{"id":12126,"date":"2024-11-25T15:16:50","date_gmt":"2024-11-25T23:16:50","guid":{"rendered":"https:\/\/www.xh86.me\/?p=12126"},"modified":"2024-11-25T15:16:50","modified_gmt":"2024-11-25T23:16:50","slug":"%e5%88%a9%e7%94%a8%e4%ba%91%e4%b8%bb%e6%9c%ba%ef%bc%8c%e7%bb%93%e5%90%88-mikrotik-%e8%b7%af%e7%94%b1%e5%99%a8%e5%bf%ab%e9%80%9f%e6%9e%84%e5%bb%ba%e5%a4%a7%e4%ba%8c%e5%b1%82%e7%bd%91%e7%bb%9c","status":"publish","type":"post","link":"https:\/\/www.xh86.me\/?p=12126","title":{"rendered":"\u5229\u7528\u4e91\u4e3b\u673a\uff0c\u7ed3\u5408 MikroTik \u8def\u7531\u5668\u5feb\u901f\u6784\u5efa\u5927\u4e8c\u5c42\u7f51\u7edc"},"content":{"rendered":"<p>&nbsp;<\/p>\n<p>\u5728\u5229\u7528 <strong>\u4e91\u7f51\u7edc<\/strong> \u548c <strong>\u4e91\u4e3b\u673a<\/strong>\uff0c\u7ed3\u5408 <strong>MikroTik \u8def\u7531\u5668<\/strong> \u5feb\u901f\u6784\u5efa <strong>\u5927\u4e8c\u5c42\u7f51\u7edc<\/strong> \u548c <strong>\u5168\u4e92\u8054 Full Mesh<\/strong> \u7684\u65b9\u6848\u4e2d\uff0c\u6838\u5fc3\u601d\u60f3\u662f\u901a\u8fc7\u96a7\u9053\u6280\u672f\uff08\u5982 <strong>WireGuard<\/strong> \u6216 <strong>GRE over IPsec<\/strong>\uff09\uff0c\u5e76\u7ed3\u5408\u4e8c\u5c42\u6269\u5c55\u6280\u672f\uff08\u5982 <strong>VXLAN<\/strong>\uff09\uff0c\u5b9e\u73b0\u8de8\u7ad9\u70b9\u7684\u9ad8\u6548\u4e92\u8054\u3002<\/p>\n<hr \/>\n<h2><strong>\u8bbe\u8ba1\u601d\u8def\u4e0e\u67b6\u6784<\/strong><\/h2>\n<ol>\n<li><strong>\u6838\u5fc3\u601d\u60f3<\/strong>\uff1a\n<ul>\n<li>\u4f7f\u7528\u4e91\u4e3b\u673a\uff08\u5982 AWS\u3001Azure\u3001GCP \u6216\u5176\u4ed6\u652f\u6301\u865a\u62df\u5316\u7684\u4e91\u670d\u52a1\uff09\u4f5c\u4e3a\u4e2d\u67a2\uff0c\u5efa\u7acb Mesh \u96a7\u9053\u3002<\/li>\n<li>\u5404\u7ad9\u70b9\u901a\u8fc7 MikroTik \u8def\u7531\u5668\u4e0e\u4e91\u7aef\u8fdb\u884c\u4e8c\u5c42\u548c\u4e09\u5c42\u901a\u4fe1\u3002<\/li>\n<li>\u501f\u52a9 VXLAN \u6280\u672f\u5b9e\u73b0\u4e8c\u5c42\u7f51\u7edc\u6269\u5c55\uff0c\u786e\u4fdd\u5e7f\u64ad\u3001ARP\u3001Multicast 
\u7b49\u4e8c\u5c42\u529f\u80fd\u6b63\u5e38\u5de5\u4f5c\u3002<\/li>\n<\/ul>\n<\/li>\n<li><strong>\u5168\u4e92\u8054<\/strong>\uff1a\n<ul>\n<li>\u6784\u5efa\u4e00\u4e2a <strong>Full Mesh<\/strong> \u7f51\u7edc\u7ed3\u6784\uff0c\u901a\u8fc7\u81ea\u52a8\u5316\u914d\u7f6e\u52a8\u6001\u8def\u7531\u6216\u96a7\u9053\u3002<\/li>\n<li>\u907f\u514d\u5355\u70b9\u6545\u969c\uff0c\u63d0\u5347\u7a33\u5b9a\u6027\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<hr \/>\n<h2><strong>\u65b9\u6848\u5177\u4f53\u5b9e\u73b0<\/strong><\/h2>\n<h3><strong>1. \u4e91\u7aef\u57fa\u7840\u8bbe\u65bd\u51c6\u5907<\/strong><\/h3>\n<ul>\n<li>\u90e8\u7f72\u81f3\u5c11 1 \u53f0\u4e91\u4e3b\u673a\u4f5c\u4e3a\u6838\u5fc3\u7f51\u5173\uff1a\n<ul>\n<li>\u5efa\u8bae\u9009\u62e9\u591a\u4e2a\u5730\u7406\u533a\u57df\u7684\u4e91\u670d\u52a1\u63d0\u4f9b\u5546\uff08\u5982 AWS \u7684\u4e0d\u540c\u533a\u57df\uff09\uff0c\u4ee5\u63d0\u5347\u53ef\u7528\u6027\u3002<\/li>\n<li>\u4e91\u4e3b\u673a\u9700\u652f\u6301 VXLAN \u548c\u96a7\u9053\u534f\u8bae\uff08\u5982 WireGuard\u3001GRE\uff09\u3002<\/li>\n<\/ul>\n<\/li>\n<li>\u5206\u914d\u9759\u6001\u516c\u7f51 IP\uff0c\u786e\u4fdd\u6240\u6709\u7ad9\u70b9\u80fd\u7a33\u5b9a\u8fde\u63a5\u5230\u4e91\u4e3b\u673a\u3002<\/li>\n<\/ul>\n<hr \/>\n<h3><strong>2. 
\u914d\u7f6e\u7ad9\u70b9\u4e0e\u4e91\u7684\u96a7\u9053\uff08Full Mesh \u96a7\u9053\uff09<\/strong><\/h3>\n<h4>\u65b9\u6848 1\uff1a\u4f7f\u7528 WireGuard\uff08\u63a8\u8350\uff09<\/h4>\n<p>WireGuard \u662f\u4e00\u79cd\u9ad8\u6548\u3001\u5b89\u5168\u7684\u96a7\u9053\u534f\u8bae\uff0c\u975e\u5e38\u9002\u5408\u6784\u5efa\u8de8\u7ad9\u70b9 Mesh\u3002<\/p>\n<ol>\n<li><strong>\u5728\u4e91\u4e3b\u673a\u4e0a\u914d\u7f6e WireGuard<\/strong>\uff1a\n<pre><code class=\"language-bash\">\/interface wireguard add name=wg-cloud listen-port=51820 private-key=\"CLOUD_PRIVATE_KEY\"\r\n<\/code><\/pre>\n<\/li>\n<li><strong>\u5728\u6bcf\u4e2a\u7ad9\u70b9\u914d\u7f6e WireGuard<\/strong>\uff1a\n<ul>\n<li>\u8bbe\u7f6e\u5230\u4e91\u4e3b\u673a\u7684\u96a7\u9053\u3002<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">\/interface wireguard add name=wg-site1 listen-port=51820 private-key=\"SITE1_PRIVATE_KEY\"\r\n\/interface wireguard peers add interface=wg-site1 public-key=\"CLOUD_PUBLIC_KEY\" allowed-address=0.0.0.0\/0 endpoint=\"CLOUD_IP:51820\"\r\n<\/code><\/pre>\n<p>说明：<code>allowed-address=0.0.0.0\/0<\/code> 表示该隧道允许承载任意目的地址的流量，并接受来自云端的任意源地址（与第 5 节把默认路由指向云端的做法配合）；若只需要站点间互通，应收窄为各站点网段和云端隧道地址。站点位于 NAT 之后时，请为该 Peer 加上 <code>persistent-keepalive=25s<\/code> 以维持 NAT 映射，否则云端无法主动向站点发包。私钥只保存在生成它的设备上，每个站点各用一对密钥，不要在多个站点复用。<\/p>\n<\/li>\n<li><strong>\u5168\u4e92\u8054 WireGuard<\/strong>\uff1a\n<ul>\n<li>\u5728\u4e91\u4e3b\u673a\u4e0a\u914d\u7f6e\u6240\u6709\u7ad9\u70b9\u7684 Peer\u3002<\/li>\n<\/ul>\n<pre><code class=\"language-bash\">\/interface wireguard peers add interface=wg-cloud public-key=\"SITE1_PUBLIC_KEY\" allowed-address=10.10.1.0\/24\r\n\/interface wireguard peers add interface=wg-cloud public-key=\"SITE2_PUBLIC_KEY\" allowed-address=10.10.2.0\/24\r\n<\/code><\/pre>\n<p>注意：上述配置实际上是以云主机为中心的星型（Hub-and-Spoke）拓扑，站点之间的流量都要经过云主机，云主机仍然是单点。要做到真正的 Full Mesh，还需要在各站点之间两两互加 Peer（以站点公网地址作为 endpoint，allowed-address 填对端站点网段），或者至少部署第二台云主机作为备用 Hub。<\/p>\n<\/li>\n<\/ol>\n<h4>\u65b9\u6848 2\uff1a\u4f7f\u7528 GRE over IPsec<\/h4>\n<p>GRE 本身是三层隧道（RouterOS 的 <code>\/interface gre<\/code> 只承载 IP，二层透传仍依赖第 3 节的 VXLAN 或 EoIP），IPsec 负责对 GRE 流量加密。它的配置项比 WireGuard 多、也更容易漏配，仅建议在对端不支持 WireGuard 时采用。<\/p>\n<ol>\n<li><strong>\u914d\u7f6e GRE \u96a7\u9053<\/strong>\uff1a\n<pre><code class=\"language-bash\">\/interface gre add name=gre-cloud remote-address=CLOUD_IP local-address=SITE1_IP\r\n<\/code><\/pre>\n<\/li>\n<li><strong>\u542f\u7528 IPsec \u52a0\u5bc6<\/strong>\uff1a\n<pre><code class=\"language-bash\">\/ip ipsec 
