[niv]

Существуют ли роутеры, позволяющие создать на них VPN сервер? И сколько такое удовольствие стоит (если существует вообще?)

(с проверкой логина и пароля).

Или такое только на компе реально сделать?

 

По принципу: юзер подключается к vpn серваку (указывая логин и пароль) и только потом получает доступ в Интернет...

(как провайдеры типа корбины, qwerty и прочие работают)...

 

Причем соединение с VPN через PPTP желательно...

L2TP - не поймут...

 

P.S.И вовсе не обязательно чтоб с поддержкой wi-fi...

Для wi-fi у меня другое оборудование

Изменено 10 мая, 2008 пользователем niv

[2bit]

Советую тебе D-Link DFL-210. Дешевле и круче не найдёш.

 

VPN-сервер работает на ура. Поддерживает до 200 одновременных подключённых по VPN клиентов.

 

Есть порт DMZ, каторый можно заюзать как WAN2. Вообщем лучший подарок пионеру.

 

Минусы:

- нет динамического шейпера (тебе для каких целей)?

[niv]

Весьма неплохо! Спасибо)

Но послушаю и другие варианты.

Вдруг кто получше предложит...

[a0xff]

2bit херассе скромность

особенно по поводу "дешевле не найдёшь"

любая железка с openwrt такую функциональность имеет, начиная от planet xrt-401d за 35 $.

юзверей сколько и полоса какая указать бы неплохо

[niv]

До 50 юзеров (в начале) будет...

(безопасностью уже при проектировании сетки решил озаботиться)...

 

[a0xff]

50 много.

"домашние" роутеры такое не потянут

[woddy]

тогда писюк с линухом имхо. и вдумчиво курить маны. дешево и сердито

[niv]

50 много."домашние" роутеры такое не потянут

Домашние роутеры не потянут. Возникает вопрос закономерный: а если не домашние?

 

[woddy]

на вскидку

http://shop.nag.ru/core.asp?main=catalog&a...=1716&cat=2

http://shop.nag.ru/core.asp?main=catalog&a...=1714&cat=2

[niv]

Только вот не совсем понимаю.

1 туннель (1 соединение фактически) равен 1 юзеру?

Или нет?

 

А то ведь и на многих пишут типа: 100 туннелей

(шейпинг канала не обязателен)...

Изменено 10 мая, 2008 пользователем niv

[woddy]

> 1 туннель (1 соединение фактически) равен 1 юзеру?

да

[niv]

Ну так тогда 50 юзеров - так и можно брать простейший роутер типа Planet VRT-401 или даже

TRENDnet TW100-BRF114 (100 туннелей)

Зачем тут Линукс (хотя в определенном смысле верно - на роутере тоже линукс ведь) или дорогие роутеры провайдерского класса?

 

Или какой-то подвох всё же может быть тут?

Изменено 10 мая, 2008 пользователем niv

[woddy]

зависит от объемов и характера трафика. "100 тунелей" мало что значат. одно дело вебсерфинг по 3руб/мб на 100 клиентов. другое дело мегабитная безлимитка и торренты на те же 100 клиентов

[a0xff]

вот еще железка http://dlink.ru/products/prodview.php?type=18&id=603

а ХЗ, тут трудно что-либо советовать.

обычно для таких задач ставят писюк, для 5-10 юзверей при умеренном трафике подходят роутеры на openwrt.

а тут вроде как промежуточное звено

 

[woddy]

> вот еще железка http://dlink.ru/products/prodview.php?type=18&id=603

тестили... какая-то глючная была. отказались

 

зато сервер под линухом (дюал ксеон, 2гб) отлично прокачивает, НАТит, и обсчитывает 300гигов на 150клиентов в месяц

Изменено 10 мая, 2008 пользователем woddy

[niv]

Там где это будет использоваться - скорость 128-256 Кбит/сек на клиента (шейпинг - эт другими средствами реализован)...

Это - сельская местность.

У меня там небольшая (5 пользователей, честно платящих - не обманывающих меня админа) wi-fi сетка уже есть, но не то что бы официальная (но пока всё успешно)...

 

Соответственно у других провайдеров тарифы ужас, подключение - дорогое и так далее...

Но пока народу мало - рекламой не занимался. Хотя многих интересует...

 

Да и плюс - дачники - которым инет нужен на 2, ну на три месяца в году - wi-fi инет от меня так в самый раз им...

Изменено 10 мая, 2008 пользователем niv

[a0xff]

woddy спасибо за инфу, а как тестили?

как проблема проявлялась?

[woddy]

a0xff

к сожалению подробнее сказать не могу. тестировал год назад инженер который щас уволился.

 

впечатления были "сырая прошивка, работает через раз".

 

после очередной реконфигурации железка просто перестала загружаться. и была возвращена в СЦ длинка где её и брали для опытов

[2bit]

Кроме DFL даже ставить нечего. Домашние роутеры порвёт от одного клиента, от p2p трафика.

