Rimiya wrote: 想請教一下各位先進,...(恕刪)
Q:RB760iGS同時作為OpenVPN Server和Ipsec/IKEv2 VPN Server,其local address能否設定為同一個? A:IKEv2 VPN Server因IPSec架構的關係,它沒有local address。 Q:又能否設定和DHCP Server的Gateway同樣(即全部設定成10.0.0.250)? A:其實OpenVPN不應該與DHCP Server同網段,會造成路由表混亂。但啟用橋接器的arp偽裝(arp-proxy),VPN用戶端可偽裝成DHCP Server的Gateway ,與DHCP裝置連繫。假設VPN Server也是10.0.0.250,VPN用戶端觸發arp偽裝瞬間,VPN隧道本地與遠端皆是相同的ip(10.0.0.250),將出現無法預期的錯誤。 VLAN:
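# RB260GS: the switch-side configuration is not part of the post; only the
#          RB760iGS side follows. Presumably the switch faces ether5, which
#          carries VLAN 10 and 20 tagged - confirm against the switch setup.
# RB760iGS:
/interface bridge
# proxy-arp lets the router answer ARP for the VPN clients that hold
# 10.0.0.x addresses (see the answer above about sharing the LAN subnet).
add name=bridge1 protocol-mode=none arp=proxy-arp
/interface bridge port
# hw=no disables switch-chip offload on every port, so bridging and VLAN
# filtering are done by the CPU.
add bridge=bridge1 interface=ether1 hw=no
# FIX: ether2 is the untagged member of VLAN 10 in the table below, so
# untagged frames arriving on it must be classified into VLAN 10 (pvid).
# Without pvid=10 they default to VLAN 1 and end up in the LAN segment
# instead of on the vlan10 interface the PPPoE clients use.
add bridge=bridge1 interface=ether2 hw=no pvid=10
add bridge=bridge1 interface=ether3 hw=no
add bridge=bridge1 interface=ether4 hw=no
add bridge=bridge1 interface=ether5 hw=no
add bridge=bridge1 interface=sfp1 hw=no
/interface bridge vlan
# VLAN 1: LAN access ports plus the bridge itself (10.0.0.0/24 lives here).
add bridge=bridge1 untagged=bridge1,ether1,ether3,ether4,sfp1 vlan-ids=1
# VLAN 20: tagged only, towards ether5 and the router's own vlan20 interface.
add bridge=bridge1 tagged=bridge1,ether5 vlan-ids=20
# VLAN 10: tagged on ether5 and the router, untagged on ether2
# (presumably the modem side of the PPPoE sessions).
add bridge=bridge1 tagged=bridge1,ether5 untagged=ether2 vlan-ids=10
/interface vlan
add name=vlan20 vlan-id=20 interface=bridge1
add name=vlan10 vlan-id=10 interface=bridge1
/ip address
add address=10.0.0.250/24 interface=bridge1 network=10.0.0.0
add address=10.0.1.250/24 interface=vlan20 network=10.0.1.0
# Enable VLAN filtering last, once the VLAN table is complete, so the
# management path over bridge1 / VLAN 1 is never cut mid-way.
/interface bridge
set bridge1 vlan-filtering=yes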
RB760iGS LAN & PPPoE:
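/ip pool
add name=dhcp1 ranges=10.0.0.100-10.0.0.199
add name=dhcp2 ranges=10.0.1.1-10.0.1.249
add name=vpn1 ranges=10.0.0.201-10.0.0.214
add name=vpn2 ranges=10.0.0.216-10.0.0.229
/ip dhcp-server
# FIX: the pools above are named dhcp1/dhcp2; the original referenced
# pool1/pool2, which are never defined.
add address-pool=dhcp1 interface=bridge1 lease-time=1h name=dhcp1
add address-pool=dhcp2 interface=vlan20 lease-time=1h name=dhcp2
/ip dhcp-server network
add address=10.0.0.0/24 gateway=10.0.0.250 dns-server=8.8.8.8
add address=10.0.1.0/24 gateway=10.0.1.250 dns-server=8.8.8.8
/interface pppoe-client
# The PPPoE account names were masked by the forum ("[email protected]");
# <pppoe-account-N> are placeholders - fill in the real user= (and the
# password=, which the post does not show) for each session.
add allow=pap interface=vlan10 name=pppoe-out1 profile=default user=<pppoe-account-1>
add allow=pap interface=vlan10 name=pppoe-out2 profile=default user=<pppoe-account-2>
/interface list
add name=PPPoE
add name=LAN
add name=VPN
/interface list member
add interface=bridge1 list=LAN
add interface=vlan20 list=LAN
add interface=pppoe-out1 list=PPPoE
add interface=pppoe-out2 list=PPPoE
/routing table
add fib=yes name=pppoe1
add fib=yes name=pppoe2
/routing rule
# Traffic between the two local subnets always uses the main table.
add action=lookup dst-address=10.0.0.0/23 table=main
# 10.0.0.100-10.0.0.229 (DHCP pool dhcp1 plus the two VPN pools) prefer
# the second PPPoE line; the main table (below) prefers pppoe-out1.
add action=lookup src-address=10.0.0.100/30 table=pppoe2
add action=lookup src-address=10.0.0.104/29 table=pppoe2
add action=lookup src-address=10.0.0.112/28 table=pppoe2
add action=lookup src-address=10.0.0.128/26 table=pppoe2
add action=lookup src-address=10.0.0.192/27 table=pppoe2
add action=lookup src-address=10.0.0.224/30 table=pppoe2
add action=lookup src-address=10.0.0.228/31 table=pppoe2
# 10.0.1.1-10.0.1.249 (DHCP pool dhcp2 on VLAN 20) likewise.
add action=lookup src-address=10.0.1.0/25 table=pppoe2
add action=lookup src-address=10.0.1.128/26 table=pppoe2
add action=lookup src-address=10.0.1.192/27 table=pppoe2
add action=lookup src-address=10.0.1.224/28 table=pppoe2
add action=lookup src-address=10.0.1.240/29 table=pppoe2
add action=lookup src-address=10.0.1.248/31 table=pppoe2
/ip route
add distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1
add distance=2 dst-address=0.0.0.0/0 gateway=pppoe-out2
# FIX: the original wrote routing-table=pppoel (letter l); the table
# defined above is pppoe1.
add distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-table=pppoe1
add distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-table=pppoe2
/ip firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=change-mss chain=output new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
# Local and LAN-bound traffic is exempt from route marking.
# FIX: match the LAN interface list (bridge1 + vlan20) instead of bridge1
# alone; a packet received through the vlan20 interface does not satisfy
# in-interface=bridge1, so VLAN 20 hosts were skipped by these rules.
add action=accept chain=prerouting in-interface-list=LAN dst-address=10.0.0.0/23
add action=accept chain=prerouting dst-address-type=local,broadcast,multicast in-interface-list=LAN
# Connections entering through a PPPoE line are marked so that their LAN-side
# replies are routed back out the same line.
# NOTE(review): without connection-state=new these rules also mark
# LAN-initiated connections (on their reply packets), which then fail the
# connection-mark=no-mark test of the fasttrack rule below - confirm that
# this is intended.
add action=mark-connection chain=prerouting ipsec-policy=in,none in-interface=pppoe-out1 new-connection-mark=pppoe1_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=pppoe1_conn in-interface-list=LAN new-routing-mark=pppoe1 passthrough=no
add action=mark-routing chain=output connection-mark=pppoe1_conn new-routing-mark=pppoe1 passthrough=no
add action=mark-connection chain=prerouting ipsec-policy=in,none in-interface=pppoe-out2 new-connection-mark=pppoe2_conn passthrough=yes
add action=mark-routing chain=prerouting connection-mark=pppoe2_conn in-interface-list=LAN new-routing-mark=pppoe2 passthrough=no
add action=mark-routing chain=output connection-mark=pppoe2_conn new-routing-mark=pppoe2 passthrough=no
/ip firewall nat
# ipsec-policy=out,none keeps IKEv2 client traffic out of the masquerade.
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=PPPoE
# Hairpin NAT for 10.0.0.0/24 traffic that transits the router back onto
# bridge1 (presumably the VPN clients living in the LAN subnet via proxy-arp).
add action=masquerade chain=srcnat dst-address=10.0.0.0/24 dst-address-type=!local out-interface=bridge1 src-address=10.0.0.0/24
/ip firewall filter
# Only the fasttrack rule is shown in the post; the rest of the filter
# (input-chain protection of the PPPoE interfaces, established/related and
# invalid handling) is not part of the listing.
add action=fasttrack-connection chain=forward ipsec-policy=in,none connection-mark=no-mark connection-state=established,related connection-nat-state=srcnat in-interface-list=PPPoE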
RB760iGS VPN:
# OpenVPN Server:
/interface ovpn-server server
# require-client-certificate=yes: a valid client certificate is required in
# addition to the PPP secret. redirect-gateway=def1 sends all client traffic
# through the tunnel.
# NOTE(review): auth still permits sha1, and the server's cipher= is not set
# here, so the RouterOS default data-channel cipher applies - set both
# explicitly.
set auth=sha1,sha256 certificate=ovpn.ca default-profile=ovpn.pro enabled=yes netmask=28 protocol=udp redirect-gateway=def1 require-client-certificate=yes
/ppp profile
# Clients are placed inside the LAN subnet (pool vpn1 = 10.0.0.201-.214,
# tunnel gateway 10.0.0.200), which is why bridge1 runs proxy-arp.
# NOTE(review): with netmask=28 the pool straddles two /28 blocks
# (.192-.207 and .208-.223) while local-address .200 sits in the first one;
# confirm that clients assigned .208-.214 can still reach the gateway.
add change-tcp-mss=yes dns-server=8.8.8.8 interface-list=VPN local-address=10.0.0.200 name=ovpn.pro only-one=no remote-address=vpn1 use-compression=no use-encryption=no use-ipv6=no
/ppp secret
# name=帳號 / password=密碼 ("account" / "password") are placeholders in the post.
add name=帳號 password=密碼 profile=ovpn.pro service=ovpn
# IKEv2 VPN Server:
/ip ipsec profile
# Phase 1 (IKE) profile.
# NOTE(review): 3des is a 64-bit block cipher and should be dropped unless a
# legacy client still needs it; dh-group is not set, so the RouterOS default
# applies - set it explicitly (e.g. modp2048, matching pfs-group below).
add dpd-interval=disable-dpd enc-algorithm=aes-256,3des hash-algorithm=sha256 name=ikev2.pro prf-algorithm=sha256
/ip ipsec mode-config
# Hands each client a /32 from pool vpn2 (10.0.0.216-.229) and 8.8.8.8 as DNS.
add address-pool=vpn2 address-prefix-length=32 name=ikev2.cfg static-dns=8.8.8.8 system-dns=no
/ip ipsec proposal
# Phase 2 (ESP) proposal, edited in place on the default entry.
# NOTE(review): same remark about 3des as for the profile above.
set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc,aes-128-cbc,3des pfs-group=modp2048
/ip ipsec policy group
add name=ike2-s
/ip ipsec policy
# Template policy; concrete policies are generated per client by the
# identity below (generate-policy=port-strict).
add comment=IKEv2-Server group=ike2-s template=yes
/ip ipsec peer
# passive=yes: the router only answers incoming IKEv2 negotiations.
add exchange-mode=ike2 name=ike2.psk-in-server passive=yes profile=ikev2.pro send-initial-contact=no
/ip ipsec identity
# secret=密鑰 ("key") is a placeholder in the post. remote-id=ignore combined
# with one shared secret means every client authenticates with the same PSK.
# NOTE(review): certificate or EAP authentication is the stronger choice for
# road-warrior clients.
add generate-policy=port-strict mode-config=ikev2.cfg my-id=auto peer=ike2.psk-in-server policy-template-group=ike2-s remote-id=ignore secret=密鑰