Hello everyone!
It so happened that over the past two years our company gradually moved over to MikroTik hardware. The core nodes are built on the CCR1072, while the local access points run on simpler devices. Naturally we also join the sites together with IPsec tunnels; in that case the setup is very simple and straightforward, thanks to the large number of guides available online. Connecting mobile users, however, brings its own challenges: the vendor's wiki describes how to use the Shrew Soft VPN client (that procedure appears to be clear), and this is the client used by 99% of the users who need remote access, with the remaining 1% being me. I could not be bothered to type my login and password every single time, and I wanted a relaxed couch-potato experience with simple connectivity to the work networks. I could not find any instructions for configuring a MikroTik that is not on a public ("white") address but behind an entirely private ("grey") one, possibly with several layers of NAT on the way. So I had to work it out myself, and I suggest you take a look at the result.
What we have:
- CCR1072 as the core device, version 6.44.1
- cAP ac as the home access point, version 6.44.1
The key point of the setup is that the PC and the MikroTik must be in the same network and use the address issued by the core 1072.
On to the settings:
1. We naturally have FastTrack enabled, but fasttracked connections bypass the IPsec policy check, so tunnel traffic has to be kept out of FastTrack. The mangle rules below mark every connection that matches an IPsec policy (inbound and outbound), and the fasttrack rule in the filter table then applies only to connections without that mark:
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter
add action=fasttrack-connection chain=forward connection-mark=!ipsec
2. Add the networks that are forwarded between home and work. These are accept rules in the raw table (prerouting chain), which is evaluated before connection tracking, so keep them above any drop or notrack rules in that chain. The two rules for 192.168.55.0/24 and 10.7.78.0/24 are left disabled.
/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=10.7.77.0/24
3. Create the IPsec identity for the connection. The cAP acts as the XAuth client toward the 1072, so the pre-shared key and the XAuth login and password live in the router configuration in readable form; use '/export hide-sensitive' when sharing the config.
/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret="<shared key>" xauth-login=username xauth-password=password
4. Create the IPsec proposal. Note that 3DES is a deprecated cipher and pfs-group=none disables perfect forward secrecy for phase 2; whatever you choose here has to match the proposal on the 1072 side, otherwise phase 2 negotiation fails.
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
5. Create the IPsec policies. sa-src-address=0.0.0.0 is what lets the cAP initiate from behind NAT with a private, possibly changing address; level=unique gives each policy its own SA.
/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=192.168.33.0/24 tunnel=yes
6. Create the IPsec profile. The peer in step 7 references profile_88, which is created here with RouterOS defaults (including NAT traversal enabled, which the cAP needs because it sits behind NAT); profile_1 and profile246 are defined but not used by that peer. dh-group=modp1024 is a 1024-bit group and is considered too weak today.
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
7. Create the IPsec peer: the 1072 by its public address, with local-address set to the cAP's own (private) address behind the NAT.
/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=profile_88
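As an added example that is not part of the original article, here is a hardened variant of steps 4, 6 and 7 for the cAP side, followed by the commands used to confirm that the tunnel is actually up. The proposal name prop1-hardened and the algorithm and lifetime choices are my assumptions; the object names prop1, profile_88, CO and the two policies are the ones from the steps above. The same algorithms must be configured in the peer profile and proposal on the 1072, or IKE negotiation will fail.

```routeros
# Added example, not from the original article. Hardened cAP-side settings;
# the 1072 must be changed to match before this is applied.

# Phase 2: AES-CBC with SHA-256 instead of 3DES, PFS with a 2048-bit group,
# and a reasonable lifetime. The old prop1 is kept so the change can be reverted.
/ip ipsec proposal
add name=prop1-hardened auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc pfs-group=modp2048 lifetime=30m

# Phase 1: make profile_88 explicit instead of relying on the defaults.
# NAT traversal stays on because the cAP sits behind (possibly several) NATs,
# and DPD is enabled so a dead SA is torn down and re-established.
/ip ipsec profile
set [ find name=profile_88 ] dh-group=modp2048 enc-algorithm=aes-256,aes-128 hash-algorithm=sha256 nat-traversal=yes dpd-interval=2m dpd-maximum-failures=5 lifetime=8h

# Point both policies at the hardened proposal.
/ip ipsec policy
set [ find proposal=prop1 ] proposal=prop1-hardened

# Verification.
# Phase 1 up: the peer CO is listed with state "established".
/ip ipsec active-peers print
# Phase 2 up: one SA pair per policy (level=unique) with the expected algorithms.
/ip ipsec installed-sa print
# Policies carry the A (active) flag once their SA exists.
/ip ipsec policy print
# Tunnel connections carry the mangle mark and are therefore not fasttracked.
/ip firewall connection print where connection-mark=ipsec
# IKE errors such as a proposal mismatch with the 1072 show up in the log.
/system logging add topics=ipsec,!packet
/log print where topics~"ipsec"
```

If the peer never reaches "established", or installed-sa stays empty, the usual cause is that the 1072 was not updated to the same phase 1 profile and phase 2 proposal; the log with the ipsec topic enabled names the mismatching parameter.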
Now for a bit of simple magic. Since I really did not want to change the settings on every device in my home network, I had to somehow hang a second DHCP setup on the same network, but MikroTik quite reasonably does not allow more than one address pool to be attached to a single bridge. So I found a workaround: for the laptop I simply created a DHCP lease with manually set parameters, and since the netmask, gateway and DNS also have their own option numbers in DHCP, I specified them by hand.
1. DHCP options
/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"
2. DHCP lease
/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>
The 1072 side, meanwhile, is configured essentially per the wiki guide; the only difference is that for this client the IP address is specified manually in the settings rather than taken from the pool, so that this fixed address is the one handed to it. Regular PC clients use the same subnet as in the wiki configuration, 192.168.55.0/24.
This setup means you do not need to connect from the PC with third-party software; the tunnel itself is brought up by the router as needed. The load on the cAP ac client is almost negligible: 8-11% at 9-10 MB/s through the tunnel.
All settings were made in WinBox, although they can be done just as well from the console.
Source: www.habr.com
