Unblocking the Internet with Mikrotik and a VPN: a complete tutorial

In this step-by-step guide I'll show how to set up a Mikrotik so that blocked sites open automatically through a VPN, with no more dancing with a tambourine: set it up once and everything just works.

I chose SoftEther as my VPN: it is as easy to set up as RRAS and just as fast. I enabled Secure NAT on the VPN server side; no other settings were changed.

I considered RRAS as an alternative, but Mikrotik doesn't know how to work with it properly. The connection is established and the VPN works, but Mikrotik cannot keep the connection up without reconnects and errors in the log.

The setup was done on an RB3011UiAS-RM running firmware version 6.46.11.
Now, in order: what and why.

1. Setting up the VPN connection

As the VPN solution, of course, SoftEther was chosen, connected over L2TP with a pre-shared IPsec key. This level of security is enough for a home setup, since only the router and the server's owner know the key. Keep in mind that the pre-shared key is what authenticates the IPsec peers, so it should be a long random string rather than a short word (the command below uses a placeholder), and a key handed out to many users protects nothing from the other holders of that key.

Go to the Interfaces section. First add a new L2TP Client interface, then fill in the server IP, login, password and the shared key in the fields. Click OK.

The same as a command:

/interface l2tp-client
# replace PASSWORD and the ipsec-secret placeholder with strong, random values
add name="LD8" connect-to=45.134.254.112 user="Administrator" password="PASSWORD" profile=default-encryption use-ipsec=yes ipsec-secret="vpn"

SoftEther works without changing the IPsec proposals and IPsec profiles, so we don't touch their settings; the original post includes screenshots of the author's profiles just in case.

For RRAS, in the IPsec proposal just change the PFS Group to none.

Now you need to sit behind this VPN server's NAT. To do that, go to IP > Firewall > NAT.

Here we enable masquerade for a specific PPP interface, or for all of them. The author's router is connected to three VPNs at once, so it was done like this:

The same as a command:

/ip firewall nat
add chain=srcnat action=masquerade out-interface=all-ppp

2. Adding rules to Mangle

The first thing you want to protect, of course, is the most exposed and least secure traffic, namely DNS and plain HTTP. Let's start with HTTP.

Go to IP → Firewall → Mangle and create a new rule.

In the rule, choose prerouting as the Chain.

If there is a Smart SFP module or another router in front of your router and you want to reach its web interface, enter its IP address or subnet in Dst. Address and tick the negate flag so the Mangle rule is not applied to that address or subnet. The author has an SFP GPON ONU in bridge mode, which is how he kept access to its web interface.

By default the Mangle rule would apply to all NAT states, which would make port forwarding on your public (white) IP impossible, so in Connection NAT State tick dstnat and the negate flag. That lets us send outgoing traffic through the VPN while still forwarding ports through our own public IP.

Next, on the Action tab, choose mark routing, give the New Routing Mark a name that will be clear to us later, and continue.

The same as a command:

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=HTTP passthrough=no connection-nat-state=!dstnat protocol=tcp dst-address=!192.168.1.1 dst-port=80

Now let's move on to protecting DNS. Here you need to create two rules: one for the devices connected to the router, the other for the router itself.

If you use the DNS resolver built into the router, as the author does, it also needs protecting. So for the first rule, as above, we choose the prerouting chain; for the second we need to choose output.

Output is the chain the router itself traverses for requests made by its own services. Everything else is the same as for HTTP: protocol UDP, port 53.

The same as commands:

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=DNS passthrough=no protocol=udp dst-port=53
add chain=output action=mark-routing new-routing-mark=DNS-Router passthrough=no protocol=udp dst-port=53
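The prerouting rules above have a side effect worth closing before going live: the routing mark is applied before the router decides whether a packet is for itself or for another LAN host, so a client whose DNS server is the router, or a LAN device reached on port 80, produces a packet that matches the marked table's default route instead of being delivered locally. The ruleset below is an added example, not the author's configuration. It assumes a LAN of 192.168.88.0/24 behind an interface called bridge, keeps the HTTP, DNS and DNS-Router marks so the routes in step 3 stay unchanged, excludes traffic addressed to the router itself (dst-address-type=local) and to a LAN address list, and gives the DNS rules the same !dstnat exception the HTTP rule already has.

```routeros
# Added example (not the original post's configuration).
# Assumptions: LAN subnet 192.168.88.0/24, LAN interface "bridge",
# routing marks HTTP / DNS / DNS-Router as in the article.

/ip firewall address-list
add list=LAN address=192.168.88.0/24 comment="local subnet, never sent to the VPN"

/ip firewall mangle
# Compare with the article's prerouting DNS rule:
#   weak : chain=prerouting protocol=udp            (no port, no local exclusion)
#   fixed: dst-port=53 dst-address-type=!local dst-address-list=!LAN in-interface=bridge
add chain=prerouting in-interface=bridge protocol=udp dst-port=53 \
    dst-address-type=!local dst-address-list=!LAN connection-nat-state=!dstnat \
    action=mark-routing new-routing-mark=DNS passthrough=no \
    comment="LAN clients' DNS to external resolvers -> VPN"
add chain=prerouting in-interface=bridge protocol=tcp dst-port=80 \
    dst-address-type=!local dst-address-list=!LAN connection-nat-state=!dstnat \
    action=mark-routing new-routing-mark=HTTP passthrough=no \
    comment="LAN clients' plain HTTP -> VPN (router and LAN excluded)"
# The router's own resolver: output chain, only queries to non-local servers
add chain=output protocol=udp dst-port=53 dst-address-type=!local \
    action=mark-routing new-routing-mark=DNS-Router passthrough=no \
    comment="router's own DNS queries -> VPN"
```

After adding the rules, run /ip firewall mangle print stats and generate a DNS lookup and a plain-HTTP request from a LAN client: the packet counters of the two prerouting rules should move, while a browser session to the router's own web interface should not touch them. The in-interface=bridge match also keeps the rules from marking traffic that arrives from the WAN or from the tunnel itself.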

3. Building routes through the VPN

Go to IP → Routes and create the new routes.

The route for HTTP through the VPN: set the gateway to the name of our VPN interface and choose the Routing Mark.

At this point you can already feel how your ISP has stopped injecting ads into your HTTP traffic.

The same as a command:

/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=HTTP distance=2 comment=HTTP

The routes for protecting DNS look exactly the same, only with the corresponding mark:

Here you can feel how your DNS queries have stopped being eavesdropped on. The same as commands:

/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS distance=1 comment=DNS
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS-Router distance=1 comment=DNS-Router

Well, finally, let's unblock Rutracker. It owns an entire subnet, so the subnet is what we specify.

That's how easily the Internet was brought back. The command:

/ip route
add dst-address=195.82.146.0/24 gateway=LD8 distance=1 comment=Rutracker.Org

In the same way as the tracker's subnet, you can route corporate resources and any other blocked sites.
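A subnet route works for a site like Rutracker that owns a whole /24, but most blocked or corporate resources sit on shared hosting or change addresses. The configuration below is an added example, not the author's, that generalizes the step 3 route: destinations go into an address list (RouterOS resolves a hostname entry and keeps the resulting dynamic addresses refreshed per DNS TTL), one mangle rule marks traffic to anything on that list, and one route sends marked traffic into the tunnel. It also adds the kill-switch the original routes lack: a lower-priority blackhole route in each marked table, so that if LD8 goes down, marked traffic is dropped instead of silently falling back to the main table and leaving through the ISP. The list and mark name VIA-VPN and the corporate hostname are assumptions; LD8 and the marks HTTP, DNS and DNS-Router come from the article.

```routeros
# Added example (not the original post's configuration).
# Assumes the L2TP client interface "LD8" from step 1 and the marks from step 3.

/ip firewall address-list
# static subnet, exactly as in the article's route
add list=VIA-VPN address=195.82.146.0/24 comment="Rutracker.Org"
# hostnames: RouterOS resolves these and adds dynamic entries refreshed per TTL
add list=VIA-VPN address=rutracker.org comment="resolved dynamically"
add list=VIA-VPN address=portal.example.corp comment="assumed corporate portal (placeholder)"

/ip firewall mangle
add chain=prerouting dst-address-list=VIA-VPN connection-nat-state=!dstnat \
    action=mark-routing new-routing-mark=VIA-VPN passthrough=no \
    comment="anything on the VIA-VPN list -> tunnel"

/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=VIA-VPN distance=1 comment="VIA-VPN via tunnel"
# kill-switch: when LD8 is down its gateway route becomes inactive and the blackhole
# route (higher distance) wins, dropping marked traffic instead of leaking it to the ISP
add dst-address=0.0.0.0/0 type=blackhole routing-mark=VIA-VPN distance=10 comment="VIA-VPN kill-switch"
add dst-address=0.0.0.0/0 type=blackhole routing-mark=HTTP distance=10 comment="HTTP kill-switch"
add dst-address=0.0.0.0/0 type=blackhole routing-mark=DNS distance=10 comment="DNS kill-switch"
add dst-address=0.0.0.0/0 type=blackhole routing-mark=DNS-Router distance=10 comment="DNS-Router kill-switch"
```

Check the result with /ip firewall address-list print where list=VIA-VPN (the hostname entries should have spawned dynamic addresses) and /ip route print where routing-mark=VIA-VPN. With the blackhole routes in place, /interface l2tp-client disable LD8 should make the listed destinations unreachable rather than reachable through the ISP; re-enable it and the gateway route takes over again. The tunnel itself is unaffected by the DNS-Router blackhole because connect-to in step 1 is an IP address, not a name. On RouterOS 7 the marked tables have to exist before the routes are added (/routing table add name=VIA-VPN fib, and likewise for the other marks); on the 6.46 firmware used here they are created implicitly.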

The author hopes you will appreciate the convenience of reaching the tracker and the corporate portal at the same time without taking off your bathrobe.


source: www.habr.com
