WilliamTai wrote:這是過去對設定PortForward的一點心得,與Nat Loopback有關.
add chain...(恕刪)
相信您會需要!!
http://www.mobile01.com/topicdetail.php?f=110&t=4351800&p=1#55418869
WilliamTai wrote:這是過去對設定PortForward的一點心得,與Nat Loopback有關.
add chain...(恕刪)
AKSN74 wrote:
但自從那樣以後 只要有IP配發到192.168.12.4這組 就會無法上網
我自己將設定看了看 也沒有異狀 但就是無法上網
# Static ARP entry and static DHCP lease that both refer to 192.168.12.4.
# NOTE(review): the two entries bind 192.168.12.4 to different MAC addresses
# (C8:60:00:17:F3:78 in /ip arp, 50:2E:5C:E7:6F:28 in the lease). A static
# ARP entry makes the router address frames for that IP to the listed MAC, so
# a client that receives this lease with the other MAC would likely get no
# return traffic. This matches the reported symptom; confirm which MAC is
# the intended owner and remove or correct the stale entry.
/ip arp
add address=192.168.12.4 interface=Bridge-Lan mac-address=C8:60:00:17:F3:78
# Static lease: hands 192.168.12.4 to the client identified by this
# client-id / MAC on the DHCP server named "default".
/ip dhcp-server lease
add address=192.168.12.4 client-id=1:50:2e:5c:e7:6f:28 mac-address=50:2E:5C:E7:6F:28 server=default
# Interface (Juniper SRX side)
# Creates secure-tunnel logical unit st0.6 with the inet family enabled. The
# VPN below is bound to it (bind-interface st0.6) and the static route uses it
# as next hop, i.e. this is a route-based VPN. No address is assigned to st0.6.
# NOTE(review): the security zone that st0.6 belongs to and the policies that
# permit traffic across it are not shown here; confirm they allow only what
# the remote LAN actually needs.
set interface st0 unit 6 family inet
# IKE Phase 1 (Juniper SRX side)
# Proposal: pre-shared-key authentication, DH group2, MD5, 3DES-CBC, and a
# lifetime of 28800 s (8 h, matching lifetime=8h on the MikroTik peer).
# NOTE(review): group2 (1024-bit MODP), MD5 and 3DES are all legacy choices
# that current guidance deprecates. Both peers must agree, so any upgrade
# (e.g. dh-group group14, authentication-algorithm sha-256,
# encryption-algorithm aes-256-cbc) has to be made on both ends together.
set security ike proposal ike-proposal-A6 authentication-method pre-shared-keys
set security ike proposal ike-proposal-A6 dh-group group2
set security ike proposal ike-proposal-A6 authentication-algorithm md5
set security ike proposal ike-proposal-A6 encryption-algorithm 3des-cbc
set security ike proposal ike-proposal-A6 lifetime-seconds 28800
# Policy: main mode, using the proposal above.
set security ike policy ike-policy-A6 mode main
set security ike policy ike-policy-A6 proposals ike-proposal-A6
# "Pre-Shared-Key" is a placeholder. Use a long, randomly generated secret
# unique to this tunnel, and redact it before sharing the configuration.
set security ike policy ike-policy-A6 pre-shared-key ascii-text "Pre-Shared-Key"
# Gateway: fixed peer address, NAT traversal disabled (the MikroTik peer sets
# nat-traversal=no as well), local identity set to this side's WAN address,
# IKE bound to ge-0/0/0. [Peer WAN IP] / [Local WAN IP] are placeholders.
# NOTE(review): no dead-peer-detection is configured in these lines, and the
# MikroTik peer disables DPD, so a dead tunnel may go unnoticed until the SAs
# expire. Confirm this is intended.
set security ike gateway ike-gate-A6 ike-policy ike-policy-A6
set security ike gateway ike-gate-A6 address [Peer WAN IP]
set security ike gateway ike-gate-A6 no-nat-traversal
set security ike gateway ike-gate-A6 local-identity inet [Local WAN IP]
