关于ROS映射的问题．

kevin121

2.9.27　AD　+　光纤

以前还可以做映射，现在做映射，发现映射不出去！

请问下一般什么原因会导致映射不出去呢？

zhjchina

1.不知道你双线做了什么策略，一般是因为做了双线之后进出的数据包所走的线路不一致所走导致。
2. 因为没提供具体情况，所以不能提供解决方案，不过总的思路是跟踪从外网进来的数据包，做好标记，然后确保从原来进来的线路返回即可。
3.现实的网络拓扑千变万化，但是万变不离其宗。最终还是能用简单的思路来解决。

ypw

楼上的高手啊

zooyo

你好歹发个截图，什么的吧，让大家猜啊？有时候问问题很也显示人的水平。

kevin121

不好意思，首先谢谢各位．

大家看这个配置有没有什么问题？
/ ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn action=change-mss new-mss=1400 \
    comment="更改MSS1440" disabled=no
add chain=prerouting src-address=192.168.0.0/24 dst-address-list=QQserver \
    action=add-src-to-address-list address-list=dispc address-list-timeout=2m \
    comment="發現QQ登陸自動斷線30分鍾." disabled=no
add chain=prerouting src-address=192.168.0.0/24 dst-address-list=qqgame \
    action=add-src-to-address-list address-list=dispc address-list-timeout=2m \
    comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=110 action=add-dst-to-address-list \
    address-list=mail address-list-timeout=2m comment="" disabled=no
add chain=prerouting protocol=tcp dst-port=25 action=add-dst-to-address-list \
    address-list=mail address-list-timeout=2m comment="" disabled=no
add chain=prerouting in-interface=adsl action=mark-packet \
    new-packet-mark=all-mark passthrough=yes comment="PCQ限速" disabled=no
add chain=prerouting src-address=192.168.0.1-192.168.10.255 \
    action=mark-routing new-routing-mark=3 passthrough=yes comment="IP分流  \
    上走ADSL  下走光纤" disabled=no
add chain=prerouting src-address=192.168.250.1-192.168.250.255 \
    action=mark-routing new-routing-mark=1 passthrough=yes comment="" \
    disabled=no
/ ip firewall nat
add chain=srcnat action=masquerade comment="" disabled=no
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=50s tcp-syn-received-timeout=30s \
    tcp-established-timeout=1h tcp-fin-wait-timeout=10s \
    tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
    tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
    udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
    tcp-syncookie=yes
/ ip firewall filter
add chain=forward dst-address=59.148.180.30 protocol=tcp dst-port=80 \
    src-address-list=lanaddr action=accept \
    comment="只允许登陆ipaper18邮箱网站" disabled=no
add chain=forward dst-address=59.148.180.26 protocol=tcp dst-port=80 \
    src-address-list=lanaddr action=accept comment="" disabled=no
add chain=forward protocol=tcp dst-port=80 src-address-list=lanaddr \
    action=drop comment="" disabled=no
add chain=forward protocol=tcp src-address-list=!dispc action=accept \
    comment="禁止QQ登陆，除邮箱外。" disabled=no
add chain=forward protocol=tcp dst-port=25 src-address-list=dispc \
    action=accept comment="" disabled=no
add chain=forward protocol=tcp dst-port=110 src-address-list=dispc \
    action=accept comment="" disabled=no
add chain=forward protocol=tcp src-address-list=dispc dst-address-list=mail \
    action=accept comment="" disabled=no
add chain=forward src-address-list=dispc dst-address-list=!mail action=drop \
    comment="" disabled=no
/ ip firewall address-list
add list=QQserver address=219.133.0.0/16 comment="" disabled=no
add list=QQserver address=58.61.32.0/24 comment="" disabled=no
add list=QQserver address=58.60.14.0/24 comment="" disabled=no
add list=QQserver address=218.6.2.0/24 comment="" disabled=no
add list=QQserver address=58.60.9.0/24 comment="" disabled=no
add list=QQserver address=58.60.15.0/24 comment="" disabled=no
add list=QQserver address=58.161.164.0/22 comment="" disabled=no
add list=QQserver address=58.251.60.0/24 comment="" disabled=no
add list=QQserver address=58.251.61.0/24 comment="" disabled=no
add list=QQserver address=58.251.62.0/24 comment="" disabled=no
add list=QQserver address=58.251.63.0/24 comment="" disabled=no
add list=qqgame address=61.172.204.148-61.172.204.215 comment="" disabled=no
add list=qqgame address=218.18.95.153 comment="" disabled=no
add list=qqgame address=60.28.232.12 comment="" disabled=no
add list=qqgame address=219.133.41.152 comment="" disabled=no
add list=qqgame address=210.22.23.197 comment="" disabled=no
add list=qqgame address=202.205.3.202 comment="" disabled=no
add list=qqgame address=202.104.241.19 comment="" disabled=no
add list=qqgame address=121.14.77.57-121.14.77.126 comment="" disabled=no
add list=qqgame address=172.16.13.2 comment="" disabled=no
add list=qqgame address=218.17.209.23 comment="" disabled=no
add list=qqgame address=58.61.166.136 comment="" disabled=no
add list=qqgame address=58.60.11.141-58.60.11.212 comment="" disabled=no
add list=lanaddr address=192.168.0.10 comment="" disabled=no
add list=lanaddr address=192.168.0.11 comment="" disabled=no
add list=lanaddr address=192.168.0.12 comment="" disabled=no
add list=lanaddr address=192.168.0.13 comment="" disabled=no
add list=lanaddr address=192.168.0.14 comment="" disabled=no
add list=lanaddr address=192.168.0.15 comment="" disabled=no
add list=lanaddr address=192.168.0.16 comment="" disabled=no
add list=lanaddr address=192.168.0.17 comment="" disabled=no
add list=lanaddr address=192.168.0.18 comment="" disabled=no
add list=lanaddr address=192.168.0.19 comment="" disabled=no
add list=lanaddr address=192.168.0.20 comment="" disabled=no
add list=lanaddr address=192.168.0.21 comment="" disabled=no
add list=lanaddr address=192.168.0.22 comment="" disabled=no
add list=lanaddr address=192.168.0.23 comment="" disabled=no
add list=lanaddr address=192.168.0.24 comment="" disabled=no
add list=lanaddr address=192.168.0.25 comment="" disabled=no
add list=lanaddr address=192.168.0.26 comment="" disabled=no
add list=lanaddr address=192.168.0.27 comment="" disabled=no
add list=lanaddr address=192.168.0.28 comment="" disabled=no
add list=lanaddr address=192.168.0.29 comment="" disabled=no
add list=lanaddr address=192.168.0.30 comment="" disabled=no
add list=lanaddr address=192.168.0.31 comment="" disabled=no
add list=lanaddr address=192.168.0.32 comment="" disabled=no
add list=lanaddr address=192.168.0.33 comment="" disabled=no
add list=lanaddr address=192.168.0.34 comment="" disabled=no
add list=lanaddr address=192.168.0.35 comment="" disabled=no
add list=lanaddr address=192.168.0.36 comment="" disabled=no
add list=lanaddr address=192.168.0.37 comment="" disabled=no
add list=lanaddr address=192.168.0.38 comment="" disabled=no
add list=lanaddr address=192.168.0.39 comment="" disabled=no
add list=lanaddr address=192.168.0.40 comment="" disabled=no
add list=lanaddr address=192.168.0.41 comment="" disabled=no
add list=lanaddr address=192.168.0.42 comment="" disabled=no
add list=lanaddr address=192.168.0.43 comment="" disabled=no
add list=lanaddr address=192.168.0.44 comment="" disabled=no
add list=lanaddr address=192.168.0.45 comment="" disabled=no
add list=lanaddr address=192.168.0.46 comment="" disabled=no
add list=lanaddr address=192.168.0.47 comment="" disabled=no
add list=lanaddr address=192.168.0.48 comment="" disabled=no
add list=lanaddr address=192.168.0.49 comment="" disabled=no
add list=lanaddr address=192.168.0.50 comment="" disabled=no
add list=lanaddr address=192.168.0.51 comment="" disabled=no
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=no
set quake3 disabled=no
set gre disabled=no
set pptp disabled=no

