Reply to 815# 雯雯


    Is there a sample I can refer to for reverse wall-jumping?


Reply to 雯雯


    Is there a sample I can refer to for reverse wall-jumping?
    navimak posted on 2018-6-3 19:40


Actually it just comes down to bringing up the VPN tunnel and setting up routing and NAT on both sides:
https://www.mobile01.com/topicde ... 4&p=33#42935068


Reply to 822# 雯雯


    I'll have a look first, thanks for the link.


A modular router: you decide how many WAN and LAN ports it has.

The routers we normally use have one WAN port and four LAN ports. Because some plans now provide more than one public IP address, a multi-WAN router is needed, but ordinary multi-WAN routers are fairly expensive. Consider Mikrotik routers instead: Mikrotik routers generally have 5 (ether) ports, and in the default configuration ether1 is the WAN port and ether2-5 are LAN ports, but if you don't use the default configuration you can set ether1 as WAN1, ether2 as WAN2 and ether3-5 as LAN 1-3 yourself.

So what choices are there among Mikrotik routers?

If you don't need WiFi, the best value is the RB750Gr3, selling for about RMB 300. If you need WiFi (2.4GHz, 5GHz), the best value is the hAP ac^2, about RMB 420. If you need higher performance (no WiFi), consider the CCR1009, from about RMB 2300.

What OS do Mikrotik routers run? RouterOS. It includes many VPN configurations such as PPTP, L2TP, IPsec, SSTP, site-to-site VPN, VLAN and so on. RouterOS is quite powerful at routing and switching, with performance comparable to Cisco-class routers. Many things Cisco can do that most routers sold in computer malls cannot, Mikrotik's RouterOS can do, but at a much lower price, roughly a tenth or even a hundredth of Cisco's (that's a rough estimate).

(Of course you can choose other routers, but I'm not very familiar with them.)


This post was last edited by 张无忌 on 2018-6-5 12:26

How to change the MAC address to get a new IP address

For some reason we need to get a new IP address. With a normal reboot the IP address you get back is usually the same; you need to power off for 5 minutes and then restart before you might get a new IP address. If you are not at home, how do you do this? You need to run a script remotely. Below is a script: put it under /system/script, then apply and run it.

If nothing happens, do it once more. Usually when the router changes its MAC address the ISP gives you a new IP, but because the DNS server takes time to update its records, you generally have to wait 5 minutes before the new IP address is registered and usable.
    # Helper: strip the spaces RouterOS prints inside large numbers and convert to a number
    :local r
    :local tonum do={
            :local in ($1->0)
            :local j
            :for i from=0 to=([:len $in]-1) do={
                    :local t
                    :set t [:pick $in $i]
                    :if ($t!=" ") do={:set $j "$j$t"}
            }
            :set j ([:tonum $j])
            :return $j
    }

    :local hex 0123456789abcdef
    :local mac "";

    # Take the two lowest hex digits ((r/16) mod 16 and r mod 16) of six ether1 counters
    :set r [/interface ethernet get ether1 rx-bytes]
    :set r [$tonum $r]
    :local i1 ($r/16)
    :set i1 ($i1-($i1/16)*16)
    :local i2 ($r-($r/16)*16)
    :set r [/interface ethernet get ether1 rx-64]
    :set r [$tonum $r]
    :local i3 ($r/16)
    :set i3 ($i3-($i3/16)*16)
    :local i4 ($r-($r/16)*16)
    :set r [/interface ethernet get ether1 rx-65-127]
    :set r [$tonum $r]
    :local i5 ($r/16)
    :set i5 ($i5-($i5/16)*16)
    :local i6 ($r-($r/16)*16)
    :set r [/interface ethernet get ether1 tx-bytes]
    :set r [$tonum $r]
    :local i7 ($r/16)
    :set i7 ($i7-($i7/16)*16)
    :local i8 ($r-($r/16)*16)
    :set r [/interface ethernet get ether1 tx-64]
    :set r [$tonum $r]
    :local i9 ($r/16)
    :set i9 ($i9-($i9/16)*16)
    :local i10 ($r-($r/16)*16)
    :set r [/interface ethernet get ether1 tx-65-127]
    :set r [$tonum $r]
    :local i11 ($r/16)
    :set i11 ($i11-($i11/16)*16)
    :local i12 ($r-($r/16)*16)

    # Assemble the 12 hex digits into the new MAC, log it and apply it to ether1
    :set mac ([:tostr [:pick $hex $i1]].[:tostr [:pick $hex $i2]].[:tostr [:pick $hex $i3]].[:tostr [:pick $hex $i4]].[:tostr [:pick $hex $i5]].[:tostr [:pick $hex $i6]].[:tostr [:pick $hex $i7]].[:tostr [:pick $hex $i8]].[:tostr [:pick $hex $i9]].[:tostr [:pick $hex $i10]].[:tostr [:pick $hex $i11]].[:tostr [:pick $hex $i12]]);
    :log warning "New MAC $mac"

    /interface ethernet set ether1 mac-address=$mac;
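An added example, not part of the post above: the same nibble extraction in Python on constructed counter values, plus the check the script lacks. The first octet's I/G bit must be 0 for a unicast address, and a made-up address should carry the locally-administered bit; the counter-derived value satisfies neither about half of the time.

```python
# Constructed counter values (not from a real router), standing in for what
# "/interface ethernet get ether1 rx-bytes" and the other five getters return.
SAMPLE_COUNTERS = {
    "rx-bytes": 1234567891,
    "rx-64": 3456789,
    "rx-65-127": 987654,
    "tx-bytes": 2468013579,
    "tx-64": 1357911,
    "tx-65-127": 246802,
}
COUNTER_ORDER = ["rx-bytes", "rx-64", "rx-65-127", "tx-bytes", "tx-64", "tx-65-127"]


def low_two_nibbles(value):
    """Same arithmetic as the script: (v/16) mod 16 and v mod 16 with integer
    division, i.e. the two least significant hex digits of the counter."""
    return (value // 16) % 16, value % 16


def derive_mac(counters, order=COUNTER_ORDER):
    """Twelve nibbles from six counters, packed into six octets (the script's $mac)."""
    nibbles = [n for name in order for n in low_two_nibbles(counters[name])]
    return [nibbles[i] * 16 + nibbles[i + 1] for i in range(0, 12, 2)]


def is_unicast(octets):
    """I/G bit = bit 0 of the first octet; 0 means an individual (unicast) address."""
    return octets[0] & 0x01 == 0


def make_unicast_local(octets):
    """Clear the I/G bit and set the U/L bit (bit 1) so the result is a valid
    locally administered unicast address. A first octet with the I/G bit set is a
    multicast address and is not usable as an interface (source) MAC."""
    fixed = list(octets)
    fixed[0] = (fixed[0] & 0xFE) | 0x02
    return fixed


def fmt(octets):
    return ":".join(f"{b:02x}" for b in octets)


if __name__ == "__main__":
    raw = derive_mac(SAMPLE_COUNTERS)
    print("raw  ", fmt(raw), "unicast" if is_unicast(raw) else "MULTICAST, not usable")
    print("fixed", fmt(make_unicast_local(raw)))
```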


This post was last edited by 张无忌 on 2018-6-4 19:21

Smart connect from the mainland to an HK VPN server

I expect many members have VPN servers in Hong Kong, and while in the mainland their phones and computers need some configuration before they can connect. Sometimes certain devices cannot install a client, or will only connect with a VPN protocol like L2TP over IPsec, and routers that do L2TP over IPsec are fairly rare.

What if there were a device at home that could turn a given port into an HK IP port, with different SSIDs: one set going out via the mainland, one via Hong Kong, and one that can reach both mainland and Hong Kong sites at the same time (smart connect). Put simply, if the destination is a mainland IP it goes via the mainland gateway, otherwise via the Hong Kong gateway.

What device can meet this requirement? Mikrotik's WiFi routers can (some other routers, modified, probably can too). The best value in 2018 is Mikrotik's new 2018 product, the hAP ac^2; I'll skip the detailed specs. So how do you set up the hAP ac^2?

Goals:
1. Ether5 is the HK IP port
2. Ether4 is the Smart IP port
3. Ether2-3 are mainland IP ports
4. Ether1 is the mainland WAN port
5. SSID 1 (MT-2G) is mainland IP
6. SSID 2 (MT-5G) is mainland IP
7. SSID 3 (MT-2G-HK) is Hong Kong IP
8. SSID 4 (MT-5G-HK) is Hong Kong IP
9. SSID 5 (MT-2Gs) is Smart IP
10. SSID 6 (MT-5Gs) is Smart IP

Hong Kong VPN server details:

address: vpn.abc.com (your Hong Kong VPN address)
user name: abc123
password: password123
VPN protocol: pptp

Step 1: Reset your router

    /system reset-configuration skip-backup=yes

Step 2: Set the default WiFi security profile (e.g. password=wifi-123)

    /interface wireless security-profiles
        set authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=wifi-123 [find name="default"]

Step 3: Set 2.4GHz SSID=MT-2G, 5GHz SSID=MT-5G

    /interface wireless
        set wlan1 ssid=MT-2G frequency=auto security-profile=default disabled=no
        set wlan2 ssid=MT-5G frequency=auto security-profile=default disabled=no

Step 4: Create new bridges named bridge-hk and bridge-smart

    /interface bridge
        add name=bridge-hk
        add name=bridge-smart

Step 5: Create virtual APs

    /interface wireless
        add disabled=no master-interface=wlan1 name=wlan3 ssid=MT-2G-HK
        add disabled=no master-interface=wlan1 name=wlan4 ssid=MT-2Gs
        add disabled=no master-interface=wlan2 name=wlan5 ssid=MT-5G-HK
        add disabled=no master-interface=wlan2 name=wlan6 ssid=MT-5Gs

Step 6: Detach (remove) ether4 and ether5 from the default bridge

    /interface bridge port
        remove [find interface="ether5"]
    /interface bridge port
        remove [find interface="ether4"]

Step 7: Add ether5, wlan3 and wlan5 to the new bridge "bridge-hk"

    /interface bridge port
        add bridge=bridge-hk interface=ether5
        add bridge=bridge-hk interface=wlan3
        add bridge=bridge-hk interface=wlan5

Step 8: Add ether4, wlan4 and wlan6 to the new bridge "bridge-smart"

    /interface bridge port
        add bridge=bridge-smart interface=ether4
        add bridge=bridge-smart interface=wlan4
        add bridge=bridge-smart interface=wlan6

Step 9: Assign the IP address 192.168.80.1/24 to the bridge-hk interface

    /ip address
        add address=192.168.80.1/24 interface=bridge-hk

Step 10: Assign the IP address 192.168.81.1/24 to the bridge-smart interface

    /ip address
        add address=192.168.81.1/24 interface=bridge-smart

Step 11: Set up a DHCP server for bridge-hk

    /ip dhcp-server setup

Based on the following screen dump, input the correct bridge name "bridge-hk" and the DNS servers 8.8.8.8 and 8.8.4.4:

    [admin@MikroTik] /ip address> /ip dhcp-server setup
    Select interface to run DHCP server on

    dhcp server interface: bridge-hk
    Select network for DHCP addresses

    dhcp address space: 192.168.80.0/24
    Select gateway for given network

    gateway for dhcp network: 192.168.80.1
    Select pool of ip addresses given out by DHCP server

    addresses to give out: 192.168.80.2-192.168.80.254
    Select DNS servers

    dns servers: 8.8.8.8,8.8.4.4
    Select lease time

    lease time: 10m
    [admin@MikroTik] /ip address>

Step 12: Set up a DHCP server for bridge-smart

    /ip dhcp-server setup

Same as for bridge-hk, replacing bridge-hk with bridge-smart.

Step 13: Set up dial-out to the HK VPN server

    /interface pptp-client
        add connect-to=vpn.abc.com disabled=no name=pptp-hk password=password123 user=abc123

Step 14: Input the China IP address list

    /tool fetch url=http://www.iwik.org/ipcountry/mikrotik/CN

Step 15: Import the CN list file

    /import file-name=CN

Step 16: Mangle packets for policy routing by applying different routing marks

    /ip firewall mangle
        add action=mark-routing chain=prerouting in-interface=bridge-hk new-routing-mark=hk-gateway passthrough=no
        add action=mark-routing chain=prerouting in-interface=bridge-smart dst-address-list=!CN new-routing-mark=hk-gateway passthrough=no

Step 17: Apply masquerade to the out-interface "pptp-hk"

    /ip firewall nat
        add action=masquerade chain=srcnat out-interface=pptp-hk

Step 18: The following rules are normally moved before the FastTrack rule.

    /ip firewall filter
        add action=accept chain=forward in-interface=bridge-hk
        add action=accept chain=forward out-interface=bridge-hk
        add action=accept chain=forward in-interface=bridge-smart
        add action=accept chain=forward out-interface=bridge-smart

Initially these rules are placed at the end; use drag and move to put them before the FastTrack rules.

Figure 1: as just installed


Figure 2: after moving



Step 19: Policy route based on the new routing mark "hk-gateway"

    /ip route
        add distance=1 gateway=pptp-hk routing-mark=hk-gateway

Step 20: Reboot the router

    /system reboot


This post was last edited by 张无忌 on 2018-6-6 00:42

Script difference before and after ticking the VPN checkbox

Listing 1: Before ticking the VPN checkbox

    /interface bridge
    add admin-mac=CC:2D:E0:xx:xx:xx auto-mac=no comment=defconf name=bridge
    /interface wireless
    set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-AExxx1 \
        wireless-protocol=802.11
    set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge ssid=\
        MikroTik-AExxx2 wireless-protocol=802.11
    /interface list
    add comment=defconf name=WAN
    add comment=defconf name=LAN
    /interface wireless security-profiles
    set [ find default=yes ] supplicant-identity=MikroTik
    /ip pool
    add name=default-dhcp ranges=192.168.88.10-192.168.88.254
    /ip dhcp-server
    add address-pool=default-dhcp disabled=no interface=bridge name=defconf
    /interface bridge port
    add bridge=bridge comment=defconf interface=ether2
    add bridge=bridge comment=defconf interface=ether3
    add bridge=bridge comment=defconf interface=ether4
    add bridge=bridge comment=defconf interface=ether5
    add bridge=bridge comment=defconf interface=wlan1
    add bridge=bridge comment=defconf interface=wlan2
    /ip neighbor discovery-settings
    set discover-interface-list=LAN
    /interface list member
    add comment=defconf interface=bridge list=LAN
    add comment=defconf interface=ether1 list=WAN
    /ip address
    add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
    /ip dhcp-client
    add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
    /ip dhcp-server network
    add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
    /ip dns
    set allow-remote-requests=yes
    /ip dns static
    add address=192.168.88.1 name=router.lan
    /ip firewall filter
    add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
    add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
    add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
    add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
    add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
    add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
    add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
    add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
    add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
    add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
    /system routerboard settings
    set silent-boot=no
    /tool mac-server
    set allowed-interface-list=LAN
    /tool mac-server mac-winbox
    set allowed-interface-list=LAN

Listing 2: After ticking the VPN checkbox

    /interface bridge
    add admin-mac=CC:2D:E0:xx:xx:xx auto-mac=no comment=defconf name=bridge
    /interface wireless
    set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-AExxx1 \
        wireless-protocol=802.11
    set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee distance=indoors frequency=auto mode=ap-bridge ssid=MikroTik-AExxx2 \
        wireless-protocol=802.11
    /interface list
    add comment=defconf name=WAN
    add comment=defconf name=LAN
    /interface wireless security-profiles
    set [ find default=yes ] supplicant-identity=MikroTik
    /ip hotspot profile
    set [ find default=yes ] html-directory=flash/hotspot
    /ip pool
    add name=dhcp ranges=192.168.88.10-192.168.88.254
    add name=vpn ranges=192.168.89.2-192.168.89.255
    /ip dhcp-server
    add address-pool=dhcp disabled=no interface=bridge name=defconf
    /ppp profile
    set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn
    /interface bridge port
    add bridge=bridge comment=defconf interface=ether2
    add bridge=bridge comment=defconf interface=ether3
    add bridge=bridge comment=defconf interface=ether4
    add bridge=bridge comment=defconf interface=ether5
    add bridge=bridge comment=defconf interface=wlan1
    add bridge=bridge comment=defconf interface=wlan2
    /ip neighbor discovery-settings
    set discover-interface-list=LAN
    /interface l2tp-server server
    set enabled=yes ipsec-secret=vpn-password use-ipsec=yes
    /interface list member
    add comment=defconf interface=bridge list=LAN
    add comment=defconf interface=ether1 list=WAN
    /interface pptp-server server
    set enabled=yes
    /interface sstp-server server
    set default-profile=default-encryption enabled=yes
    /ip address
    add address=192.168.88.1/24 comment=defconf interface=ether2 network=192.168.88.0
    /ip cloud
    set ddns-enabled=yes
    /ip dhcp-client
    add comment=defconf dhcp-options=hostname,clientid disabled=no interface=ether1
    /ip dhcp-server network
    add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
    /ip dns
    set allow-remote-requests=yes
    /ip dns static
    add address=192.168.88.1 name=router.lan
    /ip firewall filter
    add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
    add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
    add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
    add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
    add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
    add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
    add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
    add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
    add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
    add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
    add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
    add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
    add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
    add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
    add action=drop chain=forward comment="defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
    add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24
    /ppp secret
    add name=vpn password=vpn-password
    /system routerboard settings
    set silent-boot=no
    /tool mac-server
    set allowed-interface-list=LAN
    /tool mac-server mac-winbox
    set allowed-interface-list=LAN

The differences in the configuration are:

    /ip pool
    add name=vpn ranges=192.168.89.2-192.168.89.255

    /ppp profile
    set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn

    /ppp secret
    add name=vpn password=vpn-password

    /interface l2tp-server server
    set enabled=yes ipsec-secret=vpn-password use-ipsec=yes

    /interface pptp-server server
    set enabled=yes
    /interface sstp-server server
    set default-profile=default-encryption enabled=yes

    /ip cloud
    set ddns-enabled=yes

    /ip firewall filter
    add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
    add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
    add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
    add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
    add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp

    /ip firewall nat
    add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24

This post was last edited by 张无忌 on 2018-6-5 02:01

Smart connect from Hong Kong to a mainland VPN client (reverse wall-jumping)

Nowadays the ISP gives most mainland home broadband a private IP address, so from Hong Kong you simply can't VPN in. What can be done? The answer is the "reverse wall-jumping" method. We can use MikroTik routers: if WiFi isn't needed, the RB750Gr3, about RMB 300 in the mainland; if WiFi is needed, consider MikroTik's newest 2018 product, the hAP ac^2, about RMB 420 in the mainland.

What if there were a device at home that could turn a given port into a CN IP port, with different SSIDs: one set going out via the mainland, one via Hong Kong, and one that can reach both mainland and Hong Kong sites at the same time (smart connect). Put simply, if the destination is a mainland IP it goes via the mainland gateway, otherwise via the Hong Kong gateway.
So how do you set up the hAP ac^2?

Configuration goals:
1. Ether5 is the CN IP port
2. Ether4 is the Smart IP port
3. Ether2-3 are Hong Kong IP ports
4. Ether1 is the Hong Kong WAN port
5. SSID 1 (MT-2G) is Hong Kong IP
6. SSID 2 (MT-5G) is Hong Kong IP
7. SSID 3 (MT-2G-CN) is mainland IP
8. SSID 4 (MT-5G-CN) is mainland IP
9. SSID 5 (MT-2Gs) is Smart IP
10. SSID 6 (MT-5Gs) is Smart IP


address: vpn.abc.com (your Hong Kong VPN server address)
user name: cn
password: cn-password
VPN protocol: pptp


Mainland VPN router: VPN client side settings

If a MikroTik router is used in the mainland, use a PPTP VPN client to connect to the Hong Kong VPN server.

    /interface pptp-client
        add connect-to=vpn.abc.com disabled=no name=pptp-hk password=cn-password user=cn

Hong Kong VPN router: VPN server side settings

Step 1: Reset your router

    /system reset-configuration skip-backup=yes

Step 2: VPN settings and MikroTik DNS

    /ip pool
    add name=vpn ranges=192.168.89.2-192.168.89.255

    /ppp profile
    set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn

    /interface l2tp-server server
    set enabled=yes ipsec-secret=vpn-password use-ipsec=yes

    /interface pptp-server server
    set enabled=yes

    /interface sstp-server server
    set default-profile=default-encryption enabled=yes

    /ip cloud
    set ddns-enabled=yes

    /system ntp client
    set enabled=yes primary-ntp=118.143.17.82

    /system clock
    set time-zone-name=Asia/Hong_Kong

    /ip firewall filter
    add chain=input protocol=ipsec-esp comment="IPsec ESP method"
    add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
    add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
    add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
    add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
    add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp

    /ip firewall nat
    add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24

    /ppp secret
    add name=cn password=cn-password

Move the rules under firewall filter to just after the ICMP rule and before the drop rules of the input chain.

Figure 1: before moving


Figure 2: after moving

Step 3: Set the default WiFi security profile (e.g. password=wifi-123)

    /interface wireless security-profiles
        set authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=wifi-123 [find name="default"]

Step 4: Set 2.4GHz SSID=MT-2G, 5GHz SSID=MT-5G

    /interface wireless
        set wlan1 ssid=MT-2G frequency=auto security-profile=default disabled=no
        set wlan2 ssid=MT-5G frequency=auto security-profile=default disabled=no

Step 5: Create new bridges named bridge-cn and bridge-smart

    /interface bridge
        add name=bridge-cn
        add name=bridge-smart

Step 6: Create virtual APs

    /interface wireless
        add disabled=no master-interface=wlan1 name=wlan3 ssid=MT-2G-CN
        add disabled=no master-interface=wlan1 name=wlan4 ssid=MT-2Gs
        add disabled=no master-interface=wlan2 name=wlan5 ssid=MT-5G-CN
        add disabled=no master-interface=wlan2 name=wlan6 ssid=MT-5Gs

Step 7: Detach (remove) ether4 and ether5 from the default bridge

    /interface bridge port
        remove [find interface="ether5"]
    /interface bridge port
        remove [find interface="ether4"]

Step 8: Add ether5, wlan3 and wlan5 to the new bridge "bridge-cn"

    /interface bridge port
        add bridge=bridge-cn interface=ether5
        add bridge=bridge-cn interface=wlan3
        add bridge=bridge-cn interface=wlan5

Step 9: Add ether4, wlan4 and wlan6 to the new bridge "bridge-smart"

    /interface bridge port
        add bridge=bridge-smart interface=ether4
        add bridge=bridge-smart interface=wlan4
        add bridge=bridge-smart interface=wlan6

Step 10: Assign the IP address 192.168.80.1/24 to the bridge-cn interface

    /ip address
        add address=192.168.80.1/24 interface=bridge-cn

Step 11: Assign the IP address 192.168.81.1/24 to the bridge-smart interface

    /ip address
        add address=192.168.81.1/24 interface=bridge-smart

Step 12: Set up a DHCP server for bridge-cn

    /ip dhcp-server setup

Based on the following screen dump, input the correct bridge name "bridge-cn" and the DNS servers 8.8.8.8 and 8.8.4.4:

    [admin@MikroTik] /ip address> /ip dhcp-server setup
    Select interface to run DHCP server on

    dhcp server interface: bridge-cn
    Select network for DHCP addresses

    dhcp address space: 192.168.80.0/24
    Select gateway for given network

    gateway for dhcp network: 192.168.80.1
    Select pool of ip addresses given out by DHCP server

    addresses to give out: 192.168.80.2-192.168.80.254
    Select DNS servers

    dns servers: 8.8.8.8,8.8.4.4
    Select lease time

    lease time: 10m
    [admin@MikroTik] /ip address>

Step 12: Set up a DHCP server for bridge-smart

    /ip dhcp-server setup

Same as for bridge-cn, replacing bridge-cn with bridge-smart.

Step 13: blank

Step 14: Input the China IP address list

    /tool fetch url=http://www.iwik.org/ipcountry/mikrotik/CN

Step 15: Import the CN list file

    /import file-name=CN

Step 16: Mangle packets for policy routing by applying different routing marks

    /ip firewall mangle
        add action=mark-routing chain=prerouting in-interface=bridge-cn new-routing-mark=cn-gateway passthrough=no
        add action=mark-routing chain=prerouting in-interface=bridge-smart dst-address-list=CN new-routing-mark=cn-gateway passthrough=no
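An added example, not part of either post: the mark-routing decision of Step 16 here and of Step 16 in the earlier "smart connect from the mainland" post, written out in Python over a constructed excerpt (not the real download) in the style of the address-list import from Steps 14-15. The router side decides which destinations from the smart bridge get the tunnel mark; everything else stays in the main table, i.e. leaves via that router's own WAN.

```python
import ipaddress
import re

# Constructed excerpt in the style of the imported CN address-list script;
# the real file holds thousands of prefixes, these are sample ones for the test.
CN_IMPORT = """\
/ip firewall address-list
add list=CN address=1.0.1.0/24
add list=CN address=1.0.2.0/23
add list=CN address=14.0.0.0/21
add list=CN address=27.8.0.0/13
add list=CN address=223.255.252.0/23
"""


def parse_address_list(text, name):
    """Collect the prefixes belonging to one address-list from an import script."""
    nets = []
    for line in text.splitlines():
        lst = re.search(r"\blist=(\S+)", line)
        addr = re.search(r"\baddress=(\S+)", line)
        if lst and addr and lst.group(1) == name:
            nets.append(ipaddress.ip_network(addr.group(1), strict=False))
    return nets


def in_address_list(dst, nets):
    """What dst-address-list=CN matches: the destination IP inside any listed prefix."""
    ip = ipaddress.ip_address(dst)
    return any(ip in n for n in nets)


def routing_mark(router_side, in_interface, dst, cn_nets):
    """Routing mark the two prerouting mangle rules would set, or None for the main table.

    router_side "CN": mainland router, WAN is CN, tunnel pptp-hk, mark hk-gateway,
                      smart rule is dst-address-list=!CN.
    router_side "HK": Hong Kong router, WAN is HK, tunnel <pptp-cn>, mark cn-gateway,
                      smart rule is dst-address-list=CN.
    """
    if router_side == "CN":
        tunnel_bridge, mark, tunnel_if = "bridge-hk", "hk-gateway", lambda is_cn: not is_cn
    elif router_side == "HK":
        tunnel_bridge, mark, tunnel_if = "bridge-cn", "cn-gateway", lambda is_cn: is_cn
    else:
        raise ValueError(f"unknown router side {router_side!r}")
    if in_interface == tunnel_bridge:        # dedicated port/SSIDs: always through the tunnel
        return mark
    if in_interface == "bridge-smart":       # smart port/SSIDs: decided by the destination
        return mark if tunnel_if(in_address_list(dst, cn_nets)) else None
    return None                              # default bridge: plain WAN of this router
```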

Step 17: Apply masquerade to the out-interface "pptp-cn"

    /ip firewall nat
        add action=masquerade chain=srcnat out-interface=<pptp-cn>

Step 18: The following rules are normally moved before the FastTrack rule.

    /ip firewall filter
        add action=accept chain=forward in-interface=bridge-cn
        add action=accept chain=forward out-interface=bridge-cn
        add action=accept chain=forward in-interface=bridge-smart
        add action=accept chain=forward out-interface=bridge-smart

Initially these rules are placed at the end; use drag and move to put them before the FastTrack rules.

Figure 1: as just installed
(see the other figure)

Figure 2: after moving
(see the other figure)
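An added example (not the author's) for the rule-ordering requirements of Step 18 here and in the earlier post, and for the input-chain VPN accept rules of Step 2: a Python checker over a constructed /ip firewall filter export that reports VPN accept rules placed after an input-chain drop and bridge accept rules placed after fasttrack-connection, then reorders them the way the post says to drag them. Fasttracked packets skip the firewall mangle chains, so the routing marks would not apply to those connections.

```python
import shlex

# Constructed sample (not from the post): an /ip firewall filter export in the
# "just installed" order, with the VPN accept rule and the bridge accept rules
# appended at the end, where RouterOS puts newly added rules.
FILTER_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=forward in-interface=bridge-cn
add action=accept chain=forward out-interface=bridge-cn
"""

VPN_PORTS = {"500", "4500", "1701", "1723", "443"}   # IKE, NAT-T, L2TP, PPTP, SSTP
POLICY_BRIDGES = {"bridge-hk", "bridge-cn", "bridge-smart"}


def parse_rules(text):
    """Turn each 'add k=v ...' line into a dict; shlex keeps quoted comments whole."""
    rules = []
    for line in text.splitlines():
        if line.startswith("add "):
            rules.append(dict(tok.partition("=")[::2] for tok in shlex.split(line)[1:]))
    return rules


def is_vpn_accept(r):
    return r.get("chain") == "input" and r.get("action") == "accept" and r.get("dst-port") in VPN_PORTS


def is_bridge_accept(r):
    iface = r.get("in-interface") or r.get("out-interface")
    return r.get("chain") == "forward" and r.get("action") == "accept" and iface in POLICY_BRIDGES


def is_input_drop(r):
    return r.get("chain") == "input" and r.get("action") == "drop"


def is_fasttrack(r):
    return r.get("action") == "fasttrack-connection"


# (rules that must come earlier, the rule they must precede, message)
CONSTRAINTS = [
    (is_vpn_accept, is_input_drop, "input-chain VPN accept placed after a drop rule"),
    (is_bridge_accept, is_fasttrack, "bridge accept placed after fasttrack-connection"),
]


def check_order(rules):
    """One message per rule that violates an ordering constraint (empty list = OK)."""
    problems = []
    for earlier, anchor, msg in CONSTRAINTS:
        first_anchor = next((i for i, r in enumerate(rules) if anchor(r)), None)
        for i, r in enumerate(rules):
            if earlier(r) and first_anchor is not None and i > first_anchor:
                problems.append(f"{msg}: {r.get('comment') or r}")
    return problems


def reorder(rules):
    """Copy of the rules with each offending group moved directly before its anchor."""
    fixed = list(rules)
    for earlier, anchor, _ in CONSTRAINTS:
        moving = [r for r in fixed if earlier(r)]
        rest = [r for r in fixed if not earlier(r)]
        idx = next((i for i, r in enumerate(rest) if anchor(r)), len(rest))
        fixed = rest[:idx] + moving + rest[idx:]
    return fixed
```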

Step 19: Policy route based on the new routing mark "cn-gateway"

    /ip route
        add distance=1 gateway=<pptp-cn> routing-mark=cn-gateway

Step 20: Reboot the router

    /system reboot

This post was last edited by 张无忌 on 2018-6-5 09:56

Sometimes the ppp link from the mainland PPTP VPN client suddenly drops for a while. At that point the Hong Kong PPTP VPN server does not receive the mainland ppp login, and the Hong Kong VPN server ends up with some settings that are not the intended ones; we have to adjust them before things return to normal. This problem happens often; at present it needs a manual reset, and anyone with spare time could write a script to correct it automatically.


Figure 1: ip firewall nat, without the correct <pptp-cn> interface


Figure 2: in Output Interface, change the wrong "wlan1" back to the correct <pptp-cn>, then press Apply


Figure 3: the result of Figure 2; no need to press anything else, just press Close.


Figure 4: ip route has a problem


Figure 5: gateway unknown and unreachable


Figure 6: select <pptp-cn> as the gateway again, then click Apply


Figure 7: gateway <pptp-cn> reachable

Reply to 829# 张无忌

Thank you for such a detailed tutorial. A real service to everyone.

After digesting it, I'll ask if I have questions.