日志
RouterOS命令解释
##---------------------------------------------
#1、未解释的命令为系统初始默认设置。
#2、所有命令为实际环境测试并使用的,保证没有问题,包括VPN部分和PPPoE的设置也可正常使用。
#3、使用这些命令时,要根据自己网络环境做相应修改,特别是ADSL拨号部分和手动设置IP部分要做相应改变。
#4、注意这里没有管理员密码修改命令,请注意管理员密码。
#5、为了保护隐私,有些设置项用“*”号代替,请根据实际需要修改或补充完整。
#---------------------------------------------
# jan/14/2009 08:46:50 by RouterOS 2.9.27
# software id = FQM8-46T
#
#---------------------------------------------
## 设置内网外网接口名称、启用内网外网接口、内网接口ARP模式为只回应(配合ARP绑定避免ARP欺骗)。
/ interface ethernet
set wan name="wan" mtu=1500 mac-address=00:0A:EB:43:FA:F0 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
set lan name="lan" mtu=1500 mac-address=00:E0:4C:9E:5B:23 arp=reply-only \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
#---------------------------------------------
#设置L2TP服务,因为XP连接此服务需要对XP注册表进行修改,所以不推荐使用L2TP服务。
/ interface l2tp-server server
set enabled=yes max-mtu=1460 max-mru=1460 \
authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption
#---------------------------------------------
#设置PPPoE服务,客户机使用路由器中的PPPoE服务进行上网,可避免ARP欺骗,并且可进行简单的用户认证。
/ interface pppoe-server server
add service-name="pppoe-service1" interface=lan max-mtu=1488 max-mru=1488 \
authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10 \
one-session-per-host=no max-sessions=0 \
default-profile=pppoe-service-profile disabled=no
#---------------------------------------------
#添加PPTP服务器接口,远程办公人员可通过PPTP服务器接口连接到公司网络,它是VPN连接的一种方式。
/ interface pptp-server
add name="pptp-in1" user="" disabled=no
#---------------------------------------------
#设置PPTP服务器
/ interface pptp-server server
set enabled=yes max-mtu=1460 max-mru=1460 \
authentication=pap,chap,mschap1,mschap2 keepalive-timeout=120 \
default-profile=default-encryption
#---------------------------------------------
#配置外网接口为ADSL拨号
/ interface pppoe-client
add name="pppoe-out1" max-mtu=1480 max-mru=1480 interface=wan \
user="nj***********@nj1.201" password="********" profile=default \
service-name="" ac-name="" add-default-route=yes dial-on-demand=no \
use-peer-dns=no allow=pap,chap,mschap1,mschap2 disabled=no
#---------------------------------------------
#建立多个IP地址池,这些IP地址池被DHCP服务、PPPOE服务、L2TP服务和PPTP服务使用。
/ ip pool
add name="dhcp ip pool" ranges=192.168.0.181-192.168.0.190
add name="pppoe-service-pool" ranges=10.0.1.181-10.0.1.190
add name="l2tp-service-pool" ranges=10.0.3.181-10.0.3.190
add name="pptp-server-pool" ranges=10.0.2.181-10.0.2.190
#---------------------------------------------
/ ip telephony region
/ ip telephony gatekeeper
set gatekeeper=none remote-id="" remote-address=0.0.0.0
/ ip telephony aaa
set use-radius-accounting=no interim-update=0s
/ ip telephony codec
move G.711-uLaw-64k/sw
move G.711-ALaw-64k/sw
move G.729A-8k/sw
move G.729-8k/sw
move G.723.1-6.3k/sw
move GSM-06.10-13.2k/sw
move LPC-10-2.5k/sw
/ ip accounting
set enabled=no account-local-traffic=no threshold=256
/ ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
#---------------------------------------------
#修改路由器的服务端口
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=no
set ftp port=2121 address=0.0.0.0/0 disabled=no
set www port=8080 address=0.0.0.0/0 disabled=no
set ssh port=22 address=0.0.0.0/0 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=yes
#---------------------------------------------
/ ip upnp
set enabled=no allow-disable-external-interface=yes show-dummy-rule=yes
#---------------------------------------------
#绑定ARP
/ ip arp
add address=192.168.0.3 mac-address=00:15:F2:CF:F7:8A interface=lan comment="" \
disabled=no
add address=192.168.0.10 mac-address=00:1D:60:8D:40:65 interface=lan \
comment="" disabled=no
add address=192.168.0.12 mac-address=00:E0:A0:13:9B:97 interface=lan \
comment="" disabled=no
add address=192.168.0.18 mac-address=00:13
4:C5:5C:60 interface=lan \
comment="" disabled=no
add address=192.168.0.26 mac-address=00:15:F2:3A:E7:B2 interface=lan \
comment="" disabled=no
add address=192.168.0.32 mac-address=00:1D:608:67:19 interface=lan \
comment="" disabled=no
add address=192.168.0.250 mac-address=00:0B:6A:89:F7:CE interface=lan \
comment="" disabled=no
add address=192.168.0.251 mac-address=00:E0:4C:71:BD:4B interface=lan \
comment="" disabled=no
add address=192.168.0.244 mac-address=00:0E:A6:8A:9C:83 interface=lan \
comment="" disabled=no
add address=192.168.0.1 mac-address=00:1A:92:EF:B1:9D interface=lan comment="" \
disabled=no
add address=192.168.0.14 mac-address=00:15:F2:EB:F7:CC interface=lan \
comment="" disabled=no
add address=192.168.0.30 mac-address=00:15:F2:90:5C3 interface=lan \
comment="" disabled=no
add address=192.168.0.37 mac-address=00:1D:608:68:EE interface=lan \
comment="" disabled=no
add address=192.168.0.44 mac-address=00:1B:FC:5B:0E:3D interface=lan \
comment="" disabled=no
add address=192.168.0.49 mac-address=00:1343:13:24 interface=lan \
comment="" disabled=no
add address=192.168.0.53 mac-address=00:15:F2:EB:F8:5B interface=lan \
comment="" disabled=no
add address=192.168.0.247 mac-address=00:0F:1F:81:73:21 interface=lan \
comment="" disabled=no
add address=192.168.0.252 mac-address=00:02:B3:38:3A:C5 interface=lan \
comment="" disabled=no
add address=192.168.0.201 mac-address=00:1B:FC:92:1D:F8 interface=lan \
comment="" disabled=no
add address=192.168.0.225 mac-address=00:17:31:42:F5:BF interface=lan \
comment="" disabled=no
add address=192.168.0.227 mac-address=00:1A:4D:95:EB:0D interface=lan \
comment="" disabled=no
add address=192.168.0.36 mac-address=00:1A:92:98:98:3B interface=lan \
comment="" disabled=no
add address=192.168.0.43 mac-address=00:1A:926:CE:2E interface=lan \
comment="" disabled=no
add address=192.168.0.62 mac-address=00:1F:C6:22:34:BB interface=lan \
comment="" disabled=no
add address=192.168.0.64 mac-address=00:15:F2:EB:F9:3D interface=lan \
comment="" disabled=no
add address=192.168.0.253 mac-address=00:0F:CB:73:24:20 interface=lan \
comment="" disabled=no
add address=192.168.0.22 mac-address=00:15:F2:EB:F8:5F interface=lan \
comment="" disabled=no
add address=192.168.0.58 mac-address=00:1F:C6:C8:EC:07 interface=lan \
comment="" disabled=no
add address=192.168.0.66 mac-address=00:1D:60:45:6C:30 interface=lan \
comment="" disabled=no
add address=192.168.0.48 mac-address=00:1A:92:98:98:A2 interface=lan \
comment="" disabled=no
add address=192.168.0.57 mac-address=00:15:F2:3A:E7:C6 interface=lan \
comment="" disabled=no