[neperpbl3]

Пример VPN PPTP и L2TP на Cisco 3825 с использованием RADIUS сервера

 

Цитата

sh version
Cisco IOS Software, 3800 Software (C3825-ADVENTERPRISEK9-M), Version 12.4(16), RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2007 by Cisco Systems, Inc.
Compiled Wed 20-Jun-07 14:49 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T10, RELEASE SOFTWARE (fc1)

ROUTER IA uptime is 29 weeks, 2 days, 8 hours, 56 minutes
System returned to ROM by reload at 16:34:49 KRSK Mon Aug 29 2022
System restarted at 16:37:11 KRSK Mon Aug 29 2022
System image file is "flash:c3825-adventerprisek9-mz.124-16.bin"

This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

Cisco 3825 (revision 1.2) with 209920K/52224K bytes of memory.
Processor board ID FCZ130270VR
2 Gigabit Ethernet interfaces
1 Virtual Private Network (VPN) Module
DRAM configuration is 64 bits wide with parity enabled.
479K bytes of NVRAM.
62720K bytes of ATA System CompactFlash (Read/Write)

Configuration register is 0x3922

 

 

 

Конфигурация

 

Цитата

version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname CISCO3825
!
boot-start-marker
boot system flash:c3825-adventerprisek9-mz.124-16.bin
boot-end-marker
!
logging buffered 4096 errors
logging console notifications
enable secret 5 xxxxxxxxxxxxxxxxxxxxxxxx
!
aaa new-model
!
!
aaa authentication login default local
aaa authentication login tac_plus-server group tacacs+ local
aaa authentication login local_user local
aaa authentication ppp VPN_SERVER group radius
aaa authorization exec default group tacacs+ local
aaa authorization network default group radius
aaa authorization network VPN_SERVER group radius
aaa accounting network default start-stop group radius
aaa accounting system default start-stop group radius
!
aaa session-id common
memory-size iomem 20
clock timezone MSK 7
clock calendar-valid
ip cef
!
!
!
!
ip flow-cache timeout active 1
ip domain name domain.ru
ip name-server 8.8.8.8
ip name-server 4.4.4.4
ip sla monitor responder
login on-failure log
login on-success log
vpdn enable
!
vpdn-group VPDN-PPTP
! Default PPTP VPDN group
 accept-dialin
  protocol pptp
  virtual-template 1
!
vpdn-group VPDN-L2TP
! Default L2TP VPDN group
 accept-dialin
  protocol l2tp
  virtual-template 2
 no l2tp tunnel authentication
!
!
voice-card 0
 no dspfarm
!
!
!
username admin password 7 xxxxxxxxxxxxxxxxxxxxxxxx

