Njira ndi njira yopezera njira yabwino kwambiri yotumizira mapaketi pamanetiweki a TCP/IP. Chida chilichonse cholumikizidwa ndi netiweki ya IPv4 chimakhala ndi ndondomeko ndi matebulo owongolera.
Nkhaniyi si ya HOWTO, ikufotokoza maulendo osasunthika mu RouterOS ndi zitsanzo, ndinasiya mwadala zotsalira zonse (mwachitsanzo, srcnat kuti mupeze intaneti), kotero kumvetsetsa nkhaniyi kumafuna mlingo wina wa chidziwitso cha maukonde ndi RouterOS.
Kusintha ndi mayendedwe
Kusinthana ndi njira yosinthira mapaketi mkati mwa gawo limodzi la Layer2 (Ethernet, ppp, ...). Ngati chipangizochi chikuwona kuti wolandila paketiyo ali pagawo la Efaneti yemweyo, amaphunzira adilesi ya Mac pogwiritsa ntchito arp protocol ndikutumiza paketiyo mwachindunji, kudutsa rauta. Kulumikizana kwa ppp (point-to-point) kumatha kukhala ndi otenga nawo mbali awiri okha ndipo paketi nthawi zonse imatumizidwa ku adilesi imodzi 0xff.
Njira ndi njira yosamutsira mapaketi pakati pa zigawo za Layer2. Ngati chipangizo chikufuna kutumiza paketi yomwe wolandirayo ali kunja kwa gawo la Efaneti, imayang'ana pa tebulo lake ndikudutsa paketi pachipata, chomwe chimadziwa komwe mungatumize paketiyo (kapena sakudziwa, wotumiza woyambirira wa paketiyo). sindikudziwa izi).
Njira yosavuta yoganizira za rauta ndi ngati chipangizo cholumikizidwa ndi magawo awiri kapena angapo a Layer2 ndikutha kudutsa mapaketi pakati pawo pozindikira njira yabwino yochokera patebulo lolowera.
Ngati mukumvetsa zonse, kapena mumadziwa kale, werengani. Kwa ena onse, ndikupangira kuti mudziwe bwino ndi kakang'ono, koma kokwanira kwambiri .
Kuwongolera mu RouterOS ndi PacketFlow
Pafupifupi machitidwe onse okhudzana ndi static routing ali mu phukusi dongosolo. Chikwama chapulasitiki wam'mbuyomu imawonjezera kuthandizira kwa ma algorithms osinthika (RIP, OSPF, BGP, MME), Zosefera za Routing ndi BFD.
Menyu yayikulu yokhazikitsira njira: [IP]->[Route]. Machitidwe ovuta angafunike kuti mapaketi alembedwe kale ndi chizindikiro cholowera mu: [IP]->[Firewall]->[Mangle] (maketani PREROUTING ΠΈ OUTPUT).
Pali malo atatu pa PacketFlow pomwe zisankho zamapaketi a IP zimapangidwa:
- Mapaketi oyendetsa olandilidwa ndi rauta. Pakadali pano, zimaganiziridwa ngati paketiyo ipita kumalo komweko kapena itumizidwa ku netiweki. Maulendo amalandila Kutulutsa Kutulutsa
- Kuwongolera mapaketi omwe akutuluka. Mapaketi otuluka amalandira Kutulutsa Kutulutsa
- Njira yowonjezera pamapaketi omwe atuluka, imakupatsani mwayi wosintha njira yolowera
[Output|Mangle]
- Njira ya paketi mu midadada 1, 2 zimatengera malamulo mu
[IP]->[Route] - Njira ya paketi mu mfundo 1, 2 ndi 3 zimatengera malamulo mu
[IP]->[Route]->[Rules] - Njira ya phukusi mu midadada 1, 3 imatha kukhudzidwa pogwiritsa ntchito
[IP]->[Firewall]->[Mangle]
RIB, FIB, Routing Cache
Routing Information Base
Maziko omwe mayendedwe amasonkhanitsidwa kuchokera kumayendedwe osinthika, njira zochokera ku ppp ndi dhcp, mayendedwe osasunthika ndi olumikizidwa. Tsambali lili ndi njira zonse, kupatula zomwe zimasefedwa ndi woyang'anira.
Moyenera, tikhoza kuganiza kuti [IP]->[Route] akuwonetsa RIB.
Forwarding Information Base
Maziko omwe njira zabwino kwambiri zochokera ku RIB zimasonkhanitsidwa. Njira zonse za FIB ndizogwira ntchito ndipo zimagwiritsidwa ntchito kutumiza mapaketi. Ngati njirayo imakhala yosagwira ntchito (yolemala ndi woyang'anira (dongosolo), kapena mawonekedwe omwe paketi iyenera kutumizidwa sikugwira ntchito), njirayo imachotsedwa ku FIB.
Kuti mupange chisankho cholowera, tebulo la FIB limagwiritsa ntchito izi za paketi ya IP:
- Adilesi Yochokera
- Adilesi Yopita
- Source Interface
- Chizindikiro chanjira
- ToS (DSCP)
Kulowa mu phukusi la FIB kumadutsa magawo awa:
- Kodi phukusili lakonzedwa kuti liziyendera rauta yapafupi?
- Kodi paketiyo imadalira malamulo a dongosolo kapena ogwiritsa ntchito a PBR?
- Ngati inde, ndiye kuti paketiyo imatumizidwa ku tebulo lodziwika
- Phukusili limatumizidwa ku tebulo lalikulu
Moyenera, tikhoza kuganiza kuti [IP]->[Route Active=yes] kuwonetsa FIB.
Kutumiza Cache
Njira yosungiramo njira. Router imakumbukira komwe mapaketiwo adatumizidwa ndipo ngati pali ofanana (mwina kuchokera ku kulumikizana komweko) amawalola kupita njira yomweyo, osayang'ana mu FIB. Cache yanjira imachotsedwa nthawi ndi nthawi.
Kwa olamulira a RouterOS, sanapange zida zowonera ndikuwongolera Routing Cache, koma ikatha kuyimitsidwa. [IP]->[Settings].
Makinawa adachotsedwa ku linux 3.6 kernel, koma RouterOS amagwiritsabe ntchito kernel 3.3.5, mwina Routing cahce ndi chimodzi mwazifukwa.
Onjezani kukambirana kwanjira
[IP]->[Route]->[+]
- Subnet yomwe mukufuna kupanga njira (zosakhazikika: 0.0.0.0/0)
- Gateway IP kapena mawonekedwe omwe paketiyo idzatumizidwa (pakhoza kukhala zingapo, onani ECMP pansipa)
- Kuwunika Kupezeka kwa Gateway
- Mtundu wa Record
- Mtunda (metric) wanjira
- Tabu yolowera
- IP yamapaketi otuluka kwanuko kudzera panjira iyi
- Cholinga cha Scope ndi Target Scope chalembedwa kumapeto kwa nkhaniyo.
Njira mbendera
- X - Njirayi imayimitsidwa ndi woyang'anira (
disabled=yes) - A - Njirayi imagwiritsidwa ntchito potumiza mapaketi
- D - Njira yowonjezeredwa mwamphamvu (BGP, OSPF, RIP, MME, PPP, DHCP, Connected)
- C - Subnet imalumikizidwa mwachindunji ndi rauta
- S - Njira Yokhazikika
- r,b,o,m - Njira yowonjezeredwa ndi imodzi mwa njira zosinthira
- B,U,P - Njira yosefera (imagwetsa mapaketi m'malo motumiza)
Zomwe mungatchule pachipata: ip-adilesi kapena mawonekedwe?
