[研究所] MikroTik RouterOS 學習 (持續更新) (第444頁)

gfx
個人積分：1603分
文章編號：58752416

1603分

4431樓

2015-12-31 16:16

jchcc wrote:
不好意思請教一下小...(恕刪)

修正:
/interface pppoe-client
add comment="PPPOE\\BC\\B7\\B1\\B5\\B3]\\A9w" disabled=no interface=ether1-wan \
max-mru=1480 max-mtu=1480 name=pppoe-out-ip password=password \
use-peer-dns=yes user=account@ip.hinet.net

add add-default-route=yes comment="PPPOE\\BC\\B7\\B1\\B5\\B3]\\A9w" disabled=no \
interface=ether1-wan max-mru=1480 max-mtu=1480 name=pppoe-out1 password=\
password use-peer-dns=yes user=account@hinet.net

/ip firewall nat
add action=masquerade chain=srcnat comment="NAT Loopback" dst-address=\
192.168.88.236 src-address=192.168.88.0/24

add action=dst-nat chain=dstnat dst-address=122.117.116.73 dst-port=5000-5001 \
protocol=tcp to-addresses=192.168.88.236

add action=masquerade chain=srcnat out-interface=pppoe-out-ip

add action=masquerade chain=srcnat out-interface=pppoe-out1

/ip firewall mangle
add action=mark-connection chain=prerouting in-interface=pppoe-out-ip \
new-connection-mark=pppoe-out-ip_conn

add action=mark-routing chain=output connection-mark=pppoe-out-ip_conn \
new-routing-mark=NAS passthrough=no

add action=mark-routing chain=prerouting connection-mark=pppoe-out-ip_conn \
new-routing-mark=NAS src-address=192.168.88.236 passthrough=no

add action=mark-routing chain=prerouting comment=NAS new-routing-mark=NAS \
passthrough=no src-address=192.168.88.236

/ip route
add distance=1 gateway=pppoe-out-ip routing-mark=NAS

jchcc

jchcc
個人積分：12分
文章編號：58753231

12分

4432樓

2015-12-31 17:25

gfx wrote:
修正:/interface...(恕刪)

OK了
原來是標記沒做好
感謝協助

小欷o

小欷o
個人積分：1分
文章編號：58765088

1分

4433樓

2016-01-02 10:39

gfx wrote:
在命令視窗輸入:/ip...(恕刪)

