我有一台 EdgeRouter ER-8,其设置如下:3 个 WAN(eth0 是 ISP1,eth1 是 ISP2,eth2 是到另一个拥有自己 ISP 的校园的无线链路,它用于访问远程 LAN 并作为第三个和仅故障转移的上行链路);和 2 个本地 LAN(eth6-192.168.1.1/24;eth7-172.18.16.1/22)。
刚刚添加了 eth6 上的 LAN。一个独立的旧路由器发生故障,我们决定将该 LAN 集成到核心服务中。负载平衡已配置并按预期运行,适用于两个 LAN 上的客户端。PBR 已配置,但显然它仅适用于 eth7 上的客户端,而不适用于 eth6 上的第二个 LAN 上的客户端。
我创建了几个地址组,以强制第一个地址组上列出的 IP 始终使用 ISP1/eth0,而第二个地址组上列出的 IP 使用 ISP2/eth1。
如果我将 172.18.16.0/22 网络的 IP 添加到列表中,则一切正常。如果我添加 192.168.1.0/24 网络的 IP,这些客户端仍然回落到默认行为 (lb-group G)。
防火墙 modify 规则 95 和 96 负责对这些流量进行标记(mangle),但通过监控统计数据(show firewall modify statistics),我发现来自 172... 网络的 IP(在地址组中)的请求确实命中了这些规则,而来自 192... 网络的 IP(在完全相同的地址组中)的请求却没有。
我也在两个网络的客户端上运行 watch -n 1 'curl api.ipify.org' 来验证这一点:172... 网络上的客户端显示对应 ISP 的公网 IP,而另一个网络上的客户端显示交替变化的 IP(说明它们确实遵循了负载均衡设置)。
我遗漏了什么?肯定是有些东西我没有看到或者没有应用到 eth6 接口上。
任何帮助深表感谢。
这是我的配置:
firewall {
    all-ping enable
    broadcast-ping disable
    group {
        /* Single-host groups: these are the only sources matched by modify balance rules 95/96 below */
        address-group OUT-WAN-ETH0 {
            address 192.168.1.251
            description "Out through eth0"
        }
        address-group OUT-WAN-ETH1 {
            address 192.168.1.252
            description "Out through eth1"
        }
        /* Not referenced by any rule visible here (services/NAT section is omitted, so it may be used there) */
        network-group Old_LAN {
            description "Legacy networks"
            network 192.168.1.0/24
        }
        /* Destinations exempted from load balancing by modify balance rule 10: both LANs, the remote campus LAN and the three backhaul /29s */
        network-group PRIVATE_NETS {
            network 172.18.16.0/22
            network 172.18.20.0/22
            network 172.18.24.0/29
            network 172.18.24.8/29
            network 172.18.24.16/29
            network 192.168.1.0/24
        }
        /* Used by WAN_IN rule 20; note this set includes ssh (22) and rsync (873), not only web ports */
        port-group servicios_proxy {
            port 80
            port 443
            port 873
            port 11194
            port 22
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    /* Packets with impossible source addresses are silently dropped rather than logged */
    log-martians disable
    /* Policy-based routing chain, attached "in" on eth6 and eth7; rules are evaluated in number order and the first match wins */
    modify balance {
        /* Anything addressed to a PRIVATE_NETS destination uses the main table (no lb-group), regardless of source */
        rule 10 {
            action modify
            description "do NOT load balance lan to lan"
            destination {
                group {
                    network-group PRIVATE_NETS
                }
            }
            modify {
                table main
            }
        }
        /* Rules 20-40: traffic to the router's own WAN addresses (auto-generated ADDRv4_<intf> groups) stays in the main table */
        rule 20 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth0
                }
            }
            modify {
                table main
            }
        }
        rule 30 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth1
                }
            }
            modify {
                table main
            }
        }
        rule 40 {
            action modify
            description "do NOT load balance destination public address"
            destination {
                group {
                    address-group ADDRv4_eth2
                }
            }
            modify {
                table main
            }
        }
        /* Rules 95/96 match on source address only (no destination, protocol or interface condition).
