[研究所] MikroTik RouterOS 學習 (持續更新)

gfx

1603分

6871樓

gfx

個人積分：1603分

文章編號：72557494

chengjc wrote:
小弟我有兩台rb750gr3...(恕刪)

需要我幫忙嗎

smallbeetw

4588分

6872樓

smallbeetw

個人積分：4588分

文章編號：72557930

pctine wrote:
前幾週經由網友介紹...(恕刪)

登記一下...

kk57

82分

6873樓

kk57

個人積分：82分

文章編號：72558052

請教各位大大, 小弟原本是用光世代100M/40M + RB450G .. 由於最近需要升速使用光世代300M/100M .. 上網找了相關資訊得知RB450G無法負荷300M/100M撥接速度,但是RB450GX4可以勝任..所以前幾天跟元芳大大買了RB450GX4回來.

原本天真的想法只要把舊的RB450G設定參數Backup後拿到RB450GX4 Restore 就可無痛升級..哪知道事情不是我想的那麼簡單..因為RB450GX4 被Restore後 5個接口 MAC-Address都被設定成原本RB450G的參數. 然後透過MAC Address Reset 後..MAC Address排列順序也是亂掉.. (例如原本MAC 是 1 2 3 4 5 , MAC Reset 會變成 2 4 5 3 1), 然後透過Neighbor登入的MAC Address 也是= RB450G 舊的 MAC...

不知道其他有經驗的大大們..請問小弟該怎樣操作才能把升級的工作弄得最簡單呢?? 麻煩救救小弟吧..感恩.

PS: 因為小弟想到 RB450GX4 還要跟以前一樣..要一個一個Key..一個一個去設定....想到快要瘋掉...

個人單車日記 http://www.bikemap.net/user/kk57

awenh

23分

6874樓

awenh

個人積分：23分

文章編號：72558403

gfx wrote:
把這些手動設的IPSec...(恕刪)

感謝gfx大的協助!

hschang

368分

6875樓

hschang

個人積分：368分

文章編號：72572386

kk57 wrote:
請教各位大大, 小弟...(恕刪)

用Export 匯出設定
再用import 回復
這樣應該就可以了

JQJQ

954分

6876樓

JQJQ

個人積分：954分

文章編號：72573192

kk57 wrote:
請教各位大大, 小...(恕刪)

匯出後另存新檔
開啟匯出的檔案，裁切需要的段落，貼到 Terminal 即可

型號不同，別指望能直接套用舊版，就算能用也會導致部分功能失常。

steveniori

79分

6877樓

steveniori

個人積分：79分

文章編號：72575023

GFX大...可以麻煩您幫忙抓一下問題嗎？
目前用CCR內建的TERMINAL沒辦法PING任何的WAN網址，但PING LAN上的IP都可以
LAN上的每一個HOST也都可以順利上網，不知到是哪裡的問題導致內建無法PING出去

以下是我的設定，因為是公司的固定IP，所以我先刪除了部分資訊

# mar/27/2019 19:45:50 by RouterOS 6.43.4
# model = CCR1009-7G-1C-1S+

/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=combo1 ] comment="HP Switch 1"
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes comment=Hinet interface=ether1 name=pppoe-Hinet \
password= service-name=Hinet use-peer-dns=yes user=\
@ip.hinet.net
/interface vlan
add interface=combo1 name=vlan10 vlan-id=10
add interface=combo1 name=vlan20 vlan-id=20
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.50-192.168.1.200
add name=OVPN_pool ranges=172.18.22.1-172.18.22.5
add name=Pool10 ranges=192.168.10.1-192.168.10.250
add name=Pool20 ranges=192.168.20.1-192.168.20.253
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=1d name=dhcp1
add address-pool=Pool10 disabled=no interface=vlan10 lease-time=1d name=\
dhcp10
add address-pool=Pool20 disabled=no interface=vlan20 lease-time=1d name=\
dhcp20
/ppp profile
add dns-server=168.95.1.1,8.8.8.8 local-address=172.18.22.254 name=OVPN \
remote-address=OVPN_pool
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=combo1
/interface bridge settings
set use-ip-firewall=yes
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/interface ovpn-server server
set certificate=ca.crt_0 cipher=blowfish128,aes128,aes192,aes256 mode=\
ethernet port=1943
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
192.168.1.0
add address=/24 interface=ether1 network=220.128.137.0
add address=192.168.10.254/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.254/24 interface=vlan20 network=192.168.20.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
add address=192.168.10.0/24 gateway=192.168.10.254
add address=192.168.20.0/24 gateway=192.168.20.254
/ip dns
set servers=168.95.1.1
/ip firewall nat
add action=masquerade chain=srcnat comment="\\B9w\\B3]NAT" out-interface-list=\
WAN
add action=dst-nat chain=dstnat comment=OVPN dst-address=\
dst-port=1943 in-interface=ether1 protocol=udp to-addresses=192.168.1.252 \
to-ports=1943
add action=dst-nat chain=dstnat comment="\\BA\\CA\\B5\\F8\\BE\\B9DVR" disabled=yes \
dst-address= dst-port=34567 in-interface=ether1 protocol=\
tcp to-addresses=192.168.1.30 to-ports=34567
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=220.128.137.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl disabled=yes
/ip upnp
set allow-disable-external-interface=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=pppoe-Hinet type=external