不好意思gfx大 .. 先前因為設備在家中 ~ 然後亂搞之後連不回去
現在終於拿到設備了 (感動
再麻煩請您過目一下 ~ 謝謝

/ip firewall filter
add action=drop chain=input comment="\\A5\\E1\\B1\\F3\\ABD\\AAk\\B3s\\B1\\B5" \
connection-state=invalid
add action=drop chain=input comment=\
"\B1\B4\B4\FA\A8\C3\A5\E1\B1\F3\B0\F0\B1\BD\B4y\B3s\B1\B5" protocol=tcp \
psd=21,3s,3,1
add action=tarpit chain=input comment="\\C0\\A3\\A8\\EEDDoS" connection-limit=3,32 \
protocol=tcp src-address-list=black_list
add action=add-src-to-address-list address-list=black_list \
address-list-timeout=1d chain=input comment="\\B1\\B4\\B4\\FADDoS" \
connection-limit=10,32 protocol=tcp
add action=drop chain=input comment="\\A5\\E1\\B1\\BC\\ABD\\A5\\BB\\A6a\\BC\\C6\\BE\\DA" \
dst-address-type=!local
add action=drop chain=input comment="\\A5\\E1\\B1\\F3\\ABD\\B3\\E6\\BC\\BD\\BC\\C6\\BE\\DA" \
src-address-type=!unicast
add action=jump chain=input comment="\\B8\\F5\\C2\\E0\\A8\\ECICMP" jump-target=ICMP \
protocol=icmp
add action=jump chain=input comment="\\B8\\F5\\C2\\E0\\A8\\EC\\AFf\\ACr\\AA\\ED" \
jump-target=virus protocol=tcp
add chain=ICMP comment="Ping\\A6^\\C0\\B3\\AD\\AD\\A8\\EE\\A8C\\AC\\ED5\\AD\\D3\\AB\\CA\\A5]" \
icmp-options=0 limit=5,5 protocol=icmp
add chain=ICMP comment="Traceroute \\AD\\AD\\A8\\EE\\A8C\\AC\\ED5\\AD\\D3\\AB\\CA\\A5]" \
icmp-options=3:3 limit=5,5 protocol=icmp
add chain=ICMP comment=\
"MTU\BDu\B8\F4\B1\B4\B4\FA\AD\AD\A8\EE\A8C\AC\ED5\AD\D3\AB\CA\A5]" \
icmp-options=3:4 limit=5,5 protocol=icmp
add chain=ICMP comment="Ping\\BD\\D0\\A8D\\AD\\AD\\A8\\EE\\A8C\\AC\\ED5\\AD\\D3\\AB\\CA\\A5]" \
icmp-options=8 limit=5,5 protocol=icmp
add chain=ICMP comment="Trace TTL \\AD\\AD\\A8\\EE\\A8C\\AC\\ED5\\AD\\D3\\AB\\CA\\A5]" \
icmp-options=11 limit=5,5 protocol=icmp
add action=drop chain=ICMP comment="\\A5\\E1\\B1\\F3\\A9\\D2\\A6\\B3ICMP\\BC\\C6\\BE\\DA" \
protocol=icmp
add chain=forward comment="\\B1\\B5\\A8\\FC\\A4w\\B3s\\B1\\B5\\AA\\BA\\BC\\C6\\BE\\DA" \
connection-state=established
add chain=forward comment="\\B1\\B5\\A6\\AC\\AC\\DB\\C3\\F6\\BC\\C6\\BE\\DA" \
connection-state=related
add action=drop chain=forward comment="\\A5\\E1\\B1\\F3\\ABD\\AAk\\BC\\C6\\BE\\DA" \
connection-state=invalid
add action=drop chain=forward comment=\
"\A5\E1\B1\F3\ABD\B3\E6\BC\BD\BC\C6\BE\DA" src-address-type=!unicast
add action=jump chain=forward comment="\\B8\\F5\\C2\\E0\\A8\\ECICMP" jump-target=ICMP \
protocol=icmp
add action=jump chain=forward comment="\\B8\\F5\\C2\\E0\\A8\\EC\\AFf\\ACr\\AA\\ED" \
jump-target=virus
add action=drop chain=virus comment=DeepThroat.Trojan-1 dst-port=41 protocol=\
tcp
add action=drop chain=virus comment=Worm.NetSky.Y@mm dst-port=82 protocol=tcp
add action=drop chain=virus comment=W32.Korgo.A/B/C/D/E/F-1 dst-port=113 \
protocol=tcp
add action=drop chain=virus comment=W33.Korgo.A/B/C/D/E/F-2 dst-port=2041 \
protocol=tcp
add action=drop chain=virus comment=DeepThroat.Trojan-2 dst-port=3150 protocol=\
tcp
add action=drop chain=virus comment=W32.Korgo.A/B/C/D/E/F-3 dst-port=3067 \
protocol=tcp
add action=drop chain=virus comment=Backdoor.IRC.Aladdinz.R-1 dst-port=3422 \
protocol=tcp
add action=drop chain=virus comment=W32.Korgo.A/B/C/D/E/F-4 dst-port=6667 \
protocol=tcp
add action=drop chain=virus comment=Worm.NetSky.S/T/U@mm dst-port=6789 \
protocol=tcp
add action=drop chain=virus comment=Back.Orifice.2000.Trojan-1 dst-port=8787 \
protocol=tcp
add action=drop chain=virus comment=Back.Orifice.2000.Trojan-2 dst-port=8879 \
protocol=tcp
add action=drop chain=virus comment=W32.Dabber.A/B-2 dst-port=8967 protocol=tcp
add action=drop chain=virus comment=W32.Dabber.A/B-3 dst-port=9999 protocol=tcp
add action=drop chain=virus comment=Block.NetBus.Trojan-2 dst-port=20034 \
protocol=tcp
add action=drop chain=virus comment=GirlFriend.Trojan-1 dst-port=21554 \
protocol=tcp
add action=drop chain=virus comment=Back.Orifice.2000.Trojan-3 dst-port=31666 \
protocol=tcp
add action=drop chain=virus comment=Backdoor.IRC.Aladdinz.R-2 dst-port=43958 \
protocol=tcp
add action=drop chain=virus comment=DeepThroat.Trojan-3 dst-port=999 protocol=\
