返回列表 發帖
gfx86674

Rank: 1
1# 跳轉到 »
發表於 2018-2-10 13:29 | 顯示全部帖子
本帖最後由 gfx86674 於 2018-2-20 15:01 編輯

假設:
ISP1與ISP2都有提供Public地址供遠端連接,並啟用cloud供VPN橋接
CN:192.168.100.254/24 / xxx1234.sn.mynetname.net
HK:192.168.200.254/24 / xxx5678.sn.mynetname.net

CN:
ether6-8:直接翻牆至Hong Kong
192.168.100.0/24連接CN外的地址,透過policy routing改由ISP2連接

192.168.100.201-192.168.100.250有連外國需求,
綁HK_DNS-Server,免除被DNS被污染風險.

HK:
ether6-8:直接翻牆至China
192.168.200.0/24連接是CN地址,透過policy routing改由ISP1連接

192.168.100.0/24 <=> 192.168.200.0/24 電腦群組彼此可互連
  1. #CN:
  2. /ip cloud
  3. set ddns-enabled=yes

  5. /interface eoip
  6. add allow-fast-path=no mac-address=02:F1:04:27:75:96 name=eoip-tunnel1 ipsec-secret=aaa tunnel-id=123 local-address=xxx1234.sn.mynetname.net remote-address=xxx5678.sn.mynetname.net

  8. /interface bridge
  9. add name=bridge1 vlan-filtering=no

  11. /interface bridge port
  12. add bridge=bridge1 interface=eoip-tunnel1
  13. add bridge=bridge1 interface=sfp1 pvid=100
  14. add bridge=bridge1 interface=ether2 pvid=100
  15. add bridge=bridge1 interface=ether3 pvid=100
  16. add bridge=bridge1 interface=ether4 pvid=100
  17. add bridge=bridge1 interface=ether5 pvid=100
  18. add bridge=bridge1 interface=ether6 pvid=200
  19. add bridge=bridge1 interface=ether7 pvid=200
  20. add bridge=bridge1 interface=ether8 pvid=200

  22. /interface bridge vlan
  23. add bridge=bridge1 tagged=eoip-tunnel1 untagged=sfp1,ether2,ether3,ether4,ether5 vlan-ids=100
  24. add bridge=bridge1 tagged=eoip-tunnel1,bridge1 untagged=ether6,ether7,ether8 vlan-ids=200

  26. /interface vlan
  27. add interface=bridge1 name=vlan200 vlan-id=200

  29. /ip address
  30. add address=192.168.100.254/24 interface=sfp1 network=192.168.100.0
  31. add address=192.168.200.1/24 interface=vlan200

  33. /interface bridge set bridge1 vlan-filtering=yes

  35. /ip firewall nat
  36. set [find action="masquerade"] out-interface=ether1 dst-address=!192.168.200.0/24 !src-address
  37. add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.100.201-192.168.100.250 to-addresses=192.168.200.254

  39. /ip firewall mangle
  40. add action=accept chain=prerouting dst-address=192.168.200.0/24
  41. add action=mark-routing chain=prerouting dst-address-type=!local dst-address-list=!cn new-routing-mark=vpn passthrough=no src-address=192.168.100.0/24

  43. /ip route
  44. add distance=1 gateway=192.168.200.254 routing-mark=vpn
複製代碼
  1. #HK:
  2. /ip cloud
  3. set ddns-enabled=yes

  5. /ip dns
  6. set allow-remote-requests=yes

  8. /interface eoip
  9. add allow-fast-path=no mac-address=02:F1:04:27:76:95 name=eoip-tunnel1 ipsec-secret=aaa tunnel-id=123 local-address=xxx5678.sn.mynetname.net remote-address=xxx1234.sn.mynetname.net

  11. /interface bridge
  12. add name=bridge1 vlan-filtering=no

  14. /interface bridge port
  15. add bridge=bridge1 interface=eoip-tunnel1
  16. add bridge=bridge1 interface=sfp1 pvid=200
  17. add bridge=bridge1 interface=ether2 pvid=200
  18. add bridge=bridge1 interface=ether3 pvid=200
  19. add bridge=bridge1 interface=ether4 pvid=200
  20. add bridge=bridge1 interface=ether5 pvid=200
  21. add bridge=bridge1 interface=ether6 pvid=100
  22. add bridge=bridge1 interface=ether7 pvid=100
  23. add bridge=bridge1 interface=ether8 pvid=100

