
RouterOS 快速生成PCC策略脚本

RouterOS 快速生成PCC策略脚本

PCC概念

  PCC 全称 Per Connection Classifier,是 RouterOS 从 v3.24 版本起提供的功能,允许你将流量按照源地址、源端口、目的地址、目的端口等规则进行分流,从而实现网络负载均衡。其大致原理是:对 IP 包头中的相应字段做 Hash 运算,再将结果与设置的规则进行比较,以此匹配数据包。

  通过 PCC负载,可避免出现多个网关的问题,通过 RouterOS 强大的数据包标记功能 (IP/Firewall/Mangle) ,可以将流量自动分流为多组并创建动态路由表。

作为一个懒人重症者,只能写一简单粗暴的生成脚本去应付(水平有限)。

  • ros-pcc-rule.sh
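#!/usr/bin/env bash
# filename: ros-pcc-rule.sh
#
# Prints RouterOS (v6 syntax) commands that set up PCC load balancing across
# the WAN interfaces listed below: an address-list entry for the LAN, mangle
# rules that mark connections and routing, one default route per WAN, and a
# masquerade rule per WAN. Nothing is applied to a router; the commands are
# only written to stdout.
#
# NOTE(review): the output contains no "/ip firewall filter" rules. Input and
# forward filtering on the WAN interfaces has to be configured separately.
# Read the generated commands before importing them on a router.

set -euo pipefail

# LAN prefix whose outbound traffic is balanced.
lan_network=192.168.200.0/24
# WAN interfaces to balance across; their order fixes the PCC bucket index.
wan_int_lists=(
        pppoe-out1
        pppoe-out2
        pppoe-out3
)

# Print an error on stderr and stop with a non-zero status.
die() {
    printf '%s: %s\n' "${0##*/}" "$*" >&2
    exit 1
}

# Succeed only if $1 is non-empty and consists solely of characters that can
# be written as a bare (unquoted) value in the generated commands. The values
# are pasted into command text as-is, so whitespace, quotes, ';', '[' or '$'
# would change how the router parses the line.
is_safe_token() {
    case ${1-} in
        '' | *[!A-Za-z0-9._:/-]*) return 1 ;;
    esac
    return 0
}

# Fail closed before printing anything, so a partial rule set is never emitted.
(( ${#wan_int_lists[@]} > 0 )) || die "wan_int_lists is empty"
is_safe_token "$lan_network" \
    || die "unsupported characters in lan_network: $lan_network"
for wan in "${wan_int_lists[@]}"; do
    is_safe_token "$wan" \
        || die "unsupported characters in interface name: $wan"
done

num=0
wlan_count=${#wan_int_lists[@]}

# Address list that the mangle rules below use to recognise LAN sources.
# printf '%s' keeps the value literal (echo -e would interpret backslashes).
printf '/ip firewall address-list\n  add list=lan-network address=%s\n' \
    "$lan_network"

printf '/ip firewall mangle\n'
# Mark outbound (non-local destination) traffic, four rules per WAN:
#   1. unmarked connections from the LAN that fall into PCC bucket num of
#      wlan_count (hash over both addresses) get this WAN's connection mark
#   2. unmarked connections arriving on the WAN get the same connection mark
#   3. output chain: marked connections get this WAN's routing mark
#   4. prerouting: LAN packets of marked connections get the routing mark
for wan in "${wan_int_lists[@]}"; do
    printf '  add chain=prerouting comment=pcc-rule-%s connection-mark=no-mark dst-address-type=!local action=mark-connection per-connection-classifier=both-addresses:%s/%s src-address-list=lan-network new-connection-mark=%s_conn\n' \
        "$wan" "$wlan_count" "$num" "$wan"
    printf '  add chain=prerouting connection-mark=no-mark action=mark-connection in-interface=%s new-connection-mark=%s_conn\n' \
        "$wan" "$wan"
    printf '  add chain=output action=mark-routing connection-mark=%s_conn new-routing-mark=to_%s\n' \
        "$wan" "$wan"
    printf '  add chain=prerouting action=mark-routing src-address-list=lan-network connection-mark=%s_conn new-routing-mark=to_%s\n' \
        "$wan" "$wan"
    # Plain assignment: ((num++)) returns status 1 when num is 0, which
    # would abort the script under set -e.
    num=$((num + 1))
done

# One default route per routing mark, each through its own WAN interface.
printf '\n/ip route\n'
for wan in "${wan_int_lists[@]}"; do
    printf '  add dst-address=0.0.0.0/0 gateway=%s distance=1 routing-mark=to_%s check-gateway=ping\n' \
        "$wan" "$wan"
done

# Source NAT (masquerade) for traffic leaving through each WAN interface.
printf '\n/ip firewall nat\n'
for wan in "${wan_int_lists[@]}"; do
    printf ' add chain=srcnat out-interface=%s action=masquerade\n' "$wan"
done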

以上范例生成的 RouterOS 配置如下:

# Annotated sample output of ros-pcc-rule.sh; the "#" lines are reviewer
# annotations and are not printed by the script.
# NOTE(review): this listing adds no "/ip firewall filter" rules, so filtering
# of traffic arriving on the pppoe-out* interfaces must be set up separately.

# Address list naming the LAN prefix that the mangle rules match as a source.
/ip firewall address-list
  add list=lan-network address=192.168.200.0/24
# Per WAN interface, four rules in this order:
#   1. unmarked connections from lan-network to non-local destinations that
#      fall into PCC bucket N of 3 (both-addresses:3/N) get <wan>_conn
#   2. unmarked connections arriving on <wan> get <wan>_conn
#   3. output chain: connections marked <wan>_conn get routing mark to_<wan>
#   4. prerouting: lan-network packets of <wan>_conn get routing mark to_<wan>
/ip firewall mangle
  add chain=prerouting comment=pcc-rule-pppoe-out1 connection-mark=no-mark dst-address-type=!local action=mark-connection per-connection-classifier=both-addresses:3/0 src-address-list=lan-network new-connection-mark=pppoe-out1_conn
  add chain=prerouting connection-mark=no-mark action=mark-connection in-interface=pppoe-out1 new-connection-mark=pppoe-out1_conn
  add chain=output action=mark-routing connection-mark=pppoe-out1_conn new-routing-mark=to_pppoe-out1
  add chain=prerouting action=mark-routing src-address-list=lan-network connection-mark=pppoe-out1_conn new-routing-mark=to_pppoe-out1
  add chain=prerouting comment=pcc-rule-pppoe-out2 connection-mark=no-mark dst-address-type=!local action=mark-connection per-connection-classifier=both-addresses:3/1 src-address-list=lan-network new-connection-mark=pppoe-out2_conn
  add chain=prerouting connection-mark=no-mark action=mark-connection in-interface=pppoe-out2 new-connection-mark=pppoe-out2_conn
  add chain=output action=mark-routing connection-mark=pppoe-out2_conn new-routing-mark=to_pppoe-out2
  add chain=prerouting action=mark-routing src-address-list=lan-network connection-mark=pppoe-out2_conn new-routing-mark=to_pppoe-out2
  add chain=prerouting comment=pcc-rule-pppoe-out3 connection-mark=no-mark dst-address-type=!local action=mark-connection per-connection-classifier=both-addresses:3/2 src-address-list=lan-network new-connection-mark=pppoe-out3_conn
  add chain=prerouting connection-mark=no-mark action=mark-connection in-interface=pppoe-out3 new-connection-mark=pppoe-out3_conn
  add chain=output action=mark-routing connection-mark=pppoe-out3_conn new-routing-mark=to_pppoe-out3
  add chain=prerouting action=mark-routing src-address-list=lan-network connection-mark=pppoe-out3_conn new-routing-mark=to_pppoe-out3

# One default route per routing mark, each through the matching interface.
/ip route
  add dst-address=0.0.0.0/0 gateway=pppoe-out1 distance=1 routing-mark=to_pppoe-out1 check-gateway=ping
  add dst-address=0.0.0.0/0 gateway=pppoe-out2 distance=1 routing-mark=to_pppoe-out2 check-gateway=ping
  add dst-address=0.0.0.0/0 gateway=pppoe-out3 distance=1 routing-mark=to_pppoe-out3 check-gateway=ping

# Masquerade traffic leaving through each WAN interface.
/ip firewall nat
 add chain=srcnat out-interface=pppoe-out1 action=masquerade
 add chain=srcnat out-interface=pppoe-out2 action=masquerade
 add chain=srcnat out-interface=pppoe-out3 action=masquerade

适用于v6版本
