OpenVPN между Mikrotik 3011

z1k
Сообщения: 10
Зарегистрирован: 09 авг 2017, 02:49

Здравствуйте. Настроил OpenVPN между микротиками, но пинг через туннель больше в два раза, чем пинг между IP-адресами, выданными провайдером каждому микротику. Понимаю, что шифрование и все дела, но не настолько. Суть проблемы в том, что через туннель идёт VoIP-трафик, и телефоны на другом конце подключаются, а через пару секунд начинают переподключаться. Подскажите, что сделал не так и что исправить:

Офис 1 в нём сервер voip:


# jun/27/2018 02:05:34 by RouterOS 6.42
# software id = 6ESD-JJ22
#
# model = RouterBOARD 3011UiAS
# serial number = 780E0675B9D2
# --- Office 1 interfaces ---
# Bridge carrying the wired office LAN; fast-forward stays off, as exported.
/interface bridge
add name=bridge1 fast-forward=no
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Wan
# The SFP cage is unused and kept administratively down.
set [ find default-name=sfp1 ] disabled=yes
# NOTE(review): despite its name this is a static SSTP binding, not an
# OpenVPN object. No "/interface sstp-server server set enabled=yes" appears
# in this export, so it looks like a leftover; confirm before keeping it.
/interface sstp-server
add user=Stroymarket name="OpenVPN for Stroymarket"
# Tagged VLAN 100 on ether2. ether2 itself is also a bridge member (see
# /interface bridge port), so the VLAN rides on a bridged port.
/interface vlan
add name=vlan100_2 vlan-id=100 interface=ether2
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# PPP profile assigned to OpenVPN sessions. use-encryption=required refuses
# a peer that negotiates no encryption; whether this flag has any effect on
# OpenVPN (whose cipher is fixed on the server object) is not visible here.
/ppp profile
add name=ovpn use-encryption=required
# Flat 10M/10M PCQ limiter over the whole wired LAN.
# NOTE(review): there is no priority class, so VoIP packets heading for the
# tunnel queue behind bulk traffic whenever the LAN approaches the 10M cap.
# A separate higher-priority queue for the VoIP server is the usual answer
# to jitter-driven re-registrations.
/queue simple
add name=queue1 target=bridge1 max-limit=10M/10M \
    queue=pcq-upload-default/pcq-download-default
/interface bridge port
# Both the untagged ether2 and the VLAN-100 sub-interface created on that
# same ether2 are members of bridge1. NOTE(review): bridging a port together
# with a VLAN built on that port is a loop-prone layout; confirm it is
# intentional (e.g. the VLAN may have been meant for a separate bridge).
add interface=ether2 bridge=bridge1
add interface=vlan100_2 bridge=bridge1
/interface list member
add list=WAN interface=ether1-Wan
# This entry carries no interface, so the LAN list is empty. Nothing in the
# firewall references it, but presumably interface=bridge1 was intended.
add list=LAN
# OpenVPN server. Every client must present a certificate the router trusts
# (require-client-certificate=yes) on top of its PPP username/password, and
# gets the 'ovpn' profile. Cipher is AES-128; the auth digest is left at its
# default.
# NOTE(review): the matching input rule accepts protocol=tcp on 1194, i.e.
# the tunnel is TCP-based. RTP (UDP) carried inside a TCP tunnel inherits
# TCP retransmission delay, which is consistent with the doubled ping and
# the phones re-registering described in the post. A UDP-capable tunnel
# (e.g. L2TP/IPsec or a plain IPsec policy) avoids that.
/interface ovpn-server server
set enabled=yes default-profile=ovpn cipher=aes128 certificate=server.crt_0 \
    require-client-certificate=yes
/ip address
# Provider /30 (octets masked by the poster).
add interface=ether1-Wan address=188.170.23х.хх/30 network=188.170.23х.хх
add interface=ether4 address=10.10.40.1/24 network=10.10.40.0
# LAN address sits on the bridge itself, not on a member port.
add interface=bridge1 address=10.10.10.3/24 network=10.10.10.0
/ip dhcp-server network
# No "/ip dhcp-server" instance for this network appears in the export; it
# may have been trimmed or defined elsewhere.
add gateway=10.10.40.1 address=10.10.40.0/24
/ip dns
# The router resolves for clients. Only the input chain's "Drop all Wan"
# rule keeps this from being an open resolver; the tunnel peer can query it.
set servers=83.149.52.хх,83.149.53.хх allow-remote-requests=yes
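/ip firewall filter
# ---- input: traffic addressed to the router itself ----
add chain=input action=accept connection-state=established,related \
    comment="Accept Established & Related"
# Fix: the exported "Drop Invalid" rule lived in the output chain, which
# never sees arriving packets. The invalid-state drop belongs in input,
# ahead of every accept. The output-chain rule is kept as exported.
add chain=input action=drop connection-state=invalid comment="Drop Invalid"
add chain=output action=drop connection-state=invalid comment="Drop Invalid"
# ICMP accepted from every interface without a rate limit; add limit=... if
# WAN-side ping floods ever become a concern.
add chain=input action=accept protocol=icmp comment="Accept ICMP"
# The only service exposed to the Internet: OpenVPN on TCP/1194.
add chain=input action=accept protocol=tcp dst-port=1194 \
    in-interface=ether1-Wan comment="Accept OpenVPN"
add chain=input action=drop in-interface=ether1-Wan comment="Drop all Wan"
# NOTE: there is no final drop, so anything arriving from bridge1, ether4 or
# the VPN peer reaches every router service still enabled (winbox, www, dns).
# ---- forward: traffic routed through the router ----
add chain=forward action=accept connection-state=established,related \
    comment="Accept Established &Related"
# Fix: invalid packets are now dropped before the LAN accept instead of
# after it, so malformed LAN-originated packets no longer pass.
add chain=forward action=drop connection-state=invalid comment="Drop Invalid"
add chain=forward action=accept in-interface=bridge1 \
    comment="Internet from Lan"
add chain=forward action=drop in-interface=ether1-Wan \
    connection-nat-state=!dstnat comment="Drop all from Wan except DST-NAT"
# Packets arriving from the tunnel (all-ppp) or from ether4 match nothing
# above and fall through to the chain's default accept.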
/ip firewall nat
# Masquerade into every PPP/OpenVPN tunnel.
# NOTE(review): this hides office-1 sources behind 10.0.0.1 on the way to
# the remote office, although the remote export carries a return route for
# 10.10.0.0/16 via 10.0.0.1 and leaves its own tunnel masquerade disabled.
# For SIP that is the worst case (addresses inside the signalling stop
# matching the IP header); if the remote side routes every office-1 prefix,
# this rule can be dropped.
add chain=srcnat action=masquerade out-interface=all-ppp
add chain=srcnat action=masquerade out-interface=ether1-Wan
# NOTE(review): both dst-nat rules carry no to-addresses, so as exported
# they rewrite only the port and leave the destination at the router's own
# WAN address, which would presumably hand port 80/443 to the router's own
# www/www-ssl services. Today the input chain's "Drop all Wan" still blocks
# that, but a later input-chain change would turn these into an exposure:
# add to-addresses=<internal host> or remove them.
add chain=dstnat action=dst-nat in-interface=ether1-Wan protocol=tcp \
    dst-port=80 to-ports=80
add chain=dstnat action=dst-nat in-interface=ether1-Wan protocol=tcp \
    dst-port=443 to-ports=443
/ip route
# Default route to the provider gateway.
add gateway=188.170.23х.хх distance=1
# Remote office (10.20.0.0/16) through the OpenVPN tunnel; pref-src pins the
# tunnel-side address for router-originated traffic.
add dst-address=10.20.0.0/16 gateway=10.0.0.2 pref-src=10.0.0.1 distance=1
# Prefixes reached through next hop 10.10.10.1 on the wired LAN.
add dst-address=172.16.0.0/16 gateway=10.10.10.1 distance=1
add dst-address=172.20.128.0/24 gateway=10.10.10.1 distance=1
# 172.17.0.0/16 is reached on the far side of the tunnel.
add dst-address=172.17.0.0/16 gateway=10.0.0.2 distance=1
/ip service
# Management hardening: clear-text and scripting services switched off.
set ftp disabled=yes
set telnet disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# NOTE(review): winbox, www and www-ssl keep their defaults and remain
# reachable from the LAN, ether4 and the VPN peer (the input chain only
# drops WAN). Restricting them with address=<management subnet> is the
# usual next step.
/ppp secret
# Site-to-site OpenVPN account; the tunnel uses the fixed address pair
# 10.0.0.1 (this side) <-> 10.0.0.2 (remote). Password masked by the poster.
add name=Stroymarket service=ovpn profile=ovpn password=ххх \
    local-address=10.0.0.1 remote-address=10.0.0.2
/system clock
# Etc/GMT-11 follows the inverted POSIX sign convention and means UTC+11,
# so log timestamps run eleven hours ahead of UTC.
set time-zone-name=Etc/GMT-11 time-zone-autodetect=no
/system identity
set name=Olimpik
/system ntp client
set primary-ntp=89.175.20.7 secondary-ntp=85.30.248.246 enabled=yes
/system routerboard settings
set silent-boot=no
Офис 2 удалённый:


# jun/27/2018 02:06:39 by RouterOS 6.42
# software id = WI1A-QVYA
#
# model = RouterBOARD 3011UiAS
# serial number = 783D085D2D16
# --- Office 2 (remote) interfaces ---
/interface bridge
add name=bridge1 fast-forward=no
/interface ethernet
set [ find default-name=ether1 ] name=ether1-Wan
# ether9 feeds the Wi-Fi access point and has its own subnet (see /ip address).
set [ find default-name=ether9 ] name="ether9(WiFi)"
set [ find default-name=sfp1 ] disabled=yes
# Tagged VLAN 100 on ether2, which is itself a bridge member.
/interface vlan
add name=vlan100_2 vlan-id=100 interface=ether2
# OpenVPN client towards office 1 (Olimpik): client certificate plus the PPP
# username/password, AES-128 to match the server. Password masked by poster.
# NOTE(review): nothing here makes the client check the server's certificate
# against a trusted CA, so the peer is identified only by its IP address.
# Import the office-1 CA and enable server-certificate verification
# (verify-server-certificate=yes, where the build offers it) so an on-path
# attacker cannot impersonate office 1 and collect the credentials.
/interface ovpn-client
add name=ovpn-out1 connect-to=188.170.23х.хх user=Stroymarket password=ххх \
    certificate=client.crt_0 cipher=aes128 mac-address=02:71:47:92:26:F2
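/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# Fix: the exported pool 10.20.200.50-10.20.200.254 included both addresses
# that the local PPP secret 'iam' assigns (local-address 10.20.200.50,
# remote-address 10.20.200.254), so a Wi-Fi lease could collide with a
# PPTP/L2TP session. The pool now stops one address short at each end.
/ip pool
add name=dhcp_pool1 ranges=10.20.200.51-10.20.200.253
/ip dhcp-server
add name=dhcp1 interface="ether9(WiFi)" address-pool=dhcp_pool1 disabled=no
/queue simple
# 10M/10M on the wired LAN and 1M/1M on the Wi-Fi segment. Neither queue
# has a priority class, so VoIP gets no preference under load.
add name=queue1 target=bridge1 max-limit=10M/10M \
    queue=pcq-upload-default/pcq-download-default
add name=queue2 target="ether9(WiFi)" max-limit=1M/1M \
    queue=pcq-upload-default/pcq-download-default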
/interface bridge port
# Same layout as office 1: ether2 and the VLAN riding on ether2 are both
# members of bridge1; double-check that this is intentional.
add interface=ether2 bridge=bridge1
add interface=vlan100_2 bridge=bridge1
# NOTE(review): an L2TP server without IPsec is enabled here and a PPTP
# server is enabled below. PPTP (MS-CHAPv2/MPPE) is considered broken, and
# plain L2TP exposes the PPP authentication exchange. The input chain blocks
# both from WAN, but they stay reachable from the Wi-Fi and wired segments,
# where the 'iam'/'iam' secret in this export is enough to open a session.
# Disable PPTP and either add IPsec to L2TP or disable it as well, unless
# the earlier thread depends on them.
/interface l2tp-server server
set enabled=yes
/interface list member
add list=WAN interface=ether1-Wan
# Empty LAN list entry, as on office 1.
add list=LAN
/interface pptp-server server
set enabled=yes
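/ip address
# Fix: 10.20.10.2/24 was assigned to ether2, which is a member port of
# bridge1 (see /interface bridge port). On the 6.42 build in the export
# header an address on a bridge member is expected to be marked invalid;
# it belongs on the bridge itself, exactly as office 1 places 10.10.10.3
# on its bridge1. The static route via 10.20.10.1 relies on this address.
add interface=bridge1 address=10.20.10.2/24 network=10.20.10.0
# Provider /30 (octets masked by the poster).
add interface=ether1-Wan address=188.170.23х.хх/30 network=188.170.23х.хх
add interface="ether9(WiFi)" address=10.20.200.1/24 network=10.20.200.0
/ip dhcp-server network
add gateway=10.20.200.1 address=10.20.200.0/24
/ip dns
# Remote requests are allowed; only the input chain's "Drop all Wan" rule
# keeps this from being an open resolver.
set servers=83.149.52.хх,83.149.53.хх allow-remote-requests=yes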
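/ip firewall filter
# ---- input: traffic addressed to the router itself ----
add chain=input action=accept connection-state=established,related \
    comment="Accept Establishe & Related"
# Fix: the invalid-state drop moved into the input chain (the exported rule
# sat in the output chain, where it never sees arriving packets); the
# output-chain rule is kept as exported.
add chain=input action=drop connection-state=invalid comment="Drop Invalid"
add chain=output action=drop connection-state=invalid comment="Drop Invalid"
add chain=input action=accept protocol=icmp comment="Accept ICMP"
add chain=input action=drop in-interface=ether1-Wan comment="Drop all Wan"
# NOTE: no final input drop, so bridge1, the Wi-Fi segment and the tunnel
# peer reach every enabled service, including the PPTP and L2TP servers
# enabled in this export.
# ---- forward: traffic routed through the router ----
add chain=forward action=accept connection-state=established,related \
    comment="Accept Estabished & Related"
# Fix: the exported "Drop Invalid" rule had NO connection-state matcher and
# therefore dropped every packet that reached it, including new connections
# arriving from the tunnel (ovpn-out1) towards this LAN, e.g. a SIP INVITE
# from the office-1 VoIP server to a phone. It now drops only invalid
# packets and sits before the accepts so malformed LAN packets are caught.
# If a deny-by-default forward chain was actually intended, add an explicit
# final "add chain=forward action=drop" instead of relying on this rule.
add chain=forward action=drop connection-state=invalid comment="Drop Invalid"
# NOTE(review): the Wi-Fi segment is allowed everywhere, including into
# bridge1 and across the tunnel into office 1. If ether9 serves guests, this
# should be narrowed to out-interface=ether1-Wan.
add chain=forward action=accept in-interface="ether9(WiFi)" \
    comment="Internet from WiFi"
add chain=forward action=accept in-interface=bridge1
add chain=forward action=drop in-interface=ether1-Wan \
    connection-nat-state=!dstnat comment="Drop all from Wan except DST-NAT"
# Packets arriving from ovpn-out1 now fall through to the default accept,
# matching the office-1 side.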
/ip firewall nat
add chain=srcnat action=masquerade out-interface=ether1-Wan
# Tunnel masquerade deliberately off: office 1 holds a route for
# 10.20.0.0/16 via 10.0.0.2, so LAN addresses cross the tunnel unchanged,
# which is what SIP needs. Note that office 1 does the opposite for its side.
add chain=srcnat action=masquerade out-interface=ovpn-out1 disabled=yes
/ip route
# Default route with gateway liveness check.
add gateway=188.170.23х.хх distance=1 check-gateway=ping
# Office-1 networks and 172.16/16 go over the tunnel; pref-src pins the
# tunnel-side address for router-originated traffic.
add dst-address=10.10.0.0/16 gateway=10.0.0.1 pref-src=10.0.0.2 distance=1
add dst-address=172.16.0.0/16 gateway=10.0.0.1 distance=1
# NOTE(review): next hop 10.20.10.1 is on 10.20.10.0/24, whose address is
# configured on a bridge member port (ether2) in this export; this route is
# only usable while that address is actually active.
add dst-address=172.17.0.0/16 gateway=10.20.10.1 distance=1
/ip service
# Management hardening: clear-text and scripting services switched off.
set ftp disabled=yes
set telnet disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
# winbox, www and www-ssl remain at defaults and are reachable from Wi-Fi,
# the wired LAN and the tunnel; consider address= restrictions.
/ppp secret
# NOTE(review): username and password are both 'iam', and this password was
# exported in clear (the OpenVPN one was masked, this one was not). With the
# PPTP/L2TP servers enabled in this export, anyone on the Wi-Fi or wired
# segment can open a PPP session with it. Replace it with a long random
# password, or delete the account if it is unused. Its two addresses also
# fall inside the Wi-Fi DHCP pool 10.20.200.50-254 as exported.
add name=iam password=iam local-address=10.20.200.50 \
    remote-address=10.20.200.254
/system clock
# Etc/GMT-11 follows the inverted POSIX sign convention and means UTC+11.
set time-zone-name=Etc/GMT-11 time-zone-autodetect=no
/system identity
set name=StroyMarket
/system ntp client
# Same NTP servers as office 1, so both routers' logs stay comparable.
set primary-ntp=89.175.20.7 secondary-ntp=85.30.248.246 enabled=yes
/system routerboard settings
set silent-boot=no

Как сеть настраивалась изначально, описано в этом посте: viewtopic.php?f=3&t=8861

