Mikrotik. IPSEC VPN behind NAT as a client

Good day, everyone!

It so happened that over the past two years our company has gradually migrated to Mikrotiks. The main nodes are built on the CCR1072, and at the local sites, where the computers connect, the devices are simpler. Of course, there is also joining of networks over IPSEC tunnels; in that case the setup is simple and causes no trouble, since there is plenty of material on the web. But there are certain problems with mobile connection of clients: the manufacturer's wiki tells you how to use the Shrew Soft VPN client (everything seems clear in that setup), and it is this client that 99% of remote-access users use. And the remaining 1% is me: I was too lazy to type the login and password into the client every time, and I wanted a lazy spot on the bed with a convenient connection to the work networks. I found no instructions on configuring a Mikrotik for the case when it is not merely behind a gray address, but entirely behind a black one, and perhaps even behind several NATs in the network. So I had to figure it out myself, and I suggest taking a look at the result.

Given:

  1. CCR1072 as the main device, version 6.44.1
  2. cAP ac as the home access point, version 6.44.1

The main feature of the setup is that the PC and the Mikrotik are on the same network and share the same address, which the main 1072 issues.

Let's move on to the settings:

1. Of course, we have Fasttrack enabled, but since Fasttrack cannot coexist with the VPN, the traffic has to be separated out.

/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec

2. Adding the home and work networks for forwarding

/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.77.0/24

3. Create the identity for the user connection

/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=<shared key> xauth-login=username xauth-password=password

4. Create the IPSEC proposal

/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none

5. Create the IPSEC policy

/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes

6. Create the IPSEC profile

/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246

7. Create the IPSEC peer

/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=profile_88

Now a little simple magic. Since I really did not want to change the settings on all the devices in my home network, I had to somehow hang DHCP on that same network, but it turns out Mikrotik does not let you hang more than one address pool on a single bridge. So I found a way out: for the laptop I created a DHCP lease with manual parameters, and since netmask, gateway and DNS also have their own DHCP option numbers, I specified them by hand.

1. DHCP options

/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"

2. DHCP lease

/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=option1-netmask,option3-gateway,option6-dns mac-address=<MAC address of the laptop>

At the same time, the setup on the 1072 is practically basic; the only thing is that, when issuing the client's IP address, the settings specify that the IP address is entered manually rather than taken from the pool, and that it must be handed to this client. For ordinary PC clients the subnet is the same as in the Wiki configuration, 192.168.55.0/24.

A setup like this lets you avoid connecting the PC through third-party software, and the tunnel itself is brought up by the router when needed. The load on the cAP ac client is nearly minimal: 8-11% at a total throughput of 9-10 MB/s through the tunnel.

All the settings were made in Winbox, although the same result can be achieved from the console.

Source: www.habr.com
