CODE
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 \
    interface=local comment="added by setup" disabled=no
add address=221.0.X.218/29 network=221.0.X.216 broadcast=221.0.X.223 \
    interface=CNC comment="Connect to CNC WAN" disabled=no
add address=221.0.X.219/29 network=221.0.X.216 broadcast=221.0.X.223 \
    interface=CNC comment="" disabled=no
add address=221.0.X.220/29 network=221.0.X.216 broadcast=221.0.X.223 \
    interface=CNC comment="" disabled=no
add address=221.0.X.221/29 network=221.0.X.216 broadcast=221.0.X.223 \
    interface=CNC comment="" disabled=no
add address=221.0.X.222/29 network=221.0.X.216 broadcast=221.0.X.223 \
    interface=CNC comment="" disabled=no
CODE
/ ip route
add dst-address=0.0.0.0/0 preferred-source=0.0.0.0 gateway=221.0.X.217 \
    distance=1 comment="" disabled=no
CODE
/ ip firewall dst-nat
add dst-address=221.0.X.222/32 action=nat to-dst-address=192.168.0.2 \
    comment="" disabled=no
CODE
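/ ip firewall src-nat
add src-address=192.168.0.2/32 action=nat to-src-address=221.0.X.222 \
    comment="" disabled=no
add src-address=192.168.0.0/24 out-interface=CNC action=nat \
    to-src-address=221.0.X.218-221.0.X.221 comment="NAT \
    everything leaving the external interface" disabled=no

I tried it and it works; this is exactly how I configured it.

Old content deleted.

I'm embarrassed to say it, but I finally found the problem. My company's network is one huge intranet, connected through a router to the central data center in Shanghai. To keep work running normally, I set the default gateway to the company's gateway. All Internet access goes through the MikroTik's Proxy feature. MikroTik's D-NAT should work like this: an external request is received by the MT and forwarded to the target IP according to the configured D-NAT rule; at this point what is sent is (from the requester's IP) to (the reserved LAN IP). When the server on the LAN receives the SYN Send message it answers with SYN received, but that answer is sent back via the local machine's default gateway. Because I had not set the default gateway to the MT, the SYN received was sent into my intranet, and the MT, not having received a reply, dropped the external service request. Sigh, if only I knew my company's IP ranges (there are a huge number of them, and they are real IPs), I could set up policy routing and there wouldn't be all this hassle.

Bumping this so everyone can see it; it might be of some small help.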
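
The return-path problem described in the thread, as an added example that is not part of the original posts: a small route-lookup check that tells whether a dst-nat'ed server's reply goes back through the NAT router. The company gateway address, the client address and the intranet prefix are constructed placeholders; 192.168.0.1 is the MikroTik LAN address from the posted config.

```python
import ipaddress

def next_hop(routes, dst):
    """Longest-prefix match over (prefix, gateway) pairs; gateway None = on-link."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(p), gw) for p, gw in routes
            if addr in ipaddress.ip_network(p)]
    if not hits:
        raise LookupError(f"no route to {dst}")
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def reply_returns_via_nat(server_routes, nat_lan_ip, client_ip):
    """After dst-nat the server still sees the client's real source address,
    so the reply is routed by the server's own table. The NAT router can only
    reverse the translation if that route points back at it."""
    return next_hop(server_routes, client_ip) == nat_lan_ip

MT_LAN = "192.168.0.1"        # MikroTik LAN address, from the posted config
CLIENT = "203.0.113.10"       # constructed external client (documentation range)
COMPANY_GW = "192.168.0.254"  # assumed address of the company gateway
INTRANET = "198.51.100.0/24"  # constructed stand-in for one company prefix

ON_LINK = ("192.168.0.0/24", None)
# Server routing tables for 192.168.0.2 (all constructed for illustration):
AS_POSTED = [ON_LINK, ("0.0.0.0/0", COMPANY_GW)]      # default via company gateway
GATEWAY_IS_MT = [ON_LINK, ("0.0.0.0/0", MT_LAN)]      # default via the MikroTik
SPLIT = [ON_LINK, ("0.0.0.0/0", MT_LAN), (INTRANET, COMPANY_GW)]  # known prefixes split out

if __name__ == "__main__":
    for name, table in [("as posted", AS_POSTED),
                        ("gateway = MT", GATEWAY_IS_MT),
                        ("split routes", SPLIT)]:
        ok = reply_returns_via_nat(table, MT_LAN, CLIENT)
        print(f"{name:13} reply to {CLIENT} via {next_hop(table, CLIENT)}: "
              f"{'returns through NAT' if ok else 'bypasses NAT, connection fails'}")
```
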