
[Research Institute] Learning MikroTik RouterOS (continuously updated)

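top100011 wrote:
I'd like to ask you one more thing, I... (snipped)
Buy Mr. Yu's book (there is an e-book edition) and read it... (RouterOS 入門到精通 v6.3.12e)
I just looked, and the settings are different from what's in the book!!

gfx wrote:
OVPN definitely works, you... (snipped)


GFX, you could switch careers and publish a book on RouterOS too! Ha.
You've gone really deep into this!

top100011 wrote:
I'd like to ask you one more thing, I... (snipped)
v6.28 is too old; the procedure differs too much from 6.43 and later...
This is a tutorial from the early 6.x days; see whether you can make use of it.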
RouterA :192.168.1.0/24 (1.1.1.1 / aaa.changeip.org)
RouterB :192.168.2.0/24 (2.2.2.2 / bbb.changeip.org)

RouterA:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128-cbc

/ip ipsec peer
add address=2.2.2.2/32 comment=site-to-site enc-algorithm=aes-128 \
 local-address=1.1.1.1 nat-traversal=no secret=sts
# "sts" is the private IPsec secret; replace it with your own

/ip ipsec policy
add comment=site-to-site dst-address=192.168.2.0/24 sa-dst-address=2.2.2.2 \
 sa-src-address=1.1.1.1 src-address=192.168.1.0/24 tunnel=yes

/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=192.168.1.0/24 \
 dst-address=192.168.2.0/24

script:
:local localip [/ip address get [find interface=pppoe-out1] address]
:set localip [:pick $localip 0 [:find $localip "/"]]
:local remoteip [:resolve bbb.changeip.org]
:local peerA [/ip ipsec peer find comment=site-to-site]
:local policyA [/ip ipsec policy find comment=site-to-site]

:if ([/ip ipsec peer get $peerA address]!="$remoteip/32" \
 || [/ip ipsec peer get $peerA local-address]!=$localip \
 || [/ip ipsec policy get $policyA sa-dst-address]!=$remoteip \
 || [/ip ipsec policy get $policyA sa-src-address]!=$localip) \
 do={/ip ipsec peer set $peerA address="$remoteip/32" local-address=$localip
  /ip ipsec policy set $policyA sa-dst-address=$remoteip sa-src-address=$localip}


RouterB:
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128-cbc

/ip ipsec peer
add address=1.1.1.1/32 comment=site-to-site enc-algorithm=aes-128 \
 local-address=2.2.2.2 nat-traversal=no secret=sts
# Private IPsec secret; must be the same as on RouterA

/ip ipsec policy
add comment=site-to-site dst-address=192.168.1.0/24 sa-dst-address=1.1.1.1 \
 sa-src-address=2.2.2.2 src-address=192.168.2.0/24 tunnel=yes

/ip firewall nat
add chain=srcnat action=accept place-before=0 src-address=192.168.2.0/24 \
 dst-address=192.168.1.0/24

script:
:local localip [/ip address get [find interface=pppoe-out1] address]
:set localip [:pick $localip 0 [:find $localip "/"]]
:local remoteip [:resolve aaa.changeip.org]
:local peerA [/ip ipsec peer find comment=site-to-site]
:local policyA [/ip ipsec policy find comment=site-to-site]

:if ([/ip ipsec peer get $peerA address]!="$remoteip/32" \
 || [/ip ipsec peer get $peerA local-address]!=$localip \
 || [/ip ipsec policy get $policyA sa-dst-address]!=$remoteip \
 || [/ip ipsec policy get $policyA sa-src-address]!=$localip) \
do={/ip ipsec peer set $peerA address="$remoteip/32" local-address=$localip
 /ip ipsec policy set $policyA sa-dst-address=$remoteip sa-src-address=$localip}
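
Added example, not part of the original post and not MikroTik's own tooling: a small Python audit that reads export-style RouterOS text like the configuration above and reports weak IPsec ciphers and short pre-shared secrets. The weak-cipher list and the minimum secret length are assumed local policy values, and the sample input is constructed from RouterA's commands in the post.

```python
import re

# Constructed sample: RouterA's IPsec commands from the post above.
SAMPLE = r"""
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des,aes-128-cbc
/ip ipsec peer
add address=2.2.2.2/32 comment=site-to-site enc-algorithm=aes-128 \
 local-address=1.1.1.1 nat-traversal=no secret=sts
"""

WEAK_CIPHERS = {"des", "3des", "null"}  # assumption: local policy, not a RouterOS list
MIN_SECRET_LEN = 20                     # assumption: local policy threshold

def parse_export(text):
    """Yield (menu, params) for every command in RouterOS export text."""
    text = re.sub(r"\\\r?\n[ \t]*", "", text)  # join backslash-continued lines
    menu = None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue                            # blank line or comment
        if line.startswith("/"):
            menu = line                         # menu path, e.g. /ip ipsec peer
            continue
        pairs = re.findall(r'([\w-]+)=("[^"]*"|\S+)', line)
        yield menu, {k: v.strip('"') for k, v in pairs}

def audit(text):
    """Return (menu, finding) tuples; the secret itself is never echoed."""
    findings = []
    for menu, p in parse_export(text):
        if menu not in ("/ip ipsec proposal", "/ip ipsec peer"):
            continue
        offered = p.get("enc-algorithms", p.get("enc-algorithm", "")).split(",")
        for cipher in sorted(WEAK_CIPHERS & set(offered)):
            findings.append((menu, "weak cipher offered: " + cipher))
        if "secret" in p and len(p["secret"]) < MIN_SECRET_LEN:
            findings.append(
                (menu, "pre-shared secret shorter than %d characters" % MIN_SECRET_LEN))
    return findings

if __name__ == "__main__":
    for menu, finding in audit(SAMPLE):
        print(menu + ": " + finding)
```

The parser expects the menu path on its own line, as in the post; a command written on the same line as its menu path is not handled.
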
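gfx wrote:
v6.28 is too old, (snipped)


Thank you, I'll give it another try. Much appreciated.

荷布 wrote:
Hello, because my site B is... (snipped)

荷布 wrote:
荷布 2020-01-03 15:15 Floor #7261
Hello, because my site B goes online over LTE, but I want to manage site B through site A's public IP and view site B's surveillance cameras using site A's public IP,

so I'd like to forward port 8292 at site A to 8291 at site B. I'm not sure whether I caused some misunderstanding.



For surveillance cameras connected over a 4G network, you can refer to the method I posted earlier:
https://www.mobile01.com/topicdetail.php?f=110&t=3205444&p=717

However, both routers need to be MikroTik.
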
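The methods for resetting a MikroTik router that a Google search turns up
come down to pressing the reset button on the case, or opening the case and shorting the two half-moon-shaped contact pads...

But is the process really that simple? Probably not as simple as you'd imagine; if you miss the timing, you may have to try the reset several times before it works.

So what I'm going to describe next is exactly that timing.

Before resetting, first unplug the power, then press and hold the Reset button on the outside of the case.
Then plug the power back in with your other hand, and at this point watch the green LED...

The LED goes from not blinking → blinking → not blinking

Once it stops blinking, you can release the Reset button and wait for the device to boot.

The timing is about the same when shorting the contact pads; give it a try whenever you need to reset.
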
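May I ask the experts here for some advice?

I currently want to manage a dormitory network (Chunghwa Telecom fiber broadband (光世代) 100/40).

Users log in through a PPPoE server.

I also want the students on the network to get a certain quality of service,
so I've set up some packet marking and traffic control.


But I don't know whether this is correct. Thank you.


It is split into two network segments:
1. Management tier: ether2~4, wlan1, wlan2
2. User tier (students): ether5

The management tier uses DHCP directly and is not subject to PCQ.
The user tier uses PPPoE, which can be combined with HTB + PCQ.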

/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf disabled=yes interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2


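As for traffic, besides priority marking, bandwidth can also be allocated according to the number of logged-in accounts, so that everyone gets a fair share.
If someone generates too much traffic or uses download software and the like, they can be slowed down so that the other users keep their quality of service.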

/queue type
add kind=pcq name=pppoe-download pcq-burst-rate=90M pcq-burst-threshold=30M \
pcq-burst-time=30s pcq-classifier=dst-address pcq-limit=1000KiB pcq-rate=\
6M pcq-total-limit=15000KiB
add kind=pcq name=pppoe-upload pcq-burst-rate=35M pcq-burst-threshold=30M \
pcq-burst-time=30s pcq-classifier=src-address pcq-limit=1000KiB pcq-rate=\
2M pcq-total-limit=15000KiB

/queue simple
add name=PCQ queue=pppoe-upload/pppoe-download target=10.0.0.0/24

/queue tree
add name=pppoe_downlad packet-mark=pppoe_download parent=global queue=\
pppoe-download
add name=DNS_download packet-mark=pppoe_download_dns parent=pppoe_downlad \
priority=1 queue=pppoe-download
add name=FTP_download packet-mark=pppoe_download_ftp parent=pppoe_downlad \
priority=7 queue=pppoe-download
add name=HTTP_download packet-mark=pppoe_download_https parent=pppoe_downlad \
priority=4 queue=pppoe-download
add name=ICMP_download packet-mark=pppoe_download_icmp parent=pppoe_downlad \
priority=1 queue=pppoe-download
add name=Other_download packet-mark=pppoe_download_other parent=pppoe_downlad \
queue=pppoe-download
add name=pppoe_upload packet-mark=pppoe_upload parent=global queue=\
pppoe-upload
add name=DNS_upload packet-mark=pppoe_upload_dns parent=pppoe_upload \
priority=1 queue=pppoe-upload
add name=FTP_upload packet-mark=pppoe_upload_ftp parent=pppoe_upload \
priority=7 queue=pppoe-upload
add name=HTTP_upload packet-mark=pppoe_upload_https parent=pppoe_upload \
priority=4 queue=pppoe-upload
add name=ICMP_upload packet-mark=pppoe_upload_icmp parent=pppoe_upload \
priority=1 queue=pppoe-upload
add name=Other_upload packet-mark=pppoe_upload_other parent=pppoe_upload \
queue=pppoe-upload



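I don't know whether this configuration is correct.
Or are there any other recommended settings that could optimize a dormitory network?
Thank you.

god74331 wrote:
May I ask the experts... (snipped)


I'd suggest that basic rate limiting is enough;
setting up that long string of QoS rules in the firewall is really superfluous.

QoS can actually go much deeper, but personally I agree with the poster above: basic settings are enough.
Character is the best card one can hold in life.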