PVE + ROS tinkering notes
There are plenty of these config files on the web; I'm just recording my own tinkering here.
The first time, I didn't set it up right and the problems were strange: some websites couldn't be reached, and NetEase's MuMu emulator couldn't get online. I had no choice but to set ROS up again from scratch. With the same configuration, there was no problem. Quite frustrating. I don't know what I had set wrong.
ROS system settings
Define interfaces
Bridge (bridge1)
- Comment: local Bridge
Define interface lists
The firewall and NAT rules below match on these lists (WAN, LAN, ONU) rather than on individual interfaces, so a second uplink or a new LAN port is added to the list, not to every rule. The interface in the ONU list must be the physical port the ONU is plugged into.
Code
/interface list
add name=WAN comment="defconf: WAN list"
add name=LAN comment="defconf: LAN list"
add name=ONU comment="onuconf: ONU list"
/interface list member
add list=WAN comment="defconf: WAN member" interface=pppoe-out1
add list=LAN comment="defconf: LAN member" interface=bridge1
add list=ONU comment="onuconf: ONU member" interface=ether2
IP settings
LAN address
- Address: 192.168.100.1/24
- Network: 192.168.100.0
- Interface: bridge1
- Comment: local LAN IPv4 address
ONU link address
- Address: 192.168.1.2/24
- Network: 192.168.1.0
- Interface: ether1
- Comment: link IPv4 address for ONU
This address goes on the physical port facing the ONU (the same port that belongs to the ONU interface list), so the ONU's management page at 192.168.1.1 stays reachable from the LAN through the srcnat rule in the firewall section.
DHCP address pool (IP > Pool)
- Name: dhcpv4-pool1
- Addresses: 192.168.100.50-192.168.100.200
- Comment: local LAN DHCPv4 pool
DHCP server settings
- Name: dhcpv4-server1
- Interface: bridge1
- Lease Time: 1d 00:00:00
- Address Pool: dhcpv4-pool1
- Bootp Support: none
- Comment: local LAN DHCPv4 server
Networks
- Address: 192.168.100.0/24
- Gateway: 192.168.100.1
- Netmask: 24
- DNS Server: 192.168.100.1
- Comment: local LAN DHCPv4 network
DNS configuration
- Servers: 223.5.5.5
- Allow Remote Requests: checked
- Max. Concurrent Queries: 150
- Cache Size: 1024
- Cache Max TTL: 06:00:00
Allow Remote Requests makes the router answer DNS on every interface, the PPPoE WAN included. What stops it from being an open resolver on the internet is the input-chain rule below that drops everything not arriving from the LAN list; do not enable this option without that rule in place.
Firewall rules
A few things to know before copying this rule set. The fasttrack rule is deliberately left disabled=yes: fasttracked connections bypass the mangle chain and the queue tree, so it has to stay off for the QoS marking further down to have any effect. The forward "drop invalid" rule is narrowed with in-interface-list=!LAN, so invalid-state packets originating on the LAN side are not dropped by it (the stock defconf rule has no interface match). The second srcnat rule masquerades LAN traffic to the ONU behind the router's 192.168.1.2 link address, because the ONU has no route back to 192.168.100.0/24; the matching mangle prerouting accept rule keeps that traffic out of any later prerouting mangle rules (such as the QoS marks below). Both forward-chain drop rules log with a prefix, so blocked attempts from the WAN and ONU sides show up in /log.
Code
## Filter rules: 9 (plus 1 virtual rule)
## NAT rules: 2
## Mangle rules: 2 (plus 3 virtual rules)
## Address-list entries: 2
/ip firewall address-list
add address=192.168.1.1 comment="onuconf: local ONU address" list=local_onu_ipv4
add address=192.168.100.0/24 comment="lanconf: local LAN address" list=local_lan_ipv4
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes disabled=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward in-interface-list=!LAN comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="[wan-not-dnat]"
add action=drop chain=forward comment="onuconf: drop all from ONU not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=ONU log=yes log-prefix="[onu-not-dnat]"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade IPv4" out-interface-list=WAN
add action=masquerade chain=srcnat comment="onuconf: access to ONU" out-interface-list=ONU src-address-list=local_lan_ipv4 dst-address-list=local_onu_ipv4
/ip firewall mangle
add action=change-mss chain=forward comment="defconf: fix IPv4 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=accept chain=prerouting comment="onuconf: access to ONU" src-address-list=local_lan_ipv4 dst-address-list=local_onu_ipv4
/ip settings
set max-neighbor-entries=1024 rp-filter=loose tcp-syncookies=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/ip proxy
set enabled=no
/ip socks
set enabled=no
/ip upnp
set enabled=no
/ip cloud
set ddns-enabled=no update-time=no
/ip ssh
set strong-crypto=yes
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool bandwidth-server
set enabled=no
Blackhole routes
These discard traffic to the RFC 6890 special-purpose ranges when nothing more specific matches, so packets for unused private space never leave through the PPPoE default route. The connected routes for 192.168.100.0/24 and 192.168.1.0/24 are more specific than the 192.168.0.0/16 blackhole, so the LAN and the ONU link keep working.
Code
/ip route
add blackhole comment="defconf: RFC6890 - this network" disabled=no dst-address=0.0.0.0/8
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=10.0.0.0/8
add blackhole comment="defconf: RFC6890 - shared address" disabled=no dst-address=100.64.0.0/10
add blackhole comment="defconf: RFC6890 - link local" disabled=no dst-address=169.254.0.0/16
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=172.16.0.0/12
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=192.0.0.0/24
add blackhole comment="defconf: RFC6890 - DS-Lite" disabled=no dst-address=192.0.0.0/29
add blackhole comment="defconf: RFC6890 - TEST-NET-1" disabled=no dst-address=192.0.2.0/24
add blackhole comment="defconf: RFC6890 - 6to4 relay" disabled=no dst-address=192.88.99.0/24
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=192.168.0.0/16
add blackhole comment="defconf: RFC6890 - benchmarking" disabled=no dst-address=198.18.0.0/15
add blackhole comment="defconf: RFC6890 - TEST-NET-2" disabled=no dst-address=198.51.100.0/24
add blackhole comment="defconf: RFC6890 - TEST-NET-3" disabled=no dst-address=203.0.113.0/24
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=240.0.0.0/4
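To check what those blackholes actually do to a given destination, here is an added example (not code from the page): a longest-prefix-match lookup in Python over the page's route table, with the two connected routes and the PPPoE default route assumed to have the same distance as the blackholes. It shows that LAN and ONU destinations still hit their connected routes while stray RFC 1918 destinations are discarded instead of leaking out the WAN.

```python
import ipaddress
from typing import NamedTuple, List


class Route(NamedTuple):
    dst: ipaddress.IPv4Network
    action: str      # "connected", "gateway" or "blackhole"
    via: str         # interface name for connected/gateway routes, "" for blackhole


# Routing table modelled on the page: connected LAN and ONU routes, the PPPoE
# default route, and the RFC 6890 blackhole routes. All are assumed active with
# equal distance, so only prefix length decides.
ROUTES: List[Route] = [
    Route(ipaddress.IPv4Network("192.168.100.0/24"), "connected", "bridge1"),
    Route(ipaddress.IPv4Network("192.168.1.0/24"), "connected", "ether1"),
    Route(ipaddress.IPv4Network("0.0.0.0/0"), "gateway", "pppoe-out1"),
] + [
    Route(ipaddress.IPv4Network(p), "blackhole", "")
    for p in ("0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "169.254.0.0/16",
              "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.2.0/24",
              "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15",
              "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4")
]


def lookup(dst: str, routes: List[Route] = ROUTES) -> Route:
    """Longest-prefix match: the most specific dst-address that contains the
    destination wins, which is how the FIB picks between the /16 blackhole and
    the connected /24s."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in routes if addr in r.dst]
    return max(candidates, key=lambda r: r.dst.prefixlen)


def leaks_to_wan(dst: str) -> bool:
    """True if a packet to dst would be sent out the PPPoE default route."""
    return lookup(dst).action == "gateway"


if __name__ == "__main__":
    for d in ("192.168.100.5", "192.168.1.1", "192.168.50.9", "10.8.0.1", "1.1.1.1"):
        r = lookup(d)
        print(f"{d:>15} -> {r.action} {r.via} ({r.dst})")
```

Without the blackholes, a typo such as 192.168.50.9 would be NATed and sent to the ISP; with them it is dropped locally, which also means a misconfigured client can't probe the provider's internal ranges through your uplink.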
Service hardening
- Disable every service you don't need, and allow the rest only from the LAN:
- 1. Under IP > Services, disable everything except winbox.
- 2. Change the winbox port to 5391.
- 3. In the Available From field, enter 192.168.100.0/24.
Changing the port only hides winbox from casual scans; the Available From restriction and the input-chain rule that drops everything not from the LAN list are what actually keep it off the internet. With ssh disabled here, the /ip ssh strong-crypto=yes setting above only matters if ssh is re-enabled later.
System settings
- Time
- NTP Client: Enabled
- NTP servers: ntp.tencent.com, ntp.aliyun.com
System backup
System networking
System activation
IPv6 configuration
DHCPv6 client configuration
- Interface: pppoe-out1
- Request: prefix
- Pool Name: dhcpv6-gua-pool1
- Pool Prefix Length: 64
- Use Peer DNS: unchecked
- Add Default Route: unchecked
- Comment: local DHCPv6 client
Address configuration
GUA configuration
- Address: ::1/64
- From Pool: dhcpv6-gua-pool1
- Interface: bridge1
- Advertise: checked
- Comment: local LAN GUA IPv6 address
With From Pool set, ::1/64 means the router takes one /64 out of the delegated prefix, gives itself host address ::1 in it, and advertises that /64 to the LAN.
ULA configuration
Go to https://cd34.com/rfc4193/ and enter the bridge address to get a prefix generated according to the RFC 4193 algorithm. That algorithm produces a pseudo-random 40-bit Global ID, so the result looks like fdxx:xxxx:xxxx::/48. A hand-picked short prefix such as fdac::/64 is still a valid ULA, but it gives up the collision resistance the random Global ID exists for, which matters as soon as two such networks are joined over a VPN.
- Address: fdac::1/64
- Interface: bridge1
- Advertise: checked
- Comment: local LAN ULA IPv6 address
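For anyone who prefers not to trust a web form with this, here is an added example (not from the page or from the cd34.com tool) implementing the RFC 4193 section 3.2.2 procedure in Python: SHA-1 over a 64-bit NTP timestamp concatenated with the modified EUI-64 of a MAC address, low 40 bits as the Global ID, giving an fd00::/8 prefix with L=1. The MAC and timestamp used in the usage block are made up; the subnet and router-address helpers follow the page's ::1/64 convention.

```python
import hashlib
import ipaddress
import time
from typing import Optional, Union

NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01

NetLike = Union[str, ipaddress.IPv6Network]


def mac_to_eui64(mac: str) -> bytes:
    """Modified EUI-64 from a 48-bit MAC (RFC 4291 appendix A): flip the
    universal/local bit and insert ff:fe in the middle."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]


def ntp_timestamp(unix_seconds: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus 32-bit fraction."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    secs = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    return secs.to_bytes(4, "big") + frac.to_bytes(4, "big")


def rfc4193_prefix(mac: str, unix_seconds: Optional[float] = None) -> ipaddress.IPv6Network:
    """RFC 4193 3.2.2: key = NTP time || EUI-64; Global ID = low 40 bits of
    SHA-1(key); prefix = fd (fc00::/7 with L=1) || Global ID, a /48."""
    if unix_seconds is None:
        unix_seconds = time.time()
    key = ntp_timestamp(unix_seconds) + mac_to_eui64(mac)
    digest = hashlib.sha1(key).digest()
    global_id = int.from_bytes(digest[-5:], "big")  # least significant 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)
    return ipaddress.IPv6Network((prefix_int, 48))


def ula_subnet(prefix: NetLike, subnet_id: int) -> ipaddress.IPv6Network:
    """Carve a /64 out of the /48: the 16-bit Subnet ID occupies bits 48-63."""
    net = ipaddress.IPv6Network(str(prefix))
    if net.prefixlen != 48 or not 0 <= subnet_id <= 0xFFFF:
        raise ValueError("need a /48 ULA prefix and a 16-bit subnet id")
    return ipaddress.IPv6Network((int(net.network_address) | (subnet_id << 64), 64))


def router_address(subnet: NetLike, host: int = 1) -> ipaddress.IPv6Interface:
    """The address to put on bridge1, ::1/64 by the page's convention."""
    net = ipaddress.IPv6Network(str(subnet))
    return ipaddress.IPv6Interface((int(net.network_address) | host, 64))


if __name__ == "__main__":
    # Made-up MAC and a fixed timestamp so the run is reproducible.
    p = rfc4193_prefix("00:11:22:33:44:55", 1700000000.0)
    lan = ula_subnet(p, 1)
    print("ULA /48:", p)
    print("LAN /64:", lan, "router:", router_address(lan))
```

The timestamp is part of the key on purpose: the same MAC run twice yields different prefixes, which is what makes accidental overlap between independently generated sites unlikely. Record the prefix once and keep it; don't regenerate it on every boot.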
ND configuration
Prefixes
- Valid Lifetime: 00:30:00
- Preferred Lifetime: 00:10:00
Neighbor Discovery
- Interface: bridge1
- RA Interval: 300-900
- RA Lifetime: 2700
- Hop Limit: 64
- DNS Servers: fdac::1
- Advertise MAC Address: checked
- Advertise DNS: checked
The RA Lifetime (2700 s) has to be larger than the maximum RA interval (900 s), otherwise hosts would see their default router expire between advertisements.
DNS servers (IPv6 upstreams for the router's own resolver; clients are told to use fdac::1 via RA)
- 2400:3200::1
- 2400:3200:baba::1
IPv6 firewall
Unlike IPv4 behind NAT, every LAN host here has a globally routed address, so the forward chain's final "drop all not from LAN" rule is what keeps unsolicited connections out. "accept ICMPv6" in the forward chain deliberately lets the internet reach LAN hosts with ICMPv6 (echo, and Packet Too Big, which IPv6 path MTU discovery depends on). The IPv6 masquerade rule is left disabled; IPv6 does not need NAT here and enabling it would break end-to-end addressing.
Code
## Filter 规则 13 条
## NAT 规则 1 条
## Mangle 规则 1 条
## Address-list 规则 10 条
/ipv6 firewall address-list
add address=::1/128 comment="defconf: RFC6890 - loopback" list=bad_ipv6
add address=::/128 comment="defconf: RFC6890 - unspecified" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 - discard-only" list=bad_ipv6
add address=0000::/96 comment="defconf: RFC4291 - IPv4 compatible" list=bad_ipv6
add address=::ffff:0:0/96 comment="defconf: RFC6890 - IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890 - reserved" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 - documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: RFC4843 - ORCHID" list=bad_ipv6
add address=2001:20::/28 comment="defconf: RFC7343 - ORCHIDv2" list=bad_ipv6
add address=fec0::/10 comment="defconf: RFC3879 - site local" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=udp src-address=fe80::/10 log=yes log-prefix="[ipv6-pd]"
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop bogon IPs" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop bogon IPs" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=drop chain=forward comment="defconf: drop all not from LAN" in-interface-list=!LAN
/ipv6 firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade IPv6" out-interface-list=WAN disabled=yes
/ipv6 firewall mangle
add action=change-mss chain=forward comment="defconf: fix IPv6 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
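To see how the ordering of that forward chain decides things, here is an added example (not code from the page) that evaluates the IPv6 forward rules above, with the page's bad_ipv6 list, against constructed packets. The same first-match model applies to the IPv4 forward chain earlier on the page, with the dstnat condition taking the place of the bogon lists. The sample addresses are constructed: the page's AliDNS resolver stands in for an internet host and a placeholder global address for a LAN host.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Tuple

# The page's /ipv6 firewall address-list bad_ipv6.
BAD_IPV6 = [ipaddress.IPv6Network(p) for p in (
    "::1/128", "::/128", "100::/64", "::/96", "::ffff:0:0/96", "2001::/23",
    "2001:db8::/32", "2001:10::/28", "2001:20::/28", "fec0::/10")]


def in_address_list(addr: str, nets: List[ipaddress.IPv6Network]) -> bool:
    a = ipaddress.IPv6Address(addr)
    return any(a in n for n in nets)


@dataclass
class Packet:
    in_list: str            # interface list the packet arrived on: "LAN" or "WAN"
    proto: str              # "icmpv6", "tcp" or "udp"
    src: str
    dst: str
    state: str = "new"      # connection-tracking state
    hop_limit: int = 64


@dataclass
class Rule:
    comment: str
    action: str             # "accept" or "drop"
    match: Callable[[Packet], bool]


# /ipv6 firewall filter chain=forward, in the page's order.
FORWARD: List[Rule] = [
    Rule("accept established,related,untracked", "accept",
         lambda p: p.state in ("established", "related", "untracked")),
    Rule("drop invalid", "drop", lambda p: p.state == "invalid"),
    Rule("drop bogon IPs (src)", "drop", lambda p: in_address_list(p.src, BAD_IPV6)),
    Rule("drop bogon IPs (dst)", "drop", lambda p: in_address_list(p.dst, BAD_IPV6)),
    Rule("rfc4890 drop hop-limit=1", "drop",
         lambda p: p.proto == "icmpv6" and p.hop_limit == 1),
    Rule("accept ICMPv6", "accept", lambda p: p.proto == "icmpv6"),
    Rule("drop all not from LAN", "drop", lambda p: p.in_list != "LAN"),
]


def evaluate(chain: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule decides; a chain with no match falls through to
    RouterOS's implicit accept."""
    for rule in chain:
        if rule.match(pkt):
            return rule.action, rule.comment
    return "accept", "chain default"


# Constructed sample addresses (not hosts from the page's network).
WAN_HOST = "2400:3200::1"     # the page's upstream resolver, as "the internet"
LAN_HOST = "3fff:db8::10"     # placeholder global address for a LAN machine

if __name__ == "__main__":
    samples = [
        Packet("WAN", "icmpv6", WAN_HOST, LAN_HOST),
        Packet("WAN", "icmpv6", WAN_HOST, LAN_HOST, hop_limit=1),
        Packet("WAN", "tcp", WAN_HOST, LAN_HOST),
        Packet("WAN", "tcp", WAN_HOST, LAN_HOST, state="established"),
        Packet("LAN", "tcp", LAN_HOST, "2001:db8::1"),
        Packet("LAN", "tcp", LAN_HOST, WAN_HOST),
    ]
    for s in samples:
        print(f"{s.in_list} {s.proto:6} {s.src} -> {s.dst}: {evaluate(FORWARD, s)}")
```

The two results worth internalising: a new TCP connection from the internet to a LAN host dies on the last rule only because nothing before it accepted, and an ICMPv6 echo to that same host is accepted by design. If you do not want LAN hosts pingable from outside, narrow the "accept ICMPv6" forward rule to the types you need rather than deleting it.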
Blackhole routes
Code
/ipv6 route
add blackhole comment="defconf: RFC6890 - unspecified" disabled=no dst-address=::/128
add blackhole comment="defconf: RFC4291 - IPv4 compatible" disabled=no dst-address=0000::/96
add blackhole comment="defconf: RFC6890 - IPv4 mapped" disabled=no dst-address=::ffff:0:0/96
add blackhole comment="defconf: RFC6890 - discard-only" disabled=no dst-address=100::/64
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=2001::/23
add blackhole comment="defconf: RFC6890 - TEREDO" disabled=no dst-address=2001::/32
Small packets first (QoS)
All of these rules and queues are disabled (disabled=yes); they only take effect once enabled, and only while the fasttrack rule in the IPv4 filter stays disabled, since fasttracked connections skip mangle and the queue tree. Also note that a packet holds a single packet-mark and every matching mark-packet rule with passthrough=yes overwrites it, so in this order the size rules (33-512, 513-1200) replace the Small and Tcp marks for most packets; a bare TCP ACK is 40 bytes and ends up in Small_Big, not Small.
Code
/ip firewall mangle
add action=mark-packet chain=prerouting comment=\
"Mark packet for QoS (download)" disabled=yes in-interface=pppoe-out1 \
new-packet-mark=pkt-download passthrough=yes
add action=mark-packet chain=prerouting comment=\
"Mark packet for QoS (upload)" disabled=yes new-packet-mark=pkt-upload \
passthrough=yes
add action=mark-packet chain=forward comment=General connection-mark=\
!P2p_conn disabled=yes new-packet-mark=General passthrough=yes
add action=mark-packet chain=forward comment=Small disabled=yes \
new-packet-mark=Small packet-size=0-32 passthrough=yes
add action=mark-packet chain=forward disabled=yes new-packet-mark=Small \
passthrough=yes protocol=icmp
add action=mark-packet chain=forward comment=Tcp disabled=yes dst-port=\
22,23,80,443 new-packet-mark=Tcp passthrough=yes protocol=tcp
add action=mark-packet chain=forward comment=Small_Big disabled=yes \
new-packet-mark=Small_Big packet-size=33-512 passthrough=yes
add action=mark-packet chain=forward comment=Big disabled=yes \
new-packet-mark=Big packet-size=513-1200 passthrough=yes
add action=mark-connection chain=forward comment=p2p disabled=yes \
in-interface=all-ppp new-connection-mark=P2p_conn passthrough=yes port=\
7881 protocol=tcp
add action=mark-packet chain=forward connection-mark=P2p_conn disabled=yes \
new-packet-mark=P2p passthrough=no
/queue tree
add comment="small packets first" disabled=yes limit-at=10M max-limit=\
190M name=p2p1 packet-mark=P2p parent=pppoe-out1 queue=default
add comment="small packets first" disabled=yes name=ClassA parent=global \
priority=7 queue=default
add disabled=yes name=ClassB parent=ClassA queue=default
add disabled=yes name=Leaf1 packet-mark=General parent=ClassA priority=7 \
queue=default
add disabled=yes name=Leaf2 packet-mark=Small parent=ClassB priority=3 queue=\
default
add disabled=yes name=Leaf4 packet-mark=Small_Big parent=ClassB priority=5 \
queue=default
add disabled=yes name=Leaf5 packet-mark=Big parent=ClassB priority=6 queue=\
default
add disabled=yes name=Leaf3 packet-mark=Tcp parent=ClassB priority=4 queue=\
default
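To make the mark-overwriting behaviour concrete, here is an added example (not code from the page) that replays the page's chain=forward mark-packet rules in Python with RouterOS semantics: one packet-mark per packet, each matching rule overwrites it, passthrough=yes keeps evaluating, passthrough=no stops. It also tries a reordered chain, which is my suggestion and not from the page, where the size rules come first so the protocol-specific marks are applied last.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Pkt:
    proto: str                    # "tcp", "udp" or "icmp"
    size: int                     # IP packet length in bytes (what packet-size matches)
    dst_port: Optional[int] = None
    p2p_conn: bool = False        # True if the connection already carries P2p_conn


# (comment, match, new-packet-mark, passthrough): the page's chain=forward
# mark-packet rules in the order they are listed.
Rule = Tuple[str, Callable[[Pkt], bool], str, bool]

PAGE_ORDER: List[Rule] = [
    ("General",    lambda p: not p.p2p_conn,                                      "General",   True),
    ("Small",      lambda p: p.size <= 32,                                        "Small",     True),
    ("Small/icmp", lambda p: p.proto == "icmp",                                   "Small",     True),
    ("Tcp",        lambda p: p.proto == "tcp" and p.dst_port in (22, 23, 80, 443), "Tcp",     True),
    ("Small_Big",  lambda p: 33 <= p.size <= 512,                                 "Small_Big", True),
    ("Big",        lambda p: 513 <= p.size <= 1200,                               "Big",       True),
    ("P2p",        lambda p: p.p2p_conn,                                          "P2p",       False),
]

# Suggested ordering (an assumption for illustration, not from the page): size
# classes first, then the ICMP and TCP rules, so their marks survive.
REORDERED: List[Rule] = [PAGE_ORDER[0], PAGE_ORDER[4], PAGE_ORDER[5],
                         PAGE_ORDER[1], PAGE_ORDER[2], PAGE_ORDER[3], PAGE_ORDER[6]]

# Queue-tree leaf each mark lands in, from the page's /queue tree.
LEAF = {"General": "Leaf1", "Small": "Leaf2", "Tcp": "Leaf3",
        "Small_Big": "Leaf4", "Big": "Leaf5", "P2p": "p2p1"}


def final_mark(pkt: Pkt, chain: List[Rule] = PAGE_ORDER) -> Optional[str]:
    """Walk the mangle chain: every matching mark-packet rule overwrites the
    single packet-mark; passthrough=no ends evaluation."""
    mark = None
    for _comment, match, new_mark, passthrough in chain:
        if match(pkt):
            mark = new_mark
            if not passthrough:
                break
    return mark


def queue_for(pkt: Pkt, chain: List[Rule] = PAGE_ORDER) -> Optional[str]:
    return LEAF.get(final_mark(pkt, chain))


if __name__ == "__main__":
    samples = [Pkt("tcp", 100, 443), Pkt("tcp", 40, 443), Pkt("tcp", 1400, 443),
               Pkt("icmp", 64), Pkt("udp", 1300), Pkt("tcp", 1000, 7881, p2p_conn=True)]
    for s in samples:
        print(f"{s.proto:4} {s.size:5}B port={s.dst_port}: page order -> "
              f"{queue_for(s)}, reordered -> {queue_for(s, REORDERED)}")
```

With the page's order, a 100-byte HTTPS packet and a 64-byte ping both end up in Leaf4 (Small_Big) and only TCP packets over 1200 bytes ever reach Leaf3, so the Tcp and ICMP rules are mostly decorative. The P2p rule works as intended only because it is last and uses passthrough=no.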
Back up the system