O le fa'asologa o le fa'agasologa o le sailia o le ala sili mo le fa'asalalauina o pepa i luga o feso'otaiga TCP/IP. So'o se masini e fa'afeso'ota'i ile IPv4 feso'ota'iga o lo'o iai se fa'agasolo ma fa'asologa o laulau.
O lenei tusiga e le o se HOWTO, o loʻo faʻamatalaina ai le taʻavale faʻasolosolo i RouterOS ma faʻataʻitaʻiga, na ou faʻateʻaina ma le loto i ai le vaega o totoe (mo se faʻataʻitaʻiga, srcnat mo le mauaina o le Initaneti), o le malamalama i mea e manaʻomia ai se tulaga faʻapitoa o fesoʻotaʻiga ma RouterOS.
Suiga ma ala
O le fesuia'iga o le fa'agasologa lea o le fesuia'i o pepa i totonu o le tasi vaega Layer2 (Ethernet, ppp, ...). Afai e vaʻaia e le masini o loʻo i luga ole laiga Ethernet tutusa le tagata o loʻo mauaina, na te aʻoaʻoina le tuatusi mac e faʻaaoga ai le arp protocol ma faʻasalalau saʻo le pepa, e ala i le alalaupapa. O se feso'ota'iga ppp (point-to-point) e mafai ona na'o le to'alua tagata auai ma o le afifi e lafo i taimi uma i le tuatusi e tasi 0xff.
O le fa'asologa o le fa'agasologa o le fesiitaiga o afifi i le va o Layer2 vaega. Afai e manaʻo se masini e lafo se afifi o loʻo i fafo atu o le vaega o Ethernet, e vaʻavaʻai i lana laulau faʻasolosolo ma pasi atu le pepa i le faitotoʻa, lea na te iloa le mea e tuʻuina atu ai le pepa e sosoo ai (pe atonu e le iloa, o le tagata na auina atu le pepa. e le o iloa lenei mea).
O le auala pito sili ona faigofie e mafaufau ai i se alalaupapa o se masini e fesoʻotaʻi i le lua pe sili atu vaega Layer2 ma mafai ona pasi atu pepa i le va oi latou e ala i le fuafuaina o le auala sili mai le laulau faʻataʻavalevale.
Afai e te malamalama i mea uma, pe ua uma ona e iloaina, ona e faitau lea. Mo le vaega o totoe, ou te fautuaina malosi e te faamasani oe lava i se laʻititi, ae sili ona gafatia .
Fa'asologa i RouterOS ma PacketFlow
Toeitiiti lava o galuega fa'atino uma e feso'ota'i ma ta'avale fa'asolosolo o lo'o i totonu o le afifi faiga. taga palasitika maneta fa'aopoopoina le lagolago mo fa'asologa fa'asolosolo fa'asolosolo (RIP, OSPF, BGP, MME), Filifiliga Fa'atonu ma le BFD.
Menu autu mo le setiina o auala: [IP]->[Route]. O faiga lavelave atonu e mana'omia ai le fa'ailoga muamua o afifi ma se fa'ailoga fa'aala i totonu: [IP]->[Firewall]->[Mangle] ( filifili PREROUTING и OUTPUT).
E tolu nofoaga i luga ole PacketFlow e faia ai fa'ai'uga fa'ata'ita'iina o pusa IP:
- Fa'ata'ita'iina pepa na maua e le router. I lenei laʻasaga, ua filifili pe o le a alu le afifi i le faʻalapotopotoga faʻapitonuʻu pe o le a tuʻuina atu i luga ole fesoʻotaʻiga. E maua pusa fe'avea'i Faʻamatalaga Faʻatino
- Fa'ata'ita'iina o taga i fafo. E maua mai afifi o fafo Faʻamatalaga Faʻatino
- Laasaga fa'aopoopo fa'aalaala mo pepa o lo'o alu i fafo, e mafai ai ona e sui le fa'ai'uga fa'aala i totonu
[Output|Mangle]
- O le ala packet i poloka 1, 2 e faʻalagolago i tulafono i totonu
[IP]->[Route] - O le ala o pusa i vaega 1, 2 ma le 3 e faʻalagolago i tulafono i totonu
[IP]->[Route]->[Rules] - O le ala afifi i poloka 1, 3 e mafai ona faʻaaogaina
[IP]->[Firewall]->[Mangle]
RIB, FIB, Cache Fa'aalaala
Fa'amatalaga Fa'amatalaga Fa'aalaala
Le fa'avae o lo'o aoina mai ai auala mai ta'iala fa'agasolo, auala mai le ppp ma le dhcp, auala fa'atutu ma feso'ota'i. O lenei fa'amaumauga o lo'o i ai auala uma, se'i vagana ai na fa'amamāina e le pule.
Tulaga, e mafai ona tatou faapea [IP]->[Route] faʻaalia RIB.
Tu'u Atu Fa'amatalaga Fa'amatalaga
Le fa'avae o lo'o aoina ai auala sili mai le RIB. O auala uma ile FIB o lo'o fa'agaoioia ma fa'aoga e lafo atu ai pepa. Afai o le auala e le o galue (faʻaletonu e le pule (faiga), poʻo le faʻaoga e tatau ona lafo ai le pusa e le o galue), e aveese le auala mai le FIB.
Ina ia faia se fa'ai'uga ta'avale, o lo'o fa'aogaina e le laulau FIB fa'amatalaga nei e uiga i se pusa IP:
- Tulaga Punavai
- Tuatusi Taunuuga
- fa'apogai puna
- Faailoga auala
- ToS (DSCP)
O le ulufale atu i le pusa FIB e alu i laʻasaga nei:
- Po'o fa'amoemoe le afifi mo se fa'agasologa o le router i le lotoifale?
- O le pepa e fa'atatau i le faiga po'o le fa'aoga tulafono PBR?
- Afai e ioe, ona auina atu lea o le afifi i le laulau fa'atonu
- E auina atu le afifi i le laulau autu
Tulaga, e mafai ona tatou faapea [IP]->[Route Active=yes] faʻaalia FIB.
Fa'asinoala Cache
Auala e teu ai masini. E manatua e le router le mea na lafo ai pepa ma afai e iai ni mea tutusa (atonu mai le fesoʻotaʻiga tutusa) e faʻatagaina latou e alu i le ala lava e tasi, e aunoa ma le siakiina o le FIB. E fa'amama i lea taimi ma lea taimi le fa'aogaina o le auala.
Mo RouterOS pule, latou te le'i faia ni mea faigaluega mo le matamataina ma le puleaina o le Routing Cache, ae pe a mafai ona fa'aletonu i totonu. [IP]->[Settings].
O lenei masini na aveese mai le linux 3.6 kernel, ae o loʻo faʻaaogaina pea e le RouterOS le kernel 3.3.5, masalo o le Routing cahce o se tasi lea o mafuaʻaga.
Fa'aopoopo le talanoaga i le auala
[IP]->[Route]->[+]
- Subnet e te mana'o e fai ai se auala (fa'aoga: 0.0.0.0/0)
- Gateway IP poʻo le atinaʻe o le a lafo i ai le pepa (atonu e tele, vaʻai ECMP i lalo)
- Siaki Avanoa Gateway
- Ituaiga faamaumauga
- Mamao (metric) mo se auala
- laulau fa'ata'ita'i
- IP mo pa'u fafo i le lotoifale e ala i lenei auala
- O le faʻamoemoega o le Scope ma le Target Scope o loʻo tusia i le faaiuga o le tusiga.
