Mikrotik 开箱与初始化

2022-05-18 1322点热度 1人点赞

想上万兆没钱怎么办,便宜的 Mikrotik 了解一下


1 、基础信息

设备型号 RB5009UG+S+IN [ 链接 ]
设备版本 Mikrotik RouterOS 7.2.3 Build 2022/05/02 15:18:17

Mikrotik RB5009UG+S+IN

Mikrotik RouterOS 因为缺乏命令耦合,在配置过程中需要自行创建关联项。
官方 Wiki 大多是命令,也缺乏联系和讲解,造成了 Mikrotik 萌新配置的高难度

Mikrotik RouterOS 使用 IPtables 对规则策略进行管控 [ 链接 ]
故而在执行操作的过程中,很喜欢 重启解决 99% 的问题(所以配置时没事断联是常有的情况)

官方 Wiki [ 链接 ]
中国经销商自建 Wiki [ 链接 ]


1.1 、设备外观体验

首先就是一个铁壳子,自带散热鳞片,很扁,拍两下能感觉到很结实

内部散热是在两个芯片上涂硅脂,比较容易热的 SFP+和两个三极管(不知道具体是什么)贴的块状硅脂垫

销售过程陈述存在一些机油,打开看里面的内容发现机油只涂在了背板的 SN 贴上,十分迷惑

端口 Eth1 是 2.5G/5G 自协商端口,遵循 IEEE-802.3bz 标准,但宣传写的都是 2.5G
然而端口链路状态灯却在没有设备的时候微亮,插线就能完全不亮(肯定有哪个电容没设计好)

网卡接口部分和铁壳子的模具并没有严丝合缝,故而个人选择用电工胶布包裹缝隙

整体一股工业赛博朋克风,铁壳子足够的厚又不防水防灰。


1.2 、 Quick Set

设备通电,第一次开机默认的 IP 地址是 http://192.168.88.1(DHCP)

刚上来的 web 页面等待登录,默认的用户名 admin 密码空

然后就需要用户配置一下新密码,当然我们可以不配置,直接跳过

网页打开,默认功能区是 WebFig/Interfaces 。这个功能区更多的是拿来看看状态,详细配置使用 WebFig

作为一个 萌新 拿到手的新设备必然先打开 Quick Set 进行默认配置看看有什么幺蛾子

Mode = Router
Port = Eth1
Address Acquisition = PPPOE
PPPoE User = ***
PPPoE Password = ***
MAC Address = ***
IP Address = 192.168.88.1
Netmask = 255.255.255.0/24
Bridge All Lan Ports = Yes
DHCP Server = Yes
NAT = Yes
Router Identity = Mikrotik

参数看完,也就知道这个设备的默认使用方式了

首先外网 Wan 口 只有 SFP1 和 ETH1 两个端口,其他均为内网口并在一个 Bridge 交换桥 下
内网 DHCP 开启,NAT 开启,内网网关 192.168.88.1,公网通过 PPPoE 连接

看完了,那作为新的网络设备,到手一定要 Reset 试试防止误配炸机(比如本人到手先删网桥秒炸)
在这里实际操作后体会到 按钮是真难按,手酸,额外官方说的灯不知道是哪个,试了十多次才成功

  • 设备断电
  • 设备端口朝上,手指甲顶在 Reset 下沿,轻按几次感受力度(省力操作)
  • 设备准备通电,并在通电前按住 Reset,保持不动(手指酸了就重来)
  • 通电过程中,观察设备的 LED 灯,在 SFP 右下角有个不起眼的小灯,开机自检时会亮一瞬,盯住它
  • 等待这个灯从 长灭-长亮-慢闪 后,再坚持个 3s,然后松手(端口灯也会闪,但请无视)
  • 设备初始化中,等待

初始化测过了,下一步就是用 Mikrotik 官方的 Winbox 工具进行测试 [ 链接 ]

