MikroTik. IPsec VPN behind NAT as a client

Good day, everyone!

It so happened that over the past two years our company has gradually moved over to MikroTik. The main nodes are built on the CCR1072, and the access points for the computers at the sites are simpler devices. Naturally, the networks are joined together over an IPsec tunnel as well; in that case the configuration is quite straightforward and causes no problems, because there is plenty of material about it online. But there are some problems with mobile clients connecting: the vendor wiki suggests using the Shrew Soft VPN client (everything seems clear with that setup), and that client is what 99% of the remote-access users use. The remaining 1% is me: I simply got too lazy to type a login and password into the client every time, and I wanted a lazy position on the couch with a convenient connection to the work networks. I could not find any instructions for configuring a MikroTik for the situation where it is not just behind a grey (private) address but completely hidden behind one, and possibly even behind several NATs. So I had to improvise, and I suggest you have a look at the result.

We have:

  1. CCR1072 as the main device, version 6.44.1
  2. cAP ac as the home access point, version 6.44.1

The main feature of the setup is that the PC and the MikroTik must be on the same network, using the address that the main 1072 issues.

Let's move on to the settings:

1. Of course we have Fasttrack enabled, but since fasttrack is not compatible with VPN, we have to exclude the VPN traffic from it.

/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=
    in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=
    out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec

2. Adding rules for the networks forwarded from/to home and work

/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 
    src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 
    src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.77.0/24

3. Create a user connection description (identity)

/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=
    общий ключ xauth-login=username xauth-password=password

4. Create the IPsec proposal

/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none

5. Create the IPsec policy

/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes

6. Create the IPsec profile

/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246

7. Create the IPsec peer

/ip ipsec peer
add address=<white IP 1072>/32 local-address=<ваш адрес роутера> name=CO profile=
    profile_88
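Steps 1, 4 and 6 are where a configuration like this quietly goes wrong: a fasttrack rule that does not exclude the IPsec-marked connections breaks the tunnel, and the proposal above negotiates 3DES with pfs-group=none while profile_1 uses modp1024, choices that are no longer considered adequate. The following script is an added example, not code from the post or from MikroTik. It assumes only the text format RouterOS prints on export (a `/menu path` line followed by `add key=value ...` or `set ...` lines, long lines wrapped with a trailing backslash and an indented continuation); the sample export is constructed to mirror the settings shown in this post, and the weak-cipher and weak-DH lists are the example's own judgement.

```python
"""Lint a RouterOS export for the IPsec/fasttrack pitfalls from the steps above."""
import re

# Example's own lists of what it treats as weak (not a RouterOS setting).
WEAK_CIPHERS = {"des", "3des", "blowfish", "null"}
WEAK_DH_GROUPS = {"modp768", "modp1024", "modp1536"}

_KV = re.compile(r'([\w-]+)=("[^"]*"|\S*)')
_INLINE = re.compile(r"(/[\w /-]*?)\s+(add|set)\s+(.*)")   # "/ip firewall filter add ..."

# Constructed sample export shaped like the post's configuration. The post lost
# RouterOS's trailing backslashes, so indentation alone also marks a continuation.
SAMPLE_EXPORT = """\
/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=
    in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=\\
    out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
"""

# The same export with the fasttrack exclusion dropped, to show that check firing.
BAD_FASTTRACK = SAMPLE_EXPORT.replace(" connection-mark=!ipsec", "")


def _unwrap(text):
    """Join wrapped export lines into one physical line per rule."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and lines:
            prev = lines[-1].rstrip("\\").rstrip()
            sep = "" if prev.endswith("=") else " "   # 'key=' was split from its value
            lines[-1] = prev + sep + raw.strip()
        else:
            lines.append(raw.rstrip())
    return [line.rstrip("\\").strip() for line in lines]


def parse_export(text):
    """Return [(menu_path, verb, {key: value})] for every add/set line."""
    entries, path = [], None
    for line in _unwrap(text):
        if line.startswith("/"):
            m = _INLINE.match(line)
            if not m:                      # bare menu path line
                path = line
                continue
            path, line = m.group(1), f"{m.group(2)} {m.group(3)}"
        verb = line.split()[0]
        kv = {k: v.strip('"') for k, v in _KV.findall(line)}
        entries.append((path, verb, kv))
    return entries


def lint_ipsec(entries):
    """Return human-readable findings; an empty list means nothing was flagged."""
    findings = []
    # Connection marks that the mangle rules put on IPsec-policy traffic.
    ipsec_marks = {e["new-connection-mark"] for p, _, e in entries
                   if p == "/ip firewall mangle" and "ipsec-policy" in e
                   and "new-connection-mark" in e}
    for path, _, e in entries:
        if path == "/ip firewall filter" and e.get("action") == "fasttrack-connection":
            mark = e.get("connection-mark", "")
            if not (mark.startswith("!") and mark[1:] in ipsec_marks):
                findings.append("fasttrack rule does not exclude IPsec-marked connections")
        elif path == "/ip ipsec proposal":
            name = e.get("name", "?")
            weak = WEAK_CIPHERS & set(e.get("enc-algorithms", "").split(","))
            if weak:
                findings.append(f"proposal {name}: weak ESP cipher {','.join(sorted(weak))}")
            if e.get("pfs-group") == "none":
                findings.append(f"proposal {name}: pfs-group=none (no forward secrecy)")
        elif path == "/ip ipsec profile":
            name = "default" if e.get("default") == "yes" else e.get("name", "?")
            weak = WEAK_CIPHERS & set(e.get("enc-algorithm", "").split(","))
            if weak:
                findings.append(f"profile {name}: weak IKE cipher {','.join(sorted(weak))}")
            if e.get("dh-group") in WEAK_DH_GROUPS:
                findings.append(f"profile {name}: weak DH group {e['dh-group']}")
            if e.get("nat-traversal") == "no":
                findings.append(f"profile {name}: nat-traversal=no (a peer on this profile cannot sit behind NAT)")
            if e.get("dpd-interval") == "disable-dpd":
                findings.append(f"profile {name}: DPD disabled (a dead tunnel is never torn down)")
    return findings


def lint_text(text):
    return lint_ipsec(parse_export(text))


if __name__ == "__main__":
    for finding in lint_text(SAMPLE_EXPORT):
        print(finding)
```

Feed it the output of `/export` from either router; the nat-traversal finding on the default profile is informational here, since the peer above uses profile_88 rather than the default profile.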

Now for a bit of simple magic. Since I really did not want to change the settings on every device on my home network, I had to somehow put DHCP on the same network, but as you would expect MikroTik does not let you put more than one address pool on a single bridge. So I found a workaround: for the laptop alone I simply created a DHCP lease with manual parameters, and since netmask, gateway and DNS also have option numbers in DHCP, I specified them by hand.

1. DHCP options

/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"

2. DHCP lease

/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=
    option1-netmask,option3-gateway,option6-dns mac-address=<MAC адрес ноутбука>
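The three options attached to the lease above are codes 1, 3 and 6, each carrying one or more IPv4 addresses in the RFC 2132 type-length-value format. The script below is an added example, not code from the post or from RouterOS: it encodes the post's three values (constructed sample) into the bytes a DHCP offer carries, decodes them back, and rejects truncated or mis-sized options, which is the check worth having when you hand-craft option bytes. It does not model what RouterOS does with its own `value="'...'"` quoting, only the wire format; it also handles lists of several addresses, which the post's single-address options do not show.

```python
"""Encode/decode IPv4-list DHCP options (RFC 2132 TLV): codes 1, 3, 6 and the like."""
import ipaddress

SUBNET_MASK, ROUTER, DNS_SERVER = 1, 3, 6   # the option codes the post sets by hand
PAD, END = 0, 255                           # single-byte pad and terminator

# Constructed sample: the three options from the laptop's manual lease above.
LEASE_OPTIONS = {
    SUBNET_MASK: ["255.255.255.0"],
    ROUTER: ["192.168.33.1"],
    DNS_SERVER: ["8.8.8.8"],
}


def encode_ip_option(code, addresses):
    """One TLV option whose payload is a list of IPv4 addresses."""
    payload = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    if not payload or len(payload) > 255:
        raise ValueError("payload must be 1..63 addresses (the length field is one byte)")
    return bytes([code, len(payload)]) + payload


def encode_options(options):
    """Serialise {code: [addresses]} and terminate the block with END."""
    return b"".join(encode_ip_option(c, a) for c, a in options.items()) + bytes([END])


def decode_ip_options(blob):
    """Parse a TLV block back to {code: [dotted]}; rejects truncated or odd-sized payloads."""
    out, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == END:
            return out
        if code == PAD:                    # pad has no length byte
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"option {code}: missing length byte")
        length = blob[i + 1]
        payload = blob[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError(f"option {code}: declared {length} bytes, {len(payload)} present")
        if length == 0 or length % 4:
            raise ValueError(f"option {code}: length {length} is not a multiple of 4")
        out[code] = [str(ipaddress.IPv4Address(payload[j:j + 4]))
                     for j in range(0, length, 4)]
        i += 2 + length
    raise ValueError("options block is not terminated by END")


if __name__ == "__main__":
    wire = encode_options(LEASE_OPTIONS)
    print(wire.hex())
    print(decode_ip_options(wire))
```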

At the same time, the configuration of the 1072 is basically standard; the only thing is that when issuing an IP address to the client, the settings specify that the manually entered IP address, not one from the pool, should be given to it. For ordinary PC clients the subnet is the same as in the wiki configuration, 192.168.55.0/24.

This setup lets you avoid connecting from the PC through third-party software, and the tunnel itself is brought up by the router as needed. The load on the client cAP ac is minimal: 8-11% at a speed of 9-10 MB/s through the tunnel.

All settings were made through Winbox, although it can be done through the console with equal success.

Source: www.habr.com