Fu'a ala
- X - O le auala ua le mafai e le pule (
disabled=yes) - A - O le auala e faʻaaogaina e lafo ai pusa
- D - Fa'aopoopo le auala (BGP, OSPF, RIP, MME, PPP, DHCP, Feso'ota'i)
- C - O loʻo fesoʻotaʻi saʻo le subnet i le router
- S - Auala tumau
- r,b,o,m - Auala ua fa'aopoopoina e se tasi o fa'atonuga fa'aola
- B,U,P - Filifiliga ala (tu'u pepa nai lo le lafoina)
O le a le mea e faʻamaonia i le faitotoa: ip-address poʻo le atinaʻe?
O le faiga e mafai ai ona e faʻamaonia uma, ae e le palauvale ma e le tuʻuina atu faʻamatalaga pe a e faia se mea sese.
Tuatusi IP
Ole tuatusi ole faitotoa e tatau ona avanoa ile Layer2. Mo Ethernet, o lona uiga o le router e tatau ona i ai se tuatusi mai le subnet tutusa i luga o se tasi o fesoʻotaʻiga ip galue, mo ppp, o le tuatusi faitotoa o loʻo faʻamaonia i luga o se tasi o fesoʻotaʻiga galue e pei o le tuatusi subnet.
Afai e le ausia le tulaga avanoa mo Layer2, o le auala e manatu e le aoga ma e le pa'ū i totonu ole FIB.
Ofisa
O mea uma e sili atu ona faigata ma o le amio a le router e faʻalagolago i le ituaiga atinaʻe:
- PPP (Async, PPTP, L2TP, SSTP, PPPoE, OpenVPN *) fesoʻotaʻiga e naʻo le toʻalua tagata auai ma o le a tuʻuina atu le pepa i le faitotoʻa mo le faʻasalalau, pe a iloa e le faitotoa o le tagata e mauaina o ia lava, ona faʻafeiloaʻi lea o le pepa i. o lana faiga fa'alotoifale.
- E talia e Ethernet le i ai o le tele o tagata auai ma o le a tuʻuina atu talosaga i le arp interface ma le tuatusi o le tagata e mauaina le afifi, o lenei mea e faʻamoemoeina ma masani masani mo auala fesoʻotaʻi.
Ae a e taumafai e faʻaoga le atinaʻe e fai ma auala mo se subnet mamao, o le ae mauaina le tulaga lenei: o le auala o loʻo galue, ping i le faitotoa e pasi, ae le oʻo atu i le tagata e mauaina mai le subnet faʻamaonia. Afai e te vaʻai i le faʻaoga e ala i se sniffer, o le a e vaʻai i talosaga arp ma tuatusi mai se subnet mamao.
Taumafai e faʻamaonia le tuatusi IP e fai ma faitotoʻa pe a mafai. O le tuusaunoaga o auala fesoʻotaʻi (faia otometi) ma PPP (Async, PPTP, L2TP, SSTP, PPPoE, OpenVPN *) fesoʻotaʻiga.
OpenVPN e leai se ulutala PPP, ae e mafai ona e faʻaogaina le igoa OpenVPN interface e fai ai se auala.
Auala Fa'apitoa
Tulafono fa'aauala masani. O le auala e fa'amatala ai le la'ititi la'ititi (fa'atasi ai ma le pito sili ona tele) e fa'amuamua i le fa'ai'uga a le pusa. O le tulaga o faʻamaumauga i le laulau faʻataʻavalevale e le talafeagai i le filifiliga - o le tulafono autu e sili atu ona faʻapitoa.
O auala uma mai le polokalame faʻamaonia o loʻo galue (o loʻo i totonu o le FIB). faasino i subnet eseese ma aua le fete'ena'i le tasi ma le isi.
Afai e le maua se tasi o faitoto'a, o le a fa'apea o le auala e feso'ota'i ai e le o toaga (ave'esea mai le FIB) ma o le a su'e pepa mai isi auala.
Ole ala ile subnet 0.0.0.0/0 o nisi taimi e tuʻuina atu ai se uiga faʻapitoa ma e taʻua o le "Ala Faʻatonu" poʻo le "Gateway of last resort". O le mea moni, e leai se mea faʻapitoa i totonu ma e aofia uma ai tuatusi IPv4 e mafai, ae o nei igoa e faʻamatala lelei lana galuega - e faʻaalia ai le faitotoa e tuʻuina atu ai pepa e leai se isi auala sili atu ona saʻo.
Ole pito maualuga ole subnet mask mo IPv4 ole /32, ole ala lea e faasino ile talimalo ma'oti ma e mafai ona fa'aoga ile laulau ta'avale.
Malamalama i Auala Fa'apitoa Fa'apitoa e fa'avae i so'o se masini TCP/IP.
mamao
O mamao (po'o Fuafuaga) e mana'omia mo le fa'atonuina o le fa'amamaina o auala i se la'ititi e tasi e mafai ona maua i le tele o faitoto'a. O se auala e maualalo le metric ua manatu o se fa'amuamua ma o le a aofia i le FIB. Afai e le toe fa'agaoioia se auala e maualalo le metric, ona suia lea i se auala e maualuga atu le metric ile FIB.
Afai e tele auala i le subnet tutusa ma le metric tutusa, o le a faʻaopoopo e le router le tasi o latou i le laulau FIB, taʻitaʻia e lona mafaufau i totonu.
Ole metric e mafai ona ave se tau mai le 0 i le 255:
- 0 - Fuafuaga mo auala feso'ota'i. O le mamao 0 e le mafai ona seti e le pule
- 1-254 - Fuafuaga avanoa i le pule mo le setiina o auala. O fua fa'atatau e maualalo le tau e maualuga lona fa'amuamua
- 255 - Metric e avanoa i le pule mo le setiina o auala. E le pei o le 1-254, o se auala e iai le metric o le 255 e tumau pea le le toaga ma e le pa'ū i le FIB.
- fua fa'atatau. O auala e maua mai i fa'asologa fa'asolosolo fa'asolosolo e iai fua fa'atatau masani
siaki faitotoa
Siaki faitotoa o se faʻaopoopoga MikroTik RoutesOS mo le siakiina o le avanoa o le faitotoa e ala ile icmp poʻo le arp. E tasi i le 10 sekone (e le mafai ona suia), e lafo atu se talosaga i le faitotoa, afai e le maua faalua le tali, o le auala e manatu e le maua ma aveese mai le FIB. Afai ua fa'aletonu le faitoto'a siaki e fa'aauau pea le ala siaki ma o le a toe fa'agaoioia le auala pe a mae'a se siaki manuia.
Check gateway e fa'amalo le ulufale i totonu o lo'o fa'atulaga ai ma isi fa'amaumauga uma (i laulau fa'ata'ita'i uma ma ala ecmp) fa'atasi ai ma le faitoto'a fa'apitoa.
