MikroTik. IPSEC VPN behind NAT as a client

Hello everyone!

It so happened that over the last two years our company has been gradually switching to MikroTik. The main nodes are built on CCR1072, and the local access points for PCs are on simpler devices. Naturally, there is also a joining of networks over an IPSEC tunnel; in that case the setup is simple and causes no difficulty, because there are plenty of guides on the net. But there is a certain difficulty with mobile connection of clients: the manufacturer's wiki tells you how to use the Shrew Soft VPN client (everything seems clear with that setup), and this is the client used by 99% of remote-access users. The remaining 1% is me: I was too lazy to type the login and password into the client every time and wanted a lazy spot on the couch with a simple connection to the work networks. I found no instructions for configuring a MikroTik for the case where it sits not merely behind a grey (private) address, but behind a completely black one, and probably behind several NATs in the network. So I had to work it out myself, and I suggest taking a look at the result.

Given:

  1. CCR1072 as the main device, version 6.44.1
  2. cAP ac as the home access point, version 6.44.1

The key feature of the setup is that the PC and the MikroTik must be on the same network, with the same address issued by the main 1072.

Let's move on to the settings:

1. Yes, we have Fasttrack enabled, but since fasttrack does not get along with VPN, its traffic has to be kept out of it.

/ip firewall mangle
add action=mark-connection chain=forward comment="ipsec in" ipsec-policy=
    in,ipsec new-connection-mark=ipsec passthrough=yes
add action=mark-connection chain=forward comment="ipsec out" ipsec-policy=
    out,ipsec new-connection-mark=ipsec passthrough=yes
/ip firewall filter add action=fasttrack-connection chain=forward connection-mark=!ipsec

2. Allow the network traffic from/to home and work to pass

/ip firewall raw
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.76.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.98.0/24
add action=accept chain=prerouting disabled=yes dst-address=192.168.55.0/24 
    src-address=10.7.78.0/24
add action=accept chain=prerouting dst-address=10.7.76.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.77.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting dst-address=10.7.98.0/24 src-address=
    192.168.33.0/24
add action=accept chain=prerouting disabled=yes dst-address=10.7.78.0/24 
    src-address=192.168.55.0/24
add action=accept chain=prerouting dst-address=192.168.33.0/24 src-address=
    10.7.77.0/24

3. Create a connection identity with a user

/ip ipsec identity
add auth-method=pre-shared-key-xauth notrack-chain=prerouting peer=CO secret=
    <shared key> xauth-login=username xauth-password=password

4. Create an IPSEC proposal

/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none

5. Create IPSEC policies

/ip ipsec policy
add dst-address=10.7.76.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes
add dst-address=10.7.77.0/24 level=unique proposal="prop1" 
    sa-dst-address=<white IP 1072> sa-src-address=0.0.0.0 src-address=
    192.168.33.0/24 tunnel=yes

6. Create IPSEC profiles

/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246

7. Create an IPSEC peer

/ip ipsec peer
add address=<white IP 1072>/32 local-address=<your router address> name=CO profile=
    profile_88
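An added example, not from the article or from MikroTik: a small Python linter that re-joins the wrapped lines of a RouterOS export like the blocks above and flags the crypto choices a reviewer would question in steps 4 and 6 (3DES, pfs-group=none, modp1024, disabled DPD, NAT-T switched off). The embedded sample is the article's own proposal and profile blocks; the lists of weak ciphers and DH groups are my assumption.

```python
import shlex
# Constructed sample: the IPsec proposal and profile blocks from the article.
SAMPLE_EXPORT = """\
/ip ipsec proposal
add enc-algorithms=3des lifetime=5m name="prop1" pfs-group=none
/ip ipsec profile
set [ find default=yes ] dpd-interval=disable-dpd enc-algorithm=
    aes-192,aes-128,3des nat-traversal=no
add dh-group=modp1024 enc-algorithm=aes-192,aes-128,3des name=profile_1
add name=profile_88
add dh-group=modp1024 lifetime=4h name=profile246
"""
WEAK_CIPHERS = {"null", "des", "3des"}   # broken or deprecated ciphers
WEAK_DH = {"modp768", "modp1024"}        # DH groups well below 112-bit strength
def parse_export(text):
    # Return [(menu, {key: value})]. RouterOS wraps long commands onto indented
    # lines; a wrap right after '=' splits key from value, so join without a space.
    cmds, menu = [], ""
    for raw in text.splitlines():
        if raw.startswith(" ") and cmds:                    # continuation line
            m, prev = cmds[-1]
            cont = raw.strip()
            cmds[-1] = (m, prev + (cont if prev.endswith("=") else " " + cont))
        elif raw.startswith("/"):
            menu = raw.rstrip()
        elif raw.strip():
            cmds.append((menu, raw.rstrip()))
    return [(m, dict(t.split("=", 1) for t in shlex.split(c)[1:] if "=" in t))
            for m, c in cmds]
def audit_ipsec(entries):
    # Return (menu, object, finding) for explicitly weak settings; keys left
    # unset inherit RouterOS defaults and are not judged here.
    out = []
    for menu, p in entries:
        name = p.get("name") or ("default" if p.get("default") == "yes" else "?")
        is_prop = menu.endswith("proposal")
        key = "enc-algorithms" if is_prop else "enc-algorithm"
        weak = sorted(set(p.get(key, "").split(",")) & WEAK_CIPHERS)
        if weak:
            out.append((menu, name, "weak cipher(s): " + ",".join(weak)))
        if is_prop and p.get("pfs-group") == "none":
            out.append((menu, name, "pfs-group=none: no forward secrecy"))
        if menu.endswith("profile"):
            if p.get("dh-group") in WEAK_DH:
                out.append((menu, name, "weak DH group " + p["dh-group"]))
            if p.get("dpd-interval") == "disable-dpd":
                out.append((menu, name, "DPD disabled: dead peers go unnoticed"))
            if p.get("nat-traversal") == "no":
                out.append((menu, name, "NAT-T off: cannot work from behind NAT"))
    return out
```

Run `audit_ipsec(parse_export(open("export.rsc").read()))` against a real `/export` to get the same findings for your own router.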

Now for a little magic. Since I really did not want to change the settings on every device in my home network, I somehow had to attach DHCP to the same network, but, logically, MikroTik does not let you attach more than one address pool to one bridge. So I found a workaround: for the laptop I simply made a DHCP lease with manually set parameters, and since the netmask, gateway and DNS also have their own option numbers in DHCP, I specified them by hand.

1. DHCP options

/ip dhcp-server option
add code=3 name=option3-gateway value="'192.168.33.1'"
add code=1 name=option1-netmask value="'255.255.255.0'"
add code=6 name=option6-dns value="'8.8.8.8'"

2. DHCP lease

/ip dhcp-server lease
add address=192.168.33.4 dhcp-option=
    option1-netmask,option3-gateway,option6-dns mac-address=<laptop MAC address>
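An added example, not from the article, showing what the three manually set options become on the wire (RFC 2132 code/length/value) and checking that the lease address, netmask and gateway describe a single subnet. It assumes the RouterOS option value syntax `'...'` for an IP address, `"..."` for a string and `0x...` for raw hex; the lease values are taken from the article.

```python
import ipaddress

# Constructed from the article's static lease, in RouterOS option-value syntax.
LEASE_ADDRESS = "192.168.33.4"
OPTIONS = {1: "'255.255.255.0'", 3: "'192.168.33.1'", 6: "'8.8.8.8'"}

def encode_option(code, value):
    # Turn one RouterOS option value into its RFC 2132 TLV bytes.
    if value.startswith("'") and value.endswith("'"):
        payload = ipaddress.IPv4Address(value[1:-1]).packed
    elif value.startswith('"') and value.endswith('"'):
        payload = value[1:-1].encode()
    elif value.startswith("0x"):
        payload = bytes.fromhex(value[2:])
    else:
        raise ValueError(f"unsupported RouterOS option value: {value}")
    return bytes([code, len(payload)]) + payload

def decode_options(blob):
    # Parse TLVs back into {code: payload}; stops at the 0xff end marker.
    out, i = {}, 0
    while i < len(blob) and blob[i] != 0xFF:
        code, length = blob[i], blob[i + 1]
        out[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return out

def check_lease(address, options):
    # Return the problems a hand-made lease can have: netmask and router must
    # be present, and the router must lie inside the lease's own subnet.
    blob = b"".join(encode_option(c, v) for c, v in options.items()) + b"\xff"
    opts = decode_options(blob)
    if 1 not in opts or 3 not in opts:
        return ["netmask (option 1) and router (option 3) are both required"]
    mask = ipaddress.IPv4Address(opts[1])
    net = ipaddress.IPv4Network((address, str(mask)), strict=False)
    problems = []
    for k in range(0, len(opts[3]), 4):          # option 3 may list several routers
        gw = ipaddress.IPv4Address(opts[3][k:k + 4])
        if gw not in net or gw == ipaddress.IPv4Address(address):
            problems.append(f"router {gw} is not a usable gateway for {net}")
    return problems
```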

At the same time, the configuration of the 1072 is the most basic one; the only difference is that, when an IP address is issued to the client, the settings say it must be given the manually entered IP address rather than one from the pool. For ordinary PC clients the subnet is the same as in the Wiki configuration, 192.168.55.0/24.

This configuration lets you avoid connecting from the PC through third-party software, and the tunnel itself is brought up by the router as needed. The load on the client cAP ac is almost negligible, 8-11% at 9-10 MB/s through the tunnel.

All settings were made through Winbox, although they can be done just as well from the console.

Source: www.habr.com
