这是作为二级路由使用的配置:ether1 口接移动宽带的光猫,在光猫里拨号。
包含了wireguard连接境外VPS,在VPS上还要运行bird2的OSPF协议,控制AX3 IP地址分流。
配置文件里敏感信息已经处理掉了,需要填写你自己参数的地方都是全大写字母。VPS地址写了MY_VPS_IP, 相信你会改成自己的。
更新到了最新状态:添加了 container 的配置,在 container 里运行 AdGuard Home,不再需要外部小盒子跑 DNS。
- # 2024-01-16 16:40:17 by RouterOS 7.13.2
- #
- # model = C53UiG+5HPaxD2HPaxD
- # Network interfaces
- # bridge1 carries the main LAN plus the tagged guest/IoT VLAN 1003 (vlan-filtering=yes; VLAN membership is in the "Bridge" section).
- # "dockers" is a separate bridge that only holds the AdGuard Home container port (veth1).
- /interface bridge add admin-mac=AA:BB:CC:DD:EE:FF auto-mac=no comment=defconf ingress-filtering=no name=bridge1 port-cost-mode=short vlan-filtering=yes
- /interface bridge add name=dockers
- /interface vlan add comment=Guest interface=bridge1 name=vlan1_iot vlan-id=1003
- # Wifi
- # Main SSID on both radios: WPA2/WPA3 personal only.
- /interface wifi set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.country=China .mode=ap .ssid=MYWIFI disabled=no security.authentication-types=wpa2-psk,wpa3-psk .passphrase=MY_WIFI_PASS
- /interface wifi set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country=China .mode=ap .ssid=MYWIFI disabled=no security.authentication-types=wpa2-psk,wpa3-psk .passphrase=MY_WIFI_PASS
- # Guest SSID security profile.
- # NOTE(review): wpa-psk additionally allows the legacy WPA(1) handshake, weaker than the wpa2-psk,wpa3-psk used on the main SSIDs;
- # drop wpa-psk unless a guest/IoT device really needs it. The passphrase does not follow the ALL-CAPS placeholder convention
- # described in the post -- confirm it was redacted before sharing.
- /interface wifi security add authentication-types=wpa-psk,wpa2-psk name=Guest passphrase=1234567890
- # Guest SSIDs are virtual APs on each radio, tagged straight into VLAN 1003.
- /interface wifi add comment="Guest wifi 5G" configuration.mode=ap .ssid=MYWIFI_IOT datapath.vlan-id=1003 disabled=no mac-address=4A:A9:8A:11:22:33 master-interface=wifi1 name=wifi3 security=Guest
- /interface wifi add comment="Guest wifi 2.4G" configuration.mode=ap .ssid=MYWIFI_IOT datapath.vlan-id=1003 disabled=no mac-address=4A:A9:8A:11:22:44 master-interface=wifi2 name=wifi4 security=Guest
- # Interface lists referenced by the firewall; members are assigned in the "Interface list" section.
- /interface list add comment=defconf name=WAN
- /interface list add comment=defconf name=LAN
- # for DHCP
- # The virtual** pool is not referenced by any dhcp-server in this export (the wg2 client gets its address statically in the peer entry).
- /ip pool add name=dhcp ranges=192.168.88.100-192.168.88.199
- /ip pool add name=pool_iot ranges=192.168.90.100-192.168.90.200
- /ip pool add name=virtual** ranges=192.168.89.2-192.168.89.255
- /ip dhcp-server add address-pool=dhcp interface=bridge1 lease-time=1w name=defconf
- /ip dhcp-server add address-pool=pool_iot comment=Guest interface=vlan1_iot lease-time=1w name=dhcp-iot
- #
- # Wireguard
- #
- # wg1: site-to-site tunnel to the VPS; routes are learned over it via OSPF (below).
- # wg2: "road warrior" tunnel back home. Its UDP/16384 is opened on IPv6 input only -- there is no matching IPv4 input rule
- # in this export; presumably intended, since ether1 sits behind the ONT's NAT (confirm).
