ros_shortcut.native.pppoe.advanced.conf
## 说明
# 01. 将 PPPoE 拨号的账户根据实际情况修改,并设置密码。
# 02. 将内网网段 172.16.1.0/24 和 RouterOS IPv4 地址 172.16.1.1 根据实际情况修改。
# 03. 将光猫网段 192.168.1.0/24 和 ether1 IPv4 地址 192.168.1.2 根据实际情况修改。
# 04. 系统 DNS 服务器已设置为知名公共 DNS 服务器。
# 05. 本脚本将使用 172.16.1.1 作为内网设备 DNSv4 服务器。
# 06. 新系统管理员账号 用户名、密码 需要修改,账户添加完成后,用新管理员账户执行后续命令条目。
# 07. 防火墙已默认启用 fasttrack-connection 。
# 08. QoS 使用了 Fq-CoDel 算法的 Interface Queue 。
# 09. 系统日志邮件的 发件箱、收件箱、SMTP密码 需要根据实际情况修改。
# 10. DHCPv4 中 MAC 地址绑定静态 IP ,具体参数需要根据实际情况修改。
# 11. E50UG 使用 USB 存储设备作为附加硬盘,硬盘格式化过程中会忽略后续命令,需要等待格式化完成后再执行后续命令条目。
## 第一部分 - 配置网口
/interface
# Loopback keeps its default name; only the comment is set.
set numbers=[ find name=lo ] comment="defconf: local Loopback"
/interface ethernet
# ether1 faces the ONU / WAN side; ether2-ether5 are bridged as LAN below.
set numbers=[ find default-name=ether1 ] comment="defconf: local WAN"
set numbers=[ find default-name=ether2 ] comment="defconf: local LAN"
set numbers=[ find default-name=ether3 ] comment="defconf: local LAN"
set numbers=[ find default-name=ether4 ] comment="defconf: local LAN"
set numbers=[ find default-name=ether5 ] comment="defconf: local LAN"
/interface bridge
add auto-mac=yes comment="defconf: local Bridge" name=bridge1
/interface bridge port
add interface=ether2 bridge=bridge1
add interface=ether3 bridge=bridge1
add interface=ether4 bridge=bridge1
add interface=ether5 bridge=bridge1
/ip address
# LAN gateway address lives on the bridge; the ONU link address is on ether1, which is not bridged.
add address=172.16.1.1/24 network=172.16.1.0 interface=bridge1 comment="defconf: local LAN IPv4"
add address=192.168.1.2/24 network=192.168.1.0 interface=ether1 comment="onuconf: link IPv4 for ONU"
/ip dhcp-client
# Remove any DHCP client bound to ether1 (presumably so the ONU cannot push an address or default route onto the router).
remove [ find where interface ~ "ether1" ]
/interface pppoe-client
# Created disabled with placeholder credentials (enabled in part 9); use-peer-dns=no keeps the resolvers set in part 2.
add disabled=yes name=pppoe-out1 interface=ether1 comment="defconf: local PPPoE Client" user="<your-pppoe-user-name>" password="<your-pppoe-user-password>" add-default-route=yes use-peer-dns=no
/interface list
add comment="defconf: WAN list" name=WAN
add comment="defconf: LAN list" name=LAN
add comment="onuconf: ONU list" name=ONU
/interface list member
# Every firewall rule in this file matches on these lists (in-interface-list / out-interface-list), not on raw interface names.
add interface=pppoe-out1 list=WAN comment="defconf: WAN member"
add interface=bridge1 list=LAN comment="defconf: LAN member"
add interface=ether1 list=ONU comment="onuconf: ONU member"
## 第一部分完成
## 第二部分 - DNS & DHCP & 静态 IPv4 地址绑定
/ip dns
# The router is the only resolver LAN clients are given (DHCP hands out 172.16.1.1 below, and the dstnat redirects in part 3 force port 53 to it).
# allow-remote-requests=yes exposes the resolver to anything that reaches the input chain; the filter rules in parts 3 and 7 drop input not from LAN.
set allow-remote-requests=yes cache-max-ttl=6h cache-size=24576 max-concurrent-queries=150 servers=223.5.5.5,180.184.1.1,119.29.29.29,2400:3200::1,2402:4e00::
/ip dns static
# Special-use / internal-only names are answered NXDOMAIN locally (match-subdomain covers the whole tree) instead of leaking to the upstream resolvers.
