Routing ndiyo nzira yekutsvaga yakanakisa nzira yekufambisa mapaketi pamusoro peTCP/IP network. Chero mudziyo wakabatana neIPv4 network ine maitiro uye matafura ekufambisa.
Ichi chinyorwa hachisi HOWTO, chinotsanangura static routing muRouterOS nemienzaniso, ndakasiya nemaune zvimwe zvese (semuenzaniso, srcnat yekuwana Indaneti), saka kunzwisisa zvinhu kunoda imwe nhanho yeruzivo rwemambure uye RouterOS.
Kuchinja uye nzira
Kuchinja ndiyo maitiro ekuchinjana mapaketi mukati mechikamu chimwe cheLayer2 (Ethernet, ppp, ...). Kana mudziyo ukaona kuti anogamuchira packet ari pane imwechete Ethernet subnet nayo, inodzidza mac kero uchishandisa arp protocol uye inotumira pakiti zvakananga, ichipfuura router. A ppp (point-to-point) yekubatanidza inogona kuva nevatori vechikamu vaviri chete uye pakiti inogara ichitumirwa kune imwe kero 0xff.
Routing ndiyo maitiro ekufambisa mapaketi pakati peLayer2 zvikamu. Kana mudziyo uchida kutumira pakiti rine mugamuchiri ari kunze kwechikamu cheEthernet, inotarisa mutafura yayo yekufambisa uye inopfuudza pakiti kugedhi rinoziva kwekutumira pakiti inotevera (kana angave asingazivi, iye akatanga kutumira packet handizive izvi).
Nzira iri nyore yekufunga nezve router yakaita semudziyo wakabatana kune maviri kana anopfuura Layer2 zvikamu uye unokwanisa kupfuudza mapaketi pakati pavo nekuona nzira yakanakisa kubva patafura yekufambisa.
Kana iwe uchinzwisisa zvese, kana iwe watozviziva, zvino verenga. Kune vamwe vose, ndinokurudzira zvakasimba kuti uzvizivise nediki, asi rakanyanyisa .
Kufambisa muRouterOS uye PacketFlow
Anenge ese mashandiro ane chekuita ne static routing ari mupakeji maitiro. Plastic bag routing inowedzera tsigiro yeakasimba routing algorithms (RIP, OSPF, BGP, MME), Routing Filters uye BFD.
Menyu huru yekugadzirisa nzira: [IP]->[Route]. Zvirongwa zvakaomarara zvinogona kuda kuti mapaketi afanonyorwa nechiratidzo chenzira mu: [IP]->[Firewall]->[Mangle] (chains PREROUTING ΠΈ OUTPUT).
Kune nzvimbo nhatu paPacketFlow uko IP packet routing sarudzo dzinoitwa:
- Mapaketi ekufambisa anogamuchirwa nerouter. Panguva ino, zvinosarudzwa kuti pakiti ichaenda kune yemunharaunda maitiro kana kuti ichaendeswa mberi kune network. Mapasuru ekufambisa anogamuchirwa Kubuditsa Kukurukurirana
- Kuendesa mapaketi emunharaunda anobuda. Mapaketi anobuda anogashira Kubuditsa Kukurukurirana
- Yekuwedzera nhanho yekufambisa yemapakiti anobuda, inobvumidza iwe kuti uchinje sarudzo yenzira mukati
[Output|Mangle]
- Iyo packet nzira mumabhuroka 1, 2 zvinoenderana nemitemo mu
[IP]->[Route] - Iyo packet nzira mumapoinzi 1, 2 uye 3 zvinoenderana nemitemo mu
[IP]->[Route]->[Rules] - Iyo pasuru nzira mumabhuraki 1, 3 inogona kufurirwa uchishandisa
[IP]->[Firewall]->[Mangle]
RIB, FIB, Routing Cache
Routing Information Base
Nheyo umo nzira dzinounganidzwa kubva kune dynamic routing protocol, nzira kubva kuppp uye dhcp, static uye yakabatana nzira. Iyi dhatabhesi ine nzira dzese, kunze kweiyo yakasefa nemutungamiriri.
Conditionally, tinogona kufungidzira kuti [IP]->[Route] inoratidza RIB.
Kutumira Nheyo Yemashoko
Nheyo umo nzira dzakanakisa kubva kuRIB dzinounganidzwa. Nzira dzese muFIB dzinoshanda uye dzinoshandiswa kuendesa mberi mapaketi. Kana iyo nzira ikava isingashande (yakaremara nemutungamiriri (system), kana iyo interface iyo iyo packet inofanira kutumirwa haina kushanda), nzira yacho inobviswa kubva kuFIB.
Kuita sarudzo yekufambisa, iyo FIB tafura inoshandisa inotevera ruzivo nezve IP packet:
- Kwakabva Kero
- Kero Yekuenda
- source interface
- Routing mark
- ToS (DSCP)
Kupinda muFIB package inoenda nematanho anotevera:
- Iyo package inoitirwa yemuno router process?
- Iyo pakiti iri pasi pehurongwa kana mushandisi PBR mitemo?
- Kana hongu, saka pakiti inotumirwa kune yakatarwa routing tafura
- Iyo pakiti inotumirwa kutafura huru
Conditionally, tinogona kufungidzira kuti [IP]->[Route Active=yes] inoratidza FIB.
Routing Cache
Route caching mechanism. Iyo router inoyeuka kwaitumirwa mapaketi uye kana paine akafanana (zvichida kubva pakubatana kwakafanana) inovarega vachienda nenzira imwechete, pasina kutarisa muFIB. Iyo cache yenzira inobviswa nguva nenguva.
Kune vatariri veRouterOS, ivo havana kugadzira maturusi ekuona uye kubata iyo Routing Cache, asi kana ichikwanisa kuvharwa mukati. [IP]->[Settings].
Iyi nzira yakabviswa kubva kulinux 3.6 kernel, asi RouterOS ichiri kushandisa kernel 3.3.5, zvichida Routing cahce chimwe chezvikonzero.
Wedzera nzira dialog
[IP]->[Route]->[+]
- Subnet yaunoda kugadzira nzira (default: 0.0.0.0/0)
- Gateway IP kana interface iyo iyo pakiti ichatumirwa (panogona kunge paine akati wandei, ona ECMP pazasi)
- Gateway Availability Check
- Rekodha mhando
- Distance (metric) yenzira
- Tafura yekufambisa
- IP yemapakiti emuno anobuda nenzira iyi
- Nezvechinangwa cheScope uye Target Scope yakanyorwa pakupera kwechinyorwa
Nzira mireza
- X - Iyo nzira yakadzimwa nemutungamiriri (
disabled=yes) - A - Nzira inoshandiswa kutumira mapaketi
- D - Nzira yakawedzerwa zvine simba (BGP, OSPF, RIP, MME, PPP, DHCP, Yakabatanidzwa)
- C - Iyo subnet yakabatana zvakananga kune router
- S - Static Nzira
- r,b,o,m -Nzira yakawedzerwa neimwe yeane simba routing protocol
- B,U,P -Kusefa nzira (inodonhedza mapaketi pachinzvimbo chekutumira)
Chii chekutsanangura mugedhi: ip-kero kana interface?
