X86 j4125 4网口小主机折腾笔记五：PVE安装ROS RouterOS
X86 RouterOS 7.18 设置笔记一：基础设置
X86 RouterOS 7.18 设置笔记二：网络基础设置(IPV4)
X86 RouterOS 7.18 设置笔记三：防火墙设置(IPV4)
X86 RouterOS 7.18 设置笔记四：网络设置(IPV6)
X86 RouterOS 7.18 设置笔记五：防火墙设置(IPV6)
X86 RouterOS 7.18 设置笔记六：端口映射(IPv4、IPv6)及回流问题
X86 RouterOS 7.18 设置笔记七：不使用Upnp的映射方法
X86 RouterOS 7.18 设置笔记八：策略路由及DNS劫持
X86 RouterOS 7.18 设置笔记九：上海电信单线复用IPTV设置
X86 RouterOS 7.18 设置笔记十：上海电信IPTV使用msd_lite实现组播转单拨
X86 RouterOS 7.18 设置笔记十一：ROS更新方法及更新后IPTV组播转单播失效的解决方法

实现的目标

设置防火墙

添加防火墙地址列表

/ipv6 firewall address-list add address=::/128 comment="defconf: unesecified address" list=bad_ipv6
/ipv6 firewall address-list add address=::/1 comment=defconf:Io list=bad_ipv6
/ipv6 firewall address-list add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
/ipv6 firewall address-list add address=::ffff:0.0.0.0/96 comment=defconf:ipv4-mapped list=bad_ipv6
/ipv6 firewall address-list add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
/ipv6 firewall address-list add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
/ipv6 firewall address-list add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
/ipv6 firewall address-list add address=100::/64 comment="defconf: discard only" list=bad_ipv6
/ipv6 firewall address-list add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6

MSS钳制

/ip firewall mangle add action=change-mss chain=forward comment="defconf: IPv4 mss for WAN" new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn

设置防火墙规则

# 允许入站已建立的、相关的或未跟踪的流量
/ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# 拒绝入站无效的流量
/ipv6 firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
# 允许入站 ICMPv6 流量（用于 IPv6 的网络诊断和控制）
/ipv6 firewall filter add action=accept chain=input comment="defconf:accept ICMPv6" protocol=icmpv6
# 允许入站 DHCPv6 客户端流量（用于 IPv6 地址分配和前缀委派）
/ipv6 firewall filter add action=accept chain=input comment="defconf:accept DHCPv6-Client prefix delegation" dst-port=546 protocol=udp src-address=fe80::/10
# 拒绝入站非来自 LAN 口的流量
/ipv6 firewall filter add action=drop chain=input comment="defconf:drop everything else not comming from LAN" in-interface-list=!LAN


# 允许转发已建立的、相关的或未跟踪的流量
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# 拒绝转发无效的流量
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# 拒绝转发源地址为“bad_ipv6”列表的流量
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" connection-nat-state=srcnat src-address-list=bad_ipv6
# 拒绝转发目标地址为“bad_ipv6”列表的流量
/ipv6 firewall filter add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" connection-nat-state=dstnat dst-address-list=bad_ipv6
# 允许转发 ICMPv6 流量
/ipv6 firewall filter add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
# 拒绝转发非来自 LAN 接口的流量
/ipv6 firewall filter add action=drop chain=forward comment="defconf:drop everything else not comming from LAN" in-interface-list=!LAN