RB760iGS + PON stick setup notes
A MikroTik hEX S (RB760iGS) paired with a PON stick (an SFP ONT "cat stick") doing PPPoE, IPv6 and IPTV. Doing this in WinBox would need far too many screenshots, so the equivalent CLI commands are given instead.
Topology:
Create two bridges: LAN-bridge for the five copper ports, PON-bridge for the link to the PON stick.
```routeros
/interface bridge
add admin-mac=DC:2C:6E:87:D9:D0 auto-mac=no comment=defconf igmp-snooping=yes name=LAN-bridge
add igmp-snooping=yes name=PON-bridge
```
Rename the Ethernet ports (and the SFP cage the stick sits in). The SFP port name contains a space, so it has to be quoted here and everywhere it is referenced later.
```routeros
/interface ethernet
set [ find default-name=ether1 ] name=LAN1
set [ find default-name=ether2 ] name=LAN2
set [ find default-name=ether3 ] name=LAN3
set [ find default-name=ether4 ] name=LAN4
set [ find default-name=ether5 ] name=LAN5 poe-out=off
set [ find default-name=sfp1 ] name="PON STICK"
```
Create the pass-through VLANs on the PON stick. Testing showed that Xi'an Telecom's IPTV VLAN is 43; PPPoE dial-up is untagged, so the Internet VLAN (41) and the voice/TR-069 VLANs (45, 46) are created but left disabled.
```routeros
/interface vlan
add interface="PON STICK" name=IPTV_IGMP vlan-id=43
add disabled=yes interface="PON STICK" name=INTERNET_B_VID vlan-id=41
add disabled=yes interface="PON STICK" name=VOICE_R_VID vlan-id=45
add disabled=yes interface="PON STICK" name=TR069_R_VID vlan-id=46
```
Set up the PPPoE client. It runs on PON-bridge (untagged). The export does not show the password; supply it with `password=` as well.
```routeros
/interface pppoe-client
add add-default-route=yes disabled=no interface=PON-bridge name=PPPoE use-peer-dns=yes user=<dial-up username>
```
Create the address pool for the five LAN ports.
```routeros
/ip pool
add name=DHCP-LAN-Pool ranges=10.0.0.2-10.0.0.30
```
Enable the DHCP server and have it hand out addresses from that pool to the LAN.

```routeros
/ip dhcp-server
add address-pool=DHCP-LAN-Pool interface=LAN-bridge lease-time=1d name=DHCP-Server
/ip dhcp-server network
add address=10.0.0.0/27 comment=defconf dns-server=10.0.0.30,114.114.114.114,223.5.5.5 gateway=10.0.0.30 netmask=27 ntp-server=10.0.0.1
```

Check this before copying it: `gateway` and the first `dns-server` point at 10.0.0.30, while the router's own LAN address (set further down) is 10.0.0.1 and 10.0.0.30 also lies inside the DHCP pool. If the router is meant to be the gateway and resolver, set both to 10.0.0.1; if a separate box at 10.0.0.30 is, end the pool range at 10.0.0.29 so the server never leases that address to something else.
Add the ports to the bridges and populate the interface lists. Note that the WAN list contains only the PPPoE interface; IPTV_IGMP and PON-bridge are in neither list, which matters for the firewall rules later.

```routeros
/interface bridge port
add bridge=LAN-bridge comment=defconf ingress-filtering=no interface=LAN1
add bridge=LAN-bridge comment=defconf ingress-filtering=no interface=LAN2
add bridge=LAN-bridge comment=defconf ingress-filtering=no interface=LAN3
add bridge=LAN-bridge comment=defconf ingress-filtering=no interface=LAN4
add bridge=LAN-bridge comment=defconf ingress-filtering=no interface=LAN5
add bridge=PON-bridge comment=defconf ingress-filtering=no interface="PON STICK"
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=LAN5 list=LAN
add comment=defconf interface=PPPoE list=WAN
add interface=LAN2 list=LAN
add interface=LAN3 list=LAN
add interface=LAN4 list=LAN
add interface=LAN1 list=LAN
add interface=LAN-bridge list=LAN
```
Configure IPv6. The DHCPv6 client on PPPoE only requests a /56 prefix (`request=prefix`) into pool V6-POOL; the IPv6 default route is not taken from DHCPv6 (`add-default-route=no`) but from the router advertisements received on PPPoE (`accept-router-advertisements=yes`). LAN-bridge takes `::1` from the delegated pool, and the ND entry with `other-configuration=yes` lets clients autoconfigure addresses by SLAAC while fetching DNS and similar options over stateless DHCPv6.

```routeros
/ipv6 settings
set accept-router-advertisements=yes max-neighbor-entries=8192
/ipv6 address
add address=::1 from-pool=V6-POOL interface=LAN-bridge
/ipv6 dhcp-client
add add-default-route=no interface=PPPoE pool-name=V6-POOL pool-prefix-length=56 request=prefix use-interface-duid=yes use-peer-dns=no
/ipv6 dhcp-server
add address-pool=IPV6 interface=LAN-bridge lease-time=1d name=default
/ipv6 nd
set [ find default=yes ] other-configuration=yes
add interface=LAN-bridge mtu=1420 other-configuration=yes
/ipv6 nd prefix default
set preferred-lifetime=10m valid-lifetime=30m
```

The `/ipv6 dhcp-server` entry references a pool named `IPV6` that is not defined anywhere in this export; the only IPv6 pool created here is `V6-POOL`, so either create `IPV6` or point the server at the pool that exists.
Assign the bridge addresses: LAN-bridge is the LAN gateway, PON-bridge carries the point-to-point link to the PON stick's management address. Neighbor discovery is limited to the LAN list and TCP SYN cookies are enabled.

```routeros
/ip address
add address=10.0.0.1/27 interface=LAN-bridge network=10.0.0.0
add address=172.18.1.2/30 interface=PON-bridge network=172.18.1.0
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set tcp-syncookies=yes
```
Enable the built-in DDNS (this registers the PPPoE address under a `*.sn.mynetname.net` name with MikroTik's cloud service; the dst-nat rules below match on that name).

```routeros
/ip cloud
set ddns-enabled=yes
```
Enable a DHCP client on the IPTV VLAN, because IPTV obtains its address by IPoE. No default route is taken from it, so Internet traffic keeps going out over PPPoE.

```routeros
/ip dhcp-client
add add-default-route=no interface=IPTV_IGMP
```
Configure DNS. `allow-remote-requests=yes` turns the router into a caching resolver for the LAN; whether anything outside the LAN can also query it depends entirely on the `input` chain, so pair this with a terminal drop for non-LAN interfaces (see the firewall notes below) or you end up running an open resolver.

```routeros
/ip dns
set allow-remote-requests=yes servers=114.114.114.114,223.5.5.5,180.76.76.76
```
Configure IPTV multicast: IGMP proxy with the IPTV VLAN as upstream and LAN-bridge as downstream.

```routeros
/routing igmp-proxy interface
add interface=IPTV_IGMP upstream=yes
add interface=LAN-bridge
```
Services: telnet, FTP and the API are disabled and SSH is moved to port 2222. Note that `www` and `winbox` are left at their defaults with no `address=` restriction, so reachability of the management plane rests on the firewall alone. UPnP is enabled with PPPoE as the external interface, which lets any LAN device open inbound port mappings on its own; keep it only if something on the LAN actually needs it.

```routeros
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2222
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=PPPoE type=external
add interface=LAN-bridge type=internal
```
Time zone and NTP. The router syncs from public pools and serves time to the LAN, including by broadcast to the /27's broadcast address 10.0.0.31.

```routeros
/system clock
set time-zone-name=Asia/Shanghai
/system ntp client
set enabled=yes
/system ntp server
set broadcast=yes broadcast-addresses=10.0.0.31 enabled=yes manycast=yes multicast=yes use-local-clock=yes
/system ntp client servers
add address=0.asia.pool.ntp.org
add address=cn.ntp.org.cn
add address=hk.ntp.org.cn
add address=tw.ntp.org.cn
```
IPv4 and IPv6 firewall and NAT.

```routeros
/ip firewall address-list
add address=fxxxxxxxxxxxx.sn.mynetname.net list=WAN-DOMAIN
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ping" protocol=icmp
add action=accept chain=input comment=wireguard disabled=yes dst-port=60000 in-interface-list=WAN protocol=udp
add action=drop chain=input comment="drop all from WAN" in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
add action=accept chain=prerouting dst-address=172.18.1.0/30 src-address=10.0.0.0/27
add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface=PPPoE passthrough=yes protocol=tcp tcp-flags=syn
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN src-address=10.0.0.0/27
add action=masquerade chain=srcnat comment=LAN_to_PON dst-address=172.18.1.0/30 src-address=10.0.0.0/27
add action=masquerade chain=srcnat comment="LAN_to_AX3 Pro" disabled=yes dst-address=192.168.3.0/24 src-address=10.0.0.0/27
add action=masquerade chain=srcnat comment="Hairpin NAT" out-interface=LAN-bridge src-address=10.0.0.0/27
add action=dst-nat chain=dstnat comment="Z97 NAT1" disabled=yes in-interface=PPPoE to-addresses=10.0.0.3
add action=dst-nat chain=dstnat comment=50000to5000 dst-address-list=WAN-DOMAIN dst-address-type=local dst-port=50000 protocol=tcp to-addresses=10.0.0.12 to-ports=5000
add action=dst-nat chain=dstnat comment=FRPS_57000 disabled=yes dst-address-list=WAN-DOMAIN dst-port=57000-57200 protocol=tcp to-addresses=10.0.0.13 to-ports=57000-57200
/ipv6 firewall address-list
add address=fe80::/10 list=allowed
add address=ff00::/8 comment=multicast list=allowed
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=input comment="allow access to router from allowed addresses" src-address-list=allowed
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface=PPPoE src-address=fe80::/10
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="accept new connections from clients to internet" in-interface=PPPoE
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface=PPPoE
/ipv6 firewall mangle
add action=change-mss chain=forward comment=change-mss dst-prefix=::/0 new-mss=clamp-to-pmtu out-interface=PPPoE passthrough=yes protocol=tcp src-prefix=::/0 tcp-flags=syn
```

Read these rules carefully before reusing them, because as exported they leave more open than the comments suggest.

In the IPv4 `input` chain the only terminal rule is `drop all from WAN`, and the WAN list contains just PPPoE. Packets arriving on `IPTV_IGMP` (which holds an ISP-assigned address obtained by IPoE) or on `PON-bridge` fall off the end of the chain and are accepted, so SSH on 2222, WinBox, the web UI and, because of `allow-remote-requests=yes`, the DNS cache are all reachable from those segments. The `forward` chain has the same shape: its `drop all from WAN not DSTNATed` rule only matches `in-interface-list=WAN`.

In the IPv6 rules the input "drop everything else not coming from LAN" only matches `src-address=fe80::/10`, i.e. link-local sources, so a connection from a global IPv6 address on the Internet to the router's own services is never dropped. Worse, the forward rule "accept new connections from clients to internet" matches `in-interface=PPPoE`, which is traffic arriving from the Internet; the drop below it never sees a new inbound flow, and every LAN host with a global address out of the delegated /56 is reachable on every port from outside. The intended rule is the reverse: accept new flows whose in-interface is on the LAN side and drop everything else.

On the NAT side, `Z97 NAT1` (disabled here) has no `protocol` or `dst-port` match, so enabling it forwards every port of 10.0.0.3 to the Internet; treat it as a DMZ rule rather than a port forward. The `Hairpin NAT` masquerade lets LAN clients reach the forwarded services through the public DDNS name.
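The following is an added hardening snippet written for this edit; it is not part of the original export. It keeps the post's interface names (LAN list, PPPoE, IPTV_IGMP, PON-bridge) and the 10.0.0.0/27 LAN. The two accept rules on IPTV_IGMP (IGMP queries and DHCP replies) are an assumption about what the IPTV IPoE client and the IGMP proxy need to receive; verify them against your own line before adding the terminal drop.

```routeros
# Added hardening, not from the original export. Interface names and the LAN
# subnet are the ones used in this post; the IPTV_IGMP accept rules are an
# assumption about what the IPTV IPoE client and IGMP proxy need to receive.

# IPv4 input: the exported chain ends with "drop all from WAN" (WAN = PPPoE only).
# Appended rules land after it, so they only ever see IPTV_IGMP / PON-bridge traffic.
/ip firewall filter
add chain=input action=accept comment="IGMP queries from IPTV upstream" in-interface=IPTV_IGMP protocol=igmp
add chain=input action=accept comment="DHCP replies for the IPTV IPoE client" in-interface=IPTV_IGMP protocol=udp dst-port=68
add chain=input action=drop comment="drop everything else not from LAN" in-interface-list=!LAN

# IPv6 input: replace the link-local-only drop with a real terminal drop.
/ipv6 firewall filter
remove [ find chain=input comment="defconf: drop everything else not coming from LAN" ]
add chain=input action=drop comment="drop everything else not coming from LAN" in-interface-list=!LAN

# IPv6 forward: the accept rule must key on the LAN side, not on PPPoE.
# Established/related, ICMPv6 and the IPsec rules above it are untouched.
remove [ find chain=forward comment="accept new connections from clients to internet" ]
remove [ find chain=forward comment="defconf: drop everything else not coming from LAN" ]
add chain=forward action=accept comment="accept new connections from LAN to internet" connection-state=new in-interface-list=LAN out-interface=PPPoE
add chain=forward action=drop comment="drop everything else not coming from LAN" in-interface-list=!LAN

# Defense in depth: bind the management services to the LAN subnet as well,
# so a future firewall mistake does not expose them again.
/ip service
set www address=10.0.0.0/27
set winbox address=10.0.0.0/27
set ssh address=10.0.0.0/27 port=2222
```

After applying it, `/ip firewall filter print chain=input` and `/ipv6 firewall filter print` should show the `!LAN` drop as the last rule of each chain. Then test from outside the LAN (a phone on mobile data is enough): the router's SSH/WinBox ports and a LAN host's global IPv6 address should no longer answer, while IPTV playback and IPv6 browsing from the LAN still work.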
Final result:
All articles on this site may be freely reposted; please keep the original link and author when doing so.