Load Balance + OVPN

Обсуждение ПО и его настройки
MrMydaq

17 апр 2019, 12:58

Всем привет. Начинаю осваивать Mikrotik и, вроде, пока всё получалось, но один момент никак не могу решить: OVPN + Load Balance.
Load Balance на двух LTE-провайдерах работает замечательно, а вот VPN завести никак не получается. Буду благодарен за любую помощь.
 # Address list "BOGONS": special-purpose and private prefixes.
 # In this export the list is referenced only by the (disabled) mangle output
 # rules as dst-address-list=!BOGONS; no filter rule uses it, so as shown it
 # does not block anything by itself.
 # NOTE(review): the list contains the RFC 1918 ranges, so it also matches the
 # LAN (192.168.1.0/24) and the 192.168.88.x / 192.168.8.x uplink subnets used
 # elsewhere in this config - keep that in mind before using it in a drop rule.
 /ip firewall address-list
add address=0.0.0.0/8 list=BOGONS
add address=10.0.0.0/8 list=BOGONS
add address=100.64.0.0/10 list=BOGONS
add address=127.0.0.0/8 list=BOGONS
add address=169.254.0.0/16 list=BOGONS
add address=172.16.0.0/12 list=BOGONS
add address=192.0.0.0/24 list=BOGONS
add address=192.0.2.0/24 list=BOGONS
add address=192.168.0.0/16 list=BOGONS
add address=198.18.0.0/15 list=BOGONS
add address=198.51.100.0/24 list=BOGONS
add address=203.0.113.0/24 list=BOGONS
# 224.0.0.0/3 spans 224.0.0.0-255.255.255.255 (multicast, reserved and broadcast space).
add address=224.0.0.0/3 list=BOGONS
 # Filter rules for traffic to the router (chain=input) and through it
 # (chain=forward). Rules are evaluated top to bottom and the first match wins,
 # so the position of every accept relative to the drops below matters.
 /ip firewall filter
# NOTE(review): the rule comment mentions "untracked", but connection-state
# lists only established,related - confirm which of the two is intended.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# The next three rules open TCP 443, 1194 and 6036 on the router itself with no
# in-interface or src-address match, i.e. from every interface including WAN.
# 1194 is the default OpenVPN port; what listens on 443 and 6036 is not visible
# in this export - TODO confirm each port is needed, and restrict the source
# (src-address-list) wherever the peers are known.
add action=accept chain=input dst-port=443 protocol=tcp
add action=accept chain=input dst-port=1194 protocol=tcp
add action=accept chain=input dst-port=6036 protocol=tcp
# Accepts everything that arrives at the router on any PPP-type interface.
# NOTE(review): tunnel clients can therefore reach every service the router has
# enabled; narrow this to the required ports if clients are not fully trusted.
add action=accept chain=input in-interface=all-ppp
# Fasttrack is disabled. Fasttracked packets skip mangle, so this is presumably
# deliberate for the routing-mark setup in /ip firewall mangle - confirm.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
# Forwards anything entering from any PPP interface to any destination
# (no dst-address or out-interface restriction).
add action=accept chain=forward in-interface=all-ppp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Default-deny for the input chain: whatever was not accepted above and does
# not come from the LAN interface list is dropped here.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
# NOTE(review): both "drop invalid" rules sit after the accept rules, so an
# invalid-state packet that matches one of the accepts above is let through
# first. The stock default configuration places "drop invalid" directly after
# the established/related accept - consider moving these up.
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Drops new connections from WAN that were not dst-NATed. There is no final
# drop rule in the forward chain, so anything else falls through to the
# chain's default accept.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
 # Connection/routing marks for the two-uplink (ether10 and lte) setup.
 # Every rule in this section is exported with disabled=yes, so as shown no
 # marking takes place and all traffic follows the main routing table.
 /ip firewall mangle
# Input + output pair: mark connections that reach the router via an uplink,
# then route the router's own replies with the matching routing mark. This is
# the part that matters for a VPN server running on the router itself.
add action=mark-connection chain=input disabled=yes in-interface=ether10 new-connection-mark=in_ether10 passthrough=yes
add action=mark-connection chain=input disabled=yes in-interface=lte new-connection-mark=in_lte passthrough=yes