注意 Winbox 和 HTTP 使用不同的端口和 UI 界面,不要搞混

Winbox 的连接有两种方式,分别是 IP/域名 和 MAC 地址
工具本身自带二层扫描设备发现,所以建议优先使用该工具配置


1.3 、默认配置的查阅命令如下

[admin@MikroTik] > /system default-configuration print
            script: #| Welcome to RouterOS!
                    #|    1) Set a strong router password in the System > Users menu
                    #|    2) Upgrade the software in the System > Packages menu
                    #|    3) Enable firewall on untrusted networks
                    #| -----------------------------------------------------------------------------
                    #| RouterMode:
                    #|  * WAN port is protected by firewall and enabled DHCP client
                    #|  * Ethernet interfaces (except WAN port/s) are part of LAN bridge
                    #| LAN Configuration:
                    #|     IP address 192.168.88.1/24 is set on bridge (LAN port)
                    #|     DHCP Server: enabled;
                    #|     DNS: enabled;
                    #| WAN (gateway) Configuration:
                    #|     gateway:  ether1 ;
                    #|     ip4 firewall:  enabled;
                    #|     ip6 firewall:  enabled;
                    #|     NAT:   enabled;
                    #|     DHCP Client: enabled;
                    #| Login
                    #|     admin user protected by password
                    
                    :global defconfMode;
                    :log info "Starting defconf script";
                    #-------------------------------------------------------------------------------
                    # Apply configuration.
                    # these commands are executed after installation or configuration reset
                    #-------------------------------------------------------------------------------
                    :if ($action = "apply") do={
                      # wait for interfaces
                      :local count 0;
                      :while ([/interface ethernet find] = "") do={
                        :if ($count = 30) do={
                          :log warning "DefConf: Unable to find ethernet interfaces";
                          /quit;
                        }
                        :delay 1s; :set count ($count +1); 
                      };
                      :local count 0;
                      :while ([/interface wireless print count-only] < 0) do={ 
                        :set count ($count +1);
                        :if ($count = 40) do={
                          :log warning "DefConf: Unable to find wireless interface(s)"; 
                          /ip address add address=192.168.88.1/24 interface=ether1 comment="defconf";
                          /quit
                        }
                        :delay 1s;
                      };
                     /interface list add name=WAN comment="defconf"
                     /interface list add name=LAN comment="defconf"
                     /interface bridge
                       add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;
                     :local bMACIsSet 0;
                     :foreach k in=[/interface find where !(slave=yes   || name="ether1" || name~"bridge")] do={
                       :local tmpPortName [/interface get $k name];
                       :if ($bMACIsSet = 0) do={
                         :if ([/interface get $k type] = "ether") do={
                           /interface bridge set "bridge" auto-mac=no admin-mac=[/interface get $tmpPortName mac-address];
                           :set bMACIsSet 1;
                         }
                       }
                         :if (([/interface get $k type] != "ppp-out") && ([/interface get $k type] != "lte")) do={
                           /interface bridge port
                             add bridge=bridge interface=$tmpPortName comment=defconf;
                         }
                       }
                       /ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
                       /ip dhcp-server
                         add name=defconf address-pool="default-dhcp" interface=bridge lease-time=10m disabled=no;
                       /ip dhcp-server network
                         add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 comment="defconf";
                      /ip address add address=192.168.88.1/24 interface=bridge comment="defconf";
                     /ip dns {
                         set allow-remote-requests=yes
                         static add name=router.lan address=192.168.88.1 comment=defconf
                     }
                    