- /interface wireguard add comment=VPS listen-port=13231 mtu=1412 name=wg1 private-key="AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
- /interface wireguard add comment="My back to home" listen-port=16384 mtu=1412 name=wg2 private-key="CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC"
- # allowed-address=0.0.0.0/0,::/0 lets wg1 carry any destination the OSPF routes point at it.
- # endpoint-port is rewritten periodically by the change-port script ("System" section).
- /interface wireguard peers add allowed-address=0.0.0.0/0,::/0 comment=MYVPS endpoint-address=MY_VPS_IP endpoint-port=12345 interface=wg1 persistent-keepalive=25s public-key="BBBBBBBBBBBBBBBBBB"
- # Remote client peer on wg2. The "auto" key values are either generated by RouterOS or redacted by the author -- verify before reuse.
- /interface wireguard peers add allowed-address=192.168.89.100/32,fd80:1111:2222:89::100/128 client-address=192.168.89.100/24,fd80:1111:2222:89::100/64 client-dns=192.168.89.1 client-endpoint=MY_DDNS_NAME client-keepalive=25s comment="Opiz2new z22" interface=wg2 preshared-key="auto" private-key="auto" public-key="auto"
- #
- # OSPF
- #
- # Two instances (OSPFv2 and OSPFv3) peer with bird2 on the VPS over wg1 (interface templates in the "Routing" section); router-id is the wg1 address.
- /routing ospf instance add comment="VPS OSPF IPv4" disabled=no name=ospf-instance-v4 router-id=10.10.6.30
- /routing ospf instance add comment="VPS OSPF IPv6" disabled=no name=ospf-instance-v6 router-id=10.10.6.30 version=3
- /routing ospf area add comment="VPS IPv4" disabled=no instance=ospf-instance-v4 name=ospf-area-v4
- /routing ospf area add comment="VPS IPv6" disabled=no instance=ospf-instance-v6 name=ospf-area-v6
- # DirectWAN: separate routing table whose only route goes straight out ether1. Packets to the VPS itself are marked into it
- # (mangle rule in the IPv4 firewall section) so the tunnel endpoint is never routed into the tunnel once OSPF injects routes.
- /routing table add comment="No VPS" disabled=no fib name=DirectWAN
- #
- # Remote syslog target for the topics listed under "System".
- /system logging action set 3 remote=MY_RSYSLOG_HOST
- #
- # Container
- #
- # veth-trunk: mdns-repeater container, attached to bridge1 as a trunk and tagged in VLAN 1003 so it sees both the main LAN and the guest VLAN.
- # veth1: AdGuard Home container on the "dockers" bridge (172.16.88.2), which is the router's upstream resolver (see /ip dns below).
- /interface veth add address=172.16.88.10/24,fd80:1111:2222:88::10/64 comment="docker mdns-repeater interface for vlan 1 and 1003" gateway=172.16.88.1 gateway6=fd80:1111:2222:88::1 name=veth-trunk
- /interface veth add address=172.16.88.2/24,fd80:1111:2222:88::2/64 gateway=172.16.88.1 gateway6=fd80:1111:2222:88::1 name=veth1
- # Container images and state live on the USB disk (root-dir / tmpdir). The AdGuard container's own dns= is a public resolver;
- # router and clients still resolve through AdGuard itself.
- /container add comment="AdGuard Home" dns=114.114.114.114 interface=veth1 logging=yes root-dir=/usb2-part1/adguardhome start-on-boot=yes workdir=/opt/adguardhome/work
- /container add comment="mdns-repeater for vlan 1 & 1003 " envlist=repeater_envs hostname=mdns-repeater interface=veth-trunk logging=yes root-dir=usb2-part1/mdns-repeater start-on-boot=yes
- /container config set registry-url=https://registry-1.docker.io tmpdir=usb2-part1
- # REPEATER_INTERFACES: container-side names for the untagged (eth0) and VLAN 1003 (eth0.1003) legs of the trunk.