peer add address=CLOUD_IP secret=\"sharedsecret\" enc-algorithm=aes-256\r\n<\/code><\/pre>\n<p>注意：<code>sharedsecret<\/code> 只是占位符。预共享密钥应使用足够长的随机值（例如用 <code>openssl rand -base64 32<\/code> 生成），并且每个站点单独一个，避免一处泄露影响全网；条件允许时优先改用证书认证。另外，只定义 IPsec peer 并不会加密任何流量，还必须添加匹配 GRE（IP 协议 47）流量的 <code>\/ip ipsec policy<\/code> 并关联 proposal，否则 GRE 仍然以明文走公网。上面的单行写法是旧版 RouterOS v6 语法；v7 中预共享密钥在 <code>\/ip ipsec identity<\/code>、算法在 <code>\/ip ipsec profile<\/code> 与 <code>proposal<\/code> 下设置，请按实际版本调整。<\/p>\n<\/li>\n<\/ol>\n<hr \/>\n<h3><strong>3. \u914d\u7f6e\u4e8c\u5c42\u7f51\u7edc\u6269\u5c55 (VXLAN)<\/strong><\/h3>\n<h4>a. \u521b\u5efa VXLAN \u63a5\u53e3<\/h4>\n<ul>\n<li>\u5728\u4e91\u4e3b\u673a\u4e0a\uff1a\n<pre><code class=\"language-bash\">\/interface vxlan add name=vxlan-cloud vxlan-id=42 remote-address=0.0.0.0 local-address=CLOUD_INTERNAL_IP\r\n<\/code><\/pre>\n<\/li>\n<li>\u5728\u7ad9\u70b9 MikroTik \u4e0a\uff1a\n<pre><code class=\"language-bash\">\/interface vxlan add name=vxlan-site1 vxlan-id=42 remote-address=CLOUD_INTERNAL_IP local-address=SITE1_INTERNAL_IP\r\n<\/code><\/pre>\n<\/li>\n<\/ul>\n<p>安全提示：VXLAN 本身没有任何认证和加密，任何能向 VTEP 的 UDP 4789 端口发包的主机都能向桥内注入二层帧。因此 <code>local-address<\/code> 必须绑定隧道内地址（如上例的 CLOUD_INTERNAL_IP），让 VXLAN 只在 WireGuard\/IPsec 隧道内传输；云主机的 input 链只允许来自隧道接口的 UDP 4789，公网接口一律拒绝。云端写成 <code>remote-address=0.0.0.0<\/code> 只是表示不固定单一对端，各站点的隧道内地址仍应逐一登记而不是接受任意来源；具体参数名以所用 RouterOS 版本为准（v7 中 VNI 用 <code>vni=<\/code>，多个对端通过 <code>\/interface vxlan vteps<\/code> 登记）。<\/p>\n<h4>b. \u914d\u7f6e\u6865\u63a5<\/h4>\n<ul>\n<li>\u5c06 VXLAN \u63a5\u53e3\u52a0\u5165\u4e8c\u5c42\u6865\uff1a\n<ul>\n<li>\u5728\u4e91\u4e3b\u673a\uff1a\n<pre><code class=\"language-bash\">\/interface bridge add name=bridge-cloud\r\n\/interface bridge port add bridge=bridge-cloud interface=vxlan-cloud\r\n<\/code><\/pre>\n<\/li>\n<li>\u5728\u7ad9\u70b9\uff1a\n<pre><code class=\"language-bash\">\/interface bridge add name=bridge-site1\r\n\/interface bridge port add bridge=bridge-site1 interface=vxlan-site1\r\n<\/code><\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<h4>c. \u9a8c\u8bc1\u4e8c\u5c42\u8fde\u901a\u6027<\/h4>\n<ul>\n<li>\u786e\u4fdd\u7ad9\u70b9\u4e4b\u95f4\u53ef\u4ee5\u76f8\u4e92 ping \u4e8c\u5c42\u5730\u5740\uff08\u5982 VXLAN \u7684\u5185\u7f51 IP\uff09\u3002<\/li>\n<\/ul>\n<hr \/>\n<h3><strong>4. \u5168\u4e92\u8054\u4f18\u5316<\/strong><\/h3>\n<h4>a. 
