求助 vrrp 分流

sjfff99

环境：1条pppoe进来 ，给了3个帐号 ，光猫出来1根线 接到24口普通交换机上 交换机上出2根线 一根接ros lan口。一个接wan口   做了vrrp 想实现1个帐号带 PC2台
  现在做好了在ip address 处可以看到三个外线的IP都获取到了， 客户机配制了IP后。上不了网。在ROS上ping 外网也是不通。
但是更改下 ip route   add comment=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=mian check-gateway=ping disabled=no distance=1  走主线 不走标记线路。上网什么的都正常可用
但是改回走标记。所有的机子就上不 了网
还有nat 处能不能做内网分流 add action=masquerade chain=srcnat comment=1 disabled=no out-interface=pppoe-out1 src address 192.168.1.1-192.168.1.5  分别做3个，行不行。？
在线等回复 QQ:1260647428
规则--------------------------------------
/interface vrrp
add name=vrrp1 disabled=no interface=WAN interval=1 vrid=1
add name=vrrp2 disabled=no interface=WAN interval=1 vrid=2
add name=vrrp3 disabled=no interface=WAN interval=1 vrid=3

/ip address
add address=11.11.11.1/24 disabled=no interface=WAN
add address=11.11.11.11/24 disabled=no interface=vrrp1
add address=11.11.11.12/24 disabled=no interface=vrrp2
add address=11.11.11.13/24 disabled=no interface=vrrp3

/interface pppoe-client
add name=pppoe-out1 interface=vrrp1 user=aaaa password=11111 disabled=no
add name=pppoe-out2 interface=vrrp2 user=bbbb password=22222 disabled=no
add name=pppoe-out3 interface=vrrp3 user=cccc password=33333 disabled=no

/ip firewall mangle

add action=mark-connection chain=input disabled=no in-interface=pppoe-out1 new-connection-mark=conn_pppoe-out1 passthrough=yes
add action=mark-routing chain=output connection-mark=conn_pppoe-out1 disabled=no new-routing-mark=router_1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=conn_pppoe-out1 disabled=no in-interface=LAN new-routing-mark=router_1 passthrough=yes


add action=mark-connection chain=input disabled=no in-interface=pppoe-out2 new-connection-mark=conn_pppoe-out2 passthrough=yes
add action=mark-routing chain=output connection-mark=conn_pppoe-out2 disabled=no new-routing-mark=router_2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=conn_pppoe-out2 disabled=no in-interface=LAN new-routing-mark=router_2 passthrough=yes


add action=mark-connection chain=input disabled=no in-interface=pppoe-out3 new-connection-mark=conn_pppoe-out3 passthrough=yes
add action=mark-routing chain=output connection-mark=conn_pppoe-out3 disabled=no new-routing-mark=router_3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=conn_pppoe-out3 disabled=no in-interface=LAN new-routing-mark=router_3 passthrough=yes

/ip route
add comment=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=router_1 check-gateway=ping disabled=no distance=1
add comment=2 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=router_2 check-gateway=ping disabled=no distance=1
add comment=3 dst-address=0.0.0.0/0 gateway=pppoe-out3 routing-mark=router_3 check-gateway=ping disabled=no distance=1

/ip firewall nat
add action=masquerade chain=srcnat comment=1 disabled=no out-interface=pppoe-out1
add action=masquerade chain=srcnat comment=2 disabled=no out-interface=pppoe-out2
add action=masquerade chain=srcnat comment=3 disabled=no out-interface=pppoe-out3

-----------------------------------------

cspm333

把vrrp的部份刪掉吧,不需要它.

/interface pppoe-client
add allow=pap interface=WAN max-mru=1492 max-mtu=1492 name=pppoe-out1 password=aaaa user=11111
add allow=pap interface=WAN max-mru=1492 max-mtu=1492 name=pppoe-out2 password=bbbb user=22222
add allow=pap interface=WAN max-mru=1492 max-mtu=1492 name=pppoe-out3 password=cccc user=33333

/ip firewall mangle
add action=accept chain=prerouting src-address=11.11.11.0/24 dst-address=11.11.11.0/24
add action=accept chain=prerouting src-address=11.11.11.0/24 dst-address-type=local
add action=accept chain=output dst-address=11.11.11.0/24
add action=mark-routing chain=prerouting new-routing-mark=route_1 \
  per-connection-classifier=src-address-and-port:3/0 src-address=11.11.11.0/24 passthrough=no
add action=mark-routing chain=prerouting new-routing-mark=route_2 \
  per-connection-classifier=src-address-and-port:3/1 src-address=11.11.11.0/24 passthrough=no
add action=mark-routing chain=prerouting new-routing-mark=route_3 \
  per-connection-classifier=src-address-and-port:3/2 src-address=11.11.11.0/24 passthrough=no
add action=mark-routing chain=output new-routing-mark=route_1 \
  per-connection-classifier=src-port:3/0 passthrough=no
add action=mark-routing chain=output new-routing-mark=route_2 \
  per-connection-classifier=src-port:3/1 passthrough=no
add action=mark-routing chain=output new-routing-mark=route_3 \
  per-connection-classifier=src-port:3/2 passthrough=no

/ip firewall nat
add action=masquerade chain=srcnat comment=1 out-interface=pppoe-out1
add action=masquerade chain=srcnat comment=2 out-interface=pppoe-out2
add action=masquerade chain=srcnat comment=3 out-interface=pppoe-out3

/ip route
add comment=0 dst-address=0.0.0.0/0 gateway=pppoe-out1 distance=5
add comment=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=router_1 distance=4
add comment=2 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=router_2 distance=4
add comment=3 dst-address=0.0.0.0/0 gateway=pppoe-out3 routing-mark=router_3 distance=4


补充内容 (2016-4-22 08:47):
小弟誤以為您是做PCC ,若只是單純分流在mangle指定:
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=route_1 \
src-address=11.11.11.10-11.11.11.20 passthrough=no

补充内容 (2016-4-22 09:04):
不管您在/ip firewall mangle新增什麼,請將manle範例中前3行action=accept保留並且置頂.
這3行是確保內網連系時不會因標記 將內網封包誤送網際網路(極重要!!)

sjfff99

Vrrrp 才是主要的功能。你发的这个不成啊，一线多拨。全部加wan口。IP都获取不到。有联系方式没。

cspm333

                               
登录/注册后可看大图

小弟以為您是做pcc ,已在2樓補充說明.
除mangle外,其餘的不變.

cspm333

註:
您的router設置了3組pppoe ,您的這3組pppoe理應皆可當網際網路入口.
若只有pppoe1可進入內網 ,另2組則無法...基本上就是port forward沒做好.

也就是沒做到:
pppoe1進,pppoe1出
pppoe2進,pppoe2出
pppoe3進,pppoe3出

若發生pppoe1進出正常,但pppoe2與pppoe3卻無法正常進出.
即代表從pppoe2與pppoe3進入的封包沒標記好,
使得原本該從pppoe2與pppoe3返回的封包卻誤送pppoe1(default route),
讓傳遞發生異常...

cblhj

学习了....