Hello, this is Ayaka.
This time I will configure CHR to match the test environment.
1. PPPoE Client configuration
In this test environment CHR is used as a PPPoE client.
So the first step is to add a PPPoE Client interface.
[ayaka@CORERB01] > /interface pppoe-client add name=pppoe-out_plala interface=ether1 user=xxxxx@plala.or.jp password=xxxxxxxx use-peer-dns=yes add-default-route=yes default-route-distance=1 keepalive-timeout=10 disabled=no
[ayaka@CORERB01] > /interface pppoe-client print
Flags: X - disabled, I - invalid, R - running
0 R name="pppoe-out_plala" max-mtu=auto max-mru=auto mrru=disabled interface=ether1 user="xxxxx@plala.or.jp" password="xxxxxxxx" profile=default keepalive-timeout=10 service-name="" ac-name=""
add-default-route=yes default-route-distance=1 dial-on-demand=no use-peer-dns=yes allow=pap,chap,mschap1,mschap2
[ayaka@CORERB01] >
[ayaka@CORERB01] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.1.161/24 192.168.1.0 ether1
1 D 114.xxx.xxx.152/32 125.xxx.xxx.129 pppoe-plala1
[ayaka@CORERB01] >
2. Firewall configuration
Next comes the firewall configuration for the initial build.
Review the rules and adjust them to suit your own environment.
The key points of this rule set are the following three:
・An Interface List is used, so that the rules keep working even if the PPPoE Client interface name changes during operation.
・Rules that can be grouped are grouped by means of Address Lists.
・fasttrack is applied to established and related connections.
[ayaka@CORERB01] > /interface list add comment="PPPoE client" name=pppoe-out-all
[ayaka@CORERB01] > /interface list member add interface=pppoe-out_plala list=pppoe-out-all
[ayaka@CORERB01] >
[ayaka@CORERB01] > /ip firewall address-list add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
[ayaka@CORERB01] > /ip firewall address-list add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
[ayaka@CORERB01] > /ip firewall address-list add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
[ayaka@CORERB01] > /ip firewall address-list add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
[ayaka@CORERB01] > /ip firewall address-list add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
[ayaka@CORERB01] > /ip firewall address-list add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
[ayaka@CORERB01] > /ip firewall address-list add address=224.0.0.0/4 comment=Multicast list=not_in_internet
[ayaka@CORERB01] > /ip firewall address-list add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
[ayaka@CORERB01] > /ip firewall address-list add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
[ayaka@CORERB01] > /ip firewall address-list add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
[ayaka@CORERB01] > /ip firewall address-list add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
[ayaka@CORERB01] > /ip firewall address-list add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
[ayaka@CORERB01] > /ip firewall address-list add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
[ayaka@CORERB01] > /ip firewall address-list add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
[ayaka@CORERB01] > /ip firewall address-list add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
[ayaka@CORERB01] > /ip firewall address-list add address=[misbehaving IP address] list=deny_from_accsess
[ayaka@CORERB01] >
[ayaka@CORERB01] > /ip firewall filter add action=fasttrack-connection chain=forward comment="Established, Related(fasttrack)" connection-state=established,related
[ayaka@CORERB01] > /ip firewall filter add action=drop chain=input comment="Deny aggressive communications" src-address-list=deny_from_accsess
[ayaka@CORERB01] > /ip firewall filter add action=accept chain=forward comment="Established, Related" connection-state=established,related
[ayaka@CORERB01] > /ip firewall filter add action=accept chain=input comment="Established, Related" connection-state=established,related
[ayaka@CORERB01] > /ip firewall filter add action=drop chain=forward comment=Invalid connection-state=invalid
[ayaka@CORERB01] > /ip firewall filter add action=accept chain=input comment="accept ICMP" in-interface-list=pppoe-out-all protocol=icmp
[ayaka@CORERB01] > /ip firewall filter add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface-list=pppoe-out-all src-address-list=not_in_internet
[ayaka@CORERB01] > /ip firewall filter add action=drop chain=input comment="all drop from internet" in-interface-list=pppoe-out-all
[ayaka@CORERB01] >
3. Enabling VRRP
The test environment uses two routers, CORERB01 and CORERB02.
CHR includes VRRP as its router redundancy mechanism, so that is what we use.
To enable VRRP on RouterOS, add a VRRP interface corresponding to each physical interface and assign the shared IP address to it.
Since CORERB01 should be the active router, I set its VRRP priority to 200.
[ayaka@CORERB01] > /interface vrrp add interface=ether2 name=vrrp_ether2 priority=200 vrid=2
[ayaka@CORERB01] > /interface vrrp add interface=ether3 name=vrrp_ether3 priority=200 vrid=3
[ayaka@CORERB01] > /interface vrrp add interface=ether4 name=vrrp_ether4 priority=200 vrid=4
[ayaka@CORERB01] > /interface vrrp add interface=ether5 name=vrrp_ether5 priority=200 vrid=5
[ayaka@CORERB01] >
[ayaka@CORERB01] > /ip address add address=192.168.2.254/24 interface=vrrp_ether2 network=192.168.2.0
[ayaka@CORERB01] > /ip address add address=172.16.10.254/24 interface=vrrp_ether3 network=172.16.10.0
[ayaka@CORERB01] > /ip address add address=172.16.20.254/24 interface=vrrp_ether4 network=172.16.20.0
[ayaka@CORERB01] > /ip address add address=172.16.30.254/24 interface=vrrp_ether5 network=172.16.30.0
[ayaka@CORERB01] > /ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.1.161/24 192.168.1.0 ether1
1 192.168.2.253/24 192.168.2.0 ether2
2 172.16.10.253/24 172.16.10.0 ether3
3 172.16.20.253/24 172.16.20.0 ether4
4 172.16.30.253/24 172.16.30.0 ether5
5 D 114.xxx.xxx.94/32 125.xxx.xxx.129 pppoe-out_plala
6 192.168.2.254/24 192.168.2.0 vrrp_ether2
7 172.16.10.254/24 172.16.10.0 vrrp_ether3
8 172.16.20.254/24 172.16.20.0 vrrp_ether4
9 172.16.30.254/24 172.16.30.0 vrrp_ether5
[ayaka@CORERB01] >
On the CORERB02 side I entered the following configuration.
[ayaka@CORERB02] > /interface vrrp add interface=ether2 name=vrrp_ether2 vrid=2
[ayaka@CORERB02] > /interface vrrp add interface=ether3 name=vrrp_ether3 vrid=3
[ayaka@CORERB02] > /interface vrrp add interface=ether4 name=vrrp_ether4 vrid=4
[ayaka@CORERB02] > /interface vrrp add interface=ether5 name=vrrp_ether5 vrid=5
[ayaka@CORERB02] >
[ayaka@CORERB02] > /ip address add address=192.168.1.162/24 interface=ether1 network=192.168.1.0
[ayaka@CORERB02] > /ip address add address=192.168.2.252/24 interface=ether2 network=192.168.2.0
[ayaka@CORERB02] > /ip address add address=172.16.10.252/24 interface=ether3 network=172.16.10.0
[ayaka@CORERB02] > /ip address add address=172.16.20.252/24 interface=ether4 network=172.16.20.0
[ayaka@CORERB02] > /ip address add address=172.16.30.252/24 interface=ether5 network=172.16.30.0
[ayaka@CORERB02] > /ip address add address=192.168.2.254/24 interface=vrrp_ether2 network=192.168.2.0
[ayaka@CORERB02] > /ip address add address=172.16.10.254/24 interface=vrrp_ether3 network=172.16.10.0
[ayaka@CORERB02] > /ip address add address=172.16.20.254/24 interface=vrrp_ether4 network=172.16.20.0
[ayaka@CORERB02] > /ip address add address=172.16.30.254/24 interface=vrrp_ether5 network=172.16.30.0
[ayaka@CORERB02] >
However, I got stuck a little here. VRRP would not come up properly.
The cause was that promiscuous mode had not been enabled on the ESXi virtual switch.
Once promiscuous mode was allowed, VRRP started working, as shown below.
[ayaka@CORERB01] > /interface vrrp print
Flags: X - disabled, I - invalid, R - running, M - master, B - backup
# NAME INTERFACE MAC-ADDRESS VRID PRIORITY INTERVAL VERSION V3-PROTOCOL
0 RM vrrp_ether2 ether2 00:00:5E:00:01:02 2 100 1s 3 ipv4
1 RM vrrp_ether3 ether3 00:00:5E:00:01:03 3 100 1s 3 ipv4
2 RM vrrp_ether4 ether4 00:00:5E:00:01:04 4 100 1s 3 ipv4
3 RM vrrp_ether5 ether5 00:00:5E:00:01:05 5 100 1s 3 ipv4
[ayaka@CORERB01] >
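The election, the virtual MAC addresses seen in the print output above, and the time a backup waits before taking over all follow RFC 5798. The script below is an added example, not code from this post or from MikroTik; the router tuples are constructed from the addresses and priorities entered in this section.

```python
"""VRRP election, virtual MAC and failover timing per RFC 5798.

Added example, not the page's or MikroTik's code; the router tuples below
are constructed from the addresses and priorities entered in section 3.
"""
import ipaddress


def virtual_mac(vrid):
    """IPv4 VRRP virtual MAC is 00:00:5E:00:01:<VRID>, as in the print output above."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00:00:5E:00:01:{vrid:02X}"


def elect_master(routers, failed=()):
    """routers: (name, priority, primary address). Highest priority wins;
    a tie goes to the numerically highest primary address on the segment."""
    alive = [r for r in routers if r[0] not in failed]
    if not alive:
        return None
    return max(alive, key=lambda r: (r[1], int(ipaddress.ip_address(r[2]))))[0]


def master_down_interval(priority, adver_interval=1.0):
    """Seconds a backup waits without advertisements before taking over:
    3 * Master_Adver_Interval + Skew_Time, with
    Skew_Time = (256 - priority) * Master_Adver_Interval / 256."""
    skew = (256 - priority) * adver_interval / 256
    return 3 * adver_interval + skew


# Constructed from section 3: VRID 2 on ether2 of both routers.
VRID2 = [("CORERB01", 200, "192.168.2.253"), ("CORERB02", 100, "192.168.2.252")]

if __name__ == "__main__":
    print(virtual_mac(2), elect_master(VRID2), elect_master(VRID2, failed={"CORERB01"}))
    print(master_down_interval(100), master_down_interval(200))
```

Two things worth checking against the output above: the virtual MAC 00:00:5E:00:01:02 is not the vNIC's own address, which is exactly why the vSwitch has to be in promiscuous mode before frames to it reach the VM; and the print shows PRIORITY 100 (the RouterOS default) rather than the 200 that was entered. With equal priorities the election falls back to the higher primary address, so it pays to verify that the intended priority actually took effect, and the higher-priority router also notices a dead master sooner because its skew time is shorter.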
4. Enabling IP Masquerade (NAPT)
IP Masquerade is applied to traffic from specific segments heading out to the Internet.
[ayaka@CORERB01] > /ip firewall nat add action=masquerade chain=srcnat out-interface-list=pppoe-out-all src-address=192.168.64.0/24
[ayaka@CORERB01] > /ip firewall nat add action=masquerade chain=srcnat out-interface-list=pppoe-out-all src-address=172.16.30.0/24
[ayaka@CORERB01] >
5. Enabling port forwarding
There is a router behind the DMZ network that accepts SSTP, so the required port is forwarded to it.
[ayaka@CORERB01] > /ip firewall nat add action=dst-nat chain=dstnat dst-port=20443 in-interface-list=pppoe-out-all protocol=tcp to-addresses=192.168.2.1 to-ports=20443
[ayaka@CORERB01] >
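To see how the firewall rules of section 2 and the NAT rules of sections 4 and 5 interact, the following toy model replays them with RouterOS first-match semantics: dst-nat before the filter chains, masquerade after. It is an added example, not code from this post or from MikroTik. The WAN address, the entry in deny_from_accsess and all sample packets are constructed stand-ins, since the page masks the real values.

```python
"""Toy model of the packet flow the rules above produce on CORERB01.

Added example; not the page's or MikroTik's code. It replays the filter,
dst-nat and masquerade rules from sections 2, 4 and 5 with first-match
semantics. WAN address and the "misbehaving" host are constructed stand-ins.
"""
import ipaddress
from dataclasses import dataclass, replace

WAN_ADDRESS = "114.0.0.94"  # constructed; the page shows 114.xxx.xxx.94
ROUTER_ADDRESSES = {"192.168.1.161", "192.168.2.253", WAN_ADDRESS}  # local -> chain=input
INTERFACE_LISTS = {"pppoe-out-all": {"pppoe-out_plala"}}
ADDRESS_LISTS = {
    "not_in_internet": [ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
        "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24",
        "192.168.0.0/16", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24",
        "224.0.0.0/4", "240.0.0.0/4")],
    "deny_from_accsess": [ipaddress.ip_network("198.51.100.77/32")],  # constructed entry
}


@dataclass
class Packet:
    in_iface: str
    src: str
    dst: str
    proto: str = "tcp"
    dst_port: int = 0
    conn_state: str = "new"


# Filter rules in the order they were entered; RouterOS stops at the first match.
FILTER_RULES = [
    dict(chain="forward", action="fasttrack-connection", connection_state={"established", "related"}),
    dict(chain="input", action="drop", src_address_list="deny_from_accsess"),
    dict(chain="forward", action="accept", connection_state={"established", "related"}),
    dict(chain="input", action="accept", connection_state={"established", "related"}),
    dict(chain="forward", action="drop", connection_state={"invalid"}),
    dict(chain="input", action="accept", in_interface_list="pppoe-out-all", protocol="icmp"),
    dict(chain="forward", action="drop", in_interface_list="pppoe-out-all", src_address_list="not_in_internet"),
    dict(chain="input", action="drop", in_interface_list="pppoe-out-all"),
]
DSTNAT_RULES = [dict(in_interface_list="pppoe-out-all", protocol="tcp", dst_port=20443,
                     to_address="192.168.2.1", to_port=20443)]
SRCNAT_RULES = [dict(out_interface_list="pppoe-out-all", src_address="192.168.64.0/24"),
                dict(out_interface_list="pppoe-out-all", src_address="172.16.30.0/24")]


def in_list(addr, list_name):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ADDRESS_LISTS[list_name])


def matches(rule, pkt, out_iface=None):
    """All matchers present on a rule must hold (RouterOS ANDs them)."""
    checks = {
        "connection_state": lambda v: pkt.conn_state in v,
        "src_address_list": lambda v: in_list(pkt.src, v),
        "in_interface_list": lambda v: pkt.in_iface in INTERFACE_LISTS[v],
        "out_interface_list": lambda v: out_iface in INTERFACE_LISTS[v],
        "protocol": lambda v: pkt.proto == v,
        "dst_port": lambda v: pkt.dst_port == v,
        "src_address": lambda v: ipaddress.ip_address(pkt.src) in ipaddress.ip_network(v),
    }
    return all(test(rule[key]) for key, test in checks.items() if key in rule)


def filter_verdict(pkt):
    """Chain is input for traffic addressed to the router itself, forward otherwise."""
    chain = "input" if pkt.dst in ROUTER_ADDRESSES else "forward"
    for rule in FILTER_RULES:
        if rule["chain"] == chain and matches(rule, pkt):
            # A fasttracked connection skips the rest of the firewall, so treat it as accept.
            return chain, ("accept" if rule["action"] == "fasttrack-connection" else rule["action"])
    return chain, "accept"  # nothing matched: neither chain above ends in a final drop


def process(pkt, out_iface="ether2"):
    """dst-nat (prerouting) -> filter -> masquerade (postrouting, forwarded traffic only)."""
    for rule in DSTNAT_RULES:
        if matches(rule, pkt):
            pkt = replace(pkt, dst=rule["to_address"], dst_port=rule["to_port"])
            break
    chain, verdict = filter_verdict(pkt)
    if chain == "forward" and verdict == "accept":
        for rule in SRCNAT_RULES:
            if matches(rule, pkt, out_iface):
                pkt = replace(pkt, src=WAN_ADDRESS)
                break
    return chain, verdict, pkt


if __name__ == "__main__":
    # Constructed samples: spoofed private source from the WAN, the SSTP forward, LAN egress.
    for p, out in ((Packet("pppoe-out_plala", "10.1.2.3", "192.168.2.10"), "ether2"),
                   (Packet("pppoe-out_plala", "1.2.3.4", WAN_ADDRESS, "tcp", 20443), "ether2"),
                   (Packet("ether3", "172.16.10.10", "1.2.3.4", "tcp", 443), "pppoe-out_plala")):
        print(process(p, out))
```

Running it shows the behaviour the rule set implies: a packet with a private source arriving on the PPPoE interface is dropped by the not_in_internet rule, a new connection to the router's own WAN address is dropped while ICMP to it is accepted, the 20443 forward is rewritten before the forward chain sees it and passes because that chain has no final drop, and a host in 172.16.10.0/24 leaves with its private source intact because only 192.168.64.0/24 and 172.16.30.0/24 are masqueraded.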
That completes the configuration needed at this point.
Going forward I will add whatever settings are required as the build progresses.