電訊茶室's Archiver

角色 posted on 2018-6-20 14:36

MikroTik hAP ac² - from Hong Kong, smart connect to a mainland VPN client (reverse wall-climbing)

[i=s] Last edited by 角色 on 2018-6-20 15:05 [/i]

From Hong Kong, smart connect to a mainland VPN client (reverse wall-climbing)

Nowadays most mainland home broadband lines get only a private IP address from the ISP, so there is no way to VPN into them from Hong Kong. What can be done? The answer is the "reverse wall-climbing" approach: the mainland side dials out to Hong Kong. We can use MikroTik routers for this. If WiFi is not needed, an RB750Gr3 costs roughly RMB 300 on the mainland; if WiFi is needed, consider MikroTik's newest 2018 product, the hAP ac^2, about RMB 420 on the mainland.

Suppose a device at home can turn one port into a CN IP port and offer different SSIDs: one group goes out via the mainland, one via Hong Kong, and one can reach both mainland and Hong Kong sites at the same time (smart connect). Simply put, if the destination is a mainland IP it goes through the mainland gateway, otherwise through the Hong Kong gateway.
So how do we set up the hAP ac^2?

Configuration targets:
1. Ether5 is the CN IP port
2. Ether4 is the Smart IP port
3. Ether2-3 are Hong Kong IP ports
4. Ether1 is the Hong Kong WAN port
5. SSID 1 (MT-2G) is Hong Kong IP
6. SSID 2 (MT-5G) is Hong Kong IP
7. SSID 3 (MT-2G-CN) is mainland IP
8. SSID 4 (MT-5G-CN) is mainland IP
9. SSID 5 (MT-2Gs) is Smart IP
10. SSID 6 (MT-5Gs) is Smart IP


address: vpn.abc.com (your Hong Kong VPN server address)
user name:cn
password:cn-password
VPN protocol:pptp


Mainland VPN router: VPN client side settings

If the mainland side uses a MikroTik router, use a PPTP VPN client to connect to the Hong Kong VPN server.[code]
/interface pptp-client
    add connect-to=vpn.abc.com disabled=no name=pptp-hk password=cn-password user=cn
[/code]

Hong Kong VPN router: VPN server side settings

Step 1: Reset your router[code]
/system reset-configuration skip-backup=yes
[/code]

Step 2:VPN settings and MikroTik DNS[code]
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255

/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn

/interface l2tp-server server
set enabled=yes ipsec-secret=vpn-password use-ipsec=yes

/interface pptp-server server
set enabled=yes

/interface sstp-server server
set default-profile=default-encryption enabled=yes

/ip cloud
set ddns-enabled=yes

/system ntp client
set enabled=yes primary-ntp=118.143.17.82

/system clock
set time-zone-name=Asia/Hong_Kong

/ip firewall filter
add action=accept chain=input comment="IPsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp

/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24

/ppp secret
add name=cn password=cn-password
[/code]

Move the rules under firewall filter to just after the rules for ICMP and before the drop rules for the input chain.

Figure 1: Before moving
[attach]4111[/attach]

Figure 2: After moving
[attach]4112[/attach]

Step 3: Set the default WiFi security profile (e.g. password=wifi-123)[code]
/interface wireless security-profiles
    set [find name="default"] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=wifi-123
[/code]

Step 4: Set 2.4GHz SSID=MT-2G, 5GHz SSID=MT-5G[code]
/interface wireless
    set wlan1 ssid=MT-2G frequency=auto security-profile=default disabled=no
    set wlan2 ssid=MT-5G frequency=auto security-profile=default disabled=no
[/code]

Step 5: Create new bridges named bridge-cn and bridge-smart[code]
/interface bridge
    add name=bridge-cn
    add name=bridge-smart
[/code]


Step 6: Create virtual APs[code]
/interface wireless
    add disabled=no master-interface=wlan1 name=wlan3 ssid=MT-2G-CN
    add disabled=no master-interface=wlan1 name=wlan4 ssid=MT-2Gs
    add disabled=no master-interface=wlan2 name=wlan5 ssid=MT-5G-CN
    add disabled=no master-interface=wlan2 name=wlan6 ssid=MT-5Gs
[/code]

Step 7: Detach (remove) ether4 and ether5 from the default bridge[code]
/interface bridge port
    remove [find interface="ether5"]
    remove [find interface="ether4"]
[/code]

Step 8: Add ether5, wlan3 and wlan5 to the new bridge "bridge-cn"[code]
/interface bridge port
    add bridge=bridge-cn interface=ether5
    add bridge=bridge-cn interface=wlan3
    add bridge=bridge-cn interface=wlan5
[/code]

Step 9: Add ether4, wlan4 and wlan6 to the new bridge "bridge-smart"[code]
/interface bridge port
    add bridge=bridge-smart interface=ether4
    add bridge=bridge-smart interface=wlan4
    add bridge=bridge-smart interface=wlan6
[/code]


Step 10: Assign the address 192.168.80.1/24 to the bridge-cn interface[code]
/ip address
    add address=192.168.80.1/24 interface=bridge-cn
[/code]

Step 11: Assign the address 192.168.81.1/24 to the bridge-smart interface[code]
/ip address
    add address=192.168.81.1/24 interface=bridge-smart
[/code]

Step 12: Set up a DHCP server for bridge-cn[code]
/ip dhcp-server setup
[/code]

Based on the following screen dump, input the correct bridge name "bridge-cn" and the DNS servers 8.8.8.8 and 8.8.4.4[code]
[admin@MikroTik] /ip address> /ip dhcp-server setup
Select interface to run DHCP server on

dhcp server interface: bridge-cn
Select network for DHCP addresses

dhcp address space: 192.168.80.0/24
Select gateway for given network

gateway for dhcp network: 192.168.80.1
Select pool of ip addresses given out by DHCP server

addresses to give out: 192.168.80.2-192.168.80.254
Select DNS servers

dns servers: 8.8.8.8,8.8.4.4
Select lease time

lease time: 10m
[admin@MikroTik] /ip address>
[/code]

Step 13: Set up a DHCP server for bridge-smart[code]
/ip dhcp-server setup
[/code]

Same as for bridge-cn, replacing bridge-cn with bridge-smart (and 192.168.80.x with 192.168.81.x).

Step 14: Fetch the China IP address list[code]
/tool fetch url=http://www.iwik.org/ipcountry/mikrotik/CN
[/code]

Step 15: Import the list from the CN file[code]
/import file-name=CN
[/code]

Step 16: Mangle packets for policy routing by applying a routing mark[code]
/ip firewall mangle
    add action=mark-routing chain=prerouting in-interface=bridge-cn new-routing-mark=cn-gateway passthrough=no
    add action=mark-routing chain=prerouting in-interface=bridge-smart dst-address-list=CN new-routing-mark=cn-gateway passthrough=no
[/code]

Step 17: Apply masquerade to the out-interface "<pptp-cn>"[code]
/ip firewall nat
    # <pptp-cn> is the dynamic interface RouterOS creates for the PPTP session of user "cn"
    add action=masquerade chain=srcnat out-interface=<pptp-cn>
[/code]

Step 18: The following rules are normally moved ahead of the FastTrack rule.[code]
/ip firewall filter
    add action=accept chain=forward in-interface=bridge-cn
    add action=accept chain=forward out-interface=bridge-cn
    add action=accept chain=forward in-interface=bridge-smart
    add action=accept chain=forward out-interface=bridge-smart
[/code]

When first added, these rules sit at the end of the list; drag and move them ahead of the FastTrack rules.

Figure 1: as installed
(refer to the other figures)

Figure 2: after moving
(refer to the other figures)

Step 19: Policy route based on the new routing-mark "cn-gateway"[code]
/ip route
    # gateway is the dynamic PPTP interface of user "cn"
    add distance=1 gateway=<pptp-cn> routing-mark=cn-gateway
[/code]

Step 20: Reboot the router[code]
/system reboot
[/code]
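A check worth doing between Steps 14 and 16, as an added example that is not part of this post or of MikroTik's tooling: `/tool fetch` pulls the CN list over plain HTTP, and `/import` then executes every line of the file as a RouterOS command, so before importing it is sensible to confirm the file contains nothing but `add address=... list=CN` entries. The Python below validates a fetched list in that form (the sample text is constructed; the exact layout of the real iwik.org file is an assumption) and then replays the two Step 16 mangle rules against the accepted prefixes, so you can see which traffic receives routing-mark cn-gateway and which stays on the Hong Kong WAN.

```python
import ipaddress
import re

# Constructed sample standing in for the file Step 14 fetches. Three lines
# are deliberately bad so the validator has something to reject.
SAMPLE_CN_RSC = """\
/ip firewall address-list
add address=1.0.1.0/24 list=CN
add list=CN address=14.0.0.0/21
add address=36.0.0.0/8 list=CN comment="broad prefix"
add address=not-an-ip list=CN
/system script add name=x source="..."
add address=203.0.113.0/24 list=OTHER
"""

HEADER = "/ip firewall address-list"          # the only menu line we accept
ADD_LINE = re.compile(r"^add\s+(.*)$")
ATTR = re.compile(r'([\w-]+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
ALLOWED_KEYS = {"address", "list", "comment"}


def parse_address_list(text, list_name="CN"):
    """Return (networks, rejected_lines) for a RouterOS address-list script.

    Only the address-list header and `add address=<cidr> list=<list_name>`
    lines are accepted. Anything else is a command that /import would run,
    so it is reported rather than silently passed through.
    """
    networks, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == HEADER:
            continue
        m = ADD_LINE.match(line)
        if not m:                      # some other RouterOS command
            rejected.append(raw)
            continue
        attrs = {k: v.strip('"') for k, v in ATTR.findall(m.group(1))}
        if set(attrs) - ALLOWED_KEYS or attrs.get("list") != list_name:
            rejected.append(raw)       # unexpected attribute or wrong list
            continue
        try:
            net = ipaddress.IPv4Network(attrs.get("address", ""), strict=True)
        except ValueError:
            rejected.append(raw)       # malformed prefix
            continue
        networks.append(net)
    return networks, rejected


def routing_mark(in_interface, dst, cn_networks):
    """Simulate the two Step 16 mangle rules (chain=prerouting, passthrough=no).

    Rule 1: anything arriving on bridge-cn is marked cn-gateway.
    Rule 2: traffic from bridge-smart is marked only when dst is in the CN list.
    Everything else keeps no mark and follows the main table (Hong Kong WAN).
    """
    dst_ip = ipaddress.IPv4Address(dst)
    if in_interface == "bridge-cn":
        return "cn-gateway"
    if in_interface == "bridge-smart" and any(dst_ip in n for n in cn_networks):
        return "cn-gateway"
    return None


if __name__ == "__main__":
    nets, bad = parse_address_list(SAMPLE_CN_RSC)
    print(f"{len(nets)} CN prefixes accepted, {len(bad)} lines rejected")
    for line in bad:
        print("  REJECT:", line)
    for iface, dst in [("bridge-cn", "8.8.8.8"), ("bridge-smart", "1.0.1.5"),
                       ("bridge-smart", "8.8.8.8"), ("bridge", "1.0.1.5")]:
        print(f"{iface:13s} -> {dst:10s} mark={routing_mark(iface, dst, nets)}")
```

Run it against the real download by replacing SAMPLE_CN_RSC with the file's contents; if the rejected list is not empty, look at those lines before running `/import`, since a host route, a script or an extra list in that file would be applied to the router with the same privileges as the rest of the configuration.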

carlchan posted on 2018-6-21 21:40

Using an Android mobile/LTE, I can get online.
VPN to the home router works (connected).
[img]https://attach.mobile01.com/attach/201806/mobile01-74a626d180509054abe4bbbb19178e45.jpg[/img]
How do I set up ether5 (interface) to go online through this VPN,
while the others (ether2~4) go online directly ...?

Thanks!!

角色 posted on 2018-6-21 21:57

Steps 7 to 9 cover that.
Mainly detach ether5, then tie it to the mainland bridge "bridge-cn".

Are you doing the reverse VPN from Hong Kong back to the mainland?

Which router are you using?

carlchan posted on 2018-6-21 22:13

[i=s] Last edited by carlchan on 2018-6-21 22:15 [/i]

ac^2 - L2TP server (home)
hAPac - at office via mobile USB

The hAPac is just like being in China: via mobile/USB it only gets a 192.168.42.0/24 address...

The hAPac would be brought to other places and/or overseas ...

角色 posted on 2018-6-21 22:24

"hAPac - at office via mobile USB": could you describe how you connect it? Which modem, and how is it hooked up? Could you capture a few screenshots, since some members would like to refer to them.

For example, in remote parts of the New Territories, instead of ADSL, use a 4G USB modem plugged into the hAP ac^2.

carlchan posted on 2018-6-21 22:42

Android phone with a USB cable connected into the USB port of the hAP,
enable USB data sharing, and then the hAP gets the IP on the LTE or
DHCP client page...
Without any other WAN interface, the LTE acts as the WAN.

I can get to the internet, and set up an L2TP client to connect to my home L2TP server.

carlchan posted on 2018-6-21 22:54

[i=s] Last edited by carlchan on 2018-6-21 22:55 [/i]

After the VPN connected, I got an LTE route and a VPN route.
How can I force all traffic to the VPN?
If I just change the distance, vpn = 1, lte = 2,
I cannot get to the internet.

角色 posted on 2018-6-22 00:10

You have to use policy route to tell the router to route the traffic based on routing mark.

carlchan posted on 2018-6-22 08:44

A clearer pic

角色 posted on 2018-6-22 10:05

[i=s] Last edited by 角色 on 2018-6-22 16:34 [/i]

I use my hAP ac^2 + mobile phone + USB cable, enable USB tethering and it just works. I guess the problem is that you have not separated WAN and LTE clearly. When I have time I'll write another post about connecting via USB tethering or a USB modem.

First treat LTE as just an interface; this interface lets you get online, like a WAN. What you should do is NAT masquerade the local network source onto the LTE interface so that the router can get online. Everything after that is the same as in this post, no difference.

角色 posted on 2018-6-22 16:39

[quote]Using an Android mobile/LTE, I can get online.
VPN to the home router works (connected).

How do I set up ether5 (interface) to use this  ...
[size=2][color=#999999]carlchan posted on 2018-6-21 21:40[/color][/size][/quote]

You said: "How do I set up ether5 (interface) to go online through this VPN". I guess the device on that port needs a Hong Kong IP, right?

角色 posted on 2018-6-22 16:50

[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=45022&ptid=7184]7#[/url] [i]carlchan[/i] [/b]

I remember I have never touched the distance parameter; I always use policy routing.

gfx86674 posted on 2018-6-22 18:27

[i=s] Last edited by gfx86674 on 2018-6-22 18:29 [/i]

[quote]A clearer pic
[size=2][color=#999999]carlchan posted on 2018-6-22 08:44[/color][/size][/quote]You're also the one who asked on Mobile01, right ;P

1. Remove bridge-hk... it isn't needed.
Since ether5 doesn't need to be bound to bridge-hk, please also go to the bridge port settings and remove ether5's binding.

2. Enable another dhcp-server for ether5 (interface=ether5); set it up under /ip dhcp-server.
Just copy what was done for bridge-lan.

3. Add to /ip route rule:
[img]https://i.imgur.com/BfaZJb3.png[/img]

4. Add to /ip route:
[img]https://imgur.com/iQUDzDu.png[/img]

5. Add to /ip firewall nat:
[img]https://imgur.com/A364Rya.png[/img]
[img]https://imgur.com/BdZTjiz.png[/img]
Place it ahead of the other chain=srcnat rules so it takes priority.

角色 posted on 2018-6-22 18:54

[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=45031&ptid=7184]13#[/url] [i]gfx86674[/i] [/b]

I use bridge-hk mainly so the WiFi is tied in too, which is handy later on.

Where do you add your to-hk? Is it under mangle?

角色 posted on 2018-6-22 19:10

Your two points below:
[quote]
1. Remove bridge-hk... it isn't needed.
Since ether5 doesn't need to be bound to bridge-hk, please also go to the bridge port settings and remove ether5's binding.

2. Enable another dhcp-server for ether5 (interface=ether5); set it up under /ip dhcp-server.
Just copy what was done for bridge-lan.
[/quote]

So what is the difference from just creating one more bridge?

carlchan posted on 2018-6-22 19:30

Thanks everyone

Let me try

And looking at the BCP method

gfx86674 posted on 2018-6-22 19:53

[i=s] Last edited by gfx86674 on 2018-6-22 20:06 [/i]

[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=45032&ptid=7184]14#[/url] [i]角色[/i] [/b]
When it isn't needed, with only a single ethernet port, not using a bridge saves the resources that software bridging eats up.

/ip route rule is another form of policy routing; the routing-mark name can be defined directly in the table.
[img]https://imgur.com/G8T6mdi.png[/img]

Pairing with /ip firewall mangle is not the only way to mark...
but /ip firewall mangle can be used together with an address-list, which /ip route rule cannot make use of.

In terms of precedence, /ip route rule > /ip firewall mangle.
What has already been marked in /ip firewall mangle
can be narrowed further by /ip route rule, by src-address or dst-address, within the scope of the marked routing-mark.
[img]https://imgur.com/3oEbKgn.png[/img]

Not just policy routing:
/ip route rule also has firewall filter capability;
choosing action=drop or unreachable discards the packets you select... that's it :D
[img]https://imgur.com/gG3L5Vv.png[/img]

角色 posted on 2018-6-22 20:10

[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=45036&ptid=7184]17#[/url] [i]gfx86674[/i] [/b]

Thanks for the info, CHing; I'll study the different policy-route based methods properly.

carlchan posted on 2018-6-23 01:32

[quote]You're also the one who asked on Mobile01, right

1. Remove bridge-hk... it isn't needed.
Since ether5 doesn't need to be bound to bridge-hk, please also ...
[size=2][color=#999999]gfx86674 posted on 2018-6-22 18:27[/color][/size][/quote]

It is now working!
I just want to bring the L2TP client modem to the site and use ether5,
so I can remote desktop to my home computer without setting up a VPN on the desktop ...

Thank you all, big big brothers ...

And now looking at the BCP connection ...
[url]http://www.telecom-cafe.com/forum/viewthread.php?tid=7087&extra=page%3D1[/url]

角色 posted on 2018-6-23 13:09

[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=45043&ptid=7184]19#[/url] [i]carlchan[/i] [/b]

Good that you got it working. CHing, are you using a USB 4G modem plugged into the hAP ac's USB port?


Powered by Discuz! Archiver 7.2  © 2001-2009 Comsenz Inc.