kk57

82分

6878樓

kk57

個人積分：82分

文章編號：72576034

hschang wrote:
用Export 匯...(恕刪)

感謝hschang及JQJQ大大的建議..我再來試試看, 謝謝!

個人單車日記 http://www.bikemap.net/user/kk57

gfx

1603分

6879樓

gfx

個人積分：1603分

文章編號：72576897

steveniori wrote:
GFX大...可以...(恕刪)

從上面看只知道，Router上面同時安裝著固定ip與pppoe撥號。
因為您沒給/ip firewall filter與raw，

所以無從得知您的固定ip是否鎖ping(社區網路是禁ping外網的)，

或是Router防火牆自己鎖住的(區網內的電腦聯繫是不經過Router處理器，
所以防火牆管不著，所以電腦間的互ping自然是無礙的)。

若是防火牆的可能，試著找到icmp協定相關並關掉，再ping外網試試！！

steveniori

79分

6880樓

steveniori

個人積分：79分

文章編號：72577237

抱歉，因為FIREWALL太長了，所以才FIREWALL的部分截掉，補上比較完整的內容給您看看
另外現在只有純固定IP對外(一固6 IP)其他中某一個IP我拿來架WEBSERVER是可以直接PING出去的(不透過ROUTEROS，直接對外)，PPPOE已經沒有再用只是留著但是DISABLE了，請您再看一下有沒有什麼地方需要調整

