By default the router answers at 192.168.88.1 and the connected PC gets an address in the 192.168.88.0/24 subnet. Open that address in the browser, download Winbox.exe and save it on your computer.
Start Winbox. Instead of typing an address into the Connect To field, press the "…" button next to it; after a few seconds your router appears in the neighbor list. Connect to its MAC address as admin with an empty password (the factory default).
On the first login the router offers its default configuration; press the Remove Configuration button. The Winbox session closes, and after a few seconds we start Winbox again (from wherever you saved it) and connect to the MAC address once more.
Open Interfaces on the left and delete the interfaces that are not needed (VLAN, Bridge). Then open the settings of each remaining interface (there are only 5 of them on the company's router), set Master Port to none and switch ARP from proxy-arp to enabled, bringing the settings to the following form:
IP → Addresses
Assign the required addresses to the required interfaces. In the Escort network the router is connected to two Internet providers and to the internal network; a second internal network is reached over VPN. Specify the IP for each interface (the provider addresses below are placeholders; the I flag marks addresses whose interface is currently down or missing):
[admin@Mikrotik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK        INTERFACE
 0 I ;;; , !!!
     10.0.33.1/24       10.0.33.0      ether4-hosting-network
 1   22.22.22.17/29     22.22.22.16    ether2-gateway2
 2   11.11.11.1/28      11.11.11.0     ether1-gateway1
 3   192.168.3.101/22   192.168.0.0    ether3-internal-network
 4 I 192.168.4.2/22     192.168.4.0    ether4-hosting-network
IP → Routes
The routes present after the reset use interfaces rather than gateway hosts. Delete all static routes; the dynamic (connected) routes adjust themselves once the static ones change. Attention: to delete everything painlessly, connect to the router from the local network (by MAC address, without relying on any route), otherwise the session drops the moment you delete the main route.
Then create the new routes: in the Dst. Address field enter 0.0.0.0/0 and in the Gateway field the IP of the provider's gateway, one route per provider. Do not forget the Distance: the route with the lower distance is the active one, the other is the backup. The route settings should look like this:
Next, select each default route, press the Copy button and give the copy a Routing Mark named after its provider; I called them to_ISP1 and to_ISP2. These marked copies are used only by packets that carry the corresponding routing mark.
IP → Firewall → Mangle
First mark each connection with the provider interface it arrived on:
General: Chain: prerouting; In. Interface: ether1-gateway1 (ether2-gateway2 in the second rule); Connection Mark: no-mark
Action: Action: mark connection; New Connection Mark: ISP1_conn (ISP2_conn in the second rule); Passthrough:
Then bind ISP1_conn and ISP2_conn to the routes marked above, so that the router's own replies leave through the provider the connection came from:
General: Chain: output; Connection Mark: ISP1_conn
Action: Action: mark routing; New Routing Mark: to_ISP1; Passthrough:
and the same rule for ISP2_conn with New Routing Mark: to_ISP2.
Netwatch
To switch providers automatically, use the Netwatch feature: it pings a host at a set interval and runs one script when the host becomes reachable and another when it stops responding. It does not look at link state or traffic on the interfaces, which is what makes the test described below possible. Configuring it takes 3 steps.
System → Scripts
Create 4 scripts named ISP1-DOWN, ISP1-UP, ISP2-DOWN, ISP2-UP and grant all of them the full set of policies. Their contents (the distance condition must match the distance you gave the corresponding default route):
ISP1-DOWN:
/ip route disable [find dst-address=0.0.0.0/0 and gateway=11.11.11.11 and distance >=4];
ISP1-UP:
/ip route enable [find dst-address=0.0.0.0/0 and gateway=11.11.11.11 and distance >=4];
ISP2-DOWN:
/ip route disable [find dst-address=0.0.0.0/0 and gateway=22.22.22.22 and distance >=3];
ISP2-UP:
/ip route enable [find dst-address=0.0.0.0/0 and gateway=22.22.22.22 and distance >=3];
Tools → Netwatch
Host: 8.8.8.8; Interval: 00:00:10; Timeout: 1000ms; Up: ISP1-UP; Down: ISP1-DOWN
Host: 8.8.4.4; Interval: 00:00:10; Timeout: 1000ms; Up: ISP2-UP; Down: ISP2-DOWN
Keep in mind that both probes are sent along whichever default route is currently active, so while ISP1 is primary the ping to 8.8.4.4 also goes through ISP1 and says nothing about ISP2; if ISP1 fails, both monitors go down together and ISP2-DOWN disables the backup as well. Pin each probe host to its own provider with a /32 route so that each monitor tests exactly one uplink.
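Added example, not part of the original article: the Netwatch failover from the three steps above as CLI commands (RouterOS v6 syntax). Script bodies, probe hosts, interval and timeout are the article's; the two /32 probe routes and the reduced script policy are additions.

```routeros
# Added example (not from the article). RouterOS v6 syntax.

# Pin each probe to its own gateway so that the monitor for ISP1 really
# tests ISP1 and the monitor for ISP2 really tests ISP2 (see the note
# above). These routes stay in place when a default route is disabled,
# which is exactly what lets the monitor notice the provider coming back.
# LAN traffic to these two addresses is pinned as well, so choose probe
# hosts your users do not depend on (e.g. not your configured DNS server).
/ip route
add dst-address=8.8.8.8/32 gateway=11.11.11.11 comment="Netwatch probe for ISP1"
add dst-address=8.8.4.4/32 gateway=22.22.22.22 comment="Netwatch probe for ISP2"

# Scripts toggling the default routes. read,write,test is all that enabling
# or disabling a route needs; the article grants every policy, which is more
# than the scripts use.
/system script
add name=ISP1-DOWN policy=read,write,test \
    source="/ip route disable [find where dst-address=0.0.0.0/0 and gateway=11.11.11.11 and distance>=4]"
add name=ISP1-UP policy=read,write,test \
    source="/ip route enable [find where dst-address=0.0.0.0/0 and gateway=11.11.11.11 and distance>=4]"
add name=ISP2-DOWN policy=read,write,test \
    source="/ip route disable [find where dst-address=0.0.0.0/0 and gateway=22.22.22.22 and distance>=3]"
add name=ISP2-UP policy=read,write,test \
    source="/ip route enable [find where dst-address=0.0.0.0/0 and gateway=22.22.22.22 and distance>=3]"

# One monitor per uplink: 10 s interval, 1 s timeout as in the article.
# up-script/down-script hold script code, so the named scripts are invoked
# explicitly with /system script run.
/tool netwatch
add host=8.8.8.8 interval=10s timeout=1s \
    up-script="/system script run ISP1-UP" down-script="/system script run ISP1-DOWN"
add host=8.8.4.4 interval=10s timeout=1s \
    up-script="/system script run ISP2-UP" down-script="/system script run ISP2-DOWN"
```

To verify, disable the ISP1 probe route for a moment or block ICMP to 8.8.8.8 upstream as the article does with the switch port: /ip route print should show the ISP1 default route disabled within one interval, and /tool netwatch print should show only that host as down.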
To test Netwatch we broke a logical (not physical) link on one of the external interfaces. In my company a managed switch was used for this: a switch port that was not adjacent to the router was shut down. The ping to 8.8.8.8 then failed while the physical link on the router stayed up. Once the pings stopped, Netwatch disabled the corresponding routes and the internal network reached the Internet through the backup interface.
IP → Firewall
Go to the NAT tab and add a masquerade rule for the external interface (one such rule per provider interface):
Chain: srcnat; Out. Interface: the provider interface (ether1-gateway1, and a second rule for ether2-gateway2); Action: masquerade
IP → Pool
Create a new pool named vpn-pool with the range 192.168.170.2-192.168.171.254. Note that this range spans two /24 networks, 192.168.170.0/24 and 192.168.171.0/24; the firewall rules later on must cover both.
PPP
Open the PPP menu item; on the Interfaces tab press the PPTP Server button. Tick Enabled, leave only mschap2 as the authentication method and select Default Profile: default-encryption.
Keep in mind that PPTP with MS-CHAPv2 is no longer considered secure: a captured authentication exchange reduces to brute-forcing a single DES key, which yields the password hash from which the MPPE session keys are derived, so captured traffic can be decrypted. Use it for legacy clients only and prefer the SSTP server configured further below.
Then go to the Profiles tab and open default-encryption. On the General tab set Local Address: 192.168.170.1 and Remote Address: vpn-pool. On the Protocols tab set Use Encryption to yes.
Secrets tab. Create a user: Name and Password: the client's credentials; Service: any; Profile: default-encryption; Local Address: 192.168.170.1; Remote Address: either a fixed address for this client or empty, in which case it is taken from vpn-pool through the profile. A user created this way can now connect to the VPN.
System → Scripts
To add many users at once, press "+" (create new) and paste the script below. It reads vpnusers.txt from the router's file storage line by line and creates a PPP secret from each line:
# Read the whole file into a string and walk it line by line.
:global content [/file get [/file find name=vpnusers.txt] contents];
:global contentLen [:len $content];
:global lineEnd 0;
:global line "";
:global lastEnd 0;
:do {
    # Lines are separated by CRLF, so the file must use Windows line endings.
    :set lineEnd [:find $content "\r\n" $lastEnd];
    :set line [:pick $content $lastEnd $lineEnd];
    :set lastEnd ($lineEnd + 2);
    # :toarray splits the line at the commas.
    :local tmpArray [:toarray $line];
    :if ([:pick $tmpArray 0] != "") do={
        :put $tmpArray;
        /ppp secret add name=[:pick $tmpArray 0] password=[:pick $tmpArray 1] \
            local-address=[:pick $tmpArray 2] remote-address=[:pick $tmpArray 3] \
            profile=[:pick $tmpArray 4] service=[:pick $tmpArray 5];
    }
} while ($lineEnd < $contentLen)
Each line of the file holds, separated by commas: login, password, local IP, remote IP, profile, service. A constructed example line:
ivanov,Xk9-long-random,192.168.170.1,192.168.170.10,default-encryption,any
Every line, including the last one, must end with CRLF, since the script searches for "\r\n". The file contains passwords in clear text: delete it from the router's Files and from your PC once the import is done.
Files
Open Files and drag the file into the window with the mouse. It must be named vpnusers.txt, otherwise the script will not find it.
System → Scripts
Select the script and press Run Script.
PPP → Secrets
now lists the added accounts.
For the SSTP server we need a certificate; it is generated with the easy-rsa scripts shipped with OpenVPN for Windows. Go to the c:\Program Files\OpenVPN\easy-rsa\ directory (or Program Files (x86), if you installed 32-bit OpenVPN on 64-bit Windows). Open vars.bat for editing; if it does not exist, rename vars.bat.sample to vars.bat. Bring vars.bat to the following form:
@echo off
rem Edit this variable to point to
rem the openssl.cnf file included
rem with easy-rsa.
set HOME=%ProgramFiles%\OpenVPN\easy-rsa
set KEY_CONFIG=openssl-1.0.0.cnf
rem Edit this variable to point to
rem your soon-to-be-created key
rem directory.
rem
rem WARNING: clean-all will do
rem a rm -rf on this directory
rem so make sure you define
rem it correctly!
set KEY_DIR=keys
rem Increase this to 2048 if you
rem are paranoid. This will slow
rem down TLS negotiation performance
rem as well as the one-time DH parms
rem generation process.
set KEY_SIZE=1024
rem These are the default values for fields
rem which will be placed in the certificate.
rem Change these to reflect your site.
rem Don't leave any of these parms blank.
set KEY_COUNTRY=RU
set KEY_PROVINCE=Nsk
set KEY_CITY=Novosibirsk
set KEY_ORG=Escort
set KEY_EMAIL=i_nichupienko@soft-escort.ru
set KEY_CN=87.245.176.183
set KEY_NAME=temp_nie
set KEY_OU=changeme
set PKCS11_MODULE_PATH=changeme
set PKCS11_PIN=1234
Set KEY_SIZE to 2048 rather than 1024: the "paranoid" in the comment is outdated, 1024-bit RSA keys are no longer considered adequate, and KEY_CN must be the address the clients will connect to, since SSTP clients check it.
Edit build-ca.bat so that it takes the output file name as a parameter:
@echo off
cd %HOME%
rem build a cert authority valid for ten years, starting now
"c:\Program Files\OpenVPN\bin\openssl.exe" req -days 3650 -nodes -new -x509 -keyout %KEY_DIR%\%1.key -out %KEY_DIR%\%1.crt -config %KEY_CONFIG%
Then run, from a command prompt in the easy-rsa directory:
c:\Program Files\OpenVPN\easy-rsa>vars.bat
c:\Program Files\OpenVPN\easy-rsa>clean-all.bat
c:\Program Files\OpenVPN\easy-rsa>build-ca.bat newuser
openssl asks for the certificate fields interactively; press Enter to accept the defaults taken from vars.bat or type new values, as convenient. The result is keys\newuser.crt and keys\newuser.key. Because of -nodes the private key is stored unencrypted: copy it to the router and delete it from the PC afterwards.
Back in Winbox, connect to the router, click the Files button and drag both files into the window.
In Winbox go to System → Certificates. Click Import and import the .crt file first, then the .key, so that the private key is attached to the certificate.
PPP → Profile
Open the default-encryption profile edited earlier, press Copy, and on the Protocols tab change Use Encryption from yes to required. Name the copy SSTPprofile.
PPP
On the Interface tab press the SSTP Server button. Tick Enabled, select SSTPprofile as the Default Profile and choose the imported certificate. Leave only mschap2 as the authentication method.
Since the PPP secrets were created with Service: any, nothing more needs to be added. The connection is ready.
Windows SSTP clients verify the server certificate: its CN (here the router's public address) must match the address the client connects to, and a self-signed certificate like this one must be installed in the client's Trusted Root Certification Authorities store, otherwise the connection is refused.
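Added example, not part of the original article: the pool, profiles, PPTP and SSTP servers from the two VPN sections above as CLI commands (RouterOS v6 syntax). Pool, profile names and addresses are the article's; the user name and password are placeholders, and the certificate name after import is an assumption.

```routeros
# Added example (not from the article). RouterOS v6 syntax.

/ip pool add name=vpn-pool ranges=192.168.170.2-192.168.171.254

# The built-in default-encryption profile hands out addresses from the pool.
# use-encryption=yes negotiates MPPE only if the peer agrees; required refuses
# peers that will not encrypt, which is what the SSTP profile gets.
/ppp profile set default-encryption local-address=192.168.170.1 \
    remote-address=vpn-pool use-encryption=yes
/ppp profile add name=SSTPprofile copy-from=default-encryption use-encryption=required

# PPTP server, MS-CHAPv2 only (pap sends the password in clear, chap/mschap1
# are weaker still). Kept for legacy clients, see the caveat above.
/interface pptp-server server set enabled=yes authentication=mschap2 \
    default-profile=default-encryption

# Certificate and key produced with easy-rsa and already uploaded to Files:
# the .crt first, then the .key, so the key attaches to the certificate.
/certificate import file-name=newuser.crt passphrase=""
/certificate import file-name=newuser.key passphrase=""

# SSTP server (443/tcp) bound to the imported certificate. The certificate
# name is whatever /certificate print shows after the import (assumption).
/interface sstp-server server set enabled=yes authentication=mschap2 \
    default-profile=SSTPprofile certificate=newuser.crt_0

# One account serves both services. Local/remote addresses come from the
# profile, so they are not repeated here. Placeholder credentials.
/ppp secret add name=vpnuser1 password="Replace-With-A-Long-Passphrase" \
    service=any profile=default-encryption
```

Check the result with /ppp active print once a client connects: the encoding column shows MPPE128 for PPTP peers and the SSTP interface appears under /interface.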
IP → Firewall → Filter Rules
Allow Winbox only from the internal network:
Chain: input; Protocol: tcp; Dst. Port: 8291; In. Interface: ether3-internal; Action: accept
Allow ICMP out through both providers (one rule per interface, since the Out. Interface field takes a single interface, so there are two rules):
Chain: forward; Protocol: icmp; Out. Interface: ether1-gateway1 (second rule: ether2-gateway2); Action: accept
Allow VPN clients to ping and to reach RDP on the internal network:
Chain: forward; Protocol: icmp; Src. Address: 192.168.170.0/24; Dst. Address: 192.168.0.0/22; Action: accept
Chain: forward; Protocol: tcp; Src. Address: 192.168.170.0/24; Dst. Address: 192.168.0.0/22; Dst. Port: 3389; Action: accept
Two things to check here. First, accept rules only have an effect if a drop rule follows them: RouterOS accepts whatever a chain does not match, so finish the input and forward chains with a drop, keeping established and related connections accepted above it. Second, vpn-pool reaches into 192.168.171.x, which 192.168.170.0/24 does not match; use 192.168.170.0/23 in these rules.
IP → Firewall → NAT
Publish the internal web server on the provider address:
Chain: dstnat; Protocol: tcp; Dst. Port: 80; In. Interface: ether1-gateway1 (second rule: ether2-gateway2); Action: netmap; To Addresses: 192.168.2.82; To Ports: 80
To let VPN clients reach an internal host at an address in their own subnet, translate that address to the host:
Chain: dstnat; Dst. Address: 192.168.170.82; Protocol: tcp; Dst. Port: 3389; Action: dst-nat; To Addresses: 192.168.2.82; To Ports: 3389
Note that 192.168.170.82 lies inside vpn-pool, so a client can be assigned that very address; pick an address outside the pool or shorten the pool to avoid the collision.
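Added example, not part of the original article: the filter and NAT rules from the two sections above as CLI commands (RouterOS v6 syntax), with the weak points fixed: a default drop at the end of each chain, established/related accepted first, the /23 mask for the VPN pool, and the VPN server ports opened so that the drop does not lock the VPN out. Interface names, addresses and ports are the article's (ether3-internal-network is used throughout, as in the address table); the RDP address for VPN clients keeps the article's 192.168.170.82 and the NAT uses dst-nat where the article uses netmap, which is equivalent for a single address.

```routeros
# Added example (not from the article). RouterOS v6 syntax.

/ip firewall filter
# Traffic to the router itself.
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
# Winbox (8291) from the internal LAN only.
add chain=input protocol=tcp dst-port=8291 in-interface=ether3-internal-network action=accept
# VPN servers must remain reachable from the Internet.
add chain=input protocol=tcp dst-port=1723 action=accept comment="PPTP"
add chain=input protocol=gre action=accept comment="PPTP GRE"
add chain=input protocol=tcp dst-port=443 action=accept comment="SSTP"
# The LAN may talk to the router (DNS, Winbox, ...); everyone else is dropped.
add chain=input in-interface=ether3-internal-network action=accept
add chain=input action=drop comment="default deny to the router"

# Transit traffic.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# ICMP out through either provider, one rule per interface.
add chain=forward protocol=icmp out-interface=ether1-gateway1 action=accept
add chain=forward protocol=icmp out-interface=ether2-gateway2 action=accept
# VPN clients -> LAN: ping and RDP only. The pool spans 192.168.170.2-192.168.171.254,
# so match the /23; the /24 in the article misses clients in 192.168.171.x.
add chain=forward protocol=icmp src-address=192.168.170.0/23 dst-address=192.168.0.0/22 action=accept
add chain=forward protocol=tcp src-address=192.168.170.0/23 dst-address=192.168.0.0/22 dst-port=3389 action=accept
# LAN -> anywhere, and the published web server (already translated by dst-nat
# when it reaches the forward chain).
add chain=forward in-interface=ether3-internal-network action=accept
add chain=forward protocol=tcp dst-address=192.168.2.82 dst-port=80 action=accept comment="published web server"
add chain=forward action=drop comment="default deny for transit"

/ip firewall nat
add chain=srcnat out-interface=ether1-gateway1 action=masquerade
add chain=srcnat out-interface=ether2-gateway2 action=masquerade
# Publish the internal web server on both provider addresses.
add chain=dstnat protocol=tcp dst-port=80 in-interface=ether1-gateway1 \
    action=dst-nat to-addresses=192.168.2.82 to-ports=80
add chain=dstnat protocol=tcp dst-port=80 in-interface=ether2-gateway2 \
    action=dst-nat to-addresses=192.168.2.82 to-ports=80
# RDP host reachable for VPN clients under an address in their own subnet.
# 192.168.170.82 is inside vpn-pool (article's value); move it outside the
# pool in a real deployment.
add chain=dstnat protocol=tcp dst-address=192.168.170.82 dst-port=3389 \
    action=dst-nat to-addresses=192.168.2.82 to-ports=3389
```

Order matters: RouterOS evaluates rules top to bottom, so the established/related rule must stay first and the drop last. After pasting, /ip firewall filter print stats shows packet counters per rule; a Winbox attempt from the ISP side should increment only the final input drop.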
Source: https://habr.com/ru/post/227913/