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=alt
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=bind
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=example
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=home.arpa
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=internal
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=invalid
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=lan
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=local
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=localhost
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=onion
add comment="defconf: suppress special-use domain names" match-subdomain=yes type=NXDOMAIN name=test
/ip pool
# Dynamic range .100-.200; static leases (below) sit outside it.
add name=dhcpv4-pool1 comment="defconf: local LAN DHCPv4 pool" ranges=172.16.1.100-172.16.1.200
/ip dhcp-server
# bootp-support=none: plain BOOTP requests are not answered.
add name=dhcpv4-server1 comment="defconf: local LAN DHCPv4 server" address-pool=dhcpv4-pool1 interface=bridge1 lease-time=1d bootp-support=none
/ip dhcp-server network
# Clients get the router as gateway and DNS; the search domain "fox.internal" is one of the names suppressed above, so it never leaks upstream.
add address=172.16.1.0/24 comment="defconf: local LAN DHCPv4 network" gateway=172.16.1.1 netmask=24 domain="fox.internal" dns-server=172.16.1.1
/ip dhcp-server lease
# Static-lease template (header note 10): replace the MAC, address and comment per device. AA:BB:CC:00:00:10 is a placeholder.
add address=172.16.1.10 comment="<your-device-name1>" lease-time=2d mac-address=AA:BB:CC:00:00:10 server=dhcpv4-server1
## 第二部分完成
## 第三部分 - IPv4 高级防火墙
## Filter 规则 11 条 + 虚拟规则 1 条
## NAT 规则 4 条
## Mangle 规则 2 条 + 虚拟规则 3 条
## Raw 规则 40 条 + 虚拟规则 1 条
## Address-list 规则 24 条
## Blackhole 规则 13 条
/ip firewall address-list
# Lists consumed by the filter / NAT / RAW rules that follow:
#   local_onu_ipv4, local_lan_ipv4 - the ONU management address and the LAN prefix; must agree with the /ip address section in part 1.
#   no_forward_ipv4 - never forwarded in either direction (filter forward).
#   bad_ipv4        - dropped in RAW as source or destination on every interface.
#   not_global_ipv4 - dropped in RAW only when arriving from WAN (anti-spoofing of private / special-purpose ranges).
#   bad_src_ipv4, bad_dst_ipv4 - multicast / broadcast / this-network sanity checks in RAW.
add address=192.168.1.1 comment="onuconf: local ONU IPv4" list=local_onu_ipv4
add address=172.16.1.0/24 comment="defconf: local LAN IPv4" list=local_lan_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890 - this network" list=no_forward_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890 - link local" list=no_forward_ipv4
add address=224.0.0.0/4 comment="defconf: RFC5771 - multicast" list=no_forward_ipv4
add address=255.255.255.255/32 comment="defconf: RFC6890 - limited broadcast" list=no_forward_ipv4
add address=127.0.0.0/8 comment="defconf: RFC6890 - Loopback" list=bad_ipv4
add address=192.0.0.0/24 comment="defconf: RFC6890 - reserved" list=bad_ipv4
add address=192.0.2.0/24 comment="defconf: RFC6890 - TEST-NET-1" list=bad_ipv4
add address=198.51.100.0/24 comment="defconf: RFC6890 - TEST-NET-2" list=bad_ipv4
add address=203.0.113.0/24 comment="defconf: RFC6890 - TEST-NET-3" list=bad_ipv4
add address=240.0.0.0/4 comment="defconf: RFC6890 - reserved" list=bad_ipv4
# not_global_ipv4 deliberately contains the LAN's own 172.16.0.0/12 and the ONU's 192.168.0.0/16: a packet from WAN claiming one of these sources is spoofed.
add address=0.0.0.0/8 comment="defconf: RFC6890 - this network" list=not_global_ipv4
add address=10.0.0.0/8 comment="defconf: RFC6890 - private networks" list=not_global_ipv4
add address=100.64.0.0/10 comment="defconf: RFC6890 - shared address" list=not_global_ipv4
add address=169.254.0.0/16 comment="defconf: RFC6890 - link local" list=not_global_ipv4
add address=172.16.0.0/12 comment="defconf: RFC6890 - private networks" list=not_global_ipv4
add address=192.0.0.0/29 comment="defconf: RFC6890 - DS-Lite" list=not_global_ipv4
add address=192.168.0.0/16 comment="defconf: RFC6890 - private networks" list=not_global_ipv4
add address=198.18.0.0/15 comment="defconf: RFC6890 - benchmarking" list=not_global_ipv4
add address=255.255.255.255/32 comment="defconf: RFC6890 - limited broadcast" list=not_global_ipv4
add address=224.0.0.0/4 comment="defconf: RFC5771 - multicast" list=bad_src_ipv4
add address=255.255.255.255/32 comment="defconf: RFC6890 - limited broadcast" list=bad_src_ipv4
add address=0.0.0.0/8 comment="defconf: RFC6890 - this network" list=bad_dst_ipv4
/ip firewall filter
# Input chain. ICMP is accepted unconditionally here because type/source policing already happened in the RAW icmp4 chain
# (echo requests not from LAN are dropped there), so this rule only sees what RAW let through.
add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# Last input rule: nothing new from WAN or ONU reaches router services (DNS, SSH, WinBox, www). New connections from LAN fall through to the chain default (accept).