Iyo sisitimu inobvumidza iwe kutsanangura ese ari maviri, nepo isingapike uye isingape mazano kana wakanganisa.
IP kero
Kero yegedhi inofanirwa kuwanikwa pamusoro peLayer2. Kune Ethernet, izvi zvinoreva kuti router inofanira kuva nekero kubva kune imwechete subnet pane imwe inoshanda ip interfaces, yeppp, iyo kero yegedhi inotsanangurwa pane imwe yeanoshanda interfaces se subnet kero.
Kana iyo yekuwana mamiriro eLayer2 isina kusangana, nzira inoonekwa isingashande uye haiwire muFIB.
inowanikwa
Zvese zvakanyanya kuomarara uye maitiro eiyo router anoenderana nerudzi rwechimiro:
- PPP (Async, PPTP, L2TP, SSTP, PPPoE, OpenVPN *) yekubatanidza inotora vatori vechikamu vaviri chete uye pakiti inogara ichitumirwa kugedhi rekutapurirana, kana gedhi raona kuti mugamuchiri wacho ndewe, rinobva raendesa pakiti kuenda. maitiro ayo emunharaunda.
- Ethernet inotora kuvepo kwevazhinji vatori vechikamu uye inotumira zvikumbiro kune arp interface nekero yeanogamuchira packet, izvi zvinotarisirwa uye zvakajairwa maitiro enzira dzakabatana.
Asi kana iwe uchiedza kushandisa iyo interface senzira yeiyo subnet iri kure, iwe unowana inotevera mamiriro: iyo nzira inoshanda, ping kune gedhi inopfuura, asi isingasviki kune anogamuchira kubva kune yakatsanangurwa subnet. Kana iwe ukatarisa iyo interface kuburikidza neino sniffer, iwe uchaona arp zvikumbiro nemakero kubva kure subnet.
Edza kutsanangura ip kero segedhi pese pazvinogoneka. Iyo yakasarudzika nzira dzakabatana (dzakagadzirwa otomatiki) uye PPP (Async, PPTP, L2TP, SSTP, PPPoE, OpenVPN *) inopindirana.
OpenVPN haina musoro wePPP, asi unogona kushandisa zita reOpenVPN interface kugadzira nzira.
More Yakananga Nzira
Basic routing mutemo. Iyo nzira inotsanangura iyo diki subnet (ine yakakura subnet mask) inotungamira mune iyo packet's routing sarudzo. Nzvimbo yezvinyorwa mutafura yekufambisa haina kukodzera kusarudzo - mutemo mukuru unonyanya Kunyanya.
Nzira dzese kubva kuchirongwa chakataurwa dziri kushanda (iri muFIB). nongedzera kuma subnets akasiyana uye musapokane.
Kana imwe yemagedhi isingawanikwe, nzira inosanganisirwa ichaonekwa isingaite (yakabviswa kubva kuFIB) uye mapaketi achatsvakwa kubva kune yasara nzira.
Nzira ine subnet 0.0.0.0/0 dzimwe nguva inopihwa chirevo chakakosha uye inodaidzwa kuti "Default Route" kana "Gateway of last resort". Muchokwadi, hapana mashiripiti mairi uye inongosanganisira ese anogoneka IPv4 kero, asi aya mazita anotsanangura basa rayo nemazvo - anoratidza gedhi rekuenda kumberi mapaketi ayo pasina mamwe, nzira dzakanyatsojeka.
Iyo yepamusoro inogoneka subnet mask yeIPv4 ndeye / 32, iyi nzira inonongedza kune chaiyo muenzi uye inogona kushandiswa patafura yenzira.
Kunzwisisa Yakanyanya Yakananga Nzira kwakakosha kune chero TCP/IP mudziyo.
mufambo
Madistance (kana Metrics) anodiwa pakusefa kwekutonga kwenzira kuenda kune imwe subnet inowanikwa kuburikidza nemagedhi akawanda. Nzira ine metric yakaderera inoonekwa seyakakosha uye ichaverengerwa muFIB. Kana nzira ine metric yakaderera ikarega kushanda, inozotsiviwa neimwe nzira ine metric yakakwira muFIB.
Kana paine nzira dzinoverengeka dzekuenda kune imwechete subnet ine metric yakafanana, iyo router ichawedzera imwe chete yadzo patafura yeFIB, inotungamirwa nemukati wayo logic.
Iyo metric inogona kutora kukosha kubva pa0 kusvika 255:
- 0 - Metric yenzira dzakabatana. Distance 0 haigone kugadzwa nemutungamiriri
- 1-254 - Metrics inowanikwa kune maneja yekuseta nzira. Metrics ane kukosha kwakaderera ane yepamusoro pekutanga
- 255 - Metric inowanikwa kune maneja yekuseta nzira. Kusiyana ne1-254, nzira ine metric ye255 inogara isingaite uye haiwire muFIB.
- chaiwo metrics. Nzira dzakatorwa kubva kune dynamic routing protocol dzine mwero metric value
check gateway
Tarisa gedhi ndeyeMikroTik RoutesOS yekuwedzera yekutarisa kuwanikwa kwegedhi kuburikidza neicmp kana arp. Kamwe kamwe chete masekondi gumi (haagone kuchinjwa), chikumbiro chinotumirwa kugedhi, kana mhinduro isingagamuchirwi kaviri, nzira inoonekwa isingawanikwe uye inobviswa kubva kuFIB. Kana cheki gedhi radzima nzira yekutarisa inoenderera uye nzira inozoshanda zvakare mushure mekutarisa kumwe kwakabudirira.
Tarisa gedhi rinodzima yekupinda mairi yakagadziriswa uye mamwe ese ekupinda (mune ese matafura enzira uye nzira dze ecmp) ine gedhi rakatarwa.
Kazhinji, cheki gedhi rinoshanda zvakanaka chero bedzi pasina matambudziko nekurasikirwa kwepaketi kune gedhi. Tarisa gedhi haazive zviri kuitika nekutaurirana kunze kwegedhi rakatariswa, izvi zvinoda mamwe maturusi: zvinyorwa, inodzokorodza nzira, ine simba routing protocol.
Yakawanda VPN uye tunnel mapuroteni ane akavakirwa-mukati maturusi ekutarisa ekubatanidza chiitiko, achigonesa cheki gedhi kwavari ndeyekuwedzera (asi idiki kwazvo) mutoro panetiweki uye mashandiro echishandiso.
ECMP nzira
Equal-Cost Multi-Path - kutumira mapaketi kune anogamuchira uchishandisa akati wandei magedhi panguva imwe chete uchishandisa Round Robin algorithm.
Nzira yeECMP inogadzirwa nemutongi nekutsanangura akawanda masuwo eimwe subnet (kana otomatiki, kana paine maviri akafanana OSPF nzira).
ECMP inoshandiswa kuenzanisa mitoro pakati pematanho maviri, muchirevo, kana paine machani maviri mugwara re ecmp, saka pakiti rega rega chiteshi chinobuda chinofanira kunge chakasiyana. Asi iyo Routing cache mechanism inotumira mapaketi kubva pakubatanidza munzira iyo yekutanga pakiti yakatora, semhedzisiro, tinowana mhando yekuyeresa yakavakirwa pakubatanidza (per-yekubatanidza kurodha kuenzanisa).
