MikroTik: IPsec VPN as a client behind NAT

Good day, everyone!

It so happened that over the past two years our company has been slowly moving to MikroTik equipment. The core nodes are built on CCR1072, and the local access points for the office machines are simpler devices. Joining networks over an IPsec tunnel in that setup is straightforward and causes no trouble, since there is plenty of material on the web about it. Mobile clients are a different story: the vendor's wiki suggests the Shrew Soft VPN client (everything is transparent with that setup), and that client is what 99% of remote-access users run. The remaining 1% is me: I got too lazy to type a login and password into the client every time, and wanted to lie in bed with a laptop and simply have the work network reachable. I found no instructions for configuring a MikroTik in my situation, where the router sits not even behind a single ISP ("gray") address but behind one, and possibly several, NATs chained together. So I had to improvise, and I suggest we look at the result.

Given:

  1. CCR1072 as the central device, RouterOS 6.44.1
  2. cAP ac as the home access point, RouterOS 6.44.1

The peculiarity of this setup is that the PC and the MikroTik must sit in the same network, using the subnet that the central 1072 assigns to this client (192.168.33.0/24 below); the IPsec policies on both ends are written for that subnet.

On to the settings.

1. Naturally we use FastTrack, but since FastTrack bypasses the IPsec policies, traffic that belongs to the tunnel has to be excluded from it: mark the IPsec connections in mangle, then fasttrack only unmarked connections.

/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=
    in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=
    out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec

2. Add the home and office networks to the raw table. An accept rule in raw means the packet still goes through connection tracking (it only stops raw processing), so these rules sit ahead of the dynamic notrack rules that the identity in step 3 adds to the prerouting chain. The 192.168.55.0/24 rules are left disabled here.

/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 
    src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 
    src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.77.0/24

3. Create the identity (the user's credentials for the connection)

/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=
    <shared key> xauth-login=username xauth-password=password

4. Create the IPsec proposal

3DES and pfs-group=none here match what the author's 1072 offers; 3DES is weak by today's standards and pfs-group=none gives no forward secrecy for the phase-2 keys, so if you control both ends, prefer an AES cipher and a PFS group, keeping the proposal identical on both sides.

/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none

5. Create the IPsec policies (one per office subnet; sa-src-address=0.0.0.0 because the address seen on the outside of the NAT is not known in advance)

/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" 
    sa-dst-address=<public IP of the 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" 
    sa-dst-address=<public IP of the 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes

6. Create the IPsec profile

Only profile_88 is referenced by the peer in step 7; it keeps the defaults, including nat-traversal=yes, which is required when the router is behind NAT (ESP is then carried in UDP/4500). The dpd-interval=disable-dpd and nat-traversal=no set on the default profile therefore do not apply to this peer; profile_1 and profile246 are not used by this configuration.

/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246

7. Create the IPsec peer

/ip ipsec peer
add address=<public IP of the 1072>/32 local-address=<your router's own address> name=CO profile=
    profile_88
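The seven steps above as one script for the home router. This is an added example, not the article's own configuration: it swaps 3DES, SHA-1 and modp1024 for AES-256, SHA-256 and modp2048, keeps DPD and NAT-T on, and so only works if the 1072 side is configured to accept the same proposal and profile. The public address 203.0.113.10 of the 1072, the router's WAN-side address 192.168.1.2 behind the NAT, the names profile_home and prop_home, and the credentials are placeholders to replace. Objects are created in dependency order (profile, proposal, peer, identity, policies), and the last lines are the checks to run once the tunnel should be up.

```routeros
# Added example (not from the article). Placeholders, all assumed:
:global pubIp 203.0.113.10
:global myIp 192.168.1.2
:global homeNet 192.168.33.0/24
:global pskSecret "CHANGE-ME-shared-key"
:global xLogin "username"
:global xPass "password"

# Step 1: keep FastTrack, but never fasttrack IPsec traffic. Mark the
# connections first, then fasttrack only unmarked established/related ones.
/ip firewall mangle
add chain=forward ipsec-policy=in,ipsec action=mark-connection new-connection-mark=ipsec passthrough=yes comment="ipsec in"
add chain=forward ipsec-policy=out,ipsec action=mark-connection new-connection-mark=ipsec passthrough=yes comment="ipsec out"
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec comment="fasttrack all but ipsec"

# Step 2: accept in raw keeps home<->office traffic in connection tracking;
# these rules must precede the dynamic notrack rules the identity creates.
/ip firewall raw
add chain=prerouting src-address=$homeNet dst-address=10.7.76.0/24 action=accept
add chain=prerouting src-address=$homeNet dst-address=10.7.77.0/24 action=accept
add chain=prerouting src-address=10.7.76.0/24 dst-address=$homeNet action=accept
add chain=prerouting src-address=10.7.77.0/24 dst-address=$homeNet action=accept

# Step 6: phase-1 profile. NAT-T on (ESP in UDP/4500 through the NATs),
# DPD on so a dead tunnel is rebuilt instead of hanging, no 3DES/modp1024.
/ip ipsec profile
add name=profile_home hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048 nat-traversal=yes dpd-interval=30s dpd-maximum-failures=5 lifetime=8h

# Step 4: phase-2 proposal with PFS, so old ESP keys are not derivable from
# the IKE key.
/ip ipsec proposal
add name=prop_home auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048 lifetime=30m

# Step 7: peer. We are always the initiator: the 1072 cannot reach us
# through the NATs, and our outside address changes with them.
/ip ipsec peer
add name=CO address=$pubIp local-address=$myIp profile=profile_home

# Step 3: identity, PSK + XAuth, the same credentials the Shrew Soft users get.
/ip ipsec identity
add peer=CO auth-method=pre-shared-key-xauth secret=$pskSecret xauth-login=$xLogin xauth-password=$xPass notrack-chain=prerouting

# Step 5: one policy per office subnet. sa-src-address=0.0.0.0 because the
# address on the outside of the NAT is whatever the NAT chooses.
/ip ipsec policy
add src-address=$homeNet dst-address=10.7.76.0/24 sa-src-address=0.0.0.0 sa-dst-address=$pubIp tunnel=yes proposal=prop_home level=unique
add src-address=$homeNet dst-address=10.7.77.0/24 sa-src-address=0.0.0.0 sa-dst-address=$pubIp tunnel=yes proposal=prop_home level=unique

# Checks: phase 1 should list the 1072 as an established peer, phase 2 should
# show an SA pair per policy, and each policy should read ph2-state=established.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip ipsec policy print detail
# If nothing comes up, enable IPsec logging and read the exchange:
/system logging add topics=ipsec,!packet action=memory
/log print where topics~"ipsec"
```

Run it with `/import` or paste it into the terminal; the `:global` variables survive between pasted lines, which `:local` would not. If the 1072 is left on the article's 3DES/modp1024 settings, phase 1 will fail with a proposal mismatch in the log, which is the first thing the last two commands will show.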

Now for a small trick. Since I really did not want to change settings on every device in my home network, I had to hang a second subnet on the network via DHCP somehow, but MikroTik does not allow more than one address pool on a single bridge interface. So a workaround was found: specifically for the laptop I created a static DHCP lease with manually set parameters, and since the netmask, gateway and DNS server each have their own DHCP option numbers, I set them manually as options.

1. DHCP options

/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"

2. DHCP lease

/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=
    option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>

The configuration on the 1072 side is practically the basic one; the only difference is that the address handed out to this client is specified explicitly (in brackets) rather than taken from the pool. For the ordinary PC clients the subnet is the same as in the wiki configuration, 192.168.55.0/24.

This setup lets you avoid any third-party software on the PC: the router brings the tunnel up itself when traffic for the office subnets needs to be routed. The load on the cAP ac client is minimal, 8-11% CPU at 9-10 MB/s through the tunnel.

All commands were entered through Winbox, although they can be done just as well from the console.

Source: www.habr.com