Router OS 配置脚本

# 创建 LAN 网桥并添加 ether2-ether6
/interface bridge add name=bridge-lan comment="LAN Bridge"
/interface bridge port add bridge=bridge-lan interface=ether2,ether3,ether4,ether5,ether6

# 配置 LAN 网桥 IPv4 地址
/ip address remove [find]
/ip address add address=192.168.6.1 interface=bridge-lan comment="LAN Gateway"

# 启用 IPv6 包
/system package enable ipv6

# 配置 IPv6 DHCP 客户端（从 ISP 获取前缀）
/ipv6 pool add name=ipv6-pool prefix=::/0 prefix-length=64
/ipv6 dhcp-client remove [find]
/ipv6 dhcp-client add interface=wan pool-name=ipv6-pool add-default-route=yes request=prefix use-peer-dns=yes

# 将 IPv6 前缀分配到 LAN 网桥
/ipv6 address remove [find interface=bridge-lan]
/ipv6 address add from-pool=ipv6-pool interface=bridge-lan advertise=yes

# 启用 IPv6 邻居发现（RA 广播）
/ipv6 nd set interface=bridge-lan advertise-mac-address=yes advertise-dns=yes other-configuration=yes numbers=0

# 配置 LAN DHCP Server（IPv4）
/ip pool remove [find name="lan-pool"]
/ip pool add name="lan-pool" ranges=192.168.6.50-192.168.6.200
/ip dhcp-server remove [find name="lan-dhcp"]
/ip dhcp-server add name="lan-dhcp" interface=bridge-lan address-pool=lan-pool lease-time=12h disabled=no
/ip dhcp-server network remove [find address=192.168.6.0/24]
/ip dhcp-server network add address=192.168.6.0/24 gateway=192.168.6.1 dns-server=192.168.6.1 comment="LAN DHCP Network"

# 清空旧防火墙规则
/ip firewall filter remove [find]
/ip firewall filter remove [find]

# IPv4 防火墙 + FastTrack
# 清空旧规则（可选）
/ip firewall filter remove [find]
/ip firewall nat remove [find]

# NAT 出口（IPv4）
/ip firewall nat add chain=srcnat out-interface=wan action=masquerade

# 允许已建立和相关连接
/ip firewall filter add chain=input connection-state=established,related action=accept comment="Allow established/related input"
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="Allow established/related forward"

# 丢弃无效连接
/ip firewall filter add chain=input connection-state=invalid action=drop comment="Drop invalid input"
/ip firewall filter add chain=forward connection-state=invalid action=drop comment="Drop invalid forward"

# 允许 LAN 访问路由器
/ip firewall filter add chain=input in-interface=bridge-lan action=accept comment="Allow LAN to router"

# 阻止 WAN 直接访问路由器（除非有特殊端口需要开放）
/ip firewall filter add chain=input in-interface=wan action=drop comment="Drop WAN to router"

# FastTrack（仅 IPv4 TCP/UDP 已建立连接）
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related hw-offload=yes comment="FastTrack"
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="Accept after FastTrack"

# 允许 LAN 到 WAN
/ip firewall filter add chain=forward in-interface=bridge-lan out-interface=wan action=accept comment="Allow LAN to WAN"

# 阻止其他转发流量
/ip firewall filter add chain=forward action=drop comment="Drop all other forward"

# IPv6 防火墙
# 清空旧规则（可选）
/ipv6 firewall filter remove [find]

# 允许已建立和相关连接
/ipv6 firewall filter add chain=input connection-state=established,related action=accept comment="Allow established/related input"
/ipv6 firewall filter add chain=forward connection-state=established,related action=accept comment="Allow established/related forward"

# 丢弃无效连接
/ipv6 firewall filter add chain=input connection-state=invalid action=drop comment="Drop invalid input"
/ipv6 firewall filter add chain=forward connection-state=invalid action=drop comment="Drop invalid forward"

# 允许 ICMPv6（必须，否则 IPv6 会有问题）
/ipv6 firewall filter add chain=input protocol=icmpv6 action=accept comment="Allow ICMPv6"
/ipv6 firewall filter add chain=forward protocol=icmpv6 action=accept comment="Allow ICMPv6 forward"

# 允许 LAN IPv6 访问路由器
/ipv6 firewall filter add chain=input in-interface=bridge-lan action=accept comment="Allow LAN IPv6 to router"

# 阻止 WAN IPv6 访问路由器
/ipv6 firewall filter add chain=input in-interface=wan action=drop comment="Drop IPv6 WAN to router"

# 允许 LAN IPv6 到 WAN
/ipv6 firewall filter add chain=forward in-interface=bridge-lan out-interface=wan action=accept comment="Allow LAN IPv6 to WAN"

