我要投稿如果你有好的文章,欢迎分享给我们,我们会给与适当的补贴

PVE+ROS折腾笔记

| 2025-02-04 | 数码生活 | No Comments

其实相关的配置文件网路上,有很多,我只是来记录下,我自己折腾的一些经历。

第一次,没有设置好,出现的问题就很奇怪,就是部分网站上不去,网易的mumu模拟器无法联网。无奈之下,只能重新设置ROS。同样的配置下,就没有问题了。相当的无奈。不知道是我哪里设置的问题。

ROS系统设置

定义网口

网桥

备注 local Bridge

定义接口组

Code

/interface list
add name=WAN comment="defconf: WAN list"
add name=LAN comment="defconf: LAN list"
add name=ONU comment="onuconf: ONU list"

/interface list member
add list=WAN comment="defconf: WAN member" interface=pppoe-out1
add list=LAN comment="defconf: LAN member" interface=bridge1
add list=ONU comment="onuconf: ONU member" interface=ether2

IP相关配置

配置

  • adddress:
    192.168.100.1/24
  • network:
    192.168.100.0
  • interface
    bridge
  • comment
    local LAN IPv4 address

配置光猫接口ip

  • address:
    192.168.1.2/24
  • network
    192.168.1.0
  • interface
    ether1
  • comment
    link IPv4 address for ONU

DHCP客户端

  • 添加地址池
    • Name dhcpv4-pool1
    • Addresses 192.168.100.50-192.168.100.200
    • Comment local LAN DHCPv4 pool

DHCP服务器设置

  • Name
    dhcpv4-server1
  • Interface
    bridge1
  • Lease Time
    1d 00:00:00
  • Address Pool
    dhcpv4-pool1
  • Bootp Support
    none
  • Comment
    local LAN DHCPv4 server

Networks

配置相关参数

  • Address
    192.168.100.0/24
  • Gateway
    192.168.100.1
  • Netmask
    24
  • DNS Server
    192.168.100.1
  • Comment
    local LAN DHCPv4 network

DNS配置

  • 223.5.5.5
  • Allow Remote Requests
    勾选
  • Max. Concurrent Queries
    150
  • Cache Size
    1024
  • Cache Max TTL
    06:00:00

防火墙规则

Code

##       Filter 规则  9 条 + 虚拟规则 1 条
##          NAT 规则  4 条
##       Mangle 规则  2 条 + 虚拟规则 3 条
## Address-list 规则  2 条

/ip firewall address-list

add address=192.168.1.1 comment="onuconf: local ONU address" list=local_onu_ipv4
add address=192.168.100.0/24 comment="lanconf: local LAN address" list=local_lan_ipv4


/ip firewall filter

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes disabled=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward in-interface-list=!LAN comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="[wan-not-dnat]"
add action=drop chain=forward comment="onuconf: drop all from ONU not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=ONU log=yes log-prefix="[onu-not-dnat]"


/ip firewall nat

add action=masquerade chain=srcnat comment="defconf: masquerade IPv4" out-interface-list=WAN
add action=masquerade chain=srcnat comment="onuconf: access to ONU" out-interface-list=ONU src-address-list=local_lan_ipv4 dst-address-list=local_onu_ipv4



/ip firewall mangle

add action=change-mss chain=forward comment="defconf: fix IPv4 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=accept chain=prerouting comment="onuconf: access to ONU" src-address-list=local_lan_ipv4 dst-address-list=local_onu_ipv4




