下载 Mikrotik ROS 系统

普通系统可以从这里下载: https://mikrotik.com/download
如果是虚拟机从这里下载: https://mikrotik.com/download/archive

虚拟机版本可以使用账号激活正版使用60天,过期后也可以继续使用。参考: https://help.mikrotik.com/docs/pages/viewpage.action?pageId=18350234

基础设置

设置Bridge

1
2
3
4
5
6
7
8
/interface bridge
add name=bridge1 comment="defconf: local Bridge" auto-mac=yes

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether5

定义 PPPoE 接口组

1
2
3
4
5
6
7
8
9
10
/interface list
add name=WAN comment="defconf: extranet list"
add name=LAN comment="defconf: intranet list"
add name=ONU comment="onuconf: ONU list"

/interface list member
// add list=WAN comment="defconf: extranet member" interface=ether4
add list=WAN comment="defconf: extranet member" interface=pppoe-out1
add list=LAN comment="defconf: intranet member" interface=bridge1
add list=ONU comment="onuconf: ONU member" interface=ether4

iPV4防火墙

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
##       Filter 规则 19 条 + 虚拟规则 1 条
##          NAT 规则  6 条
##       Mangle 规则  2 条 + 虚拟规则 3 条
##          Raw 规则 41 条 + 虚拟规则 1 条
## Address-list 规则 29 条

/ip firewall address-list

add address=192.168.1.1 comment="onuconf: local ONU address" list=local_onu_ipv4
add address=10.0.0.0/24 comment="lanconf: local LAN address" list=local_lan_ipv4

add address=10.0.0.1 comment="lanconf: local DNS server" list=local_dns_ipv4

add address=0.0.0.0/8 comment="defconf: RFC6890 - this network" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890 - link local" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: RFC5771 - multicast" list=no_forward_ipv4
add address=255.255.255.255/32 comment="defconf: RFC6890 - limited broadcast" list=no_forward_ipv4

add address=127.0.0.0/8 comment="defconf: RFC6890 - loopback" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890 - reserved" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 - TEST-NET-1" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 - TEST-NET-2" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 - TEST-NET-3" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 - reserved" list=bad_ipv4

add address=0.0.0.0/8 comment="defconf: RFC6890 - this network" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890 - private networks" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890 - shared address" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890 - link local" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890 - private networks" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890 - DS-Lite" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890 - private networks" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 - benchmarking" list=not_global_ipv4
add address=255.255.255.255/32 comment="defconf: RFC6890 - limited broadcast" list=not_global_ipv4

add address=224.0.0.0/4 comment="defconf: RFC5771 - multicast" list=bad_src_ipv4
add address=255.255.255.255/32 comment="defconf: RFC6890 - limited broadcast" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890 - this network" list=bad_dst_ipv4

add address=0.0.0.0 comment="ddosconf: DDoS" list=ddos_targets_ipv4
add address=0.0.0.0 comment="ddosconf: DDoS" list=ddos_attackers_ipv4


/ip firewall filter

add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
## add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="[wan-not-dnat]"
add action=drop chain=forward comment="onuconf: drop all from ONU not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=ONU log=yes log-prefix="[onu-not-dnat]"
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4

add action=jump chain=forward comment="ddosconf: DDoS SYN-ACK" protocol=tcp tcp-flags=syn,ack jump-target=detect-syn-ack
add action=return chain=detect-syn-ack comment="ddosconf: DDoS SYN-ACK" dst-limit=64,64,src-and-dst-addresses/10s
add action=add-dst-to-address-list chain=detect-syn-ack comment="ddosconf: DDoS SYN-ACK" address-list=ddos_targets_ipv4 address-list-timeout=10m
add action=add-src-to-address-list chain=detect-syn-ack comment="ddosconf: DDoS SYN-ACK" address-list=ddos_attackers_ipv4 address-list-timeout=10m log=yes log-prefix="[sa-flood-ipv4]"

add action=jump chain=forward comment="ddosconf: DDoS" connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos comment="ddosconf: DDoS" dst-limit=256,256,src-and-dst-addresses/10s
add action=add-dst-to-address-list chain=detect-ddos comment="ddosconf: DDoS" address-list=ddos_targets_ipv4 address-list-timeout=10m
add action=add-src-to-address-list chain=detect-ddos comment="ddosconf: DDoS" address-list=ddos_attackers_ipv4 address-list-timeout=10m log=yes log-prefix="[ddos-ipv4]"


