Mu bukhuli ndi sitepe, ndikuwuzani momwe mungakhazikitsire Mikrotik kuti malo oletsedwa atsegulidwe okha kudzera mu VPN iyi ndipo mukhoza kupewa kuvina ndi maseche: ikani kamodzi ndipo zonse zimagwira ntchito.
Ndinasankha SoftEther ngati VPN: ndizosavuta kukhazikitsa monga ndipo mwamsanga basi. Kumbali ya seva ya VPN, ndidathandizira Safe NAT; palibe zosintha zina zomwe zidapangidwa.
Ndinaona RRAS ngati njira ina, koma Mikrotik sadziwa momwe angagwiritsire ntchito. Kulumikizana kumakhazikitsidwa, VPN imagwira ntchito, koma Mikrotik sangathe kusunga chiyanjano popanda kugwirizanitsa nthawi zonse ndi zolakwika mu chipika.
Kukonzekera kunachitika pogwiritsa ntchito chitsanzo cha RB3011UiAS-RM pa firmware version 6.46.11.
Tsopano, mu dongosolo, chiyani ndi chifukwa.
1. Khazikitsani kulumikizana kwa VPN
Inde, SoftEther, L2TP yokhala ndi kiyi yogawana nawo kale, idasankhidwa ngati njira ya VPN. Mlingo wachitetezo uwu ndi wokwanira kwa aliyense, chifukwa ndi rauta yekha ndi mwini wake amadziwa chinsinsi.
Pitani ku gawo la ma interfaces. Choyamba, timawonjezera mawonekedwe atsopano, ndiyeno lowetsani ip, lolowera, mawu achinsinsi ndi kiyi yogawana mu mawonekedwe. Dinani chabwino.
Lamulo lomweli:
/interface l2tp-client
name="LD8" connect-to=45.134.254.112 user="Administrator" password="PASSWORD" profile=default-encryption use-ipsec=yes ipsec-secret="vpn"
SoftEther idzagwira ntchito popanda kusintha malingaliro a ipsec ndi ma profiles a ipsec, sitikuganiza zowakhazikitsa, koma wolembayo adasiya zithunzi za mbiri yake, ngati zingatheke.
Kwa RRAS mu IPsec Proposals, ingosinthani PFS Gulu kukhala palibe.
Tsopano muyenera kuyimirira kumbuyo kwa NAT ya seva iyi ya VPN. Kuti tichite izi tifunika kupita ku IP> Firewall> NAT.
Apa timathandizira masquerade pamitundu ina kapena yonse ya PPP. Router ya wolembayo imalumikizidwa ndi ma VPN atatu nthawi imodzi, kotero ndidachita izi:
Lamulo lomweli:
/ip firewall nat
chain=srcnat action=masquerade out-interface=all-ppp
2. Onjezani malamulo ku Mangle
Chinthu choyamba chimene ndikufuna, ndithudi, ndikuteteza zonse zomwe zili zofunika kwambiri komanso zopanda chitetezo, zomwe ndi DNS ndi HTTP traffic. Tiyeni tiyambe ndi HTTP.
Pitani ku IP β Firewall β Mangle ndikupanga lamulo latsopano.
Mu lamulo, Chain, sankhani Prerouting.
Ngati pali Smart SFP kapena rauta ina kutsogolo kwa rauta, ndipo mukufuna kulumikizana nayo kudzera pa intaneti, m'munda wa Dst. Adilesi yomwe muyenera kuyika adilesi yake ya IP kapena subnet ndikuyika chizindikiro choyipa kuti musagwiritse ntchito Mangle ku adilesi kapena ku subnet iyi. Wolembayo ali ndi SFP GPON ONU mumayendedwe a mlatho, kotero wolembayo adakhalabe ndi kuthekera kolumikizana ndi mawonekedwe ake a intaneti.
Mwachikhazikitso, Mangle adzagwiritsa ntchito lamulo lake ku Maiko onse a NAT, izi zipangitsa kutumiza kwa doko pa IP yanu yoyera kukhala kosatheka, kotero mu Connection NAT State timayika cholembera pa dstnat ndi chizindikiro choyipa. Izi zitilola kutumiza magalimoto otuluka pamaneti kudzera pa VPN, koma tumizani madoko kudzera pa IP yathu yoyera.
Kenako, pa Action tabu, sankhani njira yolembera, itchuleni kuti New Routing Mark kuti zidziwike kwa ife mtsogolomo ndikupita patsogolo.
Lamulo lomweli:
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=HTTP passthrough=no connection-nat-state=!dstnat protocol=tcp dst-address=!192.168.1.1 dst-port=80
Tsopano tiyeni tipite ku chitetezo cha DNS. Pankhaniyi, muyenera kupanga malamulo awiri. Imodzi ya rauta, ina ya zida zolumikizidwa ndi rauta.
Ngati mugwiritsa ntchito DNS yomangidwa mu rauta, yomwe wolembayo amachita, iyeneranso kutetezedwa. Choncho, pa lamulo loyamba, monga pamwambapa, timasankha chain prerouting, chachiwiri tiyenera kusankha zotuluka.
Kutulutsa ndi dera lomwe rauta yokha imagwiritsa ntchito kupanga zopempha pogwiritsa ntchito magwiridwe ake. Chilichonse pano ndi chofanana ndi HTTP, UDP protocol, port 53.
Malamulo omwewo:
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=DNS passthrough=no protocol=udp
add chain=output action=mark-routing new-routing-mark=DNS-Router passthrough=no protocol=udp dst-port=53
3. Kumanga njira kudzera pa VPN
Pitani ku IP β Njira ndikupanga njira zatsopano.
Njira yosinthira HTTP pa VPN. Tikuwonetsa dzina la mawonekedwe athu a VPN ndikusankha Routing Mark.
Pakadali pano, mwamva kale momwe operekera anu ayimitsira .
Lamulo lomweli:
/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=HTTP distance=2 comment=HTTP
Malamulo achitetezo a DNS adzawoneka chimodzimodzi, ingosankha chizindikiro chomwe mukufuna:
Kenako mudamva momwe zopempha zanu za DNS zidasiya kumvera. Malamulo omwewo:
/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS distance=1 comment=DNS
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS-Router distance=1 comment=DNS-Router
Chabwino, pamapeto pake, tiyeni titsegule Rutracker. Subnet yonse ndi yake, kotero subnet imatchulidwa.
Umu ndi momwe zinalili zophweka kuti mubwezeretse intaneti yanu. Gulu:
/ip route
add dst-address=195.82.146.0/24 gateway=LD8 distance=1 comment=Rutracker.Org
Momwemonso momwemonso ndi tracker ya mizu, mutha kuyendetsa chuma chamakampani ndi masamba ena otsekedwa.
Wolembayo akuyembekeza kuti mudzayamikira mwayi wolowera mu tracker ya mizu ndi portal yamakampani nthawi yomweyo osavula sweti yanu.
Source: www.habr.com