I se tulaga lautele, siaki faitotoa e galue lelei pe afai e leai ni faʻafitauli i le gau o le pepa i le faitotoa. Check gateway e le iloa le mea o loʻo tupu i fesoʻotaʻiga i fafo atu o le faitotoʻa siaki, e manaʻomia ai meafaigaluega faʻaopoopo: faʻamaumauga, faʻasologa faʻasolosolo, faʻasologa faʻamalosi.
Ole tele ole VPN ma le tunnel protocols o lo'o iai meafaigaluega fa'apipi'i mo le siakiina o gaioiga feso'ota'iga, e mafai ai ona siaki faitotoa mo latou o se uta fa'aopoopo (ae la'ititi) i luga o feso'otaiga ma fa'atinoga o masini.
ECMP auala
Equal-Cost Multi-Path - auina atu pepa i le tagata e mauaina e faʻaaoga ai le tele o faitotoa i le taimi e tasi e faʻaaoga ai le Round Robin algorithm.
O se auala ECMP e faia e le pule e ala i le faʻamaotiina o faitotoa e tele mo le tasi subnet (pe otometi, pe a fai e lua auala OSPF tutusa).
O le ECMP e faʻaaogaina mo le paleni o uta i le va o auala e lua, i le talitonuga, pe a iai ni auala se lua i le auala ecmp, ona tatau lea ona ese le auala i fafo mo pepa taʻitasi. Ae o le Routing cache mechanism e auina atu afifi mai le fesoʻotaʻiga i luga o le auala na ave e le pepa muamua, o se taunuuga, tatou te maua se ituaiga o paleni e faʻavae i luga o fesoʻotaʻiga (per-connection loading balancing).
Afai e te faʻamalo le Routing Cache, o le a faʻasoa saʻo pepa i le auala ECMP, ae o loʻo i ai se faʻafitauli ile NAT. Ole tulafono ole NAT e fa'agasolo na'o le pepa muamua mai le feso'ota'iga (o le isi vaega e fa'agasolo otometi), ma e foliga mai o pepa fa'atasi ai ma tuatusi fa'apogai e tu'u ese ai feso'ota'iga.
Siaki faitotoa e le aoga i ala ECMP (RouterOS bug). Ae e mafai ona e faʻaogaina lenei tapulaʻa e ala i le fatuina o auala faʻamaonia faaopoopo e faʻamalo ai faʻamaumauga i le ECMP.
Filifiliga e ala ile Fa'aalaala
O le ituaiga filifiliga e fuafua ai le mea e fai i le afifi:
- unicast - lafo i le faitoto'a fa'apitoa (interface)
- blackhole - lafoa'i se taga
- fa'asa, le mafai ona o'o atu - lafoa'i le pepa ae lafo se fe'au icmp i le tagata na lafo
E masani ona fa'aoga le filiga pe a mana'omia e fa'amautu le tu'uina atu o pepa i luga o le ala sese, ioe, e mafai ona e fa'amamaina lenei mea e ala i le pa puipui.
O nai faataitaiga
Ina ia tuufaatasia mea faavae e uiga i le auala.
Ulafale masani ile fale
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1- Auala tumau i le 0.0.0.0/0 (auala masani)
- Auala feso'ota'i i luga o le fa'aoga ma le tagata e tu'uina atu
- Auala feso'ota'i ile fa'aoga LAN
Ole ala masani ile fale ile PPPoE
- Auala fa'amau i le ala fa'aletonu, fa'aopoopo otometi. o lo'o fa'amaoti mai i meatotino feso'ota'iga
- Auala feso'ota'i mo feso'ota'iga PPP
- Auala feso'ota'i ile fa'aoga LAN
Fa'ata'ita'iga fa'asalalau fale e lua 'au'aunaga ma toe fa'aola
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 distance=2- Auala fa'ata'atia i le auala fa'aletonu e ala i le 'au'aunaga muamua ma le metric 1 ma le siakiina o avanoa avanoa
- Auala fa'ata'atia ile auala fa'aletonu ile kamupani lona lua ile metric 2
- Auala fesootai
Ta'avale i le 0.0.0.0/0 e alu i le 10.10.10.1 a'o avanoa lenei faitotoa, a leai e sui i le 10.20.20.1
O sea faiga e mafai ona ta'ua o se fa'aagaga auala, ae e leai ni fa'aletonu. Afai e tupu se malologa i fafo atu o le faitotoa o le kamupani (mo se faʻataʻitaʻiga, i totonu o le fesoʻotaʻiga a le tagata faʻatautaia), o le a le iloa e lau router ma o le a faʻaauau pea ona mafaufau i le auala o loʻo galue.
Ole ala masani ile fale ile lua e tu'uina atu, redundancy ma le ECMP
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.10.1,10.20.20.1 distance=1- Auala tumau mo le siakiina o faitotoa o le chack
- ECMP auala
- Auala fesootai
O auala e siaki ai e lanumoana (le lanu o auala e le o toaga), ae e le fa'alavelaveina le faitotoa o siaki. O le lomiga o loʻo iai nei (6.44) o le RoS e tuʻuina atu ai le faʻamuamua otometi i le auala ECMP, ae sili atu le faʻaopoopoina o auala faʻataʻitaʻi i isi laulau taʻavale (filifiliga routing-mark)
I luga o le Speedtest ma isi nofoaga faapena, o le a leai se faʻateleina o le saoasaoa (ECMP vaeluaina feoaiga i fesoʻotaʻiga, ae le o paʻu), ae o p2p talosaga e tatau ona vave sii mai.
Filifiliga e ala ile Fa'aala
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1
add dst-address=192.168.200.0/24 gateway=10.30.30.1 distance=1
add dst-address=192.168.200.0/24 gateway=10.10.10.1 distance=2 type=blackhole- Ala fa'atete'e ile ala fa'aletonu
- Auala tumau i le 192.168.200.0/24 i luga ole alavai ipip
- Faʻasaina le ala faʻasolosolo ile 192.168.200.0/24 e ala ile ISP router
O se filifiliga filiga lea e le alu ai le alalaupapa auala i le router's provider pe a le atoatoa le ipip interface. O ia faiga e seasea manaomia, aua e mafai ona e faia le polokaina e ala i le pa puipui.
Ta'amilosaga ta'avale
Ta'avale fa'aalaala - ose tulaga pe a alu se afifi i le va o alaala a'o le'i muta le ttl. E masani lava o le iʻuga o se faʻasologa o mea sese, i totonu o fesoʻotaʻiga tetele e togafitia e ala i le faʻatinoina o faʻataʻitaʻiga faʻatautaia, i mea laiti - ma le faʻaeteete.
E pei o lenei:
O se faʻataʻitaʻiga (sili ona faigofie) o le auala e maua ai se tali tutusa:
O le fa'ata'ita'iga o le Routing loop e leai se fa'aoga aoga, ae e fa'aalia ai e leai se manatu o le au ta'avale e uiga i le laulau ta'avale a latou tuaoi.
Faiga Fa'avae Fa'ata'ita'iga ma Laulau Fa'aopoopo
Pe a filifilia se auala, e faʻaaogaina e le router naʻo le tasi le fanua mai le ulutala packet (Dst. Address) - o le auala autu lea. Fa'asinomaga e fa'atatau i isi tulaga, e pei ole tuatusi fa'apogai, ituaiga o fe'avea'i (ToS), paleni e aunoa ma le ECMP, e iai ile Faiga Fa'avae Fa'atonu (PBR) ma fa'aoga laulau fa'aopoopo.
