MikroTik. IPsec VPN behind NAT as a client

Good day, everyone!

It so happened that over the past two years our company has been gradually moving to MikroTik. The core nodes are built on the CCR1072, and the branch connection points run on simpler devices. Naturally, there is also a merging of networks over IPsec tunnels; in that case the setup is simple and causes no problems, since there is plenty of material on it online. But there are some problems with connecting users' laptops: the vendor's wiki tells you how to use the Shrew Soft VPN client (everything seems clear with that setup), and that client is what 99% of remote users use. The 1% is me: I was too lazy to type the login and password into the client every time, and I wanted a lazy spot on the couch and an easy connection to the work network. I could not find instructions for setting up a MikroTik for the case where it sits not behind a grey (private) address but behind an entirely black one, possibly even behind several NATs. So I had to improvise, and I suggest taking a look at the result.

What we have:

  1. CCR1072 as the core. Version 6.44.1
  2. cAP ac as the home connection point. Version 6.44.1

The main peculiarity of the setup is that the PC and the MikroTik must be on the same network with the same address, which is issued by the main 1072.

On to the settings:

1. Of course we use Fasttrack, but since Fasttrack is incompatible with VPN, we have to exclude the VPN traffic from it.

/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=
    in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=
    out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec

2. Add the networks to be forwarded between home and work

/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 
    src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 
    src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.77.0/24

3. Create the user's connection identity

/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=
    <shared key> xauth-login=username xauth-password=password

4. Create the IPsec proposal

/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none

5. Create the IPsec policy

/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes

6. Create the IPsec profile

/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246

7. Create the IPsec peer

/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=
    profile_88
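The pieces above only work together if they agree with each other: the mangle marks, the fasttrack exclusion, and a raw accept rule in each direction for every policy pair. The following checker is an added example (not from the article or from MikroTik) that parses a constructed excerpt of the export in the wrapped form `/export` prints and cross-checks those pieces; the `<white IP 1072>` placeholder is kept from the article.

```python
import re
# Constructed excerpt of the article's export, wrapped exactly as /export prints it.
EXPORT = """\
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=
    in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=
    out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.76.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
    192.168.33.0/24
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1"
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes
"""
def parse_export(text):
    """Unwrap /export line continuations; return (section, params) rows."""
    text = re.sub(r"=\n +", "=", text)   # 'key=' wrapped before its value
    text = re.sub(r" *\n +", " ", text)  # any other wrapped line
    rows, section = [], ""
    for line in text.splitlines():
        if line.startswith("/"):         # section path, maybe with inline 'add'
            section, _, line = line.partition(" add ")
        if line.strip():
            kv = re.findall(r'(\S+?)=("[^"]*"|<[^>]*>|\S*)', line)
            rows.append((section, {k: v.strip('"') for k, v in kv}))
    return rows

def check_config(text):
    """Every tunnel policy needs raw accept rules both ways; mangle must mark
    in,ipsec and out,ipsec; the fasttrack rule must skip that mark."""
    rows = parse_export(text)
    raw = {(p.get("src-address"), p.get("dst-address")) for s, p in rows
           if s == "/ip firewall raw" and p.get("disabled") != "yes"}
    problems = []
    for s, p in rows:
        if s == "/ip ipsec policy" and p.get("tunnel") == "yes":
            a, b = p["src-address"], p["dst-address"]
            problems += [f"no raw accept rule {x} -> {y}"
                         for x, y in ((a, b), (b, a)) if (x, y) not in raw]
    marks = {p.get("ipsec-policy") for s, p in rows if s == "/ip firewall mangle"}
    if not {"in,ipsec", "out,ipsec"} <= marks:
        problems.append("mangle must mark both in,ipsec and out,ipsec")
    if any(p.get("connection-mark") != "!ipsec" for s, p in rows
           if p.get("action") == "fasttrack-connection"):
        problems.append("fasttrack rule must carry connection-mark=!ipsec")
    return problems
```

Run `check_config` over a full `/export` from the home router before bringing the tunnel up; an empty list means the three sections are consistent.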

Now for a few simple tricks. Since I really did not want to change the settings on every device in my home network, I had to attach DHCP to the same network, but it is only logical that MikroTik does not let you hang more than one address pool on one bridge, so I found a workaround: for the laptop I simply create a DHCP lease with manual parameters, and since netmask, gateway and DNS also have option numbers in DHCP, I set them by hand.

1. DHCP options

/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"

2. DHCP lease

/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=
    option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>

At the same time, the setting on the 1072 matters most: when issuing an IP address to this client, its settings must specify that the manually entered IP address, and not one from the pool, is issued to it. For ordinary PC clients the subnet is the same as in the wiki setup, 192.168.55.0/24.

Such a setup lets you avoid connecting from the PC through a third-party program, and the tunnel itself is raised by the router as needed. The load on the cAP ac client is minimal, 8-11% at a tunnel speed of 9-10 MB/s.

All settings were done through Winbox, although the same can just as successfully be done through the console.

Source: www.habr.com
