[Research Institute] MikroTik RouterOS Study Notes (continuously updated)

pctine wrote:
What I'm curious about is, ...(snip)


Because at home I have two servers (Synology DS111 & DS413) + the community network + relatives' routers + ....
Quite a lot of stuff XD
The servers, the community network and the VPN each have their own subnet, and the ones handed out to relatives each take an IP, which is why I ended up with a pile of IPs.

When a server downloads BT without a rate limit, the router's CPU usage hits 100%,
so I followed D大's write-up to catch the connections and rate-limit them:
http://www.mobile01.com/topicdetail.php?f=110&t=3265327&p=1&img=0
I was configuring as I read, but suddenly realised I didn't know how to set up the WAN and LAN side…

But right after posting, it seems like I may have caught it?

Settings are as follows:

add action=mark-connection chain=postrouting comment="Necosx PC upload" \
new-connection-mark="PC UL" src-address=192.168.1.10
add action=mark-packet chain=postrouting connection-mark="PC UL" \
new-packet-mark="PC UL" passthrough=no

add action=mark-connection chain=prerouting comment="Necosx PC download" \
in-interface=vrrp6 new-connection-mark="PC DL"

add action=mark-connection chain=prerouting comment="Necosx PC download" \
disabled=yes dst-address=<external IP> new-connection-mark="PC DL"

add action=mark-packet chain=prerouting connection-mark="PC DL" \
new-packet-mark="PC DL" passthrough=no


If there's anything wrong, please correct me! Thanks!

necosjou wrote:
Because at home I have two se...(snip)

Here is the export of the upload marking for my home Synology NAS (192.168.88.108), for your reference:
add action=mark-connection chain=postrouting comment=Download-Station \
new-connection-mark=Dl-Station protocol=tcp src-address=192.168.88.108 \
src-port=!80,443,1723,5000,5005,8000,7000,8800 dst-port=!80,443

add action=mark-connection chain=postrouting new-connection-mark=Dl-Station \
protocol=udp src-address=192.168.88.108 src-port=4666,4672

add action=mark-packet chain=postrouting connection-mark=Dl-Station \
new-packet-mark=p2p_out


chain=postrouting is used to mark uploads:
Because P2P TCP ports are not fixed, the connection packets are caught by exclusion:
The NAS's own service connections are excluded first, hence src-port=!80,443,1723,5000,5005,8000,7000,8800
Outbound NAS connections that are not P2P are excluded with dst-port=!80,443

UDP ports are much simpler; just define src-port=4666,4672 directly

Finally, new-packet-mark=p2p_out is what the rate limit is applied to
You can simply name the packet-mark p2p_out on both NASes

That way neither NAS needs its own BT upload limit any more;
the overall p2p_out upload mark is what caps the upload, SO...

If you want to go further and control downloads, just change to chain=prerouting,
swap src-address and dst-address relative to the upload rule, and swap src-port and dst-port likewise.... it's easy.
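A small model of the upload-marking rules in the export above, written as an added example (Python, not code from the post): it applies the negated port-list matching the post describes to constructed flows, and builds the download-side check by swapping source and destination as the post suggests. The Flow class, the sample flows and the p2p_in mark name are assumptions.

```python
from dataclasses import dataclass

NAS = "192.168.88.108"   # the NAS address used in the export above

@dataclass
class Flow:
    """Constructed 5-tuple of the first packet of a connection."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

# Port lists copied from the export; a leading "!" in RouterOS negates the whole list.
NAS_SERVICE_PORTS = {80, 443, 1723, 5000, 5005, 8000, 7000, 8800}
NON_P2P_DST_PORTS = {80, 443}
P2P_UDP_PORTS = {4666, 4672}

def port_matches(port, ports, negate):
    """src-port=!a,b  <=>  port not in {a, b}; src-port=a,b  <=>  port in {a, b}."""
    return (port in ports) != negate

def upload_mark(f):
    """chain=postrouting rules: connections the NAS opens outward.
    Returns the connection/packet mark that would be set, or None."""
    if f.src != NAS:
        return None
    if (f.proto == "tcp"
            and port_matches(f.sport, NAS_SERVICE_PORTS, negate=True)
            and port_matches(f.dport, NON_P2P_DST_PORTS, negate=True)):
        return "p2p_out"
    if f.proto == "udp" and port_matches(f.sport, P2P_UDP_PORTS, negate=False):
        return "p2p_out"
    return None

def download_mark(f):
    """chain=prerouting variant built as the post suggests: the same rules with
    src/dst address and src/dst port swapped. 'p2p_in' is an assumed mark name."""
    swapped = Flow(f.proto, f.dst, f.dport, f.src, f.sport)
    return "p2p_in" if upload_mark(swapped) else None

if __name__ == "__main__":
    # Constructed flows: a BT peer connection, a DSM web session, an HTTPS fetch.
    for fl in (Flow("tcp", NAS, 6881, "203.0.113.9", 51413),
               Flow("tcp", NAS, 5000, "192.168.88.10", 52000),
               Flow("tcp", NAS, 40000, "203.0.113.1", 443)):
        print(fl, "->", upload_mark(fl))
```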
gfx wrote:
Here is the export of my home Synol...(snip)


Thanks for sharing the setup method; Ghost Month hasn't even started and I've already been going round in circles for ages…

My current setup is a mess; I'll clean it up when I redo it your way.



Sometimes I see it catching the traffic, then a moment later it seems not to, so I'm asking you all.
Really grateful for everyone's enthusiastic help!

Also, I added an extra rule under filter rules, which cuts down the number of connections a bit:

chain=forward action=drop dst-address-list=!TaiwanIPList \
packet-mark="DS111 P2P UL" connection-limit=3,32



Please refer to the above! Thanks!
necosjou wrote:
I added an extra rule under filter rules, which cuts down the number of connections a bit

I'll share my own firewall filter too, for reference:


/ip firewall filter
add action=drop chain=input comment="Drop packets not addressed to this router" \
dst-address-type=!local

add action=drop chain=input comment="Drop invalid packets" \
connection-state=invalid

add action=drop chain=forward connection-state=invalid dst-address=\
!10.8.0.0/24

add action=drop chain=input comment="Drop multicast packets" \
src-address-type=!unicast

add action=drop chain=input comment="DoS (denial-of-service attack)" \
connection-limit=10,32 protocol=tcp

add action=drop chain=input comment="Prevent port scanning" \
protocol=tcp src-address-list="port scanners"

add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp psd=21,3s,3,1

add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg

add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,syn

add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=syn,rst

add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,psh,urg,!syn,!rst,!ack

add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,syn,rst,psh,ack,urg

add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg

add action=drop chain=input comment=\
"PPTP firewall (block after 3 failed logins)" \
src-address-list=login_blacklist

add action=add-src-to-address-list address-list=login_blacklist \
address-list-timeout=10m chain=input connection-state=new dst-port=1723 \
protocol=tcp src-address-list=login_stage3

add action=add-src-to-address-list address-list=login_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=1723 \
protocol=tcp src-address-list=login_stage2

add action=add-src-to-address-list address-list=login_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=1723 \
protocol=tcp src-address-list=login_stage1

add action=add-src-to-address-list address-list=login_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=1723 \
p2p=!all-p2p protocol=tcp src-address-list=!Lan

add action=drop chain=forward comment=\
"Block Redmi from connecting to China" dst-address-list=\
ChinaIPList src-address=192.168.88.95

add action=drop chain=forward dst-address-list=ChinaIPList src-address=\
192.168.88.13

add action=drop chain=forward comment="Disable Download-Master" disabled=\
yes dst-address=192.168.88.3 dst-port=51413 protocol=tcp

add action=drop chain=forward disabled=yes dst-address=192.168.88.3 dst-port=\
51413 protocol=udp

add chain=input comment="Allow LAN devices" src-address-list=\
All-Lan
add chain=forward src-address-list=All-Lan

add chain=forward comment="Allow 俊彥's network" src-address=\
192.168.1.0/24

add chain=input comment="Allow friends' / wife's family devices" \
src-address-list=friends

add chain=input src-address-list=amberlin

add chain=forward src-address-list=friends

add chain=forward src-address-list=amberlin

add chain=forward comment="Allow 雪貞's devices" dst-address=\
192.168.88.99-192.168.88.102

add chain=forward comment="Allow all NAS connections" \
dst-address-list=NAS

add chain=input comment="Allow cross-border Japan VPN servers" \
src-address=49.212.0.54

add chain=input src-address=49.212.48.199

add chain=input src-address=118.157.74.169

add chain=input src-address=115.177.60.80

add chain=forward src-address=118.157.74.169

add chain=input comment="Allow VPN" dst-port=1723 protocol=tcp

add chain=input protocol=gre

add chain=input dst-port=500,1701,4500 protocol=udp

add chain=input dst-port=1195 protocol=tcp

add action=add-dst-to-address-list address-list=a.test address-list-timeout=\
1s chain=output comment="Allow ICMP replies" dst-address-list=\
!All-Lan protocol=icmp

add chain=input protocol=icmp src-address-list=a.test

add chain=forward protocol=icmp

add chain=input comment="Allow DNS" src-address-list=DNS-Server

add chain=forward src-address-list=DNS-Server

add chain=input comment="Allow ROS-Cloud server" protocol=udp \
src-address=81.198.87.240

add chain=forward comment="Allow Hinet speed test" src-address=\
210.61.132.0/24

add chain=input comment="Allow mail servers" protocol=tcp \
src-port=25

add chain=forward protocol=tcp src-port=25,110,993,995,587,465

add chain=input comment="Allow WWW servers" protocol=tcp \
src-port=80,443

add chain=forward protocol=tcp src-port=80,443,8080

add chain=forward comment="Allow iCloud servers" protocol=tcp \
src-port=5223

add chain=input comment="Allow time servers" protocol=\
udp src-port=123

add chain=forward protocol=udp src-port=123

add chain=forward comment="Allow SSH remote login protocol" \
disabled=yes protocol=tcp src-port=22

add chain=forward comment=\
"Allow FTP / FTPS / SFTP file servers" \
protocol=tcp src-port=21,989,990,115

add chain=forward comment="Allow Teamviewer servers" protocol=\
tcp src-port=5938

add chain=forward comment="Allow Teredo servers" protocol=udp \
src-port=3544

add chain=forward comment="Allow Gogo6 servers" protocol=udp \
src-port=3653

add action=drop chain=input comment=\
"Drop undefined packets"

add action=drop chain=forward
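As an added example (Python, not gfx's own code), a model of the five PPTP rules in the export above (login_stage1 to login_stage3, then login_blacklist, with the drop rule first), walked for a constructed external host; the contents of the "Lan" list and the sample addresses are assumptions. It also shows what the rule text implies for a defender: the lists count new TCP connections to port 1723 rather than failed logins, and a source that paces its attempts more than a minute apart never escalates past login_stage1.

```python
import ipaddress

# Constructed stand-in for gfx's "Lan" address list (the real list is not on the page).
LAN = ipaddress.ip_network("192.168.88.0/24")

class AddressLists:
    """Tiny model of RouterOS dynamic address lists: name -> {ip: expiry_time}."""
    def __init__(self):
        self.lists = {}

    def add(self, name, ip, now, timeout):
        # Re-adding an existing entry simply refreshes its expiry.
        self.lists.setdefault(name, {})[ip] = now + timeout

    def contains(self, name, ip, now):
        expiry = self.lists.get(name, {}).get(ip)
        return expiry is not None and now < expiry

def pptp_syn(lists, src, now):
    """Apply the export's PPTP rules to one connection-state=new TCP packet to
    dst-port 1723. Rules run top to bottom as exported: the drop rule terminates,
    the add-src-to-address-list rules do not, so one packet advances one stage.
    The p2p=!all-p2p matcher on the stage1 rule is ignored here."""
    if lists.contains("login_blacklist", src, now):
        return "drop"
    if lists.contains("login_stage3", src, now):
        lists.add("login_blacklist", src, now, 10 * 60)   # address-list-timeout=10m
    if lists.contains("login_stage2", src, now):
        lists.add("login_stage3", src, now, 60)           # address-list-timeout=1m
    if lists.contains("login_stage1", src, now):
        lists.add("login_stage2", src, now, 60)
    if ipaddress.ip_address(src) not in LAN:              # src-address-list=!Lan
        lists.add("login_stage1", src, now, 60)
    return "accept"   # falls through to the later "Allow VPN dst-port=1723" rule

def simulate(src, times):
    """Verdict for each new connection from src at the given times (seconds)."""
    lists = AddressLists()
    return [pptp_syn(lists, src, t) for t in times]

if __name__ == "__main__":
    # Constructed sample: an external host reconnecting every 10 s is dropped
    # from the fifth attempt on; the same host pacing attempts 70 s apart
    # never reaches login_stage2 because each stage entry expires after 1 m.
    print(simulate("203.0.113.7", [0, 10, 20, 30, 40]))
    print(simulate("203.0.113.7", list(range(0, 700, 70))))
```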
DESIGNS.MIKROTIK.COM

A site that has nothing to do with RouterOS technology; it mainly offers MikroTik logos, product photos, wallpapers and the like. It could be used to make our own T-shirts when we hold a RouterOS meetup some day.

FB: Pctine

gfx wrote:
I'll share my own fir...(snip)


Actually, connections you initiate yourself don't need to be explicitly allowed in the firewall.
So you could try disabling those "allow XXX server" rules first and see whether everything still connects normally.
The fewer firewall rules there are, the lighter the router's CPU load.
derliang wrote:
Actually, connections you initiate yourself don't...(snip)

If you look at the bottom two lines of the firewall filter screenshot, those last two lines drop every undefined connection.
That's why there are these "allow XXX server" rules (my firewall filter is a whitelist).

gfx wrote:
If you look at the firewa...(snip)


Sorry, I just went over your rules carefully again; you're missing the rule that allows connections you initiate yourself.
Actually, the device's default firewall rules include an "Allow established, related connections" rule.
So there's no need to allow self-initiated connections one by one; of course, your rules use the so-called whitelist mode,
where only what you allow can connect in, so you have to open up each piece of software's connections individually.
I've always found RouterOS's OVPN-Server (OpenVPN) hard to use; updates keep bringing a pile of problems...
But v6.17 has comparatively fewer problems than other versions; give it a try if you're interested.

1. /system certificate: use Import to import ca.crt / ca.key

For how to make ca.crt / ca.key see http://goo.gl/VAQ6ws
(thanks to YAWPYNG大 for the tutorial and guidance)

2. /ip pool: create ovpn-pool

172.19.13.0/29 means 172.19.13.0-172.19.13.7;
minus 172.19.13.0 and 172.19.13.1, that opens it up to 6 machines.

3. /ppp profile: create the ovpn profile

bridge is the bridge over ether2-ether5; leaving bridge unset doesn't affect connecting to the server,
but with it enabled the remote network can reach IPv6 through the server.

4. OVPN Server has two connection modes;
one is ethernet mode (OpenVPN TAP-Mode):


/ppp secret

user: the user's account  password: the user's password

5. The other connection mode is ip mode (OpenVPN TUN-Mode):


/ppp secret

The inconvenience of ip mode is that, unlike ethernet mode, you can't set a netmask to control the number of clients.

Its netmask is locked by the system at 30 (255.255.255.252);
minus the Server-IP (10.0.0.1), only 10.0.0.2 and 10.0.0.3 are left, so just two clients can connect... quite few.

Comparing ethernet-mode with ip-mode, which mode is the better deal should be obvious to everyone.

-----------------------------------------
Windows Client connection

Download the OVPN client (OpenVPN) program from the official OpenVPN site:
https://openvpn.net/

OVPN config file contents:
client
dev tap (enter tap for ethernet-mode / tun for ip-mode)
remote 220.134.123.123 1195 (OVPN-Server address or IP, and the connection port)
proto tcp
auth-user-pass pw.txt (pw.txt holds the account and password for automatic login; if omitted, you authenticate after connecting)
redirect-gateway

<ca> (paste the text content of the ca.crt certificate here)
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
</ca>

pw.txt (placed in the \OVPN-Config folder together with the OVPN config file)
abc (username)
123 (user password)


gfx wrote:
The inconvenience of ip mode is that, unlike ethernet mode, you can't set a netmask to control the number of clients.

Its netmask is locked by the system at 30 (255.255.255.252);
minus the Server-IP (10.0.0.1), only 10.0.0.2 and 10.0.0.3 are left, so just two clients can connect... quite few....(snip)


Tunnel mode was originally more commonly used for linking two endpoints (LAN to LAN), so it doesn't need many IPs; when used with multiple endpoints, just carve out different subnets.
FB: Pctine