Greetings, readers. In this article I want to share my experience of setting up an internal Yandex Cloud network and routing it to the Internet through MikroTik RouterOS.
There is a VPC that is administered by internal cloud services and hands out IPs, internal and external, to the VMs through a subnet gateway behind NAT, which is not very convenient for centralized administration.
The scheme of the internal network and of obtaining an external IP in Yandex Cloud looks like this:
[… ip … NAT-instance … forward … (VPC Preview) … IP … VPC1 …]
The subnets, two per availability zone (a, b, c):
Internal1-a – 10.1.0.0/24
Internal2-a – 10.1.1.0/24
Internal1-b – 10.1.2.0/24
Internal2-b – 10.1.3.0/24
Internal1-c – 10.1.4.0/24
Internal2-c – 10.1.5.0/24
In every subnet the first addresses are reserved by the cloud:
Gateway – X.X.X.1
Internal DNS – X.X.X.2
The router itself is RouterOS, deployed from the Marketplace:
Cloud Marketplace -> -> Cloud Hosted Router
IP addresses of the RouterOS interfaces (one in each zone-a subnet):
Ether1 – 10.1.0.254
Ether2 – 10.1.1.254
Connect to the router with winbox on the ether1 address [… admin … rsa public key … CLI … winbox … ip route …] and look at the routing table:
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip,
b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #     DST-ADDRESS      PREF-SRC     GATEWAY      DISTANCE
 0 ADS 0.0.0.0/0                     10.1.0.1            1
 1 ADC 10.1.1.0/24      10.1.1.254   ether2              0
 2 ADC 10.1.0.0/24      10.1.0.254   ether1              0
The default route (ADS, received over DHCP) points to 10.1.0.1, the gateway of the ether1 subnet, which is where the cloud NATs traffic to the external IP. [… ip …] Since the router sits in two subnets on two interfaces, add a second default route through the ether2 gateway with distance=2 (it is used only while the first one is gone), and static routes to the zone b and zone c subnets through the matching zone a gateway:
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=2
add dst-address=10.1.2.0/24 gateway=10.1.0.1 distance=1
add dst-address=10.1.3.0/24 gateway=10.1.1.1 distance=1
add dst-address=10.1.5.0/24 gateway=10.1.1.1 distance=1
add dst-address=10.1.4.0/24 gateway=10.1.0.1 distance=1
That is, the Internal1-* subnets of zones b and c are reached through the Internal1-a gateway (10.1.0.1) and the Internal2-* ones through the Internal2-a gateway (10.1.1.1).
Next, the firewall. Allow the router itself (the input chain) to be reached from every internal subnet:
/ip firewall filter
add chain=input action=accept src-address=10.1.5.0/24
add chain=input action=accept src-address=10.1.1.0/24
add chain=input action=accept src-address=10.1.3.0/24
add chain=input action=accept src-address=10.1.2.0/24
add chain=input action=accept src-address=10.1.0.0/24
add chain=input action=accept src-address=10.1.4.0/24
and allow ping:
/ip firewall filter
add chain=input action=accept protocol=icmp
Allow forwarding from every internal subnet to anywhere:
/ip firewall filter
add chain=forward action=accept src-address=10.1.5.0/24 \
dst-address=0.0.0.0/0
add chain=forward action=accept src-address=10.1.1.0/24 \
dst-address=0.0.0.0/0
add chain=forward action=accept src-address=10.1.3.0/24 \
dst-address=0.0.0.0/0
add chain=forward action=accept src-address=10.1.2.0/24 \
dst-address=0.0.0.0/0
add chain=forward action=accept src-address=10.1.0.0/24 \
dst-address=0.0.0.0/0
add chain=forward action=accept src-address=10.1.4.0/24 \
dst-address=0.0.0.0/0
Finally, drop everything else that arrives at the router. The drop rule has to be the last rule of the input chain; if it ended up above some of the accept rules, move it using the rule numbers shown by print:
/ip firewall filter add chain=input action=drop log=no
/ip firewall filter move numbers="[old rule no]" \
destination="[new rule no]"
/ip firewall filter print
Note that the forward chain has no final drop: RouterOS accepts any packet that matches no rule in a chain, so the forward accept rules above only start to mean something once a terminal drop (or a narrower policy) is added after them. While the rules are still being adjusted, log=yes on the input drop is worth having.
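As an added example, not part of the original article, here is the same input/forward policy rewritten as a stateful ruleset with a terminal drop in both chains, which is what the rules above lack. The subnets are the article's; the aggregated 10.1.0.0/16 match, the log prefixes and the comments are my assumptions.

```routeros
# Added example, not from the original article.
# Stateful version of the article's filter rules: return traffic first,
# then the explicit accepts, then a terminal drop in BOTH chains.
# Assumption: all of 10.1.0.0/16 belongs to this VPC (the article lists six
# /24s inside it); tighten to the individual /24s if that is not the case.
/ip firewall filter
# --- input: traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked \
    comment="replies to connections the router opened; untracked = raw notrack flows"
add chain=input action=drop connection-state=invalid comment="broken state"
add chain=input action=accept protocol=icmp comment="ping from anywhere"
add chain=input action=accept src-address=10.1.0.0/16 \
    comment="winbox/ssh only from inside the VPC"
add chain=input action=drop log=yes log-prefix="input-drop " \
    comment="terminal drop; keep it last in the chain"
# --- forward: traffic passing through the router ---
add chain=forward action=accept connection-state=established,related,untracked \
    comment="return traffic"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept src-address=10.1.0.0/16 \
    comment="VPC to anywhere, including the Internet via srcnat"
add chain=forward action=accept connection-nat-state=dstnat \
    comment="only what a dstnat rule explicitly published"
add chain=forward action=drop log=yes log-prefix="forward-drop " \
    comment="terminal drop; the article's forward chain has none"
```

New rules are appended to the chain, so when adding to a ruleset that already ends in a drop, use place-before= (for example place-before=[find chain=input action=drop]) instead of renumbering with move afterwards, and confirm the order with /ip firewall filter print.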
To make use of both external IPs, the next step is MultiWAN [… ( ) … WAN … route rules …]. Create two interface lists and, for each WAN, a default route in its own routing table:
/interface list
add name="WAN1"
add name="WAN2"
/interface list member
add list=WAN1 interface=ether1 dynamic=no
add list=WAN2 interface=ether2 dynamic=no
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.0.1 distance=1 routing-mark=WAN1
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=1 routing-mark=WAN2
By default everything still leaves through ether1 (the main table); route rules decide which table is consulted: traffic inside the VPC always uses the main table, and the Internal2-b and Internal2-c subnets go out through WAN2:
/ip route rule
add src-address=10.1.0.0/16 dst-address=10.1.0.0/16 action=lookup-only-in-table table=main
add src-address=10.1.3.0/24 action=lookup-only-in-table table=WAN2
add src-address=10.1.5.0/24 action=lookup-only-in-table table=WAN2
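The commands above are RouterOS v6 syntax (routing-mark on the route, /ip route rule). As an added example, not from the article, the same two-WAN setup on RouterOS v7, where the extra routing tables must be created explicitly before a route can be placed in them; the addresses and names are the article's, the 7.x assumption is mine.

```routeros
# Added example, not from the original article: the article's MultiWAN
# configuration in RouterOS v7 syntax (assumes RouterOS 7.x).
/interface list
add name=WAN1
add name=WAN2
/interface list member
add list=WAN1 interface=ether1
add list=WAN2 interface=ether2
# v7: routing tables are objects; "fib" makes the table usable for forwarding
/routing table
add name=WAN1 fib
add name=WAN2 fib
# one default route per table (v7 uses routing-table=, not routing-mark=)
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.0.1 routing-table=WAN1
add dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-table=WAN2
# v7: policy routing rules live under /routing rule, not /ip route rule
/routing rule
add src-address=10.1.0.0/16 dst-address=10.1.0.0/16 action=lookup-only-in-table table=main
add src-address=10.1.3.0/24 action=lookup-only-in-table table=WAN2
add src-address=10.1.5.0/24 action=lookup-only-in-table table=WAN2
```

The intra-VPC rule stays first: with lookup-only-in-table a source in 10.1.3.0/24 would otherwise try to reach 10.1.0.0/24 through the WAN2 default route. Check the result with /routing rule print and /ip route print where=routing-table=WAN2.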
[… 2 ip …] On the Yandex Cloud side, create a route table that sends the VMs' default route to the router and attach it to the subnets:
Virtual Private Cloud -> -> -> NAT -> -> , -> Destination: 0.0.0.0/0, Next hop: 10.1.0.1/10.1.1.1 -> .
For traffic that has to go through the router towards the ipsec peer (for example, to the kubernetes api), add two more routes:
Destination: 10.1.0.0/16, Next hop: 10.1.0.1/10.1.1.1
Destination: <_>, Next hop: 10.1.0.1/10.1.1.1
For the VMs to reach the Internet through the router's external IPs, srcnat is needed. Traffic between the internal subnets is excluded from NAT (the accept rule comes first); the rest is masqueraded:
/ip firewall nat
add chain=srcnat action=accept src-address=10.1.0.0/16 dst-address=10.1.0.0/16
add chain=srcnat action=masquerade src-address=10.1.0.0/24 dst-address=0.0.0.0/0
add chain=srcnat action=masquerade src-address=10.1.1.0/24 dst-address=0.0.0.0/0
add chain=srcnat action=masquerade src-address=10.1.2.0/24 dst-address=0.0.0.0/0
add chain=srcnat action=masquerade src-address=10.1.3.0/24 dst-address=0.0.0.0/0
add chain=srcnat action=masquerade src-address=10.1.4.0/24 dst-address=0.0.0.0/0
add chain=srcnat action=masquerade src-address=10.1.5.0/24 dst-address=0.0.0.0/0
Port forwarding from the external IPs to internal hosts [… ip …], restricted to specific source addresses:
/ip firewall nat
add chain=dstnat action=netmap to-addresses=10.1.5.20 \
to-ports=10050 protocol=tcp src-address=7.7.7.1 in-interface-list=WAN2 dst-port=10055
add chain=dstnat action=netmap to-addresses=10.1.0.5 \
to-ports=3306 protocol=tcp src-address=7.7.7.2 in-interface-list=WAN1 dst-port=11050
7.7.7.1 and 7.7.7.2 are the external IPs of the hosts that are allowed to connect; 10055 and 11050 are the destination ports on the WAN side (dst-port, not the generic port matcher, which would also match the source port).
Next, a site-to-site ipsec tunnel to the office [… ipsec … ip … psk …]. The peculiarity: the router's external IP is behind the cloud's NAT, so the peer on the office mikrotik cannot identify the cloud router by its local address; the identity on the cloud side therefore announces the external IP explicitly (my-id=address:<cloud_ext_ip_address>), and the office side addresses the peer by that IP. Authentication is by PSK.
Be aware that the profile and proposal below use des, a broken 56-bit cipher, and aggressive mode, which sends the identity in clear and lets an eavesdropper capture a PSK hash for offline cracking; in production replace them with aes-256, sha256, a 2048-bit DH group, main mode or IKEv2, and a long random secret.
/ip ipsec profile
add name="office" hash-algorithm=sha512 enc-algorithm=des dh-group=modp1536 \
lifetime=8h proposal-check=obey nat-traversal=no \
dpd-interval=2m dpd-maximum-failures=5
/ip ipsec peer
add name="peer_office" address=9.9.9.1/32 local-address=10.1.1.254 \
profile=office exchange-mode=aggressive send-initial-contact=yes
/ip ipsec identity
add peer=peer_office auth-method=pre-shared-key notrack-chain="prerouting" \
secret="123123123" generate-policy=no policy-template-group=office \
my-id=address:<cloud_ext_ip_address>
/ip ipsec proposal
add name="office" auth-algorithms=sha256 \
enc-algorithms=des lifetime=1h pfs-group=modp1536
/ip ipsec policy
add peer=peer_office tunnel=yes src-address=10.1.0.0/16 src-port=any \
dst-address=10.7.0.0/16 \
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp \
sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office
If there are several networks behind the peer, level=unique is used instead of require so that every policy gets its own SA, for example for 12.1.0.0/24 and 12.10.0.0/24:
/ip ipsec policy
add peer=peer_office tunnel=yes src-address=10.1.0.0/16 src-port=any \
dst-address=12.1.0.0/24 \
dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp \
sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office
add peer=peer_office tunnel=yes src-address=10.1.0.0/16 src-port=any \
dst-address=12.10.0.0/24 \
dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp \
sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office
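As an added example, not part of the original article, the same tunnel with the weak choices replaced: aes-256 and sha256 instead of des, a 2048-bit DH group, IKEv2 instead of IKEv1 aggressive mode, and a long random secret. Addresses, the peer name and the <cloud_ext_ip_address> placeholder are the article's; the -hardened names and the secret placeholder are mine. The office MikroTik needs the matching profile, proposal and exchange-mode=ike2, and addresses the cloud router by its static external IP.

```routeros
# Added example, not from the original article: the article's site-to-site
# tunnel with des / aggressive mode replaced. Everything else mirrors the article.
/ip ipsec profile
add name="office-hardened" hash-algorithm=sha256 enc-algorithm=aes-256 \
    dh-group=modp2048 lifetime=8h proposal-check=obey nat-traversal=no \
    dpd-interval=2m dpd-maximum-failures=5
/ip ipsec proposal
add name="office-hardened" auth-algorithms=sha256 enc-algorithms=aes-256-cbc \
    lifetime=1h pfs-group=modp2048
/ip ipsec peer
# ike2: the identity travels encrypted, no aggressive-mode PSK hash on the wire
add name="peer_office" address=9.9.9.1/32 local-address=10.1.1.254 \
    profile=office-hardened exchange-mode=ike2 send-initial-contact=yes
/ip ipsec identity
# secret placeholder: 32+ random characters, identical on both ends
add peer=peer_office auth-method=pre-shared-key \
    secret="<long-random-psk>" generate-policy=no \
    my-id=address:<cloud_ext_ip_address>
/ip ipsec policy
add peer=peer_office tunnel=yes src-address=10.1.0.0/16 dst-address=10.7.0.0/16 \
    protocol=all action=encrypt level=require ipsec-protocols=esp \
    sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office-hardened
```

Verify with /ip ipsec active-peers print and /ip ipsec installed-sa print. nat-traversal stays off as in the article, so the firewall still only needs udp/500 and ESP from 9.9.9.1; if you turn it on, udp/4500 has to be opened as well. If the cloud external IP were dynamic rather than reserved, switch from PSK to certificate authentication instead of going back to aggressive mode.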
Firewall for the tunnel: filter rules for the peer and the office network, exclusion of the tunnel traffic from srcnat, and matching raw rules [… NAT …]. The input accept rules must sit above the final input drop, and the srcnat accept rules above the masquerade rules:
/ip firewall filter
add chain=input action=accept src-address=10.7.0.0/16
add chain=input action=accept protocol=ipsec-esp src-address=9.9.9.1
add chain=input action=accept protocol=udp src-address=9.9.9.1 port=500
add chain=forward action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16
add chain=forward action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16
/ip firewall nat
add chain=srcnat action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16
add chain=srcnat action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16
/ip firewall raw
add chain=prerouting action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16
add chain=prerouting action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16
Here 10.7.0.0/16 is the office network and 9.9.9.1 is the office's external IP.
A MikroTik RouterOS license must be bought for the Cloud Hosted Router; without one the free license caps every interface at 1 Mbit/s:
https://wiki.mikrotik.com/wiki/Manual:License
Thank you for your attention!
UPD: based on the comments and remarks, I have extended the article and added the description of the ipsec setup.