Kana ukadzima Routing Cache, ipapo mapaketi ari munzira yeECMP anogovaniswa nemazvo, asi pane dambudziko neNAT. Mutemo weNAT unobata chete pakiti yekutanga kubva pakubatanidza (mamwe ose anogadziriswa otomatiki), uye zvinoitika kuti mapaketi ane imwechete sosi kero anosiya akasiyana interface.
Tarisa gedhi haashande muECMP nzira (RouterOS bug). Asi iwe unogona kutenderedza ichi chipimo nekugadzira dzimwe nzira dzekusimbisa dzinozodzima mapinda muECMP.
Kusefa nenzira yeKuendesa
Iyo Type sarudzo inosarudza zvekuita nepakeji:
- unicast - tumira kune yakatarwa gedhi (interface)
- blackhole - kurasa pakiti
- kurambidza, kusasvikika - rasa pakiti uye tumira icmp meseji kune anotumira
Kusefa kunowanzo shandiswa kana zvichidikanwa kuchengetedza kutumira kwepaketi munzira isiriyo, hongu, unogona kusefa izvi kuburikidza nefirewall.
Mienzaniso miviri
Kubatanidza zvinhu zvakakosha nezve routing.
Yakajairika imba router
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1- Static nzira kuenda 0.0.0.0/0 (default nzira)
- Yakabatanidzwa nzira pane interface nemupi
- Yakabatanidzwa nzira paLAN interface
Yakajairika imba router ine PPPoE
- Static nzira kune default nzira, inowedzerwa otomatiki. inotsanangurwa muzvinhu zvekubatanidza
- Yakabatanidzwa nzira yePPP yekubatanidza
- Yakabatanidzwa nzira paLAN interface
Yakajairika imba router ine vaviri vanopa uye redundancy
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 distance=2- Yakamira nzira yekuenda kunzira yekusarudzika kuburikidza neyekutanga mupi ane metric 1 uye gedhi kuwanikwa kwekutarisa
- Static nzira yekuenda kune default nzira kuburikidza wechipiri mupi ane metric 2
- Nzira dzakabatana
Traffic kuenda ku0.0.0.0/0 inoenda nepa10.10.10.1 uku gedhi iri riripo, zvikasadaro rinochinja kuenda ku10.20.20.1
Chirongwa chakadaro chinogona kutorwa sekuchengetedza chiteshi, asi hachisi pasina matambudziko. Kana kuzorora kuchiitika kunze kwegedhi remupi (somuenzaniso, mukati me network network), router yako haizozive nezvazvo uye icharamba ichifunga nzira seyakashanda.
Yakajairika imba router ine vaviri vanopa, redundancy uye ECMP
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.10.1,10.20.20.1 distance=1- Nzira dzakasimba dzekutarisa chack gateway
- ECMP nzira
- Nzira dzakabatana
Nzira dzekutarisa ibhuruu (ruvara rwemakwara asingashande), asi izvi hazvikanganise cheki gedhi. Iyo yazvino vhezheni (6.44) yeRoS inopa otomatiki pamberi peiyo ECMP nzira, asi zviri nani kuwedzera nzira dzekuyedza kune mamwe matafura enzira (sarudzo. routing-mark)
PaSpeedtest nedzimwe nzvimbo dzakafanana, hapazove nekuwedzera kwekumhanya (ECMP inoparadzanisa traffic nekubatanidza, kwete nemapaketi), asi p2p zvikumbiro zvinofanirwa kurodha nekukurumidza.
Kusefa uchishandisa Routing
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1
add dst-address=192.168.200.0/24 gateway=10.30.30.1 distance=1
add dst-address=192.168.200.0/24 gateway=10.10.10.1 distance=2 type=blackhole- Static nzira kune default nzira
- Static nzira kuenda 192.168.200.0/24 pamusoro ipip mugero
- Kurambidza static nzira kuenda ku192.168.200.0/24 kuburikidza neISP router
Sarudzo yekusefa umo tunnel traffic isingaende kune router yemupi kana ipip interface yakadzimwa. Zvirongwa zvakadaro hazviwanzodikanwa, nekuti unogona kushandisa blocking kuburikidza ne firewall.
Routing loop
Routing loop - mamiriro ezvinhu apo pakiti inomhanya pakati pema routers isati yapera ttl. Kazhinji ndiyo mhedzisiro yekukanganisa kwekugadzirisa, mumambure makuru inobatwa nekuitwa kweiyo dynamic routing protocol, mune madiki - nehanya.
Zvinotaridzika seizvi:
Muenzaniso (wakapusa) wekuti ungawana sei mhedzisiro yakafanana:
Muenzaniso weRouting loop haushandi, asi zvinoratidza kuti ma router haana ruzivo nezve tafura yemuvakidzani wavo.
Policy Base Routing uye Yekuwedzera Routing Tables
Paunosarudza nzira, router inoshandisa munda mumwe chete kubva pakiti yepakiti (Dst. Kero) - iyi ndiyo nzira inokosha. Kufambisa kunoenderana nemamwe mamiriro, akadai seanobva kero, mhando yetraffic (ToS), kuenzanisa pasina ECMP, ndeyePolicy Base Routing (PBR) uye inoshandisa mamwe matafura enzira.
More Yakananga Nzira ndiwo mutemo mukuru wekusarudza nzira mukati metafura yekufambisa.
Nekutadza, mitemo yese yekufambisa inowedzerwa kutafura huru. Mutungamiri anogona kugadzira nhamba isingaverengeki yemamwe matafura enzira uye mapakeji enzira kwavari. Mitemo mumatafura akasiyana haipesane. Kana iyo pasuru isingawani mutemo wakakodzera mutafura yakatarwa, ichaenda kune iyo huru tafura.
Muenzaniso nekugovera kuburikidza neFirewall:
- 192.168.100.10 -> 8.8.8.8
- Traffic kubva ku192.168.100.10 inonyorwa kuburikidza-isp1 Π²
[Prerouting|Mangle] - PaRouting stage patafura kuburikidza-isp1 inotsvaga nzira inoenda ku8.8.8.8
- Nzira yawanikwa, traffic inotumirwa kugedhi 10.10.10.1
- Traffic kubva ku192.168.100.10 inonyorwa kuburikidza-isp1 Π²
- 192.168.200.20 -> 8.8.8.8
- Traffic kubva ku192.168.200.20 inonyorwa kuburikidza-isp2 Π²
[Prerouting|Mangle] - PaRouting stage patafura kuburikidza-isp2 inotsvaga nzira inoenda ku8.8.8.8
- Nzira yawanikwa, traffic inotumirwa kugedhi 10.20.20.1
- Traffic kubva ku192.168.200.20 inonyorwa kuburikidza-isp2 Π²
- Kana imwe yemagedhi (10.10.10.1 kana 10.20.20.1) ikasavapo, ipapo pakiti ichaenda patafura. kuru uye achatsvaga nzira yakakodzera ikoko
Nyaya dzeTeminology
RouterOS ine dzimwe nyaya dzematemu.
