{"id":914,"date":"2013-08-06T22:03:43","date_gmt":"2013-08-06T20:03:43","guid":{"rendered":"http:\/\/diablo.craem.net\/wordpress\/?p=914"},"modified":"2013-08-06T22:03:43","modified_gmt":"2013-08-06T20:03:43","slug":"policy-based-routing-cisco-y-mikrotik-tunnel-ipip-y-nat-2","status":"publish","type":"post","link":"https:\/\/diablo.craem.net\/?p=914","title":{"rendered":"Policy Based Routing Cisco and Mikrotik, IPIP tunnel and NAT (2)"},"content":{"rendered":"<p>This time, we are going to configure MikroTik RouterOS as a client over a PPTP tunnel.<br \/>\nI need my Debian server, with IP 192.168.2.1, to go out through the PPTP tunnel and the rest of the machines on the network to use my normal connection, so as not to waste my good provider's resources.<br \/>\n<code><br \/>\n\/ppp profile<br \/>\nset 0 change-tcp-mss=yes name=default only-one=default use-compression=\\<br \/>\n    default use-encryption=default use-ipv6=yes use-mpls=default \\<br \/>\n    use-vj-compression=default<br \/>\nset 1 change-tcp-mss=yes name=default-encryption only-one=default \\<br \/>\n    remote-ipv6-prefix-pool=none use-compression=default use-encryption=yes \\<br \/>\n    use-ipv6=yes use-mpls=default use-vj-compression=default<br \/>\n\/interface pptp-client<br \/>\nadd add-default-route=no allow=pap,chap,mschap1,mschap2 connect-to=\\<br \/>\n    3.3.3.3 dial-on-demand=no disabled=no max-mru=1460 max-mtu=1460 mrru=\\<br \/>\n    disabled name=pptp_provider password=password profile=default-encryption \\<br \/>\n    user=usuarioPPTP<br \/>\n<\/code><br \/>\nAnd now the NAT rules and the prerouting rule to mark the packets:<br \/>\n<code><br \/>\n\/ip firewall mangle<br \/>\nadd action=mark-routing chain=prerouting disabled=no new-routing-mark=\\<br \/>\n    tunnel_provider passthrough=no src-address=192.168.2.1<br \/>\n\/ip firewall nat<br \/>\nadd action=masquerade chain=srcnat disabled=no out-interface=pptp_provider<br \/>\nadd action=masquerade chain=srcnat disabled=no 
out-interface=outside<br \/>\n<\/code><br \/>\nThe first rule marks the packets that we want to send out through the PPTP tunnel.<br \/>\nAnd now the routes:<br \/>\n<code><br \/>\n\/ip route<br \/>\nadd disabled=no distance=1 dst-address=0.0.0.0\/0 gateway=pptp_provider \\<br \/>\n    routing-mark=tunnel_provider scope=30 target-scope=10<br \/>\nadd comment=red_guifi disabled=no distance=1 dst-address=10.0.0.0\/8 gateway=\\<br \/>\n    172.26.2.251 scope=30 target-scope=10<br \/>\nadd disabled=no distance=1 dst-address=0.0.0.0\/0 gateway=172.26.2.20 scope=30 \\<br \/>\n    target-scope=10<br \/>\n<\/code><br \/>\nThe first route means that packets marked in prerouting with the tunnel_provider routing mark will go out this way.<br \/>\nThe second route means that all packets for the <em>Guifi.net<\/em> network 10.0.0.0\/8 will go out through my little antenna. \ud83d\ude42<br \/>\nThe third is for everything else.<br \/>\nIn the next post, we will cover NAT, to map local IPs to public ones.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This time, we are going to configure MikroTik RouterOS as a client over a PPTP tunnel. I need my Debian server, with IP 192.168.2.1, to go out through the PPTP tunnel and the rest of the machines on the network to use my normal connection, so as not to waste my good provider's resources. 
\/ppp profile set 0 change-tcp-mss=yes [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,6,8],"tags":[41,90,107],"class_list":["post-914","post","type-post","status-publish","format-standard","hentry","category-cisco","category-mikrotik","category-varios","tag-cisco","tag-ipip","tag-mikrotik"],"_links":{"self":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts\/914","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=914"}],"version-history":[{"count":0,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=\/wp\/v2\/posts\/914\/revisions"}],"wp:attachment":[{"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=914"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=914"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/diablo.craem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=914"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}