Good day, everyone!
It so happened that over the past two years our company has gradually been switching to Mikrotik devices. The main nodes are built on the CCR1072, while the local connection points for computers run on simpler devices. Naturally, we also join networks over IPSEC tunnels; in that case the configuration is simple and straightforward, thanks to the wealth of material available online. Connecting mobile clients, however, presents some difficulties. The manufacturer's wiki explains how to use the Shrew Soft VPN client (that configuration is self-explanatory), and this is the client that 99% of remote-access users rely on. The remaining 1% is me. I simply could not be bothered to enter my login and password every time, and I wanted a lazier, more comfortable way to connect to the work networks. I could not find any instructions for configuring a Mikrotik when it sits not just behind a private address but behind a completely hidden one, possibly with several NATs in the network. So I had to improvise, and I suggest you take a look at the result.
Available:
- CCR1072 as the main device. Version 6.44.1
- CAP ac as the home connection point. Version 6.44.1
The main feature of this setup is that the PC and the Mikrotik must be on the same network, with the same addressing that the main 1072 issues.
On to the settings:
1. Naturally we enable FastTrack, but since FastTrack is not compatible with the VPN, we have to cut the IPsec traffic out of it.
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec
2. Add forwarding of the networks from/to home and work
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.77.0/24
3. Create the user connection description
/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=<shared key> xauth-login=username xauth-password=password
4. Create the IPSEC Proposal
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
5. Create the IPSEC Policy
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
6. Create the IPSEC profile
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
7. Create the IPSEC peer
/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=profile_88
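The proposal in step 4 and the profiles in step 6 explicitly select 3DES, modp1024 and pfs-group=none, which are the settings worth reviewing before reusing this configuration. The following check is an added example, not part of the original article or of any Mikrotik tooling: it parses a RouterOS export and flags those values. The sample export is constructed from the lines above, and the WEAK_ENC and WEAK_DH sets are an assumed policy.

```python
import re

# Constructed sample: the proposal and profile lines from steps 4 and 6 in
# RouterOS export form, where a trailing "\" continues a command.
SAMPLE_EXPORT = r'''
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=\
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
'''

# Assumed policy for this example: values treated as too weak for new tunnels.
WEAK_ENC = {"des", "3des", "null"}
WEAK_DH = {"modp768", "modp1024"}

def parse_export(text):
    """Yield (menu, params) for every add/set command in an export."""
    text = re.sub(r"\\\n\s*", "", text)  # re-join continuation lines
    menu = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("/"):
            menu = line
        elif line.startswith(("add ", "set ")):
            pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
            yield menu, {k: v.strip('"') for k, v in pairs}

def audit(text):
    """Return (menu, name, finding) tuples for explicitly set weak values."""
    findings = []
    for menu, p in parse_export(text):
        if menu not in ("/ip ipsec proposal", "/ip ipsec profile"):
            continue
        name = p.get("name", "default")
        enc = p.get("enc-algorithms") or p.get("enc-algorithm") or ""
        for alg in sorted(WEAK_ENC & set(enc.split(","))):
            findings.append((menu, name, f"weak cipher {alg}"))
        for grp in sorted(WEAK_DH & set(p.get("dh-group", "").split(","))):
            findings.append((menu, name, f"weak DH group {grp}"))
        if menu.endswith("proposal") and p.get("pfs-group") == "none":
            findings.append((menu, name, "PFS disabled"))
    return findings

if __name__ == "__main__":
    for menu, name, finding in audit(SAMPLE_EXPORT):
        print(f"{menu} [{name}]: {finding}")
```

Parameters a command leaves unset, as in profile_88, fall back to the RouterOS defaults for that version; this check does not evaluate them, so review the effective values on the device.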
Now for a small workaround. Since I really did not want to change the settings on every device in my home network, I had to hang DHCP on the same network somehow. Reasonably enough, though, Mikrotik does not allow more than one address pool on a single bridge. So I found a way around it: for the laptop I simply created a DHCP lease with manually specified parameters, and since the netmask, gateway and DNS also have DHCP option numbers, I specified those manually as well.
1. DHCP Options
/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"
2. DHCP Lease
/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>
At the same time, the configuration of the 1072 is almost basic. The only difference is that, when an IP address is issued to the client, the settings specify that it should receive a manually entered IP address rather than one from the pool. For regular PC clients the subnet is the same as in the Wiki configuration, 192.168.55.0/24.
With this setup the PC does not have to connect through third-party software, and the router brings the tunnel up itself as needed. The load on the client CAP ac is practically minimal: 8-11% at a speed of 9-10 MB/s in the tunnel.
All settings were made through Winbox, although the same can be done just as well through the console.
Source: www.habr.com