/ip firewall nat

add action=masquerade chain=srcnat comment="defconf: masquerade IPv4" out-interface-list=WAN
add action=masquerade chain=srcnat comment="onuconf: access to ONU" out-interface-list=ONU src-address-list=local_lan_ipv4 dst-address-list=local_onu_ipv4

add action=accept chain=dstnat comment="lanconf: accept local DNS server's query (UDP)" dst-port=53 in-interface-list=LAN protocol=udp src-address-list=local_dns_ipv4
add action=accept chain=dstnat comment="lanconf: accept local DNS server's query (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp src-address-list=local_dns_ipv4
add action=redirect chain=dstnat comment="lanconf: redirect DNS query (UDP)" dst-port=53 in-interface-list=LAN protocol=udp to-ports=53
add action=redirect chain=dstnat comment="lanconf: redirect DNS query (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53


/ip firewall mangle

add action=change-mss chain=forward comment="defconf: fix IPv4 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=accept chain=prerouting comment="onuconf: access to ONU" src-address-list=local_lan_ipv4 dst-address-list=local_onu_ipv4


/ip firewall raw

add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes

add action=drop chain=prerouting comment="ddosconf: DDoS" dst-address-list=ddos_targets_ipv4 src-address-list=ddos_attackers_ipv4

add action=accept chain=prerouting comment="defconf: accept DHCPv4 discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68

add action=drop chain=prerouting comment="defconf: drop bogon IPs" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IPs" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bad SRC IPv4" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bad DST IPv4" dst-address-list=bad_dst_ipv4

add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop forward to local LAN from WAN" in-interface-list=WAN dst-address-list=local_lan_ipv4 log=yes log-prefix="[wan-to-lan]"

add action=drop chain=prerouting comment="onuconf: drop if not from ONU address" in-interface-list=ONU src-address-list=!local_onu_ipv4
add action=drop chain=prerouting comment="onuconf: drop forward to local LAN from ONU" in-interface-list=ONU dst-address-list=local_lan_ipv4 log=yes log-prefix="[onu-to-lan]"

add action=drop chain=prerouting comment="defconf: drop if not from default IPv4 range" in-interface-list=LAN src-address-list=!local_lan_ipv4

add action=drop chain=prerouting comment="defconf: drop UDP port 0" port=0 protocol=udp log=yes log-prefix="[udp-port-0]"

add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad-tcp protocol=tcp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp

add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="onuconf: accept everything else from ONU" in-interface-list=ONU

add action=drop chain=prerouting comment="defconf: drop the rest"

add action=drop chain=bad-tcp comment="defconf: drop TCP port 0" port=0 protocol=tcp log=yes log-prefix="[tcp-port-0]"
add action=drop chain=bad-tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad-tcp comment="defconf: drop flags fin,syn" protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad-tcp comment="defconf: drop flags fin,rst" protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad-tcp comment="defconf: drop flags fin,!ack" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad-tcp comment="defconf: drop flags fin,urg" protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad-tcp comment="defconf: drop flags syn,rst" protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad-tcp comment="defconf: drop flags rst,urg" protocol=tcp tcp-flags=rst,urg

add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 protocol=icmp

add action=drop chain=icmp4 comment="onuconf: drop other ICMP from ONU" protocol=icmp in-interface-list=ONU log=yes log-prefix="[onu-icmp]"

add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=11:0-255 protocol=icmp

add action=drop chain=icmp4 comment="lanconf: drop other ICMP from WAN" protocol=icmp in-interface-list=WAN

add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp

add action=accept chain=icmp4 comment="lanconf: echo to local device" icmp-options=8:0 protocol=icmp dst-address-list=local_lan_ipv4
add action=accept chain=icmp4 comment="onuconf: echo to ONU" icmp-options=8:0 protocol=icmp dst-address-list=local_onu_ipv4
add action=drop chain=icmp4 comment="lanconf: echo to non global" icmp-options=8:0 protocol=icmp dst-address-list=not_global_ipv4
add action=accept chain=icmp4 comment="lanconf: echo to WAN" icmp-options=8:0 protocol=icmp

add action=drop chain=icmp4 comment="defconf: drop all other ICMP" protocol=icmp


/ip firewall connection tracking

set tcp-syn-sent-timeout=120s
set tcp-syn-received-timeout=60s
set tcp-established-timeout=7440s
set tcp-fin-wait-timeout=120s
set tcp-close-wait-timeout=60s
set tcp-last-ack-timeout=30s
set tcp-time-wait-timeout=120s
set tcp-close-timeout=10s
set tcp-max-retrans-timeout=300s
set tcp-unacked-timeout=300s
set udp-timeout=30s
set udp-stream-timeout=120s
set icmp-timeout=30s
set generic-timeout=600s