tcp
add action=drop chain=virus comment=DeepThroat.Trojan-4 dst-port=6670 protocol=\
tcp
add action=drop chain=virus comment=DeepThroat.Trojan-5 dst-port=6771 protocol=\
tcp
add action=drop chain=virus comment=DeepThroat.Trojan-6 dst-port=60000 \
protocol=tcp
add action=drop chain=virus comment=DeepThroat.Trojan-7 dst-port=2140 protocol=\
tcp
add action=drop chain=virus comment=Portal.of.Doom.Trojan-1 dst-port=10067 \
protocol=tcp
add action=drop chain=virus comment=Portal.of.Doom.Trojan-2 dst-port=10167 \
protocol=tcp
add action=drop chain=virus comment=Portal.of.Doom.Trojan-3 dst-port=3700 \
protocol=tcp
add action=drop chain=virus comment=Portal.of.Doom.Trojan-4 dst-port=9872-9875 \
protocol=tcp
add action=drop chain=virus comment=Delta.Source.Trojan-1 dst-port=6883 \
protocol=tcp
add action=drop chain=virus comment=Delta.Source.Trojan-2 dst-port=26274 \
protocol=tcp
add action=drop chain=virus comment=Delta.Source.Trojan-3 dst-port=4444 \
protocol=tcp
add action=drop chain=virus comment=Delta.Source.Trojan-4 dst-port=47262 \
protocol=tcp
add action=drop chain=virus comment=Eclypse.Trojan-1 dst-port=3791 protocol=tcp
add action=drop chain=virus comment=Eclypse.Trojan-2 dst-port=3801 protocol=tcp
add action=drop chain=virus comment=Eclypse.Trojan-3 dst-port=65390 protocol=\
tcp
add action=drop chain=virus comment=Y3K.RAT.Trojan-1 dst-port=5880-5882 \
protocol=tcp
add action=drop chain=virus comment=Y3K.RAT.Trojan-2 dst-port=5888-5889 \
protocol=tcp
add action=drop chain=virus comment=NetSphere.Trojan-1 dst-port=30100-30103 \
protocol=tcp
add action=drop chain=virus comment=NetSphere.Trojan-2 dst-port=30133 protocol=\
tcp
add action=drop chain=virus comment=NetMonitor.Trojan-1 dst-port=7300-7301 \
protocol=tcp
add action=drop chain=virus comment=NetMonitor.Trojan-2 dst-port=7306-7308 \
protocol=tcp
add action=drop chain=virus comment=FireHotcker.Trojan-1 dst-port=79 protocol=\
tcp
add action=drop chain=virus comment=FireHotcker.Trojan-2 dst-port=5031 \
protocol=tcp
add action=drop chain=virus comment=FireHotcker.Trojan-3 dst-port=5321 \
protocol=tcp
add action=drop chain=virus comment=TheThing.Trojan-1 dst-port=6400 protocol=\
tcp
add action=drop chain=virus comment=TheThing.Trojan-2 dst-port=7777 protocol=\
tcp
add action=drop chain=virus comment=GateCrasher.Trojan-1 dst-port=1047 \
protocol=tcp
add action=drop chain=virus comment=GateCrasher.Trojan-2 dst-port=6969-6970 \
protocol=tcp
add action=drop chain=virus comment=SubSeven-1 dst-port=2774 protocol=tcp
add action=drop chain=virus comment=SubSeven-2 dst-port=27374 protocol=tcp
add action=drop chain=virus comment=SubSeven-3 dst-port=1243 protocol=tcp
add action=drop chain=virus comment=SubSeven-4 dst-port=1234 protocol=tcp
add action=drop chain=virus comment=SubSeven-5 dst-port=6711-6713 protocol=tcp
add action=drop chain=virus comment=SubSeven-7 dst-port=16959 protocol=tcp
add action=drop chain=virus comment=Moonpie.Trojan-1 dst-port=25685-25686 \
protocol=tcp
add action=drop chain=virus comment=Moonpie.Trojan-2 dst-port=25982 protocol=\
tcp
add action=drop chain=virus comment=NetSpy.Trojan-3 dst-port=31337-31339 \
protocol=tcp
add action=drop chain=virus comment=Trojan dst-port=8102 protocol=tcp
add action=drop chain=virus comment=WAY.Trojan dst-port=8011 protocol=tcp
add action=drop chain=virus comment=Trojan.BingHe dst-port=7626 protocol=tcp
add action=drop chain=virus comment=Trojan.NianSeHoYian dst-port=19191 \
protocol=tcp
add action=drop chain=virus comment=NetBull.Trojan dst-port=23444-23445 \
protocol=tcp
add action=drop chain=virus comment=WinCrash.Trojan-1 dst-port=2583 protocol=\
tcp
add action=drop chain=virus comment=WinCrash.Trojan-2 dst-port=3024 protocol=\
tcp
add action=drop chain=virus comment=WinCrash.Trojan-3 dst-port=4092 protocol=\
tcp
add action=drop chain=virus comment=WinCrash.Trojan-4 dst-port=5714 protocol=\
tcp
add action=drop chain=virus comment=Doly1.0/1.35/1.5trojan-1 dst-port=1010-1012 \
protocol=tcp
add action=drop chain=virus comment=Doly1.0/1.35/1.5trojan-2 dst-port=1015 \
