RouterOS Basic Configuration

This document covers the basics of RouterOS configuration.

DoH and standard DNS

DoH: https://dxb-v2.jeffok.com/dns-query  DNS: 172.17.45.2

L2TP information

dxb-cloud:1.2.3.4 szcloud: sz:1.2.3.4 hk:1.2.3.4 user:dxb-dabiao pass:Dabiao@2024

Basic internet access configuration

/ip firewall mangle
add action=change-mss chain=forward comment="Change MSS" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

/ip dns set allow-remote-requests=yes cache-size=2048 max-udp-packet-size=512 servers=172.17.45.2,10.100.50.222

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN

/ip address add address=192.168.55.254/24 interface=lan comment="Lan"

/ip address add address=1.2.3.4 interface=WAN

/ip route add gateway=1.2.3.4

Connect the corresponding L2TP tunnels and add host routes so that each DNS server is reachable through its tunnel

/interface l2tp-client add name="l2tp-dxbcloud" connect-to=1.2.3.4 user="dxb-dabiao" password="YOUR_PASSWORD" add-default-route=no disabled=no
/interface l2tp-client add name="l2tp-szcloud" connect-to=1.2.3.4 user="dxb-dabiao" password="YOUR_PASSWORD" add-default-route=no disabled=no

/ip route add dst-address=172.17.45.2/32 gateway=l2tp-dxbcloud comment="DXB-DNS"
/ip route add dst-address=10.100.50.222/32 gateway=l2tp-szcloud comment="HK-DNS"

WeChat split routing

/routing table add disabled=no fib name=szcloud

/ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=WeChat dst-address-type=!local new-routing-mark=szcloud passthrough=yes disabled=no

/ip firewall address-list
add address=hkshort.mixpay.wechatpay.cn list=WeChat
add address=hkshort.pay.weixin.qq.com list=WeChat
add address=hkshort.snspay.wechatpay.cn list=WeChat
add address=hkshort.weixin.qq.com list=WeChat
add address=hkshort6.weixin.qq.com list=WeChat
add address=hksupport.weixin.qq.com list=WeChat
add address=i.qq.com list=WeChat
add address=imgcache.qq.com list=WeChat
add address=live.qq.com list=WeChat
add address=long.weixin.qq.com list=WeChat
add address=mail.qq.com list=WeChat
add address=mch.weixin.qq.com list=WeChat
add address=minorlong.weixin.qq.com list=WeChat
add address=minorshort.weixin.qq.com list=WeChat
add address=mlaxshort.weixin.qq.com list=WeChat
add address=mldisas.weixin.qq.com list=WeChat
add address=mlextshort.weixin.qq.com list=WeChat
add address=mlfindershort.weixin.qq.com list=WeChat
add address=mllong.weixin.qq.com list=WeChat
add address=mlminorlong.weixin.qq.com list=WeChat
add address=mlminorshort.weixin.qq.com list=WeChat
add address=mlquic.weixin.qq.com list=WeChat
add address=mlshort.mixpay.wechatpay.cn list=WeChat
add address=mlshort.pay.weixin.qq.com list=WeChat
add address=mlshort.snspay.wechatpay.cn list=WeChat
add address=mlshort.weixin.qq.com list=WeChat
add address=mlsupport.weixin.qq.com list=WeChat
add address=mmbiz.qlogo.cn list=WeChat
add address=mmbiz.qpic.cn list=WeChat
add address=mmbizwechat.com list=WeChat
add address=mmpay.com list=WeChat
add address=mmsns.hk.wechat.com list=WeChat
add address=mmsns.qpic.cn list=WeChat
add address=mp.weixin.qq.com list=WeChat
add address=mp.weixinbridge.com list=WeChat
add address=mp.wework.cn list=WeChat
add address=mqqapi.com list=WeChat
add address=myapp.com list=WeChat
add address=myqcloud.com list=WeChat
add address=now.qq.com list=WeChat
add address=open.qq.com list=WeChat
add address=open.weixin.qq.com list=WeChat
add address=pay.qq.com list=WeChat
add address=pingfore.qq.com list=WeChat
add address=qlogo.cn list=WeChat
add address=qmail.qq.com list=WeChat
add address=qpic.cn list=WeChat
add address=qq.com list=WeChat
add address=qqmail.com list=WeChat
add address=quic.weixin.qq.com list=WeChat
add address=qyapi.weixin.qq.com list=WeChat
add address=qzone.com list=WeChat
add address=qzone.qq.com list=WeChat
add address=qzonestyle.gtimg.cn list=WeChat
add address=qzs.qq.com list=WeChat
add address=res.servicewechat.com list=WeChat
add address=res.wx.qq.com list=WeChat
add address=resstatic.servicewechat.com list=WeChat
add address=servicewechat.com list=WeChat
add address=sgaxshort.wechat.com list=WeChat
add address=sgfindershort.wechat.com list=WeChat
add address=sgilinkshort.wechat.com list=WeChat
add address=sglong.wechat.com list=WeChat
add address=sgminorshort.wechat.com list=WeChat
add address=sgquic.wechat.com list=WeChat
add address=sgshort.mixpay.wechat.com list=WeChat
add address=sgshort.pay.wechat.com list=WeChat
add address=sgshort.snspay.wechat.com list=WeChat
add address=sgshort.wechat.com list=WeChat
add address=sh.api.weixin.qq.com list=WeChat
add address=shdisas.weixin.qq.com list=WeChat
add address=shextshort.weixin.qq.com list=WeChat
add address=shminorlong.weixin.qq.com list=WeChat
add address=shmmsns.qpic.cn list=WeChat
add address=short.mixpay.wechatpay.cn list=WeChat
add address=short.pay.weixin.qq.com list=WeChat
add address=short.snspay.wechatpay.cn list=WeChat
add address=short.weixin.qq.com list=WeChat
add address=shp.qlogo.cn list=WeChat
add address=shquic.weixin.qq.com list=WeChat
add address=shshort.mixpay.wechatpay.cn list=WeChat
add address=shshort.pay.weixin.qq.com list=WeChat
add address=shshort.snspay.wechatpay.cn list=WeChat
add address=support.weixin.qq.com list=WeChat
add address=sz.api.weixin.qq.com list=WeChat
add address=szaxshort.weixin.qq.com list=WeChat
add address=szdisas.weixin.qq.com list=WeChat
add address=szextshort.weixin.qq.com list=WeChat
add address=szfindershort.weixin.qq.com list=WeChat
add address=szlong.weixin.qq.com list=WeChat
add address=szminorlong.weixin.qq.com list=WeChat
add address=szminorshort.weixin.qq.com list=WeChat
add address=szmmsns.qpic.cn list=WeChat
add address=szquic.weixin.qq.com list=WeChat
add address=szshort.mixpay.wechatpay.cn list=WeChat
add address=szshort.pay.weixin.qq.com list=WeChat
add address=szshort.snspay.wechatpay.cn list=WeChat
add address=szshort.weixin.qq.com list=WeChat
add address=szsupport.weixin.qq.com list=WeChat
add address=tencent-cloud.com list=WeChat
add address=tencent-cloud.net list=WeChat
add address=tencent.com list=WeChat
add address=tencentcs.com list=WeChat
add address=tencentmap.wechat.com list=WeChat
add address=tencentmind.com list=WeChat
add address=tenpay.com list=WeChat
add address=tenpay.qq.com list=WeChat
add address=udns.weixin.qq.com list=WeChat
add address=v.qq.com list=WeChat
add address=video.gtimg.com list=WeChat
add address=vip.qq.com list=WeChat
add address=vweixinf.tc.qq.com list=WeChat
add address=web.wechat.com list=WeChat
add address=wechat.com list=WeChat
add address=wechatlegal.net list=WeChat
add address=wechatpay.com list=WeChat
add address=weixin.com list=WeChat
add address=weixin.qq.com list=WeChat
add address=weixin110.qq.com list=WeChat
add address=weixinbridge.com list=WeChat
add address=weixinc2c.tc.qq.com list=WeChat
add address=weixinsxy.com list=WeChat
add address=weiyun.com list=WeChat
add address=wx.gtimg.com list=WeChat
add address=wx.qlogo.cn list=WeChat
add address=wx.qq.com list=WeChat
add address=wx2.qq.com list=WeChat
add address=wx8.qq.com list=WeChat
add address=wxapp.qq.com list=WeChat
add address=wxapp.tc.qq.com list=WeChat
add address=wximg.qq.com list=WeChat
add address=wxsnsdy.wxs.qq.com list=WeChat
add address=wxsnsdythumb.wxs.qq.com list=WeChat
add address=wxsnsdyvip.wxs.qq.com list=WeChat
add address=y.qq.com list=WeChat
add address=y.qqmusic.com list=WeChat

Static route configuration

/system script
add dont-require-permissions=no name=zzip_update owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/file remove [find name=\"szcloud_router.rsc\"]\r\
    \n/tool fetch mode=http url=\"https://mirrors.jeffok.com/software/ispip/szcloud_router.rsc\" dst-path=szcloud_router.rsc\r\
    \n:log info ([/file get szcloud_router.rsc contents])\r\
    \n/ip route remove [/ip route find comment=CN]\r\
    \n/import file=szcloud_router.rsc"

The script deletes every route commented CN and imports whatever the mirror returns. Note that /tool fetch does not verify the server certificate unless check-certificate=yes is set (which requires the issuing CA to be present under /certificate), and the script runs with a policy that includes write, policy, password and sensitive, so the routing table is only as trustworthy as that download.

IP address lists

/ip firewall address-list

add address=192.168.100.1 comment="modemconf: Modem Address" list=modem_ipv4
add address=172.16.1.0/24 comment="lanconf: Local Address" list=local_subnet_ipv4

add address=172.16.1.1 comment="lanconf: Local DNS Address" list=local_dns_ipv4
add address=172.16.1.2 comment="lanconf: Local DNS Address" list=local_dns_ipv4
add address=172.16.1.3 comment="lanconf: Local DNS Address" list=local_dns_ipv4

add address=0.0.0.0/8 comment="defconf: RFC6890" list=no_forward_ipv4
add address=1.2.3.4/16 comment="defconf: RFC6890" list=no_forward_ipv4
add address=1.2.3.4/4 comment="defconf: multicast" list=no_forward_ipv4
add address=1.2.3.4/32 comment="defconf: RFC6890" list=no_forward_ipv4

add address=127.0.0.0/8 comment="defconf: RFC6890" list=bad_ipv4
add address=1.2.3.4/24 comment="defconf: RFC6890" list=bad_ipv4
add address=1.2.3.4/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=1.2.3.4/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=1.2.3.4/24 comment="defconf: RFC6890 documentation" list=bad_ipv4
add address=1.2.3.4/4 comment="defconf: RFC6890 reserved" list=bad_ipv4

add address=0.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890" list=not_global_ipv4
add address=1.2.3.4/10 comment="defconf: RFC6890" list=not_global_ipv4
add address=1.2.3.4/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890" list=not_global_ipv4
add address=1.2.3.4/29 comment="defconf: RFC6890" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890" list=not_global_ipv4
add address=1.2.3.4/15 comment="defconf: RFC6890 benchmark" list=not_global_ipv4
add address=1.2.3.4/32 comment="defconf: RFC6890" list=not_global_ipv4

add address=1.2.3.4/4 comment="defconf: multicast" list=bad_src_ipv4
add address=1.2.3.4/32 comment="defconf: RFC6890" list=bad_src_ipv4

add address=0.0.0.0/8 comment="defconf: RFC6890" list=bad_dst_ipv4
add address=1.2.3.4/4 comment="defconf: RFC6890" list=bad_dst_ipv4

add comment="ddosconf: DDoS" list=ddos_targets_ipv4
add comment="ddosconf: DDoS" list=ddos_attackers_ipv4

Firewall

/ip firewall filter

add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept all that matches IPSec policy" ipsec-policy=in,ipsec disabled=yes

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: fasttrack accept established,related" connection-state=established,related disabled=yes

Both fasttrack rules are left disabled on purpose: fasttracked packets bypass the mangle chains, so enabling them would stop the WeChat mark-routing above from being applied.

add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid

add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=fw_wan_not_DSTNATed
add action=drop chain=forward comment="modemconf: drop all from MODEM not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=MODEM log=yes log-prefix=fw_modem_not_DSTNATed

add action=drop chain=forward src-address-list=no_forward_ipv4 comment="defconf: drop bad forward IPs"
add action=drop chain=forward dst-address-list=no_forward_ipv4 comment="defconf: drop bad forward IPs"

add action=jump chain=forward connection-state=new jump-target=detect_ddos comment="ddosconf: DDoS"
add action=return chain=detect_ddos dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack comment="ddosconf: SYN-ACK Flood" log=yes log-prefix=fw_syn_ack_detected
add action=return chain=detect_ddos dst-limit=64,128,src-and-dst-addresses/10s comment="ddosconf: DDoS"
add action=add-dst-to-address-list chain=detect_ddos address-list=ddos_targets_ipv4 address-list-timeout=10m comment="ddosconf: DDoS" log=yes log-prefix=fw_ddos_targets_detected
add action=add-src-to-address-list chain=detect_ddos address-list=ddos_attackers_ipv4 address-list-timeout=10m comment="ddosconf: DDoS" log=yes log-prefix=fw_ddos_attackers_detected
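How the detect_ddos chain and the later RAW rule (drop when both ddos_targets_ipv4 and ddos_attackers_ipv4 match) behave, modelled in Python as an added example rather than code from the article. It approximates dst-limit as one token bucket per (src, dst) pair, ignores the /10s expire, and uses constructed RFC 5737 addresses.

```python
# Added example (not the article's code): the detect_ddos chain and the RAW
# drop rule, with dst-limit approximated as a token bucket per (src, dst)
# pair refilled at `rate`/s up to `burst`; the /10s expire is ignored.
# All addresses are constructed RFC 5737 documentation values.
from dataclasses import dataclass, field

@dataclass
class TokenBucket:
    rate: float    # dst-limit rate, packets per second
    burst: int     # dst-limit burst, bucket capacity
    tokens: float = field(init=False)
    last: float = 0.0

    def __post_init__(self):
        self.tokens = float(self.burst)

    def allow(self, now):
        """Refill for the elapsed time, then spend one token if available."""
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False

class DdosDetector:
    """First-match walk of chain detect_ddos for one connection-state=new packet."""
    def __init__(self):
        self.synack = {}        # rule 1: dst-limit=32,32,src-and-dst-addresses
        self.generic = {}       # rule 2: dst-limit=64,128,src-and-dst-addresses
        self.targets = set()    # address list ddos_targets_ipv4
        self.attackers = set()  # address list ddos_attackers_ipv4

    def process(self, now, src, dst, syn_ack=False):
        key = (src, dst)
        if syn_ack and self.synack.setdefault(key, TokenBucket(32, 32)).allow(now):
            return "return"   # rule 1 matches only tcp-flags=syn,ack
        if self.generic.setdefault(key, TokenBucket(64, 128)).allow(now):
            return "return"
        self.targets.add(dst)    # rules 3 and 4: list the pair (10m timeout on the router)
        self.attackers.add(src)
        return "listed"

    def raw_drops(self, src, dst):
        """The RAW rule drops only when dst AND src are both listed."""
        return dst in self.targets and src in self.attackers

def simulate():
    """Constructed traffic: a normal client, then a 300-connections/second flood."""
    det = DdosDetector()
    for i in range(50):   # 50 new connections spread over one second: stays under limit
        det.process(i / 50, "203.0.113.20", "198.51.100.10")
    first_listed = None
    for i in range(300):  # flood from one source in the next second
        verdict = det.process(1.0 + i / 300, "203.0.113.5", "198.51.100.10")
        if verdict == "listed" and first_listed is None:
            first_listed = i + 1
    return det, first_listed
```

Under this model the flood is listed at its 163rd connection, and the normal client talking to the same target is never dropped by RAW because it is not in the attackers list.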

NAT configuration

/ip firewall nat

add action=accept chain=srcnat comment="defconf: accept all that matches IPSec policy" ipsec-policy=out,ipsec disabled=yes
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN

add action=masquerade chain=srcnat out-interface-list=MODEM src-address-list=local_subnet_ipv4 dst-address-list=modem_ipv4 comment="modemconf: Access To Modem"

add action=accept chain=dstnat dst-port=53 in-interface-list=LAN protocol=udp src-address-list=local_dns_ipv4 comment="lanconf: Accept Local DNS Startup Query(UDP)" log=yes log-prefix=fw_dnsv4_udp
add action=accept chain=dstnat dst-port=53 in-interface-list=LAN protocol=tcp src-address-list=local_dns_ipv4 comment="lanconf: Accept Local DNS Startup Query(TCP)" log=yes log-prefix=fw_dnsv4_tcp

add action=redirect chain=dstnat dst-address-list=!local_dns_ipv4 dst-port=53 in-interface-list=LAN protocol=udp to-addresses=172.16.1.1 to-ports=53 comment="lanconf: DNS Redirect to DNS Server(UDP)"
add action=redirect chain=dstnat dst-address-list=!local_dns_ipv4 dst-port=53 in-interface-list=LAN protocol=tcp to-addresses=172.16.1.1 to-ports=53 comment="lanconf: DNS Redirect to DNS Server(TCP)"

Mangle (marking) configuration

/ip firewall mangle

add action=change-mss chain=forward comment="defconf: Fix IPv4 MSS For PPPoE" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=accept chain=prerouting src-address-list=local_subnet_ipv4 dst-address-list=modem_ipv4 comment="modemconf: Access To Modem"

RAW configuration

/ip firewall raw

add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes

add action=drop chain=prerouting dst-address-list=ddos_targets_ipv4 src-address-list=ddos_attackers_ipv4 comment="ddosconf: DDoS"

add action=accept chain=prerouting comment="defconf: accept DHCP discover" dst-address=1.2.3.4 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68

add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IP's" dst-address-list=bad_dst_ipv4

add action=drop chain=prerouting comment="defconf: drop non global from WAN" src-address-list=not_global_ipv4 in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop forward to local lan from WAN" in-interface-list=WAN dst-address-list=local_subnet_ipv4 log=yes log-prefix=fw_wan_to_lan_forward

add action=drop chain=prerouting comment="modemconf: drop if not from modem IP" in-interface-list=MODEM src-address-list=!modem_ipv4 log=yes log-prefix=fw_not_from_modem_address
add action=drop chain=prerouting comment="modemconf: drop forward to local lan from MODEM" in-interface-list=MODEM dst-address-list=local_subnet_ipv4 log=yes log-prefix=fw_modem_to_lan_forward

add action=drop chain=prerouting comment="defconf: drop local if not from default IP range" in-interface-list=LAN src-address-list=!local_subnet_ipv4

add action=drop chain=prerouting comment="defconf: drop bad UDP" port=0 protocol=udp

add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad_tcp protocol=tcp

add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="modemconf: accept everything else from MODEM" in-interface-list=MODEM

add action=drop chain=prerouting comment="defconf: drop the rest"

add action=drop chain=bad_tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad_tcp comment="defconf: tcp-flags=fin,syn" protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad_tcp comment="defconf: tcp-flags=fin,rst" protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad_tcp comment="defconf: tcp-flags=fin,!ack" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad_tcp comment="defconf: tcp-flags=fin,urg" protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad_tcp comment="defconf: tcp-flags=syn,rst" protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad_tcp comment="defconf: tcp-flags=rst,urg" protocol=tcp tcp-flags=rst,urg
add action=drop chain=bad_tcp comment="defconf: TCP port 0 drop" port=0 protocol=tcp

add action=accept chain=icmp4 comment="lanconf: Accept echo reply from WAN" icmp-options=0:0 limit=5,10:packet protocol=icmp in-interface-list=WAN
add action=accept chain=icmp4 comment="lanconf: Accept net unreachable from WAN" icmp-options=3:0 protocol=icmp in-interface-list=WAN
add action=accept chain=icmp4 comment="lanconf: Accept fragmentation needed from WAN" icmp-options=3:4 protocol=icmp in-interface-list=WAN
add action=accept chain=icmp4 comment="lanconf: Accept time exceeded from WAN" icmp-options=11:0-255 protocol=icmp in-interface-list=WAN
add action=drop chain=icmp4 comment="lanconf: Drop other icmp from WAN" protocol=icmp in-interface-list=WAN

add action=accept chain=icmp4 comment="modemconf: Accept echo reply from Modem" icmp-options=0:0 limit=5,10:packet protocol=icmp in-interface-list=MODEM
add action=drop chain=icmp4 comment="modemconf: Drop other icmp from Modem" protocol=icmp in-interface-list=MODEM log=yes log-prefix=fw_drop_modem_icmp

add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 limit=5,10:packet protocol=icmp in-interface-list=LAN log=yes log-prefix=fw_lan_echo_reply
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp in-interface-list=LAN
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp in-interface-list=LAN
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp in-interface-list=LAN
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp in-interface-list=LAN
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp in-interface-list=LAN

add action=accept chain=icmp4 comment="defconf: echo to Modem" icmp-options=8:0 limit=5,10:packet protocol=icmp in-interface-list=LAN dst-address-list=modem_ipv4
add action=accept chain=icmp4 comment="defconf: echo to Local Device" icmp-options=8:0 limit=5,10:packet protocol=icmp in-interface-list=LAN dst-address-list=local_subnet_ipv4
add action=drop chain=icmp4 comment="defconf: echo to Not Global" icmp-options=8:0 limit=5,10:packet protocol=icmp in-interface-list=LAN dst-address-list=not_global_ipv4
add action=accept chain=icmp4 comment="defconf: echo to WAN" icmp-options=8:0 limit=5,10:packet protocol=icmp in-interface-list=LAN
add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=11:0-255 protocol=icmp in-interface-list=LAN
add action=drop chain=icmp4 comment="defconf: drop all other icmp" protocol=icmp

Other settings

/ip settings set tcp-syncookies=yes max-neighbor-entries=1024

/ip neighbor discovery-settings set discover-interface-list=none

/ip proxy set enabled=no

/ip socks set enabled=no

/ip upnp set enabled=no

/ip cloud set ddns-enabled=no update-time=no

/ip ssh set strong-crypto=yes

/tool mac-server set allowed-interface-list=none

/tool mac-server mac-winbox set allowed-interface-list=none

/tool mac-server ping set enabled=no

/tool bandwidth-server set enabled=no

Author: 狐狸Nomad https://www.bilibili.com/read/cv17785151/ Source: bilibili

This article is licensed by its author under CC BY 4.0.