미크로틱 3wan 6lan 느낀점



결론부터 말씀드리면

느낀점 : 머리가 아파





안녕하세요.

가입 후 첫 게시글을 작성하는 저는 눈팅족입니다. 죄송합니다.


저는 개발자입니다. 저는 제 일을 좋아합니다.

그래서 집에 LAB 환경을 구축하여 지낸 지가 오랜 시간이 흘렀습니다.


최근 인터넷 환경이 너무 지저분하여 정리하기로 마음먹고 미크로틱을 구매했습니다.


구성하면서 참고한 자료입니다.

1. https://www.2cpu.co.kr/lec/1136?&sfl=mb_id%2C1&stx=mikrotik

2. https://www.2cpu.co.kr/network/4540

댓글로 감사하다는 인사드리지 못해 죄송합니다.

여기에 대신 감사하다고 전해 드리고 싶습니다.

감사합니다!


제 환경은 3wan 6lan 입니다.

mangle 규칙은 지금도 제 머리를 망치로 내리치는 기분입니다.

제가 원하는 바가 정확히 무엇인지 모르겠지만...

의도대로 동작은 합니다.

좀 더 깔끔하고 직관적으로 수정할 수 있을지 잠재된 문제는 없는지 궁금합니다.

따라 하기 수준인 제 스크립트를 보시고 고수님의 거침없는 조언이 간절히 필요합니다.

도와주십시오. 감사합니다                                                                    


-- 스크립트

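# nov/05/2021 14:32:43 by RouterOS 7.1rc5
# software id = 2PE1-JZS7
#
# model = RB750Gr3
# serial number = XXXXXXXXXXXX
#
# Layout: three WAN ports (ether1-3, each a DHCP client) and six LAN segments
# (bridgeMgnt on ether4; VLANs 110/120/130/210/220 carried tagged on bridgePac1
# via ether5). Each LAN segment is pinned to one WAN by connection marks and a
# per-WAN routing table; see the mangle section for the details.

# --- Bridges -----------------------------------------------------------------
/interface bridge add name=bridgeMgnt
# NOTE(review): ingress-filtering=no on a vlan-filtering bridge lets a port accept
# frames for VLANs it is not a member of; ingress-filtering=yes is the stricter
# setting. Confirm the relaxed value (here and on the bridge ports below) is intended.
/interface bridge add ingress-filtering=no name=bridgePac1 pvid=110 vlan-filtering=yes

# --- Physical ports ----------------------------------------------------------
/interface ethernet set [ find default-name=ether1 ] name=ether1WanPac1
/interface ethernet set [ find default-name=ether2 ] name=ether2WanPac2
# NOTE(review): mtu=560 is unusually small for a WAN port and differs from the other
# two WAN ports - confirm it is intended and not a typo.
/interface ethernet set [ find default-name=ether3 ] mtu=560 name=ether3WanPac3
/interface ethernet set [ find default-name=ether4 ] name=ether4LanMgmt
/interface ethernet set [ find default-name=ether5 ] name=ether5LanPac1

# --- VLAN interfaces on the VLAN-aware bridge --------------------------------
/interface vlan add interface=bridgePac1 name=briVlan110 vlan-id=110
/interface vlan add interface=bridgePac1 name=briVlan120 vlan-id=120
/interface vlan add interface=bridgePac1 name=briVlan130 vlan-id=130
/interface vlan add interface=bridgePac1 name=briVlan210 vlan-id=210
/interface vlan add interface=bridgePac1 name=briVlan220 vlan-id=220

# --- Interface lists (used by the firewall, mangle and neighbor discovery) ---
/interface list add name=listWanAlll
/interface list add name=listLanAlll

# --- DHCP pools, one per segment (each segment is a /23) ---------------------
/ip pool add name=dhcpPoolMgmt100 ranges=10.18.18.11-10.18.18.254
/ip pool add name=dhcpPoolVlan110 ranges=10.18.111.11-10.18.111.254
/ip pool add name=dhcpPoolVlan120 ranges=10.18.121.11-10.18.121.254
/ip pool add name=dhcpPoolVlan130 ranges=10.18.131.11-10.18.131.254
/ip pool add name=dhcpPoolVlan210 ranges=10.18.211.11-10.18.211.254
/ip pool add name=dhcpPoolVlan220 ranges=10.18.221.11-10.18.221.254

/ip dhcp-server add address-pool=dhcpPoolMgmt100 interface=bridgeMgnt name=dhcpServerMgmt100
/ip dhcp-server add address-pool=dhcpPoolVlan110 interface=briVlan110 name=dhcpServerVlan110
/ip dhcp-server add address-pool=dhcpPoolVlan120 interface=briVlan120 name=dhcpServerVlan120
/ip dhcp-server add address-pool=dhcpPoolVlan130 interface=briVlan130 name=dhcpServerVlan130
/ip dhcp-server add address-pool=dhcpPoolVlan210 interface=briVlan210 name=dhcpServerVlan210
/ip dhcp-server add address-pool=dhcpPoolVlan220 interface=briVlan220 name=dhcpServerVlan220

# --- Defaults carried over from the stock export ------------------------------
/port set 0 name=serial0
/routing bgp template set default disabled=no output.network=bgp-networks
/routing ospf instance add name=default-v2
/routing ospf area add disabled=yes instance=default-v2 name=backbone-v2

# --- One routing table per WAN (selected by routing mark in mangle) ----------
/routing table add fib name=""
/routing table add fib name=routingTableWan01
/routing table add fib name=routingTableWan02
/routing table add fib name=routingTableWan03

# --- Bridge ports: ether4 untagged on bridgeMgnt, ether5 is the VLAN trunk ---
/interface bridge port add bridge=bridgeMgnt ingress-filtering=no interface=ether4LanMgmt
/interface bridge port add bridge=bridgePac1 ingress-filtering=no interface=ether5LanPac1 pvid=110

# Neighbor discovery (MNDP/CDP/LLDP) only towards LAN interfaces, never WAN.
/ip neighbor discovery-settings set discover-interface-list=listLanAlll

/ipv6 settings set disable-ipv6=yes

# Every VLAN is tagged both on the trunk port and towards the bridge itself
# (the latter is what makes the briVlanXXX interfaces above receive traffic).
/interface bridge vlan add bridge=bridgePac1 tagged=bridgePac1,ether5LanPac1 vlan-ids=110
/interface bridge vlan add bridge=bridgePac1 tagged=bridgePac1,ether5LanPac1 vlan-ids=120
/interface bridge vlan add bridge=bridgePac1 tagged=bridgePac1,ether5LanPac1 vlan-ids=130
/interface bridge vlan add bridge=bridgePac1 tagged=bridgePac1,ether5LanPac1 vlan-ids=210
/interface bridge vlan add bridge=bridgePac1 tagged=bridgePac1,ether5LanPac1 vlan-ids=220

/interface list member add interface=ether1WanPac1 list=listWanAlll
/interface list member add interface=ether2WanPac2 list=listWanAlll
/interface list member add interface=ether3WanPac3 list=listWanAlll

/interface list member add interface=bridgeMgnt list=listLanAlll
/interface list member add interface=bridgePac1 list=listLanAlll
/interface list member add interface=briVlan110 list=listLanAlll
/interface list member add interface=briVlan120 list=listLanAlll
/interface list member add interface=briVlan130 list=listLanAlll
/interface list member add interface=briVlan210 list=listLanAlll
/interface list member add interface=briVlan220 list=listLanAlll

# --- Router addresses, one /23 per segment -----------------------------------
/ip address add address=10.18.18.1/23 interface=bridgeMgnt network=10.18.18.0
/ip address add address=10.18.110.1/23 interface=briVlan110 network=10.18.110.0
/ip address add address=10.18.120.1/23 interface=briVlan120 network=10.18.120.0
/ip address add address=10.18.130.1/23 interface=briVlan130 network=10.18.130.0
/ip address add address=10.18.210.1/23 interface=briVlan210 network=10.18.210.0
/ip address add address=10.18.220.1/23 interface=briVlan220 network=10.18.220.0

# --- WAN uplinks --------------------------------------------------------------
# NOTE(review): a dhcp-client installs a default route into the main table unless
# add-default-route=no is set, so the main table may end up with three dynamic
# defaults in addition to the two static ones at the end of this script. Confirm
# which defaults are meant to be active.
/ip dhcp-client add interface=ether1WanPac1
/ip dhcp-client add interface=ether2WanPac2
/ip dhcp-client add interface=ether3WanPac3

# Clients are handed public resolvers directly; they do not use the router's DNS.
/ip dhcp-server network add address=10.18.18.0/23 dns-server=1.1.1.1,8.8.8.8 gateway=10.18.18.1
/ip dhcp-server network add address=10.18.110.0/23 dns-server=1.1.1.1,8.8.8.8 gateway=10.18.110.1
/ip dhcp-server network add address=10.18.120.0/23 dns-server=1.1.1.1,8.8.8.8 gateway=10.18.120.1
/ip dhcp-server network add address=10.18.130.0/23 dns-server=1.1.1.1,8.8.8.8 gateway=10.18.130.1
/ip dhcp-server network add address=10.18.210.0/23 dns-server=1.1.1.1,8.8.8.8 gateway=10.18.210.1
/ip dhcp-server network add address=10.18.220.0/23 dns-server=1.1.1.1,8.8.8.8 gateway=10.18.220.1

# The router answers DNS for anyone who can reach it; the input-chain rule
# "drop all not coming from listLanAlll" below is what keeps this off the WAN.
/ip dns set allow-remote-requests=yes

# Static names for the upstream resolvers. These only label the addresses; they
# also override those public host names for any client that does use the router
# as its resolver.
/ip dns static add address=1.1.1.1 name=cloudflare-dns1.com
/ip dns static add address=1.0.0.1 name=cloudflare-dns2.com
/ip dns static add address=1.1.1.2 name=cloudflare-dns3.com
/ip dns static add address=1.0.0.2 name=cloudflare-dns4.com
/ip dns static add address=8.8.8.8 name=google1.com
/ip dns static add address=8.8.4.4 name=google2.com
/ip dns static add address=61.41.153.2 name=uplus1.co.kr
/ip dns static add address=1.214.68.2 name=uplus2.co.kr
/ip dns static add address=164.124.101.2 name=uplus3.co.kr
/ip dns static add address=203.248.252.2 name=uplus4.co.kr
/ip dns static add address=210.220.163.82 name=skbroadband1.com
/ip dns static add address=219.250.36.130 name=skbroadband2.com
/ip dns static add address=168.126.63.1 name=dms.kornet1.net
/ip dns static add address=168.126.63.2 name=dms.kornet2.net

# --- Address lists, one per segment ------------------------------------------
/ip firewall address-list add address=10.18.18.0/23 list=addListbridgeMgnt
/ip firewall address-list add address=10.18.110.0/23 list=addListbriVlan110
/ip firewall address-list add address=10.18.120.0/23 list=addListbriVlan120
/ip firewall address-list add address=10.18.130.0/23 list=addListbriVlan130
/ip firewall address-list add address=10.18.210.0/23 list=addListbriVlan210
/ip firewall address-list add address=10.18.220.0/23 list=addListbriVlan220

# --- Inter-segment isolation (all rules currently disabled) -------------------
# These rules match traffic from one LAN subnet to another. Such traffic is
# forwarded by the router, so the rules belong in chain=forward. In chain=input
# (where they were) a rule only sees packets addressed to the router itself and
# would never block host-to-host traffic between segments, even once enabled.
# The same policy can be expressed with a single rule over one combined address
# list holding all six subnets (src-address-list=X dst-address-list=X), since
# hosts inside one /23 never transit the router anyway; the pairwise rules are
# kept so individual pairs can still be enabled selectively.
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbridgeMgnt src-address-list=addListbriVlan110
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan120 src-address-list=addListbriVlan110
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan130 src-address-list=addListbriVlan110
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan210 src-address-list=addListbriVlan110
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan220 src-address-list=addListbriVlan110
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbridgeMgnt src-address-list=addListbriVlan120
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan110 src-address-list=addListbriVlan120
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan130 src-address-list=addListbriVlan120
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan210 src-address-list=addListbriVlan120
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan220 src-address-list=addListbriVlan120
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbridgeMgnt src-address-list=addListbriVlan130
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan110 src-address-list=addListbriVlan130
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan120 src-address-list=addListbriVlan130
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan210 src-address-list=addListbriVlan130
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan220 src-address-list=addListbriVlan130
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbridgeMgnt src-address-list=addListbriVlan210
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan110 src-address-list=addListbriVlan210
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan120 src-address-list=addListbriVlan210
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan130 src-address-list=addListbriVlan210
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan220 src-address-list=addListbriVlan210
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbridgeMgnt src-address-list=addListbriVlan220
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan110 src-address-list=addListbriVlan220
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan120 src-address-list=addListbriVlan220
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan130 src-address-list=addListbriVlan220
/ip firewall filter add action=drop chain=forward disabled=yes dst-address-list=addListbriVlan210 src-address-list=addListbriVlan220

# --- Stock firewall ("defconf") ----------------------------------------------
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# This is the only rule protecting router services (DNS, winbox, ssh, api, ...)
# from the WAN. Every one of the six LAN segments can still reach all of them;
# if some segments are less trusted than the management segment, add input rules
# that limit the management ports to in-interface=bridgeMgnt.
/ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from listLanAlll" in-interface-list=!listLanAlll
/ip firewall filter add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
/ip firewall filter add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=drop chain=forward comment="defconf: drop all from listWanAlll not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=listWanAlll

# --- Multi-WAN mangle ---------------------------------------------------------
# From here on my head starts spinning...

# Traffic that stays inside its own segment needs no marks: accept it early so
# the rules below never touch it.
/ip firewall mangle add action=accept chain=prerouting dst-address=10.18.18.0/23 in-interface=bridgeMgnt
/ip firewall mangle add action=accept chain=prerouting dst-address=10.18.110.0/23 in-interface=briVlan110
/ip firewall mangle add action=accept chain=prerouting dst-address=10.18.120.0/23 in-interface=briVlan120
/ip firewall mangle add action=accept chain=prerouting dst-address=10.18.130.0/23 in-interface=briVlan130
/ip firewall mangle add action=accept chain=prerouting dst-address=10.18.210.0/23 in-interface=briVlan210
/ip firewall mangle add action=accept chain=prerouting dst-address=10.18.220.0/23 in-interface=briVlan220

# Connections that arrive from a WAN (for example the port forward below) are
# tagged with the WAN they came in on, so the replies leave via the same link.
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether1WanPac1 new-connection-mark=markWAN1Conn passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether2WanPac2 new-connection-mark=markWAN2Conn passthrough=yes
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark in-interface=ether3WanPac3 new-connection-mark=markWAN3Conn passthrough=yes

# Outbound connections from each segment get that segment's WAN mark:
#   Mgmt + VLAN110 -> WAN1, VLAN120/130 -> WAN2, VLAN210/220 -> WAN3.
# NOTE(review): every rule in this group and the next assigns one fixed mark per
# subnet, so nth=6,k (match only every 6th packet hitting the rule) and the
# per-connection-classifier (match only connections whose hash gives one
# remainder) do not spread a subnet over several WANs - they only leave part of
# the subnet's connections unmarked. Unmarked connections get no routing mark and
# follow the main table instead of the intended WAN. If the goal is "one WAN per
# subnet", remove the nth= and per-connection-classifier= matchers and keep one
# rule per segment; if the goal is to split a subnet across WANs, the rules for
# one subnet must use different marks. Left unchanged pending confirmation.
/ip firewall mangle add action=mark-connection chain=prerouting connection-state=new new-connection-mark=markWAN1Conn nth=6,1 passthrough=yes src-address=10.18.18.0/23
/ip firewall mangle add action=mark-connection chain=prerouting connection-state=new new-connection-mark=markWAN1Conn nth=6,2 passthrough=yes src-address=10.18.110.0/23
/ip firewall mangle add action=mark-connection chain=prerouting connection-state=new new-connection-mark=markWAN2Conn nth=6,3 passthrough=yes src-address=10.18.120.0/23
/ip firewall mangle add action=mark-connection chain=prerouting connection-state=new new-connection-mark=markWAN2Conn nth=6,4 passthrough=yes src-address=10.18.130.0/23
/ip firewall mangle add action=mark-connection chain=prerouting connection-state=new new-connection-mark=markWAN3Conn nth=6,5 passthrough=yes src-address=10.18.210.0/23
/ip firewall mangle add action=mark-connection chain=prerouting connection-state=new new-connection-mark=markWAN3Conn nth=6,6 passthrough=yes src-address=10.18.220.0/23

/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=bridgeMgnt new-connection-mark=markWAN1Conn passthrough=yes per-connection-classifier=both-addresses:6/0
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=briVlan110 new-connection-mark=markWAN1Conn passthrough=yes per-connection-classifier=both-addresses:6/1
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=briVlan120 new-connection-mark=markWAN2Conn passthrough=yes per-connection-classifier=both-addresses:6/2
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=briVlan130 new-connection-mark=markWAN2Conn passthrough=yes per-connection-classifier=both-addresses:6/3
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=briVlan210 new-connection-mark=markWAN3Conn passthrough=yes per-connection-classifier=both-addresses:6/4
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark dst-address-type=!local in-interface=briVlan220 new-connection-mark=markWAN3Conn passthrough=yes per-connection-classifier=both-addresses:6/5

# Routing marks: the connection mark alone decides the routing table, for any
# LAN interface. Three rules replace the previous twelve per-subnet and
# per-interface rules. Those covered only some (interface, mark) combinations:
# a host on bridgeMgnt answering a connection that came in via WAN2 or WAN3
# (e.g. the TCP/45000 forward below) got no routing mark, so its replies were
# routed by the main table and could leave through a different WAN than the
# request arrived on.
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=markWAN1Conn in-interface-list=listLanAlll new-routing-mark=routingTableWan01 passthrough=yes
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=markWAN2Conn in-interface-list=listLanAlll new-routing-mark=routingTableWan02 passthrough=yes
/ip firewall mangle add action=mark-routing chain=prerouting connection-mark=markWAN3Conn in-interface-list=listLanAlll new-routing-mark=routingTableWan03 passthrough=yes

# Router-originated packets belonging to a marked connection use the same table.
# (The export listed each of these rules twice; the duplicates were removed.)
/ip firewall mangle add action=mark-routing chain=output connection-mark=markWAN1Conn new-routing-mark=routingTableWan01 passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=markWAN2Conn new-routing-mark=routingTableWan02 passthrough=yes
/ip firewall mangle add action=mark-routing chain=output connection-mark=markWAN3Conn new-routing-mark=routingTableWan03 passthrough=yes

# --- Port forwarding & hairpin NAT ----------------------------------------------
# dst-address-type=local limits the redirect to connections aimed at one of the
# router's own addresses (any WAN address, and the LAN address for hairpin use).
# Without it the rule matched every TCP/45000 connection passing through the
# router, so a LAN client talking to an internet server on port 45000 was
# rewritten to 10.18.18.181 as well.
/ip firewall nat add action=dst-nat chain=dstnat dst-address-type=local dst-port=45000 protocol=tcp to-addresses=10.18.18.181 to-ports=45000
# Hairpin: when a host on the management segment reaches the forward, rewrite the
# source too so the server's reply comes back through the router.
/ip firewall nat add action=masquerade chain=srcnat dst-address=10.18.18.181 dst-port=45000 out-interface=bridgeMgnt protocol=tcp src-address=10.18.18.0/23

# Outbound masquerade, one rule per WAN (duplicates removed).
/ip firewall nat add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether1WanPac1
/ip firewall nat add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether2WanPac2
/ip firewall nat add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=ether3WanPac3

# --- Routes -------------------------------------------------------------------
# Per-WAN tables; gateway%interface pins each default to its own uplink, which
# matters because WAN2 and WAN3 share the gateway address 192.168.1.1.
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1%ether1WanPac1 routing-table=routingTableWan01
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1%ether2WanPac2 routing-table=routingTableWan02
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1%ether3WanPac3 routing-table=routingTableWan03

# Main-table defaults for unmarked traffic.
# NOTE(review): 192.168.1.1 without %interface is ambiguous when both
# ether2WanPac2 and ether3WanPac3 see that gateway - pin it with %interface as
# above, and decide whether these statics should coexist with the dhcp-client
# defaults (see the dhcp-client note).
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=192.168.0.1
/ip route add disabled=no dst-address=0.0.0.0/0 gateway=192.168.1.1

##-- rest omitted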





박문형 2021-11
수입원이 대흥정보기술 것으로 생각되는데 그쪽에서는 기술 지원 안되나요??

