Good day, everyone!
It so happened that over the past two years our company has been gradually migrating to MikroTik. The main nodes are built on the CCR1072, and the local connection points for computers run on simpler devices. Of course, the networks are also joined through IPSEC tunnels; in that case the setup is quite simple and causes no problems, since there is plenty of material about it online. But client connections from mobile users come with some difficulties: the manufacturer's wiki tells you how to use the Shrew Soft VPN client (everything about that setup seems clear), and that client is what 99% of our remote-access users use. The remaining 1% is me. I was simply too lazy to type a login and password into the client every time; I wanted to lie on the couch and have a convenient connection to the work networks. I did not find instructions for configuring a MikroTik for the situation where it sits not merely behind a gray (private) address, but behind a completely black one, possibly with several NATs along the way. So I had to improvise, and I suggest you take a look at the result.
Available:
- CCR1072 as the main device, version 6.44.1
- CAP ac as the home connection point, version 6.44.1
The main feature of this setup is that the PC and the MikroTik must be on the same network with the same addressing, which is issued by the main 1072.
Let's move on to the configuration:
1. Of course, we enable Fasttrack, but since fasttrack is not compatible with VPN, we have to exclude the VPN traffic from it.
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec
2. Add forwarding between the home and work networks
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.77.0/24
3. Create the user connection description (identity)
/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret="<shared key>" xauth-login=username xauth-password=password
4. Create the IPSEC proposal
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
5. Create the IPSEC policies
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
6. Create the IPSEC profiles
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
7. Create the IPSEC peer
/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=profile_88
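An added example, not part of the original article: a Python script that scans an export of the /ip ipsec menus for settings generally regarded as weak (3DES, 1024-bit DH groups, PFS disabled), run here over the proposal and profiles from steps 4 and 6. The audit function, the WEAK table and the sample text are assumptions of this example.

```python
import re

# Constructed sample: the proposal and profiles from steps 4 and 6, in export
# form, with one backslash continuation as RouterOS writes long lines.
SAMPLE_EXPORT = r"""/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=\
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
"""

# Values flagged as weak: an assumption of this example, not a MikroTik list.
WEAK = {
    "enc-algorithms": {"null", "des", "3des"},   # phase 2 (proposal)
    "enc-algorithm": {"des", "3des"},            # phase 1 (profile)
    "dh-group": {"modp768", "modp1024"},
    "pfs-group": {"none", "modp768", "modp1024"},
}
PAIR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')


def audit(export):
    """Return (menu, item, property, value) for each weak IPsec setting."""
    text = re.sub(r"\\\r?\n\s*", "", export)     # join continuation lines
    findings, menu = [], ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line                          # e.g. "/ip ipsec profile"
            continue
        if not menu.startswith("/ip ipsec"):
            continue
        props = {k: v.strip('"') for k, v in PAIR.findall(line)}
        item = props.get("name", "default")      # "set [ find default=yes ]"
        for key, bad in WEAK.items():
            for value in props.get(key, "").split(","):
                if value in bad:
                    findings.append((menu, item, key, value))
    return findings


if __name__ == "__main__":
    for menu, item, key, value in audit(SAMPLE_EXPORT):
        print(f"{menu} [{item}]: {key}={value}")
```

An export omits properties left at their defaults, so profile_88, the profile the peer CO actually uses, produces no findings; check its effective values on the router itself.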
Now for some simple magic. Since I did not want to change the settings on all the devices in my home network, I had to somehow run DHCP on that same network, but MikroTik, reasonably enough, does not let you attach more than one address pool to a single bridge. So I found a workaround: for the laptop I simply created a DHCP lease with manually specified parameters, and since the netmask, gateway and DNS also have option numbers in DHCP, I defined them by hand.
1. DHCP options
/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"
2. DHCP lease
/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>
At the same time, the configuration of the 1072 is practically the basic one; the only difference is that, where the client is given its IP address, the settings specify that it receives a manually entered IP address rather than one from the pool. For regular PC clients the subnet is the same as in the Wiki configuration, 192.168.55.0/24.
This setup means the PC does not have to connect through third-party software, and the tunnel itself is brought up by the router as needed. The load on the client CAP ac is almost minimal: 8-11% at a speed of 9-10MB/s through the tunnel.
All settings were made through Winbox, although the same can be done just as successfully through the console.
Source: www.habr.com