Does anyone have a current IP/packet flow diagram that includes the Hotspot flow rules? The one in the manual is outdated and seems to be missing something. I'm trying to set up policy routing for web and DNS traffic on the same MT box that runs the Hotspot server. The problem is that my redirect rules and the Hotspot rules interfere with each other and the traffic simply "dies". If anyone has ideas on how to adjust the rules better, I'd appreciate it. See my current mangle rules below:
Here are my NAT rules, including Hotspot:
0 D chain=dstnat hotspot=from-client action=jump jump-target=hotspot
1 D chain=hotspot action=jump jump-target=pre-hotspot
2 D chain=hotspot protocol=udp dst-port=53 action=redirect to-ports=64872
3 D chain=hotspot protocol=tcp dst-port=53 action=redirect to-ports=64872
4 D chain=hotspot protocol=tcp dst-port=80 hotspot=local-dst action=redirect to-ports=64873
5 D chain=hotspot protocol=tcp dst-port=443 hotspot=local-dst action=redirect to-ports=64875
6 D chain=hotspot protocol=tcp hotspot=!auth action=jump jump-target=hs-unaut>
7 D chain=hotspot protocol=tcp hotspot=auth action=jump jump-target=hs-auth
8 D chain=hs-unauth protocol=tcp dst-port=80 action=redirect to-ports=64874
9 D chain=hs-unauth protocol=tcp dst-port=3128 action=redirect to-ports=64874
10 D chain=hs-unauth protocol=tcp dst-port=8080 action=redirect to-ports=64874
11 D chain=hs-unauth protocol=tcp dst-port=443 action=redirect to-ports=64875
12 D chain=hs-unauth protocol=tcp dst-port=25 action=jump jump-target=hs-smtp
13 D chain=hs-auth protocol=tcp hotspot=http action=redirect to-ports=64874
14 D chain=hs-auth protocol=tcp dst-port=25 action=jump jump-target=hs-smtp
15 ;;; masquerade hotspot network
chain=srcnat src-address=10.250.253.0/24 action=masquerade
Here are my mangle rules:
/ ip firewall mangle
add chain=prerouting in-interface=wlan1 protocol=tcp dst-port=0-1030 \
connection-state=new hotspot=auth action=mark-connection \
new-connection-mark=main-c1 passthrough=yes comment="" disabled=no
add chain=prerouting connection-mark=main-c1 action=mark-routing \
new-routing-mark=main-r passthrough=no comment="" disabled=no
add chain=prerouting in-interface=wlan1 protocol=udp dst-port=0-1030 \
connection-state=new hotspot=auth action=mark-packet \
new-packet-mark=main-p2 passthrough=yes comment="" disabled=no
add chain=prerouting packet-mark=main-p2 action=mark-routing \
new-routing-mark=main-r passthrough=no comment="" disabled=no
add chain=prerouting packet-mark=main-p2 action=log log-prefix="c2:" \
comment="" disabled=no
add chain=prerouting in-interface=wlan1 protocol=tcp dst-port=1812-1813 \
action=mark-connection new-connection-mark=main-c3 passthrough=yes \
comment="" disabled=no
add chain=prerouting connection-mark=main-c3 action=mark-routing \
new-routing-mark=main-r passthrough=no comment="" disabled=no
add chain=prerouting in-interface=wlan1 protocol=udp dst-port=1812-1813 \
action=mark-connection new-connection-mark=main-c4 passthrough=yes \
comment="" disabled=no
add chain=prerouting connection-mark=main-c4 action=mark-routing \
new-routing-mark=main-r passthrough=no comment="" disabled=no
add chain=prerouting in-interface=wlan1 protocol=icmp action=mark-connection \
new-connection-mark=main-c5 passthrough=yes comment="" disabled=yes
add chain=output src-address=10.250.253.0/24 dst-address=!10.250.253.0/24 \
protocol=tcp dst-port=0-1030 connection-state=new src-address-list=local \
hotspot=!local-dst action=mark-connection new-connection-mark=main-c1a \
passthrough=yes comment="" disabled=no
add chain=output connection-mark=main-c1a action=mark-routing \
new-routing-mark=main-r passthrough=no comment="" disabled=no
add chain=output protocol=udp dst-port=0-1030 src-address-list=local \
action=mark-packet new-packet-mark=main-p2a passthrough=yes comment="" \
disabled=no
add chain=output packet-mark=main-p2a action=mark-routing \
new-routing-mark=main-r passthrough=yes comment="" disabled=no
add chain=output packet-mark=main-p2a action=log log-prefix="c2a:" comment="" \
disabled=no
add chain=output protocol=tcp dst-port=1812-1813 action=mark-connection \
new-connection-mark=main-c3a passthrough=yes comment="" disabled=no
add chain=output connection-mark=main-c3a action=mark-routing \
new-routing-mark=main-r passthrough=no comment="" disabled=no
add chain=output protocol=udp dst-port=1812-1813 action=mark-connection \
new-connection-mark=main-c4a passthrough=yes comment="" disabled=no
add chain=output connection-mark=main-c4a action=mark-routing \
new-routing-mark=main-r passthrough=no comment="" disabled=no
add chain=output protocol=icmp action=mark-connection \
new-connection-mark=main-c5a passthrough=yes comment="" disabled=yes
add chain=output connection-mark=main-c5a action=mark-packet \
new-packet-mark=main-p5a passthrough=yes comment="" disabled=yes
add chain=output packet-mark=main-p5a action=mark-routing \
new-routing-mark=main-r passthrough=no comment="" disabled=yes
The goal is to route web/DNS/Hotspot/FTP/Telnet etc. traffic through one gateway and all other traffic (p2p) through the default gateway. Two internet connections come into this box on ether1 and ether2. Whenever the Hotspot is enabled I see sporadic traffic leaving on one link and coming in on the other, or, if the 'standard' connection dies, traffic goes nowhere when it should be using the backup gateway.
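Added example, not part of the original post and not a MikroTik-supplied configuration: a minimal policy-routing set for the scenario above, written in RouterOS v6 syntax. It assumes wlan1 is the hotspot interface with pool 10.250.253.0/24, ether1 is the "main" uplink with gateway 192.0.2.1 and ether2 the default uplink with gateway 198.51.100.1 (documentation addresses chosen for illustration). It relies on two packet-flow facts: mangle prerouting runs before dstnat, so the client's original dst-port is still visible there, and traffic that the hotspot's dynamic rules redirect to its own DNS cache (port 64872) or transparent web proxy (port 64874) is terminated on the router and re-originated by the router itself, so the outbound copy of that traffic traverses the output chain with the router's own source address rather than the hotspot subnet. The example marks connections rather than individual packets so that every packet of a UDP flow inherits the mark, applies the routing mark only to packets that will leave the box, and puts a fallback gateway inside the marked table so marked traffic fails over instead of dead-ending.

```routeros
# Added example (not from the original post). Assumed, for illustration:
#   wlan1  = hotspot interface, pool 10.250.253.0/24
#   ether1 = "main" uplink, gateway 192.0.2.1     (interactive traffic)
#   ether2 = default uplink, gateway 198.51.100.1 (everything else, e.g. p2p)
# RouterOS v6 syntax. The hotspot's dynamic (D) nat rules are left untouched.

/ip firewall mangle
# Forwarded traffic from authenticated hotspot clients. Prerouting mangle runs
# before dstnat, so dst-port is still the client's real destination here, not
# the 6487x port the hotspot redirect will rewrite it to. Mark the connection,
# not single packets, so every later packet (TCP or UDP) carries the mark.
add chain=prerouting in-interface=wlan1 hotspot=auth connection-state=new \
    protocol=tcp dst-port=21,22,23,25,53,80,110,143,443,993,995 \
    action=mark-connection new-connection-mark=interactive passthrough=yes
add chain=prerouting in-interface=wlan1 hotspot=auth connection-state=new \
    protocol=udp dst-port=53,123 \
    action=mark-connection new-connection-mark=interactive passthrough=yes
# Keep replies on the uplink the connection arrived on.
add chain=prerouting in-interface=ether1 connection-state=new \
    action=mark-connection new-connection-mark=via-ether1 passthrough=yes
add chain=prerouting in-interface=ether2 connection-state=new \
    action=mark-connection new-connection-mark=via-ether2 passthrough=yes
# Routing marks only for packets that will actually be routed out of the box;
# packets redirected to the hotspot's own DNS/proxy are delivered locally.
add chain=prerouting connection-mark=interactive dst-address-type=!local \
    action=mark-routing new-routing-mark=main-r passthrough=no
add chain=prerouting connection-mark=via-ether1 dst-address-type=!local \
    action=mark-routing new-routing-mark=main-r passthrough=no
add chain=prerouting connection-mark=via-ether2 dst-address-type=!local \
    action=mark-routing new-routing-mark=backup-r passthrough=no

# Connections the router opens on the clients' behalf: the hotspot DNS cache,
# the transparent web proxy, and RADIUS. These go through output, not
# prerouting, with the router's own source address, so do not match on the
# hotspot subnet here.
add chain=output connection-state=new protocol=tcp dst-port=80,443 \
    dst-address-type=!local action=mark-connection \
    new-connection-mark=interactive passthrough=yes
add chain=output connection-state=new protocol=udp dst-port=53,1812,1813 \
    dst-address-type=!local action=mark-connection \
    new-connection-mark=interactive passthrough=yes
add chain=output connection-mark=interactive dst-address-type=!local \
    action=mark-routing new-routing-mark=main-r passthrough=no
add chain=output connection-mark=via-ether1 dst-address-type=!local \
    action=mark-routing new-routing-mark=main-r passthrough=no
add chain=output connection-mark=via-ether2 dst-address-type=!local \
    action=mark-routing new-routing-mark=backup-r passthrough=no

/ip route
# main-r table: ether1 preferred, ether2 as fallback *inside the same table*,
# so marked traffic fails over instead of dead-ending when ether1 dies.
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=main-r \
    distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=main-r distance=2
# backup-r table: replies to connections that arrived on ether2.
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=backup-r distance=1
# Main table: unmarked traffic (p2p etc.) leaves via ether2, ether1 as fallback.
add dst-address=0.0.0.0/0 gateway=198.51.100.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.0.2.1 distance=2

/ip firewall nat
# Masquerade per egress interface so the source address always matches the
# link the packet really leaves on, whichever table picked it.
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade
```

To check that the marks land where intended, watch `/ip firewall mangle print stats` while a hotspot client browses: the prerouting "interactive" rule should count the client's TCP SYNs, while the output rules should count the proxy's and DNS cache's connections to the outside. `/ip firewall connection print where connection-mark=interactive` shows which flows carry the mark, and `/ip route print where routing-mark=main-r` shows which gateway the marked table is currently using after `check-gateway` marks one unreachable. Marking connections rather than packets matters for the UDP case: a `mark-packet` rule restricted to `connection-state=new` marks only the first datagram of a flow, so later packets of that flow fall back to the main table.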
