MikroTik: IPsec VPN behind NAT as a client

Good day, everyone!

It so happened that at our company we have been gradually moving to MikroTik hardware over the past two years. The main devices are built on the CCR1072, while the local access points run on simpler devices. Naturally, we also provide site-to-site connectivity through IPsec tunnels; in that case the setup is simple and straightforward, thanks to the abundance of resources available online. Connecting mobile clients, however, poses some challenges: the vendor wiki describes how to use the Shrew Soft VPN client (that setup is about as self-explanatory as it gets), and that is the client used by 99% of our remote-access users; the remaining 1% is me. I simply could not be bothered to enter my login and password every time, and I wanted the relaxed, couch-potato experience of a stable, effortless connection to the work networks. I could not find any instructions for configuring a MikroTik for the case where it is not merely behind a private address but behind a "grey" one altogether (no public IP at all), possibly even with several layers of NAT on the path. So I had to tinker, and I suggest you take a look at the result.

What we have:

  1. CCR1072 as the main device. Firmware 6.44.1
  2. cAP ac as the home access point. Firmware 6.44.1

The key feature of the setup is that the PC and the MikroTik must be in the same subnet, using the same addresses that the central 1072 hands out.

On to the configuration:

1. Naturally we have FastTrack enabled, but since FastTrack is not compatible with IPsec, the tunnel traffic has to be excluded from it: mark every connection that matches an IPsec policy in either direction, and FastTrack only connections that carry no such mark.

/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=
    in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=
    out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec

2. Allow traffic between the home and work networks in the raw table (an accept in raw stops further raw processing for those packets; the two rules for 192.168.55.0/24 and 10.7.78.0/24 are present but disabled):

/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 
    src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 
    src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.77.0/24

3. Create the user's IPsec identity (PSK plus XAuth login). Note that both the pre-shared key and the XAuth password live in the router's configuration, so treat the config and its exports as secrets:

/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=
    "<shared key>" xauth-login=username xauth-password=password

4. Create the IPsec proposal. The proposal has to match what the 1072 offers; 3DES and pfs-group=none are the weak choices here, so if you control both ends, prefer AES and a PFS group:

/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none

5. Create the IPsec policies (one per work subnet; sa-src-address=0.0.0.0 because the cAP ac has no fixed public address of its own):

/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes

6. Create the IPsec profile. Only profile_88 is referenced by the peer below, and it is created with the default values; profile_1 and profile246 are also present in the export but are not used by this peer:

/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246

7. Create the IPsec peer:

/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router's address> name=CO profile=
    profile_88

Now for a bit of simple magic. Since I really did not want to change the settings on every device in the home network, I had to keep DHCP on a single network; the trouble is that MikroTik does not let you hang more than one address pool on one bridge. So for the workstation, i.e. the laptop, I simply created a DHCP lease with manually set parameters, and since netmask, gateway and DNS also have option codes in DHCP, I specified them by hand.

1. DHCP options

/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"

2. DHCP lease

/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=
    option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>

The 1072 side, meanwhile, is configured essentially as in the wiki article; the only difference is that the address handed out to this client is the manually entered one rather than one from the pool. Ordinary PC clients get the same network as in the wiki setup, 192.168.55.0/24.
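The post does not show how to confirm that the tunnel is actually carrying the laptop's traffic, nor what a stronger proposal looks like. The following is an added example, not part of the original post: the post's weak proposal beside a hardened profile/proposal pair (the names with the hard- prefix are assumptions, and the 1072 must offer the same algorithms or IKE negotiation fails), followed by the checks to run on the cAP ac once the laptop has sent a packet towards 10.7.76.0/24. The addresses 10.7.76.1 and 192.168.33.1 are assumed to be a reachable host on the work side and the home router's own LAN address.

```routeros
# Added example, not from the original post. The "hard-" names and the
# addresses 10.7.76.1 / 192.168.33.1 are assumptions for illustration.

# --- Weak settings as used in the post (3DES, no PFS, 5-minute lifetime) ---
/ip ipsec proposal
add name=prop1 enc-algorithms=3des pfs-group=none lifetime=5m

# --- Hardened equivalent: AES-256, SHA-256, 2048-bit DH, PFS, DPD enabled ---
# The 1072 must offer the same algorithms, otherwise phase 1 or phase 2 fails.
/ip ipsec profile
add name=hard-profile enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 dpd-interval=30s nat-traversal=yes
/ip ipsec proposal
add name=hard-prop enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=30m
# Swap them in for the peer and policies created in the post
/ip ipsec peer set [ find name=CO ] profile=hard-profile
/ip ipsec policy set [ find proposal=prop1 ] proposal=hard-prop

# --- Checks after the laptop sends a packet towards 10.7.76.0/24 ---
# Log IKE negotiation (without per-packet noise) so failures are visible
/system logging add topics=ipsec,!packet action=memory
# Phase 1: is the 1072 listed as an established peer?
/ip ipsec active-peers print
# Phase 2: are SAs installed in both directions?
/ip ipsec installed-sa print
# Policy flags: A = active; a policy without A is not matching any SA
/ip ipsec policy print detail
# Did the mangle rules catch the tunnel traffic, i.e. is it NOT fasttracked?
/ip firewall connection print where connection-mark=ipsec
/ip firewall filter print stats where action=fasttrack-connection
# Did the laptop receive the manually configured lease?
/ip dhcp-server lease print where address=192.168.33.4
# Push a packet through the tunnel from the router's own LAN address
/ping 10.7.76.1 src-address=192.168.33.1 count=3
```

If `active-peers` is empty, the IKE log lines will usually name the mismatch (proposal, DH group, PSK). If the SAs exist but the ping from 192.168.33.1 fails while the laptop works, the router's own address is outside the policy source range; if the fasttrack counter keeps growing while the tunnel is in use, the mangle marks are not being applied before the FastTrack rule.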

This setup lets you connect the PC without any third-party software, and the tunnel itself is brought up by the router on demand. The load on the client cAP ac is almost negligible: 8 to 11% at 9 to 10 MB/s through the tunnel.

All the configuration was done through Winbox, although it can be done just as well from the console.

source: www.habr.com