add address=192.168.0.59 mac-address=00:1E:8C:26:13:5D interface=lan \
comment="" disabled=no
add address=192.168.0.202 mac-address=00:118:C4:A7:0B interface=lan \
comment="" disabled=no
add address=192.168.0.203 mac-address=00:E0:4C:39:1C:B0 interface=lan \
comment="" disabled=no
add address=192.168.0.204 mac-address=00:18:F3:FE:B8:14 interface=lan \
comment="" disabled=no
add address=192.168.0.206 mac-address=00:1F:C6:AB:F7:9F interface=lan \
comment="" disabled=no
add address=192.168.0.207 mac-address=00:0C:6E:3F:78:E2 interface=lan \
comment="" disabled=no
add address=192.168.0.208 mac-address=00:1A:92:EF:B0:39 interface=lan \
comment="" disabled=no
add address=192.168.0.209 mac-address=00:134:C5:5B:68 interface=lan \
comment="" disabled=no
add address=192.168.0.210 mac-address=00:15:F2:EB:F8:C4 interface=lan \
comment="" disabled=no
add address=192.168.0.215 mac-address=00:1B:FC:92:1C:6D interface=lan \
comment="" disabled=no
add address=192.168.0.221 mac-address=00:22:15:C5:CE:FF interface=lan \
comment="" disabled=no
add address=192.168.0.222 mac-address=00:0C:6E:0B:8A:25 interface=lan \
comment="" disabled=no
add address=192.168.0.223 mac-address=00:118:75:E32 interface=lan \
comment="" disabled=no
add address=192.168.0.224 mac-address=00:118:42:80:88 interface=lan \
comment="" disabled=no
add address=192.168.0.234 mac-address=00:E0:18:95:62:A9 interface=lan \
comment="" disabled=no
add address=192.168.0.245 mac-address=00:15:F2:EB:F8:85 interface=lan \
comment="" disabled=no
add address=192.168.0.230 mac-address=00:1F:C6:C8:EC:53 interface=lan \
comment="" disabled=no
add address=192.168.0.11 mac-address=00:15:F2:EB:F7:CA interface=lan \
comment="" disabled=no
add address=192.168.0.17 mac-address=00:1D:60:4A:B7:3A interface=lan \
comment="" disabled=no
add address=192.168.0.29 mac-address=00:22:15:81:8C:5E interface=lan \
comment="" disabled=no
add address=192.168.0.4 mac-address=00:0B:6A:90:20:3F interface=lan comment="" \
disabled=no
add address=192.168.0.231 mac-address=00:1B:FC:92:1C:69 interface=lan \
comment="" disabled=no
add address=192.168.0.9 mac-address=00:1D:60:8D:40:19 interface=lan comment="" \
disabled=no
add address=192.168.0.13 mac-address=00:15:F2:EB:F8:57 interface=lan \
comment="" disabled=no
add address=192.168.0.15 mac-address=00:22:15:A1:31:55 interface=lan \
comment="" disabled=no
add address=192.168.0.19 mac-address=00:1D:608:66:FB interface=lan \
comment="" disabled=no
add address=192.168.0.23 mac-address=00:15:F2:EB:F8:53 interface=lan \
comment="" disabled=no
add address=192.168.0.24 mac-address=00:1B:FC:5B:0E:23 interface=lan \
comment="" disabled=no
add address=192.168.0.25 mac-address=00:15:F2:EB:F8:51 interface=lan \
comment="" disabled=no
add address=192.168.0.35 mac-address=00:15:F2:EB:F8:78 interface=lan \
comment="" disabled=no
add address=192.168.0.65 mac-address=00:1D:60:8D:35:B1 interface=lan \
comment="" disabled=no
add address=192.168.0.67 mac-address=00:1D:60:1D:1E:E4 interface=lan \
comment="" disabled=no
add address=192.168.0.120 mac-address=00:1D:60:8D:27:46 interface=lan \
comment="" disabled=no
add address=192.168.0.246 mac-address=00:0C:6E:A0:7B:63 interface=lan \
comment="" disabled=no
add address=192.168.0.214 mac-address=00:1B:FC:92:1C:6F interface=lan \
comment="" disabled=no
add address=192.168.0.21 mac-address=00:01:01:01:01:01 interface=lan \
comment="" disabled=no
add address=192.168.0.237 mac-address=00:E0:18:08:A5:E8 interface=lan \
comment="" disabled=no
add address=192.168.0.20 mac-address=00:13:46:9C:67:5E interface=lan \
comment="" disabled=no
add address=192.168.0.211 mac-address=00:1B:FC:92:1E:06 interface=lan \
comment="" disabled=no
add address=192.168.0.212 mac-address=00:1B:FC:92:1C:98 interface=lan \
comment="" disabled=no
add address=192.168.0.217 mac-address=00:1B:FC:92:1C:94 interface=lan \
comment="" disabled=no
add address=192.168.0.249 mac-address=00:1A:92:98:98:A9 interface=lan \
comment="" disabled=no
add address=192.168.0.68 mac-address=00:1D:608:67:EB interface=lan \
comment="" disabled=no
add address=192.168.0.46 mac-address=00:1F:C6:428:2B interface=lan \
comment="" disabled=no
add address=192.168.0.228 mac-address=00:1A:92:EF:B1:95 interface=lan \
comment="" disabled=no
add address=192.168.0.226 mac-address=00:15:F2:3A:E7:F4 interface=lan \
comment="" disabled=no
add address=192.168.0.70 mac-address=00:1F:C6:22:343 interface=lan \
comment="" disabled=no
add address=192.168.0.216 mac-address=00:1E:8C:34:6F:2C interface=lan \
comment="" disabled=no
add address=192.168.0.73 mac-address=00:1F:C6:420:A1 interface=lan \
comment="" disabled=no
add address=192.168.0.74 mac-address=00:1D:60:4A:B8:A2 interface=lan \
comment="" disabled=no
add address=192.168.0.229 mac-address=00:1E:8C:1A:E5:CC interface=lan \
comment="" disabled=no
add address=192.168.0.243 mac-address=00:118:75:E2:EF interface=lan \
comment="" disabled=no
add address=192.168.0.232 mac-address=00:1F:C6:AB:F7:E3 interface=lan \
comment="" disabled=no
add address=192.168.0.242 mac-address=00:0E:A6:30:C5:2C interface=lan \
comment="" disabled=no
add address=192.168.0.69 mac-address=00:1D:608:67:71 interface=lan \
comment="" disabled=no
add address=192.168.0.218 mac-address=00:22:15:18:06:94 interface=lan \
comment="" disabled=no
add address=192.168.0.75 mac-address=00:22:15:18:06:74 interface=lan \
comment="" disabled=no
add address=192.168.0.241 mac-address=00:22:15:18:06:6B interface=lan \
comment="" disabled=no
add address=192.168.0.213 mac-address=00:0E:A6:30:C7:61 interface=lan \
comment="" disabled=no
add address=192.168.0.220 mac-address=00:0C:6E:0B:89:F2 interface=lan \
comment="" disabled=no
add address=192.168.0.76 mac-address=00:23:54:0F:80:93 interface=lan \
comment="" disabled=no
add address=192.168.0.233 mac-address=00:23:54:0F:77:4A interface=lan \
comment="" disabled=no
#---------------------------------------------
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
#---------------------------------------------
#设置路由器DNS,此命令仅对路由器自身有作用,对客户机没有任何影响。
/ ip dns
set primary-dns=218.2.135.1 secondary-dns=202.102.24.35 \
allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w
#---------------------------------------------
/ ip traffic-flow
set enabled=no interfaces=all cache-entries=4k active-flow-timeout=30m \
inactive-flow-timeout=15s
#---------------------------------------------
#设置内网接口的IP,外网因为是ADSL拨号所以不用手动设置IP.
