Multi-WAN and routing on Mikrotik RouterOS

Introduction

Taking up this article, apart from vanity, was prompted by the depressing number of questions on this topic in the discussion groups of the Russian-speaking Telegram community. The article is aimed at Mikrotik RouterOS administrators (hereinafter ROS). It covers multi-WAN only, with an emphasis on routing. As a bonus, it includes the minimum settings sufficient for safe and convenient operation. Those looking for coverage of queues, load balancing, VLANs, bridges, multi-stage deep analysis of channel state and the like need not spend time and effort reading it.

Initial data

As a test subject, a five-port Mikrotik router with ROS version 6.45.3 was chosen. It will route traffic between two local networks (LAN1 and LAN2) and three providers (ISP1, ISP2, ISP3). The channel to ISP1 has a static "gray" address, ISP2 has a "white" one obtained via DHCP, and ISP3 has a "white" one with PPPoE authorization. The connection diagram is shown in the figure:

[Figure: connection diagram]

The task is to configure the MTK router according to the diagram so that:

  1. Automatic switching to a backup provider is provided. The main provider is ISP2, the first reserve is ISP1, the second reserve is ISP3.
  2. Network LAN1 reaches the Internet through ISP1 only.
  3. Traffic from the local networks can be routed to the Internet through a chosen provider based on an address list.
  4. Services can be published from the local network to the Internet (DSTNAT).
  5. A firewall filter provides the minimum sufficient security from the Internet.
  6. The router can send its own traffic through any of the three providers, depending on the chosen source address.
  7. Reply packets are routed to the channel they came from (including the LAN).

Note. We will configure the router "from scratch" to guarantee that there are no surprises from the "out of the box" starting configurations, which change from version to version. Winbox was chosen as the configuration tool, and the changes will be shown in it. The settings themselves are given as commands for the Winbox terminal. The physical connection for configuration is a direct connection to the Ether5 interface.

A little reasoning about what multi-WAN is, whether it is a problem, or whether cunning smart people around us are weaving webs of conspiracy

An inquisitive and attentive admin, setting up this scheme or a similar one on their own, suddenly realizes that it already works as it is. Yes, yes, without your custom routing tables and other route rules that most articles on this topic are full of. Shall we check?

Can we configure addressing on the interfaces and the default gateways? Yes:

On ISP1, the address and gateway are registered with distance=2 and check-gateway=ping.
On ISP2, the dhcp client settings are the defaults, so distance will equal one.
On ISP3, in the pppoe client settings with add-default-route=yes we set default-route-distance=3.

Do not forget to register NAT on the way out:

/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN

As a result, users of the local sites happily download cats through the main provider ISP2, and there is channel reservation using the check-gateway mechanism (see note 1).

Point 1 of the task is implemented. Where is the multi-WAN with its marks? No…

Further. You need to send specific clients from the LAN through ISP1:

/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS \
    passthrough=yes route-dst=100.66.66.1 src-address-list=Via_ISP1
/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS \
    passthrough=no route-dst=100.66.66.1 src-address=192.168.88.0/24

Points 2 and 3 of the task are implemented. Labels, marks, route rules, where are you?!

Need to give clients from the Internet access to your favorite OpenVPN server with the address 172.17.17.17? Please:

/ip cloud set ddns-enabled=yes

As the peer, we give clients the output of: ":put [ip cloud get dns-name]"

We register port forwarding from the Internet:

/ip firewall nat add action=dst-nat chain=dstnat dst-port=1194 \
    in-interface-list=WAN protocol=udp to-addresses=172.17.17.17

Point 4 is ready.

We set up a firewall and other security for point 5, at the same time we are glad that everything already works for the users, and we reach for a container with a favorite drink ...
Ah! The tunnels were forgotten.

The l2tp-client, configured from a googled article, has connected to your favorite Dutch VDS? Yes.
The l2tp-server with IPsec has come up, and clients connect by the DNS name from IP Cloud (see above)? Yes.
Leaning back in the chair, sipping the drink, we lazily consider points 6 and 7 of the task. We think - do we need them? After all, it works as it is (c) ... So, if they are still not needed, then that is all. Multi-WAN is implemented.

What is multi-WAN? It is the connection of several Internet channels to one router.

You do not have to read the article any further, because what can there be beyond this except showing off of dubious applicability?

With those who remain, who are interested in points 6 and 7 of the task and also feel the itch of perfectionism, we dive deeper.

The most important task in implementing multi-WAN is correct traffic routing. Namely: regardless of which (or which ones, see note 3) of the ISP channels the default route on our router looks at, it must return a reply to exactly the channel the packet came from. The task is clear. Where is the problem? After all, in a simple local network the task is the same, but nobody bothers with extra settings and nobody feels any trouble. The difference is that any routable node on the Internet is reachable through each of our channels, and not through one strictly specific channel, as in a simple LAN. And the "trouble" is that if a request came to us at the IP address of ISP3, then in our case the reply will go out through the ISP2 channel, because the default gateway points there. It will leave and be discarded by the provider as incorrect. The problem is identified. How do we solve it?

The solution is divided into three stages:

  1. Presetting. At this stage, the basic settings of the router are set: local network, firewall, address lists, hairpin NAT, etc.
  2. Multi-WAN. At this stage, the necessary connections are marked and sorted into routing tables.
  3. Connecting to an ISP. At this stage, the interfaces that connect to the Internet are configured, and routing and the Internet channel reservation mechanism are activated.

1. Presetting

1.1. We clear the router configuration with the command:

/system reset-configuration skip-backup=yes no-defaults=yes

agree to "Dangerous! Reset anyway? [y/N]:" and, after the reboot, connect with Winbox via MAC. At this stage, the configuration and the user base are cleared.

1.2. Create a new user:

/user add group=full name=knight password=ultrasecret comment="Not horse"

log in as this user and remove the default one:

/user remove admin

Note. The author considers removing the default user, rather than disabling it, to be safer and recommends doing so.

1.3. We create basic interface lists for convenience when working with the firewall, the discovery settings and the other MAC servers:

/interface list add name=WAN comment="For Internet"
/interface list add name=LAN comment="For Local Area"

We label the interfaces with comments:

/interface ethernet set ether1 comment="to ISP1"
/interface ethernet set ether2 comment="to ISP2"
/interface ethernet set ether3 comment="to ISP3"
/interface ethernet set ether4 comment="to LAN1"
/interface ethernet set ether5 comment="to LAN2"

and fill the interface lists:

/interface list member add interface=ether1 list=WAN comment=ISP1
/interface list member add interface=ether2 list=WAN comment=ISP2 
/interface list member add interface=ether3 list=WAN comment="to ISP3"
/interface list member add interface=ether4 list=LAN  comment="LAN1"
/interface list member add interface=ether5 list=LAN  comment="LAN2"

Note. Writing clear comments is worth the time spent on it, and it greatly helps troubleshooting and understanding the configuration.

The author considers it necessary, for security reasons, to add the ether3 interface to the "WAN" interface list, even though the IP protocol will not run over it.

Do not forget that after the PPP interface is raised on ether3, it must also be added to the "WAN" interface list.

1.4. We hide the router from neighbor discovery and from management via MAC from the provider networks:

/ip neighbor discovery-settings set discover-interface-list=!WAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

1.5. We create the minimum sufficient set of firewall filter rules to protect the router:

/ip firewall filter add action=accept chain=input comment="Related Established Untracked Allow" \
    connection-state=established,related,untracked

(the rule permits established and related connections that are initiated both from the connected networks and by the router itself)

/ip firewall filter add action=accept chain=input comment="ICMP from ALL" protocol=icmp

(Ping and not only ping. All icmp is allowed in. Very useful for finding MTU problems)

/ip firewall filter add action=drop chain=input comment="All other WAN Drop" in-interface-list=WAN

(the rule that closes the input chain blocks everything else that arrives from the Internet)

/ip firewall filter add action=accept chain=forward \
    comment="Established, Related, Untracked allow" \
    connection-state=established,related,untracked

(the rule allows established and related connections that pass through the router)

/ip firewall filter add action=drop chain=forward comment="Invalid drop" connection-state=invalid

(the rule drops connections with connection-state=invalid that pass through the router. It is strongly recommended by Mikrotik, but in some rare situations it can block useful traffic)

/ip firewall filter add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

(the rule forbids packets that come from the Internet and have not passed the dstnat procedure from going through the router. This protects the local networks from intruders who, being in the same broadcast domain as our external networks, register our external IPs as a gateway and in this way try to "explore" our local networks.)

Note. Let us assume that the networks LAN1 and LAN2 are trusted and that traffic between them and from them is not filtered.

1.6. Create a list of the non-routable networks:

/ip firewall address-list
add address=0.0.0.0/8 comment="\"This\" Network" list=BOGONS
add address=10.0.0.0/8 comment="Private-Use Networks" list=BOGONS
add address=100.64.0.0/10 comment="Shared Address Space. RFC 6598" list=BOGONS
add address=127.0.0.0/8 comment=Loopback list=BOGONS
add address=169.254.0.0/16 comment="Link Local" list=BOGONS
add address=172.16.0.0/12 comment="Private-Use Networks" list=BOGONS
add address=192.0.0.0/24 comment="IETF Protocol Assignments" list=BOGONS
add address=192.0.2.0/24 comment=TEST-NET-1 list=BOGONS
add address=192.168.0.0/16 comment="Private-Use Networks" list=BOGONS
add address=198.18.0.0/15 comment="Network Interconnect Device Benchmark Testing" list=BOGONS
add address=198.51.100.0/24 comment=TEST-NET-2 list=BOGONS
add address=203.0.113.0/24 comment=TEST-NET-3 list=BOGONS
add address=224.0.0.0/4 comment=Multicast list=BOGONS
add address=192.88.99.0/24 comment="6to4 Relay Anycast" list=BOGONS
add address=240.0.0.0/4 comment="Reserved for Future Use" list=BOGONS
add address=255.255.255.255 comment="Limited Broadcast" list=BOGONS

(This is the list of addresses and networks that are not routable on the Internet, and we will treat them accordingly.)

Note. The list may change, so I advise you to check periodically that it is still current.

1.7. Configure DNS for the router itself:

/ip dns set servers=1.1.1.1,8.8.8.8

Note. In the current version of ROS, dynamic servers take precedence over static ones. A name resolution request is sent to the first server in order in the list. The switch to the next server happens when the current one is unavailable. The timeout is large - more than 5 seconds. Switching back, when the "fallen server" recovers, does not happen automatically. Given this algorithm and the presence of multi-WAN, the author recommends not using the servers handed out by the providers.

1.8. Set up the local network.
1.8.1. We configure static IP addresses on the LAN interfaces:

/ip address add interface=ether4 address=192.168.88.254/24 comment="LAN1 IP"
/ip address add interface=ether5 address=172.16.1.0/23 comment="LAN2 IP"

1.8.2. We set the rules for routes to our local networks through the main routing table:

/ip route rule add dst-address=192.168.88.0/24 table=main comment="to LAN1"
/ip route rule add dst-address=172.16.0.0/23 table=main comment="to LAN2"

Note. This is one of the quick and simple ways to reach LAN addresses when the source is an external IP address of a router interface through which the default route does not go.

1.8.3. Enable Hairpin NAT for LAN1 and LAN2:

/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN1" \
    out-interface=ether4 src-address=192.168.88.0/24 to-addresses=192.168.88.254
/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN2" \
    out-interface=ether5 src-address=172.16.0.0/23 to-addresses=172.16.1.0

Note. This lets you reach your resources (dstnat) through the external IP while being inside the network.

2. Actually, the implementation of that very correct multi-WAN

To solve the problem of "answering where the question came from", we will use two ROS tools: connection mark and routing mark. A connection mark lets you mark the desired connection and then use that mark as a condition for applying a routing mark. And with a routing mark you can already work in ip route and in route rules. We have sorted out the tools; now we need to decide which connections to mark - that is one, and where exactly to mark them - that is two.

With the first, everything is simple - we must mark all connections that come to the router from the Internet through the corresponding channel. In our case, these will be three marks (by the number of channels): "conn_isp1", "conn_isp2" and "conn_isp3".

The nuance with the second is that incoming connections are of two kinds: transit ones and those intended for the router itself. The connection mark mechanism works in the mangle table. Consider the movement of a packet on a simplified diagram, kindly compiled by the specialists of the resource mikrotik-trainings.com (not an advertisement):

[Figure: simplified packet flow diagram]

Following the arrows, we see that a packet arriving at the "Input Interface" goes through the "Prerouting" chain and only then is it divided into transit and local in the "Routing Decision" block. Therefore, to kill two birds with one stone, we use Connection Mark in the Mangle table of the Prerouting chain.

Note. In ROS, "Routing Mark" labels are listed as "Table" in the Ip/Routes/Rules section, and as "Routing Mark" in the other sections. This may cause some confusion, but in essence it is the same thing, and it is an analogue of rt_tables in iproute2 on linux.

2.1. We mark the incoming connections from each of the providers:

/ip firewall mangle add action=mark-connection chain=prerouting \
    comment="Connmark in from ISP1" connection-mark=no-mark in-interface=ether1 \
    new-connection-mark=conn_isp1 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting \
    comment="Connmark in from ISP2" connection-mark=no-mark in-interface=ether2 \
    new-connection-mark=conn_isp2 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting \
    comment="Connmark in from ISP3" connection-mark=no-mark in-interface=pppoe-isp3 \
    new-connection-mark=conn_isp3 passthrough=no

Note. In order not to mark connections that are already marked, I use the condition connection-mark=no-mark instead of connection-state=new, because I think this is more correct, as is leaving out a drop of invalid connections in the input filter.

passthrough=no - because in this implementation re-marking is excluded, and, to speed things up, the walk through the rules can be stopped after the first match.

Keep in mind that so far we do not interfere with routing in any way. For now this is only a preparation stage. The next stage of the implementation is the processing of transit traffic that returns over an established connection from its destination in the local network. That is, the packets that (see the diagram) passed through the router along the path:

"Input Interface"=>"Prerouting"=>"Routing Decision"=>"Forward"=>"Post Routing"=>"Output Interface" and reached their addressee in the local network.

Important! In ROS, there is no logical division into external and internal interfaces. If we trace the path of the reply packet on the diagram above, it follows the same logical path as the request:

"Input Interface"=>"Prerouting"=>"Routing Decision"=>"Forward"=>"Post Routing"=>"Output Interface", only for the request the "Input Interface" was the ISP interface, and for the reply it is the LAN.

2.2. We direct the reply transit traffic to the corresponding routing tables:

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Routemark transit out via ISP1" connection-mark=conn_isp1 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Routemark transit out via ISP2" connection-mark=conn_isp2 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Routemark transit out via ISP3" connection-mark=conn_isp3 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp3 passthrough=no

Comment. in-interface-list=!WAN - we work only with traffic from the local network, and dst-address-type=!local - only with traffic whose destination address is not an address of the router's own interfaces.

The same for local packets that arrived at the router along the path:

"Input Interface"=>"Prerouting"=>"Routing Decision"=>"Input"=>"Local Process"

Important! The reply will go as follows:

"Local Process"=>"Routing Decision"=>"Output"=>"Post Routing"=>"Output Interface"

2.3. We direct the reply local traffic to the corresponding routing tables:

/ip firewall mangle add action=mark-routing chain=output \
    comment="Routemark local out via ISP1" connection-mark=conn_isp1 dst-address-type=!local \
    new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=output \
    comment="Routemark local out via ISP2" connection-mark=conn_isp2 dst-address-type=!local \
    new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=output \
    comment="Routemark local out via ISP3" connection-mark=conn_isp3 dst-address-type=!local \
    new-routing-mark=to_isp3 passthrough=no

At this stage, the task of preparing to send a reply to the Internet channel from which the request came can be considered solved. Everything is marked, labeled and ready to be routed.
A nice "side" effect of this setup is the ability to work with DSTNAT port forwarding from both providers (ISP2, ISP3) at the same time. Not from all of them, because on ISP1 we have a non-routable address. This effect matters, for example, for a mail server with two MXs that look at different Internet channels.
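
The marking logic of sections 2.1-2.3, as an added example that is not part of the original article: a small Python model that walks the mangle rules in the order they were entered and reports which routing mark a reply receives. The interface names and marks are the article's; the connection ids, the Internet client address and the ISP2/ISP3 router addresses are constructed documentation-range values.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Interface names and marks come from the article. The ISP2/ISP3 router
# addresses are constructed placeholders (those links are dynamic).
ISP_IFACE = {"isp1": "ether1", "isp2": "ether2", "isp3": "pppoe-isp3"}
WAN = set(ISP_IFACE.values())                              # interface list "WAN"
ROUTER_IPS = {"100.66.66.2", "192.0.2.2", "203.0.113.2",   # WAN side
              "192.168.88.254", "172.16.1.0"}              # LAN side


@dataclass
class Packet:
    conn: str                    # id of the conntrack entry the packet belongs to
    chain: str                   # "prerouting" or "output" (router-generated)
    in_if: Optional[str]         # ingress interface; None in the output chain
    dst: str
    routing_mark: Optional[str] = None


def mangle(pkt: Packet, conn_marks: Dict[str, str]) -> Packet:
    """Walk the rules in entry order; passthrough=no stops at the first match."""
    mark = conn_marks.get(pkt.conn)                 # None models "no-mark"
    dst_local = pkt.dst in ROUTER_IPS               # dst-address-type=local
    if pkt.chain == "prerouting":
        for isp, iface in ISP_IFACE.items():        # 2.1 mark-connection
            if mark is None and pkt.in_if == iface:
                conn_marks[pkt.conn] = "conn_" + isp
                return pkt
        for isp in ISP_IFACE:                       # 2.2 mark-routing, transit replies
            if mark == "conn_" + isp and not dst_local and pkt.in_if not in WAN:
                pkt.routing_mark = "to_" + isp
                return pkt
    elif pkt.chain == "output":
        for isp in ISP_IFACE:                       # 2.3 mark-routing, router's own replies
            if mark == "conn_" + isp and not dst_local:
                pkt.routing_mark = "to_" + isp
                return pkt
    return pkt


CLIENT = "198.51.100.77"     # constructed Internet host
SERVER_IF = "ether4"         # a published LAN1 server sits behind ether4


def transit_reply_mark(wan_if: str, wan_ip: str) -> Optional[str]:
    """Request enters on wan_if for a DSTNATed server; return the reply's routing mark."""
    marks: Dict[str, str] = {}
    mangle(Packet("c1", "prerouting", wan_if, wan_ip), marks)    # first packet in
    return mangle(Packet("c1", "prerouting", SERVER_IF, CLIENT), marks).routing_mark


def local_reply_mark(wan_if: str, wan_ip: str) -> Optional[str]:
    """Request enters on wan_if for the router itself; return the reply's routing mark."""
    marks: Dict[str, str] = {}
    mangle(Packet("c2", "prerouting", wan_if, wan_ip), marks)
    return mangle(Packet("c2", "output", None, CLIENT), marks).routing_mark


def inbound_followup_mark(wan_if: str, wan_ip: str) -> Optional[str]:
    """Later inbound packets of a marked connection get no routing mark."""
    marks: Dict[str, str] = {}
    mangle(Packet("c3", "prerouting", wan_if, wan_ip), marks)
    return mangle(Packet("c3", "prerouting", wan_if, wan_ip), marks).routing_mark


def lan_initiated_first_packet_mark() -> Optional[str]:
    """A new connection opened from the LAN is left for the main table."""
    return mangle(Packet("c4", "prerouting", "ether5", CLIENT), {}).routing_mark


if __name__ == "__main__":
    for isp, iface in ISP_IFACE.items():
        print(isp, transit_reply_mark(iface, "203.0.113.2"),
              local_reply_mark(iface, "203.0.113.2"))
```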

To eliminate the nuances of how the local networks work with the external IPs of the router, we use the solutions from paragraphs 1.8.2 and 3.1.2.6.

In addition, the tool with marks can be used to solve point 3 of the task. We implement it like this:

2.4. We direct traffic from local clients in the routing lists to the appropriate tables:

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Address List via ISP1" dst-address-list=!BOGONS new-routing-mark=to_isp1 \
    passthrough=no src-address-list=Via_ISP1

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Address List via ISP2" dst-address-list=!BOGONS new-routing-mark=to_isp2 \
    passthrough=no src-address-list=Via_ISP2

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Address List via ISP3" dst-address-list=!BOGONS new-routing-mark=to_isp3 \
    passthrough=no src-address-list=Via_ISP3

As a result, it looks something like this:

[Figure: the resulting mangle rules]

3. Set up the connections to the ISPs and enable routing by marks

3.1. Set up the connection to ISP1:
3.1.1. Configure a static IP address:

/ip address add interface=ether1 address=100.66.66.2/30 comment="ISP1 IP"

3.1.2. Set up static routing:
3.1.2.1. Add a default "emergency" route:

/ip route add comment="Emergency route" distance=254 type=blackhole

Note. This route allows traffic from local processes to pass the Route Decision stage regardless of the state of the links of any of the providers. The nuance of outgoing local traffic is that, for a packet to move anywhere at all, the main routing table must have an active route to a default gateway. If there is none, the packet is simply destroyed.

As an extension of the check-gateway tool, for a deeper analysis of the channel state, I suggest using the recursive route method. The essence of the method is that we tell the router to look for the path to its gateway not directly, but through an intermediate gateway. 4.2.2.1, 4.2.2.2 and 4.2.2.3 will be chosen as such "test" gateways for ISP1, ISP2 and ISP3 respectively.

3.1.2.2. Route to the "verification" address:

/ip route add check-gateway=ping comment="For recursion via ISP1" \
    distance=1 dst-address=4.2.2.1 gateway=100.66.66.1 scope=10

Note. We lower the scope value to the default of the ROS target scope so that 4.2.2.1 can later be used as a recursive gateway. I emphasize: the scope of the route to the "test" address must be less than or equal to the target scope of the route that refers to the test one.

3.1.2.3. Recursive default route for traffic without a routing mark:

/ip route add comment="Unmarked via ISP1" distance=2 gateway=4.2.2.1

Note. The value distance=2 is used because ISP1 is declared as the first backup in the conditions of the task.

3.1.2.4. Recursive default route for traffic with the routing mark "to_isp1":

/ip route add comment="Marked via ISP1 Main" distance=1 gateway=4.2.2.1 \
    routing-mark=to_isp1

Note. Actually, here we finally begin to enjoy the fruits of the preparatory work carried out in section 2.

Along this route, all traffic that carries the routing mark "to_isp1" will be directed to the gateway of the first provider, regardless of which default gateway is currently active for the main table.

3.1.2.5. First backup recursive default route for traffic marked for ISP2 and ISP3:

/ip route add comment="Marked via ISP2 Backup1" distance=2 gateway=4.2.2.1 \
    routing-mark=to_isp2
/ip route add comment="Marked via ISP3 Backup1" distance=2 gateway=4.2.2.1 \
    routing-mark=to_isp3

Note. These routes are needed, among other things, to provide a reserve for traffic from local networks that are members of the "to_isp*" address lists.

3.1.2.6. We register a route for the router's local traffic to the Internet via ISP1:

/ip route rule add comment="From ISP1 IP to Inet" src-address=100.66.66.2 table=to_isp1

Note. In combination with the rules from paragraph 1.8.2, this gives access to the desired channel with a given source. This is critical for building tunnels in which the local-side IP address is specified (EoIP, IP-IP, GRE). Since the rules in ip route rules are executed from top to bottom, until the first match of the conditions, this rule must come after the rules from paragraph 1.8.2.

3.1.3. We register the NAT rule for outgoing traffic:

/ip firewall nat add action=src-nat chain=srcnat comment="NAT via ISP1" \
    ipsec-policy=out,none out-interface=ether1 to-addresses=100.66.66.2

Note. We NAT everything that goes out, except what falls under IPsec policies. I try not to use action=masquerade unless it is absolutely necessary. It is slower and more resource intensive than src-nat because it calculates the NAT address for each new connection.

3.1.4. We send the clients from the list who are not allowed to go out through other providers to the gateway of provider ISP1.

/ip firewall mangle add action=route chain=prerouting comment="Address List via ISP1 only" \
    dst-address-list=!BOGONS passthrough=no route-dst=100.66.66.1 \
    src-address-list=Via_only_ISP1 place-before=0

Note. action=route has a higher priority and is applied before the other routing rules.

place-before=0 - places our rule first in the list.

3.2. Set up the connection to ISP2.

Since provider ISP2 gives us the settings via DHCP, it is reasonable to make the necessary changes with a script that starts when the DHCP client is triggered:

# DHCP client on ether2: when a lease is bound, the script adds the ISP2 routes,
# NAT rule and route rule; otherwise it removes or disables them.
/ip dhcp-client
add add-default-route=no disabled=no interface=ether2 script=":if (\$bound=1) do={\r\
    \n    /ip route add check-gateway=ping comment=\"For recursion via ISP2\" distance=1 \
           dst-address=4.2.2.2/32 gateway=\$\"gateway-address\" scope=10\r\
    \n    /ip route add comment=\"Unmarked via ISP2\" distance=1 gateway=4.2.2.2;\r\
    \n    /ip route add comment=\"Marked via ISP2 Main\" distance=1 gateway=4.2.2.2 \
           routing-mark=to_isp2;\r\
    \n    /ip route add comment=\"Marked via ISP1 Backup1\" distance=2 gateway=4.2.2.2 \
           routing-mark=to_isp1;\r\
    \n    /ip route add comment=\"Marked via ISP3 Backup2\" distance=3 gateway=4.2.2.2 \
           routing-mark=to_isp3;\r\
    \n    /ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none \
           out-interface=\$\"interface\" to-addresses=\$\"lease-address\" comment=\"NAT via ISP2\" \
           place-before=1;\r\
    \n    :if ([/ip route rule find comment=\"From ISP2 IP to Inet\"] =\"\") do={\r\
    \n        /ip route rule add comment=\"From ISP2 IP to Inet\" \
               src-address=\$\"lease-address\" table=to_isp2 \r\
    \n    } else={\r\
    \n       /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=no \
              src-address=\$\"lease-address\"\r\
    \n    }      \r\
    \n} else={\r\
    \n   /ip firewall nat remove  [find comment=\"NAT via ISP2\"];\r\
    \n   /ip route remove [find comment=\"For recursion via ISP2\"];\r\
    \n   /ip route remove [find comment=\"Unmarked via ISP2\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP2 Main\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP1 Backup1\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP3 Backup2\"];\r\
    \n   /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=yes\r\
    \n}\r\
    \n" use-peer-dns=no use-peer-ntp=no

The script itself in the Winbox window:

[Figure: the DHCP client script in the Winbox window]

Note. The first part of the script is triggered when the lease is successfully obtained, the second after the lease is released. See note 2.

3.3. We set up the connection to provider ISP3.

Since the provider gives us dynamic settings, it is reasonable to make the necessary changes with scripts that start after the ppp interface is raised and after it goes down.

3.3.1. First we configure the profile:

# PPP profile for ISP3: on-up adds the ISP3 routes, NAT rule and route rule,
# on-down removes or disables them.
/ppp profile
add comment="for PPPoE to ISP3" interface-list=WAN name=isp3_client \
    on-down="/ip firewall nat remove  [find comment=\"NAT via ISP3\"];\r\
    \n/ip route remove [find comment=\"For recursion via ISP3\"];\r\
    \n/ip route remove [find comment=\"Unmarked via ISP3\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP3 Main\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP1 Backup2\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP2 Backup2\"];\r\
    \n/ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=yes;" \
    on-up="/ip route add check-gateway=ping comment=\"For recursion via ISP3\" distance=1 \
    dst-address=4.2.2.3/32 gateway=\$\"remote-address\" scope=10\r\
    \n/ip route add comment=\"Unmarked via ISP3\" distance=3 gateway=4.2.2.3;\r\
    \n/ip route add comment=\"Marked via ISP3 Main\" distance=1 gateway=4.2.2.3 \
    routing-mark=to_isp3;\r\
    \n/ip route add comment=\"Marked via ISP1 Backup2\" distance=3 gateway=4.2.2.3 \
    routing-mark=to_isp1;\r\
    \n/ip route add comment=\"Marked via ISP2 Backup2\" distance=3 gateway=4.2.2.3 \
    routing-mark=to_isp2;\r\
    \n/ip firewall mangle set [find comment=\"Connmark in from ISP3\"] \
    in-interface=\$\"interface\";\r\
    \n/ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none \
    out-interface=\$\"interface\" to-addresses=\$\"local-address\" comment=\"NAT via ISP3\" \
    place-before=1;\r\
    \n:if ([/ip route rule find comment=\"From ISP3 IP to Inet\"] =\"\") do={\r\
    \n   /ip route rule add comment=\"From ISP3 IP to Inet\" src-address=\$\"local-address\" \
    table=to_isp3 \r\
    \n} else={\r\
    \n   /ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=no \
    src-address=\$\"local-address\"\r\
    \n};\r\
    \n"

The script itself in the Winbox window:

[Figure: the PPP profile scripts in the Winbox window]

Note. The line
/ip firewall mangle set [find comment="Connmark in from ISP3"] in-interface=$"interface";
lets you correctly handle renaming of the interface, since it works with its code and not with the display name.

3.3.2. Now, using the profile, create the ppp connection:

/interface pppoe-client add allow=mschap2 comment="to ISP3" disabled=no \
    interface=ether3 name=pppoe-isp3 password=isp3_pass profile=isp3_client user=isp3_client
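
How the default routes created in sections 3.1-3.3 behave together during failover, as an added example that is not part of the original article: a Python model that picks the active route per routing table by distance. It assumes that a recursive route is usable only while the "For recursion via ISPn" host route to its gateway is active, and that ROS 6 falls back to the main table when a marked table has no active route; the function names are hypothetical.

```python
from typing import NamedTuple, Optional, Set


class Route(NamedTuple):
    table: str       # "main" or the routing-mark table
    distance: int
    gateway: str     # recursive gateway address, or "blackhole"
    comment: str


# Default routes with the distances, gateways and comments used in 3.1-3.3.
ROUTES = [
    Route("main", 254, "blackhole", "Emergency route"),
    Route("main", 2, "4.2.2.1", "Unmarked via ISP1"),
    Route("main", 1, "4.2.2.2", "Unmarked via ISP2"),
    Route("main", 3, "4.2.2.3", "Unmarked via ISP3"),
    Route("to_isp1", 1, "4.2.2.1", "Marked via ISP1 Main"),
    Route("to_isp1", 2, "4.2.2.2", "Marked via ISP1 Backup1"),
    Route("to_isp1", 3, "4.2.2.3", "Marked via ISP1 Backup2"),
    Route("to_isp2", 1, "4.2.2.2", "Marked via ISP2 Main"),
    Route("to_isp2", 2, "4.2.2.1", "Marked via ISP2 Backup1"),
    Route("to_isp2", 3, "4.2.2.3", "Marked via ISP2 Backup2"),
    Route("to_isp3", 1, "4.2.2.3", "Marked via ISP3 Main"),
    Route("to_isp3", 2, "4.2.2.1", "Marked via ISP3 Backup1"),
    Route("to_isp3", 3, "4.2.2.2", "Marked via ISP3 Backup2"),
]

# Which provider each "test" gateway is reached through.
GATEWAY_ISP = {"4.2.2.1": "ISP1", "4.2.2.2": "ISP2", "4.2.2.3": "ISP3"}


def active_route(table: str, resolvable: Set[str]) -> Optional[Route]:
    """Lowest-distance usable route in `table`.

    `resolvable` holds the test gateways whose "For recursion via ISPn"
    host route is currently active.
    """
    usable = [r for r in ROUTES if r.table == table
              and (r.gateway == "blackhole" or r.gateway in resolvable)]
    if usable:
        return min(usable, key=lambda r: r.distance)
    if table != "main":
        # Assumption: ROS 6 continues the lookup in the main table.
        return active_route("main", resolvable)
    return None


def egress(table: str, resolvable: Set[str]) -> str:
    """Provider that traffic looked up in `table` leaves through."""
    route = active_route(table, resolvable)
    if route is None:
        return "unreachable"
    return GATEWAY_ISP.get(route.gateway, route.gateway)


if __name__ == "__main__":
    scenarios = {
        "all links up": {"4.2.2.1", "4.2.2.2", "4.2.2.3"},
        "ISP2 down": {"4.2.2.1", "4.2.2.3"},
        "only ISP3 up": {"4.2.2.3"},
        "all links down": set(),
    }
    for name, up in scenarios.items():
        row = {t: egress(t, up) for t in ("main", "to_isp1", "to_isp2", "to_isp3")}
        print(f"{name:15} {row}")
```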

As a final touch, let us set the clock:

/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org

For those who read to the end

The proposed way of implementing multi-WAN is the author's personal preference and is not the only possible one. The ROS toolkit is extensive and flexible, which, on the one hand, makes it difficult for beginners and, on the other hand, is the reason for its popularity. Learn, try, discover new tools and solutions. For example, as an application of the knowledge gained, the check-gateway tool with recursive routes in this multi-WAN implementation can be replaced with netwatch.

Notes

  1. check-gateway - a mechanism that lets you deactivate a route after two unsuccessful checks of the gateway for availability. The check is performed once every 10 seconds, plus the response timeout. In total, the actual switching time lies in the range of 20-30 seconds. If that switching time is not sufficient, there is the option of using the netwatch tool, where the check timer can be set manually. check-gateway does not trigger on packet loss on the link.

    Important! Deactivating a primary route deactivates all the routes that refer to it. Therefore, specifying check-gateway=ping for them is not necessary.

  2. It happens that a failure occurs in the DHCP mechanism, which looks like a client stuck in the renew state. In this case, the second part of the script will not run, but this will not prevent traffic from flowing correctly, since the state is tracked by the corresponding recursive route.
  3. ECMP (Equal Cost Multi-Path) - in ROS it is possible to set a route with several gateways and the same distance. In this case, connections are distributed across the channels using the round robin algorithm, in proportion to the number of specified gateways.

For the impetus to write the article, help in shaping its structure and placing the accents - personal gratitude to Evgeny @jscar

Source: will.com