Firewall

MikroTik Load Balancing

Configuration export from the gateway router:

/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=LAN
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=ISP1
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=ISP2

/ ip firewall mangle
add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=LAN
add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection \
    new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection \
    new-connection-mark=ISP2_conn
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing \
    new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing \
    new-routing-mark=to_ISP2
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping

/ ip firewall nat 
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade

Explanations:

/ ip address add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=LAN

add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=ISP1

add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=ISP2

The router has ISP interfaces with the addresses 10.111.0.2/24 and 10.112.0.2/24. The LAN interface has the IP address 192.168.0.1/24.

Policy routing

/ ip firewall mangle

add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=LAN

add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=LAN

With policy routing it is possible to force traffic to a specific gateway, even when that traffic is destined for hosts (other than the gateway itself) on the connected networks. This creates a routing loop, and communication with those hosts becomes impossible. To avoid this, we need to allow the default routing table to be used for traffic to the connected networks.

add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection new-connection-mark=ISP1_conn

add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection new-connection-mark=ISP2_conn

First, connections initiated from outside need to be handled.

add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn

add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn

We split the traffic into two streams based on the source and destination addresses.

add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP1

add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP2

add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1

add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

Because this routing is required only for traffic going to the Internet, do not forget to specify the in-interface option.

/ ip route add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_ISP1 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_ISP2 check-gateway=ping

Create a route for each routing mark.

add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping
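
The following Python check is an added example, not part of the original configuration: it parses an export like the one above (continuation lines joined) and reports any per-connection-classifier remainder without a rule, any connection mark without a mark-routing rule, and any routing mark without a route. The function names and the CONFIG sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: the page's PCC, mark-routing and route rules, one per line.
CONFIG = """\
/ ip firewall mangle
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP2
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_ISP2 check-gateway=ping
"""

def parse(text):
    """Return a list of (menu, {key: value}) pairs, one per 'add' line."""
    menu, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = " ".join(line.lstrip("/").split())
        elif line.startswith("add "):
            rules.append((menu, dict(re.findall(r"([\w-]+)=(\S+)", line))))
    return rules

def audit(text):
    """Report gaps in the PCC -> connection-mark -> routing-mark -> route chain."""
    rules, problems = parse(text), []
    mangle = [r for m, r in rules if m == "ip firewall mangle"]
    routed = {r["routing-mark"] for m, r in rules if m == "ip route" and "routing-mark" in r}
    remainders, conn_marks = defaultdict(set), set()
    for r in mangle:
        if "per-connection-classifier" in r:
            # Value looks like both-addresses:2/0 -> denominator 2, remainder 0.
            den, rem = map(int, r["per-connection-classifier"].rsplit(":", 1)[1].split("/"))
            remainders[den].add(rem)
            conn_marks.add(r.get("new-connection-mark", "(unset)"))
    for den, rems in remainders.items():
        for missing in sorted(set(range(den)) - rems):
            problems.append(f"PCC {den}/{missing} has no rule")
    to_route = {r.get("connection-mark"): r.get("new-routing-mark")
                for r in mangle if r.get("action") == "mark-routing"}
    for mark in sorted(conn_marks):
        if mark not in to_route:
            problems.append(f"{mark} has no mark-routing rule")
        elif to_route[mark] not in routed:
            problems.append(f"{to_route[mark]} has no route")
    return problems
```

Traffic that matches no PCC rule stays unmarked and follows the main routing table, so a missing remainder silently pins that share of connections to one uplink.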

NAT

/ ip firewall nat

add chain=srcnat out-interface=ISP1 action=masquerade

add chain=srcnat out-interface=ISP2 action=masquerade
