ROS环境版本：RouterOS 7.6

带宽接入：

电信：1000M（双拨）

联通：1000M

1、配置过程：

1.1、建立brideg桥接lan口，以及虚拟机接口vrrp用于pppoe拨号

请根据自身环境情况，对如下操作进行调整，本环境中，电信口位于eth1，联通口位于eth2，创建brideg桥接接口并绑定为eth3，给brideg口分配个IP地址，比如192.168.10.254作为ros地址。

1.1.1、创建vrrp接口

/interface vrrp add name=CT1-1vrrp1 interface=eth1 vrid=1
/interface vrrp add name=CT2-vrrp2 interface=eth1 vrid=2
/interface vrrp add name=CU1-vrrp3 interface=eth2 vrid=3

1.1.2、创建brideg接口

建立名为bridge1的桥接口
interface bridge add name=”bridge1” disable=no
将eth4加入到这个新建的桥中
interface bridge port add interface=ether4 bridge=bridge1
设置桥的IP地址，如192.168.10.254
ip address add address 192.168.10.254/24 interface=bridge1

1.1.3、给vrrp以及对应接口分配IP地址，否则vrrp无法上线

/ip address add address=192.168.1.2/24 interface=eth1
/ip address add address=192.168.2.2/24 interface=eth2
/ip address add address=192.168.1.3/24 interface=vrrp1
/ip address add address=192.168.1.4/24 interface=vrrp2
/ip address add address=192.168.2.3/24 interface=vrrp3

1.2、建立pppoe拨号

/interface pppoe-client add name=pppoe-CT1 max-mtu=1480 max-mru=1480 interface=vrrp1 user=宽带帐号 password=宽带密码 add-default-route=no disable=no
/interface pppoe-client add name=pppoe-CT2 max-mtu=1480 max-mru=1480 interface=vrrp2 user=宽带帐号 password=宽带密码 add-default-route=no disable=no
/interface pppoe-client add name=pppoe-CU1 max-mtu=1480 max-mru=1480 interface=vrrp3 user=宽带帐号 password=宽带密码 add-default-route=no disable=no

2、防火墙基础防护配置

下面第五行"src-address=192.168.10.0/24"，这个是我内网的网段，表示该ip段可以连入ros，进行设置。根据自己情况改。

/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"  
add chain=input connection-state=established action=accept comment="Allow Established connections"  
add chain=input protocol=icmp action=accept comment="Allow ICMP"  
add chain=input src-address=192.168.10.0/24 action=accept in-interface=bridge1
add chain=input action=drop comment="Drop everything else"

add chain=output action=accept comment="accept everything"

add chain=forward connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=forward connection-state=established action=accept comment="Allow Established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"

add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp

add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="Port scanners"
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=drop comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=drop comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=drop comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=drop comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=drop comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=drop comment="NMAP NULL scan"

4、建立snat伪装

/ip firewall nat
add chain=srcnat out-interface=pppoe-CT1 action=masquerade
add chain=srcnat out-interface=pppoe-CT2 action=masquerade
add chain=srcnat out-interface=pppoe-CU1 action=masquerade

5、设置路由表

/routing table
add fib name=CT1
add fib name=CT2
add fib name=CU1

6、PCC带宽负载均衡

下载文件

https://github.com/zealic/autorosvpn（该源国内地址表已经较老，目前暂未找到合适最新的地址表）

chnroutes-chinanet.rsc

chnroutes-cnc.rsc

导入到winbox的Files里

运行如下，把ip段导入ros firewall的address lists里，供下面标记时使用。（防止重复导入，前两行是删除现有的电信段与联通段）

/ip firewall address-list remove [find list="chnroutes-chinanet"]
/ip firewall address-list remove [find list="chnroutes-cnc"]
/import chnroutes-chinanet.rsc
/import chnroutes-chinacnc.rsc

6.1排除内网通讯

/ip firewall address-list
add address=192.168.10.0/24 list=local comment=local

/ip firewall mangle
add chain=prerouting src-address-list=local dst-address-list=local action=accept comment="local"

