Unblocking the Internet with Mikrotik and a VPN: a detailed tutorial

In this step-by-step guide I will show you how to configure Mikrotik so that blocked sites open automatically through a VPN and you can stop dancing with a tambourine: set it up once and everything just works.

I chose SoftEther as my VPN: it is as easy to set up as RRAS and it is fast. On the VPN server side I enabled Secure NAT; no other settings were needed.

As an alternative I looked at RRAS, but Mikrotik does not work well with it. The connection is established and the VPN works, but Mikrotik cannot keep the tunnel up without constant reconnects and errors in the log.

The setup was done on an RB3011UiAS-RM running firmware version 6.46.11.
Now, in order: what to do and why.

1. Setting up the VPN connection

As the VPN solution, as already said, SoftEther was chosen, using L2TP with a pre-shared key. This level of security is sufficient for anyone, because only the router and its owner know the key.

Go to the Interfaces section. First add a new interface, then enter the server IP, login, password and pre-shared key on that interface. Click OK.

The equivalent command:

/interface l2tp-client
add name="LD8" connect-to=45.134.254.112 user="Administrator" password="PASSWORD" profile=default-encryption use-ipsec=yes ipsec-secret="vpn"

SoftEther works without changing the IPsec proposals and IPsec profiles, so we will not go into configuring them, but the author has left screenshots of his profiles just in case.

For RRAS, in IPsec Proposals, just change the PFS Group to none.

Now you need to set up NAT for the traffic going out through this VPN server. To do this, go to IP > Firewall > NAT.

Here we masquerade a specific PPP interface, or all of them. The author's router is connected to three VPNs at once, so I did this:

The equivalent command:

/ip firewall nat
add chain=srcnat action=masquerade out-interface=all-ppp

2. Adding rules to Mangle

The first thing you need, of course, is to protect everything that matters most and cannot protect itself, that is, DNS and HTTP traffic. Let's start with HTTP.

Go to IP → Firewall → Mangle and create a new rule.

In the rule, for Chain select Prerouting.

If there is a smart SFP module or another router in front of your router and you want to reach its web interface, then in Dst. Address enter its IP address or subnet and set the negation flag so that the Mangle rule is not applied to that address or subnet. The author has an SFP GPON ONU in bridge mode, so he kept the ability to connect to its web interface.

By default, Mangle applies its rule to all NAT states, which would make port forwarding to your public (white) IP impossible; therefore, in Connection NAT State, select dstnat and set the negation flag. This lets us send outgoing traffic to the Internet via the VPN while still forwarding ports via our public IP.

Next, on the Action tab, select mark routing, give the New Routing Mark a name that will be clear to us later, and continue.

The equivalent command:

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=HTTP passthrough=no connection-nat-state=!dstnat protocol=tcp dst-address=!192.168.1.1 dst-port=80

Now let's move on to protecting DNS. Here you need to create two rules: one for the router itself, the other for the devices connected to the router.

If you use the DNS server built into the router, as the author does, it also needs to be protected. So for the first rule, as above, we select the prerouting chain; for the second we select output.

Output is the chain used for requests the router itself makes for its own operation. Everything else here is the same as for HTTP: UDP protocol, port 53.

The equivalent commands:

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=DNS passthrough=no protocol=udp dst-port=53
add chain=output action=mark-routing new-routing-mark=DNS-Router passthrough=no protocol=udp dst-port=53

3. Building routes via the VPN

Go to IP → Routes and create new routes.

The HTTP route via the VPN. Specify the name of our VPN interface as the gateway and select the Routing Mark.

At this stage you have probably already noticed that your provider has stopped injecting ads into your HTTP traffic.

The equivalent command:

/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=HTTP distance=2 comment=HTTP

The DNS protection routes look the same; just select the routing mark you need:

Here you have noticed that your DNS queries are no longer being listened in on. The equivalent commands:

/ip route
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS distance=1 comment=DNS
add dst-address=0.0.0.0/0 gateway=LD8 routing-mark=DNS-Router distance=1 comment=DNS-Router

Well, finally, let's unblock Rutracker. The whole subnet belongs to them, so the subnet is specified.

That is how easy it is to get the Internet back. The command:

/ip route
add dst-address=195.82.146.0/24 gateway=LD8 distance=1 comment=Rutracker.Org
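To make the policy-routing decision from sections 2 and 3 concrete, here is an added Python model (not from the article or from RouterOS) of how the mangle marks and routes above interact, including the !dstnat and ONU exceptions; the LAN subnet 192.168.88.0/24, the "bridge" and "ether1-isp" gateways and the sample packets are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

VPN_GW = "LD8"  # the L2TP interface from the article
# Mangle rules from section 2: (chain, proto, dst-port, excluded dst, excluded nat-state, mark);
# passthrough=no means the first matching rule decides the mark.
MANGLE = [
    ("prerouting", "tcp", 80, "192.168.1.1", "dstnat", "HTTP"),
    ("prerouting", "udp", 53, None, None, "DNS"),
    ("output",     "udp", 53, None, None, "DNS-Router"),
]
# Routes from section 3 plus two assumed main-table routes: (dst, gateway, routing-mark, distance).
ROUTES = [
    ("0.0.0.0/0", VPN_GW, "HTTP", 2),
    ("0.0.0.0/0", VPN_GW, "DNS", 1),
    ("0.0.0.0/0", VPN_GW, "DNS-Router", 1),
    ("195.82.146.0/24", VPN_GW, None, 1),     # Rutracker.Org
    ("192.168.88.0/24", "bridge", None, 0),   # assumed connected LAN route
    ("0.0.0.0/0", "ether1-isp", None, 1),     # assumed ISP default route
]

@dataclass
class Packet:
    chain: str        # "prerouting" for LAN hosts, "output" for the router's own traffic
    proto: str
    dst: str          # destination after dst-nat, as seen by the route lookup
    dport: int
    nat_state: str = ""   # "dstnat" for packets of a port-forwarded connection

def routing_mark(p, rules=MANGLE):
    """Return the mark set by the first matching mangle rule, or None."""
    for chain, proto, port, not_dst, not_nat, mark in rules:
        if (chain, proto, port) != (p.chain, p.proto, p.dport):
            continue
        if not_dst and p.dst == not_dst:         # dst-address=!<ONU address>
            continue
        if not_nat and p.nat_state == not_nat:   # connection-nat-state=!dstnat
            continue
        return mark
    return None

def gateway(p, rules=MANGLE, routes=ROUTES):
    """Marked table first, then main (RouterOS 6 fallback); longest prefix, then lowest distance."""
    mark = routing_mark(p, rules)
    dst = ip_address(p.dst)
    for table in ([mark] if mark else []) + [None]:
        cand = [r for r in routes if r[2] == table and dst in ip_network(r[0])]
        if cand:
            return max(cand, key=lambda r: (ip_network(r[0]).prefixlen, -r[3]))[1]
    return None
```

Dropping the !dstnat exception from the HTTP rule shows the caveat from section 2: an inbound port-forward to a LAN web server is pulled into the HTTP table and sent down the tunnel instead of to the LAN.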

In the same way as with Rutracker, you can route company resources and other closed sites.

The author hopes you will appreciate having access to Rutracker and the company portal at the same time, without even taking off your sweater.

Source: www.habr.com
