MikroTik unboxing and initial setup

2022-05-18

Want 10 GbE without the budget? Take a look at the inexpensive MikroTik.


1. Basic information

Device model: RB5009UG+S+IN [link]
Device version: MikroTik RouterOS 7.2.3, build 2022/05/02 15:18:17

Mikrotik RB5009UG+S+IN

MikroTik RouterOS has little coupling between its commands, so while configuring you have to create the related objects yourself.
The official wiki is mostly bare commands with little context or explanation, which makes configuration hard for MikroTik newcomers.

MikroTik RouterOS uses iptables to manage its rules and policies [link],
so while carrying out operations it is very fond of "reboot fixes 99% of problems" (losing the connection for no apparent reason during configuration is common).

Official wiki [link]
Wiki run by the Chinese distributor [link]


1.1. Look and feel

First of all it is a metal case with its own heatsink fins, quite flat; tap it and it feels very solid.

Inside, thermal paste is applied to two chips; the SFP+ cage and two transistors (not sure exactly what they are), which run hotter, get block-shaped thermal pads.

The seller mentioned some oil; opening it up, the oil was only on the SN sticker on the back plate, which is baffling.

Port Eth1 is a 2.5G/5G auto-negotiating port following IEEE 802.3bz, but the marketing only ever says 2.5G.
Its link LED glows faintly with nothing plugged in and goes fully dark once a cable is connected (some capacitor was surely not designed right).

The NIC cutouts and the mould of the metal case do not line up perfectly, so I chose to wrap the gaps with electrical tape.

Overall it has an industrial cyberpunk feel; the case is thick enough but neither waterproof nor dustproof.


1.2. Quick Set

On first boot the device's default IP address is http://192.168.88.1 (DHCP).

The web page that comes up waits for login; the default username is admin with an empty password.

You are then asked to set a new password; of course you can skip this.

When the page opens, the default area is WebFig/Interfaces. This area is mostly for checking status; detailed configuration is done in WebFig.

As a newcomer, the first thing to do with a new device is open Quick Set and inspect the default configuration for surprises.

Mode = Router
Port = Eth1
Address Acquisition = PPPOE
PPPoE User = ***
PPPoE Password = ***
MAC Address = ***
IP Address = 192.168.88.1
Netmask = 255.255.255.0/24
Bridge All Lan Ports = Yes
DHCP Server = Yes
NAT = Yes
Router Identity = Mikrotik

Having read the parameters, you know how the device is meant to be used by default.

Only SFP1 and ETH1 are WAN ports; all the others are LAN ports placed under a single bridge.
LAN DHCP is on, NAT is on, the LAN gateway is 192.168.88.1, and the public side connects via PPPoE.

With that seen, a new network device should be reset once on arrival to learn the procedure before a misconfiguration bricks it (I bricked mine within seconds by deleting the bridge first thing).
In practice the button is really hard to press and tires the finger; I also could not tell which LED the official docs mean, and it took more than ten tries to succeed.

  • Power off the device
  • With the ports facing up, rest a fingernail on the lower edge of Reset and press it a few times to get a feel for the force (saves effort)
  • Get ready to apply power, hold Reset down before powering on, and keep it still (if your finger gets tired, start over)
  • While powering on, watch the LEDs: there is an inconspicuous small LED at the lower right of the SFP cage that lights up briefly during self-test; keep an eye on it
  • Wait for this LED to go off, then stay on, then slow-blink, hold for another 3 s, then release (the port LEDs blink too, ignore them)
  • The device initializes; wait

With the reset tested, the next step is to try MikroTik's official Winbox tool [link].

Note that Winbox and HTTP use different ports and different UIs; do not mix them up.

Winbox can connect in two ways: by IP/hostname or by MAC address.
The tool has built-in layer-2 device discovery, so it is the recommended tool for configuration.


1.3. The command to view the default configuration is as follows

[admin@MikroTik] > /system default-configuration print
            script: #| Welcome to RouterOS!
                    #|    1) Set a strong router password in the System > Users menu
                    #|    2) Upgrade the software in the System > Packages menu
                    #|    3) Enable firewall on untrusted networks
                    #| -----------------------------------------------------------------------------
                    #| RouterMode:
                    #|  * WAN port is protected by firewall and enabled DHCP client
                    #|  * Ethernet interfaces (except WAN port/s) are part of LAN bridge
                    #| LAN Configuration:
                    #|     IP address 192.168.88.1/24 is set on bridge (LAN port)
                    #|     DHCP Server: enabled;
                    #|     DNS: enabled;
                    #| WAN (gateway) Configuration:
                    #|     gateway:  ether1 ;
                    #|     ip4 firewall:  enabled;
                    #|     ip6 firewall:  enabled;
                    #|     NAT:   enabled;
                    #|     DHCP Client: enabled;
                    #| Login
                    #|     admin user protected by password
                    
                    :global defconfMode;
                    :log info "Starting defconf script";
                    #-------------------------------------------------------------------------------
                    # Apply configuration.
                    # these commands are executed after installation or configuration reset
                    #-------------------------------------------------------------------------------
                    :if ($action = "apply") do={
                      # wait for interfaces
                      :local count 0;
                      :while ([/interface ethernet find] = "") do={
                        :if ($count = 30) do={
                          :log warning "DefConf: Unable to find ethernet interfaces";
                          /quit;
                        }
                        :delay 1s; :set count ($count +1); 
                      };
                      :local count 0;
                      :while ([/interface wireless print count-only] < 0) do={ 
                        :set count ($count +1);
                        :if ($count = 40) do={
                          :log warning "DefConf: Unable to find wireless interface(s)"; 
                          /ip address add address=192.168.88.1/24 interface=ether1 comment="defconf";
                          /quit
                        }
                        :delay 1s;
                      };
                     /interface list add name=WAN comment="defconf"
                     /interface list add name=LAN comment="defconf"
                     /interface bridge
                       add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;
                     :local bMACIsSet 0;
                     :foreach k in=[/interface find where !(slave=yes   || name="ether1" || name~"bridge")] do={
                       :local tmpPortName [/interface get $k name];
                       :if ($bMACIsSet = 0) do={
                         :if ([/interface get $k type] = "ether") do={
                           /interface bridge set "bridge" auto-mac=no admin-mac=[/interface get $tmpPortName mac-address];
                           :set bMACIsSet 1;
                         }
                       }
                         :if (([/interface get $k type] != "ppp-out") && ([/interface get $k type] != "lte")) do={
                           /interface bridge port
                             add bridge=bridge interface=$tmpPortName comment=defconf;
                         }
                       }
                       /ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
                       /ip dhcp-server
                         add name=defconf address-pool="default-dhcp" interface=bridge lease-time=10m disabled=no;
                       /ip dhcp-server network
                         add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 comment="defconf";
                      /ip address add address=192.168.88.1/24 interface=bridge comment="defconf";
                     /ip dns {
                         set allow-remote-requests=yes
                         static add name=router.lan address=192.168.88.1 comment=defconf
                     }
                    
                       /ip dhcp-client add interface=ether1 disabled=no comment="defconf";
                     /interface list member add list=LAN interface=bridge comment="defconf"
                     /interface list member add list=WAN interface=ether1 comment="defconf"
                     /ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
                     /ip firewall {
                       filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
                       filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
                       filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
                       filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
                       filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
                       filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
                       filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
                       filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
                       filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
                       filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
                       filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
                     }
                     /ipv6 firewall {
                       address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
                       address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
                       address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
                       address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
                       address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
                       address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
                       address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
                       address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
                       address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
                       filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
                       filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
                       filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
                       filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
                       filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
                       filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
                       filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
                       filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
                       filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
                       filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
                       filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
                       filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
                       filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
                       filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
                       filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
                       filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
                       filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
                       filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
                       filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
                       filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
                       filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
                       filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
                     }
                       /ip neighbor discovery-settings set discover-interface-list=LAN
                       /tool mac-server set allowed-interface-list=LAN
                       /tool mac-server mac-winbox set allowed-interface-list=LAN
                     :if (!($defconfPassword = "" || $defconfPassword = nil)) do={
                       /user set admin password=$defconfPassword
                       :delay 0.5
                       /user expire-password admin 
                     }
                    }
                    #-------------------------------------------------------------------------------
                    # Revert configuration.
                    # these commands are executed if user requests to remove default configuration
                    #-------------------------------------------------------------------------------
                    :if ($action = "revert") do={
                    /user set admin password=""
                     /system routerboard mode-button set enabled=no
                     /system routerboard mode-button set on-event=""
                     /system script remove [find comment~"defconf"]
                     /ip firewall filter remove [find comment~"defconf"]
                     /ipv6 firewall filter remove [find comment~"defconf"]
                     /ipv6 firewall address-list remove [find comment~"defconf"]
                     /ip firewall nat remove [find comment~"defconf"]
                     /interface list member remove [find comment~"defconf"]
                     /interface detect-internet set detect-interface-list=none
                     /interface detect-internet set lan-interface-list=none
                     /interface detect-internet set wan-interface-list=none
                     /interface detect-internet set internet-interface-list=none
                     /interface list remove [find comment~"defconf"]
                     /tool mac-server set allowed-interface-list=all
                     /tool mac-server mac-winbox set allowed-interface-list=all
                     /ip neighbor discovery-settings set discover-interface-list=!dynamic
                       :local o [/ip dhcp-server network find comment="defconf"]
                       :if ([:len $o] != 0) do={ /ip dhcp-server network remove $o }
                       :local o [/ip dhcp-server find name="defconf" !disabled]
                       :if ([:len $o] != 0) do={ /ip dhcp-server remove $o }
                       /ip pool {
                         :local o [find name="default-dhcp" ranges=192.168.88.10-192.168.88.254]
                         :if ([:len $o] != 0) do={ remove $o }
                       }
                       :local o [/ip dhcp-client find comment="defconf"]
                       :if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
                     /ip dns {
                       set allow-remote-requests=no
                       :local o [static find comment="defconf"]
                       :if ([:len $o] != 0) do={ static remove $o }
                     }
                     /ip address {
                       :local o [find comment="defconf"]
                       :if ([:len $o] != 0) do={ remove $o }
                     }
                     :foreach iface in=[/interface ethernet find] do={
                       /interface ethernet set $iface name=[get $iface default-name]
                     }
                     /interface bridge port remove [find comment="defconf"]
                     /interface bridge remove [find comment="defconf"]
                     /interface bonding remove [find comment="defconf"]
                     /interface wireless cap set enabled=no interfaces="" caps-man-addresses=""
                      /caps-man manager set enabled=no
                      /caps-man manager interface remove [find comment="defconf"]
                      /caps-man manager interface set [ find default=yes ] forbid=no
                      /caps-man provisioning remove [find comment="defconf"]
                      /caps-man configuration remove [find comment="defconf"]
                      /caps-man security remove [find comment="defconf"]
                    }
                    :log info Defconf_script_finished;
                    :set defconfMode;
                    
  caps-mode-script: #-------------------------------------------------------------------------------
                    # Note: script will not execute at all (will throw a syntax error) if
                    #       dhcp or wireless-fp packages are not installed
                    #-------------------------------------------------------------------------------
                    
                    #| CAP configuration
                    #|
                    #|   Wireless interfaces are set to be managed by CAPsMAN.
                    #|   All ethernet interfaces and CAPsMAN managed interfaces are bridged.
                    #|   DHCP client is set on bridge interface.
                    
                    # bridge port name
                    :global brName  "bridgeLocal";
                    :global logPref "defconf:";
                    
                    
                    :global action;
                    
                    :log info $action
                    
                    :if ($action = "apply") do={
                    
                      # wait for ethernet interfaces
                      :local count 0;
                      :while ([/interface ethernet find] = "") do={
                        :if ($count = 30) do={
                          :log warning "DefConf: Unable to find ethernet interfaces";
                          /quit;
                        }
                        :delay 1s; :set count ($count + 1);
                      }
                    
                      :local macSet 0;
                      :local tmpMac "";
                    
                      :foreach k in=[/interface ethernet find] do={
                        # first ethernet is found; add bridge and set mac address of the ethernet port
                        :if ($macSet = 0) do={
                          :set tmpMac [/interface ethernet get $k mac-address];
                          /interface bridge add name=$brName auto-mac=no admin-mac=$tmpMac comment="defconf";
                          :set macSet 1;
                        }
                        # add bridge ports
                        /interface bridge port add bridge=$brName interface=$k comment="defconf"
                      }
                    
                      # try to add dhcp client on bridge interface (may fail if already exist)
                      :do {
                        /ip dhcp-client add interface=$brName disabled=no comment="defconf"
                      } on-error={ :log warning "$logPref unable to add dhcp client";}
                    
                    
                      # try to configure caps (may fail if for example specified interfaces are missing)
                      :local interfacesList "";
                      :local bFirst 1;
                    
                      # wait for wireless interfaces
                      :while ([/interface wireless find] = "") do={
                        :if ($count = 30) do={
                          :log warning "DefConf: Unable to find wireless interfaces";
                          /quit;
                        }
                        :delay 1s; :set count ($count + 1);
                      }
                    
                      # delay just to make sure that all wireless interfaces are loaded
                      :delay 5s;
                      :foreach i in=[/interface wireless find] do={
                        if ($bFirst = 1) do={
                          :set interfacesList [/interface wireless get $i name];
                          :set bFirst 0;
                        } else={
                          :set interfacesList "$interfacesList,$[/interface wireless get $i name]";
                        }
                      }
                      :do {
                        /interface wireless cap
                          set enabled=yes interfaces=$interfacesList discovery-interfaces=$brName bridge=$brName
                      } on-error={ :log warning "$logPref unable to configure caps";}
                    
                    }
                    
                    :if ($action = "revert") do={
                      :do {
                        /interface wireless cap
                          set enabled=no interfaces="" discovery-interfaces="" bridge=none
                      } on-error={ :log warning "$logPref unable to unset caps";}
                    
                      :local o [/ip dhcp-client find comment="defconf"]
                      :if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
                    
                      /interface bridge port remove [find comment="defconf"]
                      /interface bridge remove [find comment="defconf"]
                    
                    }
     custom-script: 

2. Basic network configuration

With the MikroTik initialization out of the way, we need to configure it ourselves. The default configuration is certainly not suitable for a newcomer to manage, so clear it.

Go to System - Reset Configuration, choose Keep User and No Default Configuration.

Then run the reset; the device will have no default configuration at all and everything is up to you.

Everything below is in command-line form; map it to the web UI yourself.
Below, the WAN ports are SFP1/Ether1, the VPN interface is WG, the management host sits on LAN port Ether5, and the rest of ports 2-8 are also LAN.

2.1. Bridge + ports + interface lists

First define the bridge; a bridge corresponds to OSI layer 2. The steps demonstrated add a bridge L-bridge and attach all LAN ports to it.
(If you manage the device over IP you will lose the connection; manage it by MAC address for this step.)
Note that any change to the MTU or the bridge drops the whole device's layer-2 connectivity; if you cannot reconnect after several tries, the only option is a reset.

/interface bridge
add auto-mac=no name=L-bridge protocol-mode=none
/interface bridge port
#add bridge=L-bridge interface=sfp-sfpplus1 (Remove)
#add bridge=L-bridge interface=ether1 (Remove)
add bridge=L-bridge interface=ether2
add bridge=L-bridge interface=ether3
add bridge=L-bridge interface=ether4
add bridge=L-bridge interface=ether5 trusted=yes
add bridge=L-bridge interface=ether6
add bridge=L-bridge interface=ether7
add bridge=L-bridge interface=ether8

After attaching the bridge, verify that the WAN interfaces are not in it, then proceed to port configuration.

Ports come first, then the interface lists are defined, and finally the relevant ports are assigned their list membership.
Note that an interface list is an aggregation referenced by other configuration; port configuration only changes port attributes.
Two interfaces are created here, WG and pppoe-CUCC, for the WireGuard VPN and the PPPoE dial-up respectively, but they still have to be configured elsewhere before they can be used.

/interface ethernet
set [ find default-name=ether4 ] mtu=1492
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=3600 \
    name=pppoe-CUCC user=<pppoe-username> password=123456
# <pppoe-username> is a placeholder: the account name was stripped from the page
/interface wireguard
add listen-port=13231 mtu=1400 name=WG \
    private-key="gFFwaP1qKr+F+rFYIvAhuTqEFeO5slDmlk5TkA6XAXg="
/interface list
add name=WAN
add name=LAN
add name=VPN
/interface list member
# the bridge created above is L-bridge; the default "bridge" no longer exists after the reset
add interface=L-bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
add interface=ether1 list=WAN
#add interface=WG list=VPN
#add interface=pppoe-CUCC list=WAN

With all of this configured we can move on; the commonly used port configuration ends here.


2.2. IPv4 address + DHCPv4 + DNS + route

The foundation of a router is the basic configuration that makes the network reachable.

To reach the network, a network address, address assignment, DNS and routes are indispensable.


2.2.1. IP addresses

/ip address
add address=192.168.2.254/24 interface=L-bridge network=192.168.2.0
add address=10.0.0.2/30 interface=WG network=10.0.0.0

2.2.2. DHCP

Address-pool related commands:
create the pool first, then the server, and finally the information the server hands out.

/ip pool
add name=Pool-First ranges=192.168.2.100-192.168.2.199

/ip dhcp-server
add address-pool=Pool-First interface=L-bridge lease-time=1w name=DHCP-First

/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.254 gateway=192.168.2.254 \
    ntp-server=192.168.2.254

Commands for static assignment and MAC-IP binding:

/ip dhcp-server lease
add address=192.168.2.100 comment=Computer mac-address=BF:33:74:9B:47:D8 server=\
    DHCP-First use-src-mac=yes

/ip dhcp-server option
# option 6 = DNS servers; each address is single-quoted and concatenated. The option
# only takes effect once it is referenced from the dhcp-server network (dhcp-option=)
add code=6 name=OnePoint-DNS-6 value=\
    "'114.114.114.114''119.29.29.29''223.5.5.5''1.0.0.1'"

If the router is itself a DHCP client obtaining an address, configure the client side:

/ip dhcp-client
add interface=sfp-sfpplus1 use-peer-dns=yes use-peer-ntp=yes add-default-route=yes

2.2.3. DNS

/ip dns
# verify-doh-cert=yes requires the CA certificate that signed the DoH server's
# certificate to be imported under /certificate first; otherwise DoH queries fail
set allow-remote-requests=yes servers=1.0.0.1,8.8.4.4,119.29.29.29 \
    use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

/ip dns static
add address=192.168.2.254 name=router.lan
add address=10.0.0.1 name=router.lan
add address=192.168.2.254 name=time.windows.com
add address=10.0.0.1 name=time.windows.com

2.2.4. Routes

First the routing table has to be specified; here it is named main.
Note that hardware offload is only available when there is a single routing table.

/routing table
add disabled=yes fib name=main

Then configure the routes; you can do dual-route load balancing, primary/backup, or floating routes.

/ip route
add check-gateway=ping disabled=no distance=5 dst-address=8.8.4.4/32 gateway=\
    10.0.0.1 pref-src=0.0.0.0 routing-table=main \
    suppress-hw-offload=no scope=30 target-scope=10
add check-gateway=ping disabled=no distance=5 dst-address=8.8.4.4/32 gateway=\
    10.0.0.5 pref-src=0.0.0.0 routing-table=main \
    suppress-hw-offload=no scope=30 target-scope=10

check-gateway = gateway probe
distance = preference, lower value wins
dst-address = destination address
gateway = next-hop address
pref-src = source address (for VPNs and other cases where a specific source address is required to reach the peer)
suppress-hw-offload = disable hardware offload for this route
scope/target-scope = scope / target scope (loop prevention with multiple routes; defaults are 30/10)
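As an added example (not from the original post), the following Python model shows how these parameters interact when choosing among the two equal-distance routes above: distance decides primary versus backup, check-gateway=ping withdraws a route whose gateway stops answering, and equal-distance survivors are used together for load balancing. The routes and the "which gateways answer" sets are constructed, and the 192.168.2.1 backup route is hypothetical.

```python
"""Toy model of RouterOS route selection: distance, check-gateway, ECMP.

Added example; the route list and reachability sets below are constructed.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    dst: str                             # dst-address
    gateway: str                         # next hop
    distance: int                        # lower value wins
    check_gateway: Optional[str] = None  # "ping", or None for no probe


def active_gateways(routes, reachable):
    """Map each destination to the sorted gateways that would carry traffic.

    `reachable` is the set of gateways that currently answer the probe.
    A route with check-gateway=ping is withdrawn while its gateway fails;
    a route without a probe stays regardless. Among the surviving routes
    only the lowest distance is installed, and several routes at that
    distance form an ECMP set (the post's "dual-route load balancing").
    """
    by_dst = {}
    for r in routes:
        by_dst.setdefault(r.dst, []).append(r)
    result = {}
    for dst, candidates in by_dst.items():
        alive = [r for r in candidates
                 if r.check_gateway is None or r.gateway in reachable]
        if not alive:
            result[dst] = []          # destination unreachable
            continue
        best = min(r.distance for r in alive)
        result[dst] = sorted(r.gateway for r in alive if r.distance == best)
    return result


# Constructed sample: the two equal-distance routes from the post plus a
# hypothetical un-probed backup route at a worse (higher) distance.
ROUTES = [
    Route("8.8.4.4/32", "10.0.0.1", 5, "ping"),
    Route("8.8.4.4/32", "10.0.0.5", 5, "ping"),
    Route("8.8.4.4/32", "192.168.2.1", 10),
]

if __name__ == "__main__":
    for answering in ({"10.0.0.1", "10.0.0.5"}, {"10.0.0.5"}, set()):
        print(sorted(answering), "->", active_gateways(ROUTES, answering))
```

With both probed gateways answering the two distance-5 routes load-balance; when one fails only the other remains; when both fail the backup at distance 10 takes over because it has no probe to fail.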


2.2.5. NTP

Set the time zone, configure the client, configure the time servers, configure the server.

/system clock
set time-zone-name=Asia/Shanghai

/system ntp client
set enabled=yes

/system ntp client servers
add address=cn.ntp.org.cn
add address=ntp.ntsc.ac.cn
add address=ntp.aliyun.com
add address=time.windows.com

/system ntp server
set enabled=yes multicast=yes

2.3. IPv6 address + DHCPv6 + IPv6 ND

If you obtain your IPv6 address over PPPoE, never enable Add Default Route on the DHCPv6 client [link]

/ipv6 address
add address=fc00:10::2 advertise=no interface=WG

Below, an IPv6 prefix is obtained over PPPoE and delegated downstream:
1. Configure the DHCP client: specify the interface, request a prefix (not an address), and put the obtained prefix into the named pool (a /60)
2. Configure the router's address with suffix ::1 and the prefix taken from that pool
3. Allow the router to accept RAs, so it can also obtain an address via SLAAC
4. Configure the router's ND announcements, through which the prefix is sent to clients

/ipv6 dhcp-client
add interface=pppoe-CUCC request=prefix pool-name=pppoe-CUCC-v6pool \
    use-peer-dns=no use-interface-duid=no rapid-commit=yes \
    add-default-route=no
/ipv6 address
add address=::1 from-pool=pppoe-CUCC-v6pool interface=L-bridge
/ipv6 settings
set accept-router-advertisements=yes
/ipv6 nd
set [ find default=yes ] disabled=yes
add ra-interval=200-600 ra-delay=3 ra-preference=medium \
    advertise-dns=yes advertise-mac-address=yes \
    ra-lifetime=1800 mtu=1480
/ipv6 nd prefix default
set preferred-lifetime=3d valid-lifetime=1w

Note that in some regions this may not work once configured; the parts to change are as follows (/ipv6 dhcp-client):
1. In request=prefix, request can be address, prefix, or both; try each of the three
2. Enable use-interface-duid; the ::1 suffix then automatically becomes the router's own DUID-based address, which gets the router itself online.
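To make steps 1 and 2 concrete, here is an added Python example (not from the post or from MikroTik) that reproduces what `address=::1 from-pool=...` does: one /64 is carved out of the delegated pool per interface and the host part is set to the given suffix. It assumes the pool hands out /64 prefixes, which is the default prefix length of a pool created by the DHCPv6 client; the delegated prefix 2001:db8::/60 is a constructed documentation value, and the extra interface names are hypothetical.

```python
"""Derive router addresses from a delegated IPv6 prefix the way from-pool does.

Added example; assumes /64 per interface (the pool's default prefix length).
"""
import ipaddress


def carve_lan_addresses(delegated, suffix="::1", interfaces=("L-bridge",)):
    """Return {interface: "<prefix><suffix>/64"} for each LAN interface.

    `delegated` is the prefix the DHCPv6 client placed in the pool (a /60 in
    the post). Each interface receives the next free /64 from that pool and
    the 64-bit host part is set to `suffix`. Raises ValueError when the pool
    is too small for a /64, when the suffix does not fit in 64 bits, or when
    more interfaces ask than the pool can serve (the pool-exhausted failure).
    """
    pool = ipaddress.IPv6Network(delegated)
    if pool.prefixlen > 64:
        raise ValueError(f"{delegated} is smaller than a /64; cannot form SLAAC prefixes")
    host = int(ipaddress.IPv6Address(suffix))
    if host >= 1 << 64:
        raise ValueError(f"suffix {suffix} does not fit in the 64-bit interface identifier")
    subnets = pool.subnets(new_prefix=64)   # generator over the /64s in the pool
    out = {}
    for iface in interfaces:
        try:
            net = next(subnets)
        except StopIteration:
            raise ValueError(f"pool {delegated} exhausted after {len(out)} /64 subnets") from None
        addr = ipaddress.IPv6Address(int(net.network_address) | host)
        out[iface] = f"{addr}/64"
    return out


if __name__ == "__main__":
    # Constructed documentation prefix standing in for the ISP-delegated /60.
    print(carve_lan_addresses("2001:db8::/60"))
    print(carve_lan_addresses("2001:db8::/60", interfaces=("L-bridge", "guest")))
```

A /60 holds sixteen /64s, so a seventeenth interface asking the same pool fails with the exhaustion error rather than silently reusing a prefix.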


2.4. Firewall

2.4.1. Connection timeouts

If sessions keep dropping and reconnecting for some reason, the router's own connection-tracking timeouts can be adjusted [link]

/ip firewall connection tracking
set icmp-timeout=30s tcp-close-wait-timeout=1m tcp-fin-wait-timeout=2m \
    tcp-last-ack-timeout=30s tcp-syn-received-timeout=1m tcp-syn-sent-timeout=2m \
    tcp-time-wait-timeout=2m udp-stream-timeout=2m udp-timeout=30s

2.4.2. Filter rules

The default rules already exist from before; what you add is your own rules, inserted ahead of the drop rule (rules are evaluated top-down, so an accept placed after the catch-all drop never matches).
Input governs access to the router itself.
Forward governs traffic the router forwards.

/ip firewall filter
# ... preceding default rule: add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# *** Input rules go here, ahead of the defconf drop below ***
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=!WAN \
    protocol=udp
add action=accept chain=input comment=NTP dst-port=123 in-interface-list=!WAN \
    protocol=udp
add action=accept chain=input comment=VPN-Manage dst-port=8291 \
    in-interface-list=VPN protocol=tcp
# the defconf catch-all must remain the last rule of the input chain
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN

2.4.3. NAT rules

First the NAT rule for outbound access: only the WAN list needs specifying, and the traffic's source address is translated to the WAN interface's address automatically.

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

Then create the port-forwarding rules; note that TCP and UDP cannot be combined in one rule, and each rule covers only one port.

/ip firewall nat
add action=dst-nat chain=dstnat comment=HTTP dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.2.100

2.5. WireGuard

WireGuard configuration is split into three parts: the local interface, the peer, and the route.

/interface wireguard
add listen-port=13232 mtu=1400 name=Wireguard-Server \
    private-key="OIQzZ/abaoKNX1ol/FKrQcaV0/7I53sVG0LUW644UG8="

/interface wireguard peers
add allowed-address=10.0.0.1/32,10.0.0.0/8 \
    endpoint-address=1.2.3.4 endpoint-port=51820 interface=Wireguard-Server \
    public-key="5boJppau+rAGL9nK4To2ftveQ31CDw9bK+O4wt8VWX4="

/ip route
add check-gateway=ping disabled=no distance=5 dst-address=10.0.0.0/32 gateway=\
    10.0.0.1 pref-src=0.0.0.0 routing-table=main \
    suppress-hw-offload=no scope=30 target-scope=10

2.6. Services

2.6.1. Built-in services

/ip service
set winbox disabled=no
set www disabled=no
set www-ssl disabled=no certificate=https-cert tls-version=only-1.2
set telnet disabled=yes
set ssh disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes

Winbox = management interface for the Winbox software
www = HTTP access
www-ssl = HTTPS access; note that a certificate must be configured first

The commands to configure the www-ssl certificate are as follows:

/certificate
add name=root-cert common-name=MyRouter days-valid=3650 key-usage=key-cert-sign,crl-sign
sign root-cert
add name=https-cert common-name=MyRouter days-valid=3650
sign ca=root-cert https-cert
/ip service
set www-ssl certificate=https-cert disabled=no
set www disabled=yes
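This block is an added Python example, not part of the post or of RouterOS, serving both 2.4.2 and this section: an offline audit of an export-style text dump that flags input-chain accept rules placed after the catch-all drop (the ordering mistake 2.4.2 warns about) and services that should be off (telnet, ftp, api, and plain www once www-ssl is up). The export texts are constructed from the commands shown in the post; the parser is a simple tokenizer written for this example and only understands the add/set key=value shape used here.

```python
"""Audit a RouterOS export-style dump for firewall ordering and exposed services.

Added example; both sample exports are constructed from the post's commands.
"""
import shlex

# Constructed: the post's 2.4.2 rules as listed there (accepts after the
# catch-all drop) plus its 2.6.1 service block with www-ssl and www both on.
MISORDERED_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \\
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=!WAN protocol=udp
add action=accept chain=input comment=NTP dst-port=123 in-interface-list=!WAN protocol=udp
add action=accept chain=input comment=VPN-Manage dst-port=8291 in-interface-list=VPN protocol=tcp
/ip service
set www disabled=no
set www-ssl disabled=no certificate=https-cert tls-version=only-1.2
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
"""

# Constructed: the same rules in the intended order, plain HTTP off after HTTPS is up.
FIXED_EXPORT = """\
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \\
    connection-state=established,related,untracked
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=!WAN protocol=udp
add action=accept chain=input comment=NTP dst-port=123 in-interface-list=!WAN protocol=udp
add action=accept chain=input comment=VPN-Manage dst-port=8291 in-interface-list=VPN protocol=tcp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
    in-interface-list=!LAN
/ip service
set www-ssl certificate=https-cert disabled=no
set www disabled=yes
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
"""

# Matchers that make a drop rule specific rather than a catch-all.
SPECIFIC_MATCHERS = {"protocol", "dst-port", "src-port", "src-address", "dst-address",
                     "connection-state", "src-address-list", "dst-address-list"}
# Services the post turns off: plaintext protocols and the unused API.
SHOULD_BE_OFF = ("telnet", "ftp", "api")


def parse_export(text):
    """Yield (section, verb, positional, params) per command.

    Joins backslash line continuations and relies on shlex for quoted values
    such as comment="defconf: drop invalid". Lines starting with '/' set the
    current section; '#' lines are comments.
    """
    section, buf = None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            section = line
            continue
        words = shlex.split(line)
        params, positional = {}, []
        for w in words[1:]:
            if "=" in w:
                key, value = w.split("=", 1)
                params[key] = value
            else:
                positional.append(w)
        yield section, words[0], positional, params


def unreachable_input_accepts(commands):
    """Comments of chain=input accept rules after the first catch-all drop."""
    inputs = [p for s, v, _, p in commands
              if s == "/ip firewall filter" and v == "add" and p.get("chain") == "input"]
    for i, p in enumerate(inputs):
        if p.get("action") == "drop" and not SPECIFIC_MATCHERS.intersection(p):
            return [q.get("comment", "<no comment>") for q in inputs[i + 1:]
                    if q.get("action") == "accept"]
    return []


def exposed_services(commands):
    """Services that should be disabled but are still on.

    A service the export never mentions is treated as enabled (the safe
    assumption for an audit). Plain www is flagged only once www-ssl is on.
    """
    enabled = {}
    for s, v, pos, p in commands:
        if s == "/ip service" and v == "set" and pos and "disabled" in p:
            enabled[pos[0]] = p["disabled"] == "no"
    bad = [n for n in SHOULD_BE_OFF if enabled.get(n, True)]
    if enabled.get("www-ssl", False) and enabled.get("www", True):
        bad.append("www")
    return bad


def audit(text):
    commands = list(parse_export(text))
    return {"unreachable_input_accepts": unreachable_input_accepts(commands),
            "exposed_services": exposed_services(commands)}


if __name__ == "__main__":
    print("as listed :", audit(MISORDERED_EXPORT))
    print("reordered :", audit(FIXED_EXPORT))
```

Feed it the output of `/export` saved to a file and the first finding names the accepts that can never match; the second lists services left on that the post intends to switch off.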

2.6.2. UPnP

Set the UPnP interfaces first, then enable UPnP.

/ip upnp interfaces
add interface=L-bridge type=internal
add interface=pppoe-CUCC type=external
/ip upnp
set allow-disable-external-interface=yes enabled=yes

2.6.3. DDNS

DDNS can only be used through MikroTik's own domain.

/ip cloud
set ddns-enabled=yes ddns-update-interval=1m

2.6.4. LLDP

/ip neighbor discovery-settings
set discover-interface-list=LAN

2.6.5. Service checks

netwatch is a plain network check.
watchdog is the upgraded version: once it detects a WAN communication failure it reboots the device.

/tool netwatch
add disabled=no host=1.2.3.4
/system watchdog
set watchdog-timer=no

2.6.6. Scheduled commands

Two commonly used ones:
1. Periodically restart the PPPoE interface
2. Periodically clear the UPnP mapping table

/system scheduler
add interval=2d name="Reboot PPPoE" on-event="/interface/disable pppoe-CUCC;\r\
\n/delay 3000ms;\r\
\n/interface/enable pppoe-CUCC;" policy=reboot,read,write start-date=\
jan/01/2022 start-time=04:40:00
/system scheduler
add interval=1d name="Clear Upnp" on-event=\
"/ip upnp set enabled=no;\r\
\n/delay 3000ms;\r\
\n/ip upnp set enabled=yes;" policy=reboot,read,write start-date=\
jun/02/2022 start-time=04:40:00

2.6.7. Logging

There are many log topics; when you cannot find the problem, turn on logging first.
Here DNS resolution is logged and stored on the local disk.

/system logging
add action=disk disabled=no topics=dns

3. Problems

3.1. A bridge is not the same as a layer-2 switch

On an enterprise layer-3 switch such as an H3C S10500, switching a port from layer 2 to layer 3 does not affect other traffic. But MikroTik emulates layer 2 on top of layer 3, which means that touching the bridge reloads every interface and traffic must drop. If you think hardware offload will prevent the drop, you are in for a lesson. And once the bridge is cleared, MikroTik really provides no hidden bridge for reaching the device, so it turns into a brick in seconds. Layer 3 needs a bridge underneath it to respond to layer-2 MAC frames at all.

3.2. Hardware offload has many limits

Want to add a routing table? HW offload is gone. Want a few more bridges? Gone. Want to change the MTU? Gone.
Yes, that is how hardware offload is; if you do not check the official HW support details for your exact model, you may not even realize it is off, and just watch the latency jitter and think the performance is bad.

3.3. PCC balancing is nothing like LACP

If we want to aggregate a bunch of links, a switch commonly offers static dual-link aggregation or multi-link dynamic LACP; after aggregation traffic is split by some method and merged again on the far side before forwarding. PCC is not like that. PCC itself creates two paths; can a crossed path even fail? PCC's description easily suggests that if one of two links fails traffic automatically moves to the other, but in fact it does not: once a link fails, traffic congests and will never take the other one. Why? Because PCC is not tied to routing; it only sets up the grouping, while at the routing layer the traffic has already committed to one path. By rights a layer-2 mechanism should be able to split layer-3 traffic, but PCC just does not. That means PCC is really a layer-3 splitting policy, at the same level as layer-3 routing, and not a replacement for LACP at all. And since I already have routing-based load balancing, why would I use PCC, which is tedious to configure, complex, and cannot adapt dynamically?

3.4. Who to ask when you find a problem

The official forum has people, but most are passing contributors; developers drop in occasionally and most likely do not follow the newcomer section.
Domestic distributors only have vendor engineers who know a little because of sales; dig slightly into any feature and you are past their knowledge.
In the end you have to find it yourself; fortunately most MikroTik problems can be analysed and solved through the forum or by reading the logs.
Of course, what cannot be solved stays unsolved. It is a foreign brand, and after-sales support is basically nonexistent.

3.5. IPv4 and IPv6 are glued together

Your IPv4 is already configured and you only want to touch IPv6.
On Linux you only need one reload; IPv6 reloads on its own and completes, with IPv4 entirely unaffected.
On an enterprise router, even an N-year-old second-hand Cisco, configuring IPv6 on a port does not drop IPv4.
On MikroTik, whenever you touch IPv4 or IPv6 at all, it goes down and up once,
faithfully upholding the fine tradition of "reboot fixes 99% of problems".
The only match for this is Windows, but Windows at least lets you reload by disabling and enabling the IPv6 stack.
If what you touched happens to be a WAN interface, every change drops the connection, you wait a while for recovery, change again, drop again, and so on.
It feels like spending a fortune to skydive with a GoPro strapped on, then landing to find the GoPro broke from the vibration. An action camera??

3.6. SOCKS5 is slow as an ox

Since MikroTik RouterOS supports a SOCKS5 server, it has to be tried.
Enable, Access, change the port, and it is configured.
Tested with Firefox: opening baidu takes 3 seconds, opening the qq homepage takes 12 seconds.
Very good, very powerful, a flashback to 2012; it could even be a bit faster.

StarryVoid

Have a good time