- /container envs add comment="mdns-repeater (FLO-254)" key=REPEATER_INTERFACES name=repeater_envs value="eth0 eth0.1003"
- /interface bridge port add bridge=dockers interface=veth1
- /interface bridge port add bridge=bridge1 comment="docker mdns-repeater interface for vlan 1 and 1003 PVID DOESN'T MATTER!" interface=veth-trunk
- #
- # Bridge
- #
- # Wired ports and the main SSIDs are untagged members of bridge1; the guest SSIDs and vlan1_iot accept only tagged frames and sit in VLAN 1003.
- /interface bridge port add bridge=bridge1 comment=defconf interface=ether2 internal-path-cost=10 path-cost=10
- /interface bridge port add bridge=bridge1 comment=defconf interface=ether3 internal-path-cost=10 path-cost=10
- /interface bridge port add bridge=bridge1 comment=defconf interface=ether4 internal-path-cost=10 path-cost=10
- /interface bridge port add bridge=bridge1 comment=defconf interface=ether5 internal-path-cost=10 path-cost=10
- /interface bridge port add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=wifi1 internal-path-cost=10 path-cost=10
- /interface bridge port add bridge=bridge1 comment=defconf frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=no interface=wifi2 internal-path-cost=10 path-cost=10
- /interface bridge port add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=wifi3 internal-path-cost=10 path-cost=10 pvid=1003
- /interface bridge port add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=wifi4 internal-path-cost=10 path-cost=10 pvid=1003
- /interface bridge port add bridge=bridge1 frame-types=admit-only-vlan-tagged interface=vlan1_iot internal-path-cost=10 path-cost=10 pvid=1003
- # VLAN 1003 is tagged towards the CPU (bridge1), the mdns-repeater trunk and the two guest SSIDs.
- /interface bridge vlan add bridge=bridge1 comment=Guest tagged=bridge1,veth-trunk,wifi3,wifi4 vlan-ids=1003
- #
- # Interface list
- #
- # NOTE(review): vlan1_iot (the guest/IoT VLAN) is a member of LAN and wg1 is a member of WAN. Every "in-interface-list=!WAN" /
- # "in-interface-list=LAN" rule below therefore treats guest hosts exactly like the main LAN -- the forward chain has no
- # guest-to-LAN isolation -- while the VPS side of wg1 is treated as untrusted WAN.
- /interface list member add comment=defconf interface=bridge1 list=LAN
- /interface list member add comment=defconf interface=ether1 list=WAN
- /interface list member add interface=wg1 list=WAN
- /interface list member add interface=vlan1_iot list=LAN
- /interface list member add interface=wg2 list=LAN
- /interface list member add interface=veth-trunk list=LAN
- /interface list member add interface=veth1 list=LAN
- #
- # IPv4 Address
- #
- /ip address add address=192.168.88.1/24 comment=defconf interface=bridge1 network=192.168.88.0
- /ip address add address=192.168.90.1/24 comment=Guest interface=vlan1_iot network=192.168.90.0
- /ip address add address=192.168.89.1/24 comment="Inner WG" interface=wg2 network=192.168.89.0
- /ip address add address=10.10.6.30/24 comment=VPS interface=wg1 network=10.10.6.0
- /ip address add address=172.16.88.1/24 interface=dockers network=172.16.88.0
- # DHCP
- # use-peer-dns=no: resolvers pushed by the ONT are ignored; clients are handed the router, which forwards to AdGuard.
- /ip dhcp-client add comment=defconf interface=ether1 use-peer-dns=no
- /ip dhcp-server network add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
- /ip dhcp-server network add address=192.168.90.0/24 comment=Guest dns-server=192.168.90.1 gateway=192.168.90.1
- # DNS
- # allow-remote-requests=yes makes the router a resolver for its LAN interfaces (input from !LAN is dropped by the filter below);
- # queries are forwarded to the AdGuard Home container.
- /ip dns set allow-remote-requests=yes servers=172.16.88.2
- /ip dns static add address=192.168.88.1 comment=defconf name=router.lan
- # Pins dynv6.com to a fixed address -- presumably so the DDNS script still resolves it when the AdGuard container is down; verify the address stays current.
