Multiwan and routing on Mikrotik RouterOS

Introduction

Writing this article, apart from idle curiosity, was prompted by the recurring frustration over questions on this topic in the Russian-speaking Telegram groups dedicated to the product. The article is aimed at administrators of Mikrotik RouterOS (hereafter ROS). It deals only with multiwan (several internet uplinks on one router), with the emphasis on routing. As a bonus there is a minimal sufficient set of settings for security and convenient operation. Those looking for coverage of queues, load balancing, VLANs, bridges, deep multi-stage analysis of link state and the like may not want to spend the time and effort reading it.

Initial data

A Mikrotik router running ROS 6.45.3 was chosen as the test subject. It will route traffic between two local networks (LAN1 and LAN2) and three providers (ISP1, ISP2 and ISP3). The ISP1 link has a static "grey" (non-routable) address, ISP2 a "white" (public) address obtained via DHCP, and ISP3 a "white" address with PPPoE authorization. The connection diagram is shown in the figure:

[Figure: connection diagram of the router, LAN1, LAN2 and the three ISPs]

The task is to configure the MTK router according to the scheme so that:

  1. Automatic failover to a backup provider is provided. The main provider is ISP2, the first backup is ISP1, the second backup is ISP3.
  2. The LAN1 network gets internet access only via ISP1.
  3. Traffic from the local networks can be routed to the internet via a provider chosen on the basis of an address list.
  4. Services on the local networks can be published to the internet (DSTNAT).
  5. A firewall filter provides minimal security from the internet side.
  6. The router can send its own traffic via any of the three providers, depending on the chosen source address.
  7. Reply packets are routed back through the channel they came in on (including the LAN).

Comment. The router will be configured "from scratch" to guarantee the absence of surprises from the "out of the box" default configuration, which changes from version to version. Winbox was chosen as the configuration tool: changes will be shown in it visually, while the settings themselves will be entered as commands in the Winbox Terminal. The physical connection for configuration is a direct link to the ether5 interface.

A few thoughts on what multiwan is, whether it is a problem at all, or whether cunning people are just weaving webs of intrigue

An inquisitive and attentive administrator who sets up such a scheme, or a similar one, on their own suddenly discovers that it already works fine. Yes, yes: without the custom routing tables and other route rules that articles on this topic are full of. Shall we check?

Can we configure the addresses on the interfaces and the default gateways? Yes:

On ISP1, the address and gateway are entered statically with distance=2 and check-gateway=ping.
On ISP2, the DHCP client keeps its default settings, so the distance equals one.
On ISP3, in the PPPoE client settings, add-default-route=yes is set together with default-route-distance=3.

Don't forget to add the outbound NAT:

/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN

As a result, users of the local networks enjoy downloading cats via the main provider ISP2, and there is link redundancy through the check-gateway mechanism. See note 1.

Item 1 of the task is done. Where is the multiwan with its marks? Nowhere...

Next. Particular LAN clients need to go out via ISP1:

/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS \
passthrough=yes route-dst=100.66.66.1 src-address-list=Via_ISP1
/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS \
passthrough=no route-dst=100.66.66.1 src-address=192.168.88.0/24

Items 2 and 3 of the task are done. Marks, stamps, route rules, where are you?!

Need to give internet clients access to your favourite OpenVPN server at 172.17.17.17? Here you go:

/ip cloud set ddns-enabled=yes

and hand the clients the output of ":put [/ip cloud get dns-name]" as the peer address.

Add port forwarding from the internet:

/ip firewall nat add action=dst-nat chain=dstnat dst-port=1194 \
in-interface-list=WAN protocol=udp to-addresses=172.17.17.17

Item 4 is done.

We set up the firewall and the rest of the security for item 5, rejoicing along the way that everything already works for the users, and reach for a glass of our favourite drink...
Ah! We forgot the tunnels.

Did the l2tp-client, configured by a googled article, come up to the favourite Dutch VDS? Yes.
Did the l2tp-server with IPsec come up, and do the clients attach using the DNS name from IP Cloud (see above)? Yes.
Leaning back in the chair and sipping the drink, we lazily consider items 6 and 7 of the task. We think: do we even need them? It all works anyway (c)... So if they are not needed, that's that. Multiwan is implemented.

What is multiwan? It is connecting several internet channels to one router.

There is no need to read further, because what else could there be besides a demonstration of dubious applicability?

For those who remain, who are interested in items 6 and 7 of the task and also feel the itch of perfectionism, we dive deeper.

The most important task in a multiwan implementation is correct traffic routing. Namely: regardless of which (or which several, see note 3) of the ISP channels the default route on our router points at, it must return the reply through exactly the channel the packet came in on. The task is clear. Where is the problem? Indeed, in a simple local network the task is the same, yet nobody bothers with extra settings and nobody feels any problem. The difference is that any routable node on the internet is reachable through any of our channels, not through one strictly defined one as in a simple LAN. And the "problem" is that if a request arrives at the IP address of ISP3, then in our case the reply will leave via the ISP2 channel, because that is where the default gateway points. It will leave and be dropped by the provider as incorrect (its source address does not belong to that provider). The problem is identified. How do we solve it?

The solution is divided into three stages:

  1. Preparation. At this stage the basic router settings are made: local network, firewall, address lists, hairpin NAT, etc.
  2. Multiwan. At this stage the necessary connections are marked and sorted into routing tables.
  3. Connecting the ISPs. At this stage the interfaces providing the internet connection are configured, and routing and the channel failover mechanism are activated.

1. Preparation

1.1. Clear the router configuration with the command:

/system reset-configuration skip-backup=yes no-defaults=yes

agree to "Dangerous! Reset anyway? [y/N]:" and, after the reboot, connect with Winbox via MAC. At this stage the configuration and the user database are cleared.

1.2. Create a new user:

/user add group=full name=knight password=ultrasecret comment="Not horse"

log in as that user and delete the default one:

/user remove admin

Comment. Removing rather than merely disabling the default user is what the author considers safer and recommends. The password above is a placeholder; use a real one.

1.3. Create the basic interface lists for convenient work with the firewall, the discovery settings and the various MAC servers:

/interface list add name=WAN comment="For Internet"
/interface list add name=LAN comment="For Local Area"

Label the interfaces with comments

/interface ethernet set ether1 comment="to ISP1"
/interface ethernet set ether2 comment="to ISP2"
/interface ethernet set ether3 comment="to ISP3"
/interface ethernet set ether4 comment="to LAN1"
/interface ethernet set ether5 comment="to LAN2"

and fill the interface lists:

/interface list member add interface=ether1 list=WAN comment=ISP1
/interface list member add interface=ether2 list=WAN comment=ISP2
/interface list member add interface=ether3 list=WAN comment=ISP3
/interface list member add interface=ether4 list=LAN comment=LAN1
/interface list member add interface=ether5 list=LAN comment=LAN2

Comment. Writing understandable comments is worth the time spent on it; besides, it greatly simplifies troubleshooting and understanding the configuration.

The author considers it necessary, for security reasons, to add the ether3 interface to the "WAN" list, even though no IP traffic will pass over it directly (it carries only the PPPoE frames).

Don't forget that once the PPP interface is brought up on ether3, it must also be added to the "WAN" interface list (in 3.3.1 the PPP profile does this through interface-list=WAN).

1.4. Hide the router from neighbour discovery and from MAC-based management on the provider networks:

/ip neighbor discovery-settings set discover-interface-list=!WAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

1.5. Create the minimum sufficient set of firewall filter rules to protect the router:

/ip firewall filter add action=accept chain=input comment="Related Established Untracked Allow" \
connection-state=established,related,untracked

(The rule allows established and related connections from both attached networks and to the router itself)

/ip firewall filter add action=accept chain=input comment="ICMP from ALL" protocol=icmp

(ping is not only ping. All of ICMP is allowed. Very useful for finding MTU problems.)

/ip firewall filter add action=drop chain=input comment="All other WAN Drop" in-interface-list=WAN

(The rule that closes the input chain forbids everything else arriving from the internet)

/ip firewall filter add action=accept chain=forward \
comment="Established, Related, Untracked allow" \
connection-state=established,related,untracked

(the rule allows established and related connections passing through the router)

/ip firewall filter add action=drop chain=forward comment="Invalid drop" connection-state=invalid

(the rule drops connections with connection-state=invalid passing through the router. Strongly recommended by Mikrotik, but in rare situations it can block useful traffic)

/ip firewall filter add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

(The rule forbids packets arriving from the internet that did not pass through dstnat from transiting the router. This protects the local networks from intruders who, sitting in the same broadcast domain as our external networks, set our external IP as their gateway and thereby try to "explore" the local networks.)

Comment. We assume that LAN1 and LAN2 are trusted and that traffic between them and from them is not filtered. Note also that the input chain has no final drop: anything arriving on an interface that is not in the WAN list (a tunnel interface, for example) reaches the router's services, so every internet-facing interface must be a member of that list.

1.6. Create a list of networks that are not routable on the internet:

/ip firewall address-list
add address=0.0.0.0/8 comment="\"This\" Network" list=BOGONS
add address=10.0.0.0/8 comment="Private-Use Networks" list=BOGONS
add address=100.64.0.0/10 comment="Shared Address Space. RFC 6598" list=BOGONS
add address=127.0.0.0/8 comment=Loopback list=BOGONS
add address=169.254.0.0/16 comment="Link Local" list=BOGONS
add address=172.16.0.0/12 comment="Private-Use Networks" list=BOGONS
add address=192.0.0.0/24 comment="IETF Protocol Assignments" list=BOGONS
add address=192.0.2.0/24 comment=TEST-NET-1 list=BOGONS
add address=192.168.0.0/16 comment="Private-Use Networks" list=BOGONS
add address=198.18.0.0/15 comment="Network Interconnect Device Benchmark Testing" list=BOGONS
add address=198.51.100.0/24 comment=TEST-NET-2 list=BOGONS
add address=203.0.113.0/24 comment=TEST-NET-3 list=BOGONS
add address=224.0.0.0/4 comment=Multicast list=BOGONS
add address=192.88.99.0/24 comment="6to4 Relay Anycast" list=BOGONS
add address=240.0.0.0/4 comment="Reserved for Future Use" list=BOGONS
add address=255.255.255.255 comment="Limited Broadcast" list=BOGONS

(This is the list of addresses and networks that are not routable on the internet; the rules below refer to it accordingly.)

Comment. The list can change, so I advise periodically checking that it is current. Note that 100.64.0.0/10 is in it and ISP1's own link (100.66.66.0/30) lies inside that range; the rules in this article only ever match BOGONS against destination addresses, so that is fine, but keep it in mind before using the list for source filtering.
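As an added example, not part of the original article, here is a second use of the same list that a practitioner will usually want: dropping packets that arrive from the internet with a bogon source address, the usual sign of spoofing, in the raw table before connection tracking spends resources on them. Two cases specific to this setup are handled explicitly and are assumptions about it: ISP1's link sits inside 100.64.0.0/10, so its gateway must be exempted or the replies to the check-gateway pings of section 3 would be discarded; and DHCP replies to the ISP2 client are accepted first, since some providers answer from a private address. If ISP3's PPPoE peer hands out a private remote address, add an equivalent exemption for it.

```routeros
# Added example (not from the original article): anti-spoofing with the BOGONS list
# in the raw table. Assumes the interfaces, lists and ISP1 addressing from this article.
/ip firewall raw
# ISP1 lives in shared address space (RFC 6598); its gateway 100.66.66.1 answers the
# check-gateway pings and must not be treated as a spoofed source.
add chain=prerouting action=accept in-interface=ether1 src-address=100.66.66.0/30 \
    comment="ISP1 gateway is in CGNAT space, keep it reachable"
# DHCP offers/acks for the ISP2 client may be sent from a private address by the provider.
add chain=prerouting action=accept in-interface-list=WAN protocol=udp dst-port=68 \
    comment="DHCP replies to the ISP2 client"
# Everything else from the internet claiming a non-routable source is spoofed or misrouted.
add chain=prerouting action=drop in-interface-list=WAN src-address-list=BOGONS \
    comment="Drop bogon-sourced packets from WAN"
```

Watch the counters with /ip firewall raw print stats: if the drop rule's counter climbs in step with check-gateway flapping on a provider, that provider's gateway is answering from a bogon range and needs its own accept rule above the drop.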

1.7. Set DNS for the router itself:

/ip dns set servers=1.1.1.1,8.8.8.8

Comment. In the current ROS version, dynamic servers take priority over static ones. A name resolution request is sent to the first server in the listed order. The switch to the next server happens only when the current one is unavailable. The timeout is large, more than 5 seconds. A return to the "failed" server once it recovers does not happen automatically. Given this algorithm and the presence of multiwan, the author recommends not using the servers handed out by the providers (which is why the DHCP client in section 3.2 is created with use-peer-dns=no).

1.8. Set up the local network.
1.8.1. Configure static IP addresses on the LAN interfaces:

/ip address add interface=ether4 address=192.168.88.254/24 comment="LAN1 IP"
/ip address add interface=ether5 address=172.16.1.0/23 comment="LAN2 IP"

1.8.2. Add route rules for the local networks pointing at the main routing table:

/ip route rule add dst-address=192.168.88.0/24 table=main comment="to LAN1"
/ip route rule add dst-address=172.16.0.0/23 table=main comment="to LAN2"

Comment. This is one of the quick and easy ways to let traffic sourced from the router's own external IPs reach LAN addresses: the rules in 3.1.2.6 and in the ISP scripts send such traffic into the to_isp* tables, which contain only default routes, and these two rules, evaluated first, keep LAN destinations in the main table.

1.8.3. Allow hairpin NAT for LAN1 and LAN2:

/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN1" \
out-interface=ether4 src-address=192.168.88.0/24 to-addresses=192.168.88.254
/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN2" \
out-interface=ether5 src-address=172.16.0.0/23 to-addresses=172.16.1.0

Comment. This lets you reach your own published resources (dstnat) by the external IP while inside the local network. For that to work, the dstnat rule itself must also match connections that arrive from the LAN (for example by matching on the destination address rather than on in-interface-list=WAN); otherwise LAN clients never hit it and the hairpin rule has nothing to do.
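The dstnat rule from the sceptical part at the top of the article matches on in-interface-list=WAN, so a LAN client connecting to the public address arrives on ether4 or ether5 and is never translated, and the hairpin rules above never see a connection to work on. As an added example that is not part of the original article, the following publishes the article's OpenVPN server at 172.17.17.17 in a way that works both from the internet and as a hairpin from inside. The match is on dst-address-type=local, i.e. any address the router itself owns (including the dynamic ISP2 and ISP3 ones), with the LAN-side addresses from 1.8.1 excluded through an address list named LAN_IPS (an assumed name, not from the article) so that port 1194 on the router's own LAN addresses is left alone.

```routeros
# Added example (not from the original article). Assumes the LAN addresses from 1.8.1
# and the OpenVPN server address 172.17.17.17 used earlier in the article.
/ip firewall address-list
add list=LAN_IPS address=192.168.88.254 comment="LAN1 IP"
add list=LAN_IPS address=172.16.1.0 comment="LAN2 IP"

# dst-address-type=local matches any address owned by the router, so the rule keeps
# working when the ISP2 lease or the ISP3 PPPoE address changes; excluding LAN_IPS keeps
# the router's own LAN addresses out of the forward. Connections from the LAN to the
# public address are translated too, and the hairpin src-nat of 1.8.3 then rewrites
# their source so the server replies back through the router.
/ip firewall nat
add chain=dstnat action=dst-nat protocol=udp dst-port=1194 \
    dst-address-type=local dst-address-list=!LAN_IPS to-addresses=172.17.17.17 \
    comment="Publish OpenVPN (from WAN and as hairpin from LAN)"
```

The hairpin src-nat of 1.8.3 only applies when the server sits in LAN1 or LAN2; 172.17.17.17 is the article's placeholder for it. The "Drop all from WAN not DSTNATed" forward rule of 1.5 is unaffected, since translated connections carry connection-nat-state=dstnat.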

2. Actually implementing the correct multiwan

To solve the problem of "reply where you were asked from", we will use two ROS tools: connection mark and routing mark. Connection mark lets you mark the connection you need and then use that mark as a condition for applying a routing mark. And a routing mark is something ip route and route rules can already work with. The tools are chosen; now we need to decide which connections to mark, one, and exactly where to mark them, two.

For the first, everything is simple: we must mark all connections arriving at the router from the internet via the corresponding channel. In our case these are three marks (by the number of channels): "conn_isp1", "conn_isp2" and "conn_isp3".

The second nuance is that incoming connections come in two kinds: transit ones and those intended for the router itself. The connection marking mechanism works in the mangle table. Consider the packet flow in a simplified diagram, kindly prepared by the specialists of mikrotik-trainings.com (not an advertisement):

[Figure: RouterOS packet flow diagram]

Following the arrows, we see that a packet arriving at the "Input Interface" passes through the "Prerouting" chain and only then is split into transit and local in the "Routing Decision" block. Therefore, to kill two birds with one stone, we apply the connection mark in the mangle table's prerouting chain.

Note. In ROS, routing marks are listed as "Table" in the Ip/Routes/Rules section and as "Routing Mark" in the other sections. This can cause some confusion, but in essence it is the same thing, the analogue of rt_tables in iproute2 on Linux.

2.1. Mark the connections arriving from each provider:

/ip firewall mangle add action=mark-connection chain=prerouting \
comment="Connmark in from ISP1" connection-mark=no-mark in-interface=ether1 new-connection-mark=conn_isp1 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting \
comment="Connmark in from ISP2" connection-mark=no-mark in-interface=ether2 new-connection-mark=conn_isp2 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting \
comment="Connmark in from ISP3" connection-mark=no-mark in-interface=pppoe-isp3 new-connection-mark=conn_isp3 passthrough=no

Comment. To avoid re-marking an already marked connection, I use the connection-mark=no-mark condition instead of connection-state=new, because I consider it more correct, in the same spirit as declining to drop invalid connections in the input filter.

passthrough=no: because with this implementation re-marking is ruled out, rule evaluation can be stopped after the first match to speed things up.

The third rule refers to pppoe-isp3, which is only created in 3.3.2; if ROS refuses the interface name before the interface exists, add this rule after that step. The on-up script in 3.3.1 re-points the rule at the live interface in any case.

Keep in mind that we have not yet interfered with routing in any way. So far these are only preparatory steps. The next implementation stage will be handling transit traffic returning on an established connection from a destination in the local network. That is, the packets which (see the diagram) passed through the router along the path:

"Input Interface" => "Prerouting" => "Routing Decision" => "Forward" => "Post Routing" => "Output Interface" and reached their addressee in the local network.

Important! In ROS there is no logical division into external and internal interfaces. If we trace the path of the reply packet on the diagram above, it follows the same logical path as the request:

"Input Interface" => "Prerouting" => "Routing Decision" => "Forward" => "Post Routing" => "Output Interface", only for the request the "Input Interface" was the ISP interface and for the reply it is the LAN one.

2.2. Direct the transit traffic to the corresponding routing tables:

/ip firewall mangle add action=mark-routing chain=prerouting \
comment="Routemark transit out via ISP1" connection-mark=conn_isp1 \
dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting \
comment="Routemark transit out via ISP2" connection-mark=conn_isp2 \
dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting \
comment="Routemark transit out via ISP3" connection-mark=conn_isp3 \
dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp3 passthrough=no

Comment. in-interface-list=!WAN: we work only with traffic from the local networks, and dst-address-type=!local excludes packets whose destination is an address of the router's own interfaces.

The same applies to local packets that arrived at the router along the path:

"Input Interface" => "Prerouting" => "Routing Decision" => "Input" => "Local Process"

Important! The reply will go as follows:

"Local Process" => "Routing Decision" => "Output" => "Post Routing" => "Output Interface"

2.3. Direct the local reply traffic to the corresponding routing tables:

/ip firewall mangle add action=mark-routing chain=output \
comment="Routemark local out via ISP1" connection-mark=conn_isp1 dst-address-type=!local \
new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=output \
comment="Routemark local out via ISP2" connection-mark=conn_isp2 dst-address-type=!local \
new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=output \
comment="Routemark local out via ISP3" connection-mark=conn_isp3 dst-address-type=!local \
new-routing-mark=to_isp3 passthrough=no

At this stage the preparatory task of sending a reply to the internet channel the request came from can be considered solved. Everything is marked, stamped and ready to be routed.
A pleasant "side" effect of this setup is the ability to serve DSTNAT port forwarding from both (ISP2, ISP3) providers at the same time. Not from all three, since on ISP1 we have a non-routable address. This effect matters, for example, for a mail server with two MX records pointing at different internet channels.

To eliminate the quirks of the local networks interacting with the router's external IPs, we use the solutions from sections 1.8.2 and 3.1.2.6.

In addition, the marking tool can be used to solve item 3 of the task. We implement it as follows:

2.4. Direct the traffic of local clients from the address lists into the corresponding tables:

/ip firewall mangle add action=mark-routing chain=prerouting \
comment="Address List via ISP1" dst-address-list=!BOGONS new-routing-mark=to_isp1 \
passthrough=no src-address-list=Via_ISP1

/ip firewall mangle add action=mark-routing chain=prerouting \
comment="Address List via ISP2" dst-address-list=!BOGONS new-routing-mark=to_isp2 \
passthrough=no src-address-list=Via_ISP2

/ip firewall mangle add action=mark-routing chain=prerouting \
comment="Address List via ISP3" dst-address-list=!BOGONS new-routing-mark=to_isp3 \
passthrough=no src-address-list=Via_ISP3

The Via_ISP1, Via_ISP2 and Via_ISP3 address lists are not created by any of the steps above; their members (hosts or subnets from the LANs) must be added under /ip firewall address-list before these rules match anything. As a result, the mangle rule list looks like this:

[Figure: resulting mangle rule list in Winbox]

3. Set up the ISP connections and enable marked routing

3.1. Set up the ISP1 connection:
3.1.1. Configure the static IP address:

/ip address add interface=ether1 address=100.66.66.2/30 comment="ISP1 IP"

3.1.2. Set up static routing:
3.1.2.1. Add the "emergency" blackhole default route:

/ip route add comment="Emergency route" distance=254 type=blackhole

Comment. This route lets the traffic of local processes pass the Routing Decision stage regardless of the state of the link to any of the providers. The nuance of outgoing local traffic is that for a packet to go anywhere at all, the main routing table must contain an active route to the default gateway. Otherwise the packet is simply destroyed.

As an extension of the check-gateway tool for a deeper analysis of the link state, I suggest using the recursive route method. The essence of the method is that we tell the router to look for the route to its gateway not directly but through an intermediate gateway. 4.2.2.1, 4.2.2.2 and 4.2.2.3 are chosen as the "test" gateways for ISP1, ISP2 and ISP3 respectively. Any host that reliably answers ICMP will do, but remember that from the router's point of view the channel is only as alive as that host: if the test host itself stops answering, the channel is declared dead.

3.1.2.2. The route to the "check" address:

/ip route add check-gateway=ping comment="For recursion via ISP1" \
distance=1 dst-address=4.2.2.1/32 gateway=100.66.66.1 scope=10

Comment. We lower the scope to the ROS default target-scope value so that 4.2.2.1 can later be used as a recursive gateway. To stress the point: the scope of the route to the "test" address must be less than or equal to the target-scope of the route that will reference it.

3.1.2.3. Default route for traffic without a routing mark:

/ip route add comment="Unmarked via ISP1" distance=2 gateway=4.2.2.1

Comment. distance=2 is used because ISP1 is declared the first backup by the terms of the task.

3.1.2.4. Default route for traffic with the "to_isp1" routing mark:

/ip route add comment="Marked via ISP1 Main" distance=1 gateway=4.2.2.1 \
routing-mark=to_isp1

Comment. Here, in fact, we finally begin to enjoy the fruits of the preparatory work done in section 2.

This route sends all traffic carrying the "to_isp1" routing mark to the first provider's gateway, regardless of which default gateway is currently active in the main table.

3.1.2.5. First-backup default routes via ISP1 for traffic marked for ISP2 and ISP3:

/ip route add comment="Marked via ISP2 Backup1" distance=2 gateway=4.2.2.1 \
routing-mark=to_isp2
/ip route add comment="Marked via ISP3 Backup1" distance=2 gateway=4.2.2.1 \
routing-mark=to_isp3

Comment. These routes are needed, among other things, to provide failover for traffic from local networks that are members of the "Via_ISP*" address lists, and they give each mark its own explicit backup order (for to_isp3, ISP1 is the first backup and ISP2 the second, the reverse of the main table's order).

3.1.2.6. Add the route rule for the router's own traffic to the internet via ISP1:

/ip route rule add comment="From ISP1 IP to Inet" src-address=100.66.66.2 table=to_isp1

Comment. Together with the rules from section 1.8.2, this gives access to the desired channel for a given source address. This is critical for building tunnels that specify the local side's IP address (EoIP, IP-IP, GRE). Since the rules in ip route rules are evaluated top to bottom until the first match, this rule must come after the rules from section 1.8.2.

3.1.3. Add the NAT rule for outgoing traffic:

/ip firewall nat add action=src-nat chain=srcnat comment="NAT via ISP1" \
ipsec-policy=out,none out-interface=ether1 to-addresses=100.66.66.2

Comment. We NAT everything outgoing except what falls under IPsec policies. I try not to use action=masquerade unless necessary: it is slower and more resource-hungry than src-nat, because it determines the NAT address for every new connection.

3.1.4. Send clients from the list who are forbidden from going out via other providers directly to the ISP1 gateway.

/ip firewall mangle add action=route chain=prerouting comment="Address List via ISP1 only" \
dst-address-list=!BOGONS passthrough=no route-dst=100.66.66.1 \
src-address-list=Via_only_ISP1 place-before=0

Comment. action=route has a higher priority and is applied before the other routing mechanisms.

place-before=0 puts our rule first in the list.

Putting 192.168.88.0/24 into Via_only_ISP1 is what fulfils item 2 of the task. Since action=route bypasses the routing tables altogether, hosts in this list get no failover: when ISP1 is down they lose internet access, which is exactly the "only ISP1" requirement.

3.2. Set up the ISP2 connection.

Since provider ISP2 hands us the settings via DHCP, it is reasonable to make the necessary changes in a script that runs when the DHCP client's state changes:

/ip dhcp-client
add add-default-route=no disabled=no interface=ether2 script=":if (\$bound=1) do={\r\
    \n    /ip route add check-gateway=ping comment=\"For recursion via ISP2\" distance=1 dst-address=4.2.2.2/32 gateway=\$\"gateway-address\" scope=10;\r\
    \n    /ip route add comment=\"Unmarked via ISP2\" distance=1 gateway=4.2.2.2;\r\
    \n    /ip route add comment=\"Marked via ISP2 Main\" distance=1 gateway=4.2.2.2 routing-mark=to_isp2;\r\
    \n    /ip route add comment=\"Marked via ISP1 Backup1\" distance=2 gateway=4.2.2.2 routing-mark=to_isp1;\r\
    \n    /ip route add comment=\"Marked via ISP3 Backup2\" distance=3 gateway=4.2.2.2 routing-mark=to_isp3;\r\
    \n    /ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=\$\"interface\" to-addresses=\$\"lease-address\" comment=\"NAT via ISP2\" place-before=1;\r\
    \n    :if ([/ip route rule find comment=\"From ISP2 IP to Inet\"] = \"\") do={\r\
    \n        /ip route rule add comment=\"From ISP2 IP to Inet\" src-address=\$\"lease-address\" table=to_isp2;\r\
    \n    } else={\r\
    \n        /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=no src-address=\$\"lease-address\";\r\
    \n    }\r\
    \n} else={\r\
    \n    /ip firewall nat remove [find comment=\"NAT via ISP2\"];\r\
    \n    /ip route remove [find comment=\"For recursion via ISP2\"];\r\
    \n    /ip route remove [find comment=\"Unmarked via ISP2\"];\r\
    \n    /ip route remove [find comment=\"Marked via ISP2 Main\"];\r\
    \n    /ip route remove [find comment=\"Marked via ISP1 Backup1\"];\r\
    \n    /ip route remove [find comment=\"Marked via ISP3 Backup2\"];\r\
    \n    /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=yes;\r\
    \n}\r\
    \n" use-peer-dns=no use-peer-ntp=no

The script as it appears in the Winbox window (the form above is the terminal/export form, in which " and $ inside the script are escaped as \" and \$, and \r\n separates the lines):

[Figure: DHCP client script in the Winbox window]

Comment. The first part of the script fires when a lease is successfully obtained, the second after the lease is released. See note 2.

3.3. Set up the ISP3 connection.

Since the provider hands us the settings dynamically, it is reasonable to make the necessary changes in scripts that run after the PPP interface comes up and after it goes down.

3.3.1. First configure the profile:

/ppp profile
add comment="for PPPoE to ISP3" interface-list=WAN name=isp3_client \
on-down="/ip firewall nat remove [find comment=\"NAT via ISP3\"];\r\
    \n/ip route remove [find comment=\"For recursion via ISP3\"];\r\
    \n/ip route remove [find comment=\"Unmarked via ISP3\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP3 Main\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP1 Backup2\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP2 Backup2\"];\r\
    \n/ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=yes;" \
on-up="/ip route add check-gateway=ping comment=\"For recursion via ISP3\" distance=1 dst-address=4.2.2.3/32 gateway=\$\"remote-address\" scope=10;\r\
    \n/ip route add comment=\"Unmarked via ISP3\" distance=3 gateway=4.2.2.3;\r\
    \n/ip route add comment=\"Marked via ISP3 Main\" distance=1 gateway=4.2.2.3 routing-mark=to_isp3;\r\
    \n/ip route add comment=\"Marked via ISP1 Backup2\" distance=3 gateway=4.2.2.3 routing-mark=to_isp1;\r\
    \n/ip route add comment=\"Marked via ISP2 Backup2\" distance=3 gateway=4.2.2.3 routing-mark=to_isp2;\r\
    \n/ip firewall mangle set [find comment=\"Connmark in from ISP3\"] in-interface=\$\"interface\";\r\
    \n/ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none out-interface=\$\"interface\" to-addresses=\$\"local-address\" comment=\"NAT via ISP3\" place-before=1;\r\
    \n:if ([/ip route rule find comment=\"From ISP3 IP to Inet\"] = \"\") do={\r\
    \n    /ip route rule add comment=\"From ISP3 IP to Inet\" src-address=\$\"local-address\" table=to_isp3;\r\
    \n} else={\r\
    \n    /ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=no src-address=\$\"local-address\";\r\
    \n};\r\
    \n"

The scripts as they appear in the Winbox window (again, the form above is the escaped terminal/export form):

[Figure: PPP profile on-up and on-down scripts in the Winbox window]

Comment. The line

/ip firewall mangle set [find comment="Connmark in from ISP3"] in-interface=$"interface";

lets the configuration survive a rename of the PPPoE interface, since the rule is bound to the interface the script was started for rather than to a hard-coded display name.

3.3.2. Now, using the profile, create the PPPoE connection (isp3_client and isp3_pass are placeholders for the credentials issued by the provider):

/interface pppoe-client add allow=mschap2 comment="to ISP3" disabled=no \
interface=ether3 name=pppoe-isp3 password=isp3_pass profile=isp3_client user=isp3_client

As a final touch, set the clock:

/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org
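As an added check, not part of the original article, the following script exercises the result: it lists what is active in each of the three marked tables, sends a few pings through each table (routing-table= forces the probe out via the selected provider regardless of which default route is currently active in the main table), counts the tracked connections per connection mark, and finally shows which default routes are active. Assumed: the mark names to_isp*/conn_isp* and the comments used in sections 2 and 3, and 1.1.1.1 as a reachable probe target.

```routeros
# Added example (not from the original article): verification of the marks and tables.
# Assumes the marks to_isp1..3 / conn_isp1..3 and the routes from sections 2 and 3.
:foreach isp in={"isp1";"isp2";"isp3"} do={
    :local tbl ("to_" . $isp)
    :put ("=== routes in table " . $tbl . " ===")
    /ip route print where routing-mark=$tbl
    # routing-table= forces the probe through that table, bypassing the main default route;
    # a failed probe here means the mark, the table or the provider behind it is broken.
    :put ("=== probe via " . $tbl . " ===")
    /ping 1.1.1.1 routing-table=$tbl count=3
}
# Connections that entered from a provider must carry that provider's mark (section 2.1).
:put "=== tracked connections per connection mark ==="
:foreach isp in={"isp1";"isp2";"isp3"} do={
    :local mark ("conn_" . $isp)
    :put ($mark . ": " . [:len [/ip firewall connection find connection-mark=$mark]])
}
# Which default routes are currently active: the unmarked one shows the main-table
# failover state, the marked ones show the current gateway for each table.
:put "=== active default routes ==="
/ip route print where dst-address=0.0.0.0/0 && active
```

Run it once with all links up and once after unplugging a provider's cable: the probe through that provider's table should then leave via its Backup1 gateway, and the unmarked default route should move to the next distance. A connection count of zero for a mark while that link carries traffic means the corresponding rule in 2.1 is not matching (typically the pppoe-isp3 interface name).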

For those who read to the end

The proposed approach to implementing multiwan is the author's personal preference and not the only possible one. The ROS toolset is broad and flexible, which on the one hand causes difficulties for beginners and on the other is the reason for its popularity. Learn, try, find new tools and solutions. For example, as an application of the knowledge gained, the check-gateway tool with recursive routes in this multiwan implementation could be replaced by netwatch.

Notes

  1. check-gateway is a mechanism that disables a route after two consecutive unsuccessful checks of gateway reachability. Checks are made once every 10 seconds, plus the response timeout. In total, the actual switchover time is in the range of 20-30 seconds. If such a switchover time is not enough, there is the option of using the netwatch tool, where the check timer can be set manually. check-gateway does not react to periodic packet loss on the link.

    Important! Disabling the main route will disable all other routes that reference it. Therefore it is not necessary to specify check-gateway=ping for them.

  2. It happens that the DHCP mechanism fails in a way that looks like the client being stuck in the renewing state. In this case the second part of the script will not run, but that does not prevent traffic from flowing correctly, since the link state is tracked by the corresponding recursive route.
  3. ECMP (Equal Cost Multi Path): in ROS it is possible to add a route with several gateways of equal distance. In this case connections are distributed across the channels by a round-robin algorithm, in proportion to the number of gateways specified.
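Note 1 and the closing section mention netwatch as a faster alternative to check-gateway. As an added example, not part of the original article, here is how that substitution looks for ISP1, assuming the routes and comments from section 3.1.2. The pitfall to avoid is probing through the main table: if the watched /32 route were disabled on failure, the next probe would leave through whichever default route is active, succeed, and flap ISP1 back up. So the recursion route is re-created without check-gateway and stays enabled (keeping scope=10 so the probe always leaves via ether1), and netwatch instead toggles the routes that resolve through 4.2.2.1.

```routeros
# Added example (not from the original article): netwatch instead of check-gateway for ISP1.
# Assumes the routes of section 3.1.2: the /32 "For recursion via ISP1" and the default
# routes with gateway=4.2.2.1 (unmarked ISP1 default plus the marked Main/Backup1 routes).
# 1. The probe must always leave via ether1, so the /32 route is kept enabled and is
#    re-created without check-gateway; netwatch becomes the only thing that judges ISP1.
/ip route remove [find comment="For recursion via ISP1"]
/ip route add comment="For recursion via ISP1" distance=1 dst-address=4.2.2.1/32 \
    gateway=100.66.66.1 scope=10
# 2. Probe every 5 s with a 1 s timeout (check-gateway is fixed at 10 s plus timeout).
#    On failure, disable every route that recurses through 4.2.2.1; re-enable them
#    when the probe recovers. The /32 itself has gateway 100.66.66.1, so it is untouched.
/tool netwatch add host=4.2.2.1 interval=5s timeout=1s comment="Watch ISP1 via 4.2.2.1" \
    down-script="/ip route set [find gateway=4.2.2.1] disabled=yes; :log warning \"ISP1 down\"" \
    up-script="/ip route set [find gateway=4.2.2.1] disabled=no; :log info \"ISP1 up\""
```

Netwatch changes state on every single probe result, so a link with sporadic loss will flap where check-gateway (two consecutive failures) would not; lengthen the timeout or interval if that happens, or keep check-gateway where a 20-30 s switchover is acceptable. The same pattern applies to ISP2 and ISP3 with 4.2.2.2 and 4.2.2.3, except that there the recursion route is created by the DHCP and PPP scripts, which would need the check-gateway=ping removed as well.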

For inspiring the writing of this article and for help with shaping its structure and placing the emphasis, personal thanks to Evgeny @jscar

Source: www.habr.com