Greetings readers, in this article I would like to share my experience of setting up an internal Yandex cloud network and routing to the Internet through RouterOS MikroTik.
There is one VPCthat is administered by internal services and distributes external ipinternal VMs through a subnet gateway behind NAT, which is not very convenient for centralized administration.
The scheme of the internal network and getting the external one ipin Yandex cloud looks like this:
ip NAT-instance forward, . / ( VPC Preview).
, IP VPC1
, :
.
:
Internal1-a β 10.1.0.0/24
Internal2-a β 10.1.1.0/24
Internal1-b β 10.1.2.0/24
Internal2-b β 10.1.3.0/24
Internal1-c β 10.1.4.0/24
Internal2-c β 10.1.5.0/24 , . . ip
Gateway β X.X.X.1
Internal DNS β X.X.X.2 RouterOS.
Cloud Marketplace -> -> Cloud Hosted Router ip
RouterOS
Ether1 β 10.1.0.254
Ether2 β 10.1.1.254 ether1 winbox. , admin rsa public key.
CLI. winbox, , ip route ..
,
/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip,
b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 10.1.0.1 1
1 ADC 10.1.1.0/24 10.1.1.254 ether2 0
2 ADC 10.1.0.0/24 10.1.0.254 ether1 0 ether1 10.1.0.1 NAT . ip , .
2 , 2 , distance .
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=2
add dst-address=10.1.2.0/24 gateway=10.1.0.1 distance=1
add dst-address=10.1.3.0/24 gateway=10.1.1.1 distance=1
add dst-address=10.1.5.0/24 gateway=10.1.1.1 distance=1
add dst-address=10.1.4.0/24 gateway=10.1.0.1 distance=1 b c a.
firewall.
/ip firewall filter
add chain=input action=accept src-address=10.1.5.0/24
add chain=input action=accept src-address=10.1.1.0/24
add chain=input action=accept src-address=10.1.3.0/24
add chain=input action=accept src-address=10.1.2.0/24
add chain=input action=accept src-address=10.1.0.0/24
add chain=input action=accept src-address=10.1.4.0/24 ping
/ip firewall filter
add chain=input action=accept protocol=icmp
/ip firewall filter
add chain=forward action=accept src-address=10.1.5.0/24 \
dst-address=0.0.0.0/0
add chain=forward action=accept src-address=10.1.1.0/24 \
dst-address=0.0.0.0/0
add chain=forward action=accept src-address=10.1.3.0/24 \
dst-address=0.0.0.0/0
add chain=forward action=accept src-address=10.1.2.0/24 \
dst-address=0.0.0.0/0
add chain=forward action=accept src-address=10.1.0.0/24 \
dst-address=0.0.0.0/0
add chain=forward action=accept src-address=10.1.4.0/24 \
dst-address=0.0.0.0/0
/ip firewall filter add chain=input action=drop log=no
/ip firewall filter move numbers="[old rule no]" \
destination="[new rule no]"
/ip firewall filter print ip , MultiWAN. MULTIWAN ( )
WAN , route rules, 2 interface list
/interface list
add name="WAN1"
add name="WAN2"
/interface list member
add list=WAN1 interface=ether1 dynamic=no
add list=WAN2 interface=ether2 dynamic=no
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.0.1 distance=1 routing-mark=WAN1
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=1 routing-mark=WAN2 , ether1, ,
/ip route rule
add src-address=10.1.0.0/16 dst-address=10.1.0.0/16 action=lookup-only-in-table table=main
add src-address=10.1.3.0/24 action=lookup-only-in-table table=WAN2
add src-address=10.1.5.0/24 action=lookup-only-in-table table=WAN2 2 ip , .
:
Virtual Private Cloud -> -> NAT -> -> , -> : 0.0.0.0/0, Next hop: 10.1.0.1/10.1.1.1 -> .
