chrisintaipei wrote:
firewall f...(恕刪)
derliang wrote:
我的一按下去就馬上更...(恕刪)
謝謝兩位,Cloud已成功更新!
的確是firewall filter的問題,將81.198.87.240 開放就正常了.
/ip firewall filter
add chain=input src-address=81.198.87.240
ROS DDNS難記的問題,透過goo.gl轉換看各位會不會覺得改善些...
Mikrotik官網有提到這是Road Warrior服務
http://wiki.mikrotik.com/wiki/Manual:IP/IPsec
但跟著Mikrotik官網操作Android或iOS裝置卻只連接家中的區域網路電腦,無法進一步翻網.
所以我嘗試修改幾個步驟,最終竟也試成了! 接下來依著說明操作即可
不過要注意當您打開IPSec Xauth PSK Server ,
IPSec挪作用途後勢必影響,L2TP/IPSec PSK將暫時無法使用
1./ip pool 建立ipsec-RW Pool
2./ip ipsec mode-config 建立Road Warrior設定檔
3./ip ipsec policy group 建立RoadWarrior群組
4./ip ipsec policy 建立IPSec政策
5./ip ipsec user 建立IPSec用戶帳號/密碼
6./ip ipsec proposal 設定IPSec加密協定
7./ip ipsec peer 建立peer 及預先共用金鑰
8.沒有<步驟8>啦,直接看Android手機連線成果
補充:
因變更過/ip ipsec proposal的default加密選項,
所以L2TP/IPSec PSK的peer也要跟著修正,以方便日後再利用.
/ip ipsec peer是可存在多個設定的
所以您想要用L2TP/IPSec PSK連線,您只要將Road Warrior關閉就好;
反之您想使用IPSec Xauth PSK ,只要再將Road Warrior打開便可
--------------------------------------------
遺憾的是iOS裝置,
經上述引導操作IPSec雖然可以連線,但最終不會有什麼相關影響發生.
比較<步驟2>與Mikrotik IPSec官網介紹,您會發現差在split-include這個設定.
split-include官網原是要指定ROS Server網域(個人是192.168.88.0/24),
但我用0.0.0.0/0取代.
如果依Mikrotik官網設定split-include=192.168.88.0/24 ,Android或iOS裝置VPN都可以連線的,
但連線只能連接家中的網域電腦,網際網路走的仍是原本的路由,所以瀏覽網際網路時並不會翻網.
--------------------------------------------
<<檢測!!>>
當split-include=0.0.0.0/0 時,
Android IPSec Xauth PSK連線是完全正常的;但iOS則是完全沒效果.
到/ip ipsec policy可查尋IPSec Xauth PSK連線資訊:
Android手機為172.19.15.5
iOS手機為172.19.15.7
用電腦 或ROS嘗試Ping 172.19.15.5(Android)
172.19.15.7(iOS)也是有反應,但相對於Android慢了許多
漏抓了ROS Ping 172.19.15.7(iOS)照片,
但印象反應如同電腦Ping的結果,平均比Android連線慢了近100ms
再到/ip firewall connection查詢連線狀況:
172.19.15.5(Android)當開啟手機網頁時有遞送出connections
172.19.15.7(iOS) connections則是空白
問題在於既然Ping的到iOS裝置,但為何iOS就不能連線;
Android則是展現好的一面,完全沒有問題...真是怪啊
menchieh wrote:
版上各位大大您好:小...(恕刪)
會不會被攻擊了,匯入新防火牆Rule做防護看看.
/ip firewall address-list
add list=dns-server address=168.95.192.1
add list=dns-server address=168.95.1.1
add list=dns-server address=8.8.8.8
add list=dns-server address=8.8.4.4
/ipv6 firewall address-list
add list=dns-server address=2001:b000:168::1
add list=dns-server address=2001:b000:168::2
add list=dns-server address=2001:4860:4860::8888
add list=dns-server address=2001:4860:4860::8844
/ip firewall filter
add action=drop chain=input dst-address-type=!local
add action=drop chain=input connection-state=invalid
add action=drop chain=forward connection-state=invalid
add action=drop chain=input src-address-type=!unicast
add action=drop chain=input connection-limit=10,32 protocol=tcp
add action=drop chain=input protocol=tcp src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input protocol=udp src-address-list=!dns-server src-port=53
add action=drop chain=forward protocol=udp src-address-list=!dns-server src-port=53
/ipv6 firewall filter
add action=drop chain=forward connection-state=invalid
add action=drop chain=input protocol=udp src-address-list=!dns-server src-port=53
add action=drop chain=forward protocol=udp src-address-list=!dns-server src-port=53
內文搜尋
從 APP 打開
X