I couldn't find the original post any more, so I'm reposting a second-hand copy and keeping it for reference.

1. Set up PPPoE dial-up, creating pppoe_out; do not add a default route and do not take the peer's DNS (interface, user and password below are placeholders):
/interface pppoe-client
add name=pppoe_out interface=<wan-ether> user=<user> password=<password> add-default-route=no use-peer-dns=no comment="China Unicom Internet"
2. Add a dedicated route from pppoe_out to the VPN server (x.x.x.x is the VPN server's address):
/ip route
add dst-address=x.x.x.x/32 gateway=pppoe_out comment="VPN server via PPPoE"
3. Set up the PPTP connection, creating pptp_out; again do not add a default route and do not take the peer's DNS (same VPN server as in step 2; user and password are placeholders):
/interface pptp-client
add name=pptp_out connect-to=x.x.x.x user=<user> password=<password> add-default-route=no use-peer-dns=no comment="linode-pptp"
4. Create the address list of blocked IPs, GFWed (it must also contain the IPs of the foreign DNS servers that get interfered with, which is why 8.8.8.8 and 8.8.4.4 appear here; add one entry per blocked range):
/ip firewall address-list
add list=GFWed address=8.8.8.8 comment="Google DNS, also the dst-nat target of step 11"
add list=GFWed address=8.8.4.4 comment="Google DNS"
add list=GFWed address=x.x.x.x/x comment="blocked range, one entry each"
5. Add the mangle rules that create the routing marks to_pppoe and to_pptp (LAN is the inside interface; everything not in GFWed gets to_pppoe, everything in GFWed gets to_pptp):
/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no in-interface=LAN new-routing-mark=to_pppoe passthrough=yes dst-address-list=!GFWed
add action=mark-routing chain=prerouting disabled=no in-interface=LAN new-routing-mark=to_pptp passthrough=yes dst-address-list=GFWed
6. Add the policy routes: traffic is routed by the marks to_pppoe and to_pptp, with an unmarked default route over both gateways as a fallback:
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe_out routing-mark=to_pppoe scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pptp_out routing-mark=to_pptp scope=30 target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe_out,pptp_out scope=30 target-scope=10
7. Add the NAT rules: masquerade on each outgoing interface.
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pppoe_out
add action=masquerade chain=srcnat disabled=no out-interface=pptp_out
8. Test with traceroute. Check that 8.8.8.8/8.8.4.4, or any IP from the GFWed list, goes through the VPN, and that domestic IPs such as 202.102.134.68/202.102.152.3 do not:
/tool traceroute 8.8.8.8
/tool traceroute 202.102.134.68
=======================The steps above split traffic by blocked IP===========================

9. Add the rule that recognises DNS queries for blocked domains, creating the layer7 match to_google_DNS;
/ip firewall layer7-protocol
add name=to_google_DNS regexp="google.com|twitter.com|youtube.com|ytimg.com|blogger.com|blogspot.com|wordpress.com|feeds.feedburner.com|twimg.com|facebook.com|fbcdn.net|evernote.com|appspot.com|blogspot.com|blogcdn.com|ggpht.com|googleusercontent.com|feedly.com|flickr.com|wikimedia.org|wikipedia.com|nytimes.com|bbc.uk.co|6park.com|t66y.com|chinagfw.org|boxun.com|t.co|j.mp|img.ly|is.gd|ff.im" comment="Redirect GFWed based DNS requests to google DNS"
10. Add the mangle rules that create the routing mark to_google; note that port 53 must be covered for both UDP and TCP;
/ip firewall mangle
add action=mark-routing chain=prerouting dst-port=53 in-interface=LAN layer7-protocol=to_google_DNS new-routing-mark=to_google protocol=udp comment="dns mangling to google dns"
add action=mark-routing chain=prerouting dst-port=53 in-interface=LAN layer7-protocol=to_google_DNS new-routing-mark=to_google protocol=tcp comment="dns mangling to google dns"
11. Add the NAT rules: queries carrying the to_google mark get their destination rewritten to Google DNS; again both UDP and TCP port 53 (the original post listed two identical rules without protocol, port or mark, which RouterOS rejects because to-ports needs a protocol; the matchers are filled in here as the text describes):
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no protocol=udp dst-port=53 routing-mark=to_google to-addresses=8.8.8.8 to-ports=53
add action=dst-nat chain=dstnat disabled=no protocol=tcp dst-port=53 routing-mark=to_google to-addresses=8.8.8.8 to-ports=53
12. Set the domestic DNS servers (202.102.134.68, 202.102.152.3, 202.102.154.3, 202.102.128.68):
/ip dns
set servers=202.102.134.68,202.102.152.3,202.102.154.3,202.102.128.68

13. Test with traceroute. Check that blocked domains such as twitter.com resolve correctly and that their route goes through the VPN tunnel; check that domestic sites such as www.sina.com resolve normally and that their route does not go through the VPN:
/tool traceroute twitter.com
/tool traceroute www.sina.com
===================The steps above split DNS resolution for poisoned domains========================

If everything works, you get transparent and cheap internet access. (LAN clients can simply use DHCP and pick up their DNS automatically.)
For day-to-day maintenance only two tables need upkeep: the layer7 table to_google_DNS of blocked/poisoned domains, and the GFWed IP address list.
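As an added example (not from the original post, and not RouterOS code), here is a Python model of what the layer7 matcher in step 9 actually sees: a DNS query carries the name as length-prefixed labels rather than dotted text, which is why the post's unescaped dots match, why short entries such as t.co also match unrelated names, and how to generate a pinned regexp for the to_google_DNS table. The matcher model (unanchored, case-insensitive regex over raw payload) and the RouterOS quoting rule are assumptions stated in the comments.

```python
"""Added example, not from the original post: model how RouterOS layer7 sees a
DNS query and build a tighter to_google_DNS regexp from the domain table.
The matcher model is an approximation (assumption), not RouterOS code."""
import re

LABEL_RE = re.compile(r"^[a-z0-9-]{1,63}$")   # hostname labels only, no regex metacharacters

def dns_wire_qname(name: str) -> bytes:
    """Encode a hostname as the QNAME found in a DNS query: every label is
    prefixed by its length byte, and the sequence ends with a zero byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def layer7_matches(regexp: str, name: str) -> bool:
    """Assumed layer7 behaviour: unanchored, case-insensitive regex search over
    the raw payload bytes; DOTALL so '.' also matches a 0x0a length byte."""
    pat = re.compile(regexp.encode("ascii"), re.IGNORECASE | re.DOTALL)
    return pat.search(dns_wire_qname(name)) is not None

def wire_pattern(domain: str) -> str:
    """Regexp fragment matching this domain and all its subdomains in wire form.
    Pinning each label length means 't.co' can no longer match inside 'cnet.com'."""
    parts = []
    for label in domain.rstrip(".").lower().split("."):
        if not LABEL_RE.match(label):
            raise ValueError(f"bad label {label!r} in {domain!r}")
        parts.append(r"\x%02x%s" % (len(label), label))
    return "".join(parts) + r"\x00"

def build_layer7(domains) -> str:
    """De-duplicate the domain table (the post lists blogspot.com twice) and
    join it into one alternation for the layer7 rule."""
    return "|".join(wire_pattern(d) for d in sorted({d.lower() for d in domains}))

def routeros_cmd(domains, name="to_google_DNS") -> str:
    """CLI line for the post's step 9. Backslashes are doubled because RouterOS
    treats '\\' as an escape inside double-quoted strings (assumption, matching exports)."""
    regexp = build_layer7(domains).replace("\\", "\\\\")
    return f'/ip firewall layer7-protocol add name={name} regexp="{regexp}"'

if __name__ == "__main__":
    # Constructed checks: the post's substring style versus the pinned form.
    for pattern, host in [("google.com", "www.google.com"), ("t.co", "cnet.com"),
                          (wire_pattern("t.co"), "cnet.com"), (wire_pattern("t.co"), "api.t.co")]:
        print(f"{pattern!r:24} vs {host:16} -> {layer7_matches(pattern, host)}")
    print(routeros_cmd(["google.com", "twitter.com", "t.co", "twitter.com"]))
```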