archive
 log config
  logging enable
  notify syslog
  hidekeys
!
!
ip ssh time-out 60
no ip rcmd domain-lookup
ip rcmd rsh-enable
ip rcmd remote-host statistic 192.168.0.136 root enable
!
!
interface Tunnel2
 ip address 192.95.0.1 255.255.255.252
 tunnel source 1.2.3.1
 tunnel destination 91.142.80.11
!
interface Tunnel301
 description xxx
 ip address 172.85.43.1 255.255.255.252
 ip mtu 1460
 ip ospf network point-to-point
 ip ospf cost 100
 ip ospf 123 area 2
 tunnel source 74.28.42.27
 tunnel destination 95.188.90.163
 tunnel mode ipip
 tunnel path-mtu-discovery
!
interface Tunnel303
 description xxx
 ip address 172.85.43.9 255.255.255.252
 ip mtu 1330
 ip ospf network point-to-point
 ip ospf cost 500
 ip ospf 123 area 2
 tunnel source 192.168.53.1
 tunnel destination 192.168.53.17
 tunnel mode ipip
 tunnel path-mtu-discovery
!
interface Tunnel305
 description xxx
 ip address 172.85.43.17 255.255.255.252
 ip mtu 1460
 ip ospf network point-to-point
 ip ospf cost 100
 ip ospf 123 area 2
 tunnel source 74.28.42.27
 tunnel destination 95.188.83.73
 tunnel mode ipip
 tunnel path-mtu-discovery
!
interface Tunnel307
 description xxx
 ip address 172.85.43.25 255.255.255.252
 ip mtu 1330
 ip ospf network point-to-point
 ip ospf cost 500
 ip ospf 123 area 2
 tunnel source 192.168.53.1
 tunnel destination 192.168.53.19
 tunnel mode ipip
 tunnel path-mtu-discovery
!
interface Tunnel309
 description xxx
 ip address 172.85.43.33 255.255.255.252
 ip mtu 1460
 ip ospf network point-to-point
 ip ospf cost 100
 ip ospf 123 area 2
 tunnel source 74.28.42.27
 tunnel destination 95.188.65.214
 tunnel mode ipip
 tunnel path-mtu-discovery
!
interface Tunnel311
 description xxx
 ip address 172.85.43.41 255.255.255.252
 ip mtu 1330
 ip ospf network point-to-point
 ip ospf cost 500
 ip ospf 123 area 2
 tunnel source 192.168.53.1
 tunnel destination 192.168.53.18
 tunnel mode ipip
 tunnel path-mtu-discovery
!
interface Tunnel313
 description xxx
 ip address 172.85.43.49 255.255.255.252
 ip mtu 1460
 ip ospf network point-to-point
 ip ospf cost 100
 ip ospf 123 area 2
 tunnel source 74.28.42.27
 tunnel destination 95.188.70.196
 tunnel mode ipip
 tunnel path-mtu-discovery
!
interface Tunnel315
 description xxx
 ip address 172.85.43.57 255.255.255.252
 ip mtu 1330
 ip ospf network point-to-point
 ip ospf cost 500
 ip ospf 123 area 2
 tunnel source 192.168.53.1
 tunnel destination 192.168.53.20
 tunnel mode ipip
 tunnel path-mtu-discovery
!
interface Tunnel317
 description xxx
 ip address 172.85.43.65 255.255.255.252
 ip mtu 1460
 ip ospf network point-to-point
 ip ospf cost 100
 ip ospf 123 area 2
 tunnel source 74.28.42.27
 tunnel destination 95.188.92.134
 tunnel mode ipip
 tunnel path-mtu-discovery
!
interface Tunnel319
 description xxx
 ip address 172.85.43.73 255.255.255.252
 ip mtu 1330
 ip ospf network point-to-point
 ip ospf cost 500
 ip ospf 123 area 2
 tunnel source 192.168.53.1
 tunnel destination 192.168.53.21
 tunnel mode ipip
 tunnel path-mtu-discovery
!
interface Tunnel321
 description xxx
 ip address 172.85.43.81 255.255.255.252
 ip mtu 1460
 ip ospf network point-to-point
 ip ospf cost 100
 ip ospf 123 area 2
 tunnel source 74.28.42.27
 tunnel destination 90.189.116.119
 tunnel mode ipip
 tunnel path-mtu-discovery
!
interface Tunnel323
 description xxx
 ip address 172.85.43.89 255.255.255.252
 ip mtu 1330
 ip ospf network point-to-point
 ip ospf cost 500
 ip ospf 123 area 2
 tunnel source 192.168.53.1
 tunnel destination 192.168.53.22
 tunnel mode ipip
 tunnel path-mtu-discovery
!
interface Tunnel325
 description xxx
 ip address 172.85.43.97 255.255.255.252
 ip mtu 1460
 ip ospf network point-to-point
 ip ospf cost 100
 ip ospf 123 area 2
 tunnel source 74.28.42.27
 tunnel destination 91.232.134.203
 tunnel mode ipip
 tunnel path-mtu-discovery
!
interface Tunnel327
 description xxx
 ip address 172.85.43.105 255.255.255.252
 ip mtu 1460
 ip ospf network point-to-point
 ip ospf cost 100
 ip ospf 123 area 2
 tunnel source 74.28.42.27
 tunnel destination 188.43.34.253
 tunnel mode ipip
 tunnel path-mtu-discovery
!
interface Tunnel329
 description xxx
 ip address 172.85.43.113 255.255.255.252
 ip mtu 1460
 ip ospf network point-to-point
 ip ospf cost 100
 ip ospf 123 area 2
 tunnel source 74.28.42.27
 tunnel destination 95.188.88.144
 tunnel mode ipip
 tunnel path-mtu-discovery
!
interface Tunnel363
 description xxx_L2tp
 ip address 172.85.43.249 255.255.255.252
 ip mtu 1330
 ip ospf network point-to-point
 ip ospf cost 500
 ip ospf 123 area 2
 tunnel source 192.168.53.1
 tunnel destination 192.168.53.33
 tunnel mode ipip
 tunnel path-mtu-discovery
!
interface Tunnel365
 description xxx_l2tp
 ip address 1.9.1.1 255.255.255.252
 ip mtu 1330
 ip ospf network point-to-point
 ip ospf cost 500
 ip ospf 123 area 2
 tunnel source 192.168.53.1
 tunnel destination 192.168.53.34
 tunnel mode ipip
 tunnel path-mtu-discovery
!
interface GigabitEthernet0/0
 description xxx
 no ip address
 load-interval 30
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/0.5
 encapsulation dot1Q 5
 ip address 192.168.0.105 255.255.255.0
 ip access-group ACL2 in
 no ip proxy-arp
!
interface GigabitEthernet0/0.8
 description xxx
 encapsulation dot1Q 8
 ip address 1.2.3.13 255.255.255.192
 ip access-group ACL4 in
 no cdp enable
 standby 1 ip 1.2.3.1
 standby 1 priority 150
 standby 1 preempt delay minimum 30 reload 30
 standby 1 track GigabitEthernet0/1
!
interface GigabitEthernet0/0.30
 description adjacently
 encapsulation dot1Q 30
 ip address 74.28.42.27 255.255.255.224
 ip access-group External-Pub1-in in
 ip flow ingress
 ip flow egress
 ip ospf authentication-key 7 1356434A5E55
 ip ospf hello-interval 3
 ip ospf 123 area 0
 standby 33 ip 74.28.42.26
 standby 33 priority 200
 standby 33 preempt delay minimum 60 reload 120
 standby 33 track GigabitEthernet0/1
!
interface GigabitEthernet0/1
 description xxx 192.7.0.101
 no ip address