protocol=tcp
add action=drop chain=virus comment=TransScout.Trojan-1 dst-port=2004-2005 \
protocol=tcp
add action=drop chain=virus comment=TransScout.Trojan-2 dst-port=9878 protocol=\
tcp
add action=drop chain=virus comment=Backdoor.YAI..Trojan-1 dst-port=2773 \
protocol=tcp
add action=drop chain=virus comment=Backdoor.YAI.Trojan-2 dst-port=7215 \
protocol=tcp
add action=drop chain=virus comment=Backdoor.YAI.Trojan-3 dst-port=54283 \
protocol=tcp
add action=drop chain=virus comment=BackDoorTrojan-1 dst-port=1003 protocol=tcp
add action=drop chain=virus comment=BackDoorTrojan-2 dst-port=5598 protocol=tcp
add action=drop chain=virus comment=BackDoorTrojan-3 dst-port=5698 protocol=tcp
add action=drop chain=virus comment=SchainwindlerTrojan-2 dst-port=31554 \
protocol=tcp
add action=drop chain=virus comment=Shaft.DDoS.Trojan-1 dst-port=18753 \
protocol=tcp
add action=drop chain=virus comment=Shaft.DDoS.Trojan-2 dst-port=20432 \
protocol=tcp
add action=drop chain=virus comment=Devil.DDoS.Trojan dst-port=65000 protocol=\
tcp
add action=drop chain=virus comment=LatinusTrojan-1 dst-port=11831 protocol=tcp
add action=drop chain=virus comment=LatinusTrojan-2 dst-port=29559 protocol=tcp
add action=drop chain=virus comment=Snid.X2Trojan-1 dst-port=1784 protocol=tcp
add action=drop chain=virus comment=Snid.X2Trojan-2 dst-port=3586 protocol=tcp
add action=drop chain=virus comment=Snid.X2Trojan-3 dst-port=7609 protocol=tcp
add action=drop chain=virus comment=BionetTrojan-1 dst-port=12348-12349 \
protocol=tcp
add action=drop chain=virus comment=BionetTrojan-2 dst-port=12478 protocol=tcp
add action=drop chain=virus comment=BionetTrojan-3 dst-port=57922 protocol=tcp
add action=drop chain=virus comment=Worm.Novarg.a.Mydoom.a1. dst-port=3127 \
protocol=tcp
add action=drop chain=virus comment=Worm.BBeagle.a.Bagle.a. dst-port=6777 \
protocol=tcp
add action=drop chain=virus comment=Worm.BBeagle.b dst-port=8866 protocol=tcp
add action=drop chain=virus comment=Worm.BBeagle.c-g/j-l dst-port=2745 \
protocol=tcp
add action=drop chain=virus comment=Worm.BBeagle.p/q/r/n dst-port=2556 \
protocol=tcp
add action=drop chain=virus comment=Worm.BBEagle.m-2 dst-port=20742 protocol=\
tcp
add action=drop chain=virus comment=Worm.BBeagle.s/t/u/v dst-port=4751 \
protocol=tcp
add action=drop chain=virus comment=Worm.BBeagle.aa/ab/w/x-z-2 dst-port=2535 \
protocol=tcp
add action=drop chain=virus comment=Worm.LovGate.r.RpcExploit dst-port=5238 \
protocol=tcp
add action=drop chain=virus comment=Worm.Sasser.a dst-port=1068 protocol=tcp
add action=drop chain=virus comment=Worm.Sasser.b/c/f dst-port=5554 protocol=\
tcp
add action=drop chain=virus comment=Worm.Sasser.b/c/f dst-port=9996 protocol=\
tcp
add action=drop chain=virus comment=Worm.Sasser.d dst-port=9995 protocol=tcp
add action=drop chain=virus comment=Worm.Lovgate.a/b/c/d dst-port=10168 \
protocol=tcp
add action=drop chain=virus comment=Worm.Lovgate.v.QQ dst-port=20808 protocol=\
tcp
add action=drop chain=virus comment=Worm.Lovgate.f/g dst-port=1092 protocol=tcp
add action=drop chain=virus comment=Worm.Lovgate.f/g dst-port=20168 protocol=\
tcp
add action=drop chain=virus comment=ndm.requester dst-port=1363-1364 protocol=\
tcp
add action=drop chain=virus comment=screen.cast dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichainlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Backdoor.Optixprotocol dst-port=3410 \
protocol=tcp
add action=drop chain=virus comment=Worm.BBeagle.b dst-port=8888 protocol=tcp
add action=drop chain=virus comment=Delta.Source.Trojan-7 dst-port=44444 \
protocol=udp
add action=drop chain=virus comment=Worm.Sobig.f-3 dst-port=8998 protocol=udp
add action=drop chain=virus comment=Worm.Sobig.f-1 dst-port=123 protocol=udp
add action=drop chain=virus comment=Worm.Novarg.a.Mydoom.a2. dst-port=3198 \
protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=139 protocol=\
tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135 protocol=\
tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 protocol=\
tcp