                       /ip dhcp-client add interface=ether1 disabled=no comment="defconf";
                     /interface list member add list=LAN interface=bridge comment="defconf"
                     /interface list member add list=WAN interface=ether1 comment="defconf"
                     /ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
                     /ip firewall {
                       filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
                       filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
                       filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
                       filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
                       filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
                       filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
                       filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
                       filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
                       filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
                       filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
                       filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
                     }
                     /ipv6 firewall {
                       address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
                       address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
                       address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
                       address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
                       address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
                       address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
                       address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
                       address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
                       address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
                       filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
                       filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
                       filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
                       filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
                       filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
                       filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
                       filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
                       filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
                       filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
                       filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
                       filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
                       filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
                       filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
                       filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
                       filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
                       filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
                       filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
                       filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
                       filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
                       filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
                       filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
                       filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
                     }
                       /ip neighbor discovery-settings set discover-interface-list=LAN
                       /tool mac-server set allowed-interface-list=LAN
                       /tool mac-server mac-winbox set allowed-interface-list=LAN
                     :if (!($defconfPassword = "" || $defconfPassword = nil)) do={
                       /user set admin password=$defconfPassword
                       :delay 0.5
                       /user expire-password admin 
                     }
                    }
                    #-------------------------------------------------------------------------------
                    # Revert configuration.
                    # these commands are executed if user requests to remove default configuration
                    #-------------------------------------------------------------------------------
                    :if ($action = "revert") do={
                    /user set admin password=""
                     /system routerboard mode-button set enabled=no
                     /system routerboard mode-button set on-event=""
                     /system script remove [find comment~"defconf"]
                     /ip firewall filter remove [find comment~"defconf"]
                     /ipv6 firewall filter remove [find comment~"defconf"]
                     /ipv6 firewall address-list remove [find comment~"defconf"]
                     /ip firewall nat remove [find comment~"defconf"]
                     /interface list member remove [find comment~"defconf"]
                     /interface detect-internet set detect-interface-list=none
                     /interface detect-internet set lan-interface-list=none
                     /interface detect-internet set wan-interface-list=none
                     /interface detect-internet set internet-interface-list=none
                     /interface list remove [find comment~"defconf"]
                     /tool mac-server set allowed-interface-list=all
                     /tool mac-server mac-winbox set allowed-interface-list=all
                     /ip neighbor discovery-settings set discover-interface-list=!dynamic
                       :local o [/ip dhcp-server network find comment="defconf"]
                       :if ([:len $o] != 0) do={ /ip dhcp-server network remove $o }
                       :local o [/ip dhcp-server find name="defconf" !disabled]
                       :if ([:len $o] != 0) do={ /ip dhcp-server remove $o }
                       /ip pool {
                         :local o [find name="default-dhcp" ranges=192.168.88.10-192.168.88.254]
                         :if ([:len $o] != 0) do={ remove $o }
                       }
                       :local o [/ip dhcp-client find comment="defconf"]
                       :if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
                     /ip dns {
                       set allow-remote-requests=no
                       :local o [static find comment="defconf"]
                       :if ([:len $o] != 0) do={ static remove $o }
                     }
                     /ip address {
                       :local o [find comment="defconf"]
                       :if ([:len $o] != 0) do={ remove $o }
                     }
                     :foreach iface in=[/interface ethernet find] do={
                       /interface ethernet set $iface name=[get $iface default-name]
                     }
                     /interface bridge port remove [find comment="defconf"]
                     /interface bridge remove [find comment="defconf"]
                     /interface bonding remove [find comment="defconf"]
                     /interface wireless cap set enabled=no interfaces="" caps-man-addresses=""
                      /caps-man manager set enabled=no
                      /caps-man manager interface remove [find comment="defconf"]
                      /caps-man manager interface set [ find default=yes ] forbid=no
                      /caps-man provisioning remove [find comment="defconf"]
                      /caps-man configuration remove [find comment="defconf"]
                      /caps-man security remove [find comment="defconf"]
                    }
                    :log info Defconf_script_finished;
                    :set defconfMode;
                    
  caps-mode-script: #-------------------------------------------------------------------------------
                    # Note: script will not execute at all (will throw a syntax error) if
                    #       dhcp or wireless-fp packages are not installed
                    #-------------------------------------------------------------------------------
                    
                    #| CAP configuration
                    #|
                    #|   Wireless interfaces are set to be managed by CAPsMAN.
                    #|   All ethernet interfaces and CAPsMAN managed interfaces are bridged.
                    #|   DHCP client is set on bridge interface.
                    
