MikroTik: configuring IPv6 NAT
Everyone is no doubt familiar with IPv6 by now; below, a RouterOS router on v7.8 is used as the example for setting up IPv6 NAT.
1. Create interface lists
/interface list add name=Trust
/interface list add name=Untrust
/interface list member add list=Trust interface=Bridge  # Bridge = the LAN bridge interface
/interface list member add list=Untrust interface=PPPoE-Unicom  # PPPoE-Unicom = the PPPoE dial-up (WAN) interface
As shown in the figure below:
2. Create the IPv6 pool
/ipv6 pool add name=My_Pool prefix=2111:192:168:99::/64 prefix-length=64  # prefix used on the LAN side
3. Enable IPv6
/ipv6 settings set disable-ipv6=no accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes-if-forwarding-disabled
If no IPv6 prefix is obtained, try accepting router advertisements unconditionally instead. With forwarding enabled (the default on a router) the setting yes-if-forwarding-disabled means the ISP's RAs are ignored, which is why the static default route in step 6 is needed:
/ipv6 settings set disable-ipv6=no accept-redirects=yes-if-forwarding-disabled accept-router-advertisements=yes
4. Adjust the ND (Neighbor Discovery) configuration
/ipv6 nd prefix default set valid-lifetime="00:10:00"  # short lifetimes so hosts age out a prefix quickly if the ISP changes it
/ipv6 nd prefix default set preferred-lifetime="00:01:00"  # preferred-lifetime must not exceed valid-lifetime
/ipv6 nd set [find interface=all] ra-interval=30-50 ra-delay=3 ra-preference=high reachable-time=1200 retransmit-interval=600 ra-lifetime=1800 hop-limit=64 dns=2111:192:168:99::9 advertise-mac-address=yes advertise-dns=yes managed-address-configuration=yes other-configuration=yes  # dns= is optional; I have my own DNS server here
/ipv6 nd prefix add prefix=2111:192:168:99::/64 interface=Bridge
managed-address-configuration=yes and other-configuration=yes set the RA M and O flags, which tell hosts to also run DHCPv6; hosts still form their addresses by SLAAC from the advertised prefix, and the DNS server is delivered in the RA's RDNSS option (advertise-dns=yes).
5. Create the DHCPv6 client
Note: this is for the case where the router itself does the PPPoE dial-up.
/ipv6 dhcp-client add interface=PPPoE-Unicom request=prefix pool-name=Public pool-prefix-length=64 use-peer-dns=no add-default-route=no use-interface-duid=no  # the Advanced tab can also run a script
As shown in the figure below:
Note: if the ONT (optical modem) does the dial-up instead, change this to request=address and leave pool-name and pool-prefix-length empty.
Obtaining an IPv6 prefix from a ZTE vBRAS (vBRAS.C-1.NMAN.V6000), RouterOS 7.18beta2:
/ipv6 dhcp-client add interface=pppoe-scdx request=prefix pool-name=Public pool-prefix-length=64 use-peer-dns=no add-default-route=no use-interface-duid=no validate-server-duid=no
Note: validate-server-duid=no skips validation of the vBRAS server's DUID. Without that check the client accepts Reply messages from any DHCPv6 server on the link; on a point-to-point PPPoE session the only peer is the ISP's BRAS, so the exposure is small, but leave the check enabled wherever it works.
Enable IPv6 FastTrack
/ipv6 firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related protocol=tcp in-interface=PPPoE-Unicom
/ipv6 firewall filter add chain=forward action=fasttrack-connection connection-state=established,related protocol=udp in-interface=PPPoE-Unicom
/ipv6 firewall filter add chain=forward action=accept connection-state=established,related
Caveat: packets of a fasttracked connection bypass the remaining firewall filter and mangle rules, so nothing placed after these rules is applied to those flows. The change-mss rule in step 9 still works because it matches SYN packets, which are connection-state=new and therefore never fasttracked.
! Method for pinning the IPv6 prefix:
Find connections to a given address and port (~ is a regex match, so the dots also match any character):
/ip firewall connection print where dst-address~"172.16.3.1:18472"
Find connections to a given port:
/ip firewall connection print where dst-address~":853"
Count tracked firewall connections:
/ip firewall connection print count-only
Count IPv4 routes:
/routing route print count-only where afi=ip4
Count IPv6 routes:
/routing route print count-only where afi=ip6
6. Create the default route
/ipv6 route
add dst-address=::/0 gateway=PPPoE-Unicom distance=1 vrf-interface=PPPoE-Unicom
7. Create the IPv6 addresses
/ipv6 address
add address=::1/64 from-pool=My_Pool interface=Bridge advertise=no  # LAN side, becomes 2111:192:168:99::1/64; the prefix is advertised by the /ipv6 nd prefix entry from step 4
add address=::192:168:99:1/64 from-pool=Public interface=PPPoE-Unicom advertise=no no-dad=yes  # WAN side, one address taken from the ISP-delegated prefix
As shown in the figure below:
Note: if you delete the link-local address highlighted in red in the figure above, the DHCPv6 client can no longer obtain the public IPv6 prefix; disable and re-enable the PPPoE interface to recover it.
8. Configure DNS
/ip dns set verify-doh-cert=yes use-doh-server="https://dns.alidns.com/dns-query" allow-remote-requests=no
As shown in the figure below:
Note: the above uses a DoH URL; to use plain resolvers instead, set servers=223.5.5.5,2400:3200::1. Two caveats for the DoH setting: verify-doh-cert=yes only works if the root CA that issued the DoH server's certificate has been imported under /certificate, otherwise every query fails; and a DoH server given by hostname still needs ordinary servers= (or a static DNS entry) so that the router can resolve dns.alidns.com in the first place.
9. Create the IPv6 firewall
/ipv6 firewall address-list
add list=local address=2111:192:168:99::/64
add list=local address=fe80::/64
/ipv6 firewall filter
add chain=input action=accept src-address-list=local in-interface=PPPoE-Unicom comment="Allow connections"
Caveat: this rule accepts anything arriving on the WAN interface whose source address is in the local list. The only legitimate traffic in those ranges on the PPPoE link is the ISP's link-local (fe80::) router advertisements and DHCPv6 replies, so if you tighten it, match those explicitly (protocol=icmpv6, and protocol=udp dst-port=546) rather than trusting the source address alone.
/ipv6 firewall mangle
add chain=forward in-interface=PPPoE-Unicom protocol=tcp tcp-flags=syn action=change-mss new-mss=1432 comment="IPv6 change MSS"
add chain=forward out-interface=PPPoE-Unicom protocol=tcp tcp-flags=syn action=change-mss new-mss=1432
1432 = 1492 (PPPoE MTU) - 40 (IPv6 header) - 20 (TCP header).
/ipv6 firewall nat
add chain=srcnat action=masquerade comment="hairpin nat"
Note: adjust to your own needs. As written the rule has no out-interface, so every routed flow is masqueraded; adding out-interface=PPPoE-Unicom limits it to traffic leaving towards the ISP.
/ipv6 firewall filter
add chain=input connection-state=invalid action=drop comment="Drop INVALID connections"
add chain=input connection-state=established,related,untracked action=accept comment="Allow established/related/untracked"
add chain=input protocol=icmpv6 action=accept comment="Allow ICMPv6"
add chain=input protocol=tcp dst-port=8291,22 action=accept comment="Allow Winbox and SSH"
add chain=input action=drop comment="Drop everything else"
In /ipv6 firewall, protocol=icmp means IPv4 ICMP (protocol 1) and never matches ICMPv6 (protocol 58); with it, the final drop rule would kill neighbour discovery, router advertisements and Path MTU discovery, so protocol=icmpv6 is required. Likewise port= matches either the source or the destination port, so dst-port= is the right matcher for Winbox and SSH. The Winbox/SSH rule has no interface restriction, so management is reachable on the WAN address as well; add in-interface-list=Trust if that is not intended.
That's it. One reminder: the final drop-all input rule can break OSPF and GRE6 tunnels; allow them explicitly or leave out `add chain=input action=drop comment="Drop everything else"`.
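The pitfalls just discussed (ICMPv4 where ICMPv6 was meant in an IPv6 ruleset, port= where dst-port= was meant, source-only trust on the WAN interface, accept rules shadowed by an earlier catch-all drop, and a forward chain with no final drop) are easy to check mechanically before pasting a ruleset into a router. The following is an added example written for this page, not RouterOS or MikroTik code: a small Python linter that parses `add key=value ...` lines, run here over the page's own input rules and over a corrected set. PAGE_RULES and FIXED_RULES are constructed for the example; the interface name PPPoE-Unicom is taken from the page.

```python
"""Static checks for a RouterOS /ipv6 firewall filter ruleset (added example)."""
import re
from typing import Dict, List, Tuple

WAN = "PPPoE-Unicom"  # the page's dial-up interface name

# key=value pairs; values may be double-quoted (comments with spaces)
_KV = re.compile(r'([A-Za-z][\w-]*)=("[^"]*"|\S+)')

# The input rules as the page has them (constructed sample; bugs left in on purpose).
PAGE_RULES = """
add chain=input action=accept src-address-list=local in-interface=PPPoE-Unicom comment="Allow connections"
add chain=input connection-state=invalid action=drop comment="drop INVALID"
add chain=input connection-state=established,related,untracked action=accept comment="allow established"
add chain=input protocol=icmp action=accept comment="allow ICMP"
add chain=input protocol=tcp port=8291,22 action=accept comment="allow Winbox and SSH"
add chain=input action=drop comment="drop everything else"
""".strip().splitlines()

# A corrected set (constructed sample): ICMPv6, dst-port, ISP DHCPv6 replies only, forward drop.
FIXED_RULES = """
add chain=input connection-state=invalid action=drop
add chain=input connection-state=established,related,untracked action=accept
add chain=input protocol=icmpv6 action=accept
add chain=input protocol=udp dst-port=546 src-address=fe80::/10 in-interface=PPPoE-Unicom action=accept comment="DHCPv6 client replies from the ISP"
add chain=input protocol=tcp dst-port=8291,22 in-interface-list=Trust action=accept
add chain=input action=drop
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface-list=Trust action=accept
add chain=forward action=drop
""".strip().splitlines()


def parse_rule(line: str) -> Dict[str, str]:
    """Turn one `add ...` line into a dict; quotes around values are stripped."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def is_catch_all(rule: Dict[str, str]) -> bool:
    """A rule with no matcher besides chain/action/comment matches every packet."""
    return not (set(rule) - {"chain", "action", "comment"})


def lint_ipv6_filter(lines: List[str], wan: str = WAN) -> List[Tuple[int, str, str]]:
    """Return (rule index, code, message) findings for an /ipv6 firewall filter ruleset."""
    rules = [parse_rule(line) for line in lines]
    findings: List[Tuple[int, str, str]] = []
    drop_all_seen: Dict[str, int] = {}  # chain -> index of its first catch-all drop
    for i, r in enumerate(rules):
        chain, action = r.get("chain", ""), r.get("action", "")
        if r.get("protocol") == "icmp":
            findings.append((i, "ICMPV4_IN_V6",
                             "protocol=icmp is IPv4 ICMP (1); use protocol=icmpv6 (58) or ND/RA/PMTUD break"))
        if "port" in r and "dst-port" not in r:
            findings.append((i, "PORT_EITHER_DIR", "port= matches source OR destination port; use dst-port="))
        if (chain == "input" and action == "accept" and r.get("in-interface") == wan
                and "src-address-list" in r and "protocol" not in r):
            findings.append((i, "WAN_TRUST_BY_SRC",
                             "accepts on the WAN interface by source address alone; spoofable, match the ISP traffic explicitly"))
        if chain in drop_all_seen and action == "accept":
            findings.append((i, "SHADOWED",
                             f"never reached: rule {drop_all_seen[chain]} already drops everything in chain {chain}"))
        if action == "drop" and is_catch_all(r):
            drop_all_seen.setdefault(chain, i)
    if "forward" not in drop_all_seen:
        findings.append((len(rules), "NO_FORWARD_DROP",
                         "forward chain has no final drop; inbound reachability relies on the LAN prefix being unroutable"))
    return findings


def codes(lines: List[str]) -> List[str]:
    """Just the finding codes, in rule order."""
    return [c for _, c, _ in lint_ipv6_filter(lines)]


if __name__ == "__main__":
    for name, ruleset in (("page", PAGE_RULES), ("fixed", FIXED_RULES)):
        print(name)
        for idx, code, msg in lint_ipv6_filter(ruleset):
            print(f"  rule {idx}: {code}: {msg}")
```

Run against the page's rules it reports the four issues discussed above; the corrected set is clean. The checks are deliberately syntactic (no RouterOS semantics beyond matcher names), which is enough to catch the mistakes that a copy-pasted ruleset most often carries.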
Disabling temporary IPv6 addresses on Windows (Win+R, cmd)
How to use the related commands:
netsh interface ipv6                                  (enter the netsh ipv6 context)
netsh interface ipv6 show                             (list the available show subcommands)
netsh interface ipv6 set privacy state=disable        (disable temporary IPv6 addresses)
netsh interface ipv6 set privacy state=enable         (enable temporary IPv6 addresses)
The larger the precedence value in the first column, the higher the priority; destinations matching that prefix are tried first.
netsh interface ipv6 show prefixpolicies              (show the prefix policy table)
netsh interface ipv6 set prefixpolicy ::ffff:0:0/96 100 4   (prefer IPv4: raises the IPv4-mapped precedence above the 40 of ::/0)
netsh interface ipv6 add prefixpolicy ::/0 40 1       (prefer IPv6: this is the default ::/0 entry, so it only helps if ::ffff:0:0/96 is below 40; its default is 35)
shutdown -r -t 0                                      (reboot)
To restore the default IPv6-first behaviour:
netsh interface ipv6 reset
shutdown -r -t 0
Changes to prefix-policy precedence persist across reboots.
RouterOS console:
/ping [:resolve ipv6.google.com]  # ipv6.google.com only has an AAAA record, so :resolve returns an IPv6 address
If the IPv6 connectivity status shown on Windows bothers you, create the LAN address pool from a prefix that looks global, e.g. 2111:192:168:99::/64, instead of a ULA one. Caveat: 2111::/16 is not an IANA-allocated global unicast block, so it must never leak past the masquerade; the standards-conformant choice is a ULA prefix from fd00::/8, but Windows' default prefix policy gives ULA a lower label and precedence than IPv4, so a ULA-only LAN prefers IPv4 for dual-stack destinations, which is what this works around.
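Both the netsh prefix-policy commands above and the choice of a global-looking LAN prefix come down to RFC 6724 destination address selection, which Windows implements with that prefix policy table. The following is an added example written for this page (not Windows or RouterOS code): a Python model of the two rules that decide IPv4-versus-IPv6 preference on a dual-stack host, rule 5 (prefer a destination whose policy label matches the chosen source's label) and rule 6 (prefer higher precedence), applied to three scenarios: the default table with a 2111: LAN address, the table after `set prefixpolicy ::ffff:0:0/96 100 4`, and the default table with a ULA (fd00::/8) LAN address. The host and destination addresses are constructed for the example; 223.5.5.5 and 2400:3200::1 are the AliDNS servers mentioned on the page. Rules 1-4 and 7-10 of the RFC (scope, deprecated addresses, home agents, path length, etc.) are omitted because they do not differ between the candidates used here.

```python
"""RFC 6724 destination ordering reduced to rules 5 and 6 (added example)."""
import ipaddress
from typing import Iterable, List, Optional, Tuple

Policy = List[Tuple[str, int, int]]  # (prefix, precedence, label)

# RFC 6724 section 2.1 default table; Windows ships the same values, which is
# what `netsh interface ipv6 show prefixpolicies` prints on an untouched host.
DEFAULT_POLICY: Policy = [
    ("::1/128", 50, 0),
    ("::/0", 40, 1),
    ("::ffff:0:0/96", 35, 4),
    ("2002::/16", 30, 2),
    ("2001::/32", 5, 5),
    ("fc00::/7", 3, 13),
    ("::/96", 1, 3),
    ("fec0::/10", 1, 11),
    ("3ffe::/16", 1, 12),
]


def as_ipv6(addr: str) -> ipaddress.IPv6Address:
    """IPv4 addresses are looked up as IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    a = ipaddress.ip_address(addr)
    return ipaddress.IPv6Address("::ffff:" + str(a)) if a.version == 4 else a


def lookup(policy: Policy, addr: str) -> Tuple[int, int]:
    """Longest-prefix match in the policy table -> (precedence, label)."""
    a = as_ipv6(addr)
    best: Optional[Tuple[int, int, int]] = None
    for prefix, precedence, label in policy:
        net = ipaddress.IPv6Network(prefix)
        if a in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, precedence, label)
    assert best is not None  # ::/0 always matches
    return best[1], best[2]


def choose_source(policy: Policy, sources: Iterable[str], dst: str) -> Optional[str]:
    """Source selection reduced to: same address family, and prefer a source whose
    policy label matches the destination's (RFC 6724 section 5, rule 6)."""
    family = ipaddress.ip_address(dst).version
    candidates = [s for s in sources if ipaddress.ip_address(s).version == family]
    if not candidates:
        return None
    dst_label = lookup(policy, dst)[1]
    for s in candidates:
        if lookup(policy, s)[1] == dst_label:
            return s
    return candidates[0]


def order_destinations(policy: Policy, sources: List[str], dsts: List[str]) -> List[str]:
    """Order resolver results the way a dual-stack host will try them."""
    keyed = []
    for d in dsts:
        src = choose_source(policy, sources, d)
        if src is None:
            continue  # rule 1: no source of that family, destination unusable
        d_prec, d_label = lookup(policy, d)
        s_label = lookup(policy, src)[1]
        # rule 5: matching label first; rule 6: higher precedence first
        keyed.append(((0 if s_label == d_label else 1, -d_prec), d))
    keyed.sort(key=lambda t: t[0])  # stable, so ties keep resolver order
    return [d for _, d in keyed]


def windows_prefer_ipv4(policy: Policy) -> Policy:
    """Table after `netsh interface ipv6 set prefixpolicy ::ffff:0:0/96 100 4`."""
    return [(p, 100 if p == "::ffff:0:0/96" else prec, label) for p, prec, label in policy]


if __name__ == "__main__":
    dsts = ["2400:3200::1", "223.5.5.5"]  # AAAA and A answers for the same name
    print("2111: LAN, default table  ->", order_destinations(DEFAULT_POLICY, ["2111:192:168:99::abcd", "192.168.99.10"], dsts))
    print("2111: LAN, IPv4 preferred ->", order_destinations(windows_prefer_ipv4(DEFAULT_POLICY), ["2111:192:168:99::abcd", "192.168.99.10"], dsts))
    print("ULA LAN, default table    ->", order_destinations(DEFAULT_POLICY, ["fd00:99::abcd", "192.168.99.10"], dsts))
```

The third scenario is the one the page works around: with a ULA source (label 13) and a global destination (label 1), rule 5 prefers the IPv4 pair, whose mapped source and destination share label 4, before precedence is even compared. A prefix from the global range carries label 1 like the destination, so rule 6 then picks IPv6 (40 over 35) unless the IPv4-mapped precedence has been raised as in the netsh command.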
Traceroute without reverse-DNS lookups (hop names hidden):
Windows:
tracert -d www.jd.com
tracert -6 -d www.jd.com
Linux:
traceroute -n -I www.baidu.com   # -n skips reverse lookups; -I uses ICMP echo probes instead of UDP (needs root)
# dig: return only the IPv6 or only the IPv4 records
dig www.baidu.com AAAA +short
dig www.baidu.com A +short
# dig: basic usage
dig www.geekeden.net a +trace
dig @server sina.com.cn.
# dig: request a full zone transfer (a correctly configured server answers REFUSED unless you are an allowed secondary)
dig @server zx.xmgd.com. AXFR
# dig: request an incremental zone transfer from serial N
dig @server zx.xmgd.com. IXFR=N
# dig: reverse lookup
dig -x 210.52.83.228 @server
# find the authoritative DNS servers for a domain (and query each for its SOA)
dig xmgd.com. +nssearch
# trace a name's resolution from the root servers down
dig xmgd.com +trace
# which F-root instance you are reaching
dig +norec @F.ROOT-SERVERS.NET HOSTNAME.BIND CHAOS TXT
# BIND version string (often hidden with the `version` option in named.conf)
dig @bind_dns_server CHAOS TXT version.bind