구글에 검색해도 PCC 구성에 NAS 구성하는 해외 글 찾기가 어려워서
결국 여기다 질문을 올려봅니다.
일단 제가 구성 하려는 목적은
미크로틱 PCC 2WAN 구성으로 로드 벨런싱 되면서
NAS를 외부에서 접속 가능하게 하려고 합니다.
현재 세팅으로 PCC 로드벨런싱은 잘 되고 있는데
NAS 외부 접속만 안되고 있습니다.
사용중인 라우터는 CCR2116 입니다
다만
/ip/route 의
ISP2 주소쪽에 Distance 값을 2로 우선순위를 낮추면 NAS는 ISP1 주소를 통해
외부에서 접속이 되고, 당연하겠지만 PCC 로드벨런싱이 되지 않고 ISP1에 부하가 집중됩니다...
비활성화 된 세팅을 제외하고 세팅 값을 올려봅니다
(일부 IP주소와 포트 번호는 실제 사용하는 세팅과 다른 시놀로지 기본 포트 또는 임의의 포트번호로 되어 있습니다.)
그리고 비활성화된 사용하지 않는 세팅은 생략해서 세팅 번호 순서가 비어 있는 게 있을 수 있습니다.
/ip/firewall/nat
6 ;;; PCC to NAS
chain=srcnat action=masquerade connection-mark=NAS_conn
out-interface=ISP1 log=no log-prefix=""
7 ;;; Loop Back
chain=srcnat action=masquerade src-address=192.168.***.0/24 log=no
log-prefix=""
8 ;;; ISP1 Synology 2400 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=2400
protocol=udp dst-address=180.***.***.*** dst-port=2400 log=no
log-prefix=""
9 ;;; ISP2 Synology 2400 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=2400
protocol=udp dst-address=210.***.***.*** dst-port=2400 log=no
log-prefix=""
10 ;;; ISP1 Synology 5001 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=5001
protocol=tcp dst-address=180.***.***.*** dst-port=5001 log=no
log-prefix=""
11 ;;; ISP2 Synology 5001 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=5001
protocol=tcp dst-address=210.***.***.*** dst-port=5001 log=no
log-prefix=""
12 ;;; ISP1 Synology 5002 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=5002
protocol=tcp dst-address=180.***.***.*** dst-port=5002 log=no
log-prefix=""
13 ;;; ISP2 Synology 5002 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=5002
protocol=tcp dst-address=210.***.***.*** dst-port=5002 log=no
log-prefix=""
14 ;;; ISP1 Synology 5004 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=5004
protocol=tcp dst-address=180.***.***.*** dst-port=5004 log=no
log-prefix=""
15 ;;; ISP2 Synology 5004 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=5004
protocol=tcp dst-address=210.***.***.*** dst-port=5004 log=no
log-prefix=""
16 ;;; ISP1 Synology 20000 -> 5001 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=5001
protocol=tcp dst-address=180.***.***.*** dst-port=20000 log=no
log-prefix=""
17 ;;; ISP2 Synology 20000 -> 5001 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=5001
protocol=tcp dst-address=210.***.***.*** dst-port=20000 log=no
log-prefix=""
18 ;;; ISP1 Synology 45500 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=45500
protocol=tcp dst-address=180.***.***.*** dst-port=45500 log=no
log-prefix=""
19 ;;; ISP2 Synology 45500 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=45500
protocol=tcp dst-address=210.***.***.*** dst-port=45500 log=no
log-prefix=""
20 ;;; ISP1 Synology 45550 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=45550
protocol=tcp dst-address=180.***.***.*** dst-port=45550 log=no
log-prefix=""
21 ;;; ISP2 Synology 45550 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=45550
protocol=tcp dst-address=210.***.***.*** dst-port=45550 log=no
log-prefix=""
44 ;;; ISP1 Synology 55500 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=55500
protocol=tcp dst-address=180.***.***.*** dst-port=55500 log=no
log-prefix=""
23 ;;; ISP2 Synology 55500 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=55500
protocol=tcp dst-address=210.***.***.*** dst-port=55500 log=no
log-prefix=""
24 ;;; ISP1 Synology 5524 FTP Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=44
protocol=tcp dst-address=180.***.***.*** dst-port=5524 log=no
log-prefix=""
25 ;;; ISP2 Synology 5524 FTP Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=44
protocol=tcp dst-address=210.***.***.*** dst-port=5524 log=no
log-prefix=""
28 ;;; ISP2 Synology 2400 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=2400
