Set nat source rule 10 translation address 'masquerade' Set nat source rule 10 outbound-interface 'eth0' Set vpn l2tp remote-access authentication local-users username password Optional: Create NAT rules for L2TP customers:
Set vpn l2tp remote-access authentication mode local
Set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret Set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret Set vpn l2tp remote-access dns-servers server-1 '1.1.1.1' Set vpn l2tp remote-access client-ip-pool stop 192.168.255.254 Set vpn l2tp remote-access client-ip-pool start 192.168.255.1 Set vpn l2tp remote-access outside-address 'x.x.x.x' Set vpn ipsec ipsec-interfaces interface 'dum0' Set vpn ipsec nat-networks allowed-network 0.0.0.0/0 Set nat destination rule 20 translation address 'x.x.x.x' Configure L2TP and IPSec: Set nat destination rule 20 inbound-interface 'eth0' Set interfaces dummy dum0 address 'x.x.x.x/32' Create DNAT rules: Set public IP addresses on the dummy interface: In this case we can use a simple solution with a dummy interface and DNAT rules on VyOS routers. I am currently using Mellanox and I may stay with them as long as the support is good, plus they're very affordable right now on eBay.All instances on AWS are located behind 1-to-1 NAT and this affectly IPSec negatively. I have heard not so great things about Intel 10Gb support on RouterOSv6, and limited throughput issues. As for the NICs, I would need several SFP+. I am already a big fan of 10GTek, so for transceivers I may be going that route. The second part is deciding on SFP+ hardware. The part I am not sure about, is if RouterOS is more reliant on clock speed or core count, or if it really doesn't even matter.
I have been planning on using the first gen LGA 2011 platform, and dual CPU would be easy enough. I currently have a CSS326 after the hEX S to handle the 10gig, and it works fine. In the future at some point, I will need several SFP+, for testing and for other devices. I have been thinking of replacing my little hEX S soon here, and I kind of want to build something instead of buy, because it sounds cool and this in the realm of my profession/hobby.
0 kommentar(er)