/ip settings
set max-neighbor-entries=1024 rp-filter=loose tcp-syncookies=yes

/ip neighbor discovery-settings
set discover-interface-list=none

/ip proxy
set enabled=no

/ip socks
set enabled=no

/ip upnp
set enabled=no

/ip cloud
set ddns-enabled=no update-time=no

/ip ssh
set strong-crypto=yes

/tool mac-server
## set allowed-interface-list=none

/tool mac-server mac-winbox
## set allowed-interface-list=none

/tool mac-server ping
## 安全设置关闭
set enabled=no

/tool bandwidth-server
set enabled=no

设置 IPv4 黑洞路由

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
/ip route

add blackhole comment="defconf: RFC6890 - this network" disabled=no dst-address=0.0.0.0/8
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=10.0.0.0/8
add blackhole comment="defconf: RFC6890 - shared address" disabled=no dst-address=100.64.0.0/10
add blackhole comment="defconf: RFC6890 - link local" disabled=no dst-address=169.254.0.0/16
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=172.16.0.0/12
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=192.0.0.0/24
add blackhole comment="defconf: RFC6890 - DS-Lite" disabled=no dst-address=192.0.0.0/29
add blackhole comment="defconf: RFC6890 - TEST-NET-1" disabled=no dst-address=192.0.2.0/24
add blackhole comment="defconf: RFC6890 - 6to4 relay" disabled=no dst-address=192.88.99.0/24
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=192.168.0.0/16
add blackhole comment="defconf: RFC6890 - benchmarking" disabled=no dst-address=198.18.0.0/15
add blackhole comment="defconf: RFC6890 - TEST-NET-2" disabled=no dst-address=198.51.100.0/24
add blackhole comment="defconf: RFC6890 - TEST-NET-3" disabled=no dst-address=203.0.113.0/24
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=240.0.0.0/4

iPV6防火墙

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
##       Filter 规则 13 条
##          NAT 规则  3 条
##       Mangle 规则  1 条
##          Raw 规则 47 条
## Address-list 规则 17 条

/ipv6 firewall address-list

add address=fe80::/10 comment="defconf: RFC6890 - link local" list=no_forward_ipv6
add address=ff00::/8 comment="defconf: RFC3513 - multicast" list=no_forward_ipv6

add address=::1/128 comment="defconf: RFC6890 - loopback" list=bad_ipv6
add address=0000::/96 comment="defconf: RFC4291 - IPv4 compatible" list=bad_ipv6
add address=::ffff:0:0/96 comment="defconf: RFC6890 - IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890 - reserved" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 - documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: RFC4843 - ORCHID" list=bad_ipv6
add address=2001:20::/28 comment="defconf: RFC7343 - ORCHIDv2" list=bad_ipv6

add address=100::/64 comment="defconf: RFC6890 - discard-only" list=not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 - TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 - benchmarking" list=not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 - unique local" list=not_global_ipv6
add address=fec0::/10 comment="defconf: RFC3879 - site local" list=not_global_ipv6

add address=::/128 comment="defconf: RFC6890 - unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: RFC3513 - multicast" list=bad_src_ipv6
add address=::/128 comment="defconf: RFC6890 - unspecified" list=bad_dst_ipv6


/ipv6 firewall filter

add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=udp src-address=fe80::/10 log=yes log-prefix="[ipv6-pd]"
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN

add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
## add action=drop chain=forward comment="defconf: drop all not from LAN" in-interface-list=!LAN


/ipv6 firewall nat

add action=masquerade chain=srcnat comment="defconf: masquerade IPv6" out-interface-list=WAN disabled=yes

add action=redirect chain=dstnat comment="lanconf: redirect DNS query (UDP)" dst-port=53 in-interface-list=LAN protocol=udp to-ports=53
add action=redirect chain=dstnat comment="lanconf: redirect DNS query (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53


/ipv6 firewall mangle

add action=change-mss chain=forward comment="defconf: fix IPv6 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn


/ipv6 firewall raw

add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes

add action=drop chain=prerouting comment="defconf: drop IPv6 extension headers types 0,43" headers=hop,route:contains

add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" dst-address=ff02:0:0:0:0:1:ff00::/104 icmp-options=135 protocol=icmpv6 src-address=::/128

add action=drop chain=prerouting comment="defconf: drop bogon IPs" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IPs" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bad SRC IPv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop bad DST IPv6" dst-address-list=bad_dst_ipv6

add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6

add action=drop chain=prerouting comment="defconf: drop UDP port 0" port=0 protocol=udp log=yes log-prefix="[udp-port-0]"

add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad-tcp protocol=tcp
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6

add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8

add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN

add action=drop chain=prerouting comment="defconf: drop the rest"

