ROS 3.0 Enterprise Application Diary -- 龙恩 Work Log
Friday, August 10, 2007, 00:34 AM
Real-world use of ROS 3.0 as a software router and as a secure HotSpot

Chapter 1: SYSTEM and basic management
——————————————————————————————————

Step 1: test backup of the system after installation:

[admin@MikroTik] system backup> save name=test
[admin@MikroTik] > file print

To load the saved backup file test:

[admin@MikroTik] system backup> load name=test
Restore and reboot? [y/N]: y
...

++++++++

Step 2: network configuration:

[admin@MikroTik] /system resource> /interface print
Flags: X - disabled, D - dynamic, R - running
 #    NAME                TYPE     MTU
 0  R ether1              ether    1500
 1  R ether2              ether    1500
 2  R ether3              ether    1500
 3  R bridge-interface    bridge   1500
[admin@MikroTik] > ip address print
[admin@MikroTik] ip address> add address=10.10.10.1/24 interface=ether2

++++++++++

Step 3: WinBox connection test and connection

+++++++

Step 4: bandwidth test:

Server configuration
Submenu level: /tool bandwidth-server

[admin@MikroTik] /tool> bandwidth-test address: 192.168.10.99
                 status: connecting
               duration: 0s
             rx-current: 0bps
  rx-10-second-average: 0bps
       rx-total-average: 0bps
           lost-packets: 0
            random-data: no
              direction: receive
                rx-size: 1500

                 status: authentication failed
               duration: 0s
             rx-current: 0bps
  rx-10-second-average: 0bps
       rx-total-average: 0bps
           lost-packets: 0
            random-data: no
              direction: receive
                rx-size: 1500
echo: system,error,critical login failure for user admin via bandwidth-test

The first attempt fails authentication and is logged as a critical login failure for user admin via bandwidth-test: the bandwidth-test server requires a valid user name and password, and every failed attempt is recorded in the log.

To run a 15-second bandwidth test to the 10.0.0.211 host, sending and receiving 1000-byte UDP packets and using user name admin to connect:

[admin@MikroTik] tool> bandwidth-test 10.0.0.211 duration=15s direction=both \
\... size=1000 protocol=udp user=admin
                 status: done testing
               duration: 15s
             tx-current: 3.62Mbps
  tx-10-second-average: 3.87Mbps
       tx-total-average: 3.53Mbps
             rx-current: 3.33Mbps
  rx-10-second-average: 3.68Mbps
       rx-total-average: 3.49Mbps

+++++++++++

Step 5: System Resource Management
Document revision: 2.3 (Thu Jul 13 16:45:28 GMT 2006)

[admin@MikroTik] /system resource> print
                   uptime: 47m40s
                  version: "3.0beta10"
              free-memory: 253824kB
             total-memory: 281184kB
                      cpu: "Intel(R)"
                cpu-count: 1
            cpu-frequency: 2401MHz
                 cpu-load: 1
           free-hdd-space: 2975524kB
          total-hdd-space: 3085584kB
  write-sect-since-reboot: 3429
         write-sect-total: 3429

[admin@MikroTik] /system resource> monitor
     cpu-used: 0
  free-memory: 253824
     cpu-used: 0
  free-memory: 253836
     cpu-used: 0
  free-memory: 253836

#####################
IRQ Usage Monitor
Command name: /system resource irq print
##################
PCI Monitor
[admin@MikroTik] /system resource> pci print
###################
USB Port Information
Command name: /system resource usb print
##############
Reboot
Command name: /system reboot
##########
System identity:

[admin@MikroTik] /system identity> print
  name: "MikroTik"
[admin@MikroTik] /system identity> set name="LongtelChina-3.0"
[admin@LongtelChina-3.0] /system identity> print
  name: "LongtelChina-3.0"
#############
SYSTEM DATE:

[admin@LongtelChina-3.0] /system clock> set time=23:32:00
[admin@LongtelChina-3.0] /system clock> print
            time: 23:32:01
            date: aug/10/2007
  time-zone-name: "manual"
      gmt-offset: +00:00
##############
System Note
Submenu level: /system note

+++++++++++++++++++++++++++

Step 6: Support Output File

To make a Support Output File:

[admin@MikroTik] > system sup-output
creating supout.rif file, might take a while ................... Done!
[Kevin@MikroTik] > file print
 #   NAME                       TYPE         SIZE      CREATION-TIME
 0   hotspot                    directory              apr/14/2007 00:56:42
 1   hotspot/md5.js             .js file     7218      apr/14/2007 00:56:42
 2   hotspot/redirect.html      .html file   213       apr/14/2007 00:56:42
 3   hotspot/status.html        .html file   3082      apr/14/2007 00:56:42
 4   hotspot/errors.txt         .txt file    3615      apr/14/2007 00:56:42
 5   hotspot/radvert.html       .html file   1481      apr/14/2007 00:56:42
 6   hotspot/login.html         .html file   3384      apr/14/2007 00:56:42
 7   hotspot/logout.html        .html file   1813      apr/14/2007 00:56:42
 8   hotspot/alogin.html        .html file   1293      apr/14/2007 00:56:42
 9   hotspot/error.html         .html file   898       apr/14/2007 00:56:42
10   hotspot/rlogin.html        .html file   739       apr/14/2007 00:56:42
11   hotspot/xml                directory              apr/14/2007 00:56:42
12   hotspot/xml/flogout...     .html file   361       apr/14/2007 00:56:42
13   hotspot/xml/WISPAcc...     .xsd file    4251      apr/14/2007 00:56:42
14   hotspot/xml/login.html     .html file   437       apr/14/2007 00:56:42
15   hotspot/xml/error.html     .html file   416       apr/14/2007 00:56:42
16   hotspot/xml/alogin....     .html file   532       apr/14/2007 00:56:42
17   hotspot/xml/logout....     .html file   359       apr/14/2007 00:56:42
18   hotspot/xml/rlogin....     .html file   530       apr/14/2007 00:56:42
19   autosupout.rif             .rif file    252338    jul/19/2007 13:42:50
20   supout.rif                 .rif file    284486    aug/09/2007 23:49:19
21   cnc_route.rsc              script       19406     jul/24/2007 01:41:58
22   console-dump.txt           .txt file    751194    may/19/2007 09:32:31
23   hotspot/lv                 directory              apr/14/2007 00:56:42
24   hotspot/lv/status.html     .html file   2760      apr/14/2007 00:56:42
25   hotspot/lv/radvert....     .html file   1475      apr/14/2007 00:56:42
26   hotspot/lv/errors.txt      .txt file    3810      apr/14/2007 00:56:42
27   hotspot/lv/login.html      .html file   3408      apr/14/2007 00:56:42
28   hotspot/lv/alogin.html     .html file   1303      apr/14/2007 00:56:42
29   hotspot/lv/logout.html     .html file   1843      apr/14/2007 00:56:42
30   hotspot/img                directory              apr/14/2007 00:56:42
31   hotspot/img/logobot...     .png file    4317      apr/14/2007 00:56:42

+++++++++++++++++++

Part 7: RouterBOARD-specific functions

There are some features used to configure specific functions that exist only in RouterBOARD series embedded routers:
* BIOS upgrading
* BIOS configuration
* Health monitoring (RouterBOARD 200 series only)
* LED control (may be used in scripting)
* Fan voltage control (on/off) (RouterBOARD 200 series only)
* Console reset jumper (RouterBOARD 200 series only)
Submenu level: /system routerboard, /system health

————————————————————————————

Chapter 2: network configuration in depth

Step 1: DNS CLIENT AND CACHE

DNS Client and Cache
The DNS cache is used to minimize DNS requests to an external DNS server as well as to minimize DNS resolution time. This is a simple recursive DNS server with local (static) entries.

[admin@LongtelChina-3.0] /ip dns static> add name=www.huangxiaolong.com address=61.51.18.130 ttl=57
[admin@LongtelChina-3.0] /ip dns static> print
Flags: D - dynamic, X - disabled
 #   NAME                     ADDRESS          TTL
 0   www.huangxiaolong.com    61.51.18.130     57s
[admin@LongtelChina-3.0] /ip dns static>

#############
Flushing the DNS cache
Command name: /ip dns cache flush (clears the cache)

++++++++++++++++++++++++

Step 2: HotSpot Gateway

HotSpot Gateway features:
* authentication of clients using the local client database, or a RADIUS server
* accounting using the local database, or a RADIUS server
* Walled-garden system (accessing some web pages without authorization)

Walled-Garden facility:

[admin@LongtelChina-3.0] /ip hotspot> print
Flags: X - disabled, I - invalid, S - HTTPS
 #   NAME   INTERFACE   ADDRESS-POOL   PROFILE   IDLE-TIMEOUT
[admin@LongtelChina-3.0] /ip hotspot> active
[admin@LongtelChina-3.0] /ip hotspot active> print
Flags: R - radius, B - blocked
 #   USER   ADDRESS   UPTIME   SESSION-TIME-LEFT   IDLE-TIMEOUT
[admin@LongtelChina-3.0] /ip hotspot active>

(Both lists are empty: no HotSpot server has been created on this router yet.)

[admin@LongtelChina-3.0] /ip hotspot profile> set default http-cookie-lifetime=1d
[admin@LongtelChina-3.0] /ip hotspot profile> print
Flags: * - default
 0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot
     rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap
     http-cookie-lifetime=1d split-user-domain=no use-radius=no

##############
HTTP-level Walled Garden
Submenu level: /ip hotspot walled-garden

[admin@LongtelChina-3.0] /ip hotspot walled-garden> add path="/index.php" \
\... dst-host="www.huangxiaolong.com"
[admin@LongtelChina-3.0] /ip hotspot walled-garden> print
Flags: X - disabled, D - dynamic
 #   SERVER   METHOD   DST-HOST                DST-PORT   PATH          ACTION   HITS
 0                     www.huangxiaolong.com              /index.php    allow    0

Description
A walled garden is a system which allows unauthorized use of some resources, but requires authorization to access other resources.

############
IP-level Walled Garden
Submenu level: /ip hotspot walled-garden ip
This menu manages the Walled Garden for generic IP requests. See the previous section for managing the HTTP and HTTPS protocol-specific properties.

########
One-to-one NAT static address bindings
Submenu level: /ip hotspot ip-binding
Description
You can set up NAT translations statically based on either the original IP address (or IP network), or the original MAC address. You can also allow some addresses to bypass HotSpot authentication (i.e., they will be able to work without having to log in to the network first) and completely block some addresses.

##########
Active Host List
Submenu level: /ip hotspot host
Description
This menu shows all active network hosts that are connected to the HotSpot gateway. This list includes all one-to-one NAT translations.

#################
Service Port
Submenu level: /ip hotspot service-port
Description
Just like for classic NAT, the HotSpot embedded one-to-one NAT 'breaks' some protocols that are incompatible with address translation. To keep these protocols consistent, helper modules must be used. For the one-to-one NAT the only such module is for the FTP protocol.
##################
Customizing HotSpot: Firewall Section

Description
Apart from the obvious dynamic entries in the /ip hotspot submenu itself

[admin@LongtelChina-3.0] /ip firewall nat> add chain=hotspot protocol=udp dst-port=53 action=redirect to-ports=64782
[admin@LongtelChina-3.0] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0   chain=dstnat action=accept
 1   chain=dstnat action=jump jump-target=hotspot
 2   chain=hotspot action=redirect to-ports=64782 dst-port=53 protocol=udp
     Redirect all DNS requests to the HotSpot service. The 64872 port provides DNS service for all HotSpot users. If you want the HotSpot server to listen also on another port, add rules here the same way, changing the dst-port property.
     (Caveat: the rule entered by hand above uses to-ports=64782, which does not match the 64872 port named in this description. A redirect to a port on which no service listens silently breaks name resolution for HotSpot clients, so compare the to-ports value in /ip firewall nat print against the servlet ports before putting the gateway into service.)
 3 D chain=hotspot protocol=tcp dst-port=80 hotspot=local-dst action=redirect to-ports=64873
     Redirect all HTTP login requests to the HTTP login servlet. The 64873 is the HotSpot HTTP servlet port.
 4 D chain=hotspot protocol=tcp dst-port=443 hotspot=local-dst action=redirect to-ports=64875
     Redirect all HTTPS login requests to the HTTPS login servlet. The 64875 is the HotSpot HTTPS servlet port.
 5 D chain=hotspot protocol=tcp action=jump hotspot=!auth jump-target=hs-unauth
     All other packets except DNS and login requests from unauthorized clients should pass through the hs-unauth chain,
 6 D chain=hotspot protocol=tcp action=jump hotspot=auth jump-target=hs-auth
     and packets from the authorized clients through the hs-auth chain.
 7 D ;;; www.mikrotik.com
     chain=hs-unauth dst-address=159.148.147.196 protocol=tcp dst-port=80 action=return
     First in the hs-unauth chain is put everything that affects the TCP protocol in the /ip hotspot walled-garden ip submenu (i.e., everything where either protocol is not set, or is set to TCP). Here we are excluding www.mikrotik.com from being redirected to the login page.
 8 D chain=hs-unauth protocol=tcp dst-port=80 action=redirect to-ports=64874
     All other HTTP requests are redirected to the Walled Garden proxy server, which listens on the 64874 port. If there is an allow entry in the /ip hotspot walled-garden menu for an HTTP request, it is forwarded to the destination. Otherwise, the request is automatically redirected to the HotSpot login servlet (port 64873).
 9 D chain=hs-unauth protocol=tcp dst-port=3128 action=redirect to-ports=64874
10 D chain=hs-unauth protocol=tcp dst-port=8080 action=redirect to-ports=64874
     HotSpot by default assumes that only these ports may be used for HTTP proxy requests. These two entries are used to "catch" client requests to unknown proxies, i.e., to make it possible for clients with unknown proxy settings to work with the HotSpot system. This feature is called "Universal Proxy". If it is detected that a client is using some proxy server, the system will automatically mark those packets with the http hotspot mark to work around the unknown proxy problem, as we will see later on. Note that the port used (64874) is the same as for HTTP requests in rule #8 (so both HTTP and HTTP proxy requests are processed by the same code).
11 D chain=hs-unauth protocol=tcp dst-port=443 action=redirect to-ports=64875
     The HTTPS proxy is listening on the 64875 port.
12 D chain=hs-unauth protocol=tcp dst-port=25 action=jump jump-target=hs-smtp
     A redirect for the SMTP protocol may also be defined in the HotSpot configuration. In case it is, a redirect rule will be put in the hs-smtp chain. This is done so that users with an unknown SMTP configuration would be able to send their mail through the service provider's (your) SMTP server instead of going to the SMTP server users have configured in their computers [possibly unavailable outside their network of origin].
13 D chain=hs-auth protocol=tcp hotspot=http action=redirect to-ports=64874
     Providing HTTP proxy service for authorized users. Authenticated user requests may need to be subject to transparent proxying (the "Universal Proxy" technique and the advertisement feature). This http mark is put automatically on the HTTP proxy requests to the servers detected by the HotSpot HTTP proxy (the one that is listening on the 64874 port) to be HTTP proxy requests to unknown proxy servers. This is done so that users that have some proxy settings would use the HotSpot gateway instead of the [possibly unavailable outside their network of origin] proxy server users have configured in their computers. The mark is as well put on any HTTP requests done from the users whose profile is configured to transparently proxy their requests.
14 D chain=hs-auth protocol=tcp dst-port=25 action=jump jump-target=hs-smtp
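As an added illustration (not code from the original post or from MikroTik), the Python model below walks a client packet through the hotspot, hs-unauth and hs-auth NAT chains listed above and through the walled-garden decision of the proxy in rule 8, using the rule order, servlet ports and the two walled-garden entries from this post; it also includes a check for the to-ports value of the DNS rule. The Packet class, the function names and the 192.0.2.x sample addresses are assumptions of the example.

```python
from dataclasses import dataclass

# HotSpot servlet ports as named in the rule descriptions above.
DNS_PORT, LOGIN_PORT, PROXY_PORT, HTTPS_PORT = 64872, 64873, 64874, 64875
# Constructed walled-garden tables mirroring the two entries shown in the post.
WALLED_GARDEN_IP = {("tcp", "159.148.147.196", 80)}            # rule 7: www.mikrotik.com
WALLED_GARDEN_HTTP = {("www.huangxiaolong.com", "/index.php")}  # /ip hotspot walled-garden entry

@dataclass
class Packet:                 # hypothetical model of the matchers the rules use
    proto: str                # "tcp" or "udp"
    dst_addr: str
    dst_port: int
    authed: bool              # hotspot=auth (True) or hotspot=!auth (False)
    local_dst: bool = False   # hotspot=local-dst: addressed to the gateway itself
    http_mark: bool = False   # hotspot=http mark set by the HotSpot proxy

def hs_unauth(p):  # hs-unauth chain, rules 7-12, for unauthenticated clients
    if (p.proto, p.dst_addr, p.dst_port) in WALLED_GARDEN_IP:
        return "pass"                      # rule 7: action=return, never redirected
    if p.dst_port in (80, 3128, 8080):     # rules 8-10: HTTP and "Universal Proxy" ports
        return f"redirect:{PROXY_PORT}"
    if p.dst_port == 443:                  # rule 11
        return f"redirect:{HTTPS_PORT}"
    return "jump:hs-smtp" if p.dst_port == 25 else "pass"   # rule 12

def hs_auth(p):  # hs-auth chain, rules 13-14, for authenticated clients
    if p.http_mark:                        # rule 13: transparent proxy for marked HTTP
        return f"redirect:{PROXY_PORT}"
    return "jump:hs-smtp" if p.dst_port == 25 else "pass"   # rule 14

def hotspot_chain(p, dns_redirect_port=DNS_PORT):  # hotspot chain, rules 2-6
    if p.proto == "udp" and p.dst_port == 53:                   # rule 2
        return f"redirect:{dns_redirect_port}"
    if p.proto == "tcp" and p.local_dst and p.dst_port in (80, 443):  # rules 3-4
        return f"redirect:{LOGIN_PORT if p.dst_port == 80 else HTTPS_PORT}"
    if p.proto == "tcp":                                        # rules 5-6
        return hs_auth(p) if p.authed else hs_unauth(p)
    return "pass"

def proxy_decision(host, path):  # what the proxy on 64874 does with an unauthenticated request (rule 8)
    return "forward" if (host, path) in WALLED_GARDEN_HTTP else f"redirect:{LOGIN_PORT}"

def dns_redirect_consistent(to_port):  # rule 2 must target the port the HotSpot DNS service uses
    return to_port == DNS_PORT
```

Passing the rule's actual value, hotspot_chain(pkt, dns_redirect_port=64782), shows DNS landing on a port no servlet uses, which is the mismatch flagged under rule 2.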