Первый раз настраиваю Микротик. Есть опыт настройки серверов на Линуксе. Сетевые технологии белее-менее понимаю
Задача.
В офис заходит 2 провайдера.
ISP1 - хороший канал. 156.35.200.6/30
ISP2 - так себе канал. 5.200.26.192/24
Надо сделать разделение трафика. ISP2 - пускаем только для портов: 80,443,110,25 ISP1 - весь остальной трафик.
Делал по мануалу, который был предназначен для RouterOS v6 , но у меня уже RouterOS 7.14.2.
Получился такой конфиг, проверьте, пожалуйста:
Код: Выделить всё
# 2024-04-10 14:39:45 by RouterOS 7.14.2
#
# model = RB5009UG+S+
/interface bridge
add admin-mac=28:1A:18:C4:75:07 auto-mac=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] name=ISP1
set [ find default-name=ether2 ] name=ISP2
/interface list
add name=WAN
add name=LAN
/routing table
add disabled=no fib name=rout_ISP1
add disabled=no fib name=rout_ISP2
add disabled=no fib name=lan_out_ISP2
add disabled=no fib name=lan_out_ISP1
/interface bridge port
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=ISP1 list=WAN
add interface=bridge1 list=LAN
/ip address
add address=192.168.0.21/24 comment=LocalNet interface=bridge1 network=\
192.168.0.0
add address=5.200.26.192/24 comment="ISP2" interface=ISP2 network=\
5.200.26.0
add address=156.35.200.6/30 comment="ISP1" interface=ISP1 network=\
156.35.200.4
/ip dhcp-client
add disabled=yes interface=ISP1
/ip dns
set allow-remote-requests=yes cache-size=6048KiB servers=77.88.8.7,77.88.8.3
/ip firewall filter
add action=accept chain=forward comment=\
"Razreshaem UGE ustanovlennie soedinenia" connection-state=\
established,related
add action=accept chain=input comment=\
"Razreshaem UGE ustanovlennie soedinenia" connection-state=\
established,related
add action=accept chain=forward comment="Razreshaem Local net" \
in-interface-list=LAN
add action=accept chain=input comment="Razreshaem Local net" \
in-interface-list=LAN
add action=drop chain=input in-interface-list=WAN
add action=drop chain=forward connection-nat-state=!dstnat in-interface-list=\
WAN
add action=drop chain=input connection-state=invalid
add action=drop chain=forward connection-state=invalid
/ip firewall mangle
add action=mark-connection chain=input comment=\
"Metka na kagdoe soedinenie iz vne k ISP1" in-interface=ISP1 \
new-connection-mark=cin_ISP1 passthrough=yes
add action=mark-connection chain=input comment=\
"Metka na kagdoe soedinenie iz vne k ISP2" in-interface=ISP2 \
new-connection-mark=cin_ISP2 passthrough=yes
add action=mark-routing chain=output comment=\
"Na kakoi interfeis prishlo, s takogo interfeisa i ushlo. Dla ISP1" \
connection-mark=cin_ISP1 new-routing-mark=rout_ISP1 passthrough=no
add action=mark-routing chain=output comment=\
"Na kakoi interfeis prishlo, s takogo interfeisa i ushlo. Dla ISP2" \
connection-mark=cin_ISP2 new-routing-mark=rout_ISP2 passthrough=no
add action=mark-routing chain=prerouting comment=\
"Esli dest-port iz spiska, to ispolzuem ISP2" dst-port=80,443,110,25 \
new-routing-mark=lan_out_ISP2 passthrough=no protocol=tcp
add action=mark-routing chain=prerouting comment=\
"Ostalnoi trafik cherez ISP1" new-routing-mark=lan_out_ISP1 passthrough=\
no
/ip firewall nat
add action=src-nat chain=srcnat out-interface-list=WAN to-addresses=\
156.35.200.6
add action=dst-nat chain=dstnat comment="Site. Port 80" dst-port=80 \
in-interface-list=WAN protocol=tcp to-addresses=192.168.0.7
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=156.35.200.5 \
pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
156.35.200.6 routing-table=rout_ISP1 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
5.200.26.192 routing-table=rout_ISP2 suppress-hw-offload=no
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=5.200.26.192 \
routing-table=rout_ISP1 suppress-hw-offload=no
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=156.35.200.6 \
routing-table=rout_ISP2 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
156.35.200.6 routing-table=lan_out_ISP1 suppress-hw-offload=no
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
5.200.26.192 routing-table=lan_out_ISP2 suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=5.200.26.192 routing-table=\
lan_out_ISP1 suppress-hw-offload=no
add disabled=no dst-address=0.0.0.0/0 gateway=156.35.200.6 routing-table=\
lan_out_ISP2 suppress-hw-offload=no
/system note
set show-at-login=no