( api kubernetes) ipsec, 2
: 10.1.0.0/16, Next hop: 10.1.0.1/10.1.1.1
: <_>, Next hop: 10.1.0.1/10.1.1.1 , , IP , srcnat . masquerade
/ip firewall nat
add chain=srcnat action=accept src-address=10.1.0.0/16 dst-address=10.1.0.0/16
add chain=srcnat action=masquerade src-address=10.1.0.0/24 dst-address=0.0.0.0/0
add chain=srcnat action=masquerade src-address=10.1.1.0/24 dst-address=0.0.0.0/0
add chain=srcnat action=masquerade src-address=10.1.2.0/24 dst-address=0.0.0.0/0
add chain=srcnat action=masquerade src-address=10.1.3.0/24 dst-address=0.0.0.0/0
add chain=srcnat action=masquerade src-address=10.1.4.0/24 dst-address=0.0.0.0/0
add chain=srcnat action=masquerade src-address=10.1.5.0/24 dst-address=0.0.0.0/0 ip . .
:
// ip :
/ip firewall nat
add chain=dstnat action=netmap to-addresses=10.1.5.20 \
to-ports=10050 protocol=tcp src-address=7.7.7.1 in-interface-list=WAN2 port=10055
add chain=dstnat action=netmap to-addresses=10.1.0.5 \
to-ports=3306 protocol=tcp src-address=7.7.7.2 in-interface-list=WAN1 port=11050 7.7.7.1/7.7.7.2 ip .
, ipsec, , .
: ipsec
, ipsec ip
, psk, . . ip NAT, peer mikrotik, identity IP
/ip ipsec profile
add name="office" hash-algorithm=sha512 enc-algorithm=des dh-group=modp1536 \
lifetime=8h proposal-check=obey nat-traversal=no \
dpd-interval=2m dpd-maximum-failures=5
/ip ipsec peer
add name="peer_office" address=9.9.9.1/32 local-address=10.1.1.0 \
profile=office exchange-mode=aggressive send-initial-contact=yes
/ip ipsec identity
add peer=peer_office auth-method=pre-shared-key notrack-chain="prerouting" \
secret="123123123" generate-policy=no policy-template-group=office \
my-id=address:<cloud_ext_ip_address>
/ip ipsec proposal
add name="office" auth-algorithms=sha256 \
enc-algorithms=des lifetime=1h pfs-group=modp1536
/ip ipsec policy
add peer=peer_office tunnel=yes src-address=10.1.0.0/16 src-port=any \
dst-address=10.7.0.0/16 \
dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp \
sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office , peer level unique, 12.1.0.0/24 12.10.0.0/24
/ip ipsec policy
add peer=peer_office tunnel=yes src-address=10.1.0.0/16 src-port=any \
dst-address=12.1.0.0/24 \
dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp \
sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office
add peer=peer_office tunnel=yes src-address=10.1.0.0/16 src-port=any \
dst-address=12.10.0.0/24 \
dst-port=any protocol=all action=encrypt level=unique ipsec-protocols=esp \
sa-src-address=10.1.1.254 sa-dst-address=9.9.9.1 proposal=office firewall β fillter rules, NAT, raw, NAT
/ip firewall filter
add chain=input action=accept src-address=10.7.0.0/16
add chain=input action=accept protocol=ipsec-esp src-address=9.9.9.1
add chain=input action=accept protocol=udp src-address=9.9.9.1 port=500
add chain=forward action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16
add chain=forward action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16
/ip firewall nat
add chain=srcnat action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16
add chain=srcnat action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16
/ip firewall raw
add chain=prerouting action=accept src-address=10.1.0.0/16 dst-address=10.7.0.0/16
add chain=prerouting action=accept src-address=10.7.0.0/16 dst-address=10.1.0.0/16 10.7.0.0/16 β , 9.9.9.1 β ip
.
A license MikroTik RouterOSmust be purchased for, otherwise the port speed will be 1 Gbps and functional restrictions
https://wiki.mikrotik.com/wiki/Manual:License
Thank you for attention!
Sources used:
UPD
Based on comments and remarks, added the article, added a descriptionipsec