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN
# Forward chain. Fasttracked packets skip the rest of the filter; the MSS clamp in mangle matches only SYNs, which are never established/related, so it is unaffected.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# New connections from WAN/ONU are dropped unless a dstnat rule created them; no port forwards are defined in this file, so in practice all inbound is dropped and logged to the disk log.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="[wan-not-dnat]"
add action=drop chain=forward comment="onuconf: drop all from ONU not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=ONU log=yes log-prefix="[onu-not-dnat]"
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv4
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv4
/ip firewall nat
# Source NAT: everything leaving via PPPoE, plus the LAN -> ONU management path. The ONU rule is restricted to the list pair so traffic through ether1 is not NATed wholesale.
add action=masquerade chain=srcnat comment="defconf: masquerade IPv4" out-interface-list=WAN
add action=masquerade chain=srcnat comment="onuconf: access to ONU" out-interface-list=ONU src-address-list=local_lan_ipv4 dst-address-list=local_onu_ipv4
# DNS interception: LAN clients that hard-code an external resolver on port 53 are transparently answered by the router.
# Only classic DNS is covered; DNS-over-TLS (853) and DNS-over-HTTPS (443) bypass these rules.
add action=redirect chain=dstnat comment="lanconf: redirect DNS query (UDP)" dst-port=53 in-interface-list=LAN protocol=udp to-ports=53
add action=redirect chain=dstnat comment="lanconf: redirect DNS query (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53
/ip firewall mangle
# Clamp TCP MSS to the path MTU on the PPPoE link; passthrough=yes lets later mangle rules still see the SYN.
add action=change-mss chain=forward comment="defconf: fix IPv4 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
# Ends mangle prerouting processing for LAN -> ONU traffic. NOTE(review): no other prerouting mangle rules exist in this file, so confirm this rule is still needed.
add action=accept chain=prerouting comment="onuconf: access to ONU" src-address-list=local_lan_ipv4 dst-address-list=local_onu_ipv4
/ip firewall raw
# RAW runs before connection tracking, so everything dropped here never consumes a conntrack entry.
# Disabled placeholder: enabling it accepts everything in prerouting and switches off all the checks below.
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
add action=accept chain=prerouting comment="defconf: accept local Loopback" in-interface=lo
# DHCP DISCOVER/REQUEST from 0.0.0.0:68 must be accepted before the LAN anti-spoof rule below, which would otherwise drop it.
add action=accept chain=prerouting comment="defconf: accept DHCPv4 discover" dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN protocol=udp src-address=0.0.0.0 src-port=68
add action=drop chain=prerouting comment="defconf: drop bogon IPs" src-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bogon IPs" dst-address-list=bad_ipv4
add action=drop chain=prerouting comment="defconf: drop bad SRC IPv4" src-address-list=bad_src_ipv4
add action=drop chain=prerouting comment="defconf: drop bad DST IPv4" dst-address-list=bad_dst_ipv4
# WAN: private/special sources are spoofed; packets addressed into the LAN prefix are logged and dropped.
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv4
add action=drop chain=prerouting comment="defconf: drop forward to local LAN from WAN" in-interface-list=WAN dst-address-list=local_lan_ipv4 log=yes log-prefix="[wan-to-lan]"
# ONU: only 192.168.1.1 may talk on ether1, and it may not address the LAN prefix.
add action=drop chain=prerouting comment="onuconf: drop if not from ONU address" in-interface-list=ONU src-address-list=!local_onu_ipv4
add action=drop chain=prerouting comment="onuconf: drop forward to local LAN from ONU" in-interface-list=ONU dst-address-list=local_lan_ipv4 log=yes log-prefix="[onu-to-lan]"
# LAN anti-spoof: hosts on the bridge must use a 172.16.1.0/24 source.
add action=drop chain=prerouting comment="defconf: drop if not from default IPv4 range" in-interface-list=LAN src-address-list=!local_lan_ipv4
add action=drop chain=prerouting comment="defconf: drop UDP port 0" port=0 protocol=udp log=yes log-prefix="[udp-port-0]"
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad-tcp protocol=tcp
add action=jump chain=prerouting comment="defconf: jump to ICMP chain" jump-target=icmp4 protocol=icmp
# Traffic on a known interface list that survived the checks is accepted; anything arriving elsewhere is dropped.
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=accept chain=prerouting comment="onuconf: accept everything else from ONU" in-interface-list=ONU
add action=drop chain=prerouting comment="defconf: drop the rest"
# bad-tcp: port 0 (logged) and flag combinations that never occur in legitimate TCP. Packets not dropped return to prerouting.
add action=drop chain=bad-tcp comment="defconf: drop TCP port 0" port=0 protocol=tcp log=yes log-prefix="[tcp-port-0]"
add action=drop chain=bad-tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad-tcp comment="defconf: drop flags fin,syn" protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad-tcp comment="defconf: drop flags fin,rst" protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad-tcp comment="defconf: drop flags fin,!ack" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad-tcp comment="defconf: drop flags fin,urg" protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad-tcp comment="defconf: drop flags syn,rst" protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad-tcp comment="defconf: drop flags rst,urg" protocol=tcp tcp-flags=rst,urg
# icmp4: error/reply types needed for PMTUD and traceroute are accepted from anywhere, then every other ICMP not from LAN is dropped,
# so the router and LAN hosts never answer echo requests from WAN or ONU. Rule order matters: the drop sits between the two accept groups.
