[策略设置] 三个通宵没搞定,请高手帮我看看端口策略路由

发表于 2007-8-9 20:49:40 | 显示全部楼层 |阅读模式

50台机的网吧,使用了两条3M的ADSL接入,之前使用的是双网关的方式上网:游戏使用网关192.168.0.200,视频聊天和网页使用网关192.168.0.1,上网的人手工进行网关的切换。
现在做法:
A线接到一台TP-LINK R410路由器拨号得到固定IP的192.168.2.242网关,
B线拉到一台TP-LINK R460路由器拨号得到固定IP的192.168.1.1网关
WAN-1游戏线路接到R460上,设置IP为192.168.1.250
WAN-2聊天线路接到R410上,设置IP为192.168.2.250
LAN接到局域网上,设置IP为192.168.0.1
请大家帮我看看ros策略上是不是有问题,我WAN-2聊天线路流量很小,而WAN-1游戏线路流量很大,上传(TX)有300左右,玩游戏的人说卡得不能动.请问是不是我在分流方面有问题?
# feb/07/2003 03:17:42 by routeros 2.9.27
# software id = LHXI-DMT
#
# NOTE(review): the export is stamped Feb 2003 although the post is from
# Aug 2007, and the NTP client further down is disabled, so the router clock
# is unset and every log line carries a wrong time. Enable / system ntp
# client before relying on the logs to troubleshoot the routing problem.
/ interface ethernet
# Three NICs: "lan" faces the cafe PCs (192.168.3.0/24, see / ip address),
# "wan-adsl" and "wan-cnc" each connect to one of the TP-LINK PPPoE routers.
# Both WAN ports run mtu=1480 -- presumably to absorb PPPoE overhead behind
# the TP-LINKs, confirm -- and the MSS clamp in / ip firewall mangle
# (new-mss=1440) is sized to match that MTU.
set lan name="lan" mtu=1500 mac-address=00:02:B3:36:03:C6 arp=enabled \
    disable-running-check=yes auto-negotiation=yes full-duplex=yes \
    cable-settings=default speed=100Mbps comment="" disabled=no
set wan-adsl name="wan-adsl" mtu=1480 mac-address=00:90:27:E4:06:02 \
    arp=enabled disable-running-check=yes auto-negotiation=yes full-duplex=yes \
    cable-settings=default speed=100Mbps comment="" disabled=no
set wan-cnc name="wan-cnc" mtu=1480 mac-address=00:02:B3:28:AD:E4 arp=enabled \
    disable-running-check=yes auto-negotiation=yes full-duplex=yes \
    cable-settings=default speed=100Mbps comment="" disabled=no
/ interface wireless security-profiles
# The export has no / interface wireless section, so presumably no wireless
# card is installed; this is only the factory default profile. Note that it
# is mode=none (open, no encryption): if a card is ever added, replace this
# with a WPA2 profile before bringing the interface up.
set default name="default" mode=none authentication-types="" \
    unicast-ciphers="" group-ciphers="" wpa-pre-shared-key="" \
    wpa2-pre-shared-key="" eap-methods=passthrough tls-mode=no-certificates \
    tls-certificate=none static-algo-0=none static-key-0="" static-algo-1=none \
    static-key-1="" static-algo-2=none static-key-2="" static-algo-3=none \
    static-key-3="" static-transmit-key=key-0 static-sta-private-algo=none \
    static-sta-private-key="" radius-mac-authentication=no group-key-update=5m
/ interface wireless align
# Default antenna-alignment tool settings; unused without a wireless card.
set frame-size=300 active-mode=yes receive-all=no \
    audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 ssid-all=no \
    frames-per-second=25 audio-min=-100 audio-max=-20
/ interface wireless snooper
set multiple-channels=yes channel-time=200ms receive-errors=no
/ interface wireless sniffer
set multiple-channels=no channel-time=200ms only-headers=no receive-errors=no \
    memory-limit=10 file-name="" file-limit=10 streaming-enabled=no \
    streaming-server=0.0.0.0 streaming-max-rate=0
/ interface l2tp-server server
# Disabled. The allowed method list still includes pap and chap (clear-text /
# weak-hash password exchange); trim it to mschap2 before ever enabling this.
set enabled=no max-mtu=1460 max-mru=1460 \
    authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption
/ interface pptp-server server
# Disabled. PPTP relies on MS-CHAP, which is known to be weak; prefer to keep
# it off rather than expose it on the WAN side.
set enabled=no max-mtu=1460 max-mru=1460 authentication=mschap1,mschap2 \
    keepalive-timeout=30 default-profile=default-encryption
/ ip telephony region
/ ip telephony gatekeeper
# H.323 telephony is not configured (no gatekeeper, no codecs pinned); the
# "move" lines below only record the default codec preference order.
set gatekeeper=none remote-id="" remote-address=0.0.0.0
/ ip telephony aaa
set use-radius-accounting=no interim-update=0s
/ ip telephony codec
move G.711-uLaw-64k/sw
move G.711-ALaw-64k/sw
move G.729A-8k/sw
move G.729-8k/sw
move G.723.1-6.3k/sw
move GSM-06.10-13.2k/sw
move LPC-10-2.5k/sw
/ ip accounting
# IP accounting is off, so there is no per-host traffic record to tell which
# PCs generate the ~300 kbit/s upload the post complains about; turning this
# on (or / ip traffic-flow) is the cheapest way to find out.
set enabled=no account-local-traffic=no threshold=256
/ ip accounting web-access
# Keep accessible-via-web=no: the accounting snapshot would otherwise be
# served over plain HTTP to whatever address range is listed here.
set accessible-via-web=no address=0.0.0.0/0
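/ ip service
# Management plane. The export allowed ftp and www from 0.0.0.0/0, i.e. from
# the two WAN-side interfaces as well as the LAN, and both are clear-text
# (credentials cross the wire unencrypted). They are pinned to the LAN subnet
# (192.168.3.0/24, see / ip address), and ssh is enabled for the LAN so there
# is an encrypted management path. telnet stays off; www-ssl stays off
# because no certificate is installed (certificate=none).
set telnet port=23 address=0.0.0.0/0 disabled=yes
set ftp port=21 address=192.168.3.0/24 disabled=no
set www port=80 address=192.168.3.0/24 disabled=no
set ssh port=22 address=192.168.3.0/24 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=yes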
/ ip upnp
# UPnP stays off: with it on, any LAN PC (or malware on one) could open
# inbound port maps on the WAN side without the admin knowing.
set enabled=no allow-disable-external-interface=yes show-dummy-rule=yes
/ ip arp
# Static ARP entries. The interfaces are arp=enabled (not reply-only), so
# these coexist with dynamic learning and only pin the listed pairs; the
# "集体绑定ARP" script in / system script bulk-copies dynamic entries into
# this table. The two WAN-side entries pin the TP-LINK gateway MACs.
add address=192.168.3.189 mac-address=00:19:E0:00:AE:01 interface=lan \
    comment="" disabled=no
add address=192.168.2.1 mac-address=00:0A:EB:B7:A8:44 interface=wan-cnc \
    comment="" disabled=no
add address=192.168.3.156 mac-address=00:E0:4C:3A:EB:0F interface=lan \
    comment="" disabled=no
add address=192.168.1.1 mac-address=00:19:E0:C7:31:5E interface=wan-adsl \
    comment="" disabled=no
add address=192.168.3.155 mac-address=00:0A:EB:F8:F8:35 interface=lan \
    comment="" disabled=no
add address=192.168.3.163 mac-address=00:50:EB:08:B3:96 interface=lan \
    comment="" disabled=no
# NOTE(review): the MAC below has five octets, not six (00:E0:E41:26:EE); it
# is garbled in the export and this line would likely be rejected on import.
# Re-read the real MAC of 192.168.3.157 rather than guessing at the fix.
add address=192.168.3.157 mac-address=00:E0:E41:26:EE interface=lan \
    comment="" disabled=no
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
/ ip dns
# allow-remote-requests=no: the router does not answer DNS for anyone, so it
# cannot be used as an open resolver from the WAN side. LAN PCs therefore
# talk to the ISP resolvers directly (or whatever their own settings say).
set primary-dns=61.235.70.98 secondary-dns=211.98.2.4 allow-remote-requests=no \
    cache-size=2048KiB cache-max-ttl=1w
/ ip traffic-flow
# NetFlow export is off; see the note at / ip accounting.
set enabled=no interfaces=all cache-entries=4k active-flow-timeout=30m \
    inactive-flow-timeout=15s
/ ip address
# LAN is 192.168.3.0/24 (the post text says 192.168.0.x -- the export is the
# authority). The router sits at .100 on each of the two transit subnets in
# front of the TP-LINK gateways (192.168.1.1 and 192.168.2.1).
add address=192.168.3.1/24 network=192.168.3.0 broadcast=192.168.3.255 \
    interface=lan comment="" disabled=no
add address=192.168.1.100/24 network=192.168.1.0 broadcast=192.168.1.255 \
    interface=wan-adsl comment="" disabled=no
add address=192.168.2.100/24 network=192.168.2.0 broadcast=192.168.2.255 \
    interface=wan-cnc comment="" disabled=no
/ ip proxy
# HTTP proxy is off; the access rule below only matters if it is enabled.
set enabled=no port=8080 parent-proxy=0.0.0.0:0 maximal-client-connecions=1000 \
    maximal-server-connectons=1000
/ ip proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
    disabled=no
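/ ip neighbor discovery
# MNDP discovery advertises the router's identity, version and addresses on
# every interface where it is on. It is kept on the LAN (winbox discovery
# from the cafe PCs) and turned off on the two WAN-side interfaces, which
# only face the TP-LINK gateways and have no need to learn about this box.
set lan discover=yes
set wan-adsl discover=no
set wan-cnc discover=no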
/ ip route
# Two default routes. Packets carrying routing-mark=route-QQ-WEB (set in
# / ip firewall mangle for tcp/udp 80, tcp 443 and tcp/udp 8000) leave via
# 192.168.1.1 on wan-adsl ("TIE"); everything else leaves via 192.168.2.1 on
# wan-cnc ("CNC"). check-gateway=ping deactivates a route whose next hop stops
# answering, and the netwatch up/down scripts additionally rewrite gateway=,
# so two overlapping failover mechanisms act on the same two entries.
# NOTE(review): the post says the GAME line is the R460 at 192.168.1.1 and
# the CHAT line is the R410 on 192.168.2.x. If that mapping is right, this
# config sends web/QQ onto the game line and all remaining (game) traffic onto
# the chat line -- the reverse of the stated goal, and consistent with the
# reported symptom (game line saturated, chat line idle). Confirm which
# gateway belongs to which line before swapping the two gateway= values.
add dst-address=0.0.0.0/0 gateway=192.168.1.1 check-gateway=ping scope=255 \
    target-scope=10 routing-mark=route-QQ-WEB comment="TIE" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.2.1 check-gateway=ping scope=255 \
    target-scope=10 comment="CNC" disabled=no
/ ip firewall mangle
# Policy-routing marks. Only destination port decides the line: 80/443 (web)
# and 8000 (QQ) get route-QQ-WEB and follow the "TIE" route; everything else
# falls through to the "CNC" default route. Games are never matched here, so
# they always take the unmarked route -- see the note in / ip route about
# which physical line that actually is.
# These rules match in prerouting with no in-interface, so packets arriving
# from the WAN side are marked too; adding in-interface=lan to each would
# limit the marks to cafe-originated traffic, which is the only traffic that
# should be policy-routed. passthrough=yes lets later rules still match.
add chain=prerouting protocol=tcp dst-port=80 action=mark-routing \
    new-routing-mark=route-QQ-WEB passthrough=yes comment="QQ,WEB分流" \
    disabled=no
add chain=prerouting protocol=udp dst-port=80 action=mark-routing \
    new-routing-mark=route-QQ-WEB passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=443 action=mark-routing \
    new-routing-mark=route-QQ-WEB passthrough=yes comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=8000 action=mark-routing \
    new-routing-mark=route-QQ-WEB passthrough=yes comment="" disabled=no
add chain=prerouting protocol=udp dst-port=8000 action=mark-routing \
    new-routing-mark=route-QQ-WEB passthrough=yes comment="" disabled=no
# MSS clamp on outbound SYNs: 1440 = 1480 (WAN mtu) - 40 bytes of IP+TCP
# header, which avoids PMTU black holes behind the PPPoE TP-LINKs.
add chain=forward out-interface=wan-adsl protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=1440 comment="adsl change mss" disabled=no
add chain=forward out-interface=wan-cnc protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=1440 comment="cnc change mss" disabled=no
/ ip firewall nat
# Plain masquerade per WAN interface; there is no dst-nat, so nothing on the
# LAN is reachable from the WAN side. Masquerade picks the source address of
# whichever interface the routing decision chose, so it follows the policy
# routes above without extra rules.
add chain=srcnat out-interface=wan-adsl action=masquerade comment="" \
    disabled=no
add chain=srcnat out-interface=wan-cnc action=masquerade comment="" \
    disabled=no
/ ip firewall connection tracking
# Conntrack is required for masquerade and for the p2p= and connection-state
# matchers. tcp-established-timeout=1d keeps idle game/QQ sessions alive for
# a day; with 50 PCs that is fine on this hardware. tcp-syncookie=no: SYN
# cookies would only matter for connections aimed at the router itself.
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
    udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
    tcp-syncookie=no
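/ ip firewall filter
# ---- input chain: traffic addressed to the router itself ------------------
# The export had no input rules at all, so every enabled service (www on
# tcp/80, ftp on tcp/21, the bandwidth-server, winbox) was reachable from the
# two WAN-side interfaces as well as from the LAN. Management is now accepted
# from the LAN interface only. Replies to connections the router opened
# itself (netwatch/check-gateway pings, DNS lookups) come back as
# established/related and still pass. RouterOS 2.9 takes a single value for
# connection-state, hence two accept rules. Winbox over MAC address does not
# traverse the IP firewall, so it remains a recovery path from the LAN.
add chain=input connection-state=established action=accept \
    comment="replies to router-originated traffic" disabled=no
add chain=input connection-state=related action=accept comment="" disabled=no
add chain=input in-interface=lan action=accept \
    comment="management from LAN only" disabled=no
add chain=input action=drop comment="drop everything else aimed at the router" \
    disabled=no
# ---- forward chain: application blocking for the cafe PCs ----------------
# Same policy as the export with the duplicates removed: the original list
# repeated the BitSpirit, Emule, tcp/4242 and 62.241.53.15 rules verbatim,
# and content=www.vagaa.com is subsumed by content=vagaa.com (any payload
# containing the former contains the latter). Everything here is a port,
# address or plain-text substring match, so it only catches clients on default
# ports with unencrypted payloads; p2p=all-p2p is the one signature match.
# Order between these rules does not matter -- every one of them drops or
# rejects, and nothing below them accepts.
add chain=forward protocol=tcp dst-port=16881 action=drop comment="No \
    BitSpirit" disabled=no
add chain=forward protocol=tcp dst-port=4661-4662 action=drop comment="No \
    Emule" disabled=no
add chain=forward protocol=tcp dst-port=4242 action=drop comment="" \
    disabled=no
add chain=forward dst-address=62.241.53.15 action=drop comment="" disabled=no
add chain=forward src-address=192.168.3.0/24 p2p=all-p2p action=drop \
    comment="No P2P" disabled=no
add chain=forward protocol=udp dst-port=13000-14000 action=drop comment="No \
    QQLive" disabled=no
add chain=forward protocol=tcp dst-port=8008 action=drop comment="No PPlive \
    TV" disabled=no
add chain=forward protocol=udp dst-port=4004 action=drop comment="" \
    disabled=no
add chain=forward dst-address=218.108.237.11 action=drop comment="" \
    disabled=no
# Substring match on the payload; rejects with ICMP so the client fails fast
# instead of waiting on a timeout.
add chain=forward content=vagaa.com action=reject \
    reject-with=icmp-network-unreachable comment="No VaGaa" disabled=no
add chain=forward protocol=tcp dst-port=40750 action=drop comment="" \
    disabled=no
add chain=forward protocol=udp dst-port=40750 action=drop comment="" \
    disabled=no
add chain=forward protocol=tcp dst-port=2004 action=drop comment="" \
    disabled=no
add chain=forward protocol=udp dst-port=2004 action=drop comment="" \
    disabled=no
add chain=forward protocol=tcp dst-port=2005 action=drop comment="" \
    disabled=no
add chain=forward protocol=udp dst-port=2005 action=drop comment="" \
    disabled=no
add chain=forward protocol=tcp dst-port=16521 action=drop comment="" \
    disabled=no
add chain=forward protocol=udp dst-port=16521 action=drop comment="" \
    disabled=no
# NetBIOS/RPC block is tcp-only as exported; udp 137-138 is not covered here.
add chain=forward protocol=tcp dst-port=135-139 action=drop comment="No 3B" \
    disabled=no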
/ ip firewall service-port
# Conntrack/NAT helpers (ALGs). ftp is needed for active-mode FTP through
# masquerade; tftp and irc are enabled too. Each helper parses payload on
# its port, so leave off any that the cafe does not actually need; h323, gre
# and pptp are already off.
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set gre disabled=yes
set pptp disabled=yes
/ ip hotspot service-port
set ftp ports=21 disabled=no
/ ip hotspot profile
# Hotspot defaults only; no / ip hotspot server is present in this export.
set default name="default" hotspot-address=0.0.0.0 dns-name="" \
    html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 \
    smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d \
    split-user-domain=no use-radius=no
/ ip hotspot user profile
set default name="default" idle-timeout=none keepalive-timeout=2m \
    status-autorefresh=1m shared-users=1 transparent-proxy=yes \
    open-status-page=always advertise=no
/ ip dhcp-server config
set store-leases-disk=5m
/ ip ipsec proposal
# Factory default proposal (3des/sha1/modp1024). No peers or policies appear
# in this export, so it is unused; if IPsec is ever set up, pick a stronger
# cipher/group rather than relying on this entry.
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m \
    lifebytes=0 pfs-group=modp1024 disabled=no
/ ip web-proxy
# Web proxy is off; the access and cache rules below are inert until enabled.
set enabled=no src-address=0.0.0.0 port=3128 hostname="proxy" \
    transparent-proxy=no parent-proxy=0.0.0.0:0 \
    cache-administrator="webmaster" max-object-size=4096KiB cache-drive=system \
    max-cache-size=none max-ram-cache-size=unlimited
/ ip web-proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
    disabled=no
/ ip web-proxy cache
add url=":cgi-bin \\?" action=deny comment="don't cache dynamic http pages" \
    disabled=no
/ system logging
# Everything goes to the in-memory buffer only (100 lines, lost on reboot --
# and the watchdog below reboots on failure), critical messages also to the
# console. The "remote" action still points at 0.0.0.0:514, i.e. unset.
# Pointing it at a syslog host on the LAN and adding a topics=info,!debug
# action=remote entry is the only way to keep a history of the line
# failovers that the netwatch scripts trigger.
add topics=info prefix="" action=memory disabled=no
add topics=error prefix="" action=memory disabled=no
add topics=warning prefix="" action=memory disabled=no
add topics=critical prefix="" action=echo disabled=no
/ system logging action
set memory name="memory" target=memory memory-lines=100 memory-stop-on-full=no
set disk name="disk" target=disk disk-lines=100 disk-stop-on-full=no
set echo name="echo" target=echo remember=yes
set remote name="remote" target=remote remote=0.0.0.0:514
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 \
    check-interval=1d user=""
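/ system script
# Scripts run by / tool netwatch (dxup/dxdown, CNCup/CNCdown) plus one ad-hoc
# ARP helper. Every body below only does / ip route set or / ip arp add,
# which needs the read and write policies; the export also granted ftp,
# reboot, policy, test, winbox and password to each, none of which these
# commands use, so the lists are trimmed to what is required.
# "集体绑定ARP": copy every dynamic ARP entry into a static one. Run it only
# when the table is known-good -- it freezes whatever address/MAC pairs exist
# at that moment, including any that were spoofed.
add name="集体绑定ARP" source=":foreach a in=\[/ip arp find dynamic=yes \] \
    do=\[/ip arp add copy-from=\$a\]" \
    policy=read,write
# dxup: the TIE gateway answers again -- point the route marked route-QQ-WEB
# back at 192.168.1.1 and make sure it is enabled.
add name="dxup" source="/ip route set \[/ip route find comment=TIE\] \
    gateway=192.168.1.1;
\n\n/ip route set \[/ip route find comment=TIE\] \
    disable=no;" policy=read,write
# CNCup: same for the unmarked default route and 192.168.2.1.
add name="CNCup" source="/ip route set \[/ip route find comment=CNC\] \
    gateway=192.168.2.1;
\n\n/ip route set \[/ip route find comment=CNC\] \
    disable=no;" policy=read,write
# dxdown / CNCdown: on loss of one gateway, repoint that line's route at the
# other gateway so both classes of traffic keep flowing over the surviving
# line. check-gateway=ping on the routes does the same job independently.
add name="dxdown" source="/ip route set \[/ip route find comment=TIE\] \
    gateway=192.168.2.1" \
    policy=read,write
add name="CNCdown" source="/ip route set \[/ip route find comment=CNC\] \
    gateway=192.168.1.1" \
    policy=read,write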
/ system clock dst
set dst-delta=+00:00 dst-start="jan/01/1970 00:00:00" dst-end="jan/01/1970 \
    00:00:00"
/ system watchdog
# Hardware watchdog on, reboot on kernel failure, write a supout.rif on
# failure but never mail it (auto-send-supout=no, no mail server set).
set reboot-on-failure=yes watch-address=none watchdog-timer=yes \
    no-ping-delay=5m automatic-supout=yes auto-send-supout=no
/ system console
# Serial console is live on serial0 (9600 8N1, see / port): anyone with
# physical access to the port gets a login prompt. The "FIXME" lines look
# like an export artifact for the unnamed vty consoles -- confirm before
# importing this file elsewhere.
add port=serial0 term="" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
/ system console screen
set line-count=25
/ system identity
# Still the factory name; it is what MNDP advertises and what shows in logs.
set name="MikroTik"
/ system note
# Empty login banner; this is where an authorised-use notice would go.
set show-at-login=yes note=""
/ system gps
set enabled=no set-system-time=yes
/ system lcd
set enabled=no type=24x4 port=parallel contrast=0
/ system lcd page
set time display-time=5s disabled=yes
set resources display-time=5s disabled=yes
set uptime display-time=5s disabled=yes
set packets display-time=5s disabled=yes
set bits display-time=5s disabled=yes
set version display-time=5s disabled=yes
set lan display-time=5s disabled=yes
set wan-adsl display-time=5s disabled=yes
set wan-cnc display-time=5s disabled=yes
/ system ntp server
set enabled=no broadcast=no multicast=no manycast=yes
/ system ntp client
# Disabled with no servers -- this is why the export header is dated 2003.
# Set primary-ntp to a reachable time source and enable it so log timestamps
# and script scheduling are meaningful.
set enabled=no mode=unicast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
/ system routerboard bios
set
/ system health
set state-after-reboot=enabled
/ port
set serial0 name="serial0" baud-rate=9600 data-bits=8 parity=none stop-bits=1 \
    flow-control=hardware
set serial1 name="serial1" baud-rate=9600 data-bits=8 parity=none stop-bits=1 \
    flow-control=hardware
/ ppp profile
# Only referenced by the (disabled) l2tp/pptp servers. default-encryption
# forces use-encryption=yes; both clamp TCP MSS on the tunnel.
set default name="default" use-compression=default use-vj-compression=default \
    use-encryption=default only-one=default change-tcp-mss=yes comment=""
set default-encryption name="default-encryption" use-compression=default \
    use-vj-compression=default use-encryption=yes only-one=default \
    change-tcp-mss=yes comment=""
/ ppp aaa
set use-radius=no accounting=yes interim-update=0s
/ queue type
# Queue types only; there is no / queue simple or / queue tree in this export,
# so nothing shapes the two 3M lines. With 50 PCs and ~300 kbit/s of upload
# reported, upstream saturation alone would explain the game lag -- a queue
# on each WAN interface that prioritises game traffic is worth trying once
# the routing is confirmed correct.
set default name="default" kind=pfifo pfifo-limit=50
set ethernet-default name="ethernet-default" kind=pfifo pfifo-limit=50
set wireless-default name="wireless-default" kind=sfq sfq-perturb=5 \
    sfq-allot=1514
set synchronous-default name="synchronous-default" kind=red red-limit=60 \
    red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
set hotspot-default name="hotspot-default" kind=sfq sfq-perturb=5 \
    sfq-allot=1514
add name="default-small" kind=pfifo pfifo-limit=10
/ user
# Single full-rights account, allowed from any source address. Exports never
# carry passwords, so this says nothing about whether the factory-empty
# password was changed -- verify that. Pinning address= to 192.168.3.0/24
# would add a second gate behind / ip service; note that MAC-winbox sessions
# carry no IP address, so test that path before restricting it.
add name="admin" group=full address=0.0.0.0/0 comment="system default user" \
    disabled=no
/ user group
# Factory groups. "full" is the only one that may change policy or use ftp.
add name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!f\
    tp,!write,!policy
add name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password\
    ,web,!ftp,!policy
add name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbo\
    x,password,web
/ user aaa
# No RADIUS; local accounts only.
set use-radius=no accounting=yes interim-update=0s default-group=read
/ radius incoming
set accept=no port=1700
/ driver
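/ snmp
# SNMP is off. The exported "c location" fragment looks truncated (likely
# contact="" location=""); re-check this line, it would probably be rejected
# on import as-is.
set enabled=no c location=""
/ snmp community
# The read-only "public" community was reachable from 0.0.0.0/0; limited to
# the LAN subnet so that turning SNMP on later does not expose it on the WAN
# side. Rename the community as well before enabling.
set public name="public" address=192.168.3.0/24 read-access=yes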
/ tool bandwidth-server
# btest server is on but requires a router login (authenticate=yes); it is
# reachable wherever the input chain lets it through.
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
/ tool mac-server ping
# Layer-2 ping replies on all interfaces; this bypasses the IP firewall.
set enabled=yes
/ tool e-mail
# No mail server, so watchdog supout mailing and any :email in scripts is
# a no-op.
set server=0.0.0.0 from="<>"
/ tool sniffer
set interface=all only-headers=no memory-limit=10 file-name="" file-limit=10 \
    streaming-enabled=no streaming-server=0.0.0.0 filter-stream=yes \
    filter-protocol=ip-only filter-address1=0.0.0.0/0:0-65535 \
    filter-address2=0.0.0.0/0:0-65535
/ tool graphing
set store-every=5min
/ tool netwatch
# Line monitors: ping each TP-LINK gateway every 5s with a 1s timeout and
# run the matching up/down script on every state change. A single dropped
# echo (easy on a saturated 3M uplink) flips the gateway and flips it back 5s
# later, so the routes can flap during exactly the congestion the post
# describes; a longer timeout/interval would make failover less twitchy.
add host=192.168.1.1 timeout=1s interval=5s up-script=dxup down-script=dxdown \
    comment="TIE" disabled=no
add host=192.168.2.1 timeout=1s interval=5s up-script=CNCup \
    down-script=CNCdown comment="CNC" disabled=no
/ routing ospf
# Dynamic routing is not in use: no OSPF interfaces/networks, BGP disabled,
# no RIP interfaces appear in this export. These are defaults only. If OSPF
# is ever enabled, set authentication on the backbone area first -- it is
# authentication=none here.
set router-id=0.0.0.0 distribute-default=never redistribute-connected=no \
    redistribute-static=no redistribute-rip=no redistribute-bgp=no \
    metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 \
    metric-bgp=20
/ routing ospf area
set backbone area-id=0.0.0.0 type=default translator-role=translate-candidate \
    authentication=none prefix-list-import="" prefix-list-export="" \
    disabled=no
/ routing bgp
set enabled=no as=1 router-id=0.0.0.0 redistribute-static=no \
    redistribute-connected=no redistribute-rip=no redistribute-ospf=no
/ routing rip
set redistribute-static=no redistribute-connected=no redistribute-ospf=no \
    redistribute-bgp=no metric-static=1 metric-connected=1 metric-ospf=1 \
    metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m
发表于 2007-8-9 22:20:45 | 显示全部楼层
我已经头晕,请楼下的回答!
发表于 2007-8-9 22:37:14 | 显示全部楼层
我已经头晕,请楼下的回答!
真会没事找事.
发表于 2007-8-9 22:44:30 | 显示全部楼层
发表于 2007-8-9 23:52:45 | 显示全部楼层
我已经头晕,请楼下的回答!
发表于 2007-8-10 01:17:11 | 显示全部楼层
谁看都晕,楼主注意提问策略哦。
发表于 2007-8-10 09:22:07 | 显示全部楼层
偶也晕了,请楼下的答
发表于 2007-8-10 17:35:52 | 显示全部楼层
俺都吃了两颗头痛药了~~~~~~`
发表于 2007-8-11 15:11:12 | 显示全部楼层
ip firewall nat 和 ip route 的思路有问题,参考 Reference Manual。