作者归档:vibbow

RouterOS IPv6 实用脚本

IPv6 地址更新脚本

用于当 RouterOS IPv6 更新时,主动向客户端广播旧地址过期

:local poolname "pool6"
:local ifname "bridge"

:global oldprefix;
:local newprefix;

:set newprefix [/ipv6 pool used get [find info="bridge"] prefix];

:if ([ :typeof $oldprefix ] = "nothing") do {
  :set $oldprefix $newprefix
}

:if ($newprefix != $oldprefix) do {
  :log info "Kill IPv6 prefix, old prefix: $oldprefix, new prefix: $newprefix";
  :ipv6 nd prefix add prefix=$oldprefix interface=$ifname on-link=yes autonomous=yes preferred-lifetime=0s valid-lifetime=0s;
  :delay 5;
  :ipv6 nd prefix remove [/ipv6 nd prefix find prefix=$oldprefix];
  :set $oldprefix $newprefix;
}

IPv6 DHCP Rebinding 脚本

用于修复当 PPPoE 重新拨号时 IPv6 DHCP 卡在 Rebinding 状态

:local wan "pppoe-telecom"
:if ( [ /ipv6 dhcp-client get [ find interface=$wan ] status ] = "rebinding..." ) do={ 
    /ipv6 dhcp-client release [ find interface=$wan ] 
}

将 RouterOS L4 授权转换为 CHR P1 授权方法

1 在 RouterOS -> System -> License 中点击 Renew License,输入自己的 Mikrotik 账号,然后点击 Start。

2 访问 Mikrotik 个人账户页面 https://mikrotik.com/client ,点击左侧的 all CHR keys,列表中会显示上一步 RouterOS 的 System ID,点击 Upgrade。

3 选择要使用的授权等级,点击 Upgrade。

4 点击 Pay using Prepaid Key (1),如果括号里的数字不是1,则说明你没有空闲的 L4/L5 授权

5 升级完成,授权等级信息里已经没有 (Trial) 的字样了

RouterOS 默认防火墙规则

Mikrotik 的 RouterBoard 硬件产品默认都有带有配置良好的防火墙规则,x86/CHR 设备默认不带防火墙规则。 如果你不小心删掉了防火墙规则,或者需要还原默认防火墙规则,可以导入以下配置:

第一部分: Interface List,所有设备均需要导入,请根据自己情况适当修改

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=pppoe-out1 list=WAN

第二部分:IPv4 防火墙规则,推荐所有设备都导入

/ip firewall filter
add action=accept chain=input comment="accept ping" protocol=icmp
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop all from WAN" in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

第三部分:IPv6 防火墙规则,需要启用 IPv6 package 后再导入

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=::224.0.0.0/100 comment="defconf: other" list=bad_ipv6
add address=::127.0.0.0/104 comment="defconf: other" list=bad_ipv6
add address=::/104 comment="defconf: other" list=bad_ipv6
add address=::255.0.0.0/104 comment="defconf: other" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/16
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

RouterOS 定时重连 PPPoE 脚本

因为中国电信会不定时的强行中断 PPPoE 连接,为了避免白天被中断的情况,可以在半夜不用的时候自己主动重连一次 PPPoE,以避免白天被强行中断。

/system scheduler
add name="restart pppoe" on-event="/interface pppoe-client enable pppoe-telecom" \
start-time=06:00:00 interval=1d

只需将上述代码中的 pppoe-telecom 更换为你 PPPoE 连接的名称,start-time 修改为你想重连的时间即可。