Auala Fa'apitoa o le tulafono autu o le filifilia o auala i totonu o le laulau auala.
Ona o le faaletonu, ua faaopoopo uma tulafono faatonutonu i le laulau autu. E mafai e le pule ona fa'atupuina se numera fa'aopoopo o laulau fa'aola fa'aopoopo ma fa'aputu auala ia i latou. O tulafono i laulau eseese e le fete'ena'i le tasi ma le isi. Afai e le maua e le afifi se tulafono talafeagai i le laulau faʻamaonia, o le a alu i le laulau autu.
Fa'ata'ita'iga ma tufatufaga e ala i le Pa puipui:
- 192.168.100.10 -> 8.8.8.8
- Fa'ailoga mai le 192.168.100.10 ala-isp1 в
[Prerouting|Mangle] - I le tulaga Fa'auala ile laulau ala-isp1 su'e se auala i le 8.8.8.8
- Ua maua le auala, ua auina atu taavale i le faitotoa 10.10.10.1
- Fa'ailoga mai le 192.168.100.10 ala-isp1 в
- 192.168.200.20 -> 8.8.8.8
- Fa'ailoga mai le 192.168.200.20 ala-isp2 в
[Prerouting|Mangle] - I le tulaga Fa'auala ile laulau ala-isp2 su'e se auala i le 8.8.8.8
- Ua maua le auala, ua auina atu taavale i le faitotoa 10.20.20.1
- Fa'ailoga mai le 192.168.200.20 ala-isp2 в
- Afai e le maua se tasi o faitotoa (10.10.10.1 po o le 10.20.20.1), ona alu lea o le afifi i le laulau. tele ma o le a vaavaai mo se auala talafeagai iina
Fa'amatalaga mataupu
O loʻo i ai i le RouterOS nisi faʻamatalaga faʻamatalaga.
Pe a galue ma tulafono i totonu [IP]->[Routes] o loʻo faʻaalia le laulau faʻasolosolo, e ui lava o loʻo tusia o le igoa:
В [IP]->[Routes]->[Rule] e saʻo mea uma, i le tulaga faʻailoga i le gaioiga o le laulau:
Fa'afefea ona lafo se afifi i se laulau fa'ata'ita'i fa'apitoa
RouterOS e maua ai le tele o meafaigaluega:
- Tulafono i
[IP]->[Routes]->[Rules] - Fa'ailoga auala (
action=mark-routing) i[IP]->[Firewall]->[Mangle] - VRF
Tulafono [IP]->[Route]->[Rules]
O tulafono e fa'agasolo fa'asolosolo, pe a fetaui le afifi ma tulaga o le tulafono, e le toe pasi.
Tulafono Fa'atonutonu e fa'ataga ai oe e fa'alautele le avanoa o le fa'aogaina, fa'alagolago e le gata i le tuatusi o lo'o mauaina, ae fa'apea fo'i ile tuatusi fa'apogai ma le fa'aoga na maua ai le pepa.
O tulafono e aofia ai aiaiga ma se gaioiga:
- Tulaga. Toe fai le lisi o faʻailoga e siaki ai le afifi i le FIB, naʻo ToS o loʻo misi.
- Gaioiga
- su'e - lafo se afifi ile laulau
- su'e na'o le laulau - loka le afifi i le laulau, afai e le maua le auala, o le a le alu le afifi i le laulau autu
- tu'u - tu'u se afifi
- e le mafai ona o'o i ai - lafoa'i le pepa ma fa'ailoa mai e le au lafo
I totonu o le FIB, o felauaiga i faiga fa'apitonu'u o lo'o fa'agasolo i lalo o tulafono [IP]->[Route]->[Rules]:
Faailoga [IP]->[Firewall]->[Mangle]
Fa'ailoga fa'asologa e fa'ataga ai oe e fa'atulaga le faitoto'a mo se afifi e fa'aoga toetoe lava o so'o se Pa puipui:
Fa'ata'ita'i, aua e le o mea uma e talafeagai, ma o nisi e mafai ona fa'aletonu.
E lua auala e fa'ailoga ai se afifi:
- Tuu loa fa'ailoga auala
- Fa'amuamua fa'ailoga feso'ota'iga, ona faavae lea i luga fa'ailoga feso'ota'iga e tuu fa'ailoga auala
I se tusiga e uiga i firewalls, na ou tusia o le filifiliga lona lua e sili. faʻaitiitia le uta i luga o le cpu, i le tulaga o le makaina o auala - e leʻo atoatoa lenei mea. O nei faiga fa'ailoga e le tutusa i taimi uma ma e masani ona fa'aoga e foia ai fa'afitauli eseese.
Faataitaiga Faʻaaoga
Sei o tatou agai i luma i faʻataʻitaʻiga o le faʻaaogaina o Faiga Faʻavae Faʻavae, e sili atu ona faigofie ona faʻaalia pe aisea e manaʻomia ai nei mea uma.
TeleWAN ma toe fo'i atu i fafo (Output) feoaiga
O se faʻafitauli masani i se faʻatulagaga MultiWAN: Mikrotik e maua mai le Initaneti naʻo se "galue" e tuʻuina atu.
E le popole le router po'o le a le ip na o'o mai ai le talosaga, pe a fa'atupuina se tali, o le a va'ava'ai mo se auala i le laulau ta'avale lea o lo'o galue ai le ala i le isp1. E le gata i lea, o sea afifi o le a sili atu ona faamamaina i luga o le ala i le tagata e mauaina.
O le isi manatu manaia. Afai o se "faigofie" puna nat ua faʻapipiʻiina i luga o le ether1 interface: /ip fi nat add out-interface=ether1 action=masquerade o le a alu le afifi i luga ole laiga ma src. address=10.10.10.100, lea e atili ai ona leaga.
E tele auala e foia ai le faʻafitauli, ae o soʻo se tasi o ia mea e manaʻomia ai ni laulau faʻaopoopo:
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 check-gateway=ping distance=2
add dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 routing-mark=over-isp2Faaaoga [IP]->[Route]->[Rules]
Fa'ailoa le laulau fa'ata'ita'i o le a fa'aogaina mo afifi o lo'o iai le Source IP.
/ip route rule
add src-address=10.10.10.100/32 action=lookup-only-in-table table=over-isp1
add src-address=10.20.20.200/32 action=lookup-only-in-table table=over-isp2E mafai ona faʻaaoga action=lookup, ae mo feoaiga i fafo i le lotoifale, o lenei filifiliga e matua le aofia ai fesoʻotaʻiga mai le faʻaoga sese.
- O le faiga e faʻatupuina ai se pusa tali ma Src. Tuatusi: 10.20.20.200
- Ole Fa'ai'uga Fa'auala(2) e siaki
[IP]->[Routes]->[Rules]ma o le afifi e auina atu i le laulau auala ova-isp2 - E tusa ai ma le laulau taʻavale, e tatau ona lafo le afifi i le faitotoa 10.20.20.1 e ala i le ether2 interface
Ole auala lea e le mana'omia ai se Su'e Feso'ota'iga galue, e le pei ole fa'aogaina ole laulau Mangle.
