3 WAN routing and load balancing + access to local resources

Thread in the "Routing" section, started by user sensor, 27 May 2017.

  1. sensor

    sensor New member

    Good afternoon.
    I just cannot get the problem of running 3 providers at the same time sorted out.
    We have 3 links (30/90/500) Mbit/s from different providers.
    Static public IPs, the router is a Mikrotik CCR1009.

    Before the 500 Mbit/s link appeared everything worked and was set up as ECMP load balancing with masquerade. https://wiki.mikrotik.com/wiki/ECMP_loa ... masquerade
    Namely, input and output are marked for the 2 providers.
    Following the WIKI guide, a route for each link with its own routing_mark, plus a common one where I listed the gateways 1:3 to spread the load. / ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1,1.1.1.1,1.1.1.1,2.2.2.2 check-gateway=ping

    I add the 3rd provider, write the same Mangle rules as for the other 2, and add a route with a mark. Everything works, but if I add the 500 Mbit/s gateway to this construction, / ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1,1.1.1.1,2.2.2.2,3.3.3.3,3.3.3.3,3.3.3.3,3.3.3.3 check-gateway=ping, everything still works and outgoing connections are spread across the different routes, but all the internal network resources (sites, applications, services) stop being reachable from the outside. Any hints where to dig?

    p.s. I tried configuring the router per https://wiki.mikrotik.com/wiki/Manual:PCC
    same thing: everything works, but access from the outside to internal resources either takes very long or does not work at all.

    an example of my port forwarding
    ;;; ftp
    chain=dstnat action=dst-nat to-addresses=192.168.101.85 to-ports=21 protocol=tcp dst-address=!192.168.101.0/24
    dst-address-type=local dst-port=21 log=no log-prefix=""
     
  2. Илья Князев

    Илья Князев Administrator, forum staff

    Show
    /ip firewall export
    /ip route export
    /ip route print
     
  3. sensor

    sensor New member

    /ip firewall filter
    add action=drop chain=forward comment=DROP_LAN2--->NLT_LAN1 dst-address=192.168.101.0/24 src-address=192.168.101.254
    add action=drop chain=input comment="drop_dns_flood_ to_wan" dst-port=53 in-interface=gic protocol=udp
    add action=drop chain=input dst-port=53 in-interface=datagroup protocol=udp
    add action=drop chain=input dst-port=53 in-interface=triolan protocol=udp
    add action=accept chain=input comment="allow established, related connections" connection-state=established,related
    add action=accept chain=forward connection-state=established,related
    add action=accept chain=input comment="allow ping" protocol=icmp
    add action=accept chain=forward protocol=icmp
    add action=drop chain=input comment="drop invalid connections" connection-state=invalid
    add action=drop chain=forward connection-state=invalid
    add action=accept chain=input comment=allow_udp protocol=udp
    add action=accept chain=forward protocol=udp
    add action=accept chain=forward comment=allow_lan_to_wan src-address=192.168.101.0/24
    add action=accept chain=input comment=allow_lan_to_mikrotik src-address=192.168.101.0/24
    add action=accept chain=input comment=Allow_L2TP port=1701,500,4500 protocol=udp
    add action=accept chain=input protocol=ipsec-esp
    add action=accept chain=input comment=allow_pptp dst-port=1723 protocol=tcp
    add action=accept chain=input protocol=gre
    add action=accept chain=forward in-interface=all-ppp
    add action=accept chain=input comment=winbox_mikrotik dst-port=8291 protocol=tcp
    add action=accept chain=input comment=ssh_mikrotik dst-port=2017 protocol=tcp
    add action=accept chain=input comment=http_mikrotik dst-port=9999 protocol=tcp
    add action=accept chain=forward comment=allow_tcp_port_forwarding dst-port=21,80,443,8080,8888,8890,8899,7999,7000,28025,28026 \
    in-interface=gic protocol=tcp
    add action=accept chain=forward dst-port=21,80,443,25,111,143,587,7000,8080,8888,8890,7999,28025,28026 in-interface=datagroup protocol=\
    tcp
    add action=accept chain=forward disabled=yes dst-port=21,80,443,25,111,143,587,7000,8080,8888,8890,7999,28025,28026 in-interface=triolan \
    protocol=tcp
    add action=drop chain=input comment="drop everything else"
    add action=drop chain=forward
    /ip firewall mangle
    add action=mark-connection chain=input in-interface=gic new-connection-mark=gic_conn passthrough=yes
    add action=mark-connection chain=input in-interface=datagroup new-connection-mark=datagroup_conn passthrough=yes
    add action=mark-connection chain=input in-interface=triolan new-connection-mark=triolan_conn passthrough=yes
    add action=mark-routing chain=output connection-mark=gic_conn new-routing-mark=to_gic passthrough=yes
    add action=mark-routing chain=output connection-mark=datagroup_conn new-routing-mark=to_datagroup passthrough=yes
    add action=mark-routing chain=output connection-mark=triolan_conn new-routing-mark=to_triolan passthrough=yes

    ---DISABLED---
    add action=mark-connection chain=output disabled=yes new-connection-mark=gic_conn out-interface=gic passthrough=no
    add action=mark-connection chain=output disabled=yes new-connection-mark=triolan_conn out-interface=triolan passthrough=no
    add action=mark-connection chain=output disabled=yes new-connection-mark=datagroup_conn out-interface=datagroup passthrough=no
    add action=accept chain=prerouting disabled=yes dst-address=1.1.1.0/23 in-interface=NLT_BRIDGE
    add action=accept chain=prerouting disabled=yes dst-address=2.2.2.0/30 in-interface=NLT_BRIDGE
    add action=accept chain=prerouting disabled=yes dst-address=3.3.3.0/24 in-interface=NLT_BRIDGE
    add action=accept chain=prerouting disabled=yes dst-address=192.168.101.0/24 in-interface=NLT_BRIDGE
    add action=mark-connection chain=prerouting disabled=yes dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=\
    datagroup_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/0
    add action=mark-connection chain=prerouting disabled=yes dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=gic_conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:9/1
    add action=mark-connection chain=prerouting disabled=yes dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=gic_conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:9/2
    add action=mark-connection chain=prerouting disabled=yes dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=triolan_conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:9/3
    add action=mark-connection chain=prerouting disabled=yes dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=triolan_conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:9/4
    add action=mark-connection chain=prerouting disabled=yes dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=triolan_conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:9/5
    add action=mark-connection chain=prerouting disabled=yes dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=triolan_conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:9/6
    add action=mark-connection chain=prerouting disabled=yes dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=triolan_conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:9/7
    add action=mark-connection chain=prerouting disabled=yes dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=triolan_conn \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:9/8
    add action=mark-routing chain=prerouting connection-mark=gic_conn disabled=yes in-interface=NLT_BRIDGE new-routing-mark=to_gic \
    passthrough=yes
    add action=mark-routing chain=prerouting connection-mark=datagroup_conn disabled=yes in-interface=NLT_BRIDGE new-routing-mark=\
    to_datagroup passthrough=yes
    add action=mark-routing chain=prerouting connection-mark=triolan_conn disabled=yes in-interface=NLT_BRIDGE new-routing-mark=to_triolan \
    passthrough=yes
    add action=mark-routing chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=NLT_BRIDGE new-routing-mark=\
    to_triolan passthrough=no protocol=tcp src-address=192.168.101.101
    add action=mark-routing chain=prerouting connection-mark=no-mark disabled=yes dst-address-type=!local dst-port=12000 in-interface=\
    NLT_BRIDGE new-routing-mark=to_gic passthrough=no protocol=tcp
    ---DISABLED---
     
  4. sensor

    sensor New member

    /ip firewall nat
    add action=masquerade chain=srcnat comment=NAT src-address=192.168.101.0/24
    add action=dst-nat chain=dstnat comment=mail_uarank dst-address=!192.168.101.0/24 dst-address-type=local dst-port=25,111,143,587 \
    protocol=tcp to-addresses=192.168.101.24
    add action=dst-nat chain=dstnat comment=ftp_nlt dst-address=!192.168.101.0/24 dst-address-type=local dst-port=21 protocol=tcp \
    to-addresses=192.168.101.85 to-ports=21
    add action=dst-nat chain=dstnat dst-address=!192.168.101.0/24 dst-address-type=local dst-port=45450-45500 protocol=tcp to-addresses=\
    192.168.101.85 to-ports=45450-45500
    add action=dst-nat chain=dstnat comment=http/https dst-address=!192.168.101.0/24 dst-address-type=local dst-port=80 protocol=tcp \
    to-addresses=192.168.101.29 to-ports=80
    add action=dst-nat chain=dstnat dst-address=!192.168.101.0/24 dst-address-type=local dst-port=443 protocol=tcp to-addresses=\
    192.168.101.29 to-ports=443
    add action=dst-nat chain=dstnat comment=redmine_old dst-address=!192.168.101.0/24 dst-address-type=local dst-port=12000 protocol=tcp \
    to-addresses=192.168.101.113 to-ports=80
    add action=dst-nat chain=dstnat disabled=yes dst-address-type=local dst-port=12000 protocol=tcp to-addresses=192.168.101.113 to-ports=80
    add action=dst-nat chain=dstnat comment=IIS_for_VOVA dst-address=!192.168.101.0/24 dst-address-type=local dst-port=8890 protocol=tcp \
    to-addresses=192.168.101.29 to-ports=8890
    add action=dst-nat chain=dstnat comment=NIK_UBUNTU_SERVER dst-address=!192.168.101.0/24 dst-address-type=local dst-port=9000 protocol=tcp \
    to-addresses=192.168.101.140 to-ports=80
    add action=dst-nat chain=dstnat comment=RTMP dst-address=!192.168.101.0/24 dst-address-type=local dst-port=8899 protocol=tcp \
    to-addresses=192.168.101.244 to-ports=80
    add action=dst-nat chain=dstnat dst-address=!192.168.101.0/24 dst-address-type=local dst-port=7999 pr
    192.168.101.154 to-ports=80
    add action=dst-nat chain=dstnat comment=Andrey_Kursenko_project dst-address=!192.168.101.0/24 dst-add
    protocol=tcp to-addresses=192.168.101.20 to-ports=8080
    add action=dst-nat chain=dstnat dst-address=!192.168.101.0/24 dst-address-type=local dst-port=8888 pr
    192.168.101.20 to-ports=8888
    add action=dst-nat chain=dstnat comment=redmine_new dst-address=!192.168.101.0/24 dst-address-type=lo
    to-addresses=192.168.101.178 to-ports=80
    add action=dst-nat chain=dstnat disabled=yes dst-address-type=local dst-port=13000 protocol=tcp to-ad
    add action=dst-nat chain=dstnat comment=iBroker dst-address=!192.168.101.0/24 dst-address-type=local
    to-addresses=192.168.101.221 to-ports=80
    add action=dst-nat chain=dstnat dst-address=!192.168.101.0/24 dst-address-type=local dst-port=16000 p
    192.168.101.221 to-ports=80
    add action=dst-nat chain=dstnat comment=tfb dst-address=!192.168.101.0/24 dst-address-type=local dst-
    to-addresses=192.168.101.184 to-ports=80
    add action=dst-nat chain=dstnat dst-address=!192.168.101.0/24 dst-address-type=local dst-port=20001 p
    192.168.101.184 to-ports=443
    add action=dst-nat chain=dstnat comment=FTP_EM dst-address=!192.168.101.0/24 dst-address-type=local d
    to-addresses=192.168.101.29 to-ports=7000
    add action=dst-nat chain=dstnat comment=RUST_SERVER dst-address=!192.168.101.0/24 dst-address-type=lo
    to-addresses=192.168.101.15
    add action=dst-nat chain=dstnat dst-address=!192.168.101.0/24 dst-address-type=local dst-port=28025 p
    192.168.101.15
    add action=dst-nat chain=dstnat dst-address=!192.168.101.0/24 dst-address-type=local dst-port=28026 p
    192.168.101.15
    /ip firewall service-port
    set ftp ports=21,7000
    set tftp disabled=yes
    set irc disabled=yes
    set h323 disabled=yes
    set sip disabled=yes
    set dccp disabled=yes

    /ip route
    add check-gateway=ping distance=1 gateway=1.1.1.1 routing-mark=to_gic
    add check-gateway=ping distance=1 gateway=2.2.2.2 routing-mark=to_datagroup
    add check-gateway=ping distance=1 gateway=3.3.3.3 routing-mark=to_triolan
    add check-gateway=ping distance=1 gateway=1.1.1.1,1.1.1.1,1.1.1.1,2.2.2.2
    ---DISABLED---
    add check-gateway=ping disabled=yes distance=1 gateway=8.8.8.8
    add check-gateway=ping disabled=yes distance=2 gateway=8.8.4.4
    add check-gateway=ping disabled=yes distance=3 gateway=77.88.8.8
    add disabled=yes distance=1 dst-address=8.8.4.4/32 gateway=3.3.3.3 scope=10
    add disabled=yes distance=1 dst-address=8.8.8.8/32 gateway=1.1.1.1 scope=10
    add disabled=yes distance=1 dst-address=77.88.8.8/32 gateway=2.2.2.2 scope=10
    ---DISABLED---
    /ip route rule
    add comment=Dmitrii_Bosak src-address=192.168.101.202/32 table=to_datagroup
    add comment=Alexander_Dizayner src-address=192.168.101.108/32 table=to_triolan
    add comment=ITL src-address=192.168.101.254/32 table=to_gic
    add comment=ADMIN disabled=yes src-address=192.168.101.101/32 table=to_triolan



     #      DST-ADDRESS        PREF-SRC       GATEWAY      DISTANCE
     0 A S  0.0.0.0/0                         1.1.1.1      1
     1 A S  0.0.0.0/0                         2.2.2.2      1
     2 A S  0.0.0.0/0                         3.3.3.3      1
     3 A S  0.0.0.0/0                         1.1.1.1      1
                                              1.1.1.1
                                              1.1.1.1
                                              2.2.2.2

    10 ADC  2.2.2.0/30         2.2.2.2        datagroup    0
    11 ADC  1.1.1.0/23         1.1.1.1        gic          0
    12 ADC  3.3.3.0/24         3.3.3.3        triolan      0
    13 ADC  192.168.101.0/24   192.168.101.1  NLT_BRIDGE   0


    At the moment I have 2 configurations set up: the old one based on ECMP,
    and the new one, whose code I marked between ---DISABLED---.
    In the current variant, if I add to
    3 A S 0.0.0.0/0 1.1.1.1 , 1.1.1.1, 1.1.1.1, 2.2.2.2 , 3.3.3.3 , 3.3.3.3 , 3.3.3.3 , 3.3.3.3

    everything works for me, but from the outside there is no longer any access to the resources and sites on the network.

    If I enable the Mangle marking and the disabled routes, and disable the route 3 A S 0.0.0.0/0 1.1.1.1 , 1.1.1.1, 1.1.1.1, 2.2.2.2
    everything also works, but access from the outside to the internal resources is very slow, sites barely open.
    As I understand it, this can be solved by binding a port or a server to a specific provider,
    for example binding 80 only to wan1 (gic).

    But what do I do if my incoming port is 12000 and the internal one is 80?
     
  5. Илья Князев

    Илья Князев Administrator, forum staff

    Well, with port forwarding you need to mark the traffic too.
    Code:
    /ip firewall mangle
    add action=mark-connection chain=prerouting in-interface=gic new-connection-mark=gic_conn passthrough=yes
    add action=mark-connection chain=prerouting in-interface=datagroup new-connection-mark=datagroup_conn passthrough=yes
    add action=mark-connection chain=prerouting in-interface=triolan new-connection-mark=triolan_conn passthrough=yes
    
    add action=mark-routing chain=output connection-mark=gic_conn new-routing-mark=to_gic passthrough=yes
    add action=mark-routing chain=output connection-mark=datagroup_conn new-routing-mark=to_datagroup passthrough=yes
    add action=mark-routing chain=output connection-mark=triolan_conn new-routing-mark=to_triolan passthrough=yes
    # Important: set in-interface correctly
    add action=mark-routing chain=prerouting in-interface=LAN connection-mark=gic_conn new-routing-mark=to_gic passthrough=yes
    add action=mark-routing chain=prerouting in-interface=LAN connection-mark=datagroup_conn new-routing-mark=to_datagroup passthrough=yes
    add action=mark-routing chain=prerouting in-interface=LAN connection-mark=triolan_conn new-routing-mark=to_triolan passthrough=yes 
     
  6. sensor

    sensor New member

    Did I lay out the final version of the marking correctly?


    /ip firewall mangle
    add action=mark-connection chain=input in-interface=gic new-connection-mark=gic_conn passthrough=yes
    add action=mark-connection chain=input in-interface=datagroup new-connection-mark=datagroup_conn passthrough=yes
    add action=mark-connection chain=input in-interface=triolan new-connection-mark=triolan_conn passthrough=yes
    add action=mark-connection chain=prerouting in-interface=gic new-connection-mark=gic_conn passthrough=yes
    add action=mark-connection chain=prerouting in-interface=datagroup new-connection-mark=datagroup_conn passthrough=yes
    add action=mark-connection chain=prerouting in-interface=triolan new-connection-mark=triolan_conn passthrough=yes
    add action=mark-routing chain=output connection-mark=gic_conn new-routing-mark=to_gic passthrough=yes
    add action=mark-routing chain=output connection-mark=datagroup_conn new-routing-mark=to_datagroup passthrough=yes
    add action=mark-routing chain=output connection-mark=triolan_conn new-routing-mark=to_triolan passthrough=yes
    add action=accept chain=prerouting dst-address=91.222.248.0/23 in-interface=NLT_BRIDGE
    add action=accept chain=prerouting dst-address=77.222.144.132/30 in-interface=NLT_BRIDGE
    add action=accept chain=prerouting dst-address=109.86.200.0/24 in-interface=NLT_BRIDGE
    add action=accept chain=prerouting dst-address=192.168.101.0/24 in-interface=NLT_BRIDGE
    add action=mark-connection chain=prerouting dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=datagroup_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/0
    add action=mark-connection chain=prerouting dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=gic_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/1
    add action=mark-connection chain=prerouting dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=gic_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/2
    add action=mark-connection chain=prerouting dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=triolan_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/3
    add action=mark-connection chain=prerouting dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=triolan_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/4
    add action=mark-connection chain=prerouting dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=triolan_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/5
    add action=mark-connection chain=prerouting dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=triolan_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/6
    add action=mark-connection chain=prerouting dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=triolan_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/7
    add action=mark-connection chain=prerouting dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=triolan_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/8
    add action=mark-routing chain=prerouting connection-mark=gic_conn in-interface=NLT_BRIDGE new-routing-mark=to_gic passthrough=yes
    add action=mark-routing chain=prerouting connection-mark=datagroup_conn in-interface=NLT_BRIDGE new-routing-mark=to_datagroup passthrough=yes
    add action=mark-routing chain=prerouting connection-mark=triolan_conn in-interface=NLT_BRIDGE new-routing-mark=to_triolan passthrough=yes
     
  7. Илья Князев

    Илья Князев Administrator, forum staff

    That can be removed. It is overridden by the next three.
    Note that at this point the packets may already carry a mark.
     
  8. sensor

    sensor New member

    THANK you very much. Everything works now.

    A question about the overriding.
    add action=mark-connection chain=input in-interface=gic new-connection-mark=gic_conn passthrough=yes - we mark incoming connections to the router
    add action=accept chain=prerouting dst-address=91.222.248.0/23 in-interface=NLT_BRIDGE - is this what overrides it? Or do you mean
    add action=mark-connection chain=prerouting in-interface=gic new-connection-mark=gic_conn passthrough=yes ?


    Another question about the balancing: I have 3 links, 30/90/500.
    How do I figure out what ratio to set in per-connection-classifier=both-addresses-and-ports ?
    Because if you make one rule per provider, it comes to the same thing as what I have done now, a 1/2/6 ratio.
     
    Last edited: 30 May 2017
  9. Илья Князев

    Илья Князев Administrator, forum staff

    A packet first goes through Prerouting and only then into input. If you have already marked the connection in prerouting, why do it again?
    Simply put, prerouting receives the packets that will end up both in input and in forward.
    More likely Address only.
     
  10. sensor

    sensor New member

    Sorted everything out. Works as it should. Thanks a lot.
    I'll leave the final version here, maybe it will be useful to someone.

    /ip firewall mangle
    add action=accept chain=prerouting dst-address=91.222.248.0/23 in-interface=NLT_BRIDGE
    add action=accept chain=prerouting dst-address=77.222.144.132/30 in-interface=NLT_BRIDGE
    add action=accept chain=prerouting dst-address=109.86.200.0/24 in-interface=NLT_BRIDGE
    add action=accept chain=prerouting dst-address=192.168.101.0/24 in-interface=NLT_BRIDGE
    add action=mark-connection chain=prerouting in-interface=gic new-connection-mark=gic_conn passthrough=yes
    add action=mark-connection chain=prerouting in-interface=datagroup new-connection-mark=datagroup_conn passthrough=yes
    add action=mark-connection chain=prerouting in-interface=triolan new-connection-mark=triolan_conn passthrough=yes
    add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=datagroup_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/0
    add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=gic_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/1
    add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=gic_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/2
    add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=triolan_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/3
    add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=triolan_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/4
    add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=triolan_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/5
    add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=triolan_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/6
    add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=triolan_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/7
    add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=NLT_BRIDGE new-connection-mark=triolan_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:9/8
    add action=mark-routing chain=prerouting connection-mark=gic_conn in-interface=NLT_BRIDGE new-routing-mark=to_gic passthrough=yes
    add action=mark-routing chain=prerouting connection-mark=datagroup_conn in-interface=NLT_BRIDGE new-routing-mark=to_datagroup passthrough=yes
    add action=mark-routing chain=prerouting connection-mark=triolan_conn in-interface=NLT_BRIDGE new-routing-mark=to_triolan passthrough=yes
    add action=mark-routing chain=output connection-mark=gic_conn new-routing-mark=to_gic passthrough=yes
    add action=mark-routing chain=output connection-mark=datagroup_conn new-routing-mark=to_datagroup passthrough=yes
    add action=mark-routing chain=output connection-mark=triolan_conn new-routing-mark=to_triolan passthrough=yes
     
    Last edited: 30 May 2017
  11. sensor

    sensor New member

    So as not to spawn more threads, another question. Some users on the network complain that because of the different external IP addresses they cannot work normally with external services. There is a need to bind a specific user to one WAN address.
    At first I tried it via Route Rules, binding the IP to a specific table: it works, but access to that user from the network disappears.
    I tried writing it like this
    add action=mark-routing chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=NLT_BRIDGE new-routing-mark=to_triolan passthrough=no src-address=192.168.101.10
    It seems to work, but somehow crookedly. At least access from the network to this user is there now.
     
  12. Илья Князев

    Илья Князев Administrator, forum staff

    Do the distribution with PCC using the src-address classifier.
     
  13. djmirbel

    djmirbel New member

    Hello. I have run into a problem too. I decided to switch from random to PCC balancing, and now there is no access to the router over VPN, no plain access to the router by IP, and from a PC I cannot connect anywhere over VPN. The server is visible from the outside, but not from the LAN.

    /ip firewall mangle
    add action=mark-connection chain=prerouting comment=MTCPCC connection-mark=no-mark disabled=yes in-interface=MTS-PPPOE new-connection-mark=cin_MTS passthrough=yes
    add action=mark-routing chain=prerouting comment=MTCPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP3PCCMTC passthrough=yes per-connection-classifier=src-address-a
    add action=mark-routing chain=output comment=MTCPCC connection-mark=cin_MTS new-routing-mark=ISP3PCCMTC passthrough=yes
    add action=mark-connection chain=input comment=MTCPCC disabled=yes in-interface=MTS-PPPOE new-connection-mark=cin_MTS passthrough=yes
    add action=mark-connection chain=prerouting comment=NBNPCC connection-mark=no-mark disabled=yes in-interface=NBN new-connection-mark=cin_NBN passthrough=yes
    add action=mark-routing chain=prerouting comment=NBNPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP2PCCNBN passthrough=yes per-connection-classifier=src-address-a
    add action=mark-routing chain=prerouting comment=NBNPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP2PCCNBN passthrough=yes per-connection-classifier=src-address-a
    add action=mark-routing chain=prerouting comment=NBNPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP2PCCNBN passthrough=yes per-connection-classifier=src-address-a
    add action=mark-routing chain=output comment=NBNPCC connection-mark=cin_NBN new-routing-mark=ISP2PCCNBN passthrough=yes
    add action=mark-connection chain=input comment=NBNPCC disabled=yes in-interface=NBN new-connection-mark=cin_NBN passthrough=yes
    add action=mark-connection chain=prerouting comment=RUSICHPCC connection-mark=no-mark disabled=yes in-interface=RUSICH new-connection-mark=cin_Rusich passthrough=yes
    add action=mark-routing chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP1PCCRUSICH passthrough=no src-address=10.5.27.169
    add action=mark-routing chain=prerouting comment=RUSICHPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP1PCCRUSICH passthrough=yes per-connection-classifier=src-add
    add action=mark-routing chain=prerouting comment=RUSICHPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP1PCCRUSICH passthrough=yes per-connection-classifier=src-add
    add action=mark-routing chain=prerouting comment=RUSICHPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP1PCCRUSICH passthrough=yes per-connection-classifier=src-add
    add action=mark-routing chain=prerouting comment=RUSICHPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP1PCCRUSICH passthrough=yes per-connection-classifier=src-add
    add action=mark-routing chain=prerouting comment=RUSICHPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP1PCCRUSICH passthrough=yes per-connection-classifier=src-add
    add action=mark-routing chain=prerouting comment=RUSICHPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP1PCCRUSICH passthrough=yes per-connection-classifier=src-add
    add action=mark-routing chain=output comment=RUSICHPCC connection-mark=cin_Rusich new-routing-mark=ISP1PCCRUSICH passthrough=yes
    add action=mark-connection chain=input comment=RUSICHPCC disabled=yes in-interface=RUSICH new-connection-mark=cin_Rusich passthrough=yes

    /ip firewall nat
    add action=masquerade chain=srcnat comment=PCC out-interface=RUSICH
    add action=masquerade chain=srcnat comment=PCC out-interface=NBN
    add action=masquerade chain=srcnat comment=PCC out-interface=MTS-PPPOE
    add action=dst-nat chain=dstnat dst-address=(1)Белый ИП dst-port=80 in-interface=NBN protocol=tcp to-addresses=192.168.1.102 to-ports=80
    add action=dst-nat chain=dstnat dst-address=(1)Белый ИП dst-port=8080 in-interface=NBN protocol=tcp to-addresses=192.168.1.102 to-ports=8080
    add action=dst-nat chain=dstnat dst-address=(1)PublicIP dst-port=8083 in-interface=NBN protocol=tcp to-addresses=192.168.1.102 to-ports=8083
    add action=dst-nat chain=dstnat dst-address=(1)PublicIP dst-port=443 in-interface=NBN protocol=tcp to-addresses=192.168.1.102 to-ports=443
    add action=dst-nat chain=dstnat dst-address=(1)PublicIP dst-port=3074 in-interface=NBN protocol=tcp to-addresses=10.5.27.208 to-ports=3074
    add action=dst-nat chain=dstnat dst-address=(1)PublicIP dst-port=3389 in-interface=NBN protocol=tcp to-addresses=10.5.27.201 to-ports=3389
    add action=dst-nat chain=dstnat dst-address=(2)PublicIP dst-port=80 in-interface=RUSICH protocol=tcp to-addresses=192.168.1.102 to-ports=80
    add action=dst-nat chain=dstnat dst-address=(2)PublicIP dst-port=8080 in-interface=RUSICH protocol=tcp to-addresses=192.168.1.102 to-ports=8080
    add action=dst-nat chain=dstnat dst-address=(2)PublicIP dst-port=8083 in-interface=RUSICH protocol=tcp to-addresses=192.168.1.102 to-ports=8083
    add action=dst-nat chain=dstnat dst-address=(2)PublicIP dst-port=443 in-interface=RUSICH protocol=tcp to-addresses=192.168.1.102 to-ports=443
    add action=dst-nat chain=dstnat dst-address=(2)PublicIP dst-port=3074 in-interface=RUSICH protocol=tcp to-addresses=10.5.27.208 to-ports=3074
    add action=dst-nat chain=dstnat dst-address=(2)PublicIP dst-port=3389 in-interface=RUSICH protocol=tcp to-addresses=10.5.27.201 to-ports=3389
    add action=dst-nat chain=dstnat dst-address=(3)PublicIP dst-port=80 in-interface=MTS-PPPOE protocol=tcp to-addresses=192.168.1.102 to-ports=80
    add action=dst-nat chain=dstnat dst-address=(3)PublicIP dst-port=8083 in-interface=MTS-PPPOE protocol=tcp to-addresses=192.168.1.102 to-ports=8083
    add action=dst-nat chain=dstnat dst-address=(3)PublicIP dst-port=8080 in-interface=MTS-PPPOE protocol=tcp to-addresses=192.168.1.102 to-ports=8080
    add action=dst-nat chain=dstnat dst-address=(3)PublicIP dst-port=443 in-interface=MTS-PPPOE protocol=tcp to-addresses=192.168.1.102 to-ports=443
    add action=dst-nat chain=dstnat dst-address=(3)PublicIP dst-port=3074 in-interface=MTS-PPPOE protocol=tcp to-addresses=10.5.27.208 to-ports=3074
    add action=dst-nat chain=dstnat dst-address=(3)PublicIP dst-port=3389 in-interface=MTS-PPPOE protocol=tcp to-addresses=10.5.27.201 to-ports=3389
    add action=dst-nat chain=dstnat dst-address=(3)PublicIP dst-port=53 in-interface=NBN protocol=udp to-addresses=192.168.1.102 to-ports=53
    add action=dst-nat chain=dstnat dst-address=(3)PublicIP dst-port=53 in-interface=MTS-PPPOE protocol=udp to-addresses=192.168.1.102 to-ports=53
    add action=dst-nat chain=dstnat dst-address=(2)PublicIP dst-port=53 in-interface=RUSICH protocol=udp to-addresses=192.168.1.102 to-ports=53
     
  14. djmirbel

    djmirbel New member

    /ip route
    add check-gateway=ping comment=ISP1PCCRUSICH distance=1 gateway=8.8.8.8 routing-mark=ISP1PCCRUSICH
    add comment=ISP2PCCNBN distance=10 gateway=8.8.4.4 routing-mark=ISP1PCCRUSICH
    add comment=ISP3PCCMTC distance=20 gateway=4.2.2.1 routing-mark=ISP1PCCRUSICH
    add check-gateway=ping comment=ISP2PCCNBN distance=1 gateway=8.8.4.4 routing-mark=ISP2PCCNBN
    add comment=ISP1PCCRUSICH distance=10 gateway=8.8.8.8 routing-mark=ISP2PCCNBN
    add comment=ISP3PCCMTC distance=20 gateway=4.2.2.1 routing-mark=ISP2PCCNBN
    add check-gateway=ping comment=ISP3PCCMTC distance=1 gateway=4.2.2.1 routing-mark=ISP3PCCMTC
    add comment=ISP1PCCRUSICH distance=10 gateway=8.8.8.8 routing-mark=ISP3PCCMTC
    add comment=ISP2PCCNBN distance=20 gateway=8.8.4.4 routing-mark=ISP3PCCMTC
    add comment=MTC2 distance=1 dst-address=4.2.2.1/32 gateway=(3)PublicIP scope=10
    add comment=MTC1 disabled=yes distance=1 dst-address=4.2.2.1/32 gateway=(3)PublicIP scope=10
    add comment=PCCrekursive distance=1 dst-address=8.8.4.4/32 gateway=(1)PublicIP scope=10
    add comment=PCCrekursive distance=1 dst-address=8.8.8.8/32 gateway=(2)PublicIP scope=10
    add distance=1 dst-address=10.18.10.0/24 gateway=Mir
    add distance=1 dst-address=172.16.18.2/32 gateway=*8E
    add distance=1 dst-address=192.168.8.0/24 gateway=sasha

    /ip route rule (all disabled)
    add action=lookup-only-in-table disabled=yes src-address=PublicIP table=ISP3PCCMTC
    add action=lookup-only-in-table disabled=yes src-address=PublicIP table=ISP2PCCNBN
    add action=lookup-only-in-table disabled=yes src-address=PublicIP table=ISP1PCCRUSICH

    /ip route print
    Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
    # DST-ADDRESS PREF-SRC GATEWAY DISTANCE
    0 A S ;;; ISP1PCCRUSICH
    0.0.0.0/0 8.8.8.8 1
    1 S ;;; ISP2PCCNBN
    0.0.0.0/0 8.8.4.4 10
    2 S ;;; ISP3PCCMTC
    0.0.0.0/0 4.2.2.1 20
    3 A S ;;; ISP2PCCNBN
    0.0.0.0/0 8.8.4.4 1
    4 S ;;; ISP1PCCRUSICH
    0.0.0.0/0 8.8.8.8 10
    5 S ;;; ISP3PCCMTC
    0.0.0.0/0 4.2.2.1 20
    6 S 10.18.0.0/24 Mir 1
    7 A S ;;; ISP3PCCMTC
    0.0.0.0/0 4.2.2.1 1
    8 S ;;; ISP1PCCRUSICH
    0.0.0.0/0 8.8.8.8 10
    9 S ;;; ISP2PCCNBN
    0.0.0.0/0 8.8.4.4 20
    10 X S 0.0.0.0/0 PublicIP 1
    11 X S 0.0.0.0/0 PublicIP 1
    12 X S 0.0.0.0/0 PublicIP 1
    13 A S 0.0.0.0/0 PublicIP Br-Loopback 254
    14 A S ;;; MTC2
    4.2.2.1/32 PublicIP 1
    15 X S ;;; MTC1
    4.2.2.1/32 PublicIP 1
    16 A S ;;; PCCrekursive
    8.8.4.4/32 PublicIP 1
    17 A S ;;; PCCrekursive
    8.8.8.8/32 PublicIP 1
    18 ADC 10.5.27.0/24 10.5.27.1 bridge1 0
    19 ADC PublicIP PublicIP RUSICH 0
    20 ADC PublicIP PublicIP MTS-PPPOE 0
    21 S 172.16.18.2/32 *8E 1
    22 ADC PublicIP PublicIP NBN 0
    23 ADC 192.168.1.0/24 192.168.1.1 bridge-server 0
    24 S 192.168.8.0/24 sasha 1
    25 ADC 192.168.10.0/24 192.168.10.1 bridge-
     
  15. Илья Князев

    Илья Князев Administrator, forum staff

    You have no connection marking on incoming traffic, so the routing mark in the output chain never takes effect.
     
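    The marking scheme the previous post refers to, written out as an added example for this thread (it is not the poster's configuration and not copied from any MikroTik document). It reuses the interface names NBN, RUSICH and MTS-PPPOE, the interface list bridgeALL, the connection marks cin_NBN, cin_Rusich and cin_MTS, the routing marks ISP1PCCRUSICH, ISP2PCCNBN and ISP3PCCMTC, and the 1:3:6 PCC split visible in the thread; it assumes the per-mark routing tables from the route export above exist, and the address list LAN-nets is an assumption built from the connected and static LAN subnets in the route print. The point is that every connection entering from a WAN, whether it terminates on the router or is dst-nat'ed to a LAN host, gets a connection mark in prerouting, and then both the router's own replies (chain output) and the forwarded replies coming back from the LAN (chain prerouting, in-interface-list=bridgeALL) are routed by that mark. PCC is applied only to still-unmarked LAN-originated connections.

```routeros
/ip firewall address-list
# Assumed list of LAN subnets taken from the route print in the thread.
add list=LAN-nets address=10.5.27.0/24
add list=LAN-nets address=192.168.1.0/24
add list=LAN-nets address=192.168.10.0/24
add list=LAN-nets address=10.18.10.0/24
add list=LAN-nets address=192.168.8.0/24

/ip firewall mangle
# 0. LAN-to-LAN traffic must never get a routing mark: a marked table only has the
#    default routes, so a marked LAN-to-LAN packet would be sent out of a WAN.
add chain=prerouting in-interface-list=bridgeALL dst-address-list=LAN-nets action=accept comment="LAN to LAN, no marks"

# 1. Remember which WAN a connection came in on. prerouting (rather than input) covers
#    both traffic addressed to the router and traffic that will be dst-nat'ed to a LAN host.
add chain=prerouting in-interface=NBN       connection-mark=no-mark action=mark-connection new-connection-mark=cin_NBN    passthrough=yes comment="WAN in: NBN"
add chain=prerouting in-interface=RUSICH    connection-mark=no-mark action=mark-connection new-connection-mark=cin_Rusich passthrough=yes comment="WAN in: RUSICH"
add chain=prerouting in-interface=MTS-PPPOE connection-mark=no-mark action=mark-connection new-connection-mark=cin_MTS    passthrough=yes comment="WAN in: MTS"

# 2. Replies generated by the router itself follow the connection mark.
add chain=output connection-mark=cin_NBN    action=mark-routing new-routing-mark=ISP2PCCNBN    passthrough=no
add chain=output connection-mark=cin_Rusich action=mark-routing new-routing-mark=ISP1PCCRUSICH passthrough=no
add chain=output connection-mark=cin_MTS    action=mark-routing new-routing-mark=ISP3PCCMTC    passthrough=no

# 3. PCC for new, unmarked, LAN-originated connections to non-local destinations.
#    Same 1:3:6 split as in the thread: bucket 0 -> MTS, 1..3 -> NBN, the rest -> RUSICH.
#    The last rule needs no classifier: whatever is still unmarked after the first four falls into it.
add chain=prerouting in-interface-list=bridgeALL connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=src-address-and-port:10/0 action=mark-connection new-connection-mark=cin_MTS passthrough=yes
add chain=prerouting in-interface-list=bridgeALL connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=src-address-and-port:10/1 action=mark-connection new-connection-mark=cin_NBN passthrough=yes
add chain=prerouting in-interface-list=bridgeALL connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=src-address-and-port:10/2 action=mark-connection new-connection-mark=cin_NBN passthrough=yes
add chain=prerouting in-interface-list=bridgeALL connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=src-address-and-port:10/3 action=mark-connection new-connection-mark=cin_NBN passthrough=yes
add chain=prerouting in-interface-list=bridgeALL connection-mark=no-mark dst-address-type=!local \
    action=mark-connection new-connection-mark=cin_Rusich passthrough=yes comment="buckets 4..9"

# 4. Every packet from the LAN side is routed by its connection mark. This serves both the
#    PCC-balanced outgoing connections and the replies of a port-forwarded server, which
#    thereby leave through the WAN the connection arrived on.
add chain=prerouting in-interface-list=bridgeALL connection-mark=cin_NBN    action=mark-routing new-routing-mark=ISP2PCCNBN    passthrough=no
add chain=prerouting in-interface-list=bridgeALL connection-mark=cin_Rusich action=mark-routing new-routing-mark=ISP1PCCRUSICH passthrough=no
add chain=prerouting in-interface-list=bridgeALL connection-mark=cin_MTS    action=mark-routing new-routing-mark=ISP3PCCMTC    passthrough=no
```

    Rule order matters: the accept rule and the WAN mark-connection rules must come before the PCC rules, and the mark-routing rules in prerouting must come after them, otherwise the first packet of a new LAN connection leaves without a routing mark. To check, open a port forward from outside and run `/ip firewall connection print where connection-mark=cin_NBN` (or the other marks), then `/ip firewall mangle print stats` and confirm the counter of the matching prerouting mark-routing rule grows on the server's replies.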
  16. djmirbel

    djmirbel New member

    Should that be added in the routes or in mangle?
     
  17. Илья Князев

    Илья Князев Administrator, forum staff

  18. djmirbel

    djmirbel New member


    I did it based on that post


    /ip firewall mangle
    add action=mark-connection chain=prerouting comment=MTCPCC dst-address=PublicIP in-interface=MTS-PPPOE new-connection-mark=cin_MTS passthrough=yes
    add action=mark-routing chain=output comment=MTCPCC connection-mark=cin_MTS new-routing-mark=ISP2PCCNBN passthrough=yes src-address=PublicIP
    add action=mark-routing chain=output comment=MTSPCC connection-mark=cin_MTS connection-state="" new-routing-mark=ISP3PCCMTC passthrough=yes
    add action=mark-routing chain=prerouting comment=MTCPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP3PCCMTC passthrough=yes per-connection-classifier=src-address-and-port:10/0
    add action=mark-connection chain=input comment=MTCPCC disabled=yes in-interface=MTS-PPPOE new-connection-mark=cin_MTS passthrough=yes
    add action=mark-connection chain=prerouting comment=NBNPCC dst-address=PublicIP in-interface=NBN new-connection-mark=cin_NBN passthrough=yes
    add action=mark-routing chain=output comment=NBNPCC connection-mark=cin_NBN new-routing-mark=ISP2PCCNBN passthrough=yes src-address=PublicIP
    add action=mark-routing chain=output comment=NBNPCC connection-mark=cin_NBN new-routing-mark=ISP3PCCMTC passthrough=yes
    add action=mark-routing chain=prerouting comment=NBNPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP2PCCNBN passthrough=yes per-connection-classifier=src-address-and-port:10/1
    add action=mark-routing chain=prerouting comment=NBNPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP2PCCNBN passthrough=yes per-connection-classifier=src-address-and-port:10/2
    add action=mark-routing chain=prerouting comment=NBNPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP2PCCNBN passthrough=yes per-connection-classifier=src-address-and-port:10/3
    add action=mark-connection chain=input comment=NBNPCC disabled=yes in-interface=NBN new-connection-mark=cin_NBN passthrough=yes
    add action=mark-connection chain=prerouting comment=RUSICHPCC dst-address=PublicIP in-interface=RUSICH new-connection-mark=cin_Rusich passthrough=yes
    add action=mark-routing chain=output comment=RUSICHPCC connection-mark=cin_Rusich new-routing-mark=ISP1PCCRUSICH passthrough=yes src-address=PublicIP
    add action=mark-routing chain=output comment=RUSICHPCC connection-mark=cin_Rusich connection-state="" new-routing-mark=ISP1PCCRUSICH passthrough=no
    add action=mark-routing chain=prerouting comment=RUSICHPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP1PCCRUSICH passthrough=yes per-connection-classifier=\
    src-address-and-port:10/4
    add action=mark-routing chain=prerouting comment=RUSICHPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP1PCCRUSICH passthrough=yes per-connection-classifier=\
    src-address-and-port:10/5
    add action=mark-routing chain=prerouting comment=RUSICHPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP1PCCRUSICH passthrough=yes per-connection-classifier=\
    src-address-and-port:10/6
    add action=mark-routing chain=prerouting comment=RUSICHPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP1PCCRUSICH passthrough=yes per-connection-classifier=\
    src-address-and-port:10/7
    add action=mark-routing chain=prerouting comment=RUSICHPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP1PCCRUSICH passthrough=yes per-connection-classifier=\
    src-address-and-port:10/8
    add action=mark-routing chain=prerouting comment=RUSICHPCC dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP1PCCRUSICH passthrough=yes per-connection-classifier=\
    src-address-and-port:10/9
    add action=mark-connection chain=input comment=RUSICHPCC disabled=yes in-interface=RUSICH new-connection-mark=cin_Rusich passthrough=yes
    add action=mark-routing chain=prerouting connection-mark=no-mark disabled=yes dst-address-type=!local in-interface-list=bridgeALL new-routing-mark=ISP1PCCRUSICH passthrough=no src-address=10.5.27.169
     
  19. djmirbel

    djmirbel New member

    Everything worked except for one thing: there is no access to the local server from inside the network, although access from outside works.
     
  20. Илья Князев

    Илья Князев Administrator, forum staff

    Are you connecting to it from inside the network by its external address?
    If so, hairpin NAT will help you.
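    The hairpin NAT the administrator means, as an added example for this thread (it is not the poster's configuration). It uses the web server 192.168.1.102 on bridge-server and the (1)PublicIP placeholder from the NAT export earlier in the thread; the port 80 forward is shown, the other ports and public addresses are done the same way. One caveat follows directly from the posted rules: every dst-nat rule there matches in-interface=NBN, RUSICH or MTS-PPPOE, so a LAN client's packet to the public address, which enters on the bridge and not on a WAN interface, never hits them and the forward is never applied from inside. The forward therefore has to match on the address instead, and a second srcnat rule is needed for the case where client and server are in the same subnet.

```routeros
/ip firewall nat
# Port forward matched on the public address rather than on in-interface=NBN, so that a
# LAN client's packet to (1)PublicIP (which arrives on the bridge) is translated as well.
add chain=dstnat dst-address=(1)PublicIP protocol=tcp dst-port=80 \
    action=dst-nat to-addresses=192.168.1.102 to-ports=80 comment="web: WAN and hairpin"

# Hairpin: when client and server are both in 192.168.1.0/24, also rewrite the source to the
# router's bridge address. Without this the server sees the client's LAN address, answers it
# directly on the same segment, and the client drops the reply because it comes from
# 192.168.1.102 instead of (1)PublicIP, which it sent the SYN to.
add chain=srcnat src-address=192.168.1.0/24 dst-address=192.168.1.102 protocol=tcp dst-port=80 \
    out-interface=bridge-server action=masquerade comment="hairpin NAT"
```

    Clients in the other LAN subnets (10.5.27.0/24, 192.168.10.0/24) do not need the masquerade, because the server's replies to them pass back through the router anyway and the dst-nat is reversed there; widening src-address to all LAN subnets is harmless though. Note that dropping in-interface from the dst-nat rules does not expose the server on the other providers' addresses, since each rule still matches only its own public address. To confirm the hairpin path is used, connect from a 192.168.1.0/24 host to http://(1)PublicIP/ and watch both counters grow in `/ip firewall nat print stats`.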