# =====================================================
# MikroTik RB5009 - 优化防火墙配置 (2025版)
# 基于纯路由 + 策略路由代理方案
# =====================================================
# 改动说明:
# 1. 删除 Universal Hairpin NAT(保留 ZeroTier 真实IP可见性)
# 2. 添加策略路由实现代理分流
# 3. 添加 LAN ↔ VPN 双向通信规则
# 4. 添加代理高可用检测
# 5. 清理冗余规则
# =====================================================
# ------------------ 接口列表 ------------------
/interface list
# Interface lists referenced by every firewall rule below.
# TRUSTED is the management-access list: the input chain accepts WinBox/SSH/DNS
# only from it, so membership here directly decides who can reach router services.
add name=WAN
add name=LAN
add name=VPN
add name=TRUSTED
/interface list member
# bridge is both LAN and TRUSTED; zerotier1 is both VPN and TRUSTED,
# so TRUSTED covers every interface except ether1 (WAN).
add interface=bridge list=LAN
add interface=bridge list=TRUSTED
add interface=ether1 list=WAN
add interface=zerotier1 list=VPN
add interface=zerotier1 list=TRUSTED
# ------------------ 1. 地址列表 ------------------
/ip firewall address-list
# Local subnets. Used by the raw "Drop WAN to local_network" rule and as the
# exclusion (dst-address-list=!local_network) in the mangle proxy mark, so
# traffic between these two subnets is never sent to the proxy gateway.
add address=10.10.10.0/24 list=local_network comment="LAN Subnet"
add address=10.24.152.0/24 list=local_network comment="ZeroTier Subnet"
# Hosts whose Internet-bound traffic is policy-routed to the proxy (add as needed).
# The list starts empty, so nothing is proxied until an entry is added.
# add address=10.10.10.100 list=use_proxy comment="Device1 - use proxy"
# add address=10.10.10.101 list=use_proxy comment="Device2 - use proxy"
# Bogon / special-use ranges that are never valid as a source on WAN.
# RFC1918 space is deliberately NOT in this list; it lives in private_ipv4
# so the optional WAN anti-spoof rule can be toggled on its own.
add address=0.0.0.0/8 list=bad_ipv4 comment="This Network"
add address=127.0.0.0/8 list=bad_ipv4 comment="Loopback"
add address=169.254.0.0/16 list=bad_ipv4 comment="Link-local (APIPA)"
add address=192.0.0.0/24 list=bad_ipv4 comment="RFC5735 Special Use"
add address=192.0.2.0/24 list=bad_ipv4 comment="TEST-NET-1"
add address=198.51.100.0/24 list=bad_ipv4 comment="TEST-NET-2"
add address=203.0.113.0/24 list=bad_ipv4 comment="TEST-NET-3"
add address=224.0.0.0/4 list=bad_ipv4 comment="Multicast"
add address=240.0.0.0/4 list=bad_ipv4 comment="Reserved for Future Use"
add address=255.255.255.255/32 list=bad_ipv4 comment="Limited Broadcast"
# RFC1918 + CGNAT (RFC 6598) ranges, referenced only by the WAN anti-spoof rule
# in the raw table. Note that 10.0.0.0/8 also covers both local subnets above.
add address=10.0.0.0/8 list=private_ipv4 comment="RFC1918 Private"
add address=172.16.0.0/12 list=private_ipv4 comment="RFC1918 Private"
add address=192.168.0.0/16 list=private_ipv4 comment="RFC1918 Private"
add address=100.64.0.0/10 list=private_ipv4 comment="CGNAT-anti-spoofing"
# ------------------ 2. 路由表(策略路由用)------------------
/routing table
# Separate routing table consulted for packets carrying routing-mark=proxy-route
# (set by the mangle rule below). The 'fib' flag makes the table usable for
# forwarding rather than routing-protocol bookkeeping only (RouterOS v7).
add name=proxy-route fib
# ------------------ 3. RAW 表(第一道防线)------------------
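/ip firewall raw
# Raw table: evaluated before connection tracking, so drops here are cheap.
# Allow LAN DHCP discover (src 0.0.0.0 would otherwise look like a bogon).
add action=accept chain=prerouting comment="defconf: accept DHCP discover" \
dst-address=255.255.255.255 dst-port=67 in-interface-list=LAN \
protocol=udp src-address=0.0.0.0 src-port=68
# Drop bogon source addresses arriving on WAN. Logged without a limit, so a
# sustained flood of such packets can fill the log buffer.
add action=drop chain=prerouting comment="Drop Bogon from WAN" \
in-interface-list=WAN src-address-list=bad_ipv4 log=yes log-prefix="RAW-BOGON"
# WAN anti-spoof: drop RFC1918/CGNAT sources on WAN. Shipped disabled because
# an upstream modem/ONT doing the PPPoE dial-up may hand this router a private
# WAN address, in which case the rule must stay off. Enable with:
#   /ip firewall raw enable [find comment="Drop Private SRC from WAN (Anti-Spoof)"]
# (The earlier ';'-prefixed form was not a comment: in RouterOS script ';' is a
# command separator, so the line could be executed or abort the import.
# disabled=yes keeps the rule present but inactive.)
add action=drop chain=prerouting comment="Drop Private SRC from WAN (Anti-Spoof)" \
disabled=yes in-interface-list=WAN src-address-list=private_ipv4
# Keep WAN from reaching the local subnets directly. DST-NAT happens later
# (nat/prerouting), so port forwards addressed to the public IP are unaffected.
add action=drop chain=prerouting comment="Drop WAN to local_network" \
dst-address-list=local_network in-interface-list=WAN
# TCP flag sanity checks
add action=jump chain=prerouting comment="Check Bad TCP flags" \
jump-target=bad_tcp protocol=tcp
# ICMP allow-list
add action=jump chain=prerouting comment="Check ICMP" \
jump-target=icmp4 protocol=icmp
# Port 0 is never valid
add action=drop chain=prerouting comment="Drop UDP port 0" port=0 protocol=udp
add action=drop chain=prerouting comment="Drop TCP port 0" port=0 protocol=tcp
# --- custom chain bad_tcp: malformed flag combinations ---
add action=drop chain=bad_tcp comment="NULL flags" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack,!psh,!urg,!ece,!cwr
add action=drop chain=bad_tcp comment="XMAS" protocol=tcp \
tcp-flags=fin,psh,urg
add action=drop chain=bad_tcp comment="FIN+SYN" protocol=tcp \
tcp-flags=fin,syn
add action=drop chain=bad_tcp comment="SYN+RST" protocol=tcp \
tcp-flags=syn,rst
add action=drop chain=bad_tcp comment="FIN+RST" protocol=tcp \
tcp-flags=fin,rst
add action=drop chain=bad_tcp comment="FIN without ACK" protocol=tcp \
tcp-flags=fin,!ack
# --- custom chain icmp4: explicit allow-list, echo types rate-limited ---
add action=accept chain=icmp4 comment="Echo Reply (rate limit)" \
icmp-options=0:0 limit=10,10:packet protocol=icmp
add action=accept chain=icmp4 comment="Echo Request (rate limit)" \
icmp-options=8:0 limit=10,10:packet protocol=icmp
add action=accept chain=icmp4 comment="Dest Unreachable" \
icmp-options=3:0-255 protocol=icmp
add action=accept chain=icmp4 comment="Time Exceeded" \
icmp-options=11:0-255 protocol=icmp
add action=accept chain=icmp4 comment="Parameter Problem" \
icmp-options=12:0 protocol=icmp
# Every other ICMP type (including redirects and timestamps) is dropped and logged.
add action=drop chain=icmp4 comment="Drop other ICMP" \
protocol=icmp log=yes log-prefix="RAW-ICMP-DROP"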
# ------------------ 4. Mangle 表(策略路由标记)------------------
/ip firewall mangle
# Policy-routing mark for proxied hosts.
# Matches only traffic FROM a use_proxy host TO a destination outside
# local_network, so LAN<->ZeroTier and LAN<->router traffic keeps the main table.
# passthrough=no: stop mangle processing once the mark is set.
# The FastTrack rule in the filter table excludes use_proxy hosts in both
# directions (src/dst-address-list=!use_proxy), so marked connections are not
# fasttracked around this lookup.
add action=mark-routing chain=prerouting \
src-address-list=use_proxy \
dst-address-list=!local_network \
new-routing-mark=proxy-route \
passthrough=no \
comment="Mark traffic for proxy gateway"
# ------------------ 5. Filter 表 ------------------
/ip firewall filter
# FastTrack (performance-critical on RB5009). use_proxy hosts are excluded in
# both directions so their policy-routed connections still traverse mangle/filter.
add action=fasttrack-connection chain=forward comment="FastTrack" \
connection-state=established,related hw-offload=yes \
src-address-list=!use_proxy dst-address-list=!use_proxy
# Stateful accepts come first, so every later rule only ever sees
# connection-state=new or invalid traffic.
add action=accept chain=input comment="Accept Est/Rel/Untracked" \
connection-state=established,related,untracked
add action=accept chain=forward comment="Accept Est/Rel/Untracked" \
connection-state=established,related,untracked
# Drop invalid
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
# Accept bridge-internal invalid packets before the generic drop (policy routing
# to the in-subnet proxy gateway can confuse connection tracking). Deliberate
# loosening, limited to in-interface=bridge AND out-interface=bridge.
add action=accept chain=forward comment="Accept invalid for proxy (before drop invalid)" \
connection-state=invalid in-interface=bridge out-interface=bridge
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
# Input chain - protect the router itself
add action=accept chain=input comment="ICMP (limited)" \
protocol=icmp limit=10,10:packet
# Management access only from TRUSTED (bridge + zerotier1), never from WAN.
# dst-port=2200 must stay in sync with '/ip service set ssh port=2200' below.
add action=accept chain=input comment="WinBox from TRUSTED" \
dst-port=8291 in-interface-list=TRUSTED protocol=tcp
add action=accept chain=input comment="SSH from TRUSTED (port 2200)" \
dst-port=2200 in-interface-list=TRUSTED protocol=tcp
# DNS to the router only from TRUSTED. These two rules are what keep
# '/ip dns set allow-remote-requests=yes' from being an open resolver on WAN.
add action=accept chain=input comment="DNS UDP from TRUSTED" \
dst-port=53 in-interface-list=TRUSTED protocol=udp
add action=accept chain=input comment="DNS TCP from TRUSTED" \
dst-port=53 in-interface-list=TRUSTED protocol=tcp
# NOTE(review): this accepts EVERY router service from zerotier1, not just the
# WinBox/SSH/DNS already granted through TRUSTED above, so any service that is
# enabled (or enabled later) becomes reachable from all ZeroTier members. If only
# the management ports are needed, this rule can be removed; zerotier1 is
# already a TRUSTED member.
add action=accept chain=input comment="Allow all from VPN interface (ZeroTier)" \
in-interface-list=VPN
# NOTE(review): nothing above accepts DHCP requests (UDP 67) from LAN. If this
# router is the LAN DHCP server, confirm clients still obtain leases after
# import — TODO verify on the device.
add action=drop chain=input comment="Drop all other input" \
log=yes log-prefix="INPUT-DROP"
# Forward chain - protect the LAN
add action=accept chain=forward comment="LAN -> WAN (new)" \
connection-state=new in-interface-list=LAN out-interface-list=WAN
# ZeroTier <-> LAN in both directions (core of the pure-routing design). No
# state restriction, so ZeroTier members can open new connections into the LAN.
add action=accept chain=forward comment="VPN -> LAN" \
in-interface-list=VPN out-interface-list=LAN
add action=accept chain=forward comment="LAN -> VPN" \
in-interface-list=LAN out-interface-list=VPN
# Security rules
# Redundant with the earlier "Accept Est/Rel/Untracked" forward rule, which has
# already matched this traffic; harmless, kept for readability.
add action=accept chain=forward comment="WAN -> LAN (return traffic)" \
connection-state=established,related \
in-interface-list=WAN out-interface-list=LAN
# Only DST-NATed new connections may enter from WAN (none are defined in this file).
add action=drop chain=forward comment="Drop new from WAN if not DSTNAT" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN \
log=yes log-prefix="WAN-NEW-DROP"
# NOTE(review): these two bogon rules sit AFTER the LAN->WAN and VPN<->LAN
# accepts, so they never see that traffic; WAN-side bogon sources are already
# dropped in raw. Move them above "LAN -> WAN (new)" if LAN-originated traffic
# to bogon destinations should also be blocked.
add action=drop chain=forward comment="Drop Bogon src in forward" \
src-address-list=bad_ipv4
add action=drop chain=forward comment="Drop Bogon dst in forward" \
dst-address-list=bad_ipv4
# Routed LAN->LAN traffic: a use_proxy host's packets to the in-subnet proxy
# gateway 10.10.10.252 go bridge -> router -> bridge and hit this chain.
add action=accept chain=forward comment="LAN internal routing (for proxy)" \
connection-state=new in-interface=bridge out-interface=bridge
add action=drop chain=forward comment="Final drop forward" \
log=yes log-prefix="FWD-DROP"
# ------------------ 6. NAT ------------------
/ip firewall nat
# Single src-NAT rule: masquerade everything leaving via WAN. The former hairpin
# NAT was removed on purpose so ZeroTier peers see real LAN source addresses.
add action=masquerade chain=srcnat comment="Internet Masquerade" \
out-interface-list=WAN
# ------------------ 7. 路由配置 ------------------
/ip route
# Proxy gateway for the proxy-route table. check-gateway=ping withdraws this
# route while 10.10.10.252 does not answer pings; that is the actual failover
# mechanism (the netwatch entry below only writes log messages).
add dst-address=0.0.0.0/0 gateway=10.10.10.252 routing-table=proxy-route \
check-gateway=ping comment="Proxy gateway (primary)"
# Fallback used once the primary is withdrawn (distance=10 loses to the
# primary's default distance of 1 while the primary is up).
# NOTE(review): 10.10.10.1 appears to be this router's own LAN address (the usage
# notes tell LAN clients to use 10.10.10.1 as gateway), so this is a default
# route via itself — TODO confirm it shows as reachable on the device. In
# RouterOS v7 a routing-mark lookup that finds no route falls back to the main
# table, which may make this entry unnecessary.
add dst-address=0.0.0.0/0 gateway=10.10.10.1 routing-table=proxy-route \
distance=10 comment="Proxy fallback to main gateway"
# ------------------ 8. 代理高可用监控(可选)------------------
# 如果需要更快的故障检测和通知,启用 Netwatch
/tool netwatch
# Optional, for faster detection/notification. Netwatch only logs state changes;
# route-level failover is driven by check-gateway=ping on the proxy route above.
# The proxy address 10.10.10.252 is repeated here and in the route — keep in sync.
add host=10.10.10.252 interval=10s timeout=2s \
comment="Monitor proxy server" \
down-script=":log warning \"Proxy 10.10.10.252 is DOWN - traffic will use fallback\"" \
up-script=":log info \"Proxy 10.10.10.252 is UP\""
# ------------------ 9. 服务安全加固 ------------------
/ip service
# Disable every plaintext or unused management service. Only WinBox and SSH
# remain, restricted both by source subnet here and by the TRUSTED input rules.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set www-ssl disabled=yes
# Address filter = LAN + ZeroTier subnets. A ZeroTier peer with an address
# outside 10.24.152.0/24 is refused even though the input chain lets it through.
set winbox address=10.10.10.0/24,10.24.152.0/24
# SSH listens on 2200; the filter rule "SSH from TRUSTED (port 2200)" must match.
set ssh address=10.10.10.0/24,10.24.152.0/24 port=2200
/ip ssh
# Strong ciphers/MACs only; SSH port forwarding through the router is disabled.
set strong-crypto=yes forwarding-enabled=no
# ------------------ 10. IPv6 禁用 ------------------
/ipv6 settings
# IPv6 is switched off entirely. Every firewall rule in this file is under
# /ip firewall, so leaving IPv6 enabled would expose an unfiltered stack.
set disable-ipv6=yes
# ------------------ 11. 其他安全设置 ------------------
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) only on LAN, not on WAN or ZeroTier.
# NOTE(review): MAC-level WinBox/Telnet (/tool mac-server, /tool mac-server
# mac-winbox) is not restricted in this file; consider limiting its
# allowed-interface-list to LAN as well.
set discover-interface-list=LAN
/ip firewall service-port
# SIP ALG off: removes a packet-rewriting helper and its parsing surface.
set sip disabled=yes
/ip dns
# The router acts as resolver for clients. allow-remote-requests=yes is safe
# only because the input chain accepts port 53 solely from TRUSTED; without
# those rules this would be an open resolver on WAN.
# Upstream lookups use DoH. verify-doh-cert=yes requires the DoH server's CA
# certificate to be present under /certificate on the router — TODO confirm it
# is imported, otherwise DoH queries fail certificate verification.
set allow-remote-requests=yes \
servers=1.1.1.1,1.0.0.1,8.8.8.8,8.8.4.4 \
use-doh-server=https://cloudflare-dns.com/dns-query \
verify-doh-cert=yes \
cache-size=4096KiB
# =====================================================
# ZeroTier Central 配置提醒
# =====================================================
# 在 my.zerotier.com 的网络设置中添加 Managed Route:
#
# Destination: 10.10.10.0/23 (用/23,比实际/24大)
# Via: [RB5009的ZeroTier IP,例如 10.24.152.1]
#
# 这样 ZeroTier 客户端就知道如何路由到你的 LAN
# =====================================================
# =====================================================
# 使用说明
# =====================================================
# 1. 所有内网设备的默认网关设为 10.10.10.1
#
# 2. 需要走代理的设备,添加到 use_proxy 地址列表:
# /ip firewall address-list add address=10.10.10.xxx list=use_proxy
#
# 3. ZeroTier 客户端访问内网时会保留真实IP
#
# 4. 代理服务器(10.10.10.252)故障时自动回退到直连
#
# 5. 导入后建议重启:/system reboot
# 检查日志:/log print where topics~"firewall"
# =====================================================