Dongosololi limakupatsani mwayi wofotokozera zonse ziwiri, pomwe sililumbira komanso silipereka malingaliro ngati mwachita cholakwika.
Adilesi ya IP
Adilesi yapakhomo iyenera kupezeka pa Layer2. Kwa Efaneti, izi zikutanthauza kuti rauta iyenera kukhala ndi adilesi yochokera ku subnet yomweyo pa imodzi mwazolumikizana za ip yogwira, kwa ppp, kuti adilesi yachipata imatchulidwa pa imodzi mwazolumikizana zogwira ngati subnet adilesi.
Ngati kupezeka kwa Layer2 sikunakwaniritsidwe, njirayo imatengedwa ngati yosagwira ntchito ndipo siyigwera mu FIB.
mawonekedwe
Chilichonse chimakhala chovuta kwambiri ndipo machitidwe a rauta amadalira mtundu wa mawonekedwe:
- Kulumikizana kwa PPP (Async, PPTP, L2TP, SSTP, PPPoE, OpenVPN *) kumangotengera anthu awiri okha ndipo paketiyo nthawi zonse imatumizidwa pachipata chopatsira, ngati chipata chizindikira kuti wolandirayo ndi yekhayo, ndiye kuti amasamutsa paketiyo. ndondomeko yake yakumaloko.
- Ethernet imatengera kukhalapo kwa ambiri omwe atenga nawo mbali ndipo imatumiza zopempha ku mawonekedwe a arp ndi adilesi ya wolandila paketi, izi zimayembekezeredwa komanso machitidwe abwinobwino pamayendedwe olumikizidwa.
Koma mukayesa kugwiritsa ntchito mawonekedwe ngati njira yolowera ku subnet yakutali, mudzapeza zotsatirazi: njirayo ikugwira ntchito, ping kupita pachipata, koma sichifika kwa wolandirayo kuchokera ku subnet yodziwika. Ngati muyang'ana mawonekedwe kudzera pa sniffer, mudzawona zopempha za arp ndi maadiresi kuchokera ku subnet yakutali.
Yesani kutchula adilesi ya ip ngati chipata ngati kuli kotheka. Kupatulapo ndi njira zolumikizidwa (zopangidwa zokha) ndi PPP (Async, PPTP, L2TP, SSTP, PPPoE, OpenVPN*).
OpenVPN ilibe mutu wa PPP, koma mutha kugwiritsa ntchito dzina la mawonekedwe a OpenVPN kupanga njira.
Njira Yachindunji
Lamulo loyambira lamayendedwe. Njira yomwe imafotokozera za subnet yaying'ono (yokhala ndi chigoba chachikulu kwambiri cha subnet) imakhala patsogolo pakusankha kwa paketi. Malo a zolembera pa tebulo la njira sizogwirizana ndi chisankho - lamulo lalikulu ndilowonjezera.
Misewu yonse yochokera ku chiwembu chotchulidwa ikugwira ntchito (yomwe ili mu FIB). lozani ma subnet osiyanasiyana ndipo musamasemphane wina ndi mzake.
Ngati chimodzi mwa zipata sichikupezeka, njira yolumikizira idzatengedwa ngati yosagwira ntchito (yochotsedwa ku FIB) ndipo mapaketi adzafufuzidwa kuchokera kunjira zotsalira.
Njira yokhala ndi subnet 0.0.0.0/0 nthawi zina imapatsidwa tanthauzo lapadera ndipo imatchedwa "Default Route" kapena "Gateway of last resort". M'malo mwake, palibe zamatsenga pa izi ndipo zimangophatikiza ma adilesi onse a IPv4, koma mayinawa amafotokoza bwino ntchito yake - akuwonetsa njira yotumizira mapaketi omwe kulibe njira zina zolondola.
Chigoba chachikulu chotheka cha subnet cha IPv4 ndi / 32, njira iyi imaloza kwa wolandirayo ndipo itha kugwiritsidwa ntchito patebulo lolowera.
Kumvetsetsa Njira Yachindunji ndikofunikira pa chipangizo chilichonse cha TCP/IP.
Distance
Mipata (kapena ma Metrics) ndiyofunikira pakusefa koyang'anira njira zopita ku neti imodzi yokha yofikirika kudzera pazipata zingapo. Njira yokhala ndi ma metric otsika imawonedwa ngati yofunika kwambiri ndipo iphatikizidwa mu FIB. Ngati njira yokhala ndi metric yocheperako ikasiya kugwira ntchito, ndiye kuti isinthidwa ndi njira yokhala ndi ma metric apamwamba mu FIB.
Ngati pali njira zingapo zopita ku subnet imodzi yokhala ndi metric yomweyi, rauta imawonjezera imodzi yokha patebulo la FIB, motsogozedwa ndi malingaliro ake amkati.
Metric imatha kutenga mtengo kuchokera pa 0 mpaka 255:
- 0 - Metric yamanjira olumikizidwa. Mtunda 0 sungathe kukhazikitsidwa ndi woyang'anira
- 1-254 - Ma metric omwe akupezeka kwa woyang'anira pakukhazikitsa njira. Ma metric okhala ndi mtengo wotsika amakhala ndi zofunika kwambiri
- 255 - Metric ikupezeka kwa woyang'anira pakukhazikitsa njira. Mosiyana ndi 1-254, njira yokhala ndi metric ya 255 nthawi zonse imakhala yosagwira ntchito ndipo siyigwera mu FIB.
- miyeso yeniyeni. Njira zochokera kumayendedwe osinthika amakhala ndi miyeso yokhazikika
fufuzani pachipata
Chongani chipata ndikuwonjezera kwa MikroTik RoutesOS kuti muwone kupezeka kwa chipata kudzera pa icmp kapena arp. Kamodzi pa masekondi a 10 (osasinthika), pempho limatumizidwa kuchipata, ngati yankho silinalandire kawiri, njirayo imatengedwa kuti siyikupezeka ndipo imachotsedwa ku FIB. Ngati cheke chipata chayimitsidwa njira yowunika ikupitilira ndipo njirayo iyambiranso kugwira ntchito pambuyo cheke kamodzi kopambana.
Kuwona pachipata kumalepheretsa kulowa komwe kumakonzedweratu ndi zolemba zina zonse (m'matebulo onse amayendedwe ndi njira za ecmp) ndi chipata chodziwika.
Nthawi zambiri, cheke chipata chimagwira ntchito bwino bola ngati palibe vuto ndi kutayika kwa paketi pachipata. Yang'anani pachipata sichikudziwa zomwe zikuchitika ndi kulumikizana kunja kwa chipata chofufuzidwa, izi zimafuna zida zowonjezera: zolemba, njira zobwerezabwereza, ma protocol amayendedwe osinthika.
Ma protocol ambiri a VPN ndi tunnel ali ndi zida zomangidwira zowunikira ntchito yolumikizira, kuwapangitsa kuti ayang'ane pachipata chawo ndichowonjezera (koma chochepa kwambiri) pamaneti ndi magwiridwe antchito.
Njira za ECMP
Equal-Cost Multi-Path - kutumiza mapaketi kwa wolandira pogwiritsa ntchito zipata zingapo nthawi imodzi pogwiritsa ntchito Round Robin algorithm.
Njira ya ECMP imapangidwa ndi woyang'anira pofotokoza zipata zingapo za subnet imodzi (kapena zokha, ngati pali njira ziwiri zofanana za OSPF).