  25. /interface bridge vlan
  26. add bridge=bridge1 tagged=eoip-tunnel1 untagged=sfp1,ether2,ether3,ether4,ether5 vlan-ids=200
  27. add bridge=bridge1 tagged=eoip-tunnel1 untagged=ether6,ether7,ether8 vlan-ids=100

  29. /ip address
  30. add address=192.168.200.254/24 interface=sfp1 network=192.168.200.0

  32. /interface bridge set bridge1 vlan-filtering=yes

  34. /ip firewall nat
  35. set [find action="masquerade"] out-interface=ether1 dst-address=!192.168.100.0/24 !src-address

  37. /ip firewall mangle
  38. add action=mark-routing chain=prerouting dst-address-list=cn new-routing-mark=vpn passthrough=no src-address=192.168.200.0/24

  40. /ip route
  41. add distance=1 gateway=192.168.200.1 dst-address=192.168.100.0/24
  42. add distance=1 gateway=192.168.200.1 routing-mark=vpn
複製代碼

TOP

gfx86674

Rank: 1
2#
發表於 2018-2-10 17:14 | 顯示全部帖子
谢谢CHing的Scripts.

有下面的问题:
“192.168.100.201-192.168.100.250有連外國需求,綁HK_DNS-Server,免 ...
角色 發表於 2018-2-10 14:26
不會,是在內網裡進行 gfw管不到...

會污染的都是經isp,被isp被感染 .

TOP

gfx86674

Rank: 1
3#
發表於 2018-2-10 17:18 | 顯示全部帖子
但是現在深圳的isp大多都不給Public address的。我想應該IP cloud也不工作呢!有其他方法嗎? ...
passby 發表於 2018-2-10 16:46

找一個可單向連接的vpn ,vpn連線後都會有local-address與remote-address.
把local-address與remote-address複製到eoip-tunnel ,即能建立layer2隧道.

TOP

gfx86674

Rank: 1
4#
發表於 2018-2-10 18:24 | 顯示全部帖子
本帖最後由 gfx86674 於 2018-2-10 18:27 編輯
回復  gfx86674
謝謝你的答覆!
就用你提供的例子。如果只有HK router的ip cloud ddns。那我應該怎樣做? ...
passby 發表於 2018-2-10 17:36

與18樓的答覆相同,您讓CN透過SSTP撥號HK cloud的地址.
連線成功不管是SSTP-Client或SSTP-Server都會顯示local-address或remote-address.

把SSTP-Client顯示的local-address與remote-address輸入CN Router的eoip-tunnel;
把SSTP-Server顯示的local-address與remote-address輸入HK Router的eoip-tunnel

RouterOS可穿越GFW的PPP-Tunnel大概只剩SSTP ,PPTP/L2TP/OVPN大概都穿不過.
IPSec的Road Warrior設置較麻煩些,但值得一試.

TOP

gfx86674

Rank: 1
5#
發表於 2018-2-10 18:47 | 顯示全部帖子
本帖最後由 gfx86674 於 2018-2-10 18:50 編輯

回復 23# passby
可以,在sstp-tunnel內再建立eoip-tunnel
選項ipsec要關閉(勾ipsec會強逼用public-address).

TOP

gfx86674

Rank: 1
6#
發表於 2018-2-10 23:27 | 顯示全部帖子
本帖最後由 gfx86674 於 2018-2-10 23:52 編輯
回復  gfx86674
    例如我HK做VPN Server, CN做VPN client。當連接接後,我在HK的interface裏看到的cal ...
passby 發表於 2018-2-10 18:35

不要再質疑,我幫朋友設置:住家對公司使用l2tp-tunnel ,再用Private ip建置eoip-tunnel
從ros v5.x就已經開始這麼做了.
l2tp-client(Home)

l2tp-server(Office)

註:
使用eoip-tunnel記得開啟Keepalive ,否則Running並不是代表連線,而只是啟用而已.
唯有啟用Keepalive ,Running才代表eoip-tunnel兩端真的已連接上.

TOP

gfx86674

Rank: 1
7#
發表於 2018-2-20 00:52 | 顯示全部帖子
本帖最後由 gfx86674 於 2018-2-20 14:37 編輯
再看你的例子,VLAN能雙向。我用兩個Bridge 是單向的。 能否做一個VLAN over EOIP over SSTP例子? 中國的Et ...
yiucsw 發表於 2018-2-19 01:56

sstp連線用的是互聯網協議位址,屬layer3
與ethernet和eoip-tunnel的layer2是兩回事...您不能在ip mode(layer3)做更高位階(如:layer2)的行為

您說的sstp+eoip表現不佳,或許更正確的形容是sstp不好,而非eoip.
sstp經網友測試似乎有20M的瓶頸,沒法再達更高的數據
——————————————————————————————————————
RouterOS v6.41後bridge添加vlan新功能,才賣弄新技巧把vlan放入主題裡;
若是不用vlan,就如您所說的用2個bridge也不是不可,或許更容易配置.