           NOTE(review): since their members are 192.168.1.x and this chain is attached to eth6, a packet from
           those hosts can only miss here if an earlier rule (10-40) already matched or if the packet does not
           arrive on eth6 with that source address (e.g. something in the old LAN still NATs it) - verify with
           per-rule counters in "show firewall modify statistics" */
        rule 95 {
            action modify
            description "Output through WAN-eth0"
            modify {
                lb-group WAN-eth0
            }
            source {
                group {
                    address-group OUT-WAN-ETH0
                }
            }
        }
        rule 96 {
            action modify
            description "Output through WAN-eth1"
            modify {
                lb-group WAN-eth1
            }
            source {
                group {
                    address-group OUT-WAN-ETH1
                }
            }
        }
        /* Catch-all: every remaining packet is handed to the balanced group G */
        rule 110 {
            action modify
            modify {
                lb-group G
            }
        }
    }
    /* Applied "in" on eth0 and eth1 only; eth2 uses Wireless_backhaul instead */
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        /* Accepts new TCP and UDP from ANY Internet source on both ISPs to 192.168.1.253 on the servicios_proxy
           ports (80, 443, 873, 11194, 22), without logging. The DNAT that makes this host reachable is
           presumably in the omitted services section - confirm. Exposing 22 and 873 to both ISPs should be
           a deliberate decision; consider restricting the source or moving those ports off the list. */
        rule 20 {
            action accept
            description v-proxy
            destination {
                address 192.168.1.253
                group {
                    port-group servicios_proxy
                }
            }
            log disable
            protocol tcp_udp
        }
        rule 40 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Applied "local" on eth0 and eth1: only replies to router-originated traffic reach the router itself; everything else is dropped and logged */
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 30 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    /* Attached in/local/out on eth2 and both of its vifs. Rule 10 accepts every new, established and related
       packet, any protocol, to 0.0.0.0/0, so the default-action drop is only reached by invalid-state packets.
       In effect the remote campus has unrestricted access to this router and to both local LANs -
       NOTE(review): confirm that is intended for a third-party link. */
    name Wireless_backhaul {
        default-action drop
        description ""
        rule 10 {
            action accept
            description "Allow to Backhaul"
            destination {
                address 0.0.0.0/0
            }
            log disable
            protocol all
            state {
                established enable
                invalid disable
                new enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            log disable
            protocol all
            state {
                established disable
                invalid enable
                new disable
                related disable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    /* Reverse-path filtering is off: packets whose source address is not routable back via the ingress
       interface are still forwarded. Often required with multi-WAN PBR, but it removes the ingress
       anti-spoofing check, so the per-interface rulesets above are the only source control. */
    source-validation disable
    syn-cookies enable
}
interfaces {
    /* ISP1. The DHCP-learned default route is installed with distance 3, which beats the static
       defaults in protocols (distance 4 and 5) whenever the lease is up */
    ethernet eth0 {
        address dhcp
        description WAN1
        dhcp-options {
            default-route update
            default-route-distance 3
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    /* ISP2, same treatment as eth0 */
    ethernet eth1 {
        address dhcp
        description WAN2
        dhcp-options {
            default-route update
            default-route-distance 3
            name-server no-update
        }
        duplex auto
        firewall {
            in {
                name WAN_IN
            }
            local {
                name WAN_LOCAL
            }
        }
        speed auto
    }
    /* Wireless backhaul to the other campus. Wireless_backhaul is attached in all three directions
       on the parent and on both vifs; see the firewall section for what that ruleset actually permits */
    ethernet eth2 {
        address 172.18.24.1/29
        description Wireless-SB448-In
        duplex auto
        firewall {
            in {
                name Wireless_backhaul
            }
            local {
                name Wireless_backhaul
            }
            out {
                name Wireless_backhaul
            }
        }
        speed auto
        /* eth2.2 is the failover-only member of load-balance group G and carries the distance-5 static default via 172.18.24.9 */
        vif 2 {
            address 172.18.24.10/29
            description Wireless-SB448-out
            firewall {
                in {
                    name Wireless_backhaul
                }
                local {
                    name Wireless_backhaul
                }
                out {
                    name Wireless_backhaul
                }
            }
        }