- /ip dns static add address=159.69.43.243 name=dynv6.com
- #
- # IPv4 firewall
- #
- # "vps" list: destinations forced out ether1 via the DirectWAN table (see the mangle rule below).
- /ip firewall address-list add address=MY_VPS_IP list=vps
- # Input chain -- rule order matters. Everything arriving on a non-WAN interface (main LAN, guest VLAN, wg2, containers) is accepted before any port check.
- /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
- /ip firewall filter add action=accept chain=input comment="Allow all from inner" in-interface-list=!WAN
- # NOTE(review): router SSH and HTTPS are reachable from the WAN list, which includes wg1 -- i.e. from the VPS side of the tunnel
- # as well as from ether1. Fine for remote management, but a compromised VPS then has a management-plane path; a src-address
- # restriction on this rule (or key-only SSH) narrows it.
- /ip firewall filter add action=accept chain=input comment="Allow SSH HTTPS" dst-port=22,443 in-interface-list=WAN protocol=tcp
- # OSPF from the VPS arrives over wg1, which is in WAN, so it must be accepted explicitly before the final drop.
- /ip firewall filter add action=accept chain=input comment=OSPF protocol=ospf
- /ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
- /ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
- /ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
- /ip firewall filter add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
- # Forward chain.
- /ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
- /ip firewall filter add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
- # Accept anything that originates on a non-WAN interface, towards any destination -- this is the rule that lets guest/IoT hosts reach the main LAN.
- /ip firewall filter add action=accept chain=forward in-interface-list=!WAN
- /ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
- /ip firewall filter add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
- # MSS clamping for the tunnel/WAN path (the WireGuard interfaces use mtu=1412).
- /ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface-list=WAN passthrough=yes protocol=tcp tcp-flags=syn
- # Policy routing: packets addressed to the VPS itself bypass OSPF-learned routes by being looked up in DirectWAN.
- /ip firewall mangle add action=mark-routing chain=prerouting dst-address-list=vps new-routing-mark=DirectWAN passthrough=yes
- /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
- # AdGuard Home web UI via dst-nat.
- # NOTE(review): neither rule restricts in-interface or dst-address, so a new connection reaching the router on tcp/8088 from
- # ether1 (if the ONT forwards that port) is translated to the container and then passes the forward chain, because the
- # "drop all from WAN not DSTNATed" rule no longer matches. Adding in-interface-list=!WAN to these rules keeps the UI inside.
- /ip firewall nat add action=dst-nat chain=dstnat disabled=yes dst-port=3000 protocol=tcp to-addresses=172.16.88.2 to-ports=3000 comment="AdGuard config"
- /ip firewall nat add action=dst-nat chain=dstnat dst-port=8088 protocol=tcp to-addresses=172.16.88.2 to-ports=8088 comment="AdGuard Web"
- #
- # NAT-PMP
- #
- # NOTE(review): vlan1_iot is listed as an internal interface for both NAT-PMP and UPnP, so guest/IoT devices can open inbound
- # port mappings on ether1. Limit both to bridge1 unless guest devices need it.
- /ip nat-pmp set enabled=yes
- /ip nat-pmp interfaces add interface=ether1 type=external
- /ip nat-pmp interfaces add interface=bridge1 type=internal
- /ip nat-pmp interfaces add interface=vlan1_iot type=internal
- # The only route in the DirectWAN table: straight out ether1 (the ONT).
- /ip route add gateway=ether1 routing-table=DirectWAN
- # Management services: clear-text telnet/ftp/www/api are disabled; HTTPS and API-SSL use the Let's Encrypt certificate.
- /ip service set telnet disabled=yes
- /ip service set ftp disabled=yes
- /ip service set www disabled=yes
- /ip service set www-ssl certificate=letsencrypt-autogen_2024-01-11T16:54:10Z disabled=no
- /ip service set api disabled=yes
- /ip service set api-ssl certificate=letsencrypt-autogen_2024-01-11T16:54:10Z
- # SSH: ed25519 host key, strong ciphers only.
