Yandex Cloud and MikroTik MultiWAN

Greetings, readers. In this article I would like to share my experience of building an internal network in Yandex Cloud and routing it to the Internet through MikroTik RouterOS.



There is a single VPC, managed by the cloud's own services, which hands external IPs to the VMs through the subnet gateway behind NAT. This is not very convenient for centralized management.



The internal network layout and the way an external IP is obtained in Yandex Cloud look like this:





External IP: a NAT instance with forwarding to the VM (VPC Preview).
















The subnets, two per zone (a, b, c):



Internal1-a – 10.1.0.0/24
Internal2-a – 10.1.1.0/24
Internal1-b – 10.1.2.0/24
Internal2-b – 10.1.3.0/24
Internal1-c – 10.1.4.0/24
Internal2-c – 10.1.5.0/24


In every subnet the cloud reserves the first addresses:



Gateway – X.X.X.1
Internal DNS – X.X.X.2


Next, deploying RouterOS.



Cloud Marketplace -> ... -> Cloud Hosted Router; create the VM and assign it an external IP.



Addresses on the RouterOS interfaces:
Ether1 – 10.1.0.254
Ether2 – 10.1.1.254


Connect over WinBox through ether1. Set a strong password for admin and upload an RSA public key for SSH.



The rest of the configuration is given as CLI commands; everything can be checked in WinBox as well (for example the routing table under IP > Routes).
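The two first-login steps above (admin password, RSA key) as a fuller hardening sequence for a CHR that is reachable from the Internet. This is an added example, not part of the original article. It assumes the public key was uploaded to the router's file store as admin.pub and that administration is done from inside the cloud subnets 10.1.0.0/16; adjust the address= lists to wherever you actually connect from, or you will lock yourself out.

```routeros
# Added example (not from the article): harden the CHR before anything else.
# Assumptions: key file "admin.pub" already uploaded, management from 10.1.0.0/16.
/user set admin password="<long-random-password>"
/user ssh-keys import public-key-file=admin.pub user=admin

# Keep only ssh and winbox, and only from the cloud subnets
/ip service disable [find name~"telnet|ftp|www|api"]
/ip service set ssh address=10.1.0.0/16
/ip service set winbox address=10.1.0.0/16
# Refuse weak SSH ciphers/MACs
/ip ssh set strong-crypto=yes

# Layer-2 management helpers are useless on a cloud VM; switch them off
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/ip neighbor discovery-settings set discover-interface-list=none

# Verify what is still listening and from where
/ip service print
```

Do this before the external IP is attached if possible: on a freshly deployed CHR every service is enabled and admin has no password.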



The routing table right after deployment:



/ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip,
 b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.1.0.1                  1
 1 ADC  10.1.1.0/24        10.1.1.254      ether2                    0
 2 ADC  10.1.0.0/24        10.1.0.254      ether1                    0


The default route on ether1 points at 10.1.0.1, the subnet gateway that performs the cloud NAT to the external IP.



Since the router has two interfaces in two subnets, add a second default route with a higher distance (it becomes active only if the first one drops out), plus explicit routes to the other subnets:





/ip route
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=2 
add dst-address=10.1.2.0/24 gateway=10.1.0.1 distance=1  
add dst-address=10.1.3.0/24 gateway=10.1.1.1 distance=1  
add dst-address=10.1.5.0/24 gateway=10.1.1.1 distance=1  
add dst-address=10.1.4.0/24 gateway=10.1.0.1 distance=1 


The subnets in zones b and c are reached through the gateway of the matching subnet in zone a.



Now the firewall. First, allow the internal subnets to reach the router itself (input chain):





/ip firewall filter
add chain=input action=accept src-address=10.1.5.0/24 
add chain=input action=accept src-address=10.1.1.0/24 
add chain=input action=accept src-address=10.1.3.0/24 
add chain=input action=accept src-address=10.1.2.0/24 
add chain=input action=accept src-address=10.1.0.0/24 
add chain=input action=accept src-address=10.1.4.0/24 


Allow ping (ICMP) to the router:



/ip firewall filter
add chain=input action=accept protocol=icmp 



Allow forwarding from the internal subnets to anywhere (forward chain):
/ip firewall filter
add chain=forward action=accept src-address=10.1.5.0/24 \
dst-address=0.0.0.0/0 
add chain=forward action=accept src-address=10.1.1.0/24 \
dst-address=0.0.0.0/0 
add chain=forward action=accept src-address=10.1.3.0/24 \
dst-address=0.0.0.0/0 
add chain=forward action=accept src-address=10.1.2.0/24 \
dst-address=0.0.0.0/0 
add chain=forward action=accept src-address=10.1.0.0/24 \
dst-address=0.0.0.0/0 
add chain=forward action=accept src-address=10.1.4.0/24 \
dst-address=0.0.0.0/0 



Then drop everything else arriving at the router; this rule has to be the last one in the input chain:
/ip firewall filter add chain=input action=drop log=no



If the drop rule ended up above one of the accept rules, move it:
/ip firewall filter move numbers="[old rule no]" \
destination="[new rule no]"


and check the resulting order:

/ip firewall filter print
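The rule set above has two gaps worth closing. The input chain accepts nothing for connection-state=established,related, so once the final drop is in place, replies to connections the router itself opens (DNS, NTP, updates) are dropped. The forward chain consists only of accept rules with no terminating drop, so it does not actually restrict anything that the cloud gateway delivers to the router. Below is a tighter filter for the same topology, written as an added example; it is not part of the original article. It assumes an address list named INTERNAL holding the six cloud subnets, and it anticipates dstnat-published services by admitting new inbound connections only when a dstnat rule has rewritten them.

```routeros
# Added example (not from the article): tighter filter for the same topology.
# Assumption: address list "INTERNAL" holds the six cloud subnets.
/ip firewall address-list
add list=INTERNAL address=10.1.0.0/24
add list=INTERNAL address=10.1.1.0/24
add list=INTERNAL address=10.1.2.0/24
add list=INTERNAL address=10.1.3.0/24
add list=INTERNAL address=10.1.4.0/24
add list=INTERNAL address=10.1.5.0/24

/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept src-address-list=INTERNAL
add chain=input action=drop log=yes log-prefix="INPUT-DROP"

# --- forward: traffic passing through the router ---
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# new connections from the cloud subnets out to the Internet
add chain=forward action=accept connection-state=new src-address-list=INTERNAL
# new inbound connections only if a dstnat rule explicitly published the port
add chain=forward action=accept connection-state=new connection-nat-state=dstnat
add chain=forward action=drop log=yes log-prefix="FWD-DROP"
```

Any accept rules added later (for example the IPsec rules further down the page, which admit IKE and ESP from the office peer) have to be placed above the two final drops; `/ip firewall filter print` shows the order, and `move` fixes it.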


To use both external IPs I configure MultiWAN, following the MikroTik MULTIWAN guide (see sources).



On the WAN side I rely on route rules and two interface lists:



/interface list
add name="WAN1"
add name="WAN2"

/interface list member
add list=WAN1 interface=ether1 dynamic=no 
add list=WAN2 interface=ether2 dynamic=no



One routing table (routing mark) per WAN, each with its own default route. (On RouterOS v7 the tables must first be created under /routing table, routes take routing-table= instead of routing-mark=, and the rules live under /routing rule.)
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.0.1 distance=1 routing-mark=WAN1 
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=1 routing-mark=WAN2 


Route rules: traffic between the cloud subnets stays in the main table; Internal2-b and Internal2-c (10.1.3.0/24 and 10.1.5.0/24) are forced into the WAN2 table; everything else falls through to the main table, whose default route leaves via ether1:





/ip route rule
add src-address=10.1.0.0/16 dst-address=10.1.0.0/16 action=lookup-only-in-table table=main
add src-address=10.1.3.0/24 action=lookup-only-in-table table=WAN2 
add src-address=10.1.5.0/24 action=lookup-only-in-table table=WAN2


Traffic from those two subnets now leaves the cloud through the second external IP.
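One consequence of `action=lookup-only-in-table`: if the WAN2 gateway stops answering, 10.1.3.0/24 and 10.1.5.0/24 lose Internet access instead of falling back to the first uplink. The following added example (not from the article) reworks the same policy routing with fail-over in both directions and shows how to verify which table a source actually uses. It assumes the WAN1/WAN2 routing marks and rules defined above already exist, and that the cloud gateways answer ICMP; if they do not, use check-gateway=arp instead of ping.

```routeros
# Added example (not from the article): same policy routing, with fail-over.
# Assumes the WAN1/WAN2 marked default routes and route rules from above exist.
/ip route
# check-gateway=ping marks every route via that gateway inactive when it stops
# answering, so the distance=2 alternative below takes over
set [find routing-mark=WAN1 dst-address=0.0.0.0/0] check-gateway=ping
set [find routing-mark=WAN2 dst-address=0.0.0.0/0] check-gateway=ping
# a second default in each table pointing at the other gateway, so neither
# table is ever left without a usable route
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=2 routing-mark=WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.1.0.1 distance=2 routing-mark=WAN2 check-gateway=ping

/ip route rule
# "lookup" (unlike "lookup-only-in-table") continues to the main table when the
# marked table has no active route at all
set [find table=WAN2 src-address=10.1.3.0/24] action=lookup
set [find table=WAN2 src-address=10.1.5.0/24] action=lookup

# Verification: which gateway is active in each table, and does WAN2 reach out?
/ip route print where routing-mark=WAN2
/ip route rule print
/ping 1.1.1.1 routing-table=WAN2 count=3
```

When WAN2 fails over, traffic from 10.1.3.0/24 and 10.1.5.0/24 leaves via 10.1.0.1 and therefore appears on the Internet from the first external IP; anything on the remote side that whitelists the second IP will stop working until the gateway recovers.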



Then, in the Yandex Cloud console, create the route table:

Virtual Private Cloud -> ... -> NAT -> ... -> Destination prefix: 0.0.0.0/0, Next hop: 10.1.0.1/10.1.1.1 -> ...

So that internal services (for example the Kubernetes API) and the IPsec tunnel keep working, add two more routes:



Destination prefix: 10.1.0.0/16, Next hop: 10.1.0.1/10.1.1.1
Destination prefix: <_>, Next hop: 10.1.0.1/10.1.1.1


Because the VMs only have internal addresses, traffic leaving for the Internet has to be source-NATed on the router. Traffic between the cloud subnets is exempted with an accept rule first; everything else is masqueraded:



/ip firewall nat
add chain=srcnat action=accept src-address=10.1.0.0/16 dst-address=10.1.0.0/16
add chain=srcnat action=masquerade src-address=10.1.0.0/24 dst-address=0.0.0.0/0 
add chain=srcnat action=masquerade src-address=10.1.1.0/24 dst-address=0.0.0.0/0 
add chain=srcnat action=masquerade src-address=10.1.2.0/24 dst-address=0.0.0.0/0 
add chain=srcnat action=masquerade src-address=10.1.3.0/24 dst-address=0.0.0.0/0 
add chain=srcnat action=masquerade src-address=10.1.4.0/24 dst-address=0.0.0.0/0 
add chain=srcnat action=masquerade src-address=10.1.5.0/24 dst-address=0.0.0.0/0


Services running on the internal VMs are published on the external IPs with dstnat.



Example: two services (TCP 10050 and TCP 3306) reachable only from fixed source addresses, one through each external IP:








/ip firewall nat
# match on dst-port, not port: "port" also matches the source port
add chain=dstnat action=netmap to-addresses=10.1.5.20 \
to-ports=10050 protocol=tcp src-address=7.7.7.1 in-interface-list=WAN2 dst-port=10055
add chain=dstnat action=netmap to-addresses=10.1.0.5 \
to-ports=3306 protocol=tcp src-address=7.7.7.2 in-interface-list=WAN1 dst-port=11050


7.7.7.1/7.7.7.2 are the only external source addresses allowed to connect; without the src-address match the database port would be open to the whole Internet.



Finally, the IPsec part that readers asked about in the comments.



Addendum: IPsec



Below is a site-to-site IPsec tunnel to the office, terminated on the router's second external IP (ether2, 10.1.1.254).



Authentication is by PSK. Because the router's own address (10.1.1.254) sits behind the cloud NAT, the identity presented to the peer MikroTik has to be set explicitly to the cloud external IP (my-id=address:...); otherwise IKE announces the private address and the office side rejects the mismatch.



/ip ipsec profile
add name="office" hash-algorithm=sha512 enc-algorithm=des dh-group=modp1536 \
lifetime=8h proposal-check=obey nat-traversal=no \
dpd-interval=2m dpd-maximum-failures=5

/ip ipsec peer
add name="peer_office" address=9.9.9.1/32 local-address=10.1.1.254 \
profile=office exchange-mode=aggressive send-initial-contact=yes

/ip ipsec identity
add peer=peer_office auth-method=pre-shared-key notrack-chain="prerouting" \
secret="123123123" generate-policy=no policy-template-group=office \
my-id=address:<cloud_ext_ip_address>

/ip ipsec proposal
add name="office" auth-algorithms=sha256 \
enc-algorithms=des lifetime=1h pfs-group=modp1536


A word on the algorithms: single DES has a 56-bit key and is considered broken, and IKEv1 aggressive mode with a PSK sends a hash of the secret in the clear, so anyone on the path can run an offline dictionary attack against it; "123123123" above is a placeholder only. Prefer AES-256, SHA-256, at least modp2048 and IKEv2 on both ends if the office equipment supports them. The policy for the office network 10.7.0.0/16:

/ip ipsec policy 
add peer=peer_office tunnel=yes src-address=10.1.0.0/16 src-port=any \
dst-address=10.7.0.0/16 \
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp \
sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office


If the office has several subnets, create one policy per subnet with level=unique, for example for 12.1.0.0/24 and 12.10.0.0/24:



/ip ipsec policy 
add peer=peer_office tunnel=yes src-address=10.1.0.0/16 src-port=any \
dst-address=12.1.0.0/24 \
dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp \
sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office

add peer=peer_office tunnel=yes src-address=10.1.0.0/16 src-port=any \
dst-address=12.10.0.0/24 \
dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp \
sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office


Firewall: filter rules for the tunnel, srcnat exemptions so the tunnelled traffic is not masqueraded, and matching raw rules. The two input rules must sit above the final input drop added earlier, and the srcnat accept rules must sit above the masquerade rules, otherwise the VMs' addresses are rewritten to 10.1.1.254 before the policy is applied:



/ip firewall filter 
add chain=input action=accept src-address=10.7.0.0/16 
add chain=input action=accept protocol=ipsec-esp src-address=9.9.9.1 
add chain=input action=accept protocol=udp src-address=9.9.9.1 port=500 
add chain=forward action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16 
add chain=forward action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16 

/ip firewall nat 
add chain=srcnat action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16 
add chain=srcnat action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16 

/ip firewall raw  
add chain=prerouting action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16 
add chain=prerouting action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16


Here 10.7.0.0/16 is the office network and 9.9.9.1 the office router's external IP.
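The same tunnel with the weak choices replaced: AES-256 and SHA-256 instead of DES, modp2048 for both IKE and PFS, IKEv2 (which has no aggressive/main distinction and authenticates identities inside the encrypted exchange) instead of IKEv1 aggressive mode, and a randomly generated secret. This is an added example, not the article's configuration; it assumes the office router supports IKEv2 and AES-256 and is reconfigured to match, and the "-v2" names are new. nat-traversal stays off as in the article, since the cloud 1:1 NAT passes ESP unchanged; enabling it would move IKE to UDP 4500 and require an extra input rule.

```routeros
# Added example (not from the article): same site-to-site tunnel with modern
# algorithms and IKEv2. Both ends must use identical settings; "-v2" names are new.
/ip ipsec profile
add name=office-v2 enc-algorithm=aes-256 hash-algorithm=sha256 \
    dh-group=modp2048 lifetime=8h nat-traversal=no \
    dpd-interval=2m dpd-maximum-failures=5

/ip ipsec proposal
add name=office-v2 enc-algorithms=aes-256-cbc auth-algorithms=sha256 \
    pfs-group=modp2048 lifetime=1h

/ip ipsec peer
add name=peer_office-v2 address=9.9.9.1/32 local-address=10.1.1.254 \
    profile=office-v2 exchange-mode=ike2 send-initial-contact=yes

/ip ipsec identity
# Generate the secret with a CSPRNG on a workstation and paste it on both ends,
# e.g.  openssl rand -base64 48
# remote-id pins the peer's identity so a different host with the same PSK
# cannot impersonate the office.
add peer=peer_office-v2 auth-method=pre-shared-key \
    secret="<paste-random-secret-here>" \
    my-id=address:<cloud_ext_ip_address> remote-id=address:9.9.9.1 \
    generate-policy=no notrack-chain=prerouting

/ip ipsec policy
add peer=peer_office-v2 tunnel=yes src-address=10.1.0.0/16 dst-address=10.7.0.0/16 \
    sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 \
    action=encrypt level=require ipsec-protocols=esp proposal=office-v2

# Checks: the peer should show as established and one ESP SA per direction
/ip ipsec active-peers print
/ip ipsec installed-sa print
```

The firewall rules from the article (UDP 500 and ESP from 9.9.9.1, the srcnat and raw exemptions) apply unchanged to this variant.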






A MikroTik RouterOS (CHR) licence has to be purchased; with the free CHR licence every interface is capped at 1 Mbit/s:

https://wiki.mikrotik.com/wiki/Manual:License



Thank you for your attention!



Sources used:



MULTIWAN



UPD

Based on comments and remarks, the article was extended with the IPsec description.



