转发一个RouterOS 路由器的安装以及折腾手记
## 说明
# 00. 使用正版授权 License 激活 RouterOS 系统。
# 01. 将 PPPoE 拨号的账户根据实际情况修改,并设置密码。
# 02. 将内网网段 172.16.1.0/24 和 RouterOS IPv4 地址 172.16.1.1 根据实际情况修改。
# 03. 将光猫网段 192.168.1.0/24 和 ether1 IPv4 地址 192.168.1.2 根据实际情况修改。
# 04. 内网没有 DNSv4 服务器 172.16.1.2 和 172.16.1.3 时,系统 DNS、DHCPv4、防火墙 DNS Redirect 需要根据实际情况修改。
# 05. DHCPv4 Options 需要根据实际情况修改。
# 06. 新系统管理员账号 用户名、密码 需要修改,账户添加完成后,用新管理员账户执行后续命令条目。
# 07. 防火墙已默认启用 fasttrack-connection 。
# 08. QoS 使用了 CAKE 算法的 Queue Tree 以及 Fq-CoDel 算法的 Interface Queue , Qos 的带宽限速需要根据签约带宽进行修改。
# 09. 系统日志邮件的 发件箱、收件箱、SMTP密码 需要根据实际情况修改。
# 10. DHCPv4 中 MAC 地址绑定静态 IP ,具体参数需要根据实际情况修改。
# 11. 将内网 IPv6 地址 fdac::/64 换成合法的 ULA 地址。
# 12. 内网没有 DNSv6 服务器 fdac::2 和 fdac::3 时,系统 DNS、IPv6 ND、防火墙 DNS Redirect 需要根据实际情况修改。
# 13. 硬盘格式化过程中会忽略后续命令,需要等待格式化完成后再执行后续命令条目。
## 第一部分 - 配置网口
# Part 1 - interfaces and interface lists.
# ether1 faces the ONU (optical modem) and carries the PPPoE session; ether2-5
# are bridged into bridge1 as the LAN. The WAN/LAN/ONU interface lists defined
# at the end of this part are what every firewall rule in Parts 3 and 7
# matches on, so list membership decides which rule set a packet hits.
/interface
set [ find name=lo ] comment="defconf: local Loopback"
/interface ethernet
set [ find default-name=ether1 ] comment="defconf: local WAN"
set [ find default-name=ether2 ] comment="defconf: local LAN"
set [ find default-name=ether3 ] comment="defconf: local LAN"
set [ find default-name=ether4 ] comment="defconf: local LAN"
set [ find default-name=ether5 ] comment="defconf: local LAN for VMs"
/interface bridge
add name=bridge1 comment="defconf: local Bridge" auto-mac=yes
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip address
# bridge1 holds the LAN gateway address. ether1 gets an address inside the
# modem's own subnet so the modem stays reachable from the LAN (see the
# "access to ONU" masquerade rule in Part 3).
add interface=bridge1 comment="defconf: local LAN IPv4 address" address=172.16.1.1/24 network=172.16.1.0
add interface=ether1 comment="onuconf: link IPv4 address for ONU" address=192.168.1.2/24 network=192.168.1.0
/ip dhcp-client
# Remove any DHCP client on ether1: WAN addressing comes from PPPoE, not from
# the modem.
remove numbers=[ find where interface ~ "ether1" ]
/interface pppoe-client
# Replace the placeholder credentials. use-peer-dns=no keeps the ISP resolvers
# out of /ip dns. disabled=yes is deliberate: the session is enabled as the
# last step (Part 9) once the firewall is in place. This line holds a secret;
# keep a filled-in copy of the script out of shared or public storage.
add name=pppoe-out1 comment="defconf: local PPPoE Client" interface=ether1 user="<your-pppoe-user-name>" password="<your-pppoe-user-password>" add-default-route=yes use-peer-dns=no disabled=yes
/interface list
add name=WAN comment="defconf: WAN list"
add name=LAN comment="defconf: LAN list"
add name=ONU comment="onuconf: ONU list"
/interface list member
# Only pppoe-out1 is in WAN; the physical ether1 is in ONU. Traffic arriving
# on an interface that is in none of these lists is dropped by the
# "drop the rest" raw rules in Parts 3 and 7.
add list=WAN comment="defconf: WAN member" interface=pppoe-out1
add list=LAN comment="defconf: LAN member" interface=bridge1
add list=ONU comment="onuconf: ONU member" interface=ether1
## 第一部分完成
## 第二部分 - DNS & DHCP & 静态 IPv4 地址绑定
# Part 2 - DNS, DHCPv4 and static leases.
/ip dns
# allow-remote-requests=yes makes the router a resolver for the LAN. It is
# not exposed to WAN or to the modem side only because the IPv4 input chain
# (Part 3) drops everything not arriving from the LAN list. Upstream resolvers
# are the two internal DNS hosts; adjust per item 04 if they do not exist.
set allow-remote-requests=yes cache-max-ttl=6h cache-size=2048KiB max-concurrent-queries=150 servers=172.16.1.2,172.16.1.3
