设为首页收藏本站不良信息举报Q:2000617

ROS软路由论坛 ROSABC.com 网络方案网络工程交流

 找回密码
 会员注册

QQ登录

只需一步,快速开始

ROS软路由论坛 ROSABC.com 网络方案网络工程交流 »论坛 »软路由论坛 软路由论坛 VPN能拨上号,ping不通内网PC
返回列表 发新帖
查看: 2943|回复: 5

[求助] VPN能拨上号,ping不通内网PC

[复制链接]
fhqthdxk
发表于 2017-9-7 06:48:32 | 显示全部楼层 |阅读模式

马上注册成为ROSABC会员,随时发帖回复。

您需要 登录 才可以下载或查看,没有账号?会员注册

x
网络环境:
LAN1为192.168.1.0网段
LAN2为192.168.10.0网段

WAN1为固定IP
WAN2为固定IP
WAN3为固定IP
WAN1-3都为固定IP,但是同网关

ros 建L2TP,两个用户,两个网段,一个用户用192.168.8.0网段,一个用户用192.168.11.0网段。

以前用PCC的方式三个WAN叠加,效果不是太好用NTH叠加,效果也是太好,这两种主要体现在局域网内ping外网时偶尔发生超时现象,

后来我改成内网分流,走指定WAN,便没有再发生超时现象了,但是VPN出问题了,主要表现在能拨上号,但只能ping 通ros ,ping不通内网PC,各位大侠帮帮忙,帮我看看。


A币获取各种方法及积分规则
回复

举报

fhqthdxk
 楼主| 发表于 2017-9-7 06:49:29 | 显示全部楼层
/ip firewall address-list
add address=192.168.1.2-192.168.1.254 list=lanlist
add address=192.168.8.210-192.168.8.240 list=vpnlist
add address=192.168.11.210-192.168.11.240 list=vpnlist
add address=192.168.10.2-192.168.10.254 list=lanlist
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=\
    new dst-address-type=!local new-connection-mark=out1 nth=3,1 passthrough=\
    yes src-address-list=lanlist
add action=mark-routing chain=prerouting connection-mark=out1 \
    new-routing-mark=router_1 passthrough=yes src-address-list=lanlist
add action=mark-connection chain=input in-interface=wan1-eth1 \
    new-connection-mark=out1 passthrough=yes
add action=mark-routing chain=output connection-mark=out1 new-routing-mark=\
    router_1 passthrough=yes
add action=mark-connection chain=prerouting connection-state=\
    new dst-address-type=!local new-connection-mark=out2 nth=3,2 passthrough=\
    yes src-address-list=lanlist
add action=mark-routing chain=prerouting connection-mark=out2 \
    new-routing-mark=router_2 passthrough=yes src-address-list=lanlist
add action=mark-connection chain=input in-interface=wan2-eth2 \
    new-connection-mark=out2 passthrough=yes
add action=mark-routing chain=output connection-mark=out2 new-routing-mark=\
    router_2 passthrough=yes
add action=mark-connection chain=prerouting connection-state=\
    new dst-address-type=!local new-connection-mark=out3 nth=3,3 passthrough=\
    yes src-address-list=lanlist
add action=mark-routing chain=prerouting connection-mark=out3 \
    new-routing-mark=router_3 passthrough=yes src-address-list=lanlist
add action=mark-connection chain=input in-interface=wan3-eth5 \
    new-connection-mark=out3 passthrough=yes
add action=mark-routing chain=output connection-mark=out3 new-routing-mark=\
    router_3 passthrough=yes
/ip firewall nat
add action=src-nat chain=srcnat  out-interface=wan1-eth1 \
    src-address-list=lanlist to-addresses=124.228.253.A
add action=src-nat chain=srcnat  out-interface=wan2-eth2 \
    src-address-list=lanlist to-addresses=124.228.253.B
add action=src-nat chain=srcnat out-interface=wan3-eth5 \
    src-address-list=lanlist to-addresses=124.228.253.C
/ip route
add distance=1 gateway=wan1-eth1 routing-mark=router_1
add distance=1 gateway=wan2-eth2 routing-mark=router_2
add distance=1 gateway=wan3-eth5 routing-mark=router_3
add check-gateway=ping  distance=1 \
    gateway=124.228.253.1%wan1-eth1
add check-gateway=ping distance=2 \
    gateway=124.228.253.1%wan2-eth2
add check-gateway=ping  distance=3 \
    gateway=124.228.253.1%wan3-eth5
回复 支持 反对

