two ways to mark packets:
- Set the routing mark directly
- First set a connection mark, then set the routing mark based on the connection mark
In the article about firewalls I wrote that the second option is preferable because it reduces the cpu load; in the case of routing marks this is not entirely true. These marking methods are not always equivalent and are often used to solve different problems.
Usage examples
Let's move on to examples of using Policy Base Routing; with them it is easier to show why all of this is needed.
MultiWAN and returning outgoing traffic (output).
A common problem in MultiWAN setups: the Mikrotik is reachable from the internet only via the "active" provider.
The router does not care which ip the request came to; when it generates the response, it looks for a route in the routing table, where the route via isp1 is active. Further on, such a packet will most likely be filtered on the recipient's side.
Another interesting point. If a "simple" source NAT is configured on the ether1 interface: /ip fi nat add out-interface=ether1 action=masquerade
the packet will go to the internet with src.address=10.10.10.100, which makes things even worse.
There are different ways to solve the problem, but each of them requires an additional routing table:
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 check-gateway=ping distance=2
add dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 routing-mark=over-isp2
Using [IP]->[Route]->[Rules]
Specify the routing table to be used for packets with the given source IP.
/ip route rule
add src-address=10.10.10.100/32 action=lookup-only-in-table table=over-isp1
add src-address=10.20.20.200/32 action=lookup-only-in-table table=over-isp2
You can use action=lookup, but for locally generated traffic the lookup-only-in-table option completely rules out sending via the wrong interface.
- The system generates a response packet with Src. Address 10.20.20.200
- The Routing Decision (2) checks the [IP]->[Routes]->[Rules] step and sends the packet to the over-isp2 routing table
- According to that routing table, the packet is sent to gateway 10.20.20.1 via interface ether2.
This method does not require a working Connection Tracker, unlike the use of the Mangle table.
Using [IP]->[Firewall]->[Mangle]
The connection starts with an incoming packet, so we mark it (action=mark-connection), and for outgoing packets of the marked connection we set a routing mark (action=mark-routing).
/ip firewall mangle
#Marking incoming connections
add chain=input in-interface=ether1 connection-state=new action=mark-connection new-connection-mark=from-isp1
add chain=input in-interface=ether2 connection-state=new action=mark-connection new-connection-mark=from-isp2
#Marking outgoing packets based on the connection
add chain=output connection-mark=from-isp1 action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=output connection-mark=from-isp2 action=mark-routing new-routing-mark=over-isp2 passthrough=no
If several ips are configured on one interface, you can add dst-address to the condition to be sure.
- A packet opens a connection on interface ether2. The packet enters [INPUT|Mangle], which says to mark all packets of this connection as from-isp2
- The system generates a response packet with Src. Address 10.20.20.200
- At Routing Decision (2) the packet, according to the routing table, is sent to gateway 10.20.20.1 via interface ether1. You can verify this by logging the packet in [OUTPUT|Filter]
- At the [OUTPUT|Mangle] stage the from-isp2 connection mark is checked and the packet receives the over-isp2 routing mark
- Routing Adjustment (3) checks for a routing mark and sends the packet to the corresponding routing table.
- According to the routing table, the packet is sent to gateway 10.20.20.1 via interface ether2.
MultiWAN and returning dst-nat traffic
A more complex example: what to do if there is a server (for example, a web server) behind the router in a private subnet and access to it must be provided via either provider.
/ip firewall nat
add chain=dstnat proto=tcp dst-port=80,443 in-interface=ether1 action=dst-nat to-address=192.168.100.100
add chain=dstnat proto=tcp dst-port=80,443 in-interface=ether2 action=dst-nat to-address=192.168.100.100
The main problem will be the same; the solution is like the Firewall Mangle option, only other chains are used:
/ip firewall mangle
add chain=prerouting connection-state=new in-interface=ether1 protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=web-input-isp1
add chain=prerouting connection-state=new in-interface=ether2 protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=web-input-isp2
add chain=prerouting connection-mark=web-input-isp1 in-interface=ether3 action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=prerouting connection-mark=web-input-isp2 in-interface=ether3 action=mark-routing new-routing-mark=over-isp2 passthrough=no
The diagram does not show NAT, but I think everything is clear.
MultiWAN and outgoing connections
PBR capabilities can be used to create several vpn (SSTP in the example) connections via different router interfaces.
Additional routing tables:
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.100.1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=192.168.200.1 routing-mark=over-isp2
add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-mark=over-isp3
add dst-address=0.0.0.0/0 gateway=192.168.100.1 distance=1
add dst-address=0.0.0.0/0 gateway=192.168.200.1 distance=2
add dst-address=0.0.0.0/0 gateway=192.168.0.1 distance=3
Packet marking:
/ip firewall mangle
add chain=output dst-address=10.10.10.100 proto=tcp dst-port=443 action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=output dst-address=10.10.10.101 proto=tcp dst-port=443 action=mark-routing new-routing-mark=over-isp2 passthrough=no
add chain=output dst-address=10.10.10.102 proto=tcp dst-port=443 action=mark-routing new-routing-mark=over-isp3 passthrough=no
Simple NAT rules; otherwise the packet will leave the interface with the wrong Src. Address:
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
add chain=srcnat out-interface=ether3 action=masquerade
What happens:
- The router creates three SSTP sessions
- At Routing Decision (2) the route for these sessions is chosen according to the main routing table. At the same time the packet gets the Src. Address bound to interface ether1
- In [Output|Mangle], packets from different connections receive different marks
- In Routing Adjustment the packet enters the table matching its mark and gets a new route for sending
- But the packet still has the Src. Address from ether1; at the [Nat|Srcnat] stage the address is replaced according to the interface
Interestingly, on the router you will see the following connection table:
Connection Tracker works before [Mangle] and [Srcnat], so all connections are from the same address; if you look closely and open Reply Dst. Address, it will contain the address after NAT:
On the VPN server (I have one on the test bench) you can see that all connections come from the correct addresses:
Hardcoded routes
There is a simpler way: you can specify a separate gateway for each address:
/ip route
add dst-address=10.10.10.100 gateway=192.168.100.1
add dst-address=10.10.10.101 gateway=192.168.200.1
add dst-address=10.10.10.102 gateway=192.168.0.1
But such routes will affect not only outgoing but also transit traffic. In addition, if you do not want traffic to the vpn servers to go over the wrong channel, you will have to add 6 more rules in [IP]->[Routes] with type=blackhole. In the previous variant: 3 rules in [IP]->[Route]->[Rules].
Distributing user connections over channels
A simple, everyday task. Again, an additional routing table is needed:
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=1 routing-mark=over-isp2
Using [IP]->[Route]->[Rules]
/ip route rule
add src-address=192.168.100.0/25 action=lookup-only-in-table table=over-isp1
add src-address=192.168.100.128/25 action=lookup-only-in-table table=over-isp2
If you use action=lookup, then when one of the channels fails, the traffic will go to the main table and through the working channel. Whether this is needed or not depends on the task.
Using marks in [IP]->[Firewall]->[Mangle]
A simple example with an IP address list. In principle, almost any condition can be used. The only caveat is Layer7: even when combined with connection marks, it may look as if everything works well, but some traffic will still go the wrong way.
/ip firewall mangle
add chain=prerouting src-address-list=users-over-isp1 dst-address-type=!local action=mark-routing new-routing-mark=over-isp1
add chain=prerouting src-address-list=users-over-isp2 dst-address-type=!local action=mark-routing new-routing-mark=over-isp2
You can "lock" users in one routing table via [IP]->[Route]->[Rules]:
/ip route rule
add routing-mark=over-isp1 action=lookup-only-in-table table=over-isp1
add routing-mark=over-isp2 action=lookup-only-in-table table=over-isp2
Or via [IP]->[Firewall]->[Filter]:
/ip firewall filter
add chain=forward routing-mark=over-isp1 out-interface=!ether1 action=reject
add chain=forward routing-mark=over-isp2 out-interface=!ether2 action=reject
About dst-address-type=!local
The additional condition dst-address-type=!local is needed so that traffic from users reaches the router's local processes (dns, winbox, ssh, ...). If several local subnets are connected to the router, you need to make sure that traffic between them does not go to the internet, for example using dst-address-list.
In the examples using [IP]->[Route]->[Rules] there is no such condition, yet traffic reaches local processes. The point is that a packet marked in [PREROUTING|Mangle] enters the FIB with a routing mark and goes into a non-main routing table, where there are no local interfaces. In the case of Routing Rules, it is first checked whether the packet is for a local process, and only then, at the user PBR level, does it go to the specified routing table.
Using [IP]->[Firewall]->[Mangle action=route]
This action works only in [Prerouting|Mangle] and lets you direct traffic to a specified gateway without using an additional routing table, by specifying the gateway address directly:
/ip firewall mangle
add chain=prerouting src-address=192.168.100.0/25 action=route gateway=10.10.10.1
add chain=prerouting src-address=192.168.128.0/25 action=route gateway=10.20.20.1
The route action has lower priority than routing rules ([IP]->[Route]->[Rules]). With routing marks, everything depends on the order of the rules: if a rule with action=route comes before action=mark-routing, it is the one that is used (regardless of the passthrough flag), not the routing mark.
There is little information on the wiki about this action and all conclusions were obtained experimentally; in any case, I have not seen a situation where this option gives an advantage over the others.
PCC-based load balancing
Per Connection Classifier is a more flexible analogue of ECMP. Unlike ECMP, it splits traffic by connection properly (ECMP knows nothing about connections, but combined with the Routing Cache something similar is obtained).
PCC takes the specified fields from the ip header, converts them to a 32-bit value and divides it by the denominator. The remainder is compared with the specified remainder and, if they match, the specified action is applied.
Example with three addresses:
192.168.100.10: 192+168+100+10 = 470 % 3 = 2
192.168.100.11: 192+168+100+11 = 471 % 3 = 0
192.168.100.12: 192+168+100+12 = 472 % 3 = 1
Example of distributing traffic by src.address over three channels:
#Routing table
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.30.30.1 dist=3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=1 routing-mark=over-isp2
add dst-address=0.0.0.0/0 gateway=10.30.30.1 dist=1 routing-mark=over-isp3
#Marking connections and routes
/ip firewall mangle
add chain=prerouting in-interface=br-lan dst-address-type=!local connection-state=new per-connection-classifier=src-address:3/0 action=mark-connection new-connection-mark=conn-over-isp1
add chain=prerouting in-interface=br-lan dst-address-type=!local connection-state=new per-connection-classifier=src-address:3/1 action=mark-connection new-connection-mark=conn-over-isp2
add chain=prerouting in-interface=br-lan dst-address-type=!local connection-state=new per-connection-classifier=src-address:3/2 action=mark-connection new-connection-mark=conn-over-isp3
add chain=prerouting in-interface=br-lan connection-mark=conn-over-isp1 action=mark-routing new-routing-mark=over-isp1
add chain=prerouting in-interface=br-lan connection-mark=conn-over-isp2 action=mark-routing new-routing-mark=over-isp2
add chain=prerouting in-interface=br-lan connection-mark=conn-over-isp3 action=mark-routing new-routing-mark=over-isp3
When marking routes, an additional condition is added: in-interface=br-lan; without it, under action=mark-routing the reply traffic from the internet would also be marked and, according to the routing table, would go back to the provider.
Channel switching
Ping check is a good tool, but it only checks connectivity with the nearest IP peer; provider networks usually have a large number of routers, and a connectivity failure can occur beyond the nearest peer; then there are the telecom operators behind them, which can also have problems. In general, ping check does not always give up-to-date information about global network availability.
While providers and large companies have the BGP dynamic routing protocol, home and office users have to work out for themselves how to check internet availability over a given channel.
Usually scripts are used that check, via a given channel, the reachability of an IP address on the internet; when choosing one, pick something reliable, for example google dns: 8.8.8.8, 8.8.4.4. But in the Mikrotik community a more interesting tool has been devised for this.
A few words about recursive routing
Recursive routing is needed when building Multihop BGP peering, and it made it into an article on the basics of static routing only thanks to the trickery of MikroTik engineers, who worked out how to use recursive routes together with check gateway to switch channels without additional scripts.
It is time to understand Scope/Target Scope and the general algorithm for binding a route to an interface:
- The route looks for an interface to send the packet based on its target-scope value, considering all entries in the main table with a scope value less than or equal to it
- From the found entries, the one via which the packet can be sent to the specified gateway is chosen
- The interface of the found connected entry is chosen for sending the packet to the gateway
For a recursive route, everything happens the same way, but in two stages:
- 1-3 Binding the route to a connected route through which the specified gateway can be reached
- 4-6 Finding the connected route for the "intermediate" gateway.
All the magic of recursive lookup happens in the RIB; only the final result gets into the FIB: 0.0.0.0/0 via 10.10.10.1 on ether1.
Example of using recursive routing to switch routes
Configuration:
/ip route
add dst-address=0.0.0.0/0 gateway=8.8.8.8 check-gateway=ping distance=1 target-scope=10
add dst-address=8.8.8.8 gateway=10.10.10.1 scope=10
add dst-address=0.0.0.0/0 gateway=10.20.20.1 distance=2
You can check that packets will be sent to 10.10.10.1:
Check-gateway knows nothing about recursive routing and sends pings to 8.8.8.8, which (according to the main table) is reachable through gateway 10.10.10.1.
If connectivity between 10.10.10.1 and 8.8.8.8 is lost, the route is removed, but packets (including the test pings) to 8.8.8.8 continue to go to 10.10.10.1:
If the ether1 link goes down, an unpleasant situation arises: packets to 8.8.8.8 go through the second provider:
This is a problem if you use NetWatch to run scripts when 8.8.8.8 becomes unavailable. If the link goes down, NetWatch will check only through the backup channel and consider that everything is fine. It is fixed by adding one more filtering route:
/ip route
add dst-address=8.8.8.8 gateway=10.20.20.1 distance=100 type=blackhole
There is more about this on Habr.
And yes, when using such a solution the address 8.8.8.8 is hard-wired to one of the providers, so choosing it as a DNS source is not a good idea.
A few words about Virtual Routing and Forwarding (VRF)
VRF technology is designed to create several virtual routers inside a single physical one; telecom operators use it (usually combined with MPLS) to provide L3VPN services to customers whose subnet addresses overlap:
But VRF in MikroTik is implemented on top of routing tables and has a number of drawbacks; for example, the router's local IP addresses are present in all VRFs. You can read more about this elsewhere.
Example VRF configuration:
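The scope/target-scope lookup and the failover example above can be replayed in a small simulation. The Python below is an added example written for this page, not RouterOS code and not from the original article. The router's own interface addresses (10.10.10.2/24, 10.20.20.2/24) and the test destination 203.0.113.10 are constructed, and check-gateway is modelled simply as the set of gateway addresses that currently answer ping. It shows the RIB-to-FIB result for the normal case, for a ping failure somewhere beyond 10.10.10.1, for ether1 being down without the blackhole route (packets to 8.8.8.8 go out via the second provider) and with it.

```python
"""Toy model of RouterOS-style recursive route resolution (RIB -> FIB).
Implements the scope / target-scope lookup described above and replays the
check-gateway failover example, including the blackhole fix. The router-side
addresses (10.10.10.2, 10.20.20.2) are constructed for the simulation."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    dst: str                   # destination prefix, e.g. "0.0.0.0/0"
    gateway: str               # next-hop IP, an interface name, or "" for blackhole
    distance: int = 1
    scope: int = 30            # RouterOS defaults: 30 for static, 10 for connected
    target_scope: int = 10
    check_gateway: bool = False
    blackhole: bool = False

    @property
    def net(self) -> ipaddress.IPv4Network:
        return ipaddress.ip_network(self.dst, strict=False)


def _is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def build_rib(static: list, addresses: dict, up: set) -> list:
    """Connected routes (scope 10, distance 0) exist only for interfaces that are up."""
    connected = [Route(str(ipaddress.ip_interface(a).network), iface,
                       distance=0, scope=10, target_scope=0)
                 for iface, a in addresses.items() if iface in up]
    return connected + static


def resolve(route: Route, rib: list, up: set, ping_ok: set, depth: int = 0):
    """Return (nexthop_ip, iface) if the route can be active, ("blackhole", "")
    for a blackhole route, or None if it cannot be resolved."""
    if route.blackhole:
        return ("blackhole", "")
    if depth > 8 or (route.check_gateway and route.gateway not in ping_ok):
        return None                                   # nexthop loop or check-gateway failed
    if not _is_ip(route.gateway):                     # gateway given as an interface name
        return (None, route.gateway) if route.gateway in up else None
    gw = ipaddress.ip_address(route.gateway)
    # Steps 1-3: only entries whose scope <= this route's target-scope may resolve
    # the gateway; longest prefix first, then lowest distance.
    cands = sorted((r for r in rib
                    if r is not route and r.scope <= route.target_scope and gw in r.net),
                   key=lambda r: (-r.net.prefixlen, r.distance))
    for cand in cands:
        hop = resolve(cand, rib, up, ping_ok, depth + 1)
        if hop is None or hop[0] == "blackhole":
            continue
        # Steps 4-6: a connected candidate ends the recursion (our gateway becomes the
        # nexthop on its interface); a non-connected one hands up its resolved nexthop.
        return (route.gateway, hop[1]) if hop[0] is None else hop
    return None


def active_routes(rib: list, up: set, ping_ok: set) -> list:
    """One active route per prefix: the lowest distance among the resolvable ones."""
    best = {}
    for r in sorted(rib, key=lambda r: r.distance):
        key = str(r.net)
        if key not in best and resolve(r, rib, up, ping_ok) is not None:
            best[key] = r
    return list(best.values())


def fib_lookup(dst: str, static: list, addresses: dict, up: set, ping_ok: set) -> Optional[str]:
    """Longest-prefix match among active routes; returns the FIB next hop as text."""
    rib = build_rib(static, addresses, up)
    ip = ipaddress.ip_address(dst)
    matches = sorted((r for r in active_routes(rib, up, ping_ok) if ip in r.net),
                     key=lambda r: -r.net.prefixlen)
    if not matches:
        return None
    hop = resolve(matches[0], rib, up, ping_ok)
    if hop[0] == "blackhole":
        return "blackhole"
    return f"via {hop[0] or dst} on {hop[1]}"


# The routes from the example above; the router's own addresses are constructed.
ADDRESSES = {"ether1": "10.10.10.2/24", "ether2": "10.20.20.2/24"}
STATIC = [
    Route("0.0.0.0/0", "8.8.8.8", distance=1, target_scope=10, check_gateway=True),  # recursive, ISP1
    Route("8.8.8.8/32", "10.10.10.1", scope=10),                                     # pins 8.8.8.8 to ISP1
    Route("0.0.0.0/0", "10.20.20.1", distance=2),                                    # backup via ISP2
]
BLACKHOLE = Route("8.8.8.8/32", "", distance=100, blackhole=True)                     # the fix


def scenario(up: set, ping_ok: set, with_blackhole: bool = False) -> dict:
    """FIB next hops for an arbitrary Internet host and for the monitored address."""
    static = STATIC + ([BLACKHOLE] if with_blackhole else [])
    return {d: fib_lookup(d, static, ADDRESSES, up, ping_ok) for d in ("203.0.113.10", "8.8.8.8")}


if __name__ == "__main__":
    both = {"ether1", "ether2"}
    print("links up, 8.8.8.8 answers  ", scenario(both, {"8.8.8.8"}))
    print("links up, ISP1 ping fails  ", scenario(both, set()))
    print("ether1 down, no blackhole  ", scenario({"ether2"}, set()))
    print("ether1 down, with blackhole", scenario({"ether2"}, set(), True))
```

The third scenario reproduces the trap from the text: with ether1 down the /32 towards 10.10.10.1 is no longer resolvable, so 8.8.8.8 falls through to the backup default route and a NetWatch probe would still succeed. With the blackhole /32 at distance 100 the probe is dropped locally instead, which is what makes the check meaningful.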
/ip route vrf
add interfaces=ether1 routing-mark=vrf1
add interfaces=ether2 routing-mark=vrf2
/ip address
add address=192.168.100.1/24 interface=ether1 network=192.168.100.0
add address=192.168.200.1/24 interface=ether2 network=192.168.200.0
From a device connected to ether2 we see that ping to the router's address from the other VRF succeeds (this is a problem), while ping to the Internet does not:
To get Internet access, you have to add a route into the main table (in VRF terminology this is called route leaking):
/ip route
add distance=1 gateway=172.17.0.1@main routing-mark=vrf1
add distance=1 gateway=172.17.0.1%wlan1 routing-mark=vrf2
These are the two ways of route leaking: by routing table, 172.17.0.1@main, and by interface name, 172.17.0.1%wlan1.
And set the marks for return traffic in [PREROUTING|Mangle]:
/ip firewall mangle
add chain=prerouting in-interface=ether1 action=mark-connection new-connection-mark=from-vrf1 passthrough=no
add chain=prerouting connection-mark=from-vrf1 routing-mark=!vrf1 action=mark-routing new-routing-mark=vrf1 passthrough=no
add chain=prerouting in-interface=ether2 action=mark-connection new-connection-mark=from-vrf2 passthrough=no
# each VRF's return traffic is tested against its own mark, so the vrf2 rule uses routing-mark=!vrf2
add chain=prerouting connection-mark=from-vrf2 routing-mark=!vrf2 action=mark-routing new-routing-mark=vrf2 passthrough=no
Subnets with identical addresses
Configuring access to subnets with identical addresses on one router using VRF and netmap:
Basic configuration:
/ip route vrf
add interfaces=ether1 routing-mark=vrf1
add interfaces=ether2 routing-mark=vrf2
/ip address
add address=192.168.100.1/24 interface=ether1 network=192.168.100.0
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0
add address=192.168.0.1/24 interface=ether3 network=192.168.0.0
Firewall rules:
# Mark packets so that they are sent to the correct routing table
/ip firewall mangle
add chain=prerouting dst-address=192.168.101.0/24 in-interface=ether3 action=mark-routing new-routing-mark=vrf1 passthrough=no
add chain=prerouting dst-address=192.168.102.0/24 in-interface=ether3 action=mark-routing new-routing-mark=vrf2 passthrough=no
# Using netmap, replace the addresses of the "ephemeral" subnets with the real subnets
/ip firewall nat
add chain=dstnat dst-address=192.168.101.0/24 in-interface=ether3 action=netmap to-addresses=192.168.100.0/24
add chain=dstnat dst-address=192.168.102.0/24 in-interface=ether3 action=netmap to-addresses=192.168.100.0/24
Routing rules for return traffic:
# Specifying the interface name can also be considered route leaking, but in essence an analogue of a connected route is created here
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=ether3 routing-mark=vrf1
add distance=1 dst-address=192.168.0.0/24 gateway=ether3 routing-mark=vrf2
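As an added illustration of the netmap part of this configuration (not code from the article and not RouterOS code), the Python below models what the PREROUTING mangle and dstnat netmap rules do to a packet arriving on ether3. The rule table is taken from the configuration above; the host addresses used in the demonstration are constructed. It shows that netmap is a 1:1 mapping that keeps the host part, so the same real address 192.168.100.10 behind ether1 and behind ether2 is reachable as 192.168.101.10 and 192.168.102.10 respectively. The netmap function is written for any pair of equal-length prefixes, not only the /24s of the example.

```python
"""Model of the PREROUTING mangle + dstnat netmap rules above: a host on ether3 reaches
the "ephemeral" prefixes 192.168.101.0/24 and 192.168.102.0/24, which netmap maps 1:1
onto the real 192.168.100.0/24 behind ether1 (vrf1) and ether2 (vrf2)."""
import ipaddress
from typing import Optional, Tuple

# (ephemeral prefix, routing mark, real prefix) as in the firewall rules above
NETMAP_RULES = [
    ("192.168.101.0/24", "vrf1", "192.168.100.0/24"),
    ("192.168.102.0/24", "vrf2", "192.168.100.0/24"),
]
CLIENT_IFACE = "ether3"   # the rules only match traffic coming in on ether3


def netmap(addr: str, from_net: str, to_net: str) -> str:
    """action=netmap: keep the host bits of addr, replace the network bits (1:1 mapping).
    Works for any pair of equally sized prefixes, not only the /24s above."""
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    if src.prefixlen != dst.prefixlen:
        raise ValueError("netmap needs prefixes of equal length")
    host_bits = int(ipaddress.ip_address(addr)) & int(src.hostmask)
    return str(ipaddress.ip_address(int(dst.network_address) | host_bits))


def classify(in_iface: str, dst: str) -> Tuple[Optional[str], str]:
    """Return (routing mark, translated destination) for a packet entering the router:
    the mangle rule selects the VRF table, the dstnat rule rewrites the destination."""
    ip = ipaddress.ip_address(dst)
    if in_iface == CLIENT_IFACE:
        for ephemeral, mark, real in NETMAP_RULES:
            if ip in ipaddress.ip_network(ephemeral):
                return mark, netmap(dst, ephemeral, real)
    return None, dst          # no rule matched: main table, destination unchanged


if __name__ == "__main__":
    # constructed sample destinations from a host on ether3
    for dst in ("192.168.101.10", "192.168.102.10", "192.168.0.5"):
        print(dst, "->", classify("ether3", dst))
```

Only the forward direction is modelled; on the router the reply packets are un-translated by connection tracking, and the routes with gateway=ether3 in each VRF are what make those replies routable at all.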
Adding routes obtained via DHCP to a given routing table
VRF can be useful if you need to automatically add dynamic routes (for example, from a DHCP client) to a routing table.
Adding the interface to a VRF:
/ip route vrf
add interface=ether1 routing-mark=over-isp1
Rules for sending traffic (output and transit) through the over-isp1 table:
/ip firewall mangle
add chain=output out-interface=!br-lan action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=prerouting in-interface=br-lan dst-address-type=!local action=mark-routing new-routing-mark=over-isp1 passthrough=no
Additionally, a dummy route for output traffic is needed:
/interface bridge
add name=bare
/ip route
add dst-address=0.0.0.0/0 gateway=bare
This route is needed only so that locally generated output packets can pass routing decision (2) before [OUTPUT|Mangle] and receive the routing mark; if the router has other working routes ahead of 0.0.0.0/0 in the main table, it is not required.
The connected-in and dynamic-in chains in [Routing]->[Filters]
Route filtering (inbound and outbound) is a tool usually used together with dynamic routing protocols (so it is available only after installing the routing package), but there are two interesting chains in inbound filtering:
- connected-in - filtering of connected routes
- dynamic-in - filtering of dynamic routes received from PPP and DHCP
Filtering lets you not only drop routes but also change a number of options: distance, routing-mark, comment, scope, target-scope, ...
This is a fair tool, but if you can manage without route filtering (and without scripts), then do not use Routing Filters; do not make life harder for yourself and for whoever configures the router after you. In dynamic routing, Routing Filters will be used often and productively.
Setting marks for dynamic routes
An example from a home router. I have two VPN connections configured, and traffic into them should be wrapped according to the routing table. At the same time, I want the routes to be created automatically when the interface comes up:
# When creating the VPN connections, request creation of a default route and set its distance
/interface pptp-client
add connect-to=X.X.X.X add-default-route=yes default-route-distance=101 ...
add connect-to=Y.Y.Y.Y add-default-route=yes default-route-distance=100 ...
# Using filters, send the routes to specific routing tables based on the destination prefix and distance
/routing filter
add chain=dynamic-in distance=100 prefix=0.0.0.0/0 action=passthrough set-routing-mark=over-vpn1
add chain=dynamic-in distance=101 prefix=0.0.0.0/0 action=passthrough set-routing-mark=over-vpn2
I don't know why, maybe a bug, but if you create a VRF for a PPP interface, the 0.0.0.0/0 route still lands in the main table. Otherwise everything would be much simpler.
Disabling connected routes
Sometimes this is needed:
/routing filter
add chain=connected-in prefix=192.168.100.0/24 action=reject
Debugging tools
RouterOS provides several tools for debugging routing:
- [Tool]->[Torch] - lets you see the packets on interfaces
- /ip route check - shows the gateway the packet will be sent to; does not work with routing tables
- /ping routing-table=<name> and /tool traceroute routing-table=<name> - ping and traceroute using the specified routing table
- action=log in [IP]->[Firewall] - a wonderful tool that lets you trace a packet's path through the packet flow; it is available in all chains and tables.
Source: www.habr.com