Paunenge uchishanda nemitemo mu [IP]->[Routes] tafura yekufambisa inoratidzwa, kunyangwe zvakanyorwa kuti iyo label:
Π [IP]->[Routes]->[Rule] zvese zvakanaka, mune iyo label mamiriro mune tafura chiitiko:
Maitiro ekutumira pakiti kune chaiyo routing tafura
RouterOS inopa akati wandei maturusi:
- Mitemo mukati
[IP]->[Routes]->[Rules] - Mavara enzira (
action=mark-routing) mukati[IP]->[Firewall]->[Mangle] - VRF
Mitemo [IP]->[Route]->[Rules]
Mitemo inogadziriswa sequentially, kana packet ichienderana nemamiriro emutemo, haipfuuri mberi.
Mitemo Yekutenderera inokubvumira kuti uwedzere mikana yekufambisa, uchivimba kwete chete nekero yevagamuchiri, asiwo nekero yekwakabva uye interface iyo packet yakagamuchirwa.
Mitemo inosanganisira mamiriro uye chiito:
- Conditions. Nyatsodzokorora runyoro rwezviratidzo izvo pasuru inotariswa muFIB, ToS chete ndiyo isipo.
- Zviito
- kutarisa - tumira pakiti patafura
- tarisa mutafura chete - kiya pasuru mutafura, kana nzira yacho isingawanikwe, iyo package haizoendi kutafura huru.
- kudonha - donhedza pakiti
- zvisingasvikike - rasa pakiti ine ziviso yeanotumira
MuFIB, traffic kune maitirwo enzvimbo inogadziriswa nekupfuura mitemo [IP]->[Route]->[Rules]:
Kucherechedza [IP]->[Firewall]->[Mangle]
Mavara ekufambisa anotendera iwe kuseta gedhi repaketi uchishandisa chero mamiriro eFirewall:
Chaizvoizvo, nekuti haasi ese ane musoro, uye mamwe anogona kushanda asina kugadzikana.
Pane nzira mbiri dzekuti pasuru:
- Pakarepo isa routing mark
- Isa pekutanga connection-mark, ipapo zvichibva pa connection-mark kuisa routing mark
Mune chinyorwa nezve firewalls, ndakanyora kuti yechipiri sarudzo inodiwa. inoderedza mutoro paCPu, munyaya yekumaka nzira - izvi hazvisi zvechokwadi zvachose. Idzi nzira dzekumaka hadzina kuenzana nguva dzose uye dzinowanzo shandiswa kugadzirisa matambudziko akasiyana.
Mienzaniso yekushandiswa
Ngatienderere mberi kune mienzaniso yekushandisa Policy Base Routing, zviri nyore kuratidza kuti nei zvese izvi zvichidikanwa.
MultiWAN uye dzoka inobuda (Output) traffic
Dambudziko rinowanzoitika neMultiWAN configuration: Mikrotik inowanikwa kubva paInternet chete kuburikidza ne "anoshanda" anopa.
Iyo router haina hanya kuti ip chikumbiro chakauya kunei, kana ichigadzira mhinduro, ichatsvaga nzira mutafura yekufambisa iyo nzira kuburikidza neisp1 inoshanda. Uyezve, pakiti yakadaro inogona kunge yakasefa munzira inoenda kumugamuchiri.
Imwe pfungwa inofadza. Kana iyo "nyore" sosi nat yakagadziriswa pane ether1 interface: /ip fi nat add out-interface=ether1 action=masquerade iyo package ichaenda online ne src. address=10.10.10.100, izvo zvinoita kuti zvinhu zvitonyanya kuipa.
Pane nzira dzinoverengeka dzekugadzirisa dambudziko, asi chero ipi zvayo inoda mamwe matafura enzira:
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 check-gateway=ping distance=1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 check-gateway=ping distance=2
add dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 routing-mark=over-isp2Shandisa [IP]->[Route]->[Rules]
Rondedzera tafura yekufambisa iyo ichashandiswa pamapakiti ane yakataurwa Source IP.
/ip route rule
add src-address=10.10.10.100/32 action=lookup-only-in-table table=over-isp1
add src-address=10.20.20.200/32 action=lookup-only-in-table table=over-isp2Unogona kushandisa action=lookup, asi kune yemuno inobuda traffic, iyi sarudzo haibatanidzi zvachose kubatana kubva kune isiriyo interface.
- Iyo sisitimu inogadzira mhinduro pakiti neSrc. Kero: 10.20.20.200
- Iyo Routing Sarudzo (2) nhanho inoongorora
[IP]->[Routes]->[Rules]uye pakiti inotumirwa kutafura yekufambisa pamusoro-isp2 - Zvinoenderana netafura yekufambisa, packet inofanira kutumirwa kugedhi 10.20.20.1 kuburikidza ne ether2 interface.
Iyi nzira haidi kushanda Connection Tracker, kusiyana nekushandisa Mangle tafura.
Shandisa [IP]->[Firewall]->[Mangle]
Kubatanidza kunotanga nepakiti inopinda, saka tinoimaka (action=mark-connection), pamapakiti anobuda kubva kune yakanyorwa, isa iyo routing label (action=mark-routing).
/ip firewall mangle
#ΠΠ°ΡΠΊΠΈΡΠΎΠ²ΠΊΠ° Π²Ρ
ΠΎΠ΄ΡΡΠΈΡ
ΡΠΎΠ΅Π΄ΠΈΠ½Π΅Π½ΠΈΠΉ
add chain=input in-interface=ether1 connection-state=new action=mark-connection new-connection-mark=from-isp1
add chain=input in-interface=ether2 connection-state=new action=mark-connection new-connection-mark=from-isp2
#ΠΠ°ΡΠΊΠΈΡΠΎΠ²ΠΊΠ° ΠΈΡΡ
ΠΎΠ΄ΡΡΠΈΡ
ΠΏΠ°ΠΊΠ΅ΡΠΎΠ² Π½Π° ΠΎΡΠ½ΠΎΠ²Π΅ ΡΠΎΠ΅Π΄ΠΈΠ½Π΅Π½ΠΈΠΉ
add chain=output connection-mark=from-isp1 action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=output connection-mark=from-isp2 action=mark-routing new-routing-mark=over-isp2 passthrough=noKana akati wandei ips akagadzirirwa pane imwe interface, unogona kuwedzera kune iyo mamiriro dst-address kuva nechokwadi.
- Paketi inovhura chinongedzo pane ether2 interface. Iyo package inopinda
[INPUT|Mangle]iyo inoti kumaka mapaketi ese kubva pakubatanidza se kubva-isp2 - Iyo sisitimu inogadzira mhinduro pakiti neSrc. Kero: 10.20.20.200
- PaRouting Decision (2) danho, pakiti, maererano netafura yekufambisa, inotumirwa kugedhi 10.20.20.1 kuburikidza ne ether1 interface. Unogona kuona izvi nekupinda mukati
[OUTPUT|Filter] - Padariro
[OUTPUT|Mangle]kubatanidza label inotariswa kubva-isp2 uye pakiti inogamuchira chirairo chenzira pamusoro-isp2 - Iyo Routing Adjusment(3) nhanho inotarisa kuvepo kweiyo routing label uye inotumira kune yakakodzera tafura yenzira.
