Hi, my name is Edgars. In this video I will explain what SwOS is, which devices are supported, and how to use it. So what is SwOS? SwOS, also called SwitchOS, is a lightweight operating system designed for MikroTik switch products. SwOS can be accessed only through a web browser, so there is no WinBox or SSH, but it gives you nice graphical and easy-to-use configuration options; you can quickly set up VLANs, ACL rules and more. But what about supported devices? How can I find which device supports SwOS, RouterOS or both? The short answer is you need to check the product specification. Every switch product shows what operating system is supported: you will find SwOS, SwOS Lite, RouterOS, and SwOS or RouterOS dual boot, and some products do not support SwOS at all. You can also tell by the product name: for example, if the name starts with CSS, or Cloud Smart Switch, the device supports SwOS; if the device name starts with CRS, or Cloud Router Switch, it definitely runs RouterOS. Some CRS models, like most of the CRS300 series, support a dual-boot feature and you can choose which one to use. This table shows a summary of supported switch devices at this time. OK, let's now look at how to connect to the switch. If you have a switch-only device like the CSS610, all you need to do is power the switch and enter the management IP in your web browser. But before that, the switch is running a DHCP client, so check your DHCP server leases, or see the WinBox neighbor list; you can see the IP address shown here. If the switch cannot get an IP from DHCP it will use a fallback IP, which is 192.168.88.1; for this case you might need to set a static IP on your computer from the same subnet. After we know the correct IP address it will ask you to log in, and by default it uses admin without a password. The first step is to change the password and change the IP management access if needed. So let's use the old password, it is none, a new password, something secret, change password. Then see if there are any software updates; you can use the automatic upgrade tool if your PC has an internet connection, but you can also download the software file from the MikroTik homepage and upload it later manually. In case something goes wrong and you lose management access to the switch, you can restore the switch to the defaults using the reset button: just press and hold the button while powering the device for a few seconds and it will load the primary SwOS and reset any previous configuration. OK, but what about dual boot? How to boot SwOS on these devices: if your device supports dual boot, you can change the boot option from RouterOS using /system routerboard settings set boot-os=swos, and now your device is ready to reboot. But before you do that, you can actually change some SwOS settings from RouterOS using /system swos; here you can change, for example, the static IP address, you can change the password, and so on. So I will show how to use a static IP address, OK, and then you are ready; you can reboot your switch, and here you can see the switch has booted into SwOS. A very important detail is that SwOS and RouterOS do not synchronize any configuration, so if you add some VLANs in RouterOS you will need to redo the same steps in SwOS, and vice versa. From SwOS you can boot back to RouterOS using the "Boot RouterOS" button. If your device comes with a serial console, you can select which OS to use during the booting process: connect your serial console and reboot your device; for a very short moment it will prompt you to enter the RouterBOOT menu by pressing any key, then you can change the boot OS by pressing the boot-OS key, select SwOS, and exit the setup with the x key. Sometimes we get questions about which OS to use. Well, it depends on your setup and preference. Both systems have very similar performance because they both use the same hardware and switch chips. SwOS only supports layer 2 switching, so if you are looking for a very simple layer 2 switch and need to change only a few settings, choose SwOS; but if you manage large networks, are looking for more monitoring and automation options, and want to configure layer 3 routing, you should choose RouterOS. That's it for this video; for more details and configuration examples please visit our help page. I hope you like this video, and thanks for watching.

OK, next let's go over the basic configuration for getting a RouterOS router online. We already covered the Quick Set wizard earlier; if you want to understand what configuration the wizard generated, or want to configure the device with more understanding, we can try the manual configuration method. This slide lists which parts a manual configuration should cover. First is the WAN port. For WAN access there are currently three modes. The first is DHCP client: for example you have an ONT (optical modem) that already dials up, or there is no ONT and the uplink is community broadband, where the ISP assigns you an IP directly by DHCP. The second, also common, is PPPoE dial-up. The third is static IP. When acting as the WAN port, whether DHCP automatic acquisition or PPPoE, we are in client mode, acting as a client and letting the ISP provide the service; static IP is generally a leased line, where the ISP provides a set of IP parameters for you to fill in. OK, that covers the WAN port. Once that is configured, let's look at the LAN port. The LAN port is simply the configuration of the internal gateway and internal services. For the LAN we generally enable a DHCP server so that clients below connect and obtain addresses automatically; you can also enable a PPPoE server, similar to how an ISP provides dial-up accounts and passwords to its users. Then there is static IP: for static IP you simply add an IP address and subnet mask on your LAN interface. After doing the WAN and LAN configuration, you also need a firewall NAT masquerade, because our private LAN IP addresses cannot be transmitted on the public network, so a NAT address translation is needed, translated up layer by layer if there are multiple layers of NAT. Next is DNS forwarding, which is optional: if your LAN clients directly point to a public DNS, you do not need to do DNS forwarding; if you want the router to act as the DNS server, then you do need to enable DNS forwarding. OK, let's look at creating the WAN DHCP client: IP > DHCP Client, you can note this term. Then add; when adding, specify the interface: whichever interface is your WAN port, specify that one. Below, Use Peer DNS asks whether you want to obtain DNS from the upstream for the router to use, and Add Default Route; these are checked by default. Generally you can just fill in the interface and click OK; these two are worth understanding, so I mention them. There is also the PPPoE client for dial-up: in the PPP menu click the plus sign, a dropdown appears, select PPPoE Client, note this term too. It creates a new interface; on the first tab we select the interface to dial on, then switch to the second tab and enter the dial-up account and password provided by the ISP; Use Peer DNS below is also recommended to check, and Add Default Route too, then click OK. That is creating the WAN PPPoE access. For a leased line with static IP, add the parameters the ISP gave you under IP > Addresses. A leased line ISP will certainly provide IP, subnet mask, gateway and DNS. When adding the address here, the IP and mask are filled in here. Then choose the WAN interface; now only the gateway and DNS are left. Where is the gateway entered? Directly add a default route: IP > Routes, add a default route, then enter the gateway the ISP provided in the Gateway field; the destination address 0.0.0.0/0 is the full name of the default route, representing all addresses. OK, DNS still needs entering: IP > DNS, manually enter the DNS addresses the ISP provided. The checkbox there lets the router act as a DNS server for the LAN; if LAN clients are to use the router's IP for DNS resolution, check it. OK, that covers creating the three WAN access methods. Now LAN: likewise, first create a static IP address on the LAN interface, in IP > Addresses, for example create 192.168.88.1 on ether2. With static access you only need to give the LAN this IP and tell the users below to pick a static IP themselves within the mask range you chose. If you want the LAN below to obtain addresses automatically, after adding the gateway IP we can use the DHCP wizard to complete this series of operations. Open IP > DHCP Server, click DHCP Setup, select the interface on which you just created the gateway IP, click Next, and it will automatically fill in a series of configuration items. For example, I just added 192.168.88.1/24 to ether2, I chose ether2 in the wizard, click Next, and it shows a range filled in for you; this range first tells you your subnet, and 192.168.88.0 is exactly this subnet. OK, confirm there is no problem, Next, to the figure on the right: the DHCP gateway, 192.168.88.1, also correct. Next, it asks you to fill in the address range DHCP assigns; if fine, or adjust the range to distribute as needed, click Next. Then it lets you specify the DNS server; leaving it empty is fine, or specify manually; if empty it defaults to the gateway, 192.168.88.1. Then below confirm the last item, the lease time, ten minutes, and click Next again. That is done. It is a fairly simple procedure, two steps: first add the gateway IP on the LAN interface, then open DHCP Setup and keep clicking Next. OK, now the basic firewall NAT masquerade operation. This action is so that the LAN's network data can be transmitted normally, because LAN addresses cannot be transmitted on the public network, so this masquerade layer is needed. In IP > Firewall there is NAT; add a rule and do a source-address masquerade, changing your source address to the WAN address, so that when the upstream replies it sends back to your WAN address. You can do a global masquerade: fill in nothing, just select chain srcnat, then for Action select masquerade, and click OK. At this point the LAN, WAN and NAT are configured. Next the DNS proxy: IP > DNS, fill in your DNS servers here, any server the router can reach; this server is used by the router itself. Allow Remote Requests below means providing DNS resolution for other requesting clients. Of course, the prerequisite for checking it is that you fill in a DNS so that the router itself can resolve before it can resolve for others.

Last time we covered how to make a wireless router from a PC; the router system was RouterOS, which you can download online or buy from an online shop for a few tens of yuan. This time I'll explain how to set up the router, in two parts: first the basic RouterOS settings to get it online normally, and later how to set up the Wi-Fi function. Before that, prepare a PC and download WinBox from the RouterOS official site; this is RouterOS's management software. Then connect any port of the router to the PC's network port with a cable. Next double-click WinBox; in the dialog that pops up, find this router's MAC or IP and select it, as marked in the figure. 2. Account default admin, password empty, click Connect to enter the router management page. Step 1, set the WAN IP and interface: click IP > Addresses on the left, in the dialog click the plus sign, then in Address enter the WAN IP; here the WAN IP is the router address from the previous episode.

Let's do it hands-on. OK, this is a router we had already configured; I've now wiped it: System > Reset Configuration, no default configuration, we'll configure it manually from scratch. OK, reset, and wait for it to reboot. OK, the reboot is finished now; you can see that after clearing the configuration its IP address is 0.0.0.0, meaning it has no address, so we can only log in by MAC address. OK, now it's in a cleared state. Let's do the WAN port first: basic connectivity, a WAN port. Suppose we configure ether1; what do we do? My uplink is automatic, so I add a DHCP client: IP > DHCP Client, add ether1, ether1 as the WAN port. OK, you can see I've obtained the IP 200.230/4; got the IP and also got DNS, let's check, DNS obtained is 200.1. OK, now we can try pinging the outside. OK, the outside is fine, because when you add a DHCP client it automatically adds a default route for you. Now the WAN is fine; let's configure the LAN. Suppose I use ether5 for the LAN; the LAN first needs a gateway IP. Suppose the LAN is the 88.1 segment; I put it on ether5. On ether5, if you want to use static access for the clients below, you just tell them the mask range, gateway address and this subnet and let them fill it in. If you want them to obtain addresses automatically, we also go into DHCP Server and create: click DHCP Setup, select ether5, Next, you see it generates automatically; Next, Next, Next, Next again. OK, done. Then let's check whether we obtained an IP: ipconfig. OK, not obtained yet, it starts with 169; 169.254 means not obtained, so renew. OK, renewed, it's found, you see 88.253 is obtained now. You can look at the DHCP Leases here and also see the lease for 88.253. OK, at this point we still can't go online; only the LAN is connected, the outside is still unreachable, ping fails. What operation is needed? A NAT masquerade: IP > Firewall > NAT, add a source-address masquerade, OK. Let's try pinging again, it's OK; ping a domain name, that's OK too. We didn't check the DNS forwarding option just now; that's because the DHCP server we were given is 200.1, and it passes that down; you can see it. The DHCP server we created just now hands out 200.1, not the router itself; it's what the upstream gave us, so we don't need to check it. If instead we specify, suppose, I want to point it to the router, OK, look again: now the ping fails, because this RouterOS router hasn't enabled the DNS forwarding function. OK, let's enable it, Apply, try again, and now it works. That's a basic manual operation for getting online.

In the previous video we talked about the hAP ac2's interface configuration; now let's briefly talk about how to get the hAP ac2 online, a simple single-line internet access configuration example. We're now in the hAP ac2's interfaces. The LAN ports, as we covered before, consist of ether2 to ether5 and the wlan ports as the internal interfaces, all put under the bridge; for example under Interface > Interface List we've already defined the LAN ports, and the LAN forms one switch group, with all these ports under one switch. The remaining ether1 is our WAN port, connected as a single line. When connecting there are three methods: static IP, dynamic IP acquisition, and PPPoE dial-up. Nowadays ISP access is usually through an ONT (optical modem) with PPPoE dial-up, so here I'll briefly introduce single-line PPPoE access. An ISP ONT has two modes: router mode and bridge mode. Usually the ONT the ISP gives you is in router mode, meaning the ONT dials up, requests the internet for you, and through the ONT's LAN port dynamically assigns an IP address to your router. The other is bridge mode, which requires contacting the ISP to change the ONT to bridge mode; in bridge mode it acts like a transparent switch, passing the upstream data straight down to your router, and the router dials up. For the router to dial up we need to configure PPPoE. First step, check IP > Addresses: in the hAP ac2's default configuration 192.168.88.1 is already written on the bridge interface, that is, ether2 to ether5 and the two wlan ports are in this bridge, all using 192.168.88.1; the network should be 192.168.88.0/24, this IP segment has 256 addresses in total, .1 as the gateway, and the remaining addresses usable as host addresses. Now the first step is to configure a dial-up: in Interfaces click the plus dropdown, and many related interfaces appear; these are all virtual interfaces generated on a physical NIC. We choose PPPoE Client, meaning we act as the PPPoE client. I built a PPPoE server in my network and use it for the demonstration, so I create an account: my user is "yes" and the password is also "yes". For Profile we keep the default, and remember to check Use Peer DNS, meaning use the DNS distributed by the peer PPPoE server; next is Add Default Route, which must be set: if you don't add the default route your router cannot get online. OK, here it shows, ah, in Interfaces I forgot one step, selecting the interface; our WAN port is connected to ether1, so we choose ether1. After configuring, an R appears in front, meaning connected and running; if there's no R the dial-up did not succeed, so check whether the ONT has been changed to bridge mode and whether your account and password are correct. OK, look at IP > Addresses: now an extra pppoe-out1 address appears, automatically assigned by the PPPoE server. Then check IP > Routes: a default gateway via pppoe-out1 has been added dynamically. So we've obtained the address and we have the gateway; these parts basically guarantee that the router itself can get online, but that doesn't mean the hosts below can. Now we continue and check whether a DHCP server is configured on the LAN; the hAP ac2's official default configuration already has the DHCP server configured, so let's open it: IP > DHCP Server. First it needs the interface set to the bridge, then select the address pool, meaning the range of IPs to assign to the hosts below. After those two, the next step is Networks, which assigns the gateway and DNS to hosts: the gateway is 192.168.88.1, and the DNS needs to be configured manually as 192.168.88.1; the official default doesn't write it, I set it earlier; remember to add a DNS manually. Why did I write 192.168.88.1 here? Because in IP > DNS, since we used Use Peer DNS in the PPPoE dial-up, after dialing it automatically pushes the ISP's DNS into my IP > DNS as dynamic servers, and after obtaining them we only need to check Allow Remote Requests, meaning proxy DNS requests, equivalent to creating a DNS server in RouterOS; so we can use the local IP, for example 192.168.88.1, the LAN gateway, as the DNS server proxying the requests. That is the DNS server configuration. Oh, I also forgot IP > Pool: the address range assigned to users that we mentioned is set in IP > Pool; you can see the dhcp pool, and its range is from 88.10 to 88.254, all assigned to users. That is the DHCP server configuration; the PCs below, laptops, desktops, phones and tablets, can all obtain IPs automatically; at this point that's over wired, because our LAN ports are on wired, and we haven't introduced the wireless parameters yet. After this is configured, the next step is the NAT translation in IP > Firewall. IP > Firewall has Filter; in the hAP ac2's AP router mode these protection rules are written in advance, so you needn't change them unless you have other needs. Then open NAT: NAT translation, for example translating the LAN's private IPs to the WAN IP the ISP gave us; the ISP's WAN IP is generally a private address now, they basically won't assign a public IP by default unless you apply. Look at the NAT rule: it is masquerade; masquerade means disguise, that is, I disguise the LAN as the WAN to go online. In this configuration a key parameter is Out. Interface, which port the traffic exits through to go online; here it's written as a list, an interface list, WAN. We said earlier that in Interface List the WAN group is defined as ether1, our first port; but now we go online by dial-up, and dial-up is not in this WAN group, so we must add an interface: add pppoe-out1 to the WAN list, so that you can really go online through the dial-up, otherwise traffic cannot come back. Now our whole internet configuration is done. Next let's look at the wireless: there are two wireless cards, one for 2.4 GHz and one for 5 GHz; you see this one's band is 2 GHz b/g/n, and the other interface's band is 5 GHz a/n/ac; so these are two wireless cards. What we need to do is actually simple: just set the wireless password, and if you want to change the SSID, here at SSID you can set your own, for example I set wifissid, but note that both cards' SSIDs must be the same, otherwise during use you'll see two wireless networks, a 2.4 GHz one and a 5 GHz one, and you cannot roam. Put it this way: your phone is dual-band and the router is dual-band; if the two SSIDs differ, you can't roam quickly when switching between 2 GHz and 5 GHz, so the two SSIDs must be set the same. After setting them the same, the next step is an encrypted wireless password; where do we set it? Let's look: in WinBox, in the wlan window under the Wireless menu we don't see the Security Profile option, because it's hidden; we need to click Advanced Mode, and after opening it we see that Security Profile is default. So where do we look at this default's configuration? We open the Security Profiles tab in the Wireless menu, and after opening it we see this default. After double-clicking it, we usually choose dynamic keys; here we can set the encryption method, that is, set our wireless password: we just choose WPA PSK and WPA2 PSK, the two modes, and set the keys for these two authentication types. Here I set something arbitrary: ys12345678, ys12345678. After setting this, your wireless password is configured; uncheck Hide Passwords and we can see the wireless password we set. Click OK. This way the SSID of both wireless cards is ys and the wireless password is ys12345678; the wireless is done. OK, that's the whole wired and wireless configuration. The final, very important step is to protect the router, that is, set a password. Note that as we covered before, the WAN group is external and the LAN group internal; the neighbor discovery policy already forbids discovery from the WAN, because here we can see that only LAN is allowed, and MAC Server is also configured for the LAN, all LAN, so the basic protection of the WAN port is done. Now we need to set the account password: open System > Users; you see our admin account; double-click it, click Password and set the password you need, for example 123123, or a more complex password, and click OK. That is the account password setting. Then there are the service ports; these are open by default; here I've already closed all the unneeded management services and left only winbox. Of course WinBox can be protected further, for example we can restrict the source address range, or change its service port, for example to 58291, connecting to WinBox on a high port. To sum up, a simple hAP ac2 configuration divides into a few steps: interfaces, IP addresses, routes and gateway, NAT rules, and the DNS service; for WAN access, home users all use dial-up, so create a pppoe-out dial-up client; so our configuration is roughly six steps. I hope this explanation is a great help to you as a beginner.
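The WAN/LAN/NAT/DNS procedure the three transcripts above walk through in WinBox, collected as one RouterOS terminal script. This is an added example, not configuration from the videos; it assumes a router reset without default configuration (as in the hands-on demo), ether1 as the WAN port, a bridge named bridge holding the LAN ports, PPPoE upstream, and ISP_USER, ISP_PASS, the TEST-NET 203.0.113.x values and the admin passphrase as placeholders (the DHCP-client and leased-line variants are left as comments).

```routeros
# Added example: single-WAN RouterOS setup (WAN via PPPoE, LAN on "bridge").
# ether1 = WAN, bridge = LAN, ISP_USER/ISP_PASS = placeholders.

# --- WAN: PPPoE dial-up; the peer supplies DNS and the default route ---
/interface pppoe-client add name=pppoe-out1 interface=ether1 user=ISP_USER \
    password=ISP_PASS use-peer-dns=yes add-default-route=yes disabled=no
# Alternative (a): the ISP hands out an address by DHCP on ether1
# /ip dhcp-client add interface=ether1 use-peer-dns=yes add-default-route=yes disabled=no
# Alternative (b): leased line with static parameters (TEST-NET placeholders)
# /ip address add address=203.0.113.2/30 interface=ether1
# /ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1
# /ip dns set servers=203.0.113.1

# --- LAN: gateway address, pool, DHCP server, and the network it advertises ---
/ip address add address=192.168.88.1/24 interface=bridge
/ip pool add name=dhcp_pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server add name=dhcp1 interface=bridge address-pool=dhcp_pool lease-time=10m disabled=no
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

# --- NAT: masquerade everything leaving through the WAN list; pppoe-out1 must
#     be a member of that list or replies never come back (the point made above)
/interface list add name=WAN
/interface list add name=LAN
/interface list member add list=WAN interface=ether1
/interface list member add list=WAN interface=pppoe-out1
/interface list member add list=LAN interface=bridge
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade

# --- DNS: the router resolves for LAN clients using the peer-supplied servers ---
/ip dns set allow-remote-requests=yes

# --- hardening from the last transcript: discovery and MAC access on LAN only,
#     admin password, unused services off, WinBox on a high port and LAN-only
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/user set admin password=CHANGE_ME_TO_A_LONG_PASSPHRASE
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set winbox port=58291 address=192.168.88.0/24
```

The order matters in two places: the masquerade rule only works once pppoe-out1 is in the WAN list, and the address= restriction on the winbox service should be applied from a LAN session, since a WAN session would lose access the moment it takes effect.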

Next let's get to know the WinBox tool further. WinBox uses TCP port 8291; this port number can be changed as needed, and after changing it you just append the port number after the login address to access it. The WinBox tool supports MAC login and also IP login; if possible, log in via IP. On devices already in production use, a MAC session uses network broadcast, and when data transfer gets large it may be unstable. Some devices that do not support WinBox login can still be discovered and scanned by the WinBox tool, because it supports the Cisco Discovery Protocol; for example our Cisco routers use this discovery protocol, and besides MikroTik RouterOS there is another system, the SwitchOS device, which is a layer 2 switch system, whereas RouterOS is a layer 3 routing system. SwitchOS devices can be discovered by WinBox, but can only be logged into through the web, not configured through WinBox. The WinBox tool only supports Windows, so it cannot run on macOS, Apple's system, but you can run it through emulation software that Apple supports, Wine; this software can run Windows programs on macOS, so the Windows tool can be opened through third-party tools that run Windows software. OK, this screen is the RouterOS web login interface, the browser login interface; the default username is admin, with no password. After logging in via the web you can see three menu items at the top right. The first is the Quick Set menu; under Quick Set there are different quick setup modes depending on the device model and purpose, and later we'll discuss the differences between these modes. Next is the WebFig menu; WebFig is no different from a WinBox login, all content is included here, but when you click into the option boxes some content is rather scattered, so for easier viewing I personally prefer logging in with the WinBox tool. The rightmost menu is Terminal, where you type commands directly. Let's look at the device's default configuration: RouterOS devices all ship with a default configuration, with different configuration options depending on the board type. As we just said, the quick wizard also corresponds to the device's several quick setup modes. For example the CPE router: CPE routers generally have a wireless interface, and the configuration uses the wireless interface as the WAN port and the other interfaces as LAN ports. There is also the LTE CPE AP router; devices in this mode have an LTE card, and the LTE interface is used as the WAN, with the wireless and other wired interfaces in AP mode, equivalent to a 4G wireless router. There is also AP router mode, and both single-band and dual-band devices have this mode; by default the wired interface, generally the first interface, is configured as the WAN port with DHCP automatic access, and the other wireless and wired LAN interfaces are all LAN ports. There is also point-to-point bridge mode, including AP and CPE, which is a wireless bridge pair, and WISP bridge mode; the difference is that it is level-4 licensed; compared with the PTP bridge, in WISP bridge mode the device has a level 4 license, can do Wi-Fi coverage, and can also work point-to-multipoint; it adds all interfaces into a bridge. There is also switch mode, which uses the switch chip for forwarding. For our CCR, for example the higher-end carrier-grade products, the CCR series, the 1100 series, only a login IP is configured, for example 192.168.88.1 set on the first port, and there is no other configuration. There is also CAP mode; CAP is a managed AP mode; RouterOS has the unified-management CAPsMAN function, and the AP can be quickly set to CAP mode so that the controller can discover it directly. We can also, at the device's initial login, see a popup telling you the default configuration content, or run the command system default-configuration print to view the default configuration content.

If you need to expose any ports to the wide area network, you're leaving them out in the open: anybody on the internet could perform a port scan and start brute forcing or attempting to use any known exploits on them. One way to defend against this is to use port knocking, which means that all of your ports are going to appear as if they are closed until somebody knocks on the correct ports in the right order; in other words, they need to attempt to open a socket to those ports. When the correct knock is performed the IP address is added to a "secured" address list, which is allowed access. To demonstrate this I have set up an RB5009 with the default configuration, which means there is one WAN port and several LAN ports, and I've set up access both to the WAN port and a LAN port. So let's set up the port knocking; I'm going to set up the port knock on the WAN port. Let's have a look at my firewall configuration. As you can see I have the default config rules there, and the most important line here is the chain input "drop not LAN", which means that any incoming connections to the router are going to be dropped if they're coming from the WAN. So if we're going to set up our port knocking sequence it will need to be set up above this rule. So let's add the first port that needs to be knocked on. For the first knock I'm going to use the destination port 888, and I'll just add the IP address to a list also named 888 with a thirty-second timeout, so once somebody opens a connection to that port they have thirty seconds to perform the next knock. And I need to place this rule somewhere at the top, so I'm just going to do place-before 0 and get it added at the top. But it is also a good idea to set it only to be enforced for the WAN port, so let me just set the in-interface list to WAN; there, that's better. So now let's add the next knock, and then the last one, and in this case I also want to make sure the address is in the previous list, so there, it has to be in the 888 list already, and then we're going to place before 1. Okay, now for the last one I'll name this address list "secured" and I'll set the timeout to be thirty minutes, so that within the window of thirty minutes I can disconnect and connect again without having to perform the knock sequence again. Okay, now there is a mechanism in place for somebody to perform the knock and be placed in the secured list, so now we need to add the rule which is going to allow anybody in the secured list to access the router. Now that is port knocking in its simplest form set up, but there is a problem with this: if somebody is scanning your ports and they just happen to scan these specific ports in the right order, they will actually unlock the other ports that were hidden. So let's try that: let's run an nmap scan and see what happens. Okay, now this is interesting: as you can see, it found basically all of these service ports on my router. So what happened here? If we go to the section IP > Firewall > Address Lists we can see what addresses have been added to any lists; we can see that our IP address was actually added to all of the lists, including the secured list, from this one simple nmap command. So we kind of got lucky here: nmap does the port scan in somewhat of a semi-random order, so it just happened that it did the correct order, accessed the router and scanned all the ports in one go. Left as it is this is not very secure, but there are several things that we could do to actually make this secure. So the first thing I will try is to add a blacklist, so if anybody scans the wrong port they'll be added to a blacklist; and you could go even further and add them to the blacklist if they knock on the right ports but in the wrong order, but that would be a pretty long configuration, so I'll just add a simple blacklist. So first we add the rule to drop anything in the blacklist. Okay, so if anybody is in this blacklist they will not even be allowed to perform the knock anymore. There are several ways how you could add IP addresses to this blacklist. First, let's create a bad port: if anybody is running a port scan, they will scan this bad port and they'll be immediately added to this blacklist, preventing them from performing the knock further. There: if somebody scans my 666 port, they're added to the blacklist for sixteen hours and forty minutes, which on the internet is pretty much an eternity. Obviously this is still pretty weak protection; somebody could figure out that this one port is bad and just not scan it. Now let's go further and add another rule which blacklists IP addresses if they are not in the secured list already and they try to connect to specific ports. This time I'll set the timeout to be just one minute, because we don't want to be blacklisted ourselves if we forget that we are already timed out from our secured list, and in fact for somebody attempting to scan the sixty-thousand-something ports one minute is a lot already. And I'll just pick some commonly used ports like FTP, SSH, telnet and the WinBox service port; in fact, I can add an entire range such as 10000 all the way up to 60000. Then under the src address list specify "!secured", and finally we'll place it at the top again. Now let's try to SSH into the router from the WAN and see what happens, and nothing happened, because we got put into the blacklist for one minute. Similarly, if we do the nmap scan we're going to be blacklisted, and okay, we're in the blacklist because we scanned the really bad port. Okay, let's remove ourselves from the blacklist. Now I'm going to show you how to actually access the device. One way would be to use a port knock client, but that's really not necessary; you can do that with a bash script. We'll use nmap in the script as well, but nmap on its own, again, might scan the ports in the wrong order, so we need to use a bash script. As you can see I knocked on these three ports successfully, and now if I check my list you can see I'm on the secured list, so if I SSH now I'm given access to my router. In fact, at this point I could have accessed any service port that's listed on my router; go to IP > Services, you can see the default list. You should probably change those port numbers if you're going to expose them to the internet, as it's going to complicate things even further for any attackers, and disable any of those services that you're actually not going to be using. If you have also set up port forwarding or VPN, those ports would at this point also be exposed to the IP address in the secured list. That's about all that we're going to do in this demonstration, but as I said before you could go further to make this an even more secure setup, for example with each knock you could send a passphrase that the router verifies, and you could limit the login attempts. We might cover those in other videos. Thank you for watching.
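The knock sequence, honeypot port and blacklist from the walkthrough above as one RouterOS filter configuration. This is an added example, not the rules from the video; it keeps the video's values (first knock on 888, bad port 666, 16h40m and 1m blacklist timeouts, 30s and 30m list timeouts, the 10000-60000 range) and assumes the second and third knock ports 999 and 1111, an interface list named WAN, and a default configuration whose input chain ends with a "drop not LAN" rule. Instead of placing each rule with place-before, the example jumps from the top of the input chain into a dedicated chain, so the rule order inside that chain is simply the order they are added.

```routeros
# Added example: port knocking with a blacklist, in its own chain "knock".
# Assumptions: interface list WAN exists; knock ports 888 -> 999 -> 1111.

/ip firewall filter
# one rule at the very top of input hands WAN traffic to the knock chain;
# if nothing in that chain matches, processing returns to the default rules
add chain=input in-interface-list=WAN action=jump jump-target=knock place-before=0

# 1. anything already blacklisted is dropped before it can knock again
add chain=knock src-address-list=blacklist action=drop comment="drop blacklisted"

# 2. honeypot: touching the bad port blacklists the source for 16h40m
add chain=knock protocol=tcp dst-port=666 \
    action=add-src-to-address-list address-list=blacklist address-list-timeout=16h40m

# 3. the knock sequence; each step requires the previous list entry (30 s window),
#    the final step grants 30 minutes in "secured"
add chain=knock protocol=tcp dst-port=888 \
    action=add-src-to-address-list address-list=knock1 address-list-timeout=30s
add chain=knock protocol=tcp dst-port=999 src-address-list=knock1 \
    action=add-src-to-address-list address-list=knock2 address-list-timeout=30s
add chain=knock protocol=tcp dst-port=1111 src-address-list=knock2 \
    action=add-src-to-address-list address-list=secured address-list-timeout=30m

# 4. unsecured sources that probe common service ports or the 10000-60000 range
#    get a short blacklist entry, so a scan trips it long before it finds
#    the sequence by chance (this is what stopped the nmap run in the video)
add chain=knock protocol=tcp dst-port=21,22,23,8291,10000-60000 \
    src-address-list=!secured \
    action=add-src-to-address-list address-list=blacklist address-list-timeout=1m

# 5. knocked-in sources may reach the router; everyone else falls through
#    to the default "drop not LAN" rule in the input chain
add chain=knock src-address-list=secured action=accept
```

To verify the state after a knock, look at /ip firewall address-list print: a correct sequence leaves one entry in secured, while a scan leaves an entry in blacklist. The management session used to add these rules should come from the LAN, because the blacklist rule matches on the WinBox port 8291 as well.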

Suppose that you have created a website for your small business and now you would like to share it with your customers, so you need to host it somewhere; it might as well be a container on your router. For this demonstration I created a silly little website for a coffee shop that just consists of the drinks menu and some floating coffee cups. The site consists of three files that take up only about two megabytes of space; really, we could host it on a calculator, so it will not be an issue for this router. So let's take a look at the configuration that I've already got in place before we do anything else. It's only a few lines of configuration; for now I've left out the firewall, as I am providing the internet connection through the ether1 port and also using the very same port to access the router. Then I have a wireless access point set up that's handing out addresses from the 10.0 network, and I've got the very basic container configuration in place: obviously in device mode containers are enabled, I've added a veth interface that is included in the container's bridge, and we're using the 172.17.0 network, similar to other container videos in the past, and then there's a masquerade rule that ensures that we have an internet connection both for our containers and also for any devices that connect to the wireless access point. The only part of this configuration that you cannot directly copy is the registry URL; you should probably use the default Docker registry, which is registry-1.docker.io. So I have a USB stick inserted, and next we're going to copy the website files onto this USB stick. Now I have a folder named html; I'm just going to drop it into the drive. And next, we will create a mount point for the default nginx container. We could alternatively use something like Flask, or maybe build our own web server from Alpine or BusyBox, which would take up less space, but 60 megabytes is not much, and since we've got a USB stick it's not really an issue at all. Go to Container > Mounts, and for destination /usr/share/nginx/html, and then the source is going to be the location of our folder; then I'll give it a name, html. Now I can go back to the container section and add remote image nginx:latest, interface veth1, root directory is going to be on my flash drive, I'll create a folder nginx, and then mounts is going to be html. Now while that is being created I need to add port forwarding to make sure we can access this website from our browser, so under IP > Firewall > NAT add chain dstnat, action dst-nat, protocol tcp, destination port 80, to ports 80, and to address 172.17.0.2, which is the address of my container. Now I can start my container. Now if I open the browser and enter the IP address of my router, I'm greeted with my coffee shop website. The way I structured the NAT rule makes this work also from any device that is accessing the internet through our wireless access point. So the next step, I guess, we could create a static DNS entry so that users of our wireless access point could just enter something like coffee.local into their browser instead of the IP address. So under IP > DNS we need to first enable Allow Remote Requests; this allows the router to act as a DNS server. Now I can go to the Static subsection, add name coffee.local with the address which I'm using for the wireless access point, which is 10.0.0.1. Now if I connect to this access point with my phone and enter coffee.local into the browser, I'm indeed greeted with the coffee shop website. Okay, so far so good, but not all our customers are going to be connecting to our access point, and they might want to view the site from their homes, so we need to make our website accessible through the internet. So first of all we will need to purchase a domain name, and then we have several options how to make this work. Number one is that if we have a public static IP, then we could have DNS point directly to our router, but that's unlikely for a small business. Then option two would be to have dynamic DNS, which means that the router will get a dynamic IP address from the ISP and the DNS records will have to be continuously updated. Now both of these are good options, but there's still the TLS problem: our website is HTTP, and the end users' browsers will give them a warning that this is not a secure website because encryption is not taking place, which brings us to the third option, which is to use the Cloudflare Zero Trust container. We already have a video on that, and it will solve the TLS issue: the end user has no way of telling whether the TLS certificate is stored on the Cloudflare server or the router, so they simply won't know that the website is actually HTTP, as their traffic will be encrypted to the Cloudflare server. The only issue that you might have with this is that the traffic going through the Cloudflare tunnel is effectively bypassing the firewall on your router, so there could be security implications. I can't comment much on how to do this securely, as I haven't really explored this further, but if you would like me to do that, let us know in the comments: should we buy a domain name and set up our little coffee shop website using Cloudflare?

In the last video we covered how to do the basic internet configuration in RouterOS; this time let's cover how to configure RouterOS to broadcast multiple Wi-Fi networks at the same time. All configuration in this episode only works on top of the content of the last video. Step 1, open the wireless network: click Wireless on the left; in the WiFi Interfaces tab you can see a wireless network, wlan1; if there is none, then your wireless card has no driver or no wireless card is installed. Then select this wlan1 and click the checkmark above, and the wireless card is enabled. Step 2, set up the wireless password profile: in this window find Security Profiles to set the wireless password profile, click the plus sign, and create a new profile with the name test1. Check WPA PSK and WPA2 PSK, and in the WPA Pre-Shared Key and WPA2 Pre-Shared Key fields below enter the corresponding Wi-Fi password; for example here I enter 12345678, click OK, and the setting is complete.
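The security-profile and SSID steps from this transcript and from the hAP ac2 wireless section earlier on the page, as RouterOS terminal commands, extended with the second SSID that this video's title announces but the transcript does not reach. This is an added example, not the videos' configuration; it assumes the legacy wireless package with two radios wlan1 (2.4 GHz) and wlan2 (5 GHz), a bridge named bridge, and the SSID names and the PASSPHRASE placeholders as values you replace.

```routeros
# Added example: one WPA2-PSK profile shared by both radios (same SSID so
# dual-band clients can roam), plus a second SSID as a virtual AP on wlan1.
# Placeholders: MySSID, MyGuestSSID, MAIN_PASSPHRASE_PLACEHOLDER, GUEST_PASSPHRASE_PLACEHOLDER.

# the profile the video builds in WinBox: dynamic keys, WPA and WPA2 PSK
/interface wireless security-profiles add name=test1 mode=dynamic-keys \
    authentication-types=wpa-psk,wpa2-psk \
    wpa-pre-shared-key=MAIN_PASSPHRASE_PLACEHOLDER \
    wpa2-pre-shared-key=MAIN_PASSPHRASE_PLACEHOLDER

# a separate profile for the second network (WPA2 only, its own key)
/interface wireless security-profiles add name=guest-sec mode=dynamic-keys \
    authentication-types=wpa2-psk wpa2-pre-shared-key=GUEST_PASSPHRASE_PLACEHOLDER

# both physical radios: same SSID, same profile, enabled
/interface wireless set wlan1 mode=ap-bridge ssid=MySSID security-profile=test1 disabled=no
/interface wireless set wlan2 mode=ap-bridge ssid=MySSID security-profile=test1 disabled=no

# second SSID on the 2.4 GHz radio: a virtual AP bound to wlan1
/interface wireless add name=wlan1-guest master-interface=wlan1 mode=ap-bridge \
    ssid=MyGuestSSID security-profile=guest-sec disabled=no
/interface bridge port add bridge=bridge interface=wlan1-guest

# verify that both keys were stored (passwords are hidden by default)
/interface wireless security-profiles print detail
```

Putting the virtual AP on the same bridge gives the second SSID the same LAN as the first; if the second network is meant to be isolated, it needs its own bridge, address and DHCP server instead of the last bridge port line.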

Docker containers on RouterOS? Yes, it is possible. Our operating system is Linux based, and our developers have gone out of their way to give you the freedom to make custom solutions never seen before: private DNS, network access storage, web servers, IoT management, home automation; those are just a few examples to give you an idea of what you can now set up directly on your MikroTik router. There is no need to buy another single-board computer, and the necessary software comes for free with your RouterOS license. Even if you have never set up Docker containers before, you will be able to do so on RouterOS. This is part one, and in this video we will learn about the prerequisites for your setup before you get started, so let's get into it. First of all you need to make sure that your device is of one of the following architectures: ARM, ARM64, or x86. Many of our routers have an ARM CPU; you can check the architecture of your device under System > Resources. The x86, if you are not familiar with it, is not an architecture that we use in our manufacturing; you can only have it if you've installed RouterOS on your own hardware such as your old PC. Next you want to make sure that you have upgraded to the latest RouterOS version: the support for Docker containers has been introduced starting with the stable version 7.5, and to enable it you will need to download the extra packages zip file from our website. Make sure you pick the correct architecture, open the file, and install the one named container on your device; you can do this by simply copying the container npk file to your router and rebooting. Now you have a new section called Container, but as a security measure the full functionality is disabled and can only be enabled if you have the router physically with you. Since containers give a lot of power to the user, they could also give a lot of power to a remote attacker: they might execute malicious code on your device in an attempt to steal your information, compromise other devices on your network, or add your device to their botnet. So before you proceed any further, please make sure you understand the security risks involved and know how to protect your device. My advice would be to set a good password, learn how to configure a firewall, and to just not expose any ports to the wide area network unless you really know what you are doing. So if your device is secured, we can execute /system device-mode update container=yes; this will prompt you to press the reset button on your router, and after the router boots up the container functionality will be enabled. Finally, the last thing you should consider is storage. You can set up containers directly in your router's storage if the space allows it; now, this will add unnecessary wear and tear, so unless you have something like a CCR2216 with an SSD in your M.2 slot, I suggest you store the container data either on a USB flash drive or an external SSD. Your external storage needs to be formatted either ext3 or ext4; this can be simply done from within RouterOS: just plug your storage media into the USB slot, go to the Disk section, select the correct drive and click the Format Drive button, then pick the ext4 file system from the list and click Start. Once the formatting is complete you are ready to set up your first container on RouterOS. In part two, we will continue to learn by setting up a Pi-hole container, which is going to get rid of ads in our entire network at once.
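The prerequisites from this transcript (device mode, ext4 storage) followed by the nginx-on-a-USB-stick setup from the coffee shop transcript above, as one RouterOS terminal script. This is an added example, not the videos' own configuration; it assumes the container package is already installed, the USB stick appears as disk usb1 and carries a folder named html, the wireless access point's address is 10.0.0.1, ether1 is the WAN port, and the 172.17.0.0/24 container network and registry URL are the ones the video names.

```routeros
# Added example: container prerequisites, then nginx serving a USB folder.
# Assumptions: container.npk installed, disk "usb1", folder /usb1/html present,
# AP gateway 10.0.0.1, WAN on ether1.

# --- prerequisites (run once) ---
# asks you to press the reset button, then reboots with containers enabled
/system device-mode update container=yes
# external storage must be ext3/ext4; this erases the stick
/disk format-drive usb1 file-system=ext4

# --- container network: veth on its own bridge, NAT out through ether1 ---
/interface bridge add name=containers
/ip address add address=172.17.0.1/24 interface=containers
/interface veth add name=veth1 address=172.17.0.2/24 gateway=172.17.0.1
/interface bridge port add bridge=containers interface=veth1
/ip firewall nat add chain=srcnat src-address=172.17.0.0/24 out-interface=ether1 action=masquerade

# --- registry, and the mount that maps the USB folder onto nginx's web root ---
/container config set registry-url=https://registry-1.docker.io tmpdir=usb1/pull
/container mounts add name=html src=/usb1/html dst=/usr/share/nginx/html
/container add remote-image=nginx:latest interface=veth1 root-dir=usb1/nginx \
    mounts=html logging=yes start-on-boot=yes
# once "/container print" shows status=stopped (image extracted), start it:
# /container start [find interface=veth1]

# --- publish the router's TCP/80 to the container; no in-interface match, so
#     wireless clients reaching the router's own address get the site too ---
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 dst-address-type=local \
    action=dst-nat to-addresses=172.17.0.2 to-ports=80

# --- local name for the access point's clients ---
/ip dns set allow-remote-requests=yes
/ip dns static add name=coffee.local address=10.0.0.1
```

With the video's firewall left out, the dst-nat rule also answers on the WAN address; to keep the site LAN-only while testing, add in-interface-list=LAN to that rule, and keep allow-remote-requests paired with a filter rule that drops DNS arriving from the WAN.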

MikroTik RouterOS, since the 7.10 stable version, supports full-cone NAT (NAT1); in the earlier beta this feature had a problem: as soon as you enabled it the OS started rebooting endlessly, but now there is no problem at all. Open IP, choose Firewall, choose NAT, and create two rules here. For the first rule, under General, in the first option, Chain, select dstnat; in the Protocol option select udp; then go to Action and for the first item select endpoint-independent nat. Then we create the second rule: in the chain option directly select srcnat, and the other options are the same as the first rule. Let's test what network type I have now: Full cone, currently the most permissive network. If you don't want to create the rules manually, no problem, I also provide an automatic option; what I just showed was the manual one. I'll put these two commands in the comments section; just copy and paste them into the RouterOS terminal. I also want to share one more feature with you, DHCP options. Open DHCP Server and choose Leases. Here you can see all the devices assigned by DHCP on the LAN; for example this .196 is my phone. I want it to connect to the side router; if DHCP doesn't point to the side router's gateway and DNS, wouldn't I have to enter them manually, which is rather troublesome? DHCP options solve this problem perfectly. I first create the DNS and gateway addresses here, then merge the two; if you only change one address you don't need to merge. Note that the number in Code isn't arbitrary, it's standardized: DNS is 6, the gateway is 3. There are many more; you can look up the option code table. After creating the gateway and DNS under Options, go to Option Sets, write a name in Name, and in the option below add the gateway and DNS we just created, then click OK. Then go back to Leases, select an IP, and remember to click Make Static here to set it static, otherwise you can't change it. Double-click the IP. If you only change one option, choose Options to add it. If, like me, you change both, choose Option Set. Then disconnect the device from the network and reconnect, and it gets the assigned addresses. OK everyone, I'm Lin Qing, see you in the next video.
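The two endpoint-independent NAT rules and the DHCP option set from this transcript as RouterOS terminal commands. This is an added example, not the commands the author posted in the comments; it assumes an interface list named WAN, a LAN of 192.168.88.0/24, a DHCP server named dhcp1, a side router at 192.168.88.2, and the phone's MAC address as a placeholder. Full-cone NAT is deliberately limited to UDP arriving on or leaving through the WAN list, since it is the most permissive mapping a NAT can hand out.

```routeros
# Added example: full-cone (endpoint-independent) NAT for UDP on RouterOS 7.10+,
# placed above the existing masquerade/dst-nat rules, plus DHCP options 3 and 6
# delivered to one static lease. Placeholders: 00:11:22:33:44:55 (phone MAC).

/ip firewall nat add chain=dstnat protocol=udp in-interface-list=WAN \
    action=endpoint-independent-nat comment="full-cone: inbound mapping" place-before=0
/ip firewall nat add chain=srcnat protocol=udp out-interface-list=WAN \
    action=endpoint-independent-nat comment="full-cone: outbound mapping" place-before=0

# option 3 = router (default gateway), option 6 = DNS server;
# an IPv4 value is written inside single quotes
/ip dhcp-server option add name=gw-side code=3 value="'192.168.88.2'"
/ip dhcp-server option add name=dns-side code=6 value="'192.168.88.2'"
/ip dhcp-server option sets add name=side-router options=gw-side,dns-side

# pin the phone to a static lease and attach the set; every other client
# keeps the gateway and DNS from /ip dhcp-server network
/ip dhcp-server lease add address=192.168.88.196 mac-address=00:11:22:33:44:55 \
    server=dhcp1 dhcp-option-set=side-router
```

After the client renews its lease, /ip dhcp-server lease print detail shows the attached option set, and the client's own network settings should list 192.168.88.2 as both gateway and DNS while the rest of the LAN is unchanged.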

MikroTik RouterOS is a routing operating system; through this software a standard PC becomes a professional router. In this article the Xingyu Software editor describes in detail a MikroTik RouterOS soft-router setup tutorial for everyone's reference. Configuring under WinBox: enter the LAN IP you configured (link in the original article), download WinBox, enter the administrator user name admin; the default password is empty. As shown in the figure. Item 1, Interfaces: here you can change the names of your network cards and view overall LAN and WAN traffic. As shown. Item 2, IP: since you have already filled in the LAN and WAN IPs, there is no need to touch IP > Addresses again. Note: for the WAN subnet mask, ask your local telecom or Netcom office carefully. 2. IP > Routes: this is where you change the gateway you use, as shown. 3. IP > Pool. 4. IP > ARP, specifically: double-click the IP address with a D in front of it, click Tools, choose Copy and click OK; haha, the D in front is gone, congratulations, the binding succeeded. 5. IP > VRRP. 6. IP > Firewall. Having got this far, can you still not ping the Internet? Haha, there is no IP masquerade, of course you can't get online. IP > Firewall > Src. NAT: click the plus sign to add a rule; in the first item enter the LAN subnet you configured, not the gateway, followed by /24, not /32, remember that. Now you can get online, right?

At this point your soft router is very fragile, so let's strengthen it. The core of this article: firewall configuration. Input settings (figure). Change some important ports (figure). Why change ports (figure)? Obviously everyone knows the defaults, but what you changed only you know, haha, that's the effect, see? For example Telnet, WinBox and HTTP. Forward settings: this controls the security core of your internet café. Look at the figure first; basically they are all drop rules for TCP/UDP ports 134 to 139, port 445 and port 500, plus Xunlei 5, P2P and QQ Fantasy. Output settings: this item is fairly simple but very important; I think everyone understands. As shown. Virus settings: if the input and forward firewall items aren't achieving much, you can add a jump inside them, redirecting both items to the virus chain. Virus settings (figure): jump. Haha, the firewall setup is basically complete. Don't think it's simple: remember the order in which you write the rules, allow first and deny afterwards. Don't say I didn't tell you, otherwise you'll configure the firewall into a mess while still thinking your router is very secure, haha. Port mapping is fairly simple: IP > Firewall > Destination NAT, see the figure first. Load balancing: IP > Firewall > Connection Tracking; see my figure for the settings. Lunch time; I'll continue in the afternoon. There are also some frequently encountered problems and so on. Hehe, someone just asked me about the hardware configuration; I suggest a network card of around 60 yuan. 8139? Better not to use it for routing; the traffic is not small, so use it with caution. Other hardware doesn't matter much; I don't think hardware these days will be that bad, CPUs and memory are all super cheap. As for the network card order, taking three cards as an example, in my case, counting from the motherboard's graphics card side they are 3, 2, 1. Router RJ45 crimping: the router and the telecom side forward packets on the same device, so think about which wiring method to use. I'll keep you in suspense here and not say; I can't spoon-feed you everything, sometimes you learn more and deeper by doing it yourself.

What I want to know is whether the software is stable, whether the machine needs a high configuration for 100-plus machines, and whether it can control the download and upload traffic of each IP on the LAN, and whether limiting will make web pages on the LAN open slowly. A few days ago I bought a Xianuo router; it can only limit the total LAN speed, not each IP, and limiting upload and download overall affects the LAN and makes web pages open slowly. OP, I'd like to know these things; I don't know whether anyone has tested them, have these problems been solved?

The machine configuration requirements are not high, since there is no twelve.

Hi, welcome to another quick video. Previously we talked about QuickSet, and then we talked about ways to connect to your router. In this video we'll talk about upgrading your software, and with MikroTik software it's not as easy as it can be, because we have several different software releases, and this is what we're going to talk about. So why should you upgrade your router? Well, the reasons are obvious. First of all, sometimes we fix bugs. If you report those bugs to us, to support or to our forum or in any other way, we do fix those bugs and we release the bug fixes in software updates. And also there could be some performance improvements, or maybe security issues that are addressed. So it's very important to, from time to time, connect to your device and make sure you have the latest software.

So the best way to do it is, if you connect to your router and click on the QuickSet button, here you have the Check For Updates button at the bottom. If you click it, the Check For Updates window will open, and in the Check For Updates window you have the installed version, the latest version that the device has found on our web page, and there is a changelog here, and the changelog lists all of the fixes between versions, between this one and the previous one. Also you have the channel, and the channel is something that we need to talk about; that will come in a second. First, I wanted to show you: if you don't want to use QuickSet, you can find the same window in System > Packages. In System > Packages you can see all the packages that you have installed, and here you have the same Check For Updates button. Another way to update is to go to the MikroTik web page. On the web page, if you go to Hardware and find the device that you are using, let's say, if you go to Downloads, you will see the RouterOS current release and you can download the latest file. Then you can just drag the file to the WinBox window and it will upload it, and then you need to issue a system reboot command; it will also update it, just the same way as Check For Updates. If you are sure what kind of device you run and what system architecture it is using, you can go to the Software page here and download the required packages manually. Just click on the main package or extra packages. Extra packages usually contain some other tools; it's more for advanced users who want to install features separately one by one. For most people I suggest you stick to the main package or, best of all, simply use the Check For Updates window.

So what do we have here in the channel? We have long-term, stable, testing and development. They're ordered roughly in order of stability and features. So if you don't want to touch your device often, if you want to keep it on the most stable possible version and you don't care about the latest features, you can leave it at long-term. Long-term is a version that is very stable, has been out for a long time, nearly all critical issues have been fixed, and we sometimes release only security updates, and these versions are not updated very often. Most people should be using stable. This is a version that is considered usable for any situation, good for nearly everyone. Stable, as it's called, is stable, but we do release updates with new features and fix some bugs every now and then. Testing is something that should only be used for experimentation, for your lab environment where you want to try out some new feature, maybe experiment with something that's recently fixed, for example some kind of bug fix that you're waiting for and you want to try it as soon as possible. You can try out testing, but it's not guaranteed that this bug fix is final; it might change, we might release a new one tomorrow. Testing is for testing. And development: this is a channel that we used before we released version seven. It was to test, well, basically what others call a nightly build. Nobody is guaranteeing that this version will even boot; we just build it and release it so that, well, if you want, you can see what we're working on, but it should never be used in real setups, real networks. So for most people, stick to stable.

Another question: if you go to our web page, you'll see in the software we actually have version seven and version six. So what's the difference? We have a separate video on what's new in version seven. We had RouterOS version six out for many years, and in RouterOS version seven we were slowly, slowly developing the new features, and finally now it's out; you can finally use it, it's completely fine to use it for most people. Version six is the old one and version seven is the new one, that's basically it. There are some features that are not currently completely finalized in version seven; we have an article about that in our documentation. So if you go to our documentation, this page here, help.mikrotik.com/docs, if you go to the left-hand side menu and go to Getting Started, you have Upgrading to version seven. This article lists some of the biggest changes that we had and some issues that you might run into if you're running version six and you want to move on to version seven. So for example you can see BGP: it's okay to use, but some attention is required. So let's scroll down: a few features have changed, a few things have moved, and the same for other stuff. So User Manager is completely rebuilt; you have to know that if you're running version six and want to move to version seven. But if your router is brand new, there's absolutely no reason to use version six anymore; you can simply use version seven. It's working great, I use it on all of my devices, so just stick to seven, forget about six. So that's basically it: upgrade using the automatic Check For Updates button, either from the Packages menu or from the QuickSet menu, and for most people stick to stable. If you want to experiment with new features, try testing, and if you have a spare router that's on your desk, if you have a lab, if you want to poke around with the new features, only then look at development. But if you stick to stable, you'll be fine. That's it, thank you for watching.

A netizen had the following requirement: on MikroTik RouterOS, if the ADSL line freezes, it has not actually gone down, but the line is in an abnormal state with no traffic and no internet access. He needs a script that automatically detects this and, as soon as the line is found to be abnormal, automatically restarts that line. It can also monitor the network quality of the line, and you can customise it so that when packet loss reaches 3% it emails the technician or restarts the link. I just finished writing it for him and also shared the script on the Douyin platform. Friends who need this can refer to it in the video, or just take it and use it.

If somebody is trying to brute-force their way into your system, you need to stop them, but not with this; this is just some camera equipment. You need to use firewall rules. Previously we set up port knocking, which is going to hide your ports from most potential attackers, but regardless of whether you are using it or not, I'm going to show you some more firewall rules that you can use to limit the login attempts on your device. Here's the idea: whenever somebody is attempting to log into your device, they're opening up a new connection, so we can set up a series of address lists just like we did in port knocking, but when they move to the final stage, instead of being allowed access to your router they get put in a blacklist. With WinBox this would be straightforward, because whenever you fail to log in the connection is dropped, so one new connection is one new login, but SSH allows you to make three login attempts before it drops the connection, so keep this in mind when setting up the following rules.

As you can see, I've set up four rules that add an address to an address list: there's first attempt, second attempt, third attempt, and finally they get put in a blacklist, and I have named the lists Connection 1, Connection 2, Connection 3 and finally Brute Force Blacklist. And then I have a rule that accepts any connection from an address that is not in the brute force blacklist to the destination port, to simulate the functionality of a regular firewall that drops all incoming connections on a WAN port. An interesting thing you might notice about my example is that I am increasing the address list timeout with each connection attempt; I'm not just doubling it, I'm increasing it even further. There is a good reason for this: if I was an attacker, I could realize that making X login attempts puts me in a blacklist and I'm no longer allowed to connect for an entire day, but if I do X minus one connection attempts I'm only timed out for, let's say, five minutes, and then I can try again, so I could write a script for that. And this is exactly the case here: for SSH, each new connection gets three login attempts, so three new connections actually means nine connection attempts that you get before you are put in a blacklist. So if you were to do nine connection attempts, you would have to wait one hour before you can try again; better yet, you could make only six attempts and then have to wait fifteen minutes; or better yet, make only three attempts and then wait five minutes. So the point is, the maximum attempts that the attacker can squeeze out of this is three per five minutes, which is not a lot and would take a very long time to guess your password if your password is strong.

Now let's make some wrong login attempts, and some more. Now check our address list: you can see that I've already been put into Connection 1 and Connection 2, so if I continue guessing I'll be put into the blacklist. But now let's say I remember my password and I log in again. Okay, now the address list: I'm still there. If I were to open up more SSH connections to my device, I would essentially blacklist myself. So for this to be an actually reliable method, you would need to come up with a way to remove yourself from these address lists, or somehow whitelist yourself. I don't think you can quite do it with firewall rules, but you could come up with a script which monitors your log messages. As you can see, you get these log messages saying login failure for user so-and-so from an IP address, so you could have a script which blacklists that address, but that would be too complicated to include in this video. If you wish to learn more about security aspects of MikroTik devices, I suggest you get MikroTik certified. In fact, here I have the material from the MikroTik Certified Security Engineer course, which I was given when I attended a boot camp in Riga. If you wish to get certified, go to mikrotik.com/training and you can find boot camps that are happening all around the world, perhaps even near you.
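The escalating address lists described above, written out as RouterOS firewall filter rules. This is an added example, not the video's own configuration export; the list names, the 5 minute / 15 minute / 1 hour / 1 day timeouts and SSH on port 22 follow the video, while the admin_allow list and its address are assumptions added to address the self-blacklisting problem the video raises.

```routeros
# Added example (constructed values). Rules are evaluated top down, and
# add-src-to-address-list does not stop processing, so each new SSH connection
# moves the source one stage further; the fourth one lands in the blacklist.
/ip firewall address-list
# Assumption beyond the video: a static allow list so the admin address is
# never counted into the stages (constructed address).
add list=admin_allow address=192.0.2.10 comment="constructed admin host"

/ip firewall filter
# Admin address is accepted before any counting happens.
add chain=input protocol=tcp dst-port=22 src-address-list=admin_allow action=accept
# Blacklisted sources are dropped first, so their retries do not refresh the stage timers.
add chain=input protocol=tcp dst-port=22 src-address-list=brute_force_blacklist action=drop
# Stage 3 -> blacklist: fourth new connection, blocked for a day.
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=connection_3 \
    action=add-src-to-address-list address-list=brute_force_blacklist address-list-timeout=1d
# Stage 2 -> stage 3: third new connection (up to nine SSH tries so far), remembered for 1h.
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=connection_2 \
    action=add-src-to-address-list address-list=connection_3 address-list-timeout=1h
# Stage 1 -> stage 2: second new connection, remembered for 15m.
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=connection_1 \
    action=add-src-to-address-list address-list=connection_2 address-list-timeout=15m
# Any first new connection: remembered for 5m.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=connection_1 address-list-timeout=5m
# Accept SSH only from sources that are not blacklisted; everything else on
# the port is dropped, standing in for the usual drop-all rule on the WAN side.
add chain=input protocol=tcp dst-port=22 src-address-list=!brute_force_blacklist action=accept
add chain=input protocol=tcp dst-port=22 action=drop
```

To check the effect, /ip firewall address-list print shows which stage a source is in and how long until that entry expires.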