Posted by Administrator on 2025-07-04

# 2024 edition: RouterOS installation and configuration tutorial, with IPv6 enabled

## Determine the NIC type

- Intel NICs: the defaults are fine
- Realtek ("crab") NICs: install the matching NIC driver

## Register a RouterOS account

## Install the virtual machine

### Upload the image

### Create the virtual machine

- General
  - Name: routeros
  - Leave "Start at boot" unchecked
- OS
  - Do not use any media
- System
  - Machine: q35
  - Tick "QEMU agent"
- Disks
  - Delete the current disk
- CPU
  - Cores: (the maximum thread count of your CPU)
- Memory
  - Minimum: 512
  - Recommended: 1024
- Network
  - Model: virtio (the default is fine)

### System installation settings

Mount the disk:

```shell
# 100 is the VM ID used in this guide; replace it with the ID of your own VM
qm importdisk 100 /var/lib/vz/template/iso/chr-7.13.5.img local-lvm
```

Hardware settings:

- Attach the newly imported (unused) disk to the VM and expand it a little; 5 GB is recommended
- Add the corresponding NIC
- Change the boot order

## RouterOS system settings

### Define the ports

Bridge: comment it "local Bridge".

### Define interface lists

```routeros
/interface list
add name=WAN comment="defconf: WAN list"
add name=LAN comment="defconf: LAN list"
add name=ONU comment="onuconf: ONU list"
/interface list member
add list=WAN comment="defconf: WAN member" interface=pppoe-out1
add list=LAN comment="defconf: LAN member" interface=bridge1
add list=ONU comment="onuconf: ONU member" interface=ether2
```

## IP configuration

### LAN address

- Address: 192.168.100.1/24
- Network: 192.168.100.0
- Interface: bridge
- Comment: local LAN IPv4 address

### Link address towards the ONU (optical modem)

- Address: 192.168.1.2/24
- Network: 192.168.1.0
- Interface: ether1
- Comment: link IPv4 address for ONU

## DHCPv4 server

### Add an address pool

- Name: dhcpv4-pool1
- Addresses: 192.168.100.50-192.168.100.200
- Comment: local LAN DHCPv4 pool

### DHCP server settings

- Name: dhcpv4-server1
- Interface: bridge1
- Lease Time: 1d 00:00:00
- Address Pool: dhcpv4-pool1
- Bootp Support: none
- Comment: local LAN DHCPv4 server

### Networks

- Address: 192.168.100.0/24
- Gateway: 192.168.100.1
- Netmask: 24
- DNS Server: 192.168.100.1
- Comment: local LAN DHCPv4 network

## DNS configuration

- Servers: 223.5.5.5
- Allow Remote Requests: ticked
- Max. Concurrent Queries: 150
- Cache Size: 1024
- Cache Max TTL: 06:00:00

With Allow Remote Requests ticked the router resolves DNS for the LAN; it is the input-chain rule in the firewall section below ("drop all not from LAN") that stops it from answering queries arriving on the WAN.

## Firewall rules

```routeros
##       Filter rules: 9 + 1 virtual rule
##          NAT rules: 4
##       Mangle rules: 2 + 3 virtual rules
## Address-list rules: 2
/ip firewall address-list
add address=192.168.1.1 comment="onuconf: local ONU address" list=local_onu_ipv4
add address=192.168.100.0/24 comment="lanconf: local LAN address" list=local_lan_ipv4
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes disabled=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward in-interface-list=!LAN comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="[wan-not-dnat]"
add action=drop chain=forward comment="onuconf: drop all from ONU not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=ONU log=yes log-prefix="[onu-not-dnat]"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade IPv4" out-interface-list=WAN
add action=masquerade chain=srcnat comment="onuconf: access to ONU" out-interface-list=ONU src-address-list=local_lan_ipv4 dst-address-list=local_onu_ipv4
/ip firewall mangle
add action=change-mss chain=forward comment="defconf: fix IPv4 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=accept chain=prerouting comment="onuconf: access to ONU" src-address-list=local_lan_ipv4 dst-address-list=local_onu_ipv4
/ip settings
set max-neighbor-entries=1024 rp-filter=loose tcp-syncookies=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/ip proxy
set enabled=no
/ip socks
set enabled=no
/ip upnp
set enabled=no
/ip cloud
set ddns-enabled=no update-time=no
/ip ssh
set strong-crypto=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool bandwidth-server
set enabled=no
```

## Blackhole routes

```routeros
/ip route
add blackhole comment="defconf: RFC6890 - this network" disabled=no dst-address=0.0.0.0/8
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=10.0.0.0/8
add blackhole comment="defconf: RFC6890 - shared address" disabled=no dst-address=100.64.0.0/10
add blackhole comment="defconf: RFC6890 - link local" disabled=no dst-address=169.254.0.0/16
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=172.16.0.0/12
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=192.0.0.0/24
add blackhole comment="defconf: RFC6890 - DS-Lite" disabled=no dst-address=192.0.0.0/29
add blackhole comment="defconf: RFC6890 - TEST-NET-1" disabled=no dst-address=192.0.2.0/24
add blackhole comment="defconf: RFC6890 - 6to4 relay" disabled=no dst-address=192.88.99.0/24
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=192.168.0.0/16
add blackhole comment="defconf: RFC6890 - benchmarking" disabled=no dst-address=198.18.0.0/15
add blackhole comment="defconf: RFC6890 - TEST-NET-2" disabled=no dst-address=198.51.100.0/24
add blackhole comment="defconf: RFC6890 - TEST-NET-3" disabled=no dst-address=203.0.113.0/24
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=240.0.0.0/4
```

## Service hardening

Disable unnecessary services and allow connections from the LAN only:

1. Disable everything except winbox
2. Change the winbox port to 5391
3. Enter 192.168.100.0/24 in the allowed-address field ("Available From")
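The three steps above, together with the `/ip settings` to `/tool bandwidth-server` lines in the firewall section, can be verified against a device's `/export` output. The Python script below is an added example, not part of the original post: it parses an export in the format RouterOS produces and lists every deviation from this page's hardening choices. The two export snippets inside it are constructed samples. A plain `/export` omits settings that are still at their default, so run `/export verbose` if the audit should see every value.

```python
"""Added example (not from the original post): audit a RouterOS `/export`
text against this page's hardening steps: only winbox enabled, on port 5391
and limited to 192.168.100.0/24; UPnP, SOCKS, proxy, bandwidth-server and
cloud DDNS off; SSH strong-crypto on; MAC server reachable from no interface;
DNS allow-remote-requests only if the input chain drops traffic not from LAN."""
import shlex

WEAK_EXPORT = """\
/ip service
set www disabled=no
set ssh disabled=no
set winbox port=8291
set api disabled=yes
/ip upnp
set enabled=yes
/ip dns
set allow-remote-requests=yes servers=223.5.5.5
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
"""

HARDENED_EXPORT = """\
/ip service
set www disabled=yes
set ssh disabled=yes
set winbox address=192.168.100.0/24 port=5391
set api disabled=yes
/ip upnp
set enabled=no
/ip cloud
set ddns-enabled=no update-time=no
/ip ssh
set strong-crypto=yes
/tool mac-server
set allowed-interface-list=none
/ip dns
set allow-remote-requests=yes servers=223.5.5.5
/ip firewall filter
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN
"""

LAN_NETWORK, WINBOX_PORT = "192.168.100.0/24", "5391"  # values from the page
MUST_BE_OFF = {"/ip upnp": "enabled", "/ip socks": "enabled", "/ip proxy": "enabled",
               "/tool bandwidth-server": "enabled", "/ip cloud": "ddns-enabled"}

def parse_export(text):
    """Map each section (`/ip service`, ...) to a list of (name, {key: value}).
    `set winbox port=5391` carries an item name; `set enabled=no` does not (None)."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.split(" ", 1)[0] in ("add", "set") and current is not None:
            tokens = shlex.split(line)[1:]          # shlex handles comment="..."
            name = tokens.pop(0) if tokens and "=" not in tokens[0] else None
            sections[current].append((name, dict(t.split("=", 1) for t in tokens)))
    return sections

def setting(cfg, section, key):
    """Value of an unnamed `set key=...` in a section, or None when the export
    does not carry it (a plain /export omits settings still at their default)."""
    for name, attrs in cfg.get(section, []):
        if name is None and key in attrs:
            return attrs[key]
    return None

def audit(text):
    """Return the list of deviations from the page's hardening; empty = all good."""
    cfg, findings = parse_export(text), []
    services = dict(cfg.get("/ip service", []))
    for name, attrs in services.items():
        if name != "winbox" and attrs.get("disabled") != "yes":
            findings.append(f"service {name} is enabled; page keeps only winbox")
    winbox = services.get("winbox", {})
    if winbox.get("port") != WINBOX_PORT:
        findings.append(f"winbox port is {winbox.get('port', 'default')}, expected {WINBOX_PORT}")
    if winbox.get("address") != LAN_NETWORK:
        findings.append(f"winbox is not limited to {LAN_NETWORK}")
    for section, key in MUST_BE_OFF.items():
        if setting(cfg, section, key) == "yes":
            findings.append(f"{section} {key}=yes; page turns it off")
    if setting(cfg, "/ip ssh", "strong-crypto") != "yes":
        findings.append("/ip ssh strong-crypto is not yes")
    if setting(cfg, "/tool mac-server", "allowed-interface-list") != "none":
        findings.append("/tool mac-server allowed-interface-list is not none")
    if setting(cfg, "/ip dns", "allow-remote-requests") == "yes" and not any(
            rule.get("chain") == "input" and rule.get("action") == "drop"
            and rule.get("in-interface-list") == "!LAN"
            for _, rule in cfg.get("/ip firewall filter", [])):
        findings.append("DNS answers remote requests but no input rule drops traffic not from LAN")
    return findings

if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit(export) or "all checks passed")
```

Feed it the text of `/export` (or `/export verbose`) taken from the router; every line it prints is a setting that differs from what this page configures, and an empty result means all of the page's hardening choices are in place.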

## System settings

- Time settings
  - NTP Client: Enabled
  - Servers: ntp.tencent.com, ntp.aliyun.com
- Back up the system
- Connect the system to the network
- Activate the system (license)

## IPv6 configuration

### DHCPv6 client

- Interface: pppoe-out1
- Request: prefix
- Pool Name: dhcpv6-gua-pool1
- Pool Prefix Length: 64
- Use Peer DNS: untick
- Add Default Route: untick
- Comment: local DHCPv6 client

### Address configuration

GUA configuration:

- Address: ::1/64
- From Pool: dhcpv6-gua-pool1
- Interface: bridge1
- Advertise: ticked
- Comment: local LAN GUA IPv6 address

ULA configuration:

Open https://cd34.com/rfc4193/, enter the bridge IP address, and you get a prefix that follows the standard (RFC 4193).

- Address: fdac::1/64
- Interface: bridge1
- Advertise: ticked
- Comment: local LAN ULA IPv6 address
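As an added example (not from the original post), the script below does locally what the generator site linked above does: it runs the RFC 4193 section 3.2.2 algorithm, which derives the 40-bit Global ID from SHA-1 over an NTP timestamp and the EUI-64 of a MAC address and prepends `fd` to get a /48. It also shows how an "Address ::1/64, From Pool ..." entry is resolved: the first /64 of the delegated prefix with ::1 as the host part, the same operation that picks the bridge address out of the generated ULA /48. The MAC address, the timestamp and the delegated /56 are constructed sample values. A hand-written prefix such as fdac::/48 carries the Global ID ac00:0000:00, whereas RFC 4193 calls for a pseudo-random one, which is the reason to generate it rather than pick it.

```python
"""Added example (not from the original post): IPv6 addressing helpers for the
GUA and ULA sections above.  rfc4193_prefix() runs the RFC 4193 section 3.2.2
algorithm locally (what the linked generator site does for you) and
address_from_pool() resolves an "Address ::1/64, From Pool ..." entry the way
RouterOS does: first /64 of the pool prefix, host part ::1.  The MAC address,
the timestamp and the delegated /56 below are constructed sample values."""
import hashlib
import ipaddress
import itertools
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC: flip the U/L bit, insert ff:fe."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 and 32-bit fraction."""
    secs = int(unix_time) + NTP_EPOCH_OFFSET
    frac = int((unix_time - int(unix_time)) * (1 << 32))
    return struct.pack("!II", secs, frac)


def rfc4193_prefix(mac: str, unix_time: float) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: SHA-1(NTP time || EUI-64), keep the least significant
    40 bits as the Global ID, prepend fd (fc00::/7 with the L bit set) -> /48."""
    key = ntp_timestamp(unix_time) + mac_to_eui64(mac)
    global_id = hashlib.sha1(key).digest()[-5:]
    prefix_bytes = b"\xfd" + global_id + bytes(10)  # 16 bytes, host bits all zero
    return ipaddress.IPv6Network((int.from_bytes(prefix_bytes, "big"), 48))


def address_from_pool(pool, pool_prefix_length: int = 64, host_part: str = "::1",
                      index: int = 0) -> ipaddress.IPv6Interface:
    """Take the index-th /pool_prefix_length subnet of `pool` (a network or its
    string form) and OR in the host part, as "Address ::1/64 From Pool" is resolved."""
    pool = ipaddress.IPv6Network(str(pool))
    subnet = next(itertools.islice(pool.subnets(new_prefix=pool_prefix_length), index, None))
    host = int(ipaddress.IPv6Address(host_part))
    if host >= 1 << (128 - pool_prefix_length):
        raise ValueError("host part does not fit into the subnet")
    address = ipaddress.IPv6Address(int(subnet.network_address) | host)
    return ipaddress.IPv6Interface(f"{address}/{pool_prefix_length}")


if __name__ == "__main__":
    # Constructed inputs: a locally administered MAC and a fixed timestamp make the
    # run reproducible; for a real prefix use the bridge MAC and time.time().
    ula = rfc4193_prefix("02:00:00:aa:bb:cc", 1_700_000_000.0)
    print("ULA /48 prefix    :", ula)
    print("bridge ULA address:", address_from_pool(ula))
    print("bridge GUA address:", address_from_pool("2001:db8:abcd:100::/56"))  # 2001:db8:abcd:100::1/64
```

The generated /48 is what goes into the ULA entry in place of `fdac::` (with `::1/64` as the bridge address); because the Global ID comes from a hash, two sites that each generate their own prefix are very unlikely to collide if they are ever joined over a VPN, which is the property RFC 4193 is after.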

### ND configuration

Prefixes:

- Valid Lifetime: 00:30:00
- Preferred Lifetime: 00:10:00

Neighbor Discovery:

- Interface: bridge1
- RA Interval: 300-900
- RA Lifetime: 2700
- Hop Limit: 64
- DNS Servers: fdac::1
- Advertise MAC Address: ticked
- Advertise DNS: ticked

DNS:

- 2400:3200::1
- 2400:3200:baba::1

### Firewall (IPv6)

```routeros
##       Filter rules: 13
##          NAT rules: 1
##       Mangle rules: 1
## Address-list rules: 10
/ipv6 firewall address-list
add address=::1/128 comment="defconf: RFC6890 - loopback" list=bad_ipv6
add address=::/128 comment="defconf: RFC6890 - unspecified" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 - discard-only" list=bad_ipv6
add address=0000::/96 comment="defconf: RFC4291 - IPv4 compatible" list=bad_ipv6
add address=::ffff:0:0/96 comment="defconf: RFC6890 - IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890 - reserved" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 - documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: RFC4843 - ORCHID" list=bad_ipv6
add address=2001:20::/28 comment="defconf: RFC7343 - ORCHIDv2" list=bad_ipv6
add address=fec0::/10 comment="defconf: RFC3879 - site local" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=udp src-address=fe80::/10 log=yes log-prefix="[ipv6-pd]"
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop bogon IPs" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop bogon IPs" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=drop chain=forward comment="defconf: drop all not from LAN" in-interface-list=!LAN
/ipv6 firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade IPv6" out-interface-list=WAN disabled=yes
/ipv6 firewall mangle
add action=change-mss chain=forward comment="defconf: fix IPv6 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
```
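The IPv4 filter rules earlier on this page and the IPv6 rules just above are order-sensitive: RouterOS takes the first matching accept or drop, skips disabled rules, and accepts whatever reaches the end of a chain. The Python script below is an added example, not the post's or MikroTik's code: it parses the page's own `add` lines and walks them for a few constructed packets, so you can see which rule decides a given case before reordering anything. Two of the cases show that a DNS query arriving on the WAN is dropped by "drop all not from LAN" even though Allow Remote Requests is ticked, and that LAN-originated traffic is accepted only by the implicit accept at the end of the chain. Interface lists and the bad_ipv6 entries are a subset copied from the page; the packets are constructed.

```python
"""Added example (not from the original post): first-match simulator for the
`/ip firewall filter` and `/ipv6 firewall filter` rules of this page.  It
parses the page's own `add ...` lines and walks a chain the way RouterOS does:
first matching accept/drop wins, disabled rules are skipped, and a packet that
matches nothing hits the implicit accept at the end of the chain.  Only the
matchers the page uses are modelled; lists and packets are constructed."""
import ipaddress
import shlex

IFACE_LISTS = {"WAN": {"pppoe-out1"}, "LAN": {"bridge1"}, "ONU": {"ether2"}}
ADDRESS_LISTS = {"bad_ipv6": [ipaddress.ip_network(n) for n in
                              ("2001:db8::/32", "fec0::/10", "::ffff:0:0/96")]}
NOT_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled", "hw-offload"}

# Rules copied from the page: IPv4 input + forward, IPv6 forward.
IPV4_RULES = """
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes disabled=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward in-interface-list=!LAN comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="[wan-not-dnat]"
"""
IPV6_RULES = """
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop bogon IPs" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop bogon IPs" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=drop chain=forward comment="defconf: drop all not from LAN" in-interface-list=!LAN
"""

def parse_rules(script):
    """One dict per `add k=v k="v v"` line; shlex takes care of the quoting."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in script.strip().splitlines() if line.startswith("add ")]

def _negatable(want, test):
    """A matcher written as `!value` in RouterOS is the negation of `value`."""
    return test(want.lstrip("!")) != want.startswith("!")

def rule_matches(rule, pkt):
    """True when every matcher of the rule accepts the packet."""
    for key, want in rule.items():
        if key in NOT_MATCHERS:
            continue
        if key == "connection-state":
            ok = pkt["conn_state"] in want.split(",")
        elif key == "connection-nat-state":
            ok = _negatable(want, lambda s: pkt.get("nat_state") == s)
        elif key == "in-interface-list":
            ok = _negatable(want, lambda lst: pkt["in_iface"] in IFACE_LISTS[lst])
        elif key == "protocol":
            ok = pkt["proto"] == want
        elif key in ("src-address-list", "dst-address-list"):
            addr = ipaddress.ip_address(pkt[key[:3]])   # "src" or "dst"
            ok = any(addr in net for net in ADDRESS_LISTS[want])
        elif key == "hop-limit":                        # page uses only equal:N
            op, _, n = want.partition(":")
            ok = op == "equal" and pkt.get("hop_limit") == int(n)
        else:
            raise ValueError(f"matcher not modelled: {key}")
        if not ok:
            return False
    return True

def evaluate(rules, chain, pkt):
    """Walk one chain top to bottom; return (verdict, comment of the deciding rule)."""
    for rule in rules:
        if rule["chain"] != chain or rule.get("disabled") == "yes":
            continue
        if rule_matches(rule, pkt) and rule["action"] in ("accept", "drop"):
            return rule["action"], rule["comment"]
        # other actions (fasttrack-connection) do not terminate the chain
    return "accept", "implicit accept at end of chain"

def packet(in_iface, src, dst, proto, conn_state="new", **extra):
    """Constructed packet: only the fields the modelled matchers look at."""
    return {"in_iface": in_iface, "src": src, "dst": dst, "proto": proto,
            "conn_state": conn_state, **extra}

V4, V6 = parse_rules(IPV4_RULES), parse_rules(IPV6_RULES)

# The first two cases show why DNS allow-remote-requests=yes is not an open
# resolver here: the WAN query dies on "drop all not from LAN", the LAN query
# survives only through the implicit accept at the end of the input chain.
SAMPLES = {
    "DNS query from WAN": ("input", V4, packet("pppoe-out1", "203.0.113.9", "198.51.100.1", "udp")),
    "DNS query from LAN": ("input", V4, packet("bridge1", "192.168.100.50", "192.168.100.1", "udp")),
    "unsolicited WAN->LAN": ("forward", V4, packet("pppoe-out1", "203.0.113.9", "192.168.100.50", "tcp")),
    "reply to LAN session": ("forward", V4, packet("pppoe-out1", "203.0.113.9", "192.168.100.50", "tcp", "established")),
    "v6 bogon dst from LAN": ("forward", V6, packet("bridge1", "fdac::10", "2001:db8::1", "tcp")),
    "v6 ICMP hop-limit 1": ("forward", V6, packet("bridge1", "fdac::10", "2400:3200::1", "icmpv6", hop_limit=1)),
}

if __name__ == "__main__":
    for name, (chain, rules, pkt) in SAMPLES.items():
        print(f"{name:22s} {chain:8s} -> {evaluate(rules, chain, pkt)}")
```

To try a reordering, move a line inside `IPV4_RULES` or `IPV6_RULES` and rerun: placing "drop all not from LAN" above the established/related accept, for instance, makes the "reply to LAN session" case come back as a drop, which is exactly the mistake the simulator is meant to catch before it reaches the router.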

### Blackhole routes (IPv6)

First enter `/ipv6 route`, then add the following:

```routeros
/ipv6 route
add blackhole comment="defconf: RFC6890 - unspecified" disabled=no dst-address=::/128
add blackhole comment="defconf: RFC4291 - IPv4 compatible" disabled=no dst-address=0000::/96
add blackhole comment="defconf: RFC6890 - IPv4 mapped" disabled=no dst-address=::ffff:0:0/96
add blackhole comment="defconf: RFC6890 - discard-only" disabled=no dst-address=100::/64
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=2001::/23
add blackhole comment="defconf: RFC6890 - TEREDO" disabled=no dst-address=2001::/32
add blackhole comment="defconf: RFC6890 - benchmarking" disabled=no dst-address=2001:2::/48
add blackhole comment="defconf: RFC6890 - documentation" disabled=no dst-address=2001:db8::/32
add blackhole comment="defconf: RFC4843 - ORCHID" disabled=no dst-address=2001:10::/28
add blackhole comment="defconf: RFC7343 - ORCHIDv2" disabled=no dst-address=2001:20::/28
add blackhole comment="defconf: RFC6890 - 6to4" disabled=no dst-address=2002::/16
add blackhole comment="defconf: RFC6890 - unique local" disabled=no dst-address=fc00::/7
add blackhole comment="defconf: RFC6890 - link local" disabled=no dst-address=fe80::/10
add blackhole comment="defconf: RFC3879 - site local" disabled=no dst-address=fec0::/10
```
