Multivan and routing on Mikrotik RouterOS

Introduction

Apart from vanity, the idea for this article was prompted by how often questions on this topic come up in the specialized Russian-speaking groups. The article is aimed at beginner administrators of Mikrotik RouterOS (hereafter ROS). It deals only with multivan, with an emphasis on routing. As a bonus, it gives the minimal sufficient settings for safe and convenient operation. Those looking for a treatment of queues, load balancing, vlans, bridges, deep multi-stage analysis of channel state and the like need not waste time and effort on reading.

Initial data

A five-port Mikrotik router with ROS version 6.45.3 was chosen as the test subject. It will route traffic between two local networks (LAN1 and LAN2) and three providers (ISP1, ISP2, ISP3). The channel to ISP1 has a static "grey" address, ISP2 a "white" one obtained via DHCP, ISP3 a "white" one with PPPoE authorization. The connection diagram is shown in the figure.


The task is to configure the MTK router according to this scheme so that it:

  1. Provides automatic switching to a backup provider. The main provider is ISP2, the first backup is ISP1, the second backup is ISP3.
  2. Lets the LAN1 network access the Internet only via ISP1.
  3. Provides the ability to route traffic from the local networks to the Internet via a chosen provider, based on an address list.
  4. Provides for publishing a service from the local network to the Internet (DSTNAT).
  5. Has a firewall filter configured for minimal sufficient protection from the Internet.
  6. Can send its own traffic via any of the three providers, depending on the chosen source address.
  7. Ensures that reply packets are routed back to the channel they arrived from (including the LAN).

Note. We will configure the router "from scratch" to rule out surprises from the "out of the box" default configuration, which changes from version to version. Winbox was chosen as the configuration tool, in which the changes will be shown visually. The settings themselves will be made with commands in the Winbox terminal. The physical connection for configuration is a direct cable to the Ether5 interface.

A little reasoning about multivan: is it a problem, or are cunning clever people weaving conspiracy networks

An inquisitive and attentive administrator, setting up such or a similar scheme on their own, suddenly realizes that it already works just fine. Yes, yes, without those custom routing tables and other routing rules that most articles on this topic are full of. Shall we check?

Can we configure the addresses on the interfaces and the default gateways? Yes:

On ISP1 the address and gateway are registered with distance=2 and check-gateway=ping.
On ISP2 the dhcp-client defaults are used, so the distance will be equal to one.
On ISP3, in the pppoe-client settings with add-default-route=yes, set default-route-distance=3.

Don't forget to set up NAT on the way out:

/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN

As a result, users of the local networks happily download cats via provider ISP2, and the channel is reserved using the check-gateway mechanism. See note 1.

Point 1 of the task is done. Where is multivan with its marks? Nowhere...

Next. You need to let specific clients from the LAN out via ISP1:

/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS \
    passthrough=yes route-dst=100.66.66.1 src-address-list=Via_ISP1
/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS \
    passthrough=no route-dst=100.66.66.1 src-address=192.168.88.0/24

Points 2 and 3 of the task are done. Marks, stamps, routing rules, where are you?!

Want to make your favorite OpenVPN server with address 172.17.17.17 accessible to clients from the Internet? Please:

/ip cloud set ddns-enabled=yes

As the peer, we give the client the result of ":put [/ip cloud get dns-name]"

We register port forwarding from the Internet:

/ip firewall nat add action=dst-nat chain=dstnat dst-port=1194 \
    in-interface-list=WAN protocol=udp to-addresses=172.17.17.17

Point four is ready.

We set up the firewall and other security for point 5, at the same time rejoicing that everything already works for the users, and reach for a container with our favorite drink...
Ah! The tunnels were forgotten.

Did the l2tp-client, configured from a googled article, come up to your favorite Dutch VDS? Yes.
Did the l2tp-server with IPsec come up, and do the clients stick to it using the DNS name from IP Cloud (see above)? Yes.
Leaning back in the chair, sipping the drink, we lazily consider points 6 and 7 of the task. We think: do we need them? It works as it is anyway (c)... So if it isn't needed, that's it. Multivan is implemented.

What is multivan? It is the connection of several Internet channels to one router.

You don't have to read the article further, since what can there be besides showing off with dubious applicability?

For those who remain, who are interested in points 6 and 7 of the task and also feel the itch of perfectionism, we dive deeper.

The most important task in implementing multivan is correct traffic routing. Namely: regardless of which ISP channel (or channels, see note 3) the default route on our router points to, it must return the reply to exactly the channel the packet arrived from. The task is clear. Where's the problem? Indeed, in a simple local network the task is the same, but nobody bothers with extra settings and nobody feels any problems. The difference is that any routable node on the Internet is reachable through each of our channels, and not through one strictly defined channel, as in a simple LAN. And the "problem" is that if a request arrived at the IP address of ISP3, then in our case the reply will go out through the ISP2 channel, since the default gateway points there. It will leave and be dropped by the provider as incorrect. The problem is identified. How do we solve it?

The solution is divided into three stages:

  1. Preparation. At this stage, the basic router settings will be set: local network, firewall, address lists, hairpin NAT, and so on.
  2. Multivan. At this stage, the necessary connections will be marked and sorted into routing tables.
  3. Connecting to the ISPs. At this stage, the interfaces that provide the Internet connection will be configured, routing enabled and channel reservation activated.

1. Preparation

1.1. Clear the router configuration with the command:

/system reset-configuration skip-backup=yes no-defaults=yes

agree to "Dangerous! Reset anyway? [y/N]:" and, after the reboot, connect with Winbox via MAC. At this stage the configuration and the user base are cleared.

1.2. Create a new user:

/user add group=full name=knight password=ultrasecret comment="Not horse"

log in under it and remove the default one:

/user remove admin

Note. It is removing, rather than disabling, the default user that the author considers safer and recommends.

1.3. Create basic interface lists for convenient use in the firewall, the discovery settings and the other MAC servers:

/interface list add name=WAN comment="For Internet"
/interface list add name=LAN comment="For Local Area"

Sign the interfaces with comments

/interface ethernet set ether1 comment="to ISP1"
/interface ethernet set ether2 comment="to ISP2"
/interface ethernet set ether3 comment="to ISP3"
/interface ethernet set ether4 comment="to LAN1"
/interface ethernet set ether5 comment="to LAN2"

and fill in the interface lists:

/interface list member add interface=ether1 list=WAN comment=ISP1
/interface list member add interface=ether2 list=WAN comment=ISP2 
/interface list member add interface=ether3 list=WAN comment="to ISP3"
/interface list member add interface=ether4 list=LAN  comment="LAN1"
/interface list member add interface=ether5 list=LAN  comment="LAN2"

Note. Writing meaningful comments is worth the time spent on it; it also greatly helps with troubleshooting and understanding the configuration.

The author considers it necessary, for security reasons, to add the ether3 interface to the "WAN" interface list, even though the ip protocol will not pass over it.

Don't forget that after the PPP interface is raised on ether3, it also has to be added to the "WAN" interface list.

1.4. Hide the router from neighbor discovery and from control via MAC from the provider networks:

/ip neighbor discovery-settings set discover-interface-list=!WAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

1.5. Create a minimal sufficient set of firewall filter rules to protect the router:

/ip firewall filter add action=accept chain=input comment="Related Established Untracked Allow" \
    connection-state=established,related,untracked

(The rule allows established and related connections, whether initiated from the networks connected to the router or by the router itself)

/ip firewall filter add action=accept chain=input comment="ICMP from ALL" protocol=icmp

(ping, and not only ping. All icmp is allowed in. Very useful for finding MTU problems)

/ip firewall filter add action=drop chain=input comment="All other WAN Drop" in-interface-list=WAN

(the rule closing the input chain forbids everything else arriving from the Internet)

/ip firewall filter add action=accept chain=forward \
    comment="Established, Related, Untracked allow" \
    connection-state=established,related,untracked

(the rule allows established and related connections passing through the router)

/ip firewall filter add action=drop chain=forward comment="Invalid drop" connection-state=invalid

(the rule drops connections with connection-state=invalid passing through the router. It is strongly recommended by Mikrotik, but in some rare situations it can block useful traffic)

/ip firewall filter add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

(the rule forbids packets that arrived from the Internet and did not pass the dstnat procedure from passing through the router. This protects the local networks from intruders who, being in the same broadcast domain as our external networks, set our external IP as their gateway and thus try to "probe" our local networks.)

Note. We assume that the networks LAN1 and LAN2 are trusted and that traffic between them and from them is not filtered.

1.6. Create an address list of non-routable networks:

/ip firewall address-list
add address=0.0.0.0/8 comment="\"This\" Network" list=BOGONS
add address=10.0.0.0/8 comment="Private-Use Networks" list=BOGONS
add address=100.64.0.0/10 comment="Shared Address Space. RFC 6598" list=BOGONS
add address=127.0.0.0/8 comment=Loopback list=BOGONS
add address=169.254.0.0/16 comment="Link Local" list=BOGONS
add address=172.16.0.0/12 comment="Private-Use Networks" list=BOGONS
add address=192.0.0.0/24 comment="IETF Protocol Assignments" list=BOGONS
add address=192.0.2.0/24 comment=TEST-NET-1 list=BOGONS
add address=192.168.0.0/16 comment="Private-Use Networks" list=BOGONS
add address=198.18.0.0/15 comment="Network Interconnect Device Benchmark Testing" list=BOGONS
add address=198.51.100.0/24 comment=TEST-NET-2 list=BOGONS
add address=203.0.113.0/24 comment=TEST-NET-3 list=BOGONS
add address=224.0.0.0/4 comment=Multicast list=BOGONS
add address=192.88.99.0/24 comment="6to4 Relay Anycast" list=BOGONS
add address=240.0.0.0/4 comment="Reserved for Future Use" list=BOGONS
add address=255.255.255.255 comment="Limited Broadcast" list=BOGONS

(This is a list of addresses and networks that are not routed on the Internet; they will be handled accordingly.)

Note. The list may change, so I advise you to check that it is still current.

1.7. Configure DNS for the router itself:

/ip dns set servers=1.1.1.1,8.8.8.8

Note. In the current version of ROS, dynamic servers take precedence over static ones. A name resolution request is sent to the first server in the list. The switch to the next server happens when the current one is unavailable. The timeout is large, more than 5 seconds. Switching back, when the "fallen" server comes back up, does not happen automatically. Given this algorithm and the presence of multivan, the author recommends not using the servers supplied by the providers.

1.8. Configure the local network.
1.8.1. Configure static IP addresses on the LAN interfaces:

/ip address add interface=ether4 address=192.168.88.254/24 comment="LAN1 IP"
/ip address add interface=ether5 address=172.16.1.0/23 comment="LAN2 IP"

1.8.2. Set the routing rules that send traffic to our local networks via the main routing table:

/ip route rule add dst-address=192.168.88.0/24 table=main comment="to LAN1"
/ip route rule add dst-address=172.16.0.0/23 table=main comment="to LAN2"

Note. This is one of the fast and simple ways to reach LAN addresses with the router's external IP addresses as the source, without going through the default route.

1.8.3. Enable Hairpin NAT for LAN1 and LAN2:

/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN1" \
    out-interface=ether4 src-address=192.168.88.0/24 to-addresses=192.168.88.254
/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN2" \
    out-interface=ether5 src-address=172.16.0.0/23 to-addresses=172.16.1.0

Note. This lets you reach your own resources (dstnat) via the external IP while inside the network.

2. Actually, the implementation of the correct multivan

To solve the "reply where you were asked" problem we will use two ROS tools: connection mark and routing mark. connection mark lets you mark the desired connection and then use this mark as a condition for applying a routing mark. And with a routing mark it is already possible to work in ip route and route rules. We have settled on the tools; now we need to decide which connections to mark (one) and where to mark them (two).

With the first, everything is simple: we must mark, with a corresponding mark, all connections that come to the router from the Internet through the corresponding channel. In our case these will be three marks (by the number of channels): "conn_isp1", "conn_isp2" and "conn_isp3".

The nuance with the second is that incoming connections will be of two kinds: transit, and those intended for the router itself. The connection mark mechanism works in the mangle table. Consider the packet flow in the simplified diagram, kindly made by the specialists of mikrotik-trainings.com (not advertising):


Following the arrows, we see that a packet arriving at the "Input Interface" passes through the "Prerouting" chain and only then is split into transit and local in the "Routing Decision" block. Therefore, to kill two birds with one stone, we apply Connection Mark in the Mangle table in the Prerouting chain.

Note. In ROS, "Routing mark" marks are listed as "Table" in the Ip/Routes/Rules section and as "Routing Mark" in the other sections. This can cause some confusion, but in fact they are the same thing, and an analogue of rt_tables in iproute2 on linux.

2.1. Mark the incoming connections from each provider:

/ip firewall mangle add action=mark-connection chain=prerouting \
    comment="Connmark in from ISP1" connection-mark=no-mark in-interface=ether1 \
    new-connection-mark=conn_isp1 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting \
    comment="Connmark in from ISP2" connection-mark=no-mark in-interface=ether2 \
    new-connection-mark=conn_isp2 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting \
    comment="Connmark in from ISP3" connection-mark=no-mark in-interface=pppoe-isp3 \
    new-connection-mark=conn_isp3 passthrough=no

Note. In order not to re-mark already marked connections, I use the connection-mark=no-mark condition instead of connection-state=new, because I consider this more correct, and also because we refused to drop invalid connections in the filter.

passthrough=no, because in this implementation re-marking is excluded and, to speed things up, the traversal of the rules can be stopped after the first match.

It should be borne in mind that we are not yet interfering with routing in any way. So far these are only preparatory stages. The next stage of the implementation will be handling the transit traffic that returns over an established connection from its destination in the local network. I.e. packets which (see the diagram) passed through the router along the path:

"Input Interface"=>"Prerouting"=>"Routing Decision"=>"Forward"=>"Post Routing"=>"Output Interface" and reached their addressee in the local network.

Important! In ROS there is no logical division into external and internal interfaces. If we trace the path of the reply packet according to the diagram above, it will follow the same logical path as the request:

"Input Interface"=>"Prerouting"=>"Routing Decision"=>"Forward"=>"Post Routing"=>"Output Interface", only for the request the "Input Interface" was the ISP interface, and for the reply it is the LAN one.

2.2. Direct the transit reply traffic to the corresponding routing tables:

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Routemark transit out via ISP1" connection-mark=conn_isp1 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Routemark transit out via ISP2" connection-mark=conn_isp2 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Routemark transit out via ISP3" connection-mark=conn_isp3 \
    dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp3 passthrough=no

Note. in-interface-list=!WAN: we work only with traffic from the local network, and dst-address-type=!local: only with traffic whose destination is not one of the router's own interface addresses.

The same applies to local packets that arrived at the router along the path:

"Input Interface"=>"Prerouting"=>"Routing Decision"=>"Input"=>"Local Process"

Important! The reply will go like this:

"Local Process"=>"Routing Decision"=>"Output"=>"Post Routing"=>"Output Interface"

2.3. Direct the local reply traffic to the corresponding routing tables:

/ip firewall mangle add action=mark-routing chain=output \
    comment="Routemark local out via ISP1" connection-mark=conn_isp1 dst-address-type=!local \
    new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=output \
    comment="Routemark local out via ISP2" connection-mark=conn_isp2 dst-address-type=!local \
    new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=output \
    comment="Routemark local out via ISP3" connection-mark=conn_isp3 dst-address-type=!local \
    new-routing-mark=to_isp3 passthrough=no

At this stage, the task of preparing to send the reply to the Internet channel the request came from can be considered solved. Everything is marked, labelled and ready to be routed.
A great "side" effect of this setup is the ability to work with DSTNAT port forwarding from both providers (ISP2, ISP3) at the same time. Not ISP1, since there we have a non-routable address. This effect matters, for example, for a mail server with two MX records pointing at different Internet channels.

To eliminate the nuances of reaching the local networks via the router's external IP, we use the solutions from paragraphs 1.8.2 and 3.1.2.6.

In addition, you can use the marking tool to solve point 3 of the task. We implement it like this:

2.4. Direct traffic from the local clients in the address lists to the appropriate tables:

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Address List via ISP1" dst-address-list=!BOGONS new-routing-mark=to_isp1 \
    passthrough=no src-address-list=Via_ISP1

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Address List via ISP2" dst-address-list=!BOGONS new-routing-mark=to_isp2 \
    passthrough=no src-address-list=Via_ISP2

/ip firewall mangle add action=mark-routing chain=prerouting \
    comment="Address List via ISP3" dst-address-list=!BOGONS new-routing-mark=to_isp3 \
    passthrough=no src-address-list=Via_ISP3

As a result, the set of mangle rules looks as shown in the figure.

3. Setting up the connections to the ISPs and enabling marked routing

3.1. Configure the connection to ISP1:
3.1.1. Configure the static IP address:

/ip address add interface=ether1 address=100.66.66.2/30 comment="ISP1 IP"

3.1.2. Configure static routing:
3.1.2.1. Add an "emergency" default route:

/ip route add comment="Emergency route" distance=254 type=blackhole

Note. This route lets traffic from local processes pass the Routing Decision stage regardless of the state of any of the provider links. The nuance of outgoing local traffic is that, for a packet to move anywhere at all, the main routing table must contain an active route to a default gateway. If there is none, the packet is simply destroyed.

As an extension of the check-gateway tool, for a deeper analysis of link state I propose using the recursive routes technique. The essence of the method is that we tell the router to look for the path to its gateway not directly, but through an intermediate gateway. 4.2.2.1, 4.2.2.2 and 4.2.2.3 are chosen as such "test" gateways for ISP1, ISP2 and ISP3 respectively.

3.1.2.2. Route to the "test" address:

/ip route add check-gateway=ping comment="For recursion via ISP1" \
    distance=1 dst-address=4.2.2.1 gateway=100.66.66.1 scope=10

Note. We lower the scope value to the ROS default target scope in order to use 4.2.2.1 as a recursive gateway later. I emphasize: the scope of the route to the "test" address must be less than or equal to the target scope of the route that will refer to it.

3.1.2.3. Recursive route for traffic without a mark:

/ip route add comment="Unmarked via ISP1" distance=2 gateway=4.2.2.1

Note. The value distance=2 is used because ISP1 is declared the first backup according to the task conditions.

3.1.2.4. Recursive route for traffic with the "to_isp1" mark:

/ip route add comment="Marked via ISP1 Main" distance=1 gateway=4.2.2.1 \
    routing-mark=to_isp1

Note. Actually, here we start to enjoy the fruits of the preparatory work done in paragraph 2.

With this route, all traffic with the routing mark "to_isp1" will be directed to the gateway of the first provider, regardless of which gateway is currently active in the main table.

3.1.2.5. First backup recursive routes for the marked traffic of ISP2 and ISP3:

/ip route add comment="Marked via ISP2 Backup1" distance=2 gateway=4.2.2.1 \
    routing-mark=to_isp2
/ip route add comment="Marked via ISP3 Backup1" distance=2 gateway=4.2.2.1 \
    routing-mark=to_isp3

Note. These routes are needed, among other things, to reserve traffic from the local networks included in the address lists that are marked "to_isp*".

3.1.2.6. Register the route for the router's own traffic to the Internet via ISP1:

/ip route rule add comment="From ISP1 IP to Inet" src-address=100.66.66.2 table=to_isp1

Note. Together with the rules of paragraph 1.8.2, it provides access to the desired channel for a given source address. This is critical when building tunnels that specify the local IP address (EoIP, IP-IP, GRE). Since the rules in ip route rules are executed from top to bottom until the first match, this rule must come after the rules of paragraph 1.8.2.

3.1.3. Register the NAT rule for outgoing traffic:

/ip firewall nat add action=src-nat chain=srcnat comment="NAT via ISP1" \
    ipsec-policy=out,none out-interface=ether1 to-addresses=100.66.66.2

Note. We NAT everything going out, except what falls under IPsec policies. I try not to use action=masquerade unless absolutely necessary. It is slower and more resource-hungry than src-nat, because it computes the NAT address for every new connection.

3.1.4. Send the clients from the list that are not allowed out via the other providers directly to the gateway of provider ISP1.

/ip firewall mangle add action=route chain=prerouting comment="Address List via ISP1 only" \
    dst-address-list=!BOGONS passthrough=no route-dst=100.66.66.1 \
    src-address-list=Via_only_ISP1 place-before=0

Note. action=route has a higher priority and is applied before the other routing rules.

place-before=0 places our rule first in the list.

3.2. Configure the connection to ISP2.

Since provider ISP2 gives us the settings via DHCP, it makes sense to make the necessary changes with a script that runs when the DHCP client is triggered:

/ip dhcp-client
add add-default-route=no disabled=no interface=ether2 script=":if (\$bound=1) do={\r\
    \n    /ip route add check-gateway=ping comment=\"For recursion via ISP2\" distance=1 \
           dst-address=4.2.2.2/32 gateway=\$\"gateway-address\" scope=10\r\
    \n    /ip route add comment=\"Unmarked via ISP2\" distance=1 gateway=4.2.2.2;\r\
    \n    /ip route add comment=\"Marked via ISP2 Main\" distance=1 gateway=4.2.2.2 \
           routing-mark=to_isp2;\r\
    \n    /ip route add comment=\"Marked via ISP1 Backup1\" distance=2 gateway=4.2.2.2 \
           routing-mark=to_isp1;\r\
    \n    /ip route add comment=\"Marked via ISP3 Backup2\" distance=3 gateway=4.2.2.2 \
           routing-mark=to_isp3;\r\
    \n    /ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none \
           out-interface=\$\"interface\" to-addresses=\$\"lease-address\" comment=\"NAT via ISP2\" \
           place-before=1;\r\
    \n    :if ([/ip route rule find comment=\"From ISP2 IP to Inet\"] =\"\") do={\r\
    \n        /ip route rule add comment=\"From ISP2 IP to Inet\" \
               src-address=\$\"lease-address\" table=to_isp2 \r\
    \n    } else={\r\
    \n       /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=no \
              src-address=\$\"lease-address\"\r\
    \n    }      \r\
    \n} else={\r\
    \n   /ip firewall nat remove  [find comment=\"NAT via ISP2\"];\r\
    \n   /ip route remove [find comment=\"For recursion via ISP2\"];\r\
    \n   /ip route remove [find comment=\"Unmarked via ISP2\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP2 Main\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP1 Backup1\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP3 Backup2\"];\r\
    \n   /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=yes\r\
    \n}\r\
    \n" use-peer-dns=no use-peer-ntp=no

The script itself, as it appears in the Winbox window, is shown in the figure.

Note. The first part of the script is triggered when a lease is obtained successfully, the second after it is released. See note 2.

3.3. Configure the connection to provider ISP3.

Since the provider gives us the settings dynamically, it makes sense to make the necessary changes with scripts that run after the ppp interface is raised and after it goes down.

3.3.1. First create the profile:

/ppp profile
add comment="for PPPoE to ISP3" interface-list=WAN name=isp3_client \
on-down="/ip firewall nat remove  [find comment=\"NAT via ISP3\"];\r\
    \n/ip route remove [find comment=\"For recursion via ISP3\"];\r\
    \n/ip route remove [find comment=\"Unmarked via ISP3\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP3 Main\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP1 Backup2\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP2 Backup2\"];\r\
    \n/ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=yes;" \
on-up="/ip route add check-gateway=ping comment=\"For recursion via ISP3\" distance=1 \
    dst-address=4.2.2.3/32 gateway=\$\"remote-address\" scope=10\r\
    \n/ip route add comment=\"Unmarked via ISP3\" distance=3 gateway=4.2.2.3;\r\
    \n/ip route add comment=\"Marked via ISP3 Main\" distance=1 gateway=4.2.2.3 \
    routing-mark=to_isp3;\r\
    \n/ip route add comment=\"Marked via ISP1 Backup2\" distance=3 gateway=4.2.2.3 \
    routing-mark=to_isp1;\r\
    \n/ip route add comment=\"Marked via ISP2 Backup2\" distance=3 gateway=4.2.2.3 \
    routing-mark=to_isp2;\r\
    \n/ip firewall mangle set [find comment=\"Connmark in from ISP3\"] \
    in-interface=\$\"interface\";\r\
    \n/ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none \
    out-interface=\$\"interface\" to-addresses=\$\"local-address\" comment=\"NAT via ISP3\" \
    place-before=1;\r\
    \n:if ([/ip route rule find comment=\"From ISP3 IP to Inet\"] =\"\") do={\r\
    \n   /ip route rule add comment=\"From ISP3 IP to Inet\" src-address=\$\"local-address\" \
    table=to_isp3 \r\
    \n} else={\r\
    \n   /ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=no \
    src-address=\$\"local-address\"\r\
    \n};\r\
    \n"

The script itself, as it appears in the Winbox window, is shown in the figure.

Note. The line
/ip firewall mangle set [find comment="Connmark in from ISP3"] in-interface=$"interface";
lets the rule survive a renaming of the interface, since it works with the interface's internal id rather than its display name.

3.3.2. Now create the ppp connection using the profile:

/interface pppoe-client add allow=mschap2 comment="to ISP3" disabled=no \
    interface=ether3 name=pppoe-isp3 password=isp3_pass profile=isp3_client user=isp3_client
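To check that the marks and route tables built in sections 2 and 3 really send every reply back out the channel it came in on, and fail over in the order the task demands, here is an offline model of the policy (an added example, not the article's own code). It reproduces the mangle rules of 2.1-2.4 and 3.1.4, the route rules of 1.8.2 and 3.1.2.6, and the marked and unmarked route tables of section 3 on constructed packets; ISP2/ISP3 gateways are learned dynamically in the article, so providers are referred to by name, and 1.1.1.1 stands in for an arbitrary Internet peer.

```python
from dataclasses import dataclass

# Interface-to-provider mapping and static ISP1 data from the article.
ISP_OF_IFACE = {"ether1": "isp1", "ether2": "isp2", "pppoe-isp3": "isp3"}
IFACE_OF_ISP = {isp: iface for iface, isp in ISP_OF_IFACE.items()}
ISP1_GW = "100.66.66.1"                                # ISP1 gateway (section 3.1)
LAN_NETS = ("192.168.88.", "172.16.0.", "172.16.1.")   # LAN1 /24 and LAN2 /23 prefixes
ROUTER_WAN_IPS = {"100.66.66.2": "to_isp1"}            # route rule 3.1.2.6; the ISP2/ISP3
                                                       # rules are added by the scripts
# Route tables of section 3 as (provider, distance). Their gateways are the 4.2.2.x
# probes, so a route is usable only while that provider's probe route is alive.
TABLES = {
    "main":    [("isp2", 1), ("isp1", 2), ("isp3", 3)],    # "Unmarked via ISPx"
    "to_isp1": [("isp1", 1), ("isp2", 2), ("isp3", 3)],    # "Marked via ISPx Main/Backup"
    "to_isp2": [("isp2", 1), ("isp1", 2), ("isp3", 3)],
    "to_isp3": [("isp3", 1), ("isp1", 2), ("isp2", 3)],
}

@dataclass
class Packet:
    in_iface: str                       # LAN/WAN interface, "" for the router's own output
    src: str
    dst: str
    conn_mark: str = ""                 # "" is RouterOS "no-mark"
    routing_mark: str = ""
    route_dst: str = ""                 # set by action=route; bypasses the routing decision
    src_lists: frozenset = frozenset()  # address lists the source belongs to
    dst_is_bogon: bool = False
    dst_is_local: bool = False          # destination is one of the router's own addresses

def mangle_prerouting(p):
    """Prerouting mangle rules of 2.1, 2.2, 2.4 and 3.1.4 in their final table order.
    Every rule has passthrough=no, hence the early returns."""
    # 3.1.4 (place-before=0): listed hosts go straight to ISP1's gateway, marks or not.
    if "Via_only_ISP1" in p.src_lists and not p.dst_is_bogon:
        p.route_dst = ISP1_GW
        return p
    # 2.1: the first packet of a connection arriving from a provider marks the connection.
    if p.conn_mark == "" and p.in_iface in ISP_OF_IFACE:
        p.conn_mark = "conn_" + ISP_OF_IFACE[p.in_iface]
        return p
    # 2.2: transit replies (in-interface-list=!WAN, dst-address-type=!local) take the
    # provider recorded in the connection mark.
    if p.conn_mark and p.in_iface not in ISP_OF_IFACE and not p.dst_is_local:
        p.routing_mark = "to_" + p.conn_mark[len("conn_"):]
        return p
    # 2.4: policy routing for LAN hosts listed in Via_ISP1/2/3 (point 3 of the task).
    for isp in ("isp1", "isp2", "isp3"):
        if "Via_" + isp.upper() in p.src_lists and not p.dst_is_bogon:
            p.routing_mark = "to_" + isp
            return p
    return p

def mangle_output(p):
    """Output mangle rules of 2.3: the router's own replies follow the connection mark."""
    if p.conn_mark and not p.dst_is_local:
        p.routing_mark = "to_" + p.conn_mark[len("conn_"):]
    return p

def route_rules(p):
    """ip route rules, top to bottom: 1.8.2 (LAN destinations -> main), then 3.1.2.6."""
    if p.dst.startswith(LAN_NETS):
        return "main"
    return ROUTER_WAN_IPS.get(p.src)

def select_egress(p, alive):
    """Provider the packet leaves through, or "blackhole" (the 3.1.2.1 emergency route)."""
    if p.route_dst:
        return "isp1"                                   # action=route: direct to ISP1's gateway
    table = route_rules(p) or p.routing_mark or "main"
    for tbl in (table, "main"):                         # ROS v6 falls back to main when the
        usable = [(d, isp) for isp, d in TABLES[tbl] if alive[isp]]   # marked table is empty
        if usable:
            return min(usable)[1]                       # lowest distance wins
    return "blackhole"

def transit_reply(isp_in, alive, src_lists=frozenset()):
    """A connection arrives from the Internet via isp_in (e.g. the DSTNATed service) and a
    LAN2 host answers; returns the provider the answer leaves through."""
    inbound = mangle_prerouting(Packet(IFACE_OF_ISP[isp_in], "1.1.1.1", "172.16.0.10"))
    reply = Packet("ether5", "172.16.0.10", "1.1.1.1",
                   conn_mark=inbound.conn_mark, src_lists=src_lists)
    return select_egress(mangle_prerouting(reply), alive)

def lan_new_connection(alive, src_lists=frozenset()):
    """First packet of a connection that a LAN1 host opens towards the Internet."""
    p = Packet("ether4", "192.168.88.10", "1.1.1.1", src_lists=src_lists)
    return select_egress(mangle_prerouting(p), alive)

def router_own_reply(isp_in, alive):
    """The router answers a connection made to one of its own WAN addresses."""
    inbound = mangle_prerouting(Packet(IFACE_OF_ISP[isp_in], "1.1.1.1", "router",
                                       dst_is_local=True))
    src = "100.66.66.2" if isp_in == "isp1" else "dynamic-wan-ip"
    reply = Packet("", src, "1.1.1.1", conn_mark=inbound.conn_mark)
    return select_egress(mangle_output(reply), alive)

if __name__ == "__main__":
    up = {"isp1": True, "isp2": True, "isp3": True}
    print("reply via ISP3, all links up:", transit_reply("isp3", up))
    print("reply via ISP3, ISP3 probe down:", transit_reply("isp3", dict(up, isp3=False)))
    print("new LAN connection, unmarked:", lan_new_connection(up))
```

The failover order visible in the model (main table ISP2, then ISP1, then ISP3; a marked table first its own provider, then the backups by distance) is exactly the one the distances in sections 3.1.2.3 to 3.3.1 encode.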

As a final touch, set the clock:

/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org

For those who read to the end

The proposed way of implementing multivan is the author's personal preference and not the only possible one. The ROS toolkit is extensive and flexible, which on the one hand causes difficulties for beginners and on the other is the reason for its popularity. Learn, try, discover new tools and solutions. For example, as an application of the knowledge gained, it is possible to replace the check-gateway tool with recursive routes in this multivan implementation with netwatch.

Notes

  1. check-gateway is a mechanism that disables a route after two consecutive failed checks of the gateway's availability. The check is performed once every 10 seconds, plus the response timeout. In total, the actual switching time is in the range of 20-30 seconds. If such a switching time is not enough, there is the option of using the netwatch tool, where the check timer can be set manually. check-gateway does not trigger on intermittent packet loss on the link.

    Important! Disabling the main route disables all routes that refer to it. Therefore, specifying check-gateway=ping for them is not necessary.

  2. It happens that a failure occurs in the DHCP mechanism, which looks like the client getting stuck in the renewing state. In this case the second part of the script will not run, but this does not prevent traffic from flowing properly, since the state is tracked by the corresponding recursive route.
  3. ECMP (Equal Cost Multi-Path): in ROS it is possible to set a route with several gateways and the same distance. In this case, connections will be distributed over the channels using the round robin algorithm, in proportion to the number of gateways specified.

For the inspiration to write the article, and for help in shaping its design and placing accents, personal thanks to Evgeny. @jscar

Source: www.habr.com