Multi-WAN and routing on Mikrotik RouterOS

Introduction

What prompted me to take up this article, apart from vanity, was the depressing frequency of questions on this topic in the specialized groups of the Russian-speaking Telegram community. The article is aimed at novice Mikrotik RouterOS administrators (RouterOS is referred to below as ROS). It covers only multi-WAN, with the emphasis on routing. As a bonus, it includes the minimally sufficient settings for safe and convenient operation. Those looking for coverage of queues, load balancing, VLANs, bridges, multi-stage deep analysis of channel state and the like need not spend time and effort reading it.

Initial data

The test subject is a five-port Mikrotik router running ROS version 6.45.3. It will route traffic between two local networks (LAN1 and LAN2) and three providers (ISP1, ISP2, ISP3). The channel to ISP1 has a static "grey" address, ISP2 has a "white" address obtained via DHCP, and ISP3 has a "white" address with PPPoE authorization. The connection diagram is shown in the figure:

[Figure: connection diagram]

The task is to configure the Mikrotik router according to the diagram so that:

  1. Automatic switching to a backup provider is provided. The primary provider is ISP2, the first backup is ISP1, the second backup is ISP3.
  2. LAN1 reaches the Internet only through ISP1.
  3. Traffic from the local networks can be routed to the Internet through a chosen provider based on an address list.
  4. Services from the local network can be published to the Internet (DSTNAT).
  5. A firewall filter provides minimally sufficient protection from the Internet side.
  6. The router can send its own traffic through any of the three providers, depending on the chosen source address.
  7. Reply packets are routed to the channel they came from (including LAN).

Note. We will configure the router "from scratch" to rule out surprises from the "out of the box" default configurations, which change from version to version. Winbox is chosen as the configuration tool, since it displays changes visually. The settings themselves will be entered as commands in the Winbox terminal. The physical connection for configuration is a direct connection to the Ether5 interface.

Some reasoning about what multi-WAN is: is it a problem, or are cunning know-it-alls weaving webs of conspiracy around it

An inquisitive and attentive admin, setting up this or a similar scheme on their own, suddenly realizes that it already works fine as it is. Yes, without those custom routing tables of yours and other route rules, which most articles on this topic are full of. Shall we check?

Can we configure addressing on the interfaces and default gateways? Yes:

On ISP1, the address and gateway are set with distance=2 and check-gateway=ping.
On ISP2, the DHCP client has its default settings, so the distance will be one.
On ISP3, in the PPPoE client settings, with add-default-route=yes we set default-route-distance=3.

Don't forget to set up NAT on the way out:

/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN

As a result, local network users happily download cats through the primary provider ISP2, and the channel has a backup thanks to the check-gateway mechanism (see note 1).

Point 1 of the task is implemented. Where is the multi-WAN with its marks? No...

Next. We need to let specific clients from the LAN out through ISP1:

/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS \
passthrough=yes route-dst=100.66.66.1 src-address-list=Via_ISP1
/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS \
passthrough=no route-dst=100.66.66.1 src-address=192.168.88.0/24

Points 2 and 3 of the task are implemented. Labels, marks, route rules, where are you?!

Need to give clients from the Internet access to your favourite OpenVPN server at 172.17.17.17? Here you go:

/ip cloud set ddns-enabled=yes

As the peer, we give clients the output of: ":put [ip cloud get dns-name]"

We set up port forwarding from the Internet:

/ip firewall nat add action=dst-nat chain=dstnat dst-port=1194 \
in-interface-list=WAN protocol=udp to-addresses=172.17.17.17

Point 4 is ready.

We set up the firewall and other security for point 5, while rejoicing that everything already works for the users, and reach for the container with our favourite drink...
Ah! We forgot the tunnels.

Did the l2tp-client, configured from a googled article, come up to your favourite Dutch VDS? Yes.
Did the l2tp-server with IPsec come up, and do clients connect by the DNS name from IP Cloud (see above)? Yes.
Leaning back in the chair and sipping the drink, we lazily consider points 6 and 7 of the task. We think: do we need it? After all, it works as it is (c)... So, if it really isn't needed, that's all. Multi-WAN is implemented.

What is multi-WAN? It is the connection of several Internet channels to one router.

You don't have to read the article any further, because what could be there apart from showing off of dubious applicability?

With those who remain, who are interested in points 6 and 7 of the task and also feel the itch of perfectionism, we dive deeper.

The most important task in implementing multi-WAN is correct traffic routing. Namely: regardless of which provider channel (or channels, see note 3) the default route on our router points to, it must return the reply to exactly the channel the packet came from. The task is clear. So where is the problem? After all, in a simple local network the task is the same, yet nobody bothers with extra settings or feels any trouble. The difference is that any routable node on the Internet is reachable through each of our channels, not through one strictly specific channel, as in a simple LAN. And the "trouble" is that if a request came to us for the IP address of ISP3, then in our case the reply will leave through the ISP2 channel, because the default gateway points there. It will leave and be dropped by the provider as incorrect. The problem is identified. How do we solve it?

The solution is divided into three stages:

  1. Preliminary setup. At this stage, the basic router settings will be set: local network, firewall, address lists, hairpin NAT, and so on.
  2. Multi-WAN. At this stage, the required connections will be marked and sorted into routing tables.
  3. Connecting to the ISPs. At this stage, the interfaces that provide the Internet connection will be configured, and routing and the Internet channel backup mechanism will be put into operation.

1. Preliminary setup

1.1. We clear the router configuration with the command:

/system reset-configuration skip-backup=yes no-defaults=yes

we agree to "Dangerous! Reset anyway? [y/N]:" and, after the reboot, connect with Winbox via MAC. At this point the configuration and the user database are cleared.

1.2. Create a new user:

/user add group=full name=knight password=ultrasecret comment="Not horse"

log in under it and delete the default one:

/user remove admin

Note. It is deletion, not disabling, of the default user that the author considers more secure and recommends.

1.3. We create basic interface lists for convenience when working in the firewall, discovery settings and other MAC servers:

/interface list add name=WAN comment="For Internet"
/interface list add name=LAN comment="For Local Area"

We label the interfaces with comments:

/interface ethernet set ether1 comment="to ISP1"
/interface ethernet set ether2 comment="to ISP2"
/interface ethernet set ether3 comment="to ISP3"
/interface ethernet set ether4 comment="to LAN1"
/interface ethernet set ether5 comment="to LAN2"

and fill the interface lists:

/interface list member add interface=ether1 list=WAN comment=ISP1
/interface list member add interface=ether2 list=WAN comment=ISP2 
/interface list member add interface=ether3 list=WAN comment="to ISP3"
/interface list member add interface=ether4 list=LAN  comment="LAN1"
/interface list member add interface=ether5 list=LAN  comment="LAN2"

Note. Writing understandable comments is worth the time spent on it, and it greatly helps troubleshooting and understanding the configuration.

The author considers it necessary, for security reasons, to add the ether3 interface to the "WAN" interface list, even though the IP protocol will not run over it.

Don't forget that after the PPP interface is brought up on ether3, it will also need to be added to the "WAN" interface list.

1.4. We hide the router from neighbor discovery and from management via MAC from the provider networks:

/ip neighbor discovery-settings set discover-interface-list=!WAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

1.5. We create a minimally sufficient set of firewall filter rules to protect the router:

/ip firewall filter add action=accept chain=input comment="Related Established Untracked Allow" \
connection-state=established,related,untracked

(the rule allows established and related connections initiated both from connected networks and by the router itself)

/ip firewall filter add action=accept chain=input comment="ICMP from ALL" protocol=icmp

(ping and not only ping. All ICMP is allowed in. Very useful for finding MTU problems)

/ip firewall filter add action=drop chain=input comment="All other WAN Drop" in-interface-list=WAN

(the rule that closes the input chain denies everything else that arrives from the Internet)

/ip firewall filter add action=accept chain=forward \
comment="Established, Related, Untracked allow" \
connection-state=established,related,untracked

(the rule allows established and related connections that pass through the router)

/ip firewall filter add action=drop chain=forward comment="Invalid drop" connection-state=invalid

(the rule drops connections with connection-state=invalid passing through the router. It is strongly recommended by Mikrotik, but in some rare situations it can block useful traffic)

/ip firewall filter add action=drop chain=forward comment="Drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

(the rule forbids packets that come from the Internet and have not gone through dstnat to pass through the router. This protects the local networks from attackers who, being in the same broadcast domain as our external networks, set our external IPs as their gateway and thus try to "explore" our local networks.)

Note. Let us assume that the networks LAN1 and LAN2 are trusted and that traffic between them and from them is not filtered.
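The six filter rules from 1.5, evaluated first-match against a few constructed packets. This is an added Python model, not part of the original article and not RouterOS code; the packet fields are a simplifying assumption, and the interface list WAN is taken to contain ether1, ether2, ether3 and pppoe-isp3.

```python
# Added model (not RouterOS code): first-match evaluation of the six filter
# rules from 1.5. The packet fields are a constructed simplification.
WAN = {"ether1", "ether2", "ether3", "pppoe-isp3"}      # interface list WAN
TRACKED = {"established", "related", "untracked"}

RULES = [  # (chain, action, conditions, comment), in the order they are added
    ("input", "accept", {"state": TRACKED}, "Related Established Untracked Allow"),
    ("input", "accept", {"protocol": "icmp"}, "ICMP from ALL"),
    ("input", "drop", {"in_list_wan": True}, "All other WAN Drop"),
    ("forward", "accept", {"state": TRACKED}, "Established, Related, Untracked allow"),
    ("forward", "drop", {"state": {"invalid"}}, "Invalid drop"),
    ("forward", "drop",
     {"state": {"new"}, "in_list_wan": True, "nat_state_not_dstnat": True},
     "Drop all from WAN not DSTNATed"),
]


def matches(cond, pkt):
    """True when every condition of a rule holds for the packet."""
    if "state" in cond and pkt["state"] not in cond["state"]:
        return False
    if "protocol" in cond and pkt["protocol"] != cond["protocol"]:
        return False
    if cond.get("in_list_wan") and pkt["in_interface"] not in WAN:
        return False
    if cond.get("nat_state_not_dstnat") and pkt.get("dstnat", False):
        return False
    return True


def verdict(chain, pkt):
    """Return (action, rule comment) of the first matching rule in `chain`.
    A packet that reaches the end of a chain without a match is accepted."""
    for rule_chain, action, cond, comment in RULES:
        if rule_chain == chain and matches(cond, pkt):
            return action, comment
    return "accept", "no rule matched"


# Constructed sample packets: (chain, description, packet)
SAMPLES = [
    ("input", "new TCP to the router from ISP2",
     {"in_interface": "ether2", "state": "new", "protocol": "tcp"}),
    ("input", "ICMP from ISP3",
     {"in_interface": "pppoe-isp3", "state": "new", "protocol": "icmp"}),
    ("input", "new TCP to the router from LAN1",
     {"in_interface": "ether4", "state": "new", "protocol": "tcp"}),
    ("forward", "new from ISP1, not dst-natted",
     {"in_interface": "ether1", "state": "new", "protocol": "tcp"}),
    ("forward", "new from ISP2, dst-natted (published service)",
     {"in_interface": "ether2", "state": "new", "protocol": "udp", "dstnat": True}),
    ("forward", "invalid from LAN2",
     {"in_interface": "ether5", "state": "invalid", "protocol": "tcp"}),
    ("forward", "new from LAN1 to the Internet",
     {"in_interface": "ether4", "state": "new", "protocol": "tcp"}),
]

if __name__ == "__main__":
    for chain, what, pkt in SAMPLES:
        print(f"{chain:8} {what:48} {verdict(chain, pkt)}")
```

The "no rule matched" results show where the rule set relies on the trust assumption stated in the note: nothing from LAN1 or LAN2 is filtered, neither towards the router nor through it.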

1.6. Create a list of non-routable networks:

/ip firewall address-list
add address=0.0.0.0/8 comment="\"This\" Network" list=BOGONS
add address=10.0.0.0/8 comment="Private-Use Networks" list=BOGONS
add address=100.64.0.0/10 comment="Shared Address Space. RFC 6598" list=BOGONS
add address=127.0.0.0/8 comment=Loopback list=BOGONS
add address=169.254.0.0/16 comment="Link Local" list=BOGONS
add address=172.16.0.0/12 comment="Private-Use Networks" list=BOGONS
add address=192.0.0.0/24 comment="IETF Protocol Assignments" list=BOGONS
add address=192.0.2.0/24 comment=TEST-NET-1 list=BOGONS
add address=192.168.0.0/16 comment="Private-Use Networks" list=BOGONS
add address=198.18.0.0/15 comment="Network Interconnect Device Benchmark Testing" \
 list=BOGONS
add address=198.51.100.0/24 comment=TEST-NET-2 list=BOGONS
add address=203.0.113.0/24 comment=TEST-NET-3 list=BOGONS
add address=224.0.0.0/4 comment=Multicast list=BOGONS
add address=192.88.99.0/24 comment="6to4 Relay Anycast" list=BOGONS
add address=240.0.0.0/4 comment="Reserved for Future Use" list=BOGONS
add address=255.255.255.255 comment="Limited Broadcast" list=BOGONS

(This is a list of addresses and networks that are not routed on the Internet, and we will follow that too.)

Note. The list may change, so I advise checking it periodically to make sure it is up to date.

1.7. Set up DNS for the router itself:

/ip dns set servers=1.1.1.1,8.8.8.8

Note. In the current version of ROS, dynamic servers take priority over statically configured ones. A name resolution request is sent to the first server in list order. The switch to the next server happens when the current one is unavailable. The timeout is long, more than 5 seconds. Switching back, when the "fallen server" resumes work, does not happen automatically. Given this algorithm and the presence of multi-WAN, the author recommends not using the servers handed out by providers.

1.8. Set up the local network.
1.8.1. We configure static IP addresses on the LAN interfaces:

/ip address add interface=ether4 address=192.168.88.254/24 comment="LAN1 IP"
/ip address add interface=ether5 address=172.16.1.0/23 comment="LAN2 IP"

1.8.2. We set the rules for routes to our local networks through the main routing table:

/ip route rule add dst-address=192.168.88.0/24 table=main comment="to LAN1"
/ip route rule add dst-address=172.16.0.0/23 table=main comment="to LAN2"

Note. This is one of the quick and simple ways to reach LAN addresses from source addresses that are external IP addresses of router interfaces through which the default route does not go.

1.8.3. Enable Hairpin NAT for LAN1 and LAN2:

/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN1" \
out-interface=ether4 src-address=192.168.88.0/24 to-addresses=192.168.88.254
/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN2" \
out-interface=ether5 src-address=172.16.0.0/23 to-addresses=172.16.1.0

Note. This lets you reach your resources (dstnat) through the external IP while you are inside the network.

2. The actual implementation of that very correct multi-WAN

To solve the problem of "replying where the question came from", we will use two ROS tools: connection mark and routing mark. Connection mark lets you mark the desired connection and then work with this mark as a condition for applying a routing mark. And with the routing mark it is already possible to work in ip route and route rules. We have sorted out the tools; now we need to decide which connections to mark (one) and where exactly to mark them (two).

With the first, everything is simple: we must mark all connections that come to the router from the Internet through the corresponding channel. In our case these will be three marks (by the number of channels): "conn_isp1", "conn_isp2" and "conn_isp3".

The nuance with the second is that incoming connections will be of two kinds: transit ones and those intended for the router itself. The connection mark mechanism works in the mangle table. Consider the movement of a packet on a simplified diagram, kindly put together by the specialists of mikrotik-trainings.com (not an advertisement):

[Figure: simplified packet flow diagram]

Following the arrows, we see that a packet arriving at the "Input Interface" passes through the "Prerouting" chain and only then is split into transit and local in the "Routing Decision" block. Therefore, to kill two birds with one stone, we use Connection Mark in the Mangle table, in the Prerouting chain.

Note. In ROS, "Routing mark" labels are shown as "Table" in the Ip/Routes/Rules section and as "Routing Mark" in the other sections. This can cause some confusion, but in essence it is the same thing, and it is the analogue of rt_tables in iproute2 on Linux.

2.1. We mark incoming connections from each of the providers:

/ip firewall mangle add action=mark-connection chain=prerouting \
comment="Connmark in from ISP1" connection-mark=no-mark in-interface=ether1  new-connection-mark=conn_isp1 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting \
comment="Connmark in from ISP2" connection-mark=no-mark in-interface=ether2  new-connection-mark=conn_isp2 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting \
comment="Connmark in from ISP3" connection-mark=no-mark in-interface=pppoe-isp3  new-connection-mark=conn_isp3 passthrough=no

Note. To avoid marking connections that are already marked, I use the condition connection-mark=no-mark instead of connection-state=new, because I consider it more correct, as is declining to drop invalid connections in the input filter.

passthrough=no: because in this implementation re-marking is excluded and, to speed things up, rule traversal can be stopped after the first match.

Keep in mind that so far we are not interfering with routing in any way. For now these are only preparation stages. The next stage of the implementation is handling the transit traffic that returns over an established connection from the destination in the local network. That is, the packets that (see the diagram) passed through the router along the path:

"Input Interface" => "Prerouting" => "Routing Decision" => "Forward" => "Post Routing" => "Output Interface" and reached their destination in the local network.

Important! In ROS there is no logical division into external and internal interfaces. If we trace the path of the reply packet on the diagram above, it follows the same logical path as the request:

"Input Interface" => "Prerouting" => "Routing Decision" => "Forward" => "Post Routing" => "Output Interface"; only for the request the "Input Interface" was the ISP interface, and for the reply it is the LAN.

2.2. We direct transit traffic to the corresponding tables:

/ip firewall mangle add action=mark-routing chain=prerouting \
comment="Routemark transit out via ISP1" connection-mark=conn_isp1 \
dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting \
comment="Routemark transit out via ISP2" connection-mark=conn_isp2 \
dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting \
comment="Routemark transit out via ISP3" connection-mark=conn_isp3 \
dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp3 passthrough=no

Note. in-interface-list=!WAN: we work only with traffic from the local network; dst-address-type=!local: only with traffic whose destination address is not an address of the router's own interfaces.

The same for local packets that came to the router along the path:

"Input Interface" => "Prerouting" => "Routing Decision" => "Input" => "Local Process"

Important! The reply will go along the following path:

"Local Process" => "Routing Decision" => "Output" => "Post Routing" => "Output Interface"

2.3. We direct local traffic to the corresponding tables:

/ip firewall mangle add action=mark-routing chain=output \
comment="Routemark local out via ISP1" connection-mark=conn_isp1 dst-address-type=!local \
new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=output \
comment="Routemark local out via ISP2" connection-mark=conn_isp2 dst-address-type=!local \
new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=output \
comment="Routemark local out via ISP3" connection-mark=conn_isp3 dst-address-type=!local \
new-routing-mark=to_isp3 passthrough=no

At this stage, the task of preparing to send the reply to the Internet channel the request came from can be considered solved. Everything is labelled, marked and ready to be routed.
An excellent "side" effect of this setup is that DSTNAT port forwarding works from both providers (ISP2, ISP3) at the same time. Not from all of them, since on ISP1 we have a non-routable address. This effect matters, for example, for a mail server with two MXs that look into different Internet channels.

To eliminate the nuances of local networks working with the router's external IPs, we use the solutions from paragraphs 1.8.2 and 3.1.2.6.

In addition, the marking tool can be used to solve point 3 of the task. We implement it like this:

2.4. We direct traffic from local clients in the routing lists to the corresponding tables:

/ip firewall mangle add action=mark-routing chain=prerouting \
comment="Address List via ISP1" dst-address-list=!BOGONS new-routing-mark=to_isp1 \
passthrough=no src-address-list=Via_ISP1

/ip firewall mangle add action=mark-routing chain=prerouting \
comment="Address List via ISP2" dst-address-list=!BOGONS new-routing-mark=to_isp2 \
passthrough=no src-address-list=Via_ISP2

/ip firewall mangle add action=mark-routing chain=prerouting \
comment="Address List via ISP3" dst-address-list=!BOGONS new-routing-mark=to_isp3 \
passthrough=no src-address-list=Via_ISP3

As a result, it looks like this:

[Figure: the resulting configuration]
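How the rules from 2.1 to 2.4 interact, as an added Python model that is not part of the original article and not RouterOS code. Interface names, marks and the BOGONS list come from the article; the router's ISP2 and ISP3 addresses and the members of the Via_ISP* lists are constructed sample values.

```python
import ipaddress

# Added model (not RouterOS code) of the mangle rules from 2.1-2.4.
ISP_CONN_MARK = {"ether1": "conn_isp1", "ether2": "conn_isp2", "pppoe-isp3": "conn_isp3"}
ROUTING_MARK = {"conn_isp1": "to_isp1", "conn_isp2": "to_isp2", "conn_isp3": "to_isp3"}
WAN = {"ether1", "ether2", "ether3", "pppoe-isp3"}
# 100.66.66.2 is from the article; the ISP2/ISP3 addresses are constructed.
WAN_ADDRESS = {"ether1": "100.66.66.2", "ether2": "198.51.100.2", "pppoe-isp3": "203.0.113.2"}
ROUTER_ADDRESSES = set(WAN_ADDRESS.values()) | {"192.168.88.254", "172.16.1.0"}
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
    "192.88.99.0/24", "240.0.0.0/4", "255.255.255.255/32")]
# Constructed address-list members.
ADDRESS_LISTS = {"Via_ISP1": {"192.168.88.10"}, "Via_ISP2": set(),
                 "Via_ISP3": {"172.16.0.20"}}


def is_bogon(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGONS)


class Connection:
    """One connection-tracking entry; both directions share its mark."""
    def __init__(self):
        self.mark = None


def prerouting(conn, in_iface, src, dst):
    """Routing mark set in chain=prerouting, or None (main table).
    Every rule has passthrough=no, so the first match ends the traversal."""
    # 2.1: connection-mark=no-mark, in-interface=<ISP> -> mark-connection
    if conn.mark is None and in_iface in ISP_CONN_MARK:
        conn.mark = ISP_CONN_MARK[in_iface]
        return None
    # 2.2: marked connection, dst-address-type=!local, in-interface-list=!WAN
    if conn.mark and dst not in ROUTER_ADDRESSES and in_iface not in WAN:
        return ROUTING_MARK[conn.mark]
    # 2.4: src-address-list=Via_ISPn, dst-address-list=!BOGONS
    if not is_bogon(dst):
        for name, table in (("Via_ISP1", "to_isp1"), ("Via_ISP2", "to_isp2"),
                            ("Via_ISP3", "to_isp3")):
            if src in ADDRESS_LISTS[name]:
                return table
    return None


def output(conn, dst):
    """2.3: routing mark for packets sent by the router itself."""
    if conn.mark and dst not in ROUTER_ADDRESSES:
        return ROUTING_MARK[conn.mark]
    return None


def forwarded_reply_table(in_iface, server, lan_iface="ether4", remote="8.8.8.8"):
    """A request from `remote` enters via in_iface and is dst-natted to a LAN
    server; return the table chosen for the server's reply."""
    conn = Connection()
    prerouting(conn, in_iface, remote, WAN_ADDRESS[in_iface])   # request
    return prerouting(conn, lan_iface, server, remote)          # reply


def router_reply_table(in_iface, remote="8.8.8.8"):
    """A request to the router itself enters via in_iface; table for its reply."""
    conn = Connection()
    prerouting(conn, in_iface, remote, WAN_ADDRESS[in_iface])
    return output(conn, remote)


def lan_initiated_table(client, dst, lan_iface="ether4"):
    """First packet of a connection opened by a LAN client."""
    return prerouting(Connection(), lan_iface, client, dst)


if __name__ == "__main__":
    print(forwarded_reply_table("pppoe-isp3", "192.168.88.10"))
    print(router_reply_table("ether1"))
    print(lan_initiated_table("192.168.88.10", "8.8.8.8"))
```

The first call uses a server that is also a member of Via_ISP1: its reply still goes to to_isp3, because the connection-mark rule from 2.2 is matched before the address-list rule from 2.4.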

3. Set up the connection to the ISPs and enable routing by marks

3.1. Set up the connection to ISP1:
3.1.1. Configure the static IP address:

/ip address add interface=ether1 address=100.66.66.2/30 comment="ISP1 IP"

3.1.2. Set up static routing:
3.1.2.1. Add the "emergency" default route:

/ip route add comment="Emergency route" distance=254 type=blackhole

Note. This route lets traffic from local processes pass the Routing Decision stage regardless of the state of the channels of any of the providers. The nuance of outgoing local traffic is that, for a packet to go at least somewhere, the main routing table must contain an active route to a default gateway. If there is none, the packet is simply destroyed.

As an extension of the check-gateway tool for deeper analysis of channel state, I suggest using the recursive route method. The essence of the method is that we tell the router to look for the path to its gateway not directly, but through an intermediate gateway. 4.2.2.1, 4.2.2.2 and 4.2.2.3 will be chosen as such "test" gateways for ISP1, ISP2 and ISP3 respectively.

3.1.2.2. Route to the "test" address:

/ip route add check-gateway=ping comment="For recursion via ISP1" \
distance=1 dst-address=4.2.2.1 gateway=100.66.66.1 scope=10

Note. We lower the scope value to the ROS default target scope so that 4.2.2.1 can later be used as a recursive gateway. I stress: the scope of the route to the "test" address must be less than or equal to the target scope of the route that will refer to the test one.

3.1.2.3. Default route for traffic without a routing mark:

/ip route add comment="Unmarked via ISP1" distance=2 gateway=4.2.2.1

Note. The value distance=2 is used because ISP1 is declared the first backup under the terms of the task.

3.1.2.4. Default route for traffic with the routing mark "to_isp1":

/ip route add comment="Marked via ISP1 Main" distance=1 gateway=4.2.2.1 \
routing-mark=to_isp1

Note. Here we finally begin to enjoy the fruits of the preparatory work done in section 2.

By this route, all traffic with the routing mark "to_isp1" will be directed to the gateway of the first provider, regardless of which default route is currently active for the main table.

3.1.2.5. First backup recursive route for marked traffic of ISP2 and ISP3:

/ip route add comment="Marked via ISP2 Backup1" distance=2 gateway=4.2.2.1 \
routing-mark=to_isp2
/ip route add comment="Marked via ISP3 Backup1" distance=2 gateway=4.2.2.1 \
routing-mark=to_isp3

Note. These routes are needed, among other things, to provide a backup for traffic from local networks that are members of the address lists "to_isp*".

3.1.2.6. We add a rule for the router's local traffic to the Internet through ISP1:

/ip route rule add comment="From ISP1 IP to Inet" src-address=100.66.66.2 table=to_isp1

Note. Combined with the rules from paragraph 1.8.2, this provides egress into the desired channel with a given source. This is critical for building tunnels that specify the local-side IP address (EoIP, IP-IP, GRE). Since the rules in ip route rules are executed from top to bottom, until the first match of conditions, this rule must come after the rules from paragraph 1.8.2.

3.1.3. We add a NAT rule for outgoing traffic:

/ip firewall nat add action=src-nat chain=srcnat comment="NAT via ISP1" \
ipsec-policy=out,none out-interface=ether1 to-addresses=100.66.66.2

Note. We NAT everything going out, except what falls under IPsec policies. I try not to use action=masquerade unless absolutely necessary. It is slower and more resource-intensive than src-nat because it calculates the NAT address for every new connection.

3.1.4. We send clients from the list that are forbidden to go out through other providers straight to the gateway of provider ISP1.

/ip firewall mangle add action=route chain=prerouting comment="Address List via ISP1 only" \
dst-address-list=!BOGONS passthrough=no route-dst=100.66.66.1 \
src-address-list=Via_only_ISP1 place-before=0

Note. action=route has a higher priority and is applied before the other routing rules.

place-before=0 puts our rule first in the list.

3.2. Set up the connection to ISP2.

Since provider ISP2 gives us settings via DHCP, it makes sense to make the necessary changes with a script that starts when the DHCP client triggers:

/ip dhcp-client
add add-default-route=no disabled=no interface=ether2 script=":if (\$bound=1) do={\r\
    \n    /ip route add check-gateway=ping comment=\"For recursion via ISP2\" distance=1 \
           dst-address=4.2.2.2/32 gateway=\$\"gateway-address\" scope=10\r\
    \n    /ip route add comment=\"Unmarked via ISP2\" distance=1 gateway=4.2.2.2;\r\
    \n    /ip route add comment=\"Marked via ISP2 Main\" distance=1 gateway=4.2.2.2 \
           routing-mark=to_isp2;\r\
    \n    /ip route add comment=\"Marked via ISP1 Backup1\" distance=2 gateway=4.2.2.2 \
           routing-mark=to_isp1;\r\
    \n    /ip route add comment=\"Marked via ISP3 Backup2\" distance=3 gateway=4.2.2.2 \
           routing-mark=to_isp3;\r\
    \n    /ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none \
           out-interface=\$\"interface\" to-addresses=\$\"lease-address\" comment=\"NAT via ISP2\" \
           place-before=1;\r\
    \n    :if ([/ip route rule find comment=\"From ISP2 IP to Inet\"] =\"\") do={\r\
    \n        /ip route rule add comment=\"From ISP2 IP to Inet\" \
               src-address=\$\"lease-address\" table=to_isp2 \r\
    \n    } else={\r\
    \n       /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=no \
              src-address=\$\"lease-address\"\r\
    \n    }      \r\
    \n} else={\r\
    \n   /ip firewall nat remove  [find comment=\"NAT via ISP2\"];\r\
    \n   /ip route remove [find comment=\"For recursion via ISP2\"];\r\
    \n   /ip route remove [find comment=\"Unmarked via ISP2\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP2 Main\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP1 Backup1\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP3 Backup2\"];\r\
    \n   /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=yes\r\
    \n}\r\
    \n" use-peer-dns=no use-peer-ntp=no

The script itself in the Winbox window:

[Screenshot: the DHCP client script in the Winbox window]
Note. The first part of the script runs when the lease is successfully obtained, the second after the lease is released (see note 2).

3.3. We set up the connection to provider ISP3.

Since the provider gives us dynamic settings, it makes sense to make the necessary changes with scripts that start after the ppp interface comes up and after it goes down.

3.3.1. First, we configure the profile:

/ppp profile
add comment="for PPPoE to ISP3" interface-list=WAN name=isp3_client \
on-down="/ip firewall nat remove  [find comment=\"NAT via ISP3\"];\r\
    \n/ip route remove [find comment=\"For recursion via ISP3\"];\r\
    \n/ip route remove [find comment=\"Unmarked via ISP3\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP3 Main\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP1 Backup2\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP2 Backup2\"];\r\
    \n/ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=yes;" \
on-up="/ip route add check-gateway=ping comment=\"For recursion via ISP3\" distance=1 \
    dst-address=4.2.2.3/32 gateway=\$\"remote-address\" scope=10\r\
    \n/ip route add comment=\"Unmarked via ISP3\" distance=3 gateway=4.2.2.3;\r\
    \n/ip route add comment=\"Marked via ISP3 Main\" distance=1 gateway=4.2.2.3 \
    routing-mark=to_isp3;\r\
    \n/ip route add comment=\"Marked via ISP1 Backup2\" distance=3 gateway=4.2.2.3 \
    routing-mark=to_isp1;\r\
    \n/ip route add comment=\"Marked via ISP2 Backup2\" distance=3 gateway=4.2.2.3 \
    routing-mark=to_isp2;\r\
    \n/ip firewall mangle set [find comment=\"Connmark in from ISP3\"] \
    in-interface=\$\"interface\";\r\
    \n/ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none \
    out-interface=\$\"interface\" to-addresses=\$\"local-address\" comment=\"NAT via ISP3\" \
    place-before=1;\r\
    \n:if ([/ip route rule find comment=\"From ISP3 IP to Inet\"] =\"\") do={\r\
    \n   /ip route rule add comment=\"From ISP3 IP to Inet\" src-address=\$\"local-address\" \
    table=to_isp3 \r\
    \n} else={\r\
    \n   /ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=no \
    src-address=\$\"local-address\"\r\
    \n};\r\
    \n"

The script itself in the Winbox window:

[Screenshot: the PPP profile scripts in the Winbox window]
Note. The line
/ip firewall mangle set [find comment="Connmark in from ISP3"] in-interface=$"interface";
lets renaming of the interface be handled correctly, since it works with the interface's code rather than its display name.

3.3.2. Now, using the profile, create the ppp connection:

/interface pppoe-client add allow=mschap2 comment="to ISP3" disabled=no \
interface=ether3 name=pppoe-isp3 password=isp3_pass profile=isp3_client user=isp3_client

As a finishing touch, let's set the clock:

/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org
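The route set built in section 3, as an added Python model that computes which provider carries each routing table when check-gateway fails for some providers, and what happens if the "For recursion" routes keep the default scope. It is not part of the original article and not RouterOS code; the ISP2 and ISP3 gateway addresses are constructed sample values, and the fall-through of a marked lookup to the main table is a modelled assumption.

```python
import ipaddress

# Added model (not RouterOS code) of the routes built in section 3.
# 100.66.66.1 and 4.2.2.x are from the article; the ISP2/ISP3 gateway
# addresses and their connected networks are constructed sample values.
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
CONNECTED = [ipaddress.ip_network(n)
             for n in ("100.66.66.0/30", "198.51.100.0/24", "203.0.113.1/32")]
PLAN = {  # ISP: (test address, direct gateway, distance of its default route per table)
    "ISP1": ("4.2.2.1", "100.66.66.1",
             {"main": 2, "to_isp1": 1, "to_isp2": 2, "to_isp3": 2}),
    "ISP2": ("4.2.2.2", "198.51.100.1",
             {"main": 1, "to_isp1": 2, "to_isp2": 1, "to_isp3": 3}),
    "ISP3": ("4.2.2.3", "203.0.113.1",
             {"main": 3, "to_isp1": 3, "to_isp2": 3, "to_isp3": 1}),
}


def route(via, gateway, distance, table="main", dst="0.0.0.0/0",
          scope=30, target_scope=10, probe=False):
    """One static route; scope=30 and target-scope=10 are the static-route defaults."""
    return {"via": via, "gateway": gateway, "distance": distance, "table": table,
            "dst": ipaddress.ip_network(dst), "scope": scope,
            "target_scope": target_scope, "probe": probe}


def build_routes(probe_scope=10):
    routes = [route("blackhole", None, 254)]            # 3.1.2.1 "Emergency route"
    for isp, (test_addr, gateway, distances) in PLAN.items():
        # "For recursion via ISPn": host route with check-gateway=ping, scope=10
        routes.append(route(isp, gateway, 1, dst=test_addr + "/32",
                            scope=probe_scope, probe=True))
        for table, distance in distances.items():       # recursive default routes
            routes.append(route(isp, test_addr, distance, table=table))
    return routes


def is_active(r, routes, failed):
    if r["gateway"] is None:                 # blackhole needs no gateway
        return True
    if r["probe"] and r["via"] in failed:    # check-gateway=ping reported failure
        return False
    gw = ipaddress.ip_address(r["gateway"])
    if any(gw in net for net in CONNECTED):  # directly connected next hop
        return True
    # Recursive next-hop lookup: main table only, and only through routes
    # whose scope does not exceed the target-scope of the referring route.
    return any(c["table"] == "main" and c["gateway"] is not None
               and gw in c["dst"] and c["scope"] <= r["target_scope"]
               and is_active(c, routes, failed)
               for c in routes)


def egress(table, failed=(), probe_scope=10):
    """Name of the ISP (or 'blackhole') that carries default traffic of `table`."""
    routes = build_routes(probe_scope)
    # Modelled assumption: a marked lookup with no active route falls through to main.
    for lookup in (table, "main"):
        active = [r for r in routes if r["table"] == lookup and r["dst"] == DEFAULT
                  and is_active(r, routes, set(failed))]
        if active:
            return min(active, key=lambda r: r["distance"])["via"]
    return None


if __name__ == "__main__":
    tables = ("main", "to_isp1", "to_isp2", "to_isp3")
    for failed in ((), ("ISP2",), ("ISP1", "ISP2"), ("ISP1", "ISP2", "ISP3")):
        print(failed, {t: egress(t, failed) for t in tables})
    # With the "For recursion" routes left at scope=30 nothing resolves:
    print("probe scope 30:", egress("main", probe_scope=30))
```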

For those who read to the end

The proposed way of implementing multi-WAN is the author's personal preference and is not the only possible one. The ROS toolkit is extensive and flexible, which on the one hand causes difficulties for beginners and on the other is the reason for its popularity. Learn, try, discover new tools and solutions. For example, as an application of the knowledge gained, in this multi-WAN implementation you can replace the check-gateway tool with recursive routes by netwatch.

Notes

  1. check-gateway is a mechanism that deactivates a route after two consecutive unsuccessful checks of the gateway for availability. The check is performed once every 10 seconds, plus the response timeout. In total, the actual switching time lies in the range of 20-30 seconds. If such a switching time is not sufficient, there is the option of using the netwatch tool, where the check timer can be set manually. check-gateway does not trigger on intermittent packet loss in the channel.

    Important! Deactivating the main route deactivates all other routes that refer to it. Therefore there is no need to specify check-gateway=ping for them.

  2. It happens that a failure occurs in the DHCP mechanism that looks like the client stuck in the renew state. In this case the second part of the script will not run, but that will not prevent traffic from flowing correctly, since the state is tracked by the corresponding recursive route.
  3. ECMP (Equal Cost Multi-Path): in ROS it is possible to set a route with several gateways and the same distance. In this case connections will be distributed across the channels using the round robin algorithm, in proportion to the number of gateways specified.

For the push to write the article, and for help in shaping its structure and placing the emphasis, personal thanks to Evgeny @jscar.

Source: www.habr.com