Environment

  • Proxmox 7
  • RouterOS 6

Installing RouterOS on PVE

Create a new VM

General->Name->RouterOS
OS->Guest OS type->Type->Linux
OS->Guest OS type->Version->5.x - 2.6 Kernel
OS->Do not use any media
System->no changes needed
System->Machine->q35
Disks->delete all disks
CPU->Cores->4
CPU->Type->host
CPU->CPU units->2048
Memory->Memory (MiB)->2048
Network->Model->VirtIO (paravirtualized)
Network->Firewall->off

Download and import the disk

  1. Download the RouterOS cloud image (.img) and upload it to PVE

  2. Import the disk into the VM

    # 104 is the VM id
    qm importdisk 104 /var/lib/vz/template/iso/routeros.img local-lvm
  3. VM->Hardware->double-click the imported disk to attach it

  4. VM->Options->Boot Order->tick the hard disk

  5. Add the other PCIe devices and tick PCI-Express

  6. Start the VM
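The same six steps as a script, added here as an example and not taken from the original post: the wizard settings above expressed as `qm` commands, so the VM definition can be reviewed and reproduced on the PVE host. It assumes things the page does not state: the guest bridge is vmbr0, the image was uploaded to /var/lib/vz/template/iso/routeros.img, the target storage is local-lvm, the VM id is 104, and 0000:01:00.0 is a placeholder for the PCIe NIC to pass through.

```shell
#!/bin/sh
# Added example, not code from the original post: the wizard settings expressed as
# `qm` commands so the VM definition can be reviewed and reproduced on the PVE host.
# Assumptions the page does not state: the guest bridge is vmbr0, the image is at
# /var/lib/vz/template/iso/routeros.img, the storage is local-lvm, the VM id is 104,
# and 0000:01:00.0 is a placeholder for the PCIe NIC id (find yours with `lspci -D`).
set -eu

PVE_VMID="${PVE_VMID:-104}"
PVE_IMG="${PVE_IMG:-/var/lib/vz/template/iso/routeros.img}"
PVE_STORAGE="${PVE_STORAGE:-local-lvm}"
PVE_BRIDGE="${PVE_BRIDGE:-vmbr0}"
PVE_HOSTPCI="${PVE_HOSTPCI:-0000:01:00.0}"   # placeholder PCI id

# plan_routeros_vm VMID -> one qm command per line, in the order of the GUI steps:
# create the VM without a disk, import the image, attach it, boot from it,
# pass the PCIe device through (pcie=1 requires the q35 machine type), start.
plan_routeros_vm() {
    cat <<EOF
qm create $1 --name RouterOS --ostype l26 --machine q35 --cores 4 --cpu host --cpuunits 2048 --memory 2048 --net0 virtio,bridge=$PVE_BRIDGE,firewall=0 --scsihw virtio-scsi-pci
qm importdisk $1 $PVE_IMG $PVE_STORAGE
qm set $1 --scsi0 $PVE_STORAGE:vm-$1-disk-0
qm set $1 --boot order=scsi0
qm set $1 --hostpci0 $PVE_HOSTPCI,pcie=1
qm start $1
EOF
}

# Dry run by default: print the plan. APPLY=1 runs it on the PVE host, echoing each
# command and stopping at the first failure.
if [ "${APPLY:-0}" = 1 ]; then
    plan_routeros_vm "$PVE_VMID" | sh -ex
else
    plan_routeros_vm "$PVE_VMID"
fi
```

Run it once without APPLY to read the plan, then with APPLY=1 on the host. Keeping the plan as text also gives you something to diff against `qm config 104` later if the VM drifts from what was intended.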

RouterOS configuration

Configure the network

  1. Configure a static IP and log in to the web UI

    ip address add address=192.168.3.180 interface=ether1
  2. Configure interfaces

    Interfaces->Interface List->List->Add New->Name->LAN/WAN
    Bridge->Bridge->Add New->Name->bridge
    Bridge->Ports->Add New->Interface->LAN
    IP->DHCP Server->DHCP Setup
  3. Import the default firewall configuration

    #
    /ip firewall filter
    add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
    add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
    add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
    add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
    add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
    add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
    add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
    add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
    add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
    add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
    add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
    #
    /ip firewall nat
    add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
    #

Configure routing

  1. Generate the CN IP address list (run on OpenWrt)

    # bash/ash ANSI-C quoting ($'...') turns each 1i\ into a header line inserted before the first entry
    /usr/bin/curl 'http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest' \
      | grep ipv4 | grep CN \
      | awk -F\| '{ printf("%s/%d\n", $4, 32-log($5)/log(2)) }' \
      | sed -e 's/^/add address=/g' -e 's/$/ list=CNIP/g' \
      | sed -e $'1i\\\n/ip firewall address-list' \
            -e $'1i\\\nremove [/ip firewall address-list find list=CNIP]' \
            -e $'1i\\\nadd address=10.0.0.0/8 list=CNIP comment=private-network' \
            -e $'1i\\\nadd address=172.16.0.0/12 list=CNIP comment=private-network' \
            -e $'1i\\\nadd address=192.168.0.0/16 list=CNIP comment=private-network' \
      > /www/cnip.rsc
  2. Import the address list into RouterOS manually

    /import file=cnip.rsc
  3. Import the address list into RouterOS automatically

  • Create a script (System->Scripts->Scripts->Add New) and save it under the name cnip, which the scheduler below refers to
    # Update cnip.rsc from the OpenWrt web server, then import it
    /tool fetch mode=http url="http://192.168.3.2/cnip.rsc" dst-path=cnip.rsc
    /import file=cnip.rsc
  • Create a scheduler entry (System->Scheduler->Add New) with this On Event
    :execute script="cnip"
  4. Set up routing

    IP->Routes->Add New->Dst. Address(0.0.0.0/0)/Gateway(192.168.3.2)/Routing Mark(world)
    IP->Firewall->Mangle->Add New->Chain(prerouting)/Src. Address(192.168.3.2)/Action(accept)
    IP->Firewall->Mangle->Add New->Chain(prerouting)/Dst. Address List(!CNIP)/Action(mark routing)/New Routing Mark(world)/Passthrough(enabled)

  5. Configure DNS

    IP->DNS
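Two helpers for steps 1 and 4 above, added here as an example and not code from the original post. cnip_rsc builds cnip.rsc from APNIC delegated-format lines; unlike the awk one-liner in step 1 it computes the prefix length with integer arithmetic (no log()/log(2) rounding) and splits a count that is not a power of two into aligned CIDR blocks instead of emitting a prefix that does not cover the range. route_decision replays the two mangle rules from step 4 (source 192.168.3.2 exempt, destination not in CNIP marked "world") against a cnip.rsc, so you can check which route a flow will take before clients depend on it. The exempted source and the mark name are the values from step 4; the APNIC lines are constructed sample data, not the real feed.

```shell
#!/bin/sh
# Added example, not code from the original post. Two helpers for steps 1 and 4:
#  - cnip_rsc: APNIC delegated-format lines on stdin -> RouterOS address-list script.
#    Prefix length is computed with integer arithmetic, and a count that is not a
#    power of two is split into aligned CIDR blocks.
#  - route_decision: replays the two mangle rules from step 4 against a cnip.rsc.
# The APNIC lines below are constructed sample data, not the real feed.
set -eu

GATEWAY_SRC="${GATEWAY_SRC:-192.168.3.2}"   # exempted source, as in the mangle accept rule

# cnip_rsc [LIST]  < delegated-apnic-latest  > cnip.rsc
cnip_rsc() {
    list="${1:-CNIP}"
    printf '/ip firewall address-list\n'
    printf 'remove [/ip firewall address-list find list=%s]\n' "$list"
    # keep RFC1918 space on the main table, as the original pipeline does
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        printf 'add address=%s list=%s comment=private-network\n' "$net" "$list"
    done
    # record fields: registry|cc|type|start|value|date|status
    awk -F'|' -v list="$list" '
    function ip2int(ip,   o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function int2ip(n) { return int(n/16777216) "." (int(n/65536)%256) "." (int(n/256)%256) "." (n%256) }
    $2 == "CN" && $3 == "ipv4" {
        start = ip2int($4); left = $5 + 0
        while (left > 0) {
            # largest power-of-two block that fits the remaining count and is aligned to start
            size = 1; bits = 32
            while (size * 2 <= left && start % (size * 2) == 0) { size *= 2; bits-- }
            printf "add address=%s/%d list=%s\n", int2ip(start), bits, list
            start += size; left -= size
        }
    }'
}

# route_decision SRC DST  < cnip.rsc  -> prints "main" (CNIP hit or exempt source) or "world"
route_decision() {
    awk -v src="$1" -v dst="$2" -v gw="$GATEWAY_SRC" '
    function ip2int(ip,   o) { split(ip, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    BEGIN { d = ip2int(dst); hit = 0 }
    # every "add address=A/B list=..." line is one address-list entry
    /^add address=/ {
        split($2, kv, "="); split(kv[2], np, "/")
        size = 2 ^ (32 - np[2])
        if (int(d / size) == int(ip2int(np[1]) / size)) { hit = 1; exit }
    }
    END {
        # rule 1: src-address=gw action=accept ends mangle processing, nothing is marked
        # rule 2: dst-address-list=!CNIP action=mark-routing new-routing-mark=world
        verdict = (src == gw || hit) ? "main" : "world"
        print verdict
    }'
}

# Constructed sample of the APNIC format (not real data); the 768-address block is the
# case a single log()-derived prefix cannot express.
SAMPLE_APNIC='apnic|*|ipv4|*|3|summary
apnic|CN|ipv4|1.0.1.0|256|20110414|allocated
apnic|CN|ipv4|1.0.32.0|768|20110414|allocated
apnic|JP|ipv4|1.0.16.0|4096|20110412|allocated'

SAMPLE_RSC=$(printf '%s\n' "$SAMPLE_APNIC" | cnip_rsc CNIP)
printf '%s\n' "$SAMPLE_RSC"
for dst in 1.0.33.9 1.0.16.1 192.168.3.1; do
    printf '192.168.3.50 -> %s: %s\n' "$dst" "$(printf '%s\n' "$SAMPLE_RSC" | route_decision 192.168.3.50 "$dst")"
done
# Real use on the OpenWrt box (step 1), published for the fetch script in step 3:
#   curl -s http://ftp.apnic.net/apnic/stats/apnic/delegated-apnic-latest | cnip_rsc > /www/cnip.rsc
```

The 768-address record becomes 1.0.32.0/23 plus 1.0.34.0/24, which is what RouterOS needs; the original pipeline would print /22.41 truncated to /22 and cover addresses that were never delegated to CN. route_decision is also a quick way to confirm the private-network entries are doing their job: a LAN destination such as 192.168.3.1 stays on the main table, and anything sourced from 192.168.3.2 is never marked, so the gateway's own traffic cannot loop back through the world route.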

References