/ip dns static
# Special-use domain names are answered NXDOMAIN locally and never forwarded;
# match-subdomain=yes covers every name beneath them.
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=alt
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=home.arpa
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=ipv4only.arpa
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=resolver.arpa
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=example
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=bind
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=invalid
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=local
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=localhost
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=onion
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=test
/ip pool
# Dynamic range; static leases below use addresses outside it.
add name=dhcpv4-pool1 comment="defconf: local LAN DHCPv4 pool" ranges=172.16.1.100-172.16.1.200
/ip dhcp-server
# bootp-support=none: plain DHCP only, no legacy BOOTP answers.
add name=dhcpv4-server1 comment="defconf: local LAN DHCPv4 server" address-pool=dhcpv4-pool1 interface=bridge1 lease-time=1d bootp-support=none
/ip dhcp-server network
# Clients are handed the internal DNS servers, not the router. Any client that
# ignores this and queries elsewhere on port 53 is still caught by the DNS
# redirect NAT rules in Part 3.
add address=172.16.1.0/24 comment="defconf: local LAN DHCPv4 network" gateway=172.16.1.1 netmask=24 domain=fox.home.arpa dns-server=172.16.1.2,172.16.1.3
/ip dhcp-server option
# Per-lease overrides: option 6 (DNS server) and option 3 (router). The inner
# single quotes make RouterOS encode the value as an IPv4 address rather than
# as a literal string.
add code=6 name=opt-dnsv4-ha value="'172.16.1.1'"
add code=3 name=opt-bypass-gw value="'172.16.1.50'"
add code=6 name=opt-bypass-dnsv4 value="'172.16.1.50'"
/ip dhcp-server option sets
# opt-bypass steers a client to 172.16.1.50 as both gateway and DNS, i.e. that
# client's traffic leaves through a different host than this router.
add name=opt-bypass options=opt-bypass-gw,opt-bypass-dnsv4
/ip dhcp-server lease
# Static leases keyed by MAC; replace the placeholder MACs and comments
# (item 10). MAC-based binding is a convenience, not authentication.
add address=172.16.1.10 comment="<your-device-name1>" lease-time=2d mac-address=AA:BB:CC:00:00:10 server=dhcpv4-server1
add address=172.16.1.20 comment="<your-device-name2>" dhcp-option=opt-dnsv4-ha lease-time=2d mac-address=AA:BB:CC:00:00:20 server=dhcpv4-server1
add address=172.16.1.30 comment="<your-device-name3>" dhcp-option-set=opt-bypass lease-time=2d mac-address=AA:BB:CC:00:00:30 server=dhcpv4-server1
## 第二部分完成
## 第三部分 - IPv4 高级防火墙
## Filter 规则 19 条 + 虚拟规则 1 条
## NAT 规则 6 条
## Mangle 规则 2 条 + 虚拟规则 3 条
## Raw 规则 41 条 + 虚拟规则 1 条
## Address-list 规则 29 条
## Blackhole 规则 14 条
# Part 3 - IPv4 firewall (address lists, filter, NAT, mangle, raw), connection
# tracking timeouts and bogon blackhole routes.
/ip firewall address-list
# Address lists referenced by the rules below. Note that 172.16.1.50 is the
# bypass gateway/DNS from the Part 2 option set; listing it in local_dns_ipv4
# exempts its own queries from the DNS redirect in the NAT section.
add address=192.168.1.1 comment="onuconf: local ONU address" list=local_onu_ipv4
add address=172.16.1.0/24 comment="lanconf: local LAN address" list=local_lan_ipv4
add address=172.16.1.2 comment="lanconf: local DNS server" list=local_dns_ipv4
add address=172.16.1.3 comment="lanconf: local DNS server" list=local_dns_ipv4
add address=172.16.1.50 comment="lanconf: local DNS server" list=local_dns_ipv4
# no_forward_ipv4: never forwarded in either direction (filter forward chain).
add address=0.0.0.0/8 comment="defconf: RFC6890 - this network" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890 - link local" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: RFC5771 - multicast" list=no_forward_ipv4
add address=255.255.255.255/32 comment="defconf: RFC6890 - limited broadcast" list=no_forward_ipv4
# bad_ipv4: dropped in raw as source or destination on every interface.
add address=127.0.0.0/8 comment="defconf: RFC6890 - loopback" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890 - reserved" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 - TEST-NET-1" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 - TEST-NET-2" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 - TEST-NET-3" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 - reserved" list=bad_ipv4
# not_global_ipv4: dropped as a source when arriving from WAN (anti-spoofing)
# and never pinged from the LAN.
add address=0.0.0.0/8 comment="defconf: RFC6890 - this network" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890 - private networks" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890 - shared address" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890 - link local" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890 - private networks" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890 - DS-Lite" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890 - private networks" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 - benchmarking" list=not_global_ipv4
add address=255.255.255.255/32 comment="defconf: RFC6890 - limited broadcast" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: RFC5771 - multicast" list=bad_src_ipv4
add address=255.255.255.255/32 comment="defconf: RFC6890 - limited broadcast" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890 - this network" list=bad_dst_ipv4