                    # bridge port name
                    :global brName  "bridgeLocal";
                    :global logPref "defconf:";
                    
                    
                    :global action;
                    
                    :log info $action
                    
                    :if ($action = "apply") do={
                    
                      # wait for ethernet interfaces
                      :local count 0;
                      :while ([/interface ethernet find] = "") do={
                        :if ($count = 30) do={
                          :log warning "DefConf: Unable to find ethernet interfaces";
                          /quit;
                        }
                        :delay 1s; :set count ($count + 1);
                      }
                    
                      :local macSet 0;
                      :local tmpMac "";
                    
                      :foreach k in=[/interface ethernet find] do={
                        # first ethernet is found; add bridge and set mac address of the ethernet port
                        :if ($macSet = 0) do={
                          :set tmpMac [/interface ethernet get $k mac-address];
                          /interface bridge add name=$brName auto-mac=no admin-mac=$tmpMac comment="defconf";
                          :set macSet 1;
                        }
                        # add bridge ports
                        /interface bridge port add bridge=$brName interface=$k comment="defconf"
                      }
                    
                      # try to add dhcp client on bridge interface (may fail if already exist)
                      :do {
                        /ip dhcp-client add interface=$brName disabled=no comment="defconf"
                      } on-error={ :log warning "$logPref unable to add dhcp client";}
                    
                    
                      # try to configure caps (may fail if for example specified interfaces are missing)
                      :local interfacesList "";
                      :local bFirst 1;
                    
                      # wait for wireless interfaces
                      :while ([/interface wireless find] = "") do={
                        :if ($count = 30) do={
                          :log warning "DefConf: Unable to find wireless interfaces";
                          /quit;
                        }
                        :delay 1s; :set count ($count + 1);
                      }
                    
                      # delay just to make sure that all wireless interfaces are loaded
                      :delay 5s;
                      :foreach i in=[/interface wireless find] do={
                        if ($bFirst = 1) do={
                          :set interfacesList [/interface wireless get $i name];
                          :set bFirst 0;
                        } else={
                          :set interfacesList "$interfacesList,$[/interface wireless get $i name]";
                        }
                      }
                      :do {
                        /interface wireless cap
                          set enabled=yes interfaces=$interfacesList discovery-interfaces=$brName bridge=$brName
                      } on-error={ :log warning "$logPref unable to configure caps";}
                    
                    }
                    
                    :if ($action = "revert") do={
                      :do {
                        /interface wireless cap
                          set enabled=no interfaces="" discovery-interfaces="" bridge=none
                      } on-error={ :log warning "$logPref unable to unset caps";}
                    
                      :local o [/ip dhcp-client find comment="defconf"]
                      :if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
                    
                      /interface bridge port remove [find comment="defconf"]
                      /interface bridge remove [find comment="defconf"]
                    
                    }
     custom-script: 

2 、基础网络配置

Mikrotik 初始化玩过了,我们就需要自己进行配置了。默认的配置当然不适合 萌新 管控,所以要清空

进入 System - Reset Configuration 进行初始化参数配置,选择 Keep User 和 No Default Configuration

然后执行初始化即可,设备将不再有任何默认配置,全看用户一把梭

以下内容全为命令行格式,对应 Web 配置自行判断即可
以下内容 Wan 口 SFP1/Ether1 ,VPN 口主机 WG ,Lan 口主机 Ether5,其余 2-8 都为 Lan

2.1 、网桥+端口+端口组

先定义网桥,网桥对应 OSI 层级为二层,演示步骤为新增网桥 L-bridge 并关联所有 Lan 口
(如果使用 IP 管理会断联,建议使用 MAC 地址在本步骤管理设备)
注意 mtu/bridge 发生变动,会让整个设备的二层断联,多次无法重连只能重置。

