How to make connection replies go out through the same gateway they came in on, in RouterOS?

Yaj*_*ajo 5 nat routing load-balancing mikrotik routeros

I have a MikroTik RouterOS 6.23 device, and my network looks like this:

Router
  |
  |-- bridge1_LAN (wlan1 + ether1) (192.168.0.210) -- LAN (192.168.0.0/24)
  |   Here is where computers are. Those include some servers and some users.
  |   Users should be able to navigate always, and servers should
  |   be reachable online always.
  |
  |-- ether2_ADSL (192.168.2.2) -- ADSL router (192.168.2.1) -- WAN
  |   Users should navigate through here because there is no traffic limit.
  |   Incoming traffic should work exactly as with ether3_3G, as a temporary
  |   backup solution in case it fails.
  |
  |-- ether3_3G (192.168.3.2) -- 3G router (192.168.3.1) -- WAN
      This connection has a traffic limit, but faster upload rate, so it's
      mainly for incoming traffic. In case ether2_ADSL fails, this should be
      used as a temporary backup connection for outgoing traffic.

Now, the relevant configuration:

/ip firewall mangle

# This rule is disabled because, when enabled, users cannot browse Internet
add action=mark-routing chain=prerouting connection-mark=no-mark disabled=yes \
    in-interface=ether2_ADSL new-routing-mark=to_ether2_ADSL passthrough=no

# This marks all traffic coming from ether3_3G to get out through there too
add action=mark-routing chain=prerouting in-interface=ether3_3G \
    new-routing-mark=to_ether3_3G passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2_ADSL
add action=masquerade chain=srcnat out-interface=ether3_3G

# This is just an example web server listening in port 8069, for testing purposes
add action=dst-nat chain=dstnat comment="Test server" dst-port=8069 \
    in-interface=ether2_ADSL protocol=tcp to-addresses=192.168.0.156 \
    to-ports=8069
add action=dst-nat chain=dstnat comment="Test server" dst-port=8069 \
    in-interface=ether3_3G protocol=tcp to-addresses=192.168.0.156 \
    to-ports=8069

/ip route

# Outgoing traffic by routing-mark
add check-gateway=ping distance=10 gateway=192.168.3.1 routing-mark=\
    to_ether3_3G
add check-gateway=ping distance=10 gateway=192.168.2.1 routing-mark=\
    to_ether2_ADSL

# Outgoing traffic by default
add check-gateway=ping distance=20 gateway=192.168.2.1
add check-gateway=ping distance=30 gateway=192.168.3.1

With this configuration, all outgoing traffic goes out through ether3_3G only when ether2_ADSL fails, and through ether2_ADSL otherwise (most of the time).

The problem now is that incoming connections only work through ether2_ADSL. Incoming connections from ether3_3G always stay in the SYN_RECEIVED state.

It seems to me that incoming connections from ether3_3G reach the target server, but the response goes out through ether2_ADSL, which is why the TCP handshake never completes. In fact, if I physically unplug the ether2_ADSL cable, all connections to/from ether3_3G work fine.

How can I fix this?

Cha*_*a0s 5

You need to mark the connections coming from ether3_3G so that you can mark the replies to go back out through ether3_3G.

Here is a sample configuration (untested):

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark connection so packets from 3G get returned to 3G properly" disabled=no in-interface=ether3_3G new-connection-mark=3g-packets passthrough=no
add action=mark-routing chain=prerouting connection-mark=3g-packets disabled=no new-routing-mark=3g-packets passthrough=no
add action=mark-routing chain=output connection-mark=3g-packets disabled=no new-routing-mark=3g-packets passthrough=no


/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=3g-packets

The first rule places a connection-mark on any packet coming in from the ether3_3G interface.

The second and third rules "catch" the replies based on that connection mark and then place a routing-mark on those connections.

The second rule applies to packets that are basically going to be forwarded; the third rule applies to replies the router itself will send (e.g. ping).

Finally, the static route routes packets carrying the appropriate routing mark out through the ether3_3G interface.
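As an added example (not from the question or the answer above), the same connection-mark approach extended to both WAN links, so that replies to connections arriving on ether2_ADSL also leave through ether2_ADSL, as the question requires for the backup case. It uses the asker's interface names and gateways; the connection-mark names are chosen here, the mark-routing rules are restricted to in-interface=bridge1_LAN so that inbound WAN-to-LAN packets stay on the main table, and the block assumes RouterOS v6 and replaces the asker's /ip firewall mangle section.

```routeros
# Added example, not from the question or the answer. Interface names and
# gateways are the asker's; connection-mark names are chosen here.
/ip firewall mangle
# 1) Tag each new connection with the WAN interface it arrived on. Only the
#    first packet of a connection is unmarked, so each rule fires once per
#    connection; passthrough=yes lets the packet continue down the chain.
add chain=prerouting in-interface=ether2_ADSL connection-mark=no-mark \
    action=mark-connection new-connection-mark=adsl_conn passthrough=yes
add chain=prerouting in-interface=ether3_3G connection-mark=no-mark \
    action=mark-connection new-connection-mark=3g_conn passthrough=yes
# 2) Replies from LAN hosts (e.g. the test server at 192.168.0.156 answering
#    a dst-natted SYN) inherit the connection mark; give them the routing mark
#    of the WAN they must return through. Matching in-interface=bridge1_LAN
#    keeps inbound WAN->LAN packets out of the marked routing tables.
add chain=prerouting in-interface=bridge1_LAN connection-mark=adsl_conn \
    action=mark-routing new-routing-mark=to_ether2_ADSL passthrough=no
add chain=prerouting in-interface=bridge1_LAN connection-mark=3g_conn \
    action=mark-routing new-routing-mark=to_ether3_3G passthrough=no
# 3) Same for replies generated by the router itself (ping, management
#    sessions to the router's WAN addresses).
add chain=output connection-mark=adsl_conn \
    action=mark-routing new-routing-mark=to_ether2_ADSL passthrough=no
add chain=output connection-mark=3g_conn \
    action=mark-routing new-routing-mark=to_ether3_3G passthrough=no

/ip route
# Per-mark default routes. These are the two marked routes already present
# in the question (distance 10); keep those and do not add duplicates.
# The unmarked defaults (distance 20 and 30) stay as they are, so LAN users
# still prefer ether2_ADSL and fall back to ether3_3G.
add check-gateway=ping distance=10 dst-address=0.0.0.0/0 \
    gateway=192.168.2.1 routing-mark=to_ether2_ADSL
add check-gateway=ping distance=10 dst-address=0.0.0.0/0 \
    gateway=192.168.3.1 routing-mark=to_ether3_3G
```

To confirm it works, open a connection to the test server through each WAN address and check `/ip firewall connection print` for the expected connection-mark, then `/ip route print where routing-mark=to_ether3_3G` to verify the marked route is active.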