/ ip address
add address=192.168.0.254/24 network=192.168.0.0 broadcast=192.168.0.255 \
interface=lan comment="" disabled=no
#---------------------------------------------
/ ip proxy
set enabled=no port=8080 parent-proxy=0.0.0.0:0 maximal-client-connecions=1000 \
maximal-server-connectons=1000
/ ip proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
disabled=no
#---------------------------------------------
#开启或关闭一些网络接口的邻居发现协议。
/ ip neighbor discovery
set wan discover=yes
set lan discover=yes
set pppoe-out1 discover=no
set pppoe-in1 discover=no
set l2tp-in1 discover=no
set pptp-in1 discover=no
#---------------------------------------------
#添加路由,因为外网接口是ADSL拨号,所以缺省路由会动态添加、无需手动添加。
/ ip route
#---------------------------------------------.
/ ip firewall mangle
#---------------------------------------------
#添加网络地址转换。第一作用是对192.168.0.0/24网段(内网网段)的地址进行伪装。第二条作用是对10.0.0.0/8网段(ppptp、l2tp连接时用到的网段)的地址进行伪装。第三条作用是端口映射,使得通过外网可以访问内某台机器的某个端口。
/ ip firewall nat
add chain=srcnat out-interface=pppoe-out1 src-address=192.168.0.0/24 \
action=masquerade comment="" disabled=no
add chain=srcnat src-address=10.0.0.0/8 action=masquerade comment="" \
disabled=no
add chain=dstnat in-interface=pppoe-out1 protocol=tcp dst-port=21 \
action=dst-nat to-addresses=192.168.0.251 to-ports=21 comment="" \
disabled=no
#---------------------------------------------
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
tcp-syncookie=no
#---------------------------------------------
#添加防火墙策略:高端IP可以无限制访问外网,其他IP上班时间只可访问固定的网站、下班时间可访问除黑名单以外的网站。
/ ip firewall filter
add chain=forward src-address=192.168.0.241-192.168.0.253 action=accept \
comment="" disabled=no
add chain=forward dst-address=192.168.0.241-192.168.0.253 action=accept \
comment="" disabled=no
add chain=forward src-address=192.168.0.181-192.168.0.240 action=accept \
comment="" disabled=no
add chain=forward src-address=192.168.0.43 action=accept comment="" \
disabled=no
add chain=forward dst-address=58.2**.7*.1** action=accept \
comment="www.*****.com" disabled=no
add chain=forward dst-address=61.1**.1*.1** action=accept \
comment="mail.*****.com" disabled=no
add chain=forward dst-address=218.2.135.1 action=accept comment="DNS001" \
disabled=no
add chain=forward dst-address=202.102.24.35 action=accept comment="DNS002" \
disabled=no
add chain=forward protocol=tcp dst-port=53 action=accept \
comment="DNS-TCP-PORT" disabled=no
add chain=forward protocol=udp dst-port=53 action=accept \
comment="DNS-UDP-PORT" disabled=no
add chain=forward protocol=tcp dst-port=25 action=accept comment="SMTP" \
disabled=no
add chain=forward protocol=tcp dst-port=110 action=accept comment="
OP3" \
disabled=no
add chain=forward dst-address=58.60.9.247 action=drop comment="ccproxy dst" \
disabled=no
add chain=forward dst-address=219.133.60.206 action=drop comment="ccproxy dst" \
disabled=no
add chain=forward dst-address=119.147.41.14 action=drop \
comment="www.gougou.com" disabled=no
add chain=forward dst-address=222.73.207.132 action=drop \
comment="www.verycd.com" disabled=no
add chain=forward dst-address=220.181.38.70 action=drop \
comment="mp3.baidu.com" disabled=no
add chain=forward dst-address=121.14.243.91 action=drop \
comment="www.greenland.net" disabled=no
add chain=forward dst-address=121.14.243.102 action=drop \
comment="bt.greenland.net" disabled=no
add chain=forward dst-address=211.95.79.63 action=drop comment="www.ydy.com" \
disabled=no
add chain=forward dst-address=221.130.195.239 action=drop comment="bt.ydy.com" \
disabled=no
add chain=forward dst-address=60.28.197.103 action=drop \
comment="s.kuaiche.com" disabled=no
add chain=forward dst-address=222.73.205.95 action=drop \
comment="www.btchina.net" disabled=no
add chain=forward dst-address=220.196.59.236 action=drop \
comment="bt.btchina.net" disabled=no
add chain=forward dst-address=119.147.41.12 action=drop \
comment="search.gougou.com" disabled=no
add chain=forward protocol=tcp dst-port=3076-3078 action=drop comment="xunlei \
tcp 3076-3078" disabled=no
add chain=forward protocol=tcp dst-port=6881-6890 action=drop \
comment="kuaicheBT tcp 6881-6890" disabled=no
add chain=forward protocol=tcp dst-port=4662 action=drop comment="emule tcp \
4662" disabled=no
add chain=forward protocol=udp dst-port=4672 action=drop comment="emule udp \
4672" disabled=no
add chain=forward time=7h-8h30m,sat,fri,thu,wed,tue,mon,sun action=accept \
comment="Morning 90mins" disabled=no
add chain=forward time=12h-13h30m,sat,fri,thu,wed,tue,mon,sun action=accept \
comment="Noon 90mins" disabled=no
add chain=forward time=17h-18h30m,sat,fri,thu,wed,tue,mon,sun action=accept \
comment="Evening 90mins" disabled=no
add chain=forward src-address=192.168.0.0/24 action=drop comment="Drop All" \
disabled=no
#---------------------------------------------
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set gre disabled=yes
set pptp disabled=yes
/ ip hotspot service-port
set ftp ports=21 disabled=no
/ ip hotspot profile
set default name="default" hotspot-address=0.0.0.0 dns-name="" \
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 \
smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d \
split-user-domain=no use-radius=no
/ ip hotspot user profile
set default name="default" idle-timeout=none keepalive-timeout=2m \
status-autorefresh=1m shared-users=1 transparent-proxy=yes \
open-status-page=always advertise=no
#---------------------------------------------
#建立DHCP服务,IP范围使用上面已经建立的IP地址池
/ ip dhcp-server
add name="dhcp-server" interface=lan lease-time=6h address-pool="dhcp ip pool" \
bootp-support=static add-arp=yes authoritative=after-2sec-delay \
disabled=no
#---------------------------------------------
/ ip dhcp-server config
set store-leases-disk=5m
/ ip dhcp-server lease
#---------------------------------------------
#配置DHCP服务的网络参数,其中包括网关、DNS的IP地址
/ ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.254 netmask=24 \
dns-server=218.2.135.1,202.102.24.35 comment=""
#---------------------------------------------
#以下分隔下线之间为初始默认配置命令。
/ ip ipsec proposal
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m \
lifebytes=0 pfs-group=modp1024 disabled=no
/ ip web-proxy
set enabled=no src-address=0.0.0.0 port=3128 hostname="proxy" \
transparent-proxy=no parent-proxy=0.0.0.0:0 \
cache-administrator="webmaster" max-object-size=4096KiB cache-drive=system \
max-cache-size=none max-ram-cache-size=unlimited
/ ip web-proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
disabled=no
/ ip web-proxy cache
add url=":cgi-bin \\?" action=deny comment="don't cache dynamic http pages" \
disabled=no
/ system logging action
set memory name="memory" target=memory memory-lines=100 memory-stop-on-full=no
set disk name="disk" target=disk disk-lines=100 disk-stop-on-full=no
set echo name="echo" target=echo remember=yes
set remote name="remote" target=remote remote=0.0.0.0:514