ECMP imagwiritsidwa ntchito potengera katundu pakati pa njira ziwiri, mwamalingaliro, ngati pali njira ziwiri munjira ya ecmp, ndiye pa paketi iliyonse njira yotuluka iyenera kukhala yosiyana. Koma makina a cache a Routing amatumiza mapaketi kuchokera pamalumikizidwewo panjira yomwe paketi yoyamba idatenga, chifukwa chake, timapeza mtundu wofananira potengera maulumikizidwe (kulumikizana kwapaintaneti).
Ngati muletsa Routing Cache, ndiye kuti mapaketi munjira ya ECMP adzagawidwa moyenera, koma pali vuto ndi NAT. Lamulo la NAT limangotengera paketi yoyamba yolumikizana (zotsalazo zimasinthidwa zokha), ndipo zimakhala kuti mapaketi okhala ndi adilesi yomweyi amasiya mawonekedwe osiyanasiyana.
Chongani chipata sichigwira ntchito munjira za ECMP (RouterOS bug). Koma mutha kuzungulira izi popanga njira zina zotsimikizira zomwe zingalepheretse zolembera mu ECMP.
Kusefa pogwiritsa ntchito Njira
Chosankha cha Type chimasankha zoyenera kuchita ndi phukusi:
- unicast - tumizani pachipata chodziwika (mawonekedwe)
- blackhole - kutaya paketi
- kuletsa, osafikirika - kutaya paketi ndikutumiza uthenga wa icmp kwa wotumiza
Kusefa nthawi zambiri kumagwiritsidwa ntchito ngati kuli kofunikira kuti muteteze kutumiza kwa mapaketi panjira yolakwika, inde, mutha kusefa izi kudzera pa firewall.
Zitsanzo zingapo
Kuphatikizira zinthu zofunika panjira.
Router yodziwika bwino yakunyumba
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1- Njira yosasunthika kupita ku 0.0.0.0/0 (njira yofikira)
- Njira yolumikizidwa pamawonekedwe ndi wopereka
- Njira yolumikizidwa pa LAN mawonekedwe
Router yodziwika bwino yakunyumba yokhala ndi PPPoE
- Njira yosasunthika kupita kunjira yokhazikika, yowonjezedwa yokha. zimatchulidwa mu katundu wogwirizanitsa
- Njira yolumikizirana ndi kulumikizana kwa PPP
- Njira yolumikizidwa pa LAN mawonekedwe
Router yodziwika bwino yokhala ndi othandizira awiri komanso redundancy
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 distance=2- Njira yosasunthika yopita kumayendedwe okhazikika kudzera kwa wothandizira woyamba wokhala ndi metric 1 ndi cheke cha kupezeka kwa zipata
- Njira yosasunthika yopita ku njira yosasinthika kudzera kwa wothandizira wachiwiri wokhala ndi metric 2
- Njira zolumikizidwa
Magalimoto opita ku 0.0.0.0/0 amadutsa 10.10.10.1 pomwe chipata ichi chilipo, apo ayi chimasinthira ku 10.20.20.1
Chiwembu choterocho chikhoza kuonedwa ngati kusungitsa tchanelo, koma sichikhala ndi zovuta zake. Ngati kupuma kukuchitika kunja kwa chipata cha wothandizira (mwachitsanzo, mkati mwa netiweki ya opareshoni), rauta yanu siidziwa za izo ndipo idzapitiriza kulingalira njirayo ngati yogwira ntchito.
Router yodziwika bwino yokhala ndi othandizira awiri, redundancy ndi ECMP
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.10.1,10.20.20.1 distance=1- Njira zokhazikika zowonera chack gateway
- Njira ya ECMP
- Njira zolumikizidwa
Njira zowunika ndi za buluu (mtundu wa misewu yosagwira ntchito), koma izi sizimasokoneza cheke. Mtundu waposachedwa (6.44) wa RoS umapereka patsogolo njira ya ECMP, koma ndikwabwino kuwonjezera njira zoyeserera pamatebulo ena (njira zina). routing-mark)
Pa Speedtest ndi masamba ena ofanana, sipadzakhala kuwonjezeka kwa liwiro (ECMP imagawaniza magalimoto ndi maulumikizidwe, osati ndi mapaketi), koma mapulogalamu a p2p ayenera kutsitsa mwachangu.
Kusefa kudzera pa Routing
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1
add dst-address=192.168.200.0/24 gateway=10.30.30.1 distance=1
add dst-address=192.168.200.0/24 gateway=10.10.10.1 distance=2 type=blackhole- Njira yosasunthika kupita ku njira yokhazikika
- Njira yosasunthika kupita ku 192.168.200.0/24 paipip tunnel
- Kuletsa njira yosasunthika kupita ku 192.168.200.0/24 kudzera pa rauta ya ISP
Njira yosefera yomwe kuchuluka kwa magalimoto sikungapite ku rauta ya wothandizira pomwe mawonekedwe a ipip atsekedwa. Zoterezi sizifunikanso kawirikawiri, chifukwa mukhoza kukhazikitsa blocking kudzera pa firewall.
Njira yodutsa
Routing loop - nthawi yomwe paketi imayenda pakati pa ma routers ttl isanathe. Nthawi zambiri zimakhala chifukwa cha cholakwika cha kasinthidwe, mu maukonde akulu amathandizidwa ndi kukhazikitsidwa kwa ma protocol amphamvu, ang'onoang'ono - mosamala.
Zikuwoneka motere:
Chitsanzo (chosavuta) cha momwe mungapezere zotsatira zofanana:
Chitsanzo cha Routing loop sichithandiza, koma chikuwonetsa kuti ma router sadziwa za tebulo la oyandikana nawo.
Policy Base Routing ndi Matebulo Owonjezera a Njira
Posankha njira, rauta amagwiritsa ntchito gawo limodzi lokha kuchokera pamutu wa paketi (Dst. Adilesi) - iyi ndiyo njira yoyambira. Kuyenda motengera mikhalidwe ina, monga adilesi yochokera, mtundu wa traffic (ToS), kusanja popanda ECMP, ndi ya Policy Base Routing (PBR) ndipo imagwiritsa ntchito matebulo owonjezera.
Njira Yachindunji ndiye lamulo lalikulu losankha njira mkati mwa tebulo lamayendedwe.
Mwachikhazikitso, malamulo onse oyendetsa amawonjezedwa ku tebulo lalikulu. Woyang'anira atha kupanga nambala yosasinthika ya matebulo owonjezera olowera ndi mapaketi anjira kwa iwo. Malamulo m'magome osiyanasiyana satsutsana. Ngati phukusi silipeza lamulo loyenera patebulo lotchulidwa, lidzapita ku tebulo lalikulu.
Chitsanzo ndi kugawa kudzera pa Firewall:
- 192.168.100.10 -> 8.8.8.8
- Magalimoto ochokera ku 192.168.100.10 amalembedwa ku-isp1 Π²
[Prerouting|Mangle] - Pa Routing stage patebulo ku-isp1 amafufuza njira yopita ku 8.8.8.8
- Njira yopezeka, magalimoto amatumizidwa ku chipata 10.10.10.1
- Magalimoto ochokera ku 192.168.100.10 amalembedwa ku-isp1 Π²
- 192.168.200.20 -> 8.8.8.8
- Magalimoto ochokera ku 192.168.200.20 amalembedwa ku-isp2 Π²
[Prerouting|Mangle] - Pa Routing stage patebulo ku-isp2 amafufuza njira yopita ku 8.8.8.8
- Njira yopezeka, magalimoto amatumizidwa ku chipata 10.20.20.1
- Magalimoto ochokera ku 192.168.200.20 amalembedwa ku-isp2 Π²
- Ngati chimodzi mwa zipata (10.10.10.1 kapena 10.20.20.1) sichikupezeka, ndiye kuti paketiyo idzapita ku tebulo. waukulu ndipo adzayang'ana njira yoyenera kumeneko
Nkhani za Terminology
RouterOS ili ndi zovuta za terminology.