# NOTE(review): these output rules also match on out-interface. In the output
# chain that value comes from the initial (main-table) routing decision, so a
# reply the main table sends via the other uplink would presumably never match
# and never get re-routed - verify whether out-interface should be removed.
add action=mark-routing chain=output connection-mark=in_ether10 disabled=yes new-routing-mark=out_ether10 \
out-interface=ether10 passthrough=no
add action=mark-routing chain=output connection-mark=in_lte disabled=yes new-routing-mark=out_lte out-interface=lte \
passthrough=no
# Mark forwarded connections by the uplink they arrived on.
add action=mark-connection chain=prerouting disabled=yes in-interface=ether10 new-connection-mark=forward_ether10 \
passthrough=yes
add action=mark-connection chain=prerouting disabled=yes in-interface=lte new-connection-mark=forward_lte passthrough=\
yes
# PCC: split connections from 192.168.1.0/24 into two buckets (2/0 and 2/1)
# by source address and port, one bucket per uplink.
# NOTE(review): dst-address-type is exported as an empty string; such rules
# commonly use dst-address-type=!local so traffic addressed to the router
# itself is not routing-marked - confirm the intended value.
add action=mark-routing chain=prerouting disabled=yes dst-address-type="" new-routing-mark=out_ether10 passthrough=yes \
per-connection-classifier=src-address-and-port:2/0 src-address=192.168.1.0/24
add action=mark-routing chain=prerouting disabled=yes dst-address-type="" new-routing-mark=out_lte passthrough=yes \
per-connection-classifier=src-address-and-port:2/1 src-address=192.168.1.0/24
# Return path for forwarded connections: packets not arriving from the uplink
# itself get the routing mark of the uplink the connection came in on.
add action=mark-routing chain=prerouting connection-mark=forward_ether10 disabled=yes in-interface=!ether10 \
new-routing-mark=out_ether10 passthrough=no
add action=mark-routing chain=prerouting connection-mark=forward_lte disabled=yes in-interface=!lte new-routing-mark=\
out_lte passthrough=no
# Router-originated traffic to non-BOGONS destinations, selected by source address.
# NOTE(review): 192.168.88.1 and 192.168.8.1 are the gateway addresses used in
# /ip route; packets generated by the router would carry the router's own
# address on each uplink as source - verify these src-address values.
add action=mark-routing chain=output disabled=yes dst-address-list=!BOGONS new-routing-mark=out_ether10 passthrough=yes \
src-address=192.168.88.1
add action=mark-routing chain=output disabled=yes dst-address-list=!BOGONS new-routing-mark=out_lte passthrough=yes \
src-address=192.168.8.1
 # Source NAT: masquerade traffic leaving through the WAN interface list and
 # through any PPP interface; ipsec-policy=out,none limits both rules to
 # packets that are not subject to an outbound IPsec policy.
 /ip firewall nat
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
# NOTE(review): masquerading into all-ppp hides LAN source addresses behind the
# router's tunnel address; the remote side then cannot tell LAN hosts apart in
# its logs or ACLs - confirm this is wanted for the VPN.
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface=all-ppp
 # Routes. No dst-address is given on the first four entries, which makes them
 # default routes (0.0.0.0/0).
 /ip route
# Per-uplink default routes for the out_ether10 / out_lte routing marks;
# both are disabled in this export.
add check-gateway=ping disabled=yes distance=1 gateway=192.168.88.1 routing-mark=out_ether10
add check-gateway=ping disabled=yes distance=1 gateway=192.168.8.1 routing-mark=out_lte
# Main-table default routes via 8.8.8.8 (distance 10) and 8.8.4.4 (distance 20)
# with target-scope=30, i.e. recursive gateways used as a reachability check.
# Different distances give failover, not balancing.
# NOTE(review): the /32 host routes below that would resolve these gateways are
# disabled=yes; verify how the recursive next hops resolve in the running
# config. The health check also depends on third-party hosts answering ICMP.
add check-gateway=ping distance=10 gateway=8.8.8.8 target-scope=30
add check-gateway=ping distance=20 gateway=8.8.4.4 target-scope=30
# Host routes pinning each probe address to one uplink gateway (disabled).
add disabled=yes distance=1 dst-address=8.8.4.4/32 gateway=192.168.8.1
add disabled=yes distance=1 dst-address=8.8.8.8/32 gateway=192.168.88.1
 # Policy rules: packets carrying a routing mark are looked up only in the
 # table of the same name, with no fallback to the main table.
 # NOTE(review): the only routes carrying these routing marks in this export
 # are disabled, so marked traffic would presumably find no route once the
 # mangle rules are enabled - enable the marked routes together with them.
 /ip route rule
add action=lookup-only-in-table routing-mark=out_ether10 table=out_ether10
add action=lookup-only-in-table routing-mark=out_lte table=out_lte