add action=accept chain=icmp4 comment="defconf: echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp4 comment="defconf: port unreachable" icmp-options=3:3 protocol=icmp
add action=accept chain=icmp4 comment="defconf: fragmentation needed" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp4 comment="defconf: time exceeded" icmp-options=11:0-255 protocol=icmp
add action=drop chain=icmp4 comment="lanconf: drop ICMP not from LAN" protocol=icmp in-interface-list=!LAN
add action=accept chain=icmp4 comment="defconf: net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp4 comment="defconf: protocol unreachable" icmp-options=3:2 protocol=icmp
# Echo from LAN is allowed to LAN, ONU and global destinations but not to other non-global ranges.
add action=accept chain=icmp4 comment="lanconf: echo to local device" icmp-options=8:0 protocol=icmp dst-address-list=local_lan_ipv4
add action=accept chain=icmp4 comment="onuconf: echo to ONU" icmp-options=8:0 protocol=icmp dst-address-list=local_onu_ipv4
add action=drop chain=icmp4 comment="lanconf: echo to non global" icmp-options=8:0 protocol=icmp dst-address-list=not_global_ipv4
add action=accept chain=icmp4 comment="lanconf: echo to WAN" icmp-options=8:0 protocol=icmp
add action=drop chain=icmp4 comment="defconf: drop all other ICMP" protocol=icmp
/ip firewall connection tracking
# Explicit connection-tracking timeouts. tcp-established is 7440s (about 2 h 4 min); idle TCP sessions that
# send nothing for longer than that lose their conntrack entry. NOTE(review): check this against any long-lived
# idle sessions (SSH, VPN control channels) you expect to keep open from LAN.
set tcp-syn-sent-timeout=120s
set tcp-syn-received-timeout=60s
set tcp-established-timeout=7440s
set tcp-fin-wait-timeout=120s
set tcp-close-wait-timeout=60s
set tcp-last-ack-timeout=30s
set tcp-time-wait-timeout=120s
set tcp-close-timeout=10s
set tcp-max-retrans-timeout=300s
set tcp-unacked-timeout=300s
set udp-timeout=30s
set udp-stream-timeout=120s
set icmp-timeout=30s
set generic-timeout=600s
/ip route
# Blackhole routes for RFC 6890 special-purpose ranges: traffic to a private/reserved destination that has no more specific
# route is discarded locally instead of being sent out the PPPoE default route. The connected 172.16.1.0/24 and 192.168.1.0/24
# routes from part 1 are more specific than the /12 and /16 blackholes and therefore still win.
add blackhole comment="defconf: RFC6890 - this network" disabled=no dst-address=0.0.0.0/8
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=10.0.0.0/8
add blackhole comment="defconf: RFC6890 - shared address" disabled=no dst-address=100.64.0.0/10
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=172.16.0.0/12
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=192.0.0.0/24
add blackhole comment="defconf: RFC6890 - DS-Lite" disabled=no dst-address=192.0.0.0/29
add blackhole comment="defconf: RFC6890 - TEST-NET-1" disabled=no dst-address=192.0.2.0/24
add blackhole comment="defconf: RFC6890 - 6to4 relay" disabled=no dst-address=192.88.99.0/24
add blackhole comment="defconf: RFC6890 - private networks" disabled=no dst-address=192.168.0.0/16
add blackhole comment="defconf: RFC6890 - benchmarking" disabled=no dst-address=198.18.0.0/15
add blackhole comment="defconf: RFC6890 - TEST-NET-2" disabled=no dst-address=198.51.100.0/24
add blackhole comment="defconf: RFC6890 - TEST-NET-3" disabled=no dst-address=203.0.113.0/24
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=240.0.0.0/4
## 第三部分完成
## 第四部分 - QoS 流控
/queue type
# One fq-codel queue type shared by all physical ports. limit/memlimit bound the queue size; target/interval are the CoDel latency knobs.
add kind=fq-codel name=fq-codel-iface fq-codel-target=4ms fq-codel-interval=80ms fq-codel-limit=1024 fq-codel-memlimit=8M
/queue interface
# Applied per interface (WAN port and the four LAN ports), not to the bridge.
set ether1 queue=fq-codel-iface
set ether2 queue=fq-codel-iface
set ether3 queue=fq-codel-iface
set ether4 queue=fq-codel-iface
set ether5 queue=fq-codel-iface
## 第四部分完成
## 第五部分 - 系统参数调整
/system identity
set name=FoxRouter
/system clock
set time-zone-name=Asia/Shanghai
/system ntp client servers
# Three regional NTP sources. Correct time matters for the TLS checks done by the e-mail tool and the upgrade scripts in part 6, and for log timestamps.