# ddos_* lists are populated dynamically (10 minute timeout) by the detect-*
# chains below; the 0.0.0.0 entries are placeholders, presumably so the lists
# exist before the first dynamic add.
add address=0.0.0.0 comment="ddosconf: DDoS" list=ddos_targets_ipv4
add address=0.0.0.0 comment="ddosconf: DDoS" list=ddos_attackers_ipv4
/ip firewall filter
# input: ICMP has already been vetted by the raw icmp4 chain; after the
# established/related/untracked accept and the invalid drop, everything not
# arriving from the LAN list is dropped. So no router service (DNS, SSH, web,
# WinBox) is reachable from the PPPoE side or from the modem side.
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN
# forward: fasttrack only established/related (hw-offload=no). New
# connections from WAN or ONU are dropped and logged unless a dstnat rule
# created them; this script has no port-forwarding dstnat rule, so nothing
# inbound is forwarded. SYN packets are never fasttracked, which is why the
# mangle MSS rule below still sees them.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=no
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="[wan-not-dnat]"
add action=drop chain=forward comment="onuconf: drop all from ONU not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=ONU log=yes log-prefix="[onu-not-dnat]"
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
# Flood detection: SYN-ACKs (placed after the established accept, so only
# SYN-ACKs that belong to no tracked connection reach it) and bursts of new
# connections per src/dst pair above dst-limit record both ends into the
# ddos_* lists for 10 minutes; the raw "ddosconf: DDoS" rule then drops that
# pair before connection tracking.
add action=jump chain=forward comment="ddosconf: DDoS SYN-ACK" protocol=tcp tcp-flags=syn,ack jump-target=detect-syn-ack
add action=return chain=detect-syn-ack comment="ddosconf: DDoS SYN-ACK" dst-limit=64,64,src-and-dst-addresses/10s
add action=add-dst-to-address-list chain=detect-syn-ack comment="ddosconf: DDoS SYN-ACK" address-list=ddos_targets_ipv4 address-list-timeout=10m
add action=add-src-to-address-list chain=detect-syn-ack comment="ddosconf: DDoS SYN-ACK" address-list=ddos_attackers_ipv4 address-list-timeout=10m log=yes log-prefix="[sa-flood-ipv4]"
add action=jump chain=forward comment="ddosconf: DDoS" connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos comment="ddosconf: DDoS" dst-limit=320,320,src-and-dst-addresses/10s
add action=add-dst-to-address-list chain=detect-ddos comment="ddosconf: DDoS" address-list=ddos_targets_ipv4 address-list-timeout=10m
add action=add-src-to-address-list chain=detect-ddos comment="ddosconf: DDoS" address-list=ddos_attackers_ipv4 address-list-timeout=10m log=yes log-prefix="[ddos-ipv4]"
/ip firewall nat
# srcnat: masquerade towards WAN, plus LAN -> modem subnet so the modem can
# answer without a route back to 172.16.1.0/24.
add action=masquerade chain=srcnat comment="defconf: masquerade IPv4" out-interface-list=WAN
add action=masquerade chain=srcnat comment="onuconf: access to ONU" out-interface-list=ONU src-address-list=local_lan_ipv4 dst-address-list=local_onu_ipv4
# dstnat: every port-53 query from the LAN, except from the local DNS servers
# themselves, is redirected to this router's resolver. Only plain DNS on
# port 53 is intercepted; DNS over TLS/HTTPS (853/443) is not covered.
add action=accept chain=dstnat comment="lanconf: accept local DNS server's query (UDP)" dst-port=53 in-interface-list=LAN protocol=udp src-address-list=local_dns_ipv4
add action=accept chain=dstnat comment="lanconf: accept local DNS server's query (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp src-address-list=local_dns_ipv4
add action=redirect chain=dstnat comment="lanconf: redirect DNS query (UDP)" dst-port=53 in-interface-list=LAN protocol=udp to-ports=53
add action=redirect chain=dstnat comment="lanconf: redirect DNS query (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53
/ip firewall mangle
# MSS clamping on SYN only (PPPoE lowers the MTU). The prerouting accept for
# LAN -> modem traffic has no later prerouting mangle rule to skip in this
# script; presumably a hook for marks added later.
add action=change-mss chain=forward comment="defconf: fix IPv4 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=accept chain=prerouting comment="onuconf: access to ONU" src-address-list=local_lan_ipv4 dst-address-list=local_onu_ipv4
/ip firewall raw
# raw prerouting runs before connection tracking, so drops here are cheap.
# The first rule is a disabled "accept everything" switch: enabling it
# bypasses every raw rule that follows, so leave it disabled in normal use.
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting comment="ddosconf: DDoS" dst-address-list=ddos_targets_ipv4 src-address-list=ddos_attackers_ipv4
# DHCP discover (0.0.0.0 -> 255.255.255.255) must be accepted here, before
# the "drop if not from default IPv4 range" rule that would otherwise drop
# its unspecified source.
add action=accept chain=prerouting comment="defconf: accept DHCPv4 discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IPs" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IPs" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bad SRC IPv4" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bad DST IPv4" dst-address-list=bad_dst_ipv4
# Anti-spoofing per ingress list: WAN may not carry non-global sources nor
# target the LAN prefix; ONU traffic must come from the modem's address and
# must not target the LAN; LAN traffic must carry a LAN source.
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop forward to local LAN from WAN" in-interface-list=WAN dst-address-list=local_lan_ipv4 log=yes log-prefix="[wan-to-lan]"
add action=drop chain=prerouting comment="onuconf: drop if not from ONU address" in-interface-list=ONU src-address-list=!local_onu_ipv4
add action=drop chain=prerouting comment="onuconf: drop forward to local LAN from ONU" in-interface-list=ONU dst-address-list=local_lan_ipv4 log=yes log-prefix="[onu-to-lan]"
add action=drop chain=prerouting comment="defconf: drop if not from default IPv4 range" in-interface-list=LAN src-address-list=!local_lan_ipv4
add action=drop chain=prerouting comment="defconf: drop UDP port 0" port=0 protocol=udp log=yes log-prefix="[udp-port-0]"
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad-tcp protocol=tcp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
