
RouterOS Chinese Manual 2

The king of ISP-grade software routers

RouterOS Broadband Access Server

User Manual (Part 2)

Configuration Guide

Contents of the RouterOS Broadband Access Server Configuration Guide

1. Overview
  1.1 Network interface types of the RouterOS broadband access server
  1.2 Network functions of the RouterOS broadband access server

2. Basic configuration management
  2.1 Default system account
  2.2 Login methods
  2.3 Basic command-line operations
  2.4 Remote management and permissions
  2.5 Log management
  2.6 (title missing)
  2.7 System time
  2.8 Warm restart

3. Physical interface configuration

4. Viewing the current configuration
  4.1 Viewing the whole configuration
  4.2 Viewing a sub-item

5. IP parameters
  5.1 Path
  5.2 Function
  5.3 Configuring IP addresses and routes
  5.4 Configuring the firewall
  5.5 Configuring IP services: restricting the addresses and methods allowed for remote management of RouterOS
  5.6 Configuring Hotspot (web authentication)
  5.7 Configuring IP pools
  5.8 Policy routing behind NAT

6. PPP parameters
  6.1 PPP profiles
  6.2 RADIUS client

7. PPPoE configuration

8. HOTSPOT configuration

9. VLAN configuration

10. VPN configuration
  10.1 PPTP VPN
  10.2 EoIP VPN

11. DHCP configuration
  11.1 DHCP server
  11.2 Binding MAC addresses (and IP addresses) to ports

12. Firewall configuration
  12.1 Blocking the "Blaster" worm

13. Backing up and restoring the configuration
  13.1 Showing the file system
  13.2 Backing up the configuration
  13.3 Restoring the configuration
  13.4 Uploading and downloading configuration files
  13.5 Resetting the configuration
  13.6 Viewing system resource usage
  13.7 Monitoring interface traffic

Reference

8. HOTSPOT configuration

How Hotspot works: the user opens a browser, the browser sends a name-resolution request to the DNS server, and the DNS server returns the answer to the client; only after that can the client's HTTP request be redirected to the login page. So even when the Hotspot configuration on the BAS is correct, the authentication window will only pop up when the client opens a browser if the route between the BAS and the DNS server is open.

Method one: use the setup wizard.

[admin@RouerOS] ip hotspot>
  reset-html  Reset current hotspot HTML page
  active      HotSpot active user list
  profile     HotSpot user profile management
  user        HotSpot local user list
  server      HotSpot DHCP profile management
  aaa         AAA (Authentication, Authorization and Accounting) configuration
  cookie      HotSpot active HTTP cookie list
  print       Print current configuration and status
  get         Get value of configuration property
  set         Change hotspot configuration
  export      Export hotspot settings
  setup       Setup wizard for hotspot configuration
  universal   Universal client configuration

The wizard is recommended for the first hotspot interface, since it completes the configuration quickly. Note that if accounting is to be done through an AAA server, /radius and /ip hotspot aaa must also be configured.

Method two: manual configuration. Existing entries can be cloned with add copy-from=<item number>. In the listings below, the entries introduced with "# new" are the additions made for the second interface (the original marked them in blue). Once the first interface has been configured, any further interface can only be configured by hand.

1. Configure /ip hotspot profile (the authenticating user accounts are associated with a profile):

[admin@RouerOS] ip hotspot profile> print
Flags: * - default
 0 * name="default" session-timeout=0s idle-timeout=0s only-one=yes tx-bit-rate=0 rx-bit-rate=0 incoming-filter="" outgoing-filter="" mark-flow="hs-auth" login-method=smart keepalive-timeout=2m

Whether hotspot authentication uses dynamic or static client IP addresses is set by login-method in the profile.

2. Configure /ip pool:

[admin@RouerOS] ip pool> print
 # NAME          RANGES
 0 hs-pool-temp  192.168.0.2-192.168.3.254
 1 hs-pool-real  10.5.4.1-10.5.5.0 10.5.5.2-10.5.7.254

# new: add one more IP pool
[admin@RouerOS] ip pool> add name=hs-pool-real1 ranges=10.25.25.2-10.25.25.254

3. Configure /ip address. Put an IP address on the hotspot interface; it serves as the static gateway for clients, or as the gateway handed out by the DHCP server:

[admin@RouerOS] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 # ADDRESS            NETWORK       BROADCAST       INTERFACE
 0 10.255.255.200/24  10.255.255.0  10.255.255.255  eth0
 1 ;;; hotspot temporary network
   192.168.0.1/22     192.168.0.0   192.168.3.255   v12
 2 ;;; hotspot network
   10.5.5.1/22        10.5.4.0      10.5.7.255      v12
 # new
 3 10.25.25.1/24      10.25.25.0    10.25.25.255    eth1

4. Configure /ip dhcp-server:

[admin@RouerOS] ip dhcp-server> print
Flags: X - disabled, I - invalid
 0 name="hs-dhcp-server" interface=v12 lease-time=14s address-pool=hs-pool-temp netmask=22 gateway=192.168.0.1 src-address=0.0.0.0 dns-server=202.103.96.112 domain="" wins-server="" add-arp=yes
 # new: a second DHCP server. Note the gateway parameter: it must be the address configured on the interface in step 3.
 1 name="hs-dhcp-s1" interface=eth1 lease-time=14s address-pool=hs-pool-real1 netmask=24 gateway=10.25.25.1 src-address=0.0.0.0 dns-server=202.103.96.112 domain="" wins-server="" add-arp=no

5. Configure /ip hotspot server (optional):

[admin@RouerOS] ip hotspot server> print
 0 name="hs-server" dhcp-server=hs-dhcp-server lease-time=1m login-delay=10s address-pool=hs-pool-real netmask=22 gateway=10.5.5.1
 # new; the netmask matches the /24 configured on eth1 in step 3
 1 name="hs-s1" dhcp-server=hs-dhcp-s1 lease-time=1m login-delay=10s address-pool=hs-pool-real1 netmask=24 gateway=10.25.25.1

6. Configure firewall rules (optional):

① /ip firewall rule forward:

[admin@RouerOS] ip firewall rule forward> print
Flags: X - disabled, I - invalid, D - dynamic
 0 ;;; limit access for unauthorized hotspot clients
   src-address=192.168.0.0/22:0-65535 in-interface=v12 dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all icmp-options=any:any tcp-options=any connection-state=any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=jump jump-target=hotspot-temp log=no
 # new: the same jump for the added interface eth1
 1 ;;; limit access for unauthorized hotspot clients
   src-address=10.25.25.0/24:0-65535 in-interface=eth1 dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all icmp-options=any:any tcp-options=any connection-state=any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=jump jump-target=hotspot-temp log=no
 2 ;;; account traffic for authorized hotspot clients
   src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all icmp-options=any:any tcp-options=any connection-state=any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=jump jump-target=hotspot log=no

The jump for the new interface must sit before rule 2 (the accounting jump), as it does above. add appends to the end of the list, so check the order with print and reorder with move if necessary.

② /ip firewall rule hotspot-temp:

[admin@RouerOS] ip firewall rule hotspot-temp> print
Flags: X - disabled, I - invalid, D - dynamic
 0 ;;; return, if connection is authorized
   src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all icmp-options=any:any tcp-options=any connection-state=any flow=hs-auth connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=return log=no
 1 ;;; allow ping requests
   src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=icmp icmp-options=any:any tcp-options=any connection-state=any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=return log=no
 2 ;;; allow dns requests
   src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:53 out-interface=all protocol=udp icmp-options=any:any tcp-options=any connection-state=any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=return log=no
 3 ;;; reject access for unauthorized hotspot clients
   src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all icmp-options=any:any tcp-options=any connection-state=any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=reject log=no

Rule 0 lets connections that carry the hs-auth flow mark (set by the profile's mark-flow for authenticated users) continue; everything else from an unauthenticated client is rejected by rule 3, except ICMP (rule 1) and UDP/53 (rule 2), which go to any destination. The DNS exception is what lets the browser resolve a name before the redirect, but it also means an unauthenticated client can exchange data with any host on UDP/53, or via ICMP, which is enough to tunnel traffic past the portal. Where that matters, restrict rule 2's dst-address to the DNS server handed out by DHCP (202.103.96.112:53 in this configuration) and narrow or remove rule 1.

7. Configure firewall NAT:

① src-nat:

[admin@RouerOS] ip firewall src-nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0 ;;; masquerade hotspot temporary network
   src-address=192.168.0.0/22:0-65535 dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all icmp-options=any:any flow="" connection="" content="" limit-count=0 limit-burst=0 limit-time=0s action=masquerade to-src-address=0.0.0.0 to-src-port=0-65535
 1 ;;; masquerade hotspot network
   src-address=10.5.4.0/22:0-65535 dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all icmp-options=any:any flow="" connection="" content="" limit-count=0 limit-burst=0 limit-time=0s action=masquerade to-src-address=0.0.0.0 to-src-port=0-65535
 # new
 2 ;;; masquerade hotspot network
   src-address=10.25.25.0/24:0-65535 dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all icmp-options=any:any flow="" connection="" content="" limit-count=0 limit-burst=0 limit-time=0s action=masquerade to-src-address=0.0.0.0 to-src-port=0-65535

② dst-nat:

[admin@RouerOS] ip firewall dst-nat> print
Flags: X - disabled, I - invalid, D - dynamic
 0 ;;; accept authorized connections
   src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:0-65535 protocol=all icmp-options=any:any flow=hs-auth connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=accept to-dst-address=0.0.0.0 to-dst-port=0-65535
 1 ;;; redirect unauthorized hotspot clients to hotspot service
   src-address=192.168.0.0/22:0-65535 in-interface=v12 dst-address=0.0.0.0/0:0-65535 protocol=tcp icmp-options=any:any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=redirect to-dst-address=0.0.0.0 to-dst-port=80
 # new: the entry for eth1; add copy-from=1 can be used, then change the source address and interface
 2 ;;; redirect unauthorized hotspot clients to hotspot service
   src-address=10.25.25.0/24:0-65535 in-interface=eth1 dst-address=0.0.0.0/0:0-65535 protocol=tcp icmp-options=any:any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=redirect to-dst-address=0.0.0.0 to-dst-port=80

Rule 0 exempts connections already marked hs-auth from redirection; rules 1 and 2 send all TCP from unauthenticated clients, not only port 80, to the hotspot's local web service.
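Method two is the same fixed set of entries for every extra interface, so it can be generated instead of cloned and edited by hand. The script below is an added example, not code from this manual or from MikroTik: given an interface name and the client subnet, it emits the RouterOS 2.x commands for steps 2 to 7 above, deriving the gateway (first usable address) and the pool (second usable address to the last) the way the 10.25.25.0/24 example does. The dns-server value, the chain name hotspot-temp and the rule comments are taken from the listings above; the name suffix scheme (hs-pool-real1, hs-dhcp-s1, hs-s1) and the use of comment= on add are assumptions.

```python
"""Generate the RouterOS 2.x commands for one additional hotspot interface.

Added example: it reproduces manual steps 2-7 (pool, address, dhcp-server,
hotspot server, forward jump, src-nat masquerade, dst-nat redirect) so a
second or third hotspot interface is not assembled with copy-from and edits.
Assumed: the hotspot-temp chain already exists (step 6) and comment= is
accepted on add, as the ';;;' lines in print output suggest.
"""
import ipaddress


def hotspot_commands(iface, network, dns_server="202.103.96.112", tag="1"):
    """Return the command list that adds hotspot support on `iface`.

    `network` is the client subnet in CIDR form ("10.25.25.0/24"). The gateway
    is the first usable address and the pool spans the second usable address
    to the last, as in the manual's eth1 example. `tag` is appended to the
    object names so several interfaces can coexist.
    """
    net = ipaddress.ip_network(network, strict=True)
    hosts = list(net.hosts())
    if len(hosts) < 3:  # need a gateway plus at least two pool addresses
        raise ValueError(f"{network} too small for a gateway and a pool")
    gateway, pool_lo, pool_hi = hosts[0], hosts[1], hosts[-1]
    pool, dhcp, server = f"hs-pool-real{tag}", f"hs-dhcp-s{tag}", f"hs-s{tag}"
    subnet = f"{net}:0-65535"  # address/prefix:port-range form used by 2.x rules
    return [
        # step 2: address pool for clients
        f"/ip pool add name={pool} ranges={pool_lo}-{pool_hi}",
        # step 3: gateway address on the hotspot interface
        f"/ip address add address={gateway}/{net.prefixlen} interface={iface}",
        # step 4: DHCP server; the 14s lease mirrors the manual's setting
        f"/ip dhcp-server add name={dhcp} interface={iface} lease-time=14s "
        f"address-pool={pool} netmask={net.prefixlen} gateway={gateway} "
        f"dns-server={dns_server} add-arp=no",
        # step 5: hotspot server bound to that DHCP server
        f"/ip hotspot server add name={server} dhcp-server={dhcp} lease-time=1m "
        f"login-delay=10s address-pool={pool} netmask={net.prefixlen} gateway={gateway}",
        # step 6: send unauthenticated traffic from this subnet to hotspot-temp
        f"/ip firewall rule forward add src-address={subnet} in-interface={iface} "
        f"action=jump jump-target=hotspot-temp "
        f'comment="limit access for unauthorized hotspot clients"',
        # step 7a: masquerade the client subnet
        f"/ip firewall src-nat add src-address={subnet} action=masquerade "
        f'comment="masquerade hotspot network"',
        # step 7b: redirect all TCP from unauthenticated clients to the login page
        f"/ip firewall dst-nat add src-address={subnet} in-interface={iface} "
        f"protocol=tcp action=redirect to-dst-port=80 "
        f'comment="redirect unauthorized hotspot clients to hotspot service"',
    ]


if __name__ == "__main__":
    print("\n".join(hotspot_commands("eth1", "10.25.25.0/24")))
```

Because add appends, the forward-chain jump ends up after the accounting jump (rule 2 in the listing); run print afterwards and move it into place, exactly as when adding by hand.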

9. VLAN configuration

/interface vlan add name="acc" mtu=1500 arp=enabled vlan-id=100 interface=eth3 disabled=no

Example result: (the output table is not reproduced in this copy)

Assign an IP address to the VLAN under /ip address:

/ip address add address=192.168.5.1/24 interface=acc

Note that RouterOS v2 (MT2) treats a VLAN as a physical interface: the interface parameter in the command above is the VLAN's name, not "vlan" followed by the VLAN ID. In the example result, the interface entries acc, office and finance are all VLAN names.

10. VPN configuration

10.1 PPTP VPN

10.1.1 PPTP server

① Enable the server:

[admin@RouerOS] interface pptp-server server> set enabled=yes authentication=chap,mschap1,mschap2 default-profile=pppoe mru=1484 mtu=1484
[admin@RouerOS] interface pptp-server server> print
  enabled: yes
  mtu: 1484
  mru: 1484
  authentication: mschap2,mschap1,chap
  default-profile: pppoe

② Add a server-side interface for the user:

[admin@RouerOS] interface pptp-server> add name=pptp-s user=vinson disabled=no
[admin@RouerOS] interface pptp-server> print
Flags: X - disabled, D - dynamic, R - running
 # NAME    USER    MTU  CLIENT-ADDRESS  UPTIME  ENCODING
 0 pptp-s  vinson

Of the three authentication methods enabled above, only mschap1 and mschap2 allow MPPE encryption to be negotiated; a session authenticated with plain chap runs unencrypted. MS-CHAP itself is weak by today's standards, so PPTP should be treated as a legacy transport and limited to mschap2 where it has to stay.

10.1.2 PPTP client

[admin@RouerOS] interface pptp-client> add name=pptp-c connect-to=61.234.253.126 user=lei password=woyhj998 profile=default disabled=no
[admin@RouerOS] interface pptp-client> print
Flags: X - disabled, R - running
 0 name="pptp-c" mtu=1460 mru=1460 connect-to=61.234.253.126 user="lei" password="woyhj998" profile=default add-default-route=no

Note that print shows the password in clear text: anyone with read access to the console, or to an export of the configuration, sees it.

10.2 EoIP VPN

① Create the EoIP tunnel interface under /interface eoip:

[leitcomm@RouerOS] interface eoip> add
  Creates new item with specified property values.
  arp             Address Resolution Protocol
  copy-from       Item number
  disabled        Defines whether eoip interface is disabled or not
  mtu             Maximum Transfer Unit
  name            Tunnel name
  remote-address  Remote address of tunnel
  tunnel-id       Tunnel identity
[leitcomm@RouerOS] interface eoip> print
Flags: X - disabled, R - running
 0 R name="cdjw" mtu=1500 arp=enabled remote-address=218.75.129.134 tunnel-id=10

② Add an IP address to the EoIP interface that was created:

[leitcomm@RouerOS] ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 # ADDRESS       NETWORK    BROADCAST    INTERFACE
 5 10.10.1.2/24  10.10.1.0  10.10.1.255  cdjw

EoIP carries Ethernet frames in GRE with no encryption and no authentication beyond the two ends agreeing on remote-address and tunnel-id. Over an untrusted path, run it inside IPsec.

11. DHCP configuration

11.1 DHCP server

[admin@RouerOS] ip dhcp-server>
  DHCP protocol allows dynamic configuration of IP addresses of hosts on the network. Router can run DHCP service to provide hosts on attached networks with IP addresses.
  print    Show DHCP settings
  find     Find DHCP interfaces
  set      Change DHCP settings
  add      create new item
  remove   remove item
  enable   enables items
  disable  disables items
  export   Export DHCP settings
  lease    DHCP leases

Create a DHCP server named "eth3" on port eth3, using the address pool pool1=172.16.1.5-172.16.1.254 (defined beforehand under /ip pool) and 172.16.1.1 from that network as the gateway:

[admin@RouerOS] ip dhcp-server> add name="eth3" interface=eth3 lease-time=14000 address-pool=pool1 gateway=172.16.1.1
[admin@RouerOS] ip dhcp-server> print
Flags: X - disabled, I - invalid
 0 name="eth3" interface=eth3 lease-time=3h53m20s address-pool=pool1 netmask=0.0.0.0 gateway=172.16.1.1 src-address=0.0.0.0 dns-server="" domain="" wins-server="" add-arp=no

Parameter names may be abbreviated to any unambiguous prefix (inter=, leas=, address-p=, gate=). lease-time=14000 is in seconds and is shown as 3h53m20s.

11.2 Binding MAC addresses (and IP addresses) to ports

1. Set ARP on the chosen port to "reply-only":

[admin@RouerOS_ZSU] interface ethernet> set 3 arp=reply-only
[admin@RouerOS_ZSU] interface ethernet> print
Flags: X - disabled, R - running
 #   NAME  MTU   MAC-ADDRESS        ARP
 0 R eth0  1500  00:90:27:74:AD:AA  enabled
 1 R eth1  1500  00:90:27:74:AD:AB  enabled
 2 R eth2  1500  00:90:27:74:AD:AC  enabled
 3 R eth3  1500  00:90:27:74:AD:AD  reply-only

With arp=reply-only the port answers ARP requests but never learns neighbours dynamically: the router only exchanges traffic with an IP address on that port if a matching entry exists in /ip arp, so a host whose IP/MAC pair is not in the table gets nothing through the router.

2. Add the MAC (IP) address table by hand, for statically addressed hosts. Under /ip arp:

[admin@RouerOS_ZSU] ip arp> add address=10.255.255.58 mac-address=00:07:AA:39:11:B8 interface=eth3 disabled=no
[admin@RouerOS_ZSU] ip arp> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
 #   ADDRESS          MAC-ADDRESS        INTERFACE
 0 D 211.97.52.74     00:06:28:8A:F4:07  eth0
 1 D 202.116.68.1     00:30:6D:D6:71:40  eth1
 2 D 211.97.117.147   00:06:28:8A:F4:07  eth0
 3 D 211.96.187.155   00:06:28:8A:F4:07  eth0
 4 D 211.96.31.245    00:06:28:8A:F4:07  eth0
 5   10.255.255.58    00:07:AA:39:11:B8  eth3

3. Bind MAC addresses automatically, DHCP mode. Set add-arp=yes on the DHCP server under /ip dhcp-server, so that each lease is entered in the ARP table for its lifetime; together with arp=reply-only on the port this means only hosts that obtained their address from this DHCP server can communicate, and a host that configures a static address by hand cannot.

[admin@RouerOS_ZSU] ip dhcp-server> print
Flags: X - disabled, I - invalid
 0 name="hs-dhcp-server" interface=v12 lease-time=14s address-pool=hs-pool-temp netmask=22 gateway=192.168.0.1 src-address=0.0.0.0 dns-server=202.103.96.112 domain="" wins-server="" add-arp=yes
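After binding, two questions remain: is every host that should be served on the reply-only port actually bound, and does ARP traffic on that port contradict the table? The following script is an added example, not part of this manual, that answers both. The interface ARP modes and the static entry come from the listings above; the expected hosts and the observed ARP samples are constructed. Only reply-only ports are audited, since several IPs sharing one MAC on eth0 (the upstream router answering for them, as in the print above) is normal on an arp=enabled port.

```python
"""Audit IP/MAC bindings on ports set to arp=reply-only.

Added example, not part of the manual. Two checks:
  1. every host expected on a reply-only port has a binding (a static /ip arp
     entry, or a lease from a DHCP server with add-arp=yes); for the missing
     ones the '/ip arp add' command is produced;
  2. ARP traffic seen on the port that contradicts the bindings (another MAC
     using a bound IP, or a bound MAC using another IP) is reported, since
     that is what an address-spoofing host looks like.
ARP_MODE and BINDINGS come from the manual's listings; EXPECTED and OBSERVED
are constructed sample data.
"""

ARP_MODE = {"eth0": "enabled", "eth1": "enabled", "eth2": "enabled", "eth3": "reply-only"}

# (interface, ip) -> mac: the static /ip arp entries (a DHCP server with add-arp=yes adds its leases here as well)
BINDINGS = {("eth3", "10.255.255.58"): "00:07:AA:39:11:B8"}

# constructed: hosts the network team expects on each port
EXPECTED = [
    ("eth3", "10.255.255.58", "00:07:aa:39:11:b8"),
    ("eth3", "10.255.255.59", "00:07:AA:39:11:C2"),
    ("eth0", "211.97.52.74", "00:06:28:8A:F4:07"),
]

# constructed: (interface, sender ip, sender mac) from ARP packets captured on the ports
OBSERVED = [
    ("eth3", "10.255.255.58", "00:07:AA:39:11:B8"),  # the bound host itself
    ("eth3", "10.255.255.58", "00:0C:29:4F:12:AB"),  # a different MAC claiming the bound IP
    ("eth3", "10.255.255.77", "00:07:AA:39:11:B8"),  # the bound MAC on an unbound IP
    ("eth3", "10.255.255.90", "00:1B:21:7C:55:0E"),  # unknown host, no binding at all
    ("eth0", "211.97.52.74", "00:06:28:8A:F4:07"),   # eth0 is arp=enabled, not audited
]


def missing_bindings(bindings, expected, arp_mode):
    """Return '/ip arp add' commands for expected hosts on reply-only ports that lack a binding."""
    commands = []
    for iface, ip, mac in expected:
        if arp_mode.get(iface) != "reply-only":
            continue
        mac = mac.upper()  # RouterOS prints MACs upper-case; compare in one form
        if bindings.get((iface, ip)) == mac:
            continue
        commands.append(f"/ip arp add address={ip} mac-address={mac} interface={iface}")
    return commands


def spoof_candidates(bindings, observed, arp_mode):
    """Return (iface, ip, mac, reason) for observations that contradict a binding on a reply-only port."""
    ip_of_mac = {(iface, mac): ip for (iface, ip), mac in bindings.items()}
    findings = []
    for iface, ip, mac in observed:
        if arp_mode.get(iface) != "reply-only":
            continue
        mac = mac.upper()
        bound_mac = bindings.get((iface, ip))
        if bound_mac is not None and bound_mac != mac:
            findings.append((iface, ip, mac, f"ip is bound to {bound_mac}"))
        elif bound_mac is None and (iface, mac) in ip_of_mac:
            findings.append((iface, ip, mac, f"mac is bound to {ip_of_mac[(iface, mac)]}"))
        elif bound_mac is None:
            findings.append((iface, ip, mac, "no binding; host cannot pass the router"))
    return findings


if __name__ == "__main__":
    for cmd in missing_bindings(BINDINGS, EXPECTED, ARP_MODE):
        print(cmd)
    for finding in spoof_candidates(BINDINGS, OBSERVED, ARP_MODE):
        print(finding)
```

The first finding (a foreign MAC answering for a bound IP) is the case reply-only is meant to defeat; the router keeps sending to the bound MAC, but the spoofing host can still poison other clients on the same segment, so it is worth locating.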

12. Firewall configuration

12.1 Blocking the "Blaster" worm

In /ip firewall rule forward:

[admin@xinhua] ip firewall rule forward> print
Flags: X - disabled, I - invalid, D - dynamic
 0   src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=all icmp-options=any:any tcp-options=any connection-state=established flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=accept log=no
 1   src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:135-139 out-interface=all protocol=tcp icmp-options=any:any tcp-options=any connection-state=any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=drop log=no
 2   src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:445 out-interface=all protocol=tcp icmp-options=any:any tcp-options=any connection-state=any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=drop log=no
 3   src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:135-139 out-interface=all protocol=udp icmp-options=any:any tcp-options=any connection-state=any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=drop log=no
 4 X src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=icmp icmp-options=any:any tcp-options=any connection-state=any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=drop log=no

Rules 1, 2 and 3 stop the Blaster worm from attacking the internal network. Rule 0 accepts packets of already established connections before the drops are evaluated, and rule 4 (an ICMP drop) is disabled.

[admin@xinhua] ip firewall rule input> print
Flags: X - disabled, I - invalid, D - dynamic
 0   src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:135-139 out-interface=all protocol=tcp icmp-options=any:any tcp-options=any connection-state=any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=drop log=no
 1   src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:445 out-interface=all protocol=tcp icmp-options=any:any tcp-options=any connection-state=any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=drop log=no
 2 X src-address=0.0.0.0/0:0-65535 in-interface=all dst-address=0.0.0.0/0:0-65535 out-interface=all protocol=icmp icmp-options=any:any tcp-options=any connection-state=any flow="" connection="" content="" src-mac-address=00:00:00:00:00:00 limit-count=0 limit-burst=0 limit-time=0s action=drop log=no

Rules 0 and 1 protect RouterOS itself from the Blaster worm.

These rules close the ports Blaster scans for its initial infection (the RPC endpoint mapper on tcp/135 and the NetBIOS/SMB ports). They do not stop the tcp/4444 shell or the udp/69 TFTP transfer an already-infected host uses to fetch the worm binary, and udp/445 is not filtered. Adding drops for those, and setting log=yes on the drop rules so that infected internal hosts can be identified from the log, costs little.
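Rule order decides what these chains do, and the question "which of the worm's ports does this list still let through?" is easier to answer by evaluating packets than by reading. The following script is an added example, not code from this manual or from MikroTik: it parses rules written in the key=value form that print shows and walks sample packets through them with RouterOS's first-match semantics. Only the matchers the Blaster rules use are modelled (src-address and dst-address as address/prefix:port-range, protocol, connection-state and the X flag); the rule text is the forward chain above reduced to those fields, and the probe packets are constructed.

```python
"""First-match evaluation of a RouterOS 2.x 'firewall rule' chain.

Added example, not code from the manual. It parses rules in the key=value
form print shows and evaluates sample packets against them, so the effect
of rule order (the established accept first, the drops after it) and the
ports left open can be checked before the rules go onto a production router.
FORWARD_RULES is the manual's forward chain reduced to the fields modelled.
"""
import ipaddress
import shlex

FORWARD_RULES = """
0 src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:0-65535 protocol=all connection-state=established action=accept
1 src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:135-139 protocol=tcp connection-state=any action=drop
2 src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:445 protocol=tcp connection-state=any action=drop
3 src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:135-139 protocol=udp connection-state=any action=drop
4 X src-address=0.0.0.0/0:0-65535 dst-address=0.0.0.0/0:0-65535 protocol=icmp connection-state=any action=drop
"""


def _addr(spec):
    """'0.0.0.0/0:135-139' -> (network, (low_port, high_port)); the port part is optional."""
    host, _, ports = spec.partition(":")
    net = ipaddress.ip_network(host, strict=False)
    if not ports:
        return net, (0, 65535)
    lo, _, hi = ports.partition("-")
    return net, (int(lo), int(hi or lo))


def parse_rules(text):
    """Parse 'N [flags] key=value ...' lines into rule dicts, keeping list order."""
    rules = []
    for line in text.strip().splitlines():
        parts = shlex.split(line)
        flags = "" if "=" in parts[1] else parts.pop(1)  # e.g. 'X' for disabled
        kv = dict(p.split("=", 1) for p in parts[1:])
        rules.append({
            "id": int(parts[0]),
            "disabled": "X" in flags,
            "src": _addr(kv.get("src-address", "0.0.0.0/0")),
            "dst": _addr(kv.get("dst-address", "0.0.0.0/0")),
            "protocol": kv.get("protocol", "all"),
            "state": kv.get("connection-state", "any"),
            "action": kv["action"],
        })
    return rules


def evaluate(rules, src, sport, dst, dport, proto, state="new"):
    """Return (action, rule id) of the first enabled rule that matches the packet.

    RouterOS stops at the first match; a packet no rule matches falls through
    to the chain's default, reported here as ("pass", None).
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r["disabled"]:
            continue
        (snet, (slo, shi)), (dnet, (dlo, dhi)) = r["src"], r["dst"]
        if src_ip not in snet or not slo <= sport <= shi:
            continue
        if dst_ip not in dnet or not dlo <= dport <= dhi:
            continue
        if r["protocol"] not in ("all", proto):
            continue
        if r["state"] not in ("any", state):
            continue
        return r["action"], r["id"]
    return "pass", None


# Ports Blaster uses: tcp/135 for the RPC exploit, tcp/4444 for its shell and
# udp/69 for the TFTP download, plus the NetBIOS/SMB ports the rules cover.
BLASTER_PROBES = [("tcp", 135), ("tcp", 139), ("tcp", 445),
                  ("udp", 137), ("tcp", 4444), ("udp", 69)]


def not_dropped(rules, probes, src="198.51.100.7", dst="192.0.2.10"):
    """Return the (proto, port) probes that a new connection would get through."""
    return [(p, port) for p, port in probes
            if evaluate(rules, src, 40000, dst, port, p)[0] not in ("drop", "reject")]


if __name__ == "__main__":
    print(not_dropped(parse_rules(FORWARD_RULES), BLASTER_PROBES))
```

Moving rule 0 below the drops would not change the result for new connections, but it would start dropping the return half of established sessions on those ports; running the probes with state="established" before and after such a change shows that immediately.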

13. Backing up and restoring the configuration

13.1 Show the file system:

/file print

13.2 Back up the configuration

Method one:

/system backup> save name=   (followed by the backup name)

The file produced this way is a compressed binary and cannot be opened with Windows Notepad.

Method two:

/export file=   (followed by the file name)

This saves a .rsc file, which Notepad can open.

In addition, the export command is available in every submenu and writes that submenu's configuration as a text file, for example:

/ip > export file=ip

Here "ip" is the file name chosen.

13.3 Restore the configuration

/system backup> load name=   (followed by the backup name), or /import followed by the .rsc file name.

13.4 Uploading and downloading configuration files

From a PC that can log in to RouterOS 2 remotely, upload and download the configuration files with FTP. The backup files are kept in the root directory. Switch to binary mode (bin) before downloading, then fetch the file:

ftp> get

Both kinds of file contain the router's credentials (the export in clear text, as the pptp-client print in 10.1.2 shows), and FTP itself carries the login and the file unencrypted. Keep copies off shared storage and transfer them over a trusted network only.
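When an export has to leave the router anyway, for a ticket or a vendor, the secrets should be masked first. The script below is an added example, not part of this manual: it masks every key=value whose key ends in password or secret (which names count as secrets is an assumption) and reports where it did so, so the reviewer can confirm nothing else was touched. The sample export is constructed in the 2.x export layout from the manual's own pptp-client, radius and hotspot user examples.

```python
"""Mask credentials in a RouterOS '.rsc' export before it leaves the router.

Added example, not from the manual. An export is plain text and carries
secrets verbatim (the manual's 'interface pptp-client print' shows
password="..." in clear), so a copy attached to a ticket should be masked.
Assumption: every parameter whose name ends in 'password' or 'secret' is a
credential. SAMPLE_RSC is constructed sample data.
"""
import re

# key=value where the key ends in password/secret; the value may be quoted or bare
_SECRET = re.compile(r'(?<![\w-])([\w-]*(?:password|secret))=("[^"]*"|\S+)')

SAMPLE_RSC = """# jan/01/2004 10:00:00 by RouterOS 2.7
/ interface pptp-client
add name="pptp-c" connect-to=61.234.253.126 user="lei" password="woyhj998" profile=default disabled=no
/ radius
add service=hotspot address=10.255.255.10 secret=r4dius!
/ ip hotspot user
add name=guest password=guest
"""


def redact_export(text, mask="***"):
    """Return (masked text, findings); findings lists (line number, key) for each masked value."""
    out, findings = [], []
    for number, line in enumerate(text.splitlines(), 1):
        def mask_value(match, number=number):
            findings.append((number, match.group(1)))
            return f'{match.group(1)}="{mask}"'
        out.append(_SECRET.sub(mask_value, line))
    return "\n".join(out) + "\n", findings


def has_secrets(text, mask="***"):
    """True when the export still carries a credential value other than the mask."""
    return any(m.group(2).strip('"') != mask for m in _SECRET.finditer(text))


if __name__ == "__main__":
    masked, found = redact_export(SAMPLE_RSC)
    print(masked)
    print("masked:", found)
```

Run the check on the masked text before sending it; has_secrets returning False is the condition to require, not the absence of findings, since an export with no credentials at all also produces none.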

13.5 Reset the configuration

Clear the configuration and return to the defaults:

/system reset

13.6 View system resource usage:

/system resource monitor

13.7 Monitor interface traffic:

/interface monitor-traffic eth0 interval=4

Reference:

1. Per-user bandwidth limits require a RADIUS server. With local authentication on RouterOS, a bandwidth limit for a group of users can be set in the corresponding profile.

2. Access control by user name: ① set incoming-filter and outgoing-filter in the ppp profile on the access gateway; ② add the matching rules for ppp under firewall rule; ③ have RADIUS return a Filter-Id attribute to the access gateway, which then applies the named filter.

3. Disabling ARP on a VLAN prevents users from getting online with a manually configured static IP address instead of authenticating with PPPoE.

4. VPN: ① mobile (road-warrior) VPN, using PPTP or L2TP (L2TP is supported from v2.6.10 on).

5. The two application modes of RouterOS 2 (an example of policy routing).

6. Checking port utilisation:

[admin@xinhua] interface> monitor eth0 interval 4
  received-packets-per-second: 1228
  received-bits-per-second: 7.6Mbps
  sent-packets-per-second: 985
  sent-bits-per-second: 784kbps

7. The tools built into RouterOS are under the /tool submenu.
