创建ipv4地址池
bash
[admin@MikroTik] ip pool> add name=my-pool ranges=10.0.0.2-10.0.0.99,10.0.0.101-10.0.0.126
[admin@MikroTik] ip pool> add name=dhcp-pool ranges=10.0.0.200-10.0.0.250
[admin@MikroTik] ip pool> print
 # NAME       RANGES
 0 ip-pool    10.0.0.2-10.0.0.99
              10.0.0.101-10.0.0.126
 1 dhcp-pool  10.0.0.200-10.0.0.250
创建ipv6地址池
bash
[admin@test-host] /ipv6 pool> add
name: test
prefix: 2001::/60
prefix-length: 62
[admin@test-host] /ipv6 pool> print
 # NAME  PREFIX     PREFIX-LENGTH
 0 test  2001::/60  62bits
配置接口IP地址
bash
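# Assign an IPv4 address to each interface. Every `add` must be on its own
# line under the /ip address menu; run together on one line, the first
# command's interface value swallows the second command.
/ip address
add address=172.16.1.2/30 interface=ether1
add address=192.168.2.1/24 interface=bridge2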
查看路由表
bash
[admin@MikroTik] > /ip/route> print
Flags: D - dynamic; X - disabled, I - inactive, A - active; C - connect, S - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn
Columns: DST-ADDRESS, GATEWAY, Distance
    DST-ADDRESS     GATEWAY  D
DAC 10.1.1.0/24     ether1   0
DAC 172.16.1.0/30   ether2   0
DAC 192.168.1.0/24  bridge1  0
添加静态路由
bash
[admin@MikroTik] > /ip route add dst-address=192.168.2.0/24 gateway=172.16.1.2
[admin@MikroTik] > /ip/route> print
Flags: D - dynamic; X - disabled, I - inactive, A - active; C - connect, S - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn
Columns: DST-ADDRESS, GATEWAY, Distance
      DST-ADDRESS     GATEWAY     D
  DAC 10.1.1.0/24     ether1      0
  DAC 172.16.1.0/30   ether2      0
  DAC 192.168.1.0/24  bridge1     0
0 AS  192.168.2.0/24  172.16.1.2
添加默认路由
bash
# Default route: no dst-address is given, so RouterOS uses its default of
# 0.0.0.0/0 and sends traffic with no more specific route to 172.16.1.1.
/ip route add gateway=172.16.1.1
查看详细路由
bash
[admin@MikroTik] /routing/route> print
Flags: X - disabled, I - inactive, F - filtered, U - unreachable, A - active; c - connect, s - static, r - rip, b - bgp, o - ospf, d - dhcp, v - vpn, a - ldp-address, l - ldp-mapping
Columns: DST-ADDRESS, GATEWAY, DIStance, SCOpe, TARget-scope, IMMEDIATE-GW
     DST-ADDRESS            GATEWAY       DIS  SCO  TAR  IMMEDIATE-GW
 Xs  10.155.101.0/24
 Xs
 d   0.0.0.0/0              10.155.101.1   10   30   10  10.155.101.1%ether12
 As  0.0.0.0/0              10.155.101.1    1   30   10  10.155.101.1%ether12
 As  1.1.1.0/24             10.155.101.1   10   30   10  10.155.101.1%ether12
 As  8.8.8.8                2.2.2.2         1  254  254  10.155.101.1%ether12
 Ac  10.155.101.0/24        ether12         0   10       ether12
 Ic  2001:db8:2::/64        ether2          0   10
 Io  2001:db8:3::/64        ether12       110   20   10
 Ic  fe80::%ether2/64       ether2          0   10
 Ac  fe80::%ether12/64      ether12         0   10       ether12
 Ac  fe80::%bridge-main/64  bridge-main     0   10       bridge-main
 A                          ether12         0  250
 A                          bridge-main     0  250
建议配置的防火墙策略
bash
# Baseline IPv4 filter rules for a router whose WAN interface is pppoe-out1.
# Rules are matched top to bottom and `add` appends to the end of the list,
# so on a router that already has filter rules, verify the final order with
# `print` before relying on them.
# NOTE(review): /ip firewall filter covers IPv4 only. IPv6 traffic is
# filtered by the separate /ipv6 firewall filter table, which is not
# configured here.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
# ICMP is accepted from every interface, WAN included, because this rule
# precedes the WAN drop below.
add action=accept chain=input comment="accept ping" protocol=icmp
# Replies to connections that are already tracked (or explicitly untracked).
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
# Everything else arriving on the WAN interface is dropped.
# NOTE(review): only pppoe-out1 is matched. Input from any other interface
# reaches no drop rule and is accepted by the chain's default. Confirm that
# no other untrusted interface exists, such as the physical port carrying
# the PPPoE session.
add action=drop in-interface=pppoe-out1 chain=input comment="drop all from WAN"
# --- forward chain: traffic routed through the router ---
# Established/related connections are handed to FastTrack. Fasttracked
# packets skip later firewall and queue processing, so rules that must see
# every packet of a flow will not apply to them.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
# New connections from the WAN are forwarded only if a dst-nat (port
# forwarding) rule matched them; all other new WAN connections are dropped.
# Forwarding between other interfaces is not restricted by these rules.
add action=drop in-interface=pppoe-out1 chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new
上述规则中的 in-interface=pppoe-out1 请替换为自己实际使用的 WAN 接口名称；若接口名与实际外网接口不符，来自外网的流量不会被这两条 drop 规则拦截。