# Accept per known list; anything from an interface in no list is dropped.
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="onuconf: accept everything else from ONU" in-interface-list=ONU
add action=drop chain=prerouting comment="defconf: drop the rest"
# bad-tcp: port 0 and impossible flag combinations (no flags at all, fin+syn,
# fin+rst, fin without ack, fin+urg, syn+rst, rst+urg). Returns to prerouting
# for anything else.
add action=drop chain=bad-tcp comment="defconf: drop TCP port 0" port=0 protocol=tcp log=yes log-prefix="[tcp-port-0]"
add action=drop chain=bad-tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad-tcp comment="defconf: drop flags fin,syn" protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad-tcp comment="defconf: drop flags fin,rst" protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad-tcp comment="defconf: drop flags fin,!ack" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad-tcp comment="defconf: drop flags fin,urg" protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad-tcp comment="defconf: drop flags syn,rst" protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad-tcp comment="defconf: drop flags rst,urg" protocol=tcp tcp-flags=rst,urg
# icmp4: echo reply from anywhere; the modem may send nothing else. The error
# types needed for PMTU discovery and traceroute (3:1, 3:3, 3:4, 11) are
# accepted from any interface with no rate limit; everything else from WAN
# is then dropped, so the router does not answer echo requests from the
# Internet. LAN-sourced echo requests may go to the LAN, the modem or global
# addresses, but not to other non-global ranges.
# NOTE(review): the WAN-reachable error-type accepts carry no limit= matcher;
# consider adding one if the logs show ICMP error floods.
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 protocol=icmp
add action=drop chain=icmp4 comment="onuconf: drop other ICMP from ONU" protocol=icmp in-interface-list=ONU log=yes log-prefix="[onu-icmp]"
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="lanconf: drop other ICMP from WAN" protocol=icmp in-interface-list=WAN
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
add action=accept chain=icmp4 comment="lanconf: echo to local device" icmp-options=8:0 protocol=icmp dst-address-list=local_lan_ipv4
add action=accept chain=icmp4 comment="onuconf: echo to ONU" icmp-options=8:0 protocol=icmp dst-address-list=local_onu_ipv4
add action=drop chain=icmp4 comment="lanconf: echo to non global" icmp-options=8:0 protocol=icmp dst-address-list=not_global_ipv4
add action=accept chain=icmp4 comment="lanconf: echo to WAN" icmp-options=8:0 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop all other ICMP" protocol=icmp
/ip firewall connection tracking
# Conntrack timeouts. Shorter half-open (syn-sent/syn-received) and generic
# timeouts limit how long a flood or a dead flow occupies a table entry.
set tcp-syn-sent-timeout=120s
set tcp-syn-received-timeout=60s
set tcp-established-timeout=7440s
set tcp-fin-wait-timeout=120s
set tcp-close-wait-timeout=60s
set tcp-last-ack-timeout=30s
set tcp-time-wait-timeout=120s
set tcp-close-timeout=10s
set tcp-max-retrans-timeout=300s
set tcp-unacked-timeout=300s
set udp-timeout=30s
set udp-stream-timeout=120s
set icmp-timeout=30s
set generic-timeout=600s
/ip route
# Blackhole routes for bogon destinations: packets to unrouted private or
# reserved space are discarded here instead of going up the PPPoE default
# route. The connected 172.16.1.0/24 and 192.168.1.0/24 from Part 1 are more
# specific than 172.16.0.0/12 and 192.168.0.0/16, so longest-prefix match
# keeps the LAN and the modem reachable.
add blackhole comment="defconf: RFC6890 - this network" disabled=no dst-address=0.0.0.0/8
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=10.0.0.0/8
add blackhole comment="defconf: RFC6890 - shared address" disabled=no dst-address=100.64.0.0/10
add blackhole comment="defconf: RFC6890 - link local" disabled=no dst-address=169.254.0.0/16
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=172.16.0.0/12
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=192.0.0.0/24
add blackhole comment="defconf: RFC6890 - DS-Lite" disabled=no dst-address=192.0.0.0/29
add blackhole comment="defconf: RFC6890 - TEST-NET-1" disabled=no dst-address=192.0.2.0/24
add blackhole comment="defconf: RFC6890 - 6to4 relay" disabled=no dst-address=192.88.99.0/24
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=192.168.0.0/16
add blackhole comment="defconf: RFC6890 - benchmarking" disabled=no dst-address=198.18.0.0/15
add blackhole comment="defconf: RFC6890 - TEST-NET-2" disabled=no dst-address=198.51.100.0/24
add blackhole comment="defconf: RFC6890 - TEST-NET-3" disabled=no dst-address=203.0.113.0/24
