MikroTik. IPsec VPN behind NAT as a client

Hello everyone!

It so happened that over the past two years our company has been gradually moving to MikroTik. The core nodes are built on CCR1072, and connecting the sites and the data centre with these devices is simple. There is also site-to-site connectivity over an IPsec tunnel; setting that up is straightforward and causes no problems, and fortunately there is plenty of information about it online. But there are certain problems with connecting remote clients: the vendor's wiki tells you how to use the Shrew Soft VPN client (everything seems clear based on that setup), and it is this client that 99% of remote users use. The remaining 1% is me, who finds it really annoying to enter my login and password into the supplicant every single time; I wanted a state where I could sprawl on the couch and still have proper connectivity to the work network. I did not find any instructions for configuring a MikroTik for the case where it is not behind a public address but is completely grey and possibly behind several NATs. So I had to improvise, and I suggest you take a look at the result.

What we have:

  1. CCR1072 as the main device, version 6.44.1
  2. cAP ac as the home access point, version 6.44.1

The main point of the setup is that the PC and the MikroTik have to sit in the same network, with the address that the big 1072 hands out.

Let's move on to the settings:

1. We do enable Fasttrack, but since Fasttrack is not compatible with the VPN, we have to exclude its traffic from it.

/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=
    in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=
    out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec

2. Add passing of traffic between the home and work networks

/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 
    src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 
    src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.77.0/24

3. Create the user connection identity

/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=
    общий ключ xauth-login=username xauth-password=password

4. Create the IPsec proposal

/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none

5. Create the IPsec policy

/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes

6. Create the IPsec profile

/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246

7. Create the IPsec peer

/ip ipsec peer
add address=<white IP 1072>/32 local-address=<ваш адрес роутера> name=CO profile=
    profile_88
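As an added example (it is not part of the article and not a MikroTik tool), the Python script below reads the raw-firewall, proposal and policy sections from steps 2, 4 and 5 in RouterOS export format, where an indented line continues the previous `add` line. It checks that every tunnel policy has matching raw accept rules in both directions, lists raw-accepted subnet pairs that no policy tunnels, and flags proposals that still use a legacy cipher or run without PFS. The embedded export is constructed from the article's own lines, with the `<white IP 1072>` placeholder replaced by the documentation address 203.0.113.10 (an assumption).

```python
"""Consistency and hygiene check for a RouterOS export (added example, not
from the article). Folds continuation lines, parses `add` entries into dicts
and then asks: does every tunnel policy have raw accept rules both ways, which
raw-accepted pairs have no policy, and does any proposal use a legacy cipher
or run without PFS."""
import ipaddress
import json
import re

KV_RE = re.compile(r'([\w-]+)=("[^"]*"|\S*)')
LEGACY_CIPHERS = {"des", "3des", "null"}

# Constructed sample: the article's raw, proposal and policy sections, with the
# <white IP 1072> placeholder replaced by a documentation address (assumption).
EXPORT = """\
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24
    src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24
    src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.77.0/24
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1"
    sa-dst-address=203.0.113.10 sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1"
    sa-dst-address=203.0.113.10 sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes
"""


def fold_continuations(text):
    """Merge indented continuation lines into the preceding logical line."""
    logical = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and logical:
            prev = logical.pop().rstrip()
            cont = line.strip()
            # a line cut right after "key=" continues that value; otherwise a new key follows
            logical.append(prev + cont if prev.endswith("=") else prev + " " + cont)
        else:
            logical.append(line.rstrip())
    return logical


def parse_export(text):
    """Return {section path: [entry dict, ...]} for every `add` line."""
    sections, current = {}, None
    for line in fold_continuations(text):
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            sections[current].append({k: v.strip('"') for k, v in KV_RE.findall(line)})
    return sections


def net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def active(entry):
    return entry.get("disabled") != "yes"


def check(export_text):
    sec = parse_export(export_text)
    raw_ok = {(net(r["src-address"]), net(r["dst-address"]))
              for r in sec.get("/ip firewall raw", [])
              if active(r) and r.get("chain") == "prerouting" and r.get("action") == "accept"}
    policies = {(net(p["src-address"]), net(p["dst-address"]))
                for p in sec.get("/ip ipsec policy", [])
                if active(p) and p.get("tunnel") == "yes"}
    # every policy selector needs a raw accept for the pair and for its reverse
    missing_raw = [f"{a} -> {b}" for s, d in sorted(policies, key=str)
                   for a, b in ((s, d), (d, s)) if (a, b) not in raw_ok]
    tunneled = {frozenset(p) for p in policies}
    raw_without_policy = sorted(sorted(map(str, pair))
                                for pair in {frozenset(p) for p in raw_ok} - tunneled)
    weak = []
    for prop in sec.get("/ip ipsec proposal", []):
        problems = []
        if set(prop.get("enc-algorithms", "").split(",")) & LEGACY_CIPHERS:
            problems.append("enc-algorithms=" + prop["enc-algorithms"])
        if prop.get("pfs-group") == "none":
            problems.append("pfs-group=none")
        if problems:
            weak.append(f"{prop.get('name', '?')}: " + "; ".join(problems))
    return {"policies": sorted(f"{s} -> {d}" for s, d in policies),
            "missing_raw": missing_raw,
            "raw_without_policy": raw_without_policy,
            "weak_proposals": weak}


if __name__ == "__main__":
    print(json.dumps(check(EXPORT), indent=2))
```

Run against this sample, the check finds both policies covered by raw rules in both directions, but also that 10.7.98.0/24 is accepted in raw while no policy tunnels it (so that traffic is routed in the clear rather than through the tunnel), and that prop1 uses 3DES with PFS disabled. Both are worth a second look before the setup goes into daily use.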

Now for a bit of simple magic. Since I really did not want to change the settings on every device in the home network, I had to set up DHCP in the same network, but it turns out MikroTik does not let you create more than one address pool on a single bridge. So I found a workaround: for the laptop I created a DHCP lease with explicitly specified parameters, and since netmask, gateway and DNS also have their own option numbers in DHCP, I specified them by hand.

1. DHCP option

/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"

2. DHCP lease

/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=
    option1-netmask,option3-gateway,option6-dns mac-address=<MAC адрес ноутбука>
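As an added example (not the article's code and not a MikroTik tool), the Python helper below builds the three lease options above in their RFC 2132 wire form: options 1, 3 and 6 each carry a list of raw 4-byte IPv4 addresses, not text. It also prints the `0x` hex form that `/ip dhcp-server option value=` accepts alongside the quoted form, which pins down the exact bytes the client receives, and decodes the resulting blob so the round trip can be verified. The option names and addresses are the article's own; the decoder is limited to the three IPv4-list codes.

```python
"""DHCP option wire encoding for the manual lease above (added example, not
the article's code). Options 1, 3 and 6 are IPv4-address lists per RFC 2132."""
import ipaddress

OPTION_NAMES = {1: "subnet-mask", 3: "router", 6: "domain-name-server"}


def encode_ip_option(code, addresses):
    """Return the code/length/payload TLV for an IPv4-list option."""
    if code not in OPTION_NAMES:
        raise ValueError(f"option {code} is not an IPv4-list option")
    payload = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    if code == 1 and len(payload) != 4:
        raise ValueError("subnet-mask carries exactly one address")
    if not 1 <= len(payload) <= 255:
        raise ValueError("option payload must be 1..255 bytes")
    return bytes([code, len(payload)]) + payload


def routeros_value(tlv):
    """Payload only, as the 0x hex string RouterOS accepts for option value=."""
    return "0x" + tlv[2:].hex().upper()


def routeros_option_line(name, tlv):
    """The /ip dhcp-server option command equivalent to the quoted form."""
    return f"/ip dhcp-server option add code={tlv[0]} name={name} value={routeros_value(tlv)}"


def build_blob(tlvs):
    """Concatenate TLVs and terminate with the END option (255)."""
    return b"".join(tlvs) + b"\xff"


def decode_blob(blob):
    """Parse a TLV blob into {code: [dotted addresses]}; stops at END."""
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:          # END
            break
        if code == 0:            # PAD
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        payload = blob[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated option payload")
        if code in OPTION_NAMES and length % 4 == 0:
            out[code] = [str(ipaddress.IPv4Address(payload[j:j + 4]))
                         for j in range(0, length, 4)]
        else:
            out[code] = payload.hex()
        i += 2 + length
    return out


# Constructed input: the article's three lease options
LEASE_OPTIONS = {
    "option1-netmask": encode_ip_option(1, ["255.255.255.0"]),
    "option3-gateway": encode_ip_option(3, ["192.168.33.1"]),
    "option6-dns": encode_ip_option(6, ["8.8.8.8"]),
}

if __name__ == "__main__":
    for name, tlv in LEASE_OPTIONS.items():
        print(routeros_option_line(name, tlv))
    print(decode_blob(build_blob(LEASE_OPTIONS.values())))
```

For the gateway this yields `value=0xC0A82101`; if a client ever shows an odd gateway or mask after a manual lease, comparing the bytes it received against this encoding is the quickest way to tell whether the option was sent as an address or as text.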

At the same time, the setup on the 1072 is basic; the only thing is that when issuing an IP address to the supplicant, the settings specify that it should be given a manually entered IP address rather than one from the pool. For ordinary clients connecting from personal computers, the subnet is the same as in the Wiki, 192.168.55.0/24.

This setup lets you avoid connecting your PC through third-party software, and the tunnel itself is brought up by the router when needed. The load on the cAP ac client is fairly low: 8-11% at 9-10MB/s through the tunnel.

All settings were made in Winbox, although it could just as well have been done from the console.

Source: www.habr.com