/interface bridge
add auto-mac=no name=L-bridge protocol-mode=none
/interface bridge port
#add bridge=L-bridge interface=sfp-sfpplus1 (Remove)
#add bridge=L-bridge interface=ether1 (Remove)
add bridge=L-bridge interface=ether2
add bridge=L-bridge interface=ether3
add bridge=L-bridge interface=ether4
add bridge=L-bridge interface=ether5 trusted=yes
add bridge=L-bridge interface=ether6
add bridge=L-bridge interface=ether7
add bridge=L-bridge interface=ether8

关联网桥后,核对外网接口不在该网桥中,然后进行下一步端口配置

先有端口,然后定义端口列表,最后分配相关联的端口的端口列表身份
注意端口列表为其他配置中汇总而来,端口的配置只是修改端口属性。
这里创建了 WG 和 pppoe-CUCC 两个端口,对应 Wireguard VPN 和 PPPOE 宽带拨号,但仍需要在其他地方配好才可使用这两个端口。

/interface ethernet
set [ find default-name=ether4 ] mtu=1492
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=3600 \
    name=pppoe-CUCC user=dl88055088@163 password=123456
/interface wireguard
add listen-port=13231 mtu=1400 name=WG \
    private-key="gFFwaP1qKr+F+rFYIvAhuTqEFeO5slDmlk5TkA6XAXg="
/interface list
add name=WAN
add name=LAN
add name=VPN
/interface list member
add interface=bridge list=LAN
add interface=sfp-sfpplus1 list=WAN
add interface=ether1 list=WAN
#add interface=WG list=VPN
#add interface=pppoe-CUCC list=WAN

一切配置好后我们就可以进行下一步配置了,端口部分常用的配置已经结束。


2.2 、 IPV4 Address + DHCPv4 + DNS + Route

一个路由设备的基础,就是要配置 联通网络 的基础配置

想联通网络,网络地址,地址分配,DNS,路由 是必不可少的


2.2.1 、 IP 地址部分

/ip address
add address=192.168.2.254/24 interface=L-bridge network=192.168.2.0
add address=10.0.0.2/30 interface=WG network=10.0.0.0

2.2.2 、配置 DHCP 部分

配置地址池相关命令
先创建池,然后创建服务,最后配置服务下发信息

/ip pool
add name=Pool-First ranges=192.168.2.100-192.168.2.199

/ip dhcp-server
add address-pool=Pool-First interface=bridge lease-time=1w name=DHCP-First

/ip dhcp-server network
add address=192.168.2.0/24 dns-server=192.168.2.254 gateway=192.168.2.254 \
    ntp-server=192.168.2.254

配置静态分配以及 MAC-IP 绑定相关命令

/ip dhcp-server lease
add address=192.168.2.100 comment=Computer mac-address=BF:33:74:9B:47:D8 server=\
    DHCP-First use-src-mac=yes

/ip dhcp-server option
add code=6 name=OnePoint-DNS-6 value=\
    "'114.114.114.114''119.29.29.29''223.5.5.5''1.0.0.1'"

如果是作为 DHCP 客户端进而获取地址,则需要配置客户端相关

/ip dhcp-client
add interface=sfp-sfpplus1 use-peer-dns=yes use-peer-ntp=yes add-default-route=yes

2.2.3 、 DNS 部分

/ip dns
set allow-remote-requests=yes servers=1.0.0.1,8.8.4.4,119.29.29.29 \
use-doh-server=https://1.1.1.1/dns-query verify-doh-cert=yes

/ip dns static
add address=192.168.2.254 name=router.lan
add address=10.0.0.1 name=router.lan
add address=192.168.2.254 name=time.windows.com
add address=10.0.0.1 name=time.windows.com

