Good afternoon. I built a configuration for 2 WAN interfaces; the goal was to get access via both IP addresses. Next, I want to combine the channels for torrents and enable the bonding rules from time to time. Could you check the configuration and tell me whether I set everything up correctly? At the moment, access via both IPs works.

/interface bridge
add name=bridge
/interface ethernet
set [ find default-name=ether4 ] master-port=ether3
set [ find default-name=ether5 ] master-port=ether3
/ip neighbor discovery
set ether1 discover=no
set ether2 discover=no
/interface list
add name=WAN
add name=LAN
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp authoritative=after-2sec-delay disabled=no interface=bridge lease-time=3d10m name=DHCP-LAN
/interface bridge port
add bridge=bridge interface=ether3
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=WAN
add interface=bridge list=LAN
/ip address
add address=192.168.88.1/24 interface=bridge network=92.168.88.0
add address=1.1.1.2/30 interface=ether1 network=1.1.1.0
add address=2.2.2.2/30 interface=eoip-rostelecom network=2.2.2.0
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall address-list
add address=0.0.0.0/8 list=BOGON
add address=10.0.0.0/8 list=BOGON
add address=100.64.0.0/10 list=BOGON
add address=127.0.0.0/8 list=BOGON
add address=169.254.0.0/16 list=BOGON
add address=172.16.0.0/12 list=BOGON
add address=192.0.0.0/24 list=BOGON
add address=192.0.2.0/24 list=BOGON
add address=192.168.0.0/16 list=BOGON
add address=198.18.0.0/15 list=BOGON
add address=198.51.100.0/24 list=BOGON
add address=203.0.113.0/24 list=BOGON
add address=224.0.0.0/4 list=BOGON
add address=240.0.0.0/4 list=BOGON
add address=192.168.88.0/24 list=lan
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=reject chain=input dst-port=53,123 in-interface-list=WAN protocol=udp reject-with=icmp-port-unreachable
add action=reject chain=input dst-port=53,123 in-interface-list=WAN protocol=tcp reject-with=icmp-port-unreachable
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-port=8292 protocol=tcp
add action=accept chain=input protocol=tcp
add action=accept chain=input protocol=udp
add action=drop chain=input in-interface-list=WAN src-address-list=BOGON
add action=drop chain=input src-address=!192.168.88.1
add action=accept chain=forward comment="Allow established connections" connection-state=established,related,untracked
add action=accept chain=forward comment="Allow UDP" protocol=udp
add action=accept chain=forward comment="Allow UDP" protocol=tcp
add action=accept chain=forward comment="Allow ICMP Ping" log=yes log-prefix=ping protocol=icmp
add action=accept chain=forward comment="Allow all for LAN"
add action=drop chain=forward
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="Allow established connections" connection-state=invalid log-prefix=Drop
/ip firewall mangle
add action=mark-connection chain=forward comment=isp1 in-interface=ether1 new-connection-mark=to_isp1 passthrough=yes
add action=mark-routing chain=prerouting comment=isp1 connection-mark=to_isp1 dst-address-list=!lan new-routing-mark=route_isp1 passthrough=yes src-address-list=lan
add action=mark-connection chain=input comment=isp1 in-interface=ether1 new-connection-mark=in_wan_isp1 passthrough=yes
add action=mark-routing chain=output comment=isp1 connection-mark=in_wan_isp1 new-routing-mark=ISP1 passthrough=yes src-address=1.1.1.2
add action=mark-connection chain=forward comment=isp2 in-interface=ether2 new-connection-mark=to_isp2 passthrough=yes
add action=mark-routing chain=prerouting comment=isp2 connection-mark=to_isp2 dst-address-list=!lan new-routing-mark=route_isp2 passthrough=yes src-address-list=lan
add action=mark-connection chain=input comment=isp2 in-interface=ether2 new-connection-mark=in_wan_isp2 passthrough=yes
add action=mark-routing chain=output comment=isp2 connection-mark=in_wan_isp2 new-routing-mark=ISP2 passthrough=yes src-address=2.2.2.2
/ip firewall nat
add action=src-nat chain=srcnat comment=isp1 out-interface=ether1 to-addresses=1.1.1.2
add action=src-nat chain=srcnat comment=isp2 out-interface=ether2 to-addresses=2.2.2.2
/ip route
add distance=1 gateway=1.1.1.1 routing-mark=ISP1
add distance=2 gateway=2.2.2.1 routing-mark=ISP2
add distance=1 gateway=1.1.1.1
add distance=2 gateway=2.2.2.1
/ip service
set telnet address=192.168.88.0/24
set ftp disabled=yes
set www address=192.168.88.0/24 port=8099
set ssh address=192.168.88.0/24
set api disabled=yes
set winbox port=8292
set api-ssl disabled=yes
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Moscow
/system identity
set name=Ilya
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=bridge

And what is the best way to combine the 2 channels so that torrents download faster?
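The forward chain from the post above, checked for first-match shadowing; this is an added example, not part of the original post. The function names are hypothetical, and the matcher comparison is deliberately conservative (comma lists are compared as sets, addresses and negations as literal strings).

```python
TERMINAL = {"accept", "drop", "reject"}
NON_MATCH = {"action", "chain", "comment", "log", "log-prefix", "reject-with"}

# Forward-chain rules copied in order from the post (comments omitted, one
# of the six address-based drops kept as a representative).
FORWARD_RULES = """\
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=forward protocol=udp
add action=accept chain=forward protocol=tcp
add action=accept chain=forward log=yes log-prefix=ping protocol=icmp
add action=accept chain=forward
add action=drop chain=forward
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward connection-state=invalid
"""

def parse(text):
    """Turn 'add k=v k=v ...' lines into dicts (values here contain no spaces)."""
    rules = []
    for line in text.splitlines():
        if line.startswith("add "):
            rules.append(dict(tok.split("=", 1) for tok in line.split()[1:]))
    return rules

def matchers(rule):
    """Matcher name -> set of alternatives (comma lists are OR-ed)."""
    return {k: set(v.split(",")) for k, v in rule.items() if k not in NON_MATCH}

def covers(earlier, later):
    """True if every packet matched by `later` is also matched by `earlier`.
    Conservative: only reports cases that hold by literal comparison."""
    e, lat = matchers(earlier), matchers(later)
    return all(k in lat and lat[k] <= e[k] for k in e)

def shadowed(rules):
    """Return (rule_no, shadowed_by_no) pairs, 1-based, within each chain."""
    found = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if (earlier["chain"] == later["chain"]
                    and earlier["action"] in TERMINAL and covers(earlier, later)):
                found.append((j + 1, i + 1))
                break
    return found

if __name__ == "__main__":
    for rule_no, by in shadowed(parse(FORWARD_RULES)):
        print(f"forward rule {rule_no} can never match: shadowed by rule {by}")
```

On this input the matcher-less accept in position 5 shadows every drop after it, including the `connection-nat-state=!dstnat` rule for new connections arriving from WAN.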
Essentially, what I want to know is whether I wrote the mangle, nat and route parts correctly. Am I right to enable passthrough in every rule? Is it appropriate to use srcnat instead of masquerade?

/ip firewall address-list
add address=192.168.88.0/24 list=lan
/ip firewall mangle
add action=mark-connection chain=forward comment=isp1 in-interface=ether1 new-connection-mark=to_isp1 passthrough=yes
add action=mark-routing chain=prerouting comment=isp1 connection-mark=to_isp1 dst-address-list=!lan new-routing-mark=route_isp1 passthrough=yes src-address-list=lan
add action=mark-connection chain=input comment=isp1 in-interface=ether1 new-connection-mark=in_wan_isp1 passthrough=yes
add action=mark-routing chain=output comment=isp1 connection-mark=in_wan_isp1 new-routing-mark=ISP1 passthrough=yes src-address=1.1.1.2
add action=mark-connection chain=forward comment=isp2 in-interface=ether2 new-connection-mark=to_isp2 passthrough=yes
add action=mark-routing chain=prerouting comment=isp2 connection-mark=to_isp2 dst-address-list=!lan new-routing-mark=route_isp2 passthrough=yes src-address-list=lan
add action=mark-connection chain=input comment=isp2 in-interface=ether2 new-connection-mark=in_wan_isp2 passthrough=yes
add action=mark-routing chain=output comment=isp2 connection-mark=in_wan_isp2 new-routing-mark=ISP2 passthrough=yes src-address=2.2.2.2
/ip firewall nat
add action=src-nat chain=srcnat comment=isp1 out-interface=ether1 to-addresses=1.1.1.2
add action=src-nat chain=srcnat comment=isp2 out-interface=ether2 to-addresses=2.2.2.2
/ip route
add distance=1 gateway=1.1.1.1 routing-mark=ISP1
add distance=2 gateway=2.2.2.1 routing-mark=ISP2
add distance=1 gateway=1.1.1.1
add distance=2 gateway=2.2.2.1
I would also add:

/ip route rule
add action=lookup-only-in-table src-address=1.1.1.1 table=WAN1
add action=lookup-only-in-table src-address=2.2.2.2 table=WAN2

Everything else looks fine.
Is that so that traffic from these routing tables leaves through exactly the right interface? And what is the best way to bond the channels if one channel is 100 mb/s and the other is 250 mb/s?

ECMP:

/ip firewall mangle add src-address=192.168.88.0/24 action=mark-routing chain=prerouting new-routing-mark=mixed
/ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1,2.2.2.1,2.2.2.1 routing-mark=mixed

PCC:

/ip firewall mangle add src-address=192.168.88.0/24 action=mark-routing chain=prerouting new-routing-mark=ISP1 per-connection-classifier=src-address-and-port:3/0
/ip firewall mangle add src-address=192.168.88.0/24 action=mark-routing chain=prerouting new-routing-mark=ISP2 per-connection-classifier=src-address-and-port:3/1
/ip firewall mangle add src-address=192.168.88.0/24 action=mark-routing chain=prerouting new-routing-mark=lISP2 per-connection-classifier=src-address-and-port:3/2
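How the 3-bucket PCC split in the post above compares with buckets weighted by the stated link speeds (100 and 250), as an added example that is not part of the original thread. It goes beyond the posted rules by deriving the 2:5 plan. Assumptions: SHA-256 stands in for the router's own classifier hash, the third posted rule's mark is read as ISP2, and the connection list is constructed.

```python
import hashlib
from functools import reduce
from math import gcd

def bucket_plan(speeds):
    """Map each PCC remainder to an uplink using the smallest integer weights."""
    unit = reduce(gcd, speeds.values())
    return [name for name, mbps in speeds.items() for _ in range(mbps // unit)]

def classify(src_ip, src_port, denominator):
    """Stand-in for src-address-and-port:<denominator>/<remainder>.
    SHA-256 replaces the router's own hash, which is an assumption here."""
    digest = hashlib.sha256(f"{src_ip}:{src_port}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % denominator

def shares(plan, connections):
    """Fraction of connections that each uplink receives under `plan`."""
    counts = dict.fromkeys(plan, 0)
    for ip, port in connections:
        counts[plan[classify(ip, port, len(plan))]] += 1
    return {name: n / len(connections) for name, n in counts.items()}

# Constructed sample: 20 LAN hosts with 300 outgoing connections each.
CONNECTIONS = [(f"192.168.88.{10 + h}", 20000 + p)
               for h in range(20) for p in range(300)]

POST_PLAN = ["ISP1", "ISP2", "ISP2"]                    # 3/0, 3/1, 3/2 as posted
SPEED_PLAN = bucket_plan({"ISP1": 100, "ISP2": 250})    # 2 + 5 = 7 buckets

if __name__ == "__main__":
    for label, plan in (("posted 1:2", POST_PLAN), ("by speed 2:5", SPEED_PLAN)):
        print(label, len(plan), "buckets", shares(plan, CONNECTIONS))
```

Each connection always lands in the same bucket, so a single transfer never exceeds one uplink; the aggregate gain comes only from having many connections, which is the torrent case.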