 load-interval 30
 duplex auto
 speed auto
 media-type rj45
 no cdp enable
!
interface GigabitEthernet0/1.27
 description xxx
 encapsulation dot1Q 27
 ip address 192.95.0.29 255.255.255.248
 ip access-group ACL44 in
 no ip proxy-arp
 no cdp enable
 standby version 2
 standby 27 ip 192.95.0.25
 standby 27 priority 255
 standby 27 preempt
 standby 27 authentication Uto
!
interface GigabitEthernet0/1.40
 description adjacently-xxx
 encapsulation dot1Q 40
 ip address 192.95.0.74 255.255.255.240
 no ip proxy-arp
 no cdp enable
!
interface GigabitEthernet0/1.55
 description xxx
 encapsulation dot1Q 55
 ip address 10.230.5.2 255.255.255.0
 no ip proxy-arp
 no cdp enable
 standby 55 ip 10.230.5.1
 standby 55 priority 250
 standby 55 preempt delay minimum 60 reload 120
!
interface GigabitEthernet0/1.516
 description xxx
 encapsulation dot1Q 516
 ip address 192.95.0.21 255.255.255.248
 ip access-group ACL44 in
 no ip proxy-arp
 no cdp enable
 standby version 2
 standby 516 ip 192.95.0.17
 standby 516 priority 255
 standby 516 preempt
 standby 516 authentication Pulus_me
!
interface GigabitEthernet0/1.532
 description xxx
 encapsulation dot1Q 532
 ip address 192.168.145.13 255.255.255.252
 no cdp enable
!
interface GigabitEthernet0/1.542
 description ACL-83
 encapsulation dot1Q 542
 ip address 10.55.113.251 255.255.255.248
 ip access-group ACL-83 in
 no ip proxy-arp
 no cdp enable
 standby version 2
 standby 542 ip 10.55.113.250
 standby 542 priority 255
 standby 542 preempt
 standby 542 authentication SibTTK_V
!
interface GigabitEthernet0/1.919
 encapsulation dot1Q 919
 ip address 10.110.20.43 255.255.255.248
 ip access-group MTS_VoIP_SIP in
 no ip proxy-arp
 no cdp enable
 standby version 2
 standby 919 ip 10.110.20.42
 standby 919 priority 255
 standby 919 preempt
 standby 919 authentication MTS_VoIP
!
interface GigabitEthernet0/1.2554
 encapsulation dot1Q 2554
 ip address 172.17.1.6 255.255.255.252
 ip access-group ACL-88 in
 no ip proxy-arp
 no cdp enable
!
interface GigabitEthernet0/1.3889
 encapsulation dot1Q 3889
 ip address 10.240.0.33 255.255.255.240
 no ip proxy-arp
 no cdp enable
!
interface Virtual-Template1
 ip unnumbered GigabitEthernet0/0.30
 ip access-group ONLY-3-IN in
 ip mtu 1350
 peer default ip address pool POOL-PPTP
 ppp authentication ms-chap ms-chap-v2 VPN_SERVER
 ppp multilink
!
interface Virtual-Template2
 ip address 192.168.53.1 255.255.255.252
 ip mtu 1350
 peer default ip address pool POOL-PPTP
 ppp authentication ms-chap ms-chap-v2 VPN_SERVER
!
router ospf 123
 router-id 74.28.42.27
 log-adjacency-changes
 area 0 authentication
 redistribute connected subnets
 redistribute static subnets
 passive-interface default
 no passive-interface GigabitEthernet0/0.30
 no passive-interface Tunnel301
 no passive-interface Tunnel303
 no passive-interface Tunnel305
 no passive-interface Tunnel307
 no passive-interface Tunnel363
 no passive-interface Tunnel365
 network 172.85.43.0 0.0.0.3 area 2
 network 172.85.43.8 0.0.0.3 area 2
 network 172.85.43.16 0.0.0.3 area 2
 network 172.85.43.24 0.0.0.3 area 2
 network 172.85.43.128 0.0.0.3 area 2
 network 172.85.43.136 0.0.0.3 area 2
 network 10.240.0.32 0.0.0.15 area 2
 network 192.168.0.0 0.0.0.255 area 0
 network 1.2.3.0 0.0.0.63 area 0
 network 74.28.42.0 0.0.0.31 area 0
 maximum-paths 1
 distance ospf intra-area 220 external 220
!
router bgp 123
 bgp router-id 74.28.42.27
 bgp log-neighbor-changes
 bgp bestpath as-path multipath-relax
 neighbor 192.95.0.68 remote-as 123
 neighbor 192.95.0.68 description Cisco
 neighbor 192.95.0.69 remote-as 123
 neighbor 192.95.0.69 description Cisco
 neighbor 192.95.0.70 remote-as 123
 neighbor 192.95.0.70 description Cisco
 neighbor 192.95.0.72 remote-as 123
 neighbor 192.95.0.72 description Mikrotik
 neighbor 192.95.0.73 remote-as 123
 neighbor 192.95.0.73 description Mikrotik
 neighbor 74.28.42.1 remote-as 123
 neighbor 74.28.42.1 description A
 neighbor 74.28.42.2 remote-as 123
 neighbor 74.28.42.2 description B
 neighbor 74.28.42.3 remote-as 123
 neighbor 74.28.42.3 description G
 neighbor 74.28.42.11 remote-as 123
 neighbor 74.28.42.11 description Cisco
 neighbor 74.28.42.12 remote-as 123
 neighbor 74.28.42.12 description Cisco
 neighbor 74.28.42.13 remote-as 123
 neighbor 74.28.42.13 description Cisco
 maximum-paths 2
 !
 address-family ipv4
  neighbor 192.95.0.68 activate
  neighbor 192.95.0.68 soft-reconfiguration inbound
  neighbor 192.95.0.69 activate
  neighbor 192.95.0.69 soft-reconfiguration inbound
  neighbor 192.95.0.70 activate
  neighbor 192.95.0.70 soft-reconfiguration inbound
  neighbor 192.95.0.72 activate
  neighbor 192.95.0.72 soft-reconfiguration inbound
  neighbor 192.95.0.73 activate
  neighbor 192.95.0.73 soft-reconfiguration inbound
  neighbor 74.28.42.1 activate
  neighbor 74.28.42.1 soft-reconfiguration inbound
  neighbor 74.28.42.1 route-map FROM_A in
  neighbor 74.28.42.1 maximum-prefix 18000 90 warning-only
  neighbor 74.28.42.2 activate
  neighbor 74.28.42.2 soft-reconfiguration inbound
  neighbor 74.28.42.2 maximum-prefix 18000 90 warning-only
  neighbor 74.28.42.3 activate
  neighbor 74.28.42.3 soft-reconfiguration inbound
  neighbor 74.28.42.3 maximum-prefix 18000 90 warning-only
  neighbor 74.28.42.11 activate
  neighbor 74.28.42.11 soft-reconfiguration inbound
  neighbor 74.28.42.12 activate
  neighbor 74.28.42.12 soft-reconfiguration inbound
  neighbor 74.28.42.13 activate
  neighbor 74.28.42.13 soft-reconfiguration inbound
  maximum-paths 2
  no auto-summary
  no synchronization
  network 1.2.3.0 mask 255.255.255.192
  network 10.230.5.0 mask 255.255.255.0
 exit-address-family
 !
 address-family nsap
  maximum-paths 2
  no synchronization
 exit-address-family
!
ip local pool POOL-PPTP 10.230.9.2 10.230.9.200
ip route 172.24.83.10 255.255.255.255 10.230.9.5
ip route 172.24.83.11 255.255.255.255 10.230.9.5
ip route 172.24.83.204 255.255.255.255 10.230.9.129