        /* eth2.3 is the next-hop subnet for the static route to 172.18.20.0/22 (via 172.18.24.17) */
        vif 3 {
            address 172.18.24.18/29
            description Wireless-SB448-LAN
            firewall {
                in {
                    name Wireless_backhaul
                }
                local {
                    name Wireless_backhaul
                }
                out {
                    name Wireless_backhaul
                }
            }
        }
    }
    /* Newly integrated legacy LAN. Only the modify policy is attached - no in/local/out ruleset - so
       traffic from this LAN to the router and to the eth7 LAN is unfiltered. The PBR hosts
       192.168.1.251/.252 (groups OUT-WAN-ETH0/1) are expected to enter here. */
    ethernet eth6 {
        address 192.168.1.1/24
        description LAN-old
        duplex auto
        firewall {
            in {
                modify balance
            }
        }
        speed auto
    }
    /* Main LAN, same treatment as eth6: modify policy only, no filtering ruleset */
    ethernet eth7 {
        address 172.18.16.1/22
        description LAN
        duplex auto
        firewall {
            in {
                modify balance
            }
        }
        speed auto
    }
    loopback lo {
    }
}
load-balance {
    /* Default group (modify balance rule 110): eth0 and eth1 share traffic with equal weight,
       eth2.2 is used only when both ISPs fail their route tests */
    group G {
        exclude-local-dns disable
        flush-on-active enable
        gateway-update-interval 1
        interface eth0 {
            route-test {
                count {
                    failure 3
                    success 2
                }
                initial-delay 1
                interval 2
                type {
                    ping {
                        target 8.8.4.4
                    }
                }
            }
            weight 100
        }
        interface eth1 {
            route-test {
                count {
                    failure 3
                    success 2
                }
                initial-delay 1
                interval 2
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
            weight 100
        }
        /* Route test targets the backhaul peer (172.18.24.9), not an Internet host, so this only
           proves the wireless link is up, not that the remote campus's ISP is reachable - TODO confirm acceptable.
           Note the stricter success count (5) compared with the ISP members (2). */
        interface eth2.2 {
            failover-only
            route-test {
                count {
                    failure 3
                    success 5
                }
                initial-delay 1
                interval 2
                type {
                    ping {
                        target 172.18.24.9
                    }
                }
            }
            weight 1
        }
        /* Router-originated traffic is also balanced across this group */
        lb-local enable
        lb-local-metric-change disable
        /* Flows are pinned to a member by source and destination address */
        sticky {
            dest-addr enable
            source-addr enable
        }
    }
    /* Single-member group selected by modify balance rule 95: forces matching sources out via ISP1 */
    group WAN-eth0 {
        exclude-local-dns enable
        flush-on-active enable
        gateway-update-interval 5
        interface eth0 {
            route-test {
                initial-delay 1
                interval 10
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
            weight 100
        }
        lb-local disable
        lb-local-metric-change disable
        sticky {
            dest-addr enable
            source-addr enable
        }
    }
    /* Single-member group selected by modify balance rule 96: forces matching sources out via ISP2.
       No fallback member, so if eth1 fails its route test these hosts lose connectivity rather than failing over */
    group WAN-eth1 {
        exclude-local-dns enable
        flush-on-active enable
        gateway-update-interval 5
        interface eth1 {
            route-test {
                initial-delay 1
                interval 10
                type {
                    ping {
                        target 8.8.8.8
                    }
                }
            }
            weight 100
        }
        lb-local disable
        lb-local-metric-change disable
        sticky {
            dest-addr enable
            source-addr enable
        }
    }
}
protocols {
    static {
        /* Backup default routes; both have a worse distance than the DHCP defaults (3) learned on eth0/eth1,
           so they are only active when the corresponding DHCP route is absent */
        route 0.0.0.0/0 {
            /* Backhaul peer on the eth2.2 subnet (172.18.24.8/29) */
            next-hop 172.18.24.9 {
                description "SB448"
                distance 5
            }
            /* NOTE(review): no interface in this configuration has an address in 192.168.2.0/24 (eth1 is DHCP),
               so this next-hop is only resolvable if eth1's lease happens to land in that subnet - confirm it
               is still valid, otherwise the route is dead weight */
            next-hop 192.168.2.254 {
                description "ISP2"
                distance 4
            }
        }
        /* Remote campus LAN, reached through the eth2.3 subnet (172.18.24.16/29) */
        route 172.18.20.0/22 {
            next-hop 172.18.24.17 {
                description LAN-SB448
                distance 2
            }
        }
    }
}
services {... OMITTED ...}
system {... OMITTED ...}