Pogwira ntchito ndi malamulo mu [IP]->[Routes] The routing table ikuwonetsedwa, ngakhale kuti zalembedwa kuti:
Π [IP]->[Routes]->[Rule] Chilichonse ndichabwino, muzolemba zomwe zili patebulo:
Momwe mungatumizire paketi ku tebulo linalake lamayendedwe
RouterOS imapereka zida zingapo:
- Malamulo mu
[IP]->[Routes]->[Rules] - Zolembera njira (
action=mark-routing) mkati[IP]->[Firewall]->[Mangle] - Chithunzi cha VRF
Malamulo [IP]->[Route]->[Rules]
Malamulo amakonzedwa motsatizana, ngati paketiyo ikugwirizana ndi malamulo, sichidutsa.
Malamulo a Njira amakulolani kuti muwonjezere mwayi wodutsa, osadalira adiresi yolandira, komanso pa adiresi yochokera ndi mawonekedwe omwe paketiyo inalandiridwa.
Malamulo ali ndi zikhalidwe ndi zochita:
- Zoyenera. Bwererani pang'onopang'ono mndandanda wazizindikiro zomwe phukusili limayang'aniridwa mu FIB, ToS yokha ndiyosowa.
- Zochita
- kuyang'ana - tumizani paketi patebulo
- kuyang'ana patebulo - kutseka phukusi patebulo, ngati njirayo sipezeka, phukusi silingapite ku tebulo lalikulu.
- dontho - kuponya paketi
- osafikirika - tayani paketiyo ndi chidziwitso cha wotumiza
Mu FIB, kuchuluka kwa magalimoto kupita kumayendedwe akumaloko kumakonzedwa modutsa malamulo [IP]->[Route]->[Rules]:
Kulemba [IP]->[Firewall]->[Mangle]
Zolemba zamayendedwe zimakulolani kuti muyike chipata cha paketi pogwiritsa ntchito zikhalidwe zilizonse za Firewall:
Kwenikweni, chifukwa si onse omwe amamveka bwino, ndipo ena amatha kugwira ntchito mosakhazikika.
Pali njira ziwiri zolembera paketi:
- Nthawi yomweyo kuika chizindikiro chanjira
- Ikani poyamba mgwirizano - chizindikiro, ndiye potengera mgwirizano - chizindikiro kuyika chizindikiro chanjira
M'nkhani yokhudza zozimitsa moto, ndidalemba kuti njira yachiwiri ndiyabwino. amachepetsa katundu pa CPU, pankhani yolemba njira - izi sizowona kwathunthu. Njira zolembera izi sizikhala zofanana nthawi zonse ndipo zimagwiritsidwa ntchito kuthetsa mavuto osiyanasiyana.
Zitsanzo Zogwiritsa Ntchito
Tiyeni tipitirire ku zitsanzo zogwiritsa ntchito Policy Base Routing, ndizosavuta kuwonetsa chifukwa chake zonsezi zikufunika.
MultiWAN ndikubweza magalimoto otuluka (Output).
Vuto lodziwika bwino ndi kasinthidwe ka MultiWAN: Mikrotik imapezeka kuchokera pa intaneti kokha kudzera mwa wothandizira "wogwira ntchito".
Router samasamala zomwe ip pempholo linabwera, pamene ikupanga yankho, idzayang'ana njira mu tebulo loyendetsa kumene njira yodutsa isp1 ikugwira ntchito. Kupitilira apo, paketi yotereyi imatha kusefedwa panjira yopita kwa wolandila.
Mfundo ina yosangalatsa. Ngati gwero "losavuta" nat lidakonzedwa pa mawonekedwe a ether1: /ip fi nat add out-interface=ether1 action=masquerade phukusi lidzapita pa intaneti ndi src. adilesi=10.10.10.100, zomwe zimapangitsa kuti zinthu ziipireipire.
Pali njira zingapo zothetsera vutoli, koma iliyonse idzafunika matebulo owonjezera:
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 check-gateway=ping distance=2
add dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 routing-mark=over-isp2Gwiritsani ntchito [IP]->[Route]->[Rules]
Tchulani tebulo lomwe lidzagwiritsidwe ntchito pamapaketi okhala ndi Source IP.
/ip route rule
add src-address=10.10.10.100/32 action=lookup-only-in-table table=over-isp1
add src-address=10.20.20.200/32 action=lookup-only-in-table table=over-isp2Angagwiritse ntchito action=lookup, koma pamagalimoto otuluka m'derali, njira iyi imachotsa kulumikizana kolakwika.
- Dongosololi limapanga paketi yoyankha ndi Src. Adilesi: 10.20.20.200
- Chisankho cha Routing (2) chiwunika
[IP]->[Routes]->[Rules]ndipo paketi imatumizidwa ku tebulo lamayendedwe pa-isp2 - Malinga ndi tebulo lamayendedwe, paketiyo iyenera kutumizidwa kuchipata 10.20.20.1 kudzera pa mawonekedwe a ether2.
Njirayi sifunikira Connection Tracker yogwira ntchito, mosiyana ndi kugwiritsa ntchito tebulo la Mangle.
Gwiritsani ntchito [IP]->[Firewall]->[Mangle]
Kulumikizana kumayamba ndi paketi yomwe ikubwera, ndiye timayiyika (action=mark-connection), pamapaketi otuluka kuchokera pamalumikizidwe odziwika, ikani chizindikiro cholowera (action=mark-routing).
/ip firewall mangle
#ΠΠ°ΡΠΊΠΈΡΠΎΠ²ΠΊΠ° Π²Ρ
ΠΎΠ΄ΡΡΠΈΡ
ΡΠΎΠ΅Π΄ΠΈΠ½Π΅Π½ΠΈΠΉ
add chain=input in-interface=ether1 connection-state=new action=mark-connection new-connection-mark=from-isp1
add chain=input in-interface=ether2 connection-state=new action=mark-connection new-connection-mark=from-isp2
#ΠΠ°ΡΠΊΠΈΡΠΎΠ²ΠΊΠ° ΠΈΡΡ
ΠΎΠ΄ΡΡΠΈΡ
ΠΏΠ°ΠΊΠ΅ΡΠΎΠ² Π½Π° ΠΎΡΠ½ΠΎΠ²Π΅ ΡΠΎΠ΅Π΄ΠΈΠ½Π΅Π½ΠΈΠΉ
add chain=output connection-mark=from-isp1 action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=output connection-mark=from-isp2 action=mark-routing new-routing-mark=over-isp2 passthrough=noNgati ma ips angapo akhazikitsidwa pa mawonekedwe amodzi, mutha kuwonjezera pachikhalidwecho dst-address kukhala wotsimikiza.