- Zvinoenderana netafura yekufambisa, packet inofanira kutumirwa kugedhi 10.20.20.1 kuburikidza ne ether2 interface.
MultiWAN uye dzorera dst-nat traffic
Muenzaniso wakanyanya kuomarara, chii chaunofanira kuita kana paine sevha (somuenzaniso, webhu) kuseri kweiyo router pane yakavanzika subnet uye iwe unofanirwa kupa mukana kune iyo kuburikidza nechero wevanopa.
/ip firewall nat
add chain=dstnat proto=tcp dst-port=80,443 in-interface=ether1 action=dst-nat to-address=192.168.100.100
add chain=dstnat proto=tcp dst-port=80,443 in-interface=ether2 action=dst-nat to-address=192.168.100.100Iyo yakakosha yedambudziko ichave yakafanana, mhinduro yakafanana neiyo Firewall Mangle sarudzo, mamwe maketani chete achashandiswa:
/ip firewall mangle
add chain=prerouting connection-state=new in-interface=ether1 protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=web-input-isp1
add chain=prerouting connection-state=new in-interface=ether2 protocol=tcp dst-port=80,443 action=mark-connection new-connection-mark=web-input-isp2
add chain=prerouting connection-mark=web-input-isp1 in-interface=ether3 action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=prerouting connection-mark=web-input-isp2 in-interface=ether3 action=mark-routing new-routing-mark=over-isp2 passthrough=no
Dhiagiramu hairatidzi NAT, asi ndinofunga zvese zvakajeka.
MultiWAN uye inobuda kubatanidza
Iwe unogona kushandisa iyo PBR kugona kugadzira akawanda vpn (SSTP mumuenzaniso) zvinongedzo kubva kune akasiyana router interfaces.
Mamwe matafura ekufambisa:
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.100.1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=192.168.200.1 routing-mark=over-isp2
add dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-mark=over-isp3
add dst-address=0.0.0.0/0 gateway=192.168.100.1 distance=1
add dst-address=0.0.0.0/0 gateway=192.168.200.1 distance=2
add dst-address=0.0.0.0/0 gateway=192.168.0.1 distance=3Package marks:
/ip firewall mangle
add chain=output dst-address=10.10.10.100 proto=tcp dst-port=443 action=mark-routing new-routing-mark=over-isp1 passtrough=no
add chain=output dst-address=10.10.10.101 proto=tcp dst-port=443 action=mark-routing new-routing-mark=over-isp2 passtrough=no
add chain=output dst-address=10.10.10.102 proto=tcp dst-port=443 action=mark-routing new-routing-mark=over-isp3 passtrough=noYakareruka NAT inotonga, zvikasadaro iyo packet inosiya iyo interface ine isiriyo Src. kero:
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
add chain=srcnat out-interface=ether3 action=masqueradeKutsiva:
- Router inogadzira matatu maitiro eSSTP
- Paiyo Routing Sarudzo (2) nhanho, nzira inosarudzirwa maitiro aya zvichienderana neiyo huru routing tafura. Kubva munzira imwechete, iyo packet inogamuchira Src. Kero yakasungwa kune ether1 interface
- Π
[Output|Mangle]mapaketi kubva pakubatana kwakasiyana anogamuchira mavara akasiyana - Mapaketi anopinda mumatafura anoenderana nemazita ari paRouting Adjusment nhanho uye anogashira nzira nyowani yekutumira mapaketi.
- Asi mapakeji achine Src. Kero kubva ether1, pachikuva
[Nat|Srcnat]kero inotsiviwa maererano neinterface
Sezvineiwo, pane iyo router iwe uchaona inotevera yekubatanidza tafura:
Connection Tracker inoshanda kare [Mangle] ΠΈ [Srcnat], saka zvese zvinongedzo zvinobva kune imwechete kero, kana iwe ukatarisa zvakadzama, ipapo mukati Replay Dst. Address pachava nemakero mushure meNAT:
PaVPN server (ndine imwe pabhenji rekuyedza), unogona kuona kuti zvese zvinongedzo zvinobva kumakero chaiwo:
Mirira imwe nzira
Pane nzira iri nyore, unogona kungotsanangura gedhi reimwe neimwe yemakero:
/ip route
add dst-address=10.10.10.100 gateway=192.168.100.1
add dst-address=10.10.10.101 gateway=192.168.200.1
add dst-address=10.10.10.102 gateway=192.168.0.1Asi nzira dzakadai hadzingokanganisa kubuda chete asiwo migwagwa. Uyezve, kana iwe usingade traffic kune vpn server kuti uende nenzira isina kufanira yekutaurirana nzira, ipapo iwe uchafanirwa kuwedzera 6 mimwe mitemo ku. [IP]->[Routes]Ρ type=blackhole. Mune shanduro yapfuura - 3 mitemo mukati [IP]->[Route]->[Rules].
Kugoverwa kwekubatanidza kwevashandisi nematanho ekutaurirana
Akareruka, emazuva ese mabasa. Zvekare, mamwe matafura ekufambisa anozodiwa:
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=1 routing-mark=over-isp2Uchishandisa [IP]->[Route]->[Rules]
/ip route rules
add src-address=192.168.100.0/25 action=lookup-only-in-table table=over-isp1
add src-address=192.168.100.128/25 action=lookup-only-in-table table=over-isp2Kana iwe ukashandisa action=lookup, zvino kana imwe yemigwagwa yakaremara, motokari ichaenda kune tafura huru uye inopinda nemugero wekushanda. Kuti izvi zvakakosha here kana kuti kwete zvinoenderana nebasa racho.
Kushandisa zviratidzo mukati [IP]->[Firewall]->[Mangle]
Muenzaniso wakapfava une zvinyorwa zve ip kero. In musimboti, anenge chero mamiriro anogona kushandiswa. Iyo chete caveat ye7 layer, kunyangwe kana yakapetwa nekubatanidza mavara, zvingaite senge zvese zviri kushanda nemazvo, asi mamwe traffic acharamba achienda nenzira isiriyo.
/ip firewall mangle
add chain=prerouting src-address-list=users-over-isp1 dst-address-type=!local action=mark-routing new-routing-mark=over-isp1
add chain=prerouting src-address-list=users-over-isp2 dst-address-type=!local action=mark-routing new-routing-mark=over-isp2Iwe unogona "kuvhara" vashandisi mune imwe nzira yetafura kuburikidza [IP]->[Route]->[Rules]:
/ip route rules
add routing-mark=over-isp1 action=lookup-only-in-table table=over-isp1
add routing-mark=over-isp2 action=lookup-only-in-table table=over-isp2Pamwe kuburikidza [IP]->[Firewall]->[Filter]:
/ip firewall filter
add chain=forward routing-mark=over-isp1 out-interface=!ether1 action=reject
add chain=forward routing-mark=over-isp2 out-interface=!ether2 action=rejectRetreat pro dst-address-type=!local
Mamiriro ekuwedzera dst-address-type=!local zvinodikanwa kuti traffic kubva kune vashandisi isvike maitiro emunharaunda ye router (dns, winbox, ssh, ...). Kana akati wandei emunharaunda ma subnet akabatana kune router, zvinodikanwa kuve nechokwadi kuti traffic iri pakati pavo haiendi kuInternet, semuenzaniso, kushandisa. dst-address-table.
