2. It is recommended not to enable the DHCP service; the PPPoE service itself can assign addresses from its address pool.
3. Have the firewall filter the ports commonly used by viruses. Below are my firewall rules, for reference only:
/ ip firewall rule forward
add dst-address=:135 protocol=tcp action=drop comment="" disabled=no
add dst-address=:445 protocol=tcp action=drop comment="" disabled=no
add dst-address=:137 protocol=udp action=drop comment="" disabled=no
add dst-address=:138 protocol=udp action=drop comment="" disabled=no
add dst-address=:1434 protocol=udp action=drop comment="" disabled=no
add dst-address=:139 protocol=tcp action=drop comment="" disabled=no
add dst-address=:9995 protocol=tcp action=drop comment="" disabled=no
add dst-address=:9996 protocol=tcp action=drop comment="" disabled=no
add dst-address=:4444 protocol=tcp action=drop comment="" disabled=no
add dst-address=:5554 protocol=tcp action=drop comment="" disabled=no
add dst-address=:69 protocol=tcp action=drop comment="" disabled=no
add dst-address=:135 protocol=udp action=drop comment="" disabled=no
add dst-address=:137 protocol=tcp action=drop comment="" disabled=no
add dst-address=:138 protocol=tcp action=drop comment="" disabled=no
add dst-address=:445 protocol=udp action=drop comment="" disabled=no
add dst-address=:593 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1023 protocol=tcp action=drop comment="" disabled=no
/ ip firewall rule input
add dst-address=:137 protocol=udp action=drop comment="" disabled=no
add dst-address=:138 protocol=udp action=drop comment="" disabled=no
add dst-address=:135 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1434 protocol=udp action=drop comment="" disabled=no
add dst-address=:5554 protocol=tcp action=drop comment="" disabled=no
add dst-address=:1023 protocol=tcp action=drop comment="" disabled=no
add dst-address=:445 protocol=tcp action=drop comment="" disabled=no
add dst-address=:139 protocol=tcp action=drop comment="" disabled=no
add dst-address=:69 protocol=tcp action=drop comment="" disabled=no
add dst-address=:137 protocol=tcp action=drop comment="" disabled=no
add dst-address=:135 protocol=udp action=drop comment="" disabled=no
add dst-address=:138 protocol=tcp action=drop comment="" disabled=no
add dst-address=:593 protocol=tcp action=drop comment="" disabled=no
add dst-address=:445 protocol=udp action=drop comment="" disabled=no
add dst-address=:4444 protocol=tcp action=drop comment="" disabled=no
add dst-address=:9995 protocol=tcp action=drop comment="" disabled=no
add dst-address=:9996 protocol=tcp action=drop comment="" disabled=no
4. Configure IP Firewall Mangle to fix the MTU mismatch that makes a few websites unreachable.
/ ip firewall mangle
add protocol=tcp tcp-options=syn-only action=accept tcp-mss=1400 comment="" \
disabled=no
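The following is an added offline check, not the author's script: it parses rules in the same `add dst-address=:PORT protocol=... action=...` syntax as the list above, evaluates constructed sample flows against a forward-chain excerpt (first match wins, unmatched traffic falls through), and computes the largest TCP MSS a PPPoE link can carry so the tcp-mss=1400 clamp can be checked. The rule excerpt, the sample flows and the 1500-byte link MTU are assumptions.

```python
from __future__ import annotations
import re
from typing import NamedTuple

# Matches the RouterOS 2.x rule lines quoted in the post (port, protocol, action).
RULE_RE = re.compile(r'add dst-address=:(\d+) protocol=(tcp|udp) action=(\w+)')

# Constructed excerpt of the post's forward chain, in the original syntax.
FORWARD_RULES = """
add dst-address=:135 protocol=tcp action=drop comment="" disabled=no
add dst-address=:445 protocol=tcp action=drop comment="" disabled=no
add dst-address=:137 protocol=udp action=drop comment="" disabled=no
add dst-address=:1434 protocol=udp action=drop comment="" disabled=no
add dst-address=:69 protocol=tcp action=drop comment="" disabled=no
"""


class Rule(NamedTuple):
    port: int
    proto: str
    action: str


def parse_rules(text: str) -> list[Rule]:
    """Turn `add ...` lines into Rule tuples; lines that do not match are ignored."""
    return [Rule(int(p), pr, a) for p, pr, a in RULE_RE.findall(text)]


def verdict(rules: list[Rule], proto: str, dport: int) -> str:
    """First matching rule decides, as in a RouterOS chain; no match means fall-through (accept)."""
    for r in rules:
        if r.proto == proto and r.port == dport:
            return r.action
    return "accept"


def pppoe_mss(link_mtu: int = 1500, pppoe_overhead: int = 8, ip_tcp_headers: int = 40) -> int:
    """Largest TCP MSS that fits one PPPoE frame: 1500 - 8 (PPPoE+PPP) - 40 (IP+TCP) = 1452."""
    return link_mtu - pppoe_overhead - ip_tcp_headers


def mss_clamp_is_safe(clamp: int, link_mtu: int = 1500) -> bool:
    """A clamp at or below the computed limit avoids fragmentation; 1400 leaves extra headroom."""
    return clamp <= pppoe_mss(link_mtu)


if __name__ == "__main__":
    rules = parse_rules(FORWARD_RULES)
    for proto, port in [("tcp", 445), ("udp", 445), ("udp", 69), ("tcp", 80)]:
        print(f"{proto}/{port}: {verdict(rules, proto, port)}")
    print("PPPoE MSS limit:", pppoe_mss(), "clamp 1400 safe:", mss_clamp_is_safe(1400))
```

Running it shows that udp/69 falls through this excerpt, since TFTP runs over UDP while the rule lists port 69 under tcp; the check is a quick way to spot such protocol gaps before loading a rule list.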
5. Disable any IP services you do not need. If you are comfortable with the RouterOS command line, you can keep only SSH; if you need the GUI, enable the WWW service; disabling the Telnet service is strongly recommended.
6. If there are many PPPoE users, it is recommended to use a separate RADIUS server to store and manage the user accounts.
7. If there are many users, be sure to rate-limit each one so that normal use stays workable for the majority.
The above are a few suggestions I have summarized from real-world use. My knowledge is limited, so if anything is missing, please do not hesitate to point it out.