6.2源进标记

/ip firewall mangle
add chain=prerouting connection-mark=no-mark in-interface=pppoe-CT1 action=mark-connection new-connection-mark=CT_conn1 passthrough=yes
add chain=prerouting connection-mark=no-mark in-interface=pppoe-CT2 action=mark-connection new-connection-mark=CT_conn2 passthrough=yes
add chain=prerouting connection-mark=no-mark in-interface=pppoe-CU1 action=mark-connection new-connection-mark=CU_conn1 passthrough=yes

6.3、PCC标记

国内不同运营商指定出口，因为电信双拨，双拨的还得PCC聚合下，至于叠不叠带宽，各地随缘了。联通就单拨就直接标记一下就行了。

/ip firewall mangle
add chain=prerouting connection-mark=no-mark in-interface=bridge1 per-connection-classifier=both-addresses-and-ports:2/0 dst-address-type=!local dst-address-list=chnroutes-chinanet action=mark-connection new-connection-mark=CT_conn1 passthrough=yes comment="PCC spec"
add chain=prerouting connection-mark=no-mark in-interface=bridge1 per-connection-classifier=both-addresses-and-ports:2/1 dst-address-type=!local dst-address-list=chnroutes-chinanet action=mark-connection new-connection-mark=CT_conn2 passthrough=yes
add chain=prerouting connection-mark=no-mark in-interface=bridge1 dst-address-type=!local dst-address-list=chnroutes-chinacnc action=mark-connection new-connection-mark=CU_conn1 passthrough=yes

ros防火墙规则自上而下顺序匹配，上面没匹配到的，就接下来整体3线聚合。

/ip firewall mangle
add chain=prerouting connection-mark=no-mark in-interface=bridge1 per-connection-classifier=both-addresses-and-ports:3/0 dst-address-type=!local action=mark-connection new-connection-mark=CT_conn1 passthrough=yes comment=PCC
add chain=prerouting connection-mark=no-mark in-interface=bridge1 per-connection-classifier=both-addresses-and-ports:3/1 dst-address-type=!local action=mark-connection new-connection-mark=CT_conn2 passthrough=yes
add chain=prerouting connection-mark=no-mark in-interface=bridge1 per-connection-classifier=both-addresses-and-ports:3/2 dst-address-type=!local action=mark-connection new-connection-mark=CU_conn1 passthrough=yes

6.4、让流量根据上面线路标记选择路由

/ip firewall mangle
add chain=prerouting connection-mark=CT_conn1 in-interface=bridge1 action=mark-routing new-routing-mark=CT1 passthrough=yes comment="dynamic pbr"
add chain=prerouting connection-mark=CT_conn2 in-interface=bridge1 action=mark-routing new-routing-mark=CT2 passthrough=yes
add chain=prerouting connection-mark=CU_conn1 in-interface=bridge1 action=mark-routing new-routing-mark=CU1 passthrough=yes

add chain=output connection-mark=CT_conn1 action=mark-routing new-routing-mark=CT1 passthrough=yes comment=out
add chain=output connection-mark=CT_conn2 action=mark-routing new-routing-mark=CT2 passthrough=yes
add chain=output connection-mark=CU_conn1 action=mark-routing new-routing-mark=CU1 passthrough=yes

6.5、设置默认路由

/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-CT1 check-gateway=none distance=1
add dst-address=0.0.0.0/0 gateway=pppoe-CT2 check-gateway=none distance=2
add dst-address=0.0.0.0/0 gateway=pppoe-CU1 check-gateway=none distance=3
add dst-address=0.0.0.0/0 gateway=pppoe-CT1 check-gateway=none distance=1 routing-table=CT1
add dst-address=0.0.0.0/0 gateway=pppoe-CT2 check-gateway=none distance=1 routing-table=CT2
add dst-address=0.0.0.0/0 gateway=pppoe-CU1 check-gateway=none distance=1 routing-table=CU1

 

本文参考博客：https://jacyl4.github.io/posts/ros_ct_cmcc/