WAN0 为专线,拥有固定IP,WAN1 为PPOE拨号。已经开启“保存接口上一跳”
双WAN口策略为主备,WAN0为主,WAN1为辅。
具体问题描述:
1:可以通过WAN0 的固定IP 访问mer 5200网页, WAN0给局域网服务器做了端口映射,也可以通过WAN0固定IP+端口访问。
2:如果切换单WAN口模式,(WAN0为单WAN口)局域网所有设备上不了网,在路由器测试页面,WAN0口可以ping通外网。
3:如果切换单WAN口模式,(WAN1为单WAN口) 设备上网正常。
4:如果保持主备模式,写策略路由无效,静态路由也无效。
#
version 7.1.064, Release 6749P2102
#
sysname H3C
#
clock timezone Beijing add 08:00:00
clock protocol ntp
#
undo resource-monitor output syslog snmp-notification netconf-event
#
qos carl 1 source-ip-address object-group 16段 per-address
qos carl 2 destination-ip-address object-group 16段 per-address
qos carl 3 source-ip-address object-group 17段 per-address
qos carl 4 destination-ip-address object-group 17段 per-address
#
security-zone intra-zone default permit
#
track 1022 nqa entry ge0/1 1 reaction 1
#
track 1023 nqa entry ge0/0 1 reaction 1
#
dialer-group 2 rule ip permit
#
undo nat alg dns
nat alg h323
undo nat alg icmp-error
undo nat alg rtsp
nat alg tftp
#
dhcp enable
dhcp server always-broadcast
#
password-recovery enable
#
vlan 1
#
object-group ip address 16段
description 192.168.16.1-192.168.16.254
0 network range 192.168.16.1 192.168.16.255
0 network exclude 192.168.16.253
#
object-group ip address 17段
description 192.168.17.2-192.168.17.254
0 network range 192.168.17.2 192.168.17.255
0 network exclude 192.168.17.252
#
object-group ip address connlimitObjGrp_29161
0 network range 192.168.16.1 192.168.16.255
#
object-group ip address connlimitObjGrp_45885
0 network range 192.168.17.2 192.168.17.255
#
dhcp server ip-pool lan1
gateway-list 192.168.17.1
network 192.168.16.0 mask 255.255.254.0
address range 192.168.16.16 192.168.17.200
dns-list 180.76.76.76 114.114.114.114
expired day 0 hour 5
forbidden-ip-range 192.168.16.212 192.168.16.212
forbidden-ip-range 192.168.16.240 192.168.16.241
forbidden-ip-range 192.168.16.253 192.168.17.2
#
nqa entry ge0/0 1
type icmp-echo
destination ip 180.76.76.76
frequency 10000
out interface GigabitEthernet0/0
probe timeout 1000
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa entry ge0/1 1
type icmp-echo
destination ip 180.76.76.76
frequency 10000
out interface Dialer1
probe timeout 1000
reaction 1 checked-element probe-fail threshold-type consecutive 5 action-type trigger-only
#
nqa schedule ge0/0 1 start-time now lifetime forever
nqa schedule ge0/1 1 start-time now lifetime forever
#
controller Cellular0/0
#
interface Dialer0
mtu 1492
#
interface Dialer1
mtu 1492
ppp chap password cipher BBBBBBBBBBBBBB不给显示BBBBBBBBBBBBBBB
ppp chap user BBBBBBBBBBBBBB不给显示BBBBBBBBBBBBBBB
ppp ipcp dns admit-any
ppp ipcp dns request
ppp pap local-user BBBBBBBBBBBBBB不给显示BBBBBBBBBBBBBBB password cipher BBBBBBBBBBBBBB不给显示BBBBBBBBBBBBBBB
dialer bundle enable
dialer-group 2
dialer timer idle 0
dialer timer autodial 5
ip address ppp-negotiate
tcp mss 1280
ip last-hop hold
nat outbound
attack-defense apply policy AtkInterface17415
#
interface NULL0
#
interface Vlan-interface1
description LAN-interface
ip address 192.168.17.1 255.255.254.0
tcp mss 1280
#
interface GigabitEthernet0/0
port link-mode route
description Double_Line1
bandwidth 70000
combo enable copper
ip address 223.X.X.X 255.255.255.252
dns server 180.76.76.76
dns server 114.114.114.114
tcp mss 1280
ip last-hop hold
packet-filter name WebPing3 inbound
qos reserved-bandwidth pct 100
qos lr outbound cir 70000 cbs 4375000 ebs 0
qos car inbound carl 2 cir 32500 cbs 2031250 ebs 0 green pass red discard yellow pass
qos car inbound carl 4 cir 32500 cbs 2031250 ebs 0 green pass red discard yellow pass
qos car outbound carl 1 cir 37500 cbs 2343750 ebs 0 green pass red discard yellow pass
qos car outbound carl 3 cir 37500 cbs 2343750 ebs 0 green pass red discard yellow pass
nat outbound
nat server protocol tcp global current-interface 2190 inside 192.168.16.253 80 description AC
attack-defense apply policy AtkInterface3
#
interface GigabitEthernet0/1