add action=drop chain=bad-tcp comment="defconf: drop TCP port 0" port=0 protocol=tcp log=yes log-prefix="[tcp-port-0]"
add action=drop chain=bad-tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad-tcp comment="defconf: drop flags fin,syn" protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad-tcp comment="defconf: drop flags fin,rst" protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad-tcp comment="defconf: drop flags fin,!ack" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad-tcp comment="defconf: drop flags fin,urg" protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad-tcp comment="defconf: drop flags syn,rst" protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad-tcp comment="defconf: drop flags rst,urg" protocol=tcp tcp-flags=rst,urg

add action=accept chain=icmp6 comment="defconf: rfc4890 DST unreachable" icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 packet too big" icmp-options=2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 time exceeded" icmp-options=3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 parameter problem" icmp-options=4:0-2 protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 echo request" icmp-options=128:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 echo response" icmp-options=129:0-255 protocol=icmpv6

add action=drop chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6 log=yes log-prefix="[ipv6-hop-limit]"

add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener query only LAN" src-address=fe80::/10 icmp-options=130:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener report only LAN" src-address=fe80::/10 icmp-options=131:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener done only LAN" src-address=fe80::/10 icmp-options=132:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener report v2 only LAN" src-address=fe80::/10 icmp-options=143:0-255 in-interface-list=LAN protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 router solic only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router advert only LAN" hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic only LAN" hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert only LAN" hop-limit=equal:255 icmp-options=136:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic only LAN" hop-limit=equal:255 icmp-options=141:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert only LAN" hop-limit=equal:255 icmp-options=142:0-255 in-interface-list=LAN protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 certificate path solicitation only LAN" hop-limit=equal:255 icmp-options=148:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 certificate path advertisement only LAN" hop-limit=equal:255 icmp-options=149:0-255 in-interface-list=LAN protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 multicast router advertisement only LAN" src-address=fe80::/10 hop-limit=equal:1 icmp-options=151:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast router solicitation only LAN" src-address=fe80::/10 hop-limit=equal:1 icmp-options=152:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast router termination only LAN" src-address=fe80::/10 hop-limit=equal:1 icmp-options=153:0-255 in-interface-list=LAN protocol=icmpv6

add action=drop chain=icmp6 comment="defconf: drop all other ICMPv6" protocol=icmpv6

设置 IPv6 黑洞路由```

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
/ipv6 route

add blackhole comment="defconf: RFC6890 - unspecified" disabled=no dst-address=::/128
add blackhole comment="defconf: RFC4291 - IPv4 compatible" disabled=no dst-address=0000::/96
add blackhole comment="defconf: RFC6890 - IPv4 mapped" disabled=no dst-address=::ffff:0:0/96
add blackhole comment="defconf: RFC6890 - discard-only" disabled=no dst-address=100::/64
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=2001::/23
add blackhole comment="defconf: RFC6890 - TEREDO" disabled=no dst-address=2001::/32
add blackhole comment="defconf: RFC6890 - benchmarking" disabled=no dst-address=2001:2::/48
add blackhole comment="defconf: RFC6890 - documentation" disabled=no dst-address=2001:db8::/32
add blackhole comment="defconf: RFC4843 - ORCHID" disabled=no dst-address=2001:10::/28
add blackhole comment="defconf: RFC7343 - ORCHIDv2" disabled=no dst-address=2001:20::/28
add blackhole comment="defconf: RFC6890 - 6to4" disabled=no dst-address=2002::/16
add blackhole comment="defconf: RFC6890 - unique local" disabled=no dst-address=fc00::/7
add blackhole comment="defconf: RFC6890 - link local" disabled=no dst-address=fe80::/10
add blackhole comment="defconf: RFC3879 - site local" disabled=no dst-address=fec0::/10
1
2
3
4
5
6
7
8
9
/interface list
add name=WAN comment="defconf: WAN list" 
add name=LAN comment="defconf: LAN list" 
add name=ONU comment="onuconf: ONU list"

/interface list member
add list=WAN comment="defconf: WAN member" interface=pppoe-out1
add list=LAN comment="defconf: LAN member" interface=bridge1
add list=ONU comment="onuconf: ONU member" interface=ether4

IP相关配置

配置

  • address: 192.168.100.1/24
  • network: 192.168.100.0
  • interface bridge
  • comment local LAN IPv4 address

配置光猫接口ip

  • address: 192.168.1.2/24
  • network 192.168.1.0
  • interface ether1
  • comment link IPv4 address for ONU

