電訊茶室's Archiver

角色 posted on 2018-6-20 15:16

MikroTik hAP ac² - smart connect from mainland China to a HK VPN server

[i=s] Last edited by 角色 on 2018-6-20 15:18 [/i]

Smart connect from Hong Kong to a mainland VPN client (reverse wall-crossing)

Nowadays many home broadband connections in mainland China are given a private IP address by the ISP, so there is no way to VPN in from Hong Kong. What can be done? The answer is the "reverse wall-crossing" approach. We can use MikroTik routers: if WiFi is not needed, the RB750Gr3 costs about RMB 300 in the mainland; if WiFi is needed, consider MikroTik's newest 2018 product, the hAP ac², about RMB 420 in the mainland.

Suppose there is a device at home that can turn a certain port into a CN IP port, with different SSIDs: one group goes to the mainland, one goes to Hong Kong, and one can reach both mainland and Hong Kong sites at the same time (smart connect). Simply put, if the destination is a mainland IP it goes via the mainland gateway, otherwise via the Hong Kong gateway.
So how do we set up the hAP ac²?

Configuration goals:
1. Ether5 is the CN IP port
2. Ether4 is the Smart IP port
3. Ether2-3 are Hong Kong IP ports
4. Ether1 is the Hong Kong WAN port
5. SSID 1 (MT-2G) is Hong Kong IP
6. SSID 2 (MT-5G) is Hong Kong IP
7. SSID 3 (MT-2G-CN) is mainland IP
8. SSID 4 (MT-5G-CN) is mainland IP
9. SSID 5 (MT-2Gs) is Smart IP
10. SSID 6 (MT-5Gs) is Smart IP


address: vpn.abc.com (your Hong Kong VPN server address)
user name: cn
password: cn-password
VPN protocol: pptp


Mainland VPN router: VPN client side settings

If a MikroTik router is used on the mainland side, use a PPTP VPN client to connect to the Hong Kong VPN server.[code]
/interface pptp-client
    add connect-to=vpn.abc.com disabled=no name=pptp-hk password=cn-password user=cn
[/code].

Hong Kong VPN router: VPN server side settings

Step 1: Reset your router[code]
/system reset-configuration skip-backup=yes
[/code].

Step 2: VPN settings and MikroTik DNS[code]
/ip pool
add name=vpn ranges=192.168.89.2-192.168.89.255

/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=vpn

/interface l2tp-server server
set enabled=yes ipsec-secret=vpn-password use-ipsec=yes

/interface pptp-server server
set enabled=yes

/interface sstp-server server
set default-profile=default-encryption enabled=yes

/ip cloud
set ddns-enabled=yes

/system ntp client
set enabled=yes primary-ntp=118.143.17.82

/system clock
set time-zone-name=Asia/Hong_Kong

/ip firewall filter
add action=accept chain=input protocol=ipsec-esp comment="IPsec ESP method"
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp

/ip firewall nat
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=192.168.89.0/24

/ppp secret
add name=cn password=cn-password
[/code].

Move the rules under firewall filter to just after the rule for ICMP and before the drop rules of the input chain.

Figure 1: Before moving
[attach]4114[/attach]

Figure 2: After moving
[attach]4113[/attach]

Step 3: Set the default WiFi security profile (e.g. password=wifi-123)[code]
/interface wireless security-profiles
    set authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key=wifi-123 [find name="default"]
[/code].

Step 4: Set 2.4GHz SSID=MT-2G, 5GHz SSID=MT-5G[code]
/interface wireless
    set wlan1 ssid=MT-2G frequency=auto security-profile=default disabled=no
    set wlan2 ssid=MT-5G frequency=auto security-profile=default disabled=no
[/code].


Step 5: Create new bridges named bridge-cn and bridge-smart[code]
/interface bridge
    add name=bridge-cn
    add name=bridge-smart
[/code].


Step 6: Create virtual APs[code]
/interface wireless
    add disabled=no master-interface=wlan1 name=wlan3 ssid=MT-2G-CN
    add disabled=no master-interface=wlan1 name=wlan4 ssid=MT-2Gs
    add disabled=no master-interface=wlan2 name=wlan5 ssid=MT-5G-CN
    add disabled=no master-interface=wlan2 name=wlan6 ssid=MT-5Gs
[/code].


Step 7: Detach (remove) ether4 and ether5 from the default bridge[code]
/interface bridge port
    remove [find interface="ether5"]
/interface bridge port
    remove [find interface="ether4"]
[/code].


Step 8: Add ether5, wlan3 and wlan5 to the new bridge "bridge-cn"[code]
/interface bridge port
    add bridge=bridge-cn interface=ether5
    add bridge=bridge-cn interface=wlan3
    add bridge=bridge-cn interface=wlan5
[/code].

Step 9: Add ether4, wlan4 and wlan6 to the new bridge "bridge-smart"[code]
/interface bridge port
    add bridge=bridge-smart interface=ether4
    add bridge=bridge-smart interface=wlan4
    add bridge=bridge-smart interface=wlan6
[/code].


Step 10: Assign an IP address range 192.168.80.1/24 to the bridge-cn interface[code]
/ip address
    add address=192.168.80.1/24 interface=bridge-cn
[/code].

Step 11: Assign an IP address range 192.168.81.1/24 to the bridge-smart interface[code]
/ip address
    add address=192.168.81.1/24 interface=bridge-smart
[/code].

Step 12: Set up a DHCP server for bridge-cn[code]
/ip dhcp-server setup
[/code].

Based on the following screen dump, input the correct bridge name "bridge-cn" and the DNS servers 8.8.8.8 and 8.8.4.4[code]
[admin@MikroTik]
/ip address>
/ip dhcp-server setup
Select interface to run DHCP server on

dhcp server interface: bridge-cn
Select network for DHCP addresses

dhcp address space: 192.168.80.0/24
Select gateway for given network

gateway for dhcp network: 192.168.80.1
Select pool of ip addresses given out by DHCP server

addresses to give out: 192.168.80.2-192.168.80.254
Select DNS servers

dns servers: 8.8.8.8,8.8.4.4
Select lease time

lease time: 10m
[admin@MikroTik] /ip address>
[/code].

Step 12: Set up a DHCP server for bridge-smart[code]
/ip dhcp-server setup
[/code].

Same as for bridge-cn, replacing bridge-cn with bridge-smart and the 192.168.80.x addresses with the corresponding 192.168.81.x ones.

Step 13: blank

Step 14: Fetch the China IP address list[code]
/tool fetch url=http://www.iwik.org/ipcountry/mikrotik/CN
[/code].

Step 15: Import the list from the CN file[code]
/import file-name=CN
[/code].

Step 16: Mangle packets for policy routing by applying different routing marks[code]
/ip firewall mangle
    add action=mark-routing chain=prerouting in-interface=bridge-cn new-routing-mark=cn-gateway passthrough=no
    add action=mark-routing chain=prerouting in-interface=bridge-smart dst-address-list=CN new-routing-mark=cn-gateway passthrough=no
[/code].

Step 17: Apply masquerade to the out-interface "pptp-cn"[code]
/ip firewall nat
    add action=masquerade chain=srcnat out-interface=<pptp-cn>
[/code].

Step 18: The following rules are normally moved to before the FastTrack rule.[code]
/ip firewall filter
    add action=accept chain=forward in-interface=bridge-cn
    add action=accept chain=forward out-interface=bridge-cn
    add action=accept chain=forward in-interface=bridge-smart
    add action=accept chain=forward out-interface=bridge-smart
[/code].

When first added, those rules sit at the end of the list; drag and move them to before the FastTrack rules.

Figure 1: Just after adding
(see the other figures)

Figure 2: After moving
(see the other figures)

Step 19: Policy route based on the new routing mark "cn-gateway"[code]
/ip route
    add distance=1 gateway=<pptp-cn> routing-mark=cn-gateway
[/code].

Step 20: Reboot the router[code]
/system reboot
[/code].
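The tutorial makes two points that depend on rule order: in Step 2 the VPN accept rules only take effect once they sit before the input chain's drop rule, and in Step 16 the two mangle rules decide which LAN packets get the cn-gateway routing mark. The following Python model (an added example, not the thread's own RouterOS configuration) evaluates both chains first-match, the way RouterOS does, so the reader can see the verdict before and after moving the rules and which destinations from bridge-smart are sent to the tunnel. The CN_EXPORT text and the test packets are constructed sample data; the export format is assumed to match the CN file fetched in Step 14.

```python
"""First-match model of the HK router's input and prerouting mangle chains.

Added example (not the thread's own RouterOS config). CN_EXPORT and the
packets below are constructed; the export format is assumed to match the
address-list file fetched in Step 14.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed excerpt in RouterOS address-list export format (assumed).
CN_EXPORT = """\
/ip firewall address-list
add address=1.0.1.0/24 list=CN
add address=1.0.2.0/23 list=CN
add address=203.119.0.0/16 list=CN
"""


def parse_address_list(text, name):
    """Return the networks of one list from a RouterOS address-list export."""
    nets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] != "add":
            continue
        kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        if kv.get("list") == name and "address" in kv:
            nets.append(ipaddress.ip_network(kv["address"], strict=False))
    return nets


@dataclass
class Packet:
    chain: str
    in_iface: str = ""
    proto: str = ""
    dst_port: int = 0
    dst: str = "0.0.0.0"


@dataclass
class Rule:
    chain: str
    action: str          # accept, drop or mark-routing
    comment: str = ""
    value: str = ""      # routing mark for mark-routing rules
    match: dict = field(default_factory=dict)

    def matches(self, pkt, lists):
        for key, want in self.match.items():
            if key == "dst_address_list":
                ip = ipaddress.ip_address(pkt.dst)
                if not any(ip in net for net in lists[want]):
                    return False
            elif getattr(pkt, key) != want:
                return False
        return True


def evaluate(rules, pkt, lists):
    """First matching rule of the packet's chain decides. With no match the
    input chain accepts and the mangle chain leaves the packet unmarked (main table)."""
    for rule in rules:
        if rule.chain == pkt.chain and rule.matches(pkt, lists):
            return rule.action, rule.value or rule.comment
    return ("accept", "chain default") if pkt.chain == "input" else ("none", "main")


def move_before(rules, comment_prefix, target_comment):
    """Model 'drag and move': put rules whose comment starts with
    comment_prefix directly before the rule commented target_comment."""
    moving = [r for r in rules if r.comment.startswith(comment_prefix)]
    rest = [r for r in rules if r not in moving]
    idx = next(i for i, r in enumerate(rest) if r.comment == target_comment)
    return rest[:idx] + moving + rest[idx:]


# Input chain as Step 2 leaves it: trimmed default rules, VPN accepts appended.
INPUT_RULES = [
    Rule("input", "accept", "accept icmp", match={"proto": "icmp"}),
    Rule("input", "drop", "drop from wan", match={"in_iface": "ether1"}),
    Rule("input", "accept", "allow pptp", match={"proto": "tcp", "dst_port": 1723}),
    Rule("input", "accept", "allow l2tp", match={"proto": "udp", "dst_port": 1701}),
]

# The two mangle rules from Step 16.
MANGLE_RULES = [
    Rule("prerouting", "mark-routing", "bridge-cn", "cn-gateway",
         match={"in_iface": "bridge-cn"}),
    Rule("prerouting", "mark-routing", "smart to CN", "cn-gateway",
         match={"in_iface": "bridge-smart", "dst_address_list": "CN"}),
]

LISTS = {"CN": parse_address_list(CN_EXPORT, "CN")}


def pptp_from_wan(rules):
    """Verdict for a PPTP connection attempt arriving on the WAN port."""
    return evaluate(rules, Packet("input", "ether1", "tcp", 1723), LISTS)[0]


def routing_mark(in_iface, dst):
    """Routing mark (or 'main') a LAN packet gets from the Step 16 rules."""
    return evaluate(MANGLE_RULES, Packet("prerouting", in_iface, dst=dst), LISTS)[1]


if __name__ == "__main__":
    print("before moving:", pptp_from_wan(INPUT_RULES))
    print("after moving:", pptp_from_wan(move_before(INPUT_RULES, "allow", "drop from wan")))
    for iface, dst in [("bridge-cn", "8.8.8.8"), ("bridge-smart", "1.0.1.9"),
                       ("bridge-smart", "8.8.8.8"), ("bridge", "1.0.1.9")]:
        print(iface, dst, "->", routing_mark(iface, dst))
```

Running it shows the PPTP attempt being dropped while the accept rules trail the drop rule and accepted once they are moved above it, and that only bridge-cn traffic and CN-listed destinations from bridge-smart receive the cn-gateway mark; everything else stays in the main table and leaves through the Hong Kong WAN.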

角色 posted on 2018-10-15 23:53

I expect some members will be interested in this thread.

yiucsw posted on 2019-1-6 12:07

I need to redo the VPN on the mainland side, because BCP cannot be used on the LTAP. I want SSTP, with SSID HK fully routed to Hong Kong and SSID smart policy-routed to Hong Kong. Looking at your settings, are they for the Hong Kong router or the China router? What is the L2TP VPN used for?

yiucsw posted on 2019-1-6 12:20

Actually, apart from Google's DNS 8.8.8.8, there are other DNS servers that work much better in China.

角色 posted on 2019-1-6 12:31

[b]Reply to [url=http://www.telecom-cafe.com/forum/redirect.php?goto=findpost&pid=45776&ptid=7185]3#[/url] [i]yiucsw[/i] [/b]

On the mainland side, route to the PPP link (linked to the HK VPN router).

L2TP over IPsec, PPTP and SSTP are all the same in this respect; only the method differs.

yiucsw posted on 2019-1-7 00:31

I guess SSTP and PPTP work differently.
The SSTP server does not assign a default route/IP to the client side.
An IP route to the server side cannot IP-forward back to the client..
I don't really want to add IP addresses to SSTP... Are there any other ways?

角色 posted on 2019-1-7 10:53

As I recall, both PPTP and SSTP worked for me. The main thing is to first establish a PPP link and then follow the usual procedure; nothing needs to be done on the server side.


Powered by Discuz! Archiver 7.2  © 2001-2009 Comsenz Inc.