My project is not finished yet. A network of 200 MikroTik routers


Hello everyone. This article is intended for those who have a lot of MikroTik devices in their fleet and want to unify them as much as possible so that they do not have to connect to each device separately. In this part I will describe a project that, unfortunately, did not make it into production because of the human factor. In short: more than 200 routers, fast setup and staff training, grouping by region, network and host filtering, the ability to easily add rules to every device, logging and access control.

What is described below does not claim to be a ready-made case, but I hope it will be useful to you when planning your network and will help you avoid mistakes. Perhaps some points and decisions will not seem ideal to you; if so, write in the comments. Criticism on this subject will go into the common pool of experience. So, reader, look in the comments: perhaps the author made a serious mistake, and the community will help.

The number of routers is 200-300, spread across different cities with varying quality of Internet connection. The task is to make everything tidy and to explain to the local admins, in an accessible way, how it will all work.

So where does every project start? Of course, with the terms of reference (TOR).

  1. Organize the network plan for all branches according to the customer's needs, with network segmentation (from 3 to 20 networks per branch, depending on the number of devices).
  2. Configure the devices in each branch. Check the provider's actual bandwidth in different operating modes.
  3. Organize device protection: access control, attack detection with automatic blacklisting for a set period, and minimizing the various technical tricks used to gain administrative access or deny service.
  4. Organize secure VPN connections with network filtering according to the customer's needs. At least 3 VPN connections from each branch to the center.
  5. Following from points 1 and 2, choose the best ways to build fault-tolerant VPNs. The dynamic routing technology, with suitable justification, may be chosen by the contractor.
  6. Organize traffic prioritization by protocol, port, host and the other specific services the customer uses (VOIP, hosts with important services).
  7. Organize monitoring and logging of router events so that technical support staff can respond.

As we know, in some cases the TOR is assembled from requirements. I drew up these requirements myself after listening to the main problems, allowing for the possibility that someone else might take on the implementation of these points.

Which tools will be used to meet these requirements:

  1. ELK stack (after a while it became clear that fluentd would be used instead of logstash).
  2. Ansible. To simplify management and access delegation we will use AWX.
  3. GITLAB. No need to explain this one. Where would we be without version control of our configs.
  4. PowerShell. There will be a simple script for the initial generation of the config.
  5. Doku wiki, for documentation and manuals. In this case we use habr.com.
  6. Monitoring will be done through zabbix. There will also be a connection diagram for general understanding.

EFK setup points

At the first stage I will describe only the ideology by which the indexes will be built. There are many excellent articles on setting up and receiving logs from devices running mikrotik.

I will dwell on a few points:

1. According to the plan, it is worth considering receiving logs from different locations and on different ports. For this we will use a log aggregator. We also need to create a universal dashboard for all routers with the ability to delegate access. Then we create the indexes as follows:

Here is a fragment of the fluentd config for the elasticsearch output (the match pattern and the @type line are assumed; the article's fragment shows only the plugin options):

```
<match mikrotik.north.**>
  # output plugin type, assumed from the options below
  @type elasticsearch
  # with logstash_format true the index is named from logstash_prefix
  # (mikrotiklogs.north-YYYY.MM.DD); index_name is then ignored
  logstash_format true
  index_name mikrotiklogs.north
  logstash_prefix mikrotiklogs.north
  flush_interval 10s
  hosts elasticsearch:9200
  port 9200
</match>
```

In this way we can group the routers and split them according to the plan: mikrotiklogs.west, mikrotiklogs.south, mikrotiklogs.east. Why make it so complicated? We understand that there will be 200 or more devices. You cannot keep track of everything. Since elasticsearch version 6.8 the security features are available to us (without buying a license), so we can distribute viewing rights between technical support staff or local admins.
Tables, graphs: here you just need to agree, either everyone uses the same ones, or everyone builds what suits them.

2. On logging. If we enable logging in the firewall rules, we give the rules names without spaces. You can see that with a simple configuration in the aggregator we can filter the data and build convenient dashboards. The picture below is from my home router.

[Screenshot from the author's home router: a log dashboard built in the aggregator]

3. On disk space and logs. On average, at 1000 messages per hour, the logs take 2-3 MB per day, which, you will agree, is not much. elasticsearch version 7.5.

ANSIBLE.AWX

Luckily for us, there is a ready-made module for routeros.
I mentioned AWX, but the instructions below are only about ansible in its pure form; I think those who have worked with ansible will have no problem using awx through the gui.

Honestly, before this I looked at several manuals where ssh was used, and everyone had different problems with response times and a bunch of other issues. I repeat, this did not reach production; take this information as an experiment that did not go beyond a test bench of 20 routers.

We need to use a certificate or an account. It is up to you, I am for certificates. A few subtle points about rights. I grant write rights; at least "reset config" will not work.
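To make point 2 concrete, here is an added example (not code from the article) that parses RouterOS firewall log lines and counts hits per rule name, the way a dashboard in the aggregator would. The line layout is assumed from the standard RouterOS firewall log format, and the sample lines are constructed; the last sample has a rule name with a space in it, which is exactly the case the article warns about, and it fails to parse.

```python
import re
from collections import Counter

# Assumed RouterOS firewall log layout (the line shape, not text from the article):
#   <topics> <log-prefix> <chain>: in:<if> out:<if>, src-mac <mac>, proto <proto>[ (<flags>)],
#   <src>[:<sport>]-><dst>[:<dport>], len <n>
# The log-prefix is the first whitespace-delimited token after the topics. That is why rule
# names must not contain spaces: a space would shift every later field in the line.
FW_LINE = re.compile(
    r"^(?P<topics>[\w,]+) "
    r"(?P<prefix>\S+) "
    r"(?P<chain>\w+): "
    r"in:(?P<in_if>\S+) out:(?P<out_if>[^,]+), "
    r"src-mac (?P<src_mac>[0-9A-Fa-f:]+), "
    r"proto (?P<proto>\w+)(?: \((?P<flags>[^)]*)\))?, "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?->(?P<dst>[\d.]+)(?::(?P<dport>\d+))?, "
    r"len (?P<length>\d+)$"
)

# Constructed sample lines (RFC 5737 documentation addresses). The last one uses a rule
# name with a space and is expected to fail parsing.
SAMPLE_LINES = [
    "firewall,info drop_ssh_scan input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.5:51234->198.51.100.1:22, len 60",
    "firewall,info drop_ssh_scan input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.5:51235->198.51.100.1:22, len 60",
    "firewall,info drop_ssh_scan input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:66, proto TCP (SYN), 203.0.113.77:40001->198.51.100.1:22, len 60",
    "firewall,info allow_voip forward: in:ether2 out:ether1, src-mac aa:bb:cc:dd:ee:ff, proto UDP, 172.22.4.10:5060->198.51.100.20:5060, len 328",
    "firewall,info drop_icmp input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto ICMP (type 8, code 0), 203.0.113.5->198.51.100.1, len 84",
    "firewall,info drop ssh input: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 203.0.113.5:1->198.51.100.1:22, len 60",
]


def is_valid_prefix(name):
    """A log prefix usable as a field: non-empty, no whitespace, no ':' (the chain separator)."""
    return bool(name) and not re.search(r"[\s:]", name)


def parse_firewall_line(line):
    """Return the fields of one firewall log line as a dict, or None if it does not match."""
    m = FW_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["topics"] = rec["topics"].split(",")
    for key in ("sport", "dport", "length"):
        rec[key] = int(rec[key]) if rec[key] is not None else None
    return rec


def summarize(lines):
    """Count parsed lines per rule prefix; keep unparseable lines so they are not silently lost."""
    by_prefix = Counter()
    unparsed = []
    for line in lines:
        rec = parse_firewall_line(line)
        if rec is None:
            unparsed.append(line)
        else:
            by_prefix[rec["prefix"]] += 1
    return {"by_prefix": by_prefix, "unparsed": unparsed}


def top_sources(lines, prefix, n=3):
    """Most frequent source addresses for one rule prefix, e.g. to review what a blacklist caught."""
    srcs = Counter(
        rec["src"]
        for rec in map(parse_firewall_line, lines)
        if rec is not None and rec["prefix"] == prefix
    )
    return srcs.most_common(n)


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    for prefix, count in result["by_prefix"].most_common():
        print(f"{prefix:15} {count}")
    print("unparsed:", len(result["unparsed"]))
    print("top sources for drop_ssh_scan:", top_sources(SAMPLE_LINES, "drop_ssh_scan"))
```

The unparsed list is worth keeping on a dashboard of its own: a rule name with a space, or a renamed rule, shows up there first rather than silently disappearing from the counts.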

There should be no problems generating the key (the author's "certificate"), copying it to the router and exporting it:

A brief list of the commands. On your PC:

```
ssh-keygen -t rsa
```

Answer the questions and save the key. Copy it to the mikrotik (first create the account and assign its rights):

```
/user ssh-keys import public-key-file=id_mtx.pub user=ansible
```

Check the connection with the key:

```
ssh -p 49475 -i /keys/mtx [email protected]
```

Edit /etc/ansible/hosts:

```
MT01 ansible_network_os=routeros ansible_ssh_port=49475 ansible_ssh_user=ansible
MT02 ansible_network_os=routeros ansible_ssh_port=49475 ansible_ssh_user=ansible
MT03 ansible_network_os=routeros ansible_ssh_port=49475 ansible_ssh_user=ansible
MT04 ansible_network_os=routeros ansible_ssh_port=49475 ansible_ssh_user=ansible
```

Well, an example playbook:

```yaml
- name: add_work_sites
  hosts: testmt
  serial: 1                 # one router at a time
  connection: network_cli
  remote_user: mikrotik.west
  gather_facts: yes
  tasks:
    - name: add Work_sites
      routeros_command:
        commands:
          - /ip firewall address-list add address=gov.ru list=work_sites comment=Ticket665436_Ochen_nado
          - /ip firewall address-list add address=habr.com list=work_sites comment=for_habr
```

As you can see from the configuration above, putting together your own playbooks is a simple matter. It is enough to know the mikrotik cli well. Imagine a situation where you need to remove an address list with some data from all routers, then:

Find and remove:

```
/ip firewall address-list remove [find where list="gov.ru"]
```

I deliberately did not include the whole firewall rule list here. It will be a separate article. But I can say one thing: use only address lists.

As for GITLAB, everything is clear. I will not dwell on it now. Everything is fine in terms of individual tasks, templates, runners.

Powershell

There will be three files. Why powershell? The tool for generating configs can be chosen by whoever is comfortable with it. In this case everyone has windows on their PC, so why do it in bash when powershell is simpler. Whichever is more convenient.
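An added example (not from the article) for the add/remove workflow above: given the address-list entries you want (kept in git) and what one router currently holds, it computes the RouterOS commands that bring that router to the desired state, so the same playbook is safe to run repeatedly. It also normalizes comments to the no-spaces form the article uses and rejects malformed addresses before they reach a router. The entries and the router's current state are constructed; the add/remove command syntax is the one shown in the article.

```python
import re
from ipaddress import ip_network

# Desired entries for one list, as they would live in git. Constructed for this example;
# gov.ru and habr.com are the two entries from the playbook in the article.
DESIRED = [
    {"list": "work_sites", "address": "gov.ru", "comment": "Ticket 665436 very needed"},
    {"list": "work_sites", "address": "habr.com", "comment": "for habr"},
    {"list": "work_sites", "address": "203.0.113.0/24", "comment": "Ticket 665500 partner range"},
]

# What one router currently holds (constructed): one stale entry that has to go.
CURRENT = [
    {"list": "work_sites", "address": "gov.ru"},
    {"list": "work_sites", "address": "old.example"},
]

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I
)


def sanitize_comment(text):
    """Comments without spaces or quotes, like Ticket665436_Ochen_nado in the article."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]+", "_", text.strip()).strip("_")
    return cleaned or "no_comment"


def is_valid_address(addr):
    """Accept an IPv4/IPv6 address or network, or a hostname; reject anything else."""
    try:
        ip_network(addr, strict=False)
        return True
    except ValueError:
        return bool(HOSTNAME_RE.match(addr))


def plan_changes(current, desired):
    """Commands that bring a router's address lists to the desired state.

    Only lists that appear in `desired` are managed; entries in other lists are untouched.
    Returns (adds, removes) as lists of RouterOS command strings.
    """
    for entry in desired:
        if not is_valid_address(entry["address"]):
            raise ValueError(f"invalid address {entry['address']!r}")
    managed_lists = {e["list"] for e in desired}
    have = {(e["list"], e["address"]) for e in current}
    want = {(e["list"], e["address"]) for e in desired}
    adds = [
        f'/ip firewall address-list add list={e["list"]} address={e["address"]} '
        f'comment={sanitize_comment(e["comment"])}'
        for e in desired
        if (e["list"], e["address"]) not in have
    ]
    removes = [
        f'/ip firewall address-list remove [find where list="{lst}" address="{addr}"]'
        for (lst, addr) in sorted(have - want)
        if lst in managed_lists
    ]
    return adds, removes


if __name__ == "__main__":
    adds, removes = plan_changes(CURRENT, DESIRED)
    print("\n".join(adds + removes))
```

The two lists map directly onto the commands: key of a routeros_command task; because the plan is computed against the router's real state, a second run produces no commands at all, which is the behaviour you want when 200 routers are touched from one playbook.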

The script itself (simple and clear):

```powershell
[CmdletBinding()]
Param(
    # Each value replaces one placeholder token in the template file $infile
    [Parameter(Mandatory=$true)] [string]$EXTERNALIPADDRESS,
    [Parameter(Mandatory=$true)] [string]$EXTERNALIPROUTE,
    [Parameter(Mandatory=$true)] [string]$BWorknets,
    [Parameter(Mandatory=$true)] [string]$CWorknets,
    [Parameter(Mandatory=$true)] [string]$BVoipNets,
    [Parameter(Mandatory=$true)] [string]$CVoipNets,
    [Parameter(Mandatory=$true)] [string]$CClients,
    [Parameter(Mandatory=$true)] [string]$BVPNWORKs,
    [Parameter(Mandatory=$true)] [string]$CPWORKs,
    [Parameter(Mandatory=$true)] [string]$BVPNCLIENTSs,
    [Parameter(Mandatory=$true)] [string]$cVPNCLIENTSs,
    [Parameter(Mandatory=$true)] [string]$NAMEROUTER,
    [Parameter(Mandatory=$true)] [string]$ServerCertificates,
    [Parameter(Mandatory=$true)] [string]$infile,
    [Parameter(Mandatory=$true)] [string]$outfile
)

# Read the template line by line and substitute every token.
# String.Replace is case-sensitive, so "Clients" does not touch "BVPNCLIENTS".
Get-Content $infile | ForEach-Object {$_.Replace("EXTERNIP", $EXTERNALIPADDRESS)} |
ForEach-Object {$_.Replace("EXTOUTE", $EXTERNALIPROUTE)} |
ForEach-Object {$_.Replace("BWorknet", $BWorknets)} |
ForEach-Object {$_.Replace("CWorknet", $CWorknets)} |
ForEach-Object {$_.Replace("BVoipNet", $BVoipNets)} |
ForEach-Object {$_.Replace("CVoipNet", $CVoipNets)} |
ForEach-Object {$_.Replace("Clients", $CClients)} |
ForEach-Object {$_.Replace("BVPNWORK", $BVPNWORKs)} |
ForEach-Object {$_.Replace("CPVWORK", $CPWORKs)} |
ForEach-Object {$_.Replace("BVPNCLIENTS", $BVPNCLIENTSs)} |
ForEach-Object {$_.Replace("CPVCLIENTS", $cVPNCLIENTSs)} |
ForEach-Object {$_.Replace("MYNAMERROUTER", $NAMEROUTER)} |
ForEach-Object {$_.Replace("ServerCertificate", $ServerCertificates)} | Set-Content $outfile
```

I apologize, I cannot post all the rules. That would not be right. You can create the rules yourself, guided by best practices.

For example, here is the list of links I was guided by:
wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter
wiki.mikrotik.com/wiki/Manual:OSPF-examples
wiki.mikrotik.com/wiki/Drop_port_scanners
wiki.mikrotik.com/wiki/Manual:Winbox
wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS
wiki.mikrotik.com/wiki/Manual:IP/Fasttrack - here you need to know that when fasttrack is enabled, the traffic prioritization and shaping rules do not work; it is useful for weak devices.

Variable conventions. The following networks are taken as an example:
192.168.0.0/24 work network
172.22.4.0/24 VOIP network
10.0.0.0/24 network for clients without LAN access
192.168.255.0/24 VPN network for large branches
172.19.255.0/24 VPN network for small branches

A network address consists of four numbers, A.B.C.D respectively, and the substitution works on this principle: if a variable name starts with B, you enter the second octet of the network, if it starts with C, the third (for the network 192.168.0.0/24 that gives B = 168 and C = 0).
$EXTERNALIPADDRESS - the address assigned by the provider.
$EXTERNALIPROUTE - the default route for the network 0.0.0.0/0
$BWorknets - work network, in our example it will be 168
$CWorknets - work network, in our example it will be 0
$BVoipNets - VOIP network, in our example 22
$CVoipNets - VOIP network, in our example 4
$CClients - client network with Internet access only, in our case 0
$BVPNWORKs - VPN network for large branches, in our example 20
$CPWORKs - VPN network for large branches, in our example 255
$BVPNCLIENTS - VPN network for small branches, here 19
$CVPNCLIENTS - VPN network for small branches, here 255
$NAMEROUTER - the router name
$ServerCertificate - the name of the certificate you are importing
$infile - the path to the file from which the config will be read, for example D:\config.txt (better a Latin-only path without quotes and spaces)
$outfile - the path to save to, for example D:\MT-test.txt
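The PowerShell script above and the variable conventions just listed describe a plain search-and-replace. Here is an added example (not the author's code) of the same generator written so that it checks its input first: every octet must be 0-255, the external address and gateway must be IPv4 addresses, names must contain no spaces or quotes, and all tokens are replaced in a single pass so a value can never be re-substituted by a later replacement. The template is a constructed stand-in for the author's unpublished config, the token names are the placeholders from the script, and the values follow the example networks listed above.

```python
import re
from ipaddress import IPv4Address

# Token names mirror the placeholders the article's PowerShell script replaces. The kind next
# to each token is an assumption about what a valid value looks like (octet, IPv4, name).
TOKENS = {
    "EXTERNIP": "ipv4", "EXTOUTE": "ipv4",
    "BWorknet": "octet", "CWorknet": "octet",
    "BVoipNet": "octet", "CVoipNet": "octet",
    "Clients": "octet",
    "BVPNWORK": "octet", "CPVWORK": "octet",
    "BVPNCLIENTS": "octet", "CPVCLIENTS": "octet",
    "MYNAMERROUTER": "name", "ServerCertificate": "name",
}

# Constructed template: a tiny stand-in for the author's config file, not their actual file.
TEMPLATE = """/system identity set name=MYNAMERROUTER
/ip address add address=EXTERNIP/30 interface=ether1
/ip route add dst-address=0.0.0.0/0 gateway=EXTOUTE
/ip address add address=192.BWorknet.CWorknet.1/24 interface=bridge-work
/ip address add address=172.BVoipNet.CVoipNet.1/24 interface=bridge-voip
/ip address add address=10.0.Clients.1/24 interface=bridge-clients
/interface sstp-server server set enabled=yes certificate=ServerCertificate
"""

# Values for one router, following the article's conventions (B = second octet, C = third).
EXAMPLE_VALUES = {
    "EXTERNIP": "198.51.100.2", "EXTOUTE": "198.51.100.1",
    "BWorknet": "168", "CWorknet": "0",
    "BVoipNet": "22", "CVoipNet": "4",
    "Clients": "0",
    "BVPNWORK": "20", "CPVWORK": "255",
    "BVPNCLIENTS": "19", "CPVCLIENTS": "255",
    "MYNAMERROUTER": "MT-west-01", "ServerCertificate": "vpn-west-01",
}

# One alternation, longest token first, so a single pass replaces every token exactly once.
TOKEN_RE = re.compile("|".join(re.escape(t) for t in sorted(TOKENS, key=len, reverse=True)))


def check_value(kind, value):
    """Return an error string if value is not a valid <kind>, else None."""
    if kind == "octet":
        if not (value.isdigit() and 0 <= int(value) <= 255):
            return f"{value!r} is not an octet in 0..255"
    elif kind == "ipv4":
        try:
            IPv4Address(value)
        except ValueError:
            return f"{value!r} is not an IPv4 address"
    elif kind == "name":
        if not re.fullmatch(r"[A-Za-z0-9._-]+", value):
            return f"{value!r} must be non-empty with no spaces or quotes"
    return None


def validate(template, values):
    """Errors for every token the template uses: missing value, bad value, or a value that
    itself contains a token (which would be corrupted by a sequential search-and-replace)."""
    errors = []
    for token in sorted(set(TOKEN_RE.findall(template))):
        if token not in values:
            errors.append(f"{token}: no value supplied")
            continue
        err = check_value(TOKENS[token], values[token])
        if err:
            errors.append(f"{token}: {err}")
        elif TOKEN_RE.search(values[token]):
            errors.append(f"{token}: value {values[token]!r} contains a template token")
    return errors


def render(template, values):
    """Substitute all tokens in one pass; refuse to produce a config from bad input."""
    errors = validate(template, values)
    if errors:
        raise ValueError("; ".join(errors))
    return TOKEN_RE.sub(lambda m: values[m.group(0)], template)


if __name__ == "__main__":
    print(render(TEMPLATE, EXAMPLE_VALUES))
```

The validation step is the part worth keeping whatever language you generate in: a typo such as an octet of 256 or a router name with a space is cheap to catch here and expensive to find after the config has been pushed to a branch you cannot reach.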

I deliberately changed the addresses in the examples, for obvious reasons.

I skipped the point about detecting attacks and anomalous behaviour; that deserves a separate article. But it is worth mentioning that in this part you can use the monitoring data from Zabbix plus curl-processed data from elasticsearch.

Which points deserve attention:

  1. The network plan. It is better to write it down in a readable form. Excel is fine. Unfortunately, I often see networks put together on the principle "a new branch appeared, here is your /24". Nobody looks at how many devices are expected at a given site or whether there will be any growth. For example, a small shop opens where it is clear from the start that there will be no more than ten devices, so why allocate a /10? For large branches it is the opposite: they allocate a /24, and there are 24 devices; you can always extend the network, but you need to think everything through in advance.
  2. Filtering rules. If the project assumes that networks will be separated and heavily segmented. Best practices change over time. At first, the PC network and the printer network were separated; now it is common not to separate them. Use common sense: do not create many subnets where they are not needed, and do not merge all devices into one network.
  3. A "golden" configuration on all routers. That is, if you have a plan. It is worth foreseeing everything at once and trying to make sure that all the configurations are identical; only the address lists and ip addresses differ. In a problem situation the troubleshooting time will be minimal.
  4. Organizational issues are no less important than technical ones. Often lazy staff follow these recommendations "by hand", without using the prepared configurations and documentation, which leads to problems from the very beginning.

On dynamic routing. OSPF with areas was used. But this was a test bench; in production such things are much more interesting to set up.

I hope no one is offended that I did not post the router configuration. I think the links will be enough, and after that everything depends on the requirements. And of course testing; more tests are needed.

I wish everyone to see their projects through in the new year. May access be with you!!!

Source: www.habr.com