/ip settings
set max-neighbor-entries=1024 rp-filter=loose tcp-syncookies=yes

/ip neighbor discovery-settings
set discover-interface-list=none

/ip proxy
set enabled=no

/ip socks
set enabled=no

/ip upnp
set enabled=no

/ip cloud
set ddns-enabled=no update-time=no

/ip ssh
set strong-crypto=yes

/tool mac-server
set allowed-interface-list=none

/tool mac-server mac-winbox
set allowed-interface-list=none

/tool mac-server ping
set enabled=no

/tool bandwidth-server
set enabled=no

黑洞路由

Code

/ip route

add blackhole comment="defconf: RFC6890 - this network" disabled=no dst-address=0.0.0.0/8
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=10.0.0.0/8
add blackhole comment="defconf: RFC6890 - shared address" disabled=no dst-address=100.64.0.0/10
add blackhole comment="defconf: RFC6890 - link local" disabled=no dst-address=169.254.0.0/16
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=172.16.0.0/12
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=192.0.0.0/24
add blackhole comment="defconf: RFC6890 - DS-Lite" disabled=no dst-address=192.0.0.0/29
add blackhole comment="defconf: RFC6890 - TEST-NET-1" disabled=no dst-address=192.0.2.0/24
add blackhole comment="defconf: RFC6890 - 6to4 relay" disabled=no dst-address=192.88.99.0/24
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=192.168.0.0/16
add blackhole comment="defconf: RFC6890 - benchmarking" disabled=no dst-address=198.18.0.0/15
add blackhole comment="defconf: RFC6890 - TEST-NET-2" disabled=no dst-address=198.51.100.0/24
add blackhole comment="defconf: RFC6890 - TEST-NET-3" disabled=no dst-address=203.0.113.0/24
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=240.0.0.0/4

服务安全加固

- 关闭不必要服务,开启只允许内网链接
- 1、除winbox外,全部关闭
- 2、修改winbox端口为5391
- 3、在允许ip地址里填写 192.168.100.0/24

系统设置

  • 时间设置
  • NTP Client
    Enabled
    ntp.tencent.com
    ntp.aliyun.com

系统备份

系统联网

系统激活

ipv6配置

DHCP客户端配置

  • Interface
    • pppoe-out1
  • Request
    • prefix
  • Pool Name
    • dhcpv6-gua-pool1
  • Pool Prefix Length
    • 64
  • Use Peer DNS
    • 取消勾选
  • Add Default Route
    • 不勾选
  • Comment
    • local DHCPv6 client

地址配置

gla配置

  • Address
    • ::1/64
  • From Pool
    • dhcpv6-gua-pool1
  • Interface
    • bridge1
  • Advertise
    • 勾选
  • Comment
    • local LAN GUA IPv6 address

ula配置

登录相关网站 https://cd34.com/rfc4193/
,输入网桥ip地址,得到正确符合标准前缀

  • Address
    • fdac::1/64
  • Interface
    • bridge1
  • Advertise
    • 勾选
  • Comment
    • local LAN ULA IPv6 address

ND配置

  • Prefixes
  • Valid Lifetime
    • 00:30:00
  • Preferred Lifetime
    • 00:10:00

Neighbor Discovery

  • Interface
    • bridge1
  • RA Interval
    • 300-900
  • RA Lifetime
    • 2700
  • Hop Limit
    • 64
  • DNS Servers
    • fdac::1
  • Advertise MAC Address
    • 勾选
  • Advertise DNS
    • 勾选
  • dns
    • 2400:3200::1
    • 2400:3200:baba::1

firewall

Code

##       Filter 规则 13 条
##          NAT 规则  1 条
##       Mangle 规则  1 条
## Address-list 规则 10 条

/ipv6 firewall address-list

add address=::1/128 comment="defconf: RFC6890 - loopback" list=bad_ipv6
add address=::/128 comment="defconf: RFC6890 - unspecified" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 - discard-only" list=bad_ipv6
add address=0000::/96 comment="defconf: RFC4291 - IPv4 compatible" list=bad_ipv6
add address=::ffff:0:0/96 comment="defconf: RFC6890 - IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890 - reserved" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 - documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: RFC4843 - ORCHID" list=bad_ipv6
add address=2001:20::/28 comment="defconf: RFC7343 - ORCHIDv2" list=bad_ipv6
add address=fec0::/10 comment="defconf: RFC3879 - site local" list=bad_ipv6


