MikroTik: IPsec VPN for a client behind NAT

Good day, everyone!

It so happens that over the last two years our company has been gradually migrating to MikroTik hardware. The core nodes are built on the CCR1072, while the access points for local PCs run on simpler devices. Naturally, we also link sites together over IPsec tunnels; for that case the setup is very simple and straightforward, thanks to the many resources available online. Connecting mobile clients, however, raises its own problems. The vendor's wiki describes how to use the Shrew Soft VPN client (that configuration seems self-explanatory); it is the client used by 99% of remote-access users, and the remaining 1% is me. I simply could not be bothered to type my login and password every time, and I wanted a relaxed couch-potato experience with convenient access to the work networks. I found no instructions for configuring a MikroTik in a situation where it not only has no dedicated public address but sits behind a completely grey one, and possibly behind several layers of NAT. So I had to improvise, and I suggest you take a look at the results.

Available hardware:

  1. CCR1072 as the main device, version 6.44.1
  2. cAP ac as the home access point, version 6.44.1

The key feature of the scenario is that the PC and the MikroTik sit in the same network, using addressing issued by the main 1072.

Let's move on to the settings:

1. Naturally we have Fasttrack enabled, but since Fasttrack cannot handle VPN traffic, we have to carve that traffic out of it.

/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=
    in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=
    out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec

2. Add the forwarding between the home and work networks

/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 
    src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 
    src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.77.0/24

3. Create the identity for the user connection

/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=
    общий ключ xauth-login=username xauth-password=password

4. Create the IPsec proposal

/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none

5. Create the IPsec policy

/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes

6. Create the IPsec profile

/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246

7. Create the IPsec peer

/ip ipsec peer
add address=<white IP 1072>/32 local-address=<ваш адрес роутера> name=CO profile=
    profile_88
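As an added example (not from the post, and not a MikroTik tool), here is a small Python checker that parses the RouterOS export format used in steps 4 to 7 (commands whose long lines wrap onto indented continuation lines, plus the `set [ find default=yes ]` form) and flags the settings in steps 4 and 6 that a reviewer would want to revisit before rolling the tunnel out: 3DES, modp1024, `pfs-group=none` and disabled dead peer detection. The embedded sample export is constructed to mirror those two steps.

```python
import re
from typing import Dict, List, Tuple
# Constructed sample in RouterOS export format (as in the post's steps 4 and 6): long lines wrap onto indented continuations.
SAMPLE_EXPORT = """\
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
"""
WEAK_ENC = {"des", "3des", "blowfish", "null"}   # legacy or no-confidentiality ciphers
WEAK_DH = {"modp768", "modp1024"}                # DH groups below 2048 bits

def parse_export(text: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """Join wrapped lines, then split each command into (section, verb, params)."""
    joined: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and joined:          # indented line = continuation
            joined[-1] += ("" if joined[-1].endswith("=") else " ") + line.strip()
        elif line.strip():
            joined.append(line.rstrip())
    section, entries = "", []
    for line in joined:
        if line.startswith("/"):                     # e.g. "/ip ipsec profile"
            section = line
            continue
        verb, _, rest = line.partition(" ")
        rest = re.sub(r"^\[.*?\]\s*", "", rest)      # drop "[ find default=yes ]"
        params = {k: v.strip('"') for k, v in re.findall(r"(\S+?)=(\S*)", rest)}
        entries.append((section, verb, params))
    return entries

def audit_ipsec(entries) -> List[str]:
    """Return findings for settings worth tightening before exposing the tunnel."""
    findings: List[str] = []
    for section, verb, p in entries:
        label = f"{section} {p.get('name', verb)}"
        algs = p.get("enc-algorithms") or p.get("enc-algorithm") or ""
        weak = sorted(set(algs.split(",")) & WEAK_ENC)
        if weak:
            findings.append(f"{label}: weak cipher(s) {weak}")
        if section.endswith("proposal") and p.get("pfs-group") == "none":
            findings.append(f"{label}: PFS disabled (pfs-group=none)")
        if p.get("dh-group") in WEAK_DH:
            findings.append(f"{label}: weak DH group {p['dh-group']}")
        if p.get("dpd-interval") == "disable-dpd":
            findings.append(f"{label}: dead peer detection disabled")
    return findings
```

To check a real router, paste the output of `/ip ipsec export` in place of the sample text; the profile that has `dpd-interval=disable-dpd` and the proposal with `pfs-group=none` from the post would each show up in the findings.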

Now for a little simple magic. Since I really did not want to change the settings on every device in my home network, I had to somehow hand out addresses from the same subnet over DHCP, but it turns out MikroTik will not let you hand out one address pool over more than one bridge. So I found a workaround: for a single device, the laptop, I created a DHCP lease with manual parameters, and since the netmask, gateway and DNS also have their own DHCP option numbers, I specified those by hand as well.

1. DHCP options

/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"

2. DHCP lease

/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=
    option1-netmask,option3-gateway,option6-dns mac-address=<MAC адрес ноутбука>

Meanwhile, the configuration on the 1072 is practically the default one; the only difference is that, when the client's IP address is issued, the settings specify that the IP address is entered manually rather than taken from the pool that would otherwise hand it out. For ordinary PC clients the subnet is the same as in the Wiki configuration, 192.168.55.0/24.

A setup like this lets you avoid connecting the PC through third-party software, and the router itself brings up the tunnel when needed. The load on the cAP ac client is close to minimal, 8-11% at a throughput of 9-10 MB/s through the tunnel.

All settings were made in Winbox, although the same result can be achieved from the console.

Source: www.habr.com
