2 WAN и load balancing

Тема в разделе "Маршрутизация", создана пользователем 4ikotillo, 30 ноя 2017.

  1. 4ikotillo

    4ikotillo Новый участник

    Добрый день. Сделал конфигурацию на 2 WAN интерфейса, цель была получать доступ с обоих ip адресов. Далее хочу для торентов объединить каналы и включать иногда правила по объединению. Можете проверить конфигурацию и сказать корректно ли я настроил все? На данный момент доступ с 2-х ip работает.

    /interface bridge
    add name=bridge
    /interface ethernet
    set [ find default-name=ether4 ] master-port=ether3
    set [ find default-name=ether5 ] master-port=ether3
    /ip neighbor discovery
    set ether1 discover=no
    set ether2 discover=no
    /interface list
    add name=WAN
    add name=LAN
    /ip pool
    add name=dhcp ranges=192.168.88.10-192.168.88.254
    /ip dhcp-server
    add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge lease-time=3d10m name=DHCP-LAN
    /interface bridge port
    add bridge=bridge interface=ether3
    /interface list member
    add interface=ether1 list=WAN
    add interface=ether2 list=WAN
    add interface=bridge list=LAN
    /ip address
    add address=192.168.88.1/24 interface=bridge network=92.168.88.0
    add address=1.1.1.2/30 interface=ether1 network=1.1.1.0
    add address=2.2.2.2/30 interface=eoip-rostelecom network=2.2.2.0
    /ip dhcp-server network
    add address=192.168.88.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
    /ip dns
    set allow-remote-requests=yes servers=8.8.8.8
    /ip firewall address-list
    add address=0.0.0.0/8 list=BOGON
    add address=10.0.0.0/8 list=BOGON
    add address=100.64.0.0/10 list=BOGON
    add address=127.0.0.0/8 list=BOGON
    add address=169.254.0.0/16 list=BOGON
    add address=172.16.0.0/12 list=BOGON
    add address=192.0.0.0/24 list=BOGON
    add address=192.0.2.0/24 list=BOGON
    add address=192.168.0.0/16 list=BOGON
    add address=198.18.0.0/15 list=BOGON
    add address=198.51.100.0/24 list=BOGON
    add address=203.0.113.0/24 list=BOGON
    add address=224.0.0.0/4 list=BOGON
    add address=240.0.0.0/4 list=BOGON
    add address=192.168.88.0/24 list=lan
    /ip firewall filter
    add action=accept chain=input connection-state=established,related
    add action=drop chain=input connection-state=invalid
    add action=reject chain=input dst-port=53,123 in-interface-list=WAN protocol=udp reject-with=icmp-port-unreachable
    add action=reject chain=input dst-port=53,123 in-interface-list=WAN protocol=tcp reject-with=icmp-port-unreachable
    add action=accept chain=input protocol=icmp
    add action=accept chain=input dst-port=8292 protocol=tcp
    add action=accept chain=input protocol=tcp
    add action=accept chain=input protocol=udp
    add action=drop chain=input in-interface-list=WAN src-address-list=BOGON
    add action=drop chain=input src-address=!192.168.88.1
    add action=accept chain=forward comment="Allow established connections" connection-state=established,related,untracked
    add action=accept chain=forward comment="Allow UDP" protocol=udp
    add action=accept chain=forward comment="Allow UDP" protocol=tcp
    add action=accept chain=forward comment="Allow ICMP Ping" log=yes log-prefix=ping protocol=icmp
    add action=accept chain=forward comment="Allow all for LAN"
    add action=drop chain=forward
    add action=drop chain=forward src-address=0.0.0.0/8
    add action=drop chain=forward dst-address=0.0.0.0/8
    add action=drop chain=forward src-address=127.0.0.0/8
    add action=drop chain=forward dst-address=127.0.0.0/8
    add action=drop chain=forward src-address=224.0.0.0/3
    add action=drop chain=forward dst-address=224.0.0.0/3
    add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
    add action=drop chain=forward comment="Allow established connections" connection-state=invalid log-prefix=Drop
    /ip firewall mangle
    add action=mark-connection chain=forward comment=isp1 in-interface=ether1 new-connection-mark=to_isp1 passthrough=yes
    add action=mark-routing chain=prerouting comment=isp1 connection-mark=to_isp1 dst-address-list=!lan new-routing-mark=route_isp1 passthrough=yes src-address-list=lan
    add action=mark-connection chain=input comment=isp1 in-interface=ether1 new-connection-mark=in_wan_isp1 passthrough=yes
    add action=mark-routing chain=output comment=isp1 connection-mark=in_wan_isp1 new-routing-mark=ISP1 passthrough=yes src-address=1.1.1.2
    add action=mark-connection chain=forward comment=isp2 in-interface=ether2 new-connection-mark=to_isp2 passthrough=yes
    add action=mark-routing chain=prerouting comment=isp2 connection-mark=to_isp2 dst-address-list=!lan new-routing-mark=route_isp2 passthrough=yes src-address-list=lan
    add action=mark-connection chain=input comment=isp2 in-interface=ether2 new-connection-mark=in_wan_isp2 passthrough=yes
    add action=mark-routing chain=output comment=isp2 connection-mark=in_wan_isp2 new-routing-mark=ISP2 passthrough=yes src-address=2.2.2.2
    /ip firewall nat
    add action=src-nat chain=srcnat comment=isp1 out-interface=ether1 to-addresses=1.1.1.2
    add action=src-nat chain=srcnat comment=isp2 out-interface=ether2 to-addresses=2.2.2.2
    /ip route
    add distance=1 gateway=1.1.1.1 routing-mark=ISP1
    add distance=2 gateway=2.2.2.1 routing-mark=ISP2
    add distance=1 gateway=1.1.1.1
    add distance=2 gateway=2.2.2.1
    /ip service
    set telnet address=192.168.88.0/24
    set ftp disabled=yes
    set www address=192.168.88.0/24 port=8099
    set ssh address=192.168.88.0/24
    set api disabled=yes
    set winbox port=8292
    set api-ssl disabled=yes
    /system clock
    set time-zone-autodetect=no time-zone-name=Europe/Moscow
    /system identity
    set name=Ilya
    /tool mac-server
    set [ find default=yes ] disabled=yes
    add interface=bridge