ip route 172.24.83.228 255.255.255.255 10.230.9.137
ip route 172.24.83.229 255.255.255.255 10.230.9.137
ip route 172.24.83.230 255.255.255.255 10.230.9.135
ip route 172.24.83.232 255.255.255.255 10.230.9.142
ip route 172.24.83.233 255.255.255.255 10.230.9.141
ip route 172.24.83.237 255.255.255.255 10.230.9.116
ip route 172.24.83.238 255.255.255.255 10.230.9.116
ip route 172.24.83.239 255.255.255.255 10.230.9.75
ip route 172.24.83.240 255.255.255.255 10.230.9.109
ip route 172.24.83.241 255.255.255.255 10.230.9.109
ip route 172.24.83.242 255.255.255.255 10.230.9.105
ip route 172.24.83.243 255.255.255.255 10.230.9.96
ip route 172.24.83.245 255.255.255.255 10.230.9.96
ip route 172.24.83.246 255.255.255.255 10.230.9.97
ip route 172.24.83.247 255.255.255.255 10.230.9.95
ip route 172.24.83.250 255.255.255.255 10.230.9.93
ip route 172.24.83.253 255.255.255.255 10.230.9.140
ip route 172.24.83.254 255.255.255.255 10.230.9.172
ip route 10.131.9.211 255.255.255.255 192.95.0.18
ip route 10.131.9.218 255.255.255.255 192.95.0.18
ip route 94.73.193.10 255.255.255.255 10.240.0.1
ip route 10.230.54.176 255.255.255.252 10.230.24.10
ip route 172.17.250.2 255.255.255.255 192.95.0.71
ip route 172.20.26.250 255.255.255.255 192.95.0.2
ip route 172.31.254.33 255.255.255.255 192.168.0.121
ip route 172.31.254.39 255.255.255.255 172.17.1.5
ip route 192.168.8.2 255.255.255.255 192.168.8.2
ip route 192.168.13.2 255.255.255.255 192.168.145.10
ip route 194.67.15.128 255.255.255.128 10.90.10.121
ip route 213.33.173.12 255.255.255.255 10.90.10.121
ip route 213.33.173.13 255.255.255.255 192.168.145.14
ip route 213.87.184.64 255.255.255.240 10.110.20.41
!
ip flow-export source GigabitEthernet0/0.30
ip flow-export version 9
ip flow-export destination 192.168.0.249 10135
ip flow-export destination 192.168.0.247 10135
ip flow-top-talkers
 top 20
 sort-by packets
!
no ip http server
no ip http secure-server
ip nat inside source static 192.168.0.97 interface GigabitEthernet0/0.11
!
ip access-list standard CONSOLE-ACCESS
 permit 192.168.0.0 0.0.0.255
 permit 192.168.7.0 0.0.0.255
 permit 192.168.88.0 0.0.0.255
 permit 1.2.3.0 0.0.0.63
 permit 5.4.8.128 0.0.0.127
 permit 74.28.42.0 0.0.0.31
!
ip access-list extended ACL4
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 1.2.3.0 0.0.0.255 any
 permit ip 10.186.144.112 0.0.0.7 1.2.3.0 0.0.0.15
 permit ip host 10.186.0.102 1.2.3.0 0.0.0.15
 permit ip host 10.186.0.103 1.2.3.0 0.0.0.15
 deny   udp any any eq 5060
 deny   tcp any any eq 5060
 permit ip host 91.142.80.11 any
 deny   tcp any any eq 1720
 permit udp any host 1.2.3.1 eq 1701
ip access-list extended ACL44
 permit ip any host 1.2.3.5
 permit ip any host 1.2.3.6
 permit icmp any any
 deny   ip any any
ip access-list extended External-Pub1-in
 permit ospf any any
 permit icmp any any
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 192.168.88.0 0.0.0.255 any
 permit ip 192.168.7.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
 permit ip 74.28.42.0 0.0.0.31 any
 permit ip 5.4.8.128 0.0.0.127 any
 permit ip 1.2.3.0 0.0.0.63 any
 permit ip host 1.2.3.238 any
 permit ipinip any any
 permit udp any host 74.28.42.26 eq 1701
 permit tcp any host 74.28.42.26 eq 1723
 permit gre any host 74.28.42.26
 permit udp any host 1.2.3.1 eq 1701
 permit tcp any host 1.2.3.1 eq 1723
 permit gre any host 1.2.3.1
 deny   ip any host 74.28.42.26
 deny   ip any host 74.28.42.27
 deny   ip any host 1.2.3.1
 deny   ip any host 1.2.3.2
 deny   ip any host 1.2.3.13
 permit ip any any
ip access-list extended str
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.94
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.94
 deny   ip any host 10.230.5.94 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.93
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.93
 deny   ip any host 10.230.5.93 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.74
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.74
 deny   ip any host 10.230.5.74 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.72
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.72
 deny   ip any host 10.230.5.72 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.73
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.73
 deny   ip any host 10.230.5.73 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.71
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.71
 deny   ip any host 10.230.5.71 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.76
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.76
 deny   ip any host 10.230.5.76 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.78
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.78
 deny   ip any host 10.230.5.78 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.79
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.79
 deny   ip any host 10.230.5.79 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.81
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.81
 deny   ip any host 10.230.5.81 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.82
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.82
 deny   ip any host 10.230.5.82 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.83
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.83
 deny   ip any host 10.230.5.83 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.84
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.84
 deny   ip any host 10.230.5.84 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.86
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.86
 deny   ip any host 10.230.5.86 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.65
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.65
 deny   ip any host 10.230.5.65 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.90
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.90
 deny   ip any host 10.230.5.90 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.80