- /ip ssh set host-key-type=ed25519 strong-crypto=yes
- # uPnP
- /ip upnp set enabled=yes
- /ip upnp interfaces add interface=bridge1 type=internal
- /ip upnp interfaces add interface=ether1 type=external
- /ip upnp interfaces add interface=vlan1_iot type=internal
- #
- # IPv6
- # Prefix delegation from the ONT (/62 hint); the pool numbers bridge1 and the guest VLAN, so LAN hosts get global addresses.
- # The dynv6 script runs on every DHCPv6 lease change.
- /ipv6 settings set accept-router-advertisements=yes
- /ipv6 dhcp-client add add-default-route=yes interface=ether1 pool-name=v6pool prefix-hint=::/62 request=address,prefix script=dynv6 use-peer-dns=no
- /ipv6 address add address=fd80:1111:2222::30 comment=VPS interface=wg1
- /ipv6 address add address=::1 from-pool=v6pool interface=bridge1
- /ipv6 address add address=::1 from-pool=v6pool interface=vlan1_iot
- /ipv6 address add address=fd80:1111:2222:89::1 interface=wg2
- /ipv6 address add address=fd80:1111:2222:88::1 interface=dockers
- /ipv6 dhcp-server add address-pool=v6pool interface=bridge1 name=local
- #
- # IPv6 Firewall
- #
- /ipv6 firewall address-list add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
- /ipv6 firewall address-list add address=::1/128 comment="defconf: lo" list=bad_ipv6
- /ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
- /ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
- /ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
- /ipv6 firewall address-list add address=100::/64 comment="defconf: discard only " list=bad_ipv6
- /ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
- /ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
- /ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
- # Two resolver addresses (presumably the ISP's) that the router itself is forbidden to contact -- see the output-chain drop below.
- /ipv6 firewall address-list add address=2409:801e:2000::2/128 list=dns
- /ipv6 firewall address-list add address=2409:801e:2000::1/128 list=dns
- # Forward: everything sourced from LAN (again including the guest VLAN) is accepted.
- /ipv6 firewall filter add action=accept chain=forward comment="Allow all from LAN" in-interface-list=LAN
- # Input chain.
- /ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
- /ipv6 firewall filter add action=accept chain=input comment="Accept all from inner" in-interface-list=!WAN
- /ipv6 firewall filter add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
- /ipv6 firewall filter add action=accept chain=input comment="allow WWW" disabled=yes dst-port=80 in-interface-list=WAN protocol=tcp
- # NOTE(review): same exposure as on IPv4 -- router SSH/HTTPS open to the WAN list (ether1 and wg1); on IPv6 ether1 is globally reachable, not behind the ONT's NAT.
- /ipv6 firewall filter add action=accept chain=input comment="Allow SSH,HTTPS" dst-port=22,443 in-interface-list=WAN protocol=tcp
- # Inbound WireGuard handshakes for wg2 (from anywhere, as a road-warrior endpoint needs).
- /ipv6 firewall filter add action=accept chain=input comment="Inner WG" dst-port=16384 protocol=udp
- /ipv6 firewall filter add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
- /ipv6 firewall filter add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
- /ipv6 firewall filter add action=accept chain=input comment=OSPF protocol=ospf
- # Forward chain.
- /ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
- # NOTE(review): this accepts new connections from the WAN list to tcp 22/80/443 on ANY destination, and every host on bridge1
- # and vlan1_iot has a global address from the delegated prefix -- SSH/HTTP/HTTPS of all LAN and guest devices is reachable from
- # the Internet. Restrict it with dst-address= (or a dst-address-list of the hosts that are meant to be reachable).
- /ipv6 firewall filter add action=accept chain=forward comment="Allow SSH WWW HTTPS from WAN" dst-port=22,80,443 in-interface-list=WAN protocol=tcp
- # Router-originated traffic to the "dns" list is dropped (output chain).