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=240.0.0.0/4
## 第三部分完成
## 第四部分 - QoS 流控
# Part 4 - QoS: CAKE queue tree on the LAN bridge (download) and the PPPoE
# interface (upload), fq-codel on each physical port.
/queue type
# cake-nat=yes on the upload queue: packets on pppoe-out1 are already
# masqueraded, so CAKE presumably needs the conntrack lookup to isolate flows
# by the real LAN host; on the bridge (download) side the reverse NAT has
# already been undone, hence cake-nat=no.
add name=cake-rx kind=cake cake-diffserv=diffserv4 cake-flowmode=triple-isolate cake-memlimit=32.0MiB cake-rtt=50ms cake-overhead-scheme=ethernet cake-nat=no
add name=cake-tx kind=cake cake-diffserv=diffserv4 cake-flowmode=triple-isolate cake-memlimit=32.0MiB cake-rtt=50ms cake-overhead-scheme=ethernet cake-nat=yes cake-ack-filter=filter
/queue tree
# max-limit is the shaping rate and must be set below the contracted
# bandwidth (item 08). packet-mark=no-mark matches unmarked packets only;
# since no mangle rule in this script sets a packet mark, that is all traffic.
# NOTE(review): fasttrack is enabled in Part 3 -- confirm on the running
# system that fasttracked flows still appear in these interface-parented
# queues.
add name=cake-download comment="qosconf: download queue with CAKE" bucket-size=0.05 max-limit=500M packet-mark=no-mark parent=bridge1 queue=cake-rx
add name=cake-upload comment="qosconf: upload queue with CAKE" bucket-size=0.03 max-limit=50M packet-mark=no-mark parent=pppoe-out1 queue=cake-tx
/queue type
add name=fq-codel-interface kind=fq-codel fq-codel-limit=1024
/queue interface
# Per-port interface queue, replacing the default queue type.
set ether1 queue=fq-codel-interface
set ether2 queue=fq-codel-interface
set ether3 queue=fq-codel-interface
set ether4 queue=fq-codel-interface
set ether5 queue=fq-codel-interface
## 第四部分完成
## 第五部分 - 系统参数调整
# Part 5 - system hardening: identity, time, service exposure, discovery,
# unused services, user groups and accounts.
/system identity
set name=FoxRouter
/system clock
set time-zone-name=Asia/Shanghai
/system ntp client
# Time sync matters for the scheduler times in Part 6 and for log timestamps.
set enabled=yes
/system ntp client servers
add address=ntp.aliyun.com
add address=ntp.tencent.com
/ipv6 settings
# IPv6 is switched off here and switched back on in Part 7 once the IPv6
# firewall is loaded.
set disable-ipv6=yes
/ip service
# Management plane: telnet, ftp, api and api-ssl disabled; the remaining
# services are bound to the LAN prefix only.
# NOTE(review): plain-HTTP www stays enabled next to www-ssl, so a web login
# from the LAN can cross the wire unencrypted; consider disabling www once
# the www-ssl certificate is in place.
set telnet address=172.16.1.0/24 disabled=yes
set ftp address=172.16.1.0/24 disabled=yes
set www address=172.16.1.0/24
set ssh address=172.16.1.0/24
set www-ssl address=172.16.1.0/24
set api address=172.16.1.0/24 disabled=yes
set winbox address=172.16.1.0/24
set api-ssl address=172.16.1.0/24 disabled=yes
/ip settings
# Loose reverse-path filtering on source addresses and SYN cookies for the
# router's own TCP listeners.
set max-neighbor-entries=1024 rp-filter=loose tcp-syncookies=yes
/ip neighbor discovery-settings
# No neighbor-discovery (MNDP) announcements on any interface.
set discover-interface-list=none
/ip proxy
set enabled=no
/ip socks
set enabled=no
/ip upnp
# UPnP off: LAN hosts cannot open inbound ports by themselves.
set enabled=no
/ip cloud
set ddns-enabled=no update-time=no
/ip ssh
# Rejects the weaker ciphers, MACs and key-exchange groups.
set strong-crypto=yes
/ip smb
set enabled=no interfaces=bridge1
/ip smb users
remove numbers=[ find where name ~ "guest" ]
/ip smb shares
remove numbers=[ find where name ~ "pub" ]
/tool mac-server
# MAC-level WinBox/telnet and MAC ping disabled everywhere: management
# requires an IP address inside the LAN prefix.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool bandwidth-server
set enabled=no
/user group
# The built-in "read" group is reduced to read + winbox + web; in particular
# no ssh, api, rest-api, sensitive, password or write rights.
set read policy=read,winbox,web,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!password,!sniff,!sensitive,!api,!romon,!rest-api
/user
# A new full-rights administrator limited to logins from the LAN prefix; the
# factory "admin" account is then demoted to the read group rather than
# removed. Its password is not touched here -- set one, or disable the
# account, before going live. Run the rest of the script as the new user
# (item 06), since this line is the last one the old account can execute
# with full rights.
add name="<your-ros-user-name>" password="<your-ros-user-password>" group=full address=172.16.1.0/24 comment="defconf: system admin user"
set admin group=read address=172.16.1.0/24 comment="defconf: system default user"
