命令行:
/ ip firewall mangle
1、保證訪問局域網IP的時候不被PCC了。
add chain=prerouting dst-address=10.1.1.0/24 action=accept in-interface=ether1
add chain=prerouting dst-address=10.2.2.0/24 action=accept in-interface=ether1
2、保證上網流量從哪進就從哪出,所以必須比如對從wan口進來的流量進行標識。為避免上下流量出錯connection-mark=no-mark不可少!
add chain=prerouting in-interface=wlan1 connection-mark=no-mark action=mark-connection new-connection-mark=1
add chain=prerouting in-interface=wlan2 connection-mark=no-mark action=mark-connection new-connection-mark=2
3、對於從局域網進的連接,目的地址為非局域網IP的流量進行連接標記,每個1/2。為避免上下流量出錯connection-mark=no-mark不可少!
add chain=prerouting in-interface=ether1 connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=1
add chain=prerouting in-interface=ether1 connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=2
4、對於之前進行連接的標識進行,分別標識不同的路由標記。這里注意in-interface=ether1不可少,因為之前的連接標記為雙向的,有進有出,這里如果沒有in-interface配置,out流量也會被PCC!
add chain=prerouting connection-mark=1 in-interface=ether1 action=mark-routing new-routing-mark=1
add chain=prerouting connection-mark=2 in-interface=ether1 action=mark-routing new-routing-mark=2
5、保證上網流量從哪進就從哪出,所以必須比如對從wan口出去的流量進行標識。
add chain=output connection-mark=1 action=mark-routing new-routing-mark=1
add chain=output connection-mark=2 action=mark-routing new-routing-mark=2
6、對不同的路由標記走不同的外網網關出去,后面兩個為備用網關
/ ip route
add dst-address=0.0.0.0/0 gateway=10.1.1.88 routing-mark=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.2.2.88 routing-mark=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.1.1.88 distance=2
add dst-address=0.0.0.0/0 gateway=10.2.2.88 distance=3
7、對兩條外網進行偽裝
/ ip firewall nat
add chain=srcnat out-interface=wlan1 action=masquerade
add chain=srcnat out-interface=wlan2 action=masquerade