範例:
只有HK提供Public地址供遠端連接,所以HK為sstp-server ,CN為sstp-client
CN:192.168.100.254/24 / private-address:10.200.0.53
HK:192.168.200.254/24 / public-address:123.123.123.123

CN:
ether5:直接翻牆至Hong Kong
192.168.100.0/24連接CN外的地址,透過policy routing改由ISP2連接

192.168.100.201-192.168.100.250有連外國需求,
綁HK_DNS-Server,免除被DNS被污染風險.

HK:
ether5:直接翻牆至China
192.168.200.0/24連接是CN地址,透過policy routing改由ISP1連接
192.168.100.0/24 <=> 192.168.200.0/24 電腦群組彼此可互連
  1. #CN:

  3. /interface sstp-client
  4. add authentication=pap certificate=cert connect-to=123.123.123.123:443 name=sstp-out1 password=123 user=123 verify-server-address-from-certificate=no

  6. /interface eoip
  7. add allow-fast-path=no name=eoip-hk tunnel-id=200 local-address=172.16.0.1 remote-address=172.16.0.0
  8. add allow-fast-path=no name=eoip-cn tunnel-id=100 local-address=172.16.0.1 remote-address=172.16.0.0

  10. /interface bridge
  11. add name=bridge-local
  12. add name=bridge-remote

  14. /interface bridge port
  15. add bridge=bridge-local interface=eoip-cn
  16. add bridge=bridge-local interface=ether2
  17. add bridge=bridge-local interface=ether3
  18. add bridge=bridge-local interface=ether4
  19. add bridge=bridge-remote interface=eoip-hk
  20. add bridge=bridge-remote interface=ether5

  22. /ip address
  23. add address=10.200.0.53/24 interface=ether1 network=10.200.0.0
  24. add address=192.168.100.254/24 interface=bridge-local network=192.168.100.0

  26. /ip route
  27. add distance=2 dst-address=192.168.200.0/24 gateway=172.16.0.0
  28. add distance=3 gateway=172.16.0.0 routing-mark=vpn
  29. add distance=5 gateway=ether1

  31. /ip firewall nat
  32. set [find action="masquerade"] out-interface=ether1 dst-address=!192.168.200.0/24
  33. add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.100.201-192.168.100.250 to-addresses=192.168.200.254

  35. /ip firewall mangle
  36. add action=accept chain=prerouting dst-address=192.168.200.0/24
  37. add action=mark-routing chain=prerouting dst-address-type=!local dst-address-list=!cn new-routing-mark=vpn passthrough=no src-address=192.168.100.0/24
複製代碼
  1. #HK:

  3. /interface sstp-server server
  4. set authentication=pap certificate=cert default-profile=default enabled=yes port=443

  6. /ppp secret
  7. add local-address=172.16.0.0 remote-address=172.16.0.1 name=123 password=123 routes="192.168.100.0/24 172.16.0.1 2" service=sstp

  9. /interface eoip
  10. add allow-fast-path=no name=eoip-cn tunnel-id=100 local-address=172.16.0.0 remote-address=172.16.0.1
  11. add allow-fast-path=no name=eoip-hk tunnel-id=200 local-address=172.16.0.0 remote-address=172.16.0.1

  13. /interface bridge
  14. add name=bridge-local
  15. add name=bridge-remote

  17. /interface bridge port
  18. add bridge=bridge-local interface=eoip-hk
  19. add bridge=bridge-local interface=ether2
  20. add bridge=bridge-local interface=ether3
  21. add bridge=bridge-local interface=ether4
  22. add bridge=bridge-remote interface=eoip-cn
  23. add bridge=bridge-remote interface=ether5

  25. /ip address
  26. add address=123.123.123.123/24 interface=ether1 network=123.123.123.0
  27. add address=192.168.200.254/24 interface=bridge-local network=192.168.200.0

  29. /ip route
  30. add distance=3 gateway=172.16.0.1 routing-mark=vpn
  31. add distance=5 gateway=ether1

  33. /ip firewall nat
  34. set [find action="masquerade"] out-interface=ether1 dst-address=!192.168.100.0/24