Faaaoga [IP]->[Firewall]->[Mangle]
E amata le feso'ota'iga i se afifi o lo'o sau, o lea matou te makaina (action=mark-connection), mo pepa o lo'o alu ese mai se feso'ota'iga ua fa'ailogaina, fa'atulaga le fa'ailoga o le ta'avale (action=mark-routing).
/ip firewall mangle
#Маркировка входящих соединений
add chain=input in-interface=ether1 connection-state=new action=mark-connection new-connection-mark=from-isp1
add chain=input in-interface=ether2 connection-state=new action=mark-connection new-connection-mark=from-isp2
#Маркировка исходящих пакетов на основе соединений
add chain=output connection-mark=from-isp1 action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=output connection-mark=from-isp2 action=mark-routing new-routing-mark=over-isp2 passthrough=noAfai e tele ips ua faʻapipiʻiina i luga o le tasi faʻaoga, e mafai ona e faʻaopopo i le tulaga dst-address ia mautinoa.
- O se afifi e tatalaina le fesoʻotaʻiga i luga o le ether2 interface. O le afifi e alu i totonu
[INPUT|Mangle]lea e fai mai e maka uma afifi mai le sootaga e pei mai-isp2 - O le faiga e faʻatupuina ai se pusa tali ma Src. Tuatusi: 10.20.20.200
- I le laasaga o le Faʻatonuga (2), o le pepa, e tusa ai ma le laulau faʻasolosolo, e lafoina i le faitotoa 10.20.20.1 e ala i le ether1 interface. E mafai ona e faʻamaonia lenei mea e ala i le taina o afifi i totonu
[OUTPUT|Filter] - I le tulaga
[OUTPUT|Mangle]ua siaki le igoa sootaga mai-isp2 ma e maua e le afifi se igoa o le auala ova-isp2 - Ole Laasaga ole Fa'atonuga(3) e siaki ai le iai ole igoa ole ta'avale ma auina atu ile laulau talafeagai.
- E tusa ai ma le laulau taʻavale, e tatau ona lafo le afifi i le faitotoa 10.20.20.1 e ala i le ether2 interface
TeleWAN ma toe fa'afo'i fa'atauga dst-nat
O se faʻataʻitaʻiga e sili atu ona faigata, o le a le mea e fai pe a iai se 'auʻaunaga (mo se faʻataʻitaʻiga, upega tafaʻilagi) i tua o le router i luga o se upega tafaʻilagi tumaoti ma e te manaʻomia le tuʻuina atu o avanoa i ai e ala i soʻo se kamupani e tuʻuina atu.
/ip firewall nat
add chain=dstnat proto=tcp dst-port=80,443 in-interface=ether1 action=dst-nat to-address=192.168.100.100
add chain=dstnat proto=tcp dst-port=80,443 in-interface=ether2 action=dst-nat to-address=192.168.100.100Ole aano o le faʻafitauli o le a tutusa, o le fofo e tutusa ma le Firewall Mangle filifiliga, naʻo isi filifili o le a faʻaaogaina:
/ip firewall mangle
add chain=prerouting connection-state=new in-interface=ether1 protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=web-input-isp1
add chain=prerouting connection-state=new in-interface=ether2 protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=web-input-isp2
add chain=prerouting connection-mark=web-input-isp1 in-interface=ether3 action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=prerouting connection-mark=web-input-isp2 in-interface=ether3 action=mark-routing new-routing-mark=over-isp2 passthrough=no
O le ata e le o faʻaalia le NAT, ae ou te manatu o loʻo manino mea uma.
TeleWAN ma feso'ota'iga i fafo
E mafai ona e faʻaogaina le malosi o le PBR e fatuina ai le tele o vpn (SSTP i le faʻataʻitaʻiga) fesoʻotaʻiga mai fesoʻotaʻiga alalaupapa eseese.
Siata fa'aopoopo fa'asologa:
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.100.1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=192.168.200.1 routing-mark=over-isp2
add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-mark=over-isp3
add dst-address=0.0.0.0/0 gateway=192.168.100.1 distance=1
add dst-address=0.0.0.0/0 gateway=192.168.200.1 distance=2
add dst-address=0.0.0.0/0 gateway=192.168.0.1 distance=3Faailoga o afifi:
/ip firewall mangle
add chain=output dst-address=10.10.10.100 proto=tcp dst-port=443 action=mark-routing new-routing-mark=over-isp1 passtrough=no
add chain=output dst-address=10.10.10.101 proto=tcp dst-port=443 action=mark-routing new-routing-mark=over-isp2 passtrough=no
add chain=output dst-address=10.10.10.102 proto=tcp dst-port=443 action=mark-routing new-routing-mark=over-isp3 passtrough=noO tulafono faigofie a le NAT, a leai o le a tuʻua e le afifi le faʻaoga ma le Src sese. tuatusi:
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
add chain=srcnat out-interface=ether3 action=masqueradeFasiga:
- E faia e le Router tolu faiga SSTP
- I le Fa'ai'uga Fa'aalaala (2), ua filifilia se ala mo nei fa'agasologa e fa'avae i luga o le laulau fa'aauala autu. Mai le auala lava e tasi, e maua e le pepa Src. O le tuatusi o lo'o fusifusia i le ether1 interface
- В
[Output|Mangle]pepa mai feso'ota'iga eseese e maua fa'ailoga eseese - O afifi e ulufale i laulau e fetaui ma fa'ailoga i le Fa'atonuga Fa'atonu tulaga ma maua ai se auala fou mo le lafoina o pepa.
- Ae o afifi o loʻo i ai pea Src. Tulaga mai le ether1, i luga o le tulaga
[Nat|Srcnat]e sui le tuatusi e tusa ai ma le faʻaoga
O le mea e malie ai, i luga o le router o le ae vaʻai i le laulau fesoʻotaʻiga lea:
So'oga Su'esu'e e galue muamua [Mangle] и [Srcnat], o lea e sau uma fesoʻotaʻiga mai le tuatusi e tasi, pe a e vaʻai atili i auiliiliga, ona i totonu Replay Dst. Address o le ai ai tuatusi pe a uma le NAT:
I luga o le VPN server (e i ai laʻu tasi i luga o le nofoa suʻega), e mafai ona e vaʻaia o fesoʻotaʻiga uma e sau mai tuatusi saʻo:
Taofi i luga le ala
O loʻo i ai se auala faigofie, e mafai ona e faʻamaonia se faitotoa faʻapitoa mo tuatusi taʻitasi:
/ip route
add dst-address=10.10.10.100 gateway=192.168.100.1
add dst-address=10.10.10.101 gateway=192.168.200.1
add dst-address=10.10.10.102 gateway=192.168.0.1Ae o ia auala o le a aafia ai e le gata i fafo ae faapea foi felauaiga. Ma le isi, afai e te le manaʻomia le fefaʻatauaʻiga i le vpn server e alu i auala fesoʻotaʻiga le talafeagai, ona e manaʻomia lea e faʻaopoopo 6 isi tulafono i [IP]->[Routes]с type=blackhole. I le lomiga muamua - 3 tulafono i totonu [IP]->[Route]->[Rules].
