MikroTik. IPsec VPN as a client behind NAT

Good day to everyone!

Over the past two years our company has been gradually moving to MikroTik hardware. The core nodes are built on CCR1072s, and the local PC access points sit on simpler devices. Naturally, we also offer network integration over IPsec tunnels; thanks to the wealth of material available online, that setup is quite simple and straightforward. Mobile client connections, however, present certain difficulties: the vendor's wiki explains how to use the Shrew VPN client (that setup looks self-explanatory), and it is the client used by 99% of remote-access users; the remaining 1% is me. I simply did not want to bother typing my login and password every time, and wanted a more relaxed, comfortable couch experience with convenient connections to the work networks. I could not find any instructions for configuring a MikroTik that sits not merely behind a private address, but behind a fully non-public one, with several NATs in the path. So I had to improvise, and I suggest you take a look at the results.

What we have:

  1. CCR1072 as the main device, RouterOS 6.44.1
  2. CAP ac as the home access point, RouterOS 6.44.1

The main peculiarity of the setup is that the PC and the MikroTik must be in the same network, and that network (192.168.33.0/24 here) is the one the main 1072 assigns to this client.

Let's move on to the configuration:

1. Fasttrack is enabled, of course, but since fasttrack is incompatible with IPsec, tunnelled traffic has to be excluded from it. The mangle rules mark connections that match an IPsec policy in either direction, and the fasttrack rule in the filter table skips connections carrying that mark.

/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=
    in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=
    out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec

2. Allow traffic from home to the office networks and back in /ip firewall raw (accept rules, so this traffic is not caught by later raw rules). The two disabled rules are for the 192.168.55.0/24 subnet used by the ordinary PC clients.

/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 
    src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 
    src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.77.0/24

3. Create the user connection description (identity)

/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=
    "<shared key>" xauth-login=username xauth-password=password

4. Create the IPsec proposal. The proposal below uses 3DES with no PFS because that is what the 1072 side negotiates in this setup; if you control both ends, AES and a PFS group are the stronger choice.

/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none

5. Create the IPsec policies. Note sa-src-address=0.0.0.0: the router's own address is behind NAT, so the SA source is left unspecified and only the public address of the 1072 is fixed.

/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" 
    sa-dst-address=<public IP of the 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" 
    sa-dst-address=<public IP of the 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes

6. Create the IPsec profiles. Only profile_88, created with default parameters, is referenced by the peer below.

/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246

7. Create the IPsec peer

/ip ipsec peer
add address=<public IP of the 1072>/32 local-address=<your router address> name=CO profile=
    profile_88
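To confirm that the client side actually comes up, here is an added set of checks, not part of the original post, to paste into the CAP ac terminal after steps 1 to 7. It assumes the router's own LAN address is 192.168.33.1 (the gateway address used in the DHCP option further down) and that 10.7.76.1 is some reachable host in the office subnet; both are assumptions, substitute your own.

```routeros
# Added example, not from the original post. Assumes the CAP ac LAN address is
# 192.168.33.1 and that 10.7.76.1 is a reachable office host (both assumptions).

# 1. Log IKE negotiation (without per-packet noise) so a failed phase 1/2 is visible
/system logging add topics=ipsec,!packet action=memory

# 2. Trigger the tunnel: the policy is brought up on demand, so traffic matching
#    192.168.33.0/24 -> 10.7.76.0/24 has to be generated before anything appears
/ping 10.7.76.1 src-address=192.168.33.1 count=3

# 3. Phase 1: the peer CO should now be listed as an active peer
/ip ipsec active-peers print

# 4. Phase 2: the policy should report ph2-state=established
/ip ipsec policy print detail where dst-address=10.7.76.0/24

# 5. Installed SAs: one inbound and one outbound per established policy
/ip ipsec installed-sa print

# 6. Fasttrack bypass check: tunnelled connections must carry the ipsec mark
#    and must NOT show the F (fasttrack) flag
/ip firewall connection print where connection-mark=ipsec

# 7. Read the IKE log if any of the above is empty
/log print where topics~"ipsec"
```

If step 3 shows nothing while the ping is running, the problem is phase 1 (pre-shared key, XAuth credentials or NAT-T); if the peer is active but step 4 stays at no-phase2, the proposal on the 1072 does not match prop1.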

Now for some plain magic. Since I did not want to change the settings on all the devices in my home network, I somehow had to hang DHCP for one more network on it, but MikroTik does not allow hanging several address pools on one bridge. So I found a workaround: for the laptop only, I created a DHCP lease with manual parameters, and since the netmask, gateway and DNS have their own option numbers in DHCP, I specified them explicitly.

1. DHCP options

/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"

2. DHCP lease

/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=
    option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>

The 1072 side is configured essentially as standard; the only difference is that, when the client is issued an IP address, it is given the manually entered address rather than one from the pool. For ordinary PC clients the subnet is the same as in the wiki configuration, 192.168.55.0/24.

This setup avoids connecting from the PC through third-party software; the tunnel itself is brought up by the router when needed. The load on the client CAP ac is practically minimal: 9 to 10% at 8 to 11 MB/s through the tunnel.

All settings were made via Winbox, though they can be done from the console just as well.

Manba: www.habr.com
