Want 10GbE but short on cash? Take a look at the cheap Mikrotik
1. Basic information
Device model: RB5009UG+S+IN [link]
Device version: Mikrotik RouterOS 7.2.3 Build 2022/05/02 15:18:17
Mikrotik RouterOS has little coupling between commands, so during configuration you have to create the related items yourself.
The official Wiki is mostly bare commands with little context or explanation, which makes configuration hard for Mikrotik newcomers.
Mikrotik RouterOS uses IPtables to manage rule policies [link]
So while you work on it, it is very fond of "reboot fixes 99% of problems" (losing the connection during configuration is a common occurrence).
Official Wiki [link]
Wiki built by the Chinese distributor [link]
1.1. Device appearance and feel
First of all it is an iron shell with its own heatsink fins, very flat; tap it a couple of times and you can feel it is sturdy.
Internal cooling: thermal paste on two chips; the SFP+ cage, which heats up easily, and two transistors (not sure exactly what they are) get block thermal pads.
The seller's listing mentioned some machine oil; opening it up, the oil was only applied to the SN sticker on the back plate, which is puzzling.
Port Eth1 is a 2.5G/5G auto-negotiation port following IEEE 802.3bz, but the marketing only says 2.5G.
Yet the port link status LED glows faintly when nothing is connected and goes fully dark once a cable is plugged in (some capacitor must be poorly designed).
The NIC port area and the iron shell mould are not perfectly flush, so I chose to wrap the gap with electrical tape.
Overall an industrial cyberpunk look; the iron shell is thick enough but neither waterproof nor dustproof.
1.2. Quick Set
Power on the device; the default IP on first boot is http://192.168.88.1 (DHCP)
The web page waits for a login; the default username is admin and the password is empty.
Then you are asked to set a new password; of course we can skip this and not set one.
Once the web page opens, the default area is WebFig/Interfaces. That area is mainly for viewing status; detailed configuration is done in WebFig.
As a newcomer, the first thing to do with a new device is naturally to open Quick Set, look at the default configuration and see what surprises are in there:
Mode = Router
Port = Eth1
Address Acquisition = PPPOE
PPPoE User = ***
PPPoE Password = ***
MAC Address = ***
IP Address = 192.168.88.1
Netmask = 255.255.255.0/24
Bridge All Lan Ports = Yes
DHCP Server = Yes
NAT = Yes
Router Identity = Mikrotik
After reading the parameters you know how the device is meant to be used by default.
First, the WAN ports are only SFP1 and ETH1; all the other ports are LAN ports sitting under one Bridge.
LAN DHCP is on, NAT is on, the LAN gateway is 192.168.88.1, and the internet is reached over PPPoE.
Having seen that, as with any new network device, you must try a Reset as soon as you get it, to guard against bricking it by misconfiguration (for example, I bricked mine instantly by deleting the bridge first thing).
Doing it in practice, the button is really hard to press and my finger got sore, and I could not tell which LED the official docs meant; it took more than ten tries to succeed.
- Power the device off
- Hold the device ports up, rest a fingernail on the lower edge of the Reset button and press lightly a few times to get a feel for the force (saves effort)
- Get ready to power on, hold Reset down before applying power and keep it still (if your finger gets sore, start over)
- While powering on, watch the device LEDs: there is an inconspicuous small LED at the lower right of the SFP cage that lights for an instant during the power-on self-test; keep your eye on it
- Wait for that LED to go off, then solid on, then slow blinking; hold for another 3 s, then release (the port LEDs also blink, ignore them)
- The device initializes; wait
With the reset tested, the next step is to try Mikrotik's official Winbox tool [link]
Note that Winbox and HTTP use different ports and different UIs; do not mix them up.
Winbox connects in two ways: by IP/domain name and by MAC address.
The tool has built-in layer-2 device discovery, so it is recommended to use it for configuration first.
1.3. The command to view the default configuration is as follows
[admin@MikroTik] > /system default-configuration print
script:
#| Welcome to RouterOS!
#| 1) Set a strong router password in the System > Users menu
#| 2) Upgrade the software in the System > Packages menu
#| 3) Enable firewall on untrusted networks
#| -----------------------------------------------------------------------------
#| RouterMode:
#| * WAN port is protected by firewall and enabled DHCP client
#| * Ethernet interfaces (except WAN port/s) are part of LAN bridge
#| LAN Configuration:
#| IP address 192.168.88.1/24 is set on bridge (LAN port)
#| DHCP Server: enabled;
#| DNS: enabled;
#| WAN (gateway) Configuration:
#| gateway: ether1 ;
#| ip4 firewall: enabled;
#| ip6 firewall: enabled;
#| NAT: enabled;
#| DHCP Client: enabled;
#| Login
#| admin user protected by password

:global defconfMode;
:log info "Starting defconf script";
#-------------------------------------------------------------------------------
# Apply configuration.
# these commands are executed after installation or configuration reset
#-------------------------------------------------------------------------------
:if ($action = "apply") do={
  # wait for interfaces
  :local count 0;
  :while ([/interface ethernet find] = "") do={
    :if ($count = 30) do={
      :log warning "DefConf: Unable to find ethernet interfaces";
      /quit;
    }
    :delay 1s; :set count ($count +1);
  };
  :local count 0;
  :while ([/interface wireless print count-only] < 0) do={
    :set count ($count +1);
    :if ($count = 40) do={
      :log warning "DefConf: Unable to find wireless interface(s)";
      /ip address add address=192.168.88.1/24 interface=ether1 comment="defconf";
      /quit
    }
    :delay 1s;
  };
  /interface list add name=WAN comment="defconf"
  /interface list add name=LAN comment="defconf"
  /interface bridge add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;
  :local bMACIsSet 0;
  :foreach k in=[/interface find where !(slave=yes || name="ether1" || name~"bridge")] do={
    :local tmpPortName [/interface get $k name];
    :if ($bMACIsSet = 0) do={
      :if ([/interface get $k type] = "ether") do={
        /interface bridge set "bridge" auto-mac=no admin-mac=[/interface get $tmpPortName mac-address];
        :set bMACIsSet 1;
      }
    }
    :if (([/interface get $k type] != "ppp-out") && ([/interface get $k type] != "lte")) do={
      /interface bridge port add bridge=bridge interface=$tmpPortName comment=defconf;
    }
  }
  /ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
  /ip dhcp-server add name=defconf address-pool="default-dhcp" interface=bridge lease-time=10m disabled=no;
  /ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 comment="defconf";
  /ip address add address=192.168.88.1/24 interface=bridge comment="defconf";
  /ip dns {
    set allow-remote-requests=yes
    static add name=router.lan address=192.168.88.1 comment=defconf
  }
  /ip dhcp-client add interface=ether1 disabled=no comment="defconf";
  /interface list member add list=LAN interface=bridge comment="defconf"
  /interface list member add list=WAN interface=ether1 comment="defconf"
  /ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
  /ip firewall {
    filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
    filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
    filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
    filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
    filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
    filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
    filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
    filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
    filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
  }
  /ipv6 firewall {
    address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
    address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
    address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
    address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
    address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
    address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
    address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
    address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
    address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
    filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
    filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
    filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
    filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
    filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
    filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
    filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
    filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
    filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
    filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
    filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
    filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
    filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
    filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
    filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
    filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
    filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
    filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
    filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
    filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
  }
  /ip neighbor discovery-settings set discover-interface-list=LAN
  /tool mac-server set allowed-interface-list=LAN
  /tool mac-server mac-winbox set allowed-interface-list=LAN
  :if (!($defconfPassword = "" || $defconfPassword = nil)) do={
    /user set admin password=$defconfPassword
    :delay 0.5
    /user expire-password admin
  }
}
#-------------------------------------------------------------------------------
# Revert configuration.
# these commands are executed if user requests to remove default configuration
#-------------------------------------------------------------------------------
:if ($action = "revert") do={
  /user set admin password=""
  /system routerboard mode-button set enabled=no
  /system routerboard mode-button set on-event=""
  /system script remove [find comment~"defconf"]
  /ip firewall filter remove [find comment~"defconf"]
  /ipv6 firewall filter remove [find comment~"defconf"]
  /ipv6 firewall address-list remove [find comment~"defconf"]
  /ip firewall nat remove [find comment~"defconf"]
  /interface list member remove [find comment~"defconf"]
  /interface detect-internet set detect-interface-list=none
  /interface detect-internet set lan-interface-list=none
  /interface detect-internet set wan-interface-list=none
  /interface detect-internet set internet-interface-list=none
  /interface list remove [find comment~"defconf"]
  /tool mac-server set allowed-interface-list=all
  /tool mac-server mac-winbox set allowed-interface-list=all
  /ip neighbor discovery-settings set discover-interface-list=!dynamic
  :local o [/ip dhcp-server network find comment="defconf"]
  :if ([:len $o] != 0) do={ /ip dhcp-server network remove $o }
  :local o [/ip dhcp-server find name="defconf" !disabled]
  :if ([:len $o] != 0) do={ /ip dhcp-server remove $o }
  /ip pool {
    :local o [find name="default-dhcp" ranges=192.168.88.10-192.168.88.254]
    :if ([:len $o] != 0) do={ remove $o }
  }
  :local o [/ip dhcp-client find comment="defconf"]
  :if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
  /ip dns {
    set allow-remote-requests=no
    :local o [static find comment="defconf"]
    :if ([:len $o] != 0) do={ static remove $o }
  }
  /ip address {
    :local o [find comment="defconf"]
    :if ([:len $o] != 0) do={ remove $o }
  }
  :foreach iface in=[/interface ethernet find] do={
    /interface ethernet set $iface name=[get $iface default-name]
  }
  /interface bridge port remove [find comment="defconf"]
  /interface bridge remove [find comment="defconf"]
  /interface bonding remove [find comment="defconf"]
  /interface wireless cap set enabled=no interfaces="" caps-man-addresses=""
  /caps-man manager set enabled=no
  /caps-man manager interface remove [find comment="defconf"]
  /caps-man manager interface set [ find default=yes ] forbid=no
  /caps-man provisioning remove [find comment="defconf"]
  /caps-man configuration remove [find comment="defconf"]
  /caps-man security remove [find comment="defconf"]
}
:log info Defconf_script_finished;
:set defconfMode;

caps-mode-script:
#-------------------------------------------------------------------------------
# Note: script will not execute at all (will throw a syntax error) if
# dhcp or wireless-fp packages are not installed
#-------------------------------------------------------------------------------
#| CAP configuration
#|
#| Wireless interfaces are set to be managed by CAPsMAN.
#| All ethernet interfaces and CAPsMAN managed interfaces are bridged.
#| DHCP client is set on bridge interface.

# bridge port name
:global brName "bridgeLocal";
:global logPref "defconf:";
:global action;
:log info $action
:if ($action = "apply") do={
  # wait for ethernet interfaces
  :local count 0;
  :while ([/interface ethernet find] = "") do={
    :if ($count = 30) do={
      :log warning "DefConf: Unable to find ethernet interfaces";
      /quit;
    }
    :delay 1s; :set count ($count + 1);
  }
  :local macSet 0;
  :local tmpMac "";
  :foreach k in=[/interface ethernet find] do={
    # first ethernet is found; add bridge and set mac address of the ethernet port
    :if ($macSet = 0) do={
      :set tmpMac [/interface ethernet get $k mac-address];
      /interface bridge add name=$brName auto-mac=no admin-mac=$tmpMac comment="defconf";
      :set macSet 1;
    }
    # add bridge ports
    /interface bridge port add bridge=$brName interface=$k comment="defconf"
  }
  # try to add dhcp client on bridge interface (may fail if already exist)
  :do {
    /ip dhcp-client add interface=$brName disabled=no comment="defconf"
  } on-error={ :log warning "$logPref unable to add dhcp client";}
  # try to configure caps (may fail if for example specified interfaces are missing)
  :local interfacesList "";
  :local bFirst 1;
  # wait for wireless interfaces
  :while ([/interface wireless find] = "") do={
    :if ($count = 30) do={
      :log warning "DefConf: Unable to find wireless interfaces";
      /quit;
    }
    :delay 1s; :set count ($count + 1);
  }
  # delay just to make sure that all wireless interfaces are loaded
  :delay 5s;
  :foreach i in=[/interface wireless find] do={
    if ($bFirst = 1) do={
      :set interfacesList [/interface wireless get $i name];
      :set bFirst 0;
    } else={
      :set interfacesList "$interfacesList,$[/interface wireless get $i name]";
    }
  }
  :do {
    /interface wireless cap set enabled=yes interfaces=$interfacesList discovery-interfaces=$brName bridge=$brName
  } on-error={ :log warning "$logPref unable to configure caps";}
}
:if ($action = "revert") do={
  :do {
    /interface wireless cap set enabled=no interfaces="" discovery-interfaces="" bridge=none
  } on-error={ :log warning "$logPref unable to unset caps";}
  :local o [/ip dhcp-client find comment="defconf"]
  :if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
  /interface bridge port remove [find comment="defconf"]
  /interface bridge remove [find comment="defconf"]
}

custom-script:
2. Basic network configuration
Having played with the Mikrotik reset, we now need to configure it ourselves. The default configuration is of course not suited to a newcomer's control, so clear it.
Go to System - Reset Configuration, select Keep User and No Default Configuration,
then run the reset; the device will have no default configuration at all and everything is up to the user.
Everything below is in command-line format; map it to the Web configuration yourself.
Below, the WAN ports are SFP1/Ether1, the VPN interface is WG, the LAN host port is Ether5, and the remaining ports 2-8 are all LAN.
2.1. Bridge + ports + interface lists
First define the bridge; a bridge corresponds to OSI layer 2. The demonstration adds the bridge L-bridge and attaches all LAN ports to it.
(Managing over IP will drop the connection in this step; it is recommended to manage the device by MAC address here.)
Note that any change to mtu/bridge drops layer-2 connectivity for the whole device; if you repeatedly fail to reconnect, the only option is a reset.
/interface bridge add auto-mac=no name=L-bridge protocol-mode=none
/interface bridge port
#add bridge=L-bridge interface=sfp-sfpplus1 (Remove)
#add bridge=L-bridge interface=ether1 (Remove)
add bridge=L-bridge interface=ether2
add bridge=L-bridge interface=ether3
add bridge=L-bridge interface=ether4
add bridge=L-bridge interface=ether5 trusted=yes
add bridge=L-bridge interface=ether6
add bridge=L-bridge interface=ether7
add bridge=L-bridge interface=ether8
After attaching the ports, verify that the WAN interfaces are not in the bridge, then move on to port configuration.
First come the ports, then the interface lists are defined, and finally each related port is given its interface-list membership.
Note that an interface list is aggregated from other configuration; configuring a port only changes that port's attributes.
Two interfaces, WG and pppoe-CUCC, are created here, corresponding to the WireGuard VPN and the PPPoE dial-up, but they still have to be configured elsewhere before they can be used. Any rule that matches on a list (for example in-interface-list=!WAN) treats an interface that is in no list as "not in that list", so remember to uncomment the two member entries below once those interfaces exist.
/interface ethernet set [ find default-name=ether4 ] mtu=1492
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=3600 \
    name=pppoe-CUCC user=dl88055088@163 password=123456
/interface wireguard
add listen-port=13231 mtu=1400 name=WG \
    private-key="gFFwaP1qKr+F+rFYIvAhuTqEFeO5slDmlk5TkA6XAXg="
/interface list
add name=WAN
add name=LAN
add name=VPN
/interface list member
# the LAN bridge created in 2.1 is named L-bridge
add interface=L-bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
add interface=ether1 list=WAN
#add interface=WG list=VPN
#add interface=pppoe-CUCC list=WAN
With all of this in place we can move on; the commonly used port configuration is finished.
2.2. IPv4 Address + DHCPv4 + DNS + Route
The foundation of a routing device is the basic configuration that connects it to the network.
To connect, a network address, address allocation, DNS and routes are indispensable.
2.2.1. IP addresses
/ip address
add address=192.168.2.254/24 interface=L-bridge network=192.168.2.0
add address=10.0.0.2/30 interface=WG network=10.0.0.0
2.2.2. DHCP configuration
Address pool related commands
First create the pool, then the server, and finally the network information the server hands out.
/ip pool
add name=Pool-First ranges=192.168.2.100-192.168.2.199
/ip dhcp-server
# the server listens on the LAN bridge created in 2.1 (L-bridge)
add address-pool=Pool-First interface=L-bridge lease-time=1w name=DHCP-First
/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.254 gateway=192.168.2.254 \
    ntp-server=192.168.2.254
Static assignment and MAC-IP binding related commands
/ip dhcp-server lease
add address=192.168.2.100 comment=Computer mac-address=BF:33:74:9B:47:D8 server=\
    DHCP-First use-src-mac=yes
/ip dhcp-server option
add code=6 name=OnePoint-DNS-6 value=\
    "'114.114.114.114''119.29.29.29''223.5.5.5''1.0.0.1'"
If instead the router obtains its own address as a DHCP client, configure the client side.
/ip dhcp-client add interface=sfp-sfpplus1 use-peer-dns=yes use-peer-ntp=yes add-default-route=yes
2.2.3. DNS
/ip dns
set allow-remote-requests=yes servers=1.0.0.1,8.8.4.4,119.29.29.29 \
    use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes
/ip dns static
add address=192.168.2.254 name=router.lan
add address=10.0.0.1 name=router.lan
add address=192.168.2.254 name=time.windows.com
add address=10.0.0.1 name=time.windows.com
2.2.4. Routes
First specify the routing table name; here it is named main.
Note that hardware offload can only be used when there is a single routing table.
/routing table add disabled=yes fib name=main
Then configure the routes; you can do dual-route load balancing, active/standby, or floating routes.
/ip route
add check-gateway=ping disabled=no distance=5 dst-address=8.8.4.4/32 gateway=\
    10.0.0.1 pref-src=0.0.0.0 routing-table=main \
    suppress-hw-offload=no scope=30 target-scope=10
add check-gateway=ping disabled=no distance=5 dst-address=8.8.4.4/32 gateway=\
    10.0.0.5 pref-src=0.0.0.0 routing-table=main \
    suppress-hw-offload=no scope=30 target-scope=10
check-gateway = gateway probe check
distance = priority, lower number wins
dst-address = destination address
gateway = next-hop address
pref-src = preferred source address (for VPNs and similar cases where the peer is only reachable from a specific source address)
suppress-hw-offload = forbid hardware offload
scope/target-scope = scope / target scope (used for loop prevention with multiple routes; defaults are 30/10)
2.2.5. NTP
Set the time zone, configure the client, configure the time servers, configure the server
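To make the distance, scope and target-scope semantics listed above concrete, here is an added Python model of how RouterOS picks a route (example code written for this article; it is not part of the original post nor of RouterOS). It assumes the constructed table below: the two 8.8.4.4/32 routes from the page, the connected routes implied by section 2.2.1, a default route via pppoe-CUCC, and one hypothetical 10.0.0.4/30 static route so that the second gateway 10.0.0.5 has something to resolve through. A gateway listed in `down` stands in for a failed check-gateway=ping.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, IPv4Network
from typing import List, Set


@dataclass(frozen=True)
class Route:
    dst: str                # destination prefix, e.g. "8.8.4.4/32"
    gateway: str            # next-hop IP, or an interface name for a connected route
    distance: int = 1       # lower wins among routes to the same prefix
    scope: int = 30         # connected routes get 10, static routes default to 30
    target_scope: int = 10  # a gateway may only be resolved via routes with scope <= this
    comment: str = ""

    @property
    def net(self) -> IPv4Network:
        return IPv4Network(self.dst)


def _is_ip(text: str) -> bool:
    try:
        IPv4Address(text)
        return True
    except ValueError:
        return False


def resolves(route: Route, table: List[Route], down: Set[str], depth: int = 0) -> bool:
    """A route is usable when its gateway is an interface, or an IP covered by
    another route whose scope <= this route's target-scope and which itself
    resolves (recursive lookup, bounded so a loop cannot recurse forever)."""
    if route.gateway in down or depth > 8:
        return False
    if not _is_ip(route.gateway):
        return True
    gw = IPv4Address(route.gateway)
    candidates = [r for r in table
                  if r is not route and r.scope <= route.target_scope and gw in r.net]
    if not candidates:
        return False
    best = max(candidates, key=lambda r: r.net.prefixlen)  # longest prefix match
    return resolves(best, table, down, depth + 1)


def active_routes(table: List[Route], down: Set[str] = frozenset()) -> List[Route]:
    """Per prefix keep the resolvable routes with the lowest distance; several
    survivors with equal distance form an ECMP set."""
    by_prefix = {}
    for r in table:
        if resolves(r, table, down):
            by_prefix.setdefault(r.net, []).append(r)
    active = []
    for routes in by_prefix.values():
        best = min(r.distance for r in routes)
        active.extend(r for r in routes if r.distance == best)
    return active


def lookup(ip: str, table: List[Route], down: Set[str] = frozenset()) -> List[str]:
    """Longest-prefix match over the active routes; returns the gateway(s) used."""
    addr = IPv4Address(ip)
    hits = [r for r in active_routes(table, down) if addr in r.net]
    if not hits:
        return []
    longest = max(r.net.prefixlen for r in hits)
    return sorted(r.gateway for r in hits if r.net.prefixlen == longest)


# Constructed table (see lead-in); only the two 8.8.4.4/32 routes are from the page.
TABLE = [
    Route("192.168.2.0/24", "L-bridge", distance=0, scope=10, comment="connected"),
    Route("10.0.0.0/30", "WG", distance=0, scope=10, comment="connected"),
    Route("0.0.0.0/0", "pppoe-CUCC", distance=1, comment="default via PPPoE"),
    Route("8.8.4.4/32", "10.0.0.1", distance=5, comment="page: first ECMP gateway"),
    Route("8.8.4.4/32", "10.0.0.5", distance=5, comment="page: second ECMP gateway"),
    Route("10.0.0.4/30", "10.0.0.1", distance=1, comment="hypothetical: 10.0.0.4/30 behind the WG peer"),
]

# Same table, but the 10.0.0.5 route is allowed to resolve through scope-30 routes.
TABLE_TS30 = [replace(r, target_scope=30) if r.gateway == "10.0.0.5" else r for r in TABLE]

if __name__ == "__main__":
    print("8.8.4.4 as posted  ->", lookup("8.8.4.4", TABLE))
    print("8.8.4.4, 10.0.0.1 down ->", lookup("8.8.4.4", TABLE, {"10.0.0.1"}))
    print("8.8.4.4, target-scope 30 ->", lookup("8.8.4.4", TABLE_TS30))
```

With the page's default target-scope=10 the second gateway 10.0.0.5 never becomes active, because no scope-10 (connected) route covers it, so the intended dual-gateway balancing silently runs on one path; widening target-scope on that route, or giving 10.0.0.5 a connected subnet, is what makes it resolve.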
/system clock
set time-zone-name=Asia/Shanghai
/system ntp client
set enabled=yes
/system ntp client servers
add address=pool.ntp.org
add address=cn.pool.ntp.org
add address=ntp.aliyun.com
add address=ntp.tencent.com
add address=edu.ntp.org.cn
add address=time.edu.cn
add address=ntp.ustc.edu.cn
add address=ntp.neu.edu.cn
add address=time.windows.com
add address=time.apple.com
add address=ntp.ntsc.ac.cn
/system ntp server
set enabled=yes multicast=yes
2.3. IPv6 Address + DHCPv6 + IPv6 ND
If you obtain your IPv6 address through PPPoE dial-up, never enable Add Default Route on the DHCPv6 client [link]
/ipv6 address add address=fc00:10::2 advertise=no interface=WG
Below is how to obtain an IPv6 prefix over PPPoE and distribute it downstream:
1. Configure the DHCP client: specify the interface, request a prefix (not an address), and put the received prefix into the named pool (/60)
2. Configure the router's address with suffix ::1, taking the prefix from that pool
3. Allow the router to accept RA announcements, so the router itself can also get an address via SLAAC
4. Configure the router's ND announcements; the prefix is sent to clients from here
/ipv6 dhcp-client
add interface=pppoe-CUCC request=prefix pool-name=pppoe-CUCC-v6pool \
    use-peer-dns=no use-interface-duid=no rapid-commit=yes \
    add-default-route=no
/ipv6 address
# the LAN bridge created in 2.1 is named L-bridge
add address=::1 from-pool=pppoe-CUCC-v6pool interface=L-bridge
/ipv6 settings
set accept-router-advertisements=yes
/ipv6 nd
set [ find default=yes ] disabled=yes
add ra-interval=200-600 ra-delay=3 ra-preference=medium \
    advertise-dns=yes advertise-mac-address=yes \
    ra-lifetime=1800 mtu=1480
/ipv6 nd prefix default set preferred-lifetime=3d valid-lifetime=1w
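The from-pool mechanics of steps 1, 2 and 4 (take a /64 out of the delegated /60, put ::1 on it, advertise that /64 in RAs) are easy to get wrong when the ISP delegates a different length than expected. The Python below is an added example written for this article, not code from the original post or from RouterOS; it models that arithmetic and uses a constructed documentation prefix, 2001:db8:1230::/60, as the delegated pool.

```python
from ipaddress import IPv6Address, IPv6Interface, IPv6Network
from typing import Tuple


def subnet_count(delegated_prefix: str, subnet_len: int = 64) -> int:
    """How many /64s the delegated prefix can be carved into (/60 -> 16, /64 -> 1).
    A delegation longer than /64 (e.g. a bare /128 address) yields nothing to advertise."""
    pool = IPv6Network(delegated_prefix)
    if pool.prefixlen > subnet_len:
        raise ValueError(f"{delegated_prefix} is longer than /{subnet_len}; nothing to delegate")
    return 2 ** (subnet_len - pool.prefixlen)


def address_from_pool(delegated_prefix: str, suffix: str = "::1",
                      index: int = 0, subnet_len: int = 64) -> IPv6Interface:
    """Model of `/ipv6 address add address=::1 from-pool=<pool>`: take the
    index-th /64 out of the delegated prefix and OR the host suffix into it."""
    pool = IPv6Network(delegated_prefix)
    if index >= subnet_count(delegated_prefix, subnet_len):
        raise ValueError(f"pool {delegated_prefix} has no subnet #{index}")
    net_int = int(pool.network_address) + (index << (128 - subnet_len))
    host = int(IPv6Address(suffix))
    if host >> (128 - subnet_len):
        raise ValueError(f"suffix {suffix} does not fit in the host part of a /{subnet_len}")
    return IPv6Interface(f"{IPv6Address(net_int | host)}/{subnet_len}")


def ra_prefix(iface: IPv6Interface) -> IPv6Network:
    """The on-link prefix `/ipv6 nd` advertises for an interface address is the
    address's own /64, which is why the bridge needs an address from the pool first."""
    return iface.network


def renumber(old_prefix: str, new_prefix: str) -> Tuple[str, str, bool]:
    """A PPPoE re-dial usually hands out a different prefix; returns the old and
    new bridge address and whether the advertised /64 changed."""
    old = address_from_pool(old_prefix)
    new = address_from_pool(new_prefix)
    return str(old), str(new), ra_prefix(old) != ra_prefix(new)


if __name__ == "__main__":
    pool = "2001:db8:1230::/60"  # constructed delegated prefix
    print(subnet_count(pool), "usable /64s")
    print("bridge address:", address_from_pool(pool))
    print("RA prefix:", ra_prefix(address_from_pool(pool)))
    print("after re-dial:", renumber(pool, "2001:db8:4560::/60"))
```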
Note that in some regions this may not work after configuration; the places to change are as follows (/ipv6 dhcp-client):
1. In request=prefix, request can be address, prefix, or both, three possibilities; try each one.
2. Turn on use-interface-duid; the ::1 suffix then automatically becomes the router's own DUID-derived address, letting the router itself get online.
2.4. Firewall
2.4.1. Connection tracking
If for some reason sessions keep dropping and reconnecting, you can change the router's own connection tracking timeouts [link]
/ip firewall connection tracking
set icmp-timeout=30s tcp-close-wait-timeout=1m tcp-fin-wait-timeout=2m \
tcp-last-ack-timeout=30s tcp-syn-received-timeout=1m tcp-syn-sent-timeout=\
2m tcp-time-wait-timeout=2m udp-stream-timeout=2m udp-timeout=30s
2.4.2. Filter rules
The default rules were already present earlier; the extra work is inserting your own rules before the drop rule.
Input is the chain for traffic to the router itself
Forward is the chain for traffic the router forwards
/ip firewall filter
# existing defconf rule: "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# ***Input Here***
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# the rules below must end up above the drop rule; a plain "add" appends to
# the end of the chain, so check the order in Winbox afterwards
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=!WAN \
    protocol=udp
add action=accept chain=input comment=NTP dst-port=123 in-interface-list=!WAN \
    protocol=udp
add action=accept chain=input comment=VPN-Manage dst-port=8291 \
    in-interface-list=VPN protocol=tcp
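The DNS and NTP accepts above match in-interface-list=!WAN, and section 2.2.3 enables allow-remote-requests=yes, so whether the router becomes an open resolver on the internet depends entirely on the interface lists from section 2.1, where the pppoe-CUCC and WG members are still commented out. The Python below is an added example written for this article (not code from the original post or from RouterOS) that simulates first-match evaluation of the input chain for new connections only (the defconf established/related rules are left out) and audits the lists; the packets and the interface names are constructed from the page's configuration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                    # accept / drop
    comment: str
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    in_list: Optional[str] = None  # "WAN", "VPN", or negated "!LAN"


def in_list_matches(spec: str, iface: str, lists: Dict[str, Set[str]]) -> bool:
    """RouterOS semantics for in-interface-list=X / !X: an interface that
    belongs to no list matches every negated ("!X") selector."""
    negate = spec.startswith("!")
    member = iface in lists.get(spec.lstrip("!"), set())
    return member != negate


def rule_matches(rule: Rule, pkt: Packet, lists: Dict[str, Set[str]]) -> bool:
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    if rule.in_list is not None and not in_list_matches(rule.in_list, pkt.in_iface, lists):
        return False
    return True


def evaluate(chain: List[Rule], pkt: Packet, lists: Dict[str, Set[str]]) -> Tuple[str, str]:
    """First match wins; an input chain with no matching rule accepts."""
    for rule in chain:
        if rule_matches(rule, pkt, lists):
            return rule.action, rule.comment
    return "accept", "no rule matched (chain default)"


def unlisted_interfaces(all_ifaces: Set[str], lists: Dict[str, Set[str]]) -> Set[str]:
    """Audit helper: interfaces in no list, which slip through every '!LIST' rule."""
    listed = set().union(*lists.values())
    return all_ifaces - listed


# The page's input rules (2.4.2) in the order the text wants them:
# custom accepts first, the defconf drop last.
INPUT_CHAIN = [
    Rule("accept", "DNS", proto="udp", dst_port=53, in_list="!WAN"),
    Rule("accept", "NTP", proto="udp", dst_port=123, in_list="!WAN"),
    Rule("accept", "VPN-Manage", proto="tcp", dst_port=8291, in_list="VPN"),
    Rule("drop", "defconf: drop all not coming from LAN", in_list="!LAN"),
]

ALL_IFACES = {"L-bridge", "sfp-sfpplus1", "ether1", "pppoe-CUCC", "WG"}

# Interface lists exactly as section 2.1 leaves them (WG and pppoe-CUCC commented out).
LISTS_AS_POSTED = {"LAN": {"L-bridge"}, "WAN": {"sfp-sfpplus1", "ether1"}, "VPN": set()}
# The same lists with the two commented-out members added.
LISTS_FIXED = {"LAN": {"L-bridge"}, "WAN": {"sfp-sfpplus1", "ether1", "pppoe-CUCC"}, "VPN": {"WG"}}

# Constructed test packets: a DNS query from the internet over PPPoE, and a
# Winbox connection arriving through the WireGuard tunnel.
DNS_FROM_PPPOE = Packet("pppoe-CUCC", "udp", 53)
WINBOX_FROM_WG = Packet("WG", "tcp", 8291)

if __name__ == "__main__":
    for name, lists in (("as posted", LISTS_AS_POSTED), ("fixed", LISTS_FIXED)):
        print(name, "unlisted:", sorted(unlisted_interfaces(ALL_IFACES, lists)))
        for pkt in (DNS_FROM_PPPOE, WINBOX_FROM_WG):
            print("  ", pkt, "->", evaluate(INPUT_CHAIN, pkt, lists))
```

With the lists as posted, the DNS query from the PPPoE side is accepted by the first rule (the resolver is reachable from the internet) while Winbox over WG is dropped because WG is in neither VPN nor LAN; adding the two members gives the intended result for both. Running the audit helper against `/interface print` output after every change is a cheap way to catch this class of mistake.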
2.4.3. NAT rules
First the NAT rule for outbound access: only the WAN zone needs to be specified, and the source address of traffic is automatically rewritten to the WAN port's address.
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
Then create the port-forwarding rules; note that TCP and UDP cannot be combined in one rule, and each rule covers a single port.
/ip firewall nat
add action=dst-nat chain=dstnat comment=HTTP dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.2.100
2.5. WireGuard
WireGuard has to be configured in parts: the local interface, the peer, and the route.
/interface wireguard
add listen-port=13232 mtu=1400 name=Wireguard-Server \
    private-key="OIQzZ/abaoKNX1ol/FKrQcaV0/7I53sVG0LUW644UG8="
/interface wireguard peers
add allowed-address=10.0.0.1/32,10.0.0.0/8 \
    endpoint-address=1.2.3.4 endpoint-port=51820 interface=Wireguard-Server \
    public-key="5boJppau+rAGL9nK4To2ftveQ31CDw9bK+O4wt8VWX4="
/ip route
add check-gateway=ping disabled=no distance=5 dst-address=10.0.0.0/32 gateway=\
    10.0.0.1 pref-src=0.0.0.0 routing-table=main \
    suppress-hw-offload=no scope=30 target-scope=10
2.6. Services
2.6.1. Built-in services
/ip service
set winbox disabled=no
set www disabled=no
set www-ssl disabled=no certificate=https-cert tls-version=only-1.2
set telnet disabled=yes
set ssh disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
winbox = management interface for the Winbox software
www = HTTP access
www-ssl = HTTPS access; note that a certificate must be configured first
The commands to configure the www-ssl certificate are as follows
/certificate
add name=root-cert common-name=MyRouter days-valid=3650 key-usage=key-cert-sign,crl-sign
sign root-cert
add name=https-cert common-name=MyRouter days-valid=3650
sign ca=root-cert https-cert
/ip service
set www-ssl certificate=https-cert disabled=no
set www disabled=yes
2.6.2. UPnP
First set the UPnP interfaces, then enable UPnP
/ip upnp interfaces
add interface=L-bridge type=internal
add interface=pppoe-CUCC type=external
/ip upnp
set allow-disable-external-interface=yes enabled=yes
2.6.3. DDNS
DDNS can only be used through Mikrotik's own official domain
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
2.6.4. LLDP
/ip neighbor discovery-settings
set discover-interface-list=LAN
2.6.5. Service checks
netwatch is an ordinary network check
watchdog is the upgraded version: once a WAN communication failure is detected, the device reboots
/tool netwatch add disabled=no host=1.2.3.4
/system watchdog
set watchdog-timer=no
2.6.6. Scheduled commands
Two commonly used ones here:
1. Periodically restart the PPPoE interface
2. Periodically clear the UPnP mapping table
/system scheduler
add interval=2d name="Reboot PPPoE" on-event="/interface/disable pppoe-CUCC;\r\
    \n/delay 3000ms;\r\
    \n/interface/enable pppoe-CUCC;" policy=reboot,read,write start-date=\
    jan/01/2022 start-time=04:40:00
add interval=1d name="Clear Upnp" on-event=\
    "/ip upnp set enabled=no;\r\
    \n/delay 3000ms;\r\
    \n/ip upnp set enabled=yes;" policy=reboot,read,write start-date=\
    jun/02/2022 start-time=04:40:00
2.6.7. Logging
Logs come in many categories; when you cannot find the cause of a problem, the first thing to do is turn on logging and look.
Here we log DNS resolution and save it to the local disk
/system logging
add action=disk disabled=no topics=dns
3. Problems
3.1. A bridge is not the same as a layer-2 switch
On an enterprise layer-3 switch, such as an H3C S10500, switching a port from layer 2 to layer 3 does not affect other services. But Mikrotik virtualizes layer 2 on top of layer 3, which means that touching the bridge reloads every interface, and services are bound to drop. If you think hardware offload means no drop, you are in for a lesson. And when the bridge is cleared, Mikrotik really does not keep a hidden bridge for reaching the device, meaning it instantly becomes a brick. Layer 3 needs a bridge underneath it before the device responds to layer-2 MAC frames at all.
3.2. Hardware offload has many restrictions
Want to add a routing table? HW offload is gone. Want a few more bridges? HW offload is gone. Want to change the MTU? HW offload is gone.
Yes, that is hardware offload: if you do not check the official HW support details for your specific model, you will not even realize HW offload was never on; you just watch the latency jitter and think the performance is bad.
3.3. PCC balancing is not like LACP
If we want to bundle a pile of cables into an aggregate, the common forms on switches are static two-link aggregation and multi-link LACP dynamic aggregation; after aggregation, traffic is split by some method and automatically merged again on the far end. But PCC is not like that. PCC itself creates two links, and can a crossed link drop? PCC's description easily suggests that if one of the two links fails, traffic automatically fails over, but in fact it does not: once one link is down, traffic congests and will not take the other link no matter what. Why? It turns out PCC is not tied in with routing; it only sets up the group, but at the routing layer the traffic has already committed to one path. In principle what layer 3 sends should be splittable at layer 2, but PCC just does not split. That means PCC is really a layer-3 traffic-splitting policy on the same level as layer-3 routing, and not a replacement for LACP at all. Since I already have routing load balancing, why would I use PCC, which is tedious and complex to configure and cannot adjust dynamically?
3.4. Who to ask when you find a problem
There are people on the official forum, but most are passing contributors; developers show up occasionally and most likely will not look at the newcomer questions area.
The domestic distributors are only vendor engineers who know a bit because of sales; dig slightly into any feature and you exhaust their knowledge.
In the end you have to find it yourself; fortunately most Mikrotik problems can be analyzed and solved on the forum or by reading the logs.
Of course, what cannot be solved cannot be solved. It is a foreign brand after all, and after-sales support is basically nonexistent.
3.5. IPv4 and IPv6 are glued together
Now your IPv4 is configured and you just want to touch IPv6.
On Linux, you only need one reload; IPv6 reloads by itself and comes up fully, with IPv4 completely unaffected.
On an enterprise router, even an N-year-old second-hand Cisco, configuring IPv6 on a port does not drop IPv4.
On Mikrotik, you will find that whenever you touch IPv4/IPv6 at all, it does a Down/Up.
Thoroughly upholding the fine tradition of "reboot fixes 99% of problems".
The only thing comparable is Windows, but Windows can at least reload by disabling and re-enabling the IPv6 stack.
If what you touched happens to be a WAN interface, then every change drops the network, you wait a while for it to recover, change again, drop again, and so on.
The feeling is like paying a lot to skydive with a GoPro and finding on landing that the GoPro broke from vibration??? An action camera??
3.6. SOCKS5 as slow as an ox
Since Mikrotik supports a RouterOS SOCKS5 server, of course it has to be tried.
Enable, Access, change the port, and the configuration is done.
Tested with Firefox: opening baidu takes 3 seconds, opening the qq homepage takes 12 seconds.
Very good, very powerful, it feels like 2012 again; it could even have been a bit faster back then.