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.80
 deny   ip any host 10.230.5.80 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.85
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.85
 deny   ip any host 10.230.5.85 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.87
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.87
 deny   ip any host 10.230.5.87 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.88
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.88
 deny   ip any host 10.230.5.88 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.89
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.89
 deny   ip any host 10.230.5.89 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.70
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.70
 deny   ip any host 10.230.5.70 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.91
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.91
 deny   ip any host 10.230.5.91 log-input
 permit ip 192.168.0.0 0.0.0.255 host 10.230.5.92
 permit ip 192.168.88.0 0.0.0.255 host 10.230.5.92
 deny   ip any host 10.230.5.92 log-input
 permit ip any any
ip access-list extended ACL2
 permit icmp any host 1.2.3.10
 permit ip host 93.170.101.23 host 1.2.3.10
 permit ip host 10.24.24.133 host 1.2.3.10
 permit ip host 85.158.185.185 host 1.2.3.10
 permit ip host 94.73.193.10 host 1.2.3.10
 permit ip host 89.31.108.6 host 1.2.3.10
 permit ip host 84.22.140.61 host 1.2.3.10
 deny   ip any host 1.2.3.10
 permit ip host 192.168.0.5 any
 permit ip host 192.168.0.6 any
 permit ip host 192.168.0.67 any
 permit ip any host 1.2.3.5
 permit ip any host 1.2.3.6
 permit ip host 192.168.0.76 host 10.90.10.68
 deny   udp any any eq 5060 log-input
 deny   tcp any any eq 5060 log-input
 deny   tcp any any eq 1720
 permit ip any any
ip access-list extended MTS_VoIP_SIP
 permit ip 10.110.20.40 0.0.0.7 any
 permit ip any 10.110.20.40 0.0.0.7
 permit ip 213.87.184.64 0.0.0.15 1.2.3.0 0.0.0.15
 deny   ip any any
ip access-list extended ONLY-3-IN
 permit gre any any
 permit ip 10.230.9.0 0.0.0.255 host 1.2.3.6
 permit ip 10.230.9.0 0.0.0.255 host 1.2.3.5
 permit ip 10.230.9.0 0.0.0.255 host 1.2.3.3
 permit ip 10.230.9.0 0.0.0.255 host 1.2.3.4
 permit ip 10.230.9.0 0.0.0.255 host 192.168.0.6
 permit ip 10.230.9.0 0.0.0.255 host 192.168.0.77
 permit ip 10.230.9.0 0.0.0.255 host 192.168.0.88
 permit ip 10.230.9.0 0.0.0.255 host 192.168.0.3
 permit ip 10.230.9.0 0.0.0.255 host 192.168.0.4
 permit ip 10.230.9.0 0.0.0.255 host 192.168.0.5
 permit ip 10.230.9.0 0.0.0.255 192.168.0.96 0.0.0.7
 permit ip host 10.230.9.37 host 10.230.5.25
 permit ip 10.230.9.0 0.0.0.255 192.168.88.0 0.0.0.255
 permit ip 10.230.9.0 0.0.0.255 host 1.2.3.8
 permit ip 10.230.9.0 0.0.0.255 host 217.10.68.152
 permit ip 10.230.9.0 0.0.0.255 host 192.168.0.28
 permit ip 10.230.9.0 0.0.0.255 host 10.7.1.1
 permit ip 172.24.83.0 0.0.0.255 any
 permit udp 10.230.9.0 0.0.0.255 host 1.2.3.10
 permit icmp 10.230.9.0 0.0.0.255 host 1.2.3.10
 permit ip host 10.230.9.150 any
 deny   ip any any
ip access-list extended ACL-OUT4
 permit gre any any
 permit ip host 1.2.3.6 10.230.9.0 0.0.0.255
 permit ip host 192.168.0.6 10.230.9.0 0.0.0.255
 permit ip host 192.168.0.77 10.230.9.0 0.0.0.255
 permit ip host 192.168.0.88 10.230.9.0 0.0.0.255
 permit tcp host 192.168.0.250 eq 3389 10.230.9.0 0.0.0.255
 permit ip host 10.230.5.25 host 10.230.9.37
 deny   ip any any
ip access-list extended ACL-88
 permit udp host 172.31.254.39 host 1.2.3.10
 permit udp host 10.240.0.1 host 1.2.3.10
 permit udp host 192.95.0.9 host 1.2.3.10
 permit icmp any host 1.2.3.10
 permit icmp any host 10.240.0.2
 deny   ip any any
ip access-list extended ACL-83
 permit ip any 224.0.0.0 15.255.255.255
 permit ip 1.2.3.0 0.0.0.15 10.55.113.248 0.0.0.7
 permit ip 10.55.113.248 0.0.0.7 1.2.3.0 0.0.0.15
 deny   ip any any
ip access-list extended ACL-34
 permit udp host 192.95.0.9 host 1.2.3.10
 permit udp host 192.95.0.9 host 192.168.0.6
 permit icmp any host 1.2.3.10
 permit icmp any host 192.168.0.6
 permit icmp any host 192.95.0.10
 permit ip host 192.95.0.9 host 192.168.0.136
 permit ip host 192.95.0.9 host 192.168.0.97
 permit ip host 192.95.0.9 host 192.168.0.99
 deny   ip any any
ip access-list extended ACL-32
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 1.2.3.0 0.0.0.255 any
 permit ip 10.230.9.0 0.0.0.255 any
 permit ip 172.24.83.0 0.0.0.255 any
 permit ip 74.28.42.16 0.0.0.7 any
 permit ip 74.28.42.0 0.0.0.63 any
 permit icmp any host 1.2.3.10
 deny   ip any host 1.2.3.10
 deny   udp any any eq 5060
 deny   tcp any any eq 5060
 deny   tcp any any eq 1720
 permit ip any any
ip access-list extended ACL-322
 deny   ip any host 209.126.97.238
!
!
ip prefix-list ANY seq 5 permit 0.0.0.0/0 le 32
!
ip prefix-list DEFAULT seq 5 permit 0.0.0.0/0
logging trap debugging
logging facility local6
logging 192.168.0.111
snmp-server community energy RO
!
route-map FROM_A permit 500
 match ip address prefix-list DEFAULT
 set local-preference 110
!
route-map FROM_A permit 600
 match ip address prefix-list ANY
!
!
!
tacacs-server host 192.168.0.97 timeout 5
tacacs-server host 192.168.0.99 timeout 5
tacacs-server directed-request
tacacs-server key 7 011608074912161B
radius-server host 192.168.0.99 auth-port 1812 acct-port 1813
radius-server host 192.168.0.97 auth-port 1812 acct-port 1813
radius-server timeout 10
radius-server key 7 1315051B1D0D102F3D2B2123
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
dial-peer cor custom
!
!
!
!
!
!
line con 0
 login authentication local_user
 stopbits 1
 speed 115200
line aux 0
 stopbits 1
line vty 0 4
 access-class CONSOLE-ACCESS in
 exec-timeout 60 0
 login authentication tac_plus-server
 transport input telnet
line vty 5 15
 access-class CONSOLE-ACCESS in
 login authentication tac_plus-server
 transport input ssh
!
no scheduler allocate
ntp clock-period 17180171
ntp server 192.168.0.97
ntp server 192.168.0.99 prefer
!
end

