
RouterOS 快速生成PCC策略脚本


PCC概念

  PCC 全称 per connection classifier,是 RouterOS 自 v3.24 起提供的功能,允许你按源地址、源端口、目的地址、目的端口等字段对流量分流,从而实现多线负载均衡。其原理是:取 IP 包头中选定的字段做 Hash 得到一个数值,用它对设定的分母(denominator)取余,余数与规则中指定的值相同的数据包即被该条规则命中;下文中的 both-addresses:5/0 就表示按源/目的地址 Hash、分母为 5、余数为 0。

  配合连接标记(connection-mark),同一连接的所有数据包会始终走同一个网关,从而避免多网关环境下的非对称路由问题;借助 RouterOS 的数据包标记功能 (IP/Firewall/Mangle),可以把流量自动分为多组并分别送入对应的策略路由表。

时常有人咨询 PCC 策略脚本,作为一个懒人重症患者,只能写一个简单粗暴的生成脚本来应付(水平有限)。

  • ros-pcc-rule.sh
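#!/usr/bin/env bash
# filename: ros-pcc-rule.sh
#
# Generate a RouterOS PCC (per-connection-classifier) multi-WAN configuration
# for one LAN interface and N WAN interfaces and print it on stdout, ready to
# be pasted into a RouterOS terminal.
#
# Usage:
#   ros-pcc-rule.sh                          # use the defaults below
#   ros-pcc-rule.sh LAN_IF WAN_IF [WAN_IF...]
#
# Sections emitted, in order: /ip firewall mangle, /ip route, /ip firewall nat.
#
# NOTE(review): every emitted /ip route entry carries a routing-mark; no
# unmarked default route is produced. Unmarked traffic (and traffic whose
# marked route becomes inactive after check-gateway=ping fails) falls
# through to the main table, which this script does not populate — add
# plain default routes (distance=1,2,...) separately.
# NOTE(review): the syntax is RouterOS v6 style (routing-mark=); v7 expects
# the table to exist first (/routing table add name=... fib) and uses
# routing-table= on the route — adapt before use on v7.

set -euo pipefail

# Defaults used when the script is run without arguments.
default_lan_if=bridge1
default_wan_ifs=(
  isp-cu-01
  isp-cu-02
  isp-cu-03
  isp-cu-04
  isp-cu-05
)

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Reject interface names that would break the generated command line.
# Names are interpolated unquoted into RouterOS commands, so whitespace,
# quotes and other CLI metacharacters must not get through.
# Arguments: $1 - interface name
# Returns:   0 if acceptable; exits 1 via die() otherwise
#######################################
check_if_name() {
  local name=$1
  [[ "$name" =~ ^[A-Za-z0-9._-]+$ ]] \
    || die "ros-pcc-rule: invalid interface name '${name}' (allowed: letters, digits, . _ -)"
}

#######################################
# Print the PCC configuration for one LAN and N WAN interfaces.
# Arguments: $1 - LAN (inside) interface
#            $2.. - WAN interfaces; their order fixes the PCC remainder
#                   (0..N-1) each one receives
# Outputs:   RouterOS commands on stdout
# Returns:   0; exits 1 via die() on bad input
#######################################
gen_pcc_rules() {
  local lan_if=$1
  shift
  local wan_count=$#
  local wan idx

  # With zero WANs the classifier would read "both-addresses:0/0".
  (( wan_count >= 1 )) || die "ros-pcc-rule: at least one WAN interface is required"
  check_if_name "$lan_if"
  for wan in "$@"; do
    check_if_name "$wan"
  done

  printf '/ ip firewall mangle\n'
  # Connections that arrive on a WAN get that WAN's mark, so replies leave
  # through the interface they came in on.
  for wan in "$@"; do
    printf '  add chain=prerouting in-interface=%s connection-mark=no-mark action=mark-connection new-connection-mark=%s_conn\n' \
      "$wan" "$wan"
  done
  printf '\n'

  # New LAN-originated connections: hash src+dst address, divide by
  # wan_count and give remainder idx to the idx-th WAN. dst-address-type=!local
  # keeps traffic addressed to the router itself out of PCC.
  idx=0
  for wan in "$@"; do
    printf '  add chain=prerouting in-interface=%s connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:%s/%s action=mark-connection new-connection-mark=%s_conn\n' \
      "$lan_if" "$wan_count" "$idx" "$wan"
    idx=$((idx + 1))
  done
  printf '\n'

  # Turn the connection mark into a routing mark for forwarded LAN traffic.
  for wan in "$@"; do
    printf '  add chain=prerouting connection-mark=%s_conn in-interface=%s action=mark-routing new-routing-mark=to_%s\n' \
      "$wan" "$lan_if" "$wan"
  done
  printf '\n'

  # Same for traffic the router originates itself (output chain).
  for wan in "$@"; do
    printf '  add chain=output connection-mark=%s_conn action=mark-routing new-routing-mark=to_%s\n' \
      "$wan" "$wan"
  done

  # One default route per WAN, each in its own routing-mark table.
  printf '\n/ip route\n'
  for wan in "$@"; do
    printf '  add dst-address=0.0.0.0/0 gateway=%s distance=1 routing-mark=to_%s check-gateway=ping\n' \
      "$wan" "$wan"
  done

  # Source NAT on every WAN. The one-space indent is kept on purpose so the
  # output matches the published sample. NOTE(review): consider adding
  # src-address=<LAN subnet> if the router also forwards for other networks.
  printf '\n/ip firewall nat\n'
  for wan in "$@"; do
    printf ' add chain=srcnat out-interface=%s action=masquerade\n' "$wan"
  done
}

main() {
  if (( $# == 0 )); then
    gen_pcc_rules "$default_lan_if" "${default_wan_ifs[@]}"
  elif (( $# >= 2 )); then
    gen_pcc_rules "$@"
  else
    die "usage: ${0##*/} [LAN_IF WAN_IF [WAN_IF...]]"
  fi
}

main "$@"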

以上脚本(使用默认的 bridge1 + 5 条 WAN)生成的配置如下:

/ ip firewall mangle
# Connections arriving on a WAN get that WAN's mark so replies leave the same way.
  add chain=prerouting in-interface=isp-cu-01 connection-mark=no-mark action=mark-connection new-connection-mark=isp-cu-01_conn
  add chain=prerouting in-interface=isp-cu-02 connection-mark=no-mark action=mark-connection new-connection-mark=isp-cu-02_conn
  add chain=prerouting in-interface=isp-cu-03 connection-mark=no-mark action=mark-connection new-connection-mark=isp-cu-03_conn
  add chain=prerouting in-interface=isp-cu-04 connection-mark=no-mark action=mark-connection new-connection-mark=isp-cu-04_conn
  add chain=prerouting in-interface=isp-cu-05 connection-mark=no-mark action=mark-connection new-connection-mark=isp-cu-05_conn

# PCC: hash src+dst address, divide by 5, remainder N -> WAN N+1 (router-local
# destinations excluded by dst-address-type=!local).
  add chain=prerouting in-interface=bridge1 connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:5/0 action=mark-connection new-connection-mark=isp-cu-01_conn
  add chain=prerouting in-interface=bridge1 connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:5/1 action=mark-connection new-connection-mark=isp-cu-02_conn
  add chain=prerouting in-interface=bridge1 connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:5/2 action=mark-connection new-connection-mark=isp-cu-03_conn
  add chain=prerouting in-interface=bridge1 connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:5/3 action=mark-connection new-connection-mark=isp-cu-04_conn
  add chain=prerouting in-interface=bridge1 connection-mark=no-mark dst-address-type=!local per-connection-classifier=both-addresses:5/4 action=mark-connection new-connection-mark=isp-cu-05_conn

# Connection mark -> routing mark for forwarded LAN traffic.
  add chain=prerouting connection-mark=isp-cu-01_conn in-interface=bridge1 action=mark-routing new-routing-mark=to_isp-cu-01
  add chain=prerouting connection-mark=isp-cu-02_conn in-interface=bridge1 action=mark-routing new-routing-mark=to_isp-cu-02
  add chain=prerouting connection-mark=isp-cu-03_conn in-interface=bridge1 action=mark-routing new-routing-mark=to_isp-cu-03
  add chain=prerouting connection-mark=isp-cu-04_conn in-interface=bridge1 action=mark-routing new-routing-mark=to_isp-cu-04
  add chain=prerouting connection-mark=isp-cu-05_conn in-interface=bridge1 action=mark-routing new-routing-mark=to_isp-cu-05

# Same for traffic originated by the router itself.
  add chain=output connection-mark=isp-cu-01_conn action=mark-routing new-routing-mark=to_isp-cu-01
  add chain=output connection-mark=isp-cu-02_conn action=mark-routing new-routing-mark=to_isp-cu-02
  add chain=output connection-mark=isp-cu-03_conn action=mark-routing new-routing-mark=to_isp-cu-03
  add chain=output connection-mark=isp-cu-04_conn action=mark-routing new-routing-mark=to_isp-cu-04
  add chain=output connection-mark=isp-cu-05_conn action=mark-routing new-routing-mark=to_isp-cu-05

/ip route
# One default route per routing-mark table. NOTE(review): no unmarked default
# route is listed here; unmarked traffic and traffic whose marked route is
# inactive fall through to the main table, which must be set up separately.
# (v6 syntax: routing-mark=; RouterOS v7 uses routing-table= and needs
# /routing table add name=... fib first.)
  add dst-address=0.0.0.0/0 gateway=isp-cu-01 distance=1 routing-mark=to_isp-cu-01 check-gateway=ping
  add dst-address=0.0.0.0/0 gateway=isp-cu-02 distance=1 routing-mark=to_isp-cu-02 check-gateway=ping
  add dst-address=0.0.0.0/0 gateway=isp-cu-03 distance=1 routing-mark=to_isp-cu-03 check-gateway=ping
  add dst-address=0.0.0.0/0 gateway=isp-cu-04 distance=1 routing-mark=to_isp-cu-04 check-gateway=ping
  add dst-address=0.0.0.0/0 gateway=isp-cu-05 distance=1 routing-mark=to_isp-cu-05 check-gateway=ping

/ip firewall nat
# Source NAT on every WAN (no src-address restriction; add one if needed).
 add chain=srcnat out-interface=isp-cu-01 action=masquerade
 add chain=srcnat out-interface=isp-cu-02 action=masquerade
 add chain=srcnat out-interface=isp-cu-03 action=masquerade
 add chain=srcnat out-interface=isp-cu-04 action=masquerade
 add chain=srcnat out-interface=isp-cu-05 action=masquerade
