


  1. Could someone help me put this rule together?

    Today my rules look like this:

    Code:
     1   chain=input action=mark-connection new-connection-mark=conn_na passthrough=yes connection-state=new in-interface=Link1 
     2   chain=input action=mark-connection new-connection-mark=conn_nb passthrough=yes connection-state=new in-interface=Link2 
     3   chain=output action=mark-routing new-routing-mark=to_ra passthrough=no connection-mark=conn_na 
     4   chain=output action=mark-routing new-routing-mark=to_rb passthrough=no connection-mark=conn_nb 
     5   chain=prerouting action=mark-connection new-connection-mark=conn_ma0 passthrough=yes dst-address-type=!local in-interface=Clientes 
         per-connection-classifier=both-addresses:2/0 
     6   chain=prerouting action=mark-connection new-connection-mark=conn_mb1 passthrough=yes dst-address-type=!local in-interface=Clientes 
         per-connection-classifier=both-addresses:2/1 
     7   chain=prerouting action=mark-routing new-routing-mark=to_nra passthrough=no in-interface=Clientes connection-mark=conn_ma0 
     8   chain=prerouting action=mark-routing new-routing-mark=to_nrb passthrough=no in-interface=Clientes connection-mark=conn_mb1

  2. Please, everyone, could someone help me with this rule so I no longer have problems with bank sites when using PCC load balancing?

    The rules I currently use are in the post above. Thanks to anyone who can contribute.



  3. Hey Gustavo, how's it going?
    I'll post the rules I use here; I don't have problems with banks/secure sites ... at least nobody has ever complained. Here is the example for 2 links; adapt it to your needs.
    Legend:
    192.168.0.0/24 = client network
    200.200.200.0/29 = IP range of link 1
    201.201.201.0/29 = IP range of link 2
    200.200.200.1 = gateway of link 1
    201.201.201.1 = gateway of link 2
    Lan1 = name of the interface that serves the clients
    Wan1 = name of the interface link 1 is connected to
    Wan2 = name of the interface link 2 is connected to


    Code:
    /ip firewall address-list
    add address=192.168.0.0/24 comment="" disabled=no list=local
    add address=200.200.200.0/29 comment="" disabled=no list=wans
    add address=201.201.201.0/29 comment="" disabled=no list=wans
     
    /ip firewall nat
    add action=masquerade chain=srcnat comment=NAT disabled=no out-interface=Wan1
    add action=masquerade chain=srcnat comment="" disabled=no out-interface=Wan2
     
    /ip firewall mangle
    add action=mark-connection chain=input comment="Mark Incoming (to router itself) connections so their reply packets get routed to the interface the connections came in" connection-state=new \
        disabled=no in-interface=Wan1 new-connection-mark=wan1_conn passthrough=yes
    add action=mark-connection chain=input comment="" connection-state=new disabled=no in-interface=Wan2 new-connection-mark=wan2_conn passthrough=yes
    add action=accept chain=output comment="Prevent Outgoing connections to clients' IP addresses from being mangled and routed by PCC" disabled=no dst-address-list=local
    add action=accept chain=output comment="Prevent proper to gateway connections from hitting the PCC mangles and being re-assigned to other gateway" connection-state=new disabled=no dst-address-list=\
        wans
    add action=mark-routing chain=output comment="Set Outgoing (from the router itself) routes" connection-mark=wan1_conn disabled=no new-routing-mark=to_wan1 passthrough=yes
    add action=mark-routing chain=output comment="" connection-mark=wan2_conn disabled=no new-routing-mark=to_wan2 passthrough=yes
    add action=accept chain=prerouting comment="Accept rules - Prevent local connections from being marked and sent to the Internet gateways where they would be dropped since the addresses wont match" \
        disabled=no dst-address-list=local src-address-list=local
    add action=accept chain=prerouting comment="" disabled=no dst-address-list=wans src-address-list=local
    add action=accept chain=prerouting comment="" disabled=no dst-address-list=local src-address-list=wans
    add action=mark-routing chain=prerouting comment="HTTPS fixed route (main routing table)" disabled=no dst-port=443 new-routing-mark=main \
        passthrough=no protocol=tcp src-address-list=local
    add action=mark-connection chain=prerouting comment="Mark connections from clients ip addresses w PCC balance before they get routed so they can be assigned routing rules later and get routed" \
        connection-state=new disabled=no dst-address-type=!local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses:2/0 src-address-list=local
    add action=mark-connection chain=prerouting comment="" connection-state=new disabled=no dst-address-type=!local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=\
        both-addresses:2/1 src-address-list=local
    add action=mark-routing chain=prerouting comment="" connection-mark=wan1_conn disabled=no new-routing-mark=to_wan1 passthrough=yes src-address-list=local
    add action=mark-routing chain=prerouting comment="" connection-mark=wan2_conn disabled=no new-routing-mark=to_wan2 passthrough=yes src-address-list=local
     
    /ip route
    add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=200.200.200.1
    add comment="" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=201.201.201.1
    add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=200.200.200.1 routing-mark=to_wan1
    add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=201.201.201.1 routing-mark=to_wan2
    Hope this helps.
    Regards,
    Gabriel Siena
    Last edited by gsiena; 14-12-2009 at 14:46.
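
An added model of the prerouting mangle rules in the post above (not the poster's code and not RouterOS's implementation): it walks the rules in order for a new connection and returns the routing mark, showing that TCP/443 from clients stays on the main table while other traffic is split by the both-addresses classifier. Assumptions: CRC32 stands in for the RouterOS hash, the names `routing_mark` and `pcc_bucket` are hypothetical, and the destination addresses are constructed samples.

```python
import ipaddress
import zlib

# Address lists taken from the post above.
LOCAL = [ipaddress.ip_network("192.168.0.0/24")]
WANS = [ipaddress.ip_network("200.200.200.0/29"),
        ipaddress.ip_network("201.201.201.0/29")]


def in_list(addr, nets):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def pcc_bucket(src, dst, denominator=2):
    """Stand-in for per-connection-classifier=both-addresses:2/x.

    Assumption: CRC32 replaces the RouterOS hash, which is not reproduced here.
    """
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return zlib.crc32(key) % denominator


def routing_mark(src, dst, proto="tcp", dport=80):
    """Walk the prerouting mangle rules in order for a new connection."""
    if not in_list(src, LOCAL):
        return "main"   # the marking rules only match src-address-list=local
    if in_list(dst, LOCAL) or in_list(dst, WANS):
        return "main"   # accept rules: local and WAN-range traffic is never balanced
    if proto == "tcp" and dport == 443:
        return "main"   # "HTTPS fixed route (main routing table)", passthrough=no
    # Remainder 0 -> wan1_conn -> to_wan1, remainder 1 -> wan2_conn -> to_wan2.
    return ("to_wan1", "to_wan2")[pcc_bucket(src, dst)]


if __name__ == "__main__":
    client = "192.168.0.10"
    # Constructed sample: one site answering from several addresses (TEST-NET-3).
    site = [f"203.0.113.{i}" for i in range(1, 9)]
    for dport in (80, 443):
        print(dport, [routing_mark(client, ip, "tcp", dport) for ip in site])
```

With these rules, every HTTPS connection from a client leaves through whichever gateway the main table currently prefers (200.200.200.1 at distance=1, 201.201.201.1 at distance=2), so a site that ties a session to the source address sees one address for all of its servers.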

  4. #9
    Unregistered
    Friend, if you followed Luciano's tutorial it's easy; here is the solution to your problems:

    /ip firewall address-list
    add address=200.155.80.0/20 comment="" disabled=no list=sem_balance

    Note: This is the IP for the Bradesco site; if you have problems with other sites it's easy: copy the rule and change the IP.

    Regards,
    Alessandro - IT



  5. Friend, if you followed Luciano's configuration tutorial it's easy; here is the solution to your problems:

    /ip firewall address-list
    add address=200.155.80.0/20 comment="" disabled=no list=sem_balance

    Note: This rule has Bradesco's main IP; it will solve your problems with that bank's site, and if you have problems with other pages it's simple: copy the rule and change only the IP.

    Regards,
    Alessandro - IT