/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=combo1 ] comment="HP Switch 1"
set [ find default-name=ether1 ] comment=WAN
set [ find default-name=sfp-sfpplus1 ] disabled=yes
/interface pppoe-client
add add-default-route=yes comment=Hinet interface=ether1 name=pppoe-Hinet \
password=lobuxtfn service-name=Hinet use-peer-dns=yes user=\
7XXXXX@ip.hinet.net
/interface vlan
add interface=combo1 name=vlan10 vlan-id=10
add interface=combo1 name=vlan20 vlan-id=20
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.1.50-192.168.1.200
add name=OVPN_pool ranges=172.18.22.1-172.18.22.5
add name=Pool10 ranges=192.168.10.1-192.168.10.250
add name=Pool20 ranges=192.168.20.1-192.168.20.253
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=1d name=dhcp1
add address-pool=Pool10 disabled=no interface=vlan10 lease-time=1d name=\
dhcp10
add address-pool=Pool20 disabled=no interface=vlan20 lease-time=1d name=\
dhcp20
/ppp profile
add dns-server=168.95.1.1,8.8.8.8 local-address=172.18.22.254 name=OVPN \
remote-address=OVPN_pool
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=sfp-sfpplus1
add bridge=bridge1 interface=combo1
/interface bridge settings
set use-ip-firewall=yes
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
/interface ovpn-server server
set certificate=ca.crt_0 cipher=blowfish128,aes128,aes192,aes256 mode=\
ethernet port=1943
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether2 network=\
192.168.1.0
add address=220.128.137.XXX/24 interface=ether1 network=220.128.137.0
add address=192.168.10.254/24 interface=vlan10 network=192.168.10.0
add address=192.168.20.254/24 interface=vlan20 network=192.168.20.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=ether1
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 netmask=24
add address=192.168.10.0/24 gateway=192.168.10.254
add address=192.168.20.0/24 gateway=192.168.20.254
/ip dns
set servers=168.95.1.1
/ip firewall address-list
add address=trendmicro.com list=WFBS
add address=wfbs-svc-nabu-aal.trendmicro.com list=WFBS
add address=saasubt.trendmicro.com list=WFBS
add address=wfbs-svc-dl-nabu.trendmicro.com list=WFBS
add address=wfbs-svc-nabu.trendmicro.com list=WFBS
add address=wfbs-svc30-p.activeupdate.trendmicro.com list=WFBS
add address=wfbs-svc30-p.pre-opr-au.trendmicro.com list=WFBS
add address=wfbs-svc-dl-emea.trendmicro.com list=WFBS
add address=wfbssvc61.icrc.trendmicro.com list=WFBS
add address=wfbs-svc500-en.fbs10.trendmicro.com list=WFBS
add address=wfbss57-en-us.grid-gfr.trendmicro.com list=WFBS
add address=wfbs-svc550-en.census.trendmicro.com list=WFBS
add address=cspi.trendmicro.com list=WFBS
add address=housecall71.nfc.trendmicro.com list=WFBS
add address=attk-en.census.trendmicro.com list=WFBS
add address=wfbssvc63-attk.icrc.trendmicro.com list=WFBS
add address=wfbs-svc61-ja-b.trx.trendmicro.com list=WFBS
add address=wfbs-svc61-ja-f.trx.trendmicro.com list=WFBS
add address=wfbs-svc50-el.url.trendmicro.com list=WFBS
add address=backup36.url.trendmicro.com list=WFBS
add address=wfbs-svc-emea.trendmicro.com list=WFBS
add address=wfbs-svc-emea-aal.trendmicro.com list=WFBS
add address=wfbs-svc-nabu-mobile-aal.trendmicro.com list=WFBS
add address=wfbs-svc-emea-mobile-aal.trendmicro.com list=WFBS
add address=168.95.1.1 list=WFBS
add comment="Black List (Telnet)" list="Black List (Telnet)"
add address=192.168.1.250 list="Block Internet"
add address=192.168.1.251 list="Block Internet"
add address=192.168.1.9 list="Block Internet"
/ip firewall filter
add action=add-src-to-address-list address-list=syn-flood \
address-list-timeout=1h chain=input comment=Anti-Syn-flood \
connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input src-address-list=syn-flood
add action=drop chain=input comment="\\C3\\F6\\B3\\AC\\A5~\\BA\\F4ICMP\\A6^\\C0\\B3" \
in-interface=ether1 protocol=icmp
add action=drop chain=input comment=\
"\AB\CA\C2\EA\A5~\BA\F4\B5n\BF\FDRouterOS\BA\F4\AD\B6" dst-port=80 \
in-interface=ether1 protocol=tcp
add action=drop chain=input comment="\\A8\\BE\\A4\\EEDoS\\A7\\F0\\C0\\BB" \
connection-limit=10,32 protocol=tcp
add action=drop chain=input comment="\\A8\\BE\\A4\\EE port scanning" protocol=tcp \
src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=input protocol=tcp tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=forward protocol=tcp tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=forward protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=forward protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=forward protocol=tcp tcp-flags=\
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2w chain=forward protocol=tcp tcp-flags=\
fin,syn,rst,psh,ack,urg
add action=drop chain=forward comment="#\\A8\\BE\\A4\\EESSH\\A1BTelnet\\A4j\\B6q\\B3s\\
\\BDu(DMZ)\\A1G30\\AC\\ED\\A4\\BA\\A1A\\AB\\D8\\A5\\DF\\B3s\\BDu4\\A6\\B8\\A5H\\A4W(\\A7t)\\