  36. /ip firewall mangle
  37. add action=mark-routing chain=prerouting dst-address-list=cn new-routing-mark=vpn passthrough=no src-address=192.168.200.0/24
複製代碼

TOP

gfx86674

Rank: 1
8#
發表於 2018-2-20 14:34 | 顯示全部帖子
本帖最後由 gfx86674 於 2018-2-20 15:08 編輯
  1. #CN:

  3. /interface sstp-client
  4. add authentication=pap certificate=cert connect-to=123.123.123.123:443 name=sstp-out1 password=123 user=123 verify-server-address-from-certificate=no

  6. /interface eoip
  7. add allow-fast-path=no mac-address=02:F1:04:27:75:96 name=eoip-tunnel1 tunnel-id=123 local-address=172.16.0.1 remote-address=172.16.0.0

  9. /interface bridge
  10. add name=bridge1 vlan-filtering=no

  12. /interface bridge port
  13. add bridge=bridge1 interface=eoip-tunnel1
  14. add bridge=bridge1 interface=sfp1 pvid=100
  15. add bridge=bridge1 interface=ether2 pvid=100
  16. add bridge=bridge1 interface=ether3 pvid=100
  17. add bridge=bridge1 interface=ether4 pvid=100
  18. add bridge=bridge1 interface=ether5 pvid=100
  19. add bridge=bridge1 interface=ether6 pvid=200
  20. add bridge=bridge1 interface=ether7 pvid=200
  21. add bridge=bridge1 interface=ether8 pvid=200

  23. /interface bridge vlan
  24. add bridge=bridge1 tagged=eoip-tunnel1 untagged=sfp1,ether2,ether3,ether4,ether5 vlan-ids=100
  25. add bridge=bridge1 tagged=eoip-tunnel1 untagged=ether6,ether7,ether8 vlan-ids=200

  27. /ip address
  28. add address=192.168.100.254/24 interface=sfp1 network=192.168.100.0

  30. /interface bridge set bridge1 vlan-filtering=yes

  32. /ip firewall nat
  33. set [find action="masquerade"] out-interface=ether1 dst-address=!192.168.200.0/24 !src-address
  34. add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=192.168.100.201-192.168.100.250 to-addresses=172.16.0.0

  36. /ip firewall mangle
  37. add action=accept chain=prerouting dst-address=192.168.200.0/24
  38. add action=mark-routing chain=prerouting dst-address-type=!local dst-address-list=!cn new-routing-mark=vpn passthrough=no src-address=192.168.100.0/24

  40. /ip route
  41. add distance=2 dst-address=192.168.200.0/24 gateway=172.16.0.0
  42. add distance=3 gateway=172.16.0.1 routing-mark=vpn
  43. add distance=5 gateway=ether1
複製代碼
  1. #HK:

  3. /interface sstp-server server
  4. set authentication=pap certificate=cert default-profile=default enabled=yes port=443

  6. /ppp secret
  7. add local-address=172.16.0.0 remote-address=172.16.0.1 name=123 password=123  routes="192.168.100.0/24 172.16.0.1 2" service=sstp

  9. /interface eoip
  10. add allow-fast-path=no mac-address=02:F1:04:27:96:75 name=eoip-tunnel1 tunnel-id=123 local-address=172.16.0.0 remote-address=172.16.0.1

  12. /ip dns
  13. set allow-remote-requests=yes

  15. /interface bridge
  16. add name=bridge1 vlan-filtering=no

  18. /interface bridge port
  19. add bridge=bridge1 interface=eoip-tunnel1
  20. add bridge=bridge1 interface=sfp1 pvid=200
  21. add bridge=bridge1 interface=ether2 pvid=200
  22. add bridge=bridge1 interface=ether3 pvid=200
  23. add bridge=bridge1 interface=ether4 pvid=200
  24. add bridge=bridge1 interface=ether5 pvid=200
  25. add bridge=bridge1 interface=ether6 pvid=100
  26. add bridge=bridge1 interface=ether7 pvid=100
  27. add bridge=bridge1 interface=ether8 pvid=100

  29. /interface bridge vlan
  30. add bridge=bridge1 tagged=eoip-tunnel1 untagged=sfp1,ether2,ether3,ether4,ether5 vlan-ids=200
  31. add bridge=bridge1 tagged=eoip-tunnel1 untagged=ether6,ether7,ether8 vlan-ids=100

  33. /ip address
  34. add address=192.168.200.254/24 interface=sfp1 network=192.168.200.0