- Phukusi limatsegula kulumikizana kwa mawonekedwe a ether2. Phukusi limalowa
[INPUT|Mangle]zomwe zimati chongani mapaketi onse kuchokera ku kulumikizana ngati ku-isp2 - Dongosololi limapanga paketi yoyankha ndi Src. Adilesi: 10.20.20.200
- Pa siteji ya Routing Decision(2), paketiyo, molingana ndi tebulo lamayendedwe, imatumizidwa pachipata 10.20.20.1 kudzera pa mawonekedwe a ether1. Mutha kutsimikizira izi polowetsa mapaketiwo
[OUTPUT|Filter] - Pa siteji
[OUTPUT|Mangle]chizindikiro cholumikizira chafufuzidwa ku-isp2 ndipo paketi imalandira chizindikiro cha njira pa-isp2 - Gawo la Routing Adjusment(3) limayang'ana ngati pali cholembera ndikutumiza ku tebulo loyenera.
- Malinga ndi tebulo lamayendedwe, paketiyo iyenera kutumizidwa kuchipata 10.20.20.1 kudzera pa mawonekedwe a ether2.
MultiWAN ndikubweza dst-nat traffic
Chitsanzo ndi chovuta kwambiri, choti muchite ngati pali seva (mwachitsanzo, intaneti) kumbuyo kwa rauta pa subnet yachinsinsi ndipo muyenera kupereka mwayi wopeza kudzera mwa aliyense wa opereka.
/ip firewall nat
add chain=dstnat proto=tcp dst-port=80,443 in-interface=ether1 action=dst-nat to-address=192.168.100.100
add chain=dstnat proto=tcp dst-port=80,443 in-interface=ether2 action=dst-nat to-address=192.168.100.100Chomwe chimayambitsa vutoli chidzakhala chofanana, yankho ndilofanana ndi njira ya Firewall Mangle, maunyolo ena okha adzagwiritsidwa ntchito:
/ip firewall mangle
add chain=prerouting connection-state=new in-interface=ether1 protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=web-input-isp1
add chain=prerouting connection-state=new in-interface=ether2 protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=web-input-isp2
add chain=prerouting connection-mark=web-input-isp1 in-interface=ether3 action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=prerouting connection-mark=web-input-isp2 in-interface=ether3 action=mark-routing new-routing-mark=over-isp2 passthrough=no
Chithunzichi sichikuwonetsa NAT, koma ndikuganiza kuti zonse zimveka bwino.
MultiWAN ndi maulumikizidwe otuluka
Mutha kugwiritsa ntchito kuthekera kwa PBR kuti mupange maulalo angapo a vpn (SSTP muchitsanzo) kuchokera panjira zosiyanasiyana za rauta.
Matebulo owonjezera apanjira:
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.100.1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=192.168.200.1 routing-mark=over-isp2
add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-mark=over-isp3
add dst-address=0.0.0.0/0 gateway=192.168.100.1 distance=1
add dst-address=0.0.0.0/0 gateway=192.168.200.1 distance=2
add dst-address=0.0.0.0/0 gateway=192.168.0.1 distance=3Zolemba phukusi:
/ip firewall mangle
add chain=output dst-address=10.10.10.100 proto=tcp dst-port=443 action=mark-routing new-routing-mark=over-isp1 passtrough=no
add chain=output dst-address=10.10.10.101 proto=tcp dst-port=443 action=mark-routing new-routing-mark=over-isp2 passtrough=no
add chain=output dst-address=10.10.10.102 proto=tcp dst-port=443 action=mark-routing new-routing-mark=over-isp3 passtrough=noMalamulo osavuta a NAT, apo ayi paketiyo idzasiya mawonekedwe ndi Src yolakwika. adilesi:
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
add chain=srcnat out-interface=ether3 action=masqueradeKupanga:
- Router imapanga njira zitatu za STTP
- Pa siteji ya Kusankha Njira (2), njira imasankhidwa panjira izi kutengera tebulo lalikulu lamayendedwe. Kuchokera panjira yomweyi, paketi imalandira Src. Adilesi yolumikizidwa ku mawonekedwe a ether1
- Π
[Output|Mangle]mapaketi ochokera kumalumikizidwe osiyanasiyana amalandira zilembo zosiyanasiyana - Mapaketi lowetsani matebulo olingana ndi zilembo pagawo la Routing Adjusment ndikulandila njira yatsopano yotumizira mapaketi.
- Koma mapaketi akadali ndi Src. Adilesi yochokera ku ether1, pa siteji
[Nat|Srcnat]adilesi imalowetsedwa m'malo molingana ndi mawonekedwe
Chochititsa chidwi, pa rauta muwona tebulo lolumikizira ili:
Connection Tracker imagwira ntchito kale [Mangle] ΠΈ [Srcnat], kotero maulumikizidwe onse amachokera ku adilesi yomweyo, ngati muyang'ana mwatsatanetsatane, ndiye mu Replay Dst. Address padzakhala ma adilesi pambuyo pa NAT:
Pa seva ya VPN (ndili ndi imodzi pa benchi yoyesera), mukhoza kuona kuti malumikizidwe onse amachokera ku maadiresi olondola:
Dikirani njira
Pali njira yosavuta, mutha kutchulanso chipata cha ma adilesi aliwonse:
/ip route
add dst-address=10.10.10.100 gateway=192.168.100.1
add dst-address=10.10.10.101 gateway=192.168.200.1
add dst-address=10.10.10.102 gateway=192.168.0.1Koma misewu yotereyi idzakhudza osati zotuluka komanso zamayendedwe apaulendo. Kuphatikiza apo, ngati simukufuna magalimoto kupita ku seva ya vpn kuti mudutse njira zolumikizirana zosayenera, ndiye kuti muyenera kuwonjezera malamulo ena 6 [IP]->[Routes]Ρ type=blackhole. Mu Baibulo lapita - 3 malamulo mu [IP]->[Route]->[Rules].
Kugawidwa kwa maulumikizidwe a ogwiritsa ntchito ndi njira zoyankhulirana
Zosavuta, ntchito za tsiku ndi tsiku. Apanso, matebulo owonjezera adzafunika:
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=1 routing-mark=over-isp2Kugwiritsa ntchito [IP]->[Route]->[Rules]
/ip route rules
add src-address=192.168.100.0/25 action=lookup-only-in-table table=over-isp1
add src-address=192.168.100.128/25 action=lookup-only-in-table table=over-isp2Ngati mungagwiritse ntchito action=lookup, ndiye pamene imodzi mwa njirazo ili yolephereka, magalimoto adzapita ku tebulo lalikulu ndikudutsa njira yogwirira ntchito. Kaya izi ndizofunikira kapena ayi zimadalira ntchitoyo.
Kugwiritsa ntchito zizindikiro mu [IP]->[Firewall]->[Mangle]
Chitsanzo chosavuta chokhala ndi mndandanda wa ma adilesi a ip. Kwenikweni, pafupifupi mikhalidwe iliyonse ingagwiritsidwe ntchito. Chenjezo lokhalo la layer7, ngakhale litaphatikizidwa ndi zilembo zolumikizirana, zitha kuwoneka kuti zonse zikuyenda bwino, koma magalimoto ena adzapitabe molakwika.