2.2.4 、 Route 部分

首先需要指定路由表名,这里改名为 main
注意仅有唯一路由表时才能使用硬件转发功能

/routing table
add disabled=yes fib name=main

然后配置路由,可以双路由负载均衡,也可以主备,也可以浮动。

/ip route
add check-gateway=ping disabled=no distance=5 dst-address=8.8.4.4/32 gateway=\
10.0.0.1 pref-src=0.0.0.0 routing-table=main \
suppress-hw-offload=no scope=30 target-scope=10
add check-gateway=ping disabled=no distance=5 dst-address=8.8.4.4/32 gateway=\
10.0.0.5 pref-src=0.0.0.0 routing-table=main \
suppress-hw-offload=no scope=30 target-scope=10

check-gateway=路由探针检测
distance=优先级 小数优先
dst-address=目的地址
gateway=下一跳地址
pref-src=源地址设定(用于 VPN 等需要指定源地址才可访问对端设备)
suppress-hw-offload=禁止使用硬件转发
scope/target-scope=范围/目标范围(用于多路由防环使用,默认为 30/10 )


2.2.5 、 NTP

配置时区,配置客户端,配置时间同步服务器,配置服务端

/system clock
set time-zone-name=Asia/Shanghai

/system ntp client
set enabled=yes

/system ntp client servers
add address=pool.ntp.org
add address=cn.pool.ntp.org
add address=ntp.aliyun.com
add address=ntp.tencent.com
add address=edu.ntp.org.cn
add address=time.edu.cn
add address=ntp.ustc.edu.cn
add address=ntp.neu.edu.cn
add address=time.windows.com
add address=time.apple.com
add address=ntp.ntsc.ac.cn

/system ntp server
set enabled=yes multicast=yes

2.3 、 IPV6 Address + DHCPv6 + IPV6 ND

如果你是 PPPOE 拨号获得 IPV6 地址,则一定不要给 DHCPv6 配置 Add Default Route [ 链接 ]

/ipv6 address
add address=fc00:10::2 advertise=no interface=WG

下面是 PPPOE 获得 IPV6 地址 并向下分配
1 、配置 DHCP 客户端,指定端口,指定获取方式为前缀(非地址),获取到的前缀放入指定地址池 ( /60 )
2 、配置路由器地址,后缀为 ::1,前缀从指定地址池获得
3 、配置路由器允许 RA 公告,路由器也可以通过 SLAAC 获得地址
4 、配置路由器的 ND 发布,前缀将由此发送给客户端

/ipv6 dhcp-client
add interface=pppoe-CUCC request=prefix pool-name=pppoe-CUCC-v6pool \
    use-peer-dns=no use-interface-duid=no rapid-commit=yes \
    add-default-route=no
/ipv6 address
add address=::1 from-pool=pppoe-CUCC-v6pool interface=bridge
/ipv6 settings
set accept-router-advertisements=yes
/ipv6 nd
set [ find default=yes ] disabled=yes
ipv6 nd add ra-interval=200-600 ra-delay=3 ra-preference=medium \
    advertise-dns=yes advertise-mac-address=yes \
    ra-lifetime=1800 mtu=1480
/ipv6 nd prefix default
set preferred-lifetime=3d valid-lifetime=1w

注意部分地区配置完毕后可能无效,需要变动的地方如下 ( /ipv6 dhcp-client )
1 、 request=prefix 中,request 指定 address 和 prefix 有三种可能,需要都尝试一次
2 、 use-interface-duid 开启,此时 ::1 后缀会自动变成路由器自身的 DUID 地址,实现路由器上网。


2.4 、 Firewall

2.4.1 、会话保持

如果由于某些原因,会话总是中断重连,可以修改路由器自身的会话保持时间 [ 链接 ]

/ip firewall connection tracking
set icmp-timeout=30s tcp-close-wait-timeout=1m tcp-fin-wait-timeout=2m \
tcp-last-ack-timeout=30s tcp-syn-received-timeout=1m tcp-syn-sent-timeout=\
2m tcp-time-wait-timeout=2m udp-stream-timeout=2m udp-timeout=30s