  36. /interface bridge set bridge1 vlan-filtering=yes

  38. /ip firewall nat
  39. set [find action="masquerade"] out-interface=ether1 dst-address=!192.168.100.0/24 !src-address

  41. /ip firewall mangle
  42. add action=mark-routing chain=prerouting dst-address-list=cn new-routing-mark=vpn passthrough=no src-address=192.168.200.0/24

  44. /ip route
  45. add distance=3 gateway=172.16.0.1 routing-mark=vpn
  46. add distance=5 gateway=ether1
複製代碼

TOP

gfx86674

Rank: 1
9#
發表於 2018-2-20 17:00 | 顯示全部帖子
本帖最後由 gfx86674 於 2018-2-20 17:17 編輯
回復  gfx86674

我在中國有兩個ISP(CN1,CN2)在不同地點,在香港也有兩個ISP(HK1,HK2)在不同的地點
...
yiucsw 發表於 2018-2-20 16:53

是假設您是固定ip的用戶,ether1的地址是123.123.123.123
(123.123.123.123是公網地址,您可能誤會成虛擬的了)
(在/ip address宣告地址需加遮罩,所以才用123.123.123.123/24)

若您非是固定ip用戶,用的是dhcp-client或是pppoe撥號取得public-address,
有關ether1的描述是完全不需理會的.

TOP

gfx86674

Rank: 1
10#
發表於 2018-2-20 20:19 | 顯示全部帖子
本帖最後由 gfx86674 於 2018-2-20 22:00 編輯

change mss我習慣平日就掛著且放在最優先的位置,否則mtu衍生的問題真的一堆


hw-offloading只有對ethernet才有用 ,Wifi模組是分開的幫不到忙.
另外eoip-tunnel是虛擬的,切的valn也是...
就算勾上Hardware Offload也不會有任何作用.

使用bridge的vlan功能需開啟vlan-filtering,
但這會反而讓hw-offloading自動關閉,您應該沒想過這個問題吧!

或許依您原來的橋接方式,才是對你最有利的.

ps:
我用youtube搜尋到國外有趣的方式:
上述有提到開vlan-filtering會讓hw-offloading關閉對吧...

先用bridge將ethernet全橋接起來,
但vlan規劃不在bridge內設定而是像v6.41之前一樣用switch方式劃開,
或許hw-offloading就不會受影響.

TOP

gfx86674

Rank: 1
11#
發表於 2018-2-21 11:43 | 顯示全部帖子
回復  gfx86674
    以前試過這個雙EOIP理論上是可以,但實際是有問題。 我沒有找到原因。所有想看看VLAN  ...
yiucsw 發表於 2018-2-21 11:16

雙eoip是不會有任何問題的,在台灣我幫朋友eoip橋接到5組.
您可能共用相同的tunnel-id ,若是雙eoip那tunnel-id也要2組才行.

TOP

gfx86674

Rank: 1
12#
發表於 2018-2-23 14:45 | 顯示全部帖子
回復 40# yiucsw
MRRU的選項並非全部的VPN支援,只有PPTP/SSTP/L2TP Server有.
像GRE/IPIP/EOIP只能勾Change MSS的方式...

但像IPSec的VPN-Tunnel則就更慘了,連Change MSS都沒得勾...
只好手動新增Change MSS使用.

TOP

gfx86674

Rank: 1
13#
發表於 2018-6-19 16:47 | 顯示全部帖子
回復  kmc87

你说PPTP和SSTP的问题,我也知道SSTP是secruity比较高,但是有的时候PPTP能行,SSTP却不能。 ...
角色 發表於 2018-6-19 12:00

可以用script判斷,若目前的vpn無法順利連線,就自動換另外一種...直到成功才停止

TOP

gfx86674

Rank: 1
14#
發表於 2018-6-19 22:42 | 顯示全部帖子
本帖最後由 gfx86674 於 2018-6-19 22:43 編輯
回復  gfx86674


    可以指導一下怎樣做嗎? 現在我是人工判斷的。
kmc87 發表於 2018-6-19 18:17

您會用script的判斷語法嗎? 概念是:
:local sstp [/interface get sstp-client1 running]
:local pptp [/interface get pptp-client1 running]

#用OR閘判斷是否VPN已上線
:if ($sstp || $pptp) do={
   #OR閘是TRUE(VPN已上線)的情況,是sstp或pptp
   :if ($sstp) do={
       #是sstp的情況...
   } else={
       #是pptp的情況...
   }
} else={
   #OR閘是FALSE(VPN是離線)的情況
}

TOP

返回列表