RouterOS / MikroTik router configuration export to connect to the Orange/Sosh Livebox 4 fiber ONT (IPv4 + IPv6)
# jan/13/2020 08:34:56 by RouterOS 6.46.1
#
# notes: \
# - WAN to the Orange ONT on ether1; \
# - LAN to the AP/switch on ether2; \
# - IPv4 + IPv6 with firewall rules; \
# - using the RouterOS DNS cache for the LAN, proxying to the DNS servers advertised by Orange's DHCPv4 server; \
# - to obtain 'authsend': plug a computer running Wireshark directly into the Livebox 4's fiber Ethernet port, reboot the Livebox, inspect the DHCPv4 packet in Wireshark and extract the value of 'authsend'. This value is what authenticates your line to Orange: treat it as a secret and keep it out of shared exports (it is redacted below); \
# - the CoS tag needs to be set to 6 (from the default 0) to be accepted by the ONT's DHCPv4/v6 server; this may not be required depending on your ONT, check the CoS flag sent by your Livebox 4 when sniffing its traffic
#
# This export was produced on RouterOS 6.46.1 (early 2020). Before reusing it, run a current release and re-check each section against its release notes; some defaults and property names differ between versions.
# model = RB750Gr3
# --- Interfaces -----------------------------------------------------------
# Two bridges: bridge-lan carries the LAN port(s), bridge-wan carries only the
# tagged ONT VLAN (see "/interface bridge port"). protocol-mode=none turns STP
# off on both, which is fine as long as neither bridge is ever given a second,
# loop-capable port.
/interface bridge
# admin-mac is the MAC the LAN side presents (redacted in this export).
add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge-lan protocol-mode=none
add name=bridge-wan protocol-mode=none
/interface ethernet
set [ find default-name=ether1 ] name=ether1-wan speed=1Gbps
set [ find default-name=ether2 ] name=ether2-lan speed=1Gbps
# Unused ports are administratively down, so a stray cable cannot join the LAN.
set [ find default-name=ether3 ] disabled=yes name=ether3-noop speed=1Gbps
set [ find default-name=ether4 ] disabled=yes name=ether4-noop speed=1Gbps
set [ find default-name=ether5 ] disabled=yes name=ether5-noop speed=1Gbps
/interface vlan
# Orange delivers Internet on VLAN 832 of the ONT uplink.
add comment="ONT Internet" interface=ether1-wan name=vlan832-internet vlan-id=832
/interface list
# The WAN/LAN lists are what the firewall rules match on; their members are
# assigned under "/interface list member".
add comment=defconf name=WAN
add comment=defconf name=LAN
# --- DHCP identity sent to Orange ----------------------------------------
# The ONT's DHCP servers only lease an address to clients that present the
# Livebox's identity. The values below are the raw option payloads.
/ip dhcp-client option
# Option 77 (user class): 0x2b = 43 = length byte, followed by
# "FSVDSL_livebox.Internet.softathome.Livebox4".
add code=77 name=userclass value=0x2b46535644534c5f6c697665626f782e496e7465726e65742e736f66746174686f6d652e4c697665626f7834
# Option 90 (authentication): the per-line secret captured from the Livebox
# (see header note). It is redacted here; anyone holding the real value can
# obtain a lease on this line, so never commit it unredacted.
add code=90 name=authsend value="0x0000000000000000000000XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
# Option 60 (vendor class): "sagem".
add code=60 name=vendor-class-identifier value=0x736167656d
/ip pool
# LAN lease range; .1 is the router, .2-.9 are left free for static hosts.
add name=dhcp-lan ranges=10.0.1.10-10.0.1.254
/ip dhcp-server
add address-pool=dhcp-lan disabled=no interface=bridge-lan lease-time=1w name=defconf
/ipv6 dhcp-client option
# DHCPv6 counterparts of the three options above.
# Option 11 (authentication): same secret as the IPv4 option 90 (redacted).
add code=11 name=authsend value="0x0000000000000000000000XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
# Option 15 (user class): 2-byte length 0x002b = 43, then
# "FSVDSL_livebox.Internet.softathome.livebox4" (note: lowercase "livebox4",
# unlike the IPv4 value; kept as captured).
add code=15 name=userclass value=0x002b46535644534c5f6c697665626f782e496e7465726e65742e736f66746174686f6d652e6c697665626f7834
# Option 16 (vendor class): 4-byte enterprise number, 2-byte length 0x0005,
# then "sagem".
add code=16 name=vendor-class-identifier value=0x0000040e0005736167656d
/queue interface
# Default ethernet queue on every port; nothing is tuned here.
set ether1-wan queue=ethernet-default
set ether2-lan queue=ethernet-default
set ether3-noop queue=ethernet-default
set ether4-noop queue=ethernet-default
set ether5-noop queue=ethernet-default
/interface bridge filter
# Orange's DHCP servers only answer requests tagged CoS 6 (see header note);
# these two rules rewrite the 802.1p priority of outgoing DHCPv4 (udp/67) and
# DHCPv6 (udp/547) on the ONT VLAN. This is why the WAN VLAN sits in a bridge
# at all: bridge filters only see bridged traffic.
add action=set-priority chain=output comment="CoS should be 6 for Orange DHCPv4" dst-port=67 ip-protocol=udp mac-protocol=ip new-priority=6 out-interface=vlan832-internet passthrough=yes
# The DHCPv6 rule leaves passthrough at its default; if a rule is ever added
# after it, check that the later rule still sees these packets.
add action=set-priority chain=output dst-port=547 ip-protocol=udp mac-protocol=ipv6 new-priority=6 out-interface=vlan832-internet
/interface bridge port
# Only ether2 is an active LAN port; ether3-5 stay configured but disabled.
add bridge=bridge-lan comment=defconf interface=ether2-lan
add bridge=bridge-lan comment=defconf disabled=yes interface=ether3-noop
add bridge=bridge-lan comment=defconf disabled=yes interface=ether4-noop
add bridge=bridge-lan comment=defconf disabled=yes interface=ether5-noop
# bridge-wan holds just the tagged ONT VLAN, so the WAN DHCP clients, NAT and
# UPnP below all refer to bridge-wan, not to ether1-wan or the VLAN itself.
add bridge=bridge-wan interface=vlan832-internet
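/ip neighbor discovery-settings
# No MNDP/CDP/LLDP on any interface: nothing advertises this router's
# identity, version or addresses to neighbours, the ISP side included.
set discover-interface-list=none
/ip settings
# Strict reverse-path filtering: a packet is dropped unless the route back to
# its source leaves through the interface it arrived on (anti-spoofing).
# Requires symmetric routing, which this single-uplink setup has.
set rp-filter=strict
/ipv6 settings
# ICMPv6 redirects are ignored. Router advertisements are accepted, and the
# setting is global in this RouterOS version, so it also covers bridge-lan:
# a rogue RA on the LAN could alter this router's own IPv6 default route.
# NOTE(review): if the DHCPv6 client's add-default-route alone gives a working
# default route towards Orange, prefer yes-if-forwarding-disabled here —
# confirm with a test before changing.
set accept-redirects=no accept-router-advertisements=yes
/interface list member
# The defconf entry puts ether1-wan in the WAN list, but IP traffic from the
# ONT is received on bridge-wan (the interface the DHCP client, NAT and UPnP
# all use), so firewall rules matching in-interface-list=WAN never saw it.
# bridge-wan is added to the list so "drop all from WAN not DSTNATed" in
# "/ip firewall filter" actually matches; the ether1-wan entry is kept.
add comment=defconf interface=ether1-wan list=WAN
add comment="L3 WAN interface (bridge over vlan832-internet)" interface=bridge-wan list=WAN
add comment=defconf interface=bridge-lan list=LAN
/ip address
add address=10.0.1.1/24 comment=defconf interface=bridge-lan network=10.0.1.0
/ip cloud
# No clock sync through MikroTik's cloud service. ddns-enabled is not shown,
# so it is at its default (off); leave it that way unless remote access to
# this router is actually wanted.
set update-time=no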
/ip dhcp-client
# WAN DHCPv4 on bridge-wan, sending the Orange-specific options defined above
# (option 90 carries the line's authentication secret). add-default-route,
# use-peer-dns and use-peer-ntp are not listed, so they keep their defaults;
# the header note confirms the ISP-advertised DNS servers are used upstream.
# NOTE(review): if the ISP-handed NTP servers are not wanted either, set
# use-peer-ntp=no explicitly so "/system ntp client" below stays in control.
add dhcp-options=vendor-class-identifier,clientid,userclass,authsend disabled=no interface=bridge-wan
/ip dhcp-server network
# LAN clients get the router as gateway and resolver. The domain "home"
# differs from the "router.lan" static name below (cosmetic, worth aligning).
add address=10.0.1.0/24 comment=defconf dns-server=10.0.1.1 domain=home gateway=10.0.1.1 netmask=24
/ip dns
# allow-remote-requests=yes makes the router answer DNS on EVERY interface,
# WAN included. It is not an open resolver only because the input chains
# ("drop all not coming from LAN" for IPv4, the final drop for IPv6) reject
# DNS arriving from the WAN side — keep that dependency in mind when editing
# the firewall. Upstream queries go to the ISP's resolvers in clear text.
set allow-remote-requests=yes cache-max-ttl=1d max-concurrent-queries=200 max-concurrent-tcp-sessions=50 query-server-timeout=3s
/ip dns static
add address=10.0.1.1 name=router.lan
/ip firewall filter
# Forward: fasttrack marks established/related flows so they bypass the rest
# of the filter. Fine here, but anything that must see every packet (queues,
# mangle) will not see fasttracked ones.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
# Input: established/related/untracked in, invalid out, ICMP from anywhere
# (unrated: echo/traceroute from the Internet are answered), then everything
# that did not arrive on a LAN-list interface is dropped. That last rule is
# what keeps SSH and the DNS cache off the Internet.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Forward: new connections from the WAN list are dropped unless a DSTNAT
# (including a UPnP mapping) created them. The match is by interface LIST,
# so it only works if that list contains the interface IP traffic actually
# arrives on — bridge-wan, the interface the DHCP client and NAT use; check
# "/interface list member". There is no final drop in this chain, so a miss
# here falls through to the chain's default accept.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Source NAT for everything leaving towards the ONT.
add action=masquerade chain=srcnat comment="NAT LAN to WAN" out-interface=bridge-wan
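/ip service
# Every management service except SSH is off (telnet, ftp, www, api, winbox,
# api-ssl). www-ssl is not listed, so it stays at its default.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
# SSH is the only management service left. The IPv4 input chain already drops
# non-LAN traffic, but binding the service to the LAN subnet is cheap defence
# in depth against a future firewall mistake. This also excludes IPv6 LAN
# clients (their prefix is delegated and may change); add it here if IPv6
# management is needed.
set ssh address=10.0.1.0/24
/ip ssh
# strong-crypto=yes disables the weak ciphers/MACs. forwarding-enabled=remote
# lets an authenticated SSH client ask the router to open listening ports
# (ssh -R); set it to "no" unless that reverse-tunnel use is actually wanted.
set forwarding-enabled=remote strong-crypto=yes
/ip upnp
# UPnP lets ANY LAN host (including malware on one) create inbound IPv4 port
# mappings through the WAN, and the forward rule "drop all from WAN not
# DSTNATed" admits those mappings. Disable it if no LAN application needs it.
# allow-disable-external-interface=no keeps LAN hosts from taking the WAN
# interface down via UPnP.
set allow-disable-external-interface=no enabled=yes
/ip upnp interfaces
add interface=bridge-wan type=external
add interface=bridge-lan type=internal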
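/ipv6 address
# Give the LAN the delegated prefix (pool dhcp-wan, filled by the DHCPv6
# client below). advertise is left at its default here; verify with a LAN
# client that the prefix is actually announced.
add address=::1 from-pool=dhcp-wan interface=bridge-lan
/ipv6 dhcp-client
# Prefix delegation only (request=prefix), with the same Orange auth/user/
# vendor options as IPv4; add-default-route=yes installs a default route
# learned from the DHCPv6 exchange.
add add-default-route=yes dhcp-options=authsend,userclass,vendor-class-identifier interface=bridge-wan pool-name=dhcp-wan request=prefix
/ipv6 firewall filter
# Input: LAN is trusted, ICMPv6 is needed for ND/PMTUD and is accepted from
# anywhere (unrated), DHCPv6 replies are accepted only from the address the
# Orange server is expected to use, everything else is dropped.
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input in-interface-list=LAN
add action=accept chain=input protocol=icmpv6
# fe80::ba0:bab is the link-local source the Orange DHCPv6 server answers
# from; if prefix delegation stops renewing, check this address first.
add action=accept chain=input dst-port=546 in-interface=bridge-wan protocol=udp src-address=fe80::ba0:bab/128
add action=drop chain=input
# Forward: LAN hosts carry global addresses, so this chain is the only thing
# between the Internet and them — only established/related, LAN-originated
# and ICMPv6 (echo requests included, by design) get through.
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN
add action=accept chain=forward protocol=icmpv6
add action=drop chain=forward
/ipv6 nd
# Router advertisements: the default ND entry applies to ALL interfaces, so
# it is pinned to bridge-lan here — this router must never announce itself
# as a router on the ONT side. advertise-dns=no: LAN clients get their
# resolver from DHCPv4 only (see "/ip dhcp-server network").
set [ find default=yes ] advertise-dns=no interface=bridge-lan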
/system clock
set time-zone-name=Europe/Paris
/system identity
set name="MikroTik Router"
/system note
# Shown at login; the contact address is redacted in this export.
set note="XXX XXX <[email protected]> - Authorized administrators only. Access to this device is monitored."
/system ntp client
# Time from the public NTP pool over plain, unauthenticated UDP: an on-path
# party on the WAN can skew the clock (log timestamps, any time-based check).
# Acceptable for a home router, but do not treat the clock as trustworthy
# evidence.
set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
/system resource irq rps
# Receive packet steering enabled on every port.
set ether1-wan disabled=no
set ether2-lan disabled=no
set ether3-noop disabled=no
set ether4-noop disabled=no
set ether5-noop disabled=no
/system watchdog
# Hardware watchdog is OFF: a hung RouterOS will not reboot itself. Turn it
# back on if the box is not physically easy to reach.
set watchdog-timer=no
/tool bandwidth-server
# Bandwidth-test server off: one less service that generates traffic on
# request.
set enabled=no
/tool mac-server
# No MAC-level telnet/Winbox/ping on any interface: the router is reachable
# only over IP, so the IP firewall governs all management access.
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
For some reason, IPv6 was disabled on my router; I had to add `/ipv6 settings set disable-ipv6=no` before the IPv6 sections above took effect.
jan/13/2020
Additional changes I applied after this export (not in the configuration above; apply the diff if needed):
1. Replace the ISP's peer DNS resolvers with Cloudflare's 1.1.1.1, and turn off `use-peer-dns` on the `dhcp-client` for both the IPv4 and IPv6 stacks, so that RouterOS does not mix custom resolvers with the ISP's ones. (The exact commands were not captured in this copy of the comment.)
2. Add a new property on the IPv6 DHCP client. (The property itself was not captured in this copy of the comment.)
3. Forcibly renew DHCP leases if the fiber goes down: a script that detects the DHCP client being stuck in the `searching...` state and recovers it (the script itself was not captured in this copy). Note that simply calling `renew` does not work; using `release` works but it allocates a new IPv4, which I don't want. This has been tested and fixes the issue I had, replicated by unplugging the fiber from the ONT, waiting more than 10 minutes, confirming that no packets could be routed to the WAN anymore, then executing the script and confirming that WAN routing worked again. Note that it is important to ping at least 2 different providers, as you do not want the WAN connection to be deemed down if, e.g., the Google Public DNS target IPs are all down (more providers is better; 2 providers is the minimum).