Mumuenzaniso kushandisa [IP]->[Route]->[Rules] hapana zvakadaro, asi traffic inosvika maitiro emunharaunda. Icho chokwadi ndechekuti kupinda muFIB package yakanyorwa mukati [PREROUTING|Mangle] ine chinyorwa chenzira uye inopinda mutafura yenzira kunze kweiyo huru, uko pasina chimiro chenzvimbo. Panyaya yeMitemo Yekutenderera, chokutanga chinotariswa kuti pakiti yacho yakarongedzerwa maitiro enzvimbo uye chete paMushandisi PBR nhanho inoenda kune yakatsanangurwa tafura tafura.
Uchishandisa [IP]->[Firewall]->[Mangle action=route]
Ichi chiito chinoshanda chete mukati [Prerouting|Mangle] uye inobvumidza iwe kutungamira traffic kune yakataurwa gedhi usingashandisi mamwe matafura enzira, uchitsanangura kero yegedhi zvakananga:
/ip firewall mangle
add chain=prerouting src-address=192.168.100.0/25 action=route gateway=10.10.10.1
add chain=prerouting src-address=192.168.128.0/25 action=route gateway=10.20.20.1kushanda route ine kukosha kwakaderera pane mitemo yenzira ([IP]->[Route]->[Rules]) Kana iri nzira mamaki, zvese zvinoenderana nenzvimbo yemitemo, kana mutemo uine action=route inokosha kupfuura action=mark-route, ipapo ichashandiswa (zvisinei nemureza passtrough), zvimwe zvichimaka nzira.
Pane ruzivo rudiki kwazvo pawiki nezve chiitiko ichi uye zvese mhedziso dzinowanikwa mukuyedza, chero zvakadaro, ini handina kuwana sarudzo pakushandisa iyi sarudzo inopa zvakanakira pane vamwe.
PPC yakavakirwa dynamic balancing
Per Connection Classifier - iri nyore kuchinjika analogue yeECMP. Kusiyana neECMP, inokamura traffic nekubatanidza zvakanyanya (ECMP haizive chinhu nezve kubatana, asi kana yapetwa ne Routing Cache, chimwe chinhu chakafanana chinowanikwa).
PCC inotora minda yakatarwa kubva pane ip musoro, inovashandura kuita 32-bit kukosha, uye inokamura ne dhinomineta. Iyo yasara yekupatsanurwa inofananidzwa neyakatsanangurwa zvasara uye kana vakafanana, ipapo chiito chakataurwa chinoshandiswa. . Inonzwika kupenga, asi inoshanda.
Muenzaniso une kero nhatu:
192.168.100.10: 192+168+100+10 = 470 % 3 = 2
192.168.100.11: 192+168+100+11 = 471 % 3 = 0
192.168.100.12: 192+168+100+12 = 472 % 3 = 1Muenzaniso wekuparadzirwa kwetraffic ne src.address pakati pematanho matatu:
#Π’Π°Π±Π»ΠΈΡΠ° ΠΌΠ°ΡΡΡΡΡΠΈΠ·Π°ΡΠΈΠΈ
/ip route
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.30.30.1 dist=3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.10.10.1 dist=1 routing-mark=over-isp1
add dst-address=0.0.0.0/0 gateway=10.20.20.1 dist=1 routing-mark=over-isp2
add dst-address=0.0.0.0/0 gateway=10.30.30.1 dist=1 routing-mark=over-isp3
#ΠΠ°ΡΠΊΠΈΡΠΎΠ²ΠΊΠ° ΡΠΎΠ΅Π΄ΠΈΠ½Π΅Π½ΠΈΠΉ ΠΈ ΠΌΠ°ΡΡΡΡΡΠΎΠ²
/ip firewall mangle
add chain=prerouting in-interface=br-lan dst-address-type=!local connection-state=new per-connection-classifier=src-address:3/0 action=mark-connection new-connection-mark=conn-over-isp1
add chain=prerouting in-interface=br-lan dst-address-type=!local connection-state=new per-connection-classifier=src-address:3/1 action=mark-connection new-connection-mark=conn-over-isp2
add chain=prerouting in-interface=br-lan dst-address-type=!local connection-state=new per-connection-classifier=src-address:3/2 action=mark-connection new-connection-mark=conn-over-isp3
add chain=prerouting in-interface=br-lan connection-mark=conn-over-isp1 action=mark-routing new-routing-mark=over-isp1
add chain=prerouting in-interface=br-lan connection-mark=conn-over-isp2 action=mark-routing new-routing-mark=over-isp2
add chain=prerouting in-interface=br-lan connection-mark=conn-over-isp3 action=mark-routing new-routing-mark=over-isp3Paunenge uchimaka nzira, pane imwezve mamiriro: in-interface=br-lan, pasina iyo pasi action=mark-routing mhinduro kubva kuInternet ichawana uye, maererano nematafura ekufambisa, ichadzokera kumupi.
Kuchinja nzira dzekukurukurirana
Tarisa ping chishandiso chakanaka, asi chinongotarisa kubatana neiyo IP peer iri pedyo, mupi wetiweki anowanzo kuve nenhamba huru ye routers uye kutyora kwekubatanidza kunogona kuitika kunze kwevezera riri pedyo, uyezve kune backbone telecom operators vanogonawo. vane matambudziko, kazhinji cheki ping haiwanzo kuratidza ruzivo rwezvino nezve kuwana kune network yepasirese.
Kana vanopa uye makambani makuru vaine iyo BGP dynamic routing protocol, saka vashandisi vekumba nehofisi vanofanirwa kufunga vakazvimiririra kuti vangatarisa sei kuwanikwa kweInternet kuburikidza neimwe nzira yekutaurirana.
Kazhinji, zvinyorwa zvinoshandiswa kuti, kuburikidza neimwe nzira yekukurukurirana, tarisa kuwanikwa kwep kero paInternet, uchisarudza chimwe chinhu chakavimbika, semuenzaniso, google dns: 8.8.8.8. 8.8.4.4. Asi munharaunda yeMikrotik, chimwe chinhu chinonakidza chakagadziridzwa kune izvi.
Mazwi mashoma nezve recursive routing
Recursive routing inodiwa paunenge uchivaka Multihop BGP kutarisisa uye wakapinda muchinyorwa nezve izvo zvekutanga zve static routing chete nekuda kwehungwaru vashandisi veMikroTik vakafunga mashandisiro enzira dzinodzokororwa dzakabatanidzwa necheki gedhi rekuchinja nzira dzekutaurirana pasina mamwe manyoro.
Yave nguva yekunzwisisa chiyero / chinangwa chekuyera sarudzo mune zvakajairika uye kuti nzira inosungwa sei kune interface:
- Nzira yacho inotarisa kumusoro kwechiratidziro chekutumira pakiti zvichienderana nechiyero chayo uye zvese zvinopinda mutafura huru ine isingasviki kana yakaenzana chinangwa scope values.
