Mikrotik. IPsec VPN behind NAT as a client

Good day, everyone!

It so happened that over the past two years our company has been gradually moving to MikroTik. The core nodes are built on the CCR1072, and the home access points for computers are on simpler devices. Of course, there is also site-to-site networking over an IPsec tunnel; in that case the setup is simple and causes no problems, since there is plenty of material about it online. But there were problems with mobile client connections: the manufacturer's wiki tells you how to use the Shrew Soft VPN client (everything seems clear with that setup), and that client is what 99% of remote users use. The remaining 1% is me: I was simply too lazy to enter a username and password into the client every time, and I wanted a comfortable spot on the couch with a proper connection to the work network. I found no instructions for configuring a MikroTik for the situation when you are not just behind a grey address but entirely behind a black one, and perhaps even behind several NATs along the way. So I had to improvise, and I therefore suggest having a look at the result.

Given:

  1. CCR1072 as the main device. Firmware 6.44.1
  2. cAP ac as the home access point. Firmware 6.44.1

The main peculiarity of the setup is that the PC and the MikroTik must be on the same network with the same address, which is issued by the main 1072.

Let's move on to the settings:

1. Naturally we have Fasttrack enabled, but since Fasttrack is incompatible with VPN, we have to separate the traffic.

/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec

2. Add the pass-through of the networks between home and work

/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.77.0/24

3. Create the user's connection identity

/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret="<shared key>" xauth-login=username xauth-password=password

4. Create the IPsec proposal

/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none

5. Create the IPsec policies

/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes

6. Create the IPsec profile

/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246

7. Create the IPsec peer

/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=profile_88

Now for some simple magic. Since I really did not want to change the settings on all the devices in the home network, I had to keep DHCP on a single network; the trouble is that MikroTik does not let you attach more than one address pool to one bridge. So for the workstation, i.e. the laptop, I simply created a DHCP lease with manual parameters, and since netmask, gateway and DNS also have option codes in DHCP, I specified them by hand.

1. DHCP options

/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"

2. DHCP lease

/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>

At the same time, the configuration of the 1072 is quite basic: only when issuing an IP address to the client do the settings specify that the manually entered IP address, not one from the pool, is to be issued. For ordinary PC clients the network is the same as in the wiki setup, 192.168.55.0/24.

Such a setup lets the PC connect without any third-party software, and the tunnel itself is brought up by the router when needed. The load on the client cAP ac is almost negligible: 8-11% at 9-10 MB/s through the tunnel.

All settings were made via Winbox, although they could be done just as well from the console.

source: www.habr.com
