Multiwan and routing on Mikrotik RouterOS

Introduction

Writing this article was prompted, more than anything else, by the depressingly frequent questions on this topic in the Russian-speaking specialist Telegram groups. The article is aimed at novice Mikrotik RouterOS (hereafter ROS) administrators. It deals only with multiwan, with the emphasis on routing. As a bonus, there is a minimal sufficient set of settings for safe and convenient operation. Those looking for coverage of queues, load balancing, vlans, bridges, deep multi-stage analysis of channel state and the like need not spend their time and effort reading it.

Initial data

As the test subject, a five-port Mikrotik router running ROS version 6.45.3 was chosen. It will route traffic between two local networks (LAN1 and LAN2) and three providers (ISP1, ISP2, ISP3). The channel to ISP1 has a static "grey" address, ISP2 a "white" one obtained via DHCP, ISP3 a "white" one with PPPoE authorization. The connection diagram is shown in the figure:

(Figure: connection diagram of the router, LAN1, LAN2 and the three ISPs)

The task is to configure the MTK router according to the diagram so as to:

  1. Provide automatic switching to a backup provider. The main provider is ISP2, the first backup is ISP1, the second is ISP3.
  2. Arrange for the LAN1 network to reach the Internet only via ISP1.
  3. Allow traffic from the local networks to be routed to the Internet through a chosen provider based on an address list.
  4. Provide publication of services from the local network to the Internet (DSTNAT).
  5. Configure the firewall filter to provide minimally sufficient protection from the Internet.
  6. The router can send its own traffic through any of the three providers, depending on the chosen source address.
  7. Ensure that reply packets are routed back into the channel they came from (including the LAN).

Note. We will configure the router "from scratch" to rule out surprises from the default "out of the box" settings, which change from version to version. Winbox was chosen as the configuration tool, where the changes will be shown visually. The settings themselves will be applied with commands in the Winbox terminal. The physical connection for configuration is made by plugging directly into the Ether5 interface.

A little reasoning about what multiwan is: a problem, or cunning people weaving conspiracy networks

An inquisitive and attentive administrator, having set up such a scheme or a similar one himself, suddenly realizes that it already works fine. Yes, yes, without those custom routing tables and other route rules that most articles on this topic are full of. Let's check?

Can we configure the addresses on the interfaces and the default gateways? Yes:

For ISP1, the address and gateway are set with distance=2 and check-gateway=ping.
For ISP2, the dhcp client is left at its defaults, so the distance will be one.
For ISP3, in the pppoe client settings, with add-default-route=yes we set default-route-distance=3.

Don't forget to set up NAT on the way out:

/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN

As a result, the users of the local networks happily download cats through the main provider ISP2, and there is channel backup using the check-gateway tool. See note 1

Point 1 of the task is done. Where is the multiwan with its marks? Nowhere...

Next. Certain clients from the LAN must be let out via ISP1:

/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS passthrough=yes route-dst=100.66.66.1 src-address-list=Via_ISP1
/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS passthrough=no route-dst=100.66.66.1 src-address=192.168.88.0/24

Points 2 and 3 of the task are done. Labels, stamps, route rules, where are you?!

Want to give clients from the Internet access to your favourite OpenVPN server at 172.17.17.17? Here you go:

/ip cloud set ddns-enabled=yes

As the peer, we give the client the output of: :put [/ip cloud get dns-name]

We set up port forwarding from the Internet:

/ip firewall nat add action=dst-nat chain=dstnat dst-port=1194 in-interface-list=WAN protocol=udp to-addresses=172.17.17.17

Point 4 is done.

We set up the firewall and the other protection for point 5, and at the same time we rejoice that everything already works for the users and reach for a glass of our favourite drink...
Ah! The tunnels are forgotten.

Has the l2tp-client, configured from a googled article, come up to your favourite Dutch VDS? Yes.
Has the l2tp-server with IPsec come up, and do the clients attach to it by the DNS name from IP Cloud (see above)? Yes.
We lean back in the chair, sip the drink and lazily consider points 6 and 7 of the task. We think: do we need this? It all works as it is (c)... So if it isn't needed, that's that. Multiwan is done.

What is multiwan? It is the connection of several Internet channels to one router.

You need not read the article any further, since what else could there be besides a demonstration of dubious performance?

For those who remain, who are interested in points 6 and 7 of the task and feel the itch of perfectionism, we dive deeper.

The most important task in implementing multiwan is correct routing of the traffic. Namely: whichever (or whichever ones, see note 3) ISP channel the default route in our router points to, it must return the reply into exactly the channel the packet came from. The task is clear. Where is the problem? Indeed, in a simple local network the task is the same, but nobody bothers with extra settings and nobody feels a problem. The difference is that any routable node on the Internet is reachable through each of our channels, not just through a specific one, as in a simple LAN. And the "problem" is that if a request reaches us at the IP address of ISP3, then in our case the reply will go out through the ISP2 channel, because the default gateway points there. It will go out and be dropped by the provider as incorrect. The problem is identified. How do we solve it?

The solution is divided into three stages:

  1. Pre-setup. At this stage the basic settings of the router are set: local network, firewall, address lists, hairpin NAT, etc.
  2. Multiwan. At this stage the necessary connections are marked and sorted into routing tables.
  3. Connecting to the ISPs. At this stage the interfaces providing the Internet connection are configured, and routing and Internet channel backup are brought into operation.

1. Pre-setup

1.1. We clean the router configuration with the command:

/system reset-configuration skip-backup=yes no-defaults=yes

answer "Dangerous! Reset anyway? [y/N]:" with y and, after the reboot, connect with Winbox via MAC. At this stage the configuration and the user base are wiped.

1.2. Create a new user:

/user add group=full name=knight password=ultrasecret comment="Not horse"

log in under it and delete the default one:

/user remove admin

Note. It is removing, rather than disabling, the default user that the author considers safer and recommends doing.

1.3. Create the basic interface lists for convenient work with the firewall, discovery settings and the MAC server:

/interface list add name=WAN comment="For Internet"
/interface list add name=LAN comment="For Local Area"

Label the interfaces with comments

/interface ethernet set ether1 comment="to ISP1"
/interface ethernet set ether2 comment="to ISP2"
/interface ethernet set ether3 comment="to ISP3"
/interface ethernet set ether4 comment="to LAN1"
/interface ethernet set ether5 comment="to LAN2"

and fill in the interface lists:

/interface list member add interface=ether1 list=WAN comment=ISP1
/interface list member add interface=ether2 list=WAN comment=ISP2 
/interface list member add interface=ether3 list=WAN comment="to ISP3"
/interface list member add interface=ether4 list=LAN  comment="LAN1"
/interface list member add interface=ether5 list=LAN  comment="LAN2"

Note. Writing meaningful comments is worth the time spent on it, and it greatly simplifies troubleshooting and understanding the configuration.

The author considers it necessary, for security reasons, to add the ether3 interface to the "WAN" interface list, even though the ip protocol will not run over it.

Don't forget that after the PPP interface is brought up over ether3, it too will have to be added to the "WAN" interface list.

1.4. Hide the router from discovery and from management via MAC from the providers' networks:

/ip neighbor discovery-settings set discover-interface-list=!WAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

1.5. Create a minimum of firewall filter rules to protect the router:

/ip firewall filter add action=accept chain=input comment="Related Established Untracked Allow" 
connection-state=established,related,untracked

(the rule allows established and related connections initiated both from the connected networks and from the router itself)

/ip firewall filter add action=accept chain=input comment="ICMP from ALL" protocol=icmp

(ping, and not only ping. All icmp is allowed in. Very useful for finding MTU problems)

/ip firewall filter add action=drop chain=input comment="All other WAN Drop" in-interface-list=WAN

(the rule closing the input chain denies everything else coming from the Internet)

/ip firewall filter add action=accept chain=forward 
comment="Established, Related, Untracked allow" 
connection-state=established,related,untracked

(the rule allows established and related connections passing through the router)

/ip firewall filter add action=drop chain=forward comment="Invalid drop" connection-state=invalid

(the rule drops connections with connection-state=invalid passing through the router. Strongly recommended by Mikrotik, but in some rare situations it can block useful traffic)

/ip firewall filter add action=drop chain=forward comment="Drop all from WAN not DSTNATed"  
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

(the rule blocks packets coming from the Internet that have not gone through the dstnat procedure from passing through the router. This protects the local networks from intruders who, being in the same broadcast domain as our external networks, set our external IPs as their gateway and thus try to "explore" our local networks.)

Note. We assume that the LAN1 and LAN2 networks are trusted and traffic between them and from them is not filtered.

1.6. Create an address list with the non-routable networks:

/ip firewall address-list
add address=0.0.0.0/8 comment="\"This\" Network" list=BOGONS
add address=10.0.0.0/8 comment="Private-Use Networks" list=BOGONS
add address=100.64.0.0/10 comment="Shared Address Space. RFC 6598" list=BOGONS
add address=127.0.0.0/8 comment=Loopback list=BOGONS
add address=169.254.0.0/16 comment="Link Local" list=BOGONS
add address=172.16.0.0/12 comment="Private-Use Networks" list=BOGONS
add address=192.0.0.0/24 comment="IETF Protocol Assignments" list=BOGONS
add address=192.0.2.0/24 comment=TEST-NET-1 list=BOGONS
add address=192.168.0.0/16 comment="Private-Use Networks" list=BOGONS
add address=198.18.0.0/15 comment="Network Interconnect Device Benchmark Testing" list=BOGONS
add address=198.51.100.0/24 comment=TEST-NET-2 list=BOGONS
add address=203.0.113.0/24 comment=TEST-NET-3 list=BOGONS
add address=224.0.0.0/4 comment=Multicast list=BOGONS
add address=192.88.99.0/24 comment="6to4 Relay Anycast" list=BOGONS
add address=240.0.0.0/4 comment="Reserved for Future Use" list=BOGONS
add address=255.255.255.255 comment="Limited Broadcast" list=BOGONS

(This is a list of addresses and networks that are not routed on the Internet, and it will be treated accordingly.)

Note. The list may change, so I recommend checking that it is up to date.

1.7. Set the DNS for the router itself:

/ip dns set servers=1.1.1.1,8.8.8.8

Note. In the current version of ROS, dynamic servers take precedence over static ones. A name resolution request is sent to the first server in the order of the list. Switching to the next server happens when the current one is unavailable. The timeout is large, more than 5 seconds. Switching back, once the "fallen" server is up again, does not happen automatically. Given this algorithm and the presence of multiwan, the author recommends not using the servers handed out by the providers.

1.8. Configure the local network.
1.8.1. Configure static IP addresses on the LAN interfaces:

/ip address add interface=ether4 address=192.168.88.254/24 comment="LAN1 IP"
/ip address add interface=ether5 address=172.16.1.0/23 comment="LAN2 IP"

1.8.2. Set route rules to our local networks via the main routing table:

/ip route rule add dst-address=192.168.88.0/24 table=main comment="to LAN1"
/ip route rule add dst-address=172.16.0.0/23 table=main comment="to LAN2"

Note. This is one of the quickest and simplest ways to reach LAN addresses from sources that are the external IP addresses of the router's interfaces and do not go via the default route.

1.8.3. Enable Hairpin NAT for LAN1 and LAN2:

/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN1" 
out-interface=ether4 src-address=192.168.88.0/24 to-addresses=192.168.88.254
/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN2" 
out-interface=ether5 src-address=172.16.0.0/23 to-addresses=172.16.1.0

Note. This allows you to reach your own resources (dstnat) by the external IP while inside the network.

2. Actually implementing the truly correct multiwan

To solve the problem of "answering where the question came from", we will use two ROS tools: connection mark and routing mark. Connection mark allows you to mark the required connection and then use that mark as a condition for applying a routing mark. And with a routing mark it is already possible to work in ip route and route rules. We have the tools; now we need to decide which connections to mark, that's one, and exactly where to mark them, that's two.

With the first, everything is simple: we need to mark all connections coming into the router from the Internet through the corresponding channel. In our case these will be three labels (by the number of channels): "conn_isp1", "conn_isp2" and "conn_isp3".

The nuance with the second is that incoming connections will be of two kinds: transit and those intended for the router itself. The connection mark mechanism works in the mangle table. Consider the packet flow on the simplified diagram, kindly compiled by the specialists of mikrotik-trainings.com (not an advertisement):

(Figure: simplified RouterOS packet flow diagram)

Following the arrows, we see that the packet arrives at "Input Interface", passes through the "Prerouting" chain and only then is divided into transit and local in the "Routing Decision" block. Therefore, to kill two birds with one stone, we use Connection Mark in the Mangle table, Prerouting chain.

Note. In ROS, "Routing mark" labels are listed as "Table" in the Ip / Routes / Rules section, and as "Routing Mark" in the other sections. This can cause some confusion, but in fact it is the same thing, and it is the analogue of rt_tables in iproute2 on linux.

2.1. Mark the incoming connections from each provider:

/ip firewall mangle add action=mark-connection chain=prerouting 
comment="Connmark in from ISP1" connection-mark=no-mark in-interface=ether1  new-connection-mark=conn_isp1 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting 
comment="Connmark in from ISP2" connection-mark=no-mark in-interface=ether2  new-connection-mark=conn_isp2 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting 
comment="Connmark in from ISP3" connection-mark=no-mark in-interface=pppoe-isp3  new-connection-mark=conn_isp3 passthrough=no

Note. So as not to mark already-marked connections, I use the connection-mark=no-mark condition instead of connection-state=new, because I consider this more correct, together with dropping invalid connections in the input filter.

passthrough=no - because in this implementation re-marking is excluded and, to speed things up, rule evaluation can be stopped after the first match.

It should be kept in mind that we are not yet interfering with routing in any way. So far these are only preparatory stages. The next stage of the implementation will be processing the transit traffic that returns over the established connection from its destination in the local network. That is, those packets which (see the diagram) passed through the router along the path:

"Input Interface"=>"Prerouting"=>"Routing Decision"=>"Forward"=>"Post Routing"=>"Output Interface" and reached their destination in the local network.

Important! In ROS there is no logical division into external and internal interfaces. If we trace the path of the reply packet on the diagram above, it follows the same logical path as the request:

"Input Interface"=>"Prerouting"=>"Routing Decision"=>"Forward"=>"Post Routing"=>"Output Interface", except that for the request the "Input Interface" was the ISP interface, and for the reply it is the LAN one.

2.2. Send the transit reply traffic to the corresponding tables:

/ip firewall mangle add action=mark-routing chain=prerouting 
comment="Routemark transit out via ISP1" connection-mark=conn_isp1 
dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting 
comment="Routemark transit out via ISP2" connection-mark=conn_isp2 
dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting 
comment="Routemark transit out via ISP3" connection-mark=conn_isp3 
dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp3 passthrough=no

Note. in-interface-list=!WAN - we work only with traffic from the local networks, and dst-address-type=!local excludes packets whose destination address is one of the router's own interface addresses.

The same applies to the local packets that came to the router along the path:

"Input Interface"=>"Prerouting"=>"Routing Decision"=>"Input"=>"Local Process"

Important! The reply will go along the following path:

"Local Process"=>"Routing Decision"=>"Output"=>"Post Routing"=>"Output Interface"

2.3. Send the local reply traffic to the corresponding tables:

/ip firewall mangle add action=mark-routing chain=output 
comment="Routemark local out via ISP1" connection-mark=conn_isp1 dst-address-type=!local 
new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=output 
comment="Routemark local out via ISP2" connection-mark=conn_isp2 dst-address-type=!local 
new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=output 
comment="Routemark local out via ISP3" connection-mark=conn_isp3 dst-address-type=!local 
new-routing-mark=to_isp3 passthrough=no

At this stage, the task of preparing to send the reply into the Internet channel the request came from can be considered solved. Everything is marked, labelled and ready for routing.
An excellent "side" effect of this setup is the ability to work with DSTNAT port forwarding from both providers (ISP2, ISP3) simultaneously. Not from all of them, since on ISP1 we have a non-routable address. This effect matters, for example, for a mail server with two MX records pointing at different Internet channels.

To remove the nuances of the local networks working with the router's external IPs, we use the solutions from paragraphs 1.8.2 and 3.1.2.6.

In addition, the mark tool can be used to solve point 3 of the task. We implement it like this:

2.4. Send the traffic of local clients from the address lists to the corresponding tables:

/ip firewall mangle add action=mark-routing chain=prerouting 
comment="Address List via ISP1" dst-address-list=!BOGONS new-routing-mark=to_isp1 
passthrough=no src-address-list=Via_ISP1

/ip firewall mangle add action=mark-routing chain=prerouting 
comment="Address List via ISP2" dst-address-list=!BOGONS new-routing-mark=to_isp2 
passthrough=no src-address-list=Via_ISP2

/ip firewall mangle add action=mark-routing chain=prerouting 
comment="Address List via ISP3" dst-address-list=!BOGONS new-routing-mark=to_isp3 
passthrough=no src-address-list=Via_ISP3

As a result, it looks like this:

(Figure: the resulting mangle rule list in Winbox)

3. Configure the connections to the ISPs and set up the signature routing

3.1. Configure the connection to ISP1:
3.1.1. Configure the static IP address:

/ip address add interface=ether1 address=100.66.66.2/30 comment="ISP1 IP"

3.1.2. Configure static routing:
3.1.2.1. Add the "emergency" default route:

/ip route add comment="Emergency route" distance=254 type=blackhole

Note. This route lets traffic from local processes get past the Routing Decision stage regardless of the link state of any of the providers. The nuance of outgoing local traffic is that, for a packet to go anywhere at all, the main routing table must have an active route to a default gateway. If there is none, the packet is simply destroyed.

As an extension of the check-gateway tool, for a deeper analysis of channel state, I suggest using the recursive routing approach. The essence of the approach is that we tell the router to look for the route to its gateway not directly, but through an intermediate gateway. 4.2.2.1, 4.2.2.2 and 4.2.2.3 will be chosen as such "check" gateways for ISP1, ISP2 and ISP3 respectively.

3.1.2.2. Route to the "check" address:

/ip route add check-gateway=ping comment="For recursion via ISP1"  
distance=1 dst-address=4.2.2.1 gateway=100.66.66.1 scope=10

Note. We lower the scope value to the ROS default target-scope so that 4.2.2.1 can later be used as a recursive gateway. I emphasize: the scope of the route to the "check" address must be less than or equal to the target-scope of the route that will refer to the check.

3.1.2.3. Fallback route for traffic without a routing mark:

/ip route add comment="Unmarked via ISP1" distance=2 gateway=4.2.2.1

Note. The value distance=2 is used because ISP1 is declared the first backup by the terms of the task.

3.1.2.4. Fallback route for traffic with the "to_isp1" mark:

/ip route add comment="Marked via ISP1 Main" distance=1 gateway=4.2.2.1 
routing-mark=to_isp1

Note. Actually, now we finally begin to enjoy the fruits of the preparatory work done in section 2.

With this route, all traffic with the routing mark "to_isp1" will be directed to the gateway of the first provider, regardless of which default gateway is currently active in the main table.

3.1.2.5. First backup fallback routes for marked ISP2 and ISP3 traffic:

/ip route add comment="Marked via ISP2 Backup1" distance=2 gateway=4.2.2.1 
routing-mark=to_isp2
/ip route add comment="Marked via ISP3 Backup1" distance=2 gateway=4.2.2.1 
routing-mark=to_isp3

Note. These routes are needed, among other things, to back up the traffic of local networks that are members of the "to_isp*" address lists.

3.1.2.6. Set the route for the router's own traffic to the Internet via ISP1:

/ip route rule add comment="From ISP1 IP to Inet" src-address=100.66.66.2 table=to_isp1

Note. Combined with the rules from paragraph 1.8.2, it provides access to the required channel with a given source. This is critical for building tunnels that specify the local-side IP address (EoIP, IP-IP, GRE). Since the rules in ip route rules are evaluated from top to bottom until the first match of the conditions, this rule must come after the rules from paragraph 1.8.2.

3.1.3. Set the NAT rule for outgoing traffic:

/ip firewall nat add action=src-nat chain=srcnat comment="NAT via ISP1"  
ipsec-policy=out,none out-interface=ether1 to-addresses=100.66.66.2

Note. We NAT everything outgoing, except what falls under IPsec policies. I try not to use action=masquerade unless absolutely necessary. It is slower and heavier than src-nat because it computes the NAT address for every new connection.

3.1.4. Send the clients from the list who are denied access via the other providers directly to the ISP1 provider's gateway.

/ip firewall mangle add action=route chain=prerouting comment="Address List via ISP1 only" 
dst-address-list=!BOGONS passthrough=no route-dst=100.66.66.1 
src-address-list=Via_only_ISP1 place-before=0

Note. action=route has a higher priority and is applied before the other routing rules.

place-before=0 - puts our rule first in the list.

3.2. Configure the connection to ISP2.

Since the ISP2 provider gives us the settings via DHCP, it makes sense to make the necessary changes with a script that runs when the DHCP client fires:

/ip dhcp-client
add add-default-route=no disabled=no interface=ether2 script=":if (\$bound=1) do={\r\
    \n    /ip route add check-gateway=ping comment=\"For recursion via ISP2\" distance=1 \
           dst-address=4.2.2.2/32 gateway=\$\"gateway-address\" scope=10\r\
    \n    /ip route add comment=\"Unmarked via ISP2\" distance=1 gateway=4.2.2.2;\r\
    \n    /ip route add comment=\"Marked via ISP2 Main\" distance=1 gateway=4.2.2.2 \
           routing-mark=to_isp2;\r\
    \n    /ip route add comment=\"Marked via ISP1 Backup1\" distance=2 gateway=4.2.2.2 \
           routing-mark=to_isp1;\r\
    \n    /ip route add comment=\"Marked via ISP3 Backup2\" distance=3 gateway=4.2.2.2 \
           routing-mark=to_isp3;\r\
    \n    /ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none \
           out-interface=\$\"interface\" to-addresses=\$\"lease-address\" comment=\"NAT via ISP2\" \
           place-before=1;\r\
    \n    :if ([/ip route rule find comment=\"From ISP2 IP to Inet\"] =\"\") do={\r\
    \n        /ip route rule add comment=\"From ISP2 IP to Inet\" \
               src-address=\$\"lease-address\" table=to_isp2 \r\
    \n    } else={\r\
    \n       /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=no \
              src-address=\$\"lease-address\"\r\
    \n    }      \r\
    \n} else={\r\
    \n   /ip firewall nat remove  [find comment=\"NAT via ISP2\"];\r\
    \n   /ip route remove [find comment=\"For recursion via ISP2\"];\r\
    \n   /ip route remove [find comment=\"Unmarked via ISP2\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP2 Main\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP1 Backup1\"];\r\
    \n   /ip route remove [find comment=\"Marked via ISP3 Backup2\"];\r\
    \n   /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=yes\r\
    \n}\r\
    \n" use-peer-dns=no use-peer-ntp=no

The script itself in the Winbox window:

(Figure: the DHCP client script as shown in Winbox)

Note. The first part of the script runs when a lease is successfully obtained, the second part after the lease is released. See note 2

3.3. Configure the connection to the ISP3 provider.

Since the provider gives us dynamic settings, it makes sense to make the necessary changes with scripts that run after the ppp interface comes up and after it goes down.

3.3.1. First configure the profile:

/ppp profile
add comment="for PPPoE to ISP3" interface-list=WAN name=isp3_client \
on-down="/ip firewall nat remove  [find comment=\"NAT via ISP3\"];\r\
    \n/ip route remove [find comment=\"For recursion via ISP3\"];\r\
    \n/ip route remove [find comment=\"Unmarked via ISP3\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP3 Main\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP1 Backup2\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP2 Backup2\"];\r\
    \n/ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=yes;" \
on-up="/ip route add check-gateway=ping comment=\"For recursion via ISP3\" distance=1 \
    dst-address=4.2.2.3/32 gateway=\$\"remote-address\" scope=10\r\
    \n/ip route add comment=\"Unmarked via ISP3\" distance=3 gateway=4.2.2.3;\r\
    \n/ip route add comment=\"Marked via ISP3 Main\" distance=1 gateway=4.2.2.3 \
    routing-mark=to_isp3;\r\
    \n/ip route add comment=\"Marked via ISP1 Backup2\" distance=3 gateway=4.2.2.3 \
    routing-mark=to_isp1;\r\
    \n/ip route add comment=\"Marked via ISP2 Backup2\" distance=3 gateway=4.2.2.3 \
    routing-mark=to_isp2;\r\
    \n/ip firewall mangle set [find comment=\"Connmark in from ISP3\"] \
    in-interface=\$\"interface\";\r\
    \n/ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none \
    out-interface=\$\"interface\" to-addresses=\$\"local-address\" comment=\"NAT via ISP3\" \
    place-before=1;\r\
    \n:if ([/ip route rule find comment=\"From ISP3 IP to Inet\"] =\"\") do={\r\
    \n   /ip route rule add comment=\"From ISP3 IP to Inet\" src-address=\$\"local-address\" \
    table=to_isp3 \r\
    \n} else={\r\
    \n   /ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=no \
    src-address=\$\"local-address\"\r\
    \n};\r\
    \n"

The scripts themselves in the Winbox window:

(Figure: the PPP profile on-up and on-down scripts as shown in Winbox)

Note. The line
/ip firewall mangle set [find comment="Connmark in from ISP3"] in-interface=$"interface";
makes it possible to handle renaming of the interface correctly, since it works with the interface's internal id rather than the displayed name.

3.3.2. Now, using the profile, create the ppp connection:

/interface pppoe-client add allow=mschap2 comment="to ISP3" disabled=no 
interface=ether3 name=pppoe-isp3 password=isp3_pass profile=isp3_client user=isp3_client
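To make the interplay between the mangle rules of sections 2.1-2.4 and the routing tables assembled in sections 3.1.2 through 3.3.1 concrete, here is a small Python model of them, added as an example here and not part of the article or of RouterOS. It assumes the interface names and 4.2.2.x check gateways from the page; the ISP2/ISP3 public addresses and the Internet client 192.0.2.55 are constructed.

```python
"""Added example (not from the article): a model of the connection-mark /
routing-mark scheme from sections 2.1-2.3 and of the routing tables built in
sections 3.1.2-3.3.1. It shows why an unmarked reply leaves through the wrong
ISP, how the marks fix it, and how the backup routes take over on failure."""
from dataclasses import dataclass
from typing import Optional

# Interface names as on the page; the ISP2/ISP3 public addresses are constructed.
WAN_IFACES = {"ether1": "isp1", "ether2": "isp2", "pppoe-isp3": "isp3"}
ISP3_IP = "198.51.100.7"                      # constructed PPPoE local-address
LOCAL_ADDRS = {"100.66.66.2", "203.0.113.10", ISP3_IP, "192.168.88.254", "172.16.1.0"}
# Recursive "check" routes (3.1.2.2 and the ISP2/ISP3 scripts): 4.2.2.x/32 via each ISP.
CHECK_EGRESS = {"4.2.2.1": "ether1", "4.2.2.2": "ether2", "4.2.2.3": "pppoe-isp3"}


@dataclass
class Route:
    gateway: Optional[str]   # recursive next hop 4.2.2.x, or None for the blackhole route
    distance: int


# Routing tables exactly as built in 3.1.2.3-3.1.2.5, the DHCP script and the PPP profile.
TABLES = {
    "main":    [Route("4.2.2.2", 1), Route("4.2.2.1", 2), Route("4.2.2.3", 3), Route(None, 254)],
    "to_isp1": [Route("4.2.2.1", 1), Route("4.2.2.2", 2), Route("4.2.2.3", 3)],
    "to_isp2": [Route("4.2.2.2", 1), Route("4.2.2.1", 2), Route("4.2.2.3", 3)],
    "to_isp3": [Route("4.2.2.3", 1), Route("4.2.2.1", 2), Route("4.2.2.2", 3)],
}


class Router:
    def __init__(self, marking=True):
        self.marking = marking                          # False = no mangle rules at all
        self.link_up = {i: True for i in WAN_IFACES}   # result of check-gateway=ping
        self.conntrack = {}                             # connection -> connection-mark

    @staticmethod
    def _key(src, dst):
        # One entry per connection regardless of direction, like connection tracking.
        return frozenset((src, dst))

    def prerouting(self, in_iface, src, dst):
        """Mangle prerouting (2.1 + 2.2). Returns the routing-mark or None."""
        key = self._key(src, dst)
        # 2.1: the first packet of a connection arriving on an ISP interface
        # gets connection-mark conn_ispN (the connection-mark=no-mark condition).
        if key not in self.conntrack and in_iface in WAN_IFACES:
            self.conntrack[key] = "conn_" + WAN_IFACES[in_iface]
        # 2.2: a transit packet from a non-WAN interface to a non-local address
        # gets routing-mark to_ispN derived from its connection-mark.
        conn = self.conntrack.get(key)
        if self.marking and conn and in_iface not in WAN_IFACES and dst not in LOCAL_ADDRS:
            return conn.replace("conn_", "to_", 1)
        return None

    def output(self, src, dst):
        """Mangle output (2.3) for packets generated by the router itself."""
        conn = self.conntrack.get(self._key(src, dst))
        if self.marking and conn and dst not in LOCAL_ADDRS:
            return conn.replace("conn_", "to_", 1)
        return None

    def _active(self, route):
        # A route whose recursive gateway sits behind a failed check route is
        # inactive: check-gateway=ping on the /32 invalidates everything using it (note 1).
        return route.gateway is None or self.link_up[CHECK_EGRESS[route.gateway]]

    def egress(self, routing_mark):
        """Routing decision: the marked table first, then main; lowest distance wins."""
        for table in ([routing_mark] if routing_mark else []) + ["main"]:
            live = [r for r in TABLES[table] if self._active(r)]
            if live:
                best = min(live, key=lambda r: r.distance)
                return "blackhole" if best.gateway is None else CHECK_EGRESS[best.gateway]
        return "blackhole"


def local_reply_egress(marking=True, down=()):
    """A request reaches the router's own ISP3 address; which way does the reply leave?"""
    r = Router(marking)
    for iface in down:
        r.link_up[iface] = False
    client = "192.0.2.55"                        # constructed Internet client
    r.prerouting("pppoe-isp3", client, ISP3_IP)  # inbound request
    return r.egress(r.output(ISP3_IP, client))   # reply from a local process


def transit_reply_egress(marking=True):
    """A DST-NATed request (task point 4) enters via ISP3; the LAN2 server replies."""
    r = Router(marking)
    client, server = "192.0.2.55", "172.17.17.17"
    r.prerouting("pppoe-isp3", client, server)   # conntrack entry after dst-nat
    return r.egress(r.prerouting("ether5", server, client))


if __name__ == "__main__":
    print("no marks  :", local_reply_egress(marking=False))          # ether2 (wrong ISP)
    print("marks     :", local_reply_egress())                       # pppoe-isp3
    print("ISP3 down :", local_reply_egress(down=("pppoe-isp3",)))   # ether1 (Backup1)
    print("all down  :", local_reply_egress(down=tuple(WAN_IFACES))) # blackhole
    print("transit   :", transit_reply_egress())                     # pppoe-isp3
```

The "no marks" case is the wrong-ISP reply described at the start of the deep dive; the "ISP3 down" case shows the "Marked via ISP3 Backup1" route from 3.1.2.5 taking over.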

As a final touch, let's set the clock:

/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org

For those who read to the end

The proposed way of implementing multiwan is the author's personal preference and not the only one possible. The ROS toolkit is extensive and flexible, which, on the one hand, causes difficulties for beginners and, on the other, is the reason for its popularity. Learn, try, discover new tools and solutions. For example, as an application of the knowledge gained, in this multiwan implementation the check-gateway tool and the fallback routes could be replaced with netwatch.

Notes

  1. check-gateway is a tool that deactivates a route after two consecutive failed checks of gateway reachability. The check runs once every 10 seconds, plus the reply timeout. In total, the real switching time lies in the range of 20-30 seconds. If such a switching time is not acceptable, there is the option of using the netwatch tool, where the check timer can be set manually. check-gateway does not trigger on short-term packet loss on the link.

    Important! Deactivating the main route deactivates all the other routes that refer to it. Therefore it is not necessary to specify check-gateway=ping for them.

  2. It happens that a failure occurs on the DHCP route that looks like the client being stuck in the renewing state. In this case the second part of the script will not run, but this does not prevent traffic from flowing correctly, since the state is tracked by the corresponding check route.
  3. ECMP (Equal Cost Multi-Path): in ROS it is possible to set a route with several gateways and the same distance. In this case connections are distributed across all channels by a round-robin algorithm, in proportion to the number of gateways specified.

For motivating me to write the article, and for help in shaping its structure and placing the accents, personal thanks to Evgeny @jscar

source: www.habr.com