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 \
check-interval=1d user=""
/ system clock dst
set dst-delta=+00:00 dst-start="jan/01/1970 00:00:00" dst-end="jan/01/1970 \
00:00:00"
/ system watchdog
set reboot-on-failure=yes watch-address=none watchdog-timer=yes \
no-ping-delay=5m automatic-supout=yes auto-send-supout=no
/ system console
add port=serial0 term="" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
/ system console screen
set line-count=25
/ system identity
set name="MikroTik"
/ system note
set show-at-login=yes note=""
/ system gps
set enabled=no set-system-time=yes
/ system lcd
set enabled=no type=24x4 port=parallel contrast=0
/ system lcd page
set time display-time=5s disabled=yes
set resources display-time=5s disabled=yes
set uptime display-time=5s disabled=yes
set packets display-time=5s disabled=yes
set bits display-time=5s disabled=yes
set version display-time=5s disabled=yes
set pptp-in1 display-time=5s disabled=yes
set l2tp-in1 display-time=5s disabled=yes
set pppoe-in1 display-time=5s disabled=yes
set wan display-time=5s disabled=yes
set lan display-time=5s disabled=yes
set pppoe-out1 display-time=5s disabled=yes
/ system ntp server
set enabled=no broadcast=yes multicast=yes manycast=yes
/ system ntp client
set enabled=no mode=unicast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
/ system routerboard bios
set
/ system health
set state-after-reboot=enabled
/ port
set serial0 name="serial0" baud-rate=9600 data-bits=8 parity=none stop-bits=1 \
flow-control=hardware
set serial1 name="serial1" baud-rate=9600 data-bits=8 parity=none stop-bits=1 \
flow-control=hardware
#---------------------------------------------
#添加PPP连接环境
/ ppp profile
set default name="default" use-compression=default use-vj-compression=default \
use-encryption=default only-one=default change-tcp-mss=yes comment=""
add name="pppoe-service-profile" local-address=pppoe-serivce-pool \
remote-address=pppoe-serivce-pool use-compression=yes \
use-vj-compression=yes use-encryption=yes only-one=default \
change-tcp-mss=default dns-server=202.102.24.35,218.2.135.1 comment=""
add name="l2tp-server-profile" local-address=l2tp-service-pool \
remote-address=l2tp-service-pool use-compression=default \
use-vj-compression=default use-encryption=yes only-one=default \
change-tcp-mss=yes dns-server=218.2.135.1,202.102.24.35 comment=""
add name="pptp-server-profile" local-address=pptp-server-pool \
remote-address=pptp-server-pool use-compression=default \
use-vj-compression=default use-encryption=yes only-one=default \
change-tcp-mss=default comment=""
set default-encryption name="default-encryption" use-compression=default \
use-vj-compression=default use-encryption=yes only-one=default \
change-tcp-mss=yes comment=""
#---------------------------------------------
#添加PPP连接用户
/ ppp secret
add name="pppoe***" service=pppoe caller-id="" password="********" \
profile=pppoe-service-profile routes="" limit-bytes-in=0 limit-bytes-out=0 \
comment="" disabled=no
add name="l2tp***" service=l2tp caller-id="" password="********" \
profile=default-encryption routes="" limit-bytes-in=0 limit-bytes-out=0 \
comment="" disabled=no
add name="pptp***" service=any caller-id="" password="********" \
profile=pptp-server-profile routes="" limit-bytes-in=0 limit-bytes-out=0 \
comment="" disabled=no
#---------------------------------------------
/ ppp aaa
set use-radius=no accounting=yes interim-update=0s
#---------------------------------------------
#添加queue type,queue type支援后面的queue simple,从而进行流量控制和分配。
/ queue type
set default name="default" kind=pfifo pfifo-limit=50
set ethernet-default name="ethernet-default" kind=pfifo pfifo-limit=50
set wireless-default name="wireless-default" kind=sfq sfq-perturb=5 \
sfq-allot=1514
set synchronous-default name="synchronous-default" kind=red red-limit=60 \
red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
set hotspot-default name="hotspot-default" kind=sfq sfq-perturb=5 \
sfq-allot=1514
add name="queuetype-down1M" kind=pcq pcq-rate=1000000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="queuetype-up1M" kind=pcq pcq-rate=1000000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="queuetype-down500K" kind=pcq pcq-rate=500000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="queuetype-up500K" kind=pcq pcq-rate=500000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="queuetype-down100K" kind=pcq pcq-rate=100000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="queuetype-up100K" kind=pcq pcq-rate=100000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="default-small" kind=pfifo pfifo-limit=10
#---------------------------------------------
#使用queue simple进行流量控制和分配,每IP下载速率不高于50K位每秒、总下载速率不高于3M位每秒,几个特殊IP没有速率限制。
/ queue simple
add name="fullspeed" target-addresses=192.168.0.241/32 dst-address=0.0.0.0/0 \
interface=all parent=none direction=both priority=8 \
queue=default-small/default-small limit-at=0/0 max-limit=0/0 \
total-queue=default-small disabled=no
add name="pcq for server" \
target-addresses=192.168.0.252/32,192.168.0.253/32,192.168.0.203/32,192.168\
.0.207/32,192.168.0.246/32,192.168.0.241/32,192.168.0.201/32 \
dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 \
queue=default-small/default-small limit-at=0/0 max-limit=0/0 \
total-queue=default-small disabled=no
add name="pcq for all others" target-addresses=192.168.0.0/24 \
dst-address=0.0.0.0/0 interface=lan parent=none direction=both priority=8 \
queue=queuetype-up500K/queuetype-down500K limit-at=0/0 \
max-limit=3000000/3000000 total-queue=default-small disabled=no
#---------------------------------------------
/ user
add name="admin" group=full address=0.0.0.0/0 comment="system default user" \
disabled=no
add name="read" group=read address=0.0.0.0/0 comment="" disabled=no
add name="backup" group=full address=0.0.0.0/0 comment="" disabled=no
/ user group
add name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!f\
tp,!write,!policy
add name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password\
,web,!ftp,!policy
add name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbo\
x,password,web
/ user aaa
set use-radius=no accounting=yes interim-update=0s default-group=read
/ radius incoming
set accept=no port=1700
/ driver
/ snmp
set enabled=no contact="" location=""
/ snmp community
set public name="public" address=0.0.0.0/0 read-access=yes
/ tool bandwidth-server
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
/ tool mac-server ping
set enabled=yes
/ tool e-mail
set server=0.0.0.0 from="<>"
/ tool sniffer
set interface=all only-headers=no memory-limit=10 file-name="" file-limit=10 \
streaming-enabled=no streaming-server=0.0.0.0 filter-stream=yes \
filter-protocol=ip-only filter-address1=0.0.0.0/0:0-65535 \
filter-address2=0.0.0.0/0:0-65535
/ tool graphing
set store-every=5min
/ tool graphing interface
