假設:
ISP1與ISP2都有提供Public地址供遠端連接,並啟用cloud供VPN橋接
CN:192.168.100.254/24 / xxx1234.sn.mynetname.net
HK:192.168.200.254/24 / xxx5678.sn.mynetname.net
CN:
ether6-8:直接翻牆至Hong Kong
192.168.100.0/24連接CN外的地址,透過policy routing改由ISP2連接
192.168.100.201-192.168.100.250有連外國需求,
綁HK_DNS-Server,免除DNS被污染的風險.
HK:
ether6-8:直接翻牆至China
192.168.200.0/24連接CN地址時,透過policy routing改由ISP1連接
192.168.100.0/24 <=> 192.168.200.0/24 電腦群組彼此可互連

- #CN:
- /ip cloud
- # IP Cloud DDNS publishes this router's public address under the *.sn.mynetname.net name used as the tunnel endpoint below.
- set ddns-enabled=yes
- /interface eoip
- # EoIP to the HK router, encrypted by the RouterOS-managed IPsec that ipsec-secret enables.
- # tunnel-id and ipsec-secret must be identical on both ends; mac-address must differ per end.
- # SECURITY: "aaa" is a sample-strength pre-shared key on a tunnel crossing the public Internet.
- # Replace it on BOTH routers with a long random secret before deploying.
- add allow-fast-path=no mac-address=02:F1:04:27:75:96 name=eoip-tunnel1 ipsec-secret=aaa tunnel-id=123 local-address=xxx1234.sn.mynetname.net remote-address=xxx5678.sn.mynetname.net
- /interface bridge
- # vlan-filtering stays off while ports and the VLAN table are added; it is switched on at the end of this section.
- add name=bridge1 vlan-filtering=no
- /interface bridge port
- # The tunnel port carries both VLANs tagged (see the VLAN table below).
- # Local ports are access ports: pvid 100 = CN LAN, pvid 200 = the HK LAN extended over the tunnel (ether6-8).
- add bridge=bridge1 interface=eoip-tunnel1
- add bridge=bridge1 interface=sfp1 pvid=100
- add bridge=bridge1 interface=ether2 pvid=100
- add bridge=bridge1 interface=ether3 pvid=100
- add bridge=bridge1 interface=ether4 pvid=100
- add bridge=bridge1 interface=ether5 pvid=100
- add bridge=bridge1 interface=ether6 pvid=200
- add bridge=bridge1 interface=ether7 pvid=200
- add bridge=bridge1 interface=ether8 pvid=200
- /interface bridge vlan
- # VLAN 200 is additionally tagged on bridge1 itself so the vlan200 interface created below can terminate it on this router.
- # Note: bridging the two sites over EoIP makes each VLAN a single broadcast domain spanning the tunnel.
- add bridge=bridge1 tagged=eoip-tunnel1 untagged=sfp1,ether2,ether3,ether4,ether5 vlan-ids=100
- add bridge=bridge1 tagged=eoip-tunnel1,bridge1 untagged=ether6,ether7,ether8 vlan-ids=200
- /interface vlan
- add interface=bridge1 name=vlan200 vlan-id=200
- /ip address
- # NOTE(review): sfp1 is a bridge member port; with vlan-filtering enabled the LAN address is normally placed on bridge1 (pvid 100) rather than on the port itself — confirm 192.168.100.254 is reachable as written.
- add address=192.168.100.254/24 interface=sfp1 network=192.168.100.0
- # This router is 192.168.200.1 on the HK segment; the HK router uses it as its next hop towards the CN LAN.
- add address=192.168.200.1/24 interface=vlan200
- # Enabled last, once the port and VLAN tables are complete.
- /interface bridge set bridge1 vlan-filtering=yes
- /ip firewall nat
- # Reuse the existing masquerade rule: NAT only on ether1 and never towards the HK LAN, which is reached over the bridged tunnel. "!src-address" clears any src-address match.
- set [find action="masquerade"] out-interface=ether1 dst-address=!192.168.200.0/24 !src-address
- # Force DNS from the hosts allowed to bypass CN resolvers (.201-.250) to the HK router's resolver.
- # Only UDP/53 is matched; TCP/53 queries from these hosts are not redirected.
- add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.100.201-192.168.100.250 to-addresses=192.168.200.254
- /ip firewall mangle
- # Traffic for the HK LAN is accepted (left unmarked) ahead of the policy-routing rule so it keeps the direct bridged path.
