工作原理,先标记两条进口流量,再将从内到外的流量分成两份并标记,然后pcc会把流量等分处理。
把两个流量标记指向两条路由,最后把出去的流量线路,标记相应的路由。
官方教程链接https://wiki.mikrotik.com/wiki/Manual:PCC
拓扑图如图所示
快速入门
从网关路由器导出配置:
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=LAN
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=ISP1
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=ISP2
/ ip firewall mangle
add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=LAN
add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection \
new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection \
new-connection-mark=ISP2_conn
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \
per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \
per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing \
new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing \
new-routing-mark=to_ISP2
add chain=output connection-mark=ISP1_conn action=mark-routing new-routing-mark=to_ISP1
add chain=output connection-mark=ISP2_conn action=mark-routing new-routing-mark=to_ISP2
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_ISP2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping
/ ip firewall nat
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade
解释
让我们假设这个配置:
IP地址
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=LAN
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=ISP1
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=ISP2
路由器有两个上行 (ISP) 接口,地址分别为 10.111.0.2/24 和 10.112.0.2/24,如果是pppoe拨号的话,这两条会默认生成。LAN 接口的 IP 地址为 192.168.0.1/24。
策略路由
/ ip firewall mangle
add chain=prerouting dst-address=10.111.0.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=10.112.0.0/24 action=accept in-interface=LAN
使用策略路由,可以强制所有流量到特定网关,即使流量从连接的网络发往主机(其他网关)。这样就会产生路由环路,无法与这些主机进行通信。为避免这种情况,我们需要允许对连接网络的流量使用默认路由表。
个人理解这条没有必要
add chain=prerouting in-interface=ISP1 connection-mark=no-mark action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=ISP2 connection-mark=no-mark action=mark-connection new-connection-mark=ISP2_conn
首先,有必要管理从外部发起的连接 - 回复必须通过相同的接口(来自相同的公共 IP)请求离开。我们将标记所有新的传入连接,以记住接口是什么。
入口流量人话就是1口进来的标记为ISP1_conn,2口进来的标记为ISP2_conn(这个名字可以自定义)
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \
per-connection-classifier=both-addresses:2/0 action=mark-connection new-connection-mark=ISP1_conn
add chain=prerouting in-interface=LAN connection-mark=no-mark dst-address-type=!local \
per-connection-classifier=both-addresses:2/1 action=mark-connection new-connection-mark=ISP2_conn
Action mark-routing 只能用于 mangle chain output和prerouting,但 mangle chain prerouting正在捕获所有流向路由器本身的流量。为避免这种情况,我们将使用dst-address-type=!local。(排除本地)在新 PCC 的帮助下,我们将根据源地址和目标地址将流量分为两组。
从内网出去的流量不包括本地,根据线路比重分成几份 也就是pcc设置both-addresses:2/0(这里是分成两份,第一份从0开始)也要被标记ISP_conn
add chain=prerouting connection-mark=ISP1_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP1
add chain=prerouting connection-mark=ISP2_conn in-interface=LAN action=mark-routing new-routing-mark=to_ISP2
然后我们需要用适当的标记来标记来自这些连接的所有数据包。由于只有流向 Internet 的流量才需要策略路由,因此请不要忘记指定接口内选项。
从内到外的流量,如果被标记为ISP_conn,就会走相应的线路,即路由to_ISP
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 routing-mark=to_ISP1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 routing-mark=to_ISP2 check-gateway=ping
为每个路由标记创建一条路由
add dst-address=0.0.0.0/0 gateway=10.111.0.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.112.0.1 distance=2 check-gateway=ping
要启用故障转移,有必要让路由在其他路由因网关故障而变得不活动时立即跳入。(只有在检查网关选项处于活动状态时才会发生这种情况)
网络地址转换
/ ip firewall nat
add chain=srcnat out-interface=ISP1 action=masquerade
add chain=srcnat out-interface=ISP2 action=masquerade
由于已经做出路由决策,我们只需要为所有传出数据包修复 src-addresses 的规则。如果此数据包将通过 wlan1 离开,它将被 NAT 到 10.112.0.2,如果通过 wlan2 则 NAT 到 10.111.0.2