Multi-WAN and routing on Mikrotik RouterOS

Introduction

Writing this article, vanity aside, was prompted by the growing number of questions on this topic in the two groups of the Russian-speaking Telegram community. The article is aimed at novice Mikrotik RouterOS (hereafter ROS) administrators. It deals only with multi-WAN, with the emphasis on routing. As a bonus there are a few minimal settings that provide secure and convenient operation. Those who are looking for coverage of queue splitting, bandwidth shaping, vlans, bridges, multi-step deep analysis of channel state and the like may not want to waste their time reading.

Initial data

A five-port Mikrotik router with ROS version 6.45.3 was chosen as the test subject. It will route traffic between two local networks (LAN1 and LAN2) and three providers (ISP1, ISP2, ISP3). The ISP1 link has a static "grey" address, ISP2 a "white" one obtained via DHCP, ISP3 a "white" one with PPPoE authorization. The connection diagram is shown in the figure:

[Figure: connection diagram]

The task is to configure the MTK router according to the diagram so that:

  1. Automatic switching to a backup provider is provided. The main provider is ISP2, the first backup is ISP1, the second backup is ISP3.
  2. The LAN1 network gets Internet access only through ISP1.
  3. Traffic from the local networks to the Internet can be routed through a chosen provider based on an address list.
  4. Services from the local network can be published to the Internet (DSTNAT).
  5. A firewall filter is configured that provides minimally sufficient protection from the Internet.
  6. The router can send its own traffic through any of the three providers, depending on the chosen source address.
  7. Reply packets are routed back to the channel they came from (including LAN).

Note. We will configure the router "from scratch" to make sure there are no surprises in the "out of the box" initial configuration, which changes from version to version. Winbox is chosen as the configuration tool, where the changes will be shown visually. The settings themselves will be entered as commands in the Winbox terminal. The physical connection for configuration is made directly to the ether5 interface.

A few thoughts on what multi-WAN is, whether it is a problem at all, or whether cunning and clever people are weaving networks of conspiracy.

An inquisitive and attentive administrator, setting up such a scheme or something similar on their own, suddenly realizes that it is already working normally. Yes, yes, without those custom routing tables and other route rules that most articles on the subject are full of. Shall we check?

Can we configure addresses on the interfaces and default gateways? Yes:

On ISP1, the address and gateway are registered with distance=2 and check-gateway=ping.
On ISP2, the default dhcp client settings; accordingly, the distance will be equal to one.
On ISP3, in the pppoe client settings with add-default-route=yes, set default-route-distance=3.

Do not forget to register NAT on the way out:

/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN

As a result, users of the local networks happily download cats through the main provider ISP2 and, on the backup channel, by means of the check gateway mechanism. See note 1

Point 1 of the task is done. Where is multi-WAN with its marks? No...

Next. You need to let specific clients out of the LAN through ISP1:

/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS passthrough=yes route-dst=100.66.66.1 src-address-list=Via_ISP1
/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS passthrough=no route-dst=100.66.66.1 src-address=192.168.88.0/24

Points 2 and 3 of the task are done. Marks, tags, route rules, where are you?!

Need to give clients from the Internet access to your favourite OpenVPN server with the address 172.17.17.17? Please:

/ip cloud set ddns-enabled=yes

As the peer we give the client the output of ":put [ip cloud get dns-name]"

We register the port forwarding from the Internet:

/ip firewall nat add action=dst-nat chain=dstnat dst-port=1194 in-interface-list=WAN protocol=udp to-addresses=172.17.17.17

The fourth point is ready.

We set up the firewall and other security for point 5, and at the same time we are glad that everything is already working for the users, and reach for the vessel with your favourite drink...
Ah! The tunnels are forgotten.

The l2tp-client, configured from a googled article, came up to your favourite Dutch VDS? Yes.
The l2tp-server with IPsec came up and the clients cling on using the DNS name from IP Cloud (see above)? Yes.
We lean back in our chair, sipping the drink, and lazily recall points 6 and 7 of the task. We think: do we need them? It works anyway (c)... So, if it isn't needed, that's it. Multi-WAN is done.

What is multi-WAN? It is the connection of several Internet channels to one router.

You need not read the article any further, because what could be in it besides a demonstration of dubious applicability?

For those who stay, who are interested in points 6 and 7 of the task, and who also feel the itch of perfectionism, we dive deeper.

The most important task of using multi-WAN is correct traffic routing. Namely: regardless of which (or which ones, see note 3) of the ISP channels the default route on our router points to, the reply must be returned to exactly the channel the packet came from. The task is clear. Where is the problem? Indeed, in a simple local network the task is the same, but nobody bothers with additional settings and does not feel any trouble. The difference is that any routable node on the Internet is reachable through each of our channels, and not through one strictly defined channel as in a simple LAN. And the "problem" is that if a request came to us for the IP address of ISP3, then in our case the reply will leave through the ISP2 channel, since the default gateway points there. It will leave and be dropped by the provider as incorrect. The problem is identified. How do we solve it?

The solution is split into three stages:

  1. Presetting. At this stage the basic router settings will be configured: local network, firewall, address lists, hairpin NAT and so on.
  2. Multi-WAN. At this stage the necessary connections will be marked and sorted into routing tables.
  3. Connection to the ISPs. At this stage the interfaces providing the Internet connection will be configured, routing and the Internet channel backup mechanism will be enabled.

1. Presetting

1.1. We reset the router configuration with the command:

/system reset-configuration skip-backup=yes no-defaults=yes

agree with "Dangerous! Reset anyway? [y/N]:" and, after the reboot, connect via Winbox over MAC. At this stage the configuration and the user base are cleared.

1.2. Create a new user:

/user add group=full name=knight password=ultrasecret comment="Not horse"

log in under it and delete the default one:

/user remove admin

Note. It is removing, not disabling, the default user that the author considers safer and recommends.

1.3. We create interface lists for convenient use in the firewall, discovery settings and other MAC servers:

/interface list add name=WAN comment="For Internet"
/interface list add name=LAN comment="For Local Area"

Sign the interfaces with comments

/interface ethernet set ether1 comment="to ISP1"
/interface ethernet set ether2 comment="to ISP2"
/interface ethernet set ether3 comment="to ISP3"
/interface ethernet set ether4 comment="to LAN1"
/interface ethernet set ether5 comment="to LAN2"

and fill the interface lists:

/interface list member add interface=ether1 list=WAN comment=ISP1
/interface list member add interface=ether2 list=WAN comment=ISP2
/interface list member add interface=ether3 list=WAN comment="to ISP3"
/interface list member add interface=ether4 list=LAN comment="LAN1"
/interface list member add interface=ether5 list=LAN comment="LAN2"

Note. Writing intelligible comments is worth the time spent on them, and also greatly simplifies troubleshooting and understanding the configuration.

The author considers it necessary, for security reasons, to add the ether3 interface to the "WAN" interface list, even though the ip protocol will not pass through it.

Do not forget that after the PPP interface is raised on ether3, it also needs to be added to the "WAN" interface list.

1.4. We hide the router from neighbour discovery and from control via MAC from the providers' networks:

/ip neighbor discovery-settings set discover-interface-list=!WAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

1.5. We create a minimally sufficient set of firewall filter rules to protect the router:

/ip firewall filter add action=accept chain=input comment="Related Established Untracked Allow" connection-state=established,related,untracked

(the rule allows established and related connections initiated both from the attached networks and from the router itself)

/ip firewall filter add action=accept chain=input comment="ICMP from ALL" protocol=icmp

(ping, and not only ping. All icmp is allowed in. Very useful for finding MTU problems)

/ip firewall filter add action=drop chain=input comment="All other WAN Drop" in-interface-list=WAN

(the rule closing the input chain forbids everything else coming from the Internet)

/ip firewall filter add action=accept chain=forward comment="Established, Related, Untracked allow" connection-state=established,related,untracked

(the rule allows established and related connections passing through the router)

/ip firewall filter add action=drop chain=forward comment="Invalid drop" connection-state=invalid

(the rule drops connections with connection-state=invalid passing through the router. Strongly recommended by Mikrotik, but in some rare cases it can block useful traffic)

/ip firewall filter add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

(the rule forbids packets coming from the Internet that have not passed the dstnat procedure from passing through the router. This protects the local networks from intruders who, being in the same broadcast domain as our external networks, set our external IPs as their gateway and thus try to "explore" our local networks.)

Note. We assume that the networks LAN1 and LAN2 are trusted and that traffic between them and from them is not filtered.

1.6. Create the address list with the list of non-routable networks:

/ip firewall address-list
add address=0.0.0.0/8 comment="\"This\" Network" list=BOGONS
add address=10.0.0.0/8 comment="Private-Use Networks" list=BOGONS
add address=100.64.0.0/10 comment="Shared Address Space. RFC 6598" list=BOGONS
add address=127.0.0.0/8 comment=Loopback list=BOGONS
add address=169.254.0.0/16 comment="Link Local" list=BOGONS
add address=172.16.0.0/12 comment="Private-Use Networks" list=BOGONS
add address=192.0.0.0/24 comment="IETF Protocol Assignments" list=BOGONS
add address=192.0.2.0/24 comment=TEST-NET-1 list=BOGONS
add address=192.168.0.0/16 comment="Private-Use Networks" list=BOGONS
add address=198.18.0.0/15 comment="Network Interconnect Device Benchmark Testing" list=BOGONS
add address=198.51.100.0/24 comment=TEST-NET-2 list=BOGONS
add address=203.0.113.0/24 comment=TEST-NET-3 list=BOGONS
add address=224.0.0.0/4 comment=Multicast list=BOGONS
add address=192.88.99.0/24 comment="6to4 Relay Anycast" list=BOGONS
add address=240.0.0.0/4 comment="Reserved for Future Use" list=BOGONS
add address=255.255.255.255 comment="Limited Broadcast" list=BOGONS

(This is the list of addresses and networks that are not routable on the Internet and are tracked accordingly.)

Note. The list may change, so I advise you to check its relevance periodically.

1.7. Configure DNS for the router itself:

/ip dns set servers=1.1.1.1,8.8.8.8

Note. In the current ROS version, dynamic servers take precedence over static ones. A name resolution request is sent to the first server in list order. The switch to the next server happens when the current one is unavailable. The timeout is large: more than five seconds. Switching back, when the "fallen" server starts working again, does not happen automatically. Given this algorithm and the presence of multi-WAN, the author recommends not using the servers issued by the providers.

1.8. Configure the local network.
1.8.1. We configure static IP addresses on the LAN interfaces:

/ip address add interface=ether4 address=192.168.88.254/24 comment="LAN1 IP"
/ip address add interface=ether5 address=172.16.1.0/23 comment="LAN2 IP"

1.8.2. We set route rules for our local networks through the main routing table:

/ip route rule add dst-address=192.168.88.0/24 table=main comment="to LAN1"
/ip route rule add dst-address=172.16.0.0/23 table=main comment="to LAN2"

Note. This is one of the fastest and simplest ways to give access to LAN addresses to packets whose source is the external IP address of a router interface, which does not go through the default route.

1.8.3. Enable Hairpin NAT for LAN1 and LAN2:

/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN1" out-interface=ether4 src-address=192.168.88.0/24 to-addresses=192.168.88.254
/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN2" out-interface=ether5 src-address=172.16.0.0/23 to-addresses=172.16.1.0

Note. This lets you reach your resources (dstnat) through the external IP while being inside the network.

2. Actually, the implementation of multi-WAN itself

To solve the problem of "answering where they asked from", we will use two ROS tools: connection mark and routing mark. connection mark lets you mark the needed connection and then use this mark as a condition for applying a routing mark. And with a routing mark it is already possible to work in ip route and route rules. We have figured out the tools; now we need to decide which connections to mark (one) and where exactly to mark them (two).

With the first, everything is simple: we need to mark all connections coming to the router from the Internet through the corresponding channel. In our case these will be three marks (by the number of channels): "conn_isp1", "conn_isp2" and "conn_isp3".

The nuance with the second is that incoming connections will be of two kinds: transit and those intended for the router itself. The connection mark mechanism works in the mangle table. Consider the packet path on the simplified diagram, kindly drawn by the experts of the mikrotik-trainings.com resource (not advertising):

[Figure: packet flow diagram]

Following the arrows, we see that a packet arriving at the "Input Interface" passes through "Prerouting" and only then is split into transit and local in the "Routing Decision" block. Therefore, to kill two birds with one stone, we use Connection Mark in the Mangle table in the Prerouting chain.

Note. In ROS, "Routing mark" marks are listed as "Table" in the Ip/Routes/Rules section and as "Routing Mark" in the other sections. This can bring some confusion to understanding but, in fact, it is the same thing, and is the analogue of rt_tables in iproute2 on linux.

2.1. We mark incoming connections from each of the providers:

/ip firewall mangle add action=mark-connection chain=prerouting comment="Connmark in from ISP1" connection-mark=no-mark in-interface=ether1 new-connection-mark=conn_isp1 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting comment="Connmark in from ISP2" connection-mark=no-mark in-interface=ether2 new-connection-mark=conn_isp2 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting comment="Connmark in from ISP3" connection-mark=no-mark in-interface=pppoe-isp3 new-connection-mark=conn_isp3 passthrough=no

Note. In order not to mark already marked connections, I use the connection-mark=no-mark condition instead of connection-state=new, because I consider it more correct, as well as refusing to drop invalid connections in the input filter.

passthrough=no because in this implementation method re-marking is excluded and, to speed things up, rule enumeration can be stopped after the first match.

It must be remembered that we do not interfere with routing in any way yet. For now these are only preparatory steps. The next stage of the implementation will be the processing of return traffic over the established connection from the destination in the local network. That is, those packets that (see the diagram) have passed through the router along the path:

"Input Interface"=>"Prerouting"=>"Routing Decision"=>"Forward"=>"Post Routing"=>"Output Interface" and reached their addressee in the local network.

Important! In ROS there is no logical division into external and internal interfaces. If we trace the path of the reply packet according to the diagram above, it will follow the same logical path as the request:

"Input Interface"=>"Prerouting"=>"Routing Decision"=>"Forward"=>"Post Routing"=>"Output Interface", only for the request the "Input Interface" was the ISP interface, and for the reply it is the LAN one

2.2. We direct reply transit traffic to the corresponding routing tables:

/ip firewall mangle add action=mark-routing chain=prerouting comment="Routemark transit out via ISP1" connection-mark=conn_isp1 dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting comment="Routemark transit out via ISP2" connection-mark=conn_isp2 dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting comment="Routemark transit out via ISP3" connection-mark=conn_isp3 dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp3 passthrough=no

Note. in-interface-list=!WAN: we work only with traffic from the local network, and dst-address-type=!local: traffic whose destination address is not one of the router's own interface addresses.

The same applies to local packets that came to the router along the path:

"Input Interface"=>"Prerouting"=>"Routing Decision"=>"Input"=>"Local Process"

Important! The reply will go along the following path:

"Local Process"=>"Routing Decision"=>"Output"=>"Post Routing"=>"Output Interface"

2.3. We direct local reply traffic to the corresponding tables:

/ip firewall mangle add action=mark-routing chain=output comment="Routemark local out via ISP1" connection-mark=conn_isp1 dst-address-type=!local new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=output comment="Routemark local out via ISP2" connection-mark=conn_isp2 dst-address-type=!local new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=output comment="Routemark local out via ISP3" connection-mark=conn_isp3 dst-address-type=!local new-routing-mark=to_isp3 passthrough=no

At this stage, the task of preparing to send a reply to the Internet channel from which the request came can be considered solved. Everything is marked, labelled and ready to be routed.
An excellent "side" effect of this setup is the ability to work with DSTNAT port forwarding from both (ISP2, ISP3) providers at the same time. Not from ISP1, since its address is the static "grey" one. This is important, for example, for a mail server with two MXs looking at different Internet channels.
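The following toy model, added here as an illustration and not taken from the article or from MikroTik, replays rules 2.1-2.3 for two of the cases discussed (a DSTNATed request that arrives via ISP3 and an ICMP request to the router's ISP1 address) and shows which provider the reply leaves through with and without the connection marks; route rules are not modelled, and the ISP3 address 203.0.113.9 and the client 198.51.100.7 are constructed.

```python
"""Toy model of the connection-mark / routing-mark scheme from section 2.

Added illustration, not code from the article or from MikroTik. It mimics
the ROS order of operations (prerouting mangle, then route selection; and
output mangle, then route selection for router-generated packets) only as
far as needed to show that the reply to a request which arrived via ISP3
leaves via ISP3 when the connection was marked, and would otherwise take
the main-table default gateway (ISP2). Route rules (1.8.2, 3.1.2.6) are
not modelled. Addresses are the article's values plus constructed ones.
"""

# interface -> provider, following the interface comments of section 1.3
WAN_IFACES = {"ether1": "isp1", "ether2": "isp2", "pppoe-isp3": "isp3"}
# addresses owned by the router itself (what dst-address-type=local matches);
# 203.0.113.9 is a constructed stand-in for the ISP3 PPPoE address
ROUTER_LOCAL = {"192.168.88.254", "172.16.1.0", "100.66.66.2", "203.0.113.9"}
# each routing table reduced to "which provider its default route uses";
# the main table ends up on ISP2 because its default route has distance=1
TABLES = {"main": "isp2", "to_isp1": "isp1", "to_isp2": "isp2", "to_isp3": "isp3"}


class Conntrack:
    """Connection tracking: one entry per connection, matched in both directions."""

    def __init__(self):
        self.entries = []

    def lookup(self, src, dst):
        for entry in self.entries:
            if (src, dst) in (entry["orig"], entry["reply"]):
                return entry
        return None

    def add(self, src, dst, dnat_to=None):
        # with DSTNAT the reply direction carries the internal server address
        entry = {"orig": (src, dst), "reply": (dnat_to or dst, src), "mark": None}
        self.entries.append(entry)
        return entry


def prerouting(ct, src, dst, in_iface, dnat_to=None, marking=True):
    """Mangle prerouting (rules 2.1 and 2.2) followed by route selection."""
    entry = ct.lookup(src, dst) or ct.add(src, dst, dnat_to)
    # 2.1: connection-mark=no-mark in-interface=<ISP interface> -> conn_ispN
    if marking and entry["mark"] is None and in_iface in WAN_IFACES:
        entry["mark"] = "conn_" + WAN_IFACES[in_iface]
    # 2.2: connection-mark=conn_ispN in-interface-list=!WAN dst-address-type=!local
    routing_mark = None
    if entry["mark"] and in_iface not in WAN_IFACES and dst not in ROUTER_LOCAL:
        routing_mark = "to_" + entry["mark"][len("conn_"):]
    # route selection: a routing mark selects its table, otherwise main is used
    return TABLES.get(routing_mark, TABLES["main"])


def output(ct, src, dst):
    """Mangle output (rule 2.3) for packets generated by the router itself."""
    entry = ct.lookup(src, dst)
    routing_mark = None
    if entry and entry["mark"] and dst not in ROUTER_LOCAL:
        routing_mark = "to_" + entry["mark"][len("conn_"):]
    return TABLES.get(routing_mark, TABLES["main"])


def transit_reply_provider(marking):
    """UDP 1194 from an Internet host to the ISP3 address, DSTNATed to the
    OpenVPN server 172.17.17.17 on LAN2; returns the provider whose link the
    server's reply leaves through."""
    ct = Conntrack()
    client = "198.51.100.7"  # constructed Internet client (TEST-NET-2)
    prerouting(ct, client, "203.0.113.9", "pppoe-isp3", dnat_to="172.17.17.17", marking=marking)
    return prerouting(ct, "172.17.17.17", client, "ether5", marking=marking)


def local_reply_provider(marking):
    """ICMP echo from an Internet host to the router's ISP1 address (allowed by
    the input filter of 1.5); returns the provider the router's reply uses."""
    ct = Conntrack()
    client = "198.51.100.7"
    prerouting(ct, client, "100.66.66.2", "ether1", marking=marking)
    return output(ct, "100.66.66.2", client)


if __name__ == "__main__":
    for name, fn in (("transit", transit_reply_provider), ("local", local_reply_provider)):
        print(f"{name}: without marks -> {fn(False)}, with marks -> {fn(True)}")
```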

To remove the nuances of the local networks working with the router's external IPs, we use the solution from points 1.8.2 and 3.1.2.6.

In addition, the marking tool can be used to solve point 3 of the task. We do it like this:

2.4. We direct traffic from local clients in the routing address lists to the corresponding tables:

/ip firewall mangle add action=mark-routing chain=prerouting comment="Address List via ISP1" dst-address-list=!BOGONS new-routing-mark=to_isp1 passthrough=no src-address-list=Via_ISP1

/ip firewall mangle add action=mark-routing chain=prerouting comment="Address List via ISP2" dst-address-list=!BOGONS new-routing-mark=to_isp2 passthrough=no src-address-list=Via_ISP2

/ip firewall mangle add action=mark-routing chain=prerouting comment="Address List via ISP3" dst-address-list=!BOGONS new-routing-mark=to_isp3 passthrough=no src-address-list=Via_ISP3

As a result, it looks like this:

[Figure: mangle rules in Winbox]

3. Configure the connections to the ISPs and enable the marked routing

3.1. Configure the connection to ISP1:
3.1.1. Configure the static IP address:

/ip address add interface=ether1 address=100.66.66.2/30 comment="ISP1 IP"

3.1.2. Configure static routing:
3.1.2.1. Add the "emergency" default route:

/ip route add comment="Emergency route" distance=254 type=blackhole

Note. This route lets traffic from local processes pass the Routing Decision stage regardless of the link state of any provider. The nuance of outgoing local traffic is that, for a packet to move anywhere at all, the main routing table must have an active route to the default gateway. If it does not, the packet is simply destroyed.

As an extension of the check gateway tool, for deeper analysis of the channel state, I suggest using the recursive routes method. The essence of the method is that we tell the router to look for the route to its gateway not directly, but through an intermediate gateway. 4.2.2.1, 4.2.2.2 and 4.2.2.3 will be chosen as such "test" gateways for ISP1, ISP2 and ISP3 respectively.

3.1.2.2. Route to the "verification" address:

/ip route add check-gateway=ping comment="For recursion via ISP1" distance=1 dst-address=4.2.2.1 gateway=100.66.66.1 scope=10

Note. We lower the scope value to the default ROS target scope in order to use 4.2.2.1 as a recursive gateway later. I emphasise: the scope of the route to the "test" address must be less than or equal to the target scope of the route that will refer to the test one.

3.1.2.3. Recursive default route for traffic without a routing mark:

/ip route add comment="Unmarked via ISP1" distance=2 gateway=4.2.2.1

Note. The distance=2 value is used because ISP1 is declared the first backup according to the task conditions.

3.1.2.4. Recursive default route for traffic with the routing mark "to_isp1":

/ip route add comment="Marked via ISP1 Main" distance=1 gateway=4.2.2.1 routing-mark=to_isp1

Note. Actually, here we finally begin to enjoy the fruits of the preparatory work done in section 2.

With this route, all traffic with the "to_isp1" mark is directed to the first provider's gateway, regardless of which default gateway is currently active in the main table.

3.1.2.5. First backup recursive default routes for traffic tagged for ISP2 and ISP3:

/ip route add comment="Marked via ISP2 Backup1" distance=2 gateway=4.2.2.1 routing-mark=to_isp2
/ip route add comment="Marked via ISP3 Backup1" distance=2 gateway=4.2.2.1 routing-mark=to_isp3

Note. These routes are needed, among other things, to back up traffic from the local networks that are members of the "to_isp*" address lists.

3.1.2.6. We register the route rule for the router's own traffic to the Internet through ISP1:

/ip route rule add comment="From ISP1 IP to Inet" src-address=100.66.66.2 table=to_isp1

Note. Together with the rules from point 1.8.2, it provides egress through the required channel for the given source. This is critical for building tunnels that specify the local IP address (EoIP, IP-IP, GRE). Since the rules in ip route rules are processed from top to bottom until the first match of the conditions, this rule must be placed after the rules from point 1.8.2.

3.1.3. We register the NAT rule for outgoing traffic:

/ip firewall nat add action=src-nat chain=srcnat comment="NAT via ISP1" ipsec-policy=out,none out-interface=ether1 to-addresses=100.66.66.2

Note. We NAT everything that goes out, except what falls under the IPsec policy. I try not to use action=masquerade unless absolutely necessary. It is slower and more resource-intensive than src-nat because it calculates the NAT address for each new connection.

3.1.4. We send clients from the list who are forbidden to go out through other providers directly to the ISP1 provider's gateway.

/ip firewall mangle add action=route chain=prerouting comment="Address List via ISP1 only" dst-address-list=!BOGONS passthrough=no route-dst=100.66.66.1 src-address-list=Via_only_ISP1 place-before=0

Note. action=route has the highest priority and is applied before the other routing rules.

place-before=0 puts our rule first in the list.

3.2. Configure the connection to ISP2.

Since the ISP2 provider gives us the settings via DHCP, it makes sense to make the necessary changes with a script that runs when the DHCP client triggers:

/ip dhcp-client
add add-default-route=no disabled=no interface=ether2 script=":if (\$bound=1) do={\r\
    \n    /ip route add check-gateway=ping comment=\"For recursion via ISP2\" distance=1 dst-address=4.2.2.2/32 gateway=\$\"gateway-address\" scope=10\r\
    \n    /ip route add comment=\"Unmarked via ISP2\" distance=1 gateway=4.2.2.2;\r\
    \n    /ip route add comment=\"Marked via ISP2 Main\" distance=1 gateway=4.2.2.2 routing-mark=to_isp2;\r\
    \n    /ip route add comment=\"Marked via ISP1 Backup1\" distance=2 gateway=4.2.2.2 routing-mark=to_isp1;\r\
    \n    /ip route add comment=\"Marked via ISP3 Backup2\" distance=3 gateway=4.2.2.2 routing-mark=to_isp3;\r\
    \n    /ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=\$\"interface\" to-addresses=\$\"lease-address\" comment=\"NAT via ISP2\" place-before=1;\r\
    \n    if ([/ip route rule find comment=\"From ISP2 IP to Inet\"] =\"\") do={\r\
    \n        /ip route rule add comment=\"From ISP2 IP to Inet\" src-address=\$\"lease-address\" table=to_isp2\r\
    \n    } else={\r\
    \n       /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=no src-address=\$\"lease-address\"\r\
    \n    }\r\
    \n} else={\r\
    \n   /ip firewall nat remove [find comment=\"NAT via ISP2\"];\r\
    \n   /ip route remove [find comment=\"For recursion via ISP2\"];\r\
    \n   /ip route remove [find comment=\"Unmarked via ISP2\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP2 Main\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP1 Backup1\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP3 Backup2\"];\r\
    \n   /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=yes\r\
    \n}\r\
    \n" use-peer-dns=no use-peer-ntp=no

The script itself in the Winbox window:

[Figure: DHCP client script in Winbox]
Note. The first part of the script triggers when a lease is obtained successfully, the second after the lease is released. See note 2

3.3. We configure the connection to the ISP3 provider.

Since the provider gives us the settings dynamically, it makes sense to make the necessary changes with scripts that run after the ppp interface comes up and after it goes down.

3.3.1. First we configure the profile:

/ppp profile
add comment="for PPPoE to ISP3" interface-list=WAN name=isp3_client on-down="/ip firewall nat remove [find comment=\"NAT via ISP3\"];\r\
    \n/ip route remove [find comment=\"For recursion via ISP3\"];\r\
    \n/ip route remove [find comment=\"Unmarked via ISP3\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP3 Main\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP1 Backup2\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP2 Backup2\"];\r\
    \n/ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=yes;" \
    on-up="/ip route add check-gateway=ping comment=\"For recursion via ISP3\" distance=1 dst-address=4.2.2.3/32 gateway=\$\"remote-address\" scope=10\r\
    \n/ip route add comment=\"Unmarked via ISP3\" distance=3 gateway=4.2.2.3;\r\
    \n/ip route add comment=\"Marked via ISP3 Main\" distance=1 gateway=4.2.2.3 routing-mark=to_isp3;\r\
    \n/ip route add comment=\"Marked via ISP1 Backup2\" distance=3 gateway=4.2.2.3 routing-mark=to_isp1;\r\
    \n/ip route add comment=\"Marked via ISP2 Backup2\" distance=3 gateway=4.2.2.3 routing-mark=to_isp2;\r\
    \n/ip firewall mangle set [find comment=\"Connmark in from ISP3\"] in-interface=\$\"interface\";\r\
    \n/ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=\$\"interface\" to-addresses=\$\"local-address\" comment=\"NAT via ISP3\" place-before=1;\r\
    \nif ([/ip route rule find comment=\"From ISP3 IP to Inet\"] =\"\") do={\r\
    \n   /ip route rule add comment=\"From ISP3 IP to Inet\" src-address=\$\"local-address\" table=to_isp3\r\
    \n} else={\r\
    \n   /ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=no src-address=\$\"local-address\"\r\
    \n};\r\
    \n"

The script itself in the Winbox window:

[Figure: PPP profile scripts in Winbox]
Note. The line
/ip firewall mangle set [find comment="Connmark in from ISP3"] in-interface=$"interface";
lets you handle renaming of the interface correctly, since it works with the interface's internal code and not its display name.

3.3.2. Now, using the profile, create the ppp connection:

/interface pppoe-client add allow=mschap2 comment="to ISP3" disabled=no interface=ether3 name=pppoe-isp3 password=isp3_pass profile=isp3_client user=isp3_client

As a final touch, let's set the clock:

/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org

For those who read to the end

The proposed way of implementing multi-WAN is the author's personal preference and is not the only possible one. The ROS toolkit is extensive and flexible, which, on the one hand, causes difficulties for beginners and, on the other hand, is the reason for its popularity. Study, try, discover new tools and solutions. For example, as an application of the acquired knowledge, it is possible to replace the check-gateway-with-recursive-routes tool in this multi-WAN implementation with netwatch.

Notes

  1. check-gateway: a mechanism that disables a route after two consecutive unsuccessful checks of gateway availability. The check is performed once every 10 seconds, plus the response timeout. In total, the actual switching time is in the range of 10-20 seconds. If such a switching time is not sufficient, there is the option of using the netwatch tool, where the check timer can be set manually. check-gateway does not react to intermittent packet loss on the link.

    Important! Disabling the main route disables all other routes that refer to it. Therefore, specifying check-gateway=ping for them makes no sense.

  2. It happens that a failure occurs in the DHCP mechanism, which looks like a client stuck in the renewing state. In this case, the second part of the script will not run, but this will not prevent traffic from moving correctly, since the state is tracked by the corresponding recursive route.
  3. ECMP (Equal Cost Multi-Path): in ROS it is possible to set a route with several gateways and the same distance. In this case, connections will be distributed among the channels using the round robin algorithm, in proportion to the number of gateways specified.

For the motivation to write the article, help in forming its structure and the placement of accents: special thanks to Evgeny @jscar

Source: www.habr.com