Unblocking the Internet with Mikrotik and VPN: a detailed tutorial

In this step-by-step guide, I will show you how to configure a Mikrotik so that blocked sites open automatically through a VPN and you can avoid dancing with tambourines: set it up once and everything works.

I chose SoftEther as my VPN: it is as easy to set up as RRAS and just as fast. I enabled Secure NAT on the VPN server side; no other settings were changed.

I considered RRAS as an alternative, but Mikrotik cannot work with it. The connection is established and the VPN works, but Mikrotik cannot hold the connection without constant reconnects and errors in the log.

The setup was done on an RB3011UiAS-RM with firmware version 6.46.11.
Now, in order, what to do and why.

1. Set up the VPN connection

As the VPN solution, of course, SoftEther was chosen, using L2TP with a pre-shared key. This level of security is enough for anyone, because only the router and its owner know the key.

Go to the Interfaces section. First, we add a new interface, then enter the IP, login, password and shared key in the interface settings. Click OK.

The same as a command:

/interface l2tp-client
add name="LD8" connect-to=45.134.254.112 user="Administrator" password="PASSWORD" profile=default-encryption use-ipsec=yes ipsec-secret="vpn"

SoftEther will work without changing the IPsec proposals and IPsec profiles, so we do not cover their configuration, but the author left screenshots of his profiles just in case.

For RRAS, in IPsec Proposals, just change PFS Group to none.

Now you need to get behind the NAT of this VPN server. To do this, go to IP > Firewall > NAT.

Here we enable masquerade for specific PPP interfaces, or for all of them. The author's router is connected to three VPNs at once, so I did this:

The same as a command:

/ip firewall nat
add chain=srcnat action=masquerade out-interface=all-ppp

2. Add rules to Mangle

The first thing you want, of course, is to protect what is most valuable and least protected, namely DNS and HTTP traffic. Let's start with HTTP.

Go to IP → Firewall → Mangle and create a new rule.

In the rule, for Chain select Prerouting.

If there is a Smart SFP or another router in front of this router and you want to reach it through its web interface, enter its IP address or subnet in the Dst. Address field and set the negation flag so that Mangle is not applied to that address or subnet. The author has an SFP GPON ONU in bridge mode, so the author kept the ability to connect to its web interface.

By default, Mangle applies its rule to all NAT states, which makes port forwarding to your public (white) IP impossible, so in Connection NAT State tick dstnat and set the negation flag. This lets us send outgoing traffic through the VPN while still forwarding ports through our public IP.

Next, on the Action tab, select mark routing, give New Routing Mark a name that will be clear to us later, and move on.

The same as a command:

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=HTTP passthrough=no connection-nat-state=!dstnat protocol=tcp dst-address=!192.168.1.1 dst-port=80

Now let's move on to protecting DNS. In this case you need to create two rules: one for the router itself, the other for the devices connected to the router.

If you use the router's built-in DNS, which the author does, it needs to be protected as well. So for the first rule, as above, we select the prerouting chain, but for the second we need to select output.

Output is the chain the router itself uses for requests made by its own services. Everything else here is the same as for HTTP, except the protocol is UDP and the port is 53.

The same as commands:

/ip firewall mangle
# DNS queries from devices behind the router
add chain=prerouting action=mark-routing new-routing-mark=DNS passthrough=no protocol=udp dst-port=53
# DNS queries made by the router itself
add chain=output action=mark-routing new-routing-mark=DNS-Router passthrough=no protocol=udp dst-port=53

3. Build a route through the VPN

Go to IP → Routes and create new routes.

First, the route that sends HTTP over the VPN. Specify the name of our VPN interface and select the Routing Mark.


At this stage you have already felt how your operator has stopped injecting ads into your HTTP traffic.

The same as a command:

/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=HTTP distance=2 comment=HTTP

The routes for protecting DNS look exactly the same; just select the corresponding mark:

Here you felt how your DNS queries are no longer being listened to. The same as commands:

/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS distance=1 comment=DNS
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS-Router distance=1 comment=DNS-Router

Finally, unblock Rutracker. The whole subnet belongs to it, so the subnet is specified.

That is how easy it was to get the Internet back. The command:

/ip route
add dst-address=195.82.146.0/24 gateway=LD8 distance=1 comment=Rutracker.Org

In exactly the same way as with the root tracker, you can route corporate resources and other blocked sites.
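The policy routing built in steps 2 and 3, as a simplified Python model (an added example, not part of the original article): it applies the tutorial's mangle rules and routes to sample packets and shows where marked traffic goes when LD8 is down. The `ISP` default route, the sample packets and the `HARDENED` blackhole routes (in RouterOS v6, a route with type=blackhole) are assumptions; the DNS rule is modelled as the text describes it (UDP, port 53), and the fallback to the main table when a marked table has no active route is RouterOS v6 behaviour.

```python
import ipaddress

# Mangle rules from the tutorial; passthrough=no, so the first match wins.
MANGLE = [
    dict(chain="prerouting", proto="tcp", port=80, mark="HTTP",
         not_dst="192.168.1.1", not_dstnat=True),
    dict(chain="prerouting", proto="udp", port=53, mark="DNS"),
    dict(chain="output", proto="udp", port=53, mark="DNS-Router"),
]
# (routing table, destination, gateway, distance); "main" means no mark.
ROUTES = [
    ("HTTP", "0.0.0.0/0", "LD8", 2),
    ("DNS", "0.0.0.0/0", "LD8", 1),
    ("DNS-Router", "0.0.0.0/0", "LD8", 1),
    ("main", "195.82.146.0/24", "LD8", 1),
    ("main", "0.0.0.0/0", "ISP", 1),   # assumed: provider default route
]
# Assumed hardening, not in the tutorial: a blackhole route behind each marked route.
HARDENED = ROUTES + [(t, "0.0.0.0/0", "blackhole", 10)
                     for t in ("HTTP", "DNS", "DNS-Router")]

def routing_mark(pkt):
    """Return the routing mark the mangle rules assign, or "main"."""
    for r in MANGLE:
        if (r["chain"], r["proto"], r["port"]) != (pkt["chain"], pkt["proto"], pkt["port"]):
            continue
        if r.get("not_dst") == pkt["dst"] or (r.get("not_dstnat") and pkt.get("dstnat")):
            continue
        return r["mark"]
    return "main"

def lookup(table, dst, up, routes):
    """Longest prefix, then lowest distance, among routes whose gateway is usable."""
    addr = ipaddress.ip_address(dst)
    live = [(ipaddress.ip_network(n).prefixlen, -d, gw) for t, n, gw, d in routes
            if t == table and addr in ipaddress.ip_network(n)
            and (gw in up or gw == "blackhole")]
    return max(live)[2] if live else None

def egress(pkt, up=("LD8", "ISP"), routes=ROUTES):
    """Where a packet leaves; a marked table with no active route falls back to main."""
    mark = routing_mark(pkt)
    return lookup(mark, pkt["dst"], up, routes) or lookup("main", pkt["dst"], up, routes)

web = dict(chain="prerouting", proto="tcp", port=80, dst="93.184.216.34")  # constructed
print(egress(web), egress(web, up=("ISP",)), egress(web, up=("ISP",), routes=HARDENED))
```

With the VPN interface down, the tutorial's routes alone send marked HTTP out through the provider; with the blackhole routes in place the same packet is dropped instead.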

The author hopes you will appreciate the convenience of reaching the root tracker and the corporate portal at the same time without taking off your sweater.


Source: www.habr.com
