
Welcome to this training

By: jesus garcia


www.wispnet.com.ve

***NOTE***
1 # Be sure to change the interface names and IP addresses to match your network.
2 # In the DNS section, use your ISP's DNS IP addresses or the Google DNS servers 8.8.8.8 and 8.8.4.4.
3 # You can use different host IP addresses for gateway monitoring, preferably reliable servers of your primary ISP, such as its DNS or another one. The IPs of other websites can also be used.

The interfaces must be renamed on the RB exactly like this, in upper case:


WAN1
WAN2
LAN

***Remember to change the IPs to the ones from your provider.

/ip address
add address=192.168.5.2/24 interface=WAN1 network=192.168.5.0
add address=192.168.6.2/24 interface=WAN2 network=192.168.6.0
add address=192.168.26.1/30 interface=LAN network=192.168.26.0

/ip firewall nat

add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2

/ip firewall mangle

add action=mark-connection chain=input in-interface=WAN1 new-connection-mark=WAN1_conn
add action=mark-connection chain=input in-interface=WAN2 new-connection-mark=WAN2_conn
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2
add chain=prerouting dst-address=192.168.5.0/24 in-interface=LAN
add chain=prerouting dst-address=192.168.6.0/24 in-interface=LAN
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LAN new-connection-mark=WAN1_conn per-connection-classifier=both-addresses:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LAN new-connection-mark=WAN2_conn per-connection-classifier=both-addresses:2/1

**IMPORTANT NOTE
***START: both-addresses-and-ports

/ip firewall mangle

add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LAN new-connection-mark=WAN1_conn per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LAN new-connection-mark=WAN2_conn per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-connection chain=prerouting dst-address-type=!local in-interface=LAN new-

***END

/ip firewall mangle

add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=LAN new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=LAN new-routing-mark=to_WAN2

***Important***

/ip route
add check-gateway=ping distance=1 gateway=8.8.8.8 routing-mark=to_WAN1
add check-gateway=ping distance=2 gateway=8.8.4.4 routing-mark=to_WAN2
add distance=1 gateway=10.0.0.1 routing-mark=to_WAN1
add distance=2 gateway=10.0.0.2 routing-mark=to_WAN2
add distance=1 gateway=10.0.0.1
add distance=2 gateway=10.0.0.2
add distance=1 dst-address=8.8.8.8/32 gateway=192.168.5.1 scope=10
add distance=1 dst-address=8.8.4.4/32 gateway=192.168.6.1 scope=10
add check-gateway=ping distance=1 dst-address=10.0.0.1/32 gateway=8.8.8.8 scope=10
add check-gateway=ping distance=1 dst-address=10.0.0.2/32 gateway=8.8.4.4 scope=10

Protect MikroTik from SSH/FTP attacks

/ip firewall filter

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="Bloquear Ataques FTP"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h

/ip firewall filter

add chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 comment="Proteccion VSC contra ataques via SSH"
add chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22
add chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=1m dst-port=22
add chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22
add chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22
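The staged SSH address lists above can be checked with the following Python model. It is an added example, not part of the page or of RouterOS: the rule order and the 1m / 1w3d timeouts are the page's, while the connection log and the source addresses 10.9.8.7 and 192.168.26.2 are constructed.

```python
from collections import namedtuple

# One page rule: fire when src is in `required` (None = always) and add src
# to `target` for `timeout` seconds. The order is the page's rule order.
Rule = namedtuple("Rule", "required target timeout")


class SshBruteForceGuard:
    """Model of the page's five filter rules for new TCP/22 connections
    (the drop rule first, then the four add-src-to-address-list rules)."""
    RULES = [Rule("ssh_stage3", "ssh_blacklist", 10 * 86400),  # 1w3d
             Rule("ssh_stage2", "ssh_stage3", 60),              # 1m
             Rule("ssh_stage1", "ssh_stage2", 60),
             Rule(None, "ssh_stage1", 60)]

    def __init__(self):
        self.expiry = {}  # (address-list name, src) -> expiry time in seconds

    def listed(self, name, src, now):
        """True while the dynamic address-list entry has not timed out."""
        return self.expiry.get((name, src), float("-inf")) > now

    def new_connection(self, now, src):
        """Return 'drop' when the first rule matches, otherwise 'pass'.
        add-src-to-address-list does not terminate rule processing in
        RouterOS, so every later rule whose list condition holds also fires."""
        if self.listed("ssh_blacklist", src, now):
            return "drop"
        for rule in self.RULES:
            if rule.required is None or self.listed(rule.required, src, now):
                self.expiry[(rule.target, src)] = now + rule.timeout
        return "pass"


def replay(events):
    """Feed (time, src) new-connection events through a fresh guard."""
    guard = SshBruteForceGuard()
    return [guard.new_connection(t, src) for t, src in events]


# Constructed logs (not from the page). Times are seconds.
BRUTE = [(t, "10.9.8.7") for t in (0, 5, 10, 15, 20)]      # 5 s apart
SLOW = [(t, "10.9.8.7") for t in (0, 61, 122, 183, 244)]   # more than 1m apart
ADMIN = [(t, "192.168.26.2") for t in (0, 3600, 7200)]     # one login per hour

if __name__ == "__main__":
    print(replay(BRUTE))  # the 4th attempt lands in ssh_blacklist, the 5th is dropped
    print(replay(SLOW), replay(ADMIN))
```

A source whose attempts are spaced beyond the 1m stage timeout never advances past ssh_stage1, so that timeout, not only the blacklist length, decides what these rules catch.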

Source for the failover: http://wiki.mikrotik.com/wiki/Manual:Using_scope_and_target-scope_attributes

Traffic per provider: WAN1


/ip firewall mangle
add action=mark-connection chain=prerouting comment="Https port 443 trafico separado by WAN1" disabled=yes dst-port=443 in-interface=LAN new-connection-mark=Https protocol=tcp
add action=mark-routing chain=prerouting connection-mark=Https disabled=yes in-interface=LAN new-routing-mark=to_WAN1 passthrough=no
add action=mark-connection chain=prerouting comment="http port 80 Trafico separado by WAN1" disabled=yes dst-port=80 in-interface=LAN new-connection-mark=http protocol=tcp
add action=mark-routing chain=prerouting connection-mark=http disabled=yes in-interface=LAN new-routing-mark=to_WAN1 passthrough=no

Traffic per provider: WAN2


/ip firewall mangle
add action=mark-connection chain=prerouting comment="Https port 443 trafico separado by WAN2" dst-port=443 in-interface=LAN new-connection-mark=Https protocol=tcp
add action=mark-routing chain=prerouting connection-mark=Https in-interface=LAN new-routing-mark=to_WAN2 passthrough=no
add action=mark-connection chain=prerouting comment="http port 80 Trafico separado by WAN2" dst-port=80 in-interface=LAN new-connection-mark=http protocol=tcp
add action=mark-routing chain=prerouting connection-mark=http in-interface=LAN new-routing-mark=to_WAN2 passthrough=no

************************
##Definition##
both-addresses = both IP addresses
both-addresses: the source and destination IP of a request between the same client and server will always be the same, so all traffic between a specific client and a specific server (for example, your laptop and the server 67.89.2.5) will always match the same PCC matcher and will always be placed on the same link.

both-addresses = both IP addresses; it refers to src-address and dst-address as the classifier.


Although this will randomize things more and in theory give the fairest allocation of bandwidth, there is also a good chance that it will break certain things such as banking websites and some forums. This is because HTTP requests will often spawn several connections, so there is a chance that some requests could leave by a different route than the initial one, and secure websites will break.
More information: http://wiki.mikrotik.com/wiki/How_PCC_works_%28beginner%29
************************
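The following Python simulation is an added example (not from the page or from MikroTik) of the difference between the both-addresses definition above and the both-addresses-and-ports alternative given in the IMPORTANT NOTE. RouterOS does not document its PCC hash, so the hash here is a constructed stand-in (sum of address octets and ports); the point shown, which fields enter the hash and therefore whether one client/server pair can be split across WAN1 and WAN2, does not depend on the hash function. The client 192.168.26.2 and the source ports are assumed.

```python
from collections import defaultdict


def ip_octet_sum(ip):
    """Sum of the four octets of a dotted-quad IPv4 address."""
    return sum(int(octet) for octet in ip.split("."))


def pcc_remainder(classifier, denominator, src, dst, sport, dport):
    """Constructed stand-in for per-connection-classifier=<classifier>:<denominator>/<remainder>.
    Only the fields the classifier names feed the hash, as in RouterOS; the
    hash itself (a plain sum) is an assumption chosen to be easy to follow."""
    if classifier == "both-addresses":
        key = ip_octet_sum(src) + ip_octet_sum(dst)
    elif classifier == "both-addresses-and-ports":
        key = ip_octet_sum(src) + ip_octet_sum(dst) + sport + dport
    else:
        raise ValueError("unsupported classifier: " + classifier)
    return key % denominator


def assign_links(classifier, connections):
    """Apply the page's two mangle rules: remainder 0 -> WAN1_conn, 1 -> WAN2_conn."""
    return [("WAN1", "WAN2")[pcc_remainder(classifier, 2, *conn)]
            for conn in connections]


def links_per_pair(classifier, connections):
    """Number of distinct WAN links each (client, server) pair ends up on."""
    used = defaultdict(set)
    for conn, link in zip(connections, assign_links(classifier, connections)):
        used[(conn[0], conn[1])].add(link)
    return {pair: len(links) for pair, links in used.items()}


# Constructed sample: one LAN client opening four HTTPS connections to the
# server 67.89.2.5 used as the page's example, each from a new source port.
CLIENT, SERVER = "192.168.26.2", "67.89.2.5"
SAMPLE = [(CLIENT, SERVER, sport, 443) for sport in (50001, 50002, 50003, 50004)]

if __name__ == "__main__":
    for mode in ("both-addresses", "both-addresses-and-ports"):
        print(mode, assign_links(mode, SAMPLE), links_per_pair(mode, SAMPLE))
```

With both-addresses every connection of the pair stays on one link; with both-addresses-and-ports the same client/server pair is spread over both WANs, which is the behaviour the definition blames for breaking banking sites.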