Fa'asoaina o feso'ota'iga a tagata e ala i feso'ota'iga
Faigofie, galuega i aso uma. Ma toe, o le a manaʻomia ni laulau faʻaola faaopoopo:
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=1 routing-mark=over-isp2Faʻaaogaina [IP]->[Route]->[Rules]
/ip route rules
add src-address=192.168.100.0/25 action=lookup-only-in-table table=over-isp1
add src-address=192.168.100.128/25 action=lookup-only-in-table table=over-isp2Afai e te faʻaaogaina action=lookup, pe a faʻaletonu se tasi o auala, o le a alu le taʻavale i le laulau autu ma alu i le auala galue. Pe talafeagai pe leai e fa'alagolago i le galuega.
Faʻaaogaina o faʻailoga i totonu [IP]->[Firewall]->[Mangle]
O se faʻataʻitaʻiga faigofie ma lisi o tuatusi IP. I le mataupu faavae, toetoe lava o soʻo se tulaga e mafai ona faʻaaogaina. Na o le pau lava le faʻamatalaga o le layer7, e tusa lava pe faʻapipiʻi ma faʻamaufaʻailoga fesoʻotaʻiga, e foliga mai o loʻo lelei mea uma, ae o nisi o auala o le a alu i le ala sese.
/ip firewall mangle
add chain=prerouting src-address-list=users-over-isp1 dst-address-type=!local action=mark-routing new-routing-mark=over-isp1
add chain=prerouting src-address-list=users-over-isp2 dst-address-type=!local action=mark-routing new-routing-mark=over-isp2E mafai ona e "loka" tagata fa'aoga i totonu o le laulau e tasi e ta'avale ai [IP]->[Route]->[Rules]:
/ip route rules
add routing-mark=over-isp1 action=lookup-only-in-table table=over-isp1
add routing-mark=over-isp2 action=lookup-only-in-table table=over-isp2Poo le ala [IP]->[Firewall]->[Filter]:
/ip firewall filter
add chain=forward routing-mark=over-isp1 out-interface=!ether1 action=reject
add chain=forward routing-mark=over-isp2 out-interface=!ether2 action=rejectToe solomuli pro dst-address-type=!local
Tulaga faaopoopo dst-address-type=!local e manaʻomia le feʻaveaʻi mai tagata faʻaoga e oʻo atu i faiga faʻapitonuʻu o le router (dns, winbox, ssh, ...). Afai e fesoʻotaʻi le tele o subnets i le lotoifale i le router, e tatau ona faʻamautinoa o le fefaʻatauaiga i le va o latou e le alu i luga ole Initaneti, mo se faʻataʻitaʻiga, faʻaaogaina dst-address-table.
I le faʻataʻitaʻiga faʻaaogaina [IP]->[Route]->[Rules] e leai ni tuusaunoaga faapea, ae oo atu felauaiga i faiga faalotoifale. O le mea moni o le ulufale atu i totonu o le pusa FIB ua faailogaina i totonu [PREROUTING|Mangle] ei ai le igoa o le auala ma alu i totonu o se laulau fa'ata'avalevale e ese mai le autu, lea e leai se fa'aoga fa'apitonu'u. I le tulaga o Tulafono Faʻatonu, muamua e siaki pe o le afifi e faʻamoemoe mo se faʻalapotopotoga faʻapitonuʻu ma naʻo le User PBR stage e alu i le laulau faʻatonuina.
Faʻaaogaina [IP]->[Firewall]->[Mangle action=route]
O lenei gaioiga e naʻo le galue i totonu [Prerouting|Mangle] ma fa'atagaina oe e fa'atonuina le ta'avale i le faitoto'a fa'apitoa e aunoa ma le fa'aogaina o laulau fa'aopoopo fa'aala, e ala i le fa'ailoa sa'o o le tuatusi o le faitoto'a:
/ip firewall mangle
add chain=prerouting src-address=192.168.100.0/25 action=route gateway=10.10.10.1
add chain=prerouting src-address=192.168.128.0/25 action=route gateway=10.20.20.1aafiaga route e maualalo le fa'amuamua nai lo tulafono fa'atonutonu ([IP]->[Route]->[Rules]). I le tulaga o faailoga auala, e faalagolago mea uma i le tulaga o tulafono, pe afai o le tulafono ma action=route e sili atu le taua nai lo action=mark-route, ona faʻaaogaina lea (e tusa lava po o le a le fuʻa passtrough), a lē o lea e makaina le auala.
E itiiti lava faʻamatalaga i luga o le wiki e uiga i lenei gaioiga ma faʻaiuga uma e maua faʻataʻitaʻiga, i soʻo se tulaga, ou te leʻi mauaina ni filifiliga pe a faʻaaogaina lenei filifiliga e maua ai le lelei i luga o isi.
PPC faʻavae paleni faʻamalosi
Per Connection Classifier - o se fa'atusa sili atu ona fetu'una'i o le ECMP. E le pei o le ECMP, e vaeluaina feʻaveaʻi e ala i fesoʻotaʻiga sili atu ona saʻo (ECMP e le iloa se mea e uiga i fesoʻotaʻiga, ae a faʻatasi ma Routing Cache, e maua se mea faapena).
PCC ave fanua fa'apitoa mai le ulutala ip, liliu i latou i se tau 32-bit, ma vaevaeina e denominator. O le vaega o totoe o le vaega e faʻatusatusa i le faʻamaonia totoe ma afai latou te fetaui, ona faʻaaogaina lea o le gaioiga faʻapitoa. . E foliga valea, ae e aoga.
Faataitaiga e tolu tuatusi:
192.168.100.10: 192+168+100+10 = 470 % 3 = 2
192.168.100.11: 192+168+100+11 = 471 % 3 = 0
192.168.100.12: 192+168+100+12 = 472 % 3 = 1O se faʻataʻitaʻiga o le tufatufaina malosi o fefaʻatauaiga e ala i le src.address i le va o auala e tolu:
#Таблица маршрутизации
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.30.30.1 dist=3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=1 routing-mark=over-isp2
add dst-address=0.0.0.0/0 gateway=10.30.30.1 dist=1 routing-mark=over-isp3
#Маркировка соединений и маршрутов
/ip firewall mangle
add chain=prerouting in-interface=br-lan dst-address-type=!local connection-state=new per-connection-classifier=src-address:3/0 action=mark-connection new-connection-mark=conn-over-isp1
add chain=prerouting in-interface=br-lan dst-address-type=!local connection-state=new per-connection-classifier=src-address:3/1 action=mark-connection new-connection-mark=conn-over-isp2
add chain=prerouting in-interface=br-lan dst-address-type=!local connection-state=new per-connection-classifier=src-address:3/2 action=mark-connection new-connection-mark=conn-over-isp3
add chain=prerouting in-interface=br-lan connection-mark=conn-over-isp1 action=mark-routing new-routing-mark=over-isp1
add chain=prerouting in-interface=br-lan connection-mark=conn-over-isp2 action=mark-routing new-routing-mark=over-isp2
add chain=prerouting in-interface=br-lan connection-mark=conn-over-isp3 action=mark-routing new-routing-mark=over-isp3Pe a makaina auala, e iai se tulaga faaopoopo: in-interface=br-lan, e aunoa ma lalo ifo action=mark-routing tali fe'avea'i mai le Initaneti o le a maua ma, e tusa ai ma le fa'asologa o laulau, o le a toe fo'i atu i le kamupani.