gfx

gfx
個人積分：1603分
文章編號：58765707

1603分

4434樓

2016-01-02 12:07

小欷o wrote:
不好意思gfx大 ...(恕刪)

建議您將firewall filter項目全刪光,依您設的幾乎連入的封包全擋光光.
防護是要做沒錯,但這樣做太over了...

gfx

gfx
個人積分：1603分
文章編號：58768555

1603分

4435樓

2016-01-02 18:13

小欷o wrote:

建立firewall filter很簡單,只須留需保留的封包,其它未知的皆封鎖就好.
我給您個圖解:

藍字是允許的網路.
紅字是使Router為伺服器(如:PPTP/SSTP/L2TP/OVPN)
黑字是封鎖,沒被藍/紅定義的皆封鎖.

定義藍字的,小弟有設:
tcp port:80,443,8080 (一般網路)
tcp port:25,587 (e-mail)
udp port:123 (Time伺服器)
udp port:53 (DNS)
若還需開放其它的連接port,可參考TCP/UDP端口列表

定義紅字的,小弟有設:
tcp port:1723 (PPTP)
gre port (PPTP)
tcp port:443 (預設SSTP,可更改)
udp port:1701,500,4500 (L2TP/IPSec)
tcp port:1194 (預設OVPN,可更改)
tcp port:8291 (Winbox)
icmp port (加入可使遠端ping您的wan-ip,若不允許請勿加)

小欷o

小欷o
個人積分：1分
文章編號：58773301

1分

4436樓

2016-01-03 10:09

gfx wrote:
建立firewall...(恕刪)

謝謝G大指導 ..
已經有個大概雛形

/ip firewall filter
add chain=input comment="\\A4\\B9\\B3\\\\\\B0\\CF\\B0\\EC\\BA\\F4\\B8\\F4" src-address-list=\
All-Lan
add action=drop chain=input comment="Anti-DoS Attack" connection-limit=10,32 \
protocol=tcp src-port=!80
add action=drop chain=input comment="port scanners" protocol=tcp \
src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add chain=input comment="\\A4\\B9\\B3\\\\VPN" dst-port=1723 protocol=tcp
add chain=input protocol=gre
add chain=input protocol=tcp src-port=1723
add chain=input comment="\\A4\\B9\\B3\\\\DNS" src-address-list=DNS-Server
add chain=input comment="\\A4\\B9\\B3\\\\Winbox\\B3s\\BDu" dst-port=8291,8728 \
protocol=tcp
add chain=input comment="\\A4\\B9\\B3\\\\\\B6l\\A5\\F3\\A6\\F8\\AAA\\BE\\B9" protocol=tcp \
src-port=25,587
add chain=input comment="\\A4\\B9\\B3\\\\WWW\\A6\\F8\\AAA\\BE\\B9" protocol=tcp src-port=\
80,443,8080
add chain=input comment="\\A4\\B9\\B3\\\\\\AE\\C9\\B6\\A1\\A6\\F8\\AAA\\BE\\B9" dst-port=123 \
protocol=udp src-port=123
add action=drop chain=input comment=\
"\A5\E1\B1\F3\A5\BC\A9w\B8q\AA\BA\AB\CA\A5]"