2.4.2 、 Filter 规则

首先默认规则在之前已经有了,额外做的就是在 drop 前插入自己的规则
Input 是访问路由器的规则
Forward 是路由器转发的规则

/ip firewall filter
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# ***Input Here***
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=!WAN \
protocol=udp
add action=accept chain=input comment=NTP dst-port=123 in-interface-list=!WAN \
protocol=udp
add action=accept chain=input comment=VPN-Manage dst-port=8291 \
in-interface-list=VPN protocol=tcp

2.4.3 、 NAT 规则

首先是对外访问的 NAT 规则,只需要指定外网区域,流量源地址会自动转换为外网端口地址

/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN

然后创建端口映射规则,注意 TCP/UDP 不能同时创建,每次只能创建一个端口的规则

/ip firewall nat
add action=dst-nat chain=dstnat comment=HTTP dst-port=80 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.2.100

2.5 、 Wireguard

Wireguard 是需要拆分配置的,分别为本机配置和对端配置以及路由配置。

/interface wireguard
add listen-port=13232 mtu=1400 name=Wireguard-Server \
    private-key="OIQzZ/abaoKNX1ol/FKrQcaV0/7I53sVG0LUW644UG8=
"

/interface wireguard peers
add allowed-address=10.0.0.1/32,10.0.0.0/8 \
    endpoint-address=1.2.3.4 endpoint-port=51820 interface=Wireguard-Server \
    public-key="5boJppau+rAGL9nK4To2ftveQ31CDw9bK+O4wt8VWX4="

/ip route
add check-gateway=ping disabled=no distance=5 dst-address=10.0.0.0/32 gateway=\
10.0.0.1 pref-src=0.0.0.0 routing-table=main \
suppress-hw-offload=no scope=30 target-scope=10

2.6 、服务

2.6.1 、内置服务

/ip service
set winbox disabled=no
set www disabled=no
set www-ssl disabled=no certificate=https-cert tls-version=only-1.2
set telnet disabled=yes
set ssh disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes

Winbox=winbox 软件调试接口
www=http 访问
www-ssl=https 访问,注意必须要先配置证书

配置 www-ssl 的证书命令如下

/certificate
add name=root-cert common-name=MyRouter days-valid=3650 key-usage=key-cert-sign,crl-sign
sign root-cert
add name=https-cert common-name=MyRouter days-valid=3650
sign ca=root-cert https-cert
/ip service
set www-ssl certificate=https-cert disabled=no
set www disabled=yes

2.6.2 、 UPNP

先设置 UPNP 的端口,然后开启 UPNP

/ip upnp interfaces
add interface=L-bridge type=internal
add interface=pppoe-CUCC type=external
/ip upnp
set allow-disable-external-interface=yes enabled=yes

2.6.3 、 DDNS

配置 DDNS 只能通过 Mikrotik 官方的域名来使用

/ip cloud
set ddns-enabled=yes ddns-update-interval=1m

2.6.4 、 LLDP

/ip neighbor discovery-settings
set discover-interface-list=LAN

2.6.5 、服务检查

netwatch 是普通的网络检查
watchdog 是网络检查的升级版,一旦检测外网通讯故障,则重启设备

/tool netwatch
add disabled=no host=1.2.3.4
/system watchdog
set watchdog-timer=no

2.6.6 、定期命令

这里放两个常用的命令
1 、定时重启 PPPOE 端口
2 、定时清理 UPNP 映射表

/system scheduler
add interval=2d name="Reboot PPPoE" on-event="/interface/disable pppoe-CUCC;\r\
\n/delay 3000ms;\r\
\n/interface/enable pppoe-CUCC;" policy=reboot,read,write start-date=\
jan/01/2022 start-time=04:40:00
/system scheduler
add interval=1d name="Clear Upnp" on-event=\
"/ip upnp set enabled=no;\r\
\n/delay 3000ms;\r\
\n/ip upnp set enabled=yes;" policy=reboot,read,write start-date=\
jun/02/2022 start-time=04:40:00

