Opening the Internet on Mikrotik via VPN: a detailed guide

In this step-by-step guide I will explain how to set up a Mikrotik so that blocked sites open automatically through a VPN, sparing you the usual fiddling: configure it once and everything works.

For my VPN I chose SoftEther: it is as easy to set up as RRAS and is the fastest. I enabled Secure NAT on the VPN server side and made no other settings.

I considered RRAS as an alternative, but Mikrotik does not know how to work with it. The connection is established and the VPN works, but Mikrotik cannot keep the connection up without constant reconnects and errors in the log.

The setup was done on an RB3011UiAS-RM running firmware version 6.46.11.
Now, in order: what and why.

1. Setting up the VPN connection

As the VPN solution, of course, SoftEther with L2TP and a pre-shared key was chosen. This level of security is enough for anyone, since only the router and its owner know the key.

Go to the interfaces section. First add a new interface, then enter the IP, login, password and pre-shared key inside the interface. Click OK.

The equivalent command:

/interface l2tp-client
add name="LD8" connect-to=45.134.254.112 user="Administrator" password="PASSWORD" profile=default-encryption use-ipsec=yes ipsec-secret="vpn"

SoftEther works without changing the IPsec proposal or IPsec profiles, so their configuration is not covered here, but the author left screenshots of his settings just in case.

For RRAS, in the IPsec proposal just change the PFS group to none.

Now you need to get behind the NAT of this VPN server. To do this, go to IP > Firewall > NAT.

Here we enable masquerade for a specific PPP interface, or for all of them. The author's router is connected to three VPNs at once, so I did it this way:

The equivalent command:

/ip firewall nat
add chain=srcnat action=masquerade out-interface=all-ppp

2. Adding rules to Mangle

The first thing you want, of course, is to protect what is most valuable and most exposed, namely DNS and HTTP traffic. Let's start with HTTP.

Go to IP → Firewall → Mangle and create a new rule.

In the rule, for Chain choose Prerouting.

If there is a Smart SFP or another router in front of the router and you want to connect to it through its web interface, enter its IP address or subnet in Dst. Address and set the negation mark so that Mangle is not applied to that address or subnet. The author has an SFP GPON ONU in bridge mode, so the author kept the ability to connect to its web interface.

By default, Mangle applies its rule to all NAT states, which would make port forwarding to your public IP impossible, so in Connection NAT State tick dstnat and the negation mark. This lets us send outbound traffic to the network through the VPN while still forwarding ports on the public IP.

Next, on the Action tab, choose mark routing, give the New Routing Mark a name so that it is clear to us later, and move on.

The equivalent command:

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=HTTP passthrough=no connection-nat-state=!dstnat protocol=tcp dst-address=!192.168.1.1 dst-port=80

Now let's move on to protecting DNS. In this case you need to create two rules: one for the router itself, the other for the devices connected to the router.

If you use the DNS built into the router, which the author does, it must also be protected. So for the first rule, as above, we choose the prerouting chain; for the second we need to choose output.

Output is the chain the router itself uses for requests made by its own functions. Everything here is the same as for HTTP: UDP protocol, port 53.

The equivalent commands:

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=DNS passthrough=no protocol=udp dst-port=53
add chain=output action=mark-routing new-routing-mark=DNS-Router passthrough=no protocol=udp dst-port=53

3. Building the route through the VPN

Go to IP → Routes and create new routes.

The route for sending HTTP through the VPN. Specify the name of the VPN interface as the gateway and choose the Routing Mark.


At this stage you have already felt how your operator stopped inserting ads into your HTTP traffic.

The equivalent command:

/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=HTTP distance=2 comment=HTTP

The DNS protection routes look exactly the same; just choose the required mark:

Here you felt how your DNS queries stopped being eavesdropped. The equivalent commands:

/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS distance=1 comment=DNS
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS-Router distance=1 comment=DNS-Router

And finally, let's open Rutracker. The whole subnet belongs to it, so the subnet is specified.

That is how easy it was to get the Internet back. The command:

/ip route
add dst-address=195.82.146.0/24 gateway=LD8 distance=1 comment=Rutracker.Org
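As an added example that is not part of the original article, here is a small Python dry-run model of the policy routing built in steps 2 and 3: the mangle rules assign a routing mark, then the marked table is consulted before the main table (RouterOS v6 falls back to main when the marked table has no route), with the longest prefix and then the lowest distance winning. The ISP default route `ether1-gateway` and the sample destination addresses are assumed placeholders, not values from the article.

```python
import ipaddress

# Mangle rules from the article, in order. A missing key matches anything,
# a leading "!" negates the value. passthrough=no, so the first match wins.
MANGLE = [
    dict(chain="prerouting", proto="tcp", dport=80, dst="!192.168.1.1",
         nat_state="!dstnat", mark="HTTP"),
    dict(chain="prerouting", proto="udp", dport=53, mark="DNS"),
    dict(chain="output", proto="udp", dport=53, mark="DNS-Router"),
]
# (dst prefix, gateway, routing-mark or None for the main table, distance)
ROUTES = [
    ("0.0.0.0/0", "LD8", "HTTP", 2),
    ("0.0.0.0/0", "LD8", "DNS", 1),
    ("0.0.0.0/0", "LD8", "DNS-Router", 1),
    ("195.82.146.0/24", "LD8", None, 1),       # Rutracker.Org
    ("0.0.0.0/0", "ether1-gateway", None, 1),  # assumed ISP default route
]

def _match(want, have):
    """RouterOS-style field matcher with optional "!" negation."""
    if want is None:
        return True
    if isinstance(want, str) and want.startswith("!"):
        return str(have) != want[1:]
    return str(have) == str(want)

def routing_mark(chain, proto, dst, dport, nat_state=""):
    """Routing mark the mangle table assigns to a packet, or None."""
    for r in MANGLE:
        if (r["chain"] == chain and _match(r.get("proto"), proto)
                and _match(r.get("dport"), dport) and _match(r.get("dst"), dst)
                and _match(r.get("nat_state"), nat_state)):
            return r["mark"]
    return None

def gateway(dst, mark):
    """Marked table first, then main; longest prefix, then lowest distance."""
    addr = ipaddress.ip_address(dst)
    for table in ((mark, None) if mark else (None,)):
        hits = [(ipaddress.ip_network(p).prefixlen, -d, gw)
                for p, gw, m, d in ROUTES
                if m == table and addr in ipaddress.ip_network(p)]
        if hits:
            return max(hits)[2]
    return None

def decide(chain, proto, dst, dport, nat_state=""):
    """(routing mark, gateway) for one packet, as the router would see it."""
    mark = routing_mark(chain, proto, dst, dport, nat_state)
    return mark, gateway(dst, mark)
```

Running `decide` over a few packets confirms the two exclusions in the HTTP rule: traffic to the ONU's web interface and dstnat'd connections stay on the ISP path, while everything else on port 80, all DNS, and the Rutracker subnet leave via LD8.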

Just as with the tracker, you can route to corporate resources and other blocked sites.

The author hopes you will appreciate the convenience of having access to the tracker and the corporate route at the same time, without taking off your shirt.


Source: www.habr.com