另外想問的就是有點不懂... 這種設定方法應該是白名單對吧 ?
那怎麼設定完之後遊戲或是其他通訊軟體如RC、SK都還可以使用
我沒有要封鎖的意思.. 只是前幾周有看到您把防火牆條件拍出來
我當時就很納悶這樣不就很多東西無法使用了嗎 ?
還是說規則第一條就是關鍵 ? 允許所有區域網路使用
所以才會讓RC或其他軟體可以使用
謝謝您 ~

Mason.Lyu

Mason.Lyu
個人積分：664分
文章編號：58773838

664分

4437樓

2016-01-03 11:13

小欷o wrote:
那怎麼設定完之後遊戲或是其他通訊軟體如RC、SK都還可以使用
我沒有要封鎖的意思.. 只是前幾周有看到您把防火牆條件拍出來
我當時就很納悶這樣不就很多東西無法使用了嗎 ?

因為你沒有理解 chain 的定義

chain=input 指的是「對內」連線，對內到哪？對內到 RouterOS 本身
chain=output 指的是「對外」連線，由哪對外？由RouterOS本身對外
chain=forward 指的是「轉送」連線，何謂轉送？由RouterOS後端的網路設備「穿越」RouterOS到外網

你如果把chain=forward都封掉試看看，什麼通訊軟體就全掛了

chengjc

chengjc
個人積分：211分
文章編號：58787372

211分

4438樓

2016-01-04 16:10

請教前輩一些問題，
小弟的routeros有pppoe1（對應ether wan1）跟pppoe2（對應ether wan2）使用中，
常常發現firewall的connections常常數量好幾千，
但是小弟當時並沒有上網，
想說可能是webproxy被當做跳板了，
於是，小弟照著網路上的方法將所有連入webproxy port的全部檔下，
但是問題來了，他要選擇輸入的介面，
這個部分我一直搞不太懂，
到底是要選擇pppoe1，pppoe2，wan1，wan2，all ppp，all ethernet哪一個？？

我一直搞不太懂，pppoe1跟ethernet wan1這兩個有什麼不同？？

gfx

gfx
個人積分：1603分
文章編號：58788697

1603分

4439樓

2016-01-04 17:49

小欷o wrote:
謝謝G大指導 .....(恕刪)

#4415-#4418有您要的解答.
http://www.mobile01.com/topicdetail.php?f=110&t=3205444&p=442#58712529
重點在於chain是用input(分享器_A路徑) ,還是forward(區域網路_B路徑).

B路徑除非你有透過NAT,將封包往區網電腦送,
不然通常以防護A路徑(分享器)為主.

若您B路徑要想做到更細緻的防護,您就得熟識每台電腦與伺服器所需要TCP/UDP封包.
若不小心封鎖到,電腦或伺服器連線就有可能中斷.

所以對於往路由器(A路徑)的封包,因使用的PORT不多,應採"白名單";
對於往區網電腦(B路徑),因電腦功能多,使用的PORT不固定,則採"黑名單"會比較恰當.

ivan0826

ivan0826
個人積分：0分
文章編號：58789580

0分

4440樓

2016-01-04 19:28

你好，我想請教一下我現在跟官方的方式做pcc loadbalance，我的都是電訊公司給給的dynamic ip，但用一個gateway,可能這樣的情況導致我的loadbalance跑不了，fail over就可以

/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=input in-interface=WAN3 action=mark-connection new-connection-mark=WAN3_conn

add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=output connection-mark=WAN3_conn action=mark-routing new-routing-mark=to_WAN3

add chain=prerouting dst-address-type=!local in-interface=Bridge per-connection-classifier=both-addresses--and-ports:3/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Bridge per-connection-classifier=both-addresses--and-ports:3/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Bridge per-connection-classifier=both-addresses--and-ports:3/2 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes

add chain=prerouting connection-mark=WAN1_conn in-interface=Bridge action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Bridge action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting connection-mark=WAN3_conn in-interface=Bridge action=mark-routing new-routing-mark=to_WAN3

/ip route
add dst-address=0.0.0.0/0 gateway=WAN1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=WAN2 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=WAN3 routing-mark=to_WAN3 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=WAN1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=WAN2 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=WAN3 distance=3 check-gateway=ping

/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade

請問有什麼解決方案