Useful RouterOS IPv6 scripts

IPv6 address update script

Used when the IPv6 prefix on RouterOS changes: it proactively tells clients that the old prefix has expired, by advertising the old prefix once more with zero lifetimes.

# Pool and bridge interface whose delegated prefix is tracked
:local poolname "pool6"
:local ifname "bridge"

# $oldprefix is global so that it survives between scheduled runs of this script
:global oldprefix;
:local newprefix;

# Prefix currently handed out to $ifname from $poolname
:set $newprefix [/ipv6 pool used get [find pool=$poolname info=$ifname] prefix];

# First run: nothing to compare against yet
:if ([ :typeof $oldprefix ] = "nothing") do={
  :set $oldprefix $newprefix
}

:if ($newprefix != $oldprefix) do={
  :log info "Kill IPv6 prefix, old prefix: $oldprefix, new prefix: $newprefix";
  # Advertise the old prefix with zero lifetimes so clients deprecate it, then drop the entry again
  /ipv6 nd prefix add prefix=$oldprefix interface=$ifname on-link=yes autonomous=yes preferred-lifetime=0s valid-lifetime=0s;
  :delay 5;
  /ipv6 nd prefix remove [/ipv6 nd prefix find prefix=$oldprefix];
  :set $oldprefix $newprefix;
}

IPv6 DHCP rebinding script

Fixes the IPv6 DHCP client getting stuck in the rebinding state after a PPPoE redial.

:local wan "pppoe-telecom"
# A DHCPv6 client left in "rebinding..." after the PPPoE session came back does not recover on its own; releasing it makes it start over
:if ( [ /ipv6 dhcp-client get [ find interface=$wan ] status ] = "rebinding..." ) do={
    /ipv6 dhcp-client release [ find interface=$wan ]
}

Automatically updating the prefix hint with the current IPv6 prefix

If an IPv6 prefix hint is supplied, there is a chance of being assigned the prefix given in the hint.

:local interfaceName "pppoe-telecom";

# Hint currently configured on the DHCPv6 client
:local oldIP6Prefix [ /ipv6 dhcp-client get [find interface=$interfaceName] prefix-hint ]

# Delegated prefix; the field may carry a trailing ", <lifetime>" part, so keep only the prefix itself
:local ip6Prefix [ /ipv6 dhcp-client get [find interface=$interfaceName] prefix ]
:if ([ :typeof [ :find $ip6Prefix "," ] ] != "nil") do={
    :set ip6Prefix [ :pick $ip6Prefix 0 [ :find $ip6Prefix "," ] ] ;
}

:if ($oldIP6Prefix != $ip6Prefix) \
do={
    /ipv6 dhcp-client set prefix-hint=$ip6Prefix [find interface=$interfaceName]
    :log info ("Update IPv6 Prefix Hint: " . $ip6Prefix);
}

Automatic IPv6 MSS adjustment

This greatly reduces the problem of IPv6 web pages failing to load.

/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

Converting a RouterOS L4 licence to a CHR P1 licence

1 In RouterOS -> System -> License, click Renew License, enter your own Mikrotik account and click Start.

2 Open your Mikrotik account page at https://mikrotik.com/client and click all CHR keys on the left; the list shows the System ID of the RouterOS from the previous step. Click Upgrade.

3 Select the licence level you want to use and click Upgrade.

4 Click Pay using Prepaid Key (1); if the number in parentheses is not 1, you have no spare L4/L5 licence.

5 The upgrade is complete: the licence level information no longer shows (Trial).

RouterOS default firewall rules

Mikrotik's RouterBoard hardware products all ship with a well-configured default firewall rule set, while x86/CHR installations come with no firewall rules at all. If you have accidentally deleted the firewall rules, or need to restore the defaults, import the following configuration:

/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN

/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN

/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN

Rules extracted from RouterOS 7.1.1; updated 31 December 2021.
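To see what this rule set does to concrete packets, the Python below is an added example (not RouterOS code) that parses the forward-chain lines of the IPv6 filter above exactly as exported and applies them first-match, the way RouterOS does, to a few constructed packets (the addresses 2000::1 and 2000:1:2:3::10 are made up). It models only the matchers these rules use and treats connection state, interface-list membership and IPsec policy as given facts about the packet. A packet that no rule matches is accepted, which is the RouterOS default and the reason the final "drop everything else not coming from LAN" rule matters.

```python
import ipaddress
import shlex

# Address list "bad_ipv6" exactly as in the default configuration above.
ADDRESS_LISTS = {"bad_ipv6": [ipaddress.ip_network(p) for p in (
    "::/128", "::1/128", "fec0::/10", "::ffff:0.0.0.0/96", "::/96",
    "100::/64", "2001:db8::/32", "2001:10::/28", "3ffe::/16")]}

# Forward chain of the default IPv6 filter, copied from the export above.
DEFAULT_FORWARD = """\
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
"""


def parse_rules(export):
    """Turn 'add key=value ...' export lines into a list of matcher dicts."""
    rules = []
    for line in export.splitlines():
        tokens = shlex.split(line)          # handles the quoted comment="..."
        if tokens and tokens[0] == "add":
            rules.append(dict(tok.split("=", 1) for tok in tokens[1:]))
    return rules


def _matches(rule, pkt):
    """True when every matcher of the rule applies to the packet."""
    for key, value in rule.items():
        if key in ("action", "comment"):
            continue
        if key == "chain":
            ok = pkt["chain"] == value
        elif key == "connection-state":
            ok = pkt["state"] in value.split(",")
        elif key == "in-interface-list":                 # a leading "!" negates
            ok = (pkt["in_list"] == value.lstrip("!")) != value.startswith("!")
        elif key in ("src-address-list", "dst-address-list"):
            addr = ipaddress.ip_address(pkt[key[:3]])   # "src" or "dst"
            ok = any(addr in net for net in ADDRESS_LISTS[value])
        elif key == "protocol":
            ok = pkt["protocol"] == value
        elif key == "hop-limit":                         # the export only uses equal:N
            ok = pkt["hop_limit"] == int(value.split(":", 1)[1])
        elif key == "dst-port":
            ok = pkt.get("dst_port") in {int(p) for p in value.split(",")}
        elif key == "ipsec-policy":
            ok = pkt.get("ipsec_policy") == value
        else:
            raise ValueError(f"matcher {key!r} is not modelled")
        if not ok:
            return False
    return True


def evaluate(rules, pkt):
    """First matching rule decides; RouterOS accepts a packet no rule matches."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "no rule matched (RouterOS default)"


def packet(**fields):
    """Constructed forward-chain packet; the two addresses are made up."""
    base = {"chain": "forward", "state": "new", "in_list": "WAN",
            "src": "2000::1", "dst": "2000:1:2:3::10",
            "protocol": "tcp", "hop_limit": 64}
    return {**base, **fields}


RULES = parse_rules(DEFAULT_FORWARD)

if __name__ == "__main__":
    for name, pkt in (("new TCP from WAN", packet(dst_port=443)),
                      ("new TCP from LAN", packet(in_list="LAN", dst_port=443)),
                      ("reply from WAN", packet(state="established")),
                      ("ICMPv6 hop-limit 1", packet(protocol="icmpv6", hop_limit=1)),
                      ("ICMPv6 from WAN", packet(protocol="icmpv6")),
                      ("src in bad_ipv6", packet(src="2001:db8::1")),
                      ("IKE from WAN", packet(protocol="udp", dst_port=500))):
        print(f"{name:20} -> {evaluate(RULES, pkt)}")
```

Two things this makes visible that are easy to miss when reading the export: ICMPv6 arriving from WAN is forwarded into the LAN (only hop-limit 1, per RFC 4890, is dropped ahead of it), and a source address in bad_ipv6 is dropped before any of the per-protocol accepts are reached.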

Scheduled PPPoE reconnection script for RouterOS

China Telecom forcibly drops PPPoE connections at irregular intervals. To avoid being cut off during the day, you can reconnect the PPPoE session yourself at night when it is not in use, so that the forced disconnection does not land in daytime.

/system scheduler
add name="restart pppoe" on-event="/interface pppoe-client disable pppoe-telecom; :delay 5s; /interface pppoe-client enable pppoe-telecom" \
start-time=06:00:00 interval=1d

Just replace pppoe-telecom in the code above with the name of your PPPoE connection and change start-time to the time at which you want to reconnect. Note that enabling an interface that is already enabled does nothing, which is why the event disables it first and re-enables it after a short delay.