DHCP客户端

  • 添加地址池
  • Name dhcpv4-pool1
  • Addresses 192.168.100.50-192.168.100.200
  • Comment local LAN DHCPv4 pool
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
##       Filter 规则  9 条 + 虚拟规则 1 条
##          NAT 规则  2 条
##       Mangle 规则  2 条 + 虚拟规则 3 条
## Address-list 规则  2 条

/ip firewall address-list

add address=192.168.1.1 comment="onuconf: local ONU address" list=local_onu_ipv4
add address=10.0.1.0/24 comment="lanconf: local LAN address" list=local_lan_ipv4


/ip firewall filter

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes disabled=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward in-interface-list=!LAN comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="[wan-not-dnat]"
add action=drop chain=forward comment="onuconf: drop all from ONU not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=ONU log=yes log-prefix="[onu-not-dnat]"
  

/ip firewall nat

add action=masquerade chain=srcnat comment="defconf: masquerade IPv4" out-interface-list=WAN
add action=masquerade chain=srcnat comment="onuconf: access to ONU" out-interface-list=ONU src-address-list=local_lan_ipv4 dst-address-list=local_onu_ipv4  


/ip firewall mangle

add action=change-mss chain=forward comment="defconf: fix IPv4 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=accept chain=prerouting comment="onuconf: access to ONU" src-address-list=local_lan_ipv4 dst-address-list=local_onu_ipv4


/ip settings
set max-neighbor-entries=1024 rp-filter=loose tcp-syncookies=yes

/ip neighbor discovery-settings
set discover-interface-list=none

/ip proxy
set enabled=no

/ip socks
set enabled=no

/ip upnp
set enabled=no

/ip cloud
set ddns-enabled=no update-time=no

/ip ssh
set strong-crypto=yes

/tool mac-server
set allowed-interface-list=none

/tool mac-server mac-winbox
set allowed-interface-list=none

/tool mac-server ping
set enabled=no

/tool bandwidth-server
set enabled=no
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
/ip route

add blackhole comment="defconf: RFC6890 - this network" disabled=no dst-address=0.0.0.0/8
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=10.0.0.0/8
add blackhole comment="defconf: RFC6890 - shared address" disabled=no dst-address=100.64.0.0/10
add blackhole comment="defconf: RFC6890 - link local" disabled=no dst-address=169.254.0.0/16
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=172.16.0.0/12
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=192.0.0.0/24
add blackhole comment="defconf: RFC6890 - DS-Lite" disabled=no dst-address=192.0.0.0/29
add blackhole comment="defconf: RFC6890 - TEST-NET-1" disabled=no dst-address=192.0.2.0/24
add blackhole comment="defconf: RFC6890 - 6to4 relay" disabled=no dst-address=192.88.99.0/24
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=192.168.0.0/16
add blackhole comment="defconf: RFC6890 - benchmarking" disabled=no dst-address=198.18.0.0/15
add blackhole comment="defconf: RFC6890 - TEST-NET-2" disabled=no dst-address=198.51.100.0/24
add blackhole comment="defconf: RFC6890 - TEST-NET-3" disabled=no dst-address=203.0.113.0/24
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=240.0.0.0/4

ipv6

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
##       Filter 规则 13 条
##          NAT 规则  1 条
##       Mangle 规则  1 条
## Address-list 规则 10 条

/ipv6 firewall address-list

add address=::1/128 comment="defconf: RFC6890 - loopback" list=bad_ipv6
add address=::/128 comment="defconf: RFC6890 - unspecified" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 - discard-only" list=bad_ipv6
add address=0000::/96 comment="defconf: RFC4291 - IPv4 compatible" list=bad_ipv6
add address=::ffff:0:0/96 comment="defconf: RFC6890 - IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890 - reserved" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 - documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: RFC4843 - ORCHID" list=bad_ipv6
add address=2001:20::/28 comment="defconf: RFC7343 - ORCHIDv2" list=bad_ipv6
add address=fec0::/10 comment="defconf: RFC3879 - site local" list=bad_ipv6

  

/ipv6 firewall filter

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=udp src-address=fe80::/10 log=yes log-prefix="[ipv6-pd]"
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN

add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop bogon IPs" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop bogon IPs" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=drop chain=forward comment="defconf: drop all not from LAN" in-interface-list=!LAN

  

/ipv6 firewall nat

add action=masquerade chain=srcnat comment="defconf: masquerade IPv6" out-interface-list=WAN disabled=yes

/ipv6 firewall mangle

add action=change-mss chain=forward comment="defconf: fix IPv6 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
License

本文采用 署名-非商业性使用-相同方式共享 4.0 国际 许可协议,转载请注明出处。

快来参与讨论吧~