My main question is still that connections from outside don't seem to get into the NAS smoothly (even though 51413 is already NATed), so the upload traffic is very low. Inbound should depend on the NAT, right?
Anyway, here are the mangle rules as well; the BT traffic they mark out at the moment roughly matches what I see on the NAS!
/ip firewall mangle
add action=mark-routing chain=prerouting comment="=\\AFS\\A9wIP\\A8\\AB\\A4\\A3\\A6PPPPOE=" new-routing-mark=pppoe_S passthrough=no \
src-address=192.168.2.20-192.168.2.39
add action=mark-routing chain=prerouting new-routing-mark=pppoe_F_NAS passthrough=no src-address=192.168.2.6
add action=mark-connection chain=prerouting comment="=NAS BT \\AB\\CA\\A5]-\\A4U\\B8\\FC=" dst-port=!5000-5006,9091,80,443,21,55536-55539 \
in-interface=pppoe-out_F_NAS new-connection-mark=CONN_IN_p2p protocol=tcp
add action=mark-connection chain=prerouting dst-port=!5000-5006,9091,80,443,21,55536-55539 in-interface=pppoe-out_F_NAS \
new-connection-mark=CONN_IN_p2p protocol=udp
add action=mark-packet chain=prerouting connection-mark=CONN_IN_p2p new-packet-mark=PG_IN_p2p passthrough=no
add action=mark-connection chain=postrouting comment="=NAS BT \\AB\\CA\\A5]-\\A4W\\B6\\C7=" new-connection-mark=CONN_OUT_p2p \
out-interface=pppoe-out_F_NAS protocol=udp src-address=192.168.2.6 src-port=51413
add action=mark-connection chain=postrouting new-connection-mark=CONN_OUT_p2p out-interface=pppoe-out_F_NAS protocol=tcp \
src-address=192.168.2.6 src-port=51413
add action=mark-packet chain=postrouting connection-mark=CONN_OUT_p2p new-packet-mark=PG_OUT_p2p passthrough=no
add action=mark-connection chain=prerouting comment="=NAS \\A4@\\AF\\EB\\AB\\CA\\A5]=" dst-port=5000-5006,9091,80,443,21,55536-55539 \
in-interface=pppoe-out_F_NAS new-connection-mark=CONN_IN_NAS protocol=tcp
add action=mark-packet chain=prerouting connection-mark=CONN_IN_NAS new-packet-mark=PG_IN_NAS passthrough=no
add action=mark-connection chain=postrouting new-connection-mark=CONN_OUT_NAS out-interface=pppoe-out_F_NAS protocol=tcp src-port=\
5000-5006,9091,80,443,21,55536-55539
add action=mark-packet chain=postrouting connection-mark=CONN_OUT_NAS new-packet-mark=PG_OUT_NAS passthrough=no
gfx wrote:
Search for and install Pin... on your phone (snipped)
It really can't be pinged. I raised a similar problem before, figured that if it can't be pinged so be it, and set it aside for now.
I have created 3 PPPoE connections in total: the PPPoE used for general internet access can be pinged, but the NAS and the one going out over the dial-up static IP cannot.
However, I previously used a virtual machine to connect outward and check the external IP, and it really did show the IP of the static-IP PPPoE assigned by the routing plan, which is different from the IP my ordinary browsing PC gets.
/ip firewall mangle
add action=mark-routing chain=prerouting comment="=\\AFS\\A9wIP\\A8\\AB\\A4\\A3\\A6PPPPOE=" new-routing-mark=RM_pppoe_S passthrough=no \
src-address=192.168.2.20-192.168.2.39
add action=mark-routing chain=prerouting new-routing-mark=RM_pppoe_F_NAS passthrough=no src-address=192.168.2.6
/ip firewall nat
add action=masquerade chain=srcnat comment="PPPoE NAT \\B3v\\B5\\A7" out-interface=pppoe-out_F_NAS src-address-list=NAS
add action=masquerade chain=srcnat out-interface=pppoe-out_S src-address-list=Static_PPPOE
add action=masquerade chain=srcnat out-interface=pppoe-out_F src-address=192.168.2.0/24
/ip route
add check-gateway=ping distance=1 gateway=pppoe-out_S routing-mark=RM_pppoe_S
add check-gateway=ping distance=1 gateway=pppoe-out_F_NAS routing-mark=RM_pppoe_F_NAS
add check-gateway=ping distance=1 gateway=pppoe-out_F
These are my settings for making different devices go out via different PPPoEs.
Since the devices' external IPs show correctly, if they can't be pinged then, as gfx says, the Policy Routing isn't planned properly.
Please point out what I have missed, thanks!
deanma wrote:
It really can't be pinged, ...(snipped)
Let me respond to the Policy Routing first.
Assuming you are using a Synology NAS, my corrected Policy Routing is:
https://dl.dropboxusercontent.com/u/34743921/deanma.txt
A few points to check:
1. Devices on both the LAN and the WAN must be able to ping both of the router's PPPoE IPs.
2. A VPN client must be able to connect to the VPN server using either of RouterOS's PPPoE IPs as the address.
3. From the LAN or the WAN, using either of RouterOS's PPPoE IPs as the address must reach the NAS page.
4. From the WAN, using a PPPoE IP as the URL is forwarded to the NAS; from the LAN, using a PPPoE IP as the URL goes to the RouterOS web UI.
gfx wrote:
Let me respond to the Policy...(snipped)
Thanks for the reply, gfx. After adding
/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=pppoe-out_F new-connection-mark=pppoe-out_F_conn
add action=mark-routing chain=output connection-mark=pppoe-out_F_conn new-routing-mark=RM_pppoe_F passthrough=no
the NAS's external IP can indeed be pinged from outside,
and the earlier problem of not being able to ping the NAS after connecting in over VPN is solved as well.
I still have to digest the rest of the settings,
but first I'd like to ask what the following settings are for:
add chain=prerouting dst-address=192.168.2.0/24 src-address=192.168.2.0/24
Does this mean traffic between hosts on the LAN bypasses the chain and isn't processed?
add chain=prerouting dst-address-type=local src-address=192.168.2.0/24
I see many configs include dst-address-type=local, but I don't really understand what it actually does.
/ip firewall address
add list=DNS-Server address=168.95.192.1
add list=DNS-Server address=168.95.1.1
add list=DNS-Server address=8.8.8.8
add list=DNS-Server address=8.8.4.4
/ip firewall nat
add chain=dstnat comment="DNS\\A6\\F8\\AAA\\BE\\B9" src-address-list=DNS-Server
What does this set of rules do?
The DNS servers are all external, so what is the point of setting up NAT for them?
That's all, thanks!
deanma wrote:
But first I'd like to ask what the following settings are for:
add chain=prerouting dst-address=192.168.2.0/24 src-address=192.168.2.0/24
add chain=prerouting dst-address-type=local src-address=192.168.2.0/24
(snipped)
They are there so that data exchanged between the LAN and the router's local addresses is not mis-sent out to the public network by Policy Routing.
192.168.2.0/24 covers only your LAN; the more correct way is to use an address-list,
so that data exchanged among the LAN segment, the VPN segment and local stays only between them and has nothing to do with the public network.

deanma wrote:
I see many configs include dst-address-type=local, but I don't really understand what it actually does.
(snipped)
Every address in the /ip address list counts as local,
so both PPPoE IPs and the gateway IP (192.168.2.1) are included in the "local list".

Think again about the relationship between src-address and dst-address and you'll get it.
deanma wrote:
/ip firewall address
add list=DNS-Server address=168.95.192.1
add list=DNS-Server address=168.95.1.1
add list=DNS-Server address=8.8.8.8
add list=DNS-Server address=8.8.4.4
/ip firewall nat
add chain=dstnat comment="DNS\\A6\\F8\\AAA\\BE\\B9" src-address-list=DNS-Server
(snipped)
Because you have a NAS, for BT transfers I used a DMZ approach to forward all packets arriving on pppoe-out_F to 192.168.2.6:
add action=dst-nat chain=dstnat comment="NAS" dst-address-type=local in-interface=pppoe-out_F to-addresses=192.168.2.6
But doing that also redirects all reply packets coming back via pppoe-out_F to 192.168.2.6,
so computers using pppoe-out_F can't receive the remote servers' replies properly and their connections break.

To solve the problem of packets meant for 192.168.2.X being forwarded to 192.168.2.6 instead,
I used a pile of exceptions:
not just DNS, but also VPN, WWW, e-mail... and others. That is the reason.
As long as they are excluded beforehand, the DMZ rule cannot forward connections that don't belong to it to 192.168.2.6.

Because they are exceptions, the exclusions must be placed before the NAS DMZ rule. That's it.
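Added example, not code from the thread: a small Python model of the first-match mangle prerouting chain gfx describes above, showing why the two LAN-to-LAN / LAN-to-local bypass rules must sit before deanma's mark-routing rules. The public PPPoE addresses (203.0.113.x) are constructed placeholders.

```python
import ipaddress
from typing import Optional

# Constructed model (not RouterOS itself) of a first-match mangle prerouting
# chain: the first matching rule decides, because every rule here is either an
# accept (no action given) or mark-routing with passthrough=no.
LAN = ipaddress.ip_network("192.168.2.0/24")
# Everything in /ip address counts as dst-address-type=local: the gateway IP
# plus the PPPoE IPs.  The two public addresses are constructed placeholders.
LOCAL = {ipaddress.ip_address(a)
         for a in ("192.168.2.1", "203.0.113.10", "203.0.113.11")}

def src_matches(addr, spec):
    """spec is a network, a (first, last) address range, or a single address."""
    if isinstance(spec, ipaddress.IPv4Network):
        return addr in spec
    if isinstance(spec, tuple):
        return spec[0] <= addr <= spec[1]
    return addr == spec

def rule_matches(rule, src, dst):
    if "src" in rule and not src_matches(src, rule["src"]):
        return False
    if "dst" in rule and dst not in rule["dst"]:
        return False
    if rule.get("dst_type") == "local" and dst not in LOCAL:
        return False
    return True

# gfx's two bypass rules: LAN-to-LAN and LAN-to-local leave the chain unmarked.
BYPASS = [
    {"src": LAN, "dst": LAN, "action": "accept"},
    {"src": LAN, "dst_type": "local", "action": "accept"},
]
# deanma's mark-routing rules from the thread (passthrough=no).
POLICY = [
    {"src": (ipaddress.ip_address("192.168.2.20"),
             ipaddress.ip_address("192.168.2.39")), "mark": "RM_pppoe_S"},
    {"src": ipaddress.ip_address("192.168.2.6"), "mark": "RM_pppoe_F_NAS"},
]

def routing_mark(src: str, dst: str, rules) -> Optional[str]:
    """Walk the chain top-down; None means the packet stays in the main table."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if rule_matches(rule, s, d):
            return rule.get("mark")  # accept -> None, mark-routing -> its mark
    return None

if __name__ == "__main__":
    for dst in ("192.168.2.1", "203.0.113.10", "8.8.8.8"):
        print("NAS ->", dst, "| with bypass:", routing_mark("192.168.2.6", dst, BYPASS + POLICY),
              "| without:", routing_mark("192.168.2.6", dst, POLICY))
```

Without the bypass rules the NAS's packets to the router's own gateway or PPPoE address get RM_pppoe_F_NAS, and that table holds nothing but the default route via pppoe-out_F_NAS, which is the misrouting gfx describes.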

Main router: RB2011UAS-2HnD / 192.168.99.1
metarouter: openwrt / 192.168.99.2 (locally on 192.168.99.2, udp/53 is intercepted and forwarded to udp/5353, which then sends out the DNS query)
I tried the setting below, but it doesn't work:
/ip firewall nat chain=dstnat action=dst-nat to-addresses=192.168.99.2 to-ports=53 protocol=udp dst-port=53
I also tried this:
/ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=redirect
/ip dns set servers=192.168.99.2
/ip dns set allow-remote-requests=yes
/ip dns static add name=router address=192.168.99.1
but that doesn't work either.
What I want to do is:
intercept all DNS requests from the LAN (& wireless) clients on the main router and forward them to 192.168.99.2 udp/53, so that 192.168.99.2 is the one that finally sends out the DNS query.
Has any ROS expert written a script like this?
Thanks!