In this step-by-step guide, I will show you how to configure Mikrotik so that blocked sites open automatically through this VPN and you can skip the dancing with tambourines: set it up once and everything works.
I chose SoftEther as the VPN: it is as easy to set up as
I considered RRAS as an alternative, but Mikrotik does not know how to work with it. The connection is established and the VPN works, but Mikrotik cannot maintain the connection without constant reconnects and errors in the log.
The setup was done using the RB3011UiAS-RM on firmware version 6.46.11 as the example.
Now, in order, what and how.
1. Create the VPN connection
Of course, SoftEther, L2TP with a pre-shared key, was chosen as the VPN solution. This level of security is sufficient for anyone, because only the router and its owner know the key.
Go to the Interfaces section. First, we add a new interface, and then enter the IP, login, password and shared key in that interface. Click OK.
The equivalent command:
/interface l2tp-client
add name="LD8" connect-to=45.134.254.112 user="Administrator" password="PASSWORD" profile=default-encryption use-ipsec=yes ipsec-secret="vpn"
SoftEther will work without changing the IPsec proposals and IPsec profiles, so we do not cover configuring them, but the author left screenshots of his profiles, just in case.
For RRAS, in IPsec Proposals, simply change PFS Group to none.
Now you need to get behind the NAT of this VPN server. To do this, go to IP > Firewall > NAT.
Here we enable masquerade for a specific PPP interface or for all of them. The author's router is connected to three VPNs at once, so I did this:
The equivalent command:
/ip firewall nat
add chain=srcnat action=masquerade out-interface=all-ppp
2. Add rules to Mangle
The first thing I want, of course, is to protect everything that is most valuable and defenseless, namely DNS and HTTP traffic. Let's start with HTTP.
Go to IP → Firewall → Mangle and create a new rule.
In the rule, for Chain, select Prerouting.
If there is a Smart SFP or another router in front of this router and you want to reach it through its web interface, enter its IP address or subnet in the Dst. Address field and set the negation mark, so that Mangle is not applied to that address or subnet. The author has an SFP GPON ONU in bridge mode, so the author kept the ability to connect to its web interface.
By default, Mangle applies its rule to all NAT states, which makes port forwarding on your white (public) IP impossible, so in Connection NAT State we tick dstnat and set the negation mark. This lets us send outgoing traffic through the VPN while still forwarding ports through our white IP.
Next, on the Action tab, select mark routing and give New Routing Mark a name that will still be clear to us in the future, then continue.
The equivalent command:
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=HTTP passthrough=no connection-nat-state=!dstnat protocol=tcp dst-address=!192.168.1.1 dst-port=80
Now let's move on to DNS protection. In this case, you need to create two rules: one for the router, the other for the devices connected to the router.
If you use the DNS built into the router, which the author does, it also needs to be protected. So for the first rule, as above, we select the prerouting chain, and for the second we need to select output.
Output is the chain that the router itself uses for requests made by its own services. Everything here is the same as for HTTP, with the UDP protocol and port 53.
The equivalent commands:
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=DNS passthrough=no protocol=udp dst-port=53
add chain=output action=mark-routing new-routing-mark=DNS-Router passthrough=no protocol=udp dst-port=53
3. Build a route through the VPN
Go to IP → Routes and create a new route.
This is the route for sending HTTP over the VPN. We specify the name of our VPN interface and select the Routing Mark.
At this point, you have already felt how your operator has stopped
The equivalent command:
/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=HTTP distance=2 comment=HTTP
The routes for DNS protection look exactly the same, just select the mark you need:
Here you have felt how your DNS requests stopped being listened to. The equivalent commands:
/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS distance=1 comment=DNS
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS-Router distance=1 comment=DNS-Router
Well, finally, let's unblock Rutracker. The whole subnet belongs to it, so the subnet is specified.
That is how easy it was to get your internet back. Command:
/ip route
add dst-address=195.82.146.0/24 gateway=LD8 distance=1 comment=Rutracker.Org
In the same way as with Rutracker, you can route corporate resources and other blocked sites.
The author hopes that you will appreciate the convenience of reaching Rutracker and the corporate portal at the same time without taking off your sweater.
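Steps 1 to 3 only work together: every routing mark set in Mangle needs a route carrying the same mark, and the gateway of that route needs a masquerade rule. The check below is an added example, not part of the original article; it reads configuration text in the same form as the commands above and reports marks that would not be steered into the VPN. The sample input is constructed from the page's commands, with the DNS-Router route left out on purpose, and the function names parse and audit are hypothetical.

```python
import shlex

# Constructed sample: the page's commands, DNS-Router route omitted on purpose.
SAMPLE = """\
/interface l2tp-client
add name="LD8" connect-to=45.134.254.112 user="Administrator" use-ipsec=yes
/ip firewall nat
add chain=srcnat action=masquerade out-interface=all-ppp
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=HTTP passthrough=no protocol=tcp dst-port=80
add chain=prerouting action=mark-routing new-routing-mark=DNS passthrough=no protocol=udp dst-port=53
add chain=output action=mark-routing new-routing-mark=DNS-Router passthrough=no protocol=udp dst-port=53
/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=HTTP distance=2
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS distance=1
"""

def parse(text):
    """Return {menu: [{key: value}, ...]} for every 'add' line under a menu."""
    menus, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
            menus.setdefault(menu, [])
        elif line.startswith("add ") and menu:
            pairs = (tok.split("=", 1) for tok in shlex.split(line[4:]) if "=" in tok)
            menus[menu].append(dict(pairs))
    return menus

def audit(text):
    """List findings: marks without a route, VPN gateways without masquerade."""
    cfg = parse(text)
    ppp = {i["name"] for i in cfg.get("/interface l2tp-client", [])}
    nat_out = {r.get("out-interface") for r in cfg.get("/ip firewall nat", [])
               if r.get("action") == "masquerade"}
    routes = {r["routing-mark"]: r.get("gateway")
              for r in cfg.get("/ip route", []) if "routing-mark" in r}
    findings = []
    for rule in cfg.get("/ip firewall mangle", []):
        mark = rule.get("new-routing-mark")
        if rule.get("action") != "mark-routing" or not mark:
            continue
        gw = routes.get(mark)
        if gw is None:
            findings.append(f"mark {mark}: no route with routing-mark={mark}")
        elif gw not in nat_out and not (gw in ppp and "all-ppp" in nat_out):
            findings.append(f"mark {mark}: gateway {gw} has no masquerade rule")
    return findings
```

Calling audit(SAMPLE) returns one finding for DNS-Router; once the third route from step 3 is present the list is empty.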
Source: www.habr.com