RouterOS version: RouterOS 7.6
Uplinks:
China Telecom: 1000M (two PPPoE sessions)
China Unicom: 1000M
1. Configuration steps
1.1. Create the bridge for the LAN ports, plus the VRRP virtual interfaces used for PPPoE dialing
Adjust the following to your own environment. In this setup the Telecom line is on eth1 and the Unicom line on eth2; a bridge is created and bound to eth3, and the bridge is given an IP address, e.g. 192.168.10.254, which serves as the router's address.
1.1.1. Create the VRRP interfaces
Two VRRP interfaces on eth1 (Telecom, two sessions) and one on eth2 (Unicom). The names vrrp1, vrrp2 and vrrp3 are referenced again in 1.1.3 and 1.2, so keep them consistent.
/interface vrrp add name=vrrp1 interface=eth1 vrid=1
/interface vrrp add name=vrrp2 interface=eth1 vrid=2
/interface vrrp add name=vrrp3 interface=eth2 vrid=3
1.1.2. Create the bridge interface
Create a bridge named bridge1:
/interface bridge add name=bridge1 disabled=no
Add the LAN port to the new bridge (ether4 in this command; use whichever port is your LAN port):
/interface bridge port add interface=ether4 bridge=bridge1
Assign the bridge an IP address, e.g. 192.168.10.254:
/ip address add address=192.168.10.254/24 interface=bridge1
1.1.3. Assign IP addresses to the VRRP interfaces and their parent interfaces; without an address the VRRP interfaces will not come up
/ip address add address=192.168.1.2/24 interface=eth1
/ip address add address=192.168.2.2/24 interface=eth2
/ip address add address=192.168.1.3/24 interface=vrrp1
/ip address add address=192.168.1.4/24 interface=vrrp2
/ip address add address=192.168.2.3/24 interface=vrrp3
1.2. Set up the PPPoE clients
One PPPoE client per VRRP interface. Replace the user and password placeholders with your broadband credentials. add-default-route=no is deliberate: the default routes are created manually in 6.5.
/interface pppoe-client add name=pppoe-CT1 max-mtu=1480 max-mru=1480 interface=vrrp1 user=<broadband-account> password=<broadband-password> add-default-route=no disabled=no
/interface pppoe-client add name=pppoe-CT2 max-mtu=1480 max-mru=1480 interface=vrrp2 user=<broadband-account> password=<broadband-password> add-default-route=no disabled=no
/interface pppoe-client add name=pppoe-CU1 max-mtu=1480 max-mru=1480 interface=vrrp3 user=<broadband-account> password=<broadband-password> add-default-route=no disabled=no
2. Basic firewall protection
The fifth line below, "src-address=192.168.10.0/24", is my LAN subnet: hosts in that range are allowed to connect to the router for management. Change it to suit your own network.
Rules are evaluated top-down, so the port-scan rules are placed above the catch-all "Drop everything else" rule; placed after it they would never be reached. Note also that the tcp, udp and icmp chains the forward chain jumps to are not defined on this page: until you add rules to them, each jump simply returns and forwarded traffic falls through the end of the forward chain unfiltered.
/ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=input connection-state=established action=accept comment="Allow Established connections"
add chain=input protocol=icmp action=accept comment="Allow ICMP"
add chain=input src-address=192.168.10.0/24 in-interface=bridge1 action=accept comment="Allow management from LAN"
add chain=input protocol=tcp psd=21,3s,3,1 action=drop comment="Port scanners"
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=drop comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=drop comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=drop comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=drop comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=drop comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=drop comment="NMAP NULL scan"
add chain=input action=drop comment="Drop everything else"
add chain=output action=accept comment="accept everything"
add chain=forward connection-state=invalid action=drop comment="Drop Invalid connections"
add chain=forward connection-state=established action=accept comment="Allow Established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
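An added Python model (not part of the original page) of how RouterOS's tcp-flags matcher reads the scan rules above: flags listed plainly must be set, flags prefixed with ! must be clear, and unlisted flags are ignored. Running constructed flag sets through the rules in their listed order shows which rule drops which probe, and that a packet with all six flags is already caught by the SYN/FIN rule before the ALL/ALL rule is reached.

```python
# Model of RouterOS tcp-flags matching, evaluated in the order the rules appear above.
TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

def parse_tcp_flags(spec):
    """Split 'fin,!syn,!rst' into (must_be_set, must_be_clear)."""
    want, forbid = set(), set()
    for tok in spec.split(","):
        tok = tok.strip()
        name = tok.lstrip("!")
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag: {name}")
        (forbid if tok.startswith("!") else want).add(name)
    return want, forbid

def tcp_flags_match(spec, packet_flags):
    """True when every listed flag is set, every !flag is clear; others are don't-care."""
    want, forbid = parse_tcp_flags(spec)
    pf = set(packet_flags)
    return want <= pf and not (forbid & pf)

# The tcp-flags scan rules from the input chain above, in their listed order.
SCAN_RULES = [
    ("fin,!syn,!rst,!psh,!ack,!urg", "NMAP FIN Stealth scan"),
    ("fin,syn", "SYN/FIN scan"),
    ("syn,rst", "SYN/RST scan"),
    ("fin,psh,urg,!syn,!rst,!ack", "FIN/PSH/URG scan"),
    ("fin,syn,rst,psh,ack,urg", "ALL/ALL scan"),
    ("!fin,!syn,!rst,!psh,!ack,!urg", "NMAP NULL scan"),
]

def first_matching_rule(packet_flags):
    """Comment of the first rule that would drop a packet with these flags, or None."""
    for spec, comment in SCAN_RULES:
        if tcp_flags_match(spec, packet_flags):
            return comment
    return None

if __name__ == "__main__":
    # Constructed sample flag sets: a normal SYN, a SYN/ACK, and some malformed probes.
    for flags in [{"syn"}, {"syn", "ack"}, {"fin"}, set(), {"fin", "syn"}, set(TCP_FLAGS)]:
        print(sorted(flags), "->", first_matching_rule(flags))
```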
4. Source NAT (masquerade)
/ip firewall nat
add chain=srcnat out-interface=pppoe-CT1 action=masquerade
add chain=srcnat out-interface=pppoe-CT2 action=masquerade
add chain=srcnat out-interface=pppoe-CU1 action=masquerade
5. Create the routing tables
/routing table
add fib name=CT1
add fib name=CT2
add fib name=CU1
6. PCC bandwidth load balancing
Download the address-list files from
https://github.com/zealic/autorosvpn (the China address tables in this repository are fairly old; I have not yet found a suitable up-to-date source)
and upload them to Files in WinBox.
Run the following to import the IP ranges into the firewall address lists; they are used by the marking rules below. To avoid duplicate entries, the first two lines remove the existing Telecom and Unicom lists. Make sure the list names in the remove commands match the list names defined inside the .rsc files and the ones used in the mangle rules in 6.3 (this page uses both chnroutes-cnc and chnroutes-chinacnc for the Unicom list; only one can be correct for your files).
/ip firewall address-list remove [find list="chnroutes-chinanet"]
/ip firewall address-list remove [find list="chnroutes-cnc"]
/import chnroutes-chinanet.rsc
/import chnroutes-chinacnc.rsc
6.1. Exclude LAN-to-LAN traffic
Traffic between local addresses is accepted here so that none of the marking rules below touch it.
/ip firewall address-list add address=192.168.10.0/24 list=local comment=local
/ip firewall mangle add chain=prerouting src-address-list=local dst-address-list=local action=accept comment="local"
6.2. Mark inbound connections by source link
Connections that arrive on a PPPoE interface are marked with that link, so replies leave through the same link they came in on.
/ip firewall mangle
add chain=prerouting connection-mark=no-mark in-interface=pppoe-CT1 action=mark-connection new-connection-mark=CT_conn1 passthrough=yes
add chain=prerouting connection-mark=no-mark in-interface=pppoe-CT2 action=mark-connection new-connection-mark=CT_conn2 passthrough=yes
add chain=prerouting connection-mark=no-mark in-interface=pppoe-CU1 action=mark-connection new-connection-mark=CU_conn1 passthrough=yes
6.3. PCC marking
Domestic traffic is pinned to the carrier that owns the destination. Because Telecom has two sessions, those two are additionally aggregated with PCC; whether the bandwidth actually stacks depends on your local ISP. Unicom is a single session, so it is simply marked directly.
/ip firewall mangle
add chain=prerouting connection-mark=no-mark in-interface=bridge1 per-connection-classifier=both-addresses-and-ports:2/0 dst-address-type=!local dst-address-list=chnroutes-chinanet action=mark-connection new-connection-mark=CT_conn1 passthrough=yes comment="PCC spec"
add chain=prerouting connection-mark=no-mark in-interface=bridge1 per-connection-classifier=both-addresses-and-ports:2/1 dst-address-type=!local dst-address-list=chnroutes-chinanet action=mark-connection new-connection-mark=CT_conn2 passthrough=yes
add chain=prerouting connection-mark=no-mark in-interface=bridge1 dst-address-type=!local dst-address-list=chnroutes-chinacnc action=mark-connection new-connection-mark=CU_conn1 passthrough=yes
RouterOS firewall rules are matched top-down in order; anything not matched above falls through to this aggregation across all three lines.
/ip firewall mangle
add chain=prerouting connection-mark=no-mark in-interface=bridge1 per-connection-classifier=both-addresses-and-ports:3/0 dst-address-type=!local action=mark-connection new-connection-mark=CT_conn1 passthrough=yes comment=PCC
add chain=prerouting connection-mark=no-mark in-interface=bridge1 per-connection-classifier=both-addresses-and-ports:3/1 dst-address-type=!local action=mark-connection new-connection-mark=CT_conn2 passthrough=yes
add chain=prerouting connection-mark=no-mark in-interface=bridge1 per-connection-classifier=both-addresses-and-ports:3/2 dst-address-type=!local action=mark-connection new-connection-mark=CU_conn1 passthrough=yes
6.4. Route traffic according to the link marks above
The prerouting rules handle traffic forwarded from the LAN; the output rules handle traffic the router itself originates, so it also follows the connection mark.
/ip firewall mangle
add chain=prerouting connection-mark=CT_conn1 in-interface=bridge1 action=mark-routing new-routing-mark=CT1 passthrough=yes comment="dynamic pbr"
add chain=prerouting connection-mark=CT_conn2 in-interface=bridge1 action=mark-routing new-routing-mark=CT2 passthrough=yes
add chain=prerouting connection-mark=CU_conn1 in-interface=bridge1 action=mark-routing new-routing-mark=CU1 passthrough=yes
add chain=output connection-mark=CT_conn1 action=mark-routing new-routing-mark=CT1 passthrough=yes comment=out
add chain=output connection-mark=CT_conn2 action=mark-routing new-routing-mark=CT2 passthrough=yes
add chain=output connection-mark=CU_conn1 action=mark-routing new-routing-mark=CU1 passthrough=yes
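To see how the rules in 6.1, 6.3 and 6.4 pick a link for a new LAN connection, here is an added Python model (not RouterOS code, and not from the original post). It walks the prerouting mangle rules top-down with first match winning, and uses a SHA-256 hash of the 4-tuple as a stand-in for RouterOS's PCC classifier, whose exact hash is not documented here; the address-list prefixes are constructed placeholders, not the real chnroutes data, and dst-address-type=!local is not modeled.

```python
import hashlib
import ipaddress

# Constructed stand-ins for the page's address lists (real ones come from the .rsc imports).
ADDRESS_LISTS = {
    "local": ["192.168.10.0/24"],
    "chnroutes-chinanet": ["1.0.0.0/8"],   # placeholder, not real Telecom prefixes
    "chnroutes-chinacnc": ["2.0.0.0/8"],   # placeholder, not real Unicom prefixes
}

def in_list(ip, list_name):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in ADDRESS_LISTS[list_name])

def pcc(src, dst, sport, dport, denominator):
    """Stand-in for per-connection-classifier=both-addresses-and-ports:D/R.
    Any stable hash of the 4-tuple gives the property that matters: the same
    connection always lands in the same bucket, so it always uses the same link."""
    digest = hashlib.sha256(f"{src}:{sport}->{dst}:{dport}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % denominator

def classify(src, dst, sport, dport):
    """Connection mark the prerouting rules give a new connection from bridge1,
    or None when the 6.1 local-to-local rule accepts it unmarked."""
    if in_list(src, "local") and in_list(dst, "local"):
        return None                                            # 6.1: LAN-to-LAN, accept
    if in_list(dst, "chnroutes-chinanet"):                     # 6.3: Telecom prefixes, 2-way PCC
        return ["CT_conn1", "CT_conn2"][pcc(src, dst, sport, dport, 2)]
    if in_list(dst, "chnroutes-chinacnc"):                     # 6.3: Unicom prefixes, single link
        return "CU_conn1"
    # Fall-through: everything else spread over all three links (3/0, 3/1, 3/2)
    return ["CT_conn1", "CT_conn2", "CU_conn1"][pcc(src, dst, sport, dport, 3)]

ROUTING_MARK = {"CT_conn1": "CT1", "CT_conn2": "CT2", "CU_conn1": "CU1"}

def routing_mark(src, dst, sport, dport):
    """6.4: routing table the connection is sent to; 'main' when it carries no mark."""
    return ROUTING_MARK.get(classify(src, dst, sport, dport), "main")

if __name__ == "__main__":
    # Constructed sample flows from a LAN host.
    for dst in ("192.168.10.254", "1.2.3.4", "2.3.4.5", "8.8.8.8"):
        print(dst, "->", classify("192.168.10.5", dst, 51000, 443), routing_mark("192.168.10.5", dst, 51000, 443))
```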
6.5. Set the default routes
The first three routes go into the main table with increasing distance; the last three put each link's default route into its own routing table so the routing marks from 6.4 take effect. With check-gateway=none a dead PPPoE session is not detected and traffic marked for it is black-holed; set check-gateway=ping on these routes if you want failover.
/ip route
add dst-address=0.0.0.0/0 gateway=pppoe-CT1 check-gateway=none distance=1
add dst-address=0.0.0.0/0 gateway=pppoe-CT2 check-gateway=none distance=2
add dst-address=0.0.0.0/0 gateway=pppoe-CU1 check-gateway=none distance=3
add dst-address=0.0.0.0/0 gateway=pppoe-CT1 check-gateway=none distance=1 routing-table=CT1
add dst-address=0.0.0.0/0 gateway=pppoe-CT2 check-gateway=none distance=1 routing-table=CT2
add dst-address=0.0.0.0/0 gateway=pppoe-CU1 check-gateway=none distance=1 routing-table=CU1
This article draws on the following blog post: https://jacyl4.github.io/posts/ros_ct_cmcc/