zooyo

是光纤进来还是AD进来？谁是默认线路？你发这么大一堆也没发到点子上啊。

47771885

看的 偶晕脑胀。。。上图直接

wanken

你有用到  25  110  port  表示你有建立Email  server 在內網，給你幾個思路吧！
1.email主機须要固定IP的，你那个光纤是固定IP吗？如果是建议你 PCC + 策略路由的方式运用吧，因为email 主机须要使用 DNS解析域名，这样别人寄来的信件才会走你的固定IP近来，如果不是固定IP，你使用动态IP+DDNS解析域名，那你的主机会被当做垃圾邮件的制造者，大家的邮件主机几乎都不会接受你的信件！
2.看你的/ ip firewall address-list   配置我猜你的应该是 ROS 2927的，因为你的QQ拦截都是封锁IP地址，3.0的都是直接用 L7 封锁QQ所以你没法使用 PCC只能用 NTH，但是NTH不建议架设email主机的，建议换版本吧,3.24以上有PCC
3.可以参考我先前发布的范例  PCC+策略分流 http://bbs.routerclub.com/forum.php?mod=viewthread&tid=45309

kevin121

wanken 发表于 2011-3-5 10:34

                               
登录/注册后可看大图

你有用到  25  110  port  表示你有建立Email  server 在內網，給你幾個思路吧！
1.email主機须要固定IP的 ...

谢谢回答，这两天有点忙，没来看。

嗯。我也打算升级的。

winfastfxfx

不错不错