Topic: NAT rules not working after implementing load balancing

  
  1. #1
    maff21 (Maff), regular member, joined Sep 2012

    Hi everyone,
    I have a CRS125 router. Ports 1 and 2 are connected to ISP 1 and ISP 2 over PPPoE; the remaining ports are in a bridge and give users internet access over VPN. It also does one more thing: users enter the internal network through the MikroTik cloud address (the MikroTik-specific DDNS) and use a set of IP addresses there. I have NATted those addresses, i.e. I said, for example, if someone hits 192.168.89.1 (the VPN range) send it to 192.168.1.1 (the internal range), and that works fine.
    But then I implemented load balancing with the following commands:

    Code:
    [admin@Indoor Router] > ip firewall mangle add chain=input in-interface=isp1 action=mark-connection new-connection-mark=isp1_conn
    [admin@Indoor Router] > ip firewall mangle add chain=input in-interface=isp2 action=mark-connection new-connection-mark=isp2_conn
    [admin@Indoor Router] > ip firewall mangle add chain=output connection-mark=isp1_conn action=mark-routing new-routing-mark=to_isp1
    [admin@Indoor Router] > ip firewall mangle add chain=output connection-mark=isp2_conn action=mark-routing new-routing-mark=to_isp2
    [admin@Indoor Router] > ip firewall mangle add chain=prerouting dst-address-type=!local in-interface=allppp per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=isp1_conn passthrough=yes
    [admin@Indoor Router] > ip firewall mangle add chain=prerouting dst-address-type=!local in-interface=allppp per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=isp2_conn passthrough=yes
    [admin@Indoor Router] > ip firewall mangle add chain=prerouting connection-mark=isp1_conn in-interface=allppp action=mark-routing new-routing-mark=to_isp1
    [admin@Indoor Router] > ip firewall mangle add chain=prerouting connection-mark=isp2_conn in-interface=allppp action=mark-routing new-routing-mark=to_isp2
    [admin@Indoor Router] > ip firewall nat add chain=srcnat action=masquerade
    [admin@Indoor Router] > ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_isp1 check-gateway=ping
    [admin@Indoor Router] > ip route add dst-address=0.0.0.0/0 gateway=172.16.1.1 routing-mark=to_isp2 check-gateway=ping


    On the internal network it works fine and it does combine the two lines, but the NAT no longer works and I don't know why.
    Could this be related to in-interface being set to allppp while the internet connections are also on PPPoE? What should I do?



    Edited by maff21: 2018-09-04 at 04:41 PM

  2. #2
    EVERAL (Armin Rezaeimehr), general moderator, joined Jul 2009
    Hi,
    You can do the NAT configuration and the load balancing together; see the sample config below:
    Configuration export from the gateway router:
    Code:
    / ip address
    add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=LAN
    add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=ISP1
    add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=ISP2

    / ip firewall mangle
    add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=LAN
    add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=LAN
    add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection \
        new-connection-mark=ISP1_conn
    add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection \
        new-connection-mark=ISP2_conn
    add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \
        per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn
    add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \
        per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
    add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing \
        new-routing-mark=to_ISP1
    add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing \
        new-routing-mark=to_ISP2
    add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
    add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

    / ip route
    add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_ISP1 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_ISP2 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping

    / ip firewall nat
    add chain=srcnat out-interface=ISP1 action=masquerade
    add chain=srcnat out-interface=ISP2 action=masquerade
    IP Address
    Code:
    / ip address
    add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=LAN
    add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=ISP1
    add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=ISP2
    The router has two upstream (ISP) interfaces with the addresses 10.111.0.2/24 and 10.112.0.2/24. The LAN interface has the IP address 192.168.0.1/24.

    Policy Routing
    Code:
    / ip firewall mangle
    add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=LAN
    add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=LAN
    With policy routing it is possible to force all traffic to a specific gateway, even if the traffic is destined to a host (other than the gateway) on the connected networks. This way a routing loop is generated and communication with those hosts becomes impossible. To avoid this situation we need to allow use of the default routing table for traffic to the connected networks.
    Code:
    add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection \
        new-connection-mark=ISP1_conn
    add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection \
        new-connection-mark=ISP2_conn
    First it is necessary to manage connections initiated from outside: replies must leave via the same interface (from the same public IP) the request came in on. We will mark all new incoming connections to remember which interface they arrived on.
    Code:
    add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \
        per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn
    add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \
        per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
    The action mark-routing can be used only in the mangle chains output and prerouting, but the mangle chain prerouting captures all traffic that is going to the router itself as well. To avoid this we use dst-address-type=!local. With the help of the new PCC we divide the traffic into two groups based on source and destination addresses.
    Code:
    add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing \
        new-routing-mark=to_ISP1
    add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing \
        new-routing-mark=to_ISP2
    add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
    add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2
    Then we need to mark all packets of those connections with the proper routing mark. As policy routing is required only for traffic going to the Internet, do not forget to specify the in-interface option.
    Code:
    / ip route
    add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_ISP1 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_ISP2 check-gateway=ping
    Create a route for each routing-mark.
    Code:
    add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
    add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping

    To enable failover, it is necessary to have routes that jump in as soon as the others become inactive on gateway failure (and that happens only if the check-gateway option is active).

    NAT

    Code:
    / ip firewall nat
    add chain=srcnat out-interface=ISP1 action=masquerade
    add chain=srcnat out-interface=ISP2 action=masquerade
    As the routing decision is already made, we just need rules that fix the src-addresses of all outgoing packets. If a packet leaves via wlan1 it will be NATed to 10.112.0.2; if via wlan2, it will be NATed to 10.111.0.2.


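    As an added illustration (not from the thread and not MikroTik code), a Python model of the LAN-side prerouting mangle chain in the sample config above: the accept rules for the connected networks, the dst-address-type=!local match, and the PCC split into the two connection marks. The hash used for PCC is an assumption standing in for the undocumented RouterOS hash, and every address and packet is constructed for the example.

```python
# Added model of the LAN-side prerouting mangle chain from the sample config in
# post #2: accept rules for connected networks, dst-address-type=!local, then PCC
# both-addresses:2/0 and 2/1. All addresses and packets below are constructed.
import hashlib
import ipaddress

LAN_IF = "LAN"
# Router-local addresses and connected networks, taken from the sample config.
LOCAL_ADDRS = {"192.168.0.1", "10.111.0.2", "10.112.0.2"}
CONNECTED = [ipaddress.ip_network("10.111.0.0/24"),
             ipaddress.ip_network("10.112.0.0/24")]
CONN_MARKS = {0: "ISP1_conn", 1: "ISP2_conn"}
ROUTING_MARKS = {"ISP1_conn": "to_ISP1", "ISP2_conn": "to_ISP2"}


def pcc_group(src, dst, sport=None, dport=None, denominator=2):
    """Model of per-connection-classifier: hash the selected fields and return
    hash % denominator, i.e. the remainder a 'denominator/remainder' rule
    matches. Without ports this is both-addresses; with ports it is the
    both-addresses-and-ports variant used in post #1. SHA-256 is an assumption
    standing in for the RouterOS hash, which is not documented."""
    fields = f"{src}|{dst}|{sport}|{dport}".encode()
    digest = hashlib.sha256(fields).digest()
    return int.from_bytes(digest[:4], "big") % denominator


def mangle_prerouting(pkt, connected_accept=True):
    """Walk the LAN-side prerouting rules for one packet and return the
    connection mark it leaves with (None = unmarked, main routing table).
    connected_accept=False drops the two action=accept rules, which is the
    routing-loop situation the explanation in post #2 warns about."""
    if pkt["in_if"] != LAN_IF:
        return None                      # ISP-side marking is not modelled here
    dst = ipaddress.ip_address(pkt["dst"])
    if connected_accept and any(dst in net for net in CONNECTED):
        return None                      # action=accept: stays in the main table
    if pkt["dst"] in LOCAL_ADDRS:
        return None                      # dst-address-type=!local does not match
    return CONN_MARKS[pcc_group(pkt["src"], pkt["dst"])]


def routing_table(pkt, connected_accept=True):
    """Routing mark the mark-routing rules derive from the connection mark,
    or 'main' when the packet is unmarked."""
    return ROUTING_MARKS.get(mangle_prerouting(pkt, connected_accept), "main")


if __name__ == "__main__":
    # Constructed packets: a LAN host talking to a host on ISP1's connected
    # network, and the same host talking to an Internet address (TEST-NET-3).
    to_connected = {"in_if": LAN_IF, "src": "192.168.0.10", "dst": "10.111.0.50"}
    to_internet = {"in_if": LAN_IF, "src": "192.168.0.10", "dst": "203.0.113.5"}
    print("connected, with accept rules:   ", routing_table(to_connected))
    print("connected, without accept rules:", routing_table(to_connected, False))
    print("internet:                       ", routing_table(to_internet))
```

    Without the two accept rules the packet to 10.111.0.50 is policy-routed to one of the ISP gateways instead of being delivered directly on the connected network, which is the loop the post describes.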

  3. #3
    maff21 (Maff), regular member, joined Sep 2012
    Quote: originally posted by EVERAL (post #2 above, quoted in full)
    Hi, thanks a lot. So does this method solve the problem of the NAT not working?
    And one more question: apparently this kind of config is used when the PPPoE connections are on the modems rather than on the router, right?


    Edited by maff21: 2018-09-16 at 04:06 PM

  4. #4
    ali, regular member, joined Jun 2010
    It makes no difference.
    You can set up the PPPoE connection on the modem and then, in the router, either obtain an IP from the modem with a DHCP client, or turn off the modem's DHCP and give the port connected to the modem a static IP in the modem's range so that the link comes up and you can ping the modem from inside the router.
    In the other case, where you establish the PPPoE inside the router, an additional interface for connecting to the internet is created inside the router.

    In your NAT rules you only need to say, in consecutive lines, that any traffic intending to leave through the interface of either modem is allowed to communicate using NAT.
    One rule must be written for each interface going out to the internet; no splitting happens here, the data is simply formatted on the way out in the standard way suitable for communicating with the internet, and that's all.


    All of your load-balancing work must be done in the mangle section (packet marking) and in the route section, i.e. the routing.

    - - - continued - - -

    NAT Rules
    chain: srcnat - out-interface: internet-interface - action: masquerade


