Basic config. You can take it as a base and adjust it to your needs. Work through the steps from 1 onward; you can use either WinBox or the terminal.
Model: RB4011.
1. Create the bridge
Code:
/interface bridge
add name="Bridge Home"

2. Assign ports to the bridge. All 10 ports, since my WAN uses the SFP port (AON).
Code:
/interface bridge port
add bridge="Bridge Home" interface=ether1
add bridge="Bridge Home" interface=ether2
add bridge="Bridge Home" interface=ether3
add bridge="Bridge Home" interface=ether4
add bridge="Bridge Home" interface=ether5
add bridge="Bridge Home" interface=ether6
add bridge="Bridge Home" interface=ether7
add bridge="Bridge Home" interface=ether8
add bridge="Bridge Home" interface=ether9
add bridge="Bridge Home" interface=ether10

3. Create the VRRP interfaces
Code:
/interface vrrp
add interface=sfp-sfpplus1 name=vrrp1 version=2 vrid=20
add interface=sfp-sfpplus1 name=vrrp2 version=2 vrid=30

4. Create IP addresses
Code:
/ip address
# 4.1 For the bridge interface: assign its IP
add address=192.168.8.1/24 interface="Bridge Home" network=192.168.8.0
# 4.2 You MUST assign IPs to the VRRP interfaces (use private, class A addresses so nothing overlaps)
add address=10.20.40.1 interface=vrrp1 network=10.20.40.0
add address=10.20.50.1 interface=vrrp2 network=10.20.50.0
# 4.3 You MUST assign an IP to whichever port the WAN is plugged into (I use SFP)
add address=10.20.60.1 interface=sfp-sfpplus1 network=10.20.60.0

5. Create the pool
Code:
/ip pool
add name=dhcp_home ranges=192.168.8.10-192.168.8.254

6. Create the DHCP server
Code:
/ip dhcp-server
add address-pool=dhcp_home disabled=no interface="Bridge Home" lease-time=8h name="dhcp home"

7. Create the DHCP network
Code:
/ip dhcp-server network
add address=192.168.8.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.8.1

8. Set up DNS
Code:
/ip dns
set cache-size=8048KiB servers=8.8.8.8,8.8.4.4

Watch the cache size: if it is too small, increase it. Usually about 1/3 of RAM works well.

9. Create the PPPoE clients
Code:
/interface pppoe-client
add add-default-route=yes comment="WAN1" disabled=no interface=vrrp1 \
    name=pppoe-out1 password=xxxx user=xxxx
add add-default-route=yes comment="WAN2" disabled=no interface=vrrp2 \
    name=pppoe-out2 password=xxxx user=xxxxx

10. FIREWALL
Code:
/ip firewall filter
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed From WAN2" \
    connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out2
add action=drop chain=input comment="WAN1" dst-port=53 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input comment="WAN2" dst-port=53 in-interface=pppoe-out2 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=pppoe-out2 protocol=udp

11. MANGLE
Code:
/ip firewall mangle
# 11.1 Mark connections coming in from the local side (mark-connection on traffic entering from LAN / Bridge).
# Because there are two WAN links, PCC splits the connections in two and tags each with a mark.
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface="Bridge Home" new-connection-mark=Mark01 \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
    dst-address-type=!local in-interface="Bridge Home" new-connection-mark=Mark02 \
    passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
# 11.2 Mark connections coming in from the WAN (if you use a physical WAN, use chain=input)
add action=mark-connection chain=prerouting comment="Mark Cont For Wan - Input" \
    connection-mark=no-mark in-interface=pppoe-out1 new-connection-mark=Mark01 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark Cont For Wan - Input" \
    connection-mark=no-mark in-interface=pppoe-out2 new-connection-mark=Mark02 passthrough=yes
# 11.3 Routing marks steer the flows: connections tagged 1 go out link 1, tagged 2 go out link 2
add action=mark-routing chain=prerouting connection-mark=Mark01 in-interface="Bridge Home" \
    new-routing-mark=Route01 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=Mark02 in-interface="Bridge Home" \
    new-routing-mark=Route02 passthrough=yes
# 11.4 Output routing: the traffic coming in from LAN and WAN has been split, marked and steered; now it goes out
add action=mark-routing chain=output connection-mark=Mark01 new-routing-mark=Route01 passthrough=no
add action=mark-routing chain=output connection-mark=Mark02 new-routing-mark=Route02 passthrough=no

Note passthrough=no on the last two rules: set it to NO here so nothing further is processed and the packet is not pushed back through the rules; it just goes out.

12. NAT
Code:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out2
add action=masquerade chain=srcnat out-interface=pppoe-out1

13. ROUTES
Code:
/ip route
add distance=5 gateway=x.x.x.x%pppoe-out1 routing-mark=Route01
add check-gateway=ping disabled=yes distance=5 gateway=pppoe-out1 routing-mark=Route01
add distance=5 gateway=x.x.x.x%pppoe-out2 routing-mark=Route02
add check-gateway=ping disabled=yes distance=5 gateway=pppoe-out2 routing-mark=Route02

x.x.x.x is the gateway IP. To find it, open the pppoe-out interface in question, go to its Status tab and look at Remote IP (that is the gateway IP). The reason we add the gateway by hand is that within the same area there is only one gateway IP, so it has to be entered manually, with the % sign so that it routes correctly. Without the % it goes haywire.

14. SECURITY. Besides the firewall above, add the following:
Code:
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes

Code:
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip ssh
# keep the "none" cipher disabled so any SSH session that is enabled later is always encrypted
set allow-none-crypto=no

Code:
/tool bandwidth-server set enabled=no
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
/tool sms set allowed-number=""
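As an added example (my own code, not from this post or from MikroTik), a small Python audit that parses RouterOS export text in the shape used in steps 10 and 12 and checks that every PPPoE WAN interface has its forward drop for new non-DSTNATed connections, both tcp and udp port 53 input drops, and a masquerade rule. The sample rules below are constructed from the post's firewall, with the udp/53 rule for pppoe-out2 left out so the check has something to report.

```python
import shlex
# Constructed sample (not the post's full export): its WAN filter and NAT rules,
# with the udp/53 input drop for pppoe-out2 deliberately left out.
SAMPLE = r"""
/ip firewall filter
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out2
add action=drop chain=input dst-port=53 in-interface=pppoe-out1 protocol=tcp
add action=drop chain=input dst-port=53 in-interface=pppoe-out1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=pppoe-out2 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
add action=masquerade chain=srcnat out-interface=pppoe-out2
"""

def parse_routeros(text):
    """Return (menu, {key: value}) per 'add' line; joins '\\' continuations, shlex handles quotes."""
    rules, menu, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):      # continuation: the export keeps the space before '\'
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            kv = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            rules.append((menu, kv))
    return rules

def audit_dual_wan(text, wans):
    """Report, per WAN interface, which of the post's WAN-facing rules are missing."""
    rules = parse_routeros(text)
    def has(menu, **want):
        return any(m == menu and all(kv.get(k) == v for k, v in want.items())
                   for m, kv in rules)
    findings, flt = [], "/ip firewall filter"
    for wan in wans:
        if not has(flt, chain="forward", action="drop", **{"in-interface": wan,
                   "connection-nat-state": "!dstnat", "connection-state": "new"}):
            findings.append(f"{wan}: new non-DSTNATed connections not dropped in forward")
        for proto in ("tcp", "udp"):
            if not has(flt, chain="input", action="drop", protocol=proto,
                       **{"dst-port": "53", "in-interface": wan}):
                findings.append(f"{wan}: DNS ({proto}/53) not dropped on input")
        if not has("/ip firewall nat", chain="srcnat", action="masquerade",
                   **{"out-interface": wan}):
            findings.append(f"{wan}: no masquerade rule")
    return findings
```

Run it against the output of `/export` from the router, listing every pppoe-out interface in `wans`; an empty list means each WAN is covered by all four rules.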