## 第五部分完成
## 第六部分 - 定时任务
# Part 6 - e-mail alerting and scheduled jobs.
/tool e-mail
# SMTP over TLS on port 465. The SMTP password is stored in clear text in
# this script and in any later /export; keep filled-in copies out of shared
# storage.
set server="<smtp.xxx.com>" from="<your-email-x@xxx.com>" port=465 tls=yes user="<your-email-x@xxx.com>" password="<your-smtp-password>"
/system scheduler
# Each timer's policy equals the policy of the script it runs; with
# dont-require-permissions=no on the scripts (below), the caller must hold at
# least the script's rights, so keep the two in sync. The upgrade timer holds
# reboot and password rights, so its script body deserves review before it is
# filled in. The PPPoE pair forces a re-dial every 3 days with a 10 s gap.
add comment="sysconf: system alert log email" interval=45m name=system-log-timer on-event="/system script run email-log-worker" policy=read,write,policy,test start-time=00:00:00
add comment="sysconf: system resource email" interval=6h name=system-res-timer on-event="/system script run email-res-worker" policy=read,write,policy,test start-time=00:05:00
add comment="sysconf: system os auto upgrade" interval=1d name=system-upgrade-timer on-event="/system script run sys-upgrade-worker" policy=reboot,read,write,policy,password start-time=02:55:00
add comment="pppoeconf: system disable PPPoE" interval=3d name=disable-pppoe-timer on-event="/interface disable pppoe-out1" policy=write start-time=04:00:00
add comment="pppoeconf: system enable PPPoE" interval=3d name=enable-pppoe-timer on-event="/interface enable pppoe-out1" policy=write start-time=04:00:10
/system script
# Script bodies are intentionally empty (source="") and are filled in at
# Part 9 step 2. dont-require-permissions=no keeps the permission check on.
add comment="sysconf: system alert log email" dont-require-permissions=no name=email-log-worker policy=read,write,policy,test source=""
add comment="sysconf: system resource email" dont-require-permissions=no name=email-res-worker policy=read,write,policy,test source=""
add comment="sysconf: system os auto upgrade" dont-require-permissions=no name=sys-upgrade-worker policy=reboot,read,write,policy,password source=""
## 第六部分完成
## 第七部分 - 设置 IPv6
## Filter 规则 21 条
## NAT 规则 6 条
## Mangle 规则 1 条
## Raw 规则 48 条
## Address-list 规则 22 条
## Blackhole 规则 14 条
# Part 7 - IPv6: resolver update, DHCPv6-PD, addressing, ND, firewall
# (address lists, filter, NAT, mangle, raw) and bogon blackhole routes.
/ip dns
# Re-sets the resolver list to add the internal DNSv6 hosts (item 12).
set allow-remote-requests=yes cache-max-ttl=6h cache-size=2048KiB max-concurrent-queries=150 servers=172.16.1.2,172.16.1.3,fdac::2,fdac::3
/ipv6 settings
# Turns IPv6 back on (it was disabled in Part 5) and sizes the ND cache.
set disable-ipv6=no max-neighbor-entries=1024
/ipv6 dhcp-client
# Prefix delegation over the PPPoE session into pool dhcpv6-gua-pool1 (/64s).
# add-default-route=no and no static default route anywhere in this script:
# presumably the upstream router advertisement on pppoe-out1 supplies it --
# confirm with /ipv6 route print.
add interface=pppoe-out1 comment="defconf: local DHCPv6 Client" request=prefix pool-name=dhcpv6-gua-pool1 pool-prefix-length=64 use-peer-dns=no add-default-route=no
/ipv6 address
# bridge1 gets ::1 inside the delegated prefix (GUA) plus a ULA address; both
# are advertised to the LAN. fdac::/64 is a placeholder (item 11).
add interface=bridge1 comment="defconf: local LAN GUA IPv6 address" address=::1 from-pool=dhcpv6-gua-pool1 advertise=yes
add interface=bridge1 comment="defconf: local LAN ULA IPv6 address" address=fdac::1 advertise=yes
/ipv6 nd prefix default
# Short prefix lifetimes, presumably so a re-delegated prefix ages out of
# LAN hosts quickly.
set preferred-lifetime=45m valid-lifetime=90m
/ipv6 nd
# Default ND entry disabled; only bridge1 sends RAs, with RDNSS pointing at
# the internal DNSv6 servers.
set [ find default=yes ] disabled=yes
add interface=bridge1 ra-interval=300s-900s ra-lifetime=45m hop-limit=64 advertise-mac-address=yes advertise-dns=yes dns=fdac::2,fdac::3
/ipv6 firewall address-list
# local_lan_ipv6 holds only the ULA; the delegated GUA prefix is dynamic and
# is in no list, so rules matching local_lan_ipv6 (e.g. the ULA masquerade)
# affect ULA-sourced traffic only.
add address=fdac::/64 comment="lanconf: local LAN address" list=local_lan_ipv6
add address=fdac::2 comment="lanconf: local DNS server" list=local_dns_ipv6
add address=fdac::3 comment="lanconf: local DNS server" list=local_dns_ipv6
add address=fe80::/10 comment="defconf: RFC6890 - link local" list=no_forward_ipv6
add address=ff00::/8 comment="defconf: RFC3513 - multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 - loopback" list=bad_ipv6
add address=0000::/96 comment="defconf: RFC4291 - IPv4 compatible" list=bad_ipv6
add address=::ffff:0:0/96 comment="defconf: RFC6890 - IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890 - reserved" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 - documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: RFC4843 - ORCHID" list=bad_ipv6
add address=2001:20::/28 comment="defconf: RFC7343 - ORCHIDv2" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 - discard-only" list=not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 - TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 - benchmarking" list=not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 - unique local" list=not_global_ipv6
add address=fec0::/10 comment="defconf: RFC3879 - site local" list=not_global_ipv6
add address=::/128 comment="defconf: RFC6890 - unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: RFC3513 - multicast" list=bad_src_ipv6
