拨号光纤如何实现DMZ？有三块网卡wan lan dmz

lsdeng · 发表于 2011-11-22 21:50:10

马上注册，结交更多好友，享用更多功能，让你轻松玩转社区。

您需要登录才可以下载或查看，没有账号？注册

×

拨号光纤如何实现DMZ？有三块网卡wan lan dmz

恳请高手指点！

zhjchina · 发表于 2011-11-22 23:00:11

将dmz网卡 netmap到wan口的第二个ip即可

lsdeng · 发表于 2011-11-22 23:04:23

zhjchina 发表于 2011-11-22 23:00

登录/注册后可看大图

将dmz网卡 netmap到wan口的第二个ip即可

第二个ip是指哪个ip 自己定义一个吗？

lsdeng · 发表于 2012-8-8 11:07:31

如何实现？

greney · 发表于 2012-8-10 14:32:05

/ip address
add address=192.168.0.1/24 interface=LAN
add address=172.16.0.1/24 interface=DMZ
add address=10.111.0.2/24 interface=ISP1
add address=10.112.0.2/24 interface=ISP2

/ip firewall address-list
add list=local-networks address=10.111.0.0/24
add list=local-networks address=10.112.0.0/24
add list=local-networks address=192.168.0.0/24
add list=local-networks address=172.16.0.0/24

/ip firewall mangle
add chain=prerouting src-address-list=local-networks dst-address-list=local-networks action=accept
add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting  in-interface=LAN connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting  in-interface=DMZ connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting  in-interface=DMZ connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP2
add chain=prerouting connection-mark=ISP1_conn in-interface=DMZ action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=DMZ action=mark-routing new-routing-mark=to_ISP2
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2

/ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping

/ip firewall nat
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade

这是官方的PCC DMZ脚本不知是否有效需要的用用吧

lsdeng · 发表于 2012-8-16 22:48:28

greney 发表于 2012-8-10 14:32

登录/注册后可看大图

/ip address
add address=192.168.0.1/24 interface=LAN
add address=172.16.0.1/24 interface=DMZ

谢谢指点！我测试一下

账号		自动登录	找回密码
密码			注册

[策略设置] 拨号光纤如何实现DMZ？有三块网卡wan lan dmz

马上注册，结交更多好友，享用更多功能，让你轻松玩转社区。

点评