MikroTik RouterOS: common configuration commands
MikroTik RouterOS is a router operating system built on the Linux kernel that also runs on x86 PC hardware. It turns a standard PC into a professional router. Over the course of its development and use, the software has gone through many updates and improvements, and its feature set has grown steadily. It has outstanding features in wireless, authentication, policy routing, bandwidth control, and firewall filtering. It is highly cost-effective and favored by many network users.
1. Router version
# mar/09/1970 09:10:50 by RouterOS 6.23
2. Ethernet interfaces
# Ethernet port rename
/interface ethernet
set [find default-name=ether1] name=ether01
set [find default-name=ether2] name=ether02
set [find default-name=ether3] name=ether03
set [find default-name=ether4] name=ether04
set [find default-name=ether5] name=ether05
set [find default-name=ether6] name=ether06
set [find default-name=ether7] name=ether07
set [find default-name=ether8] name=ether08
set [find default-name=ether9] name=ether09
set [find default-name=ether10] name=ether10
3. Bridge configuration
# Configure the bridge
/interface bridge
add name=bridge01
# Bridge members (multiple Ethernet ports)
/interface bridge port
add bridge=bridge01 interface=ether06
add bridge=bridge01 interface=ether07
add bridge=bridge01 interface=ether08
add bridge=bridge01 interface=ether09
add bridge=bridge01 interface=ether10
4. Intranet Interface Configuration
/ip address
# Intranet interface IP configuration
add address=10.0.0.1/24 interface=bridge01 network=10.0.0.0
5. Source address NAT
Masquerades intranet source hosts as a host with the current public IP address for communication with the Internet.
/ip firewall nat
# PPPoE configuration method
add action=masquerade chain=srcnat out-interface=all-ppp
# Static IP configuration method
add action=masquerade chain=srcnat out-interface=ether01
6. DHCP Configuration
# DHCP address range
/ip pool
add name=default-dhcp ranges=10.0.0.50-10.0.0.199
# DHCP service
/ip dhcp-server
add address-pool=default-dhcp disabled=no name=default
# Network parameters handed to DHCP clients
/ip dhcp-server network
add address=10.0.0.0/24 comment="default configuration" dns-server=202.96.128.86,202.96.128.166 gateway=10.0.0.1
# Configure the router itself as a DHCP client
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid interface=ether01
7. Internet port configuration
# PPPoE dial-up configuration
/interface pppoe-client
add ac-name="" add-default-route=yes allow=pap,chap,mschap1,mschap2 \
    default-route-distance=1 dial-on-demand=yes disabled=no interface=ether01 \
    keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=disabled \
    name=ChinaNet password=******* profile=default service-name="" \
    use-peer-dns=no user=0769*******@163.gd
# Static IP address for the Internet interface
/ip address
add interface=ether01 address=192.168.1.64
8. Default route Configuration
# Used with a static public IP address
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1
9. Destination address NAT (port mapping)
Presents the target intranet host as a host with the current public IP address so that it can communicate with the Internet.
/ip firewall nat
# PPPoE configuration method
add action=dst-nat chain=dstnat dst-port=8080 in-interface=all-ppp protocol=tcp to-addresses=10.0.0.200 to-ports=8080
# Static IP configuration method
add action=dst-nat chain=dstnat dst-port=8080 in-interface=ether01 protocol=tcp to-addresses=10.0.0.200 to-ports=8080
10. Firewall configuration
10.1. Address list:
/ip firewall address-list
add list=10.0.0.0/24 address=10.0.0.2-10.0.0.254
10.2. Filter
10.2.1. Basic configuration code
/ip firewall filter
# Allow ICMP (ping) packets to enter on all interfaces
add chain=input action=accept protocol=icmp
# Allow packets of established and related connections to enter on all interfaces
add chain=input action=accept connection-state=established
add chain=input action=accept connection-state=related
# Drop all other packets (TCP/UDP, etc.) entering the all-ppp interface (use ether01 if the Internet interface has a static IP)
add chain=input action=drop in-interface=all-ppp
# Allow forwarding of packets of established and related connections
add chain=forward action=accept connection-state=established
add chain=forward action=accept connection-state=related
# Drop invalid packets instead of forwarding them
add chain=forward action=drop connection-state=invalid
10.2.2. Allow port access
# Allow packets whose destination port is 8080/tcp to enter the Internet interface
# PPPoE configuration method
add chain=input dst-port=8080 in-interface=all-ppp protocol=tcp
# Static IP configuration method
add chain=input dst-port=8080 in-interface=ether01 protocol=tcp
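RouterOS evaluates filter rules top to bottom and stops at the first accept or drop that matches, and `add` without `place-before` appends to the end of the chain. The following added example (not part of the original page) replays the input-chain rules of 10.2.1 and 10.2.2 in the order given and reports rules that an earlier rule makes unreachable. The function names are hypothetical and matching is simplified to exact key=value equality.

```python
import shlex

# Input-chain rules from 10.2.1 and 10.2.2, in the order the page adds them.
PAGE_RULES = """
/ip firewall filter
add chain=input action=accept protocol=icmp
add chain=input action=accept connection-state=established
add chain=input action=accept connection-state=related
add chain=input action=drop in-interface=all-ppp
# 10.2.2: no action given, so RouterOS applies the default (accept)
add chain=input dst-port=8080 in-interface=all-ppp protocol=tcp
"""

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; a missing action means accept."""
    rules = []
    for line in text.splitlines():
        tokens = shlex.split(line, comments=True)
        if not tokens or tokens[0] != "add":
            continue
        rule = dict(tok.split("=", 1) for tok in tokens[1:])
        rule.setdefault("action", "accept")
        rules.append(rule)
    return rules

def covers(earlier, later):
    """True when every matcher of `earlier` appears unchanged in `later`,
    i.e. any packet that could reach `later` is already caught by `earlier`.
    Simplification (assumption): exact equality only, no ranges or negation."""
    return all(later.get(k) == v for k, v in earlier.items() if k != "action")

def shadowed(rules):
    """Return (rule_index, shadowing_index) pairs for unreachable rules."""
    findings = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if earlier["action"] in ("accept", "drop") and covers(earlier, later):
                findings.append((j, i))
                break
    return findings

if __name__ == "__main__":
    rules = parse_rules(PAGE_RULES)
    for j, i in shadowed(rules):
        print(f"rule {j} {rules[j]} never matches: rule {i} {rules[i]} fires first")
```

Run as written, it reports the 8080 accept (index 4) as shadowed by the all-ppp drop (index 3); placing the accept above the drop clears the finding.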
10.2.3. Data Packet Filtering
/ip firewall filter
add chain=forward action=accept protocol=tcp in-interface=bridge01 dst-port=53
add chain=forward action=accept protocol=udp in-interface=bridge01 dst-port=53
add chain=forward action=accept protocol=tcp in-interface=bridge01 dst-port=80
add chain=forward action=accept protocol=tcp in-interface=bridge01 dst-port=443
add chain=forward action=drop in-interface=bridge01
11. NTP server and Time Zone settings:
/system ntp client set enabled=yes server-dns-names=1.centos.pool.ntp.org
/system clock set time-zone-name=Asia/Shanghai
12. Other configurations
# Neighbor Discovery Protocol (default)
/ip neighbor discovery
set ether01 discover=no
# Management port
/port
set 0 name=serial0
# DNS server configuration
/ip dns
set allow-remote-requests=yes servers=202.96.128.86,202.96.128.166
# Service configuration
/ip service
set telnet disabled=yes
/lcd
set time-interval=daily
/tool mac-server
set [find default=yes] disabled=yes
add interface=ether02
add interface=ether03
add interface=ether04
add interface=ether05
add interface=ether06
add interface=ether07
add interface=ether08
add interface=ether09
add interface=ether10
add interface=sfp1
add
/tool mac-server mac-winbox
set [find default=yes] disabled=yes
add interface=ether02
add interface=ether03
add interface=ether04
add interface=ether05
add interface=ether06
add interface=ether07
add interface=ether08
add interface=ether09
add interface=ether10
add interface=sfp1
add