2.6.7 、日志

日志可以有很多分类,当找不到问题时第一时间开日志看。
这里看的是 DNS 解析日志,并保存到本地磁盘

/system logging
add action=disk disabled=no topics=dns

3 、问题

3.1 、 bridge 和 二层交换机 并不相同

如果是企业级三层交换机,比如 H3C S10500 那种,我们将端口从二层切换三层,并不会影响其他业务的运行。但是 Mikrotik 是用三层虚拟的二层,也就意味着如果想动 bridge,会把所有的接口都重载,业务那必须断线。如果想着有硬件转发就不会断,那会好好的上一课。而且当 bridge 被清空,mikrotik 是真的不会给隐藏 bridge 来访问设备,意味着设备秒变砖头。三层必须有一个 bridge 来支持,才会响应二层 mac 报文。

3.2 、硬件转发限制多多

routing table 想加一个?HW 没了,bridge 想加几个?HW 没了,MTU 想改一改?HW 没了
嗯,就是这样的硬件转发,如果你不查官方指定型号设备的 HW 支持详情,你甚至都意识不到 HW 根本就没开,只看着延迟在骚动,还觉得性能烂。

3.3 、 PCC 均衡并不是 LACP 那样

如果我们想着拿一堆线做个聚合,交换机常见的就是静态双线链路聚合,多线 LACP 动态聚合,聚合后流量会根据某种方式分流,并在对端自动合并再传输。但是 PCC 不是这样的,PCC 本身创建了两条链路,交叉链路还能断线?而 PCC 的描述很容易产生两条链路断一条就会自动漂移,但实际上并不是,一旦某个链路断了,流量就拥塞了,宁死也不会走另一个。而为什么呢?原因居然是 PCC 没有和 路由 联动,他只是配好了组,但是流量在路由层面已经认准了一条路走到黑。按道理三层的东西二层肯定能分流,PCC 就是不分。也就意味着 PCC 实际上是个三层分流策略,和三层路由属于同级,也就根本不是用来替代 LACP 的。那我既然有路由负载均衡了,我为什么还要用 PCC 这种配置繁琐还复杂又不能动态调整的东西呢?

3.4 、发现问题找谁呢

官方论坛会有人,但是大多数都是路人贡献者,开发人员偶尔会上,而且大概率也不会关注萌新问题区。
国内经销商也只是因销售而略懂的厂家工程师,实际上稍微一挖某个功能就打穿知识面了。
最后还得是自己找,还好 Mikrotik 大多的问题都可以在论坛,或者看日志来分析解决。
当然,解决不了的就是解决不了了。毕竟国外品牌,售后基本为无。

3.5 、 IPV4 和 IPV6 黏在一起

现在你的 IPV4 已经配好了,你只是想动动 IPV6 。
如果是 Linux,你只是需要 reload 一次,IPV6 就可以自动重载并完成整个功能,期间 IPV4 完全不受影响
如果是企业路由器,就算是 N 年前的二手 Disco 你在端口配 IPV6 也不会掉 IPV4
到了 Mikrotik ,你会发现,但凡你动 IPV4/IPV6 一下,它都会 Down/Up 一次
深刻贯彻落实 ” 重启解决 99% 的问题 “ 的优良传统。
能与之相匹配的也就是 Windows 了,但 Windows 还可以用 启用禁用 IPV6 栈 来重载。
如果正巧你动的也是个外网接口,那每动一次,断一次网,恢复等个一阵子,再动再断,如此往复
心态犹如花个大把上天戴着 gopro 跳伞,然后落地发现 gopro 因震动坏了???运动相机??

3.6 、 Sock5 速度慢如牛

Mikrotik 既然支持 RouterOS Sock5 服务端,那肯定要试一下
Enable,Access,改个端口,就算配完了
拿 Firefox 试一下,打开 baidu 需要 3 秒,打开 qq 主页需要 12 秒。
很好很强大,梦回 2012,甚至还能再快一点。

StarryVoid

Have a good time