add interface=all allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ routing ospf
set router-id=0.0.0.0 distribute-default=never redistribute-connected=no \
redistribute-static=no redistribute-rip=no redistribute-bgp=no \
metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 \
metric-bgp=20
/ routing ospf area
set backbone area-id=0.0.0.0 type=default translator-role=translate-candidate \
authentication=none prefix-list-import="" prefix-list-export="" \
disabled=no
/ routing bgp
set enabled=no as=1 router-id=0.0.0.0 redistribute-static=no \
redistribute-connected=no redistribute-rip=no redistribute-ospf=no
/ routing rip
set redistribute-static=no redistribute-connected=no redistribute-ospf=no \
redistribute-bgp=no metric-static=1 metric-connected=1 metric-ospf=1 \
metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m
#----------结束-----------------------------------
#1、未解释的命令为系统初始默认设置。
#2、所有命令为实际环境测试并使用的,保证没有问题,包括VPN部分和PPPoE的设置也可正常使用。
#3、使用这些命令时,要根据自己网络环境做相应修改,特别是ADSL拨号部分和手动设置IP部分要做相应改变。
#4、注意这里没有管理员密码修改命令,请注意管理员密码。
#5、为了保护隐私,有些设置项用“*”号代替,请根据实际需要修改或补充完整。
#---------------------------------------------
# jan/14/2009 08:46:50 by RouterOS 2.9.27
# software id = FQM8-46T
#
#---------------------------------------------
## 设置内网外网接口名称、启用内网外网接口、内网接口ARP模式为只回应(配合ARP绑定避免ARP欺骗)。
/ interface ethernet
set wan name="wan" mtu=1500 mac-address=00:0A:EB:43:FA:F0 arp=enabled \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
set lan name="lan" mtu=1500 mac-address=00:E0:4C:9E:5B:23 arp=reply-only \
disable-running-check=yes auto-negotiation=yes full-duplex=yes \
cable-settings=default speed=100Mbps comment="" disabled=no
#---------------------------------------------
#设置L2TP服务,因为XP连接此服务需要对XP注册表进行修改,所以不推荐使用L2TP服务。
/ interface l2tp-server server
set enabled=yes max-mtu=1460 max-mru=1460 \
authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption
#---------------------------------------------
#设置PPPoE服务,客户机使用路由器中的PPPoE服务进行上网,可避免ARP欺骗,并且可进行简单的用户认证。
/ interface pppoe-server server
add service-name="pppoe-service1" interface=lan max-mtu=1488 max-mru=1488 \
authentication=pap,chap,mschap1,mschap2 keepalive-timeout=10 \
one-session-per-host=no max-sessions=0 \
default-profile=pppoe-service-profile disabled=no
#---------------------------------------------
#添加PPTP服务器接口,远程办公人员可通过PPTP服务器接口连接到公司网络,它是VPN连接的一种方式。
/ interface pptp-server
add name="pptp-in1" user="" disabled=no
#---------------------------------------------
#设置PPTP服务器
/ interface pptp-server server
set enabled=yes max-mtu=1460 max-mru=1460 \
authentication=pap,chap,mschap1,mschap2 keepalive-timeout=120 \
default-profile=default-encryption
#---------------------------------------------
#配置外网接口为ADSL拨号
/ interface pppoe-client
add name="pppoe-out1" max-mtu=1480 max-mru=1480 interface=wan \
user="nj***********@nj1.201" password="********" profile=default \
service-name="" ac-name="" add-default-route=yes dial-on-demand=no \
use-peer-dns=no allow=pap,chap,mschap1,mschap2 disabled=no
#---------------------------------------------
#建立多个IP地址池,这些IP地址池被DHCP服务、PPPOE服务、L2TP服务和PPTP服务使用。
/ ip pool
add name="dhcp ip pool" ranges=192.168.0.181-192.168.0.190
add name="pppoe-service-pool" ranges=10.0.1.181-10.0.1.190
add name="l2tp-service-pool" ranges=10.0.3.181-10.0.3.190
add name="pptp-server-pool" ranges=10.0.2.181-10.0.2.190
#---------------------------------------------
/ ip telephony region
/ ip telephony gatekeeper
set gatekeeper=none remote-id="" remote-address=0.0.0.0
/ ip telephony aaa
set use-radius-accounting=no interim-update=0s
/ ip telephony codec
move G.711-uLaw-64k/sw
move G.711-ALaw-64k/sw
move G.729A-8k/sw
move G.729-8k/sw
move G.723.1-6.3k/sw
move GSM-06.10-13.2k/sw
move LPC-10-2.5k/sw
/ ip accounting
set enabled=no account-local-traffic=no threshold=256
/ ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
#---------------------------------------------
#修改路由器的服务端口
/ ip service
set telnet port=23 address=0.0.0.0/0 disabled=no
set ftp port=2121 address=0.0.0.0/0 disabled=no
set www port=8080 address=0.0.0.0/0 disabled=no
set ssh port=22 address=0.0.0.0/0 disabled=no
set www-ssl port=443 address=0.0.0.0/0 certificate=none disabled=yes
#---------------------------------------------
/ ip upnp
set enabled=no allow-disable-external-interface=yes show-dummy-rule=yes
#---------------------------------------------
#绑定ARP
/ ip arp
add address=192.168.0.3 mac-address=00:15:F2:CF:F7:8A interface=lan comment="" \
disabled=no
add address=192.168.0.10 mac-address=00:1D:60:8D:40:65 interface=lan \
comment="" disabled=no
add address=192.168.0.12 mac-address=00:E0:A0:13:9B:97 interface=lan \
comment="" disabled=no
add address=192.168.0.18 mac-address=00:13
4:C5:5C:60 interface=lan \comment="" disabled=no
add address=192.168.0.26 mac-address=00:15:F2:3A:E7:B2 interface=lan \
comment="" disabled=no
add address=192.168.0.32 mac-address=00:1D:60
8:67:19 interface=lan \comment="" disabled=no
add address=192.168.0.250 mac-address=00:0B:6A:89:F7:CE interface=lan \
comment="" disabled=no
add address=192.168.0.251 mac-address=00:E0:4C:71:BD:4B interface=lan \
comment="" disabled=no
add address=192.168.0.244 mac-address=00:0E:A6:8A:9C:83 interface=lan \
comment="" disabled=no
add address=192.168.0.1 mac-address=00:1A:92:EF:B1:9D interface=lan comment="" \
disabled=no
add address=192.168.0.14 mac-address=00:15:F2:EB:F7:CC interface=lan \
comment="" disabled=no
add address=192.168.0.30 mac-address=00:15:F2:90:5C
3 interface=lan \comment="" disabled=no
add address=192.168.0.37 mac-address=00:1D:60
8:68:EE interface=lan \comment="" disabled=no
add address=192.168.0.44 mac-address=00:1B:FC:5B:0E:3D interface=lan \
comment="" disabled=no
add address=192.168.0.49 mac-address=00:13
43:13:24 interface=lan \comment="" disabled=no
add address=192.168.0.53 mac-address=00:15:F2:EB:F8:5B interface=lan \
comment="" disabled=no
add address=192.168.0.247 mac-address=00:0F:1F:81:73:21 interface=lan \
comment="" disabled=no
add address=192.168.0.252 mac-address=00:02:B3:38:3A:C5 interface=lan \
comment="" disabled=no
add address=192.168.0.201 mac-address=00:1B:FC:92:1D:F8 interface=lan \
comment="" disabled=no
add address=192.168.0.225 mac-address=00:17:31:42:F5:BF interface=lan \
comment="" disabled=no
add address=192.168.0.227 mac-address=00:1A:4D:95:EB:0D interface=lan \
comment="" disabled=no
add address=192.168.0.36 mac-address=00:1A:92:98:98:3B interface=lan \
comment="" disabled=no
add address=192.168.0.43 mac-address=00:1A:92
6:CE:2E interface=lan \comment="" disabled=no
add address=192.168.0.62 mac-address=00:1F:C6:22:34:BB interface=lan \
comment="" disabled=no
add address=192.168.0.64 mac-address=00:15:F2:EB:F9:3D interface=lan \
comment="" disabled=no
add address=192.168.0.253 mac-address=00:0F:CB:73:24:20 interface=lan \
comment="" disabled=no
add address=192.168.0.22 mac-address=00:15:F2:EB:F8:5F interface=lan \