- add action=accept chain=prerouting dst-address=192.168.200.0/24
- # All other CN-LAN traffic to non-local destinations outside the "cn" address list is marked for the tunnel.
- # The "cn" address list is not defined in this listing and must be populated separately; while it is empty, "!cn" matches every destination and all traffic is sent via HK.
- add action=mark-routing chain=prerouting dst-address-type=!local dst-address-list=!cn new-routing-mark=vpn passthrough=no src-address=192.168.100.0/24
- /ip route
- # Default route for the "vpn" mark: via the HK router across the EoIP bridge.
- add distance=1 gateway=192.168.200.254 routing-mark=vpn
- #HK:
- /ip cloud
- # IP Cloud DDNS publishes this router's public address under the *.sn.mynetname.net name used as the tunnel endpoint below.
- set ddns-enabled=yes
- /ip dns
- # Lets this router answer DNS for the CN hosts whose queries are redirected here (see the CN dst-nat rule).
- # SECURITY: allow-remote-requests=yes answers queries arriving on ANY interface, including ether1 (WAN), unless the input chain drops udp/tcp 53 from the WAN.
- # No filter rules are shown in this listing — confirm such a rule exists, otherwise this router becomes an open resolver usable for DNS amplification.
- set allow-remote-requests=yes
- /interface eoip
- # Mirror of the CN tunnel: same tunnel-id and ipsec-secret, swapped local/remote names, distinct mac-address.
- # SECURITY: "aaa" is a sample-strength pre-shared key — replace it on BOTH routers with a long random secret before deploying.
- add allow-fast-path=no mac-address=02:F1:04:27:76:95 name=eoip-tunnel1 ipsec-secret=aaa tunnel-id=123 local-address=xxx5678.sn.mynetname.net remote-address=xxx1234.sn.mynetname.net
- /interface bridge
- # vlan-filtering stays off while ports and the VLAN table are added; it is switched on at the end of this section.
- add name=bridge1 vlan-filtering=no
- /interface bridge port
- # Local ports are access ports: pvid 200 = HK LAN, pvid 100 = the CN LAN extended over the tunnel (ether6-8). The tunnel carries both VLANs tagged.
- add bridge=bridge1 interface=eoip-tunnel1
- add bridge=bridge1 interface=sfp1 pvid=200
- add bridge=bridge1 interface=ether2 pvid=200
- add bridge=bridge1 interface=ether3 pvid=200
- add bridge=bridge1 interface=ether4 pvid=200
- add bridge=bridge1 interface=ether5 pvid=200
- add bridge=bridge1 interface=ether6 pvid=100
- add bridge=bridge1 interface=ether7 pvid=100
- add bridge=bridge1 interface=ether8 pvid=100
- /interface bridge vlan
- # Unlike the CN side, VLAN 100 is not tagged on bridge1 here: this router has no L3 interface in the CN VLAN and only switches it.
- add bridge=bridge1 tagged=eoip-tunnel1 untagged=sfp1,ether2,ether3,ether4,ether5 vlan-ids=200
- add bridge=bridge1 tagged=eoip-tunnel1 untagged=ether6,ether7,ether8 vlan-ids=100
- /ip address
- # NOTE(review): sfp1 is a bridge member port; with vlan-filtering enabled the LAN address is normally placed on bridge1 (pvid 200) rather than on the port itself — confirm 192.168.200.254 is reachable as written.
- add address=192.168.200.254/24 interface=sfp1 network=192.168.200.0
- # Enabled last, once the port and VLAN tables are complete.
- /interface bridge set bridge1 vlan-filtering=yes
- /ip firewall nat
- # Reuse the existing masquerade rule: NAT only on ether1 and never towards the CN LAN, which is reached via the CN router on the bridged segment. "!src-address" clears any src-address match.
- set [find action="masquerade"] out-interface=ether1 dst-address=!192.168.100.0/24 !src-address
- /ip firewall mangle
- # HK-LAN traffic to destinations in the "cn" address list is marked for the tunnel.
- # The "cn" list is not defined in this listing and must be populated separately; while it is empty nothing is marked and the vpn route below is never used.
- add action=mark-routing chain=prerouting dst-address-list=cn new-routing-mark=vpn passthrough=no src-address=192.168.200.0/24
- /ip route
- # The CN LAN is reached via the CN router's vlan200 address on the shared bridged segment.
- add distance=1 gateway=192.168.200.1 dst-address=192.168.100.0/24
- # Default route for the "vpn" mark: via the CN router.
- add distance=1 gateway=192.168.200.1 routing-mark=vpn