\u542f\u7528\u52a8\u6001\u8def\u7531\u534f\u8bae<\/h4>\n<p>\u5229\u7528\u52a8\u6001\u8def\u7531\u534f\u8bae\uff08\u5982 BGP\uff09\u5b9e\u73b0\u81ea\u52a8\u5316\u8def\u7531\u66f4\u65b0\u548c\u5168\u4e92\u8054\u3002<\/p>\n<ul>\n<li>\u5728\u4e91\u4e3b\u673a\u4e0a\u914d\u7f6e BGP\uff1a\n<pre><code class=\"language-bash\">\/routing bgp instance add name=bgp-cloud as=65000\r\n\/routing bgp peer add name=peer1 remote-address=10.10.1.1 as=65001\r\n\/routing bgp peer add name=peer2 remote-address=10.10.2.1 as=65002\r\n<\/code><\/pre>\n<\/li>\n<li>\u5728\u7ad9\u70b9\u914d\u7f6e BGP\uff1a\n<pre><code class=\"language-bash\">\/routing bgp instance add name=bgp-site as=65001\r\n\/routing bgp peer add name=peer-cloud remote-address=10.10.0.1 as=65000\r\n<\/code><\/pre>\n<\/li>\n<\/ul>\n<h4>b. \u5197\u4f59\u6027<\/h4>\n<p>\u4e3a\u96a7\u9053\u914d\u7f6e\u591a\u8def\u5f84\u5197\u4f59\uff08\u5982 WireGuard \u591a\u7aef\u70b9\u6216 BGP \u591a\u8def\u5f84\uff09\u3002<\/p>\n<h4>c. \u8c03\u6574 MTU<\/h4>\n<p>\u6839\u636e VXLAN \u548c\u96a7\u9053\u5c01\u88c5\u7684\u5f00\u9500\uff0c\u8c03\u6574 MTU \u9632\u6b62\u5206\u7247\u95ee\u9898\uff1a<\/p>\n<ul>\n<li>WireGuard \u63a5\u53e3 MTU\uff1a<code>1400<\/code><\/li>\n<li>VXLAN \u63a5\u53e3 MTU\uff1a<code>1350<\/code><\/li>\n<\/ul>\n<hr \/>\n<h3><strong>5. 
\u51fa\u53e3\u6d41\u91cf\u4f18\u5316<\/strong><\/h3>\n<ul>\n<li>\u5728\u4e91\u4e3b\u673a\u8bbe\u7f6e NAT\uff1a\n<pre><code class=\"language-bash\">\/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade\r\n<\/code><\/pre>\n<\/li>\n<li>\u786e\u4fdd\u7ad9\u70b9\u6d41\u91cf\u901a\u8fc7 VXLAN \u96a7\u9053\u51fa\u53e3\uff1a\n<ul>\n<li>\u9ed8\u8ba4\u8def\u7531\u6307\u5411\u4e91\u4e3b\u673a\u3002\n<pre><code class=\"language-bash\">\/ip route add dst-address=0.0.0.0\/0 gateway=CLOUD_VXLAN_IP\r\n<\/code><\/pre>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<hr \/>\n<h2><strong>\u9002\u5408\u7684\u5e94\u7528\u573a\u666f<\/strong><\/h2>\n<ol>\n<li><strong>\u4f01\u4e1a\u7ea7\u5206\u652f\u4e92\u8054<\/strong>\uff1a\n<ul>\n<li>\u5728\u5168\u7403\u591a\u4e2a\u5206\u652f\u673a\u6784\u4e4b\u95f4\u5b9e\u73b0\u65e0\u7f1d\u4e8c\u5c42\u6269\u5c55\u3002<\/li>\n<li>\u9002\u7528\u4e8e\u5e7f\u64ad\u9700\u6c42\uff08\u5982 DHCP\u3001ARP\u3001iSCSI\uff09\u3002<\/li>\n<\/ul>\n<\/li>\n<li><strong>\u9ad8\u6548\u707e\u5907\u4e0e\u540c\u6b65<\/strong>\uff1a\n<ul>\n<li>\u63d0\u4f9b\u5927\u4e8c\u5c42\u7f51\u7edc\uff0c\u652f\u6301\u4e3b\u5907\u6570\u636e\u4e2d\u5fc3\u7684\u5b9e\u65f6\u540c\u6b65\u3002<\/li>\n<\/ul>\n<\/li>\n<li><strong>\u5bb9\u5668\u548c\u865a\u62df\u5316\u73af\u5883<\/strong>\uff1a\n<ul>\n<li>\u652f\u6301\u591a\u5730\u57df\u865a\u62df\u673a\u96c6\u7fa4\u7684\u4e8c\u5c42\u4e92\u8054\u3002<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n<hr \/>\n<h2><strong>\u4f18\u52bf\u4e0e\u4f18\u5316\u5efa\u8bae<\/strong><\/h2>\n<ul>\n<li><strong>\u4f4e\u5ef6\u8fdf\u3001\u9ad8\u53ef\u7528<\/strong>\uff1a\u901a\u8fc7 WireGuard 
