воскресенье, 26 марта 2023 г.
Rejoin AD Domain
Переподключить компьютер в домен
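# Rejoin the local computer to the AD domain: leave the domain with the supplied
# credential, join it again with the same credential, then reboot.
# Run from an elevated PowerShell; Get-Credential prompts interactively for a
# domain account allowed to remove/add computer objects.
$MYDOMAIN = "r.ratners.ru"
$MYCREDENTIAL = Get-Credential
$MYCOMPUTER = Get-WmiObject Win32_ComputerSystem

# UnJoinDomainOrWorkGroup() expects the password as plain text. The original
# passed "$($MYCREDENTIAL.Password)", which stringifies the SecureString to the
# literal "System.Security.SecureString" instead of the typed password, so the
# credential handed to the unjoin was not the one the user entered.
# GetNetworkCredential() yields the real value; it exists as plain text in this
# process only for the duration of the call.
# FUnjoinOptions = 0: leave the computer account in AD enabled.
$unjoin = $MYCOMPUTER.UnJoinDomainOrWorkGroup($MYCREDENTIAL.GetNetworkCredential().Password, $MYCREDENTIAL.UserName, 0)
if ($unjoin.ReturnValue -ne 0) {
    throw "UnJoinDomainOrWorkGroup failed with return code $($unjoin.ReturnValue)"
}

# -ErrorAction Stop so a failed join does not fall through to the reboot.
# (The original listing repeated the unjoin/join pair twice; this looks like a
# copy artefact, so the sequence is run once.)
Add-Computer -Credential $MYCREDENTIAL -DomainName $MYDOMAIN -ErrorAction Stop
Restart-Computer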
пятница, 24 марта 2023 г.
ipsecadd
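# ipsecadd_sbercloud
# Rebuilds the IKEv2 site-to-site IPsec tunnel "sbercloud" from scratch:
# everything tagged with this name/comment is removed, then profile, peer,
# proposal, identity, notrack rules, policies and the host routes to the
# peer are created again. Safe to re-run.
:local ipsecName "sbercloud";
:local ipsecComment "$ipsecName";
:local peerAddr "89.232.179.63";
:local peerLocalAddr "213.33.195.92";
# next hop towards the peer, and the secondary routing table that also needs the host route
:local peerGateway "213.33.195.81";
:local peerRoutingTable "902-beeline";
# NOTE(review): the pre-shared key is embedded in the script body; keep it out
# of the script (and out of any published copy) when this is reused.
:local ipsecSecret "asdfasfasdfasfasdf";
:local srcList [:toarray "192.168.1.0/24"];
:local dstList [:toarray "192.168.5.0/24"];

# --- remove the previous generation, dependents first (policy and identity
# reference the peer; the peer references the profile).
# Lookup and removal both use exact comparison. The original removed with the
# regex operator "~", which also matched any comment merely containing the name.
:if ([:len [/ip/ipsec/policy/find where comment="$ipsecComment"]] > 0) do={/ip ipsec policy remove [find comment="$ipsecComment"]}
:if ([:len [/ip/ipsec/identity/find where comment="$ipsecComment"]] > 0) do={/ip ipsec identity remove [find comment="$ipsecComment"]}
:if ([:len [/ip/ipsec/proposal/find where name="$ipsecName"]] > 0) do={/ip ipsec proposal remove $ipsecName}
:if ([:len [/ip/ipsec/peer/find where name="$ipsecName"]] > 0) do={/ip ipsec peer remove $ipsecName}
:if ([:len [/ip/ipsec/profile/find where name="$ipsecName"]] > 0) do={/ip ipsec profile remove $ipsecName}
:if ([:len [/ip/firewall/raw/find where comment="$ipsecComment"]] > 0) do={/ip firewall raw remove [find comment="$ipsecComment"]}
:if ([:len [/ip/route/find where comment="$ipsecComment"]] > 0) do={/ip route remove [find comment="$ipsecComment"]}

# --- create
# phase 1 (IKEv2): DH modp2048, AES-128, SHA-256, NAT-T on
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha256 nat-traversal=yes name=$ipsecName
# the peer is created disabled; the "vrrp" tag suggests a VRRP event script enables it - TODO confirm
/ip ipsec peer add address=$peerAddr local-address=$peerLocalAddr name=$ipsecName profile=$ipsecName comment="$ipsecComment vrrp" exchange-mode=ike2 disabled=yes
# phase 2: AES-128-GCM is AEAD, so auth-algorithms is intentionally empty; PFS modp2048
/ip ipsec proposal add name=$ipsecName lifetime=1h auth-algorithms="" enc-algorithms=aes-128-gcm pfs-group=modp2048
/ip ipsec identity add peer=$ipsecName secret=$ipsecSecret comment=$ipsecComment
# per destination subnet: keep tunnel traffic out of connection tracking in both
# directions, then one policy per src/dst pair.
# NOTE(review): place-before=*0 names internal item id *0 - verify such an item exists on this router
:foreach dstAddr in $dstList do={
  /ip firewall raw add comment=$ipsecComment action=notrack chain=prerouting disabled=no dst-address=0.0.0.0/0 src-address=$dstAddr place-before=*0;
  /ip firewall raw add comment=$ipsecComment action=notrack chain=prerouting disabled=no dst-address=$dstAddr src-address=0.0.0.0/0 place-before=*0;
  :foreach srcAddr in $srcList do={
    /ip ipsec policy add dst-address=$dstAddr level=unique peer=$ipsecName proposal=$ipsecName src-address=$srcAddr tunnel=yes comment=$ipsecComment
  }
}
# host routes to the peer via the uplink, once per routing table. The original
# added these inside the dstList loop, so a second dstAddr would have produced
# a duplicate pair of routes.
/ip route add distance=1 dst-address=$peerAddr gateway=$peerGateway pref-src=$peerLocalAddr routing-table=$peerRoutingTable comment=$ipsecComment
/ip route add distance=1 dst-address=$peerAddr gateway=$peerGateway pref-src=$peerLocalAddr routing-table=main comment=$ipsecComment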
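# Rebuilds the IKEv2 site-to-site IPsec tunnel "sbercloud" from scratch:
# everything tagged with this name/comment is removed, then profile, peer,
# proposal, identity, notrack rules, policies and the host routes to the
# peer are created again. Safe to re-run.
:local ipsecName "sbercloud";
:local ipsecComment "$ipsecName";
:local peerAddr "89.232.179.63";
:local peerLocalAddr "213.33.195.92";
# next hop towards the peer, and the secondary routing table that also needs the host route
:local peerGateway "213.33.195.81";
:local peerRoutingTable "902-beeline";
# NOTE(review): the pre-shared key is embedded in the script body; keep it out
# of the script (and out of any published copy) when this is reused.
:local ipsecSecret "asdfasfasdfasfasdf";
:local srcList [:toarray "192.168.1.0/24"];
:local dstList [:toarray "192.168.5.0/24"];

# --- remove the previous generation, dependents first (policy and identity
# reference the peer; the peer references the profile).
# Lookup and removal both use exact comparison. The original removed with the
# regex operator "~", which also matched any comment merely containing the name.
:if ([:len [/ip/ipsec/policy/find where comment="$ipsecComment"]] > 0) do={/ip ipsec policy remove [find comment="$ipsecComment"]}
:if ([:len [/ip/ipsec/identity/find where comment="$ipsecComment"]] > 0) do={/ip ipsec identity remove [find comment="$ipsecComment"]}
:if ([:len [/ip/ipsec/proposal/find where name="$ipsecName"]] > 0) do={/ip ipsec proposal remove $ipsecName}
:if ([:len [/ip/ipsec/peer/find where name="$ipsecName"]] > 0) do={/ip ipsec peer remove $ipsecName}
:if ([:len [/ip/ipsec/profile/find where name="$ipsecName"]] > 0) do={/ip ipsec profile remove $ipsecName}
:if ([:len [/ip/firewall/raw/find where comment="$ipsecComment"]] > 0) do={/ip firewall raw remove [find comment="$ipsecComment"]}
:if ([:len [/ip/route/find where comment="$ipsecComment"]] > 0) do={/ip route remove [find comment="$ipsecComment"]}

# --- create
# phase 1 (IKEv2): DH modp2048, AES-128, SHA-256, NAT-T on
/ip ipsec profile add dh-group=modp2048 enc-algorithm=aes-128 hash-algorithm=sha256 nat-traversal=yes name=$ipsecName
# the peer is created disabled; the "vrrp" tag suggests a VRRP event script enables it - TODO confirm
/ip ipsec peer add address=$peerAddr local-address=$peerLocalAddr name=$ipsecName profile=$ipsecName comment="$ipsecComment vrrp" exchange-mode=ike2 disabled=yes
# phase 2: AES-128-GCM is AEAD, so auth-algorithms is intentionally empty; PFS modp2048
/ip ipsec proposal add name=$ipsecName lifetime=1h auth-algorithms="" enc-algorithms=aes-128-gcm pfs-group=modp2048
/ip ipsec identity add peer=$ipsecName secret=$ipsecSecret comment=$ipsecComment
# per destination subnet: keep tunnel traffic out of connection tracking in both
# directions, then one policy per src/dst pair.
# NOTE(review): place-before=*0 names internal item id *0 - verify such an item exists on this router
:foreach dstAddr in $dstList do={
  /ip firewall raw add comment=$ipsecComment action=notrack chain=prerouting disabled=no dst-address=0.0.0.0/0 src-address=$dstAddr place-before=*0;
  /ip firewall raw add comment=$ipsecComment action=notrack chain=prerouting disabled=no dst-address=$dstAddr src-address=0.0.0.0/0 place-before=*0;
  :foreach srcAddr in $srcList do={
    /ip ipsec policy add dst-address=$dstAddr level=unique peer=$ipsecName proposal=$ipsecName src-address=$srcAddr tunnel=yes comment=$ipsecComment
  }
}
# host routes to the peer via the uplink, once per routing table. The original
# added these inside the dstList loop, so a second dstAddr would have produced
# a duplicate pair of routes.
/ip route add distance=1 dst-address=$peerAddr gateway=$peerGateway pref-src=$peerLocalAddr routing-table=$peerRoutingTable comment=$ipsecComment
/ip route add distance=1 dst-address=$peerAddr gateway=$peerGateway pref-src=$peerLocalAddr routing-table=main comment=$ipsecComment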
пятница, 17 марта 2023 г.
PXE-E51
Помогла такая настройка порта на свитче:
! Access port for the PXE-booting server "srv" (the setting that resolved the PXE-E51 error above).
interface GigabitEthernet0/2
description srv
switchport access vlan 21
switchport mode access
! portfast lets the port forward right after link-up instead of waiting through the
! STP listening/learning stages, during which the PXE client's DHCP requests can time out
spanning-tree portfast
! bpduguard err-disables the port if a BPDU ever arrives on it, so a switch plugged in
! behind this portfast port cannot create a loop
spanning-tree bpduguard enable
end
! Repeat of the GigabitEthernet0/2 access-port block above; the "interface" line is missing here,
! so paste these lines only after selecting the interface.
description srv
switchport access vlan 21
switchport mode access
! portfast lets the port forward right after link-up instead of waiting through the
! STP listening/learning stages, during which the PXE client's DHCP requests can time out
spanning-tree portfast
! bpduguard err-disables the port if a BPDU ever arrives on it, so a switch plugged in
! behind this portfast port cannot create a loop
spanning-tree bpduguard enable
end
пятница, 3 марта 2023 г.
четверг, 2 марта 2023 г.
Обновление сертификата letsencrypt на микротике
Включаем доступ на порту 80 (он нужен, чтобы Let's Encrypt мог выполнить проверку)
Обновляем сертификат
закрываем доступ на порту 80
Для этого я пометил правила в фаерволе комментарием
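# Renew the Let's Encrypt certificate on the router.
# Let's Encrypt validates over HTTP, so the www service and the firewall rules
# tagged "letsencrypt" are opened only for the duration of the request and closed
# again afterwards. The original ran the five commands in sequence, so a failing
# enable-ssl-certificate aborted the script and left port 80 open; the do/on-error
# block below makes the two disable commands run on either outcome.
# $dnsName must already hold the router's public DNS name, e.g.
#   :local dnsName "<router-fqdn-placeholder>";
/ip/service/enable www
/ip/firewall/filter/enable [ find where comment="letsencrypt" ]
:do {
  /certificate enable-ssl-certificate dns-name=$dnsName
} on-error={
  :log error "letsencrypt: enable-ssl-certificate failed for $dnsName"
}
/ip/service/disable www
/ip/firewall/filter/disable [ find where comment="letsencrypt" ]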
среда, 1 марта 2023 г.
Скрипт создания IPsec-туннеля на микротике
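# ipsecadd_atappc
# Rebuilds the site-to-site IPsec tunnel "atappc" from scratch: everything
# tagged with this name/comment is removed, then profile, peer, proposal,
# identity, notrack rules and policies are created again. Safe to re-run.
:local ipsecName "atappc";
:local ipsecComment "$ipsecName";
:local peerAddr "1.2.88.186";
:local peerLocalAddr "2.3.195.93";
# NOTE(review): the pre-shared key is embedded in the script body; keep it out
# of the script (and out of any published copy) when this is reused.
:local ipsecSecret "54KD1ekHcc3uP2ChqwlKCDlTx";
:local srcList [:toarray "192.168.0.0/22,192.168.7.0/24"];
:local dstList [:toarray "192.168.126.0/24,192.168.135.0/24"];

# --- remove the previous generation, dependents first (policy and identity
# reference the peer; the peer references the profile).
# Lookup and removal both use exact comparison. The original removed with the
# regex operator "~", which also matched any comment merely containing the name.
:if ([:len [/ip/ipsec/policy/find where comment="$ipsecComment"]] > 0) do={/ip ipsec policy remove [find comment="$ipsecComment"]}
:if ([:len [/ip/ipsec/identity/find where comment="$ipsecComment"]] > 0) do={/ip ipsec identity remove [find comment="$ipsecComment"]}
:if ([:len [/ip/ipsec/proposal/find where name="$ipsecName"]] > 0) do={/ip ipsec proposal remove $ipsecName}
:if ([:len [/ip/ipsec/peer/find where name="$ipsecName"]] > 0) do={/ip ipsec peer remove $ipsecName}
:if ([:len [/ip/ipsec/profile/find where name="$ipsecName"]] > 0) do={/ip ipsec profile remove $ipsecName}
:if ([:len [/ip/firewall/raw/find where comment="$ipsecComment"]] > 0) do={/ip firewall raw remove [find comment="$ipsecComment"]}

# --- create
# NOTE(review): dh-group=modp1024 and the unset hash-algorithm (router default)
# are below current guidance for IKE; both ends of the tunnel have to change
# together, so the values are left as the remote side expects them.
/ip ipsec profile add dh-group=modp1024 enc-algorithm=aes-256 nat-traversal=yes name=$ipsecName
# no exchange-mode is given, so the router default applies; the "vrrp" tag suggests
# the peer is tied to a VRRP event script - TODO confirm
/ip ipsec peer add address=$peerAddr local-address=$peerLocalAddr name=$ipsecName profile=$ipsecName comment="$ipsecComment vrrp"
# phase 2: AES-256-CBC, PFS modp1536, 1h lifetime
/ip ipsec proposal add name=$ipsecName enc-algorithms=aes-256-cbc lifetime=1h pfs-group=modp1536
/ip ipsec identity add peer=$ipsecName secret=$ipsecSecret comment=$ipsecComment
# per destination subnet: keep tunnel traffic out of connection tracking in both
# directions, then one policy per src/dst pair.
# NOTE(review): place-before=0 is a numeric item reference (a sibling script uses
# the internal-id form *0) - verify which form your RouterOS version accepts in scripts
:foreach dstAddr in $dstList do={
  /ip firewall raw add comment=$ipsecComment action=notrack chain=prerouting disabled=no dst-address=0.0.0.0/0 src-address=$dstAddr place-before=0;
  /ip firewall raw add comment=$ipsecComment action=notrack chain=prerouting disabled=no dst-address=$dstAddr src-address=0.0.0.0/0 place-before=0;
  :foreach srcAddr in $srcList do={
    /ip ipsec policy add dst-address=$dstAddr level=unique peer=$ipsecName proposal=$ipsecName src-address=$srcAddr tunnel=yes comment=$ipsecComment;
  }
}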