set security ike gateway ike-gate-A6 external-interface ge-0/0/0
# IPsec Phase 2 (Juniper SRX side)
# Proposal: ESP with HMAC-MD5-96 and 3DES-CBC, lifetime 3600 s (1 h, matching
# lifetime=1h in the MikroTik proposal).
# NOTE(review): same legacy-algorithm concern as Phase 1. Stronger options
# (e.g. hmac-sha-256-128, aes-256-cbc) must be changed on both peers at once.
set security ipsec proposal ipsec-proposal-A6 protocol esp
set security ipsec proposal ipsec-proposal-A6 authentication-algorithm hmac-md5-96
set security ipsec proposal ipsec-proposal-A6 encryption-algorithm 3des-cbc
set security ipsec proposal ipsec-proposal-A6 lifetime-seconds 3600
# Policy: PFS is enabled, but with group2 (1024-bit MODP); see the note above.
set security ipsec policy ipsec-policy-A6 perfect-forward-secrecy keys group2
set security ipsec policy ipsec-policy-A6 proposals ipsec-proposal-A6
# VPN: bound to st0.6 and to the IKE gateway defined for this tunnel.
set security ipsec vpn ipsec-vpn-A6 bind-interface st0.6
set security ipsec vpn ipsec-vpn-A6 ike gateway ike-gate-A6
# Proxy identity is the traffic selector offered to the peer. It must mirror
# the MikroTik policy (src 192.168.88.0/24, dst 172.31.32.0/19) or Phase 2
# negotiation will not match. "service any" places no protocol/port limit in
# the selector, so restriction has to come from firewall policy.
set security ipsec vpn ipsec-vpn-A6 ike proxy-identity local 172.31.32.0/19
set security ipsec vpn ipsec-vpn-A6 ike proxy-identity remote 192.168.88.0/24
set security ipsec vpn ipsec-vpn-A6 ike proxy-identity service any
set security ipsec vpn ipsec-vpn-A6 ike ipsec-policy ipsec-policy-A6
# Negotiate the tunnel as soon as the configuration is committed instead of
# waiting for traffic.
set security ipsec vpn ipsec-vpn-A6 establish-tunnels immediately
# TCP MSS clamping: 1400 for all TCP sessions, 1350 for sessions through the
# IPsec VPN, leaving room for ESP overhead.
# NOTE(review): all-tcp affects every TCP session on the device, not only this
# tunnel; confirm that is intended.
set security flow tcp-mss all-tcp mss 1400
set security flow tcp-mss ipsec-vpn mss 1350
# Routing (Juniper SRX side)
# Sends traffic for the remote LAN 192.168.88.0/24 into the tunnel interface.
# If the tunnel is down, this prefix should not fall back to another route and
# leave unencrypted; verify that against the rest of the routing table (not
# shown).
set routing-options static route 192.168.88.0/24 next-hop st0.6
# MikroTik RouterOS side of the same tunnel.
# Policy group referenced by the peer's policy-template-group below.
/ip ipsec policy group
add name=HM-SRX
# Phase 2 proposal: MD5 + 3DES, 1 h lifetime. It has to match the SRX IPsec
# proposal (hmac-md5-96 / 3des-cbc / 3600 s).
# NOTE(review): MD5 and 3DES are legacy algorithms. Upgrade both peers
# together (e.g. auth-algorithms=sha256 enc-algorithms=aes-256-cbc) if the
# hardware allows.
/ip ipsec proposal
add auth-algorithms=md5 enc-algorithms=3des lifetime=1h name=Hauman-SRX-Phase2
# Phase 1 peer: 3DES / MD5, 8 h lifetime, NAT-T off, DPD disabled, PSK auth.
# [Peer WAN IP] / [Local WAN IP] are placeholders for the two public addresses.
# "Pre-Shared-Key" is a placeholder and must equal the SRX pre-shared-key. The
# secret is part of the configuration, so treat exports and backups as
# sensitive and redact it before posting.
# NOTE(review): dpd-interval=disable-dpd turns off dead-peer detection;
# confirm this is intentional.
/ip ipsec peer
add address=[Peer WAN IP]/32 dpd-interval=disable-dpd enc-algorithm=3des \
hash-algorithm=md5 lifetime=8h local-address=[Local WAN IP] nat-traversal=no \
policy-template-group=HM-SRX secret=Pre-Shared-Key
# Tunnel-mode policy: encrypt 192.168.88.0/24 -> 172.31.32.0/19 between the two
# WAN addresses using the Phase 2 proposal above. This is the mirror image of
# the SRX proxy-identity (local 172.31.32.0/19, remote 192.168.88.0/24).
/ip ipsec policy
add dst-address=172.31.32.0/19 priority=1 proposal=Hauman-SRX-Phase2 sa-dst-address=\
[Peer WAN IP] sa-src-address=[Local WAN IP] src-address=192.168.88.0/24 tunnel=yes
# NAT exemption for tunnel traffic.
# No action= is given, so RouterOS applies its default, action=accept: packets
# from 192.168.88.0/24 to 172.31.32.0/19 leaving via HiNet-VDSL1 stop srcnat
# processing here and keep their original source address, which the IPsec
# policy has to see in order to match. place-before=0 puts the rule at the top
# of the chain, ahead of any masquerade/src-nat rule (presumably one exists
# for HiNet-VDSL1; it is not shown here).
# log=yes records every matching connection. That helps while testing but is
# noisy in steady state.
/ip firewall nat
add chain=srcnat dst-address=172.31.32.0/19 log=yes out-interface=HiNet-VDSL1 \
src-address=192.168.88.0/24 place-before=0