Hello everyone!
In our company we have been gradually moving to Mikrotik hardware over the past two years. The central nodes are built on the CCR1072, while the branch offices' access points run on simpler devices. Naturally, we also join the sites over IPsec tunnels; in that case the configuration is simple and straightforward thanks to the wealth of material available online. Remote-access connections, however, come with a few problems: the vendor's wiki describes how to use the Shrew Soft VPN client (as if this setup were self-explanatory), and this is the client used by 99% of our remote-access users; the remaining 1% is me. I did not want to bother entering my username and password every time, and I wanted a quieter, more comfortable experience with proper connectivity to the work networks. I could not find any guide to configuring a Mikrotik for the case where it sits not behind a public (white) address but behind a deeply grey (private, NATed) one, possibly with several layers of NAT on the way. So I had to experiment, and I invite you to have a look at the results.
Given:
- CCR1072 as the central router, version 6.44.1
- CAP ac as the home access point, version 6.44.1
The key feature of the setup is that the PC and the Mikrotik sit on the same network, using the single address issued by the central 1072.
On to the configuration:
1. Naturally, Fasttrack is enabled, but since fasttrack does not get along with VPN, the VPN traffic has to be excluded from it.
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec
2. Allow traffic between the home and work networks
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.77.0/24
3. Create the identity for the user connection
/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=<shared key> xauth-login=username xauth-password=password
4. Create the IPsec proposal
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
5. Create the IPsec policies
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
6. Create the IPsec profile
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
7. Create the IPsec peer
/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=profile_88
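The RouterOS configuration above cannot be executed outside a router, so here is an added Python check (not from the original post) that parses an export written in the form shown above and verifies the two points steps 1 and 4 hinge on: the fasttrack rule must exclude the connection mark that the mangle rules attach to IPsec traffic, and the proposal is flagged where it relies on 3DES (a legacy cipher that RouterOS still accepts) or turns PFS off. SAMPLE_EXPORT is constructed from the post's own rules, not a dump from a real device.

```python
"""Audit a RouterOS export for the two points this setup depends on: the
fasttrack rule must exclude the IPsec mark; the proposal should not use
legacy ciphers or drop PFS.  SAMPLE_EXPORT is built from the post's rules."""
import shlex
WEAK_CIPHERS = {"3des", "des", "blowfish", "null"}  # legacy / deprecated
SAMPLE_EXPORT = r"""
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=\
in,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
"""

def parse_export(text):
    """Return (menu, verb, params) triples; a trailing backslash joins a
    line with the next, the way a real /export wraps long lines."""
    items, menu, buf = [], None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):           # continuation line
            buf = line[:-1]
            continue
        buf = ""
        if line.startswith("/"):
            menu = line
        elif line:
            verb, *tokens = shlex.split(line)  # keeps "quoted comment" whole
            items.append((menu, verb, dict(t.partition("=")[::2] for t in tokens)))
    return items

def audit(text):
    items = parse_export(text)
    # connection marks that mangle attaches to traffic matching an IPsec policy
    ipsec_marks = {p["new-connection-mark"] for m, _, p in items
                   if m == "/ip firewall mangle" and "ipsec-policy" in p
                   and "new-connection-mark" in p}
    findings = []
    for menu, _, p in items:
        if menu == "/ip firewall filter" and p.get("action") == "fasttrack-connection":
            mark = p.get("connection-mark", "")
            if not (mark.startswith("!") and mark[1:] in ipsec_marks):
                findings.append("fasttrack rule does not exclude the IPsec connection mark")
        elif menu == "/ip ipsec proposal":
            weak = sorted(set(p.get("enc-algorithms", "").split(",")) & WEAK_CIPHERS)
            if weak:
                findings.append(f"proposal {p.get('name')} uses legacy cipher(s): {','.join(weak)}")
            if p.get("pfs-group") == "none":
                findings.append(f"proposal {p.get('name')} has PFS disabled")
    return findings  # empty list means both checks pass
```

Running `audit(SAMPLE_EXPORT)` passes the fasttrack check and reports the 3DES and no-PFS findings; paste the output of `/export` from a router in place of the sample to audit a real configuration.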
Now for a small trick. Since I did not want to change the settings on every device in my home network, I had to put DHCP on the same network, but it turned out that Mikrotik does not let you put more than one DHCP server on a bridge, so I found a workaround: for the one laptop I created a DHCP lease with manual parameters, and since netmask, gateway and DNS are defined as DHCP options, I specified them by hand.
1. DHCP options
/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"
2. DHCP lease
/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>
The configuration on the 1072 side is otherwise standard; the only difference is that, with the settings shown, the client's IP address is assigned manually rather than from the pool. For ordinary PC clients the subnet is the same as in the Wiki setup, 192.168.55.0/24.
This setup means the PC does not need any third-party software, and the router brings the tunnel up by itself whenever it is needed. The load on the CAP ac client side is very small: 8-11% at a throughput of 9-10 MB/s through the tunnel.
All settings were made via Winbox, although they can just as well be done from the console.
Source: www.habr.com