Suia ala feso'ota'iga
Siaki ping o se meafaigaluega lelei, ae naʻo le siakiina o le fesoʻotaʻiga ma le IP lata ane, o fesoʻotaʻiga tuʻufaʻatasia e masani ona aofia ai le tele o alalaupapa ma e mafai ona tupu se vaeluaga i fafo atu o le tupulaga lata ane, ona i ai lea o le telefoni feaveaʻi e mafai foi. i ai faʻafitauli, i le tulaga lautele siaki ping e le faʻaalia i taimi uma faʻamatalaga lata mai e uiga i le avanoa i le fesoʻotaiga i le lalolagi.
Afai o lo'o i ai i kamupani ma kamupani tetele le BGP dynamic routing protocol, ona tatau loa lea i tagata o le fale ma le ofisa ona fuafua tuto'atasi pe fa'afefea ona siaki le Initaneti e ala i se ala feso'ota'iga patino.
E masani lava, o tusitusiga e faʻaaogaina, e ala i se auala fesoʻotaʻiga, siaki le maua o se tuatusi IP i luga ole Initaneti, aʻo filifilia se mea faʻalagolago, mo se faʻataʻitaʻiga, google dns: 8.8.8.8. 8.8.4.4. Ae i totonu o le sosaiete Mikrotik, o se meafaigaluega sili atu ona manaia ua faʻafetaui mo lenei mea.
O nai upu e uiga i le toe fa'asolo
Recursive routing e manaʻomia pe a fausia le Multihop BGP peering ma oʻo i totonu o le tusiga e uiga i faʻavae o le static routing naʻo le faʻaogaina o tagata faʻaoga MikroTik o loʻo mafaufau i le auala e faʻaogaina ai auala toe faʻapipiʻiina ma siaki faitotoa e fesuiaʻi auala fesoʻotaʻiga e aunoa ma ni tusitusiga faaopoopo.
Ua oʻo i le taimi e malamalama ai i le lautele / faʻamoemoega avanoa avanoa i tulaga lautele ma pe faʻafefea ona fusia le auala i le atinaʻe:
- O le auala e su'e ai se fa'aoga e lafo ai le afifi e fa'atatau i lona tau aofa'i ma fa'amaumauga uma i le laulau autu e la'ititi ifo pe tutusa le tau fa'atatau o le lautele.
- Mai fesoʻotaʻiga maua, o le tasi e mafai ona e lafoina ai se afifi i le faitotoa faʻamaonia ua filifilia
- O le fa'aoga o le ulufale feso'ota'i maua ua filifilia e lafo le afifi i le faitotoa
I le i ai o se auala toe faʻaleleia, o mea uma e tupu tutusa, ae i ni vaega se lua:
- 1-3 E tasi le isi auala e faʻaopoopoina i auala fesoʻotaʻi, lea e mafai ona oʻo atu i ai le faitotoa faʻamaonia
- 4-6 Su'eina o le auala e feso'ota'i ai mo le faitoto'a "intermediate".
O togafiti uma ma le suʻesuʻega faʻasolosolo e tupu i le RIB, ma naʻo le iuga mulimuli e tuʻuina atu i le FIB: 0.0.0.0/0 via 10.10.10.1 on ether1.
O se faʻataʻitaʻiga o le faʻaogaina o le faʻaogaina o auala e fesuiaʻi ai auala
Fa'atonuga:
/ip route
add dst-address=0.0.0.0/0 gateway=8.8.8.8 check-gateway=ping distance=1 target-scope=10
add dst-address=8.8.8.8 gateway=10.10.10.1 scope=10
add dst-address=0.0.0.0/0 gateway=10.20.20.1 distance=2E mafai ona e siaki o le a lafo atu afifi i le 10.10.10.1:
E leai se mea e iloa e Check gateway e uiga i le ta'avale fa'asolosolo ma na'o le lafoina o pings i le 8.8.8.8, lea (fa'avae i luga o le laulau autu) e mafai ona maua i le faitotoa 10.10.10.1.
Afai e leiloa le fesoʻotaʻiga i le va o le 10.10.10.1 ma le 8.8.8.8, ona motusia lea o le auala, ae o paʻu (e aofia ai suʻega pings) i le 8.8.8.8 faʻaauau pea ona alu i le 10.10.10.1:
Afai e leiloa le feso'ota'iga i le ether1, ona tupu lea o se tulaga le lelei pe a o'o atu pusa i luma ole 8.8.8.8 ile kamupani lona lua:
Ole fa'afitauli lea pe afai o lo'o e fa'aogaina le NetWatch e fa'agasolo ai tusitusiga pe a le maua le 8.8.8.8. Afai ua motusia le sootaga, NetWatch o le a na ona galue e ala i le fesoʻotaʻiga fesoʻotaʻiga fesoʻotaʻiga ma faʻapea o loʻo lelei mea uma. Foia e ala i le fa'aopoopoina o se isi auala faamama:
/ip route
add dst-address=8.8.8.8 gateway=10.20.20.1 distance=100 type=blackhole
E iai i luga o le habré , lea o loʻo vaʻavaʻai atili ai le tulaga i NetWatch.
Ma ioe, pe a faʻaaogaina sea faʻaagaga, o le tuatusi 8.8.8.8 o le a faʻapipiʻiina i se tasi o tuʻuina atu, o lona uiga o le filifilia o se puna dns e le o se manatu lelei.
O nai upu e uiga i le Virtual Routing and Forwarding (VRF)
VRF tekinolosi ua mamanuina e fatu ai le tele o telefoni feaveaʻi i totonu o le tino e tasi, o lenei tekinolosi e masani ona faʻaogaina e le telefoni feaveaʻi (masani faʻatasi ma le MPLS) e tuʻuina atu auaunaga L3VPN i tagata faʻatau ma tuatusi subnet lapoʻa:
Ae o le VRF i Mikrotik o loʻo faʻatulagaina i luga o le faʻavae o laulau taʻavale ma e iai le tele o mea le lelei, mo se faʻataʻitaʻiga, tuatusi IP i le lotoifale o le router e maua mai VRF uma, e mafai ona e faitau atili. .
vrf fa'ata'ita'iga fa'atulagaina:
/ip route vrf
add interfaces=ether1 routing-mark=vrf1
add interfaces=ether2 routing-mark=vrf2
/ip address
add address=192.168.100.1/24 interface=ether1 network=192.168.100.0
add address=192.168.200.1/24 interface=ether2 network=192.168.200.0Mai le masini e fesoʻotaʻi atu i le ether2, matou te vaʻaia o le ping e alu i le tuatusi o le router mai se isi vrf (ma o se faʻafitauli lea), aʻo le ping e le alu i luga ole Initaneti:
Ina ia maua le Initaneti, e tatau ona e resitalaina se auala faaopoopo e maua ai le laulau autu (i le vrf terminology, e taʻua o le auala leaking):
/ip route
add distance=1 gateway=172.17.0.1@main routing-mark=vrf1
add distance=1 gateway=172.17.0.1%wlan1 routing-mark=vrf2O auala nei e lua e tafe ai le auala: fa'aaoga le laulau fa'aalaala: 172.17.0.1@main ma le fa'aogaina o le igoa fa'aoga: 172.17.0.1%wlan1.
