
Title: MikroTik hAP ac² - smart connect from mainland China to HK VPN server

Author: 角色    Time: 2018-6-20 15:16     Title: MikroTik hAP ac² - smart connect from mainland China to HK VPN server

This post was last edited by 角色 on 2018-6-20 15:18

Smart connect from Hong Kong to a mainland VPN client (reverse wall-climbing)

Nowadays many mainland home broadband ISPs only hand out private IP addresses, so from Hong Kong you simply cannot VPN into them. So what can be done? The answer is the "reverse wall-climbing" method. We can use MikroTik routers: if WiFi is not needed, the RB750Gr3 costs about RMB 300 on the mainland; if WiFi is needed, consider MikroTik's newest 2018 product, the hAP ac², which costs about RMB 420 on the mainland.

Suppose there is a device at home that can turn a given port into a CN IP port and offers different SSIDs: one group goes to the mainland, one group to Hong Kong, and one group can reach both mainland and Hong Kong websites at the same time (smart connect). Simply put, if the destination is a mainland IP it goes out via the mainland gateway, otherwise via the Hong Kong gateway.
So how do we set up the hAP ac²?

Configuration goals:
1. Ether5 is the CN IP port
2. Ether4 is the Smart IP port
3. Ether2-3 are Hong Kong IP ports
4. Ether1 is the Hong Kong WAN port
5. SSID 1 (MT-2G) is Hong Kong IP
6. SSID 2 (MT-5G) is Hong Kong IP
7. SSID 3 (MT-2G-CN) is mainland IP
8. SSID 4 (MT-5G-CN) is mainland IP
9. SSID 5 (MT-2Gs) is Smart IP
10. SSID 6 (MT-5Gs) is Smart IP


address: vpn.abc.com (your Hong Kong VPN server address)
user name: cn
password: cn-password
VPN protocol: pptp


Mainland VPN router: VPN client-side settings

If a MikroTik router is used on the mainland, use a PPTP VPN client to connect to the Hong Kong VPN server.
    /interface pptp-client
        add connect-to=vpn.abc.com disabled=no name=pptp-hk password=cn-password user=cn

Hong Kong VPN router: VPN server-side settings

Step 1: Reset your router
    /system reset-configuration skip-backup=yes

Step 2: VPN settings and MikroTik DNS
    /ip pool
    add name=vpn ranges=192.168.89.2-192.168.89.255

    /ppp profile
    # *FFFFFFFE is the internal ID of the default-encryption profile in this export
    set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn

    /interface l2tp-server server
    set enabled=yes ipsec-secret=vpn-password use-ipsec=yes

    /interface pptp-server server
    set enabled=yes

    /interface sstp-server server
    set default-profile=default-encryption enabled=yes

    /ip cloud
    set ddns-enabled=yes

    /system ntp client
    set enabled=yes primary-ntp=118.143.17.82

    /system clock
    set time-zone-name=Asia/Hong_Kong

    /ip firewall filter
    add chain=input protocol=ipsec-esp comment="IPsec ESP method"
    add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
    add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
    add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
    add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
    add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp

    /ip firewall nat
    add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24

    /ppp secret
    add name=cn password=cn-password

Move these firewall filter rules to just after the ICMP rules and before the drop rules of the input chain.

Figure 1: Before moving (attachment 4114)

Figure 2: After moving (attachment 4113)

Step 3: Set the default WiFi security profile (e.g. password=wifi-123)
    /interface wireless security-profiles
        set authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=wifi-123 [find name="default"]

Step 4: Set 2.4GHz SSID=MT-2G, 5GHz SSID=MT-5G
    /interface wireless
        set wlan1 ssid=MT-2G frequency=auto security-profile=default disabled=no
        set wlan2 ssid=MT-5G frequency=auto security-profile=default disabled=no


Step 5: Create new bridges named bridge-cn and bridge-smart
    /interface bridge
        add name=bridge-cn
        add name=bridge-smart


Step 6: Create virtual APs
    /interface wireless
        add disabled=no master-interface=wlan1 name=wlan3 ssid=MT-2G-CN
        add disabled=no master-interface=wlan1 name=wlan4 ssid=MT-2Gs
        add disabled=no master-interface=wlan2 name=wlan5 ssid=MT-5G-CN
        add disabled=no master-interface=wlan2 name=wlan6 ssid=MT-5Gs


Step 7: Detach (remove) ether4 and ether5 from the default bridge
    /interface bridge port
        remove [find interface="ether5"]
    /interface bridge port
        remove [find interface="ether4"]


Step 8: Add ether5, wlan3 and wlan5 to the new bridge "bridge-cn"
    /interface bridge port
        add bridge=bridge-cn interface=ether5
        add bridge=bridge-cn interface=wlan3
        add bridge=bridge-cn interface=wlan5

Step 9: Add ether4, wlan4 and wlan6 to the new bridge "bridge-smart"
    /interface bridge port
        add bridge=bridge-smart interface=ether4
        add bridge=bridge-smart interface=wlan4
        add bridge=bridge-smart interface=wlan6


Step 10: Assign the IP address 192.168.80.1/24 to the bridge-cn interface
    /ip address
        add address=192.168.80.1/24 interface=bridge-cn

Step 11: Assign the IP address 192.168.81.1/24 to the bridge-smart interface
    /ip address
        add address=192.168.81.1/24 interface=bridge-smart

Step 12: Set up a DHCP server for bridge-cn
    /ip dhcp-server setup

Based on the following screen dump, input the correct bridge name "bridge-cn" and the DNS servers 8.8.8.8 and 8.8.4.4:
    [admin@MikroTik] /ip address> /ip dhcp-server setup
    Select interface to run DHCP server on

    dhcp server interface: bridge-cn
    Select network for DHCP addresses

    dhcp address space: 192.168.80.0/24
    Select gateway for given network

    gateway for dhcp network: 192.168.80.1
    Select pool of ip addresses given out by DHCP server

    addresses to give out: 192.168.80.2-192.168.80.254
    Select DNS servers

    dns servers: 8.8.8.8,8.8.4.4
    Select lease time

    lease time: 10m
    [admin@MikroTik] /ip address>

Step 12: Set up a DHCP server for bridge-smart
    /ip dhcp-server setup

Same as for bridge-cn, but replace bridge-cn with bridge-smart.

Step 13: blank

Step 14: Fetch the China IP address list
    /tool fetch url=http://www.iwik.org/ipcountry/mikrotik/CN

Step 15: Import the list from the CN file
    /import file-name=CN

Step 16: Mangle packets for policy routing by applying different routing marks
    /ip firewall mangle
        add action=mark-routing chain=prerouting in-interface=bridge-cn new-routing-mark=cn-gateway passthrough=no
        add action=mark-routing chain=prerouting in-interface=bridge-smart dst-address-list=CN new-routing-mark=cn-gateway passthrough=no

Step 17: Apply masquerade to the out-interface "pptp-cn"
    /ip firewall nat
        # <pptp-cn> is the dynamic interface RouterOS creates while PPP user "cn" is connected
        add action=masquerade chain=srcnat out-interface=<pptp-cn>

Step 18: The rules below are normally moved to before the FastTrack rule.
    /ip firewall filter
        add action=accept chain=forward in-interface=bridge-cn
        add action=accept chain=forward out-interface=bridge-cn
        add action=accept chain=forward in-interface=bridge-smart
        add action=accept chain=forward out-interface=bridge-smart

Initially these rules are placed at the end; drag and move them to before the FastTrack rules.

Figure 1: Just installed (see the other figures)

Figure 2: After moving (see the other figures)

Step 19: Policy route based on the new routing mark "cn-gateway"
    /ip route
        add distance=1 gateway=<pptp-cn> routing-mark=cn-gateway

Step 20: Reboot the router
    /system reboot
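Added example in Python, not from the original post or from MikroTik: it models Steps 14-16 and 19 of the Hong Kong router configuration above. The address-list text, its prefixes and the function names are constructed for illustration; the layout of the real file served at the iwik.org URL is not shown in the post, so the allow-list in unexpected_lines() is an assumption to adjust to what is actually fetched. The check is there because /import executes the whole fetched file as a RouterOS script with the importing user's rights, and Step 14 fetches it over plain HTTP, so confirming that it contains only address-list entries before importing is a reasonable precaution. The rest reproduces the two mangle rules (first match wins because of passthrough=no) and the routing-mark route, so you can see which gateway a packet from each bridge would take.

```python
import ipaddress
import shlex
from dataclasses import dataclass

# Constructed sample in the style of a RouterOS address-list export (the kind
# of file Step 14 fetches). The prefixes are placeholders for illustration
# only; they are not the real CN list.
CN_RSC = """\
# constructed sample, not the real list
/ip firewall address-list
add list=CN address=1.0.1.0/24
add list=CN address=1.0.2.0/23
add list=CN address=14.0.0.0/21 comment="sample entry"
add list=CN address=36.0.0.0/22
"""

SAFE_HEADER = "/ip firewall address-list"   # assumption: the only non-add line we accept
ALLOWED_KEYS = {"list", "address", "comment"}


def _parse_add(line):
    """Return the key=value dict of an 'add ...' line, or None if it is not one."""
    try:
        tokens = shlex.split(line)          # handles quoted values such as comment="..."
    except ValueError:                      # unbalanced quotes: not a clean add line
        return None
    if not tokens or tokens[0] != "add":
        return None
    return dict(t.split("=", 1) for t in tokens[1:] if "=" in t)


def unexpected_lines(rsc_text, list_name="CN"):
    """Lines that /import would execute but that are not plain address-list adds.

    /import runs the file as a script, so anything outside this allow-list
    (another menu path, an add with extra parameters, an unparsable address)
    is a reason to refuse the file rather than import it.
    """
    bad = []
    for raw in rsc_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == SAFE_HEADER:
            continue
        kv = _parse_add(line)
        if kv is not None and set(kv) <= ALLOWED_KEYS and kv.get("list") == list_name:
            try:
                ipaddress.ip_network(kv["address"], strict=False)
                continue
            except (KeyError, ValueError):
                pass
        bad.append(line)
    return bad


def parse_address_list(rsc_text, list_name="CN"):
    """Networks that the export adds to list_name (what Steps 14-15 load)."""
    nets = []
    for raw in rsc_text.splitlines():
        kv = _parse_add(raw.strip())
        if kv and kv.get("list") == list_name and "address" in kv:
            nets.append(ipaddress.ip_network(kv["address"], strict=False))
    return nets


def in_list(dst, nets):
    """Equivalent of dst-address-list=CN: some prefix in the list contains dst."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in nets)


@dataclass
class Packet:
    in_interface: str
    dst: str


def routing_mark(pkt, cn_nets):
    """Step 16 as data: the first matching mangle rule sets the mark (passthrough=no)."""
    if pkt.in_interface == "bridge-cn":
        return "cn-gateway"
    if pkt.in_interface == "bridge-smart" and in_list(pkt.dst, cn_nets):
        return "cn-gateway"
    return None  # unmarked: looked up in the main routing table


# Step 19: table cn-gateway holds one route via the PPTP peer; unmarked
# traffic falls through to the main table, i.e. the HK WAN on ether1.
GATEWAYS = {"cn-gateway": "<pptp-cn>", None: "ether1 (HK WAN)"}


def egress(pkt, cn_nets):
    return GATEWAYS[routing_mark(pkt, cn_nets)]


if __name__ == "__main__":
    if unexpected_lines(CN_RSC):
        raise SystemExit("fetched list contains lines other than CN address entries; refusing import")
    cn = parse_address_list(CN_RSC)
    for p in (Packet("bridge-cn", "8.8.8.8"), Packet("bridge-smart", "1.0.3.9"),
              Packet("bridge-smart", "8.8.8.8"), Packet("bridge", "1.0.1.10")):
        print(f"{p.in_interface:13s} -> {p.dst:10s} via {egress(p, cn)}")
```

Note that a client on bridge-cn sends everything, including the DNS queries to 8.8.8.8 that Step 12 hands out, through the mainland tunnel, while the same query from bridge-smart stays on the Hong Kong WAN; the default bridge never gets a mark, so it is unaffected by the list.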
Author: 角色    Time: 2018-10-15 23:53

I expect some members will be interested in this thread.
Author: yiucsw    Time: 2019-1-6 12:07

I need to redo the VPN on the mainland side, because BCP cannot be used on the LTAP. I want SSTP plus an SSID HK that routes everything to Hong Kong, and an SSID smart that policy-routes to Hong Kong. Looking at your settings, are they on the Hong Kong router or the China router? What is the L2TP VPN used for?
Author: yiucsw    Time: 2019-1-6 12:20

Actually, besides Google's DNS 8.8.8.8, there are other DNS servers that work much better in China.
Author: 角色    Time: 2019-1-6 12:31

Reply to 3# yiucsw

On the mainland, route to the PPP link (linked to the HK VPN router).

L2TP over IPsec, PPTP or SSTP are all the same; only the method differs.
Author: yiucsw    Time: 2019-1-7 00:31

I guess the SSTP and PPTP methods differ.
The SSTP server does not assign a default route/IP to the client side.
With an IP route to the server side, there is no way to IP-forward back to the client.
I don't really want to add an IP address to SSTP... Are there any other methods?
Author: 角色    Time: 2019-1-7 10:53

As I recall, both PPTP and SSTP worked for me. The key is to first establish a PPP link and then follow the usual procedure; nothing needs to be done on the server side.




Welcome to 電訊茶室 (http://telecom-cafe.com/forum/) Powered by Discuz! 7.2