Multi-WAN and routing on Mikrotik RouterOS

Introduction

Apart from vanity, what prompted this article was the depressing frequency of questions on this topic in the Russian-speaking Telegram groups on the subject. The article is aimed at administrators of Mikrotik RouterOS (hereafter ROS). It deals only with multi-WAN, with the emphasis on routing. As a bonus, it includes a minimally sufficient set of settings for safe and convenient operation. Those looking for coverage of queues, access control, VLANs, bridges, multi-level deep analysis of link state and the like need not waste their time and effort reading it.

Initial data

A five-port Mikrotik router with ROS version 6.45.3 was chosen as the test subject. It will route traffic between two local networks (LAN1 and LAN2) and three providers (ISP1, ISP2, ISP3). The link to ISP1 has a static "grey" address, ISP2 a "white" one obtained via DHCP, and ISP3 a "white" one with PPPoE authentication. The connection diagram is shown in the figure:

[Figure: connection diagram of the router, LAN1, LAN2 and the three ISPs]

The task is to configure the MTK router according to the scheme so that it:

  1. Provides automatic switchover to a backup provider. The primary provider is ISP2, the first backup is ISP1, the second backup is ISP3.
  2. Lets network LAN1 reach the Internet only via ISP1.
  3. Allows traffic from the local networks to be routed to the Internet via a chosen provider based on an address list.
  4. Allows services from the local network to be published to the Internet (DSTNAT).
  5. Has a firewall filter that provides minimally sufficient security from the Internet.
  6. Can send its own traffic via any of the three providers, depending on the chosen source address.
  7. Returns reply packets via the channel they came from (including the LAN).

Note. We will configure the router "from scratch", so that there are no surprises from the "out of the box" initial configuration, which changes from version to version. Winbox was chosen as the configuration tool, where the changes can be seen visually. The settings themselves will be entered as commands in the Winbox terminal. The physical connection for configuration is made by plugging directly into the ether5 interface.

A few thoughts on what multi-WAN is, whether it is a problem at all, or whether cunning clever people are weaving a web of conspiracy around it

An inquisitive and attentive administrator who sets up this scheme, or a similar one, on his own suddenly realises that it already works fine. Yes, yes, without the custom routing tables and other route rules that most articles on this topic are full of. Shall we check?

Can we configure the addresses on the interfaces and the default gateways? Yes:

On ISP1, the address and gateway are set with distance=2 and check-gateway=ping.
On ISP2, the default dhcp client settings; the distance will therefore be equal to one.
On ISP3, in the pppoe client settings with add-default-route=yes we set default-route-distance=3.

Don't forget to register NAT on the way out:

/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN

As a result, users of the local sites happily download cat pictures via the primary provider ISP2, and link redundancy is provided by the check-gateway mechanism. See note 1.

Point 1 of the task is done. Where is the multi-WAN with marks? Nowhere...

Next. We need to let certain clients out of the LAN via ISP1:

/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS passthrough=yes route-dst=100.66.66.1 src-address-list=Via_ISP1
/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS passthrough=no route-dst=100.66.66.1 src-address=192.168.88.0/24

Points 2 and 3 of the task are done. Labels, marks, route rules, where are you?!

Need to give clients from the Internet access to your favourite OpenVPN server at 172.17.17.17? Here you go:

/ip cloud set ddns-enabled=yes

As the peer address, we give the clients the output of ":put [/ip cloud get dns-name]".

Register the port forwarding from the Internet:

/ip firewall nat add action=dst-nat chain=dstnat dst-port=1194 in-interface-list=WAN protocol=udp to-addresses=172.17.17.17

Point 4 is done.

We set up the firewall and the rest of the security for point 5, meanwhile rejoicing that everything already works for the users, and reach for a glass of our favourite drink...
Ah! Forgot the tunnels.

Has the l2tp-client, configured from a googled article, come up to the favourite Dutch VDS? Yes, it has.
Has the l2tp-server with IPsec come up, and do clients connect to it by the DNS name from IP Cloud (see above)? Yes, they do.
Leaning back in the chair, sipping the drink, we lazily consider points 6 and 7 of the task. We think: do we need it? It works anyway (c)... So, if it isn't needed yet, that's it. Multi-WAN implemented.

What is multi-WAN? It is the connection of several Internet links to one router.

You don't have to read the article any further, because what can there be in it except a display of unjustified pretentiousness?

For those who remain, who are interested in points 6 and 7 of the task and also feel the itch of perfectionism, let's dive deeper.

The key task in implementing multi-WAN is correct traffic routing. Namely: regardless of which (or which ones, see note 3) ISP channel the default route on our router points at, the reply must go back via exactly the channel the packet came from. The task is clear. Where is the problem? Indeed, in a simple local network the task is the same, but nobody bothers with additional settings and nobody feels any trouble. The difference is that any routable node on the Internet is reachable via each of our channels, and not via one strictly defined channel as in a simple LAN. And the "problem" is that if a request arrives for ISP3's IP address, then in our case the reply will leave via the ISP2 channel, because the default gateway points there. It leaves and is discarded by the provider as incorrect. The problem is identified. How do we solve it?

The solution is divided into three stages:

  1. Preset. At this stage the basic settings of the router are configured: local networks, firewall, address lists, hairpin NAT, etc.
  2. Multi-WAN. At this stage the required connections are marked and sorted into routing tables.
  3. Connecting to the ISPs. At this stage the interfaces that provide the connection to the Internet are configured, and routing and the Internet link redundancy mechanism are activated.

1. Preset

1.1. We wipe the router configuration with the command:

/system reset-configuration skip-backup=yes no-defaults=yes

agree to "Dangerous! Reset anyway? [y/N]:" and, after the reboot, connect with Winbox via MAC. At this point the configuration and the user base have been wiped.

1.2. Create a new user:

/user add group=full name=knight password=ultrasecret comment="Not horse"

log in as it and remove the default one:

/user remove admin

Note. It is removing, rather than disabling, the default user that the author considers safer and recommends.

1.3. We create the basic interface lists for convenient use in the firewall, neighbor discovery settings and the MAC server settings:

/interface list add name=WAN comment="For Internet"
/interface list add name=LAN comment="For Local Area"

Tag the interfaces with comments

/interface ethernet set ether1 comment="to ISP1"
/interface ethernet set ether2 comment="to ISP2"
/interface ethernet set ether3 comment="to ISP3"
/interface ethernet set ether4 comment="to LAN1"
/interface ethernet set ether5 comment="to LAN2"

and fill the interface lists:

/interface list member add interface=ether1 list=WAN comment=ISP1
/interface list member add interface=ether2 list=WAN comment=ISP2 
/interface list member add interface=ether3 list=WAN comment="to ISP3"
/interface list member add interface=ether4 list=LAN  comment="LAN1"
/interface list member add interface=ether5 list=LAN  comment="LAN2"

Note. Writing comprehensible comments is worth the time spent on it; in addition, it greatly eases troubleshooting and understanding the configuration.

The author considers it necessary, for security reasons, to add the ether3 interface to the "WAN" interface list, even though the ip protocol will not run on it.

Don't forget that after the PPP interface is brought up on ether3 it must also be added to the "WAN" interface list.

1.4. We hide the router from neighbor discovery and from management via MAC from the providers' networks:

/ip neighbor discovery-settings set discover-interface-list=!WAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

1.5. We create the minimal set of firewall filter rules to protect the router:

/ip firewall filter add action=accept chain=input comment="Related Established Untracked Allow" connection-state=established,related,untracked

(this rule allows established and related connections initiated both from the attached networks and from the router itself)

/ip firewall filter add action=accept chain=input comment="ICMP from ALL" protocol=icmp

(ping, and not only ping. All ICMP is allowed in. Very useful for finding MTU problems)

/ip firewall filter add action=drop chain=input comment="All other WAN Drop" in-interface-list=WAN

(the rule that closes the input chain forbids everything else that arrives from the Internet)

/ip firewall filter add action=accept chain=forward comment="Established, Related, Untracked allow" connection-state=established,related,untracked

(this rule allows established and related connections passing through the router)

/ip firewall filter add action=drop chain=forward comment="Invalid drop" connection-state=invalid

(this rule drops connections with connection-state=invalid passing through the router. It is strongly recommended by Mikrotik, but in some rare situations it can block useful traffic)

/ip firewall filter add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

(this rule forbids packets arriving from the Internet that have not gone through the dstnat procedure from passing through the router. It protects the local networks from intruders who, being in the same broadcast domain as our external networks, set our external IP as their gateway and thereby try to "explore" our local networks.)

Note. We assume that networks LAN1 and LAN2 are trusted and that traffic between them and from them is not filtered.

1.6. Create an address list with the non-routable networks:

/ip firewall address-list
add address=0.0.0.0/8 comment="\"This\" Network" list=BOGONS
add address=10.0.0.0/8 comment="Private-Use Networks" list=BOGONS
add address=100.64.0.0/10 comment="Shared Address Space. RFC 6598" list=BOGONS
add address=127.0.0.0/8 comment=Loopback list=BOGONS
add address=169.254.0.0/16 comment="Link Local" list=BOGONS
add address=172.16.0.0/12 comment="Private-Use Networks" list=BOGONS
add address=192.0.0.0/24 comment="IETF Protocol Assignments" list=BOGONS
add address=192.0.2.0/24 comment=TEST-NET-1 list=BOGONS
add address=192.168.0.0/16 comment="Private-Use Networks" list=BOGONS
add address=198.18.0.0/15 comment="Network Interconnect Device Benchmark Testing" list=BOGONS
add address=198.51.100.0/24 comment=TEST-NET-2 list=BOGONS
add address=203.0.113.0/24 comment=TEST-NET-3 list=BOGONS
add address=224.0.0.0/4 comment=Multicast list=BOGONS
add address=192.88.99.0/24 comment="6to4 Relay Anycast" list=BOGONS
add address=240.0.0.0/4 comment="Reserved for Future Use" list=BOGONS
add address=255.255.255.255 comment="Limited Broadcast" list=BOGONS

(This is a list of addresses and networks that are not routed on the Internet, and traffic to them will not be sent there.)

Note. The list may change, so I advise checking that it is up to date.

1.7. Set DNS for the router itself:

/ip dns set servers=1.1.1.1,8.8.8.8

Note. In current ROS versions, dynamic servers take priority over static ones. Name resolution requests are sent to the first server in list order. Switching to the next server happens when the current one is unavailable. The timeout is large, more than 5 seconds. Switching back, when the "fallen" server comes back, does not happen automatically. Because of this algorithm and the presence of multi-WAN, the author recommends not using the servers handed out by the providers.

1.8. Set up the local networks.
1.8.1. Configure static IP addresses on the LAN interfaces:

/ip address add interface=ether4 address=192.168.88.254/24 comment="LAN1 IP"
/ip address add interface=ether5 address=172.16.1.0/23 comment="LAN2 IP"

1.8.2. Set rules for routing to the local networks via the main routing table:

/ip route rule add dst-address=192.168.88.0/24 table=main comment="to LAN1"
/ip route rule add dst-address=172.16.0.0/23 table=main comment="to LAN2"

Note. This is one of the quick and easy ways to reach LAN addresses with a source address of a router's external interface that is not on the default route.

1.8.3. Enable hairpin NAT for LAN1 and LAN2:

/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN1" out-interface=ether4 src-address=192.168.88.0/24 to-addresses=192.168.88.254
/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN2" out-interface=ether5 src-address=172.16.0.0/23 to-addresses=172.16.1.0

Note. This allows resources published with dstnat to be reached via the external IP from inside the network.

2. Actually, the implementation of the real multi-WAN

To solve the task of "reply from where you were asked", we will use two ROS tools: connection mark and routing mark. Connection mark lets us mark the connections we need and then use that mark as a condition for applying routing mark. And with routing mark we can already work in ip route and in route rules. We have decided on the tools; now we need to decide which connections to mark (one) and exactly where to mark them (two).

With the first, everything is simple: we must mark all connections that arrive at the router from the Internet via the corresponding channel. In our case there will be three marks (one per channel): "conn_isp1", "conn_isp2" and "conn_isp3".

The nuance of the second is that incoming connections are of two kinds: transit and those destined for the router itself. The connection mark mechanism works in the mangle table. Consider the packet flow in the simplified diagram, kindly compiled by the specialists of the mikrotik-trainings.com resource (not an advertisement):

[Figure: simplified packet flow diagram (mikrotik-trainings.com)]

Following the arrows, we see that a packet arrives at the "Input Interface", passes through the "Prerouting" chain, and only then is split into transit and local in the "Routing Decision" block. Therefore, to kill two birds with one stone, we apply Connection Mark in the Mangle table's Prerouting chain.

Note. In ROS, a "Routing Mark" is listed as "Table" in the Ip/Routes/Rules section and as "Routing Mark" in the other sections. This may cause some confusion, but in fact they are the same thing, and an analogue of rt_tables in iproute2 on Linux.

2.1. We mark the incoming connections from each provider:

/ip firewall mangle add action=mark-connection chain=prerouting comment="Connmark in from ISP1" connection-mark=no-mark in-interface=ether1 new-connection-mark=conn_isp1 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting comment="Connmark in from ISP2" connection-mark=no-mark in-interface=ether2 new-connection-mark=conn_isp2 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting comment="Connmark in from ISP3" connection-mark=no-mark in-interface=pppoe-isp3 new-connection-mark=conn_isp3 passthrough=no

Note. In order not to re-mark already marked connections, I use the condition connection-mark=no-mark instead of connection-state=new, because I consider it more correct, just like the decision not to drop invalid connections in the input filter.

passthrough=no, because in this implementation re-marking is ruled out and, to speed things up, rule enumeration can be stopped after the first match.

Keep in mind that we have not interfered with routing in any way yet. So far this is only the preparatory stage. The next stage of the implementation is processing transit traffic that returns over an established connection from a destination in the local network, i.e. packets that (see the diagram) travel along the path:

"Input Interface" => "Prerouting" => "Routing Decision" => "Forward" => "Post Routing" => "Output Interface" and reach their addressee in the local network.

Important! In ROS there is no logical division into external and internal interfaces. If we trace the path of the reply packet on the diagram above, it follows the same logical path as the request:

"Input Interface" => "Prerouting" => "Routing Decision" => "Forward" => "Post Routing" => "Output Interface", only for the request the "Input Interface" is the ISP interface, and for the reply it is the LAN.

2.2. We direct the transit reply traffic to the corresponding routing table:

/ip firewall mangle add action=mark-routing chain=prerouting comment="Routemark transit out via ISP1" connection-mark=conn_isp1 dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting comment="Routemark transit out via ISP2" connection-mark=conn_isp2 dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting comment="Routemark transit out via ISP3" connection-mark=conn_isp3 dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp3 passthrough=no

Comment. in-interface-list=!WAN: we work only with traffic from the local networks; dst-address-type=!local: only with traffic whose destination is not an address of one of the router's own interfaces.

The same applies to local packets that arrived at the router along the path:

"Input Interface" => "Prerouting" => "Routing Decision" => "Input" => "Local Process"

Important! The reply will travel the following way:

"Local Process" => "Routing Decision" => "Output" => "Post Routing" => "Output Interface"

2.3. We direct the local reply traffic to the corresponding routing table:

/ip firewall mangle add action=mark-routing chain=output comment="Routemark local out via ISP1" connection-mark=conn_isp1 dst-address-type=!local new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=output comment="Routemark local out via ISP2" connection-mark=conn_isp2 dst-address-type=!local new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=output comment="Routemark local out via ISP3" connection-mark=conn_isp3 dst-address-type=!local new-routing-mark=to_isp3 passthrough=no

At this stage, the preparation for sending the reply back to the Internet channel the request came from can be considered complete. Everything is marked, labeled and ready to be routed.
A very pleasant "side" effect of this setup is the ability to work with DSTNAT port forwarding from both providers (ISP2, ISP3) simultaneously. Not from ISP1 at all, since there we have a non-routable address. This effect matters, for example, for a mail server with two MX records pointing at different Internet channels.

To eliminate the nuances of the local networks working with the router's external IPs, we use the solutions from paragraphs 1.8.2 and 3.1.2.6.

Besides, the marking tool can also be used to solve point 3 of the task. We implement it like this:

2.4. We direct traffic from the local clients in the routing lists to the corresponding tables:

/ip firewall mangle add action=mark-routing chain=prerouting comment="Address List via ISP1" dst-address-list=!BOGONS new-routing-mark=to_isp1 passthrough=no src-address-list=Via_ISP1

/ip firewall mangle add action=mark-routing chain=prerouting comment="Address List via ISP2" dst-address-list=!BOGONS new-routing-mark=to_isp2 passthrough=no src-address-list=Via_ISP2

/ip firewall mangle add action=mark-routing chain=prerouting comment="Address List via ISP3" dst-address-list=!BOGONS new-routing-mark=to_isp3 passthrough=no src-address-list=Via_ISP3

As a result, it looks like this:

[Screenshot: the resulting mangle rules in Winbox]

3. Setting up the connections to the ISPs and enabling our signature routing

3.1. Set up the connection to ISP1:
3.1.1. Configure the static IP address:

/ip address add interface=ether1 address=100.66.66.2/30 comment="ISP1 IP"

3.1.2. Set the static routes:
3.1.2.1. Add the "emergency" default route:
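To confirm that the marking of section 2 is actually doing its job once the ISP connections of section 3 are up, here is an added status check (not from the article; the mark and table names conn_isp* and to_isp* are the article's own, the output format is mine). For each ISP it counts the tracked connections carrying that ISP's connection-mark and shows which default route is currently active in that ISP's routing table, then lists mangle rules whose counters are still at zero, which usually points at a marking rule that never matches (for example a wrong in-interface name):

```routeros
# Added example, not part of the article. Run from the terminal after section 3 is done.
:foreach n in={"isp1";"isp2";"isp3"} do={
    :local cmark ("conn_" . $n)
    :local table ("to_" . $n)
    # connections that entered via this ISP and were marked by the 2.1 rules
    :local conns [/ip firewall connection print count-only where connection-mark=$cmark]
    # the default route currently active in this ISP's routing table (3.1.2.4 / 3.1.2.5 etc.)
    :local gw "none (table has no active default route)"
    :foreach r in=[/ip route find dst-address=0.0.0.0/0 routing-mark=$table active=yes] do={
        :set gw ([/ip route get $r gateway] . ", distance " . [/ip route get $r distance])
    }
    :put ($n . ": " . $conns . " connection(s) marked " . $cmark . "; active default in " . $table . " -> " . $gw)
}
# mangle rules that have never matched anything
/ip firewall mangle print stats where bytes=0
```

Because the default routes of section 3 recurse through the "test" addresses, the active gateway shown for a healthy table is the test address (4.2.2.1, 4.2.2.2 or 4.2.2.3) rather than the provider's next hop, and the distance tells you whether the table is on its main route or has fallen back to a backup.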

/ip route add comment="Emergency route" distance=254 type=blackhole

Note. This route lets traffic from local processes get past the Routing Decision stage regardless of the link state of any provider. The nuance of outgoing local traffic is that, for the packet to move at least somewhere, the main routing table must have an active route to a default gateway. Otherwise the packet is simply destroyed.

As an extension of the check-gateway tool, for a deeper analysis of link state I suggest the recursive route method. The essence of the method is that the router looks for the path to its gateway not directly, but through an intermediate gateway. 4.2.2.1, 4.2.2.2 and 4.2.2.3 will be chosen as such "test" gateways for ISP1, ISP2 and ISP3 respectively.

3.1.2.2. Route to the "test" address:

/ip route add check-gateway=ping comment="For recursion via ISP1" distance=1 dst-address=4.2.2.1 gateway=100.66.66.1 scope=10

Note. We lower the scope value to the default ROS target-scope value in order to use 4.2.2.1 as a recursive gateway later. I emphasize: the scope of the route to the "test" address must be less than or equal to the target scope of the route that will reference the test one.

3.1.2.3. Recursive default route for traffic without a routing mark:

/ip route add comment="Unmarked via ISP1" distance=2 gateway=4.2.2.1

Note. The value distance=2 is used because ISP1 is declared the first backup by the conditions of the task.

3.1.2.4. Recursive default route for traffic with the routing mark "to_isp1":

/ip route add comment="Marked via ISP1 Main" distance=1 gateway=4.2.2.1 routing-mark=to_isp1

Note. Actually, here we finally start to enjoy the results of the preparation done in section 2.

On this route, all traffic carrying the routing mark "to_isp1" will be directed to the first provider's gateway, regardless of which default gateway is currently active for the main table.

3.1.2.5. First-fallback recursive default routes for traffic marked for ISP2 and ISP3:

/ip route add comment="Marked via ISP2 Backup1" distance=2 gateway=4.2.2.1 routing-mark=to_isp2
/ip route add comment="Marked via ISP3 Backup1" distance=2 gateway=4.2.2.1 routing-mark=to_isp3

Note. These routes are needed, among other things, for redundancy of the traffic from local networks that are members of the address lists marked "to_isp*".

3.1.2.6. We register the rule for the router's own traffic to the Internet via ISP1:

/ip route rule add comment="From ISP1 IP to Inet" src-address=100.66.66.2 table=to_isp1

Note. Combined with the rules from paragraph 1.8.2, this gives access to the desired channel with a specific source address. This matters for building tunnels that specify the local-side IP address (EoIP, IP-IP, GRE). Since the rules in ip route rules are processed from top to bottom until the first match, this rule must come after the rules from clause 1.8.2.

3.1.3. We register the NAT rule for outgoing traffic:

/ip firewall nat add action=src-nat chain=srcnat comment="NAT via ISP1" ipsec-policy=out,none out-interface=ether1 to-addresses=100.66.66.2

Note. We NAT everything that goes out, except what falls under an IPsec policy. I try not to use action=masquerade unless absolutely necessary: it is slower and more resource-intensive than src-nat, because it computes the NAT address for every new connection.

3.1.4. We send the clients from the list that are forbidden to go out via the other providers directly to the ISP1 provider's gateway:

/ip firewall mangle add action=route chain=prerouting comment="Address List via ISP1 only" dst-address-list=!BOGONS passthrough=no route-dst=100.66.66.1 src-address-list=Via_only_ISP1 place-before=0

Note. action=route has a higher priority and is applied before the other routing rules.

place-before=0 puts our rule first in the list.

3.2. Set up the connection to ISP2.

Since provider ISP2 hands out its settings via DHCP, it is enough to make the necessary changes with a script that runs when the DHCP client fires:

/ip dhcp-client add add-default-route=no disabled=no interface=ether2 use-peer-dns=no use-peer-ntp=no script=":if (\$bound=1) do={
    /ip route add check-gateway=ping comment=\"For recursion via ISP2\" distance=1 dst-address=4.2.2.2/32 gateway=\$\"gateway-address\" scope=10
    /ip route add comment=\"Unmarked via ISP2\" distance=1 gateway=4.2.2.2
    /ip route add comment=\"Marked via ISP2 Main\" distance=1 gateway=4.2.2.2 routing-mark=to_isp2
    /ip route add comment=\"Marked via ISP1 Backup1\" distance=2 gateway=4.2.2.2 routing-mark=to_isp1
    /ip route add comment=\"Marked via ISP3 Backup2\" distance=3 gateway=4.2.2.2 routing-mark=to_isp3
    /ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=\$\"interface\" to-addresses=\$\"lease-address\" comment=\"NAT via ISP2\" place-before=1
    :if ([/ip route rule find comment=\"From ISP2 IP to Inet\"] = \"\") do={
        /ip route rule add comment=\"From ISP2 IP to Inet\" src-address=\$\"lease-address\" table=to_isp2
    } else={
        /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=no src-address=\$\"lease-address\"
    }
} else={
    /ip firewall nat remove [find comment=\"NAT via ISP2\"]
    /ip route remove [find comment=\"For recursion via ISP2\"]
    /ip route remove [find comment=\"Unmarked via ISP2\"]
    /ip route remove [find comment=\"Marked via ISP2 Main\"]
    /ip route remove [find comment=\"Marked via ISP1 Backup1\"]
    /ip route remove [find comment=\"Marked via ISP3 Backup2\"]
    /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=yes
}"

The script itself in the Winbox window:

[Screenshot: the DHCP client script in Winbox]
Note. The first part of the script fires when a lease is successfully obtained, the second after the lease is released. See note 2.

3.3. Set up the connection to provider ISP3.

Since the provider hands us the settings dynamically, it is enough to make the necessary changes with scripts that run after the ppp interface comes up and after it goes down.

3.3.1. First we configure the profile:

/ppp profile add comment="for PPPoE to ISP3" interface-list=WAN name=isp3_client on-down="/ip firewall nat remove [find comment=\"NAT via ISP3\"]
    /ip route remove [find comment=\"For recursion via ISP3\"]
    /ip route remove [find comment=\"Unmarked via ISP3\"]
    /ip route remove [find comment=\"Marked via ISP3 Main\"]
    /ip route remove [find comment=\"Marked via ISP1 Backup2\"]
    /ip route remove [find comment=\"Marked via ISP2 Backup2\"]
    /ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=yes" on-up="/ip route add check-gateway=ping comment=\"For recursion via ISP3\" distance=1 dst-address=4.2.2.3/32 gateway=\$\"remote-address\" scope=10
    /ip route add comment=\"Unmarked via ISP3\" distance=3 gateway=4.2.2.3
    /ip route add comment=\"Marked via ISP3 Main\" distance=1 gateway=4.2.2.3 routing-mark=to_isp3
    /ip route add comment=\"Marked via ISP1 Backup2\" distance=3 gateway=4.2.2.3 routing-mark=to_isp1
    /ip route add comment=\"Marked via ISP2 Backup2\" distance=3 gateway=4.2.2.3 routing-mark=to_isp2
    /ip firewall mangle set [find comment=\"Connmark in from ISP3\"] in-interface=\$\"interface\"
    /ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=\$\"interface\" to-addresses=\$\"local-address\" comment=\"NAT via ISP3\" place-before=1
    :if ([/ip route rule find comment=\"From ISP3 IP to Inet\"] = \"\") do={
        /ip route rule add comment=\"From ISP3 IP to Inet\" src-address=\$\"local-address\" table=to_isp3
    } else={
        /ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=no src-address=\$\"local-address\"
    }"

The script itself in the Winbox window:

[Screenshot: the PPP profile on-up/on-down scripts in Winbox]
Note. The line
/ip firewall mangle set [find comment="Connmark in from ISP3"] in-interface=$"interface";
lets you handle a change of the interface name correctly, since it works with the interface's internal id rather than its display name.

3.3.2. Now, using the profile, we create the ppp connection:

/interface pppoe-client add allow=mschap2 comment="to ISP3" disabled=no interface=ether3 name=pppoe-isp3 password=isp3_pass profile=isp3_client user=isp3_client

As a final touch, let's set the clock:

/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org

For those who read to the end

The proposed way of implementing multi-WAN is the author's personal choice and not the only one. The ROS toolkit is extensive and flexible, which on the one hand creates difficulties for beginners and on the other is the reason for its popularity. Learn, experiment, discover new tools and solutions. For example, as an application of the knowledge gained, the check-gateway-with-recursive-routes tool in this multi-WAN implementation can be replaced with netwatch.

Notes

  1. check-gateway is a mechanism that disables a route after two consecutive failed checks of the gateway's availability. The check runs every 10 seconds, plus the response timeout. In total, the actual switchover time is in the range of 20-30 seconds. If such a switchover time is not sufficient, there is the option of the netwatch tool, where the check timer can be set manually. check-gateway does not react to intermittent packet loss on the link.

    Important! Disabling the main route disables all the other routes that reference it. Therefore specifying check-gateway=ping for them is not necessary.

  2. It happens that the DHCP mechanism fails in a way that looks like the client being stuck in the renewing state. In this case the second part of the script will not run, but this does not stop traffic from flowing correctly, since the state is tracked by the corresponding recursive route.
  3. ECMP (Equal Cost Multi-Path): in ROS it is possible to set a route with several gateways and the same distance. In this case connections are distributed across the channels with a round robin algorithm, in proportion to the number of specified gateways.

For the impetus to write the article, and for help in shaping the structure and placing the accents, personal thanks to Evgeny @jscar
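The conclusion suggests replacing check-gateway with netwatch, and note 1 explains why one might want that (a manually chosen check timer). The following is an added example of that swap for ISP1 (not the article's own code; the route comments, the test address 4.2.2.1 and the ISP1 gateway 100.66.66.1 are the article's, the probe timings are constructed values). The "test" route of 3.1.2.2 is created without check-gateway=ping, and netwatch takes over the probing: on failure it disables every default route that recurses through 4.2.2.1, on recovery it enables them again, so the tables fall back to the backup routes of sections 3.2 and 3.3 exactly as they would with check-gateway.

```routeros
# Added example, not part of the article: netwatch instead of check-gateway=ping for ISP1.
# Replaces 3.1.2.2: the /32 "test" route with no check-gateway; it stays active while ether1
# is up and, with scope=10, is the only route that can resolve the recursive gateway 4.2.2.1.
/ip route add comment="For recursion via ISP1" distance=1 dst-address=4.2.2.1 gateway=100.66.66.1 scope=10

# Probe 4.2.2.1 every 5 s with a 1 s timeout (constructed values; pick what your link tolerates).
# down-script: disable all default routes (any table) whose recursive gateway is 4.2.2.1,
#              i.e. "Unmarked via ISP1", "Marked via ISP1 Main", "Marked via ISP2/ISP3 Backup1".
# up-script:   enable them again; the blackhole emergency route has no gateway and is untouched.
/tool netwatch add host=4.2.2.1 interval=5s timeout=1s comment="ISP1 link watch" down-script="/ip route disable [find dst-address=0.0.0.0/0 gateway=4.2.2.1]; :log warning \"ISP1 probe failed, default routes via 4.2.2.1 disabled\"" up-script="/ip route enable [find dst-address=0.0.0.0/0 gateway=4.2.2.1]; :log info \"ISP1 probe ok, default routes via 4.2.2.1 enabled\""
```

Two things to keep in mind. netwatch sends its probe through the main table, so it is the scope=10 route to 4.2.2.1 that pins the probe to ISP1's gateway; if ether1 itself goes down that route becomes inactive, the probe may then succeed via another provider and netwatch will report "up", but the default routes recursing through 4.2.2.1 cannot resolve without the /32 route and stay inactive regardless, which is the same protection the recursive scheme already gave with check-gateway. And the two-failure hysteresis of check-gateway is gone: with a 5 s interval a single lost probe flips the routes, so a link with occasional packet loss needs a longer interval or timeout.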

Source: www.habr.com