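Personal RouterOS System Configuration Commands

Preface

RouterOS configuration commands for my own use, including the DoH certificates and common firewall settings.

DNS Settings

Use the Alibaba Cloud DoH DNS address https://dns.alidns.com/dns-query

Certificate Import

The certificate import commands are as follows: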

/tool fetch url="https://secure.globalsign.net/cacert/Root-R5.crt"
/tool fetch url="https://secure.globalsign.com/cacert/gseccovsslca2018.crt"

/certificate import file-name=Root-R5.crt

/certificate import file-name=gseccovsslca2018.crt

Static DNS Entries

RouterOS.Lan

  • 172.16.1.1

dns.alidns.com

  • 223.5.5.5
  • 223.6.6.6
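
The DNS settings above written out as RouterOS commands, as an added example that is not part of the original post. It assumes the two GlobalSign certificates have already been imported; the static entries let the router resolve dns.alidns.com without a plaintext lookup, and verify-doh-cert=yes makes the router validate the DoH server's certificate against the imported CAs. The comment strings are made up for this example.

```routeros
# Added example: addresses and URL come from the page, the command layout is an assumption
/ip dns static
add name=RouterOS.Lan address=172.16.1.1 comment="lanconf: Router"
add name=dns.alidns.com address=223.5.5.5 comment="dohconf: AliDNS"
add name=dns.alidns.com address=223.6.6.6 comment="dohconf: AliDNS"

/ip dns
set use-doh-server=https://dns.alidns.com/dns-query verify-doh-cert=yes

# Check that both CA certificates are present and the DoH settings took effect
/certificate print
/ip dns print
```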

Firewall Settings


/interface list
add name=WAN comment="defconf: Connect To Global"
add name=LAN comment="defconf: Local Bridge"
add name=ONU comment="onuconf: Access To ONU"

/interface list member
add interface=pppoe-out1 list=WAN comment="defconf: Connect To Global"
add interface=bridge1 list=LAN comment="defconf: Local Bridge"
add interface=ether2 list=ONU comment="onuconf: Access To ONU"

/ip firewall address-list

add address=192.168.1.1 comment="onuconf: ONU Address" list=onu_ipv4
add address=172.16.1.0/24 comment="lanconf: Local Address" list=local_subnet_ipv4

add address=172.16.1.1 comment="lanconf: Local DNS Address" list=local_dns_ipv4


/ip firewall nat

add action=endpoint-independent-nat chain=srcnat protocol=udp place-before=0 comment=FullCone-Nat
add action=endpoint-independent-nat chain=dstnat protocol=udp place-before=0 comment=FullCone-Nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=masquerade chain=srcnat out-interface-list=ONU src-address-list=local_subnet_ipv4 dst-address-list=onu_ipv4 comment="onuconf: Access To ONU"


/ip firewall mangle

add action=change-mss chain=forward comment="defconf: Fix IPv4 MSS For WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=accept chain=prerouting src-address-list=local_subnet_ipv4 dst-address-list=onu_ipv4 comment="onuconf: Access To ONU"


https://blog.5772447.xyz/posts/c3837b48/
Author: Maskbugzero
Published: March 21, 2023