Router - RouterOS and Routerboard: Difference between revisions
No edit summary |
(Removed line which should have been removed from example!) |
||
Line 59: | Line 59: | ||
add action=drop chain=forward comment="Drop the rest" disabled=no |
add action=drop chain=forward comment="Drop the rest" disabled=no |
||
add action=accept chain=output disabled=no |
add action=accept chain=output disabled=no |
||
add action=accept chain=input comment="REMOVE FROM EXAMPLE" disabled=no |
|||
add action=accept chain=input comment="LAN traffic can go anywhere" disabled=no in-interface=ether2 |
add action=accept chain=input comment="LAN traffic can go anywhere" disabled=no in-interface=ether2 |
||
add action=accept chain=input comment="Established traffic" connection-state=established disabled=no |
add action=accept chain=input comment="Established traffic" connection-state=established disabled=no |
Revision as of 16:31, 25 Ocak 2011
Overview
Here we will build a basic configuration for RouterOS. The examples are relevant for ADSL (Be and BT) as well as FTTC/FTTP through AAISP.
With the exception of IPv6, the examples shown should work on any stable release. IPv6 requires versions prior to and including 3.17 or version 5.xbeta onwards.
We have an AAISP ADSL line with the following details:
- Username= abc@a.1
- Password=secret
- Routed IPv4 block = 192.0.2.0/28 (we will allocate 192.0.2.1 to the router)
- Routed IPv6 block = 2001:DB8::/48 (we will allocate 2001:DB8::1/64 to the router)
Note that the IPv4 block 192.0.2.0/24 and the IPv6 block 2001:DB8::/32 are special blocks reserved for documentation (rfc5737 and rfc3849). Also note that A&A supply a /48 block of IPv6s by default and this example will only use the first /64 in this block.
Default Config
This example assumes that the router is at its default configuration with any example/demo/supplied settings removed. Further, it is assumed that your WAN (ADSL/VDSL/whatever modem) is plugged into interface 'ether1' and LAN into 'ether2'.
Configuring Initial Basic Settings
Set a password for the admin user:
/user set admin password=NEWPASSWORD
Define which services we want to run:
/ip service set telnet disabled=yes set ftp disabled=yes set www disabled=yes set ssh disabled=no port=22 set www-ssl disabled=yes set api disabled=yes set winbox disabled=no port=8291
And then which helpers we want. Usually you want none as they tend to get in the way!
/ip firewall service-port set ftp disabled=yes set tftp disabled=yes set irc disabled=yes set h323 disabled=yes set sip disabled=yes set pptp disabled=yes
Set IP addresses on LAN
/ip address add \ address=192.0.2.1/28 \ broadcast=192.0.2.15 \ disabled=no \ interface=ether2 \ network=192.0.2.0 /ipv6 address add \ address=2001:db8::1/64 \ advertise=yes \ disabled=no \ eui-64=no \ interface=ether2
Set basic firewalling (all out, none in!)
/ip firewall filter add action=accept chain=forward comment="LAN traffic can go anywhere" disabled=no in-interface=ether2 add action=accept chain=forward comment="Established traffic" connection-state=established disabled=no add action=accept chain=forward comment="Related traffic" connection-state=related disabled=no add action=accept chain=forward comment=ICMP disabled=no protocol=icmp add action=drop chain=forward comment="Drop the rest" disabled=no add action=accept chain=output disabled=no add action=accept chain=input comment="LAN traffic can go anywhere" disabled=no in-interface=ether2 add action=accept chain=input comment="Established traffic" connection-state=established disabled=no add action=accept chain=input comment="Related traffic" connection-state=related disabled=no add action=accept chain=input comment=ICMP disabled=no protocol=icmp add action=drop chain=input comment="Drop the rest" disabled=no /ipv6 firewall filter add action=accept chain=forward disabled=no in-interface=ether2 add action=accept chain=forward comment="LAN traffic can go anywhere" disabled=no in-interface=ether2 add action=accept chain=forward comment="Established traffic" connection-state=established disabled=no add action=accept chain=forward comment="Related traffic" connection-state=related disabled=no add action=accept chain=forward comment=ICMP disabled=no protocol=icmpv6 add action=drop chain=forward comment="Drop the rest" disabled=no add action=accept chain=output disabled=no add action=accept chain=input comment="LAN traffic can go anywhere" disabled=no in-interface=ether2 add action=accept chain=input comment="Established traffic" connection-state=established disabled=no add action=accept chain=input comment="Related traffic" connection-state=related disabled=no add action=accept chain=input comment=ICMP disabled=no protocol=icmpv6 add action=drop chain=input comment="Drop the rest" disabled=no
Then create the profile to use for PPPoE.
/ppp profile add \ change-tcp-mss=yes \ name=aaisp \ only-one=yes \ use-compression=default \ use-encryption=default \ use-ipv6=yes \ use-mpls=no \ use-vj-compression=default
Create the PPP interface.
/interface pppoe-client add \ ac-name="" \ add-default-route=no \ allow=pap,chap,mschap1,mschap2 \ dial-on-demand=no \ disabled=no \ interface=ether1 \ max-mru=1492 \ max-mtu=1492 \ mrru=disabled \ name=AAISP \ password=secret \ profile=aaisp \ service-name="" \ use-peer-dns=no \ user=abc@a.1
This should create and bring up the PPPoE interface. Check the logs to make sure it does! However, you still won't have connectivity... Configure DNS:
/ip dns set \ allow-remote-requests=yes \ cache-max-ttl=1w \ cache-size=2048KiB \ max-udp-packet-size=512 \ servers=217.169.20.20,217.169.20.21,2001:8b0::2020,2001:8b0::2021
And then configure routing:
/ipv6 route add \ disabled=no \ distance=1 \ dst-address=::/0 \ gateway=AAISP \ scope=30 \ target-scope=10 /ip route add \ disabled=no \ distance=1 \ dst-address=0.0.0.0/0 \ gateway=AAISP \ scope=30 \ target-scope=10
Which should give you full connectivity. Note that you could skip the add routes bit by changing 'add-default-route' to 'yes' in the PPPoE interface definition. Adding routes manually is more flexible, but for a basic configuration probably isn't required.
Then, make sure IPv6 neighbour detection is configured properly.
/ipv6 nd remove [find] /ipv6 nd add \ advertise-dns=yes \ advertise-mac-address=yes \ disabled=no \ hop-limit=64 \ interface=ether2 \ managed-address-configuration=no \ mtu=1492 \ other-configuration=no \ ra-delay=3s \ ra-interval=3m20s-10m \ ra-lifetime=30m \ reachable-time=unspecified \ retransmit-interval=unspecified
Set the time:
/system ntp client set \ enabled=yes \ mode=unicast \ primary-ntp=90.155.53.32 /system clock set time-zone-name=Europe/London
Next Steps, Bonding a Second Line
To be continued.....