Mikrotik. IPsec VPN as a client behind NAT

Good day to all of you!

It so happened that over the last two years our company has gradually moved to Mikrotik. The core nodes are built on the CCR1072, and the local access points for the PCs at the sites are simpler models. Of course, there is also the joining of networks over an IPsec tunnel; in that case the setup is quite simple and causes no difficulty, since there is plenty of material on the web. But there are certain difficulties with mobile clients: the vendor wiki describes how to use the Shrew Soft VPN client (everything in that setup looks clear), and 99% of remote access users use exactly that client. The remaining 1% is me: I was too lazy to enter a login and password into each client and wanted to lounge on the couch and connect to the work networks conveniently. I could not find any instructions for configuring a Mikrotik that sits not merely behind a grey (private) address but behind a completely black one, and even behind several NATs in the provider's network. So I had to improvise, and I propose to look at the result.

What we have:

  1. CCR1072 as the main device, version 6.44.1
  2. cAP ac as the home access point, version 6.44.1

The main peculiarity of the setup is that the PC and the Mikrotik must be in the same network, the one issued by the main 1072.

Let's move on to the settings:

1. Of course we enable Fasttrack, but since fasttrack is not compatible with VPN, we have to exclude the VPN traffic from it.

/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=
    in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=
    out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec

2. Add forwarding from home to work and from work to home in the raw table

/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 
    src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 
    src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.77.0/24

3. Create the identity for the user connection

/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=
    <shared key> xauth-login=username xauth-password=password

4. Create the IPsec proposal

/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none

5. Create the IPsec policies

/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes

6. Create the IPsec profile

/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246

7. Create the IPsec peer

/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=
    profile_88
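Steps 3 to 7 above are a single IPsec procedure, and the export fragments they show use RouterOS's wrapped line format (continuation lines indented by four spaces, sometimes splitting a value from its key). As an added example, not code from the article or from MikroTik, here is a small Python script that joins those wrapped lines, parses the `add`/`set` commands into dictionaries, and flags the explicitly configured IPsec settings a reviewer would question (3DES, a 1024-bit DH group, PFS off, DPD disabled). The sample input is constructed from the proposal, profile and fasttrack filter lines on this page plus one hypothetical stronger proposal named `prop_strong` for contrast; keys the export omits keep RouterOS defaults and are not inspected, which is why `profile_88` produces no findings.

```python
"""Parse a RouterOS export fragment and audit its IPsec crypto settings.

Added example for this article, not MikroTik code. It understands the
wrapped /export format (continuation lines indented four spaces) and the
single-line "/path add ..." form used in the fasttrack step.
"""
import re
import shlex
from typing import Dict, List, Tuple

Rule = Dict[str, str]            # key=value pairs of one add/set command
Config = Dict[str, List[Rule]]   # section path -> commands in order

# Constructed sample: lines taken from the article plus one hypothetical
# stronger proposal ("prop_strong") for contrast.
SAMPLE_EXPORT = """\
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
add auth-algorithms=sha256 enc-algorithms=aes-256-cbc lifetime=30m name="prop_strong" pfs-group=modp2048
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
"""

WEAK_ENC = {"des", "3des", "null"}
WEAK_DH = {"modp768", "modp1024"}


def join_wrapped_lines(text: str) -> List[str]:
    """Undo export wrapping: glue a continuation line to the previous one,
    without a space when the previous line ends in '=' (value split right
    after its key), with a space otherwise."""
    out: List[str] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("    ") and out:
            prev, piece = out[-1].rstrip(), raw.strip()
            out[-1] = prev + piece if prev.endswith("=") else prev + " " + piece
        else:
            out.append(raw.rstrip())
    return out


def parse_export(text: str) -> Config:
    """Return {section path: [command dicts]}. Keys the export omits keep
    RouterOS defaults and are simply absent from the dict."""
    config: Config = {}
    section = ""
    for line in join_wrapped_lines(text):
        if line.startswith("/"):
            m = re.match(r"^(/[\w/ -]*?)\s+(add|set)\s+(.*)$", line)
            if not m:                      # bare section header
                section = line
                config.setdefault(section, [])
                continue
            section, line = m.group(1), f"{m.group(2)} {m.group(3)}"
        tokens = shlex.split(line)         # strips the "..." around values
        if not tokens or tokens[0] not in ("add", "set"):
            continue
        rule: Rule = {"_cmd": tokens[0]}
        i = 1
        if i < len(tokens) and tokens[i] == "[":   # set [ find ... ] ...
            close = tokens.index("]", i)
            rule["_target"] = " ".join(tokens[i + 1:close])
            i = close + 1
        for tok in tokens[i:]:
            key, sep, value = tok.partition("=")
            if sep:
                rule[key] = value
        config.setdefault(section, []).append(rule)
    return config


def rule_label(rule: Rule) -> str:
    if "name" in rule:
        return rule["name"]
    return "default" if "default=yes" in rule.get("_target", "") else "(unnamed)"


def _split(rule: Rule, key: str) -> set:
    return {v for v in rule.get(key, "").split(",") if v}


def audit_ipsec(config: Config) -> List[Tuple[str, str, str]]:
    """Flag explicitly configured settings a reviewer would question."""
    findings: List[Tuple[str, str, str]] = []
    for rule in config.get("/ip ipsec proposal", []):
        label = rule_label(rule)
        weak = sorted(_split(rule, "enc-algorithms") & WEAK_ENC)
        if weak:
            findings.append(("proposal", label, "weak encryption: " + ",".join(weak)))
        if rule.get("pfs-group") == "none":
            findings.append(("proposal", label, "PFS disabled (pfs-group=none)"))
        if "md5" in _split(rule, "auth-algorithms"):
            findings.append(("proposal", label, "weak integrity: md5"))
    for rule in config.get("/ip ipsec profile", []):
        label = rule_label(rule)
        weak = sorted(_split(rule, "enc-algorithm") & WEAK_ENC)
        if weak:
            findings.append(("profile", label, "weak encryption: " + ",".join(weak)))
        weak_dh = sorted(_split(rule, "dh-group") & WEAK_DH)
        if weak_dh:
            findings.append(("profile", label, "weak DH group: " + ",".join(weak_dh)))
        if rule.get("dpd-interval") == "disable-dpd":
            findings.append(("profile", label, "dead peer detection disabled"))
        if "md5" in _split(rule, "hash-algorithm"):
            findings.append(("profile", label, "weak hash: md5"))
    return findings


if __name__ == "__main__":
    for section, label, msg in audit_ipsec(parse_export(SAMPLE_EXPORT)):
        print(f"{section:8} {label:12} {msg}")
```

Run against the sample it reports seven findings: `prop1` (3DES, no PFS), the default profile (3DES, DPD off), `profile_1` (3DES, modp1024) and `profile246` (modp1024). Feeding it a real `/export` of the two routers shows at a glance which of the page's values were kept on both ends; the parser makes no judgement about defaults, so a profile with nothing set (like `profile_88`) has to be checked against the RouterOS defaults of the installed version by hand.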

Now for a bit of simple magic. Since I did not want to change the settings on all the devices in my home network, I had to somehow hang a second DHCP on a single network, but Mikrotik does not allow hanging several address pools on one bridge. So I found a workaround: for the laptop I simply created a DHCP lease with manual parameters, and since the netmask, gateway and DNS have option numbers in DHCP, I specified them by hand.

1. DHCP options

/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"

2. DHCP lease

/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=
    option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>

At the same time, the configuration of the 1072 is essentially the basic one; the only thing specified in its settings is that when the client is given an IP address, it gets the manually entered address rather than one from the pool. For ordinary PC clients the subnet is the same as in the wiki configuration, 192.168.55.0/24.

This setup makes it possible to connect from a PC without third-party programs, and the tunnel itself is brought up by the router when needed. The load on the client cAP ac is practically minimal: 9-10% at 8-11 MB/s through the tunnel.

All settings were made via Winbox, although they could be done just as well via the console.

Manba: www.habr.com
