Unblocking sites with MikroTik and a VPN: a step-by-step guide

In this step-by-step guide I will show how to configure MikroTik so that blocked sites are opened automatically through a VPN, with no further fiddling: set it up once and everything works.

I chose SoftEther as the VPN: it is as easy to set up as RRAS and just as fast. On the VPN server side I can use SecureNAT; nothing else needs to be done there.

I considered RRAS as an alternative, but MikroTik does not know how to work with it. The connection is established and the VPN works, but MikroTik cannot keep the connection up without reconnects and errors in the log.

The setup was done on an RB3011UiAS-RM running firmware version 6.46.11.
Now, in order: what to do and why.

1. Setting up the VPN connection

As noted, the VPN solution chosen was SoftEther: L2TP with a pre-shared key (L2TP/IPsec). For this purpose that level of security is sufficient, because only the router and its owner know the key. Keep in mind that a pre-shared key is the weakest of the IPsec authentication options, so use a long random secret rather than a short word like the placeholder in the command below.

Go to the Interfaces section. First add a new L2TP Client interface, then enter the server IP, login, password and the pre-shared key in the interface dialog. Click OK.

The equivalent command:

/interface l2tp-client
add name="LD8" connect-to=45.134.254.112 user="Administrator" password="PASSWORD" profile=default-encryption use-ipsec=yes ipsec-secret="vpn"

SoftEther works without any changes to the IPsec proposals or IPsec profiles, so we do not configure them; the author left those settings at their defaults (the original article includes screenshots of them for reference).

For RRAS, in IPsec Proposals, just change the PFS Group to none.

Now the clients need to be put behind NAT on this VPN connection. To do that, go to IP > Firewall > NAT.

Here we enable masquerade either for a specific PPP interface or for all PPP interfaces. The author's router connects to three VPNs at once, so I did it like this:

The equivalent command:

/ip firewall nat
add chain=srcnat action=masquerade out-interface=all-ppp

2. Adding Mangle rules

The first thing I wanted to protect, naturally, was the traffic that is both most valuable and least protected: plaintext DNS and HTTP, which is exactly what a provider's filtering equipment inspects and tampers with. Let's start with HTTP.

Go to IP → Firewall → Mangle and create a new rule.

In the rule, for Chain, select prerouting.

If there is a Smart SFP or another router in front of your router and you want to reach it through its web interface, enter its IP address or subnet in the Dst. Address field and negate it (the exclamation mark), so the mangle rule does not apply to that address or subnet. The author has a GPON ONU SFP in bridge mode, so the author kept the ability to reach its web interface.

By default mangle applies the rule to connections in every NAT state, which breaks port forwarding to your public (white) IP: routing marks set in prerouting also hit inbound connections that are being dstnat-ed, and those would then be pushed into the tunnel instead of being delivered to the internal host. So in Connection NAT State we select dstnat and negate it. This sends outbound Internet traffic over the VPN while the forwarded ports keep working via our own public IP.

Then, on the Action tab, select mark routing and give the New Routing Mark a name we will recognize later when we create the routes.

The equivalent command:

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=HTTP passthrough=no connection-nat-state=!dstnat protocol=tcp dst-address=!192.168.1.1 dst-port=80

Now let's move on to protecting DNS. Here two rules are needed: one for the router itself, the other for the clients behind the router.

If you use the DNS resolver built into the router, as the author does, its queries need protecting too. So for the first rule, as above, we select the prerouting chain; for the second we need to select output.

Output is the chain traversed by packets the router generates itself, such as its own resolver queries. Everything else is the same as for HTTP: protocol UDP, port 53.

The equivalent commands (the prerouting rule must carry dst-port=53; without it every UDP flow from the LAN would be diverted into the tunnel):

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=DNS passthrough=no protocol=udp dst-port=53
add chain=output action=mark-routing new-routing-mark=DNS-Router passthrough=no protocol=udp dst-port=53

3. Building a route through the VPN

Go to IP → Routes and create the new routes.

First, the route that sends HTTP over the VPN. Specify the name of our VPN interface as the gateway and select the Routing Mark.

At this point you will already notice that your provider has stopped injecting ads into your HTTP traffic.

The equivalent command:

/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=HTTP distance=2 comment=HTTP

The routes for protecting DNS look the same; just select the required mark:

After that you will notice that your DNS queries are no longer being intercepted. The equivalent commands:

/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS distance=1 comment=DNS
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS-Router distance=1 comment=DNS-Router

And finally, let's unblock Rutracker. It owns a whole subnet, so the route is for the subnet, with no routing mark at all: any traffic to it, HTTPS included, goes through the tunnel.

That is how easy it is to get your Internet back. The command:

/ip route
add dst-address=195.82.146.0/24 gateway=LD8 distance=1 comment=Rutracker.Org

In the same way as for Rutracker, you can route corporate resources and other sites through the VPN.
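The three steps above, gathered into one paste-able RouterOS 6.x script together with the checks you should run afterwards. This is an added consolidated example, not a block from the original article: the server address 203.0.113.10, the password and pre-shared key placeholders, and the connection-nat-state=!dstnat match on the client DNS rule (added for consistency with the HTTP rule) are assumptions; the ONU address 192.168.1.1, the interface name LD8 and the Rutracker subnet are taken from the guide.

```routeros
# Added consolidated example of the whole policy-routing setup from this guide.
# Assumptions (not from the article): VPN server 203.0.113.10, long random
# password and PSK placeholders, !dstnat on the client DNS rule.

# --- 1. L2TP/IPsec client to the SoftEther server ---
/interface l2tp-client
add name=LD8 connect-to=203.0.113.10 user=Administrator \
    password="use-a-long-random-password" profile=default-encryption \
    use-ipsec=yes ipsec-secret="use-a-long-random-psk" \
    add-default-route=no disabled=no comment="SoftEther L2TP/IPsec"

# --- masquerade LAN clients behind every PPP tunnel ---
/ip firewall nat
add chain=srcnat action=masquerade out-interface=all-ppp comment="NAT via VPN"

# --- 2. mangle: select what enters the tunnel ---
/ip firewall mangle
# Plain HTTP from the LAN, except traffic to the ONU's web UI (192.168.1.1)
# and except inbound port-forwarded (dstnat) connections, which must keep
# using the public IP they arrived on.
add chain=prerouting action=mark-routing new-routing-mark=HTTP passthrough=no \
    protocol=tcp dst-port=80 dst-address=!192.168.1.1 \
    connection-nat-state=!dstnat comment="HTTP via VPN"
# DNS from LAN clients that query an external resolver directly.
# dst-port=53 is essential: without it every UDP flow (VoIP, games, QUIC)
# from the LAN would be diverted into the tunnel.
add chain=prerouting action=mark-routing new-routing-mark=DNS passthrough=no \
    protocol=udp dst-port=53 connection-nat-state=!dstnat comment="DNS via VPN"
# The router's own resolver queries traverse the output chain, not prerouting.
add chain=output action=mark-routing new-routing-mark=DNS-Router \
    passthrough=no protocol=udp dst-port=53 comment="Router DNS via VPN"

# --- 3. routes: one default route per routing mark, plus a plain static route ---
/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=HTTP distance=2 comment=HTTP
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS distance=1 comment=DNS
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS-Router distance=1 \
    comment=DNS-Router
# Unmarked route: everything to this subnet, HTTPS included, uses the tunnel.
add dst-address=195.82.146.0/24 gateway=LD8 distance=1 comment=Rutracker.Org

# --- checks ---
# Is the tunnel up and holding an address?
/interface l2tp-client monitor LD8 once
# Is the route in each marked table active (flag A)? If LD8 is down the
# marked traffic has no route and is dropped rather than leaking via the ISP.
/ip route print where routing-mark=HTTP
/ip route print where routing-mark=DNS
# Do the mangle counters grow when a LAN client opens an http:// page?
/ip firewall mangle print stats
# Does a lookup in the marked table really leave through the tunnel?
/ping 1.1.1.1 routing-table=DNS count=3
```

Two caveats a reader should keep in mind. First, only TCP/80 and UDP/53 are marked: HTTPS and any other protocol still leave through the provider unless, as with the Rutracker subnet, a plain static route sends the destination through the tunnel. Second, DNS also uses TCP/53 for large responses and for zone-style transfers; the guide's rules cover UDP only, so add a matching protocol=tcp rule if you observe truncated-response fallback on the LAN.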

The author hopes you will appreciate the convenience of reaching both Rutracker and the corporate portal at the same time, without any extra effort.


Source: www.habr.com