add address=::/128 comment="defconf: RFC6890 - unspecified" list=bad_dst_ipv6
# ddos_* lists are populated dynamically by the detect-* chains below; the
# ::/128 entries are placeholders.
add address=::/128 comment="ddosconf: DDoS" list=ddos_targets_ipv6
add address=::/128 comment="ddosconf: DDoS" list=ddos_attackers_ipv6
/ipv6 firewall filter
# input: ICMPv6 (already vetted by the raw icmp6 chain), established/related,
# drop invalid, UDP traceroute, the DHCPv6 reply for prefix delegation from a
# link-local peer (logged), then drop anything not arriving from the LAN.
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=udp src-address=fe80::/10 log=yes log-prefix="[ipv6-pd]"
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN
# forward: no fasttrack here. ICMPv6 is forwarded (as filtered by the raw
# icmp6 chain), then everything not from the LAN is dropped -- so LAN hosts
# with a GUA are not reachable from the Internet except for ICMPv6.
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=drop chain=forward comment="defconf: drop all not from LAN" in-interface-list=!LAN
# Flood detection, same design as the IPv4 rules: offenders and targets go
# into the ddos_* lists for 10 minutes and the raw "ddosconf: DDoS" rule drops
# that pair before connection tracking.
add action=jump chain=forward comment="ddosconf: DDoS SYN-ACK" protocol=tcp tcp-flags=syn,ack jump-target=detect-syn-ack
add action=return chain=detect-syn-ack comment="ddosconf: DDoS SYN-ACK" dst-limit=64,64,src-and-dst-addresses/10s
add action=add-dst-to-address-list chain=detect-syn-ack comment="ddosconf: DDoS SYN-ACK" address-list=ddos_targets_ipv6 address-list-timeout=10m
add action=add-src-to-address-list chain=detect-syn-ack comment="ddosconf: DDoS SYN-ACK" address-list=ddos_attackers_ipv6 address-list-timeout=10m log=yes log-prefix="[sa-flood-ipv6]"
add action=jump chain=forward comment="ddosconf: DDoS" connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos comment="ddosconf: DDoS" dst-limit=320,320,src-and-dst-addresses/10s
add action=add-dst-to-address-list chain=detect-ddos comment="ddosconf: DDoS" address-list=ddos_targets_ipv6 address-list-timeout=10m
add action=add-src-to-address-list chain=detect-ddos comment="ddosconf: DDoS" address-list=ddos_attackers_ipv6 address-list-timeout=10m log=yes log-prefix="[ddos-ipv6]"
/ipv6 firewall nat
# GUA traffic is not NATed (the general masquerade is disabled); only
# ULA-sourced traffic is masqueraded on the way out, so ULA-only hosts still
# reach the Internet. DNS redirection mirrors the IPv4 rules: port 53 only,
# local DNS servers exempt.
add action=masquerade chain=srcnat comment="defconf: masquerade IPv6" out-interface-list=WAN disabled=yes
add action=masquerade chain=srcnat comment="lanconf: masquerade ULA IPv6" out-interface-list=WAN src-address-list=local_lan_ipv6
add action=accept chain=dstnat comment="lanconf: accept local DNS server's query (UDP)" dst-port=53 in-interface-list=LAN protocol=udp src-address-list=local_dns_ipv6
add action=accept chain=dstnat comment="lanconf: accept local DNS server's query (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp src-address-list=local_dns_ipv6
add action=redirect chain=dstnat comment="lanconf: redirect DNS query (UDP)" dst-port=53 in-interface-list=LAN protocol=udp to-ports=53
add action=redirect chain=dstnat comment="lanconf: redirect DNS query (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53
/ipv6 firewall mangle
# MSS clamping on SYN only, for the PPPoE MTU.
add action=change-mss chain=forward comment="defconf: fix IPv6 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ipv6 firewall raw
# raw prerouting, before connection tracking. The first rule is a disabled
# "accept everything" switch: enabling it bypasses every raw rule below.
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=drop chain=prerouting comment="ddosconf: DDoS" dst-address-list=ddos_targets_ipv6 src-address-list=ddos_attackers_ipv6
# Drops any packet carrying a Hop-by-Hop (0) or Routing (43) extension header.
# NOTE(review): MLD messages (types 130-132 and 143) are required by
# RFC 2710/3810 to carry a Hop-by-Hop Router Alert option, so the MLD accept
# rules in the icmp6 chain below may never be reached on this box -- check
# their counters if multicast listeners on the LAN matter.
add action=drop chain=prerouting comment="defconf: drop IPv6 extension headers types 0,43" headers=hop,route:contains
# Duplicate-address-detection neighbor solicitations (unspecified source to
# the solicited-node multicast range) are accepted here, before the bad_src
# drop that would otherwise remove the unspecified source.
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" dst-address=ff02:0:0:0:0:1:ff00::/104 icmp-options=135 protocol=icmpv6 src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IPs" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IPs" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bad SRC IPv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop bad DST IPv6" dst-address-list=bad_dst_ipv6
# Anti-spoofing: WAN may not carry non-global sources (this includes the ULA
# range fc00::/7 and link-local).
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6
add action=drop chain=prerouting comment="defconf: drop UDP port 0" port=0 protocol=udp log=yes log-prefix="[udp-port-0]"
