RouterOSIPv602 RouterOS 开启 IPv6 并配置防火墙
Tom本文介绍RouterOS如何开启IPV6
以NAT6模式为例,ipv6内网网段默认为dc00::/64,Routeros bridge1的IPv6内网地址为dc00::1111/64。桥接接口bridge1、拨号接口pppoe-out1名称若不同则自行替换
1. 开启 IPv6
1
| /ipv6 settings set disable-ipv6=no
|
2. 获取 IPv6 前缀
1
| /ipv6 dhcp-client add interface=pppoe-out1 pool-name=dhcpv6-gua-pool1 pool-prefix-length=60 request=prefix
|
3. 添加 ULA 地址池
1
| /ipv6 pool add name=dhcpv6-ula-pool1 prefix=dc00::/64 prefix-length=64
|
4. 计算并配置地址
使用wan网卡的MAC地址计算标准EUI-64地址(非必须,简单操作则在下一步中输入::1即可)
https://eui64-calc.princelle.org/
- 使用上面计算得到的后缀(例如::BF24:12FF:FEE1:E81B)配置pppoe-out1的GUA地址
1
| /ipv6 address add address=::BF24:12FF:FEE1:E81B/64 from-pool=dhcpv6-gua-pool1 interface=pppoe-out1
|
- 配置bridge1的ula地址,默认dc00::1111(可自行修改)
1
| /ipv6 address add address=dc00::1111/64 from-pool=dhcpv6-ula-pool1 interface=bridge1
|
5. 配置 NAT6
配置动态源地址伪装(开启NAT6),建议不做接口限制,若后期采用fakeip方案,再加上“排除代理IP列表的操作”
1
| /ipv6 firewall nat add action=masquerade chain=srcnat
|
6. 配置 ND
禁用默认ND配置,新建配置。默认不广播IPV6 DNS。
1
2
| /ipv6 nd set [ find default=yes ] advertise-dns=no disabled=yes
/ipv6 nd add advertise-dns=no advertise-mac-address=no interface=bridge1 managed-address-configuration=yes other-configuration=yes ra-interval=5m-15m
|
7. IPv6 防火墙
配置防火墙,因使用NAT6,防火墙与V4相似,没有PSD
1
2
3
4
5
6
7
8
9
10
11
| /ipv6 firewall filter
add action=accept chain=forward in-interface=bridge1
add action=accept chain=input in-interface=bridge1
add action=accept chain=forward connection-state=established,related,untracked
add action=accept chain=input connection-state=established,related
add action=drop chain=input connection-state=invalid in-interface=pppoe-out1
add action=drop chain=input connection-state=invalid in-interface=pppoe-out1
add action=drop chain=input icmp-options=128:0-255 in-interface=pppoe-out1 protocol=icmpv6
add action=drop chain=input icmp-options=137:0-255 in-interface=pppoe-out1 protocol=icmpv6
add action=drop chain=input dst-port=53,8291,80,5391 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input dst-port=53,8291,80,5391 in-interface=pppoe-out1 protocol=udp
|
8. TCP MSS
1
2
| /ipv6 firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
/ipv6 firewall mangle add action=change-mss chain=output new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
|
至此,IPv6已开启,访问以下网址能打开(页面仅显示你的IPv6地址)则表示IPv6已通网
http://[2402:4e00:1013:e500:0:9671:f018:4947]