 

 

Настройка RADIUS

Цитата

/etc/freeradius/3.0/clients.conf

client 192.168.0.10 {
        ipaddr          = 192.168.0.10
        secret          = PassWorddd
        shortname       = router
        nastype         = cisco
}

client 192.168.0.13 {
        secret          = server
        shortname       = server
        nastype         = cisco
        
        secret = PassWorddd

 

 

/etc/freeradius/3.0/sql.conf
database = mysql
login = freeradius
password = freeradius
readclients = yes

 

 

 

СКРИПТ listusers.pl

Цитата

СКРИПТ listusers.pl
#!/usr/bin/perl

use DBI;

$dbhost = "localhost";
$dbname = "radiusdb";
$dbuser = "freeradius";
$dbpass = "freeradius";

        print "Connecting to Database...\n";

        my $mysql = DBI->connect("DBI:mysql:$dbname:$dbhost",$dbuser,$dbpass);

        print "Connection established!\n";

        $query = "select rc.UserName, rc.Value as Password, rr.Value as IP from radcheck \
        rc inner join radreply rr on rc.UserName=rr.UserName where rc.Attribute='Cleartext-Password' and \
        rr.Attribute='Framed-IP-Address'";

        $sth = $mysql->prepare($query);
        $sth->execute() or die("Error occured while adding the user! See table usergroup...\n");

        print "=================================================================\n";

        while (@row = $sth->fetchrow_array) {
             print "username = $row[0]\t password = $row[1]\t ip = $row[2]\n";
          }

        print "=================================================================\n";

        $sth->finish();

        print "Disconnecting...\n";

        $mysql->disconnect();

 

 

 

СКРИПТ adduser.pl

Цитата

СКРИПТ adduser.pl
#!/usr/bin/perl

use DBI;

$dbhost = "localhost";
$dbname = "radiusdb";
$dbuser = "freeradius";
$dbpass = "freeradius";

$num_args = $#ARGV + 1;

if ($num_args == 3) {

    $user = $ARGV[0];
    $pass = $ARGV[1];
    $ip = $ARGV[2];

    if ($ip =~ /192\.168\.0\.\d{1,3}/){

        print "Connecting to Database...\n";

        my $mysql = DBI->connect("DBI:mysql:$dbname:$dbhost",$dbuser,$dbpass);

        print "Connection established!\n";
        print "Trying to add user...\n";

        $query = "insert into radusergroup set UserName='$user', GroupName='PPTP-User', priority=1";
        $sth = $mysql->prepare($query);
        $sth->execute() or die("Error occured while adding the user! See table radusergroup...\n");

        $query = "insert into radcheck set UserName='$user', Attribute='Auth-Type', op=':=', Value='MS-CHAP'";
        $sth = $mysql->prepare($query);
        $sth->execute() or die("Error occured while adding the user! See table radcheck...\n");

        $query = "insert into radcheck set UserName='$user', Attribute='Cleartext-Password', op=':=', Value='$pass'";
        $sth = $mysql->prepare($query);
        $sth->execute() or die("Error occured while adding the user! See table radcheck...\n");

