转发一个RouterOS 路由器的安装以及折腾手记

## 说明

# 00. 使用正版授权 License 激活 RouterOS 系统。

# 01. 将 PPPoE 拨号的账户根据实际情况修改,并设置密码。

# 02. 将内网网段 172.16.1.0/24 和 RouterOS IPv4 地址 172.16.1.1 根据实际情况修改。

# 03. 将光猫网段 192.168.1.0/24 和 ether1 IPv4 地址 192.168.1.2 根据实际情况修改。

# 04. 内网没有 DNSv4 服务器 172.16.1.2 和 172.16.1.3 时,系统 DNS、DHCPv4、防火墙 DNS Redirect 需要根据实际情况修改。

# 05. DHCPv4 Options 需要根据实际情况修改。

# 06. 新系统管理员账号 用户名、密码 需要修改,账户添加完成后,用新管理员账户执行后续命令条目。

# 07. 防火墙已默认启用 fasttrack-connection 。

# 08. QoS 使用了 CAKE 算法的 Queue Tree 以及 Fq-CoDel 算法的 Interface Queue , QoS 的带宽限速需要根据签约带宽进行修改。

# 09. 系统日志邮件的 发件箱、收件箱、SMTP密码 需要根据实际情况修改。

# 10. DHCPv4 中 MAC 地址绑定静态 IP ,具体参数需要根据实际情况修改。

# 11. 将内网 IPv6 地址 fdac::/64 换成合法的 ULA 地址。

# 12. 内网没有 DNSv6 服务器 fdac::2 和 fdac::3 时,系统 DNS、IPv6 ND、防火墙 DNS Redirect 需要根据实际情况修改。

# 13. 硬盘格式化过程中会忽略后续命令,需要等待格式化完成后再执行后续命令条目。



## 第一部分 - 配置网口
# Part 1 - interface layout: ether1 towards the ONU (WAN side), ether2..ether5
# bridged as the LAN, the two IPv4 addresses, the PPPoE client, and the three
# interface lists (WAN / LAN / ONU) that every firewall rule later refers to.

/interface
# Loopback only gets a "defconf:" comment so it groups with the other defaults.
set [ find name=lo ] comment="defconf: local Loopback"

/interface ethernet
# Role comments only; the port names themselves stay at their defaults.
set [ find default-name=ether1 ] comment="defconf: local WAN"
set [ find default-name=ether2 ] comment="defconf: local LAN"
set [ find default-name=ether3 ] comment="defconf: local LAN"
set [ find default-name=ether4 ] comment="defconf: local LAN"
set [ find default-name=ether5 ] comment="defconf: local LAN for VMs"

/interface bridge
# auto-mac=yes: the bridge picks its own MAC automatically.
add auto-mac=yes comment="defconf: local Bridge" name=bridge1

/interface bridge port
# ether2..ether5 form the LAN; ether1 deliberately stays outside the bridge.
add interface=ether2 bridge=bridge1
add interface=ether3 bridge=bridge1
add interface=ether4 bridge=bridge1
add interface=ether5 bridge=bridge1

/ip address
# LAN gateway address, plus a management address on ether1 in the ONU's
# subnet (192.168.1.1 is the ONU itself - see local_onu_ipv4 in Part 3).
add address=172.16.1.1/24 network=172.16.1.0 interface=bridge1 comment="defconf: local LAN IPv4 address"
add address=192.168.1.2/24 network=192.168.1.0 interface=ether1 comment="onuconf: link IPv4 address for ONU"

/ip dhcp-client
# ether1 is addressed statically above, so no DHCP client may remain on it.
remove numbers=[ find where interface ~ "ether1" ]

/interface pppoe-client
# Created disabled: fill in user/password (note 01) before enabling.
# use-peer-dns=no keeps the ISP resolvers out of /ip dns (Part 2 sets the
# LAN resolvers); add-default-route=yes makes the session the default route.
add add-default-route=yes use-peer-dns=no disabled=yes interface=ether1 name=pppoe-out1 comment="defconf: local PPPoE Client" user="<your-pppoe-user-name>" password="<your-pppoe-user-password>"

/interface list
add comment="defconf: WAN list" name=WAN
add comment="defconf: LAN list" name=LAN
add comment="onuconf: ONU list" name=ONU

/interface list member
# Membership is by logical interface: the PPPoE session (not ether1) is WAN,
# the bridge is LAN, and the physical ether1 is ONU (the management link).
add interface=pppoe-out1 list=WAN comment="defconf: WAN member"
add interface=bridge1 list=LAN comment="defconf: LAN member"
add interface=ether1 list=ONU comment="onuconf: ONU member"

## 第一部分完成



## 第二部分 - DNS & DHCP & 静态 IPv4 地址绑定
# Part 2 - the router's resolver, local NXDOMAIN entries, the LAN DHCPv4
# server with its option sets, and per-device static leases.

/ip dns
# allow-remote-requests=yes makes the router a resolver for the LAN; it is
# the input filter in Part 3 ("drop all not from LAN") that keeps it from
# answering the Internet. Upstreams are the two LAN resolvers from note 04.
set servers=172.16.1.2,172.16.1.3 allow-remote-requests=yes max-concurrent-queries=150 cache-size=2048KiB cache-max-ttl=6h

/ip dns static
# Special-use names are answered NXDOMAIN locally; match-subdomain=yes covers
# every label under them, so they never reach the upstream resolvers.
# NOTE(review): home.arpa is in this list while the DHCP network below hands
# out domain=fox.home.arpa - names under that suffix resolve only for clients
# that reach 172.16.1.2/.3 directly rather than through this resolver;
# confirm that split is intended.
add name=alt type=NXDOMAIN match-subdomain=yes comment="defconf: suppress special-use domain names"
add name=home.arpa type=NXDOMAIN match-subdomain=yes comment="defconf: suppress special-use domain names"
add name=ipv4only.arpa type=NXDOMAIN match-subdomain=yes comment="defconf: suppress special-use domain names"
add name=resolver.arpa type=NXDOMAIN match-subdomain=yes comment="defconf: suppress special-use domain names"
add name=example type=NXDOMAIN match-subdomain=yes comment="defconf: suppress special-use domain names"
add name=bind type=NXDOMAIN match-subdomain=yes comment="defconf: suppress special-use domain names"
add name=invalid type=NXDOMAIN match-subdomain=yes comment="defconf: suppress special-use domain names"
add name=local type=NXDOMAIN match-subdomain=yes comment="defconf: suppress special-use domain names"
add name=localhost type=NXDOMAIN match-subdomain=yes comment="defconf: suppress special-use domain names"
add name=onion type=NXDOMAIN match-subdomain=yes comment="defconf: suppress special-use domain names"
add name=test type=NXDOMAIN match-subdomain=yes comment="defconf: suppress special-use domain names"

/ip pool
# Dynamic range .100-.200; the static leases below sit outside it.
add ranges=172.16.1.100-172.16.1.200 name=dhcpv4-pool1 comment="defconf: local LAN DHCPv4 pool"

/ip dhcp-server
# bootp-support=none: plain DHCP only, no BOOTP answers.
add interface=bridge1 address-pool=dhcpv4-pool1 lease-time=1d bootp-support=none name=dhcpv4-server1 comment="defconf: local LAN DHCPv4 server"

/ip dhcp-server network
# Clients are pointed straight at the two LAN resolvers (note 04).
add gateway=172.16.1.1 netmask=24 dns-server=172.16.1.2,172.16.1.3 domain=fox.home.arpa address=172.16.1.0/24 comment="defconf: local LAN DHCPv4 network"

/ip dhcp-server option
# DHCP option 6 = DNS servers, option 3 = router. The inner single quotes are
# RouterOS's option-value form for an address given as text.
add name=opt-dnsv4-ha code=6 value="'172.16.1.1'"
add name=opt-bypass-gw code=3 value="'172.16.1.50'"
add name=opt-bypass-dnsv4 code=6 value="'172.16.1.50'"

/ip dhcp-server option sets
# "bypass": gateway and DNS both pointed at 172.16.1.50 for selected devices.
add options=opt-bypass-gw,opt-bypass-dnsv4 name=opt-bypass

/ip dhcp-server lease
# Static leases keyed by MAC (note 10); the MACs and names are placeholders.
# NOTE(review): a MAC is not an authentication token - a static lease only
# fixes which address a device is offered, not whether it may join the LAN.
add server=dhcpv4-server1 mac-address=AA:BB:CC:00:00:10 address=172.16.1.10 lease-time=2d comment="<your-device-name1>"
add server=dhcpv4-server1 mac-address=AA:BB:CC:00:00:20 address=172.16.1.20 lease-time=2d dhcp-option=opt-dnsv4-ha comment="<your-device-name2>"
add server=dhcpv4-server1 mac-address=AA:BB:CC:00:00:30 address=172.16.1.30 lease-time=2d dhcp-option-set=opt-bypass comment="<your-device-name3>"

## 第二部分完成



## 第三部分 - IPv4 高级防火墙
##       Filter 规则 19 条 + 虚拟规则 1 条
##          NAT 规则  6 条
##       Mangle 规则  2 条 + 虚拟规则 3 条
##          Raw 规则 41 条 + 虚拟规则 1 条
## Address-list 规则 29 条
##    Blackhole 规则 14 条

# Part 3 - IPv4 firewall. This section only builds the address lists; the
# filter / nat / mangle / raw chains and the blackhole routes follow.

/ip firewall address-list

# Local topology: the ONU's own address, the LAN subnet, and the three hosts
# allowed to send DNS queries without being redirected (the two resolvers
# from note 04 plus the 172.16.1.50 "bypass" box from Part 2's option set).
add list=local_onu_ipv4 address=192.168.1.1 comment="onuconf: local ONU address"
add list=local_lan_ipv4 address=172.16.1.0/24 comment="lanconf: local LAN address"
add list=local_dns_ipv4 address=172.16.1.2 comment="lanconf: local DNS server"
add list=local_dns_ipv4 address=172.16.1.3 comment="lanconf: local DNS server"
add list=local_dns_ipv4 address=172.16.1.50 comment="lanconf: local DNS server"

# no_forward_ipv4: link-scoped ranges that must never be routed through the
# box (used in the forward chain, both as source and destination).
add list=no_forward_ipv4 address=0.0.0.0/8 comment="defconf: RFC6890 - this network"
add list=no_forward_ipv4 address=169.254.0.0/16 comment="defconf: RFC6890 - link local"
add list=no_forward_ipv4 address=224.0.0.0/4 comment="defconf: RFC5771 - multicast"
add list=no_forward_ipv4 address=255.255.255.255/32 comment="defconf: RFC6890 - limited broadcast"

# bad_ipv4: ranges that are bogus as either source or destination on any
# interface (dropped in raw before connection tracking).
add list=bad_ipv4 address=127.0.0.0/8 comment="defconf: RFC6890 - loopback"
add list=bad_ipv4 address=192.0.0.0/24 comment="defconf: RFC6890 - reserved"
add list=bad_ipv4 address=192.0.2.0/24 comment="defconf: RFC6890 - TEST-NET-1"
add list=bad_ipv4 address=198.51.100.0/24 comment="defconf: RFC6890 - TEST-NET-2"
add list=bad_ipv4 address=203.0.113.0/24 comment="defconf: RFC6890 - TEST-NET-3"
add list=bad_ipv4 address=240.0.0.0/4 comment="defconf: RFC6890 - reserved"

# not_global_ipv4: addresses that must not arrive as a source from the WAN
# and that LAN hosts are not allowed to ping (raw icmp4 chain). Note this
# includes 100.64.0.0/10 (CGNAT) - if the ISP numbers its side of the PPPoE
# link from that range, ICMP from the ISP gateway is dropped too.
add list=not_global_ipv4 address=0.0.0.0/8 comment="defconf: RFC6890 - this network"
add list=not_global_ipv4 address=10.0.0.0/8 comment="defconf: RFC6890 - private networks"
add list=not_global_ipv4 address=100.64.0.0/10 comment="defconf: RFC6890 - shared address"
add list=not_global_ipv4 address=169.254.0.0/16 comment="defconf: RFC6890 - link local"
add list=not_global_ipv4 address=172.16.0.0/12 comment="defconf: RFC6890 - private networks"
add list=not_global_ipv4 address=192.0.0.0/29 comment="defconf: RFC6890 - DS-Lite"
add list=not_global_ipv4 address=192.168.0.0/16 comment="defconf: RFC6890 - private networks"
add list=not_global_ipv4 address=198.18.0.0/15 comment="defconf: RFC6890 - benchmarking"
add list=not_global_ipv4 address=255.255.255.255/32 comment="defconf: RFC6890 - limited broadcast"

# Direction-specific bogons: multicast/broadcast are never valid sources,
# 0.0.0.0/8 is never a valid destination.
add list=bad_src_ipv4 address=224.0.0.0/4 comment="defconf: RFC5771 - multicast"
add list=bad_src_ipv4 address=255.255.255.255/32 comment="defconf: RFC6890 - limited broadcast"
add list=bad_dst_ipv4 address=0.0.0.0/8 comment="defconf: RFC6890 - this network"

# Seed entries so the two dynamic DDoS lists exist before any rule refers to
# them; the filter chain adds real entries with a 10m timeout.
add list=ddos_targets_ipv4 address=0.0.0.0 comment="ddosconf: DDoS"
add list=ddos_attackers_ipv4 address=0.0.0.0 comment="ddosconf: DDoS"



/ip firewall filter

# Filter chains (input = to the router, forward = through it). Everything
# reaching these chains has already passed the raw prerouting chain below,
# so ICMP is accepted outright here ("after RAW" = already screened by the
# icmp4 chain in raw).

add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid

# Last input rule: only LAN-originated new connections fall through to the
# implicit accept. Which router services those can reach is then bounded by
# the address= restrictions under /ip service in Part 5.
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN


# Forward: established traffic is fasttracked in software (hw-offload=no)
# and accepted; the two "not DSTNATed" rules then stop WAN and ONU from
# opening anything towards the LAN unless a dstnat rule exists for it.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=no

add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

# NOTE(review): log=yes on a catch-all WAN drop records every unsolicited
# packet from the Internet; if the log fills with it, put a preceding
# limit= + log=yes rule in front so the logging (not the drop) is rate-limited.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="[wan-not-dnat]"

add action=drop chain=forward comment="onuconf: drop all from ONU not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=ONU log=yes log-prefix="[onu-not-dnat]"

add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4

add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4


# SYN-ACK flood detector: per (src,dst) pair, return while the rate stays
# within 64 pkt/s (burst 64); beyond that the destination is recorded in
# ddos_targets_ipv4 and the source in ddos_attackers_ipv4 for 10 minutes,
# after which the raw rule "ddosconf: DDoS" drops that pair before conntrack.
add action=jump chain=forward comment="ddosconf: DDoS SYN-ACK" protocol=tcp tcp-flags=syn,ack jump-target=detect-syn-ack

add action=return chain=detect-syn-ack comment="ddosconf: DDoS SYN-ACK" dst-limit=64,64,src-and-dst-addresses/10s

add action=add-dst-to-address-list chain=detect-syn-ack comment="ddosconf: DDoS SYN-ACK" address-list=ddos_targets_ipv4 address-list-timeout=10m

add action=add-src-to-address-list chain=detect-syn-ack comment="ddosconf: DDoS SYN-ACK" address-list=ddos_attackers_ipv4 address-list-timeout=10m log=yes log-prefix="[sa-flood-ipv4]"


# Same mechanism for all new connections, with a higher threshold (320/s).
add action=jump chain=forward comment="ddosconf: DDoS" connection-state=new jump-target=detect-ddos

add action=return chain=detect-ddos comment="ddosconf: DDoS" dst-limit=320,320,src-and-dst-addresses/10s

add action=add-dst-to-address-list chain=detect-ddos comment="ddosconf: DDoS" address-list=ddos_targets_ipv4 address-list-timeout=10m

add action=add-src-to-address-list chain=detect-ddos comment="ddosconf: DDoS" address-list=ddos_attackers_ipv4 address-list-timeout=10m log=yes log-prefix="[ddos-ipv4]"



/ip firewall nat

# Source NAT: LAN traffic leaves the PPPoE session masqueraded. LAN traffic
# to the ONU's own address is masqueraded to ether1's 192.168.1.2 as well -
# presumably so the ONU can answer without a route back to 172.16.1.0/24.

add action=masquerade chain=srcnat comment="defconf: masquerade IPv4" out-interface-list=WAN

add action=masquerade chain=srcnat comment="onuconf: access to ONU" out-interface-list=ONU src-address-list=local_lan_ipv4 dst-address-list=local_onu_ipv4


# DNS interception: queries sent by the local resolvers themselves are
# accepted (so the redirect below does not apply to them); every other LAN
# DNS query that is routed through this box is redirected to the router's
# own resolver on port 53, which forwards to 172.16.1.2/.3.
# NOTE(review): this only catches queries that actually traverse the router;
# LAN hosts talking to 172.16.1.2/.3 on the same bridge are switched, not
# routed, unless use-ip-firewall is enabled on the bridge - confirm.

add action=accept chain=dstnat comment="lanconf: accept local DNS server's query (UDP)" dst-port=53 in-interface-list=LAN protocol=udp src-address-list=local_dns_ipv4

add action=accept chain=dstnat comment="lanconf: accept local DNS server's query (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp src-address-list=local_dns_ipv4

add action=redirect chain=dstnat comment="lanconf: redirect DNS query (UDP)" dst-port=53 in-interface-list=LAN protocol=udp to-ports=53

add action=redirect chain=dstnat comment="lanconf: redirect DNS query (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53



/ip firewall mangle

# MSS clamping for the PPPoE MTU, on TCP SYN only; passthrough=yes lets later
# mangle rules still see the packet. The prerouting accept for LAN->ONU
# traffic ends mangle processing early for the management path; with only
# the MSS rule present its practical effect is small.

add action=change-mss chain=forward comment="defconf: fix IPv4 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

add action=accept chain=prerouting comment="onuconf: access to ONU" src-address-list=local_lan_ipv4 dst-address-list=local_onu_ipv4



/ip firewall raw

# Raw prerouting runs before connection tracking, so everything dropped here
# never costs a conntrack entry. Order matters: exceptions (DHCP discover,
# neighbour chains) come before the generic drops, and the three per-list
# accepts at the end mean only packets from an interface in no list reach
# "drop the rest".

# Kept disabled on purpose: enabling it accepts everything in raw and turns
# the box into a transparent (filter-only) firewall.
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes


# Pairs flagged by the filter-chain DDoS detectors are dropped here for as
# long as their 10m list entries last.
add action=drop chain=prerouting comment="ddosconf: DDoS" dst-address-list=ddos_targets_ipv4 src-address-list=ddos_attackers_ipv4


# DHCP DISCOVER (src 0.0.0.0 -> 255.255.255.255) must be accepted before the
# bogon and anti-spoofing drops below, which would otherwise match it.
add action=accept chain=prerouting comment="defconf: accept DHCPv4 discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68


# Bogons on any interface, in either direction.
add action=drop chain=prerouting comment="defconf: drop bogon IPs" src-address-list=bad_ipv4

add action=drop chain=prerouting comment="defconf: drop bogon IPs" dst-address-list=bad_ipv4

add action=drop chain=prerouting comment="defconf: drop bad SRC IPv4" src-address-list=bad_src_ipv4

add action=drop chain=prerouting comment="defconf: drop bad DST IPv4" dst-address-list=bad_dst_ipv4


# WAN ingress: no private/reserved sources from the Internet, and nothing
# from the Internet addressed to the LAN subnet (logged - a hit means the
# upstream is routing RFC1918 at us).
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4

add action=drop chain=prerouting comment="defconf: drop forward to local LAN from WAN" in-interface-list=WAN dst-address-list=local_lan_ipv4 log=yes log-prefix="[wan-to-lan]"


# ONU link: only the ONU's own address may talk on ether1, and it may not
# reach the LAN subnet.
add action=drop chain=prerouting comment="onuconf: drop if not from ONU address" in-interface-list=ONU src-address-list=!local_onu_ipv4

add action=drop chain=prerouting comment="onuconf: drop forward to local LAN from ONU" in-interface-list=ONU dst-address-list=local_lan_ipv4 log=yes log-prefix="[onu-to-lan]"


# LAN anti-spoofing: LAN packets must carry a LAN source address.
add action=drop chain=prerouting comment="defconf: drop if not from default IPv4 range" in-interface-list=LAN src-address-list=!local_lan_ipv4


add action=drop chain=prerouting comment="defconf: drop UDP port 0" port=0 protocol=udp log=yes log-prefix="[udp-port-0]"


# Protocol-specific sanity chains; anything they do not drop returns here.
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad-tcp protocol=tcp

add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp


add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN

add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN

add action=accept chain=prerouting comment="onuconf: accept everything else from ONU" in-interface-list=ONU


# Reached only by packets from an interface that is in none of the lists.
add action=drop chain=prerouting comment="defconf: drop the rest"


# bad-tcp: port 0, NULL scans (no fin/syn/rst/ack), and flag combinations
# that never occur in a legitimate segment.
add action=drop chain=bad-tcp comment="defconf: drop TCP port 0" port=0 protocol=tcp log=yes log-prefix="[tcp-port-0]"

add action=drop chain=bad-tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack

add action=drop chain=bad-tcp comment="defconf: drop flags fin,syn" protocol=tcp tcp-flags=fin,syn

add action=drop chain=bad-tcp comment="defconf: drop flags fin,rst" protocol=tcp tcp-flags=fin,rst

add action=drop chain=bad-tcp comment="defconf: drop flags fin,!ack" protocol=tcp tcp-flags=fin,!ack

add action=drop chain=bad-tcp comment="defconf: drop flags fin,urg" protocol=tcp tcp-flags=fin,urg

add action=drop chain=bad-tcp comment="defconf: drop flags syn,rst" protocol=tcp tcp-flags=syn,rst

add action=drop chain=bad-tcp comment="defconf: drop flags rst,urg" protocol=tcp tcp-flags=rst,urg


# icmp4: echo replies are always allowed (they answer our own pings).
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 protocol=icmp


# Placed before the unreachable/time-exceeded accepts, so the ONU can only
# send echo replies - its destination-unreachable messages (3:4 included)
# are dropped and logged. Probably fine for a management-only link; confirm.
add action=drop chain=icmp4 comment="onuconf: drop other ICMP from ONU" protocol=icmp in-interface-list=ONU log=yes log-prefix="[onu-icmp]"


# From any remaining interface (WAN included): host/port unreachable,
# fragmentation needed (PMTUD) and time exceeded (traceroute).
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp

add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp

add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp

add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=11:0-255 protocol=icmp


# Everything else from the WAN, echo requests included: the router does not
# answer pings from the Internet.
add action=drop chain=icmp4 comment="lanconf: drop other ICMP from WAN" protocol=icmp in-interface-list=WAN


# Net/protocol unreachable only from what is left (LAN).
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp

add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp


# Echo requests from the LAN: to LAN hosts and the ONU yes, to other
# non-global space no (no probing of private ranges through the WAN),
# anything else (the Internet) yes.
add action=accept chain=icmp4 comment="lanconf: echo to local device" icmp-options=8:0 protocol=icmp dst-address-list=local_lan_ipv4

add action=accept chain=icmp4 comment="onuconf: echo to ONU" icmp-options=8:0 protocol=icmp dst-address-list=local_onu_ipv4

add action=drop chain=icmp4 comment="lanconf: echo to non global" icmp-options=8:0 protocol=icmp dst-address-list=not_global_ipv4

add action=accept chain=icmp4 comment="lanconf: echo to WAN" icmp-options=8:0 protocol=icmp


add action=drop chain=icmp4 comment="defconf: drop all other ICMP" protocol=icmp



/ip firewall connection tracking

# Connection-tracking timeouts, applied in a single statement. Handshake
# and teardown states are kept short, established TCP sessions 7440s
# (~2 h), UDP 30s (120s once a stream is seen), ICMP 30s, everything
# else 600s.
set tcp-syn-sent-timeout=120s tcp-syn-received-timeout=60s tcp-established-timeout=7440s tcp-fin-wait-timeout=120s tcp-close-wait-timeout=60s tcp-last-ack-timeout=30s tcp-time-wait-timeout=120s tcp-close-timeout=10s tcp-max-retrans-timeout=300s tcp-unacked-timeout=300s udp-timeout=30s udp-stream-timeout=120s icmp-timeout=30s generic-timeout=600s



/ip route

# Blackhole routes for the bogon/private ranges, so packets for unrouted
# private space are discarded locally instead of leaving via the PPPoE
# default route. The connected /24s from Part 1 (172.16.1.0/24 and
# 192.168.1.0/24) are more specific than the /12 and /16 below and still win.
add dst-address=0.0.0.0/8 blackhole disabled=no comment="defconf: RFC6890 - this network"
add dst-address=10.0.0.0/8 blackhole disabled=no comment="defconf: RFC6890 - private networks"
add dst-address=100.64.0.0/10 blackhole disabled=no comment="defconf: RFC6890 - shared address"
add dst-address=169.254.0.0/16 blackhole disabled=no comment="defconf: RFC6890 - link local"
add dst-address=172.16.0.0/12 blackhole disabled=no comment="defconf: RFC6890 - private networks"
add dst-address=192.0.0.0/24 blackhole disabled=no comment="defconf: RFC6890 - reserved"
add dst-address=192.0.0.0/29 blackhole disabled=no comment="defconf: RFC6890 - DS-Lite"
add dst-address=192.0.2.0/24 blackhole disabled=no comment="defconf: RFC6890 - TEST-NET-1"
# 6to4 relay anycast is blackholed here but absent from the address lists
# above; harmless, just not symmetric.
add dst-address=192.88.99.0/24 blackhole disabled=no comment="defconf: RFC6890 - 6to4 relay"
add dst-address=192.168.0.0/16 blackhole disabled=no comment="defconf: RFC6890 - private networks"
add dst-address=198.18.0.0/15 blackhole disabled=no comment="defconf: RFC6890 - benchmarking"
add dst-address=198.51.100.0/24 blackhole disabled=no comment="defconf: RFC6890 - TEST-NET-2"
add dst-address=203.0.113.0/24 blackhole disabled=no comment="defconf: RFC6890 - TEST-NET-3"
add dst-address=240.0.0.0/4 blackhole disabled=no comment="defconf: RFC6890 - reserved"

## 第三部分完成



## 第四部分 - QoS 流控
# Part 4 - QoS: two CAKE queues (download on the LAN bridge, upload on the
# PPPoE session) and fq-codel as the per-port interface queue. The two
# max-limit values are the contracted bandwidth (note 08).

/queue type
# Both CAKE types share diffserv4 / triple-isolate / ethernet overhead /
# 50ms RTT / 32MiB; they differ in cake-nat (no on rx, yes on tx) and the
# upload side additionally filters ACKs.
add name=cake-rx kind=cake cake-nat=no cake-diffserv=diffserv4 cake-flowmode=triple-isolate cake-overhead-scheme=ethernet cake-rtt=50ms cake-memlimit=32.0MiB
add name=cake-tx kind=cake cake-nat=yes cake-ack-filter=filter cake-diffserv=diffserv4 cake-flowmode=triple-isolate cake-overhead-scheme=ethernet cake-rtt=50ms cake-memlimit=32.0MiB

/queue tree
# packet-mark=no-mark: all unmarked traffic on the parent interface.
add name=cake-download parent=bridge1 queue=cake-rx max-limit=500M bucket-size=0.05 packet-mark=no-mark comment="qosconf: download queue with CAKE"
add name=cake-upload parent=pppoe-out1 queue=cake-tx max-limit=50M bucket-size=0.03 packet-mark=no-mark comment="qosconf: upload queue with CAKE"

/queue type
add name=fq-codel-interface kind=fq-codel fq-codel-limit=1024

/queue interface
# fq-codel on every physical port, WAN port included.
set ether1 queue=fq-codel-interface
set ether2 queue=fq-codel-interface
set ether3 queue=fq-codel-interface
set ether4 queue=fq-codel-interface
set ether5 queue=fq-codel-interface

## 第四部分完成



## 第五部分 - 系统参数调整
# Part 5 - system settings and service hardening: identity, clock/NTP, which
# management services listen and from where, discovery and MAC-level access
# switched off, and the admin accounts.

/system identity
set name=FoxRouter

/system clock
set time-zone-name=Asia/Shanghai

/system ntp client
set enabled=yes

/system ntp client servers
# Two public NTP sources; accurate time matters for the log e-mails in
# Part 6 and for certificate validity checks.
add address=ntp.aliyun.com
add address=ntp.tencent.com

/ipv6 settings
# IPv6 stays off until Part 7 configures it.
set disable-ipv6=yes

/ip service
# Every service is bound to the LAN subnet; telnet/ftp/api/api-ssl are off.
# NOTE(review): www (plain HTTP) stays enabled, so WebFig logins cross the
# LAN unencrypted; www-ssl is enabled but nothing in this script assigns it
# a certificate, so it cannot serve until one is set. Consider disabling www
# once www-ssl has a certificate.
set telnet disabled=yes address=172.16.1.0/24
set ftp disabled=yes address=172.16.1.0/24
set www address=172.16.1.0/24
set ssh address=172.16.1.0/24
set www-ssl address=172.16.1.0/24
set api disabled=yes address=172.16.1.0/24
set winbox address=172.16.1.0/24
set api-ssl disabled=yes address=172.16.1.0/24

/ip settings
# SYN cookies on; loose (not strict) reverse-path filtering - presumably
# because ether1 carries both the ONU link and the PPPoE session; confirm.
set tcp-syncookies=yes rp-filter=loose max-neighbor-entries=1024

/ip neighbor discovery-settings
# No neighbor-discovery announcements on any interface.
set discover-interface-list=none

/ip proxy
set enabled=no

/ip socks
set enabled=no

/ip upnp
set enabled=no

/ip cloud
# No DDNS registration and no clock sync via the vendor cloud.
set update-time=no ddns-enabled=no

/ip ssh
set strong-crypto=yes

/ip smb
# SMB server off; the default guest user and "pub" share are removed too.
set interfaces=bridge1 enabled=no

/ip smb users
remove numbers=[ find where name ~ "guest" ]

/ip smb shares
remove numbers=[ find where name ~ "pub" ]

/tool mac-server
# MAC-telnet, MAC-WinBox and MAC-ping all disabled: no layer-2 management
# path exists.
set allowed-interface-list=none

/tool mac-server mac-winbox
set allowed-interface-list=none

/tool mac-server ping
set enabled=no

/tool bandwidth-server
set enabled=no

/user group
# The read group is trimmed to read+winbox+web; everything that could change
# state or reveal secrets (write, policy, password, sensitive, api, ...) is
# denied explicitly.
set read policy=read,winbox,web,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!password,!sniff,!sensitive,!api,!romon,!rest-api

/user
# A new full-rights account restricted to the LAN subnet (note 06), after
# which the built-in admin is demoted to the read group.
# NOTE(review): admin is demoted, not disabled, and no password is set for
# it here; if it still has its factory/blank password, any LAN host can log
# in read-only. Once the new account is verified, `set admin disabled=yes`
# (or assigning it a password) closes that.
add group=full address=172.16.1.0/24 name="<your-ros-user-name>" password="<your-ros-user-password>" comment="defconf: system admin user"
set admin address=172.16.1.0/24 group=read comment="defconf: system default user"

## 第五部分完成



## 第六部分 - 定时任务
# Part 6 - e-mail transport and scheduled jobs. The three script bodies are
# empty (source="") placeholders in this listing.

/tool e-mail
# Implicit TLS on port 465 (tls=yes); all credentials are placeholders
# (note 09).
set port=465 tls=yes server="<smtp.xxx.com>" user="<your-email-x@xxx.com>" from="<your-email-x@xxx.com>" password="<your-smtp-password>"

/system scheduler
# Each timer only runs the matching script and carries the same policy set
# that script declares.
# NOTE(review): the two e-mail jobs run with policy=read,write,policy,test -
# the "policy" right allows editing user groups, which a log mailer should
# not need. Trim scheduler and script policies to what the script bodies
# actually use once they are filled in.
add name=system-log-timer interval=45m start-time=00:00:00 policy=read,write,policy,test on-event="/system script run email-log-worker" comment="sysconf: system alert log email"
add name=system-res-timer interval=6h start-time=00:05:00 policy=read,write,policy,test on-event="/system script run email-res-worker" comment="sysconf: system resource email"
# Daily unattended OS upgrade at 02:55; the job is allowed to reboot.
add name=system-upgrade-timer interval=1d start-time=02:55:00 policy=reboot,read,write,policy,password on-event="/system script run sys-upgrade-worker" comment="sysconf: system os auto upgrade"
# The PPPoE session is bounced every 3 days at 04:00 (disable, re-enable
# 10 seconds later).
add name=disable-pppoe-timer interval=3d start-time=04:00:00 policy=write on-event="/interface disable pppoe-out1" comment="pppoeconf: system disable PPPoE"
add name=enable-pppoe-timer interval=3d start-time=04:00:10 policy=write on-event="/interface enable pppoe-out1" comment="pppoeconf: system enable PPPoE"

/system script
# dont-require-permissions=no: whoever runs the script must hold its policies.
add name=email-log-worker dont-require-permissions=no policy=read,write,policy,test source="" comment="sysconf: system alert log email"
add name=email-res-worker dont-require-permissions=no policy=read,write,policy,test source="" comment="sysconf: system resource email"
add name=sys-upgrade-worker dont-require-permissions=no policy=reboot,read,write,policy,password source="" comment="sysconf: system os auto upgrade"

## 第六部分完成



## 第七部分 - 设置 IPv6
##       Filter 规则 21 条
##          NAT 规则  6 条
##       Mangle 规则  1 条
##          Raw 规则 48 条
## Address-list 规则 22 条
##    Blackhole 规则 14 条

# Part 7 - IPv6: the resolver gains the two ULA DNS servers, IPv6 is switched
# back on, a /64 is requested via DHCPv6-PD over PPPoE, the LAN bridge gets a
# GUA from that pool plus a fixed ULA, and router advertisements carry the
# LAN resolvers.

/ip dns
# Same resolver settings as Part 2, now with the IPv6 addresses of the two
# LAN resolvers (note 12) appended.
set servers=172.16.1.2,172.16.1.3,fdac::2,fdac::3 allow-remote-requests=yes max-concurrent-queries=150 cache-size=2048KiB cache-max-ttl=6h

/ipv6 settings
set max-neighbor-entries=1024 disable-ipv6=no

/ipv6 dhcp-client
# Prefix delegation only (request=prefix); ISP resolvers are ignored and the
# client installs no IPv6 default route.
# NOTE(review): with add-default-route=no, nothing visible in this listing
# adds an IPv6 default route - it must come from the RA on the PPPoE link or
# a route configured elsewhere; confirm.
add interface=pppoe-out1 request=prefix pool-name=dhcpv6-gua-pool1 pool-prefix-length=64 use-peer-dns=no add-default-route=no comment="defconf: local DHCPv6 Client"

/ipv6 address
# The router takes host ::1 of the delegated /64 on the LAN, and a fixed ULA
# (fdac::/64, to be replaced per note 11) alongside it. Both are advertised.
add interface=bridge1 address=::1 from-pool=dhcpv6-gua-pool1 advertise=yes comment="defconf: local LAN GUA IPv6 address"
add interface=bridge1 address=fdac::1 advertise=yes comment="defconf: local LAN ULA IPv6 address"

/ipv6 nd prefix default
# Short lifetimes (45m preferred / 90m valid) - presumably so a renumbered
# delegated prefix ages out of clients quickly.
set valid-lifetime=90m preferred-lifetime=45m

/ipv6 nd
# The stock "all interfaces" RA entry is disabled and replaced by one on the
# LAN bridge only, which also advertises the two LAN resolvers.
set [ find default=yes ] disabled=yes
add interface=bridge1 advertise-dns=yes dns=fdac::2,fdac::3 advertise-mac-address=yes hop-limit=64 ra-lifetime=45m ra-interval=300s-900s



/ipv6 firewall address-list

# IPv6 counterparts of the Part 3 lists.

# Local topology: the ULA LAN prefix and the two LAN resolvers (note 12).
add list=local_lan_ipv6 address=fdac::/64 comment="lanconf: local LAN address"
add list=local_dns_ipv6 address=fdac::2 comment="lanconf: local DNS server"
add list=local_dns_ipv6 address=fdac::3 comment="lanconf: local DNS server"

# Link-scoped ranges never routed through the box.
add list=no_forward_ipv6 address=fe80::/10 comment="defconf: RFC6890 - link local"
add list=no_forward_ipv6 address=ff00::/8 comment="defconf: RFC3513 - multicast"

# Bogus as source or destination on any interface. 2001:10::/28 and
# 2001:20::/28 already fall inside 2001::/23; the extra entries are redundant
# but harmless.
add list=bad_ipv6 address=::1/128 comment="defconf: RFC6890 - loopback"
add list=bad_ipv6 address=0000::/96 comment="defconf: RFC4291 - IPv4 compatible"
add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: RFC6890 - IPv4 mapped"
add list=bad_ipv6 address=2001::/23 comment="defconf: RFC6890 - reserved"
add list=bad_ipv6 address=2001:db8::/32 comment="defconf: RFC6890 - documentation"
add list=bad_ipv6 address=2001:10::/28 comment="defconf: RFC4843 - ORCHID"
add list=bad_ipv6 address=2001:20::/28 comment="defconf: RFC7343 - ORCHIDv2"

# Not globally routable; dropped as a source on the WAN. fc00::/7 covers the
# LAN's own ULA, which is why outbound ULA traffic is masqueraded later.
add list=not_global_ipv6 address=100::/64 comment="defconf: RFC6890 - discard-only"
add list=not_global_ipv6 address=2001::/32 comment="defconf: RFC6890 - TEREDO"
add list=not_global_ipv6 address=2001:2::/48 comment="defconf: RFC6890 - benchmarking"
add list=not_global_ipv6 address=fc00::/7 comment="defconf: RFC6890 - unique local"
add list=not_global_ipv6 address=fec0::/10 comment="defconf: RFC3879 - site local"

# Direction-specific: unspecified/multicast never a source, unspecified never
# a destination.
add list=bad_src_ipv6 address=::/128 comment="defconf: RFC6890 - unspecified"
add list=bad_src_ipv6 address=ff00::/8 comment="defconf: RFC3513 - multicast"
add list=bad_dst_ipv6 address=::/128 comment="defconf: RFC6890 - unspecified"

# Seed entries so the dynamic DDoS lists exist before rules refer to them.
add list=ddos_targets_ipv6 address=::/128 comment="ddosconf: DDoS"
add list=ddos_attackers_ipv6 address=::/128 comment="ddosconf: DDoS"



/ipv6 firewall filter

# Input: ICMPv6 is accepted outright because raw's icmp6 chain has already
# screened it; then the usual conntrack accept/drop; then two explicit
# exceptions before the LAN-only rule - UDP traceroute probes aimed at the
# router (so it can answer them) and DHCPv6 client port 546 from link-local
# sources (prefix-delegation replies, logged).

add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid

add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp

add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=udp src-address=fe80::/10 log=yes log-prefix="[ipv6-pd]"

# Only LAN-originated new connections reach the router's services.
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN


# Forward: no fasttrack on IPv6. ICMPv6 with hop-limit 1 is dropped per
# RFC 4890 before the general ICMPv6 accept; the final rule means no new
# connection from WAN can ever reach a LAN host (there is no dstnat
# exception here, unlike the IPv4 forward chain).
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked

add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6

add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6

add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6

add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6

add action=drop chain=forward comment="defconf: drop all not from LAN" in-interface-list=!LAN


# SYN-ACK flood detector, same shape as IPv4: per (src,dst) pair, return
# while within 64 pkt/s (burst 64); beyond that both ends go into the
# ddos_*_ipv6 lists for 10m and the raw "ddosconf: DDoS" rule drops the pair.
add action=jump chain=forward comment="ddosconf: DDoS SYN-ACK" protocol=tcp tcp-flags=syn,ack jump-target=detect-syn-ack

add action=return chain=detect-syn-ack comment="ddosconf: DDoS SYN-ACK" dst-limit=64,64,src-and-dst-addresses/10s

add action=add-dst-to-address-list chain=detect-syn-ack comment="ddosconf: DDoS SYN-ACK" address-list=ddos_targets_ipv6 address-list-timeout=10m

add action=add-src-to-address-list chain=detect-syn-ack comment="ddosconf: DDoS SYN-ACK" address-list=ddos_attackers_ipv6 address-list-timeout=10m log=yes log-prefix="[sa-flood-ipv6]"


# Same mechanism for all new connections, with a 320/s threshold.
add action=jump chain=forward comment="ddosconf: DDoS" connection-state=new jump-target=detect-ddos

add action=return chain=detect-ddos comment="ddosconf: DDoS" dst-limit=320,320,src-and-dst-addresses/10s

add action=add-dst-to-address-list chain=detect-ddos comment="ddosconf: DDoS" address-list=ddos_targets_ipv6 address-list-timeout=10m

add action=add-src-to-address-list chain=detect-ddos comment="ddosconf: DDoS" address-list=ddos_attackers_ipv6 address-list-timeout=10m log=yes log-prefix="[ddos-ipv6]"



/ipv6 firewall nat

# IPv6 source NAT: the blanket WAN masquerade is kept disabled; only the ULA
# range (local_lan_ipv6) is masqueraded on the way out, so GUA-addressed
# hosts keep their own address - presumably so ULA-only hosts can still
# reach IPv6 destinations.

add action=masquerade chain=srcnat comment="defconf: masquerade IPv6" out-interface-list=WAN disabled=yes

add action=masquerade chain=srcnat comment="lanconf: masquerade ULA IPv6" out-interface-list=WAN src-address-list=local_lan_ipv6


# DNS interception, mirroring the IPv4 rules: queries from the two LAN
# resolvers pass untouched; any other routed LAN DNS query is redirected to
# the router's own resolver on port 53.
# NOTE(review): as on IPv4, only queries that actually traverse the router
# are caught; same-bridge traffic to fdac::2/::3 is switched, not routed.

add action=accept chain=dstnat comment="lanconf: accept local DNS server's query (UDP)" dst-port=53 in-interface-list=LAN protocol=udp src-address-list=local_dns_ipv6

add action=accept chain=dstnat comment="lanconf: accept local DNS server's query (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp src-address-list=local_dns_ipv6

add action=redirect chain=dstnat comment="lanconf: redirect DNS query (UDP)" dst-port=53 in-interface-list=LAN protocol=udp to-ports=53

add action=redirect chain=dstnat comment="lanconf: redirect DNS query (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53



/ipv6 firewall mangle

# MSS clamping on TCP SYN for the PPPoE MTU; passthrough=yes keeps later
# mangle rules in play.

add action=change-mss chain=forward comment="defconf: fix IPv6 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn



/ipv6 firewall raw


add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes


add action=drop chain=prerouting comment="ddosconf: DDoS" dst-address-list=ddos_targets_ipv6 src-address-list=ddos_attackers_ipv6


add action=drop chain=prerouting comment="defconf: drop IPv6 extension headers types 0,43" headers=hop,route:contains


add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" dst-address=ff02:0:0:0:0:1:ff00::/104 icmp-options=135 protocol=icmpv6 src-address=::/128


add action=drop chain=prerouting comment="defconf: drop bogon IPs" src-address-list=bad_ipv6

add action=drop chain=prerouting comment="defconf: drop bogon IPs" dst-address-list=bad_ipv6

add action=drop chain=prerouting comment="defconf: drop bad SRC IPv6" src-address-list=bad_src_ipv6

add action=drop chain=prerouting comment="defconf: drop bad DST IPv6" dst-address-list=bad_dst_ipv6


add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6


add action=drop chain=prerouting comment="defconf: drop UDP port 0" port=0 protocol=udp log=yes log-prefix="[udp-port-0]"


add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad-tcp protocol=tcp

add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6


add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16

add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8


add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN

add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN


add action=drop chain=prerouting comment="defconf: drop the rest"


add action=drop chain=bad-tcp comment="defconf: drop TCP port 0" port=0 protocol=tcp log=yes log-prefix="[tcp-port-0]"

add action=drop chain=bad-tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack

add action=drop chain=bad-tcp comment="defconf: drop flags fin,syn" protocol=tcp tcp-flags=fin,syn

add action=drop chain=bad-tcp comment="defconf: drop flags fin,rst" protocol=tcp tcp-flags=fin,rst

add action=drop chain=bad-tcp comment="defconf: drop flags fin,!ack" protocol=tcp tcp-flags=fin,!ack

add action=drop chain=bad-tcp comment="defconf: drop flags fin,urg" protocol=tcp tcp-flags=fin,urg

add action=drop chain=bad-tcp comment="defconf: drop flags syn,rst" protocol=tcp tcp-flags=syn,rst

add action=drop chain=bad-tcp comment="defconf: drop flags rst,urg" protocol=tcp tcp-flags=rst,urg


# icmp6 chain (RFC 4890 style): accept the ICMPv6 types the router and
# the LAN need, drop everything else at the end. ORDER MATTERS: the
# hop-limit drop at the middle of the chain only applies to types listed
# after it, and the final rule drops whatever nothing above accepted.

# Error messages: needed for PMTUD and normal error signalling on any interface.
add action=accept chain=icmp6 comment="defconf: rfc4890 DST unreachable" icmp-options=1:0-255 protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 packet too big" icmp-options=2:0-255 protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 time exceeded" icmp-options=3:0-1 protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 parameter problem" icmp-options=4:0-2 protocol=icmpv6

# Echo is accepted from every direction and before the hop-limit check below,
# so link-local pings with a normal hop limit still work.
add action=accept chain=icmp6 comment="defconf: rfc4890 echo request" icmp-options=128:0-255 protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 echo response" icmp-options=129:0-255 protocol=icmpv6

# Any remaining ICMPv6 to a link-local destination that has already been
# forwarded (hop-limit != 255) is dropped and logged.
add action=drop chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6 log=yes log-prefix="[ipv6-hop-limit]"

# MLD (130-132, 143): LAN only, and only from a link-local source.
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener query only LAN" src-address=fe80::/10 icmp-options=130:0-255 in-interface-list=LAN protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener report only LAN" src-address=fe80::/10 icmp-options=131:0-255 in-interface-list=LAN protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener done only LAN" src-address=fe80::/10 icmp-options=132:0-255 in-interface-list=LAN protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener report v2 only LAN" src-address=fe80::/10 icmp-options=143:0-255 in-interface-list=LAN protocol=icmpv6

# Neighbor Discovery (133-136, 141, 142): LAN only, hop-limit must be 255
# (i.e. not forwarded). NOTE(review): this also refuses RS/RA/NS/NA
# arriving on WAN; if the ISP delivers the IPv6 default route via Router
# Advertisement on pppoe-out1, a WAN exception for type 134 is needed —
# confirm against the actual upstream before relying on this.
add action=accept chain=icmp6 comment="defconf: rfc4890 router solic only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=LAN protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 router advert only LAN" hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=LAN protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic only LAN" hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=LAN protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert only LAN" hop-limit=equal:255 icmp-options=136:0-255 in-interface-list=LAN protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic only LAN" hop-limit=equal:255 icmp-options=141:0-255 in-interface-list=LAN protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert only LAN" hop-limit=equal:255 icmp-options=142:0-255 in-interface-list=LAN protocol=icmpv6

# SEND certificate path messages (148, 149): LAN only, hop-limit 255.
add action=accept chain=icmp6 comment="defconf: rfc4890 certificate path solicitation only LAN" hop-limit=equal:255 icmp-options=148:0-255 in-interface-list=LAN protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 certificate path advertisement only LAN" hop-limit=equal:255 icmp-options=149:0-255 in-interface-list=LAN protocol=icmpv6

# Multicast Router Discovery (151-153): LAN only, link-local source, hop-limit 1.
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast router advertisement only LAN" src-address=fe80::/10 hop-limit=equal:1 icmp-options=151:0-255 in-interface-list=LAN protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 multicast router solicitation only LAN" src-address=fe80::/10 hop-limit=equal:1 icmp-options=152:0-255 in-interface-list=LAN protocol=icmpv6

add action=accept chain=icmp6 comment="defconf: rfc4890 multicast router termination only LAN" src-address=fe80::/10 hop-limit=equal:1 icmp-options=153:0-255 in-interface-list=LAN protocol=icmpv6

# Default deny for the chain: every type not explicitly accepted above
# (node information 139/140, mobile IPv6, redirects, experimental types, ...).
add action=drop chain=icmp6 comment="defconf: drop all other ICMPv6" protocol=icmpv6



/ipv6 route

# Blackhole routes for IPv6 special-purpose ("bogon") destination prefixes:
# packets addressed to them are discarded on the router instead of leaving
# via the default route. Connected and more-specific routes still take
# precedence by longest prefix match.
add dst-address=::/128 blackhole disabled=no comment="defconf: RFC6890 - unspecified"

add dst-address=0000::/96 blackhole disabled=no comment="defconf: RFC4291 - IPv4 compatible"

add dst-address=::ffff:0:0/96 blackhole disabled=no comment="defconf: RFC6890 - IPv4 mapped"

add dst-address=100::/64 blackhole disabled=no comment="defconf: RFC6890 - discard-only"

# NOTE(review): 2001::/23 is the IETF protocol-assignments block; the
# TEREDO, benchmarking, documentation and ORCHID entries below already lie
# inside it, and so may anycast services you use — confirm before keeping
# the whole /23.
add dst-address=2001::/23 blackhole disabled=no comment="defconf: RFC6890 - reserved"

add dst-address=2001::/32 blackhole disabled=no comment="defconf: RFC6890 - TEREDO"

add dst-address=2001:2::/48 blackhole disabled=no comment="defconf: RFC6890 - benchmarking"

add dst-address=2001:db8::/32 blackhole disabled=no comment="defconf: RFC6890 - documentation"

add dst-address=2001:10::/28 blackhole disabled=no comment="defconf: RFC4843 - ORCHID"

add dst-address=2001:20::/28 blackhole disabled=no comment="defconf: RFC7343 - ORCHIDv2"

add dst-address=2002::/16 blackhole disabled=no comment="defconf: RFC6890 - 6to4"

# NOTE(review): the LAN ULA prefix (fdac::/64 in this guide) and any ULA
# reached over a tunnel must have their own connected/static routes, or
# this fc00::/7 entry swallows them.
add dst-address=fc00::/7 blackhole disabled=no comment="defconf: RFC6890 - unique local"

# NOTE(review): verify on the running RouterOS version that a fe80::/10
# blackhole does not interfere with router-originated link-local traffic.
add dst-address=fe80::/10 blackhole disabled=no comment="defconf: RFC6890 - link local"

add dst-address=fec0::/10 blackhole disabled=no comment="defconf: RFC3879 - site local"

## 第七部分完成



## 第八部分 - 设置系统日志

## 格式化过程缓慢，需等待其完成后再执行后续命令（格式化期间输入的命令会被忽略）

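/disk

# DESTRUCTIVE: format-drive erases everything on the disk in slot1.
# Confirm with "/disk print" that slot1 is the intended log disk before
# running this line.
# Formatting is slow and commands pasted while it is in progress are
# ignored; wait for it to finish before continuing with the next section.
# (The "wait here" note is kept on its own comment line rather than at the
# end of the command so it cannot be mis-parsed as part of the command.)
format-drive slot1 mbr-partition-table=no file-system=ext4 label=logdrive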


/system logging action

# "syslog" action: an on-disk ring of 100 files under /slot1 (the disk
# formatted in the step above).
# NOTE(review): disk-lines-per-file is left at its default, so the total
# on-disk history is small and rotates quickly once firewall logging gets
# busy. Raise it, or add a target=remote action to a separate syslog host,
# if logs must be retained longer or survive a compromise of the router
# itself (logs kept only on the router can be wiped by anyone with admin).
add name=syslog target=disk disk-file-name=/slot1/offline-log disk-file-count=100


/system logging

# Route the topics below to the on-disk "syslog" action. The default
# in-memory logging rules are left untouched, so these are additional
# copies, not replacements.
# NOTE(review): messages carry several topics and match a rule when they
# include all of the rule's topics; login/logout events are expected to
# arrive via "system" — confirm on the running version.
add topics=critical action=syslog

add topics=error action=syslog

add topics=warning action=syslog

add topics=system action=syslog

add topics=script action=syslog

# Firewall hits from rules with log=yes (e.g. the tcp-port-0 and
# ipv6-hop-limit prefixes) land here.
add topics=firewall action=syslog

add topics=interface action=syslog

## 第八部分完成



## 第九部分

# 1.检查系统 License 。

# 2.设置系统邮件和自动升级脚本内容。

# 3.检查系统账户权限。

# 4.检查不必要的 IPv4 DHCP Client 。

# 5.启用 PPPoE 拨号。

# 6.备份系统（备份/导出文件可能包含 PPPoE、SMTP 等凭据，需妥善保管）。

# 7.重启系统。

## 第九部分完成