Introduce task must provide stable cover seamless Internet and Wi-Fi a building area of 300 m 2 with a possible design load up to 100 people. At first glance, it looks like a fault. But just add a couple of details, and the task becomes more complicated:
the building is located in a forested area where there are no optics, so our option is mobile communications;
you need to ensure regular video broadcasts, that is, to achieve a stable Internet with a single GSM provider;
the budget is limited.
Total: losses and dumps from the base station sneak up at the most inopportune time.
I have encountered such problems at call centers without dedicated communication channels, mobile reporter complexes, critical remote systems. Difficulties can arise not only in the case of VoIP and video streaming, but also with any request for a guaranteed delivery channel for loss-sensitive traffic. Unfortunately, it is not always possible to supply optics and purchase expensive equipment.
, " " β . β .
, , . LTE- Cat4 Cat6 β β Cat12 , β . , LTE-. .
: , bonding, TCP-OpenVPN- .
" " β CLOUD HOSTED ROUTER (CHR) Router OS;
L2TP- IPsec;
L2TP over IPsec EoIP-;
EoIP- bonding-;
β TCP- OpenVPN-.
:
- R1 . , MikroTik CCR, , . β , (VRRP ).
OpenVPN UDP 7- RouterOS, TCP.
, . LTE- , .
. R1 ( ) β β R2 ().
R1
IP -. CHR Edge VMware, Edge UDP 1701, 500 4500 NAT-T β IPSec Network Address Translator Traversal. Edge.
firewall filter UDP 1701, 500 4500. IP Edge, NAT Traversal !
IPsec-:
/ip ipsec profile set [ find default=yes ] dh-group=modp1024 enc-algorithm=3de
L2TP-:
/ppp profile add change-tcp-mss=no name=profile01 use-compression=no use-encryption=no use-mpls=no use
:
/ppp secret add local-address=172.16.0.1 name=l2tp_R1-R2_ISP1 password=ros7.elements.forever profile=profile01 remote-address=172.16.0.2 service=l2tp add local-address=172.16.0.5 name=l2tp_R1-R2_ISP2 password=ros7.elements.forever profile=profile01 remote-address=172.16.0.6 service=l2tp
L2TP- IPsec:
/interface l2tp-server server set authentication=mschap2 caller-id-type=number default-profile=profile01 enabled=yes ipsec-secret= use-ipsec=yes
EoIP- L2TP/IPsec-:
/interface eoip add keepalive=1s,5 local-address=172.16.0.1 mac-address=00:00:00:00:00:A1 name=eoip-tun1_over_l2tp_R1-R2_ISP1 remote-address=172.16.0.2 tunnel-id=1 add keepalive=1s,5 local-address=172.16.0.5 mac-address=00:00:00:00:00:B1 name=eoip-tun2_over_l2tp_R1-R2_ISP2 remote-address=172.16.0.6 tunnel-id=2
keepalive timeout 1 EoIP- ID.
bonding IP-:
/interface bonding add lacp-rate=1sec mii-interval=1ms mode=broadcast name=bonding1 slaves=eoip-tun1_over_l2tp_R1-R2_ISP1,eoip-tun2_over_l2tp_R1-R2_ISP2
/ip address add address=172.16.1.1/30 interface=bonding1
, mode ( bonding-) broadcast, . bonding-. , .
