MikroTik: IPSEC VPN client behind NAT

Good day, everyone!

It so happened that over the last two years our company has been gradually migrating to MikroTik. The core nodes are built on CCR1072, and employees' home access points run on simpler devices. Naturally, the networks are also joined by IPSEC tunnels; that part is straightforward and causes no difficulties, since there are plenty of examples online. Connecting mobile clients is trickier: the vendor wiki shows how to use the Shrew Soft VPN client (everything there looks clear enough), and that is the client used by 99% of remote users. The remaining 1% is me: I was simply too lazy to type a login and password into the client every time, and I wanted to sit comfortably in my chair with a proper connection to the work network. I found no instructions for configuring MikroTik for the case where it is not on a white (public) address but behind a grey (private) one, and possibly behind several layers of NAT on the way to the internet. So I had to work it out myself, and I would like to share the result.

What we have:

  1. CCR1072 as the central device. Version 6.44.1
  2. CAP ac as the home access point. Version 6.44.1

The main requirement of the setup is that the PC and the MikroTik must be on the same network, with addresses issued by the main 1072.

Let's move on to the settings:

1. Of course we enable Fasttrack, but since fasttrack is not compatible with VPN, we have to exclude the VPN traffic from it.

/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=
    in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=
    out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec

2. Allow traffic between the home and work networks in both directions

/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 
    src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 
    src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.77.0/24

3. Create the identity for the user connection

/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=
    <shared key> xauth-login=username xauth-password=password

4. Create the IPSEC proposal

/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none

5. Create the IPSEC policies

/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes

6. Create the IPSEC profile

/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246

7. Create the IPSEC peer

/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=
    profile_88
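The raw accept rules from step 2 and the policies from step 5 are easy to get out of sync when subnets are added by hand (a rule in one direction only, or a policy with no matching raw rule). The following Python script is an added example, not part of the post: it parses a RouterOS export in the wrapped format shown above and reports accept pairs that lack their reverse rule and policies whose subnet pair is not accepted in raw in both directions. The sample export is constructed and trimmed, with one deliberately missing reverse rule.

```python
import re

# Constructed sample (not the post's full export) in RouterOS export format with wrapped lines; <white IP 1072> is the post's placeholder.
SAMPLE_EXPORT = """\
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.76.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24
    src-address=10.7.78.0/24
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1"
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1"
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes
"""

def parse_export(text):
    """Group 'add' entries by section as {key: value} dicts, re-joining lines export wraps after 'key='."""
    sections, section, parts = {}, None, []
    def flush():
        if section and parts:
            joined = re.sub(r"=\s+", "=", " ".join(parts))  # 'key=' + continuation -> 'key=value'
            pairs = re.findall(r'([\w-]+)=("[^"]*"|<[^>]*>|\S+)', joined)  # quoted, <placeholder>, or bare
            sections.setdefault(section, []).append({k: v.strip('"') for k, v in pairs})
        parts.clear()
    for line in text.splitlines():
        if line.startswith("/"):            # section header such as /ip firewall raw
            flush(); section = line.strip()
        elif line.startswith(" "):          # indented continuation of the previous entry
            parts.append(line.strip())
        elif line.startswith("add "):       # start of a new entry
            flush(); parts.append(line[4:])
    flush()
    return sections

def check_ipsec_consistency(text):
    """Enabled raw 'accept' pairs with no reverse rule, and policies not accepted in raw in both directions."""
    sec = parse_export(text)
    raw = {(r["src-address"], r["dst-address"]) for r in sec.get("/ip firewall raw", [])
           if r.get("action") == "accept" and r.get("disabled") != "yes"}
    policies = {(p["src-address"], p["dst-address"]) for p in sec.get("/ip ipsec policy", [])}
    return {"asymmetric_raw": sorted(p for p in raw if (p[1], p[0]) not in raw),
            "policy_missing_raw": sorted(p for p in policies if p not in raw or (p[1], p[0]) not in raw)}
```

Paste the output of `/ip firewall raw export` and `/ip ipsec policy export` into the string (or read it from a file) to check a real router; an empty list for both keys means every policy subnet pair is accepted in raw in both directions.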

Now for a little simple magic. Since I did not want to change the settings on all of my home devices, I had to run DHCP on the same network, but of course MikroTik does not let you attach more than one address pool to a single bridge. So I found a workaround for the laptop: I simply created a DHCP lease with manually set parameters, and since netmask, gateway and DNS are also numbered options in DHCP, I specified them by hand.

1. DHCP options

/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"

2. DHCP lease

/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=
    option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>

On the 1072 side the setup is standard, except that the client's IP address is specified manually in its settings rather than taken from a pool, so that exactly that address is issued to it. For ordinary PC clients the subnet is the same as in the wiki configuration, 192.168.55.0/24.

This setup lets you avoid connecting from the PC through third-party software; the router brings the tunnel up whenever it is needed. The load on the CAP ac client is minimal, about 8-11% at 9-10 MB/s through the tunnel.

All settings were made through Winbox, although I am sure the same can be done through the console.

Source: www.habr.com
