Routing

How to reply to connections through the same gateway they came in on, in RouterOS?

  • January 19, 2015

I have a MikroTik RouterOS 6.23 device, and my network looks like this:

Router
 |
 |-- bridge1_LAN (wlan1 + ether1) (192.168.0.210) -- LAN (192.168.0.0/24)
 |   Here is where computers are. Those include some servers and some users.
 |   Users should be able to navigate always, and servers should
 |   be reachable online always.
 |
 |-- ether2_ADSL (192.168.2.2) -- ADSL router (192.168.2.1) -- WAN
 |   Users should navigate through here because there is no traffic limit.
 |   Incoming traffic should work exactly as with ether3_3G, as a temporary
 |   backup solution in case it fails.
 |
 |-- ether3_3G (192.168.3.2) -- 3G router (192.168.3.1) -- WAN
     This connection has a traffic limit, but faster upload rate, so it's
     mainly for incoming traffic. In case ether2_ADSL fails, this should be
     used as a temporary backup connection for outgoing traffic.

Now, the relevant configuration:

/ip firewall mangle

# This rule is disabled because, when enabled, users cannot browse Internet
add action=mark-routing chain=prerouting connection-mark=no-mark disabled=yes \
   in-interface=ether2_ADSL new-routing-mark=to_ether2_ADSL passthrough=no

# This marks all traffic coming from ether3_3G to get out through there too
add action=mark-routing chain=prerouting in-interface=ether3_3G \
   new-routing-mark=to_ether3_3G passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2_ADSL
add action=masquerade chain=srcnat out-interface=ether3_3G

# This is just an example web server listening in port 8069, for testing purposes
add action=dst-nat chain=dstnat comment="Test server" dst-port=8069 \
   in-interface=ether2_ADSL protocol=tcp to-addresses=192.168.0.156 \
   to-ports=8069
add action=dst-nat chain=dstnat comment="Test server" dst-port=8069 \
   in-interface=ether3_3G protocol=tcp to-addresses=192.168.0.156 \
   to-ports=8069

/ip route

# Outgoing traffic by routing-mark
add check-gateway=ping distance=10 gateway=192.168.3.1 routing-mark=\
   to_ether3_3G
add check-gateway=ping distance=10 gateway=192.168.2.1 routing-mark=\
   to_ether2_ADSL

# Outgoing traffic by default
add check-gateway=ping distance=20 gateway=192.168.2.1
add check-gateway=ping distance=30 gateway=192.168.3.1

With this configuration, all traffic goes out through ether3_3G only when ether2_ADSL fails; otherwise it goes out through ether2_ADSL (most of the time).

The problem now is that incoming connections only work through ether2_ADSL. Incoming connections from ether3_3G always get stuck in the syn received state.

It seems to me that incoming connections from ether3_3G reach the target server, but the responses go out through ether2_ADSL, which is why the TCP handshake never completes. In fact, if I physically unplug the ether2_ADSL cable, then all connections via ether3_3G start working properly.

How can I fix this?

You need to mark the connections coming from ether3_3G so that you can mark the replies to be routed back out through ether3_3G.

Here is an example configuration (untested):

/ip firewall mangle
add action=mark-connection chain=prerouting comment="Mark connection so packets from 3G get returned to 3G properly" disabled=no in-interface=ether3_3G new-connection-mark=3g-packets passthrough=no
add action=mark-routing chain=prerouting connection-mark=3g-packets disabled=no new-routing-mark=3g-packets passthrough=no
add action=mark-routing chain=output connection-mark=3g-packets disabled=no new-routing-mark=3g-packets passthrough=no


/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=3g-packets

The first rule places a connection-mark on any packet arriving from the ether3_3G interface.

The second and third rules "catch" the replies based on that connection mark, and then place a routing-mark on those connections.

The second rule applies to packets that are being forwarded; the third rule applies to replies the router itself will send (e.g. ping).

Finally, the last static route routes packets carrying the appropriate routing mark out through the ether3_3G interface.
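As an added example (not part of the original answer above), the same connection-mark / routing-mark pattern applied to both uplinks from the question, so that inbound connections arriving on either ether2_ADSL or ether3_3G are answered through the interface they came in on. Interface names and gateway addresses are those from the question; the mark names (from_adsl, from_3g, via_adsl, via_3g) and the connection-state=new and in-interface=bridge1_LAN restrictions are choices made here, not from the answer.

```routeros
# Added example, not from the original question or answer.
# Interface names and gateways are the ones from the question above;
# mark names are chosen here.

/ip firewall mangle
# 1. Tag each NEW inbound connection with the WAN it arrived on.
#    connection-state=new keeps LAN-initiated connections unmarked,
#    so outbound user traffic keeps following the default routes.
add chain=prerouting in-interface=ether2_ADSL connection-state=new \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=from_adsl passthrough=yes \
    comment="Inbound via ADSL"
add chain=prerouting in-interface=ether3_3G connection-state=new \
    connection-mark=no-mark action=mark-connection \
    new-connection-mark=from_3g passthrough=yes \
    comment="Inbound via 3G"

# 2. Replies forwarded from the LAN servers (e.g. 192.168.0.156:8069)
#    inherit the routing mark of their connection. Matching only
#    in-interface=bridge1_LAN leaves the WAN-side packets of the same
#    connection in the main routing table.
add chain=prerouting in-interface=bridge1_LAN connection-mark=from_adsl \
    action=mark-routing new-routing-mark=via_adsl passthrough=no
add chain=prerouting in-interface=bridge1_LAN connection-mark=from_3g \
    action=mark-routing new-routing-mark=via_3g passthrough=no

# 3. Replies generated by the router itself (ping, management access).
add chain=output connection-mark=from_adsl \
    action=mark-routing new-routing-mark=via_adsl passthrough=no
add chain=output connection-mark=from_3g \
    action=mark-routing new-routing-mark=via_3g passthrough=no

/ip route
# 4. One default route per routing mark, distance=1 so nothing else in
#    the marked table shadows it. The unmarked default routes from the
#    question stay in place for LAN-initiated traffic.
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=via_adsl \
    distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=via_3g \
    distance=1 check-gateway=ping

# Verification while a connection from the 3G side is open:
#   /ip firewall connection print where connection-mark=from_3g
#   /ip route print where routing-mark=via_3g
```

If a connection from the 3G side still stalls in syn received, the connection entry should show the from_3g mark; if it does not, the mark-connection rule is ordered after another rule that already consumed the packet (passthrough=no), since mangle rules are evaluated top to bottom.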

Source: https://serverfault.com/questions/658361