举报

fhqthdxk
 楼主| 发表于 2017-9-7 06:51:01 | 显示全部楼层
/ip firewall address-list
add address=192.168.1.2-192.168.1.254 list=lanlist
add address=192.168.8.210-192.168.8.240 list=vpnlist
add address=192.168.11.210-192.168.11.240 list=vpnlist
add address=192.168.10.2-192.168.10.254 list=lanlist
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=\
    new dst-address-type=!local new-connection-mark=out1 nth=3,1 passthrough=\
    yes src-address-list=lanlist
add action=mark-routing chain=prerouting connection-mark=out1 \
    new-routing-mark=router_1 passthrough=yes src-address-list=lanlist
add action=mark-connection chain=input in-interface=wan1-eth1 \
    new-connection-mark=out1 passthrough=yes
add action=mark-routing chain=output connection-mark=out1 new-routing-mark=\
    router_1 passthrough=yes
add action=mark-connection chain=prerouting connection-state=\
    new dst-address-type=!local new-connection-mark=out2 nth=3,2 passthrough=\
    yes src-address-list=lanlist
add action=mark-routing chain=prerouting connection-mark=out2 \
    new-routing-mark=router_2 passthrough=yes src-address-list=lanlist
add action=mark-connection chain=input in-interface=wan2-eth2 \
    new-connection-mark=out2 passthrough=yes
add action=mark-routing chain=output connection-mark=out2 new-routing-mark=\
    router_2 passthrough=yes
add action=mark-connection chain=prerouting connection-state=\
    new dst-address-type=!local new-connection-mark=out3 nth=3,3 passthrough=\
    yes src-address-list=lanlist
add action=mark-routing chain=prerouting connection-mark=out3 \
    new-routing-mark=router_3 passthrough=yes src-address-list=lanlist
add action=mark-connection chain=input in-interface=wan3-eth5 \
    new-connection-mark=out3 passthrough=yes
add action=mark-routing chain=output connection-mark=out3 new-routing-mark=\
    router_3 passthrough=yes
/ip firewall nat
add action=src-nat chain=srcnat  out-interface=wan1-eth1 \
    src-address-list=lanlist to-addresses=124.228.253.A
add action=src-nat chain=srcnat  out-interface=wan2-eth2 \
    src-address-list=lanlist to-addresses=124.228.253.B
add action=src-nat chain=srcnat out-interface=wan3-eth5 \
    src-address-list=lanlist to-addresses=124.228.253.C
/ip route
add distance=1 gateway=wan1-eth1 routing-mark=router_1
add distance=1 gateway=wan2-eth2 routing-mark=router_2
add distance=1 gateway=wan3-eth5 routing-mark=router_3
add check-gateway=ping  distance=1 \
    gateway=124.228.253.1%wan1-eth1
add check-gateway=ping distance=2 \
    gateway=124.228.253.1%wan2-eth2
add check-gateway=ping  distance=3 \
    gateway=124.228.253.1%wan3-eth5


这个是NTH方式,VPN没有问题,只是ping外网时偶尔发生超时现象。

回复 支持 反对

举报

fhqthdxk
 楼主| 发表于 2017-9-7 06:53:27 | 显示全部楼层
/ip firewall address-list
add address=192.168.1.2-192.168.1.254 list=lanlist
add address=192.168.8.210-192.168.8.240 list=vpnlist
add address=192.168.11.210-192.168.11.240 list=vpnlist
add address=192.168.10.2-192.168.10.254 list=lanlist

/ip firewall mangle
add action=mark-routing chain=prerouting
    new-routing-mark=ip_router_1 passthrough=no src-address=\
    192.168.1.100-192.168.1.160
add action=mark-routing chain=prerouting
    new-routing-mark=ip_router_2 passthrough=no src-address=\
    192.168.1.2-192.168.1.99
add action=mark-routing chain=prerouting
    new-routing-mark=ip_router_2 passthrough=no src-address=\
    192.168.1.161-192.168.1.254
add action=mark-routing chain=prerouting
    new-routing-mark=ip_router_3 passthrough=no src-address=192.168.10.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan1-eth1 to-addresses=\
    0.0.0.0
add action=masquerade chain=srcnat out-interface=wan2-eth2 to-addresses=\
    0.0.0.0
add action=masquerade chain=srcnat out-interface=wan3-eth5 to-addresses=\
    0.0.0.0

/ip route
add check-gateway=ping distance=1 gateway=124.228.253.1%wan1-eth1 \
    routing-mark=ip_router_1
add check-gateway=ping distance=1 gateway=124.228.253.1%wan2-eth2 \
    routing-mark=ip_router_2
add check-gateway=ping distance=1 gateway=124.228.253.1%wan3-eth5 \
    routing-mark=ip_router_3
add check-gateway=ping distance=1 gateway=wan1-eth1
add check-gateway=ping distance=2 gateway=wan2-eth2
add check-gateway=ping distance=3 gateway=wan3-eth5

