I have recently been setting up PCC load balancing across 4 PPPoE dial-up lines and need to map TCP/UDP ports on all 4 lines to the internal network. Because there are many mapped ports, the dstnat configuration is extremely repetitive. The first problem is that the public IP addresses are obtained dynamically: each rule's dst-address had to be set to the public IP, a script had to check whether the IP had changed, and the dst-address of the dstnat rules then had to be rewritten.

Note: for port mapping across multiple PCC lines, make sure the mangle input and output policies are already configured correctly; that part is omitted here (see http://www.irouteros.com/?p=687).

I then switched to matching on in-interface=pppoe-out instead, which implements the port mapping without any script periodically checking the address. The configuration is as follows:

Mapping TCP/UDP port 12389 on the 4 dial-up lines (there are other ports as well; one port is used here as the example) takes 8 rules in total:

/ip firewall nat
add action=dst-nat chain=dstnat comment=p1 in-interface=pppoe-out1 dst-port=12389 protocol=tcp to-addresses=192.168.88.8 to-ports=12389
add action=dst-nat chain=dstnat comment=p2 in-interface=pppoe-out2 dst-port=12389 protocol=tcp to-addresses=192.168.88.8 to-ports=12389
add action=dst-nat chain=dstnat comment=p3 in-interface=pppoe-out3 dst-port=12389 protocol=tcp to-addresses=192.168.88.8 to-ports=12389
add action=dst-nat chain=dstnat comment=p4 in-interface=pppoe-out4 dst-port=12389 protocol=tcp to-addresses=192.168.88.8 to-ports=12389

add action=dst-nat chain=dstnat comment=p1 in-interface=pppoe-out1 dst-port=12389 protocol=udp to-addresses=192.168.88.8 to-ports=12389
add action=dst-nat chain=dstnat comment=p2 in-interface=pppoe-out2 dst-port=12389 protocol=udp to-addresses=192.168.88.8 to-ports=12389
add action=dst-nat chain=dstnat comment=p3 in-interface=pppoe-out3 dst-port=12389 protocol=udp to-addresses=192.168.88.8 to-ports=12389
add action=dst-nat chain=dstnat comment=p4 in-interface=pppoe-out4 dst-port=12389 protocol=udp to-addresses=192.168.88.8 to-ports=12389


But this is still a lot of configuration. To reduce the number of rules, I used an interface list instead.

First create the interface list, named PPPoE:

/interface list
add name=PPPoE


Add the 4 pppoe-out dial-up interfaces to the PPPoE list:

/interface list member
add interface=pppoe-out1 list=PPPoE
add interface=pppoe-out2 list=PPPoE
add interface=pppoe-out3 list=PPPoE
add interface=pppoe-out4 list=PPPoE


Then the NAT rules: the 8 rules are reduced to 2, configured as follows:

/ip firewall nat
add action=dst-nat chain=dstnat comment=p1 dst-port=12389 in-interface-list=PPPoE protocol=tcp to-addresses=192.168.88.8 to-ports=12389
add action=dst-nat chain=dstnat comment=p1 dst-port=12389 in-interface-list=PPPoE protocol=udp to-addresses=192.168.88.8 to-ports=12389
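As an added example (not part of the original post), the following RouterOS script builds on the interface-list approach above in two ways: it keeps the PPPoE list in sync with every pppoe-client interface, so a fifth line added later is covered by the same two dstnat rules without editing them, and it pairs the dstnat rules with forward-chain filter rules that use the same list, so that only port-mapped connections arriving on the dial-up lines reach the LAN. The list name PPPoE comes from the post; the rule comments and the filter layout are my assumptions.

```routeros
# Added example, not from the original post.
# Assumes the interface list "PPPoE" from the post already exists.

# 1. Add every pppoe-client interface that is not yet a member of the list.
#    Safe to re-run (e.g. from /system scheduler): only missing members are added.
:foreach i in=[/interface pppoe-client find] do={
    :local ifname [/interface pppoe-client get $i name];
    :if ([:len [/interface list member find interface=$ifname list=PPPoE]] = 0) do={
        /interface list member add interface=$ifname list=PPPoE;
        :log info ("PPPoE list: added " . $ifname);
    }
}

# 2. Forward-chain filter built on the same list (one-off configuration).
#    Only connections that were dst-nat'ed by the dstnat rules are allowed in
#    from the dial-up lines; any other new inbound connection is dropped.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="allow return traffic"
add chain=forward action=accept in-interface-list=PPPoE connection-nat-state=dstnat connection-state=new comment="allow port-mapped traffic from PPPoE lines"
add chain=forward action=drop in-interface-list=PPPoE connection-state=new comment="drop other inbound from PPPoE lines"
```

The membership loop is idempotent and can be scheduled; the three filter rules are added once and must sit above any existing rule that accepts or drops all forward traffic, otherwise they never match. With this layout, adding a new port mapping stays a two-rule change in /ip firewall nat, and adding a new line is handled by the loop.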