- /ipv6 firewall filter add action=drop chain=output comment="block china DNS server" dst-address-list=dns
- /ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
- /ipv6 firewall filter add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
- /ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
- /ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
- /ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
- /ipv6 firewall filter add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
- /ipv6 firewall filter add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
- /ipv6 firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface-list=WAN passthrough=yes protocol=tcp tcp-flags=syn
- # v6 NAT: traffic leaving via wg1 is masqueraded; ULA (fd80::/16) sources leaving via ether1 are masqueraded too.
- /ipv6 firewall nat add action=masquerade chain=srcnat out-interface=wg1
- /ipv6 firewall nat add action=masquerade chain=srcnat comment="local WG out" out-interface=ether1 src-address=fd80::/16
- # AdGuard web UI over v6. Only 22/80/443 are accepted from WAN in the forward chain, so as far as the rules here show a
- # dst-nat'ed 8088 from WAN is still dropped by the final "!LAN" rule.
- /ipv6 firewall nat add action=dst-nat chain=dstnat dst-port=8088 protocol=tcp to-address=fd80:1111:2222:88::2/128
- # RA: clients get addresses via DHCPv6 (managed flag); DNS is not advertised in RAs.
- /ipv6 nd set [ find default=yes ] advertise-dns=no hop-limit=64 managed-address-configuration=yes reachable-time=10m
- # NOTE(review): an ND prefix entry on the upstream interface ether1 looks unintended (prefixes are normally advertised on LAN interfaces) -- confirm this is wanted.
- /ipv6 nd prefix add interface=ether1
- #
- # Routing
- #
- # IGMP proxy: multicast from ether1 (upstream) into the main LAN and the guest VLAN.
- /routing igmp-proxy interface add interface=ether1 upstream=yes
- /routing igmp-proxy interface add interface=bridge1
- /routing igmp-proxy interface add interface=vlan1_iot
- # OSPF runs point-to-point over wg1 only.
- /routing ospf interface-template add area=ospf-area-v4 comment="VPS IPv4" disabled=no interfaces=wg1 type=ptp
- /routing ospf interface-template add area=ospf-area-v6 comment="VPS IPv6" disabled=no interfaces=wg1 type=ptp
- # Packets carrying the DirectWAN mark are looked up only in the DirectWAN table.
- /routing rule add action=lookup-only-in-table disabled=no interface=ether1 routing-mark=DirectWAN table=DirectWAN
- #
- # System
- #
- /system clock set time-zone-name=Asia/Shanghai
- /system identity set name=MikroTikAx3
- # Log topics shipped to the remote syslog action configured above.
- /system logging add action=remote topics=critical
- /system logging add action=remote topics=warning
- /system logging add action=remote topics=script
- /system logging add action=remote topics=info
- /system logging add action=remote topics=netwatch
- # Schedulers.
- # NOTE(review): both jobs carry the full policy set (ftp, reboot, password, sniff, romon, ...), far more than the scripts they
- # start declare for themselves. Trim each to what its script needs -- least privilege for anything that runs unattended.
- /system scheduler add comment="Change wireguard port to avoid QoS" interval=5h58m name=change-wg on-event=change-port policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2023-05-12 start-time=12:00:00
- /system scheduler add comment=DynV6 interval=6h name=dynv6 on-event=dynv6 policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2023-05-25 start-time=11:12:41
- # Auto-backup: removes the previous backup file, then saves a fresh one every 12h.
- /system scheduler add comment="Auto Backup" interval=12h name=autobackup on-event="/file remove autoback.bak \
- \n/system/backup save name autoback " policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=2023-05-25 start-time=11:14:22
- # change-port: rotates the wg1 UDP port on both ends. It pings the peer, SSHes to the VPS as MY_USERNAME to run
- # "sudo wg set wg0 listen-port <new>", then updates the peer's endpoint-port. Also triggered by netwatch (below) when 10.10.6.1 stops answering.
- # NOTE(review): the router therefore holds an SSH credential with sudo rights on the VPS. Limiting that key on the VPS side to
- # this single wg command (sudoers / forced command) keeps a router compromise from becoming a VPS compromise.
