Good day, everyone!
It so happens that at our company we have been gradually migrating to Mikrotik hardware over the past two years. The core nodes are built on the CCR1072, while the access points in local offices run on simpler devices. Naturally, we also interconnect networks through IPsec tunnels; in that case the setup is quick and easy thanks to the abundance of material available online. Connecting mobile clients, however, brings its own difficulties: the vendor's wiki describes how to use the Shrew Soft VPN client (those settings look clear enough), and that is the client used by 99% of remote-access users, the remaining 1% being me. I can't be bothered to type my login and password every time, and I want unhurried, comfortable access to the work networks. I found no instructions for configuring a Mikrotik in a scenario where it sits not merely behind a private address but behind one that is completely closed off, possibly even behind several NATs. So I had to improvise, and I invite you to look at the result.
What we have:
- CCR1072 as the core device. Version 6.44.1
- cAP ac as the home access point. Version 6.44.1
The main requirement of the setup is that the PC and the Mikrotik must be on the same network, with the same addresses that are issued by the main 1072.
Let's move on to the settings:
1. Yes, we enable Fasttrack, but since fasttrack is not compatible with VPN, we have to exclude the VPN traffic from it.
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec
2. Add the networks that are forwarded between home and work
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.77.0/24
3. Create the identity for the user's connection
/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret="<shared key>" xauth-login=username xauth-password=password
4. Create the IPsec proposal
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
5. Create the IPsec policy
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
6. Create the IPsec profile
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
7. Create the IPsec peer
/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=profile_88
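The configuration in steps 1 to 7 depends on two things that an export can be checked for mechanically: the fasttrack rule must really skip IPsec-marked connections (otherwise fasttracked packets never reach the policies), and the proposal and profile parameters should not be weak. The following Python script is an added example, not code from the post or from MikroTik: it parses export-style lines into key=value dictionaries and reports both. The sample export inside it is constructed (it mirrors the post's rules plus one fasttrack rule without the exclusion). The sets of weak ciphers and DH groups, and the two exclusion conventions it accepts (a negated mark that a mangle rule with an ipsec-policy matcher assigns, or an ipsec-policy=...,none matcher on the fasttrack rule itself), are this example's own choices. Run against the post's settings it flags 3des, pfs-group=none and modp1024, which a practitioner would want to replace wherever the client side supports stronger options.

```python
"""Audit a RouterOS export for the two properties this setup depends on:
fasttrack must skip IPsec-marked traffic, and the IPsec crypto parameters
should not be weak.  Added example; not MikroTik's code."""
import shlex

# Constructed sample export for this example (not a real router's output).
# The mangle/filter/proposal/profile lines mirror the post; the filter rule
# with comment "no exclusion" is deliberately wrong.
SAMPLE_EXPORT = """\
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec
add action=fasttrack-connection chain=forward comment="no exclusion"
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
"""

# Which values count as weak is this example's own choice.
WEAK_ENC = {"null", "des", "3des"}
WEAK_DH = {"modp768", "modp1024"}


def parse_export(text):
    """Turn export lines into (menu, verb, {key: value}) tuples.

    Values may be double-quoted; tokens inside [ find ... ] selectors are
    skipped so that `set [ find default=yes ]` does not record default=yes."""
    entries, menu = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            menu = line
            continue
        tokens = shlex.split(line)
        params, depth = {}, 0
        for tok in tokens[1:]:
            if tok == "[":
                depth += 1
            elif tok == "]":
                depth -= 1
            elif depth == 0 and "=" in tok:
                key, value = tok.split("=", 1)
                params[key] = value
        entries.append((menu, tokens[0], params))
    return entries


def audit(text):
    """Return a list of findings; an empty list means the export passes."""
    entries = parse_export(text)
    findings = []
    # Connection marks that mangle assigns to traffic matched by an IPsec policy.
    ipsec_marks = {
        p["new-connection-mark"]
        for menu, _, p in entries
        if menu == "/ip firewall mangle"
        and p.get("action") == "mark-connection"
        and "ipsec-policy" in p
        and "new-connection-mark" in p
    }
    for menu, _, p in entries:
        if menu == "/ip firewall filter" and p.get("action") == "fasttrack-connection":
            mark = p.get("connection-mark", "")
            by_mark = mark.startswith("!") and mark[1:] in ipsec_marks
            by_policy = p.get("ipsec-policy", "").endswith(",none")
            if not (by_mark or by_policy):
                findings.append("fasttrack rule bypasses IPsec: " + p.get("comment", "(no comment)"))
        elif menu == "/ip ipsec proposal":
            name = p.get("name", "?")
            for alg in sorted(set(p.get("enc-algorithms", "").split(",")) & WEAK_ENC):
                findings.append(f"proposal {name}: weak cipher {alg}")
            if p.get("pfs-group") == "none":
                findings.append(f"proposal {name}: PFS disabled")
        elif menu == "/ip ipsec profile":
            name = p.get("name", "default")
            for grp in sorted(set(p.get("dh-group", "").split(",")) & WEAK_DH):
                findings.append(f"profile {name}: weak DH group {grp}")
            for alg in sorted(set(p.get("enc-algorithm", "").split(",")) & WEAK_ENC):
                findings.append(f"profile {name}: weak cipher {alg}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT) or ["no findings"]:
        print(finding)
```

Feed it the output of `/export` from the router (the script only looks at the mangle, filter, proposal and profile menus, everything else is parsed and ignored), and treat an empty result as "nothing obviously wrong" rather than proof that the tunnel is correct.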
Now for a bit of simple magic. Since I didn't want to change the settings on every device at home, I had to attach DHCP to the same network, but naturally Mikrotik does not let you attach more than one address pool to a single bridge, so I found a workaround: for the laptop I simply created a DHCP lease with manual parameters, and since netmask, gateway and DNS are also just option numbers in DHCP, I specified them by hand.
1. DHCP options
/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"
2. DHCP lease
/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>
Correspondingly, the 1072 must be configured so that when it issues an IP address to this client, the lease shows the address as entered manually rather than taken from the pool, so that exactly this address is handed out. For ordinary PC clients the subnet is the same as in the wiki configuration, 192.168.55.0/24.
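The static lease above works because the subnet mask, router and DNS servers are ordinary DHCP options (codes 1, 3 and 6) inside the packet's options field. The script below is an added example, not the post's or RouterOS code: it builds that options field for the lease's values in the RFC 2132 code|length|data form and parses it back, handling PAD, END and truncated options. Its decoder also shows what a client would see if an IP-typed option were delivered as dotted-decimal text instead of packed octets, which is why the data type of each option value matters. All inputs are constructed, and the constant and function names are this example's own.

```python
"""Encode and decode the DHCP options a static lease carries (subnet mask 1,
router 3, DNS 6) in their RFC 2132 code|length|data form.
Added example; not RouterOS code."""
import ipaddress

OPT_PAD, OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS, OPT_END = 0, 1, 3, 6, 255
# Options whose data is a list of packed IPv4 addresses.
IP_LIST_OPTIONS = {OPT_SUBNET_MASK, OPT_ROUTER, OPT_DNS}


def encode_option(code, value):
    """Return code|length|data for one option.

    For IP-list options `value` is one dotted address or a list of them and
    is packed to 4 octets each; for other options it is sent as raw bytes."""
    if code in IP_LIST_OPTIONS:
        addrs = value if isinstance(value, (list, tuple)) else [value]
        data = b"".join(ipaddress.IPv4Address(a).packed for a in addrs)
    else:
        data = value if isinstance(value, bytes) else str(value).encode()
    if len(data) > 255:
        raise ValueError("option data exceeds 255 octets")
    return bytes([code, len(data)]) + data


def lease_options(netmask, gateway, dns_servers):
    """Build the options field for a lease with the three options in the post."""
    return (encode_option(OPT_SUBNET_MASK, netmask)
            + encode_option(OPT_ROUTER, gateway)
            + encode_option(OPT_DNS, list(dns_servers))
            + bytes([OPT_END]))


def decode_options(blob):
    """Parse a TLV options field into {code: value}.

    PAD is skipped, END stops parsing, truncated options raise, and IP-list
    options are split into dotted addresses (length must be a multiple of 4)."""
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code}: truncated data")
        if code in IP_LIST_OPTIONS:
            if length % 4:
                raise ValueError(f"option {code}: length {length} is not a multiple of 4")
            out[code] = [str(ipaddress.IPv4Address(data[j:j + 4]))
                         for j in range(0, length, 4)]
        else:
            out[code] = data
        i += 2 + length
    return out


if __name__ == "__main__":
    # Values from the post's lease (constructed sample input for this example).
    blob = lease_options("255.255.255.0", "192.168.33.1", ["8.8.8.8"])
    print(blob.hex(), decode_options(blob))
    # What a client sees if option 3 carries the dotted address as ASCII text
    # instead of packed octets: twelve bytes parse as three bogus addresses.
    print(decode_options(bytes([OPT_ROUTER, 12]) + b"192.168.33.1" + bytes([OPT_END])))
```

When checking a lease on the wire, compare the decoded option 3 and 6 values against what the router was meant to send; a router whose option 3 decodes to addresses in the 49.x.x.x range is carrying text where packed octets were expected.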
Such a configuration lets you avoid connecting from the PC through third-party software, and the router brings the tunnel up whenever it is needed. The load on the cAP ac on the client side is practically negligible: 8-11% at 9-10 MB/s through the tunnel.
All settings were made through Winbox, although I am sure the same can be done through the console.
Source: www.habr.com