protocol=udp dst-address=210.***.***.*** dst-port=2400 log=no
log-prefix=""
29 ;;; ISP1 Synology 9001-9004 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=9001-9004
protocol=udp dst-address=180.***.***.*** dst-port=9001-9004 log=no
log-prefix=""
30 ;;; ISP2 Synology 9001 - 9004 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=9001-9004
protocol=udp dst-address=210.***.***.*** dst-port=9001-9004 log=no
log-prefix=""
31 ;;; ISP1 Synology 25050 -> 5006 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=5006
protocol=tcp dst-address=180.***.***.*** dst-port=25050 log=no
log-prefix=""
32 ;;; ISP2 Synology 25050 -> 5006 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=5006
protocol=tcp dst-address=210.***.***.*** dst-port=25050 log=no
log-prefix=""
33 ;;; ISP1 Synology 6050 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=6050
protocol=tcp dst-address=180.***.***.*** dst-port=6050 log=no
log-prefix=""
34 ;;; ISP2 Synology 6050 Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=6050
protocol=tcp dst-address=210.***.***.*** dst-port=6050 log=no
log-prefix=""
35 ;;; ISP1 Synology Reverse Proxy Port
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=800
protocol=tcp dst-address=180.***.***.*** dst-port=800 log=no log-prefix=""
36 ;;; ISP2 Synology Reverse Proxy Port
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=800
protocol=tcp dst-address=210.***.***.*** dst-port=800 log=no
log-prefix=""
37 ;;; ISP1 Synology Http Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=80
protocol=tcp dst-address=180.***.***.*** dst-port=80 log=no log-prefix=""
38 ;;; ISP2 Synology Http Port Forwarding
chain=dstnat action=dst-nat to-addresses=192.168.***.32 to-ports=80
protocol=tcp dst-address=210.***.***.*** dst-port=80 log=no log-prefix=""
39 ;;; 180.***.***.*** ALL TCP Port
chain=dstnat action=dst-nat to-addresses=192.168.***.0/24 protocol=tcp
dst-address=180.***.***.*** log=no log-prefix=""
40 ;;; 210.***.***.*** ALL TCP Port
chain=dstnat action=dst-nat to-addresses=192.168.***.0/24 protocol=tcp
dst-address=210.***.***.*** log=no log-prefix=""
48 chain=srcnat action=masquerade out-interface=ISP1
/ip/firewall/mangle
3 chain=prerouting action=accept dst-address=180.***.***.***/24
in-interface=Local
4 chain=prerouting action=accept dst-address=210.***.***.***/24
in-interface=Local log=no log-prefix=""
5 chain=prerouting action=mark-connection new-connection-mark=ISP1_conn
connection-mark=no-mark in-interface=ISP1
6 chain=prerouting action=mark-connection new-connection-mark=ISP2_conn
connection-mark=no-mark in-interface=ISP2
7 chain=prerouting action=mark-connection new-connection-mark=ISP1_conn
passthrough=yes dst-address-type=!local connection-mark=no-mark
in-interface=Local per-connection-classifier=both-addresses:2/0 log=no
log-prefix=""
8 chain=prerouting action=mark-connection new-connection-mark=ISP2_conn
passthrough=yes dst-address-type=!local connection-mark=no-mark
in-interface=Local per-connection-classifier=both-addresses:2/1 log=no
log-prefix=""
9 chain=prerouting action=mark-connection new-connection-mark=NAS_conn
passthrough=yes dst-address=192.168.***.32
10 chain=prerouting action=mark-routing new-routing-mark=to_ISP1
passthrough=yes connection-mark=NAS_conn
11 chain=prerouting action=mark-routing new-routing-mark=to_ISP1
connection-mark=ISP1_conn in-interface=Local
12 chain=prerouting action=mark-routing new-routing-mark=to_ISP2
connection-mark=ISP2_conn in-interface=Local
13 chain=output action=mark-routing new-routing-mark=to_ISP1
connection-mark=ISP1_conn
14 chain=output action=mark-routing new-routing-mark=to_ISP2
connection-mark=ISP2_conn
PCC 2WAN 셋팅이 되면서 NAS 접속 가능하게 세팅 하는 방법 알려주시면 감사합니다.