\\A1C\\B4NDrop\\B1\\BC" dst-port=22,23 protocol=tcp src-address-list=\
ssh_blacklist
add action=log chain=forward connection-state=new dst-port=22,23 log-prefix=\
"Ban SSH_" protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1d chain=forward connection-state=new dst-port=22,23 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=30s chain=forward connection-state=new \
dst-address-list=!Admin_IP dst-port=22,23 protocol=tcp src-address-list=\
ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=30s chain=forward connection-state=new dst-port=\
22,23 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=30s chain=forward connection-state=new dst-address=\
192.168.1.0/24 dst-port=22,23 protocol=tcp src-address-list=!Admin_IP
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=2w6d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1m chain=input connection-state=new dst-port=22 \
protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment="Drop anyone in Black List (Telnet)." \
log=yes log-prefix="BL_Black List (Telnet)" src-address-list=\
"Black List (Telnet)"
add action=jump chain=input comment="Jump to Black List (Telnet) chain." \
dst-port=23 jump-target="Black List (Telnet) Chain" protocol=tcp
add action=add-src-to-address-list address-list="Black List (Telnet)" \
address-list-timeout=4w2d chain="Black List (Telnet) Chain" comment="Trans\\
fer repeated attempts from Black List (Telnet) Stage 3 to Black List (Teln\\
et)." connection-state=new log=yes log-prefix="Add_Black List (Telnet)" \
src-address-list="Black List (Telnet) Stage 3"
add action=add-src-to-address-list address-list="Black List (Telnet) Stage 3" \
address-list-timeout=4w2d chain="Black List (Telnet) Chain" comment=\
"Add successive attempts to Black List (Telnet) Stage 3." \
connection-state=new log=yes log-prefix="Add_Black List (Telnet) S3" \
src-address-list="Black List (Telnet) Stage 2"
add action=add-src-to-address-list address-list="Black List (Telnet) Stage 2" \
address-list-timeout=1w3d chain="Black List (Telnet) Chain" comment=\
"Add successive attempts to Black List (Telnet) Stage 2." \
connection-state=new log=yes log-prefix="Add_Black List (Telnet) S2" \
src-address-list="Black List (Telnet) Stage 1"
add action=add-src-to-address-list address-list="Black List (Telnet) Stage 1" \
address-list-timeout=1d chain="Black List (Telnet) Chain" comment=\
"Add initial attempt to Black List (Telnet) Stage 1." connection-state=\
new log=yes log-prefix="Add_Black List (Telnet) S1"
add action=return chain="Black List (Telnet) Chain" comment=\
"Return From Black List (Telnet) chain."
add action=accept chain=forward comment=\
"WFBS\A8\BE\ACr\A7\F3\B7s\A5\D5\A6W\B3\E6" dst-address-list=WFBS
add action=drop chain=forward comment="\\A9\\DA\\B5\\B4\\B3s\\A5~Block Internet" \
src-address-list="Block Internet"
add action=drop chain=forward comment="\\B8T\\A4\\EEOVPN\\B3s\\BDuServer" \
dst-address-list="Block Internet" src-address=172.18.22.0/24
add action=add-src-to-address-list address-list=OVPN_LOGIN \
address-list-timeout=2w1d chain=forward comment=\
"OVPN\B3s\BDu\AC\F6\BF\FD" connection-state=new dst-port=1943 protocol=\
udp
add action=drop chain=forward comment="\\B8T\\A4\\EEDVR\\B3s\\BDu\\A4\\BA\\BA\\F4" \
disabled=yes dst-address=192.168.1.0/24 src-address=192.168.1.30
add action=drop chain=forward comment="\\B8T\\A4\\EEDVR\\B3s\\BDu\\A4\\BA\\BA\\F4" \
disabled=yes dst-address=192.168.1.30 src-address=192.168.1.92
/ip firewall nat
add action=masquerade chain=srcnat comment="\\B9w\\B3]NAT" out-interface-list=\
WAN
add action=dst-nat chain=dstnat comment=\
"\BB\B7\BA\DD\AE\E0\AD\B1192.168.1.10" disabled=yes dst-address=\
220.132.243.XXX dst-port=11116 in-interface=pppoe-Hinet protocol=tcp \
to-addresses=192.168.1.10 to-ports=3389
add action=dst-nat chain=dstnat comment=OVPN dst-address=220.128.137.XXX \
dst-port=1943 in-interface=ether1 protocol=udp to-addresses=192.168.1.252 \
to-ports=1943
add action=dst-nat chain=dstnat comment="\\BA\\CA\\B5\\F8\\BE\\B9DVR" disabled=yes \
dst-address=220.128.137.XXX dst-port=34567 in-interface=ether1 protocol=\
tcp to-addresses=192.168.1.30 to-ports=34567
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add distance=1 gateway=220.128.137.254
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl disabled=yes
/ip upnp
set allow-disable-external-interface=yes
/ip upnp interfaces
add interface=bridge1 type=internal
add interface=pppoe-Hinet type=external
/lcd
set backlight-timeout=5m
/lcd pin
set pin-number=1379
/system clock
set time-zone-name=Asia/Taipei
/system ntp client
set enabled=yes primary-ntp=103.18.128.60 secondary-ntp=118.163.81.61
/system routerboard settings
set silent-boot=no

[研究所] MikroTik RouterOS 學習 (持續更新)

小惡魔新聞台

小惡魔廣編特輯

[研究所] MikroTik RouterOS 學習 (持續更新)

小惡魔新聞台

小惡魔廣編特輯

今日熱門文章 網友點擊推薦！

今日熱門文章　網友點擊推薦！