add address=ntp.aliyun.com
add address=ntp.tencent.com
add address=cn.pool.ntp.org
/system ntp client
set enabled=yes
/ipv6 settings
# IPv6 is switched off here and re-enabled in part 7, after the IPv6 firewall is in place.
set disable-ipv6=yes
/ip service
# Management services: telnet, ftp, api and api-ssl are disabled; the remaining ones are bound to the LAN prefix only.
# www (plain HTTP) stays enabled next to www-ssl. NOTE(review): once www-ssl has a certificate, consider disabling www so
# credentials are never sent in clear text on the LAN.
set telnet address=172.16.1.0/24 disabled=yes
set ftp address=172.16.1.0/24 disabled=yes
set www address=172.16.1.0/24
set ssh address=172.16.1.0/24
set www-ssl address=172.16.1.0/24
set api address=172.16.1.0/24 disabled=yes
set winbox address=172.16.1.0/24
set api-ssl address=172.16.1.0/24 disabled=yes
/ip settings
# Reverse-path filtering in loose mode plus SYN cookies for the router's own TCP listeners.
set max-neighbor-entries=2048 rp-filter=loose tcp-syncookies=yes
/ip neighbor discovery-settings
# No interface announces the router via neighbor discovery (MNDP/LLDP/CDP).
set discover-interface-list=none
/ip proxy
set enabled=no
/ip socks
set enabled=no
/ip upnp
set enabled=no
/ip cloud
# Back-to-Home VPN revoked and disabled. NOTE(review): ddns-enabled=auto can still register the public address with the
# MikroTik cloud DDNS service; set it to no if no contact with the vendor cloud is wanted.
set back-to-home-vpn=revoked-and-disabled ddns-enabled=auto ddns-update-interval=none update-time=no
/ip ssh
# Only strong ciphers/MACs/key exchanges for the SSH service.
set strong-crypto=yes
/ip smb
# SMB service off; the guest user and the default "pub" share are disabled as well so nothing is exposed if it is ever re-enabled.
set enabled=no interfaces=bridge1
/ip smb users
set numbers=[ find where name ~ "guest" ] disabled=yes
/ip smb shares
set numbers=[ find where name ~ "pub" ] disabled=yes
/disk settings
# No automatic sharing of attached disks (the USB log disk from part 8 stays private).
set auto-smb-sharing=no auto-media-sharing=no auto-media-interface=none
/tool mac-server
# No MAC-layer (non-IP) management: mac-telnet, mac-winbox and mac-ping are all off, so management needs an IP path that the firewall controls.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
/tool bandwidth-server
set enabled=no
/user group
# The built-in "read" group is trimmed to read + winbox + web: no ssh/telnet/ftp, no api/rest-api, and no "sensitive", so members cannot view stored secrets (PPPoE / SMTP passwords).
set read policy=read,winbox,web,!local,!telnet,!ssh,!ftp,!reboot,!write,!policy,!test,!password,!sniff,!sensitive,!api,!romon,!rest-api
/user
# New full-rights administrator, logins allowed only from the LAN prefix (header note 6: replace the placeholders, then continue as this user).
add name="<your-ros-user-name>" password="<your-ros-user-password>" group=full address=172.16.1.0/24 comment="defconf: system admin user"
# The default "admin" account is kept but demoted to the read group and restricted to LAN.
# NOTE(review): once the new account is verified, consider disabling admin as well; a well-known username that still accepts logins is a guessing target.
set admin group=read address=172.16.1.0/24 comment="defconf: system default user"
## 第五部分完成
## 第六部分 - 定时任务
/tool e-mail
# Outbound mail over implicit TLS (port 465, tls=yes). The SMTP password is stored in the router configuration; the "sensitive" policy controls who can read it, which is why the read group above excludes it.
set server="<smtp.xxx.com>" from="<[email protected]>" port=465 tls=yes user="<[email protected]>" password="<your-smtp-password>"
/system scheduler
# Timer entries for the four worker scripts. Each timer's policy must cover its script's policy because the scripts use dont-require-permissions=no.
# NOTE(review): "policy" and "password" rights are broader than mailing logs or resource stats needs; trim the policies once the script bodies are written.
add comment="sysconf: system log email" interval=45m name=system-log-timer on-event="/system script run email-log-worker" policy=read,write,policy,test start-time=00:00:00
add comment="sysconf: system resource email" interval=6h name=system-res-timer on-event="/system script run email-res-worker" policy=read,write,policy,test start-time=00:05:00
add comment="sysconf: system auto upgrade" interval=1d name=system-upgrade-timer on-event="/system script run sys-upgrade-worker" policy=reboot,read,write,policy,password start-time=02:55:00
add comment="sysconf: system certs update" interval=15d name=certs-update-timer on-event="/system script run certs-update-worker" policy=reboot,read,write,policy,password start-time=03:30:00
# Forced PPPoE redial every 3 days: the link is disabled at 04:00:00 and re-enabled 10 seconds later (brief WAN outage).
add comment="pppoeconf: disable pppoe-out1" interval=3d name=disable-pppoe-timer on-event="/interface disable pppoe-out1" policy=write start-time=04:00:00
add comment="pppoeconf: enable pppoe-out1" interval=3d name=enable-pppoe-timer on-event="/interface enable pppoe-out1" policy=write start-time=04:00:10
/system script
# Script bodies are intentionally empty here (source="") and are filled in during part 9.
add comment="sysconf: system log email" dont-require-permissions=no name=email-log-worker policy=read,write,policy,test source=""
add comment="sysconf: system resource email" dont-require-permissions=no name=email-res-worker policy=read,write,policy,test source=""
add comment="sysconf: system auto upgrade" dont-require-permissions=no name=sys-upgrade-worker policy=reboot,read,write,policy,password source=""
add comment="sysconf: system certs update" dont-require-permissions=no name=certs-update-worker policy=reboot,read,write,policy,password source=""
## 第六部分完成
## 第七部分 - 设置 IPv6
## Filter 规则 13 条
## NAT 规则 3 条
## Mangle 规则 1 条
## Raw 规则 48 条
## Address-list 规则 17 条
## Blackhole 规则 14 条
/ipv6 settings
# Re-enable IPv6 (disabled in part 5) with bounded neighbor-table sizes.
set disable-ipv6=no min-neighbor-entries=512 soft-max-neighbor-entries=1024 max-neighbor-entries=2048
/ipv6 dhcp-client
# Prefix delegation over the PPPoE link into pool dhcpv6-gua-pool1; peer DNS is ignored. add-default-route=no means this client installs no ::/0 route.
