hainanmm's personal space https://bbs.routerclub.com/?7232

Message board

cspm333 2016-5-16 12:40
[VPN] IPSec Xauth PSK VPN access from an Android phone
http://i.imgur.com/iSydlng.png

MikroTik's official site calls this the Road Warrior service; put plainly, it is just IPSec Xauth PSK for phones.
RouterOS has supported phones this way since v6.12, but not many people seem to use it...
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec

If an L2TP over IPSec server was already set up on the router, you must first disable the IPSec under it.
Connections come into RouterOS through UDP port 500, and otherwise the router cannot tell whether a packet belongs to IPSec Xauth or to L2TP over IPSec.

In addition, sha1 / aes-128 cbc must be enabled.
http://i.imgur.com/uHjiSEy.png

After that there is no complicated setup; just import the following directly.
    /ip pool
    add name=IPSec_Xauth ranges=172.19.15.0/24

    /ip ipsec mode-config
    add address-pool=IPSec_Xauth address-prefix-length=24 \
    name="IPSec_Xauth (Android)" split-include=0.0.0.0/0

    /ip ipsec policy group
    add name="IPSec_Xauth (Android)"

    /ip ipsec policy
    add comment="IPSec_Xauth (Android)" dst-address=0.0.0.0/0 \
    group="IPSec_Xauth (Android)" src-address=172.19.15.0/24 template=yes

    /ip ipsec peer
    add auth-method=pre-shared-key-xauth comment="IPSec_Xauth (Android)" \
    enc-algorithm=aes-128 generate-policy=port-strict \
    mode-config="IPSec_Xauth (Android)" \
    passive=yes policy-template-group="IPSec_Xauth (Android)" secret=abc1234

    /ip firewall mangle
    add action=change-mss chain=forward dst-address=172.19.15.0/30 new-mss=\
        clamp-to-pmtu passthrough=no protocol=tcp tcp-flags=syn
    add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=no \
        protocol=tcp src-address=172.19.15.0/30 tcp-flags=syn

172.19.15.0/24 is your own VPN subnet and secret=abc1234 is your own pre-shared key; both can be customized.
User accounts/passwords can be added here:
http://i.imgur.com/dWzYbUx.png

Screenshot of a successful connection on Android:
http://i.imgur.com/cOoXXRz.png
http://i.imgur.com/4mUsak5.png
cspm333 2016-5-15 19:26
Implementing VLAN bridging for IPTV (RB450G + RB260GS)
The IPTV device is a Chunghwa Telecom MOD; below I simply call the IPTV "MOD".
I currently only use VLAN for the MOD, so only one VLAN is carved out.
ROS (RB450G):
1.http://i.imgur.com/tENcBCx.png
2.http://i.imgur.com/xxWbTsX.png
3.http://i.imgur.com/d8SW88i.png
4.http://i.imgur.com/PnSp6vD.png
5.http://i.imgur.com/Jws9dqV.png
6.http://i.imgur.com/xvPhgzs.png
7.http://i.imgur.com/UuXRezn.png
8.http://i.imgur.com/F1P3le6.png
9.http://i.imgur.com/GjBBzQx.png

VLAN switch:
The switch does not have to be a MikroTik, but its VLAN implementation must support 802.1Q.
1.http://i.imgur.com/np4ubw5.png
2.http://i.imgur.com/wHLwyaf.png
If the RB260GS has to connect more MOD boxes, just change the designated ports on the RB260GS to the same settings as ether4.
cspm333 2016-5-15 19:25
Dual WAN + PCC load balancing + small-packet priority:

/interface pppoe-client
add allow=pap interface=Wan1 max-mru=1492 max-mtu=1492 name=pppoe-out1 password=aaaa user=11111
add allow=pap interface=Wan2 max-mru=1492 max-mtu=1492 name=pppoe-out2 password=bbbb user=22222

/ip firewall address-list
add list=PPPoE1 address=1.1.1.1
add list=PPPoE2 address=2.2.2.2

# PPPoE refresh script: copy each PPPoE client's current local address into its address list
# (the clients are named pppoe-out1/pppoe-out2 above, so those are the interfaces to monitor)
:for i from=1 to=2 \
   do={/interface pppoe-client monitor "pppoe-out$i" once \
             do={:if ($status="connected" && \
                      [/ip firewall address-list get [find list="PPPoE$i"] address]!=$"local-address") \
                         do={/ip firewall address-list set [find list="PPPoE$i"] address=$"local-address"}}}

/ip firewall mangle
# exceptions: traffic that must never be marked
add action=accept chain=prerouting src-address=192.168.1.0/24 dst-address=192.168.1.0/24
add action=accept chain=prerouting src-address=192.168.1.0/24 dst-address-type=local
add action=accept chain=output dst-address=192.168.1.0/24

# packets that came in via one PPPoE link must go back out via the same PPPoE link
add action=mark-connection chain=prerouting dst-address-list=PPPoE1 new-connection-mark=pppoe1_conn passthrough=yes
add action=mark-connection chain=prerouting dst-address-list=PPPoE2 new-connection-mark=pppoe2_conn passthrough=yes

add action=mark-routing chain=output connection-mark=pppoe1_conn new-routing-mark=to_pppoe1 passthrough=no
add action=mark-routing chain=output connection-mark=pppoe2_conn new-routing-mark=to_pppoe2 passthrough=no

add action=mark-routing chain=prerouting connection-mark=pppoe1_conn new-routing-mark=to_pppoe1 \
  src-address=192.168.1.0/24 passthrough=no
add action=mark-routing chain=prerouting connection-mark=pppoe2_conn new-routing-mark=to_pppoe2 \
  src-address=192.168.1.0/24 passthrough=no

# for site-to-site: lets GRE/IPIP/IPSEC local-address be pinned to either PPPoE
add action=mark-routing chain=output new-routing-mark=to_pppoe1 passthrough=no src-address-list=PPPoE1
add action=mark-routing chain=output new-routing-mark=to_pppoe2 passthrough=no src-address-list=PPPoE2

# PCC load balancing
add action=mark-routing chain=prerouting new-routing-mark=to_pppoe1 \
  per-connection-classifier=both-ports:2/0 src-address=192.168.1.0/24 passthrough=no
add action=mark-routing chain=prerouting new-routing-mark=to_pppoe2 \
  per-connection-classifier=both-ports:2/1 src-address=192.168.1.0/24 passthrough=no

add action=mark-routing chain=output new-routing-mark=to_pppoe1 \
  per-connection-classifier=src-port:2/0 passthrough=no
add action=mark-routing chain=output new-routing-mark=to_pppoe2 \
  per-connection-classifier=src-port:2/1 passthrough=no

# mark packets coming in from PPPoE whose packet size is larger than 512 bytes
add action=mark-packet chain=forward in-interface=pppoe-out1 dst-address=192.168.1.0/24 packet-size=513-65535 \
  new-packet-mark=pppoe1_big_packets passthrough=yes
add action=mark-packet chain=forward in-interface=pppoe-out2 dst-address=192.168.1.0/24 packet-size=513-65535 \
  new-packet-mark=pppoe2_big_packets passthrough=yes

add action=mark-packet chain=input in-interface=pppoe-out1 packet-size=513-65535 \
  new-packet-mark=pppoe1_big_packets passthrough=yes
# input traffic arriving on pppoe-out2 gets the pppoe2 mark (the original rule reused pppoe1_big_packets)
add action=mark-packet chain=input in-interface=pppoe-out2 packet-size=513-65535 \
  new-packet-mark=pppoe2_big_packets passthrough=yes

/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2

/ip route
# policy routes
add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_pppoe1 distance=4
add dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to_pppoe2 distance=4

# default routes (when a PPPoE link drops and load balancing stops working, the default routes take over)
add dst-address=0.0.0.0/0 gateway=pppoe-out1 distance=5
add dst-address=0.0.0.0/0 gateway=pppoe-out2 distance=6

/queue tree
# capping big packets at 52M out of the 60M available leaves the remaining 8M as guaranteed bandwidth for small packets (small-packet priority)
add max-limit=52M name="PPPoE1_big_packets_limit" packet-mark=pppoe1_big_packets parent=Lan queue=default
add max-limit=52M name="PPPoE2_big_packets_limit" packet-mark=pppoe2_big_packets parent=Lan queue=default
cspm333 2016-5-15 19:23
Is your PPTP/SSTP/L2TP/OVPN server constantly being tried by strangers?
http://i.imgur.com/4Ng3GXi.jpg

First, use the firewall to put the IPs that try to use the vpn-server on a watch list.
Note that for SSTP and OVPN the ports you use may differ...
/ip firewall filter
add action=accept chain=input src-address-list=mobile
add action=accept chain=input src-address-list=temp dst-port=1723,443,1194 protocol=tcp
add action=accept chain=input src-address-list=temp dst-port=500,1701,4500 protocol=udp
add action=drop chain=input src-address-list="port scanners"
# PPTP #
add action=add-src-to-address-list address-list=temp address-list-timeout=1m20s \
  chain=input dst-port=1723 protocol=tcp
# SSTP #
add action=add-src-to-address-list address-list=temp address-list-timeout=1m20s \
  chain=input dst-port=443 protocol=tcp
# L2TP #
add action=add-src-to-address-list address-list=temp address-list-timeout=1m20s \
  chain=input dst-port=500,1701,4500 protocol=udp
# OVPN #
add action=add-src-to-address-list address-list=temp address-list-timeout=1m20s \
  chain=input dst-port=1194 protocol=tcp

In /system scheduler add Vpn-points (the VPN checkpoint), running once every minute.
http://i.imgur.com/FNg5zRK.png
----------------------------------------
:for type from=1 to=2 \
    do={:local vpn
            :if ($type=1) do={:set vpn [:parse "/ppp active find"]}
            :if ($type=2) do={:set vpn [:parse "/ip ipsec policy find dynamic"]}
        
            :foreach i in=[$vpn] \
               do={:local clientip
                       :if ($type=1) do={:set clientip [/ppp active get $i caller-id]}
                       :if ($type=2) do={:set clientip [/ip ipsec policy get $i sa-src-address]}

                       :local clientarry [/ip firewall address-list find list=temp && address=$clientip]
                       :if ([:len $clientarry]>0 && [:len [/ip firewall address-list find list=mobile address=$clientip]]=0) \
                           do={
                                   /ip firewall address-list remove $clientarry
                                   /ip firewall address-list add list=mobile address=$clientip timeout=1d
                                  }
                       }
           }

:foreach j in=[/ip firewall address-list find list=temp && timeout>2s] \
    do={
            /ip firewall address-list add list="port scanners" address=[/ip firewall address-list get $j address] timeout=7d
            /ip firewall address-list remove $j
           }
----------------------------------------
Through the checkpoint, any unknown IP that has not passed vpn-server authentication within 1 minute goes straight into port scanners and is blocked.
http://i.imgur.com/RYqDcGk.png
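Added example, not part of cspm333's post: a Python model of the address-list state machine the filter rules and the Vpn-points script implement, so the verdicts can be checked against a constructed timeline without a router. The timeouts and ports are the ones in the post; the two hosts, their timestamps and the `authenticated_ips` set (standing in for the caller-id / sa-src-address values of active PPP and IPsec sessions) are constructed.

```python
# Added example (not cspm333's script): a Python model of the post's address-list state
# machine, so the verdicts can be checked against constructed events without a router.
from dataclasses import dataclass, field
from typing import Dict, Set

TEMP_TIMEOUT = 80            # address-list-timeout=1m20s
MOBILE_TIMEOUT = 86400       # timeout=1d
SCANNER_TIMEOUT = 7 * 86400  # timeout=7d

# (protocol, dst-port) pairs the post's filter rules watch
VPN_PORTS = {("tcp", 1723), ("tcp", 443), ("tcp", 1194),
             ("udp", 500), ("udp", 1701), ("udp", 4500)}


@dataclass
class AddressLists:
    """Three dynamic address lists; each maps an IP to the time its entry expires."""
    lists: Dict[str, Dict[str, float]] = field(default_factory=lambda: {
        "temp": {}, "mobile": {}, "port scanners": {}})

    def expire(self, now: float) -> None:
        for entries in self.lists.values():
            for ip in [ip for ip, exp in entries.items() if exp <= now]:
                del entries[ip]

    def input_filter(self, now: float, src_ip: str, proto: str, dport: int) -> str:
        """The post's /ip firewall filter input rules, evaluated top to bottom."""
        self.expire(now)
        if src_ip in self.lists["mobile"]:
            return "accept"
        if src_ip in self.lists["temp"] and (proto, dport) in VPN_PORTS:
            return "accept"
        if src_ip in self.lists["port scanners"]:
            return "drop"
        if (proto, dport) in VPN_PORTS:
            # add-src-to-address-list: first contact from an unknown IP lands in temp
            self.lists["temp"][src_ip] = now + TEMP_TIMEOUT
            return "added to temp"
        return "no match"  # handled by the rest of the chain, not modelled here

    def checkpoint(self, now: float, authenticated_ips: Set[str]) -> None:
        """The scheduled Vpn-points script. authenticated_ips stands in for the
        caller-id / sa-src-address values of the active PPP and IPsec sessions."""
        self.expire(now)
        temp = self.lists["temp"]
        # loop 1: temp entries that hold an authenticated session are promoted to mobile
        for ip in list(temp):
            if ip in authenticated_ips and ip not in self.lists["mobile"]:
                del temp[ip]
                self.lists["mobile"][ip] = now + MOBILE_TIMEOUT
        # loop 2: whatever is still in temp with more than 2s left is treated as a scanner
        for ip in list(temp):
            if temp[ip] - now > 2:
                del temp[ip]
                self.lists["port scanners"][ip] = now + SCANNER_TIMEOUT


def run_scenario():
    """Constructed timeline: one legitimate user and one probing host (documentation
    addresses). Returns the lists plus the verdict for each host's next packet."""
    al = AddressLists()
    al.input_filter(0, "203.0.113.10", "tcp", 1723)   # legitimate PPTP user connects
    al.input_filter(5, "198.51.100.7", "tcp", 1723)   # unknown host tries PPTP
    al.input_filter(6, "198.51.100.7", "tcp", 443)    # ...and then SSTP
    # the scheduler fires at t=60; only the user holds an active PPP session by then
    al.checkpoint(60, authenticated_ips={"203.0.113.10"})
    return (al,
            al.input_filter(61, "203.0.113.10", "tcp", 1723),
            al.input_filter(61, "198.51.100.7", "tcp", 1194))


if __name__ == "__main__":
    lists, user_verdict, probe_verdict = run_scenario()
    print("user:", user_verdict, "| probe:", probe_verdict)
    print({name: sorted(entries) for name, entries in lists.lists.items()})
```

One thing the model makes visible: because the scheduler runs on its own minute boundary, an unknown IP gets anywhere between a few seconds and a full minute to complete authentication before loop 2 moves it to port scanners, which is why the post pairs the 1m20s list timeout with a 1-minute schedule.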
cspm333 2016-5-15 19:20
The purpose of load balancing is not to stack multiple lines into one fatter line, but to use probability to spread the load evenly across them.
Below we discuss the two probability calculations, nth and pcc.

NTH:
    /ip firewall mangle
    add action=mark-packet chain=prerouting new-packet-mark=Gateway_1 nth=3,1 passthrough=yes
    add action=mark-packet chain=prerouting new-packet-mark=Gateway_2 nth=3,2 passthrough=yes
    add action=mark-packet chain=prerouting new-packet-mark=Gateway_3 nth=3,3 passthrough=yes
⑴ nth=3,1 means: of every 3 new packets sent out, the 1st is marked Gateway_1
⑵ nth=3,2 means: of every 3 new packets sent out, the 2nd is marked Gateway_2
⑶ nth=3,3 means: of every 3 new packets sent out, the 3rd is marked Gateway_3

But is that the only way nth can split traffic? No... you have other options:
    /ip firewall mangle
    add action=mark-packet chain=prerouting new-packet-mark=Gateway_1 nth=3,1 passthrough=no
    add action=mark-packet chain=prerouting new-packet-mark=Gateway_2 nth=2,1 passthrough=no
    add action=mark-packet chain=prerouting new-packet-mark=Gateway_3
⑴ nth=3,1 means: of every 3 new packets sent out, the 1st is marked Gateway_1
⑵ After taking away the new packet given to Gateway_1, 2 of the 3 new packets remain..
so of those 2 remaining new packets, the 1st goes to Gateway_2 (hence it is marked with nth=2,1)
⑶ Of the 3 new packets, the 1st and 2nd already have a route, so no nth calculation is needed at all; just hand the rest to Gateway_3
(you could of course mark it nth=1,1, but that has no real meaning)
----------------------------------------
PCC:
    /ip firewall mangle
    add action=mark-connection chain=prerouting new-connection-mark=Gateway_1 \
    per-connection-classifier=src-address-and-port:3/0

    add action=mark-connection chain=prerouting new-connection-mark=Gateway_2 \
    per-connection-classifier=src-address-and-port:3/1

    add action=mark-connection chain=prerouting new-connection-mark=Gateway_3 \
    per-connection-classifier=src-address-and-port:3/2
PCC performs a division and uses the remainder to decide the routing direction.
http://i.imgur.com/UqQ0FbR.png
For example:
src:192.168.88.100:44117 dst:64.233.189.188:80
The example tells pcc to calculate on src-address and src-port, so (192+168+88+100+44117)/3=14888.333333

.3333 means it did not divide evenly; the remainder is 1, so this connection's final mark is Gateway_2

Because it is a remainder calculation, only 3/0 (divides evenly) exists; there can be no 3/3 (remainder equal to the divisor, what the hell is that)

Because it is remainder arithmetic, when there are too few connections they sometimes end up stuck on a few gateways.
For example:
src:192.168.88.100:44117 and src:192.168.88.104:1003 both have remainder 1, so both will always land on Gateway_2

So, to keep connections from sticking to a few gateways,
you can feed pcc more variables, such as dst-address or dst-port, or even mix in both, so the remainder varies more~
----------------------------------------
From the above we learn...
nth leans toward distribution by a fixed ratio, while pcc leans toward randomness.

Food for thought:
With 3 lines, must nth only count in groups of 3 packets, and must pcc only use 3 as the divisor...

Not at all...
Nobody says nth cannot decide on every 5 packets.
Nobody says pcc cannot use 7 as the divisor.

Just keep in mind:
with nth on 3 lines deciding on every 5 packets, you have to mark which route packet 4 / packet 5 go to.
with pcc on 3 lines dividing by 7, you have to mark which route remainders 3/4/5/6 go to.
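Added example, not code from cspm333's post: a Python model of the two mechanisms discussed above. The nth part walks packets through a mangle chain with per-rule counters and shows that both of the post's rule sets (equal nth=3,x rules with passthrough, and the chained 3,1 / 2,1 / catch-all version) give each gateway one packet in three. The PCC part reproduces the post's remainder arithmetic for `src-address-and-port:3`, then extends it to the other classifier names and to the divisor 7 the post mentions, so you can see the two colliding connections from the post split apart. The octet-plus-port sum is the post's own illustration and is what the model uses; a real router hashes the selected fields to a 32-bit value, so the remainders here match the post's worked numbers, not a live router. The classifier table, rule tuples and sample connections are constructed from the post's text.

```python
# Added example (not from cspm333's post): a model of RouterOS nth counters and of the
# remainder-based PCC classification, following the post's own explanation and numbers.
from collections import Counter
from typing import Dict, List, Optional, Tuple, Union

Conn = Dict[str, Union[str, int]]
# (every, packet, passthrough, mark); every=None means a rule without an nth matcher
NthRule = Tuple[Optional[int], Optional[int], bool, str]

# RouterOS per-connection-classifier names -> the header fields that feed the calculation
PCC_CLASSIFIERS = {
    "src-address": ("src_ip",),
    "dst-address": ("dst_ip",),
    "src-port": ("src_port",),
    "dst-port": ("dst_port",),
    "both-addresses": ("src_ip", "dst_ip"),
    "both-ports": ("src_port", "dst_port"),
    "src-address-and-port": ("src_ip", "src_port"),
    "dst-address-and-port": ("dst_ip", "dst_port"),
    "both-addresses-and-ports": ("src_ip", "src_port", "dst_ip", "dst_port"),
}


def pcc_sum(conn: Conn, classifier: str) -> int:
    """The post's arithmetic stand-in for the PCC hash: add up the octets of the selected
    addresses and the selected port numbers. A real router hashes those fields to a
    32-bit value instead, but the remainder logic that follows is the same."""
    total = 0
    for fld in PCC_CLASSIFIERS[classifier]:
        value = conn[fld]
        total += sum(int(o) for o in value.split(".")) if isinstance(value, str) else int(value)
    return total


def pcc_remainder(conn: Conn, classifier: str, denominator: int) -> int:
    """Which '<classifier>:<denominator>/<remainder>' rule this connection matches."""
    return pcc_sum(conn, classifier) % denominator


def pcc_gateway(conn: Conn, classifier: str, denominator: int) -> str:
    """Map the remainder to the post's mark names: 3/0 -> Gateway_1, 3/1 -> Gateway_2, ..."""
    return f"Gateway_{pcc_remainder(conn, classifier, denominator) + 1}"


def nth_distribution(rules: List[NthRule], packets: int) -> Counter:
    """Walk `packets` new packets through a chain of mangle rules. Each nth rule keeps its
    own counter, cycling 1..every, advanced only by packets that reach that rule; the rule
    matches when the counter equals `packet`. passthrough=no ends the walk for that packet."""
    counters = [0] * len(rules)
    marks: Counter = Counter()
    for _ in range(packets):
        mark = None
        for i, (every, packet, passthrough, m) in enumerate(rules):
            if every is None:
                matched = True
            else:
                counters[i] = counters[i] % every + 1
                matched = counters[i] == packet
            if matched:
                mark = m
                if not passthrough:
                    break
        marks[mark] += 1
    return marks


# the post's two nth rule sets
NTH_EQUAL = [(3, 1, True, "Gateway_1"), (3, 2, True, "Gateway_2"), (3, 3, True, "Gateway_3")]
NTH_CHAINED = [(3, 1, False, "Gateway_1"), (2, 1, False, "Gateway_2"), (None, None, False, "Gateway_3")]

# the post's two sample connections (constructed from its text)
CONN_A: Conn = {"src_ip": "192.168.88.100", "src_port": 44117, "dst_ip": "64.233.189.188", "dst_port": 80}
CONN_B: Conn = {"src_ip": "192.168.88.104", "src_port": 1003, "dst_ip": "64.233.189.188", "dst_port": 80}

if __name__ == "__main__":
    for name, rules in (("equal", NTH_EQUAL), ("chained", NTH_CHAINED)):
        print(f"nth {name}:", dict(nth_distribution(rules, 9)))
    for clf, den in (("src-address-and-port", 3), ("both-addresses-and-ports", 3), ("src-address-and-port", 7)):
        print(f"pcc {clf}:{den} ->", pcc_gateway(CONN_A, clf, den), pcc_gateway(CONN_B, clf, den))
```

With the post's two connections, `src-address-and-port:3` puts both on Gateway_2 (remainder 1 each, as the post says); dividing by 7 instead gives remainders 5 and 1, so they separate, which is the point of the "food for thought" section above.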
xm520147x 2013-10-3 22:46
hainanmm: What's your QQ? Add me. My Q: 892189! I've been to Chengdu once, Shuangliu airport. Heh..
qq:601772524
peckpock 2012-5-15 23:28
Got it, thanks~
host2318 2012-1-13 11:57
hainanmm: Friend, do you have a Q? Add one... My Q: 892189
I've posted all my tutorials. The commercial side you'll have to sort out yourself. If you need help, come find me; just treat me to a meal sometime! ESXi is commercial software and the licensing is serious. If you are a big company, think it over yourselves.
hainanmm 2011-3-26 13:51
qq:892189
miaomiao2008 2011-3-24 09:48
What's your qq? Tell me and let me see whether I can help you
