Introduction
ISP
- WTT: FIX IP (DHCP) [GW: 192.168.88.1]
- HKBN: FIX IP (Static IP) [GW: 192.168.10.1]
Diagram
                  /ISP_1(DHCP)[88.101]
    8.1 --- R
                  \ISP_2(Fix)[10.101]
Route selection
Routes with smaller distance value are given preference.
- Connected routes: 0
- Static routes: 1
- ...
- Disable routes: 255
Part 1: Dual Wan FailOver
Note: ISP_1 (DHCP) is the primary link; ISP_2 (Fix) serves as the spare.
Step 1: Give the NICs suitable names
/interface ethernet
set [ find default-name=ether1 ] comment=WTT name=ISP_1
set [ find default-name=ether2 ] comment=HKBN name=ISP_2
set [ find default-name=ether5 ] arp=proxy-arp name=LAN
Step 2: Put the ports into an interface list
# WAN
/interface list add name=WAN
/interface list member
add interface=ISP_1 list=WAN
add interface=ISP_2 list=WAN
Step 3: Assign IP addresses to the NICs
LAN
/ip address add address=192.168.8.1/24 interface=LAN network=192.168.8.0
ISP1 (DHCP)
/ip dhcp-client add default-route-distance=254 interface=ISP_1
ISP2 (Static IP)
/ip address add address=192.168.10.101/24 interface=ISP_2 network=192.168.10.0
Step 4: Route
/ip route
add distance=12 gateway=192.168.10.1
Remark: two lines (no DHCP line)
If both lines use a fixed IP, route failover is much simpler:
/ip route add gateway=192.168.10.1 check-gateway=ping
/ip route add gateway=192.168.88.1 distance=2
The first gateway is used initially because its distance is smaller (default 1); check-gateway makes sure it is up, and when the gateway stops answering ping the route becomes inactive, so the distance-2 route takes over.
Step 5: Filter rules a default setup should have
/ip firewall filter
add action=fasttrack-connection chain=forward
add action=accept chain=input protocol=icmp comment="#### allow ping #####"
add action=accept chain=forward connection-state=established,related comment="#### First ####"
add action=drop chain=forward connection-state=invalid
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface=LAN comment="#### LAN ####"
add action=accept chain=forward in-interface=LAN
add action=drop chain=input in-interface-list=WAN comment="#### LAST ####"
add action=drop chain=forward in-interface-list=WAN
Step 6: ISP_1 failover to ISP_2 rule (because ISP_1 is DHCP, 'check-gateway' has to be set through '/routing filter')
/routing filter
add action=accept chain=dynamic-in distance=254 set-check-gateway=ping \
set-distance=11
Diagram at this point
                  /ISP_1(DHCP)[88.101]   # route distance: 254->11
    8.1 --- R
                  \ISP_2(Fix)[10.101]    # route distance: 12
Step 7: Set up NAT for internet access
# LAN Subnet
/ip firewall address-list add address=192.168.8.0/24 list=LAN
/ip firewall nat add action=masquerade chain=srcnat out-interface-list=WAN src-address-list=LAN comment="Internet NAT"
Step 8: DNAT
/ip firewall filter add action=accept chain=forward comment=NAT dst-port=55555 protocol=tcp
/ip firewall nat add action=dst-nat chain=dstnat dst-port=55555 protocol=tcp \
    to-addresses=192.168.8.2 to-ports=55555
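To see which flows the Step 5 rule set actually admits, and where the Step 8 accept ends up when it is appended last, here is a first-match model of those rules run over constructed packets. This is an added example in Python, not RouterOS code and not the author's; the fasttrack rule is omitted because it does not terminate rule processing, and the packet fields are a simplified assumption.

```python
# Added example, not from the original page: first-match evaluation of the Step 5
# filter rules plus the Step 8 accept (appended last, as on the page) over
# constructed packets. fasttrack-connection is left out (non-terminating).
from dataclasses import dataclass

WAN_LIST = {"ISP_1", "ISP_2"}   # members of the /interface list WAN


@dataclass
class Packet:
    chain: str                  # "input" (to the router) or "forward" (through it)
    in_iface: str
    protocol: str = "tcp"
    conn_state: str = "new"     # new, established, related, invalid
    dst_port: int = 0


# (chain, matchers, action) in the order the page adds them; Step 8's rule is last
RULES = [
    ("input",   {"protocol": "icmp"},                        "accept"),
    ("forward", {"conn_state": {"established", "related"}},  "accept"),
    ("forward", {"conn_state": {"invalid"}},                 "drop"),
    ("input",   {"conn_state": {"established", "related"}},  "accept"),
    ("input",   {"conn_state": {"invalid"}},                 "drop"),
    ("input",   {"in_iface": "LAN"},                         "accept"),
    ("forward", {"in_iface": "LAN"},                         "accept"),
    ("input",   {"in_list": "WAN"},                          "drop"),
    ("forward", {"in_list": "WAN"},                          "drop"),
    ("forward", {"protocol": "tcp", "dst_port": 55555},      "accept"),  # Step 8
]


def matches(pkt: Packet, m: dict) -> bool:
    """Every matcher of a rule must hold for the rule to apply."""
    checks = {
        "protocol":   lambda v: pkt.protocol == v,
        "conn_state": lambda v: pkt.conn_state in v,
        "in_iface":   lambda v: pkt.in_iface == v,
        "in_list":    lambda v: pkt.in_iface in WAN_LIST,
        "dst_port":   lambda v: pkt.dst_port == v,
    }
    return all(checks[k](v) for k, v in m.items())


def verdict(pkt: Packet, rules=RULES) -> str:
    """First matching rule in the packet's chain decides; no match means accept."""
    for chain, m, action in rules:
        if chain == pkt.chain and matches(pkt, m):
            return action
    return "accept"


def dnat_rule_effective(rules=RULES) -> bool:
    """Does a new TCP/55555 connection arriving on ISP_1 get forwarded?"""
    return verdict(Packet("forward", "ISP_1", dst_port=55555), rules) == "accept"
```

Rule order is what matters here: appended as on the page, the Step 8 accept sits after the final `drop chain=forward in-interface-list=WAN` and never matches an incoming connection. Placing it before that drop (RouterOS `place-before=`) lets the forwarded DNAT traffic through.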
Part 2: Dual WAN DNAT
[1] Add two extra routes
/ip route
add check-gateway=ping distance=1 gateway=192.168.88.1 routing-mark=ISP1_Route
add check-gateway=ping distance=1 gateway=192.168.10.1 routing-mark=ISP2_Route
[2] Rule that skips [3~N] for local traffic (prevents a loop)
/ip firewall address-list
add address=192.168.88.0/24 list=Connected
add address=192.168.10.0/24 list=Connected
add address=192.168.8.0/24 list=Connected
/ip firewall mangle
add action=accept chain=prerouting comment="Connected Network" \
    dst-address-list=Connected src-address-list=Connected
[3] WAN to ROS (INPUT chain)
/ip firewall mangle
add chain=input in-interface=ISP_1 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN1->ROS passthrough=yes
add chain=output connection-mark=WAN1->ROS \
    action=mark-routing new-routing-mark=ISP1_Route passthrough=no
add chain=input in-interface=ISP_2 connection-mark=no-mark \
    action=mark-connection new-connection-mark=WAN2->ROS passthrough=yes
add chain=output connection-mark=WAN2->ROS \
    action=mark-routing new-routing-mark=ISP2_Route passthrough=no
[4] WAN to LAN (for DNAT)
/ip firewall mangle
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=ISP_1 new-connection-mark=WAN1->LAN passthrough=yes \
    comment=WAN->LAN
add action=mark-connection chain=forward connection-mark=no-mark \
    in-interface=ISP_2 new-connection-mark=WAN2->LAN passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN1->LAN \
    in-interface=LAN new-routing-mark=ISP1_Route passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2->LAN \
    in-interface=LAN new-routing-mark=ISP2_Route passthrough=yes
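The route selection used in Part 1 (smallest distance wins, check-gateway deactivates a route whose gateway stops answering) and the per-ISP tables of Part 2 (a routing-mark selects its own table, falling back to main when that table has no usable route) modelled in Python. This is an added example, not RouterOS code and not the author's; the gateways and distances are the page's, while the reachability map and the fallback behaviour are assumptions of the model.

```python
# Added example, not from the original page: a small model of how RouterOS picks a
# gateway from the routes configured in Part 1 and Part 2 (simplified assumption).
from dataclasses import dataclass
from typing import Optional


@dataclass
class Route:
    gateway: str
    distance: int
    routing_mark: Optional[str] = None   # None = main table
    check_gateway: bool = False          # check-gateway=ping on the page
    dst: str = "0.0.0.0/0"


def routes_after_part1():
    """Main-table default routes of Part 1: ISP_1 (DHCP, distance 254 rewritten to 11
    by the routing filter, with check-gateway) and ISP_2 (static, distance 12)."""
    return [
        Route("192.168.88.1", 11, check_gateway=True),   # ISP_1
        Route("192.168.10.1", 12),                        # ISP_2
    ]


def routes_after_part2():
    """Part 2 adds one default route per ISP, each in its own routing-mark table."""
    return routes_after_part1() + [
        Route("192.168.88.1", 1, routing_mark="ISP1_Route", check_gateway=True),
        Route("192.168.10.1", 1, routing_mark="ISP2_Route", check_gateway=True),
    ]


def select_gateway(routes, reachable, routing_mark=None):
    """Return the gateway used for a packet.

    reachable: constructed map gateway -> bool, the ping result of check-gateway.
    A check-gateway route whose gateway is unreachable is inactive; among active
    routes the smallest distance wins; a marked table is consulted first and the
    main table only if that table yields nothing.
    """
    def usable(r):
        return not r.check_gateway or reachable.get(r.gateway, False)

    tables = ([routing_mark] if routing_mark else []) + [None]
    for table in tables:
        cands = [r for r in routes if r.routing_mark == table and usable(r)]
        if cands:
            return min(cands, key=lambda r: r.distance).gateway
    return None
```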
Part 3: Dual WAN Load Balancing
[1] Where the default route is decided
/ip firewall mangle
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-list=!Connected dst-address-type=!local src-address-list=LAN \
    new-connection-mark=LAN->WAN passthrough=yes comment=LAN->WAN
add action=mark-routing chain=prerouting connection-mark=LAN->WAN \
    new-routing-mark=ISP2_Route passthrough=yes src-address-list=LAN \
    comment="Load-Balancing-Rule"
[2] LAN to WAN sticky connections
/ip firewall mangle
add chain=prerouting connection-mark=LAN->WAN routing-mark=ISP1_Route \
    action=mark-connection new-connection-mark=Sticky_ISP1 passthrough=yes
add chain=prerouting connection-mark=LAN->WAN routing-mark=ISP2_Route \
    action=mark-connection new-connection-mark=Sticky_ISP2 passthrough=yes
add chain=prerouting src-address-list=LAN connection-mark=Sticky_ISP1 \
    action=mark-routing new-routing-mark=ISP1_Route
add chain=prerouting src-address-list=LAN connection-mark=Sticky_ISP2 \
    action=mark-routing new-routing-mark=ISP2_Route
[3] ...
# Create address lists to bypass load balancing
/ip firewall address-list
add list="ISP1_USER" address=192.168.8.91/32 comment=""
add list="ISP2_USER" address=192.168.8.92/32 comment=""
# Force traffic out through particular internet connections
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark="ISP1_Route" src-address-list="ISP1_USER" passthrough=no
add chain=prerouting action=mark-routing new-routing-mark="ISP2_Route" src-address-list="ISP2_USER" passthrough=no
add chain=prerouting action=mark-routing new-routing-mark="WEB traffic" passthrough=no dst-port=80 protocol=tcp
add chain=prerouting action=mark-routing new-routing-mark="WEB traffic" passthrough=no dst-port=443 protocol=tcp
add chain=prerouting action=mark-routing new-routing-mark="MAIL traffic" passthrough=no dst-port=25 protocol=tcp
add chain=prerouting action=mark-routing new-routing-mark="MAIL traffic" passthrough=no dst-port=143 protocol=tcp
add chain=prerouting action=mark-routing new-routing-mark="MAIL traffic" passthrough=no dst-port=110 protocol=tcp
add chain=prerouting action=mark-routing new-routing-mark="Unknown traffic" passthrough=no
/ip route
add dst-address=0.0.0.0/0 gateway=10.0.1.1 scope=255 target-scope=10 routing-mark="ISP1_Route"
add dst-address=0.0.0.0/0 gateway=10.0.2.1 scope=255 target-scope=10 routing-mark="ISP2_Route"
add dst-address=0.0.0.0/0 gateway=10.0.2.1 scope=255 target-scope=10 routing-mark="WEB traffic"
add dst-address=0.0.0.0/0 gateway=10.0.1.1 scope=255 target-scope=10 routing-mark="MAIL traffic"
add dst-address=0.0.0.0/0 gateway=10.0.1.1 scope=255 target-scope=10 routing-mark="Unknown traffic"