        $query = "insert into radreply set UserName='$user', Attribute='Framed-IP-Address', op=':=', Value='$ip'";
        $sth = $mysql->prepare($query);
        $sth->execute() or die("Error occured while adding the user! See table radreply...\n");

        $query = "insert into radreply set UserName='$user', Attribute='Framed-MTU', op=':=', Value=1350";
        $sth = $mysql->prepare($query);
        $sth->execute() or die("Error occured while adding the user! See table radreply...\n");

        $sth->finish();

        print "User $user successfully added to VPN users Database!\n";

        $mysql->disconnect();
    }
    else {
        print "Invalid vpn_ip_address.\n\n";
        print "vpn_ip_address - from 192.168.0.2 to 192.168.0.200\n\n";
    }
}
else {
    print "\nUsage: ./adduser.pl username password vpn_ip_address\n\n";
    print "vpn_ip_address - from 192.168.0.2 to 192.168.0.200\n\n";
}

 

 

 

СКРИПТ rmuser.pl

Цитата

СКРИПТ rmuser.pl
#!/usr/bin/perl

use DBI;
#use IO::Prompt;

$dbhost = "localhost";
$dbname = "radiusdb";
$dbuser = "freeradius";
$dbpass = "freeradius";

$num_args = $#ARGV + 1;

if ($num_args == 1) {

            $user = $ARGV[0];

                print "Connecting to Database...\n";

                my $mysql = DBI->connect("DBI:mysql:$dbname:$dbhost",$dbuser,$dbpass);

                print "Connection established!\n";
                print "Trying to remove user...\n";

                $query = "delete from radusergroup where UserName='$user'";
                $sth = $mysql->prepare($query);
                $sth->execute() or die("Error occured while removing the user! See table usergroup...\n");

                $query = "delete from radcheck where UserName='$user'";
                $sth = $mysql->prepare($query);
                $sth->execute() or die("Error occured while removing the user! See table radcheck...\n");

                $query = "delete from radreply where UserName='$user'";
                $sth = $mysql->prepare($query);
                $sth->execute() or die("Error occured while removing the user! See table radreply...\n");

                $sth->finish();

                print "User $user successfully removed from VPN users Database!\n";

                $mysql->disconnect();
}
else {
    print "\nUsage: ./rmuser.pl username\n\n";
}

 

 

 

 

СКРИПТ updateuser.pl

Цитата

СКРИПТ updateuser.pl
#!/usr/bin/perl

use DBI;

$dbhost = "localhost";
$dbname = "radiusdb";
$dbuser = "freeradius";
$dbpass = "freeradius";

$num_args = $#ARGV + 1;

if ($num_args == 3) {

    $user = $ARGV[0];
    $pass = $ARGV[1];
    $ip = $ARGV[2];

    if ($ip =~ /192\.168\.0\.\d{1,3}/){

        print "Connecting to Database...\n";

        my $mysql = DBI->connect("DBI:mysql:$dbname:$dbhost",$dbuser,$dbpass);

        print "Connection established!\n";
        print "Trying to update user...\n";

        $query = "update radcheck set Value='$pass' where UserName='$user' and Attribute='Cleartext-Password'";
        $sth = $mysql->prepare($query);
        $sth->execute() or die("Error occured while updating the user! See table radcheck...\n");

        $query = "update radreply set Value='$ip' where UserName='$user' and Attribute='Framed-IP-Address'";
        $sth = $mysql->prepare($query);
        $sth->execute() or die("Error occured while updating the user! See table radreply...\n");

        $sth->finish();

        print "User $user successfully updated!\n";

        $mysql->disconnect();
    }
    else {
        print "Invalid vpn_ip_address.\n\n";
        print "vpn_ip_address - from 192.168.0.2 to 192.168.0.200\n\n";
    }
}
else {
    print "\nUsage: ./adduser.pl username password vpn_ip_address\n\n";
    print "vpn_ip_address - from 192.168.0.2 to 192.168.0.200\n\n";
}
root@services:/home/vpn#

 

 

Пример работы

./listusers.pl
Connecting to Database...
Connection established!
=================================================================
username = 123    password = 33333     ip = 1.2.3.3
=================================================================



./adduser.pl
Usage: ./adduser.pl username password vpn_ip_address

vpn_ip_address - from 192.168.0.2 to 192.168.0.200

./adduser.pl  username password 192.168.0.240
Connecting to Database...
Connection established!
Trying to add user...
User username successfully added to VPN users Database!




./rmuser.pl
Usage: ./rmuser.pl username

./rmuser.pl username
Connecting to Database...
Connection established!
Trying to remove user...
User username successfully removed from VPN users Database!

 

Изменено 22 марта, 2023 пользователем neperpbl3

[sirmax]

14 лет, Карл. Новое поколение инженеров выросло

[Saab95]

Микротик еще не предлагали - уже дешевле вообще не найти, настраивается парой кликов мышки и работает стабильнее некуда.

[sirmax]

1 час назад, Saab95 сказал:

Микротик еще не предлагали - уже дешевле вообще не найти, настраивается парой кликов мышки и работает стабильнее некуда.

Ага особенно опнвпн по udp 

[sdy_moscow]

@sirmax похоже, что @neperpbl3 очередной бот, только поумнее что-ли - видать ГПТ атакует.

[sirmax]

22 минуты назад, sdy_moscow сказал:

@sirmax похоже, что @neperpbl3 очередной бот, только поумнее что-ли - видать ГПТ атакует.

Да похоже. Эту штуку я тестил, если не в теме предмета  то пишет правдоподобно, самка собаки. И так весь интернет засран гавном, теперь вообще ппц будет. Собственно это заслуживает отдельной темы 😞