Good day, everyone!
It so happens that over the past two years our company has been gradually moving to Mikrotik hardware. The main nodes are built on the CCR1072, while the local points where computers connect run on simpler devices. Naturally, we also join networks over IPSEC tunnels; in that case the setup is quite simple and causes no difficulty, thanks to the wealth of material available online. Connecting mobile clients, however, brings certain challenges. The manufacturer's wiki explains how to use the Shrew Soft VPN client (that setup seems self-explanatory), and this is the client that 99% of remote-access users use; the remaining 1% is me. I got tired of entering my login and password every time, and I wanted a relaxed couch-potato setup with a convenient connection to the work networks. I could not find any instructions for configuring a Mikrotik for the situation where it sits not even behind a private address but behind a completely "black" one, possibly even behind several NATs in the network. So I had to improvise, and I suggest you take a look at the result.
Available:
- CCR1072 as the main device, version 6.44.1
- CAP ac as the home connection point, version 6.44.1
The key point of this setup is that the PC and the Mikrotik must be on the same network with the same addressing, which is issued by the main 1072.
Let's move on to the configuration:
1. Naturally we enable Fasttrack, but since fasttrack is not compatible with VPN, we have to exclude the VPN traffic from it.
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec
2. Add rules that pass traffic between the home and work networks
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.77.0/24
3. Create the user connection description (identity)
/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret="<shared key>" xauth-login=username xauth-password=password
4. Create the IPSEC proposal
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
5. Create the IPSEC policy
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
6. Create the IPSEC profile
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
7. Create the IPSEC peer
/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=profile_88
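The proposal in step 4 uses 3DES with PFS disabled, and two of the profiles in step 6 use the modp1024 DH group, all of which are legacy parameters. As an added example (not part of the original article), this Python script audits a RouterOS `/ip ipsec` export for such values; the sample input is constructed from the article's own lines, and the `WEAK` table is this example's assumption about what to flag.

```python
import shlex

# Constructed sample: the proposal and profile lines from steps 4 and 6,
# written with the backslash continuations a RouterOS export uses.
SAMPLE_EXPORT = r'''/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=\
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
'''

# Values flagged as weak (this example's assumption, not a RouterOS rule set).
WEAK = {
    "enc-algorithms": {"3des", "des", "null"},   # phase 2 (proposal)
    "enc-algorithm": {"3des", "des"},            # phase 1 (profile)
    "dh-group": {"modp768", "modp1024"},
    "pfs-group": {"none", "modp768", "modp1024"},
}

def logical_lines(text):
    """Join export lines that end with a backslash continuation."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
        else:
            yield buf + line
            buf = ""

def audit(text):
    """Return (menu, entry name, key, value) for every weak value found."""
    findings, menu = [], ""
    for line in logical_lines(text):
        if line.startswith("/"):
            menu = line
            continue
        params = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
        name = params.get("name", "default")
        for key, bad in WEAK.items():
            for value in params.get(key, "").split(","):
                if value in bad:
                    findings.append((menu, name, key, value))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("weak: %s name=%s %s=%s" % finding)
```

Parameters left at their defaults do not appear in an export, so `profile_88`, the profile the peer in step 7 references, produces no findings and has to be inspected on the router itself.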
Now for some simple magic. Since I did not want to change the settings on every device in my home network, I had to put DHCP on that same network somehow, but it is reasonable that Mikrotik does not allow more than one address pool on a single bridge. So I found a workaround: for the laptop I simply created a DHCP Lease with manually specified parameters, and since netmask, gateway & dns also have option numbers in DHCP, I defined them by hand.
1. DHCP Options
/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"
2. DHCP Lease
/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>
At the same time, the configuration of the 1072 is essentially the basic one; only when issuing an IP address to the client is it specified in the settings that the client should be given the manually entered IP address rather than one from the pool. For regular PC clients the subnet is the same as in the Wiki configuration, 192.168.55.0/24.
This setup lets you avoid connecting from the PC through third-party software, and the tunnel itself is brought up by the router as needed. The load on the client CAP ac is almost minimal, 8-11% at a speed of 9-10MB/s in the tunnel.
All settings were made through Winbox, although the same can be done just as successfully through the console.
Source: www.habr.com