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad-tcp protocol=tcp
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6
# Link-local multicast scope is allowed; any other multicast destination is
# dropped. Then accept per known list and drop anything from an interface in
# no list.
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
# bad-tcp: port 0 and impossible flag combinations, as in the IPv4 chain.
add action=drop chain=bad-tcp comment="defconf: drop TCP port 0" port=0 protocol=tcp log=yes log-prefix="[tcp-port-0]"
add action=drop chain=bad-tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad-tcp comment="defconf: drop flags fin,syn" protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad-tcp comment="defconf: drop flags fin,rst" protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad-tcp comment="defconf: drop flags fin,!ack" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad-tcp comment="defconf: drop flags fin,urg" protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad-tcp comment="defconf: drop flags syn,rst" protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad-tcp comment="defconf: drop flags rst,urg" protocol=tcp tcp-flags=rst,urg
# icmp6 per RFC 4890: error messages and echo are accepted from anywhere;
# anything addressed to a link-local destination with hop-limit != 255 is
# dropped and logged; ND, MLD, inverse ND, SEND certificate path and
# multicast router discovery messages are accepted only from the LAN and
# only with the hop-limit their RFC mandates (255, or 1 for types 151-153).
add action=accept chain=icmp6 comment="defconf: rfc4890 DST unreachable" icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 packet too big" icmp-options=2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 time exceeded" icmp-options=3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 parameter problem" icmp-options=4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 echo request" icmp-options=128:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 echo response" icmp-options=129:0-255 protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6 log=yes log-prefix="[ipv6-hop-limit]"
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener query only LAN" src-address=fe80::/10 icmp-options=130:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener report only LAN" src-address=fe80::/10 icmp-options=131:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener done only LAN" src-address=fe80::/10 icmp-options=132:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener report v2 only LAN" src-address=fe80::/10 icmp-options=143:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router solic only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router advert only LAN" hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic only LAN" hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert only LAN" hop-limit=equal:255 icmp-options=136:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic only LAN" hop-limit=equal:255 icmp-options=141:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert only LAN" hop-limit=equal:255 icmp-options=142:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 certificate path solicitation only LAN" hop-limit=equal:255 icmp-options=148:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 certificate path advertisement only LAN" hop-limit=equal:255 icmp-options=149:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast router advertisement only LAN" src-address=fe80::/10 hop-limit=equal:1 icmp-options=151:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast router solicitation only LAN" src-address=fe80::/10 hop-limit=equal:1 icmp-options=152:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast router termination only LAN" src-address=fe80::/10 hop-limit=equal:1 icmp-options=153:0-255 in-interface-list=LAN protocol=icmpv6
add action=drop chain=icmp6 comment="defconf: drop all other ICMPv6" protocol=icmpv6
/ipv6 route
# Blackhole routes for bogon destinations. The connected fdac::/64 on bridge1
# is more specific than fc00::/7, so the ULA LAN stays reachable.
add blackhole comment="defconf: RFC6890 - unspecified" disabled=no dst-address=::/128
add blackhole comment="defconf: RFC4291 - IPv4 compatible" disabled=no dst-address=0000::/96
add blackhole comment="defconf: RFC6890 - IPv4 mapped" disabled=no dst-address=::ffff:0:0/96
add blackhole comment="defconf: RFC6890 - discard-only" disabled=no dst-address=100::/64
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=2001::/23
add blackhole comment="defconf: RFC6890 - TEREDO" disabled=no dst-address=2001::/32
add blackhole comment="defconf: RFC6890 - benchmarking" disabled=no dst-address=2001:2::/48
add blackhole comment="defconf: RFC6890 - documentation" disabled=no dst-address=2001:db8::/32
add blackhole comment="defconf: RFC4843 - ORCHID" disabled=no dst-address=2001:10::/28
add blackhole comment="defconf: RFC7343 - ORCHIDv2" disabled=no dst-address=2001:20::/28
add blackhole comment="defconf: RFC6890 - 6to4" disabled=no dst-address=2002::/16
add blackhole comment="defconf: RFC6890 - unique local" disabled=no dst-address=fc00::/7
add blackhole comment="defconf: RFC6890 - link local" disabled=no dst-address=fe80::/10
add blackhole comment="defconf: RFC3879 - site local" disabled=no dst-address=fec0::/10
## 第七部分完成
## 第八部分 - 设置系统日志
## 格式化过程缓慢需要等待
# Part 8 - on-disk system log.
/disk
# Destructive: formats the drive in slot1 (everything on it is lost). Per
# item 13, lines pasted while the format runs are ignored, so paste the rest
# of this part only after it has finished.
format-drive slot1 mbr-partition-table=no file-system=ext4 label=logdrive ## Waiting
/system logging action
# Rotating on-disk log, 100 files, for the topics below.
add disk-file-count=100 disk-file-name=/slot1/offline-log name=syslog target=disk
/system logging
# The firewall topic carries every log=yes rule from Parts 3 and 7, which is
# where spoofing, flood and not-DSTNATed events are recorded; keeping it on
# disk means the evidence survives a reboot.
add action=syslog topics=critical
add action=syslog topics=error
add action=syslog topics=warning
add action=syslog topics=system
add action=syslog topics=script
add action=syslog topics=firewall
add action=syslog topics=interface
## 第八部分完成
## 第九部分
# 1.检查系统 License 。
# 2.设置系统邮件和自动升级脚本内容。
# 3.检查系统账户权限。
# 4.检查不必要的 IPv4 DHCP Client 。
# 5.启用 PPPoE 拨号。
# 6.备份系统。
# 7.重启系统。
## 第九部分完成
大佬这个适用于四口软路由吗?pve + ros