[RouterOS] Home internet dial-up setup: DHCP and IPv6, NAT1, DDNS, DNS, UPnP, fasttrack


PPPoE dial-up

Open Quick Set in the top-left corner of WinBox to configure PPPoE and DHCP in one step; NAT is set up automatically.

DNS

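Open WinBox > IP > DNS. Both IPv4 servers and DoH are supported.
Allow Remote Requests turns on the DNS cache so that other hosts can use the router as their resolver; if you are unsure, you can tick it. With it enabled the router answers DNS queries arriving on any interface, so queries from the WAN side have to be dropped in the firewall input chain.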
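An input-chain rule set that keeps the DNS cache reachable from the LAN only, given as an added example that is not part of the original post. It assumes the interface names used elsewhere on this page (pppoe-out1 for WAN, bridge1 for LAN) and an input chain with no existing rules.

```routeros
# Added example (not from the original post).
# Assumptions: WAN = pppoe-out1, LAN = bridge1, input chain currently empty.
# Rules are evaluated top to bottom, and "add" appends to the end of the chain.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="replies to traffic the router itself started, e.g. upstream DNS lookups"
add chain=input action=drop connection-state=invalid comment="drop invalid packets"
add chain=input action=accept protocol=icmp comment="allow ICMP (ping, PMTU discovery)"
add chain=input action=accept in-interface=bridge1 \
    comment="LAN clients may reach the router: DNS cache, UPnP, WinBox, SSH"
# The two DNS rules are covered by the final drop as well; keeping them
# separate gives them their own packet counters, which show how often the
# resolver is probed from the internet.
add chain=input action=drop in-interface=pppoe-out1 protocol=udp dst-port=53 \
    comment="DNS over UDP from WAN"
add chain=input action=drop in-interface=pppoe-out1 protocol=tcp dst-port=53 \
    comment="DNS over TCP from WAN"
add chain=input action=drop in-interface=!bridge1 \
    comment="everything else that did not arrive from the LAN"

# Review the rule order and the per-rule counters.
/ip firewall filter print stats where chain=input
```

Apply it from a LAN-side session, preferably in Safe Mode, so that a mistake in the rule order cannot lock you out.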

UPnP

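Open WinBox > IP > UPnP.
Click Interfaces, then click the "+" button in the UPnP Interface Settings window and add two entries.

  1. WAN - Interface: pppoe-out1 (if the WAN uses PPPoE, enter the pppoe-out1 interface name; with a static IP, enter the WAN interface name), type: external.
  2. LAN - Interface: bridge1 (the bridge name; if no bridge is used, select the LAN port), type: internal.

In UPnP Settings, tick Enabled and Allow To Disable External Interface.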

fasttrack

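MikroTik original: https://wiki.mikrotik.com/wiki/Manual:IP/Fasttrack
It can greatly reduce RouterOS CPU usage and increase throughput.
Prerequisites

    • no mesh or metarouter interface configuration;
    • sniffer, torch and traffic generator are not running;
    • no active mac-ping, mac-telnet or mac-winbox sessions (this restriction was removed in 6.33);
    • /tool mac-scan is not actively used;
    • /tool ip-scan is not actively used;
    • FastPath and route cache are enabled under IP > Settings.

To enable fasttrack, open WinBox > New Terminal and enter: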

/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related
/ip firewall filter add chain=forward action=accept connection-state=established,related

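IPv6

In WinBox open IPv6 --> DHCP Client. For Interface choose the PPPoE dial-up connection (mine is PPPoE); under Request tick prefix; Pool Name can be anything, for example ipv6, and will be needed later; for Pool Prefix Length enter what your ISP assigns, in my case 56 (usually one of 64, 56 or 48); tick "Use Peer DNS"; tick "Add Default Route"; click OK.

Configure the interface that should hand out addresses via DHCP.

Open https://www.test-ipv6.com/ to test IPv6.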
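Once the delegated prefix is in use, LAN hosts hold globally routable IPv6 addresses and the IPv4 masquerade rule no longer stands between them and the internet, so the IPv6 filter table needs its own rules. The following is an added example, not part of the original post; it assumes WAN = pppoe-out1, LAN = bridge1 and an empty IPv6 filter table.

```routeros
# Added example (not from the original post).
# Assumptions: WAN = pppoe-out1, LAN = bridge1, no existing IPv6 filter rules.
/ipv6 firewall filter
# --- traffic addressed to the router itself ---
add chain=input action=accept connection-state=established,related \
    comment="replies to the router's own traffic"
add chain=input action=drop connection-state=invalid comment="drop invalid packets"
add chain=input action=accept protocol=icmpv6 \
    comment="ICMPv6 carries neighbor discovery and PMTU; IPv6 breaks without it"
# DHCPv6 replies come from the ISP's link-local address to client port 546.
# They are not matched as established, so the prefix delegation configured
# above needs this explicit rule.
add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 \
    in-interface=pppoe-out1 comment="DHCPv6 client: prefix delegation replies"
add chain=input action=drop in-interface=!bridge1 \
    comment="everything else that did not arrive from the LAN"
# --- traffic routed through to LAN hosts ---
add chain=forward action=accept connection-state=established,related \
    comment="replies to connections opened from the LAN"
add chain=forward action=drop connection-state=invalid comment="drop invalid packets"
add chain=forward action=accept protocol=icmpv6 comment="ICMPv6 to and from LAN hosts"
add chain=forward action=accept in-interface=bridge1 comment="LAN to internet"
add chain=forward action=drop comment="unsolicited inbound connections to LAN hosts"

# Review the rule order and the per-rule counters.
/ipv6 firewall filter print stats
```

After applying it, the test at https://www.test-ipv6.com/ should still pass, because outbound connections and their replies are accepted.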

Optional

Source: https://codewindy.github.io/2020/04/18/RouterOS-Optimized/

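# Rename the default admin user to something else
/user set 0 name=myros
# Set a strong password (the password was shown in red in the original; change it to your own)
/user set 0 password="d*2bBsweUBe3@"
# Restrict the addresses the admin user may log in from (a single IP, several IPs or a subnet)
/user set 0 allowed-address=192.168.88.0/24
# Keep only the secure services
# Note: this disables Telnet, FTP, WWW, API and API-SSL
/ip service disable telnet,ftp,www,api,api-ssl
# Change the default port; this immediately stops most random SSH brute-force login attempts
/ip service set ssh port=220
# Restrict the subnet that may log in through WinBox
/ip service set winbox address=192.168.88.0/24
# Disable the mac-telnet service
/tool mac-server set allowed-interface-list=none
# Disable the mac-winbox service
/tool mac-server mac-winbox set allowed-interface-list=none
# Disable the mac-ping service
/tool mac-server ping set enabled=no
# Neighbor discovery
# The MikroTik neighbor discovery protocol shows and identifies other MikroTik devices on the network; disable it on all interfaces
# Disable neighbor discovery for IPv4
/ip neighbor discovery-settings set discover-interface-list=none
# Disable neighbor discovery for IPv6
# Note: /ipv6 nd holds the router advertisement settings, so disabling it stops RAs to LAN clients;
# skip this line if LAN clients get IPv6 through the setup in the IPv6 section
/ipv6 nd set [find] disabled=yes
# The bandwidth server is used to test throughput between two MikroTik routers; disable it after testing.
/tool bandwidth-server set enabled=no
# DNS cache: stop answering DNS queries from other hosts
/ip dns set allow-remote-requests=no
# Harden SSH access by enabling strong crypto
/ip ssh set strong-crypto=yes
# Turn off the web proxy and the SOCKS proxy
/ip proxy set enabled=no
/ip socks set enabled=no
# MikroTik UPnP service (Universal Plug and Play)
/ip upnp set enabled=no
# MikroTik's built-in DDNS service (dynamic DNS)
# If you are not using it, disable it with the following command
/ip cloud set ddns-enabled=no update-time=no
# Some RouterBOARD models have an LCD module for displaying information.
/lcd set enabled=no
# If your router does not provide VPN services, turn the VPN servers off with the following commands
/interface l2tp-server server set enabled=no
/interface pptp-server server set enabled=no
/interface sstp-server server set enabled=no
/interface ovpn-server server set enabled=no
# Disable RADIUS authorisation for logins on the device
/user aaa set use-radius=no
# Use this removal with caution
/radius remove numbers=[/radius find]
# Clear the log
/system logging action set memory memory-lines=1
/system logging action set memory memory-lines=1000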



/interface/wireless/export         
# jul/08/2020 22:19:41 by RouterOS 7.0beta8
# software id = xxx
#
# model = RBD52G-5HacD2HnD
# serial number = xxx
# Configure NTP server synchronisation
/system ntp client
set enabled=yes
/system ntp client servers
add address=139.199.215.251 
# 203.107.6.88 alibaba

# Enable the DHCP server
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=1h name=dhcp1
/ip dhcp-server network
add address=192.168.2.0/24 gateway=192.168.2.2 netmask=24


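# Optimise the hAP ac2 wireless parameters
# C is the center frequency and e is an extension channel. Example: with frequency 5100 and eCee you will see 5080-e, 5100-C, 5120-e, 5140-e.
# fragmentation-threshold sets the packet fragmentation threshold of the radio profile. The default is 2346 bytes. A sensible fragmentation threshold improves channel bandwidth utilisation. Choose the value according to your actual conditions; given current trends, a larger threshold is recommended. If the threshold is too small, packets are split into many fragments, and since every wireless transmission carries significant extra overhead, channel utilisation is low. If the threshold is too large, long packets are rarely fragmented, so each transmission takes longer and is more likely to fail; every failure forces a retransmission, which wastes channel bandwidth.
# rts-cts mode: when the AP sends data to a client, it first sends the client an RTS frame, so every device within the AP's coverage that receives the RTS stays silent for the specified time. The destination client answers with a CTS frame, so every device within that client's coverage also stays silent for the specified time. Collision avoidance with rts-cts needs two extra frames, so the overhead is relatively high.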
/interface wireless
set [ find default-name=wlan1 ] country=china mode=ap-bridge ssid=tpy wireless-protocol=802.11
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik \
    wpa-pre-shared-key=a1234567 wpa2-pre-shared-key=a1234567
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" group-key-update=1h mode=dynamic-keys name=eda supplicant-identity="" \
    wpa-pre-shared-key=a1234567 wpa2-pre-shared-key=a1234567
/interface wireless
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode band=5ghz-onlyac channel-width=20/40/80mhz-eeCe country=malaysia disabled=no \
    distance=indoors frequency=5300 hw-fragmentation-threshold=2346 hw-protection-mode=rts-cts installation=indoor keepalive-frames=disabled mode=\
    ap-bridge multicast-buffering=disabled multicast-helper=full security-profile=eda ssid=eda wireless-protocol=802.11 wps-mode=disabled
/interface wireless nstreme
set wlan2 enable-polling=no

# masquerade NAT address translation
/ip firewall nat
add action=masquerade chain=srcnat

# Hidden Wi-Fi (SSID) support
[admin@jd] > interface/wireless/export 
# sep/27/2020 22:17:52 by RouterOS 7.1beta2
# software id = U01C-6QKJ
#
# model = RBD52G-5HacD2HnD
# serial number = CB390C02DA3C
/interface wireless
set [ find default-name=wlan1 ] country=china mode=ap-bridge ssid=tpy \
    wireless-protocol=802.11
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" \
    group-key-update=1h mode=dynamic-keys supplicant-identity=MikroTik \
    wpa-pre-shared-key=a1234567 wpa2-pre-shared-key=a1234567
add authentication-types=wpa2-psk disable-pmkid=yes eap-methods="" \
    group-key-update=1h mode=dynamic-keys name=eda supplicant-identity="" \
    wpa-pre-shared-key=a1234567 wpa2-pre-shared-key=wifipwd
/interface wireless
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode \
    band=5ghz-onlyac channel-width=20/40/80mhz-eeCe country=malaysia \
    disabled=no distance=indoors frequency=5300 hide-ssid=yes \
    hw-fragmentation-threshold=2346 hw-protection-mode=rts-cts installation=\
    indoor keepalive-frames=disabled mac-address=44:F9:71:8F:74:D9 mode=\
    ap-bridge multicast-buffering=disabled multicast-helper=full \
    security-profile=eda ssid=emoji wireless-protocol=802.11 wps-mode=disabled
/interface wireless nstreme
set wlan2 enable-polling=no
[admin@jd] > 


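# Kid Control and hotspot: passing through layer-3 devices
  Treat totalstub terminal devices such as Phicomm as the Kid Control and hotspot devices above, and configure the corresponding MAC addresses and rules to restrict their internet access effectively.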