侧边栏壁纸
博主头像
Backspace‘s Blog 博主等级

行动起来,活在当下

  • 累计撰写 33 篇文章
  • 累计创建 8 个标签
  • 累计收到 0 条评论

目 录CONTENT

文章目录
脚本

ros_firewall_ipv4.pppoe.basic.conf

Backspace
Backspace
2026-01-21 / 0 评论 / 0 点赞 / 4 阅读 / 0 字 / 正在检测是否收录... 
##       Filter 规则  9 条 + 虚拟规则 1 条
##          NAT 规则  4 条
##       Mangle 规则  2 条 + 虚拟规则 3 条
## Address-list 规则  2 条

/ip firewall address-list

add address=192.168.1.1 comment="onuconf: local ONU IPv4" list=local_onu_ipv4
add address=10.0.0.0/24 comment="defconf: local LAN IPv4 subnet" list=local_subnet_ipv4


/ip firewall filter

add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not from LAN" in-interface-list=!LAN

add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix="[wan-not-dnat]"
add action=drop chain=forward comment="onuconf: drop all from ONU not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=ONU log=yes log-prefix="[onu-not-dnat]"


/ip firewall nat

add action=masquerade chain=srcnat comment="defconf: masquerade IPv4" out-interface-list=WAN
add action=masquerade chain=srcnat comment="onuconf: access to ONU" out-interface-list=ONU src-address-list=local_subnet_ipv4 dst-address-list=local_onu_ipv4

add action=redirect chain=dstnat comment="lanconf: redirect DNS query (UDP)" dst-port=53 in-interface-list=LAN protocol=udp to-ports=53
add action=redirect chain=dstnat comment="lanconf: redirect DNS query (TCP)" dst-port=53 in-interface-list=LAN protocol=tcp to-ports=53


/ip firewall mangle

add action=change-mss chain=forward comment="defconf: fix IPv4 mss for WAN" new-mss=clamp-to-pmtu passthrough=yes protocol=tcp tcp-flags=syn
add action=accept chain=prerouting comment="onuconf: access to ONU" src-address-list=local_subnet_ipv4 dst-address-list=local_onu_ipv4


/ip firewall connection tracking

set tcp-syn-sent-timeout=120s
set tcp-syn-received-timeout=60s
set tcp-established-timeout=7440s
set tcp-fin-wait-timeout=120s
set tcp-close-wait-timeout=60s
set tcp-last-ack-timeout=30s
set tcp-time-wait-timeout=120s
set tcp-close-timeout=10s
set tcp-max-retrans-timeout=300s
set tcp-unacked-timeout=300s
set udp-timeout=30s
set udp-stream-timeout=120s
set icmp-timeout=30s
set generic-timeout=600s

0
RouterOS

  1. 支付宝打赏

    qrcode alipay

  2. 微信打赏

    qrcode weixin
版权归属: Backspace
本文链接: https://blog.lys613.top/archives/019be0af-b6b6-768c-9557-d91817d4c800
许可协议: 本文使用《署名-非商业性使用-相同方式共享 4.0 国际 (CC BY-NC-SA 4.0)》协议授权

评论区