Routing is the process of finding the best path for delivering a packet across TCP/IP networks. Every device connected to an IPv4 network contains a routing process and routing tables.
This article is not a HOWTO; it describes static routing in RouterOS with examples. The rest of the configuration (for example srcnat for internet access) is deliberately omitted, so some knowledge of networking and RouterOS is needed to follow the material.
Switching and routing
Switching is the process of exchanging packets within a single layer 2 segment (ethernet, ppp, ...). If a device sees that the recipient of a packet is in the same ethernet subnet, it learns the MAC address with the arp protocol and sends the packet directly, bypassing the router. A ppp (point-to-point) connection has only two participants, and the packet is always sent to the address 0xff.
Routing is the process of passing packets between layer 2 segments. If a device wants to send a packet whose recipient is outside its ethernet segment, it consults its routing table and hands the packet to a gateway that knows where to send it next (or does not know, but has a default gateway of its own).
The simplest way to think of a router is as a device connected to two or more layer 2 segments that can pass packets between them, choosing the best route from its routing table.
If you understood all of that, or already knew it, read on. Everyone else is strongly advised to first read a short but very dense introductory article on the subject.
Routing in RouterOS and PacketFlow
Almost everything related to static routing is contained in the system package; the routing package adds support for dynamic routing protocols (RIP, OSPF, BGP, MME), routing filters and BFD.
The main menu for configuring routing is [IP]->[Route].
In complex setups, packets may need to be marked beforehand in [IP]->[Firewall]->[Mangle] (chains PREROUTING and OUTPUT).
PacketFlow has three places where the routing decision for an IP packet is made:
- Routing of packets received by the router. At this stage it is decided whether the packet goes to a local process or is sent on into the network; the packet receives its output interface.
- Routing of locally generated packets. The outgoing packet receives its output interface.
- An additional routing stage for outgoing packets, which allows the routing decision to be changed in [Output|Mangle].
At points 1 and 2 the packet is routed by [IP]->[Route]; at points 1, 2 and 3 it is subject to the rules in [IP]->[Route]->[Rules]; at points 1 and 3 it can be influenced through [IP]->[Firewall]->[Mangle].
RIB, FIB, routing cache
Routing Information Base
The base into which routes from dynamic routing protocols, routes from ppp and dhcp, static routes and connected routes are collected. It contains every route except those filtered out by the administrator.
Roughly speaking, [IP]->[Route] shows the RIB.
Forwarding Information Base
The base that receives the best routes from the RIB. All routes in the FIB are active and are used to forward packets. When a route becomes inactive (disabled by the administrator or the system, or the interface through which its packets should be sent is not active), it is removed from the FIB.
To make the routing decision, the FIB uses the following information from the IP packet:
- source address
- destination address
- source interface
- routing mark
- ToS (DSCP)
A packet entering the FIB goes through these stages:
- Is the packet destined for a local process of the router?
- Does the packet match a system or user PBR rule?
  - If yes, the packet is sent to the specified routing table
- The packet is sent to the main table
Roughly speaking, [IP]->[Route Active=yes] shows the FIB.
Routing cache
A route caching mechanism. The router remembers where it sent packets, and when similar packets arrive (probably from the same connection) it sends them along the same route without consulting the FIB. The routing cache is cleared periodically.
RouterOS gives administrators no tools to view or manage the routing cache, but it can be disabled in [IP]->[Settings].
This mechanism was removed from the Linux kernel in 3.6, but RouterOS still uses kernel 3.3.5; perhaps the routing cache is one of the reasons.
Route add dialog
[IP]->[Route]->[+]
- the subnet the route is created for (default 0.0.0.0/0)
- the gateway IP or interface the packets will be sent to (there may be several, see ECMP below)
- gateway availability check
- entry type
- route distance
- routing table
- the IP for locally generated packets sent through this route
- the purpose of scope and target scope is described at the end of the article
Route flags
- X - the route is disabled by the administrator (disabled=yes)
- A - the route is used to send packets
- D - dynamically added route (BGP, OSPF, RIP, MME, PPP, DHCP, connected)
- C - the subnet is directly connected to the router
- S - static route
- r, b, o, m - route added by one of the dynamic routing protocols
- B, U, P - route filtering (do not send packets, or where to send them)
What to put in gateway: an IP address or an interface?
The system accepts both, but when the wrong one is chosen it neither complains nor gives any hint.
IP address
The gateway address must be reachable at layer 2. For ethernet this means the router must have an address from the same subnet on one of its active IP interfaces; for ppp it means the gateway address is specified as the network address on one of the active interfaces.
If the layer 2 reachability condition is not met, the route is considered inactive and does not enter the FIB.
Interface
Here it is more complicated: the router's behaviour depends on the interface type.
- A PPP (async, PPTP, L2TP, SSTP, PPPoE, OpenVPN*) connection assumes only two participants, so the packet is always sent to the gateway for delivery. If the gateway detects that it is the recipient itself, it passes the packet to a local process; otherwise it forwards it towards the destination.
- Ethernet assumes many participants and sends an arp request on the interface using the packet's destination address. This is the expected and normal behaviour for connected routes.
But if you try to use an interface as the route to a remote subnet, the following happens: the route is active and pings to the gateway succeed, but recipients in the specified subnet are unreachable. Looking at the interface through a sniffer, you will see arp requests for addresses from the remote subnet.
Whenever possible, specify an IP address as the gateway. The exceptions are connected routes (created automatically) and PPP (async, PPTP, L2TP, SSTP, PPPoE, OpenVPN*) interfaces.
* OpenVPN does not carry a PPP header, but the OpenVPN interface name can still be used to create a route.
More specific route
The basic routing rule. When the routing decision for a packet is made, preference goes to the route describing the smallest subnet (the one with the longest mask). The position of the entry in the routing table plays no part in the choice; the main rule is the more specific route.
All routes in the scheme shown are active (they are in the FIB); they describe different subnets and do not conflict with each other.
If one of the gateways becomes unavailable, the route associated with it is considered inactive (removed from the FIB) and packets are matched against the remaining routes.
The route for subnet 0.0.0.0/0 is sometimes given a special meaning and called the "default route" or "gateway of last resort". There is nothing magical about it: it simply covers every possible IPv4 address. But the names describe its task well: the gateway to which packets are sent when no other, more precise route exists for them.
The longest subnet mask in IPv4 is /32; such a route points to a specific host and can be used in the routing table.
Understanding the more specific route is fundamental for TCP/IP devices.
Distance
Distance (or metric) is needed for administrative filtering of routes to the same subnet reachable through several gateways. The route with the lower metric is considered preferred and goes into the FIB. If the route with the lower metric stops being active, it is replaced in the FIB by the route with the higher metric.
If there are several routes to the same subnet with the same metric, the router adds only one of them to the FIB, following its internal logic.
The metric can take values from 0 to 255:
- 0 - the metric of connected routes. Distance 0 cannot be set by the administrator.
- 1-254 - metrics the administrator can use to configure routes. The lower the value, the higher the priority.
- 255 - a metric the administrator can also use to configure routes. Unlike 1-254, a route with metric 255 always stays inactive and never enters the FIB.
- Protocol-specific metrics. Routes learned from dynamic routing protocols have standard metric values.
Check gateway
Check gateway is a MikroTik RouterOS extension that verifies gateway availability via icmp or arp. Every 10 seconds (not configurable) a request is sent to the gateway; if no reply is received twice, the route is considered unavailable and removed from the FIB. If check gateway has disabled the route, checking continues, and after two successful checks the route becomes active again.
Check gateway disables not only the entry on which it is configured but every other entry with the same gateway (in all routing tables and in ECMP routes).
In general check gateway works fine as long as there is no packet loss towards the gateway. It knows nothing about what happens beyond the checked gateway; for that you need additional tools: scripts, recursive routing, dynamic routing protocols.
Most VPN and tunnel protocols have built-in connection liveness checks, so enabling check gateway for them adds extra (though very small) load on the network and on the device.
ECMP routes
Equal Cost Multi-Path: send packets to the recipient through several gateways at once, using a round-robin algorithm.
An ECMP route is created by the administrator by specifying several gateways for one subnet (or automatically when there are two dynamic OSPF routes).
ECMP is used for load balancing between two channels; in theory, if an ecmp route has two channels, each packet should leave through a different channel. But the routing cache mechanism sends the packets of a connection along the route taken by its first packet, so what you get is a kind of per-connection load balancing.
If the routing cache is disabled, packets in ECMP routes are shared out honestly, but NAT problems appear. A NAT rule processes only the first packet of a connection (the rest are handled automatically), and packets with the same source address end up leaving through different interfaces.
Check gateway does not work in ECMP routes (a RouterOS bug). The limitation can be worked around by creating additional check routes that disable the ECMP entries.
Filtering in routing
The Type option determines what to do with the packet:
- unicast - send to the specified gateway (interface)
- blackhole - drop the packet
- prohibit, unreachable - drop the packet and send an icmp message to the sender
Filtering is usually used to protect against sending packets in the wrong direction; of course, this can also be done in the firewall.
Some examples
Putting the basic facts about routing together.
Typical home router
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1
- static route to 0.0.0.0/0 (default route)
- connected route on the interface towards the provider
- connected route on the LAN interface
Typical home router with PPPoE
- the static default route is added automatically; it is specified in the connection properties
- connected route for the PPP connection
- connected route on the LAN interface
Typical home router with two providers and redundancy
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 distance=2
- static default route through the first provider with metric 1 and a gateway availability check
- static default route through the second provider with metric 2
- connected routes
Traffic to 0.0.0.0/0 goes through 10.10.10.1 while that gateway is available; otherwise it switches to 10.20.20.1.
Such a scheme can be considered channel redundancy, but it is not without drawbacks. If the break occurs beyond the provider's gateway (for example inside the operator's network), the router does not notice it and continues to treat the route as active.
Typical home router with two providers, redundancy and ECMP
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.10.1,10.20.20.1 distance=1
- static routes for check gateway
- ECMP route
- connected routes
The check routes are shown in blue (the colour of inactive routes); this does not interfere with check gateway. In the current RoS version (6.44) the ECMP route is not given priority automatically, so I recommend putting the check routes into a different routing table (the routing-mark option).
The speed on speedtest and similar sites will not increase (ECMP splits traffic per connection, not per packet), but downloads in p2p applications become faster.
Filtering in routing
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1
add dst-address=192.168.200.0/24 gateway=10.30.30.1 distance=1
add dst-address=192.168.200.0/24 gateway=10.10.10.1 distance=2 type=blackhole
- static default route
- static route to 192.168.200.0/24 through the ipip tunnel
- prohibiting static route to 192.168.200.0/24 through the ISP router
A filtering variant in which tunnel traffic is not sent to the provider's router when the ipip interface is down. Such schemes are rarely needed; the block can also be implemented in the firewall.
Routing loop
A routing loop is a situation in which a packet bounces between routers until its ttl expires. Usually it is the result of a configuration error; in large networks it is dealt with by deploying dynamic routing protocols, in small ones by being careful.
It looks like this:
The (simplest) example of how to get a similar result:
The routing loop example has no practical use, but it shows that a router knows nothing about its neighbours' routing tables.
Policy based routing and additional routing tables
When choosing a route, the router uses only one field of the packet header (the destination address); this is basic routing. Routing based on other conditions (source address, traffic type (ToS), balancing without ECMP, and so on) belongs to Policy Based Routing (PBR) and uses additional routing tables.
The more specific route is the main route selection rule inside a routing table.
By default all routes are added to the main table. The administrator can create any number of additional routing tables and direct packets into them. Entries in different tables do not conflict with each other. A packet that finds no suitable route in the specified table moves on to the main table.
Example of routing through the firewall:
- 192.168.100.10 -> 8.8.8.8
  - traffic from 192.168.100.10 is marked over-ISP1 in [Prerouting|Mangle]
  - at the routing stage a route to 8.8.8.8 is looked up in the over-ISP1 table
  - the route is found and the traffic is sent to gateway 10.10.10.1
- 192.168.200.20 -> 8.8.8.8
  - traffic from 192.168.200.20 is marked over-ISP2 in [Prerouting|Mangle]
  - at the routing stage a route to 8.8.8.8 is looked up in the over-ISP2 table
  - the route is found and the traffic is sent to gateway 10.20.20.1
- If one of the gateways (10.10.10.1 or 10.20.20.1) becomes unavailable, the packets go to the main table and look for a suitable route there
A terminology problem
RouterOS has a certain terminology problem.
When working with entries in [IP]->[Routes], what is specified is a routing table, but the label says routing mark.
In [IP]->[Routes]->[Rule] everything is right: in the conditions the label is routing mark, in the action it is table.
How to send a packet to a particular routing table
RouterOS has several tools:
- rules in [IP]->[Routes]->[Rules]
- route marking (action=mark-routing) in [IP]->[Firewall]->[Mangle]
- VRF
Rules [IP]->[Route]->[Rules]
Rules are processed in order; a packet that matches the conditions of a rule goes no further.
Routing rules extend routing beyond the recipient's address: the decision can also depend on the source address and on the interface the packet was received on.
A rule consists of conditions and an action:
- Conditions. Essentially the same list of attributes the FIB checks a packet against; only ToS is missing.
- Actions
  - lookup - send the packet to the table
  - lookup only in table - lock the packet in the table; if no route is found, the packet does not move on to the main table
  - drop - drop the packet
  - unreachable - drop the packet and notify the sender
In the FIB, traffic for local processes is handled bypassing the rules in [IP]->[Route]->[Rules]:
Marking in [IP]->[Firewall]->[Mangle]
With routing marks you can set the gateway for a packet using almost any firewall condition.
Not quite all of them in practice, and some may work unreliably.
Packets can be marked in two ways:
- set the routing mark immediately
- set a connection mark first, then set the routing mark based on the connection mark
In the article about the firewall I wrote that the second option is preferable because it reduces CPU load when marking routes; that is not entirely true. These marking methods are not always equivalent and are usually used to solve different tasks.
Usage examples
Let us move on to examples of using Policy Based Routing; they show far more easily why it is needed.
MultiWAN and return outgoing (output) traffic
A typical problem when configuring MultiWAN: the Mikrotik is reachable from the internet only through the "active" provider.
The router does not care which IP the request came to; when generating the reply it looks for a route in the routing table, where the route via isp1 is active. Such a packet will then most likely be filtered somewhere on its way to the recipient.
There is one more interesting point. If a "simple" source nat is configured on the ether1 interface: /ip fi nat add out-interface=ether1 action=masquerade
then the packet leaves for the internet with src. address=10.10.10.100, which confuses things even further.
There are several ways to solve the problem, and each of them needs additional routing tables:
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 check-gateway=ping distance=2
add dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 routing-mark=over-isp2
Using [IP]->[Route]->[Rules]
Specify the routing table for packets with a given source IP:
/ip route rule
add src-address=10.10.10.100/32 action=lookup-only-in-table table=over-isp1
add src-address=10.20.20.200/32 action=lookup-only-in-table table=over-isp2
action=lookup can be used as well, but for locally generated traffic lookup-only-in-table completely rules out connections leaving through the wrong interface.
- The system generates a reply packet with Src. Address: 10.20.20.200
- At the routing decision (2) stage the rules in [IP]->[Routes]->[Rules] are checked and the packet is sent to the over-isp2 routing table
- According to that routing table the packet must be sent to gateway 10.20.20.1 through the ether2 interface
Unlike the Mangle table approach, this method does not need a working Connection Tracker.
Using [IP]->[Firewall]->[Mangle]
A connection starts with an incoming packet, so that packet is marked (action=mark-connection); outgoing packets from the marked connection then receive a routing mark (action=mark-routing).
/ip firewall mangle
#Mark incoming connections
add chain=input in-interface=ether1 connection-state=new action=mark-connection new-connection-mark=from-isp1
add chain=input in-interface=ether2 connection-state=new action=mark-connection new-connection-mark=from-isp2
#Mark outgoing packets based on the connection
add chain=output connection-mark=from-isp1 action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=output connection-mark=from-isp2 action=mark-routing new-routing-mark=over-isp2 passthrough=no
If several IPs are configured on one interface, dst-address can be added to the conditions.
Just in case, step by step:
- A packet opens a connection on the ether2 interface. It enters [INPUT|Mangle], where all packets of the connection are marked from-isp2
- The system generates a reply packet with Src. Address: 10.20.20.200
- At the routing decision (2) stage the packet is sent, according to the routing table, to gateway 10.10.10.1 through the ether1 interface. You can confirm this by logging the packet in [OUTPUT|Filter]
- At the [OUTPUT|Mangle] stage the connection mark from-isp2 is checked and the packet receives the routing mark over-isp2
- At the routing adjustment (3) stage the presence of the routing mark is checked and the packet is sent to the corresponding routing table
- According to that routing table the packet must be sent to gateway 10.20.20.1 through the ether2 interface
MultiWAN and return dst-nat traffic
A more complex example: what to do when a server (for example a web server) sits behind the router in a private subnet and must be reachable through both providers.
/ip firewall nat
add chain=dstnat proto=tcp dst-port=80,443 in-interface=ether1 action=dst-nat to-address=192.168.100.100
add chain=dstnat proto=tcp dst-port=80,443 in-interface=ether2 action=dst-nat to-address=192.168.100.100
The essence of the problem is the same, and the solution resembles the Firewall Mangle variant; only other chains are used.
/ip firewall mangle
add chain=prerouting connection-state=new in-interface=ether1 protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=web-input-isp1
add chain=prerouting connection-state=new in-interface=ether2 protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=web-input-isp2
add chain=prerouting connection-mark=web-input-isp1 in-interface=ether3 action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=prerouting connection-mark=web-input-isp2 in-interface=ether3 action=mark-routing new-routing-mark=over-isp2 passthrough=no
NAT is not shown in the diagram, but I think everything is clear anyway.
MultiWAN and outgoing connections
Using PBR you can create several VPN (SSTP in this example) connections from different router interfaces.
Additional routing tables:
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.100.1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=192.168.200.1 routing-mark=over-isp2
add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-mark=over-isp3
add dst-address=0.0.0.0/0 gateway=192.168.100.1 distance=1
add dst-address=0.0.0.0/0 gateway=192.168.200.1 distance=2
add dst-address=0.0.0.0/0 gateway=192.168.0.1 distance=3
Packet marking:
/ip firewall mangle
add chain=output dst-address=10.10.10.100 proto=tcp dst-port=443 action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=output dst-address=10.10.10.101 proto=tcp dst-port=443 action=mark-routing new-routing-mark=over-isp2 passthrough=no
add chain=output dst-address=10.10.10.102 proto=tcp dst-port=443 action=mark-routing new-routing-mark=over-isp3 passthrough=no
Without simple NAT rules the packets would leave the interfaces with the wrong Src. Address:
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
add chain=srcnat out-interface=ether3 action=masquerade
Analysis:
- The router creates three SSTP processes
- At the routing decision (2) stage the route for these processes is chosen from the main routing table. There is only one route, so the packets receive the Src. Address bound to the ether1 interface
- In [Output|Mangle] the packets of the different connections receive different marks
- At the routing adjustment stage the packets enter the tables corresponding to their marks and receive new routes for sending
- But the packets still carry the Src. Address of ether1; at the [Nat|Srcnat] stage the address is replaced according to the interface
Interestingly, the router shows the following connection table:
The connection tracker runs before [Mangle] and [Srcnat], so all connections appear to come from one address, but looking closely, Reply Dst. Address holds the addresses after NAT.
On the VPN server (three tunnels in the test) all connections are seen to come from the correct addresses.
Wait a moment
There is a simpler way: just specify a particular gateway for each address:
/ip route
add dst-address=10.10.10.100 gateway=192.168.100.1
add dst-address=10.10.10.101 gateway=192.168.200.1
add dst-address=10.10.10.102 gateway=192.168.0.1
But such routes affect not only outgoing but also transit traffic. Moreover, if traffic to the VPN servers must not go through the wrong channels, you would additionally need 6 entries in [IP]->[Routes] with type=blackhole. In the previous variant it took 3 rules in [IP]->[Route]->[Rules].
Distributing user connections between channels
A simple everyday task; it also needs additional routing tables:
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=1 routing-mark=over-isp2
Using [IP]->[Route]->[Rules]
/ip route rule
add src-address=192.168.100.0/25 action=lookup-only-in-table table=over-isp1
add src-address=192.168.100.128/25 action=lookup-only-in-table table=over-isp2
If action=lookup is used instead, then when one of the channels goes down the traffic is sent to the main table and goes through the working channel. Whether that is wanted depends on the task.
Using marking in [IP]->[Firewall]->[Mangle]
A simple example using IP address lists. In principle almost any condition can be used. The only caveat concerns Layer7 in combination with connection marks: part of the traffic still goes the wrong way, although everything looks as if it works.
/ip firewall mangle
add chain=prerouting src-address-list=users-over-isp1 dst-address-type=!local action=mark-routing new-routing-mark=over-isp1
add chain=prerouting src-address-list=users-over-isp2 dst-address-type=!local action=mark-routing new-routing-mark=over-isp2
Users can be locked into a single routing table in [IP]->[Route]->[Rules]:
/ip route rule
add routing-mark=over-isp1 action=lookup-only-in-table table=over-isp1
add routing-mark=over-isp2 action=lookup-only-in-table table=over-isp2
Or through [IP]->[Firewall]->[Filter]:
/ip firewall filter
add chain=forward routing-mark=over-isp1 out-interface=!ether1 action=reject
add chain=forward routing-mark=over-isp2 out-interface=!ether2 action=reject
Why dst-address-type=!local
The extra condition dst-address-type=!local is needed so that traffic from users reaches the router's local processes (DNS, winbox, ssh, ...). If several local subnets are connected to the router, you also have to make sure traffic between them is not sent to the internet, for example with dst-address-list.
In the examples using [IP]->[Route]->[Rules] there are no such exceptions, yet traffic still reaches the local processes. The reason is that a packet marked in [PREROUTING|Mangle] enters the FIB with a routing mark, and a routing table other than main contains no local interfaces. With routing rules, the packet is first checked for being destined to a local process, and only at the user PBR stage is it sent to the specified routing table.
Using [IP]->[Firewall]->[Mangle action=route]
This action works only in [Prerouting|Mangle]. It lets you send traffic to a given gateway without additional routing tables, by specifying the gateway address directly.
/ip firewall mangle
add chain=prerouting src-address=192.168.100.0/25 action=route gateway=10.10.10.1
add chain=prerouting src-address=192.168.128.0/25 action=route gateway=10.20.20.1
The route action has a lower priority than routing rules ([IP]->[Route]->[Rules]). With routing marks everything depends on rule order: action=route takes precedence over action=mark-routing if it is executed after it (regardless of the passthrough flag); otherwise the routing mark wins.
The wiki says almost nothing about this action; all conclusions were obtained experimentally. In any case, I found no scenario in which this option gives an advantage over the others.
Dynamic balancing based on PCC
Per Connection Classifier is a more flexible analogue of ECMP. Unlike ECMP it splits traffic per connection more strictly (ECMP knows nothing about connections, but combined with the routing cache it gives a similar result).
PCC takes the specified fields from the IP header, converts them into a 32-bit value and divides it by the Denominator. The remainder of the division is compared with the specified Remainder, and if they match, the specified action is applied.
Example for three addresses:
192.168.100.10: 192+168+100+10 = 470 % 3 = 2
192.168.100.11: 192+168+100+11 = 471 % 3 = 0
192.168.100.12: 192+168+100+12 = 472 % 3 = 1
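The arithmetic above, carried through in Python as an added example (not code from the article or from RouterOS): the classified address octets become one number, the remainder after dividing by the denominator picks the bucket, and the first matching mark-connection rule assigns the connection mark. It follows the article's simplified octet-sum model; real RouterOS hashes the fields, so the actual bucket a given address lands in will differ, but the mechanics (same address always in the same bucket, split by address rather than by load) are the same. The both-addresses and dst-address variants extend the same summing to the other field and are my generalization; the names pcc_value, pcc_bucket, pcc_match, mark_connection, distribution, MARKS and LAN are mine, and the /24 of hosts is constructed.

```python
"""The article's octet-sum model of per-connection-classifier (added example)."""
import ipaddress
from collections import Counter


def pcc_value(src, dst, classifier):
    """Sum the octets of the classified address(es), as in the article's
    example 192+168+100+10 = 470 (RouterOS really hashes; this is the model)."""
    fields = {"src-address": [src],
              "dst-address": [dst],
              "both-addresses": [src, dst]}[classifier]
    return sum(octet for addr in fields
               for octet in ipaddress.ip_address(addr).packed)


def pcc_bucket(src, dst, classifier, denominator):
    """Remainder that selects the bucket, i.e. the N in classifier:denominator/N."""
    return pcc_value(src, dst, classifier) % denominator


def pcc_match(src, dst, classifier, denominator, remainder):
    """True when a rule with per-connection-classifier=classifier:denominator/remainder fires."""
    return pcc_bucket(src, dst, classifier, denominator) == remainder


def mark_connection(src, dst, marks, classifier="src-address"):
    """First matching rule wins (mangle semantics with connection-state=new).
    marks is an ordered list of (remainder, connection-mark); the denominator
    is the number of channels, i.e. the number of marks."""
    for remainder, mark in marks:
        if pcc_match(src, dst, classifier, len(marks), remainder):
            return mark
    return None


def distribution(hosts, classifier="src-address", denominator=3, dst="8.8.8.8"):
    """How many hosts land in each bucket: the split is by address, not by
    load, so a few heavy hosts can still leave one channel much busier."""
    return dict(Counter(pcc_bucket(h, dst, classifier, denominator) for h in hosts))


# Constructed: the three marks of the article's example and a full LAN /24.
MARKS = [(0, "conn-over-isp1"), (1, "conn-over-isp2"), (2, "conn-over-isp3")]
LAN = [str(ip) for ip in ipaddress.ip_network("192.168.100.0/24").hosts()]

if __name__ == "__main__":
    for host in ("192.168.100.10", "192.168.100.11", "192.168.100.12"):
        print(host, pcc_bucket(host, "8.8.8.8", "src-address", 3),
              mark_connection(host, "8.8.8.8", MARKS))
    print(distribution(LAN))
```

With src-address the destination plays no part, so every connection from one host keeps landing in the same bucket, which is exactly the per-connection stickiness the section contrasts with ECMP. Over the constructed /24 the three buckets receive 85, 84 and 85 hosts.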
Example of dynamic distribution of traffic by src.address between three channels:
#Routing table
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.30.30.1 dist=3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=1 routing-mark=over-isp2
add dst-address=0.0.0.0/0 gateway=10.30.30.1 dist=1 routing-mark=over-isp3
#Mark connections and routes
/ip firewall mangle
add chain=prerouting in-interface=br-lan dst-address-type=!local connection-state=new per-connection-classifier=src-address:3/0 action=mark-connection new-connection-mark=conn-over-isp1
add chain=prerouting in-interface=br-lan dst-address-type=!local connection-state=new per-connection-classifier=src-address:3/1 action=mark-connection new-connection-mark=conn-over-isp2
add chain=prerouting in-interface=br-lan dst-address-type=!local connection-state=new per-connection-classifier=src-address:3/2 action=mark-connection new-connection-mark=conn-over-isp3
add chain=prerouting in-interface=br-lan connection-mark=conn-over-isp1 action=mark-routing new-routing-mark=over-isp1
add chain=prerouting in-interface=br-lan connection-mark=conn-over-isp2 action=mark-routing new-routing-mark=over-isp2
add chain=prerouting in-interface=br-lan connection-mark=conn-over-isp3 action=mark-routing new-routing-mark=over-isp3
When marking routes there is an extra condition, in-interface=br-lan; without it, action=mark-routing would send reply traffic coming from the internet back to the provider according to the routing table it was received through.
Switching channels
Check ping is a great tool, but it only checks connectivity to the nearest IP peer. A provider's network usually consists of many routers and the break can occur beyond the nearest peer, and backbone operators can lose connectivity as well. As a rule, when there are problems, a ping to the gateway does not always reflect the real state of access to the global network.
Where a provider or a large corporation has deployed the BGP dynamic routing protocol that is taken care of; home and office users have to find their own ways of verifying internet access through a particular channel.
Usually scripts are used that check the availability of an IP address on the internet through a particular channel, choosing something reliable for it (for example Google DNS: 8.8.8.8, 8.8.4.4). But the Mikrotik community has adapted a more interesting tool for this.
A little about recursive routing
Recursive routing is needed when building multihop BGP peering; it made its way into an article on the basics of static routing thanks to resourceful MikroTik users who found a way to use recursive routes together with check gateway to switch channels without extra scripts.
This is where understanding the scope/target scope options comes in, and how a route is bound to an interface in the general case:
- the route searches for an interface to send packets from among all entries in the main table whose scope is less than or equal to the route's target scope
- among those found, the entry from whose interface the packet can be sent to the specified gateway is selected
- the interface of the found connected entry is chosen and the packet is sent to the gateway
With a recursive route everything happens the same way, but in two stages:
- 1-3: besides the connected routes, one more route through which the specified gateway can be reached takes part in the search
- 4-6: search for the connected route of the "intermediate" gateway
All operations of the recursive search happen in the RIB; only the final result goes to the FIB: 0.0.0.0/0 via 10.10.10.1 on ether1.
Example of switching channels using recursive routing
Configuration:
/ip route
add dst-address=0.0.0.0/0 gateway=8.8.8.8 check-gateway=ping distance=1 target-scope=10
add dst-address=8.8.8.8 gateway=10.10.10.1 scope=10
add dst-address=0.0.0.0/0 gateway=10.20.20.1 distance=2
You can verify that packets are sent to 10.10.10.1.
Check gateway knows nothing about recursive routing; it simply sends pings to the address 8.8.8.8, which (according to the main table) is reachable through gateway 10.10.10.1.
When connectivity between 10.10.10.1 and 8.8.8.8 is lost, the route is disabled, but packets to 8.8.8.8 (including the test pings) continue to go through 10.10.10.1.
An unpleasant situation arises when the link on ether1 is lost: then packets to 8.8.8.8 go through the second provider.
This is a problem if you use NetWatch with scripts that run when 8.8.8.8 becomes unavailable. With the link down, NetWatch works through the backup channel and assumes everything is fine. This is solved by adding an extra filtering route:
/ip route
add dst-address=8.8.8.8 gateway=10.20.20.1 distance=100 type=blackhole
Pretty? No.
And with this kind of redundancy the address 8.8.8.8 is hard-wired to one of the providers, so choosing it as a DNS source is not advisable.
A little about Virtual Routing and Forwarding (VRF)
VRF technology is designed to create several virtual routers inside one physical router. It is widely used by telecom operators (usually together with MPLS) to provide L3VPN services to clients with overlapping subnet addresses.
But VRF in Mikrotik is built on routing tables and has a number of drawbacks; for example, the router's local IP addresses are reachable from every VRF.
VRF configuration example:
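The resolution procedure of the recursive routing section and the three situations just described (normal operation, ping loss beyond 10.10.10.1, loss of the ether1 link with and without the blackhole route) as a Python model, added here as an example and not code from the article or from RouterOS. A non-connected route looks for its gateway among RIB entries whose scope is at most its own target-scope, takes the most specific one and recurses until it reaches a connected route; the FIB then receives the first real next hop on that chain. The RIB is constructed from the article's configuration plus the two connected routes it implies (10.10.10.0/24 on ether1, 10.20.20.0/24 on ether2, scope 10 and distance 0); the default scope values 10 for connected and 30 for static routes are the RouterOS defaults, and the names Route, resolve, fib, lookup, RIB and BLACKHOLE are mine.

```python
"""Toy model of RouterOS recursive next-hop resolution (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    dst: str
    gateway: str            # next-hop IP, or an interface name for connected routes
    distance: int = 1
    scope: int = 30         # RouterOS defaults: 10 for connected, 30 for static
    target_scope: int = 10
    type: str = "unicast"   # unicast | blackhole


def _net(prefix):
    return ipaddress.ip_network(prefix, strict=False)


def resolve(route, rib, links_up, depth=0):
    """Return (interface, next_hop) for a route, or None if its gateway cannot
    be resolved. Connected routes resolve to their own interface when the link
    is up; other routes search the RIB for the most specific entry covering
    the gateway among entries with scope <= the route's target-scope."""
    if route.gateway in links_up:            # connected route, link is up
        return (route.gateway, None)
    try:
        gw = ipaddress.ip_address(route.gateway)
    except ValueError:                       # connected route whose link is down
        return None
    if depth > 8:                            # guard against circular routes
        return None
    candidates = [r for r in rib
                  if r is not route and r.scope <= route.target_scope
                  and gw in _net(r.dst)]
    if not candidates:
        return None
    via = max(candidates, key=lambda r: _net(r.dst).prefixlen)
    below = resolve(via, rib, links_up, depth + 1)
    if below is None:
        return None
    iface, next_hop = below
    # The FIB keeps the gateway of the route that sits directly on the
    # connected subnet, e.g. 0.0.0.0/0 via 10.10.10.1 on ether1.
    return (iface, next_hop if next_hop is not None else route.gateway)


def fib(rib, links_up, down_gateways=frozenset()):
    """Active routes per prefix with their resolved interface: check-gateway
    failures and unresolvable gateways drop a route; lowest distance wins."""
    best = {}
    for r in rib:
        if r.distance >= 255 or r.gateway in down_gateways:
            continue
        res = resolve(r, rib, links_up)
        if res is None:
            continue
        if r.dst not in best or r.distance < best[r.dst][0].distance:
            best[r.dst] = (r, res)
    return best


def lookup(rib, dst_ip, links_up, down_gateways=frozenset()):
    """Most specific FIB entry for dst_ip, rendered in the article's notation."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [(r, res) for r, res in fib(rib, links_up, down_gateways).values()
               if ip in _net(r.dst)]
    if not matches:
        return "no route"
    r, (iface, next_hop) = max(matches, key=lambda m: _net(m[0].dst).prefixlen)
    if r.type != "unicast":
        return r.type
    if next_hop is None:
        return f"{r.dst} on {iface}"
    return f"{r.dst} via {next_hop} on {iface}"


# Constructed RIB: the article's configuration plus the connected routes it implies.
RIB = [
    Route("10.10.10.0/24", "ether1", distance=0, scope=10),   # connected, ISP1 side
    Route("10.20.20.0/24", "ether2", distance=0, scope=10),   # connected, ISP2 side
    Route("0.0.0.0/0", "8.8.8.8", distance=1, target_scope=10),  # recursive default
    Route("8.8.8.8/32", "10.10.10.1", scope=10),                 # pins 8.8.8.8 to ISP1
    Route("0.0.0.0/0", "10.20.20.1", distance=2),                # backup default
]
BLACKHOLE = Route("8.8.8.8/32", "10.20.20.1", distance=100, type="blackhole")
ALL_UP = {"ether1", "ether2"}

if __name__ == "__main__":
    print(lookup(RIB, "1.1.1.1", ALL_UP))
    print(lookup(RIB, "1.1.1.1", ALL_UP, {"8.8.8.8"}))        # check-gateway failed
    print(lookup(RIB, "8.8.8.8", {"ether2"}))                  # ether1 link down
    print(lookup(RIB + [BLACKHOLE], "8.8.8.8", {"ether2"}))    # with the filter route
```

Two details of the model carry the argument: the backup default and the blackhole entry keep the static default scope of 30, so the recursive default route (target-scope 10) can never resolve 8.8.8.8 through them; and the check-gateway failure is recorded against the gateway 8.8.8.8, not the interface, which is why the /32 via 10.10.10.1 stays active and the test pings keep leaving through ISP1.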
/ip route vrf
add interfaces=ether1 routing-mark=vrf1
add interfaces=ether2 routing-mark=vrf2
/ip address
add address=192.168.100.1/24 interface=ether1 network=192.168.100.0
add address=192.168.200.1/24 interface=ether2 network=192.168.200.0
From a device connected to ether2 you can see that pings reach the router's address in the other VRF (this is the problem), but are not sent to the internet.
For internet access you need to add a route into the main table (in VRF terminology this is called route leaking):
add distance=1 gateway=172.17.0.1@main routing-mark=vrf1
add distance=1 gateway=172.17.0.1%wlan1 routing-mark=vrf2
There are two ways of route leaking: specifying the routing table, 172.17.0.1@main, and specifying the interface name, 172.17.0.1%wlan1.
Then configure marking of the return traffic in [PREROUTING|Mangle]:
add chain=prerouting in-interface=ether1 action=mark-connection new-connection-mark=from-vrf1 passthrough=no
add chain=prerouting connection-mark=from-vrf1 routing-mark=!vrf1 action=mark-routing new-routing-mark=vrf1 passthrough=no
add chain=prerouting in-interface=ether2 action=mark-connection new-connection-mark=from-vrf2 passthrough=no
add chain=prerouting connection-mark=from-vrf2 routing-mark=!vrf2 action=mark-routing new-routing-mark=vrf2 passthrough=no
Subnets with identical addresses
Configuring access to subnets with identical addresses on the same router, using VRF and netmap:
Basic configuration:
/ip route vrf
add interfaces=ether1 routing-mark=vrf1
add interfaces=ether2 routing-mark=vrf2
/ip address
add address=192.168.100.1/24 interface=ether1 network=192.168.100.0
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0
add address=192.168.0.1/24 interface=ether3 network=192.168.0.0
Firewall rules:
# Mark packets so they are sent to the correct routing table
/ip firewall mangle
add chain=prerouting dst-address=192.168.101.0/24 in-interface=ether3 action=mark-routing new-routing-mark=vrf1 passthrough=no
add chain=prerouting dst-address=192.168.102.0/24 in-interface=ether3 action=mark-routing new-routing-mark=vrf2 passthrough=no
# Use netmap to replace the addresses of the "fake" subnets with the real subnets
/ip firewall nat
add chain=dstnat dst-address=192.168.101.0/24 in-interface=ether3 action=netmap to-addresses=192.168.100.0/24
add chain=dstnat dst-address=192.168.102.0/24 in-interface=ether3 action=netmap to-addresses=192.168.100.0/24
Routing rules for the return traffic:
# Specifying an interface name can also be considered route leaking, but in essence this creates the equivalent of a connected route
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=ether3 routing-mark=vrf1
add distance=1 dst-address=192.168.0.0/24 gateway=ether3 routing-mark=vrf2
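The netmap scheme above, modelled in Python as an added example (not RouterOS code and not from the original article): it applies the mangle marks, the 1:1 netmap and a per-table longest-prefix lookup to a packet from ether3, then routes the reply from the real subnet through the ingress VRF's table, which shows why the two return routes via ether3 are needed. The PacketFlow order, the tables and the conntrack dictionary are a simplified model assumed for the example.

```python
import ipaddress

# Constructed model (not RouterOS code) of the page's "subnets with the same
# addresses" setup. Assumed PacketFlow order: mangle prerouting -> dstnat ->
# routing lookup in the table selected by the routing mark.
MANGLE = [("ether3", "192.168.101.0/24", "vrf1"),   # fake subnet -> vrf1
          ("ether3", "192.168.102.0/24", "vrf2")]   # fake subnet -> vrf2
NETMAP = [("ether3", "192.168.101.0/24", "192.168.100.0/24"),
          ("ether3", "192.168.102.0/24", "192.168.100.0/24")]
VRF_OF = {"ether1": "vrf1", "ether2": "vrf2"}      # /ip route vrf interfaces=
TABLES = {  # connected routes plus the explicit return routes via ether3
    "main": [("192.168.0.0/24", "ether3")],
    "vrf1": [("192.168.100.0/24", "ether1"), ("192.168.0.0/24", "ether3")],
    "vrf2": [("192.168.100.0/24", "ether2"), ("192.168.0.0/24", "ether3")],
}
CONNTRACK = {}  # (real dst, out-interface) -> fake dst the LAN host used

def netmap(addr, from_net, to_net):
    """1:1 netmap: keep the host bits, replace the network bits."""
    f, t = ipaddress.ip_network(from_net), ipaddress.ip_network(to_net)
    return t.network_address + (int(addr) - int(f.network_address))

def lookup(table, dst, tables=TABLES):
    """Longest-prefix match in one routing table; None means 'no route'."""
    dst, best = ipaddress.ip_address(str(dst)), None
    for prefix, iface in tables.get(table, []):
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

def forward(in_iface, dst):
    """LAN host -> fake subnet: returns (routing mark, real dst, out-interface)."""
    fake = dst = ipaddress.ip_address(dst)
    mark = next((m for i, p, m in MANGLE
                 if i == in_iface and dst in ipaddress.ip_network(p)), "main")
    for i, p, to in NETMAP:
        if i == in_iface and dst in ipaddress.ip_network(p):
            dst = netmap(dst, p, to)
            break
    out = lookup(mark, dst)
    CONNTRACK[(str(dst), out)] = str(fake)   # what conntrack remembers
    return mark, str(dst), out

def reply(in_iface, src, dst):
    """Real host -> LAN: table of the ingress VRF, then conntrack un-NATs src."""
    table = VRF_OF.get(in_iface, "main")
    out = lookup(table, dst)
    return table, out, CONNTRACK.get((src, in_iface), src)
```

With the 192.168.0.0/24 return route removed from vrf1, lookup() returns None for the reply, which is the dropped return traffic you would get without the two routes above.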
Adding routes received via DHCP to a specific routing table
VRF comes in handy when dynamic routes (for example, from a DHCP client) have to be added automatically to a specific routing table.
Adding the interface to the VRF:
/ip route vrf
add interface=ether1 routing-mark=over-isp1
Rules that send traffic (both locally originated and transit) through the over-isp1 table:
/ip firewall mangle
add chain=output out-interface=!br-lan action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=prerouting in-interface=br-lan dst-address-type=!local action=mark-routing new-routing-mark=over-isp1 passthrough=no
An additional dummy route so that output routing works:
/interface bridge
add name=bare
/ip route
add dst-address=0.0.0.0/0 gateway=bare
This route is only needed so that locally originated packets get past routing decision (2) and can receive a routing mark in [OUTPUT|Mangle]. If the router already has another active route for 0.0.0.0/0 in the main table, it is not needed.
The connected-in and dynamic-in chains in [Routing]->[Filters]
Route filtering (inbound and outbound) is a tool normally used together with dynamic routing protocols (and therefore available only after the routing package is installed), but the inbound filters have two interesting chains:
- connected-in: filtering of connected routes
- dynamic-in: filtering of dynamic routes received via PPP and DHCP
Filtering lets you not only discard routes but also change many of their options: distance, routing mark, comment, scope, target scope and so on.
This is a very narrowly targeted tool: if something can be done without routing filters (but not with scripts), don't use routing filters, so as not to confuse yourself and whoever configures the router after you. In the context of dynamic routing, routing filters are used far more often and more productively.
Setting a routing mark for dynamic routes
Example for a home router: two VPN connections are configured, and the traffic of each has to be wrapped into its own routing table; at the same time, the routes should be created automatically when the interface comes up.
# When creating the VPN connections, request a default route and set its distance
/interface pptp-client
add connect-to=X.X.X.X add-default-route=yes default-route-distance=101 ...
add connect-to=Y.Y.Y.Y add-default-route=yes default-route-distance=100 ...
# Filters send the routes into specific routing tables based on the destination prefix and distance
/routing filter
add chain=dynamic-in distance=100 prefix=0.0.0.0/0 action=passthrough set-routing-mark=over-vpn1
add chain=dynamic-in distance=101 prefix=0.0.0.0/0 action=passthrough set-routing-mark=over-vpn2
I don't know why, probably a bug, but if you create a VRF for a ppp interface, the route to 0.0.0.0/0 still ends up in the main table. Otherwise everything would be even simpler.
Disabling connected routes
Sometimes this is necessary.
/routing filter
add chain=connected-in prefix=192.168.100.0/24 action=reject
Debugging tools
RouterOS has a number of tools for debugging routing:
- [Tool]->[Torch]: shows the packets on an interface
- /ip route check: lets you see which gateway a packet will be sent to, but does not work with routing tables
- /ping routing-table=<name> and /tool traceroute routing-table=<name>: ping and traceroute using the specified routing table
- action=log in [IP]->[Firewall]: an excellent tool for tracing a packet's path through packet flow; the action is available in all chains and tables
Source: habr.com