Multivan and routing on Mikrotik RouterOS

Introduction

The article, besides the author's vanity, was prompted by the depressing frequency of questions on this topic in the specialist groups of the Russian-speaking Telegram community. It is aimed at novice Mikrotik RouterOS (hereinafter ROS) administrators. It deals only with multivan, with an emphasis on routing. As a bonus, there is a minimal set of settings to ensure safe and convenient operation. Those looking for coverage of queues, load balancing, VLANs, bridges, deep multi-level analysis of link state and the like need not waste their time reading.

Initial data

A five-port Mikrotik router with ROS version 6.45.3 was chosen as the test subject. It will route traffic between two local networks (LAN1 and LAN2) and three providers (ISP1, ISP2, ISP3). The link to ISP1 has a static "grey" address, ISP2 a "white" one obtained via DHCP, and ISP3 a "white" one with PPPoE authorization. The connection diagram is shown in the figure:

[Figure: connection diagram of the router, LAN1, LAN2 and the three ISPs]

The task is to configure the MTK router according to the diagram so that:

  1. Automatic switching to a backup provider is provided. The main provider is ISP2, the first backup is ISP1, the second backup is ISP3.
  2. The LAN1 network has access to the Internet only via ISP1.
  3. Traffic from the local networks can be routed to the Internet via a chosen provider based on an address list.
  4. Services from the local network can be published to the Internet (DSTNAT).
  5. A firewall filter provides minimal protection from the Internet.
  6. The router can send its own traffic via any of the three providers, depending on the chosen source address.
  7. Reply packets are routed to the link they came from (including LAN).

Comment. We will configure the router "from scratch" to guarantee the absence of surprises in the initial "out of the box" configurations, which change from version to version. Winbox was chosen as the configuration tool, where the changes are displayed visually. The settings themselves will be entered as commands in the Winbox terminal. The physical connection for configuration is made directly to the Ether5 interface.

A few thoughts on what multivan is, whether it is a problem at all, or whether cunning clever people are weaving a conspiracy around networks.

An inquisitive and attentive administrator, having set up this or a similar scheme on their own, suddenly discovers that it is already working fine. Yes, yes, without the custom routing tables and other routing rules that most articles on this topic are full of. Let's check?

Can we configure addresses on the interfaces and default gateways? Yes:

On ISP1, the address and gateway are configured with distance=2 and check-gateway=ping.
On ISP2, the default dhcp-client settings; accordingly, the distance will be equal to one.
On ISP3, in the pppoe-client settings with add-default-route=yes, set default-route-distance=3.

Don't forget to configure NAT on the way out:

/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN

As a result, users of the local sites happily download cats via the main provider ISP2, and link reservation works using the check-gateway mechanism. See note 1.

Point 1 of the task is implemented. Where is the multivan with its marks? Nowhere...

Further. Specific clients from the LAN need to be let out via ISP1:

/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS passthrough=yes route-dst=100.66.66.1 src-address-list=Via_ISP1
/ip firewall mangle add action=route chain=prerouting dst-address-list=!BOGONS passthrough=no route-dst=100.66.66.1 src-address=192.168.88.0/24

Points 2 and 3 of the task are implemented. Marks, stamps, routing rules, where are they?!

Need to give clients from the Internet access to your favourite OpenVPN server with address 172.17.17.17? Please:

/ip cloud set ddns-enabled=yes

As a peer, we give the client the output of the command ":put [/ip cloud get dns-name]"

We configure port forwarding from the Internet:

/ip firewall nat add action=dst-nat chain=dstnat dst-port=1194 in-interface-list=WAN protocol=udp to-addresses=172.17.17.17

Point 4 is ready.

We set up the firewall and other protection for point 5, at the same time rejoicing that everything is already working for the users, and reach for a container with a favourite drink...
Ah! The tunnels are forgotten.

Did the l2tp-client, configured from a googled article, come up to your favourite Dutch VDS? Yes.
Did the l2tp-server with IPsec come up, and do clients connect by the DNS name from IP cloud (see above)? Yes.
Leaning back in our chair, sipping the drink, we lazily look at points 6 and 7 of the task. We think: do we need this? Anyway, it works as it is (c)... So, if it's not needed, that's it. Multivan implemented.

What is multivan? It is the connection of several Internet links to one router.

You need not read the article any further, because what could be there beyond a demonstration of something of dubious expediency?

For those who stayed, who are interested in points 6 and 7 of the task and also feel the itch of perfectionism, let's dive deeper.

The most important task of a multivan implementation is correct traffic routing. Namely: regardless of which ISP link (or links, see note 3) the default route on our router points to, it should return the reply to exactly the link the packet came from. The task is clear. Where is the problem? Indeed, in a simple local network the task is the same, but nobody bothers with extra settings and nobody has trouble. The difference is that any routable node on the Internet is reachable through each of our links, and not through one strictly specific link, as in a simple LAN. And the "trouble" is that if a request arrives for the IP address of ISP3, then in our case the reply will leave via the ISP2 link, since the default gateway points there. It leaves and is discarded by the provider as incorrect. The problem is identified. How do we solve it?

The solution is divided into three stages:

  1. Preliminary setup. At this stage the basic settings of the router are set: local network, firewall, address lists, hairpin NAT, etc.
  2. Multivan. At this stage the necessary connections are marked and sorted into routing tables.
  3. Connecting to the ISPs. At this stage the interfaces providing the connection to the Internet are configured, and routing and the Internet link reservation mechanism are activated.

1. Preliminary setup

1.1. Clear the router configuration with the command:

/system reset-configuration skip-backup=yes no-defaults=yes

agree to "Dangerous! Reset anyway? [y/N]:" and, after the reboot, connect with Winbox via MAC. At this stage the configuration and the user base are cleared.

1.2. Create a new user:

/user add group=full name=knight password=ultrasecret comment="Not horse"

log in as that user and delete the default one:

/user remove admin

Comment. It is removing, rather than disabling, the default user that the author considers safe and recommends.

1.3. Create the basic interface lists for convenience of working with the firewall, discovery settings and the MAC servers:

/interface list add name=WAN comment="For Internet"
/interface list add name=LAN comment="For Local Area"

Label the interfaces with comments

/interface ethernet set ether1 comment="to ISP1"
/interface ethernet set ether2 comment="to ISP2"
/interface ethernet set ether3 comment="to ISP3"
/interface ethernet set ether4 comment="to LAN1"
/interface ethernet set ether5 comment="to LAN2"

and fill the interface lists:

/interface list member add interface=ether1 list=WAN comment=ISP1
/interface list member add interface=ether2 list=WAN comment=ISP2
/interface list member add interface=ether3 list=WAN comment="to ISP3"
/interface list member add interface=ether4 list=LAN comment="LAN1"
/interface list member add interface=ether5 list=LAN comment="LAN2"

Comment. Writing intelligible comments is worth the time spent on it; besides, it helps greatly with troubleshooting and understanding the configuration.

The author considers it necessary, for security reasons, to add the ether3 interface to the "WAN" interface list, even though the IP protocol will not run over it.

Don't forget that after the PPP interface comes up on ether3, it will also need to be added to the "WAN" interface list.

1.4. Hide the router from neighbor discovery and from management via MAC from the provider networks:

/ip neighbor discovery-settings set discover-interface-list=!WAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

1.5. Create a minimal set of firewall filter rules to protect the router:

/ip firewall filter add action=accept chain=input comment="Related Established Untracked Allow" connection-state=established,related,untracked

(The rule allows established and related connections initiated both from the connected networks and by the router itself)

/ip firewall filter add action=accept chain=input comment="ICMP from ALL" protocol=icmp

(ping, and not only ping. All ICMP is allowed in. Very useful for detecting MTU problems)

/ip firewall filter add action=drop chain=input comment="All other WAN Drop" in-interface-list=WAN

(The rule closing the input chain drops everything else coming from the Internet)

/ip firewall filter add action=accept chain=forward comment="Established, Related, Untracked allow" connection-state=established,related,untracked

(the rule allows established and related connections passing through the router)

/ip firewall filter add action=drop chain=forward comment="Invalid drop" connection-state=invalid

(the rule drops connections with connection-state=invalid passing through the router. Strongly recommended by Mikrotik, but in some rare situations it can block useful traffic)

/ip firewall filter add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

(The rule prevents packets that came from the Internet and did not pass the dstnat procedure from passing through the router. This protects the local networks from intruders who, being in the same broadcast domain as our external networks, would set our external IPs as their gateway and thus try to "explore" our local networks.)

Comment. Let's assume that the LAN1 and LAN2 networks are trusted and traffic between them and from them is not filtered.
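To see how the ordering of these six rules decides a packet's fate, here is an added Python model; it is not part of the original article and not Mikrotik code. It replays the filter, in the order the rules were added, over a few constructed packets. The packet fields (chain, interface list, protocol, connection-state, connection-nat-state) are exactly the matchers the rules above use; an unmatched packet is accepted, as RouterOS does by default.

```python
from dataclasses import dataclass

# Minimal model of the matchers used by the article's filter rules (section 1.5).
@dataclass(frozen=True)
class Packet:
    chain: str           # "input" (to the router) or "forward" (through the router)
    in_list: str         # interface list of the ingress interface: "WAN" or "LAN"
    protocol: str        # "tcp", "udp", "icmp", ...
    conn_state: str      # "new", "established", "related", "untracked", "invalid"
    nat_state: str = ""  # "dstnat" if the connection was rewritten in chain=dstnat

# The six rules from the article, in the order they were added. Each entry is
# (chain, matcher, action, comment); RouterOS evaluates top to bottom, the first
# match wins, and a packet no rule matches is accepted (default policy).
RULES = [
    ("input",   lambda p: p.conn_state in ("established", "related", "untracked"),
     "accept", "Related Established Untracked Allow"),
    ("input",   lambda p: p.protocol == "icmp",
     "accept", "ICMP from ALL"),
    ("input",   lambda p: p.in_list == "WAN",
     "drop",   "All other WAN Drop"),
    ("forward", lambda p: p.conn_state in ("established", "related", "untracked"),
     "accept", "Established, Related, Untracked allow"),
    ("forward", lambda p: p.conn_state == "invalid",
     "drop",   "Invalid drop"),
    ("forward", lambda p: p.in_list == "WAN" and p.conn_state == "new"
                          and p.nat_state != "dstnat",
     "drop",   "Drop all from WAN not DSTNATed"),
]

def verdict(p: Packet) -> tuple[str, str]:
    """Return (action, comment) of the first matching rule, or the default policy."""
    for chain, matches, action, comment in RULES:
        if chain == p.chain and matches(p):
            return action, comment
    return "accept", "default policy (no rule matched)"

# Constructed sample packets covering the cases the article's comments describe.
SAMPLES = {
    "ssh from Internet to router":     Packet("input",   "WAN", "tcp",  "new"),
    "ping from Internet to router":    Packet("input",   "WAN", "icmp", "new"),
    "winbox from LAN to router":       Packet("input",   "LAN", "tcp",  "new"),
    "reply to router's own DNS query": Packet("input",   "WAN", "udp",  "established"),
    "scan from ISP segment into LAN":  Packet("forward", "WAN", "tcp",  "new"),
    "OpenVPN published via dst-nat":   Packet("forward", "WAN", "udp",  "new", "dstnat"),
    "LAN client browsing":             Packet("forward", "LAN", "tcp",  "new"),
    "stray packet with invalid state": Packet("forward", "LAN", "tcp",  "invalid"),
}

def evaluate_all() -> dict[str, str]:
    """Map each sample name to the action the filter takes on it."""
    return {name: verdict(p)[0] for name, p in SAMPLES.items()}

if __name__ == "__main__":
    for name, p in SAMPLES.items():
        action, comment = verdict(p)
        print(f"{name:33} -> {action:6} ({comment})")
```

The "scan from ISP segment into LAN" sample is the case the last rule exists for: a new connection from a WAN interface that was never dst-natted reaches the forward chain and is dropped, while the published OpenVPN port, which did pass dstnat, is let through.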

1.6. Create an address list of non-routable networks:

/ip firewall address-list
add address=0.0.0.0/8 comment="\"This\" Network" list=BOGONS
add address=10.0.0.0/8 comment="Private-Use Networks" list=BOGONS
add address=100.64.0.0/10 comment="Shared Address Space. RFC 6598" list=BOGONS
add address=127.0.0.0/8 comment=Loopback list=BOGONS
add address=169.254.0.0/16 comment="Link Local" list=BOGONS
add address=172.16.0.0/12 comment="Private-Use Networks" list=BOGONS
add address=192.0.0.0/24 comment="IETF Protocol Assignments" list=BOGONS
add address=192.0.2.0/24 comment=TEST-NET-1 list=BOGONS
add address=192.168.0.0/16 comment="Private-Use Networks" list=BOGONS
add address=198.18.0.0/15 comment="Network Interconnect Device Benchmark Testing" list=BOGONS
add address=198.51.100.0/24 comment=TEST-NET-2 list=BOGONS
add address=203.0.113.0/24 comment=TEST-NET-3 list=BOGONS
add address=224.0.0.0/4 comment=Multicast list=BOGONS
add address=192.88.99.0/24 comment="6to4 Relay Anycast" list=BOGONS
add address=240.0.0.0/4 comment="Reserved for Future Use" list=BOGONS
add address=255.255.255.255 comment="Limited Broadcast" list=BOGONS

(This is a list of addresses and networks that are not routed to the Internet, and we will treat it accordingly.)

Comment. The list is subject to change, so I advise you to check its relevance periodically.

1.7. Set up DNS for the router itself:

/ip dns set servers=1.1.1.1,8.8.8.8

Comment. In the current version of ROS, dynamic servers take precedence over static ones. A name resolution request is sent to the first server in the order of the list. Switching to the next server happens when the current one is unavailable. The timeout is long, more than 5 seconds. Switching back when the "fallen" server is restored does not happen automatically. Given this algorithm and the presence of a multivan, the author recommends not using the servers provided by the providers.

1.8. Set up the local network.
1.8.1. Configure static IP addresses on the LAN interfaces:

/ip address add interface=ether4 address=192.168.88.254/24 comment="LAN1 IP"
/ip address add interface=ether5 address=172.16.1.0/23 comment="LAN2 IP"

1.8.2. Set the rules for routes to our local networks via the main routing table:

/ip route rule add dst-address=192.168.88.0/24 table=main comment="to LAN1"
/ip route rule add dst-address=172.16.0.0/23 table=main comment="to LAN2"

Comment. This is one of the fast and simple ways to reach LAN addresses with the source set to one of the router's external interface IP addresses that is not on the default route.

1.8.3. Enable hairpin NAT for LAN1 and LAN2:

/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN1" out-interface=ether4 src-address=192.168.88.0/24 to-addresses=192.168.88.254
/ip firewall nat add action=src-nat chain=srcnat comment="Hairpin to LAN2" out-interface=ether5 src-address=172.16.0.0/23 to-addresses=172.16.1.0

Comment. This allows you to reach your own resources (dstnat) via the external IP while inside the network.

2. Actually, the implementation of a very correct multivan

To solve the task of "answer where you were asked from", we will use two ROS tools: connection mark and routing mark. connection mark allows you to mark the desired connection and then work with this mark as a condition for applying a routing mark. And with a routing mark it is already possible to work in ip route and route rules. We have sorted out the tools; now we need to decide which connections to mark, that's one, and exactly where to mark them, that's two.

With the first, everything is simple: we must mark all connections that come to the router from the Internet via the corresponding link. In our case, these will be three marks (by the number of links): "conn_isp1", "conn_isp2" and "conn_isp3".

The nuance with the second is that incoming connections will be of two kinds: transit and those intended for the router itself. The connection mark mechanism works in the mangle table. Consider the movement of a packet in the simplified diagram kindly compiled by the specialists of the mikrotik-trainings.com resource (not an advertisement):

[Figure: simplified packet flow diagram through RouterOS (Input Interface, Prerouting, Routing Decision, Forward, Input, Output, Postrouting, Output Interface)]

Following the arrows, we see that the packet arrives at "Input Interface", passes through the "Prerouting" chain, and only after that is split into transit and local in the "Routing Decision" block. Therefore, to kill two birds with one stone, we use Connection Mark in the Prerouting chain of the Mangle table.

Note. In ROS, "Routing mark" is listed as "Table" in the IP/Routes/Rules section and as "Routing Mark" in the other sections. This can introduce some confusion, but in fact it is the same thing, and it is an analogue of rt_tables in iproute2 on Linux.

2.1. Mark the incoming connections from each provider:

/ip firewall mangle add action=mark-connection chain=prerouting comment="Connmark in from ISP1" connection-mark=no-mark in-interface=ether1 new-connection-mark=conn_isp1 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting comment="Connmark in from ISP2" connection-mark=no-mark in-interface=ether2 new-connection-mark=conn_isp2 passthrough=no

/ip firewall mangle add action=mark-connection chain=prerouting comment="Connmark in from ISP3" connection-mark=no-mark in-interface=pppoe-isp3 new-connection-mark=conn_isp3 passthrough=no

Comment. In order not to mark already marked connections, I use the condition connection-mark=no-mark instead of connection-state=new, because I consider this more correct, as well as dropping invalid connections in the input filter.

passthrough=no, because in this implementation we exclude re-marking and, to speed things up, rule enumeration can stop after the first match.

It should be kept in mind that we are not interfering with routing in any way yet. For now these are only preparatory stages. The next stage of the implementation will be processing the return transit traffic on an established connection from the destination in the local network. I.e. those packets that (see the diagram) passed through the router along the path:

"Input Interface"=>"Prerouting"=>"Routing Decision"=>"Forward"=>"Post Routing"=>"Output Interface" and arrived at their destination in the local network.

Important! In ROS there is no logical division into external and internal interfaces. If we trace the path of the reply packet according to the diagram above, it follows the same logical path as the request:

"Input Interface"=>"Prerouting"=>"Routing Decision"=>"Forward"=>"Post Routing"=>"Output Interface", only for the request the "Input Interface" is the ISP interface, and for the reply it is the LAN.

2.2. Direct the return transit traffic to the corresponding routing tables:

/ip firewall mangle add action=mark-routing chain=prerouting comment="Routemark transit out via ISP1" connection-mark=conn_isp1 dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting comment="Routemark transit out via ISP2" connection-mark=conn_isp2 dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=prerouting comment="Routemark transit out via ISP3" connection-mark=conn_isp3 dst-address-type=!local in-interface-list=!WAN new-routing-mark=to_isp3 passthrough=no

Comment. in-interface-list=!WAN: we work only with traffic from the local network; dst-address-type=!local: the destination is not an address of one of the router's own interfaces.

The same for local packets that came to the router along the path:

"Input Interface"=>"Prerouting"=>"Routing Decision"=>"Input"=>"Local Process"

Important! The reply will go along the following path:

"Local Process"=>"Routing Decision"=>"Output"=>"Post Routing"=>"Output Interface"

2.3. Direct the return local traffic to the corresponding routing tables:

/ip firewall mangle add action=mark-routing chain=output comment="Routemark local out via ISP1" connection-mark=conn_isp1 dst-address-type=!local new-routing-mark=to_isp1 passthrough=no

/ip firewall mangle add action=mark-routing chain=output comment="Routemark local out via ISP2" connection-mark=conn_isp2 dst-address-type=!local new-routing-mark=to_isp2 passthrough=no

/ip firewall mangle add action=mark-routing chain=output comment="Routemark local out via ISP3" connection-mark=conn_isp3 dst-address-type=!local new-routing-mark=to_isp3 passthrough=no

At this stage, the task of preparing to send the reply to the Internet link from which the request came can be considered solved. Everything is marked, labelled and ready to be routed.
An excellent "side" effect of this setup is the ability to work with DSTNAT port forwarding from both providers (ISP2, ISP3) at the same time. Not from all of them, since on ISP1 we have a non-routable address. This effect is important, for example, for a mail server with two MX records pointing at different Internet links.

To avoid the nuances of local networks working with the router's external IPs, we use the solutions from paragraphs 1.8.2 and 3.1.2.6.

In addition, the marking tool can be used to solve point 3 of the task. We implement it like this:

2.4. Direct traffic from local clients in the routing address lists to the corresponding tables:
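The marking logic of sections 2.1 to 2.3 can be followed in a small simulation. The Python below is an added illustration, not the article's configuration and not RouterOS code: it models the connection table, the three connmark rules in prerouting, the routemark rules in prerouting and output, and a routing decision that consults the marked table before the main one. The ISP2 and ISP3 gateway addresses, the LAN host and the Internet client are constructed placeholders (the article's ISP1 gateway 100.66.66.1 is kept); dst-nat and the BOGONS list are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed topology: ingress interface -> ISP name, as in the article's 2.1 rules.
WAN_IFACES = {"ether1": "isp1", "ether2": "isp2", "pppoe-isp3": "isp3"}
# Connected LAN prefixes from section 1.8.1 -> egress interface.
LAN_NETS = {"192.168.88.": "ether4", "172.16.": "ether5"}
# Next hops: ISP1 is the article's 100.66.66.1; ISP2/ISP3 are constructed placeholders
# (in the article they arrive via DHCP and PPPoE respectively).
GATEWAYS = {"isp1": "100.66.66.1", "isp2": "203.0.113.1", "isp3": "198.51.100.1"}
# Addresses owned by the router itself (what dst-address-type=local matches).
ROUTER_IPS = {"100.66.66.2", "203.0.113.2", "198.51.100.2", "192.168.88.254", "172.16.1.0"}
MAIN_DEFAULT = "isp2"   # task point 1: ISP2 is the main provider

@dataclass
class Packet:
    src: str
    dst: str
    in_iface: Optional[str]     # None = generated by a local process on the router
    conn_id: str                # stands in for the 5-tuple conntrack key
    connection_mark: Optional[str] = None
    routing_mark: Optional[str] = None

conntrack: dict[str, str] = {}  # conn_id -> connection-mark, like the ROS connection table

def is_local(addr: str) -> bool:
    return addr in ROUTER_IPS

def mangle_prerouting(p: Packet) -> None:
    # 2.1: the first packet of a connection arriving on a WAN interface gets conn_ispN
    if p.in_iface in WAN_IFACES and p.conn_id not in conntrack:
        conntrack[p.conn_id] = "conn_" + WAN_IFACES[p.in_iface]
    p.connection_mark = conntrack.get(p.conn_id)
    # 2.2: reply transit traffic (in-interface-list=!WAN, dst-address-type=!local)
    if p.connection_mark and p.in_iface not in WAN_IFACES and not is_local(p.dst):
        p.routing_mark = "to_" + p.connection_mark[len("conn_"):]

def mangle_output(p: Packet) -> None:
    # 2.3: the router's own reply on a marked connection (chain=output)
    p.connection_mark = conntrack.get(p.conn_id)
    if p.connection_mark and not is_local(p.dst):
        p.routing_mark = "to_" + p.connection_mark[len("conn_"):]

def routing_decision(p: Packet) -> tuple[str, Optional[str]]:
    """Return (egress interface, next hop); 'local' means delivered to the router."""
    if is_local(p.dst):
        return "local", None
    for prefix, iface in LAN_NETS.items():
        if p.dst.startswith(prefix):
            return iface, None                   # connected route, no gateway
    # marked table to_ispN if the packet carries a routing-mark, otherwise main
    isp = p.routing_mark[len("to_"):] if p.routing_mark else MAIN_DEFAULT
    iface = next(i for i, name in WAN_IFACES.items() if name == isp)
    return iface, GATEWAYS[isp]

def route(p: Packet) -> tuple[str, Optional[str]]:
    """Walk the packet through mangle and the routing decision, as in the diagram."""
    if p.in_iface is None:
        mangle_output(p)
    else:
        mangle_prerouting(p)
    return routing_decision(p)

def demo() -> dict[str, tuple[str, Optional[str]]]:
    """Constructed flows; returns where each packet leaves the router."""
    return {
        # request from an Internet client arrives via ISP3 for a LAN1 host
        "request via ISP3 to LAN1":
            route(Packet("198.51.100.99", "192.168.88.10", "pppoe-isp3", "c1")),
        # the LAN1 host answers: must leave via ISP3 although the main default is ISP2
        "reply from LAN1":
            route(Packet("192.168.88.10", "198.51.100.99", "ether4", "c1")),
        # a fresh LAN connection has no mark and follows the main table
        "new LAN connection":
            route(Packet("192.168.88.11", "1.1.1.1", "ether4", "c2")),
        # ping to the router's ISP1 address is delivered locally ...
        "ping to router via ISP1":
            route(Packet("198.51.100.99", "100.66.66.2", "ether1", "c3")),
        # ... and the router's own echo reply goes back out via ISP1
        "echo reply from router":
            route(Packet("100.66.66.2", "198.51.100.99", None, "c3")),
    }

if __name__ == "__main__":
    for name, (iface, gw) in demo().items():
        print(f"{name:26} -> {iface} via {gw}")
```

The two reply flows are the point of the section: both carry no routing mark when they arrive at mangle, inherit the connection mark set when the request came in, and are steered into to_isp3 or to_isp1 before the routing decision, so the main table's ISP2 default is never consulted for them.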

/ip firewall mangle add action=mark-routing chain=prerouting comment="Address List via ISP1" dst-address-list=!BOGONS new-routing-mark=to_isp1 passthrough=no src-address-list=Via_ISP1

/ip firewall mangle add action=mark-routing chain=prerouting comment="Address List via ISP2" dst-address-list=!BOGONS new-routing-mark=to_isp2 passthrough=no src-address-list=Via_ISP2

/ip firewall mangle add action=mark-routing chain=prerouting comment="Address List via ISP3" dst-address-list=!BOGONS new-routing-mark=to_isp3 passthrough=no src-address-list=Via_ISP3

As a result, it looks like this:

[Figure: the resulting mangle rule list in Winbox]

3. Setting up the connections to the ISPs and enabling marked routing

3.1. Set up the connection to ISP1:
3.1.1. Configure a static IP address:

/ip address add interface=ether1 address=100.66.66.2/30 comment="ISP1 IP"

3.1.2. Set up static routing:
3.1.2.1. Add an "emergency" default route:

/ip route add comment="Emergency route" distance=254 type=blackhole

Comment. This route allows traffic from local processes to pass the Routing Decision stage regardless of the state of the links to any of the providers. The nuance of outgoing local traffic is that, for the packet to move anywhere at all, the main routing table must have an active default route. If there is none, the packet is simply destroyed.

As an extension of the check-gateway tool for a deeper analysis of link state, I suggest using the recursive routing method. The essence of the method is that we tell the router to look for the path to its gateway not directly but through an intermediate gateway. 4.2.2.1, 4.2.2.2 and 4.2.2.3 will be chosen as such "test" gateways for ISP1, ISP2 and ISP3 respectively.

3.1.2.2. Route to the "verification" address:

/ip route add check-gateway=ping comment="For recursion via ISP1" distance=1 dst-address=4.2.2.1 gateway=100.66.66.1 scope=10

Comment. We lower the scope value to the ROS default target-scope in order to use 4.2.2.1 as a recursive gateway later. I emphasize: the scope of the route to the "test" address must be less than or equal to the target-scope of the route that will refer to the test one.

3.1.2.3. Recursive default route for traffic without a routing mark:

/ip route add comment="Unmarked via ISP1" distance=2 gateway=4.2.2.1

Comment. The value distance=2 is used because ISP1 is declared the first backup according to the task conditions.

3.1.2.4. Recursive default route for traffic with the routing mark "to_isp1":

/ip route add comment="Marked via ISP1 Main" distance=1 gateway=4.2.2.1 routing-mark=to_isp1

Comment. Here we actually begin, at last, to enjoy the fruits of the preparatory work done in paragraph 2.

Via this route, all traffic with the routing mark "to_isp1" will be directed to the gateway of the first provider, regardless of which default gateway is currently active for the main table.

3.1.2.5. First backup default route for traffic marked for ISP2 and ISP3:

/ip route add comment="Marked via ISP2 Backup1" distance=2 gateway=4.2.2.1 routing-mark=to_isp2
/ip route add comment="Marked via ISP3 Backup1" distance=2 gateway=4.2.2.1 routing-mark=to_isp3

Comment. These routes are needed, among other things, to reserve traffic from the local networks that are members of the "to_isp*" address list.

3.1.2.6. Configure a route for the router's own traffic to the Internet via ISP1:

/ip route rule add comment="From ISP1 IP to Inet" src-address=100.66.66.2 table=to_isp1

Comment. In combination with the rules from paragraph 1.8.2, this provides access to the desired link with the given source. This is critical for building tunnels in which the local-side IP address is specified (EoIP, IP-IP, GRE). Since the rules in ip route rules are processed from top to bottom until the first match of conditions, this rule must be placed after the rules from paragraph 1.8.2.
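The interplay of distance, scope/target-scope, check-gateway and recursion in 3.1.2.1 to 3.1.2.5 is easiest to see by resolving the routes by hand. The Python below is an added model, not RouterOS code and not part of the article: it loads the routes the article creates for all three ISPs (the ISP2 and ISP3 ones are the same shape as what the DHCP and PPPoE scripts later in the text add) with constructed next-hop addresses for ISP2 and ISP3, and selects the active default route for a table given which test addresses currently answer ping. It also shows what happens when the scope of the test routes is left at the default of 30, which is the mistake the comment above warns about.

```python
from dataclasses import dataclass
from typing import Optional

BLACKHOLE = "blackhole"

@dataclass(frozen=True)
class Route:
    dst: str                 # "0.0.0.0/0" or "<test address>/32"
    gateway: str             # next hop: a connected address, a test address, or BLACKHOLE
    distance: int
    table: str = "main"      # routing-mark; "main" for unmarked traffic
    scope: int = 30          # ROS defaults: scope=30, target-scope=10
    target_scope: int = 10
    check_gateway: bool = False
    comment: str = ""

# Directly connected next hops. ISP1's 100.66.66.1 is from the article; the ISP2 and
# ISP3 gateways are constructed stand-ins for $"gateway-address" / $"remote-address".
CONNECTED = {"100.66.66.1": "isp1", "203.0.113.1": "isp2", "198.51.100.1": "isp3"}

def article_routes(test_scope: int = 10) -> list[Route]:
    """Routes from 3.1.2.x plus the ones the ISP2/ISP3 scripts add (all links up)."""
    tests = [("4.2.2.1", "100.66.66.1", "ISP1"), ("4.2.2.2", "203.0.113.1", "ISP2"),
             ("4.2.2.3", "198.51.100.1", "ISP3")]
    routes = [Route(f"{t}/32", gw, 1, scope=test_scope, check_gateway=True,
                    comment=f"For recursion via {name}") for t, gw, name in tests]
    routes.append(Route("0.0.0.0/0", BLACKHOLE, 254, comment="Emergency route"))
    # Unmarked defaults: ISP2 main (1), ISP1 first backup (2), ISP3 second backup (3).
    for t, d in (("4.2.2.2", 1), ("4.2.2.1", 2), ("4.2.2.3", 3)):
        routes.append(Route("0.0.0.0/0", t, d, comment=f"Unmarked via {t}"))
    # Marked tables: own ISP at distance 1, the other two as backups.
    backups = {"to_isp1": [("4.2.2.1", 1), ("4.2.2.2", 2), ("4.2.2.3", 3)],
               "to_isp2": [("4.2.2.2", 1), ("4.2.2.1", 2), ("4.2.2.3", 3)],
               "to_isp3": [("4.2.2.3", 1), ("4.2.2.1", 2), ("4.2.2.2", 3)]}
    for table, entries in backups.items():
        for t, d in entries:
            routes.append(Route("0.0.0.0/0", t, d, table=table))
    return routes

def resolve(routes: list[Route], gateway: str, target_scope: int,
            reachable: dict[str, bool]) -> Optional[str]:
    """Follow the recursion until a connected next hop is found; None if none is active."""
    if gateway in CONNECTED:
        return gateway
    # only a route whose scope fits the referring route's target-scope may be used
    for r in routes:
        if r.dst == f"{gateway}/32" and r.scope <= target_scope and is_active(routes, r, reachable):
            return resolve(routes, r.gateway, r.target_scope, reachable)
    return None

def is_active(routes: list[Route], r: Route, reachable: dict[str, bool]) -> bool:
    if r.gateway == BLACKHOLE:
        return True
    # check-gateway=ping: the route is deactivated when its destination stops answering
    if r.check_gateway and not reachable.get(r.dst.split("/")[0], False):
        return False
    return resolve(routes, r.gateway, r.target_scope, reachable) is not None

def default_next_hop(routes: list[Route], table: str,
                     reachable: dict[str, bool]) -> Optional[str]:
    """Lowest-distance active default route of `table` (falling back to main), resolved."""
    candidates = [r for r in routes if r.table == table and r.dst == "0.0.0.0/0"
                  and is_active(routes, r, reachable)]
    if not candidates:
        return default_next_hop(routes, "main", reachable) if table != "main" else None
    best = min(candidates, key=lambda r: r.distance)
    if best.gateway == BLACKHOLE:
        return BLACKHOLE
    return resolve(routes, best.gateway, best.target_scope, reachable)

def failover_table(routes: list[Route], reachable: dict[str, bool]) -> dict[str, Optional[str]]:
    """ISP actually used per table for one link state (or 'blackhole')."""
    out = {}
    for table in ("main", "to_isp1", "to_isp2", "to_isp3"):
        hop = default_next_hop(routes, table, reachable)
        out[table] = CONNECTED.get(hop, hop)
    return out

if __name__ == "__main__":
    routes = article_routes()
    all_up = {"4.2.2.1": True, "4.2.2.2": True, "4.2.2.3": True}
    print("all up:         ", failover_table(routes, all_up))
    print("ISP2 down:      ", failover_table(routes, {**all_up, "4.2.2.2": False}))
    print("ISP1+ISP2 down: ", failover_table(routes, {"4.2.2.3": True}))
    print("all down:       ", failover_table(routes, {}))
    print("test scope=30:  ", failover_table(article_routes(test_scope=30), all_up))
```

Note how the default routes themselves carry no check-gateway (see note 1): when 4.2.2.2 stops answering, the /32 test route is deactivated and every default route recursing through it becomes inactive with it, so both the main table and to_isp2 move to ISP1 at distance 2. With the test routes at scope 30 nothing can recurse through them and only the blackhole route stays active.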

3.1.3. Configure the NAT rule for outgoing traffic:

/ip firewall nat add action=src-nat chain=srcnat comment="NAT via ISP1" ipsec-policy=out,none out-interface=ether1 to-addresses=100.66.66.2

Comment. We NAT everything that goes out except what falls under IPsec policies. I try not to use action=masquerade unless absolutely necessary. It is slower and more resource-intensive than src-nat, because it computes the NAT address for every new connection.

3.1.4. Send clients from the list that are forbidden from going out via the other providers directly to the ISP1 provider's gateway:

/ip firewall mangle add action=route chain=prerouting comment="Address List via ISP1 only" dst-address-list=!BOGONS passthrough=no route-dst=100.66.66.1 src-address-list=Via_only_ISP1 place-before=0

Comment. action=route has the highest priority and is applied before the other routing rules.

place-before=0 puts our rule first in the list.

3.2. Set up the connection to ISP2.

Since the ISP2 provider gives us the settings via DHCP, it makes sense to make the necessary changes with a script that runs when the DHCP client fires:

/ip dhcp-client
add add-default-route=no disabled=no interface=ether2 script=":if (\$bound=1) do={\r\
    \n    /ip route add check-gateway=ping comment=\"For recursion via ISP2\" distance=1 \
    dst-address=4.2.2.2/32 gateway=\$\"gateway-address\" scope=10\r\
    \n    /ip route add comment=\"Unmarked via ISP2\" distance=1 gateway=4.2.2.2;\r\
    \n    /ip route add comment=\"Marked via ISP2 Main\" distance=1 gateway=4.2.2.2 \
    routing-mark=to_isp2;\r\
    \n    /ip route add comment=\"Marked via ISP1 Backup1\" distance=2 gateway=4.2.2.2 \
    routing-mark=to_isp1;\r\
    \n    /ip route add comment=\"Marked via ISP3 Backup2\" distance=3 gateway=4.2.2.2 \
    routing-mark=to_isp3;\r\
    \n    /ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none \
    out-interface=\$\"interface\" to-addresses=\$\"lease-address\" comment=\"NAT via ISP2\" \
    place-before=1;\r\
    \n    :if ([/ip route rule find comment=\"From ISP2 IP to Inet\"]=\"\") do={\r\
    \n        /ip route rule add comment=\"From ISP2 IP to Inet\" \
    src-address=\$\"lease-address\" table=to_isp2\r\
    \n    } else={\r\
    \n        /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=no \
    src-address=\$\"lease-address\"\r\
    \n    }\r\
    \n} else={\r\
    \n    /ip firewall nat remove [find comment=\"NAT via ISP2\"];\r\
    \n    /ip route remove [find comment=\"For recursion via ISP2\"];\r\
    \n    /ip route remove [find comment=\"Unmarked via ISP2\"];\r\
    \n    /ip route remove [find comment=\"Marked via ISP2 Main\"];\r\
    \n    /ip route remove [find comment=\"Marked via ISP1 Backup1\"];\r\
    \n    /ip route remove [find comment=\"Marked via ISP3 Backup2\"];\r\
    \n    /ip route rule set [find comment=\"From ISP2 IP to Inet\"] disabled=yes\r\
    \n}\r\
    \n" use-peer-dns=no use-peer-ntp=no

The script itself in the Winbox window:

[Figure: the DHCP client script in the Winbox script window]
Comment. The first section of the script fires when a lease is obtained successfully, the second after the lease is released. See note 2.

3.3. Set up the connection to the ISP3 provider.

Since the provider gives us the settings dynamically, it makes sense to make the necessary changes with scripts that run after the ppp interface comes up and after it goes down.

3.3.1. First, configure the profile:

/ppp profile
add comment="for PPPoE to ISP3" interface-list=WAN name=isp3_client \
    on-down="/ip firewall nat remove [find comment=\"NAT via ISP3\"];\r\
    \n/ip route remove [find comment=\"For recursion via ISP3\"];\r\
    \n/ip route remove [find comment=\"Unmarked via ISP3\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP3 Main\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP1 Backup2\"];\r\
    \n/ip route remove [find comment=\"Marked via ISP2 Backup2\"];\r\
    \n/ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=yes;" \
    on-up="/ip route add check-gateway=ping comment=\"For recursion via ISP3\" distance=1 \
    dst-address=4.2.2.3/32 gateway=\$\"remote-address\" scope=10\r\
    \n/ip route add comment=\"Unmarked via ISP3\" distance=3 gateway=4.2.2.3;\r\
    \n/ip route add comment=\"Marked via ISP3 Main\" distance=1 gateway=4.2.2.3 \
    routing-mark=to_isp3;\r\
    \n/ip route add comment=\"Marked via ISP1 Backup2\" distance=3 gateway=4.2.2.3 \
    routing-mark=to_isp1;\r\
    \n/ip route add comment=\"Marked via ISP2 Backup2\" distance=3 gateway=4.2.2.3 \
    routing-mark=to_isp2;\r\
    \n/ip firewall mangle set [find comment=\"Connmark in from ISP3\"] \
    in-interface=\$\"interface\";\r\
    \n/ip firewall nat add action=src-nat chain=srcnat ipsec-policy=out,none \
    out-interface=\$\"interface\" to-addresses=\$\"local-address\" comment=\"NAT via ISP3\" \
    place-before=1;\r\
    \n:if ([/ip route rule find comment=\"From ISP3 IP to Inet\"]=\"\") do={\r\
    \n    /ip route rule add comment=\"From ISP3 IP to Inet\" src-address=\$\"local-address\" \
    table=to_isp3\r\
    \n} else={\r\
    \n    /ip route rule set [find comment=\"From ISP3 IP to Inet\"] disabled=no \
    src-address=\$\"local-address\"\r\
    \n};\r\
    \n"

The script itself in the Winbox window:

[Figure: the PPP profile on-up and on-down scripts in the Winbox window]
Comment. The line
/ip firewall mangle set [find comment="Connmark in from ISP3"] in-interface=$"interface";
lets the configuration adapt to a renamed interface, because it works with the interface's internal ID and not its display name.

3.3.2. Now, using the profile, create the ppp connection:

/interface pppoe-client add allow=mschap2 comment="to ISP3" disabled=no interface=ether3 name=pppoe-isp3 password=isp3_pass profile=isp3_client user=isp3_client

As a final touch, set up the clock:

/system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org

For those who read to the end

The proposed way of implementing multivan is the author's personal preference and not the only possible one. The ROS toolkit is extensive and flexible, which on the one hand causes difficulties for beginners and on the other hand is the reason for its popularity. Learn, try, discover new tools and solutions. For example, as an application of the knowledge gained, the check-gateway with recursive routes tool in this multivan implementation could be replaced with netwatch.

Notes

  1. check-gateway is a mechanism that allows a route to be deactivated after two consecutive unsuccessful availability checks of the gateway. The check is performed once every 10 seconds, plus the response timeout. In total, the actual switching time is in the range of 20-30 seconds. If such a switching time is not enough, there is the option of using the netwatch tool, where the check timer can be set manually. check-gateway does not fire on short-term packet loss on the link.

    Important! Deactivating the main route deactivates all the other routes that refer to it. Therefore, it is not necessary to specify check-gateway=ping for them.

  2. It happens that a failure occurs in the DHCP mechanism, which looks like the client being stuck in the renewing state. In this case the second part of the script will not run, but that will not prevent traffic from going where it should, because the state is tracked by the corresponding recursive route.
  3. ECMP (Equal-Cost Multi-Path): in ROS it is possible to set a route with several gateways and the same distance. In this case, connections will be distributed across the links using the round-robin algorithm, according to the number of specified gateways.

For the motivation to write the article, help with its design and placement of emphasis: personal thanks to Evgeny @jscar

Source: www.habr.com