关于ROS映射的问题.
2.9.27 AD + 光纤以前还可以做映射,现在做映射,发现映射不出去!
请问下一般什么原因会导致映射不出去呢? 1.不知道你双线做了什么策略,一般是因为做了双线之后进出的数据包所走的线路不一致所走导致。
2. 因为没提供具体情况,所以不能提供解决方案,不过总的思路是跟踪从外网进来的数据包,做好标记,然后确保从原来进来的线路返回即可。
3.现实的网络拓扑千变万化,但是万变不离其宗。最终还是能用简单的思路来解决。 楼上的高手啊 你好歹发个截图,什么的吧,让大家猜啊?有时候问问题很也显示人的水平。 不好意思,首先谢谢各位.
大家看这个配置有没有什么问题?
/ ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1400 \
comment="更改MSS1440" disabled=no
add chain=prerouting src-address=192.168.0.0/24 dst-address-list=QQserver \
action=add-src-to-address-list address-list=dispc address-list-timeout=2m \
comment="發現QQ登陸自動斷線30分鍾." disabled=no
add chain=prerouting src-address=192.168.0.0/24 dst-address-list=qqgame \
action=add-src-to-address-list address-list=dispc address-list-timeout=2m \
comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=110 action=add-dst-to-address-list \
address-list=mail address-list-timeout=2m comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=25 action=add-dst-to-address-list \
address-list=mail address-list-timeout=2m comment="" disabled=no
add chain=prerouting in-interface=adsl action=mark-packet \
new-packet-mark=all-mark passthrough=yes comment="PCQ限速" disabled=no
add chain=prerouting src-address=192.168.0.1-192.168.10.255 \
action=mark-routing new-routing-mark=3 passthrough=yes comment="IP分流\
上走ADSL下走光纤" disabled=no
add chain=prerouting src-address=192.168.250.1-192.168.250.255 \
action=mark-routing new-routing-mark=1 passthrough=yes comment="" \
disabled=no
/ ip firewall nat
add chain=srcnat action=masquerade comment="" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=50s tcp-syn-received-timeout=30s \
tcp-established-timeout=1h tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
tcp-syncookie=yes
/ ip firewall filter
add chain=forward dst-address=59.148.180.30 protocol=tcp dst-port=80 \
src-address-list=lanaddr action=accept \
comment="只允许登陆ipaper18邮箱网站" disabled=no
add chain=forward dst-address=59.148.180.26 protocol=tcp dst-port=80 \
src-address-list=lanaddr action=accept comment="" disabled=no
add chain=forward protocol=tcp dst-port=80 src-address-list=lanaddr \
action=drop comment="" disabled=no
add chain=forward protocol=tcp src-address-list=!dispc action=accept \
comment="禁止QQ登陆,除邮箱外。" disabled=no
add chain=forward protocol=tcp dst-port=25 src-address-list=dispc \
action=accept comment="" disabled=no
add chain=forward protocol=tcp dst-port=110 src-address-list=dispc \
action=accept comment="" disabled=no
add chain=forward protocol=tcp src-address-list=dispc dst-address-list=mail \
action=accept comment="" disabled=no
add chain=forward src-address-list=dispc dst-address-list=!mail action=drop \
comment="" disabled=no
/ ip firewall address-list
add list=QQserver address=219.133.0.0/16 comment="" disabled=no
add list=QQserver address=58.61.32.0/24 comment="" disabled=no
add list=QQserver address=58.60.14.0/24 comment="" disabled=no
add list=QQserver address=218.6.2.0/24 comment="" disabled=no
add list=QQserver address=58.60.9.0/24 comment="" disabled=no
add list=QQserver address=58.60.15.0/24 comment="" disabled=no
add list=QQserver address=58.161.164.0/22 comment="" disabled=no
add list=QQserver address=58.251.60.0/24 comment="" disabled=no
add list=QQserver address=58.251.61.0/24 comment="" disabled=no
add list=QQserver address=58.251.62.0/24 comment="" disabled=no
add list=QQserver address=58.251.63.0/24 comment="" disabled=no
add list=qqgame address=61.172.204.148-61.172.204.215 comment="" disabled=no
add list=qqgame address=218.18.95.153 comment="" disabled=no
add list=qqgame address=60.28.232.12 comment="" disabled=no
add list=qqgame address=219.133.41.152 comment="" disabled=no
add list=qqgame address=210.22.23.197 comment="" disabled=no
add list=qqgame address=202.205.3.202 comment="" disabled=no
