Good day to all!
It just so happens that at our company we have been gradually migrating to MikroTik hardware over the past two years. The core nodes are built on the CCR1072, while the access points on the local network run on simpler devices. Naturally, we also joined the sites together over IPsec tunnels; that part of the setup is simple and straightforward, thanks to the many guides available online. Connecting mobile clients, however, has its subtleties: the vendor's wiki describes how to use the Shrew Soft VPN client (that configuration is fairly self-explanatory), and it is the client used by 99% of the users who connect to the remote site; the remaining 1% is me. I simply could not be bothered to enter my login and password every time, and I wanted a quieter, more comfortable life with a plain connection to the work network. I could not find instructions for configuring a MikroTik for a situation where it sits not merely behind a private address but behind a complete blacklist, and possibly behind several NATs on the network. So I had to improvise, and I would like you to see the result.
What we have:
- CCR1072 as the central device, v6.44.1
- cAP ac as the home access point, v6.44.1
The main feature of this setup is that the PC and the MikroTik must be on the same network with the same address range, which is assigned by the central 1072.
Let's move on to the configuration:
1. Naturally we have Fasttrack enabled, but since fasttrack is incompatible with VPN, we have to exclude its traffic from fasttracking.
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec
2. Add passthrough for the traffic between the home and office networks
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.77.0/24
3. Create the identity for the client connection
/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=<shared key> xauth-login=username xauth-password=password
4. Create an IPsec proposal
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
5. Create the IPsec policies
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
6. Create an IPsec profile
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
7. Create the IPsec peer
/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=profile_88
Now for some simple magic. Since I did not want to change the addressing of every device on my home network, I had to somehow attach DHCP on that same network, but the catch is that MikroTik does not let you hang more than one address range on a single bridge. So I found a workaround: for the laptop I simply created a DHCP lease without a pool, and since the netmask, gateway and DNS are also DHCP options, I specified them manually.
1. DHCP options
/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"
2. DHCP lease
/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>
At the same time, the configuration on the 1072 is as simple as it gets; the only point is that when assigning an IP address to the client in its identity, you indicate that the IP address comes from the identity itself and not from a pool, and give it there. For the regular PC users the subnet is the same as in the wiki configuration, 192.168.55.0/24.
Such a setup lets you avoid connecting from the PC through third-party software, and the tunnel itself is brought up by the router as needed. The load on the cAP ac client is negligible: 8-11% at speeds of 9-10 MB/s through the tunnel.
All configuration was done through Winbox, although it can be done from the console with equal success.
Source: www.hab.com
