gfx wrote:
Winbox遠端可...(恕刪)
現在後方還有其他設備,不太方便。
AKSN74 wrote:
那這樣可能要看更詳...(恕刪)
我從Log撈了一點資料,發現奇怪的點
192.168.100.199是VPN Client,192.168.100.241是後端電腦,從VPN Client送ping到後端電腦的packet出口錯了,
走到default route出口去了,而且被srcnat轉成public IP了、難怪回不來。
我有Mangle mark routing,但是routing table裡面192.168.100.0/24的distance是0、default route distance是1,理論上不應該走default route才對。
My Blog -> 白髮.青春 http://www.blogger.idv.tw/
AKSN74 wrote:
那這樣可能要看更詳...(恕刪)
補充一點資料。我在firewall input chain Log沒有看到從VPN Client送到RG450G的ping封包,也就是封包到firewall之前就不知道去哪了。
從RB450G上面terminal可以反過來ping VPN clinet的Local IP(192.168.100.xxx)。
所以RB450G -> VPN Client的routing table是正確,但反過來就不對。
My Blog -> 白髮.青春 http://www.blogger.idv.tw/
AKSN74 wrote:
其實我沒有特別去改Routing...(恕刪)
0 R name="ether1-gateway" default-name="ether6" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1522 mac-address=00:0C:42:XX:XX:XX fast-path=no
last-link-up-time=may/31/2015 09:11:23 link-downs=0
1 R name="ether2-gateway" default-name="ether2" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1520 max-l2mtu=1520 mac-address=00:0C:42:XX:XX:XX fast-path=no
last-link-up-time=may/31/2015 09:11:24 link-downs=0
2 R name="ether3-master-local" default-name="ether3" type="ether" mtu=1500
actual-mtu=1500 l2mtu=1520 max-l2mtu=1520 mac-address=00:0C:42:XX:XX:XX
fast-path=no last-link-down-time=may/31/2015 11:08:23
last-link-up-time=may/31/2015 11:08:27 link-downs=2
3 S name="ether4-slave-local" default-name="ether4" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1520 max-l2mtu=1520 mac-address=00:0C:42:XX:XX:XX fast-path=no link-downs=0
4 S name="ether5-slave-local" default-name="ether5" type="ether" mtu=1500 actual-mtu=1500
l2mtu=1520 max-l2mtu=1520 mac-address=00:0C:42:XX:XX:XX fast-path=no link-downs=0
5 DR name="<pptp-WilliamTaiMac>" type="pptp-in" mtu=1450 actual-mtu=1450 fast-path=no
last-link-up-time=may/31/2015 10:00:38 link-downs=0
6 R name="Hinet_Dyn" type="pppoe-out" mtu=1480 actual-mtu=1480 fast-path=no
last-link-down-time=may/31/2015 09:11:25 last-link-up-time=may/31/2015 09:11:25
link-downs=2
7 R name="Hinet_Static" type="pppoe-out" mtu=1480 actual-mtu=1480 fast-path=no
last-link-down-time=may/31/2015 09:12:19 last-link-up-time=may/31/2015 09:12:19
link-downs=2
Bridge的部分是空白的。
My Blog -> 白髮.青春 http://www.blogger.idv.tw/
AKSN74 wrote:
其實我沒有特別去改Routing...(恕刪)
# NAME MTU MAC-ADDRESS ARP MASTER-PORT SWITCH
0 R ether1-gateway 1500 00:0C:42:XX:XX:XX enabled none
1 R ether2-gateway 1500 00:0C:42:XX:XX:XX enabled none switch1
2 R ether3-mast... 1500 00:0C:42:XX:XX:XX proxy-arp none switch1
3 S ether4-slav... 1500 00:0C:42:XX:XX:XX enabled ether3-master-local switch1
4 S ether5-slav... 1500 00:0C:42:XX:XX:XX enabled ether3-master-local switch1
My Blog -> 白髮.青春 http://www.blogger.idv.tw/
WilliamTai wrote:多WAN設置VPN-Server時,最常遇到的錯誤情況即路由及NAT的問題.
補充一點資料。我在firewall...(恕刪)
若您的路由正常,任一個WAN都要可以當VPN的連線地址.
如果這個基本都不達,那設置即是失敗的.
下面的設置是必要的,一列都不能少,順序也不能錯. 您看缺了那些設置.
綠框框進的都得設置dst-address-type=local
PPPoE-IP自動更新腳本 ,以PPPoE1為例:
:local publicip1 [/ip address get [find interface="pppoe-out1"] address]
:set publicip1 [:pick $publicip1 0 [:find $publicip1 "/"]]
:set publicip1 [:toip $publicip1]
:local pppoe1 [/ip firewall address-list get [find list="PPPoE1"] address]
:if ($publicip1!=$pppoe1) do={/ip firewall address-list set [find list="PPPoE1"] address=$publicip1}
WilliamTai wrote:chain=prerouting dst-address-type=local src-address-list=All-Lan
第二張圖關於Mangle rule的部分不太懂,那一條Mangle rule Gerneral分頁設定內容是什麼?
為何需要script update PPPoE list?您的PPPoE有可能是浮動ip ,所以用腳本去比對address-list的ip.
不一樣的話把清單舊PPPoE1-ip更新掉.
Mangle標記說明:
0-2: 設定不被標記內的用戶
4: 連線目的地為PPPoE1者,標記為pppoe1_conn
6: 當pppoe1_conn的目的為Router ,回覆時Router從PPPoE1接口送出封包
7: 當pppoe1_conn的目的為網內的Server ,回覆時Server從PPPoE1接口送出封包
12: 當Router用PPPoE1當來源(src)主動向外連接時,從PPPoE1接口送出封包.
內文搜尋
從 APP 打開
X