环境

  • Proxmox 7
  • RouterOS 6

PVE安装RouterOS

新建虚拟机

1
2
3
4
5
6
7
8
9
10
11
12
13
常规->名称->RouterOS
操作系统->客户机操作类型->类别->Linux
操作系统->客户机操作类型->版本->5.x-2.6 kernel
操作系统->不适用任何介质
系统->无需修改
系统->机型->q35
磁盘->删除所有磁盘
CPU->核心->4
CPU->类别->host
CPU->CPU权重->2048
内存->内存->2048
网络->模型->VirtIO(半虚拟化)
网络->防火墙->关

下载和导入磁盘

  1. 下载RouterOS云镜像的img镜像,并上传到PVE
  2. 导入磁盘到虚拟机
1
2
// 104为虚拟机id
qm importdisk 104 /var/lib/vz/template/iso/routeros.img local-lvm
  1. 虚拟机->硬件->双击磁盘添加
  2. 虚拟机->选项->引导顺序->选中硬盘
  3. 添加其他pcie设备,并选中PCI-Express
  4. 启动虚拟机

RouterOS配置

配置网络

  1. 配置一个静态ip,登录web
1
ip address add address=192.168.3.180 interface=ether1
  1. 配置Interfaces
1
2
3
4
Interfaces->Interface List->List-Add New->Namn->LAN/WAN
Bridge->Bridge->Add New->Name-bridge
Bridge->Ports->Add New->Interface->LAN
IP->DHCP->DHCP Setup
  1. 导入默认防火墙配置
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
#
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
#

配置路由

  1. 生成路由表(openwrt上运行)
1
/usr/bin/curl 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' | grep ipv4 | grep CN | awk -F\| '{ printf("%s/%d\n", $4, 32-log($5)/log(2)) }' |sed -e 's/^/add address=/g' -e 's/$/ list=CNIP/g'|sed -e $'1i\\\n/ip firewall address-list' -e $'1i\\\nremove [/ip firewall address-list find list=CNIP]' -e $'1i\\\nadd address=10.0.0.0/8 list=CNIP comment=private-network' -e $'1i\\\nadd address=172.16.0.0/12 list=CNIP comment=private-network' -e $'1i\\\nadd address=192.168.0.0/16 list=CNIP comment=private-network'>/www/cnip.rsc
  1. 手动RouterOS导入地址
1
/im file=cnip.rsc
  1. RouterOS自动导入地址
  • 新建脚本(System->Scripts->Scripts->add New)
1
2
3
# Update blocked.rsc
/tool fetch mode=http url="http://192.168.3.2/cnip.rsc" dst-path=cnip.rsc
/im file=cnip.rsc
  • 新建定时器(System->Scheduler->Add New)
1
:execute script="cnip"
  1. 设置路由
1
2
3
4
IP->Routers->Add New->Address(0.0.0.0/0)/Gateway(192.168.3.2)/Routing Make(world)
IP->Firewall->Mangle->->Add New->China(prerouting)/Src.Address(192.168.3.2)/Action(accept)
IP->Firewall->Mangle->->Add New->Chain(prerouting)/Dst.Address List(!CNIP)/Action(make routing)/New 
Routing Mark(world)/enable Passthrough

5.配置dns

1
IP->DNS

参考