Introduction
What prompted this article is how often questions on this topic keep coming up in the specialised groups of the Russian-speaking Telegram community. The article is aimed at beginning Mikrotik RouterOS (hereafter ROS) administrators. It covers only multi-WAN, with the emphasis on routing. As a bonus, it gives the minimum settings needed for safe and convenient operation. Anyone looking for coverage of queues, balancing, VLANs, bridges, multi-stage detailed analysis of channel state and similar topics can save themselves the time and effort of reading.
Initial data
A five-port Mikrotik router running ROS version 6.45.3 was chosen as the test subject. It will route traffic between two local networks (LAN1 and LAN2) and three providers (ISP1, ISP2, ISP3). The link to ISP1 has a static "grey" address, ISP2 a "white" address obtained via DHCP, and ISP3 a "white" address with PPPoE authentication. The connection diagram is shown in the following figure:
The task is to configure the MTK router, based on this diagram, so that it:
- provides automatic switch-over to a backup provider. The main provider is ISP2, the first backup is ISP1, the second backup is ISP3.
- gives the LAN1 network access to the Internet only via ISP1.
- can route traffic from the local networks to the Internet via a chosen provider, based on an address list.
- allows a service from the local network to be published to the Internet (DSTNAT).
- has a firewall filter configured to provide the minimum sufficient security from the Internet side.
- can send its own traffic out via any of the three providers, depending on the chosen source address.
- routes reply packets back into the channel (LAN included) they came from.
Note. The router will be configured from scratch, to guarantee there are no surprises from the default configurations that change from version to version. Winbox was chosen as the configuration tool, since it shows the changes visually. The settings themselves are entered as commands in the Winbox terminal. The physical connection for configuration is a direct connection to the Ether5 interface.
A short reflection on what multi-WAN is, whether it is a problem at all, or a flock of cunning wise guys weaving a web of conspiracy
A curious and attentive administrator, setting up this or a similar scheme on their own, suddenly realises that everything already works fine. Yes, without those custom routing tables and other route rules that fill most articles on this topic. Shall we check?
Can we configure addressing on the interfaces and the default gateways? Yes:
on ISP1 we entered the address and the gateway with distance=2 and check-gateway=ping.
on ISP2, with the default dhcp-client settings, the distance will be 1.
on ISP3, in the pppoe-client settings, with add-default-route=yes we set default-route-distance=3.
We did not forget to add NAT on the way out:
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN
As a result, the users of the local networks download cat pictures via the main provider ISP2, and channel failover is provided by the check-gateway mechanism. See note 1.
Item 1 of the task is implemented. So where is multi-WAN with its marks? Nowhere...
Next. We need to let specific clients out of the LAN via ISP1:
/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS passthrough=yes route-dst=100.66.66.1 src-address-list=Via_ISP1
/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS passthrough=no route-dst=100.66.66.1 src-address=192.168.88.0/24
Items 2 and 3 of the task are implemented. Marks, marking, route rules, where are you?!
Need to give Internet clients access to your favourite OpenVPN server at address 172.17.17.17? Here you go:
/ip cloud set ddns-enabled=yes
As the peer we give the clients the output of: :put [/ip cloud get dns-name]
We add the port forward from the Internet:
/ip firewall nat add action=dst-nat chain=dstnat dst-port=1194 in-interface-list=WAN protocol=udp to-addresses=172.17.17.17
Item 4 is ready.
For item 5 we set up the firewall and the rest of the security, meanwhile rejoicing that everything already works for the users, and reach for the vessel with our favourite drink...
Ah! We forgot the tunnels.
Did the l2tp-client, configured from a googled article, come up to the favourite Dutch VDS? Yes.
Did the l2tp server with IPsec come up, and do the clients connect to it by the DNS name from IP Cloud (see above)? Yes.
Leaning back in the chair and sipping the drink, we lazily look over items 6 and 7 of the task. We think: is it even needed? It works as it is (c)... So, if it is not actually needed, that is it. Multi-WAN is implemented.
What is multi-WAN? It is connecting several Internet channels to one router.
There is no need to read the article any further, since everything works; what else is there to discuss, other than showing off something of dubious applicability?
For those who are interested in items 6 and 7 of the task, or who are tormented by perfectionism, let's dig deeper.
The most important task in implementing multi-WAN is correct routing of traffic. Namely: regardless of which provider channel (or channels, see note 3) the default route on our router points at, it must return the reply into exactly the channel the packet came from. The task is clear. Where is the problem? After all, in a simple local network the task is the same, but nobody bothers with additional settings or feels any trouble. The difference is that every routable node on the Internet is reachable through each of our channels, not through one strictly specific channel, as in a simple LAN. And the "trouble" is that if a request arrives for the IP address of ISP3, then in our case the reply will leave via the ISP2 channel, because that is where the default gateway points. It will leave and be discarded by the provider as incorrect. The problem is identified. How do we solve it?
The solution is divided into three stages:
- Preliminary setup. At this stage the basic settings of the router are configured: local network, firewall, address lists, hairpin NAT and so on.
- Multi-WAN. At this stage the necessary connections are marked and sorted into routing tables.
- Connecting to the ISPs. At this stage the interfaces that provide the Internet connections are configured, and routing and the Internet channel failover mechanism are activated.
1. Preliminary setup
1.1. Clear the router configuration with the command:
/system reset-configuration skip-backup=yes no-defaults=yes
agree to "Dangerous! Reset anyway? [y/N]:" and after the reboot connect with Winbox via MAC. At this stage the configuration and the user database are cleared.
1.2. Create a new user:
/user add group=full name=knight password=ultrasecret comment="Not horse"
log in as that user and remove the default one:
/user remove admin
Note. It is deleting, not disabling, the default user that the author considers more secure and recommends.
1.3. Create basic interface lists for convenient use in the firewall, in the discovery settings and in the other MAC servers:
/interface list add name=WAN comment="For Internet"
/interface list add name=LAN comment="For Local Area"
Label the interfaces with comments:
/interface ethernet set ether1 comment="to ISP1"
/interface ethernet set ether2 comment="to ISP2"
/interface ethernet set ether3 comment="to ISP3"
/interface ethernet set ether4 comment="to LAN1"
/interface ethernet set ether5 comment="to LAN2"
and fill the interface lists:
/interface list member add interface=ether1 list=WAN comment=ISP1
/interface list member add interface=ether2 list=WAN comment=ISP2
/interface list member add interface=ether3 list=WAN comment="to ISP3"
/interface list member add interface=ether4 list=LAN comment="LAN1"
/interface list member add interface=ether5 list=LAN comment="LAN2"
Note. Writing clear comments is worth the time spent on it, and it greatly simplifies troubleshooting and understanding the configuration.
The author considers it necessary, for security reasons, to add the ether3 interface to the "WAN" interface list, even though no IP protocol will pass over it.
Do not forget that after the PPP interface is brought up on ether3, it will also need to be added to the "WAN" interface list.
1.4. Hide the router from neighbor discovery and from management via MAC from the provider networks:
/ip neighbor discovery-settings set discover-interface-list=!WAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
1.5. Create a minimum sufficient set of firewall filter rules to protect the router:
/ip firewall filter add action=accept chain=input comment="Related Established Untracked Allow" connection-state=established,related,untracked
(this rule permits established and related connections initiated both from the connected networks and by the router itself)
/ip firewall filter add action=accept chain=input comment="ICMP from ALL" protocol=icmp
(any icmp is allowed in, not only ping; this is useful above all for finding MTU problems)
/ip firewall filter add action=drop chain=input comment="All other WAN Drop" in-interface-list=WAN
(this rule closes the input chain and denies everything else that came from the Internet)
/ip firewall filter add action=accept chain=forward comment="Established, Related, Untracked allow" connection-state=established,related,untracked
(this rule permits established and related connections passing through the router)
/ip firewall filter add action=drop chain=forward comment="Invalid drop" connection-state=invalid
(this rule drops connections with connection-state=invalid passing through the router. Mikrotik strongly recommends it, but in some rare situations it can block useful traffic)
/ip firewall filter add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
(this rule forbids packets that came from the Internet and did not pass the dstnat procedure from passing through the router. It protects the local networks from attackers who, sitting in the same broadcast domain as our external networks, set our external IP as their gateway and in that way try to "explore" our local networks.)
Note. We take it as given that the LAN1 and LAN2 networks are trusted and that traffic between them and from them is not filtered.
1.6. Create a list containing the non-routable networks:
/ip firewall address-list
add address=0.0.0.0/8 comment="\"This\" Network" list=BOGONS
add address=10.0.0.0/8 comment="Private-Use Networks" list=BOGONS
add address=100.64.0.0/10 comment="Shared Address Space. RFC 6598" list=BOGONS
add address=127.0.0.0/8 comment=Loopback list=BOGONS
add address=169.254.0.0/16 comment="Link Local" list=BOGONS
add address=172.16.0.0/12 comment="Private-Use Networks" list=BOGONS
add address=192.0.0.0/24 comment="IETF Protocol Assignments" list=BOGONS
add address=192.0.2.0/24 comment=TEST-NET-1 list=BOGONS
add address=192.168.0.0/16 comment="Private-Use Networks" list=BOGONS
add address=198.18.0.0/15 comment="Network Interconnect Device Benchmark Testing" list=BOGONS
add address=198.51.100.0/24 comment=TEST-NET-2 list=BOGONS
add address=203.0.113.0/24 comment=TEST-NET-3 list=BOGONS
add address=224.0.0.0/4 comment=Multicast list=BOGONS
add address=192.88.99.0/24 comment="6to4 Relay Anycast" list=BOGONS
add address=240.0.0.0/4 comment="Reserved for Future Use" list=BOGONS
add address=255.255.255.255 comment="Limited Broadcast" list=BOGONS
(This is a list of addresses and networks that are not routed on the Internet, and we will treat them accordingly.)
Note. The list can change, so it is recommended to check it periodically for relevance.
1.7. Configure DNS for the router itself:
/ip dns set servers=1.1.1.1,8.8.8.8
Note. In the current version of ROS, dynamic servers take priority over static ones. A name resolution request is sent to the first server in the list, in order. The switch to the next server happens when the current one is unavailable. The timeout is long, more than 5 seconds. Falling back, when the server comes up again, does not happen automatically. Taking this algorithm and the presence of multi-WAN into account, the author recommends not using the servers issued by the providers.
1.8. Configure the local network.
1.8.1. Configure static IP addresses on the LAN interfaces:
/ip address add interface=ether4 address=192.168.88.254/24 comment="LAN1 IP"
/ip address add interface=ether5 address=172.16.1.0/23 comment="LAN2 IP"
1.8.2. Set route rules into the local networks through the main routing table:
/ip route rule add dst-address=192.168.88.0/24 table=main comment="to LAN1"
/ip route rule add dst-address=172.16.0.0/23 table=main comment="to LAN2"
Note. This is one of the quick and simple ways to get access to the LAN addresses with the router's external interface IP addresses as source, which do not go through the default route.
1.8.3. Enable hairpin NAT for LAN1 and LAN2:
/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN1" out-interface=ether4 src-address=192.168.88.0/24 to-addresses=192.168.88.254
/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN2" out-interface=ether5 src-address=172.16.0.0/23 to-addresses=172.16.1.0
Note. This makes it possible to access resources (dstnat) via the external IP while inside the network.
2. Actually implementing that very thing, the proper multi-WAN
To solve the problem of "answer where you were asked from" we will use two ROS tools: connection mark and routing mark. Connection mark lets us mark the needed connection and then use this mark as a condition for applying a routing mark. And with a routing mark we can already work in ip route and route rules. The tools are settled. Now we need to decide which connections to mark (one) and exactly where to mark them (two).
The first is simple: we must mark all connections arriving at the router from the Internet via the corresponding channel. In our case there will be three marks (by the number of channels): "conn_isp1", "conn_isp2" and "conn_isp3".
The nuance of the second is that incoming connections are of two types: transit ones and those destined for the router itself. The connection mark mechanism works in the mangle table. Let's consider the movement of a packet on a simplified diagram, kindly put together by the specialists of the mikrotik-trainings.com resource (not an advertisement):
Following the arrows, we see that a packet arriving on the "Input Interface" passes through the "Prerouting" chain and only then is split into transit and local in the "Routing Decision" block. Therefore, killing two birds with one stone, we use Connection Mark in the Mangle table, in the Prerouting chain.
Note. In ROS, the "Routing mark" labels are listed in the Ip/Routes/Rules section as "Table", and in the other sections as "Routing Mark". This can cause some confusion in understanding, but in essence it is the same thing, and is the analogue of rt_tables in iproute2 on Linux.
2.1. Mark the incoming connections from each of the providers:
/ip firewall mangle add action=mark-connection chain=prerouting comment="Connmark in from ISP1" connection-mark=no-mark in-interface=ether1 new-connection-mark=conn_isp1 passthrough=no
/ip firewall mangle add action=mark-connection chain=prerouting comment="Connmark in from ISP2" connection-mark=no-mark in-interface=ether2 new-connection-mark=conn_isp2 passthrough=no
/ip firewall mangle add action=mark-connection chain=prerouting comment="Connmark in from ISP3" connection-mark=no-mark in-interface=pppoe-isp3 new-connection-mark=conn_isp3 passthrough=no
Note. In order not to mark already marked connections, instead of the condition connection-state=new I use the condition connection-mark=no-mark, since I consider it more correct, and it also avoids having to drop invalid connections in the input filter.
passthrough=no, because with this implementation method re-marking is excluded, and to speed things up the rule scan can be stopped after the first match.
Bear in mind that we are not interfering with routing in any way yet. At the moment these are only the preparation stages. The next stage of the implementation will be the processing of transit traffic that returns over an established connection from a recipient in the local network, i.e. the packets that (see the diagram) went along the path:
"Input Interface" => "Prerouting" => "Routing Decision" => "Forward" => "Post Routing" => "Output Interface" and reached their recipient in the local network.
Important! In ROS there is no logical division into external and internal interfaces. If you trace the path of the reply packet on the diagram above, it goes the same logical path as the request:
"Input Interface" => "Prerouting" => "Routing Decision" => "Forward" => "Post Routing" => "Output Interface", only for the request the "Input Interface" was the ISP interface, and for the reply it is the LAN.
2.2. Direct the reply transit traffic into the corresponding routing table:
/ip firewall mangle add action=mark-routing chain=prerouting comment="Routemark transit out via ISP1" connection-mark=conn_isp1 dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp1 passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting comment="Routemark transit out via ISP2" connection-mark=conn_isp2 dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp2 passthrough=no
/ip firewall mangle add action=mark-routing chain=prerouting comment="Routemark transit out via ISP3" connection-mark=conn_isp3 dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp3 passthrough=no
Note. in-interface-list=!WAN: we work only with traffic from the local network, and dst-address-type=!local: only with traffic whose destination address is not an address of the router's own interfaces.
The same applies to local packets that arrived at the router along the path:
"Input Interface" => "Prerouting" => "Routing Decision" => "Input" => "Local Process"
Important! The reply takes the following path:
"Local Process" => "Routing Decision" => "Output" => "Post Routing" => "Output Interface"
2.3. Direct the reply local traffic into the corresponding routing table:
/ip firewall mangle add action=mark-routing chain=output comment="Routemark local out via ISP1" connection-mark=conn_isp1 dst-address-type=!local new-routing-mark=to_isp1 passthrough=no
/ip firewall mangle add action=mark-routing chain=output comment="Routemark local out via ISP2" connection-mark=conn_isp2 dst-address-type=!local new-routing-mark=to_isp2 passthrough=no
/ip firewall mangle add action=mark-routing chain=output comment="Routemark local out via ISP3" connection-mark=conn_isp3 dst-address-type=!local new-routing-mark=to_isp3 passthrough=no
At this stage the task of preparing to send the reply into the Internet channel the request came from can be considered solved. Everything is marked, labelled and ready for routing.
An excellent "side" effect of this configuration is the ability to use DSTNAT port forwarding from both providers (ISP2, ISP3) simultaneously. Not on ISP1, since it has a non-routable address. This effect matters, for example, for a mail server with two MX records pointing at different Internet channels.
To eliminate the subtleties of local networks working with the router's external IPs, we use the solutions from sections 1.8.2 and 3.1.2.6.
In addition, the marking tool can be used to solve item 3 of the task. We implement it like this:
2.4. Direct the traffic from local clients in the address lists into the corresponding tables:
/ip firewall mangle add action=mark-routing chain=prerouting comment="Address List via ISP1" dst-address-list=!BOGONS new-routing-mark=to_isp1 passthrough=no src-address-list=Via_ISP1
/ip firewall mangle add action=mark-routing chain=prerouting comment="Address List via ISP2" dst-address-list=!BOGONS new-routing-mark=to_isp2 passthrough=no src-address-list=Via_ISP2
/ip firewall mangle add action=mark-routing chain=prerouting comment="Address List via ISP3" dst-address-list=!BOGONS new-routing-mark=to_isp3 passthrough=no src-address-list=Via_ISP3
The result looks something like this:
3. Configuring the ISP connections and enabling marked routing
3.1. Set up the connection to ISP1:
3.1.1. Configure the static IP address:
/ip address add interface=ether1 address=100.66.66.2/30 comment="ISP1 IP"
3.1.2. Configure static routing.
3.1.2.1. Add the default "emergency" route:
/ip route add comment="Emergency route" distance=254 type=blackhole
Note. This route lets traffic from local processes pass the Route Decision stage regardless of the link state of any of the providers. The nuance of outgoing local traffic is that, for a packet to move at least somewhere, the main routing table must have an active route to a default gateway. If there is none, the packet is simply discarded.
As an extension of the check gateway tool, for a deeper analysis of the channel state, I suggest using the recursive routes method. The essence of the method is that we tell the router to look for the path to its gateway not directly, but through an intermediate gateway. 4.2.2.1, 4.2.2.2 and 4.2.2.3 will be chosen as such "test" gateways for ISP1, ISP2 and ISP3 respectively.
3.1.2.2. Route to the "test" address:
/ip route add check-gateway=ping comment="For recursion via ISP1" distance=1 dst-address=4.2.2.1 gateway=100.66.66.1 scope=10
Note. We reduce the scope value to the ROS default target scope, so that 4.2.2.1 can be used as a recursive gateway later. Let me emphasise: the scope of the route to the "test" address must be less than or equal to the target scope of the route that will refer to the test address.
3.1.2.3. Recursive default route for traffic without a routing mark:
/ip route add comment="Unmarked via ISP1" distance=2 gateway=4.2.2.1
Note. The value distance=2 is used because ISP1 is declared the first backup under the task conditions.
3.1.2.4. Recursive default route for traffic with the routing mark "to_isp1":
/ip route add comment="Marked via ISP1 Main" distance=1 gateway=4.2.2.1 routing-mark=to_isp1
Note. Here, in fact, we begin to reap the fruits of the preparatory work done in section 2.
With this route, all traffic having the route mark "to_isp1" is sent to the first provider's gateway, regardless of which default gateway is currently active for the main table.
3.1.2.5. First backup recursive default route for traffic marked ISP2 and ISP3:
/ip route add comment="Marked via ISP2 Backup1" distance=2 gateway=4.2.2.1 routing-mark=to_isp2
/ip route add comment="Marked via ISP3 Backup1" distance=2 gateway=4.2.2.1 routing-mark=to_isp3
Note. These routes are needed, among other things, for failover of traffic from the local network that belongs to the "to_isp*" address lists.
3.1.2.6. Add the route for the router's local traffic to the Internet via ISP1:
/ip route rule add comment="From ISP1 IP to Inet" src-address=100.66.66.2 table=to_isp1
Note. Together with the rules from section 1.8.2 this provides egress into the desired channel with the given source. This is critical for building tunnels in which the local-side IP address is specified (EoIP, IP-IP, GRE). Since the rules in ip route rules are executed top to bottom until the first match of conditions, this rule must come after the rules from section 1.8.2.
3.1.3. Add the NAT rule for outgoing traffic:
/ip firewall nat add action=src-nat chain=srcnat comment="NAT via ISP1" ipsec-policy=out,none out-interface=ether1 to-addresses=100.66.66.2
Note. We NAT everything going out, except what falls under the IPsec policies. I try not to use action=masquerade unless absolutely necessary. It is slower and consumes more resources than src-nat, since it computes the NAT address for every new connection.
3.1.4. Send the clients from the list that are forbidden to go out through the other providers directly to the ISP1 provider's gateway:
/ip firewall mangle add action=route chain=prerouting comment="Address List via ISP1 only" dst-address-list=!BOGONS passthrough=no route-dst=100.66.66.1 src-address-list=Via_only_ISP1 place-before=0
Note. action=route has a higher priority and is applied before the other routing rules.
place-before=0 puts our rule first in the list.
3.2. Set up the connection to ISP2.
Since the ISP2 provider gives us the settings via DHCP, it is reasonable to make the necessary changes with a script that runs when the DHCP client triggers:
/ip dhcp-client add add-default-route=no disabled=no interface=ether2 use-peer-dns=no use-peer-ntp=no script="<the script below>"
The script itself, as it appears in the Winbox script window (when the command above is typed in the terminal, the line breaks, the inner quotes and the $ signs inside script="..." have to be backslash-escaped, exactly as an export shows them):
:if ($bound=1) do={
    /ip route add check-gateway=ping comment="For recursion via ISP2" distance=1 dst-address=4.2.2.2/32 gateway=$"gateway-address" scope=10
    /ip route add comment="Unmarked via ISP2" distance=1 gateway=4.2.2.2;
    /ip route add comment="Marked via ISP2 Main" distance=1 gateway=4.2.2.2 routing-mark=to_isp2;
    /ip route add comment="Marked via ISP1 Backup1" distance=2 gateway=4.2.2.2 routing-mark=to_isp1;
    /ip route add comment="Marked via ISP3 Backup2" distance=3 gateway=4.2.2.2 routing-mark=to_isp3;
    /ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=$"interface" to-addresses=$"lease-address" comment="NAT via ISP2" place-before=1;
    :if ([/ip route rule find comment="From ISP2 IP to Inet"] ="") do={
        /ip route rule add comment="From ISP2 IP to Inet" src-address=$"lease-address" table=to_isp2
    } else={
        /ip route rule set [find comment="From ISP2 IP to Inet"] disabled=no src-address=$"lease-address"
    }
} else={
    /ip firewall nat remove [find comment="NAT via ISP2"];
    /ip route remove [find comment="For recursion via ISP2"];
    /ip route remove [find comment="Unmarked via ISP2"];
    /ip route remove [find comment="Marked via ISP2 Main"];
    /ip route remove [find comment="Marked via ISP1 Backup1"];
    /ip route remove [find comment="Marked via ISP3 Backup2"];
    /ip route rule set [find comment="From ISP2 IP to Inet"] disabled=yes
}
Note. The first part of the script fires when a lease is successfully obtained, the second after the lease is released. See note 2.
3.3. Set up the connection to the ISP3 provider.
Since the provider gives us the settings dynamically, it is reasonable to make the necessary changes with scripts that run after the ppp interface comes up and after it goes down.
3.3.1. First configure the profile:
/ppp profile add comment="for PPPoE to ISP3" interface-list=WAN name=isp3_client on-down="<the on-down script below>" on-up="<the on-up script below>"
The scripts themselves, as they appear in the Winbox script window (when the command above is typed in the terminal, the line breaks, the inner quotes and the $ signs inside on-down="..." and on-up="..." have to be backslash-escaped, exactly as an export shows them):
on-down:
/ip firewall nat remove [find comment="NAT via ISP3"];
/ip route remove [find comment="For recursion via ISP3"];
/ip route remove [find comment="Unmarked via ISP3"];
/ip route remove [find comment="Marked via ISP3 Main"];
/ip route remove [find comment="Marked via ISP1 Backup2"];
/ip route remove [find comment="Marked via ISP2 Backup2"];
/ip route rule set [find comment="From ISP3 IP to Inet"] disabled=yes;
on-up:
/ip route add check-gateway=ping comment="For recursion via ISP3" distance=1 dst-address=4.2.2.3/32 gateway=$"remote-address" scope=10
/ip route add comment="Unmarked via ISP3" distance=3 gateway=4.2.2.3;
/ip route add comment="Marked via ISP3 Main" distance=1 gateway=4.2.2.3 routing-mark=to_isp3;
/ip route add comment="Marked via ISP1 Backup2" distance=3 gateway=4.2.2.3 routing-mark=to_isp1;
/ip route add comment="Marked via ISP2 Backup2" distance=3 gateway=4.2.2.3 routing-mark=to_isp2;
/ip firewall mangle set [find comment="Connmark in from ISP3"] in-interface=$"interface";
/ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=$"interface" to-addresses=$"local-address" comment="NAT via ISP3" place-before=1;
:if ([/ip route rule find comment="From ISP3 IP to Inet"] ="") do={
    /ip route rule add comment="From ISP3 IP to Inet" src-address=$"local-address" table=to_isp3
} else={
    /ip route rule set [find comment="From ISP3 IP to Inet"] disabled=no src-address=$"local-address"
};
Note. The line
/ip firewall mangle set [find comment="Connmark in from ISP3"] in-interface=$"interface";
lets a renaming of the interface be handled correctly, since it works with the interface's internal id rather than its displayed name.
3.3.2. Now, using the profile, create the ppp connection:
/interface pppoe-client add allow=mschap2 comment="to ISP3" disabled=no interface=ether3 name=pppoe-isp3 password=isp3_pass profile=isp3_client user=isp3_client
As the finishing touch, let's set the clock:
/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org
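To see how the connection marks of 2.1, the routing marks of 2.2/2.3 and the recursive default routes of section 3 combine into "reply where you were asked from" and failover, here is a small Python model of that logic. It is an added example, not code from the article or from RouterOS: the interface names, marks, tables, gateways and distances are the article's; the packets and the conntrack table are constructed for the demonstration.

```python
# Added example, not from the article: a Python model of the connection marks
# (2.1), routing marks (2.2/2.3) and recursive default routes (section 3), so
# the "reply where you were asked from" and failover behaviour can be checked
# offline. Interface names, marks, tables, gateways and distances are the
# article's; the packets and the conntrack table are constructed here.
from dataclasses import dataclass
from typing import Optional

# 2.1: WAN in-interface -> connection mark (only if the connection has no mark yet)
CONN_MARK = {"ether1": "conn_isp1", "ether2": "conn_isp2", "pppoe-isp3": "conn_isp3"}
# 2.2 / 2.3: connection mark -> routing mark, i.e. the routing table to use
TABLE_FOR = {"conn_isp1": "to_isp1", "conn_isp2": "to_isp2", "conn_isp3": "to_isp3"}
# The router's own addresses (dst-address-type=local); the dynamic ISP2/ISP3
# addresses are left out of this model
LOCAL = {"100.66.66.2", "192.168.88.254", "172.16.1.0"}
# Section 3 default routes as (table, distance, recursive "check" gateway)
ROUTES = [
    ("main", 1, "4.2.2.2"), ("main", 2, "4.2.2.1"), ("main", 3, "4.2.2.3"),
    ("to_isp1", 1, "4.2.2.1"), ("to_isp1", 2, "4.2.2.2"), ("to_isp1", 3, "4.2.2.3"),
    ("to_isp2", 1, "4.2.2.2"), ("to_isp2", 2, "4.2.2.1"), ("to_isp2", 3, "4.2.2.3"),
    ("to_isp3", 1, "4.2.2.3"), ("to_isp3", 2, "4.2.2.1"), ("to_isp3", 3, "4.2.2.2"),
]
ISP_OF = {"4.2.2.1": "ISP1", "4.2.2.2": "ISP2", "4.2.2.3": "ISP3"}


@dataclass
class Packet:
    src: str
    dst: str
    in_iface: Optional[str]  # None = generated by the router itself (chain output)


class Router:
    def __init__(self, up=("ISP1", "ISP2", "ISP3")):
        self.up = set(up)      # ISPs whose check-gateway=ping route is currently active
        self.conntrack = {}    # flow key -> connection mark (None = no-mark)

    @staticmethod
    def _key(pkt):
        # conntrack matches the reply to the original connection (even after
        # dst-nat), so both directions share one key
        return frozenset((pkt.src, pkt.dst))

    def mangle(self, pkt):
        """Mangle prerouting (transit) or output (local) chain; returns the routing mark."""
        key = self._key(pkt)
        mark = self.conntrack.setdefault(key, None)
        if pkt.in_iface in CONN_MARK and mark is None:      # 2.1, passthrough=no
            self.conntrack[key] = CONN_MARK[pkt.in_iface]
            return None
        if mark and pkt.dst not in LOCAL and pkt.in_iface not in CONN_MARK:
            return TABLE_FOR[mark]                          # 2.2 (transit) / 2.3 (local)
        return None

    def route(self, routing_mark):
        """Lowest-distance active route in the marked table, else in main, else
        the distance=254 blackhole route of 3.1.2.1."""
        for table in ([routing_mark] if routing_mark else []) + ["main"]:
            cands = [(d, gw) for t, d, gw in ROUTES if t == table and ISP_OF[gw] in self.up]
            if cands:
                return ISP_OF[min(cands)[1]]
        return "blackhole"

    def forward(self, pkt):
        return self.route(self.mangle(pkt))


def reply_path(up, isp_iface):
    """A request from the Internet arrives on isp_iface for the DSTNATed OpenVPN
    host 172.17.17.17; the reply comes back from LAN2 (ether5). Returns the ISP
    the reply leaves through. The Internet address is a constructed sample."""
    r = Router(up)
    r.forward(Packet("203.0.113.10", "172.17.17.17", isp_iface))        # marks the connection
    return r.forward(Packet("172.17.17.17", "203.0.113.10", "ether5"))  # reply, rule 2.2


def new_outbound(up):
    """A new, unmarked connection from a LAN1 host is routed by the main table."""
    return Router(up).forward(Packet("192.168.88.10", "198.51.100.7", "ether4"))
```

With all three links up, reply_path(..., "pppoe-isp3") returns ISP3 even though the main table's default is ISP2; with ISP3 down it returns ISP1, the "Backup1" route of 3.1.2.5.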
For those who read to the end
The proposed way of implementing multi-WAN is the author's personal preference and is not the only one possible. The ROS toolkit is extensive and flexible, which on the one hand causes difficulties for beginners and on the other is the reason for its popularity. Learn, try, discover new tools and solutions for yourself. For example, as an application of the knowledge gained, you can replace the check-gateway with recursive routes tool in this multi-WAN implementation with netwatch.
Notes
- Check gateway is a mechanism that lets a route be deactivated after two consecutive failed gateway availability checks. The check runs every 10 seconds plus the response timeout. In total, the real trigger time is in the range of 20 to 30 seconds. If such trigger timing is not sufficient, there is the option of using the netwatch tool, where the check timer can be set manually. Check gateway does not trigger on intermittent packet loss on the link.
Important! Deactivating the primary route deactivates all other routes that refer to it. Therefore check-gateway=ping does not need to be set on them.
- There is a failure mode of the DHCP mechanism that looks like a client stuck in the renewing state. In this case the second part of the script will not fire, but this does not prevent traffic from flowing correctly, since the state is tracked by the corresponding recursive route.
- ECMP (Equal Cost Multi Path): in ROS a route can be set with several gateways and the same distance. In this case connections are distributed over the channels using a round robin algorithm, in proportion to the number of gateways specified.
Personal thanks to Evgeny for the push to write the article and for the help in forming its structure and placing the accents.
Source: habr.com