# NOTE(review): confirm a default IPv6 route actually appears after dial-up (e.g. learned on pppoe-out1); if not, LAN IPv6 has no exit.
add interface=pppoe-out1 comment="defconf: local DHCPv6 Client" request=prefix pool-name=dhcpv6-gua-pool1 pool-prefix-length=64 use-peer-dns=no add-default-route=no
/ipv6 address
# ::1 inside the delegated /64 becomes the LAN gateway address and is advertised to clients.
add interface=bridge1 comment="defconf: local LAN IPv6 GUA" address=::1/64 from-pool=dhcpv6-gua-pool1 advertise=yes
/ipv6 nd prefix default
set preferred-lifetime=45m valid-lifetime=90m
/ipv6 nd
# The built-in ND entry is disabled and replaced by one scoped to bridge1 only. advertise-dns=no and no DHCPv6 server in this file: clients get DNS via IPv4 only.
set [ find default=yes ] disabled=yes
add interface=bridge1 ra-interval=300s-900s ra-lifetime=45m hop-limit=64 advertise-mac-address=yes advertise-dns=no
/ipv6 firewall address-list
# Same roles as the IPv4 lists in part 3:
#   no_forward_ipv6 - never forwarded (filter forward); bad_ipv6 - dropped in RAW as source or destination;
#   not_global_ipv6 - dropped in RAW when seen as a source on WAN; bad_src_ipv6 / bad_dst_ipv6 - unspecified/multicast sanity checks.
# Note 2001::/23 in bad_ipv6 already covers 2001::/32, 2001:2::/48, 2001:db8::/32, 2001:10::/28 and 2001:20::/28, so those finer entries are only reached for traffic that is not already dropped by the broader one.
add address=fe80::/10 comment="defconf: RFC6890 - link local" list=no_forward_ipv6
add address=ff00::/8 comment="defconf: RFC3513 - multicast" list=no_forward_ipv6
add address=::1/128 comment="defconf: RFC6890 - Loopback" list=bad_ipv6
add address=0000::/96 comment="defconf: RFC4291 - IPv4 compatible" list=bad_ipv6
add address=::ffff:0:0/96 comment="defconf: RFC6890 - IPv4 mapped" list=bad_ipv6
add address=2001::/23 comment="defconf: RFC6890 - reserved" list=bad_ipv6
add address=2001:db8::/32 comment="defconf: RFC6890 - documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: RFC4843 - ORCHID" list=bad_ipv6
add address=2001:20::/28 comment="defconf: RFC7343 - ORCHIDv2" list=bad_ipv6
add address=100::/64 comment="defconf: RFC6890 - discard-only" list=not_global_ipv6
add address=2001::/32 comment="defconf: RFC6890 - TEREDO" list=not_global_ipv6
add address=2001:2::/48 comment="defconf: RFC6890 - benchmarking" list=not_global_ipv6
add address=fc00::/7 comment="defconf: RFC6890 - unique local" list=not_global_ipv6
add address=fec0::/10 comment="defconf: RFC3879 - site local" list=not_global_ipv6
add address=::/128 comment="defconf: RFC6890 - unspecified" list=bad_src_ipv6
add address=ff00::/8 comment="defconf: RFC3513 - multicast" list=bad_src_ipv6
add address=::/128 comment="defconf: RFC6890 - unspecified" list=bad_dst_ipv6
/ipv6 firewall filter
# Input chain. ICMPv6 is accepted here because type policing already happened in the RAW icmp6 chain.
add action=accept chain=input comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# UDP traceroute probes are accepted from any interface so the router can answer with port-unreachable.
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
# DHCPv6 replies for prefix delegation arrive at the router's link-local address and are logged.
# NOTE(review): this rule has no in-interface-list=WAN, so it also matches on LAN/ONU; scoping it to WAN would tighten it without affecting PD on pppoe-out1.
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation" dst-port=546 protocol=udp dst-address=fe80::/10 log=yes log-prefix="[ipv6-pd]"
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN
# Forward chain. The final rule drops every new connection not from LAN, so no inbound IPv6 reaches LAN hosts at all (there are no pinholes in this file).