comment="" disabled=no
add address=192.168.0.58 mac-address=00:1F:C6:C8:EC:07 interface=lan \
comment="" disabled=no
add address=192.168.0.66 mac-address=00:1D:60:45:6C:30 interface=lan \
comment="" disabled=no
add address=192.168.0.48 mac-address=00:1A:92:98:98:A2 interface=lan \
comment="" disabled=no
add address=192.168.0.57 mac-address=00:15:F2:3A:E7:C6 interface=lan \
comment="" disabled=no
add address=192.168.0.59 mac-address=00:1E:8C:26:13:5D interface=lan \
comment="" disabled=no
add address=192.168.0.202 mac-address=00:11
8:C4:A7:0B interface=lan \comment="" disabled=no
add address=192.168.0.203 mac-address=00:E0:4C:39:1C:B0 interface=lan \
comment="" disabled=no
add address=192.168.0.204 mac-address=00:18:F3:FE:B8:14 interface=lan \
comment="" disabled=no
add address=192.168.0.206 mac-address=00:1F:C6:AB:F7:9F interface=lan \
comment="" disabled=no
add address=192.168.0.207 mac-address=00:0C:6E:3F:78:E2 interface=lan \
comment="" disabled=no
add address=192.168.0.208 mac-address=00:1A:92:EF:B0:39 interface=lan \
comment="" disabled=no
add address=192.168.0.209 mac-address=00:13
4:C5:5B:68 interface=lan \comment="" disabled=no
add address=192.168.0.210 mac-address=00:15:F2:EB:F8:C4 interface=lan \
comment="" disabled=no
add address=192.168.0.215 mac-address=00:1B:FC:92:1C:6D interface=lan \
comment="" disabled=no
add address=192.168.0.221 mac-address=00:22:15:C5:CE:FF interface=lan \
comment="" disabled=no
add address=192.168.0.222 mac-address=00:0C:6E:0B:8A:25 interface=lan \
comment="" disabled=no
add address=192.168.0.223 mac-address=00:11
8:75:E32 interface=lan \comment="" disabled=no
add address=192.168.0.224 mac-address=00:11
8:42:80:88 interface=lan \comment="" disabled=no
add address=192.168.0.234 mac-address=00:E0:18:95:62:A9 interface=lan \
comment="" disabled=no
add address=192.168.0.245 mac-address=00:15:F2:EB:F8:85 interface=lan \
comment="" disabled=no
add address=192.168.0.230 mac-address=00:1F:C6:C8:EC:53 interface=lan \
comment="" disabled=no
add address=192.168.0.11 mac-address=00:15:F2:EB:F7:CA interface=lan \
comment="" disabled=no
add address=192.168.0.17 mac-address=00:1D:60:4A:B7:3A interface=lan \
comment="" disabled=no
add address=192.168.0.29 mac-address=00:22:15:81:8C:5E interface=lan \
comment="" disabled=no
add address=192.168.0.4 mac-address=00:0B:6A:90:20:3F interface=lan comment="" \
disabled=no
add address=192.168.0.231 mac-address=00:1B:FC:92:1C:69 interface=lan \
comment="" disabled=no
add address=192.168.0.9 mac-address=00:1D:60:8D:40:19 interface=lan comment="" \
disabled=no
add address=192.168.0.13 mac-address=00:15:F2:EB:F8:57 interface=lan \
comment="" disabled=no
add address=192.168.0.15 mac-address=00:22:15:A1:31:55 interface=lan \
comment="" disabled=no
add address=192.168.0.19 mac-address=00:1D:60
8:66:FB interface=lan \comment="" disabled=no
add address=192.168.0.23 mac-address=00:15:F2:EB:F8:53 interface=lan \
comment="" disabled=no
add address=192.168.0.24 mac-address=00:1B:FC:5B:0E:23 interface=lan \
comment="" disabled=no
add address=192.168.0.25 mac-address=00:15:F2:EB:F8:51 interface=lan \
comment="" disabled=no
add address=192.168.0.35 mac-address=00:15:F2:EB:F8:78 interface=lan \
comment="" disabled=no
add address=192.168.0.65 mac-address=00:1D:60:8D:35:B1 interface=lan \
comment="" disabled=no
add address=192.168.0.67 mac-address=00:1D:60:1D:1E:E4 interface=lan \
comment="" disabled=no
add address=192.168.0.120 mac-address=00:1D:60:8D:27:46 interface=lan \
comment="" disabled=no
add address=192.168.0.246 mac-address=00:0C:6E:A0:7B:63 interface=lan \
comment="" disabled=no
add address=192.168.0.214 mac-address=00:1B:FC:92:1C:6F interface=lan \
comment="" disabled=no
add address=192.168.0.21 mac-address=00:01:01:01:01:01 interface=lan \
comment="" disabled=no
add address=192.168.0.237 mac-address=00:E0:18:08:A5:E8 interface=lan \
comment="" disabled=no
add address=192.168.0.20 mac-address=00:13:46:9C:67:5E interface=lan \
comment="" disabled=no
add address=192.168.0.211 mac-address=00:1B:FC:92:1E:06 interface=lan \
comment="" disabled=no
add address=192.168.0.212 mac-address=00:1B:FC:92:1C:98 interface=lan \
comment="" disabled=no
add address=192.168.0.217 mac-address=00:1B:FC:92:1C:94 interface=lan \
comment="" disabled=no
add address=192.168.0.249 mac-address=00:1A:92:98:98:A9 interface=lan \
comment="" disabled=no
add address=192.168.0.68 mac-address=00:1D:60
8:67:EB interface=lan \comment="" disabled=no
add address=192.168.0.46 mac-address=00:1F:C6:42
8:2B interface=lan \comment="" disabled=no
add address=192.168.0.228 mac-address=00:1A:92:EF:B1:95 interface=lan \
comment="" disabled=no
add address=192.168.0.226 mac-address=00:15:F2:3A:E7:F4 interface=lan \
comment="" disabled=no
add address=192.168.0.70 mac-address=00:1F:C6:22:34
3 interface=lan \comment="" disabled=no
add address=192.168.0.216 mac-address=00:1E:8C:34:6F:2C interface=lan \
comment="" disabled=no
add address=192.168.0.73 mac-address=00:1F:C6:42
0:A1 interface=lan \comment="" disabled=no
add address=192.168.0.74 mac-address=00:1D:60:4A:B8:A2 interface=lan \
comment="" disabled=no
add address=192.168.0.229 mac-address=00:1E:8C:1A:E5:CC interface=lan \
comment="" disabled=no
add address=192.168.0.243 mac-address=00:11
8:75:E2:EF interface=lan \comment="" disabled=no
add address=192.168.0.232 mac-address=00:1F:C6:AB:F7:E3 interface=lan \
comment="" disabled=no
add address=192.168.0.242 mac-address=00:0E:A6:30:C5:2C interface=lan \
comment="" disabled=no
add address=192.168.0.69 mac-address=00:1D:60
8:67:71 interface=lan \comment="" disabled=no
add address=192.168.0.218 mac-address=00:22:15:18:06:94 interface=lan \
comment="" disabled=no
add address=192.168.0.75 mac-address=00:22:15:18:06:74 interface=lan \
comment="" disabled=no
add address=192.168.0.241 mac-address=00:22:15:18:06:6B interface=lan \
comment="" disabled=no
add address=192.168.0.213 mac-address=00:0E:A6:30:C7:61 interface=lan \
comment="" disabled=no
add address=192.168.0.220 mac-address=00:0C:6E:0B:89:F2 interface=lan \
comment="" disabled=no
add address=192.168.0.76 mac-address=00:23:54:0F:80:93 interface=lan \
comment="" disabled=no
add address=192.168.0.233 mac-address=00:23:54:0F:77:4A interface=lan \
comment="" disabled=no
#---------------------------------------------
/ ip socks
set enabled=no port=1080 connection-idle-timeout=2m max-connections=200
#---------------------------------------------
#设置路由器DNS,此命令仅对路由器自身有作用,对客户机没有任何影响。
/ ip dns
set primary-dns=218.2.135.1 secondary-dns=202.102.24.35 \
allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w
#---------------------------------------------
/ ip traffic-flow
set enabled=no interfaces=all cache-entries=4k active-flow-timeout=30m \
inactive-flow-timeout=15s
#---------------------------------------------
#设置内网接口的IP,外网因为是ADSL拨号所以不用手动设置IP.