- Kubva pane anowanikwa mainterfaces, iyo yaunogona kutumira pakiti kune yakatsanangurwa gedhi inosarudzwa
- Iyo interface yeiyo yakawanikwa yakabatana yekupinda inosarudzwa kutumira iyo pakiti kugedhi
Pamberi penzira inodzokororwa, zvese zvinoitika zvakafanana, asi mumatanho maviri:
- 1-3 Imwezve nzira inowedzerwa kune yakabatana nzira, kuburikidza iyo yakatsanangurwa gedhi inogona kusvika
- 4-6 Kutsvaga nzira yakabatana nzira ye "yepakati" gedhi
Zvese manipulations nekutsvaga kwekudzokorora kunoitika muRIB, uye chete mhedzisiro inoendeswa kuFIB: 0.0.0.0/0 via 10.10.10.1 on ether1.
Muenzaniso wekushandisa recursive routing kuchinja nzira
Configuration:
/ip route
add dst-address=0.0.0.0/0 gateway=8.8.8.8 check-gateway=ping distance=1 target-scope=10
add dst-address=8.8.8.8 gateway=10.10.10.1 scope=10
add dst-address=0.0.0.0/0 gateway=10.20.20.1 distance=2Unogona kutarisa kuti mapaketi achatumirwa ku10.10.10.1:
Cheka gedhi hapana chainoziva nezve recursive routing uye inongotumira pings ku8.8.8.8, iyo (yakavakirwa patafura huru) inosvikika kuburikidza negedhi 10.10.10.1.
Kana pane kurasikirwa kwekutaurirana pakati pe10.10.10.1 ne8.8.8.8, ipapo nzira inobviswa, asi mapaketi (kusanganisira test pings) kusvika ku8.8.8.8 inoramba ichipfuura 10.10.10.1:
Kana chinongedzo kune ether1 chikarasika, ipapo mamiriro asingafadzi anoitika kana mapaketi asati asvika 8.8.8.8 achipfuura nemupi wechipiri:
Iri idambudziko kana uri kushandisa NetWatch kuita zvinyorwa kana 8.8.8.8 isipo. Kana chinongedzo chatyorwa, NetWatch inongoshanda kuburikidza neiyo backup yekutaurirana chiteshi uye yofunga kuti zvese zvakanaka. Yakagadziriswa nekuwedzera imwe nzira yekusefa:
/ip route
add dst-address=8.8.8.8 gateway=10.20.20.1 distance=100 type=blackhole
Pane habrΓ© , uko mamiriro neNetWatch anotariswa zvakadzama.
Uye hongu, kana uchishandisa kuchengetwa kwakadaro, kero 8.8.8.8 ichave yakaoma kune mumwe wevanopa, saka kuisarudza se dns sosi haisi pfungwa yakanaka.
Mazwi mashoma nezve Virtual Routing uye Forwarding (VRF)
VRF tekinoroji yakagadzirirwa kugadzira akati wandei ma routers mukati meimwe yemuviri, tekinoroji iyi inoshandiswa zvakanyanya nevashandisi venharembozha (kazhinji yakabatana neMPLS) kupa L3VPN masevhisi kune vatengi vane inopindirana subnet kero:
Asi VRF muMikrotik yakarongeka pamusana pematafura ekufambisa uye ine zvipingamupinyi zvakawanda, semuenzaniso, ip ip addresses ye router inowanikwa kubva kuVRFs yose, unogona kuverenga zvakawanda. .
vrf gadziriso muenzaniso:
/ip route vrf
add interfaces=ether1 routing-mark=vrf1
add interfaces=ether2 routing-mark=vrf2
/ip address
add address=192.168.100.1/24 interface=ether1 network=192.168.100.0
add address=192.168.200.1/24 interface=ether2 network=192.168.200.0Kubva pachigadzirwa chakabatana ne ether2, tinoona kuti ping inoenda kurouter kero kubva kune imwe vrf (uye iri idambudziko), nepo ping isingaendi kuInternet:
Kuti uwane iyo Internet, unofanirwa kunyoresa imwe nzira inowana iyo huru tafura (mu vrf terminology, iyi inonzi nzira inodonha):
/ip route
add distance=1 gateway=172.17.0.1@main routing-mark=vrf1
add distance=1 gateway=172.17.0.1%wlan1 routing-mark=vrf2Hedzino nzira mbiri dzekudonha nzira: kushandisa tafura yenzira: 172.17.0.1@main uye kushandisa zita rekushandisa: 172.17.0.1%wlan1.
Uye gadzira yekumaka yekudzoka traffic mukati [PREROUTING|Mangle]:
/ip firewall mangle
add chain=prerouting in-interface=ether1 action=mark-connection new-connection-mark=from-vrf1 passthrough=no
add chain=prerouting connection-mark=from-vrf1 routing-mark=!vrf1 action=mark-routing new-routing-mark=vrf1 passthrough=no
add chain=prerouting in-interface=ether2 action=mark-connection new-connection-mark=from-vrf2 passthrough=no
add chain=prerouting connection-mark=from-vrf2 routing-mark=!vrf1 action=mark-routing new-routing-mark=vrf2 passthrough=no
Subnets ine kero imwe chete
Sangano rekuwana ma subnets ane kero yakafanana pane imwechete router uchishandisa VRF uye netmap:
Basic configuration:
/ip route vrf
add interfaces=ether1 routing-mark=vrf1
add interfaces=ether2 routing-mark=vrf2
/ip address
add address=192.168.100.1/24 interface=ether1 network=192.168.100.0
add address=192.168.100.1/24 interface=ether2 network=192.168.100.0
add address=192.168.0.1/24 interface=ether3 network=192.168.0.0firewall mitemo:
#ΠΠ°ΡΠΊΠΈΡΡΠ΅ΠΌ ΠΏΠ°ΠΊΠ΅ΡΡ Π΄Π»Ρ ΠΎΡΠΏΡΠ°Π²ΠΊΠΈ Π² ΠΏΡΠ°Π²ΠΈΠ»ΡΠ½ΡΡ ΡΠ°Π±Π»ΠΈΡΡ ΠΌΠ°ΡΡΡΡΡΠΈΠ·Π°ΡΠΈΠΈ
/ip firewall mangle
add chain=prerouting dst-address=192.168.101.0/24 in-interface=ether3 action=mark-routing new-routing-mark=vrf1 passthrough=no
add chain=prerouting dst-address=192.168.102.0/24 in-interface=ether3 action=mark-routing new-routing-mark=vrf2 passthrough=no
#Π‘ΡΠ΅Π΄ΡΡΠ²Π°ΠΌΠΈ netmap Π·Π°ΠΌΠ΅Π½ΡΠ΅ΠΌ Π°Π΄ΡΠ΅ΡΠ° "ΡΡΠΈΠΌΠ΅ΡΠ½ΡΡ
" ΠΏΠΎΠ΄ΡΠ΅ΡΠ΅ΠΉ Π½Π° ΡΠ΅Π°Π»ΡΠ½ΡΠ΅ ΠΏΠΎΠ΄ΡΠ΅ΡΠΈ
/ip firewall nat
add chain=dstnat dst-address=192.168.101.0/24 in-interface=ether3 action=netmap to-addresses=192.168.100.0/24
add chain=dstnat dst-address=192.168.102.0/24 in-interface=ether3 action=netmap to-addresses=192.168.100.0/24Mitemo yenzira yekudzoka traffic:
#Π£ΠΊΠ°Π·Π°Π½ΠΈΠ΅ ΠΈΠΌΠ΅Π½ΠΈ ΠΈΠ½ΡΠ΅ΡΡΠ΅ΠΉΡΠ° ΡΠΎΠΆΠ΅ ΠΌΠΎΠΆΠ΅Ρ ΡΡΠΈΡΠ°ΡΡΡΡ route leaking, Π½ΠΎ ΠΏΠΎ ΡΡΡΠΈ ΡΡΡ ΡΠΎΠ·Π΄Π°Π΅ΡΡΡ Π°Π½Π°Π»ΠΎΠ³ connected ΠΌΠ°ΡΡΡΡΡΠ°
/ip route
add distance=1 dst-address=192.168.0.0/24 gateway=ether3 routing-mark=vrf1
add distance=1 dst-address=192.168.0.0/24 gateway=ether3 routing-mark=vrf2Kuwedzera nzira dzakagamuchirwa kuburikidza nedhcp kune yakapihwa tafura yenzira
VRF inogona kunakidza kana iwe uchida kuwedzera otomatiki nzira ine simba (semuenzaniso, kubva kune dhcp mutengi) kune yakatarwa tafura tafura.