- /system script add comment="Change WG port to avoid QoS" dont-require-permissions=yes name=change-port owner=MY_USERNAME policy=read,write,policy,test,password,sensitive source="# Change both VPS and local port to avoid UDP QoS\
- \n\
- \n:local WGIF "wg1"\
- \n\
- \n:local vpsuser "MY_USERNAME"\
- \n:local vpsport 22\
- \n\
- \n:local logstr\
- \n\
- \n:log info "Change WG Port"\
- \n\
- \n:if [ /interface get \$WGIF running ] do={\
- \n :local peerno [/interface wireguard peers find interface=\$WGIF ]\
- \n :local vps [/interface wireguard peers get \$peerno endpoint-address ] \
- \n :local newport [ :rndnum from=45000 to=55000 ]\
- \n\
- \n :if ( [ ping count=1 address=\$vps as-value ]->"status"!="timeout" ) do={\
- \n :if [ /system/ssh-exec user=\$vpsuser port=\$vpsport address=\$vps command="sudo wg set wg0 listen-port \$newport " as-value ] do={\
- \n /interface/wireguard/peers/set \$peerno endpoint-address=\$vps endpoint-port=\$newport\
- \n :set logstr "Change \$WGIF wireguard port to \$vps:\$newport"\
- \n } else={\
- \n :set logstr "Change port failed"\
- \n }\
- \n } else={\
- \n :set logstr "Ping \$vps failed"\
- \n }\
- \n} else={\
- \n :set logstr "WG disabled"\
- \n}\
- \n\
- \n:log info \$logstr\
- \n\
- \n:put \$logstr\
- \n"
- # dynv6: pushes the current global IPv6 address of ether1 to dynv6 (run every 6h by the scheduler and on DHCPv6 lease events).
- # NOTE(review): the ":do ... while" loop has no attempt limit -- if the API never returns exactly "addresses updated" (bad token,
- # changed response text) the script loops indefinitely; add a retry counter. The ipv4 local is computed but never used, and its
- # line uses "find" where the ipv6 line uses ":find" -- confirm both resolve as intended. The token travels in the URL query
- # string, so it shows up in fetch/debug logs.
- /system script add comment="Update dynv6 name" dont-require-permissions=no name=dynv6 owner=MY_USERNAME policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="# Change dynv6 ip\
- \n:local TOKEN "MY_IPV6_TOKEN"\
- \n:local DDNSHOST MY_DDNS.dynv6.net\
- \n:local theinterface ether1\
- \n\
- \n\
- \n# IPv4\
- \n:local test [ /ip address get [/ip address find interface=\$theinterface ] address ]\
- \n:local ipv4 [ :pick \$test 0 [find \$test "/"]]\
- \n\
- \n:set test [/ipv6/address get [:pick [find global interface=\$theinterface ] 0 ] address ]\
- \n:local ipv6 [:pick \$test 0 [:find \$test "/"]]\
- \n\
- \n:if ([ :typeof \$ipv6 ] = nil ) do={\
- \n :log info ("Dynv6: No ip address on \$theinterface .")\
- \n} else={\
- \n :local str1 "zone=\$DDNSHOST&token=\$TOKEN&ipv6=\$ipv6"\
- \n \
- \n :do {\
- \n :set test ([/tool fetch url="https://dynv6.com/api/update\?\$str1" as-value output=user]->"data")\
- \n :put \$test\
- \n } while=( \$test != "addresses updated")\
- \n\
- \n :local logstr "DynV6: IP updated to \$ipv6 "\
- \n :log info \$logstr\
- \n :put \$logstr\
- \n}\
- \n\
- \n"
- # Netwatch: when the VPS end of the tunnel (10.10.6.1) stops answering, re-run change-port to move to a new port on both ends.
- /tool netwatch add comment=CheckVPS disabled=no down-script=change-port host=10.10.6.1 interval=2m test-script="" type=simple up-script=""