MikroTik: IPSEC VPN behind NAT as a client

Good day to all!

It so happened that over the past two years our company has gradually migrated to MikroTik. The core nodes are built on the CCR1072, and the branches are connected to the office machines by simpler devices. Of course there are site-to-site IPSEC links as well; that setup is very simple and causes no trouble, since there is plenty of documentation on the net. But there is a problem with client connections: the vendor wiki tells you how to use the Shrew Soft VPN client (everything about that setup seems clear), and that client is what 99% of remote users run. The remaining 1% is me: I am simply too lazy to type a login and password into the client every time, and I wanted to connect to work from the comfort of my chair without any fuss. I found no instructions for configuring a MikroTik for the case where it sits not merely behind a grey (private) address, but behind a black one and possibly even behind several NATs. So I had to improvise, and I invite you to look at the result.

Given:

  1. CCR1072 as the main device, v6.44.1
  2. cAP ac as the home access point, v6.44.1

The key feature of this setup is that the PC and the MikroTik must be on the same network, with the same address as the one issued by the main 1072.

Let's move on to the setup:

1. We have Fasttrack enabled, of course, but since fasttrack is incompatible with VPN, its traffic has to be carved out of it.

/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=
    in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=
    out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec
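For orientation, here is where the rules above sit relative to the stock RouterOS firewall, with a check that the exclusion actually took effect. This is an added example, not the author's complete rule set; it assumes the default "defconf: fasttrack" and "defconf: accept established,related" forward rules are present, so adjust the comment lookups to your own rules.

```routeros
# Added example: placing the fasttrack bypass in a stock RouterOS 6.44 firewall.
# Assumes the default "defconf" forward rules exist (assumption, not from the page).

# 1. Mark every connection that passes through an IPsec policy (the author's rules).
#    mangle forward runs before filter forward, so the mark is visible to the filter rule.
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" \
    ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" \
    ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes

# 2. Exclude marked connections from fasttrack. Fasttracked packets bypass the
#    rest of the firewall and the IPsec policy lookup, so tunnel traffic must not
#    be fasttracked. The fasttrack rule has to stay at the top of the forward chain,
#    ahead of the generic "accept established,related" rule, or nothing is fasttracked.
/ip firewall filter
set [ find comment="defconf: fasttrack" ] connection-mark=!ipsec
# Without a defconf rule, the author's single rule, pinned to the top of the chain:
# add action=fasttrack-connection chain=forward connection-mark=!ipsec \
#     connection-state=established,related place-before=0

# 3. Verify: connections carrying the "ipsec" mark must not show the F (fasttrack)
#    flag, and the fasttrack rule's counters should keep growing for everything else.
/ip firewall connection print where connection-mark=ipsec
/ip firewall filter print stats where action=fasttrack-connection
```

An alternative that needs no mangle marks is two `accept` rules in the forward chain matching `ipsec-policy=in,ipsec` and `ipsec-policy=out,ipsec`, placed before the fasttrack rule; the effect is the same, since accepted packets never reach the fasttrack action.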

2. Add forwarding for the networks from/to home and office

/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 
    src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 
    src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.77.0/24

3. Create an identity for the client connection

/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=
    <shared key> xauth-login=username xauth-password=password

4. Create an IPSEC proposal

/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none

5. Create the IPSEC policies

/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes

6. Create an IPSEC profile

/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
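The proposal in step 4 and the profile in step 6 use 3DES, no PFS and modp1024, all of which are legacy choices today. Below, as an added example that is not part of the author's configuration, the page's parameters are shown beside a contemporary equivalent using the same RouterOS objects. Both peers must agree, so the CCR1072 side needs matching values; the object names `prop-aes` and `profile-aes` are illustrative, and `nat-traversal=yes` is set explicitly because this router sits behind NAT.

```routeros
# Added example: the page's legacy IPsec parameters beside a stronger equivalent.
# Names prop-aes / profile-aes are assumptions; apply matching values on both routers.

# As on the page: 3DES for ESP, no PFS, modp1024 for IKE.
/ip ipsec proposal
add name=prop1 enc-algorithms=3des lifetime=5m pfs-group=none
/ip ipsec profile
add name=profile_1 dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des

# Stronger equivalent: AES-256-CBC + SHA-256 with PFS for ESP,
# AES-256 / SHA-256 / modp2048 for IKE, with dead peer detection enabled.
/ip ipsec proposal
add name=prop-aes auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m \
    pfs-group=modp2048
/ip ipsec profile
add name=profile-aes dh-group=modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 \
    lifetime=8h nat-traversal=yes dpd-interval=30s dpd-maximum-failures=3

# Point the page's policies and peer at the new objects (repeat on the 1072 side).
/ip ipsec policy set [ find proposal=prop1 ] proposal=prop-aes
/ip ipsec peer set [ find name=CO ] profile=profile-aes

# Confirm what was actually negotiated after the tunnel comes up.
/ip ipsec installed-sa print
```

The CCR1072 has hardware AES acceleration, so the stronger suite costs little there; on the cAP ac the difference is measurable, which is worth checking against the 8-11% load the author reports before committing to it.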

7. Create an IPSEC peer

/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=
    profile_88

Now for a little simple magic. Since I did not want to change the addressing of every device on my home network, I had to hang DHCP on the same network somehow, but the catch is that MikroTik won't let you hang more than one address pool on a single bridge. So I found a workaround: for the laptop I simply created a DHCP lease without a pool, and since netmask, gateway and DNS have their own option codes in DHCP, I set them manually.

1. DHCP options

/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"

2. DHCP lease

/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=
    option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>
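Once steps 1 to 7 and the DHCP workaround are in place, these are the checks I would run on the cAP ac to confirm each layer works before blaming the other end. This is an added example, not from the original post; the addresses are the page's own, and `10.7.76.1` is an assumed office host.

```routeros
# Added example: verification on the cAP ac after the steps above.
# 10.7.76.1 is an assumed office host; <white IP 1072> is the office router's public address.

# 1. Log IKE negotiation without per-packet noise, then read it.
/system logging add topics=ipsec,!packet action=memory
/log print where topics~"ipsec"

# 2. Phase 1: the peer CO should be listed with state "established".
/ip ipsec active-peers print

# 3. Phase 2: each policy should show ph2-state=established and the A (active) flag,
#    and installed SAs should exist for both directions.
/ip ipsec policy print detail
/ip ipsec installed-sa print

# 4. The raw accept rules are seeing traffic (counters grow) and ipsec-marked
#    connections are not fasttracked (no F flag in the connection list).
/ip firewall raw print stats
/ip firewall connection print where connection-mark=ipsec

# 5. The laptop's pool-less lease carries the hand-set netmask, gateway and DNS options.
/ip dhcp-server lease print detail where address=192.168.33.4

# 6. End to end: ping an office host from the home subnet. The tunnel is brought
#    up on demand, so the first packets may be lost while IKE completes.
/ping 10.7.76.1 src-address=192.168.33.1 count=5
```

If step 2 shows nothing at all, check that the peer's `address` is the office router's public IP and that NAT-T is enabled in the profile the peer uses; the default profile on the page has `nat-traversal=no`, but `profile_88` keeps the default (enabled), which is what a router behind NAT needs.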

Meanwhile, configuring the 1072 is as simple as it gets; the only thing is that when assigning an IP address to the client in the identity, you have to specify that the IP address is taken from the identity itself rather than from a pool, and give it there. For ordinary PC clients the subnet is the same as in the wiki configuration, 192.168.55.0/24.

Such a setup lets you avoid connecting to the PC through third-party software, and the router brings the tunnel up itself as needed. The load on the cAP ac client is nearly negligible: 8-11% at 9-10 MB/s through the tunnel.

All configuration was done through Winbox, although it can be done from the console with the same success.

Source: www.hab.com