/ip firewall mangle
add chain=prerouting src-address-list=users-over-isp1 dst-address-type=!local action=mark-routing new-routing-mark=over-isp1
add chain=prerouting src-address-list=users-over-isp2 dst-address-type=!local action=mark-routing new-routing-mark=over-isp2Mutha "kutseka" ogwiritsa ntchito patebulo limodzi lolowera [IP]->[Route]->[Rules]:
/ip route rules
add routing-mark=over-isp1 action=lookup-only-in-table table=over-isp1
add routing-mark=over-isp2 action=lookup-only-in-table table=over-isp2Kapena kudzera [IP]->[Firewall]->[Filter]:
/ip firewall filter
add chain=forward routing-mark=over-isp1 out-interface=!ether1 action=reject
add chain=forward routing-mark=over-isp2 out-interface=!ether2 action=rejectRetreat pro dst-address-type=!local
Mkhalidwe wowonjezera dst-address-type=!local ndikofunikira kuti magalimoto ochokera kwa ogwiritsa ntchito afikire njira zakomweko za rauta (dns, winbox, ssh, ...). Ngati ma subnet angapo am'deralo alumikizidwa ndi rauta, ndikofunikira kuwonetsetsa kuti magalimoto pakati pawo sapita pa intaneti, mwachitsanzo, kugwiritsa ntchito. dst-address-table.
Mu chitsanzo ntchito [IP]->[Route]->[Rules] palibe kuchotsera koteroko, koma magalimoto amafika pazochitika zakomweko. Chowonadi ndi chakuti kulowa mu phukusi la FIB lolembedwamo [PREROUTING|Mangle] ili ndi chizindikiro cha njira ndipo imapita patebulo lanjira kupatulapo lalikulu, pomwe mulibe mawonekedwe am'deralo. Pankhani ya Malamulo a Njira, choyamba imawunikiridwa ngati paketiyo idapangidwa kuti ichitike komweko ndipo pokhapokha pa Mtumiki wa PBR pomwe imapita patebulo lofotokozera.
Kugwiritsa ntchito [IP]->[Firewall]->[Mangle action=route]
Izi zimangogwira ntchito mkati [Prerouting|Mangle] ndikukulolani kuti muwongolere kuchuluka kwa magalimoto pachipata chomwe mwatchulidwa popanda kugwiritsa ntchito matebulo owonjezera, pofotokoza mwachindunji adilesi yapazipata:
/ip firewall mangle
add chain=prerouting src-address=192.168.100.0/25 action=route gateway=10.10.10.1
add chain=prerouting src-address=192.168.128.0/25 action=route gateway=10.20.20.1zotsatira route ali ndi zofunika zochepa kuposa malamulo oyendetsera ([IP]->[Route]->[Rules]). Pankhani ya zizindikiro njira, chirichonse chimadalira pa udindo wa malamulo, ngati ulamuliro ndi action=route wamtengo wapatali kuposa action=mark-route, ndiye idzagwiritsidwa ntchito (mosasamala kanthu za mbendera passtrough), poyika chizindikiro panjira.
Pali chidziwitso chochepa pa wiki chokhudza izi ndipo ziganizo zonse zidapezedwa moyesera, mulimonse, sindinapeze zosankha mukamagwiritsa ntchito njirayi imapereka zabwino kuposa ena.
PPC yochokera ku dynamic balancing
Per Connection Classifier - ndi analogue yosinthika kwambiri ya ECMP. Mosiyana ndi ECMP, imagawaniza magalimoto ndi maulumikizidwe mosamalitsa (ECMP sadziwa chilichonse chokhudza kulumikizana, koma ikalumikizidwa ndi Routing Cache, chofananacho chimapezeka).
PCC ikupita minda yotchulidwa kuchokera pamutu wa ip, amawatembenuza kukhala mtengo wa 32-bit, ndikugawa ndi chipembedzo. Gawo lotsalalo likufananizidwa ndi zomwe zafotokozedwa chotsalira ndipo ngati zikugwirizana, ndiye kuti zomwe zanenedwazo zimagwiritsidwa ntchito. . Zikumveka zopenga, koma zimagwira ntchito.
Chitsanzo chokhala ndi ma adilesi atatu:
192.168.100.10: 192+168+100+10 = 470 % 3 = 2
192.168.100.11: 192+168+100+11 = 471 % 3 = 0
192.168.100.12: 192+168+100+12 = 472 % 3 = 1Chitsanzo cha kugawa kosinthika kwa magalimoto ndi src.address pakati pa mayendedwe atatu:
#Π’Π°Π±Π»ΠΈΡΠ° ΠΌΠ°ΡΡΡΡΡΠΈΠ·Π°ΡΠΈΠΈ
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.30.30.1 dist=3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=1 routing-mark=over-isp2
add dst-address=0.0.0.0/0 gateway=10.30.30.1 dist=1 routing-mark=over-isp3
#ΠΠ°ΡΠΊΠΈΡΠΎΠ²ΠΊΠ° ΡΠΎΠ΅Π΄ΠΈΠ½Π΅Π½ΠΈΠΉ ΠΈ ΠΌΠ°ΡΡΡΡΡΠΎΠ²
/ip firewall mangle
add chain=prerouting in-interface=br-lan dst-address-type=!local connection-state=new per-connection-classifier=src-address:3/0 action=mark-connection new-connection-mark=conn-over-isp1
add chain=prerouting in-interface=br-lan dst-address-type=!local connection-state=new per-connection-classifier=src-address:3/1 action=mark-connection new-connection-mark=conn-over-isp2
add chain=prerouting in-interface=br-lan dst-address-type=!local connection-state=new per-connection-classifier=src-address:3/2 action=mark-connection new-connection-mark=conn-over-isp3
add chain=prerouting in-interface=br-lan connection-mark=conn-over-isp1 action=mark-routing new-routing-mark=over-isp1
add chain=prerouting in-interface=br-lan connection-mark=conn-over-isp2 action=mark-routing new-routing-mark=over-isp2
add chain=prerouting in-interface=br-lan connection-mark=conn-over-isp3 action=mark-routing new-routing-mark=over-isp3Polemba njira, pali zina zowonjezera: in-interface=br-lan, popanda izo pansi action=mark-routing kuchuluka kwa mayankho kuchokera pa intaneti kudzalowa ndipo, molingana ndi matebulo owongolera, abwerera kwa wopereka.
Kusintha njira zoyankhulirana
Yang'anani ping ndi chida chabwino, koma imangoyang'ana kugwirizana ndi anzako apafupi a IP, maukonde operekera nthawi zambiri amakhala ndi ma routers ambiri ndipo kutha kwa kugwirizana kungathe kuchitika kunja kwa anzawo omwe ali pafupi, ndiyeno pali ogwiritsira ntchito telecom omwe angakhale nawo. kukhala ndi mavuto, nthawi zambiri kuyang'ana ping sikumawonetsa zaposachedwa zapadziko lonse lapansi.
Ngati opereka chithandizo ndi mabungwe akuluakulu ali ndi njira yosinthira ya BGP, ndiye kuti ogwiritsa ntchito kunyumba ndi maofesi ayenera kudzifufuza okha momwe angayang'anire mwayi wopezeka pa intaneti kudzera pa njira inayake yolumikizirana.
Kawirikawiri, malemba amagwiritsidwa ntchito kuti, kupyolera mu njira ina yolankhulirana, yang'anani kupezeka kwa adilesi ya ip pa intaneti, posankha chinthu chodalirika, mwachitsanzo, google dns: 8.8.8.8. 8.8.4.4. Koma m'dera la Mikrotik, chida chosangalatsa kwambiri chasinthidwa pa izi.
Mawu ochepa okhudza kubwerezabwereza
Kubwereza kobwereza ndikofunikira pomanga Multihop BGP kuyang'ana ndikulowa m'nkhani yokhudzana ndi zoyambira zamayendedwe osasunthika chifukwa chanzeru za ogwiritsa ntchito a MikroTik omwe adazindikira momwe angagwiritsire ntchito njira zobwerezabwereza zophatikizidwa ndi cheke pachipata chosinthira njira zoyankhulirana popanda zolemba zina.