Ma fa'atulaga maka mo le toe fo'i atu i totonu [PREROUTING|Mangle]:
/ip firewall mangle
add chain=prerouting in-interface=ether1 action=mark-connection new-connection-mark=from-vrf1 passthrough=no
add chain=prerouting connection-mark=from-vrf1 routing-mark=!vrf1 action=mark-routing new-routing-mark=vrf1 passthrough=no
add chain=prerouting in-interface=ether2 action=mark-connection new-connection-mark=from-vrf2 passthrough=no
add chain=prerouting connection-mark=from-vrf2 routing-mark=!vrf1 action=mark-routing new-routing-mark=vrf2 passthrough=no
Subnets e tutusa le tuatusi
Fa'atulagaina o avanoa i subnets fa'atasi ai ma tuatusi tutusa i luga o le router tutusa e fa'aaoga ai le VRF ma le netmap:
Fa'atonuga autu:
/ip route vrf
add interfaces=ether1 routing-mark=vrf1
add interfaces=ether2 routing-mark=vrf2
/ip address
add address=192.168.100.1/24 interface=ether1 network=192.168.100.0
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0
add address=192.168.0.1/24 interface=ether3 network=192.168.0.0tulafono firewall:
#Маркируем пакеты для отправки в правильную таблицу маршрутизации
/ip firewall mangle
add chain=prerouting dst-address=192.168.101.0/24 in-interface=ether3 action=mark-routing new-routing-mark=vrf1 passthrough=no
add chain=prerouting dst-address=192.168.102.0/24 in-interface=ether3 action=mark-routing new-routing-mark=vrf2 passthrough=no
#Средствами netmap заменяем адреса "эфимерных" подсетей на реальные подсети
/ip firewall nat
add chain=dstnat dst-address=192.168.101.0/24 in-interface=ether3 action=netmap to-addresses=192.168.100.0/24
add chain=dstnat dst-address=192.168.102.0/24 in-interface=ether3 action=netmap to-addresses=192.168.100.0/24Tulafono fa'atonutonu mo feoaiga toe fo'i:
#Указание имени интерфейса тоже может считаться route leaking, но по сути тут создается аналог connected маршрута
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=ether3 routing-mark=vrf1
add distance=1 dst-address=192.168.0.0/24 gateway=ether3 routing-mark=vrf2Fa'aopoopoina ala na maua e ala i le dhcp i se laulau fa'ata'avalevale
E mafai ona manaia le VRF pe afai e te manaʻomia le faʻaopoopoina otometi se auala malosi (mo se faʻataʻitaʻiga, mai le dhcp client) i se laulau taʻavale patino.
Fa'aopoopoina le fa'aoga ile vrf:
/ip route vrf
add interface=ether1 routing-mark=over-isp1Tulafono mo le auina atu o felauaiga (fafo ma femalagaiga) i luga o le laulau ova-isp1:
/ip firewall mangle
add chain=output out-interface=!br-lan action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=prerouting in-interface=br-lan dst-address-type=!local action=mark-routing new-routing-mark=over-isp1 passthrough=noFa'aopoopo, auala fa'asese mo le alu i fafo i le galuega:
/interface bridge
add name=bare
/ip route
add dst-address=0.0.0.0/0 gateway=bareE na'o le auala lea e mana'omia ina ia mafai ai e pusa fafo atu i le lotoifale ona pasia le fa'ai'uga Fa'aala (2) muamua [OUTPUT|Mangle] ma maua le faʻailoga faʻasologa, pe afai o loʻo i ai isi auala galue i luga o le router i luma o le 0.0.0.0/0 i le laulau autu, e le manaʻomia.
filifili connected-in и dynamic-in в [Routing] -> [Filters]
Fa'amama ala (i totonu ma fafo) o se meafaigaluega e masani ona fa'aogaina fa'atasi ma fa'asologa fa'asolosolo fa'amalosi (ma e na'o avanoa pe a uma ona tu'u le afifi. maneta), ae e lua ni filifili mataʻina i totonu o filiga o loʻo sau:
- feso'ota'i-i totonu - fa'amama ala feso'ota'i
- dynamic-in - fa'amama ala fa'amalosi e maua e le PPP ma le DCHP
O le filiga e mafai ai ona e le gata e lafoaʻia auala, ae ia suia foi le tele o filifiliga: mamao, faʻailoga-faʻailoga, faʻamatalaga, lautele, faʻamoemoe, ...
O se meafaigaluega saʻo maʻoti ma afai e mafai ona e faia se mea e aunoa ma le Routing Filters (ae le o faʻamaumauga), ona e le faʻaaogaina lea o Routing Filters, aua le faʻafememeaʻi oe ma i latou o le a faʻapipiʻi le router pe a uma oe. I le tulaga o le faʻaogaina o auala, o le a sili atu ona faʻaoga Faʻasalalau Faʻasalalau ma sili atu ona aoga.
Fa'atulaga le Fa'ailoga Fa'ata'ita'i mo Auala Fa'aola
O se faʻataʻitaʻiga mai se router ile fale. E lua aʻu VPN fesoʻotaʻiga faʻapipiʻiina ma o fefaʻatauaiga i totonu e tatau ona afifi e tusa ai ma laulau taʻavale. I le taimi lava e tasi, ou te manaʻo ia faʻapipiʻiina auala pe a faʻagaoioia le atinaʻe:
#При создании vpn подключений указываем создание default route и задаем дистанцию
/interface pptp-client
add connect-to=X.X.X.X add-default-route=yes default-route-distance=101 ...
add connect-to=Y.Y.Y.Y add-default-route=yes default-route-distance=100 ...
#Фильтрами отправляем маршруты в определенные таблицы маршрутизации на основе подсети назначения и дистанции
/routing filter
add chain=dynamic-in distance=100 prefix=0.0.0.0/0 action=passthrough set-routing-mark=over-vpn1
add chain=dynamic-in distance=101 prefix=0.0.0.0/0 action=passthrough set-routing-mark=over-vpn2Ou te le iloa pe aisea, masalo o se pusa, ae afai e te fatuina se vrf mo le ppp interface, o le auala i le 0.0.0.0/0 o le a alu pea i le laulau autu. A leai, o le a sili atu ona faigofie mea uma.
Fa'aleaogaina Auala Feso'ota'i
O nisi taimi e manaʻomia ai:
/route filter
add chain=connected-in prefix=192.168.100.0/24 action=rejectDebugging meafaigaluega
RouterOS e maua ai le tele o meafaigaluega mo le faʻaogaina o auala:
[Tool]->[Tourch]- faʻatagaina oe e vaʻai i afifi i luga o fesoʻotaʻiga/ip route check- fa'atagaina oe e va'ai po'o fea le faitoto'a o le a lafo i ai le pepa, e le aoga i laulau fa'ata'ita'i/ping routing-table=<name>и/tool traceroute routing-table=<name>- ping ma siaki e fa'aaoga ai le laulau fa'atonuaction=logв[IP]->[Firewall]- o se meafaigaluega sili ona lelei e mafai ai ona e suʻeina le ala o se afifi i luga o le paʻu tafe, o loʻo avanoa lenei gaioiga i filifili uma ma laulau
puna: www.habr.com