这个是内网分流,走指定的WAN出口,ping外网没有发生超时现象了,但是VPN拨上号后只能ping ROS ,ping不通内网PC。

帮忙看看。其它都一致

回复 支持 反对

举报

fhqthdxk
 楼主| 发表于 2017-9-7 06:54:43 | 显示全部楼层
本帖最后由 fhqthdxk 于 2017-9-7 06:58 编辑

/ip firewall address-list
add address=192.168.1.2-192.168.1.254 list=lanlist
add address=192.168.8.210-192.168.8.240 list=vpnlist
add address=192.168.11.210-192.168.11.240 list=vpnlist
add address=192.168.10.2-192.168.10.254 list=lanlist
/ip firewall mangle
add action=mark-connection chain=prerouting connection-state=\
    new dst-address-type=!local new-connection-mark=out1 nth=3,1 passthrough=\
    yes src-address-list=lanlist
add action=mark-routing chain=prerouting connection-mark=out1 \
    new-routing-mark=router_1 passthrough=yes src-address-list=lanlist
add action=mark-connection chain=input in-interface=wan1-eth1 \
    new-connection-mark=out1 passthrough=yes
add action=mark-routing chain=output connection-mark=out1 new-routing-mark=\
    router_1 passthrough=yes
add action=mark-connection chain=prerouting connection-state=\
    new dst-address-type=!local new-connection-mark=out2 nth=3,2 passthrough=\
    yes src-address-list=lanlist
add action=mark-routing chain=prerouting connection-mark=out2 \
    new-routing-mark=router_2 passthrough=yes src-address-list=lanlist
add action=mark-connection chain=input in-interface=wan2-eth2 \
    new-connection-mark=out2 passthrough=yes
add action=mark-routing chain=output connection-mark=out2 new-routing-mark=\
    router_2 passthrough=yes
add action=mark-connection chain=prerouting connection-state=\
    new dst-address-type=!local new-connection-mark=out3 nth=3,3 passthrough=\
    yes src-address-list=lanlist
add action=mark-routing chain=prerouting connection-mark=out3 \
    new-routing-mark=router_3 passthrough=yes src-address-list=lanlist
add action=mark-connection chain=input in-interface=wan3-eth5 \
    new-connection-mark=out3 passthrough=yes
add action=mark-routing chain=output connection-mark=out3 new-routing-mark=\
    router_3 passthrough=yes
/ip firewall nat
add action=src-nat chain=srcnat  out-interface=wan1-eth1 \
    src-address-list=lanlist to-addresses=124.228.253.A
add action=src-nat chain=srcnat  out-interface=wan2-eth2 \
    src-address-list=lanlist to-addresses=124.228.253.B
add action=src-nat chain=srcnat out-interface=wan3-eth5 \
    src-address-list=lanlist to-addresses=124.228.253.C
/ip route
add distance=1 gateway=wan1-eth1 routing-mark=router_1
add distance=1 gateway=wan2-eth2 routing-mark=router_2
add distance=1 gateway=wan3-eth5 routing-mark=router_3
add check-gateway=ping  distance=1 \
    gateway=124.228.253.1%wan1-eth1
add check-gateway=ping distance=2 \
    gateway=124.228.253.1%wan2-eth2
add check-gateway=ping  distance=3 \
    gateway=124.228.253.1%wan3-eth5

这个配置VPN没有问题,可以ping通内网PC,只是内网ping外网时偶尔发生短暂超时现象



/ip firewall address-list
add address=192.168.1.2-192.168.1.254 list=lanlist
add address=192.168.8.210-192.168.8.240 list=vpnlist
add address=192.168.11.210-192.168.11.240 list=vpnlist
add address=192.168.10.2-192.168.10.254 list=lanlist

/ip firewall mangle
add action=mark-routing chain=prerouting
    new-routing-mark=ip_router_1 passthrough=no src-address=\
    192.168.1.100-192.168.1.160
add action=mark-routing chain=prerouting
    new-routing-mark=ip_router_2 passthrough=no src-address=\
    192.168.1.2-192.168.1.99
add action=mark-routing chain=prerouting
    new-routing-mark=ip_router_2 passthrough=no src-address=\
    192.168.1.161-192.168.1.254
add action=mark-routing chain=prerouting
    new-routing-mark=ip_router_3 passthrough=no src-address=192.168.10.0/24
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan1-eth1 to-addresses=\
    0.0.0.0
add action=masquerade chain=srcnat out-interface=wan2-eth2 to-addresses=\
    0.0.0.0
add action=masquerade chain=srcnat out-interface=wan3-eth5 to-addresses=\
    0.0.0.0

/ip route
add check-gateway=ping distance=1 gateway=124.228.253.1%wan1-eth1 \
    routing-mark=ip_router_1
add check-gateway=ping distance=1 gateway=124.228.253.1%wan2-eth2 \
    routing-mark=ip_router_2
add check-gateway=ping distance=1 gateway=124.228.253.1%wan3-eth5 \
    routing-mark=ip_router_3
add check-gateway=ping distance=1 gateway=wan1-eth1
add check-gateway=ping distance=2 gateway=wan2-eth2
add check-gateway=ping distance=3 gateway=wan3-eth5


这个是后面改的,改成内网IP分流,走指定的WAN出口,,但是VPN却问题了,能拨上号,却ping不通内网PC。

回复 支持 反对

举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 会员注册

本版积分规则

不良信息举报Q:2000617

软路由

不良信息举报Q:2000617|Archiver|ROS软路由论坛 ROSABC.com 网络方案网络工程交流

GMT+8, 2025-8-5 13:57 , Processed in 0.167097 second(s), 21 queries .

Powered by Discuz! X3.4

Copyright © 2001-2021, Tencent Cloud.

快速回复 返回顶部 返回列表