/ ip address
add address=192.168.0.254/24 network=192.168.0.0 broadcast=192.168.0.255 \
interface=lan comment="" disabled=no
#---------------------------------------------
/ ip proxy
set enabled=no port=8080 parent-proxy=0.0.0.0:0 maximal-client-connecions=1000 \
maximal-server-connectons=1000
/ ip proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
disabled=no
#---------------------------------------------
#开启或关闭一些网络接口的邻居发现协议。
/ ip neighbor discovery
set wan discover=yes
set lan discover=yes
set pppoe-out1 discover=no
set pppoe-in1 discover=no
set l2tp-in1 discover=no
set pptp-in1 discover=no
#---------------------------------------------
#添加路由,因为外网接口是ADSL拨号,所以缺省路由会动态添加、无需手动添加。
/ ip route
#---------------------------------------------.
/ ip firewall mangle
#---------------------------------------------
#添加网络地址转换。第一作用是对192.168.0.0/24网段(内网网段)的地址进行伪装。第二条作用是对10.0.0.0/8网段(ppptp、l2tp连接时用到的网段)的地址进行伪装。第三条作用是端口映射,使得通过外网可以访问内某台机器的某个端口。
/ ip firewall nat
add chain=srcnat out-interface=pppoe-out1 src-address=192.168.0.0/24 \
action=masquerade comment="" disabled=no
add chain=srcnat src-address=10.0.0.0/8 action=masquerade comment="" \
disabled=no
add chain=dstnat in-interface=pppoe-out1 protocol=tcp dst-port=21 \
action=dst-nat to-addresses=192.168.0.251 to-ports=21 comment="" \
disabled=no
#---------------------------------------------
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s \
tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s \
udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m \
tcp-syncookie=no
#---------------------------------------------
#添加防火墙策略:高端IP可以无限制访问外网,其他IP上班时间只可访问固定的网站、下班时间可访问除黑名单以外的网站。
/ ip firewall filter
add chain=forward src-address=192.168.0.241-192.168.0.253 action=accept \
comment="" disabled=no
add chain=forward dst-address=192.168.0.241-192.168.0.253 action=accept \
comment="" disabled=no
add chain=forward src-address=192.168.0.181-192.168.0.240 action=accept \
comment="" disabled=no
add chain=forward src-address=192.168.0.43 action=accept comment="" \
disabled=no
add chain=forward dst-address=58.2**.7*.1** action=accept \
comment="www.*****.com" disabled=no
add chain=forward dst-address=61.1**.1*.1** action=accept \
comment="mail.*****.com" disabled=no
add chain=forward dst-address=218.2.135.1 action=accept comment="DNS001" \
disabled=no
add chain=forward dst-address=202.102.24.35 action=accept comment="DNS002" \
disabled=no
add chain=forward protocol=tcp dst-port=53 action=accept \
comment="DNS-TCP-PORT" disabled=no
add chain=forward protocol=udp dst-port=53 action=accept \
comment="DNS-UDP-PORT" disabled=no
add chain=forward protocol=tcp dst-port=25 action=accept comment="SMTP" \
disabled=no
add chain=forward protocol=tcp dst-port=110 action=accept comment="
OP3" \disabled=no
add chain=forward dst-address=58.60.9.247 action=drop comment="ccproxy dst" \
disabled=no
add chain=forward dst-address=219.133.60.206 action=drop comment="ccproxy dst" \
disabled=no
add chain=forward dst-address=119.147.41.14 action=drop \
comment="www.gougou.com" disabled=no
add chain=forward dst-address=222.73.207.132 action=drop \
comment="www.verycd.com" disabled=no
add chain=forward dst-address=220.181.38.70 action=drop \
comment="mp3.baidu.com" disabled=no
add chain=forward dst-address=121.14.243.91 action=drop \
comment="www.greenland.net" disabled=no
add chain=forward dst-address=121.14.243.102 action=drop \
comment="bt.greenland.net" disabled=no
add chain=forward dst-address=211.95.79.63 action=drop comment="www.ydy.com" \
disabled=no
add chain=forward dst-address=221.130.195.239 action=drop comment="bt.ydy.com" \
disabled=no
add chain=forward dst-address=60.28.197.103 action=drop \
comment="s.kuaiche.com" disabled=no
add chain=forward dst-address=222.73.205.95 action=drop \
comment="www.btchina.net" disabled=no
add chain=forward dst-address=220.196.59.236 action=drop \
comment="bt.btchina.net" disabled=no
add chain=forward dst-address=119.147.41.12 action=drop \
comment="search.gougou.com" disabled=no
add chain=forward protocol=tcp dst-port=3076-3078 action=drop comment="xunlei \
tcp 3076-3078" disabled=no
add chain=forward protocol=tcp dst-port=6881-6890 action=drop \
comment="kuaicheBT tcp 6881-6890" disabled=no
add chain=forward protocol=tcp dst-port=4662 action=drop comment="emule tcp \
4662" disabled=no
add chain=forward protocol=udp dst-port=4672 action=drop comment="emule udp \
4672" disabled=no
add chain=forward time=7h-8h30m,sat,fri,thu,wed,tue,mon,sun action=accept \
comment="Morning 90mins" disabled=no
add chain=forward time=12h-13h30m,sat,fri,thu,wed,tue,mon,sun action=accept \
comment="Noon 90mins" disabled=no
add chain=forward time=17h-18h30m,sat,fri,thu,wed,tue,mon,sun action=accept \
comment="Evening 90mins" disabled=no
add chain=forward src-address=192.168.0.0/24 action=drop comment="Drop All" \
disabled=no
#---------------------------------------------
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set gre disabled=yes
set pptp disabled=yes
/ ip hotspot service-port
set ftp ports=21 disabled=no
/ ip hotspot profile
set default name="default" hotspot-address=0.0.0.0 dns-name="" \
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 \
smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d \
split-user-domain=no use-radius=no
/ ip hotspot user profile
set default name="default" idle-timeout=none keepalive-timeout=2m \
status-autorefresh=1m shared-users=1 transparent-proxy=yes \
open-status-page=always advertise=no
#---------------------------------------------
#建立DHCP服务,IP范围使用上面已经建立的IP地址池
/ ip dhcp-server
add name="dhcp-server" interface=lan lease-time=6h address-pool="dhcp ip pool" \
bootp-support=static add-arp=yes authoritative=after-2sec-delay \
disabled=no
#---------------------------------------------
/ ip dhcp-server config
set store-leases-disk=5m
/ ip dhcp-server lease
#---------------------------------------------
#配置DHCP服务的网络参数,其中包括网关、DNS的IP地址
/ ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.254 netmask=24 \
dns-server=218.2.135.1,202.102.24.35 comment=""
#---------------------------------------------
#以下分隔下线之间为初始默认配置命令。
/ ip ipsec proposal
add name="default" auth-algorithms=sha1 enc-algorithms=3des lifetime=30m \
lifebytes=0 pfs-group=modp1024 disabled=no
/ ip web-proxy
set enabled=no src-address=0.0.0.0 port=3128 hostname="proxy" \
transparent-proxy=no parent-proxy=0.0.0.0:0 \
cache-administrator="webmaster" max-object-size=4096KiB cache-drive=system \
max-cache-size=none max-ram-cache-size=unlimited
/ ip web-proxy access
add dst-port=23-25 action=deny comment="block telnet & spam e-mail relaying" \
disabled=no
/ ip web-proxy cache
add url=":cgi-bin \\?" action=deny comment="don't cache dynamic http pages" \
disabled=no
/ system logging action
set memory name="memory" target=memory memory-lines=100 memory-stop-on-full=no
set disk name="disk" target=disk disk-lines=100 disk-stop-on-full=no
set echo name="echo" target=echo remember=yes
set remote name="remote" target=remote remote=0.0.0.0:514
/ system upgrade mirror
set enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 \
check-interval=1d user=""
/ system clock dst
set dst-delta=+00:00 dst-start="jan/01/1970 00:00:00" dst-end="jan/01/1970 \
00:00:00"
/ system watchdog
set reboot-on-failure=yes watch-address=none watchdog-timer=yes \
no-ping-delay=5m automatic-supout=yes auto-send-supout=no
/ system console
add port=serial0 term="" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