port link-mode route
description Double_Line2
pppoe-client dial-bundle-number 1
#
interface GigabitEthernet0/2
port link-mode bridge
#
interface GigabitEthernet0/3
port link-mode bridge
#
interface GigabitEthernet0/4
port link-mode bridge
#
interface GigabitEthernet0/5
port link-mode bridge
#
scheduler logfile size 16
#
line class console
user-role network-admin
#
line class tty
user-role network-operator
#
line class vty
user-role network-operator
#
line con 0
user-role network-admin
#
line vty 0 63
authentication-mode scheme
user-role network-operator
#
ip route-static 0.0.0.0 0 GigabitEthernet0/0 223.X.X.225 preference 100
ip route-static 0.0.0.0 0 Dialer1 track 1022
ip route-static 180.76.76.76 32 GigabitEthernet0/0 223.X.X.225 description NqaTrack
ip route-static 180.76.76.76 32 Dialer1 description NqaTrack
#
info-center source CFGLOG loghost level informational
#
performance-management
#
time-range 6-7 00:00 to 24:00 off-day
#
ntp-service enable
ntp-service unicast-server ***.***
ntp-service unicast-server ***.***
ntp-service unicast-server ***.***
ntp-service unicast-server ***.***
ntp-service unicast-server ***.***
ntp-service unicast-server ***.***
ntp-service unicast-server ***.***
ntp-service unicast-server ***.***
#
acl basic name connlimitAcl_29161_ip
rule 65534 permit source object-group connlimitObjGrp_29161
#
acl basic name connlimitAcl_45885_ip
rule 65534 permit source object-group connlimitObjGrp_45885
#
acl advanced name WebPing3
rule 1 deny icmp icmp-type echo
#
acl advanced name connlimitAcl_29161_tcp
rule 65534 permit tcp source object-group connlimitObjGrp_29161
#
acl advanced name connlimitAcl_29161_udp
rule 65534 permit udp source object-group connlimitObjGrp_29161
#
acl advanced name connlimitAcl_45885_tcp
rule 65534 permit tcp source object-group connlimitObjGrp_45885
#
acl advanced name connlimitAcl_45885_udp
rule 65534 permit udp source object-group connlimitObjGrp_45885
#
acl mac 4999
#
password-control enable
undo password-control aging enable
undo password-control history enable
password-control length 6
password-control login-attempt 3 exceed lock-time 10
password-control update-interval 0
password-control login idle-time 0
#
domain system
#
domain default enable system
#
security-enhanced level 1
#
ssl version gm-tls1.1 disable
undo ssl renegotiation disable
undo ssl version ssl3.0 disable
undo ssl version tls1.0 disable
undo ssl version tls1.1 disable
undo ssl version tls1.2 disable
undo ssl version tls1.3 disable
#
connection-limit apply global policy 32
#
connection-limit policy 32
limit 1 acl name connlimitAcl_29161_ip per-source amount 3000 2999
limit 2 acl name connlimitAcl_29161_tcp per-source amount 1900 1899
limit 3 acl name connlimitAcl_29161_udp per-source amount 1900 1899
limit 4 acl name connlimitAcl_45885_ip per-source amount 3000 2999
limit 5 acl name connlimitAcl_45885_tcp per-source amount 1900 1899
limit 6 acl name connlimitAcl_45885_udp per-source amount 1900 1899
#
ip http port 10080
ip https port 10081
ip http enable
ip https enable
web idle-timeout 30
#
attack-defense policy AtkInterface3
scan detect level high action logging block-source
syn-flood detect non-specific
syn-flood action logging drop
icmp-flood detect non-specific
icmp-flood action logging drop
signature detect land action drop logging
signature detect fraggle action drop logging
#
attack-defense policy AtkInterface17415
scan detect level high action logging block-source
syn-flood detect non-specific
syn-flood action logging drop
icmp-flood detect non-specific
icmp-flood action logging drop
signature detect land action drop logging
signature detect fraggle action drop logging
#
url-filter category custom severity 65535
#
return
(0)
亲~登录后才可以操作哦!
确定你的邮箱还未认证,请认证邮箱或绑定手机后进行当前操作
举报
×
侵犯我的权益
×
侵犯了我企业的权益
×
抄袭了我的内容
×
原文链接或出处
诽谤我
×
对根叔社区有害的内容
×
不规范转载
×
举报说明
暂无评论