OpenVPN-
OpenVPN , CHR. . /ppp profile /ppp secret OpenVPN:
/ppp profile
add change-tcp-mss=no name=profile02 use-compression=no use-encryption=no use-mpls=no use
/ppp secret
add local-address=172.16.2.1 name=ovpn_over_bonding1 password=ros7.elements.forever profile=profile02 remote-address=172.16.2.2 service=ovpn
/interface ovpn-server server
set auth=sha1 certificate=server.crt_0 cipher=aes256 default-profile=profile02 enabled=yes keepalive-timeout=30 port=1194 require-client-certificate=yes
nat- R2, R1:
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.1.0/24
R2 OpenVPN-:
/ip route
add check-gateway=ping distance=1 dst-address=192.168.1.0/24 gateway=172.16.2.2
R2
LTE- IP- -. output :
/ip route add distance=1 dst-address= 198.51.100.10/32 gateway=lte1 add distance=1 dst-address= 198.51.100.20/32 gateway=lte2 /ip firewall filter add action=drop chain=output dst-address= 198.51.100.10 out-interface=lte2 add action=drop chain=output dst-address= 198.51.100.20 out-interface=lte1
R1 /ip ipsec profile:
/ip ipsec profile set [ find default=yes ] dh-group=modp1024 enc-algorithm=3de
/ppp profile:
L2TP/IPsec- - :
/ppp profile add change-tcp-mss=no name=profile01 use-compression=no use-encryption=no use-mpls=no use /interface l2tp-client add allow=mschap2 connect-to= 198.51.100.10 disabled=no ipsec-secret= ros7.elements.forever keepalive-timeout=30 name=l2tp_to_R1_over_ISP1 password=ros7.elements.forever profile=profile01 use-ipsec=yes user=l2tp_R1-R2_ISP1 add allow=mschap2 connect-to= 198.51.100.20 disabled=no ipsec-secret= ros7.elements.forever keepalive-timeout=30 name=l2tp_to_R1_over_ISP2 password=ros7.elements.forever profile=profile01 use-ipsec=yes user=l2tp_R1-R2_ISP2
EoIP- R1, local remote IP L2TP/IPsec- R2. Bonding- , R1:
/interface eoip add keepalive=1s,5 local-address=172.16.0.2 mac-address=00:00:00:00:00:A2 name=eoip-tun1_over_l2tp_R1-R2_ISP1 remote-address=172.16.0.1 tunnel-id=1 add keepalive=1s,5 local-address=172.16.0.6 mac-address=00:00:00:00:00:B2 name=eoip-tun2_over_l2tp_R1-R2_ISP2 remote-address=172.16.0.5 tunnel-id=2 /interface bonding add lacp-rate=1sec mii-interval=1ms mode=broadcast name=bonding1 slaves=eoip-tun1_over_l2tp_R1-R2_ISP1,eoip-tun2_over_l2tp_R1-R2_ISP2 /ip address add address=172.16.1.2/30 interface=bonding1
, :
OpenVPN- R2:
/ppp profile add change-tcp-mss=no name=profile02 use-compression=no use-encryption=no use-ipv6=no use-mpls=no use-upnp=no /interface ovpn-client add certificate=client.crt_0 cipher=aes256 connect-to=172.16.1.1 mac-address=00:00:00:00:00:C2 name=ovpn_over_bonding1 password= profile=profile02 use-peer-dns=no user="ovpn_over_bonding1 " verify-server-certificate=yes
R, EoIP β RS. OpenVPN . β OpenVPN-. /ip firewall mangle :
/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=google_sites dst-port=1935 new-routing-mark=pc_to_stream-youtube_over_R1 passthrough=yes protocol=tcp src-address=192.168.1.1
OpenVPN- :
/ip route add check-gateway=ping distance=1 gateway=172.16.2.1 routing-mark=pc_to_stream-youtube_over_R1
!
L2TP OpenVPN-. , , , L2TP OpenVPN, .
RouterOS /tools . /tools Packet Sniffer + Wireshark.
" mtu", .
. RSRP, RSRQ SINR , . .
! L2TP, EoIP, : OpenVPN SSTP.
, . LTE- : random.
-, ( , .). , LTE-. , .
QOS β , LTE, VoIP. , .
, L2TP IPsec R1. IP LTE- firewall . NAT , . IP , MikroTik ip β cloud, DNS- IP, DDNS.
, , : peplink MAX HD4 LTE , β . .
:
, , MPTCP (Multipath TCP).