set FIXME term="linux" disabled=no
/ system console screen
set line-count=25
/ system identity
set name="MikroTik"
/ system note
set show-at-login=yes note=""
/ system gps
set enabled=no set-system-time=yes
/ system lcd
set enabled=no type=24x4 port=parallel contrast=0
/ system lcd page
set time display-time=5s disabled=yes
set resources display-time=5s disabled=yes
set uptime display-time=5s disabled=yes
set packets display-time=5s disabled=yes
set bits display-time=5s disabled=yes
set version display-time=5s disabled=yes
set pptp-in1 display-time=5s disabled=yes
set l2tp-in1 display-time=5s disabled=yes
set pppoe-in1 display-time=5s disabled=yes
set wan display-time=5s disabled=yes
set lan display-time=5s disabled=yes
set pppoe-out1 display-time=5s disabled=yes
/ system ntp server
set enabled=no broadcast=yes multicast=yes manycast=yes
/ system ntp client
set enabled=no mode=unicast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
/ system routerboard bios
set
/ system health
set state-after-reboot=enabled
/ port
set serial0 name="serial0" baud-rate=9600 data-bits=8 parity=none stop-bits=1 \
flow-control=hardware
set serial1 name="serial1" baud-rate=9600 data-bits=8 parity=none stop-bits=1 \
flow-control=hardware
#---------------------------------------------
#添加PPP连接环境
/ ppp profile
set default name="default" use-compression=default use-vj-compression=default \
use-encryption=default only-one=default change-tcp-mss=yes comment=""
add name="pppoe-service-profile" local-address=pppoe-serivce-pool \
remote-address=pppoe-serivce-pool use-compression=yes \
use-vj-compression=yes use-encryption=yes only-one=default \
change-tcp-mss=default dns-server=202.102.24.35,218.2.135.1 comment=""
add name="l2tp-server-profile" local-address=l2tp-service-pool \
remote-address=l2tp-service-pool use-compression=default \
use-vj-compression=default use-encryption=yes only-one=default \
change-tcp-mss=yes dns-server=218.2.135.1,202.102.24.35 comment=""
add name="pptp-server-profile" local-address=pptp-server-pool \
remote-address=pptp-server-pool use-compression=default \
use-vj-compression=default use-encryption=yes only-one=default \
change-tcp-mss=default comment=""
set default-encryption name="default-encryption" use-compression=default \
use-vj-compression=default use-encryption=yes only-one=default \
change-tcp-mss=yes comment=""
#---------------------------------------------
#添加PPP连接用户
/ ppp secret
add name="pppoe***" service=pppoe caller-id="" password="********" \
profile=pppoe-service-profile routes="" limit-bytes-in=0 limit-bytes-out=0 \
comment="" disabled=no
add name="l2tp***" service=l2tp caller-id="" password="********" \
profile=default-encryption routes="" limit-bytes-in=0 limit-bytes-out=0 \
comment="" disabled=no
add name="pptp***" service=any caller-id="" password="********" \
profile=pptp-server-profile routes="" limit-bytes-in=0 limit-bytes-out=0 \
comment="" disabled=no
#---------------------------------------------
/ ppp aaa
set use-radius=no accounting=yes interim-update=0s
#---------------------------------------------
#添加queue type,queue type支援后面的queue simple,从而进行流量控制和分配。
/ queue type
set default name="default" kind=pfifo pfifo-limit=50
set ethernet-default name="ethernet-default" kind=pfifo pfifo-limit=50
set wireless-default name="wireless-default" kind=sfq sfq-perturb=5 \
sfq-allot=1514
set synchronous-default name="synchronous-default" kind=red red-limit=60 \
red-min-threshold=10 red-max-threshold=50 red-burst=20 red-avg-packet=1000
set hotspot-default name="hotspot-default" kind=sfq sfq-perturb=5 \
sfq-allot=1514
add name="queuetype-down1M" kind=pcq pcq-rate=1000000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="queuetype-up1M" kind=pcq pcq-rate=1000000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="queuetype-down500K" kind=pcq pcq-rate=500000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="queuetype-up500K" kind=pcq pcq-rate=500000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="queuetype-down100K" kind=pcq pcq-rate=100000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="queuetype-up100K" kind=pcq pcq-rate=100000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="default-small" kind=pfifo pfifo-limit=10
#---------------------------------------------
#使用queue simple进行流量控制和分配,每IP下载速率不高于50K位每秒、总下载速率不高于3M位每秒,几个特殊IP没有速率限制。
/ queue simple
add name="fullspeed" target-addresses=192.168.0.241/32 dst-address=0.0.0.0/0 \
interface=all parent=none direction=both priority=8 \
queue=default-small/default-small limit-at=0/0 max-limit=0/0 \
total-queue=default-small disabled=no
add name="pcq for server" \
target-addresses=192.168.0.252/32,192.168.0.253/32,192.168.0.203/32,192.168\
.0.207/32,192.168.0.246/32,192.168.0.241/32,192.168.0.201/32 \
dst-address=0.0.0.0/0 interface=all parent=none direction=both priority=8 \
queue=default-small/default-small limit-at=0/0 max-limit=0/0 \
total-queue=default-small disabled=no
add name="pcq for all others" target-addresses=192.168.0.0/24 \
dst-address=0.0.0.0/0 interface=lan parent=none direction=both priority=8 \
queue=queuetype-up500K/queuetype-down500K limit-at=0/0 \
max-limit=3000000/3000000 total-queue=default-small disabled=no
#---------------------------------------------
/ user
add name="admin" group=full address=0.0.0.0/0 comment="system default user" \
disabled=no
add name="read" group=read address=0.0.0.0/0 comment="" disabled=no
add name="backup" group=full address=0.0.0.0/0 comment="" disabled=no
/ user group
add name="read" policy=local,telnet,ssh,reboot,read,test,winbox,password,web,!f\
tp,!write,!policy
add name="write" policy=local,telnet,ssh,reboot,read,write,test,winbox,password\
,web,!ftp,!policy
add name="full" policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbo\
x,password,web
/ user aaa
set use-radius=no accounting=yes interim-update=0s default-group=read
/ radius incoming
set accept=no port=1700
/ driver
/ snmp
set enabled=no contact="" location=""
/ snmp community
set public name="public" address=0.0.0.0/0 read-access=yes
/ tool bandwidth-server
set enabled=yes authenticate=yes allocate-udp-ports-from=2000 max-sessions=10
/ tool mac-server ping
set enabled=yes
/ tool e-mail
set server=0.0.0.0 from="<>"
/ tool sniffer
set interface=all only-headers=no memory-limit=10 file-name="" file-limit=10 \
streaming-enabled=no streaming-server=0.0.0.0 filter-stream=yes \
filter-protocol=ip-only filter-address1=0.0.0.0/0:0-65535 \
filter-address2=0.0.0.0/0:0-65535
/ tool graphing
set store-every=5min
/ tool graphing interface
add interface=all allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
/ routing ospf
set router-id=0.0.0.0 distribute-default=never redistribute-connected=no \
redistribute-static=no redistribute-rip=no redistribute-bgp=no \
metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 \
metric-bgp=20
/ routing ospf area
set backbone area-id=0.0.0.0 type=default translator-role=translate-candidate \
authentication=none prefix-list-import="" prefix-list-export="" \
disabled=no
/ routing bgp
set enabled=no as=1 router-id=0.0.0.0 redistribute-static=no \
redistribute-connected=no redistribute-rip=no redistribute-ospf=no
/ routing rip
set redistribute-static=no redistribute-connected=no redistribute-ospf=no \
redistribute-bgp=no metric-static=1 metric-connected=1 metric-ospf=1 \
metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m
#----------结束-----------------------------------
渝公网安备 50011602500124号