    И как луше реализовать объединение 2-х каналов, чтобы быстрее качать торенты?
     
  2. 4ikotillo

    4ikotillo Новый участник

    По сути меня интересуют правильно ли я написал часть mangle, nat, route. Правильно ли я делаю что в каждом правиле включаю Passthrough?
    Уместно ли использовать srcnat вместо маскарадинга?

    /ip firewall address-list
    add address=192.168.88.0/24 list=lan

    /ip firewall mangle
    add action=mark-connection chain=forward comment=isp1 in-interface=ether1 new-connection-mark=to_isp1 passthrough=yes
    add action=mark-routing chain=prerouting comment=isp1 connection-mark=to_isp1 dst-address-list=!lan new-routing-mark=route_isp1 passthrough=yes src-address-list=lan
    add action=mark-connection chain=input comment=isp1 in-interface=ether1 new-connection-mark=in_wan_isp1 passthrough=yes
    add action=mark-routing chain=output comment=isp1 connection-mark=in_wan_isp1 new-routing-mark=ISP1 passthrough=yes src-address=1.1.1.2
    add action=mark-connection chain=forward comment=isp2 in-interface=ether2 new-connection-mark=to_isp2 passthrough=yes
    add action=mark-routing chain=prerouting comment=isp2 connection-mark=to_isp2 dst-address-list=!lan new-routing-mark=route_isp2 passthrough=yes src-address-list=lan
    add action=mark-connection chain=input comment=isp2 in-interface=ether2 new-connection-mark=in_wan_isp2 passthrough=yes
    add action=mark-routing chain=output comment=isp2 connection-mark=in_wan_isp2 new-routing-mark=ISP2 passthrough=yes src-address=2.2.2.2

    /ip firewall nat
    add action=src-nat chain=srcnat comment=isp1 out-interface=ether1 to-addresses=1.1.1.2
    add action=src-nat chain=srcnat comment=isp2 out-interface=ether2 to-addresses=2.2.2.2

    /ip route
    add distance=1 gateway=1.1.1.1 routing-mark=ISP1
    add distance=2 gateway=2.2.2.1 routing-mark=ISP2
    add distance=1 gateway=1.1.1.1
    add distance=2 gateway=2.2.2.1
     
  3. Я бы добавил еще к:
    /ip route rule
    add action=lookup-only-in-table src-address=1.1.1.1 table=WAN1
    add action=lookup-only-in-table src-address=2.2.2.2 table=WAN2
    Все остальное вроде хорошо.
     
  4. 4ikotillo

    4ikotillo Новый участник

    Это для того чтобы трафик с этих таблиц маршрутизации уходил именно по нужному интерфейсу?

    А как лучше склейку каналов осуществлять, если 1 канал 100 mb/s а второй 250 mb/s?

    ECMP:

    /ip firewall mangle add src-address=192.168.88.0/24 action=mark-routing chain=prerouting new-routing-mark=mixed
    /ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1,2.2.2.1,2.2.2.1 routing-mark=mixed

    PCC:
    /ip firewall mangle add src-address=192.168.88.0/24 action=mark-routing chain=prerouting new-routing-mark=ISP1 per-connection-classifier=src-address-and-port:3/0
    /ip firewall mangle add src-address=192.168.88.0/24 action=mark-routing chain=prerouting new-routing-mark=ISP2 per-connection-classifier=src-address-and-port:3/1
    /ip firewall mangle add src-address=192.168.88.0/24 action=mark-routing chain=prerouting new-routing-mark=lISP2 per-connection-classifier=src-address-and-port:3/2