How to reply through the same gateway a connection came in on, in RouterOS?

I have a MikroTik RouterOS 6.23 device, and my network looks like this:

```
Router
 |
 |-- bridge1_LAN (wlan1 + ether1) (192.168.0.210) -- LAN (192.168.0.0/24)
 |     Here is where computers are. Those include some servers and some users.
 |     Users should be able to navigate always, and servers should
 |     be reachable online always.
 |
 |-- ether2_ADSL (192.168.2.2) -- ADSL router (192.168.2.1) -- WAN
 |     Users should navigate through here because there is no traffic limit.
 |     Incoming traffic should work exactly as with ether3_3G, as a temporary
 |     backup solution in case it fails.
 |
 |-- ether3_3G (192.168.3.2) -- 3G router (192.168.3.1) -- WAN
       This connection has a traffic limit, but faster upload rate, so it's mainly
       for incoming traffic. In case ether2_ADSL fails, this should be used as a
       temporary backup connection for outgoing traffic.
```

Now, the relevant configuration:

```
/ip firewall mangle
# This rule is disabled because, when enabled, users cannot browse Internet
add action=mark-routing chain=prerouting connection-mark=no-mark disabled=yes \
    in-interface=ether2_ADSL new-routing-mark=to_ether2_ADSL passthrough=no
# This marks all traffic coming from ether3_3G to get out through there too
add action=mark-routing chain=prerouting in-interface=ether3_3G \
    new-routing-mark=to_ether3_3G passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2_ADSL
add action=masquerade chain=srcnat out-interface=ether3_3G
# This is just an example web server listening in port 8069, for testing purposes
add action=dst-nat chain=dstnat comment="Test server" dst-port=8069 \
    in-interface=ether2_ADSL protocol=tcp to-addresses=192.168.0.156 \
    to-ports=8069
add action=dst-nat chain=dstnat comment="Test server" dst-port=8069 \
    in-interface=ether3_3G protocol=tcp to-addresses=192.168.0.156 \
    to-ports=8069

/ip route
# Outgoing traffic by routing-mark
add check-gateway=ping distance=10 gateway=192.168.3.1 routing-mark=\
    to_ether3_3G
add check-gateway=ping distance=10 gateway=192.168.2.1 routing-mark=\
    to_ether2_ADSL
# Outgoing traffic by default
add check-gateway=ping distance=20 gateway=192.168.2.1
add check-gateway=ping distance=30 gateway=192.168.3.1
```

With this configuration, all traffic goes out through ether3_3G only when ether2_ADSL fails; otherwise (most of the time) it goes out through ether2_ADSL.

The problem now is that incoming connections only work through ether2_ADSL. Connections coming in from ether3_3G always stay in the syn received state.

It seems to me that incoming connections from ether3_3G reach the target server, but the responses go out through ether2_ADSL, which is why the TCP handshake never completes. In fact, if I physically unplug the ether2_ADSL cable, all connections to/from ether3_3G start working fine.

How can I fix this?

You will need to mark the connections coming from ether3_3G so that you can mark the replies to be routed back out through ether3_3G.

Here is an example configuration (untested):

```
/ip firewall mangle
add action=mark-connection chain=prerouting \
    comment="Mark connection so packets from 3G get returned to 3G properly" \
    disabled=no in-interface=ether3_3G new-connection-mark=3g-packets passthrough=no
add action=mark-routing chain=prerouting connection-mark=3g-packets disabled=no \
    new-routing-mark=3g-packets passthrough=no
add action=mark-routing chain=output connection-mark=3g-packets disabled=no \
    new-routing-mark=3g-packets passthrough=no

/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.3.1 \
    routing-mark=3g-packets
```

The first rule will set a connection-mark on any packet coming in from the ether3_3G interface.

The second and third rules will match the "replies" based on that connection mark and then put a routing-mark on those connections.

The second rule covers packets that are basically forwarded; the third covers replies that the router itself sends (for example, ping).

Finally, the last static route will route packets carrying that routing-mark out through the ether3_3G interface.
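As an added illustration that is not part of the question or the answer above, here is a small Python model of the mechanism the answer relies on: connection tracking remembers the connection-mark, so the server's reply, which enters the router from bridge1_LAN rather than ether3_3G, still receives the routing-mark and is sent to the 3G gateway. Interface names, marks and gateways come from the page; the packets are constructed and NAT is not modelled.

```python
# Added example, not RouterOS code: a minimal model of conntrack + mangle +
# route selection. Interface names, marks and gateways are from the page;
# packets are constructed and NAT is left out.

# Routes with a routing-mark (both the question's and the answer's marks
# point at the 3G router) and the lowest-distance default route.
GATEWAY_BY_MARK = {"to_ether3_3G": "192.168.3.1", "3g-packets": "192.168.3.1"}
DEFAULT_GATEWAY = "192.168.2.1"


def conn_key(pkt):
    """Connection-tracking key: the same for both directions of a flow."""
    return tuple(sorted([(pkt["src"], pkt["sport"]), (pkt["dst"], pkt["dport"])]))


def pick_gateway(pkt, conntrack, mark_connections):
    """Apply the prerouting mangle rules to one packet and choose its gateway.

    mark_connections=False: the question's config (mark-routing only when the
    packet itself arrived on ether3_3G).
    mark_connections=True: the answer's config (mark-connection on arrival,
    mark-routing for every packet whose connection carries that mark).
    """
    entry = conntrack.setdefault(conn_key(pkt), {"connection-mark": None})
    routing_mark = None
    if pkt["in-interface"] == "ether3_3G":
        if mark_connections:
            entry["connection-mark"] = "3g-packets"   # mark-connection rule
        else:
            routing_mark = "to_ether3_3G"             # mark-routing by in-interface
    if mark_connections and entry["connection-mark"] == "3g-packets":
        routing_mark = "3g-packets"                   # mark-routing by connection-mark
    return GATEWAY_BY_MARK.get(routing_mark, DEFAULT_GATEWAY)


def reply_gateway(mark_connections):
    """Gateway chosen for the test server's SYN-ACK to a SYN that came in on 3G."""
    conntrack = {}
    # Constructed SYN from an Internet client, shown with the server's address
    # as destination (dst-nat to 192.168.0.156:8069 is not modelled).
    syn = {"src": "203.0.113.9", "sport": 40000,
           "dst": "192.168.0.156", "dport": 8069, "in-interface": "ether3_3G"}
    pick_gateway(syn, conntrack, mark_connections)
    # The reply enters the router from the LAN bridge, not from ether3_3G.
    syn_ack = {"src": "192.168.0.156", "sport": 8069,
               "dst": "203.0.113.9", "dport": 40000, "in-interface": "bridge1_LAN"}
    return pick_gateway(syn_ack, conntrack, mark_connections)
```

With the question's rules the reply goes to 192.168.2.1 (the ADSL default route), which is the asymmetric path that leaves the handshake stuck; with the answer's rules it goes to 192.168.3.1.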