Good day, everyone!
It so happens that over the last two years our company has been gradually moving to MikroTik hardware. The core nodes are built on the CCR1072, while the local access points run on simpler devices. Naturally we also provide site-to-site connectivity over IPsec tunnels; that configuration is simple and straightforward thanks to the abundance of material available online. Connecting mobile clients, however, has its problems. The vendor wiki describes using the Shrew Soft VPN client (that setup is practically self-explanatory), and that client is what 99% of remote-access users run; the remaining 1% is me. I could not be bothered typing my login and password every time, and I wanted a lazy, couch-potato experience with effortless access to the work networks. I found no instructions for configuring a MikroTik that sits not merely behind a private ("grey") address but behind a completely non-routable one, possibly even behind several layers of NAT. So I had to work it out myself, and I suggest you look at the result.
Given:
- CCR1072 as the core router, version 6.44.1
- cAP ac as the home access point, version 6.44.1
The central idea of the setup is that the PC and the MikroTik must sit on the same network with the same address, and that address is issued by the main 1072.
Let's move on to the settings:
1. Of course we enable FastTrack, but since FastTrack does not work with VPN traffic, we have to exclude the IPsec traffic from it.
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec
2. Add raw rules for the traffic forwarded between the home and work networks
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.77.0/24
3. Create the identity for the user connection
/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=<shared key> xauth-login=username xauth-password=password
4. Create the IPsec proposal
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
5. Create the IPsec policies
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
6. Create the IPsec profile
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
7. Create the IPsec peer
/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=profile_88
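Before steps 1 to 7 go onto a router it is worth checking them mechanically, because the failure modes are silent: a raw accept rule without its mirror image breaks return traffic, a policy whose subnet pair has no raw rule never gets its traffic through, and a fasttrack rule that forgets the ipsec mark quietly bypasses the tunnel. The Python below is an added example, not code from the original article: it re-joins commands that the export wrapped across lines, parses the key=value arguments, and runs those three checks plus a lint of the crypto parameters (the proposal above uses 3des with pfs-group=none and the profile uses modp1024, all of which it flags). The sample text inside it is a constructed, shortened copy of the article's steps with the "<white IP 1072>" placeholder replaced by the documentation address 203.0.113.10.

```python
"""Sanity checks for the RouterOS IPsec setup above (added example, not from the article)."""
import re

# Constructed sample: a shortened copy of steps 1, 2, 4, 5 and 6 from the article,
# with the public-address placeholder replaced by the documentation address 203.0.113.10.
SAMPLE = """\
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=
in,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
10.7.76.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24
src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=
192.168.33.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
10.7.77.0/24
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1"
sa-dst-address=203.0.113.10 sa-src-address=0.0.0.0 src-address=
192.168.33.0/24 tunnel=yes
/ip ipsec profile
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
"""

ARG_RE = re.compile(r'(\S+?)=("[^"]*"|\S*)')
WEAK = {"des", "3des", "md5", "sha1", "modp768", "modp1024", "none"}
CRYPTO_KEYS = ("enc-algorithms", "enc-algorithm", "auth-algorithms",
               "hash-algorithm", "dh-group", "pfs-group")


def parse(text):
    """Turn wrapped export text into [{'menu', 'verb', 'args'}] records."""
    cmds, menu = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("/"):
            # Menu path; the command itself may follow on the same line.
            parts = line.split()
            idx = next((i for i, p in enumerate(parts) if p in ("add", "set")), len(parts))
            menu = " ".join(parts[:idx])
            if idx < len(parts):
                cmds.append([menu, parts[idx], " ".join(parts[idx + 1:])])
        elif line.split(maxsplit=1)[0] in ("add", "set"):
            verb, _, rest = line.partition(" ")
            cmds.append([menu, verb, rest])
        else:
            # Continuation line: a wrap right after '=' split one argument in two.
            sep = "" if cmds[-1][2].endswith("=") else " "
            cmds[-1][2] += sep + line
    return [{"menu": m, "verb": v,
             "args": {k: val.strip('"') for k, val in ARG_RE.findall(a)}}
            for m, v, a in cmds]


def _raw_accept_pairs(cmds):
    """(src, dst) of every enabled accept rule in /ip firewall raw."""
    return {(c["args"].get("src-address"), c["args"].get("dst-address"))
            for c in cmds if c["menu"] == "/ip firewall raw"
            and c["args"].get("action") == "accept" and c["args"].get("disabled") != "yes"}


def check_raw_symmetry(cmds):
    """Each enabled raw accept rule needs its mirror image for the return traffic."""
    pairs = _raw_accept_pairs(cmds)
    return sorted(f"raw accept {s} -> {d} has no reverse rule" for s, d in pairs if (d, s) not in pairs)


def check_policies_covered(cmds):
    """A tunnel policy's subnet pair must be covered by an enabled raw accept rule."""
    pairs = _raw_accept_pairs(cmds)
    return [f"policy {c['args']['src-address']} -> {c['args']['dst-address']} has no raw accept rule"
            for c in cmds if c["menu"] == "/ip ipsec policy" and c["args"].get("tunnel") == "yes"
            and (c["args"].get("src-address"), c["args"].get("dst-address")) not in pairs]


def check_fasttrack(cmds):
    """fasttrack-connection must exclude the mark the mangle rules put on IPsec traffic."""
    marks = {c["args"]["new-connection-mark"] for c in cmds
             if c["menu"] == "/ip firewall mangle" and "ipsec-policy" in c["args"]}
    out = []
    for c in cmds:
        if c["args"].get("action") != "fasttrack-connection":
            continue
        cm = c["args"].get("connection-mark", "")
        if not (cm.startswith("!") and cm[1:] in marks):
            out.append(f"fasttrack rule in {c['menu']} does not exclude marks {sorted(marks)}")
    return out


def lint_crypto(cmds):
    """Flag DES/3DES, MD5/SHA1, DH groups of 1024 bits or less, and disabled PFS."""
    out = []
    for c in cmds:
        if c["menu"] not in ("/ip ipsec proposal", "/ip ipsec profile"):
            continue
        name = c["args"].get("name", "<default>")
        for key in CRYPTO_KEYS:
            for alg in filter(None, c["args"].get(key, "").split(",")):
                if alg in WEAK:
                    out.append(f"{c['menu']} {name}: {key}={alg} is weak")
    return out


def run_all(text=SAMPLE):
    cmds = parse(text)
    return {"raw_symmetry": check_raw_symmetry(cmds), "policies_covered": check_policies_covered(cmds),
            "fasttrack": check_fasttrack(cmds), "crypto": lint_crypto(cmds)}


if __name__ == "__main__":
    for check, findings in run_all().items():
        print(check, "ok" if not findings else "", *("\n  - " + f for f in findings))
```

Feed it the output of /export on the actual router rather than a retyped copy: the parser only understands the add/set lines and the wrapped continuation style, which is what an export produces. Disabled raw rules are ignored on purpose, so a rule pair you have switched off does not hide an asymmetry elsewhere.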
Now for a few simple tricks. Since I really did not want to change the settings on every device in my home network, I had to keep DHCP bound to a single network; but, reasonably enough, MikroTik does not let you hang more than one address pool on one bridge. So I found a workaround: for the laptop I simply create a DHCP lease with manual parameters, and since netmask, gateway and DNS each have their own option numbers in DHCP, I specified them by hand.
1. DHCP options
/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"
2. DHCP lease
/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>
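The three options in the lease above all carry IPv4 addresses on the wire: option 1 exactly one subnet mask, options 3 and 6 a list of one or more addresses. The Python below is an added example, not from the article: it builds the option payloads, prints them in RouterOS' 0x... hex syntax (assumption: /ip dhcp-server option accepts a value written as hex with a 0x prefix, as an alternative to the quoted form used above; confirm on your RouterOS version), and decodes an option block back into readable values, which is handy when you capture the DHCP offer on the laptop to confirm what it actually received.

```python
"""DHCP option encoder/decoder for the options used above (added example, not from the article)."""
import ipaddress

# Option codes from the article; all three carry packed IPv4 addresses.
IP_LIST_OPTIONS = {1: "subnet-mask", 3: "router", 6: "domain-name-server"}


def option_payload(code, value):
    """Wire payload: packed IPv4 list for codes 1/3/6 (comma separated), ASCII text otherwise."""
    if code in IP_LIST_OPTIONS:
        addrs = [ipaddress.IPv4Address(v.strip()) for v in value.split(",")]
        if code == 1 and len(addrs) != 1:
            raise ValueError("option 1 carries exactly one subnet mask")
        return b"".join(a.packed for a in addrs)
    return value.encode("ascii")


def routeros_hex(code, value):
    """Value in 0x... form. Assumption: /ip dhcp-server option accepts this hex syntax."""
    return "0x" + option_payload(code, value).hex().upper()


def tlv(code, value):
    """One option as code | length | payload bytes, as it appears in the DHCP options field."""
    payload = option_payload(code, value)
    if len(payload) > 255:
        raise ValueError("option payload exceeds the one-byte length field")
    return bytes([code, len(payload)]) + payload


def parse_options(blob):
    """Decode a TLV sequence (pad bytes skipped, 0xFF ends it) into {code: value}."""
    out, i = {}, 0
    while i < len(blob) and blob[i] != 0xFF:
        if blob[i] == 0:  # pad byte, no length field
            i += 1
            continue
        code, length = blob[i], blob[i + 1]
        payload = blob[i + 2:i + 2 + length]
        i += 2 + length
        if code in IP_LIST_OPTIONS:
            out[code] = ",".join(str(ipaddress.IPv4Address(payload[j:j + 4]))
                                 for j in range(0, len(payload), 4))
        else:
            out[code] = payload.decode("ascii", "replace")
    return out


if __name__ == "__main__":
    # Constructed values: the same mask, gateway and DNS server as in the lease above.
    for code, val in ((1, "255.255.255.0"), (3, "192.168.33.1"), (6, "8.8.8.8")):
        print(f"add code={code} name=option{code}-{IP_LIST_OPTIONS[code]} value={routeros_hex(code, val)}")
```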
Meanwhile the 1072 side is mostly standard: the only difference is that when issuing an IP address to this client, the settings specify that the IP address is entered manually rather than taken from the pool, and it must be issued to this client. For ordinary PC clients the subnet is the same as in the wiki setup, 192.168.55.0/24.
This arrangement means you do not connect from the PC through a third-party program at all; the router itself brings the tunnel up as needed. The load on the cAP ac client is minimal, 8-11% at a throughput of 9-10 MB/s through the tunnel.
All settings were made through Winbox, although the same can be done just as well from the console.
Source: www.habr.com