# 阻止其他 IPv6 转发
/ipv6 firewall filter add chain=forward action=drop comment="Drop other IPv6 forward"

使用DHCP Option Sets

# 创建 DHCP Option（网关）
/ip dhcp-server option add name=proxy-gateway code=3 value="'192.168.6.6'"

# 创建 DHCP Option（DNS）
/ip dhcp-server option add name=proxy-dns code=6 value="'192.168.6.6'"

# 创建 Option Set
/ip dhcp-server option sets add name=proxy-set options=proxy-gateway,proxy-dns

添加清单列表的MAC到静态并分配静态IP地址

/ip dhcp-server lease add mac-address=38:E7:C0:D1:52:E5 address=192.168.6.23 dhcp-option-set=proxy-set comment="43OnnRokuTV"
/ip dhcp-server lease add mac-address=4E:C6:D1:B7:F5:3D address=192.168.6.24 dhcp-option-set=proxy-set comment="iPhone_L"
/ip dhcp-server lease add mac-address=A8:51:AB:C2:A9:13 address=192.168.6.41 dhcp-option-set=proxy-set
/ip dhcp-server lease add mac-address=38:86:F7:A2:B6:84 address=192.168.6.43 dhcp-option-set=proxy-set comment="GoogleTV"
/ip dhcp-server lease add mac-address=38:9E:80:8C:CA:FC address=192.168.6.4 comment="ZTE_G1612"
/ip dhcp-server lease add mac-address=30:1F:48:CB:1C:6C address=192.168.6.2 comment="ZTE_G7615"
/ip dhcp-server lease add mac-address=6C:1F:F7:0C:D4:95 address=192.168.6.11 dhcp-option-set=proxy-set comment="DXP4800"
/ip dhcp-server lease add mac-address=88:66:5A:40:F9:5B address=192.168.6.39 dhcp-option-set=proxy-set comment="MacbookPro"
/ip dhcp-server lease add mac-address=5C:1B:F4:9E:EB:C5 address=192.168.6.38 dhcp-option-set=proxy-set
/ip dhcp-server lease add mac-address=20:EF:BD:FA:F2:FB address=192.168.6.44 dhcp-option-set=proxy-set
/ip dhcp-server lease add mac-address=06:3A:48:7F:9C:BE address=192.168.6.36 dhcp-option-set=proxy-set comment="MacbookPro"
/ip dhcp-server lease add mac-address=C4:8B:66:B9:C2:87 address=192.168.6.51 dhcp-option-set=proxy-set
/ip dhcp-server lease add mac-address=D6:FE:88:39:FF:AE address=192.168.6.25 dhcp-option-set=proxy-set comment="MacbookPro"
/ip dhcp-server lease add mac-address=00:E0:4C:68:02:48 address=192.168.6.57 dhcp-option-set=proxy-set comment="MacMini"
/ip dhcp-server lease add mac-address=38:F6:CF:85:F8:9B address=192.168.6.5 comment="ZTE_G1615"

开启NTP自动对时

# RouterOS 默认时区是 UTC，要改成本地时间：
/system clock set time-zone-name=Asia/Shanghai
/system ntp client set enabled=yes server=ntp.aliyun.com,cn.pool.ntp.org
/system ntp client set mode=unicast
/system ntp client print

CLI单行自动备份脚本backup-with-date

/system script add name=backup-with-date source=":local rawdate [/system clock get date];:local dateStr \"\";:if ([:len \$rawdate] = 10 && [:pick \$rawdate 4 5] = \"-\") do={:local year [:pick \$rawdate 0 4];:local monthNum [:pick \$rawdate 5 7];:local day [:pick \$rawdate 8 10];:set dateStr (\$year . \"-\" . \$monthNum . \"-\" . \$day);};:if ([:len \$rawdate] = 11 && [:pick \$rawdate 3 4] = \"/\") do={:local month [:pick \$rawdate 0 3];:local day [:pick \$rawdate 4 6];:local year [:pick \$rawdate 7 11];:local monthNum \"\";:if (\$month = \"jan\") do={:set monthNum \"01\"};:if (\$month = \"feb\") do={:set monthNum \"02\"};:if (\$month = \"mar\") do={:set monthNum \"03\"};:if (\$month = \"apr\") do={:set monthNum \"04\"};:if (\$month = \"may\") do={:set monthNum \"05\"};:if (\$month = \"jun\") do={:set monthNum \"06\"};:if (\$month = \"jul\") do={:set monthNum \"07\"};:if (\$month = \"aug\") do={:set monthNum \"08\"};:if (\$month = \"sep\") do={:set monthNum \"09\"};:if (\$month = \"oct\") do={:set monthNum \"10\"};:if (\$month = \"nov\") do={:set monthNum \"11\"};:if (\$month = \"dec\") do={:set monthNum \"12\"};:set dateStr (\$year . \"-\" . \$monthNum . \"-\" . \$day);};/system backup save name=(\"backup-\" . \$dateStr);/export show-sensitive file=(\"export-\" . \$dateStr);:log info (\"Backup completed: backup-\" . \$dateStr);"

脚本执行

/file remove [find name~".backup|.rsc"]
/system script run backup-with-date

每周自动执行

/system scheduler add name=weekly-auto-backup start-time=03:00:00 interval=7d on-event=backup-with-date