Davood Kazeminia

Davood Kazeminia's personal website

PBR PTP IPIP

Davood Kazeminia | Wednesday, 5 Dey 1397, 08:40 AM



Policy-Based Routing on an IPIP tunnel with PTP addressing.

This article shows how to configure an IPIP tunnel with PTP addressing and then use Policy-Based Routing (PBR) on that tunnel.

Theory about PBR

In computer networking, policy-based routing (PBR) is a technique used to make routing decisions based on policies set by the network administrator.
When a router receives a packet it normally decides where to forward it based on the destination address in the packet, which is then used to look up an entry in a routing table. However, in some cases, there may be a need to forward the packet based on other criteria. For example, a network administrator might want to forward a packet based on the source address, not the destination address. This should not be confused with source routing.
Policy-based routing may also be based on the size of the packet, the protocol of the payload, or other information available in a packet header or payload. This permits routing of packets originating from different sources to different networks even when the destinations are the same and can be useful when interconnecting several private networks.
In this example I want to show how to configure an IPIP tunnel with PTP addressing and, at the end, use PBR to bypass sites filtered by DCI.
In my country some websites are filtered by DCI, so I used PBR to forward my clients' requests to another MikroTik in another country (for example, the USA).
For this reason I want requests for Facebook, YouTube and so on to go through the IPIP tunnel, while other normal connections go through the country's Internet connection.
Diagram:
IPIP-PBR-PTP-Moghadam-Asghari.jpg
For this scenario we need to configure the IP addresses on both sides, configure the IPIP tunnel and, at the end, mark the clients' requests so that they are forwarded through the IPIP tunnel.
Step one: addressing
On the MikroTik 540G (filtered):
add ip address code:

ip address add address=192.168.20.1/24 interface="Ether 2 LAN" disabled=no
ip address add address=46.1.1.1 interface="Ether 1 Public" disabled=no


On the MikroTik 540G Free Internet (not filtered):
add ip address code (this is the public address used as the tunnel endpoint in step two):

ip address add address=109.200.5.181/32 interface="Ether 1 Public" disabled=no


Step two Configure IPIP tunnel: 
On the MikroTik 540G(filtered): 
add IPIP Tunnel Code :

interface ipip add name=IPIP local-address=46.1.1.1 remote-address=109.200.5.181 disabled=no


On the MikroTik 540G Free Internet(no filtered):

add IPIP Tunnel Code :

interface ipip add name=IPIP local-address=109.200.5.181 remote-address=46.1.1.1 disabled=no


IPIP-interface.jpg 
Step three: add IP addresses to the IPIP interfaces (PTP addressing):
On the MikroTik 540G (filtered):
add ip address code:

ip address add address=10.10.10.1 network=10.10.10.2 interface=IPIP disabled=no


On the MikroTik 540G Free Internet (not filtered):
add ip address code:

ip address add address=10.10.10.2 network=10.10.10.1 interface=IPIP disabled=no


P2P-addressing.jpg 
Step four: mark the clients' packets with a firewall mangle mark-routing rule.
I have 2 clients, so for best results I create one address list named HASAN and put the clients' IP addresses in it.
add address list code:

ip firewall address-list add address=192.168.20.55 list=HASAN
ip firewall address-list add address=192.168.20.54 list=HASAN


Next I have to select which traffic uses PBR to reach the Facebook and YouTube websites. We can match on the Content field (the string Facebook or YouTube), match on the destination addresses of the Facebook or YouTube websites (found with nslookup), or route every connection through the tunnel.
In this example I use the destination address to mark packets, so I create another address list and put the destination addresses in it.
add address list code:

ip firewall address-list add address=31.13.64.23 list=Sites
ip firewall address-list add address=74.125.143.136 list=Sites


Then create the marking rule with the name IPIP PACKET; we must select prerouting as the chain.
Prerouting.jpg
Then, in the Advanced menu, select the src and dst address lists (the src address list holds the client addresses and the dst address list holds the visited sites).
Prerouting-2.jpg
At the end, select the action (mark routing) and set the mark name.
Prerouting-3.jpg
mangle code:

ip firewall mangle add chain=prerouting src-address-list=HASAN dst-address-list=Sites action=mark-routing new-routing-mark="IPIP PACKET"


Step five – Static Route
In this step we add a static route for the packets that were matched and marked by the mangle rule, so that they are routed to the IPIP connection.
Static-route-ipip.jpg
static route command:

ip route add dst-address=0.0.0.0/0 gateway=IPIP routing-mark="IPIP PACKET"



Step six – NAT for our users
In this step we use NAT for our users.
IPIP-NAT.jpg
In the Advanced menu select the src address list (HASAN).
SRC-nat-ipip.jpg
Then set the action to masquerade.
SRC-nat-ipip2.jpg
IP firewall SRC NAT code:

ip firewall nat add chain=srcnat out-interface=IPIP src-address-list=HASAN action=masquerade


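Step seven – NAT for the IPIP tunnel on the other side (MikroTik 450G free internet)
Traffic arriving through the tunnel carries the source address 10.10.10.1 (the filtered router's tunnel address, set by the masquerade in step six), so that is the address this rule matches.
SRC-NAT-IPIP c2.jpg
Then set the action to masquerade.
SRC-nat-ipip c3.jpg
IP firewall SRC NAT code:

ip firewall nat add chain=srcnat src-address=10.10.10.1 action=masquerade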
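
The steps above can be checked by following one packet through the rules. This is an added Python model, not RouterOS code and not part of the original article; the function names are hypothetical, the addresses 8.8.8.8 and 192.168.20.99 are constructed sample values, and everything else is taken from the configuration on this page.

```python
# Model of the article's rule set; values come from the configuration above.
HASAN = {"192.168.20.54", "192.168.20.55"}   # client address list (step four)
SITES = {"31.13.64.23", "74.125.143.136"}    # destination address list (step four)
MARK = "IPIP PACKET"
FILTERED_TUNNEL = "10.10.10.1"               # filtered router, tunnel side
FREE_PUBLIC = "109.200.5.181"                # free router, public side


def mangle_prerouting(src, dst):
    """Step four: the routing mark is set only when both lists match."""
    return MARK if src in HASAN and dst in SITES else None


def select_gateway(mark):
    """Step five: the 0.0.0.0/0 route via IPIP applies to marked packets only."""
    return "IPIP" if mark == MARK else "main table"


def srcnat_filtered(src, out_if):
    """Step six: masquerade HASAN clients leaving through the tunnel."""
    if out_if == "IPIP" and src in HASAN:
        return FILTERED_TUNNEL
    return src  # the article shows no other srcnat rule on this router


def srcnat_free(src, rule_src):
    """Step seven: masquerade on the far router if the rule's src-address matches."""
    return FREE_PUBLIC if src == rule_src else src


def trace(src, dst, free_rule_src=FILTERED_TUNNEL):
    """Follow one packet and report its path and the source the site sees."""
    out_if = select_gateway(mangle_prerouting(src, dst))
    if out_if != "IPIP":
        return ("direct", src)
    in_tunnel = srcnat_filtered(src, out_if)
    return ("tunnel", srcnat_free(in_tunnel, free_rule_src))


if __name__ == "__main__":
    for src, dst in [("192.168.20.55", "31.13.64.23"),   # listed client, listed site
                     ("192.168.20.55", "8.8.8.8"),        # constructed: unlisted site
                     ("192.168.20.99", "31.13.64.23")]:   # constructed: unlisted client
        print(src, "->", dst, trace(src, dst))
    # A far-side rule keyed on 10.10.10.2 never matches tunnelled traffic:
    print(trace("192.168.20.55", "31.13.64.23", free_rule_src="10.10.10.2"))
```

The last call shows the failure mode worth checking on a live setup: if the far-side srcnat rule does not match the tunnel source address, the packet leaves with the private address 10.10.10.1 and replies cannot return.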


Summary: I marked the packets whose destination is the IP or name of the (filtered) Facebook website for a routing decision, then I set up an IPIP connection with P2P addressing to use the free Internet (without filter), then added a new route for all packets that should use the free Internet (without filter), and then I NAT all connections that go to the IPIP connection. Notice: you can set up this scenario in many ways, but this is a simple example. You can change the configuration to more advanced configurations for PBR (mangle, NAT, route).
Helpful Links:
Policy Base Routing, written by Reza Moghdam
http://wiki.mikrotik.com/wiki/Policy_Base_Routing
Mikrotik Wiki IPIP
http://wiki.mikrotik.com/wiki/Manual:Interface/IPIP


Hasan Asghari 
Mikrotik Trainer 
https://mikrotikuniversity.net