add list=qqgame address=202.104.241.19 comment="" disabled=no
add list=qqgame address=121.14.77.57-121.14.77.126 comment="" disabled=no
add list=qqgame address=172.16.13.2 comment="" disabled=no
add list=qqgame address=218.17.209.23 comment="" disabled=no
add list=qqgame address=58.61.166.136 comment="" disabled=no
add list=qqgame address=58.60.11.141-58.60.11.212 comment="" disabled=no
add list=lanaddr address=192.168.0.10 comment="" disabled=no
add list=lanaddr address=192.168.0.11 comment="" disabled=no
add list=lanaddr address=192.168.0.12 comment="" disabled=no
add list=lanaddr address=192.168.0.13 comment="" disabled=no
add list=lanaddr address=192.168.0.14 comment="" disabled=no
add list=lanaddr address=192.168.0.15 comment="" disabled=no
add list=lanaddr address=192.168.0.16 comment="" disabled=no
add list=lanaddr address=192.168.0.17 comment="" disabled=no
add list=lanaddr address=192.168.0.18 comment="" disabled=no
add list=lanaddr address=192.168.0.19 comment="" disabled=no
add list=lanaddr address=192.168.0.20 comment="" disabled=no
add list=lanaddr address=192.168.0.21 comment="" disabled=no
add list=lanaddr address=192.168.0.22 comment="" disabled=no
add list=lanaddr address=192.168.0.23 comment="" disabled=no
add list=lanaddr address=192.168.0.24 comment="" disabled=no
add list=lanaddr address=192.168.0.25 comment="" disabled=no
add list=lanaddr address=192.168.0.26 comment="" disabled=no
add list=lanaddr address=192.168.0.27 comment="" disabled=no
add list=lanaddr address=192.168.0.28 comment="" disabled=no
add list=lanaddr address=192.168.0.29 comment="" disabled=no
add list=lanaddr address=192.168.0.30 comment="" disabled=no
add list=lanaddr address=192.168.0.31 comment="" disabled=no
add list=lanaddr address=192.168.0.32 comment="" disabled=no
add list=lanaddr address=192.168.0.33 comment="" disabled=no
add list=lanaddr address=192.168.0.34 comment="" disabled=no
add list=lanaddr address=192.168.0.35 comment="" disabled=no
add list=lanaddr address=192.168.0.36 comment="" disabled=no
add list=lanaddr address=192.168.0.37 comment="" disabled=no
add list=lanaddr address=192.168.0.38 comment="" disabled=no
add list=lanaddr address=192.168.0.39 comment="" disabled=no
add list=lanaddr address=192.168.0.40 comment="" disabled=no
add list=lanaddr address=192.168.0.41 comment="" disabled=no
add list=lanaddr address=192.168.0.42 comment="" disabled=no
add list=lanaddr address=192.168.0.43 comment="" disabled=no
add list=lanaddr address=192.168.0.44 comment="" disabled=no
add list=lanaddr address=192.168.0.45 comment="" disabled=no
add list=lanaddr address=192.168.0.46 comment="" disabled=no
add list=lanaddr address=192.168.0.47 comment="" disabled=no
add list=lanaddr address=192.168.0.48 comment="" disabled=no
add list=lanaddr address=192.168.0.49 comment="" disabled=no
add list=lanaddr address=192.168.0.50 comment="" disabled=no
add list=lanaddr address=192.168.0.51 comment="" disabled=no
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=no
set quake3 disabled=no
set gre disabled=no
set pptp disabled=no 本帖最后由 zooyo 于 2011-3-5 01:27 编辑
是光纤进来还是AD进来?谁是默认线路?你发这么大一堆也没发到点子上啊。 看的 偶晕脑胀。。。上图直接 你有用到25110port表示你有建立Emailserver 在內網,給你幾個思路吧!
1.email主機须要固定IP的,你那个光纤是固定IP吗?如果是建议你 PCC + 策略路由的方式运用吧,因为email 主机须要使用 DNS解析域名,这样别人寄来的信件才会走你的固定IP近来,如果不是固定IP,你使用动态IP+DDNS解析域名,那你的主机会被当做垃圾邮件的制造者,大家的邮件主机几乎都不会接受你的信件!
2.看你的/ ip firewall address-list 配置我猜你的应该是 ROS 2927的,因为你的QQ拦截都是封锁IP地址,3.0的都是直接用 L7 封锁QQ所以你没法使用 PCC只能用 NTH,但是NTH不建议架设email主机的,建议换版本吧,3.24以上有PCC
3.可以参考我先前发布的范例PCC+策略分流 http://bbs.routerclub.com/forum.php?mod=viewthread&tid=45309
wanken 发表于 2011-3-5 10:34 static/image/common/back.gif
你有用到25110port表示你有建立Emailserver 在內網,給你幾個思路吧!
1.email主機须要固定IP的 ...
谢谢回答,这两天有点忙,没来看。
嗯。我也打算升级的。 不错不错:(:(
页:
[1]