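# Update@2020.10.13 xifeng
# RouterOS (6.x) provisioning script for an RB2011UiAS-2HnD. It is meant to be
# pasted section by section into a console session: some steps reboot the
# device or remove the address the session may be using.

# Device name shown in the prompt and in Winbox/neighbor discovery.
/system identity set name=CQ

# Replace the factory "admin" account with a dedicated full-rights user.
# SECURITY: the password below is weak and sits in this file in clear text;
# choose a unique strong password before running this and keep it out of
# version control. Once the management ranges exist (172.20.0.0/17, the
# "local" address list used by the firewall section), consider pinning the
# account to them:  /user set user address=172.20.0.0/17
/user add name=user password=User@user group=full
# Remove the factory account by name; "remove 0" depends on list order.
/user remove admin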
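# Obtain an address on ether1 by DHCP for internet access, then upgrade
# RouterOS and the RouterBOOT firmware.
# NOTE: "package update install" reboots the router by itself, so nothing after
# it runs in the same paste. Lines starting with "#>" are the console output
# captured from the original run, kept as a reference of what to expect.
# NOTE: ether1 is later made a port of Brige-Wan1; a DHCP client bound to a
# bridge port stops working, so if WAN1 really uses DHCP, re-add the client on
# Brige-Wan1 after the bridge section.
/ip dhcp-client
# Clear any existing client (the factory config has one on ether1) instead of
# relying on it being entry 0.
remove [find]
add interface=ether1 disabled=no
/system package update check-for-updates
/system package update install
#> /system> package update install
#>   channel: stable
#>   installed-version: 6.45.6
#>   latest-version: 6.47.4
#>   status: Downloaded, rebooting…
# After the automatic reboot, confirm the package is current.
/system package update check-for-updates
#>   channel: stable
#>   installed-version: 6.47.4
#>   latest-version: 6.47.4
#>   status: System is already up to date
# Bring the RouterBOOT firmware up to the package version. It only takes
# effect after another reboot (see the message in the output below).
/system routerboard upgrade
/system routerboard print
#>   ;;; Firmware upgraded successfully, please reboot for changes to take effect!
#>   routerboard: yes
#>   model: 2011UiAS-2HnD
#>   serial-number: 7315061BC1FD
#>   firmware-type: ar9344
#>   factory-firmware: 3.33
#>   current-firmware: 6.45.6
#>   upgrade-firmware: 6.47.4
# Reboot here (/system reboot); the second print shows the new firmware active.
# (The serial number above identifies the physical unit; redact it before
# sharing this file.)
/system routerboard print
#>   routerboard: yes
#>   model: 2011UiAS-2HnD
#>   serial-number: 7315061BC1FD
#>   firmware-type: ar9344
#>   factory-firmware: 3.33
#>   current-firmware: 6.47.4
#>   upgrade-firmware: 6.47.4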
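# Move the management services off their default ports. This is obscurity
# only — scanners find them within minutes — so the real controls are the
# firewall rules further down and, ideally, management only over the VPN.
# (The original lines carried a pasted "/ip service>" prompt and a stray
# space in "/ ip service", neither of which runs as a script.)
/ip service set www port=1111
/ip service set winbox port=2222
/ip service set ssh port=3333
# Telnet transmits the password in clear text. The original moved it to 5555
# but left it enabled; keep the port but disable the service.
/ip service set telnet port=5555 disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
# Plain HTTP (www) also carries the password in clear text. Prefer www-ssl with
# a certificate, or at least limit who may reach it, e.g.
#   /ip service set www address=172.20.0.0/17
# Restrict SSH to strong ciphers/MACs.
/ip ssh set strong-crypto=yes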
# Create the bridges up front so the rest of the configuration can refer to
# them. The names are spelled "Brige-*" (sic) throughout the file; every later
# reference uses the same spelling, so either leave it or rename everywhere.
# Brige-Wan1..4: one bridge per uplink (ether1..4 are attached below).
/int bridge add name=Brige-Wan1
/int bridge add name=Brige-Wan2
/int bridge add name=Brige-Wan3
/int bridge add name=Brige-Wan4
# Brige-Lan1: the client LAN (ether6..10 are attached below).
/int bridge add name=Brige-Lan1
# Brige-Ovpn: gets no physical port in this script; presumably for VPN
# clients, whose server configuration is not part of this file.
/int bridge add name=Brige-Ovpn
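# Drop the factory bridge membership and attach each port to its new bridge.
/interface bridge port
# Remove every existing membership. The original removed indices 0..10, which
# errors out if the factory config holds a different number of entries.
remove [find]
# Client LAN: ether6..10. ether5 is deliberately left unassigned (as in the
# original); any pre-existing bridge (the factory "bridge") stays without ports.
add bridge=Brige-Lan1 interface=ether6
add bridge=Brige-Lan1 interface=ether7
add bridge=Brige-Lan1 interface=ether8
add bridge=Brige-Lan1 interface=ether9
add bridge=Brige-Lan1 interface=ether10
# One uplink port per WAN bridge.
add bridge=Brige-Wan1 interface=ether1
add bridge=Brige-Wan2 interface=ether2
add bridge=Brige-Wan3 interface=ether3
add bridge=Brige-Wan4 interface=ether4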
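# Replace the factory management address with the new ones.
# WARNING: this removes the address your session may be using; run it from the
# serial console or a Winbox MAC session, or add the new addresses first.
# Static entries only — the DHCP-client address on ether1 is dynamic and
# cannot be removed this way.
/ip address remove [find dynamic=no]
# (The original used typographic quotes “OVPN”/“LAN1”, which the CLI rejects.)
/ip address add address=172.20.1.1/24 interface=Brige-Ovpn comment="OVPN"
/ip address add address=172.20.2.1/24 interface=Brige-Lan1 comment="LAN1"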
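# Remove the factory firewall so the router can be administered remotely.
# WARNING: this also strips the default "drop everything else from WAN" rule
# before the replacement rules (further down in this file) exist, so every
# service is reachable from all WAN ports in between. Paste the new rules in
# the same session right after this, and prefer remote management over the
# VPN rather than exposed WAN ports. Some RouterOS builds ship without default
# rules; "[find ...]" is harmless then, whereas the original "numbers=0..11"
# errors out when fewer entries exist.
/ip firewall filter remove [find dynamic=no]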
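# DHCP for LAN clients on Brige-Lan1.
/ip pool remove [find]
/ip pool add name=lan1 ranges=172.20.2.100-172.20.2.200
/ip dhcp-server remove [find]
/ip dhcp-server network remove [find]
/ip dhcp-server add address-pool=lan1 disabled=no interface=Brige-Lan1 name=server1
# The network entry must contain both the pool and the gateway. The original
# used 172.20.0.0/24, which contains neither 172.20.2.1 nor the pool, so
# leases had no matching network entry (and therefore no gateway option).
# Clients also need a resolver: the router does not answer remote DNS queries
# (allow-remote-requests is not enabled in this file), so hand out the same
# upstream resolver the router itself uses.
/ip dhcp-server network add address=172.20.2.0/24 gateway=172.20.2.1 dns-server=223.5.5.5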
# Upstream resolver for the router itself (optional). allow-remote-requests is
# not enabled, so the router is not a resolver for LAN clients; they need an
# explicit dns-server option from DHCP.
/ip dns set servers=223.5.5.5
# MikroTik cloud DDNS: publishes this router's public address under a
# MikroTik-hosted name. It sends the device serial and WAN address to MikroTik's
# servers and (by default) also sets the clock from them; keep it only if a
# public hostname is actually needed.
/ip cloud set ddns-enabled=yes
# Source NAT for traffic leaving through each WAN bridge. masquerade uses
# whatever address the out-interface currently holds, so it keeps working if a
# WAN address changes. There is no src-address restriction: anything routed out
# of a WAN bridge is translated, e.g. both the LAN and the OVPN subnet.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Brige-Wan1
add action=masquerade chain=srcnat out-interface=Brige-Wan2
add action=masquerade chain=srcnat out-interface=Brige-Wan3
add action=masquerade chain=srcnat out-interface=Brige-Wan4
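# Multi-WAN return-path routing: remember which ISP a connection arrived on and
# send every packet of that connection back out through the same ISP.
/ip firewall mangle
# 1. Tag connections arriving on each WAN bridge with the ISP they came in on
#    (prerouting sees both transit traffic and traffic for the router itself).
add action=mark-connection chain=prerouting in-interface=Brige-Wan1 new-connection-mark=ISP1 passthrough=yes
add action=mark-connection chain=prerouting in-interface=Brige-Wan2 new-connection-mark=ISP2 passthrough=yes
add action=mark-connection chain=prerouting in-interface=Brige-Wan3 new-connection-mark=ISP3 passthrough=yes
add action=mark-connection chain=prerouting in-interface=Brige-Wan4 new-connection-mark=ISP4 passthrough=yes
# 2. Replies from LAN hosts: choose the per-ISP routing table (pcc1..pcc4, see
#    /ip route) that matches the connection mark. The original set the same
#    mark "pcc" on all four rules, which no route uses, so the replies fell
#    back to the main table. dst-address-type=!local keeps packets addressed to
#    the router itself out of the per-ISP tables (the original had an empty
#    dst-address-type="").
add action=mark-routing chain=prerouting connection-mark=ISP1 dst-address-type=!local in-interface=Brige-Lan1 new-routing-mark=pcc1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP2 dst-address-type=!local in-interface=Brige-Lan1 new-routing-mark=pcc2 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP3 dst-address-type=!local in-interface=Brige-Lan1 new-routing-mark=pcc3 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=ISP4 dst-address-type=!local in-interface=Brige-Lan1 new-routing-mark=pcc4 passthrough=yes
# 3. Connections to the router itself. The original used in-interface=Brige-Wan1
#    on all four rules (copy-paste), so ISP2..4 were never marked here. Note
#    that step 1 already marks these packets in prerouting; these rules are
#    kept for parity with the original.
add action=mark-connection chain=input in-interface=Brige-Wan1 new-connection-mark=ISP1 passthrough=yes
add action=mark-connection chain=input in-interface=Brige-Wan2 new-connection-mark=ISP2 passthrough=yes
add action=mark-connection chain=input in-interface=Brige-Wan3 new-connection-mark=ISP3 passthrough=yes
add action=mark-connection chain=input in-interface=Brige-Wan4 new-connection-mark=ISP4 passthrough=yes
# 4. Router-originated replies: route by the connection's ISP. The original
#    matched connection-mark=ISP2 on all four rules and misspelled pcc4 as
#    "pc4", so only ISP2 replies were ever steered.
add action=mark-routing chain=output connection-mark=ISP1 new-routing-mark=pcc1 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP2 new-routing-mark=pcc2 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP3 new-routing-mark=pcc3 passthrough=yes
add action=mark-routing chain=output connection-mark=ISP4 new-routing-mark=pcc4 passthrough=yes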
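# Default routes: one unmarked route for the main table and one per ISP table.
/ip route
# Main-table default (everything not pinned to an ISP by the mangle marks)
# leaves via ISP1. check-gateway lets the route be withdrawn when 172.16.1.1
# stops answering; for failover to ISP2..4 add further unmarked defaults via
# the other gateways with higher distance.
add check-gateway=ping distance=1 gateway=172.16.1.1
# Per-ISP tables selected by routing-mark pcc1..pcc4 (set in mangle) so that a
# connection that arrived on ISP N is answered via ISP N.
add check-gateway=ping distance=1 gateway=172.16.1.1 routing-mark=pcc1
add check-gateway=ping distance=1 gateway=172.16.2.1 routing-mark=pcc2
add check-gateway=ping distance=1 gateway=172.16.3.1 routing-mark=pcc3
add check-gateway=ping distance=1 gateway=172.16.4.1 routing-mark=pcc4
# NOTE: the WAN-side addresses on Brige-Wan1..4 that make these gateways
# reachable (172.16.x.0/..) are not configured anywhere in this script.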
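# Simple firewall, part 1: address lists used by the rules that follow.
# Public resolvers whose forwarded traffic is accepted below.
/ip firewall address-list
add list=DNS address=8.8.8.8
add list=DNS address=8.8.4.4
add list=DNS address=114.114.114.114
add list=DNS address=223.5.5.5
add list=DNS address=223.6.6.6
add list=DNS address=210.22.84.3
add list=DNS address=210.22.70.3
# Trusted/local ranges: covers the OVPN (172.20.1.0/24) and LAN (172.20.2.0/24)
# subnets with room to grow. Sources in this list are accepted on the input
# chain before any of the scan/brute-force rules. (The original line was
# missing its "#" and used typographic quotes around LAN.)
/ip firewall address-list
add list=local address=172.20.0.0/17 comment="LAN"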
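# Simple firewall, part 2: accepts. The factory rules were removed above, so
# re-create the stateful baseline first — without it reply packets of
# legitimate connections have to pass every scan/blacklist rule below.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="accept established/related input"
add chain=forward action=accept connection-state=established,related comment="accept established/related forward"
# Anything from the management/LAN ranges may reach the router itself.
add chain=input action=accept src-address-list=local in-interface-list=all comment="local safe IP"
# Forwarded packets from the listed resolvers are accepted unconditionally.
# NOTE: this matches on source address only, which is spoofable; with the
# established/related accept above it is redundant for real DNS replies and
# can be dropped.
add chain=forward action=accept src-address-list=DNS comment="discover accpet DNS"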
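# Simple firewall, part 3: port scans and floods. Offenders are first recorded
# in an address list, then dropped or tarpitted. Every recording rule is bound
# to the WAN interface list so LAN hosts cannot be caught; the author notes
# that without this binding the LAN ends up blocked (and that VPN traffic is
# unaffected). The factory "WAN" list normally holds only ether1, so register
# the WAN bridges in it first.
/interface list member
add list=WAN interface=Brige-Wan1
add list=WAN interface=Brige-Wan2
add list=WAN interface=Brige-Wan3
add list=WAN interface=Brige-Wan4
/ip firewall filter
add chain=input action=drop connection-state=invalid comment="drop all port no use input"
add chain=forward action=drop connection-state=invalid comment="drop all port no use forward"
# More than 100 TCP connections from one /32 (connection-limit=100,32) on the
# WAN side records the source for a day.
add chain=input protocol=tcp connection-limit=100,32 action=add-src-to-address-list address-list=DDOS-tcp in-interface-list=WAN address-list-timeout=1d disabled=no comment="sign wan DDoS address table"
# psd=99,3s,3,1: port-scan detection (weight threshold 99 within 3 s, low
# ports weigh 3, high ports 1).
add chain=input action=add-src-to-address-list protocol=tcp psd=99,3s,3,1 address-list=TCP-SCAN address-list-timeout=1d in-interface-list=WAN comment="sign wan TCP scan table"
# UDP scans passing through the router towards LAN hosts. The original used
# add-dst-to-address-list here, i.e. it recorded the scanned LAN host, while
# the drop rule below matches the SOURCE — so the scanner was never blocked.
add chain=forward action=add-src-to-address-list protocol=udp psd=99,3s,3,1 address-list=UDP-Scan address-list-timeout=1d in-interface-list=WAN comment="sign wan UDP scan table"
# Recorded flooders are tarpitted once they exceed 3 connections per /32.
add chain=input protocol=tcp connection-limit=3,32 src-address-list=DDOS-tcp action=tarpit comment="limit wan DDoS"
add chain=input action=drop src-address-list=TCP-SCAN comment="deny wan TCP scan"
add chain=input action=drop src-address-list=UDP-Scan in-interface-list=WAN comment="deny wan UDP scan"
# The router is not a public resolver or SNMP agent.
add chain=input action=drop protocol=udp in-interface-list=WAN dst-port=53,161 comment="deny wan DNS and SNMP"
add chain=forward src-address-type=!unicast action=drop comment="Discard all non-unicast data"
# Input traffic not addressed to one of the router's own addresses.
add chain=input dst-address-type=!local action=drop comment="drop no lan date"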
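# Simple firewall, part 4: throttle repeated connections to the management
# ports. This counts NEW TCP connections, not failed logins: add-src-to-address-
# list is a non-terminating action, so each new connection from a source
# promotes it one stage (stage1 5s -> stage2 5s -> stage3 5s -> stage4 10s ->
# stage5 1m) and roughly the sixth connection inside those windows puts the
# source on login_blacklist for 5 minutes. Five-second stages only catch fast
# bursts — a brute force slower than one attempt per window is never caught —
# so consider longer stage timeouts. Sources in the "local" list were accepted
# earlier and never reach these rules. The port list matches /ip service
# (the original also listed 4444, which no service uses), and log="yes" is
# written as log=yes.
/ip firewall filter
add chain=input protocol=tcp dst-port=1111,2222,3333,5555 src-address-list=login_blacklist action=drop comment="drop login brute forcers 1" log=yes disabled=no
add chain=input protocol=tcp dst-port=1111,2222,3333,5555 connection-state=new src-address-list=login_stage5 action=add-src-to-address-list address-list=login_blacklist address-list-timeout=5m comment="drop login brute forcers 2" disabled=no
add chain=input protocol=tcp dst-port=1111,2222,3333,5555 connection-state=new src-address-list=login_stage4 action=add-src-to-address-list address-list=login_stage5 address-list-timeout=1m comment="drop login brute forcers 3" disabled=no
add chain=input protocol=tcp dst-port=1111,2222,3333,5555 connection-state=new src-address-list=login_stage3 action=add-src-to-address-list address-list=login_stage4 address-list-timeout=10s comment="drop login brute forcers 4" disabled=no
add chain=input protocol=tcp dst-port=1111,2222,3333,5555 connection-state=new src-address-list=login_stage2 action=add-src-to-address-list address-list=login_stage3 address-list-timeout=5s comment="drop login brute forcers 5" disabled=no
add chain=input protocol=tcp dst-port=1111,2222,3333,5555 connection-state=new src-address-list=login_stage1 action=add-src-to-address-list address-list=login_stage2 address-list-timeout=5s comment="drop login brute forcers 6" disabled=no
add chain=input protocol=tcp dst-port=1111,2222,3333,5555 connection-state=new action=add-src-to-address-list address-list=login_stage1 address-list-timeout=5s comment="drop login brute forcers 7" disabled=no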
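# Simple firewall, part 5: trap ports. A NEW TCP connection from the WAN side
# to a port no service listens on (the factory management ports plus common
# application ports) records the source for 10 days, after which all its
# input is dropped. Both rules are now bound to in-interface-list=WAN (the
# original was not), so a non-WAN source outside the "local" list cannot be
# locked out for ten days by a single stray connection.
/ip firewall filter
add action=drop chain=input comment="Port attack" in-interface-list=WAN src-address-list="Port attack"
add action=add-src-to-address-list address-list="Port attack" address-list-timeout=1w3d chain=input connection-state=new dst-port=21,22,80,443,1433,7700,8800,8080,8081,8088 in-interface-list=WAN log=yes log-prefix="Port attack" protocol=tcp
# There is still no final drop on the input chain: WAN traffic that survives
# the rules above reaches the relocated management ports and is only
# rate-limited. Once administration happens over the VPN, close WAN management
# with a last rule such as:
#   add chain=input in-interface-list=WAN action=drop comment="drop other WAN input"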
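# Disable the factory-enabled radio: it is not used here, and an enabled but
# unmanaged WLAN is an extra attack surface. The original line carried a
# pasted "/interface wireless>" prompt and an invalid "numbers=wlan1"; this
# is the runnable form.
/interface wireless set wlan1 disabled=yes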
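# Traffic / CPU / memory / disk graphs. The /graphs/ page is served by the www
# service and can be viewed without logging in, and allow-address defaults to
# 0.0.0.0/0 — restrict viewers to the management ranges.
/tool graphing set store-every=24hours
/tool graphing interface add interface=all allow-address=172.20.0.0/17
/tool graphing resource add allow-address=172.20.0.0/17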
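# Logging to external storage (USB stick / SD card): 10000 lines per file and
# up to 50000 files, sized by the author for a 256 GB card. disk-file-name is
# a path relative to the router's storage root, so it must point into the
# mounted card (check the mount name with /disk print); otherwise the internal
# flash is used and wears out quickly. (The original had typographic quotes
# around the file name, which the CLI rejects.)
/system logging action
# Raise the file rotation count of the built-in "disk" action.
set 1 disk-file-count=100
add disk-file-count=50000 disk-file-name="log SD" disk-lines-per-file=10000 name=SDfile target=disk
/system logging
# Send the four default logging rules (presumably info/error/warning/critical)
# to the card instead of memory, so they survive a reboot.
set 0 action=SDfile
set 1 action=SDfile
set 2 action=SDfile
set 3 action=SDfile
# Firewall rule hits (the log=yes rules above); can be very chatty during a scan.
add action=SDfile prefix=FW topics=firewall
# Configuration-change events — keep these for incident review.
add action=SDfile prefix=manager topics=manager
add action=SDfile prefix=health topics=health
# VPN debugging; enable only while troubleshooting.
add action=SDfile disabled=yes topics=debug,ovpn
add action=SDfile disabled=yes topics=ipsec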