/ipv6 firewall filter

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=udp src-address=fe80::/10 log=yes log-prefix="[ipv6-pd]"
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN

add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop bogon IPs" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop bogon IPs" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=drop chain=forward comment="defconf: drop all not from LAN" in-interface-list=!LAN


/ipv6 firewall nat

add action=masquerade chain=srcnat comment="defconf: masquerade IPv6" out-interface-list=WAN disabled=yes



/ipv6 firewall mangle

add action=change-mss chain=forward comment="defconf: fix IPv6 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn

黑洞路由

首先输入 /ipv6 route

Code



add blackhole comment="defconf: RFC6890 - unspecified" disabled=no dst-address=::/128
add blackhole comment="defconf: RFC4291 - IPv4 compatible" disabled=no dst-address=0000::/96
add blackhole comment="defconf: RFC6890 - IPv4 mapped" disabled=no dst-address=::ffff:0:0/96
add blackhole comment="defconf: RFC6890 - discard-only" disabled=no dst-address=100::/64
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=2001::/23
add blackhole comment="defconf: RFC6890 - TEREDO" disabled=no dst-address=2001::/32

小包优先

/ip firewall mangle
add action=mark-packet chain=prerouting comment=\
    "Mark packet for QoS (download)" disabled=yes in-interface=pppoe-out1 \
    new-packet-mark=pkt-download passthrough=yes
add action=mark-packet chain=prerouting comment=\
    "Mark packet for QoS (upload)" disabled=yes new-packet-mark=pkt-upload \
    passthrough=yes
add action=mark-packet chain=forward comment=General connection-mark=\
    !P2p_conn disabled=yes new-packet-mark=General passthrough=yes
add action=mark-packet chain=forward comment=Small disabled=yes \
    new-packet-mark=Small packet-size=0-32 passthrough=yes
add action=mark-packet chain=forward disabled=yes new-packet-mark=Small \
    passthrough=yes protocol=icmp
add action=mark-packet chain=forward comment=Tcp disabled=yes dst-port=\
    22,23,80,443 new-packet-mark=Tcp passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment=Small_Big disabled=yes \
    new-packet-mark=Small_Big packet-size=33-512 passthrough=yes
add action=mark-packet chain=forward comment=Big disabled=yes \
    new-packet-mark=Big packet-size=513-1200 passthrough=yes
add action=mark-connection chain=forward comment=p2p disabled=yes \
    in-interface=all-ppp new-connection-mark=P2p_conn passthrough=yes port=\
    7881 protocol=tcp
add action=mark-packet chain=forward connection-mark=P2p_conn disabled=yes \
    new-packet-mark=P2p passthrough=no
/queue tree
add comment="\D0\A1\B0\FC\D3\C5\CF\C8" disabled=yes limit-at=10M max-limit=\
    190M name=p2p1 packet-mark=P2p parent=pppoe-out1 queue=default
add comment="\D0\A1\B0\FC\D3\C5\CF\C8" disabled=yes name=ClassA parent=global \
    priority=7 queue=default
add disabled=yes name=ClassB parent=ClassA queue=default
add disabled=yes name=Leaf1 packet-mark=General parent=ClassA priority=7 \
    queue=default
add disabled=yes name=Leaf2 packet-mark=Small parent=ClassB priority=3 queue=\
    default
add disabled=yes name=Leaf4 packet-mark=Small_Big parent=ClassB priority=5 \
    queue=default
add disabled=yes name=Leaf5 packet-mark=Big parent=ClassB priority=6 queue=\
    default
add disabled=yes name=Leaf3 packet-mark=Tcp parent=ClassB priority=4 queue=\
    default

备份系统

参考文章:

Tags:, ,

Related Posts

About The Author

黄大少

生活苦不苦,嚼嚼咽了。

Add a Comment

Your email address will not be published. Required fields are marked *