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop bad forward IPs" src-address-list=no_forward_ipv6
add action=drop chain=forward comment="defconf: drop bad forward IPs" dst-address-list=no_forward_ipv6
# RFC 4890: ICMPv6 with hop-limit 1 is link-local in nature and must not be forwarded.
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6 after RAW" protocol=icmpv6
add action=drop chain=forward comment="defconf: drop all not from LAN" in-interface-list=!LAN
/ipv6 firewall nat
# IPv6 masquerade is present but disabled: LAN hosts use their delegated global addresses directly.
add action=masquerade chain=srcnat comment="defconf: masquerade IPv6" out-interface-list=WAN disabled=yes
# Same DNS interception as IPv4 (port 53 only; DoT/DoH are not covered).
add action=redirect chain=dstnat comment="lanconf: redirect DNS query (UDP)" dst-port=53 in-interface-list=LAN protocol=udp to-ports=53
add action=redirect chain=dstnat comment="lanconf: redirect DNS query (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53
/ipv6 firewall mangle
# MSS clamp for the PPPoE path MTU, mirroring the IPv4 rule in part 3.
add action=change-mss chain=forward comment="defconf: fix IPv6 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
/ipv6 firewall raw
# Disabled placeholder: enabling it accepts everything in prerouting and switches off every check below.
add action=accept chain=prerouting comment="defconf: enable for transparent firewall" disabled=yes
# Hop-by-hop (type 0) and routing (type 43) extension headers are dropped outright; RFC 5095 deprecated routing header type 0.
add action=drop chain=prerouting comment="defconf: drop IPv6 extension headers types 0,43" headers=hop,route:contains
add action=accept chain=prerouting comment="defconf: accept local Loopback" in-interface=lo
# Duplicate address detection: neighbor solicitation (135) from the unspecified source to the solicited-node multicast group must pass before the bad_src_ipv6 drop.
add action=accept chain=prerouting comment="defconf: RFC4291, section 2.7.1" dst-address=ff02:0:0:0:0:1:ff00::/104 icmp-options=135 protocol=icmpv6 src-address=::/128
add action=drop chain=prerouting comment="defconf: drop bogon IPs" src-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bogon IPs" dst-address-list=bad_ipv6
add action=drop chain=prerouting comment="defconf: drop bad SRC IPv6" src-address-list=bad_src_ipv6
add action=drop chain=prerouting comment="defconf: drop bad DST IPv6" dst-address-list=bad_dst_ipv6
# WAN anti-spoof: ULA / site-local / Teredo / benchmarking sources are not valid from the Internet.
add action=drop chain=prerouting comment="defconf: drop non global from WAN" in-interface-list=WAN src-address-list=not_global_ipv6
add action=drop chain=prerouting comment="defconf: drop UDP port 0" port=0 protocol=udp log=yes log-prefix="[udp-port-0]"
add action=jump chain=prerouting comment="defconf: jump to TCP chain" jump-target=bad-tcp protocol=tcp
add action=jump chain=prerouting comment="defconf: jump to ICMPv6 chain" jump-target=icmp6 protocol=icmpv6
# Only link-local-scope multicast (ff02::/16) is allowed; every other multicast destination is dropped.
add action=accept chain=prerouting comment="defconf: accept local multicast scope" dst-address=ff02::/16
add action=drop chain=prerouting comment="defconf: drop other multicast destinations" dst-address=ff00::/8
# No ONU accept here: ether1 carries no IPv6 in this design, so anything arriving on it falls to "drop the rest".
add action=accept chain=prerouting comment="defconf: accept everything else from LAN" in-interface-list=LAN
add action=accept chain=prerouting comment="defconf: accept everything else from WAN" in-interface-list=WAN
add action=drop chain=prerouting comment="defconf: drop the rest"
# bad-tcp: identical to the IPv4 chain in part 3.
add action=drop chain=bad-tcp comment="defconf: drop TCP port 0" port=0 protocol=tcp log=yes log-prefix="[tcp-port-0]"
add action=drop chain=bad-tcp comment="defconf: TCP flag filter" protocol=tcp tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=bad-tcp comment="defconf: drop flags fin,syn" protocol=tcp tcp-flags=fin,syn
add action=drop chain=bad-tcp comment="defconf: drop flags fin,rst" protocol=tcp tcp-flags=fin,rst
add action=drop chain=bad-tcp comment="defconf: drop flags fin,!ack" protocol=tcp tcp-flags=fin,!ack
add action=drop chain=bad-tcp comment="defconf: drop flags fin,urg" protocol=tcp tcp-flags=fin,urg
add action=drop chain=bad-tcp comment="defconf: drop flags syn,rst" protocol=tcp tcp-flags=syn,rst
add action=drop chain=bad-tcp comment="defconf: drop flags rst,urg" protocol=tcp tcp-flags=rst,urg
# icmp6 follows RFC 4890. Error types and echo are accepted from any interface. Unlike the IPv4 chain, echo request (128) is not
# restricted to LAN, so the router itself answers pings from the Internet (input accepts ICMPv6); LAN hosts are still shielded by the forward drop in the filter.
add action=accept chain=icmp6 comment="defconf: rfc4890 DST unreachable" icmp-options=1:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 packet too big" icmp-options=2:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 time exceeded" icmp-options=3:0-1 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 parameter problem" icmp-options=4:0-2 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 echo request" icmp-options=128:0-255 protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 echo response" icmp-options=129:0-255 protocol=icmpv6
# Link-local ND/RA messages must arrive with hop-limit 255 (never forwarded); anything else to fe80::/10 is logged and dropped.
add action=drop chain=icmp6 comment="defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 hop-limit=not-equal:255 protocol=icmpv6 log=yes log-prefix="[ipv6-hop-limit]"
# MLD, ND, inverse ND, certificate-path and multicast-router discovery are accepted only from LAN, with the hop-limit the RFC requires.
