This post was last edited by gfx86674 on 2018-2-20 15:01

Assumptions:
Both ISP1 and ISP2 provide a public address for remote connections, and IP Cloud is enabled for the VPN bridge.
CN: 192.168.100.254/24 / xxx1234.sn.mynetname.net
HK: 192.168.200.254/24 / xxx5678.sn.mynetname.net

CN:
ether6-8: go straight over the wall to Hong Kong
192.168.100.0/24 connections to addresses outside CN are switched to ISP2 by policy routing

192.168.100.201-192.168.100.250 need to reach foreign sites,
so they are bound to the HK DNS server, removing the risk of DNS pollution.


HK:
ether6-8: go straight over the wall to China
192.168.200.0/24 connections to CN addresses are switched to ISP1 by policy routing

192.168.100.0/24 <=> 192.168.200.0/24: the two groups of computers can reach each other
#CN:
/ip cloud
set ddns-enabled=yes

/interface eoip
add allow-fast-path=no mac-address=02:F1:04:27:75:96 name=eoip-tunnel1 ipsec-secret=aaa tunnel-id=123 local-address=xxx1234.sn.mynetname.net remote-address=xxx5678.sn.mynetname.net

/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
add bridge=bridge1 interface=eoip-tunnel1
add bridge=bridge1 interface=sfp1 pvid=100
add bridge=bridge1 interface=ether2 pvid=100
add bridge=bridge1 interface=ether3 pvid=100
add bridge=bridge1 interface=ether4 pvid=100
add bridge=bridge1 interface=ether5 pvid=100
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=200
add bridge=bridge1 interface=ether8 pvid=200

/interface bridge vlan
add bridge=bridge1 tagged=eoip-tunnel1 untagged=sfp1,ether2,ether3,ether4,ether5 vlan-ids=100
add bridge=bridge1 tagged=eoip-tunnel1,bridge1 untagged=ether6,ether7,ether8 vlan-ids=200

/interface vlan
add interface=bridge1 name=vlan200 vlan-id=200

/ip address
add address=192.168.100.254/24 interface=sfp1 network=192.168.100.0
add address=192.168.200.1/24 interface=vlan200

/interface bridge set bridge1 vlan-filtering=yes

/ip firewall nat
set [find action="masquerade"] out-interface=ether1 dst-address=!192.168.200.0/24 !src-address
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.100.201-192.168.100.250 to-addresses=192.168.200.254

/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.200.0/24
add action=mark-routing chain=prerouting dst-address-type=!local dst-address-list=!cn new-routing-mark=vpn passthrough=no src-address=192.168.100.0/24

/ip route
add distance=1 gateway=192.168.200.254 routing-mark=vpn
#HK:
/ip cloud
set ddns-enabled=yes

/ip dns
set allow-remote-requests=yes

/interface eoip
add allow-fast-path=no mac-address=02:F1:04:27:76:95 name=eoip-tunnel1 ipsec-secret=aaa tunnel-id=123 local-address=xxx5678.sn.mynetname.net remote-address=xxx1234.sn.mynetname.net

/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
add bridge=bridge1 interface=eoip-tunnel1
add bridge=bridge1 interface=sfp1 pvid=200
add bridge=bridge1 interface=ether2 pvid=200
add bridge=bridge1 interface=ether3 pvid=200
add bridge=bridge1 interface=ether4 pvid=200
add bridge=bridge1 interface=ether5 pvid=200
add bridge=bridge1 interface=ether6 pvid=100
add bridge=bridge1 interface=ether7 pvid=100
add bridge=bridge1 interface=ether8 pvid=100

/interface bridge vlan
add bridge=bridge1 tagged=eoip-tunnel1 untagged=sfp1,ether2,ether3,ether4,ether5 vlan-ids=200
add bridge=bridge1 tagged=eoip-tunnel1 untagged=ether6,ether7,ether8 vlan-ids=100

/ip address
add address=192.168.200.254/24 interface=sfp1 network=192.168.200.0

/interface bridge set bridge1 vlan-filtering=yes

/ip firewall nat
set [find action="masquerade"] out-interface=ether1 dst-address=!192.168.100.0/24 !src-address

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=cn new-routing-mark=vpn passthrough=no src-address=192.168.200.0/24

/ip route
add distance=1 gateway=192.168.200.1 dst-address=192.168.100.0/24
add distance=1 gateway=192.168.200.1 routing-mark=vpn


Thanks CHing for the scripts.

I have the following question:
"192.168.100.201-192.168.100.250 need to reach foreign sites, so they are bound to the HK DNS server, removing ...
角色 posted on 2018-2-10 14:26

No, it won't be: the lookup happens inside the internal network, where the GFW cannot reach it...

Anything that gets polluted does so while passing through the ISP; it is at the ISP that it is tainted.


But nowadays most ISPs in Shenzhen do not give out a public address. I think IP Cloud would not work either! Is there another way? ...
passby posted on 2018-2-10 16:46

Find a VPN that can connect in one direction; once the VPN is connected it will have a local-address and a remote-address.
Copy that local-address and remote-address into the eoip-tunnel and you can build the layer 2 tunnel.


This post was last edited by gfx86674 on 2018-2-10 18:27
Reply to gfx86674
Thank you for the reply!
Using your example: if only the HK router has an IP Cloud DDNS name, what should I do? ...
passby posted on 2018-2-10 17:36

Same as the answer in post #18: have CN dial the HK cloud address over SSTP.
Once connected, both the SSTP client and the SSTP server will show a local-address and a remote-address.

Enter the local-address and remote-address shown on the SSTP client into the CN router's eoip-tunnel;
enter the local-address and remote-address shown on the SSTP server into the HK router's eoip-tunnel.

Of RouterOS's PPP tunnels, SSTP is about the only one that can still get through the GFW; PPTP/L2TP/OVPN mostly cannot.
An IPsec road-warrior setup is somewhat more troublesome, but worth a try.


This post was last edited by gfx86674 on 2018-2-10 18:50

Reply to #23 passby
Yes, you can build the eoip-tunnel inside the sstp-tunnel.
The ipsec option must be turned off (ticking ipsec forces the use of a public address).


This post was last edited by gfx86674 on 2018-2-10 23:52
Reply to gfx86674
    For example, I make HK the VPN server and CN the VPN client. After the connection is made, in the HK interface I see the local ...
passby posted on 2018-2-10 18:35

Stop doubting it. I set this up for a friend: home to office over an l2tp-tunnel, then an eoip-tunnel built on the private IPs.
This has been done since RouterOS v5.x.
l2tp-client (Home)

l2tp-server (Office)

Note:
When using an eoip-tunnel, remember to enable Keepalive; otherwise Running does not mean connected, only that the interface is enabled.
Only with Keepalive enabled does Running mean the two ends of the eoip-tunnel are really connected.


This post was last edited by gfx86674 on 2018-2-20 14:37
Looking at your example again, the VLAN works in both directions. With two bridges mine is one-way. Could you do a VLAN over EoIP over SSTP example? China's Et ...
yiucsw posted on 2018-2-19 01:56

The SSTP connection uses Internet Protocol addresses, i.e. layer 3;
that is a separate matter from the layer 2 of Ethernet and the eoip-tunnel... you cannot do higher-order (e.g. layer 2) things in IP mode (layer 3).

You said that sstp+eoip performs poorly; a more accurate description might be that SSTP is the poor part, not EoIP.
According to tests by other forum members SSTP seems to hit a bottleneck around 20M and cannot go any higher.
——————————————————————————————————————
RouterOS v6.41 added the new VLAN feature to the bridge, which is why I showed off the new trick of putting VLANs into this topic;
if you do not use VLANs, using two bridges as you described is also possible, and perhaps easier to configure.

Example:
Only HK provides a public address for remote connections, so HK is the sstp-server and CN the sstp-client
CN: 192.168.100.254/24 / private-address: 10.200.0.53
HK: 192.168.200.254/24 / public-address: 123.123.123.123

CN:
ether5: goes straight over the wall to Hong Kong
192.168.100.0/24 connections to addresses outside CN are switched to ISP2 by policy routing

192.168.100.201-192.168.100.250 need to reach foreign sites,
so they are bound to the HK DNS server, removing the risk of DNS pollution.


HK:
ether5: goes straight over the wall to China
192.168.200.0/24 connections to CN addresses are switched to ISP1 by policy routing

192.168.100.0/24 <=> 192.168.200.0/24: the two groups of computers can reach each other
#CN:

/interface sstp-client
add authentication=pap certificate=cert connect-to=123.123.123.123:443 name=sstp-out1 password=123 user=123 verify-server-address-from-certificate=no

/interface eoip
add allow-fast-path=no name=eoip-hk tunnel-id=200 local-address=172.16.0.1 remote-address=172.16.0.0
add allow-fast-path=no name=eoip-cn tunnel-id=100 local-address=172.16.0.1 remote-address=172.16.0.0

/interface bridge
add name=bridge-local
add name=bridge-remote

/interface bridge port
add bridge=bridge-local interface=eoip-cn
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-remote interface=eoip-hk
add bridge=bridge-remote interface=ether5

/ip address
add address=10.200.0.53/24 interface=ether1 network=10.200.0.0
add address=192.168.100.254/24 interface=bridge-local network=192.168.100.0

/ip route
add distance=2 dst-address=192.168.200.0/24 gateway=172.16.0.0
add distance=3 gateway=172.16.0.0 routing-mark=vpn
add distance=5 gateway=ether1

/ip firewall nat
set [find action="masquerade"] out-interface=ether1 dst-address=!192.168.200.0/24
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.100.201-192.168.100.250 to-addresses=192.168.200.254

/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.200.0/24
add action=mark-routing chain=prerouting dst-address-type=!local dst-address-list=!cn new-routing-mark=vpn passthrough=no src-address=192.168.100.0/24
#HK:

/interface sstp-server server
set authentication=pap certificate=cert default-profile=default enabled=yes port=443

/ppp secret
add local-address=172.16.0.0 remote-address=172.16.0.1 name=123 password=123 routes="192.168.100.0/24 172.16.0.1 2" service=sstp

/interface eoip
add allow-fast-path=no name=eoip-cn tunnel-id=100 local-address=172.16.0.0 remote-address=172.16.0.1
add allow-fast-path=no name=eoip-hk tunnel-id=200 local-address=172.16.0.0 remote-address=172.16.0.1

/interface bridge
add name=bridge-local
add name=bridge-remote

/interface bridge port
add bridge=bridge-local interface=eoip-hk
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-remote interface=eoip-cn
add bridge=bridge-remote interface=ether5

/ip address
add address=123.123.123.123/24 interface=ether1 network=123.123.123.0
add address=192.168.200.254/24 interface=bridge-local network=192.168.200.0

/ip route
add distance=3 gateway=172.16.0.1 routing-mark=vpn
add distance=5 gateway=ether1

/ip firewall nat
set [find action="masquerade"] out-interface=ether1 dst-address=!192.168.100.0/24

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=cn new-routing-mark=vpn passthrough=no src-address=192.168.200.0/24


This post was last edited by gfx86674 on 2018-2-20 15:08
#CN:

/interface sstp-client
add authentication=pap certificate=cert connect-to=123.123.123.123:443 name=sstp-out1 password=123 user=123 verify-server-address-from-certificate=no

/interface eoip
add allow-fast-path=no mac-address=02:F1:04:27:75:96 name=eoip-tunnel1 tunnel-id=123 local-address=172.16.0.1 remote-address=172.16.0.0

/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
add bridge=bridge1 interface=eoip-tunnel1
add bridge=bridge1 interface=sfp1 pvid=100
add bridge=bridge1 interface=ether2 pvid=100
add bridge=bridge1 interface=ether3 pvid=100
add bridge=bridge1 interface=ether4 pvid=100
add bridge=bridge1 interface=ether5 pvid=100
add bridge=bridge1 interface=ether6 pvid=200
add bridge=bridge1 interface=ether7 pvid=200
add bridge=bridge1 interface=ether8 pvid=200

/interface bridge vlan
add bridge=bridge1 tagged=eoip-tunnel1 untagged=sfp1,ether2,ether3,ether4,ether5 vlan-ids=100
add bridge=bridge1 tagged=eoip-tunnel1 untagged=ether6,ether7,ether8 vlan-ids=200

/ip address
add address=192.168.100.254/24 interface=sfp1 network=192.168.100.0

/interface bridge set bridge1 vlan-filtering=yes

/ip firewall nat
set [find action="masquerade"] out-interface=ether1 dst-address=!192.168.200.0/24 !src-address
add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.100.201-192.168.100.250 to-addresses=172.16.0.0

/ip firewall mangle
add action=accept chain=prerouting dst-address=192.168.200.0/24
add action=mark-routing chain=prerouting dst-address-type=!local dst-address-list=!cn new-routing-mark=vpn passthrough=no src-address=192.168.100.0/24

/ip route
add distance=2 dst-address=192.168.200.0/24 gateway=172.16.0.0
# the vpn-marked default route must point at the HK end of the SSTP link (172.16.0.0); 172.16.0.1 is this router's own address
add distance=3 gateway=172.16.0.0 routing-mark=vpn
add distance=5 gateway=ether1
#HK:

/interface sstp-server server
set authentication=pap certificate=cert default-profile=default enabled=yes port=443

/ppp secret
add local-address=172.16.0.0 remote-address=172.16.0.1 name=123 password=123 routes="192.168.100.0/24 172.16.0.1 2" service=sstp

/interface eoip
add allow-fast-path=no mac-address=02:F1:04:27:96:75 name=eoip-tunnel1 tunnel-id=123 local-address=172.16.0.0 remote-address=172.16.0.1

/ip dns
set allow-remote-requests=yes

/interface bridge
add name=bridge1 vlan-filtering=no

/interface bridge port
add bridge=bridge1 interface=eoip-tunnel1
add bridge=bridge1 interface=sfp1 pvid=200
add bridge=bridge1 interface=ether2 pvid=200
add bridge=bridge1 interface=ether3 pvid=200
add bridge=bridge1 interface=ether4 pvid=200
add bridge=bridge1 interface=ether5 pvid=200
add bridge=bridge1 interface=ether6 pvid=100
add bridge=bridge1 interface=ether7 pvid=100
add bridge=bridge1 interface=ether8 pvid=100

/interface bridge vlan
add bridge=bridge1 tagged=eoip-tunnel1 untagged=sfp1,ether2,ether3,ether4,ether5 vlan-ids=200
add bridge=bridge1 tagged=eoip-tunnel1 untagged=ether6,ether7,ether8 vlan-ids=100

/ip address
add address=192.168.200.254/24 interface=sfp1 network=192.168.200.0

/interface bridge set bridge1 vlan-filtering=yes

/ip firewall nat
set [find action="masquerade"] out-interface=ether1 dst-address=!192.168.100.0/24 !src-address

/ip firewall mangle
add action=mark-routing chain=prerouting dst-address-list=cn new-routing-mark=vpn passthrough=no src-address=192.168.200.0/24

/ip route
add distance=3 gateway=172.16.0.1 routing-mark=vpn
add distance=5 gateway=ether1


This post was last edited by gfx86674 on 2018-2-20 17:17
Reply to gfx86674

I have two ISPs in China (CN1, CN2) at different locations, and two ISPs in Hong Kong (HK1, HK2), also at different locations
...
yiucsw posted on 2018-2-20 16:53

It assumes you are a fixed-IP subscriber and that the address on ether1 is 123.123.123.123
(123.123.123.123 is a public address; you may have mistaken it for a dummy one)
(an address declared under /ip address must include the mask, hence 123.123.123.123/24)

If you are not a fixed-IP subscriber and obtain your public address via dhcp-client or PPPoE dial-up,
the description of ether1 can be ignored entirely.


This post was last edited by gfx86674 on 2018-2-20 22:00

Change MSS: I habitually keep it on all the time and in the top position, otherwise MTU-related problems really pile up.


hw-offloading only works for Ethernet; the Wi-Fi module is separate, so it cannot help there.
Also, the eoip-tunnel is virtual, and so are the VLANs cut from it...
even if you tick Hardware Offload it will have no effect.

Using the bridge's VLAN feature requires vlan-filtering to be enabled,
but that in turn makes hw-offloading switch itself off; you probably hadn't thought of that!

Perhaps your original bridging approach is the most advantageous for you.

PS:
I found an interesting approach from abroad on YouTube:
as mentioned above, enabling vlan-filtering turns hw-offloading off, right...

First bridge all the Ethernet ports together,
but do the VLAN planning not inside the bridge but by splitting them the switch-chip way, as before v6.41;
then perhaps hw-offloading will not be affected.


Reply to gfx86674
    I tried this double EoIP before; in theory it works, but in practice there were problems. I never found the cause. So I wanted to look at the VLAN ...
yiucsw posted on 2018-2-21 11:16

Double EoIP does not cause any problems at all; in Taiwan I have EoIP-bridged up to 5 sets for friends.
You may have been sharing the same tunnel-id; with double EoIP you need two tunnel-ids as well.

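Two points made in this thread, the Keepalive note (Running only means "connected" once Keepalive is on) and the distinct tunnel-id requirement for double EoIP, combined into one CN-side configuration. This is an added example, not configuration posted by gfx86674 or any other member; it reuses the thread's 172.16.0.0/172.16.0.1 SSTP addresses and tunnel-ids 100/200, while the keepalive value, script name and scheduler interval are my own assumptions.

```routeros
# Added example (not from the thread): two EoIP tunnels over the same SSTP link.
# Each tunnel has its own tunnel-id (sharing one id is the usual cause of a
# "double EoIP" that half works) and keepalive is enabled, so the Running flag
# only stays true while the far end actually answers.
# Addresses and tunnel-ids follow the thread; keepalive=10s,10 (10 s interval,
# 10 missed replies) is an assumed value.
/interface eoip
add name=eoip-cn tunnel-id=100 local-address=172.16.0.1 remote-address=172.16.0.0 \
    allow-fast-path=no keepalive=10s,10
add name=eoip-hk tunnel-id=200 local-address=172.16.0.1 remote-address=172.16.0.0 \
    allow-fast-path=no keepalive=10s,10

# Health check (assumed script/scheduler names): because keepalive is on, a
# tunnel whose running flag is false is genuinely unreachable, which is worth
# logging so a silent L2 outage between the sites does not go unnoticed.
/system script
add name=eoip-check source={
    :foreach i in=[/interface eoip find] do={
        :local n [/interface eoip get $i name]
        :if ([/interface eoip get $i running] = false) do={
            :log warning ("EoIP tunnel " . $n . " is down (peer not answering keepalive)")
        }
    }
}
/system scheduler
add name=eoip-check interval=1m on-event=eoip-check
```

The HK side is the mirror image: same tunnel-ids and keepalive, with local-address=172.16.0.0 and remote-address=172.16.0.1. Without keepalive the check above would never fire, because Running would report true for as long as the interface is enabled.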

Reply to #40 yiucsw
The MRRU option is not supported by every VPN; only the PPTP/SSTP/L2TP servers have it.
For GRE/IPIP/EoIP you can only tick Change MSS...

IPsec VPN tunnels are even worse: there isn't even a Change MSS box to tick...
you have to add a Change MSS rule manually.

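What "adding a Change MSS rule manually" looks like, as an added example rather than configuration from this thread: one pair of mangle rules for an interface tunnel such as the thread's eoip-tunnel1, and one pair for IPsec, which has no interface to match on and is matched by policy instead. The interface name comes from the thread; the MSS value of 1360 and the rule comments are assumptions, and clamp-to-pmtu is shown as the alternative where the tunnel MTU is known to RouterOS.

```routeros
# Added example (not from the thread): manual MSS clamping in /ip firewall mangle.
# Only TCP SYN packets are touched, and the tcp-mss matcher makes sure an MSS
# that is already small enough is left alone. place-before=0 puts the rules at
# the top of the chain, matching the advice earlier in the thread to keep
# Change MSS in the first position.
/ip firewall mangle
# Interface tunnel (eoip-tunnel1 from the thread): traffic leaving for the tunnel
add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1361-65535 \
    out-interface=eoip-tunnel1 action=change-mss new-mss=1360 passthrough=yes \
    comment="clamp MSS towards eoip-tunnel1" place-before=0
# ...and traffic arriving from it; clamp-to-pmtu derives the value from the tunnel MTU
add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1361-65535 \
    in-interface=eoip-tunnel1 action=change-mss new-mss=clamp-to-pmtu passthrough=yes \
    comment="clamp MSS from eoip-tunnel1" place-before=0

# IPsec policy-based tunnel: no interface exists, so match on the IPsec policy
add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1361-65535 \
    ipsec-policy=out,ipsec action=change-mss new-mss=1360 passthrough=yes \
    comment="clamp MSS for traffic about to be IPsec-encrypted" place-before=0
add chain=forward protocol=tcp tcp-flags=syn tcp-mss=1361-65535 \
    ipsec-policy=in,ipsec action=change-mss new-mss=1360 passthrough=yes \
    comment="clamp MSS for traffic just IPsec-decrypted" place-before=0
```

1360 is a conservative figure for EoIP inside SSTP inside a PPPoE uplink; if the real path allows more, raising it only recovers a few bytes per segment, whereas setting it too high brings back exactly the stalled-download symptoms the thread describes.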

Reply to kmc87

You mentioned the PPTP and SSTP issue; I know SSTP is more secure, but sometimes PPTP works while SSTP doesn't. ...
角色 posted on 2018-6-19 12:00

You can use a script to decide: if the current VPN cannot connect properly, automatically switch to another kind... and only stop once one succeeds.


This post was last edited by gfx86674 on 2018-6-19 22:43
Reply to gfx86674


    Could you show me how to do it? At the moment I decide by hand.
kmc87 posted on 2018-6-19 18:17

Do you know the script conditional syntax? The idea is:
:local sstp [/interface get sstp-client1 running]
:local pptp [/interface get pptp-client1 running]

# use an OR gate to decide whether a VPN is already up
:if ($sstp || $pptp) do={
   # OR gate is TRUE (a VPN is up): it is either sstp or pptp
   :if ($sstp) do={
       # the sstp case...
   } else={
       # the pptp case...
   }
} else={
   # OR gate is FALSE (the VPN is offline)
}
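The OR-gate skeleton above filled in as a complete, scheduled failover script. This is an added example, not a script from gfx86674 or the thread; the interface names sstp-client1 and pptp-client1 are taken from the post, while the script name, the 2-minute interval, the routing-mark routes and the choice to keep only one client enabled at a time are my assumptions.

```routeros
# Added example (not from the thread): automatic SSTP <-> PPTP failover.
# Only one client is enabled at a time; when neither is running the script
# alternates which one gets to try, and as soon as SSTP comes back it takes
# over and PPTP is disabled again. Every switch is logged so a fallback to the
# weaker PPTP tunnel is visible rather than silent.
/system script
add name=vpn-failover source={
    :local sstp [/interface get sstp-client1 running]
    :local pptp [/interface get pptp-client1 running]

    :if ($sstp || $pptp) do={
        :if ($sstp) do={
            # SSTP is up: make sure PPTP is off so only one path carries traffic
            :if ([/interface get pptp-client1 disabled] = false) do={
                /interface pptp-client disable pptp-client1
                :log info "vpn-failover: SSTP up, PPTP disabled"
            }
        } else={
            # Only PPTP is up: keep SSTP enabled in the background; if it
            # connects, the next run switches back to it
            :if ([/interface get sstp-client1 disabled] = true) do={
                /interface sstp-client enable sstp-client1
            }
        }
    } else={
        # Neither tunnel is up: swap which client is allowed to try
        :if ([/interface get sstp-client1 disabled] = false) do={
            /interface sstp-client disable sstp-client1
            /interface pptp-client enable pptp-client1
            :log warning "vpn-failover: SSTP not connected, trying PPTP"
        } else={
            /interface pptp-client disable pptp-client1
            /interface sstp-client enable sstp-client1
            :log warning "vpn-failover: PPTP not connected, trying SSTP"
        }
    }
}
/system scheduler
add name=vpn-failover interval=2m on-event=vpn-failover

# Routes for the vpn routing mark follow whichever client is running: a PPP
# interface used as gateway is only active while that interface is up, so the
# SSTP route (lower distance) wins when available and PPTP takes over otherwise.
/ip route
add distance=3 gateway=sstp-client1 routing-mark=vpn
add distance=4 gateway=pptp-client1 routing-mark=vpn
```

For the EoIP tunnel built on top of the PPP link to survive the switch, the HK /ppp secret should use service=any instead of service=sstp so that both clients receive the same 172.16.0.0/172.16.0.1 pair and the eoip-tunnel endpoints never change.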