From this article you will learn what recursive routing is, how it is configured on MikroTik and what it is used for.
Tag archive: Mikrotik
MikroTik User Manager RADIUS Installation on RouterOS 7
User Manager is a RADIUS server package provided by MikroTik. It can be used to manage users for a small or medium-sized business. User Manager is not a default RouterOS package, so we have to install it as an extra package in RouterOS 7.
RouterOS 7 has brought a massive change to the User Manager package. The most important change is that User Manager can be managed from Winbox, while in RouterOS 6 the User Manager package can only be managed from the web interface.
Before using the User Manager RADIUS server, you have to know how to install extra packages in RouterOS 7, because User Manager is an extra package in RouterOS. In this article, I will show how to install the User Manager package in RouterOS 7 as an extra package.
Installing User Manager RADIUS Server in RouterOS 7
It is always better to use a stable or long-term RouterOS version. At the time of writing this article, the stable version of MikroTik RouterOS is 7.3.1. So, I am expecting that your RouterOS version is equal to or greater than mine. MikroTik supports a lot of architectures, so before installing extra packages you also have to know your router's architecture name.
To find your router's architecture name, go to the System > Resources menu item in Winbox. The architecture name is shown in the Resources window that appears.

From the above picture you can see that my architecture name is x86_64, which means I am using a PC router. Your architecture name may be different from mine. Note down your version and architecture name, because these two pieces of information are required to download and install the extra package.
Now go to the MikroTik Download page or Download Archive page and choose your RouterOS version. Choose your architecture name and then download the extra packages. A zip file named all_packages-(architecture_name)-(version).zip will be downloaded.

Extract the downloaded ZIP file. In the extracted folder, you will find the user-manager-(version).npk file. Upload it, or drag and drop it, to the Files directory. Your uploaded package will look like the following image.

Now reboot the router from the System > Reboot menu item. While rebooting, the User Manager package will be installed and you will find a new menu item named User Manager.
Click on the User Manager menu item. A new window (like the following image) will appear where we can configure and manage RADIUS clients, users and other features.

The User Manager package installation in RouterOS 7 is successful if you get the above window. Now we can configure RADIUS clients, create profiles and profile limitations, and then create users who will be authenticated through the User Manager RADIUS server.
In the upcoming tutorials, we will see how to manage the User Manager RADIUS server and how to use it with popular RouterOS services like Login, Hotspot, PPP, Wireless and so on.
Following the above steps, you will be able to install the User Manager package in RouterOS 7. But if anything is unclear, watch the following video.
How to download and install the User Manager RADIUS server in MikroTik RouterOS 7 has been discussed in this article. I hope you will now be able to install User Manager in your RouterOS v7. However, if you face any confusion installing User Manager in your RouterOS 7, feel free to discuss it in the comments or contact me from the Contact page. I will try my best to stay with you.
OpenVPN Client Configuration in Windows 10/11
OpenVPN is an excellent VPN solution for transmitting data securely over a public network. By configuring an OpenVPN server on either MikroTik RouterOS or Ubuntu Server, we can access local servers or devices from a remote location using Windows 10/11, Android or macOS.
How to configure an OpenVPN server on Ubuntu Server was discussed in the previous article. In that article, I also discussed how to create a new OpenVPN client (for Windows) that will be able to connect to the OpenVPN server. So, in this article I am going to show how to install and configure the OpenVPN client in Windows 10/11 and how to connect to the OpenVPN server from this Windows client PC.
Installing OpenVPN Client Software in Windows 10/11
The OpenVPN client software for Windows 10/11 can be downloaded from OpenVPN's download page. So, go to OpenVPN's Community Download page and download the software that matches your operating system. For OpenVPN 2.5.7, the download option looks like the following image.

I will install the OpenVPN client for Windows 10. So, I am downloading the Windows 64-bit MSI installer.
After downloading the installer package, install the software in your Windows operating system. The installation is as simple as installing any other software in Windows.
After the OpenVPN client software installation, two OpenVPN network adapters will be installed, like the following image. If these two adapters do not appear, the OpenVPN client will not work.

After successful installation, you will find an OpenVPN GUI icon on your Desktop. Double-click it to run the OpenVPN client. If OpenVPN GUI runs successfully, a small connection icon will be found in the taskbar or under the hidden icons bar, like the following image.

Right-click the OpenVPN GUI icon. The first time, it will ask you to import the client config file that was generated while installing the OpenVPN server. If you have not yet downloaded the OpenVPN client config file from the Ubuntu Server where the OpenVPN server has been installed, download it and then import the config file.
As soon as the config file has been imported, it will offer to connect the client through the Connect option. So, click the Connect option and, if everything is OK, the OpenVPN connection will be established and the OpenVPN GUI icon will turn green.

You will also find the IP address assigned to your OpenVPN adapter if you hover the mouse pointer over the OpenVPN GUI icon, or you can see the IP information in the Network and Sharing Center.
Note: If you try the OpenVPN server in your lab or local environment, don't forget to edit the IP address in the client config file, because by default the OpenVPN script will assign the public IP address. Otherwise, your test will fail.
How to download and install the OpenVPN client software in Windows 10/11 and how to configure the OpenVPN client to connect to the OpenVPN server have been discussed in this article. I hope you will now be able to install and configure the OpenVPN client in Windows without any confusion. However, if you face any confusion, feel free to discuss it in the comments or contact me from the Contact page. I will try my best to stay with you.
OpenVPN Configuration over Port 443 on Ubuntu Linux
OpenVPN provides a secure and encrypted VPN tunnel across a public network. Unlike PPTP and L2TP VPN services, which can be blocked, OpenVPN is highly customizable and can even be run over the very popular TCP port 443. So, OpenVPN cannot easily be blocked. OpenVPN uses SSL/TLS certificates, so an OpenVPN tunnel is a trusted tunnel for sending and receiving data across a public network.
The OpenVPN server can easily be installed on Ubuntu Server. With the OpenVPN server installed on Ubuntu Server, we can connect Windows, Linux, macOS or MikroTik RouterOS as OpenVPN clients and transmit data securely over a public network.
The goal of this article is to configure the OpenVPN server over TCP or UDP port 443 and then connect Windows, Linux, RouterOS, macOS and Android OpenVPN clients for transmitting data securely over a public network.
Installing OpenVPN Server on Ubuntu Server 20.04
OpenVPN server installation and configuration on Ubuntu Server is not so difficult, but we need an up-to-date Ubuntu Server installation. If your Ubuntu Server was installed earlier, issue the following commands to update it.
$ sudo apt update
$ sudo apt upgrade
We should also have proper network configuration on the Ubuntu Server. To access the OpenVPN server globally, we need a public IP address, but for demo purposes I am using a private IP address. This does not affect our configuration: just use your public IP address wherever I use my private IP address.
To show the configured IP address, issue the following command and remember or write down the IP address.
$ ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.22.2.100 netmask 255.255.255.0 broadcast 172.22.2.255
inet6 fe80::250:56ff:fe9d:d9fe prefixlen 64 scopeid 0x20<link>
ether 00:50:56:9d:d9:fe txqueuelen 1000 (Ethernet)
RX packets 13748273 bytes 2464567366 (2.4 GB)
RX errors 0 dropped 20681 overruns 0 frame 0
TX packets 58393 bytes 4758690 (4.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
The above command shows that my IP address is 172.22.2.100. Find out your own IP address and write it down for the upcoming configuration.
For the OpenVPN configuration we will use a GitHub script which helps to install and configure the OpenVPN server within five minutes. So, issue the following command to download the GitHub script to your server machine.
$ wget https://git.io/vpn -O openvpn-install.sh
Note: if you find that the wget utility is not installed on your system, install it first and then run the above command.
The script file is now in your working directory, but before running the script we need to give it execute permission. So, issue the following command to provide execute permission.
$ sudo chmod +x openvpn-install.sh
The script is now executable and ready to run. So, issue the following command to run the script.
$ sudo bash openvpn-install.sh
The above command will ask for the following configuration information. Provide it according to your needs.
- Protocol: the protocol that will be used by the OpenVPN server, either UDP or TCP. The default and recommended one is UDP, but we will use TCP because we will configure OpenVPN over TCP/443.
- Port: the OpenVPN listening port. The default is 1194, but we will use 443.
- DNS Servers: DNS servers for the clients. The default is the current system resolvers, but I am using Google's DNS server, which is safe.
- First Client: the first client name. A client configuration file for this client will be generated. We will download that generated file and upload it for client configuration. As our first client will be a Windows machine, I am naming it windows, but you can name it whatever you like.
The OpenVPN script is now ready to install and asks you to press any key to continue. So, press any key to continue the OpenVPN server installation on Ubuntu Server.
Within a minute the OpenVPN server will be installed and a client configuration file for the given name will be generated in the /root/ directory.
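Because the steps above download a script and run it as root, it helps to read the file once and pin its SHA-256, so that a copy downloaded again later (for example when adding clients) is checked against the reviewed one. This is an added example, not part of the original article or of the script's project; the function names and the pin-file name are assumptions.

```shell
#!/bin/sh
# Added example: pin the reviewed installer's SHA-256 and refuse to run a
# copy that differs. Function names and file names are hypothetical.

# Print the SHA-256 of a file (hex digest only).
script_sha256() {
    sha256sum "$1" | awk '{print $1}'
}

# Record the digest of a script you have read and accepted.
pin_script() {   # pin_script <script> <pinfile>
    script_sha256 "$1" > "$2"
}

# Return 0 only if the script matches the pinned digest,
# 1 if it differs, 2 if either file is missing or unreadable.
verify_script() {   # verify_script <script> <pinfile>
    [ -r "$1" ] && [ -r "$2" ] || return 2
    [ "$(script_sha256 "$1")" = "$(cat "$2")" ]
}

# Run the installer only when it matches the reviewed copy.
run_if_pinned() {   # run_if_pinned <script> <pinfile>
    if verify_script "$1" "$2"; then
        sudo bash "$1"
    else
        echo "refusing to run $1: digest differs from reviewed copy" >&2
        return 1
    fi
}

# Typical use (commented out so that sourcing this file has no side effects):
#   wget https://git.io/vpn -O openvpn-install.sh
#   less openvpn-install.sh                 # read it before trusting it
#   pin_script openvpn-install.sh openvpn-install.sh.sha256
#   run_if_pinned openvpn-install.sh openvpn-install.sh.sha256
```

Keep the pin file somewhere only root can write, otherwise it protects nothing.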
OpenVPN Server Administration
The default OpenVPN server instance is named server and its configuration file is /etc/openvpn/server/server.conf. There is no need to change the default configuration, but if required we can change the configuration in this file.
If you change the configuration file or need to restart the OpenVPN server, issue the following command.
$ sudo systemctl restart openvpn-server@server.service
If you need to stop the OpenVPN Server, issue the following stop command.
$ sudo systemctl stop openvpn-server@server.service
And to start the OpenVPN Server, issue the start command.
$ sudo systemctl start openvpn-server@server.service
Similarly we can show the OpenVPN Server status with the status command.
$ sudo systemctl status openvpn-server@server.service
Firewall Configuration for OpenVPN Server
If you use a host-based firewall like Firewalld or UFW on your Ubuntu Server, you have to open TCP port 443, because we have configured the OpenVPN server on TCP port 443. Otherwise, the OpenVPN client cannot communicate with the OpenVPN server.
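One way to keep the firewall rule in step with the server is to read the port and protocol from server.conf and open exactly that, as in this added example (not from the original article). The function names are assumptions and the sample configuration is constructed; `ufw allow <port>/<proto>` is standard UFW syntax.

```shell
#!/bin/sh
# Added example: derive the UFW rule from the OpenVPN server configuration
# so that only the configured port/protocol is opened.
# Function names are hypothetical.

# Print "<port>/<proto>" for an OpenVPN server config file.
# OpenVPN defaults (port 1194, proto udp) apply when a directive is absent.
openvpn_listen() {
    awk '
        $1 == "port"  { port = $2 }
        $1 == "proto" { proto = $2 }
        END {
            if (port == "")  port = 1194
            if (proto == "") proto = "udp"
            # tcp-server, tcp4, udp6 ... all map to tcp or udp for the firewall
            proto = (proto ~ /^tcp/) ? "tcp" : "udp"
            print port "/" proto
        }' "$1"
}

# Print the ufw command that opens exactly what the server listens on.
ufw_rule_for() {
    echo "ufw allow $(openvpn_listen "$1")"
}

# Constructed sample resembling a TCP/443 server.conf (not copied from a host).
sample_conf() {
    cat <<'EOF'
local 172.22.2.100
port 443
proto tcp
dev tun
EOF
}

# On the server you would run, after checking the printed rule:
#   sudo $(ufw_rule_for /etc/openvpn/server/server.conf)
#   sudo ufw status verbose
#   sudo ss -tlnp | grep ':443 '      # confirm openvpn is listening
```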
Downloading OpenVPN Client Configuration File from Ubuntu Server
The OpenVPN configuration script generates the first client configuration file in the /root directory while installing the OpenVPN server. So, we have to download this file from that location before configuring the OpenVPN client, because this file has to be uploaded into the OpenVPN client software.
As the /root directory cannot be accessed without superuser rights, first switch to the superuser and copy the file to the current user's desktop, and then download the client configuration file with FTP, WinSCP or OpenSSH client software.
Adding New OpenVPN Client
If we need to create more clients, we can do so by simply running the script again, as in the following command.
$ sudo bash openvpn-install.sh
The above command will now show the following menu.
OpenVPN is already installed.
Select an option:
1) Add a new client
2) Revoke an existing client
3) Remove OpenVPN
4) Exit
Option:
All the options are self-explanatory. So, to add a new client, select the first option. It will now ask you to provide the client name.
Provide a name for the client:
Name: android
Provide the client name that you wish and the script will generate another client file in the /root directory. Similarly, we can create as many clients as we require.
The OpenVPN server on Ubuntu Server is now ready, and we can connect Windows, Linux, macOS, RouterOS and Android clients and communicate securely across a public network.
In the next tutorials, we will configure the OpenVPN client on the following operating systems.
- OpenVPN Client Configuration on Windows 10/11
- OpenVPN Client Configuration on Linux
- OpenVPN Client Configuration on Android
- OpenVPN Client Configuration on MacOS
- OpenVPN Client Configuration on RouterOS.
How to install and configure the OpenVPN server on Ubuntu Server has been discussed in this article. I hope you will now be able to install and configure the OpenVPN server on Ubuntu Server without any difficulty. However, if you face any confusion, feel free to discuss it in the comments or contact me from the Contact page. I will try my best to stay with you.
Connecting networks using L2TP/IPsec on Mikrotik and Keenetic Ultra II
I was given the task of connecting two additional remote offices to the local network. I have already written about setting up an OpenVPN server for those who want to work from home or on a business trip, but the prospect of issuing a separate certificate to every network user and then configuring each connection did not appeal to me at all. So for connecting the branch offices it was decided to go a different way.
We will join the networks through VPN tunnels using L2TP/IPsec, without setting up additional servers or using expensive equipment, directly on the Mikrotik and Keenetic Ultra II routers. Besides user convenience and my own laziness, the reason for joining the networks this way was the incorrect operation of the built-in L2TP/IPsec client in Windows.
As the diagram shows, users in the branch offices must have access to the terminal server located behind the Keenetic Ultra II router. Since an L2TP/IPsec server was already configured and working fine on the Keenetic, the Mikrotiks got the role of clients. In addition, this option is considerably simpler to configure than setting up a VPN server on a Mikrotik.
Mandatory condition: the address ranges of the networks being joined must not overlap.
Configuring the L2TP VPN server on the Keenetic router
The details of configuring an L2TP/IPsec server on the Keenetic Ultra can be found by following this link. It is all simple there, so I will not repeat it. In addition to that article, a couple of essential points need attention, without which the VPN tunnels cannot work properly:
- Disable NAT for clients; it will only get in the way here;
- Clear the checkbox next to the "Multiple login" field if it was set. This makes it possible to specify exactly which IP address the L2TP server gives the client on connection;

- Configure static routing.

For the remote branches I chose the names office_01 and office_02 and assigned them the static addresses 172.16.2.35 and 172.16.2.35 respectively. These addresses are specified as gateways when creating static routes for the networks located behind them. The internal network of office_01 is 192.168.11.0/24, and that of office_02 is 192.168.0.0/24.
Configuring Mikrotik as an L2TP/IPsec client
We start configuring the remote client by adding a new L2TP Client interface in the Interfaces section. Specify the IP address of the L2TP server, your credentials and the shared IPsec encryption key.

If you think this is enough to successfully establish a connection to the server running on the Keenetic Ultra II, you are deeply mistaken, because configuring Mikrotiks is always pain and suffering. One gets the impression that Mikrotik deliberately deprives itself of profit. I do not understand what prevents them from releasing proper step-by-step guides for configuring their hardware and becoming a leading player in the market.
Next, specify the required SA (Security Association) encryption algorithms in IP->IPsec->Proposals and change the value of the PFS Group parameter from modp1024 to none.
The abbreviation PFS stands for Perfect Forward Secrecy, something related to the second phase of key exchange in IPsec. To be honest, I did not dig that deep into this topic, and if I am not mistaken, on Apple devices this parameter is also disabled by default in the IPsec settings. In short, for the channel to the Keenetic Ultra II to come up, the value of the PFS Group parameter must be none.

We also adjust the default encryption profile in IP->IPsec->Profiles:

Click "Apply", and if we did everything correctly, the connection should be established.
The tunnel is up. Only a small thing remains so that the computers behind the router get access to the remote network 192.168.99.0/24, where the terminal server is located. For this we need to add a masquerade rule and a new static route.
Go to the IP->Firewall->NAT tab:

On the IP->Routes tab, specify the created interface l2tpMainOffice as the gateway, and in the Pref. Source field, our IP address in the virtual network:

The client for the second network is configured in the same way.
Source: https://mdex-nn.ru/page/l2tp-ipsec-tunnel-mikrotik-i-keenetik.html
MikroTik. OSPF with an example of 4 routers
In this article we will use MikroTik with RouterOS version 7.2 to study the OSPF dynamic routing protocol.