Kuwedzera interface kuvrf:
/ip route vrf
add interface=ether1 routing-mark=over-isp1Mitemo yekutumira traffic (inobuda uye yekufambisa) kuburikidza netafura pamusoro-isp1:
/ip firewall mangle
add chain=output out-interface=!br-lan action=mark-routing new-routing-mark=over-isp1 passthrough=no
add chain=prerouting in-interface=br-lan dst-address-type=!local action=mark-routing new-routing-mark=over-isp1 passthrough=noKuwedzera, nzira yekunyepedzera yekubuda nzira kuenda kubasa:
/interface bridge
add name=bare
/ip route
add dst-address=0.0.0.0/0 gateway=bareIyi nzira inongodiwa kuitira kuti mapaketi emuno anobuda akwanise kupfuura nemusarudzo yeRouting (2) pamberi [OUTPUT|Mangle] uye tora iyo routing label, kana pane dzimwe nzira dzinoshanda pane router pamberi pe 0.0.0.0/0 mutafura huru, hazvidiwi.
maketani connected-in ΠΈ dynamic-in Π² [Routing] -> [Filters]
Kusefa nzira (inopinda uye inobuda) chishandiso chinowanzo shandiswa pamwe chete neane simba routing protocol (uye saka inongowanikwa mushure mekuisa pasuru. routing), asi kune maketani maviri anonakidza mumafirita anouya:
- yakabatana-mukati - kusefa nzira dzakabatana
- dynamic-in - kusefa nzira dzine simba dzakatambirwa nePPP neDCHP
Kusefa kunobvumira iwe kwete kungorasa nzira, asi zvakare kushandura akati wandei sarudzo: chinhambwe, nzira-mucherechedzo, kutaura, chiyero, chiyero chechinangwa, ...
Ichi chishandiso chakanyanya uye kana iwe uchigona kuita chimwe chinhu pasina Routing Filters (asi kwete zvinyorwa), saka usashandise Routing Mafirita, usazvivhiringa iwe nevaya vanozogadzirisa router mushure mako. Mukati memamiriro ekuchinja ane simba, Routing Mafirita achashandiswa zvakanyanya kazhinji uye zvine pundutso.
Kuisa iyo Routing Mark yeDynamic Routes
Muenzaniso kubva kune router yepamba. Ndine maVPN maviri ekubatanidza akagadziriswa uye traffic mavari inofanirwa kuputirwa zvinoenderana nematafura ekufambisa. Panguva imwecheteyo, ini ndinoda kuti nzira dzigadzirwe otomatiki kana iyo interface yaitwa:
#ΠΡΠΈ ΡΠΎΠ·Π΄Π°Π½ΠΈΠΈ vpn ΠΏΠΎΠ΄ΠΊΠ»ΡΡΠ΅Π½ΠΈΠΉ ΡΠΊΠ°Π·ΡΠ²Π°Π΅ΠΌ ΡΠΎΠ·Π΄Π°Π½ΠΈΠ΅ default route ΠΈ Π·Π°Π΄Π°Π΅ΠΌ Π΄ΠΈΡΡΠ°Π½ΡΠΈΡ
/interface pptp-client
add connect-to=X.X.X.X add-default-route=yes default-route-distance=101 ...
add connect-to=Y.Y.Y.Y add-default-route=yes default-route-distance=100 ...
#Π€ΠΈΠ»ΡΡΡΠ°ΠΌΠΈ ΠΎΡΠΏΡΠ°Π²Π»ΡΠ΅ΠΌ ΠΌΠ°ΡΡΡΡΡΡ Π² ΠΎΠΏΡΠ΅Π΄Π΅Π»Π΅Π½Π½ΡΠ΅ ΡΠ°Π±Π»ΠΈΡΡ ΠΌΠ°ΡΡΡΡΡΠΈΠ·Π°ΡΠΈΠΈ Π½Π° ΠΎΡΠ½ΠΎΠ²Π΅ ΠΏΠΎΠ΄ΡΠ΅ΡΠΈ Π½Π°Π·Π½Π°ΡΠ΅Π½ΠΈΡ ΠΈ Π΄ΠΈΡΡΠ°Π½ΡΠΈΠΈ
/routing filter
add chain=dynamic-in distance=100 prefix=0.0.0.0/0 action=passthrough set-routing-mark=over-vpn1
add chain=dynamic-in distance=101 prefix=0.0.0.0/0 action=passthrough set-routing-mark=over-vpn2Handizivi kuti sei, zvichida bug, asi kana iwe ukagadzira vrf yeppp interface, ipapo nzira inoenda ku0.0.0.0/0 icharamba ichipinda mutafura huru. Zvikasadaro, zvinhu zvese zvinenge zviri nyore.
Kudzima Nzira Dzakabatanidzwa
Dzimwe nguva izvi zvinodiwa:
/route filter
add chain=connected-in prefix=192.168.100.0/24 action=rejectDebugging zvishandiso
RouterOS inopa akati wandei maturusi ekugadzirisa nzira:
[Tool]->[Tourch]- inobvumidza iwe kuti utarise mapaketi pane interfaces/ip route check- inobvumidza iwe kuti uone kuti ndeipi gedhi iro pakiti richatumirwa, harishande nematafura ekufambisa/ping routing-table=<name>ΠΈ/tool traceroute routing-table=<name>- ping uye tsvaga uchishandisa iyo yakatsanangurwa routing tafuraaction=logΠ²[IP]->[Firewall]- chishandiso chakanakisa chinokutendera kuti uteedzere nzira yepakiti pamwe nekuyerera kwepaketi, ichi chiitiko chinowanikwa mumaketani ese nematafura.
Source: www.habr.com