Yakwana nthawi yoti mumvetsetse kukula kwake / chandamale zomwe mungasankhe mwachisawawa komanso momwe njirayo imalumikizirana ndi mawonekedwe:
- Njirayi imayang'ana mawonekedwe kuti atumize paketiyo kutengera kuchuluka kwake komanso zolemba zonse patebulo lalikulu zomwe zili ndi milingo yocheperako kapena yofanana.
- Kuchokera pamawonekedwe opezeka, yomwe mungatumize paketi kupita pachipata chodziwika imasankhidwa
- Mawonekedwe a zolowera zolumikizidwa zopezeka amasankhidwa kutumiza paketi pachipata
Pamaso pa njira yobwereza, zonse zimachitika chimodzimodzi, koma m'magawo awiri:
- 1-3 Njira ina yowonjezera imawonjezedwa kumayendedwe olumikizidwa, kudzera momwe chipata chodziwika chikhoza kufikira
- 4-6 Kupeza njira yolumikizira njira yolowera pachipata "chapakati".
Zosintha zonse ndi kusaka kobwerezabwereza zimachitika mu RIB, ndipo zotsatira zomaliza zokha zimasamutsidwa ku FIB: 0.0.0.0/0 via 10.10.10.1 on ether1.
Chitsanzo chogwiritsa ntchito njira zobwerezabwereza kusintha njira
Kusintha:
/ip route
add dst-address=0.0.0.0/0 gateway=8.8.8.8 check-gateway=ping distance=1 target-scope=10
add dst-address=8.8.8.8 gateway=10.10.10.1 scope=10
add dst-address=0.0.0.0/0 gateway=10.20.20.1 distance=2Mutha kuwona kuti mapaketi atumizidwa ku 10.10.10.1:
Chongani pachipata sadziwa chilichonse chokhudza kubwerezabwereza ndipo amangotumiza ma pings ku 8.8.8.8, omwe (kutengera tebulo lalikulu) amapezeka kudzera pachipata 10.10.10.1.
Ngati pali kutayika kwa kulankhulana pakati pa 10.10.10.1 ndi 8.8.8.8, ndiye kuti njirayo imachotsedwa, koma mapaketi (kuphatikizapo pings yoyesera) mpaka 8.8.8.8 akupitiriza kudutsa 10.10.10.1:
Ngati ulalo wa ether1 watayika, ndiye kuti zinthu zosasangalatsa zimachitika pamene mapaketi asanafike 8.8.8.8 adutsa wopereka wachiwiri:
Ili ndi vuto ngati mukugwiritsa ntchito NetWatch kuyendetsa zolemba pomwe 8.8.8.8 palibe. Ngati ulalo wasweka, NetWatch ingogwiritsa ntchito njira yolumikizirana yosunga zobwezeretsera ndikuganiza kuti zonse zili bwino. Yathetsedwa powonjezera njira yowonjezera yosefera:
/ip route
add dst-address=8.8.8.8 gateway=10.20.20.1 distance=100 type=blackhole
Pali pa habrΓ© , pomwe zochitika ndi NetWatch zimaganiziridwa mwatsatanetsatane.
Ndipo inde, mukamagwiritsa ntchito kusungitsa koteroko, adilesi 8.8.8.8 idzakhala yolimba kwa m'modzi wa opereka, kotero kusankha ngati gwero la dns si lingaliro labwino.
Mawu ochepa okhudza Virtual Routing and Forwarding (VRF)
Tekinoloje ya VRF idapangidwa kuti ipange ma router angapo mkati mwa thupi limodzi, ukadaulo uwu umagwiritsidwa ntchito kwambiri ndi ogwiritsira ntchito ma telecom (nthawi zambiri molumikizana ndi MPLS) kuti apereke ntchito za L3VPN kwa makasitomala omwe ali ndi ma adilesi apansi panthaka:
Koma VRF ku Mikrotik imapangidwa pamaziko a matebulo oyendetsa ndipo ili ndi zovuta zingapo, mwachitsanzo, ma adilesi a IP a rauta akupezeka kuchokera ku VRFs onse, mutha kuwerenga zambiri. .
vrf kasinthidwe chitsanzo:
/ip route vrf
add interfaces=ether1 routing-mark=vrf1
add interfaces=ether2 routing-mark=vrf2
/ip address
add address=192.168.100.1/24 interface=ether1 network=192.168.100.0
add address=192.168.200.1/24 interface=ether2 network=192.168.200.0Kuchokera pa chipangizo cholumikizidwa ndi ether2, tikuwona kuti ping imapita ku adilesi ya rauta kuchokera ku vrf ina (ndipo ili ndi vuto), pomwe ping siyipita pa intaneti:
Kuti mupeze intaneti, muyenera kulembetsa njira yowonjezera yomwe imafikira patebulo lalikulu (m'mawu a vrf, izi zimatchedwa kutulutsa njira):
/ip route
add distance=1 gateway=172.17.0.1@main routing-mark=vrf1
add distance=1 gateway=172.17.0.1%wlan1 routing-mark=vrf2Nazi njira ziwiri zowotchera njira: kugwiritsa ntchito tebulo lolowera: 172.17.0.1@main ndikugwiritsa ntchito dzina lachiwonekedwe: 172.17.0.1%wlan1.
Ndipo konzani zolembera za traffic yobwerera mkati [PREROUTING|Mangle]:
/ip firewall mangle
add chain=prerouting in-interface=ether1 action=mark-connection new-connection-mark=from-vrf1 passthrough=no
add chain=prerouting connection-mark=from-vrf1 routing-mark=!vrf1 action=mark-routing new-routing-mark=vrf1 passthrough=no
add chain=prerouting in-interface=ether2 action=mark-connection new-connection-mark=from-vrf2 passthrough=no
add chain=prerouting connection-mark=from-vrf2 routing-mark=!vrf1 action=mark-routing new-routing-mark=vrf2 passthrough=no
Ma subnet okhala ndi adilesi yomweyo
Gulu lofikira ma subnet okhala ndi ma adilesi omwewo pa rauta yomweyo pogwiritsa ntchito VRF ndi netmap:
Kukonzekera koyambira:
/ip route vrf
add interfaces=ether1 routing-mark=vrf1
add interfaces=ether2 routing-mark=vrf2
/ip address
add address=192.168.100.1/24 interface=ether1 network=192.168.100.0
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0
add address=192.168.0.1/24 interface=ether3 network=192.168.0.0malamulo a firewall:
#ΠΠ°ΡΠΊΠΈΡΡΠ΅ΠΌ ΠΏΠ°ΠΊΠ΅ΡΡ Π΄Π»Ρ ΠΎΡΠΏΡΠ°Π²ΠΊΠΈ Π² ΠΏΡΠ°Π²ΠΈΠ»ΡΠ½ΡΡ ΡΠ°Π±Π»ΠΈΡΡ ΠΌΠ°ΡΡΡΡΡΠΈΠ·Π°ΡΠΈΠΈ
/ip firewall mangle
add chain=prerouting dst-address=192.168.101.0/24 in-interface=ether3 action=mark-routing new-routing-mark=vrf1 passthrough=no
add chain=prerouting dst-address=192.168.102.0/24 in-interface=ether3 action=mark-routing new-routing-mark=vrf2 passthrough=no
#Π‘ΡΠ΅Π΄ΡΡΠ²Π°ΠΌΠΈ netmap Π·Π°ΠΌΠ΅Π½ΡΠ΅ΠΌ Π°Π΄ΡΠ΅ΡΠ° "ΡΡΠΈΠΌΠ΅ΡΠ½ΡΡ
" ΠΏΠΎΠ΄ΡΠ΅ΡΠ΅ΠΉ Π½Π° ΡΠ΅Π°Π»ΡΠ½ΡΠ΅ ΠΏΠΎΠ΄ΡΠ΅ΡΠΈ
/ip firewall nat
add chain=dstnat dst-address=192.168.101.0/24 in-interface=ether3 action=netmap to-addresses=192.168.100.0/24
add chain=dstnat dst-address=192.168.102.0/24 in-interface=ether3 action=netmap to-addresses=192.168.100.0/24Malamulo oyendetsera magalimoto obwerera:
#Π£ΠΊΠ°Π·Π°Π½ΠΈΠ΅ ΠΈΠΌΠ΅Π½ΠΈ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠ° ΡΠΎΠΆΠ΅ ΠΌΠΎΠΆΠ΅Ρ ΡΡΠΈΡΠ°ΡΡΡΡ route leaking, Π½ΠΎ ΠΏΠΎ ΡΡΡΠΈ ΡΡΡ ΡΠΎΠ·Π΄Π°Π΅ΡΡΡ Π°Π½Π°Π»ΠΎΠ³ connected ΠΌΠ°ΡΡΡΡΡΠ°
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=ether3 routing-mark=vrf1
add distance=1 dst-address=192.168.0.0/24 gateway=ether3 routing-mark=vrf2Kuwonjeza mayendedwe olandilidwa kudzera pa dhcp ku tebulo loperekedwa
VRF ikhoza kukhala yosangalatsa ngati mukufuna kuwonjezera njira yosinthira (mwachitsanzo, kuchokera kwa kasitomala wa dhcp) kupita patebulo linalake.
