MikroTik. IPsec VPN behind NAT as a client

Good day, everyone!

It just so happened that over the past two years our company gradually switched to MikroTik. The main nodes are built on the CCR1072, and the smaller local sites run on simpler devices. Naturally, the sites are joined over an IPsec tunnel; in that case the setup is simple and trouble-free, because there is plenty of material on the web. But there are some problems with connecting clients: the vendor's wiki tells you how to use the Shrew Soft VPN client (it seems everyone is familiar with that setup), and that is the client used by 99% of remote users. I am the 1%: I was simply too lazy to type the login and password into the client every time, and I wanted to lie lazily on the bed and still be connected to the work networks. I could not find instructions for configuring a MikroTik for the case where it sits not behind a public ("white") IP but behind a private ("grey") one, or behind several layers of NAT. So I had to work it out myself, and I invite you to look at the result.

Given:

  1. CCR1072 as the main router, version 6.44.1
  2. cAP ac as the home access point, version 6.44.1

The main feature of the setup is that the PC and the MikroTik sit on the same network with a single address plan, issued by the main 1072.

On to the settings:

1. Naturally, we enable Fasttrack, but since Fasttrack does not get along with VPN, we have to keep the IPsec traffic out of it.

/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=
    in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=
    out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec

2. Add forwarding of the networks from/to home and work

/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 
    src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 
    src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.77.0/24

3. Create the user identity

/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=
    общий ключ xauth-login=username xauth-password=password

4. Create the IPsec proposal

/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none

5. Create the IPsec policy

/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes

6. Create the IPsec profile

/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246

7. Create the IPsec peer

/ip ipsec peer
add address=<white IP 1072>/32 local-address=<ваш адрес роутера> name=CO profile=
    profile_88
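
The proposal and profiles above keep several settings a reviewer would flag today (3DES, modp1024, pfs-group=none, DPD disabled), so here is an added Python audit script that is not part of the original post: it unwraps the continuation lines of a RouterOS export, parses each add/set command and lists the weak values. The sample export is constructed from the post's own values, and the export line-wrapping rule (a break after `=` or after a space) is an assumption.

```python
import re
# Constructed sample in RouterOS export format (long commands wrap onto indented
# continuation lines); the values mirror the post's proposal and profiles.
SAMPLE_EXPORT = """\
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
"""
# Settings a reviewer flags: legacy ciphers, small DH groups, no PFS, and DPD off.
WEAK_VALUES = {
    "enc-algorithms": {"3des", "des"},  # phase 2 (proposal)
    "enc-algorithm": {"3des", "des"},   # phase 1 (profile)
    "dh-group": {"modp768", "modp1024"},
    "pfs-group": {"none", "modp1024"},
    "dpd-interval": {"disable-dpd"},
}

def unwrap(text):
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" "):  # continuation; export breaks after '=' or a space
            lines[-1] += ("" if lines[-1].endswith("=") else " ") + raw.strip()
        elif raw.strip():
            lines.append(raw.rstrip())
    return lines

def parse(lines):
    # Yield (section, {attribute: value}) per add/set command, quotes stripped.
    section = ""
    for line in lines:
        if line.startswith("/"):
            section = line
        m = re.match(r"(add|set)\s+(\[.*?\]\s+)?(.*)", line)
        if m:
            attrs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', m.group(3))
            yield section, {k: v.strip('"') for k, v in attrs}

def audit(text):
    # Return "section name: key=weak-values" for every flagged setting.
    findings = []
    for section, attrs in parse(unwrap(text)):
        name = attrs.get("name", "default")
        for key, weak in WEAK_VALUES.items():
            hits = sorted(set(attrs.get(key, "").split(",")) & weak)
            if hits:
                findings.append(f"{section} {name}: {key}={','.join(hits)}")
    return findings
```

Feed it the output of `/ip ipsec export` from the router; an empty list means none of the tabled values were found.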

Now for a small trick. Since I did not want to change the settings on every device in my home network, I needed to run DHCP on the same network, but it turns out that MikroTik does not let you put more than one DHCP server on a bridge. So I found a workaround: for one laptop I created a DHCP lease with manual settings, and since the netmask, gateway and DNS are taken from DHCP options, I specified them by hand.

1. DHCP option

/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"

2. DHCP lease

/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=
    option1-netmask,option3-gateway,option6-dns mac-address=<MAC адрес ноутбука>

On the 1072 side the configuration is standard; the only difference is that for a client with the settings shown above the IP address is issued manually rather than from the pool. For ordinary PC clients the subnet is the same as in the wiki setup, 192.168.55.0/24.

This setup lets you avoid connecting the PC through third-party programs, and the router brings the tunnel up itself as needed. The load on the cAP ac client is very small, 8-11% at 9-10 MB/s through the tunnel.

All settings were made via Winbox, although they can be done just as successfully from the console.

Source: www.habr.com