아무리 찾아봐도 해당 세팅에 관한 내용을 찾을 수가 없네요...
정 안되면 영문으로 레딧에 질문글을 올려야 하나 고민중입니다... ㅜ,.ㅜ
(예를 들어서 ether1에서 오는 특정 프로토콜/포트 조합의 connection을 추적해서 ether1에 대한 라우팅 마크 부여, ether2에서 들어오는 특정 프로토콜/포트 조합의 connection을 추적해서 ether2에 대한 라우팅 마크 부여)
아직 미크로틱 라우터 셋팅 부분에서 초보다 보니 엉성한 부분이 많습니다..
혹시 예시로 커넥션 추적과 라우팅 테이블 추가 세팅이 아래와 같나요?
/ip/firewall/mangle
add chain=prerouting in-interface=ether1 protocol=tcp dst-port=8080 connection-mark=no-mark action=mark-connection new-connection-mark=ether1_conn
add chain=prerouting in-interface=ether2 protocol=udp dst-port=53 connection-mark=no-mark action=mark-connection new-connection-mark=ether2_conn
add chain=prerouting connection-mark=ether1_conn action=mark-routing new-routing-mark=ether1_route
add chain=prerouting connection-mark=ether2_conn action=mark-routing new-routing-mark=ether2_route
/ip/route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=ether1_route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=ether2_route
말씀하신 내용이 잘 이해 되지 않아 챗gpt 에 물어봤더니 상세 설명과 위와 같은 예시를 보여줬는데
이 예시를 참고해서 세팅하는게 맞는지 확인차 물어봅니다 ^ ^
그러면 위 내용 추가 없이도 대부분은 되는데, NAS(특히 시놀로지)가 가끔 문제가 되는 듯 싶습니다.
9는 비활성, 아래 내용을 수정해서 추가 및 fast-track을 비활성 해보십시오.
PCC 구현시 fast-track이 켜져 있으면 PCC가 제대로 동작이 안될 수 있습니다.
이것으로 해결이 되었으면 좋겠네요.
/ip firewall mangle
add action=mark-connection chain=forward comment=\
"mark conn to port forwarding going in from wan1" connection-state=new \
in-interface=ether1 new-connection-mark=ether1_pfw passthrough=no
add action=mark-routing chain=prerouting comment=\
"mark routing to port forwarding going in from wan1" connection-mark=\
ether1_pfw in-interface=bridge1 new-routing-mark=to_wan1 passthrough=no
add action=mark-connection chain=forward comment=\
"mark conn to port forwarding going in from wan2" connection-state=new \
in-interface=ether2 new-connection-mark=ether2_pfw passthrough=no
add action=mark-routing chain=prerouting comment=\
"mark routing to port forwarding going in from wan2" connection-mark=\
ether2_pfw in-interface=bridge1 new-routing-mark=to_wan2 passthrough=no
이번 주말에 한번 시도 해봐야 겠네요 👍