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener query only LAN" src-address=fe80::/10 icmp-options=130:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener report only LAN" src-address=fe80::/10 icmp-options=131:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener done only LAN" src-address=fe80::/10 icmp-options=132:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast listener report v2 only LAN" src-address=fe80::/10 icmp-options=143:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router solic only LAN" hop-limit=equal:255 icmp-options=133:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 router advert only LAN" hop-limit=equal:255 icmp-options=134:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor solic only LAN" hop-limit=equal:255 icmp-options=135:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 neighbor advert only LAN" hop-limit=equal:255 icmp-options=136:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND solic only LAN" hop-limit=equal:255 icmp-options=141:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 inverse ND advert only LAN" hop-limit=equal:255 icmp-options=142:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 certificate path solicitation only LAN" hop-limit=equal:255 icmp-options=148:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 certificate path advertisement only LAN" hop-limit=equal:255 icmp-options=149:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast router advertisement only LAN" src-address=fe80::/10 hop-limit=equal:1 icmp-options=151:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast router solicitation only LAN" src-address=fe80::/10 hop-limit=equal:1 icmp-options=152:0-255 in-interface-list=LAN protocol=icmpv6
add action=accept chain=icmp6 comment="defconf: rfc4890 multicast router termination only LAN" src-address=fe80::/10 hop-limit=equal:1 icmp-options=153:0-255 in-interface-list=LAN protocol=icmpv6
# Router/neighbor solicitations and advertisements from WAN never match an accept above and end here.
add action=drop chain=icmp6 comment="defconf: drop all other ICMPv6" protocol=icmpv6
/ipv6 route
# Blackhole routes for special-purpose IPv6 ranges, mirroring the IPv4 list in part 3: traffic to these destinations with no more specific route is discarded locally instead of leaving via the PPPoE link.
add blackhole comment="defconf: RFC6890 - unspecified" disabled=no dst-address=::/128
add blackhole comment="defconf: RFC4291 - IPv4 compatible" disabled=no dst-address=0000::/96
add blackhole comment="defconf: RFC6890 - IPv4 mapped" disabled=no dst-address=::ffff:0:0/96
add blackhole comment="defconf: RFC6890 - discard-only" disabled=no dst-address=100::/64
add blackhole comment="defconf: RFC6890 - reserved" disabled=no dst-address=2001::/23
add blackhole comment="defconf: RFC6890 - TEREDO" disabled=no dst-address=2001::/32
add blackhole comment="defconf: RFC6890 - benchmarking" disabled=no dst-address=2001:2::/48
add blackhole comment="defconf: RFC6890 - documentation" disabled=no dst-address=2001:db8::/32
add blackhole comment="defconf: RFC4843 - ORCHID" disabled=no dst-address=2001:10::/28
add blackhole comment="defconf: RFC7343 - ORCHIDv2" disabled=no dst-address=2001:20::/28
add blackhole comment="defconf: RFC6890 - 6to4" disabled=no dst-address=2002::/16
# fc00::/7 is split into its two /8 halves here; together they cover the whole unique-local block.
add blackhole comment="defconf: RFC6890 - unique local l0" disabled=no dst-address=fc00::/8
add blackhole comment="defconf: RFC6890 - unique local l1" disabled=no dst-address=fd00::/8
add blackhole comment="defconf: RFC3879 - site local" disabled=no dst-address=fec0::/10
## 第七部分完成
## 第八部分 - 设置系统日志
## 格式化过程缓慢需要等待
/disk
# Destructive: wipes usb1 and creates an ext4 filesystem labelled logdrive. Header note 11: wait for formatting to finish before running the rest.
# NOTE(review): the trailing "## Waiting" sits on the command line itself; keep the marker on its own line if your RouterOS version does not treat a mid-line # as a comment.
format-drive usb1 mbr-partition-table=no file-system=ext4 label=logdrive ## Waiting
/system logging action
# Offline log on the USB disk, rotating through 100 files, so firewall drops (the log=yes rules above) survive a reboot.
add disk-file-count=100 disk-file-name=/usb1/offline-log name=syslog target=disk
/system logging
# Topics written to the disk log; "firewall" carries the prefixed drop entries, "script"/"system" the scheduler workers from part 6.
add action=syslog topics=critical
add action=syslog topics=error
add action=syslog topics=warning
add action=syslog topics=system
add action=syslog topics=script
add action=syslog topics=firewall
add action=syslog topics=interface
## 第八部分完成
## 第九部分
# 1.设置系统邮件和自动升级脚本内容。
# 2.检查系统账户权限。
# 3.检查不必要的 IPv4 DHCP Client 。
# 4.启用 PPPoE 拨号。
# 5.备份系统。
# 6.重启系统。
## 第九部分完成