Kuwonjezera mawonekedwe ku vrf:
/ip route vrf
add interface=ether1 routing-mark=over-isp1Malamulo otumizira magalimoto (otuluka ndi opita) kudzera patebulo pa-isp1:
/ip firewall mangle
add chain=output out-interface=!br-lan action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=prerouting in-interface=br-lan dst-address-type=!local action=mark-routing new-routing-mark=over-isp1 passthrough=noKuphatikiza apo, njira yabodza yopitira kunja kukagwira ntchito:
/interface bridge
add name=bare
/ip route
add dst-address=0.0.0.0/0 gateway=bareNjirayi ndiyofunikira kokha kuti mapaketi omwe akutuluka adutse pachisankho cha Njira (2) m'mbuyomu [OUTPUT|Mangle] ndikupeza chizindikiro chowongolera, ngati pali njira zina zogwirira ntchito pa rauta pamaso pa 0.0.0.0/0 patebulo lalikulu, sizofunikira.
Minyolo connected-in ΠΈ dynamic-in Π² [Routing] -> [Filters]
Zosefera njira (zolowera ndi zotuluka) ndi chida chomwe nthawi zambiri chimagwiritsidwa ntchito limodzi ndi ma protocol a mayendedwe osinthika (ndipo amangopezeka mutakhazikitsa phukusi. wam'mbuyomu), koma pali maunyolo awiri osangalatsa muzosefera zomwe zikubwera:
- olumikizidwa - kusefa njira zolumikizidwa
- dynamic-in - kusefa njira zosinthika zolandilidwa ndi PPP ndi DCHP
Kusefa kumakupatsani mwayi kuti musamangotaya mayendedwe, komanso kuti musinthe njira zingapo: mtunda, chizindikiro cholowera, ndemanga, kukula, kuchuluka kwa chandamale, ...
Ichi ndi chida cholondola kwambiri ndipo ngati mungathe kuchita china popanda Routing Zosefera (koma osati zolembedwa), ndiye musagwiritse ntchito Zosefera za Routing, musadzisokoneze nokha ndi omwe angakonze rauta pambuyo panu. Pankhani yamayendedwe osinthika, Zosefera za Routing zidzagwiritsidwa ntchito pafupipafupi komanso mopindulitsa.
Kukhazikitsa Chizindikiro cha Njira Zanjira Zamphamvu
Chitsanzo chochokera pa rauta yakunyumba. Ndili ndi maulumikizidwe awiri a VPN okonzedwa ndipo kuchuluka kwa magalimoto mkati mwake kuyenera kukulungidwa molingana ndi matebulo olowera. Panthawi imodzimodziyo, ndikufuna kuti maulendo apangidwe okha pamene mawonekedwe atsegulidwa:
#ΠΡΠΈ ΡΠΎΠ·Π΄Π°Π½ΠΈΠΈ vpn ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ΠΈΠΉ ΡΠΊΠ°Π·ΡΠ²Π°Π΅ΠΌ ΡΠΎΠ·Π΄Π°Π½ΠΈΠ΅ default route ΠΈ Π·Π°Π΄Π°Π΅ΠΌ Π΄ΠΈΡΡΠ°Π½ΡΠΈΡ
/interface pptp-client
add connect-to=X.X.X.X add-default-route=yes default-route-distance=101 ...
add connect-to=Y.Y.Y.Y add-default-route=yes default-route-distance=100 ...
#Π€ΠΈΠ»ΡΡΡΠ°ΠΌΠΈ ΠΎΡΠΏΡΠ°Π²Π»ΡΠ΅ΠΌ ΠΌΠ°ΡΡΡΡΡΡ Π² ΠΎΠΏΡΠ΅Π΄Π΅Π»Π΅Π½Π½ΡΠ΅ ΡΠ°Π±Π»ΠΈΡΡ ΠΌΠ°ΡΡΡΡΡΠΈΠ·Π°ΡΠΈΠΈ Π½Π° ΠΎΡΠ½ΠΎΠ²Π΅ ΠΏΠΎΠ΄ΡΠ΅ΡΠΈ Π½Π°Π·Π½Π°ΡΠ΅Π½ΠΈΡ ΠΈ Π΄ΠΈΡΡΠ°Π½ΡΠΈΠΈ
/routing filter
add chain=dynamic-in distance=100 prefix=0.0.0.0/0 action=passthrough set-routing-mark=over-vpn1
add chain=dynamic-in distance=101 prefix=0.0.0.0/0 action=passthrough set-routing-mark=over-vpn2Sindikudziwa chifukwa chake, mwinamwake cholakwika, koma ngati mupanga vrf kwa mawonekedwe a ppp, ndiye njira yopita ku 0.0.0.0/0 idzalowabe mu tebulo lalikulu. Apo ayi, chirichonse chikanakhala chophweka.
Kuyimitsa Njira Zolumikizidwa
Nthawi zina izi zimafunika:
/route filter
add chain=connected-in prefix=192.168.100.0/24 action=rejectDebugging Zida
RouterOS imapereka zida zingapo zosinthira njira:
[Tool]->[Tourch]- amakulolani kuti muwone mapaketi pamawonekedwe/ip route check- amakulolani kuti muwone njira yomwe paketiyo idzatumizidwa, sikugwira ntchito ndi matebulo oyendetsa/ping routing-table=<name>ΠΈ/tool traceroute routing-table=<name>- ping ndi kufufuza pogwiritsa ntchito tebulo lomwe latchulidwaaction=logΠ²[IP]->[Firewall]- chida chabwino kwambiri chomwe chimakupatsani mwayi wofufuza njira ya paketi pakuyenda kwa paketi, izi zimapezeka muunyolo ndi matebulo onse.
Source: www.habr.com