Hello readers, in this article I want to share my experience of setting up an internal Yandex Cloud network and routing it to the Internet through MikroTik RouterOS.
There is one VPC, managed by an internal service, that hands out external IPs to internal VMs through a subnet gateway behind NAT, which is very inconvenient for centralized administration.
The internal network layout and the way an external IP is obtained in Yandex Cloud look like this:

ip NAT-instance forward, . / ( VPC Preview).
, IP VPC1


Internal1-a – 10.1.0.0/24
Internal2-a – 10.1.1.0/24
Internal1-b – 10.1.2.0/24
Internal2-b – 10.1.3.0/24
Internal1-c – 10.1.4.0/24
Internal2-c – 10.1.5.0/24
, . . ip
Gateway – X.X.X.1
Internal DNS – X.X.X.2
RouterOS.
Cloud Marketplace -> -> Cloud Hosted Router ip
RouterOS
Ether1 – 10.1.0.254
Ether2 – 10.1.1.254
ether1 winbox. , admin rsa public key.
CLI. winbox, , ip route ..
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip,
b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 10.1.0.1 1
1 ADC 10.1.1.0/24 10.1.1.254 ether2 0
2 ADC 10.1.0.0/24 10.1.0.254 ether1 0
ether1 10.1.0.1 NAT . ip , .
2 , 2 , distance .
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=2
add dst-address=10.1.2.0/24 gateway=10.1.0.1 distance=1
add dst-address=10.1.3.0/24 gateway=10.1.1.1 distance=1
add dst-address=10.1.5.0/24 gateway=10.1.1.1 distance=1
add dst-address=10.1.4.0/24 gateway=10.1.0.1 distance=1
b c a.
firewall.
/ip firewall filter
add chain=input action=accept src-address=10.1.5.0/24
add chain=input action=accept src-address=10.1.1.0/24
add chain=input action=accept src-address=10.1.3.0/24
add chain=input action=accept src-address=10.1.2.0/24
add chain=input action=accept src-address=10.1.0.0/24
add chain=input action=accept src-address=10.1.4.0/24
ping
/ip firewall filter
add chain=input action=accept protocol=icmp
/ip firewall filter
add chain=forward action=accept src-address=10.1.5.0/24 \
dst-address=0.0.0.0/0
add chain=forward action=accept src-address=10.1.1.0/24 \
dst-address=0.0.0.0/0
add chain=forward action=accept src-address=10.1.3.0/24 \
dst-address=0.0.0.0/0
add chain=forward action=accept src-address=10.1.2.0/24 \
dst-address=0.0.0.0/0
add chain=forward action=accept src-address=10.1.0.0/24 \
dst-address=0.0.0.0/0
add chain=forward action=accept src-address=10.1.4.0/24 \
dst-address=0.0.0.0/0
/ip firewall filter add chain=input action=drop log=no
/ip firewall filter move numbers="[old rule no]" \
destination="[new rule no]"
/ip firewall filter print
ip , MultiWAN. MULTIWAN ( )
WAN , route rules, 2 interface list
/interface list
add name="WAN1"
add name="WAN2"
/interface list member
add list=WAN1 interface=ether1 dynamic=no
add list=WAN2 interface=ether2 dynamic=no
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.0.1 distance=1 routing-mark=WAN1
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=1 routing-mark=WAN2
, ether1, ,
/ip route rule
add src-address=10.1.0.0/16 dst-address=10.1.0.0/16 action=lookup-only-in-table table=main
add src-address=10.1.3.0/24 action=lookup-only-in-table table=WAN2
add src-address=10.1.5.0/24 action=lookup-only-in-table table=WAN2
2 ip , .
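To show what the route rules above actually do, here is an added Python model of the lookup (not from the article and not RouterOS code): it walks the /ip route rule entries first-match, then picks the longest-prefix, lowest-distance route in the chosen table. The tables and routes are transcribed from the article's commands; connected routes are labelled with their interface names.

```python
import ipaddress

# Transcribed from the article: routes in "main" plus the WAN1/WAN2 tables
# created via routing-mark. Tuples are (prefix, gateway-or-interface, distance).
ROUTES = {
    "main": [("0.0.0.0/0", "10.1.0.1", 1), ("0.0.0.0/0", "10.1.1.1", 2),
             ("10.1.0.0/24", "ether1", 0), ("10.1.1.0/24", "ether2", 0),
             ("10.1.2.0/24", "10.1.0.1", 1), ("10.1.3.0/24", "10.1.1.1", 1),
             ("10.1.4.0/24", "10.1.0.1", 1), ("10.1.5.0/24", "10.1.1.1", 1)],
    "WAN1": [("0.0.0.0/0", "10.1.0.1", 1)],
    "WAN2": [("0.0.0.0/0", "10.1.1.1", 1)],
}
# /ip route rule entries as (src-address, dst-address or None, table),
# evaluated top to bottom; the first matching rule decides the table.
RULES = [("10.1.0.0/16", "10.1.0.0/16", "main"),
         ("10.1.3.0/24", None, "WAN2"),
         ("10.1.5.0/24", None, "WAN2")]

def select_table(src, dst):
    """Model of action=lookup-only-in-table: first matching rule wins, else main."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule_src, rule_dst, table in RULES:
        if s in ipaddress.ip_network(rule_src) and (
                rule_dst is None or d in ipaddress.ip_network(rule_dst)):
            return table
    return "main"

def lookup(src, dst):
    """Return (table, next hop) for a packet: longest prefix, then lowest distance."""
    table = select_table(src, dst)
    d = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, dist in ROUTES[table]:
        net = ipaddress.ip_network(prefix)
        if d not in net:
            continue
        key = (net.prefixlen, -dist)   # longer prefix wins, then lower distance
        if best is None or key > best[0]:
            best = (key, gw)
    return table, (best[1] if best else None)

if __name__ == "__main__":
    for src, dst in [("10.1.3.7", "8.8.8.8"), ("10.1.0.5", "8.8.8.8"),
                     ("10.1.3.7", "10.1.0.5")]:
        print(src, "->", dst, lookup(src, dst))
```

Note that traffic between internal subnets is caught by the first rule and stays in main even when the source is 10.1.3.0/24, which is exactly why that rule is placed before the WAN2 rules.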
Virtual Private Cloud -> -> NAT -> -> , -> : 0.0.0.0/0, Next hop: 10.1.0.1/10.1.1.1 -> .
( api kubernetes) ipsec, 2
: 10.1.0.0/16, Next hop: 10.1.0.1/10.1.1.1
: <_>, Next hop: 10.1.0.1/10.1.1.1
, , IP , srcnat . masquerade
/ip firewall nat
add chain=srcnat action=accept src-address=10.1.0.0/16 dst-address=10.1.0.0/16
add chain=srcnat action=masquerade src-address=10.1.0.0/24 dst-address=0.0.0.0/0
add chain=srcnat action=masquerade src-address=10.1.1.0/24 dst-address=0.0.0.0/0
add chain=srcnat action=masquerade src-address=10.1.2.0/24 dst-address=0.0.0.0/0
add chain=srcnat action=masquerade src-address=10.1.3.0/24 dst-address=0.0.0.0/0
add chain=srcnat action=masquerade src-address=10.1.4.0/24 dst-address=0.0.0.0/0
add chain=srcnat action=masquerade src-address=10.1.5.0/24 dst-address=0.0.0.0/0
ip . .

// ip :
/ip firewall nat
add chain=dstnat action=netmap to-addresses=10.1.5.20 \
to-ports=10050 protocol=tcp src-address=7.7.7.1 in-interface-list=WAN2 port=10055
add chain=dstnat action=netmap to-addresses=10.1.0.5 \
to-ports=3306 protocol=tcp src-address=7.7.7.2 in-interface-list=WAN1 port=11050
7.7.7.1/7.7.7.2 ip .
, ipsec, , .
: ipsec
, ipsec ip
, psk, . . ip NAT, peer mikrotik, identity IP
/ip ipsec profile
add name="office" hash-algorithm=sha512 enc-algorithm=des dh-group=modp1536 \
lifetime=8h proposal-check=obey nat-traversal=no \
dpd-interval=2m dpd-maximum-failures=5
/ip ipsec peer
add name="peer_office" address=9.9.9.1/32 local-address=10.1.1.0 \
profile=office exchange-mode=aggressive send-initial-contact=yes
/ip ipsec identity
add peer=peer_office auth-method=pre-shared-key notrack-chain="prerouting" \
secret="123123123" generate-policy=no policy-template-group=office \
my-id=address:<cloud_ext_ip_address>
/ip ipsec proposal
add name="office" auth-algorithms=sha256 \
enc-algorithms=des lifetime=1h pfs-group=modp1536
/ip ipsec policy
add peer=peer_office tunnel=yes src-address=10.1.0.0/16 src-port=any \
dst-address=10.7.0.0/16 \
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp \
sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office
, peer level unique, 12.1.0.0/24 12.10.0.0/24
/ip ipsec policy
add peer=peer_office tunnel=yes src-address=10.1.0.0/16 src-port=any \
dst-address=12.1.0.0/24 \
dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp \
sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office
add peer=peer_office tunnel=yes src-address=10.1.0.0/16 src-port=any \
dst-address=12.10.0.0/24 \
dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp \
sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office
firewall — filter rules, NAT, raw, NAT
/ip firewall filter
add chain=input action=accept src-address=10.7.0.0/16
add chain=input action=accept protocol=ipsec-esp src-address=9.9.9.1
add chain=input action=accept protocol=udp src-address=9.9.9.1 port=500
add chain=forward action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16
add chain=forward action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16
/ip firewall nat
add chain=srcnat action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16
add chain=srcnat action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16
/ip firewall raw
add chain=prerouting action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16
add chain=prerouting action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16
10.7.0.0/16 — , 9.9.9.1 — ip
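As an added check (not part of the article), a small Python audit of a RouterOS export. The export text is constructed from the article's own firewall and IPsec lines: the audit confirms that the input chain's drop rule is last (the reason the article moves it with `move numbers=`), and flags the `des` cipher and the aggressive-mode peer in the IPsec section.

```python
import re

# Constructed excerpt of a RouterOS export, assembled from the article's
# commands (not a real device export). The drop rule sits before the
# IPsec accept rules on purpose, to show what the audit catches.
EXPORT = r"""
/ip firewall filter
add chain=input action=accept protocol=icmp
add chain=input action=drop log=no
add chain=input action=accept src-address=10.7.0.0/16
add chain=input action=accept protocol=ipsec-esp src-address=9.9.9.1
add chain=input action=accept protocol=udp src-address=9.9.9.1 port=500
/ip ipsec profile
add name="office" hash-algorithm=sha512 enc-algorithm=des dh-group=modp1536 \
    lifetime=8h proposal-check=obey nat-traversal=no
/ip ipsec peer
add name="peer_office" address=9.9.9.1/32 profile=office exchange-mode=aggressive
/ip ipsec proposal
add name="office" auth-algorithms=sha256 enc-algorithms=des lifetime=1h
"""

WEAK_ENC = {"des", "3des", "blowfish", "null"}
TOKEN = re.compile(r'(\S+?)=("[^"]*"|\S+)')

def parse_export(text):
    """Yield (section, {key: value}) per 'add' line, joining '\\' continuations."""
    section, buf = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            yield section, {k: v.strip('"') for k, v in TOKEN.findall(line)}

def audit(text):
    findings, rules = [], list(parse_export(text))
    inputs = [r for s, r in rules if s == "/ip firewall filter" and r.get("chain") == "input"]
    drops = [i for i, r in enumerate(inputs) if r.get("action") == "drop"]
    if not drops:
        findings.append("input chain has no terminating drop")
    elif drops[-1] != len(inputs) - 1:   # rules below the drop are dead
        findings.append("input chain: %d rule(s) after the drop never match" % (len(inputs) - 1 - drops[-1]))
    for s, r in rules:
        enc = r.get("enc-algorithm") or r.get("enc-algorithms")
        if s.startswith("/ip ipsec") and enc and set(enc.split(",")) & WEAK_ENC:
            findings.append("%s %s: weak cipher %s" % (s, r.get("name"), enc))
        if s == "/ip ipsec peer" and r.get("exchange-mode") == "aggressive":
            findings.append("peer %s: aggressive mode is weaker than main mode with PSK" % r.get("name"))
    return findings
```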
A MikroTik RouterOS license must be purchased; otherwise the port speed will be limited to 1 Gbps and functionality will be restricted:
https://wiki.mikrotik.com/wiki/Manual:License
Thank you for your attention!
Sources used:
UPD
Based on the comments and feedback, the article has been extended with a description of the IPsec setup.