\u5b9e\u73b0\u4f4e\u5ef6\u8fdf\u96a7\u9053\uff0c\u7ed3\u5408\u52a8\u6001\u8def\u7531\u63d0\u4f9b\u9ad8\u53ef\u7528\u6027\u3002<\/li>\n<li><strong>\u5b89\u5168\u6027<\/strong>\uff1a隧道加密只保护公网链路上的传输；隧道之内仍是一个横跨所有站点的二层广播域，任一站点内的 ARP 欺骗、伪造 DHCP 服务器或 MAC 泛洪都会扩散到其他站点。应在各站点的桥上启用 DHCP snooping 和必要的 bridge filter，只把确实需要二层互通的 VLAN 接入 VXLAN；云主机的 input 链对公网只放行 WireGuard（UDP 51820）或 IKE\/ESP，BGP（TCP 179）与 VXLAN（UDP 4789）只允许来自隧道接口，BGP 会话建议配置 <code>tcp-md5-key<\/code>。<\/li>\n<li><strong>\u7075\u6d3b\u6269\u5c55<\/strong>\uff1a\u901a\u8fc7\u4e91\u7aef\u7ba1\u7406\uff0c\u5feb\u901f\u6dfb\u52a0\u65b0\u7ad9\u70b9\u3002<\/li>\n<li><strong>\u96c6\u4e2d\u7ba1\u7406<\/strong>\uff1a\u5229\u7528\u52a8\u6001\u8def\u7531\u548c\u76d1\u63a7\u5de5\u5177\uff08\u5982 The Dude\uff09\u7ba1\u7406\u5168\u7f51\u6d41\u91cf\u3002<\/li>\n<\/ul>\n<hr \/>\n<p>\u8fd9\u662f\u4e00\u4e2a\u9ad8\u6548\u7684\u65b9\u6848\uff0c\u5c24\u5176\u9002\u7528\u4e8e\u9700\u8981\u5feb\u901f\u90e8\u7f72\u5927\u89c4\u6a21\u4e8c\u5c42\u7f51\u7edc\u7684\u8de8\u5730\u57df\u573a\u666f\u3002但大二层会把广播域和故障域一起拉长，只有在应用确实依赖二层邻接（如 DHCP、iSCSI、虚拟机迁移）时才值得采用，否则应优先考虑基于 BGP 的三层互联。<\/p>\n","protected":false},"excerpt":{"rendered":"<p>&nbsp; \u5728\u5229\u7528 \u4e91\u7f51\u7edc \u548c \u4e91\u4e3b\u673a\uff0c\u7ed3\u5408 MikroTik \u8def\u7531\u5668 \u5feb\u901f\u6784\u5efa \u5927\u4e8c\u5c42\u7f51\u7edc \u548c \u5168\u4e92\u8054 F 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9,2],"tags":[],"class_list":["post-12126","post","type-post","status-publish","format-standard","hentry","category-mikrotik","category-network"],"_links":{"self":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/12126","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=12126"}],"version-history":[{"count":1,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/12126\/revisions"}],"predecessor-version":[{"id":12127,"href":"https:\/\/www.xh86.me\/index.php?rest_route=\/wp\/v2\/posts\/12126\/revisions\/12127"}],"wp:attachment":[{"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=12126"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=12126"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.xh86.me\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=12126"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}