Bonjour,
Je me suis aussi lancé dans le changement de mon ONT Huawei puis LB 5 avec un ONU FS.com dans mon bon vieux RB3011 sous ROS 7.3.1 (merci à tous les contributeurs et à l'OP pour le travail de recherche et de test accompli).
Et en IPV4 ça a fonctionné sans souci, simplement en changeant le numéro de série par celui de l'ONT de la LB 5. Le MikroTik est un peu sous-dimensionné pour arriver au gigabit avec du bridge filter pour le COS6 (unique façon à ma connaissance de le faire avec l'ONU SFP, vu que pour ce routeur spécifique, le port SFP n'est raccroché à aucun switch), mais je m'en suis arrangé avec des scripts qui désactivent la règle quand le bail IP est récupéré ou après un renouvellement.
Donc jusque-là je peux flex en soirée.
J’essaie maintenant de passer au niveau supérieur avec double stack IPV4-IPV6 (un monde inconnu pour moi) en suivant le tuto GNUByte.
J'ai vu dans différents posts qu'il y a peut-être un paramétrage supplémentaire sur l'ONU (modification obscure d'un fichier de conf), mais avant de me lancer dans une opération qui pourrait potentiellement briquer l'ONU, je me demandais si ça ne pouvait pas simplement venir d'une erreur de conf de ma part.
@gyto6 tu avais le même souci : ça passait en V4 mais pas en V6 jusqu'à ce que tu modifies le fichier data_1g_8q.ini de l'ONU ?
Je sollicite donc vos lumières pour m'aider.
Ma conf pour les courageux
# Bridges: br-wan is the WAN-side bridge (the VLAN 832 interface is attached to it in the
# /interface bridge port section). "bridge" is the default-config bridge; no port is
# attached to it anywhere in this export.
/interface bridge
add comment="Bridge WAN" name=br-wan protocol-mode=none
add admin-mac=C4:AD:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge
# Physical ports: ether1 is renamed and used as the LAN port; ether2-5, 7, 8 and 10 are
# administratively disabled.
# NOTE(review): ether6 and ether9 are not listed, so they presumably keep their defaults
# (enabled) - disable them too if they are unused.
/interface ethernet
set [ find default-name=ether1 ] comment=LAN name=ether1-LAN
set [ find default-name=ether2 ] disabled=yes
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=ether7 ] disabled=yes
set [ find default-name=ether8 ] disabled=yes
set [ find default-name=ether10 ] disabled=yes
# SFP cage holding the ONU: auto-negotiation is off and the link speed is forced to 2.5Gbps.
set [ find default-name=sfp1 ] auto-negotiation=no comment=WAN name=sfp1-WAN speed=2.5Gbps
# Tagged sub-interface for VLAN 832 on the SFP port; the name says it carries the Internet service.
/interface vlan
add interface=sfp1-WAN loop-protect=off loop-protect-disable-time=0s name=vlan832-internet vlan-id=832
# Default wireless security profile; only the supplicant identity is set.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# DHCPv4 client options sent to the ISP: 77 (user class), 90 (authentication) and
# 60 (vendor class identifier).
# NOTE(review): the option 90 value is partly masked in the post; it presumably encodes the
# subscriber login, so treat the unmasked value as a credential and keep it out of public
# exports - confirm against the guide this was taken from.
/ip dhcp-client option
add code=77 name=user-class value="'+FSVDSL_livebox.Internet.softathome.Livebox4'"
add code=90 name=identifiant value=0x00000000000000000000001a090000055XXXXXXXXXXXXXXXXXXXX
add code=60 name=dhcp-class-identifier value="'sagem'"
# Address pools for the DHCP servers.
# NOTE(review): 11.0.0.0/8 is not an RFC 1918 private range; using it internally hides the
# real owners of those addresses from LAN hosts. No address or DHCP server in this export
# uses dhcp_dmz, so moving it to a private range (10/8, 172.16/12, 192.168/16) looks free.
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=dhcp_appartement_pool ranges=10.0.1.2-10.0.1.254
add name=dhcp_dmz ranges=11.0.0.2-11.0.0.254
# DHCP servers: "defconf" is bound to the port-less default bridge, "dhcp-appartement" serves
# the LAN port.
/ip dhcp-server
add address-pool=dhcp interface=bridge name=defconf
add address-pool=dhcp_appartement_pool always-broadcast=yes interface=ether1-LAN name=dhcp-appartement
# DHCPv6 client options: 16 (vendor class), 15 (user class) and 11 (authentication).
# The option 11 value is masked like its DHCPv4 counterpart; the same credential caveat applies.
/ipv6 dhcp-client option
add code=16 name=class-identifier value=0x0000040e0005736167656d
add code=15 name=user-class value="'+FSVDSL_livebox.Internet.softathome.Livebox4'"
add code=11 name=identifiant value=0x00000000000000000000001a090000055XXXXXXXXXXXXXXXXX
# Serial port naming and interface queues (both LAN and WAN use ethernet-default).
/port
set 0 name=serial0
/queue interface
set ether1-LAN queue=ethernet-default
set sfp1-WAN queue=ethernet-default
# Bridge filter rules that set priority 6 on DHCP client traffic leaving through
# vlan832-internet: item 0 matches DHCPv4 (udp/67), item 1 matches DHCPv6 (udp/547).
# Both are exported disabled. The scheduler entries and scripts in this export only ever
# enable/disable item 0, so the DHCPv6 rule stays off during any DHCPv6 exchange.
# NOTE(review): item 1 has no out-bridge matcher, unlike item 0 - confirm this is intended.
/interface bridge filter
add action=set-priority chain=output disabled=yes dst-port=67 ip-protocol=udp mac-protocol=ip new-priority=6 out-bridge=br-wan out-interface=vlan832-internet passthrough=yes
add action=set-priority chain=output disabled=yes dst-port=547 ip-protocol=udp mac-protocol=ipv6 new-priority=6 out-interface=vlan832-internet passthrough=yes
# The VLAN 832 interface is the only port of br-wan.
/interface bridge port
add bridge=br-wan ingress-filtering=no interface=vlan832-internet
# NOTE(review): "!dynamic" selects every non-dynamic interface, WAN-side ones included, so
# the router announces itself (neighbor discovery) toward the ISP as well. Restricting this
# to an interface list that contains only ether1-LAN avoids leaking model/version upstream.
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/ip settings
set max-neighbor-entries=8192
# NOTE(review): disable-ipv6=yes switches the IPv6 stack off; as long as it is set, the
# DHCPv6 client, addresses and firewall in the /ipv6 sections cannot take effect. Check this
# before touching the ONU configuration.
/ipv6 settings
set accept-router-advertisements=yes disable-ipv6=yes max-neighbor-entries=8192
# LAN gateway address on ether1-LAN. No address is configured for 192.168.88.0/24 or for the
# dhcp_dmz range in this export.
/ip address
add address=10.0.1.1/24 interface=ether1-LAN network=10.0.1.0
# DHCPv4 client toward the ISP, bound to br-wan, sending the three custom options plus the
# built-in clientid and hostname options.
/ip dhcp-client
add comment=defconf dhcp-options=dhcp-class-identifier,user-class,identifiant,clientid,hostname interface=br-wan
# DHCP server networks. LAN clients are handed 10.0.1.2 and 10.0.1.3 as resolvers, not the
# router itself.
/ip dhcp-server network
add address=10.0.1.0/24 comment=Appartement dns-server=10.0.1.2,10.0.1.3 gateway=10.0.1.1 netmask=24
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1
# Static DNS entry left over from the default configuration.
/ip dns static
add address=192.168.88.1 name=router.lan
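# IPv4 firewall. Rules are evaluated top to bottom within a chain, so order matters.
# Changes made in review, relative to the posted export:
#  - the early "defconf: accept ICMP" input rule is removed: it accepted every ICMP packet
#    before the later jump to the ICMP chain, so that chain's rate limit and type filtering
#    never applied to traffic addressed to the router;
#  - the two DNS accepts now use dst-port and exclude br-wan: "port" matches the source OR the
#    destination port, so the original rules also accepted any WAN packet whose source port
#    was 53, toward any service on the router, ahead of the final input drop;
#  - a forward drop for new WAN-originated connections that were not dst-nat'ed is added;
#    the forward chain otherwise had no rule stopping unsolicited inbound traffic.
# Everything else is kept in its original order.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=input comment="Add Syn Flood IP to the list" connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=input comment="Port Scanner Detect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="Drop to port scan list" src-address-list=Port_Scanner
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=add-src-to-address-list address-list=spammers address-list-timeout=3h chain=forward comment="Add Spammers to the list for 3 hours" connection-limit=30,32 dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward comment="Avoid spammers action" dst-port=25,587 protocol=tcp src-address-list=spammers
add action=drop chain=forward comment="Drop new connections from WAN that are not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=br-wan
add action=accept chain=input comment="Accept DNS - UDP" dst-port=53 in-interface=!br-wan protocol=udp
add action=accept chain=input comment="Accept DNS - TCP" dst-port=53 in-interface=!br-wan protocol=tcp
# The next two rules repeat what the first input rule already accepts; kept as posted.
add action=accept chain=input comment="Accept to established connections" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
# NOTE(review): no /ip firewall address-list section appears in this export, so "support"
# is presumably empty and this rule matches nothing until the list is populated.
add action=accept chain=input comment="Full access to SUPPORT address list" src-address-list=support
# Final input drop. It is exported without disabled=yes, i.e. it is active despite the
# warning in its comment.
add action=drop chain=input comment="Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED"
# ICMP chain: rate-limited echo request, echo reply, time exceeded, destination unreachable
# (codes 0-1) and fragmentation-needed for PMTUD; every other ICMP type is dropped.
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=1,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment=PMTUD icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp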
# Source NAT: everything leaving through br-wan is masqueraded.
/ip firewall nat
add action=masquerade chain=srcnat comment="NAT LAN TO WAN: masquerade" out-interface=br-wan
# All connection-tracking helpers listed here are switched off.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
# Static route for the LAN subnet plus a blackhole route for the same prefix.
# NOTE(review): 10.0.1.0/24 is already directly connected through the address on ether1-LAN;
# confirm both entries are still needed.
/ip route
add disabled=no dst-address=10.0.1.0/24 gateway=ether1-LAN
add blackhole disabled=no dst-address=10.0.1.0/24
# Only telnet is disabled here.
# NOTE(review): the other management services (ftp, www, ssh, api, api-ssl, winbox) are not
# listed, so they presumably run with defaults and rely entirely on the firewall input
# chain. Disable the unused ones and restrict the rest with address= to the LAN subnet.
/ip service
set telnet disabled=yes
# NOTE(review): UPnP lets LAN hosts request inbound port mappings on their own. No
# /ip upnp interfaces section is shown, so it may be inert; if it is not needed, disable it.
/ip upnp
set enabled=yes
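# IPv6: LAN address taken from the delegated pool, DHCPv6 prefix-delegation client on br-wan,
# firewall, and neighbor discovery. The address, the client and the default ND entry are all
# exported disabled, and /ipv6 settings has disable-ipv6=yes, so none of this is active yet.
# Changes made in review:
#  - the dhcp-options parameter was given twice on the DHCPv6 client line; it now appears once;
#  - the firewall held a single accept rule and no drop, which means that once IPv6 is
#    enabled every LAN host with a delegated global address is reachable from the Internet
#    (there is no NAT in front of it). A minimal stateful baseline is added around the
#    original DHCPv6 rule.
/ipv6 address
add address=::1 disabled=yes from-pool=pool_FT_6 interface=ether1-LAN
/ipv6 dhcp-client
add add-default-route=yes dhcp-options=class-identifier,user-class,identifiant disabled=yes interface=br-wan pool-name=pool_FT_6 request=prefix
/ipv6 firewall filter
add action=accept chain=input comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
# ICMPv6 must stay open: neighbor discovery, router advertisements and PMTUD depend on it.
add action=accept chain=input comment="Accept ICMPv6" protocol=icmpv6
# Original rule: DHCPv6 replies to the client port, only from the pinned link-local source.
add action=accept chain=input dst-port=546 in-interface=br-wan protocol=udp src-address=fe80::ba0:bab/128
add action=drop chain=input comment="Drop everything else arriving on WAN" in-interface=br-wan
add action=accept chain=forward comment="Accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="Accept ICMPv6" protocol=icmpv6
add action=drop chain=forward comment="Drop new connections from WAN toward LAN hosts" connection-state=new in-interface=br-wan
# NOTE(review): with the default ND entry disabled and no entry for ether1-LAN shown, LAN
# hosts will presumably receive no router advertisements - confirm once IPv6 is enabled.
/ipv6 nd
set [ find default=yes ] disabled=yes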
# Front-panel display, time zone and router identity.
/lcd
set default-screen=informative-slideshow
/system clock
set time-zone-name=Europe/Paris
/system identity
set name=Routeur-Appart
# Scheduled jobs. The three lease-related jobs share one pattern: enable bridge filter item 0
# (the DHCPv4 priority rule), renew or restart the DHCPv4 client, wait, then disable item 0
# again. None of them touches bridge filter item 1 (the DHCPv6 rule).
# NOTE(review): every job carries almost the full policy set (ftp, reboot, password, sniff,
# sensitive, romon ...). These jobs only toggle configuration, ping and fetch a URL; trim the
# policies to what they use. The scripts they call carry the same policies, and a caller
# presumably needs at least the policies of the script it runs, so trim both together.
# NOTE(review): the jobs call "/system script run freedns.afraid.org", but the only dynamic
# DNS script in the /system script section shown is named IPV4.freedns.afraid.org - confirm
# the name, otherwise that last step fails on every run.
# NOTE(review): items are addressed by position ("filter enable 0", "dhcp-client disable 0");
# adding or reordering entries silently retargets these commands.
/system scheduler
add interval=1d name="Renew Orange Lease" on-event=":delay 5000ms\r\
\n/interface bridge filter enable 0\r\
\n:delay 1000ms\r\
\n/ip dhcp-client renew br-wan\r\
\n:delay 2000ms\r\
\n/interface bridge filter disable 0\r\
\n/system script run freedns.afraid.org" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add name="Get IP upon startup" on-event="/ip dhcp-client disable br-wan\r\
\n/interface bridge filter enable 0\r\
\n/ip dhcp-client enable br-wan\r\
\n:delay 2000ms\r\
\n/interface bridge filter disable 0\r\
\n/system script run freedns.afraid.org" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add interval=1m name="Check Internet connectivity" on-event=\
":delay 10000ms\r\
\n:if ( [/ping 8.8.8.8 interface=br-wan count=6 ] = 0 ) do={\r\
\n/ip dhcp-client disable 0\r\
\n:delay 2000ms\r\
\n/interface bridge filter enable 0\r\
\n/ip dhcp-client enable 0\r\
\n:delay 2000ms\r\
\n/interface bridge filter disable 0\r\
\n/system script run freedns.afraid.org\r\
\n}\r\
\n" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-time=startup
add interval=1m name=IPV4.freedns.afraid.org on-event="/system script run freedns.afraid.org" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
# Helper scripts around the DHCPv4 lease. All of them address bridge filter item 0 and
# DHCP client item 0 by position.
# NOTE(review): each script is granted nearly every policy (ftp, reboot, password, sniff,
# sensitive, romon ...) although the sources below only enable/disable items and renew a
# lease; reduce the policy list to what the source uses.
/system script
# Restart the DHCPv4 client with the priority rule enabled, then disable the rule again.
add dont-require-permissions=no name="Get IP from ORANGE" owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip dhcp-client disable 0\r\
\n:delay 2000ms\r\
\n/interface bridge filter enable 0\r\
\n/ip dhcp-client enable 0\r\
\n:delay 2000ms\r\
\n/interface bridge filter disable 0"
# Safety net: reads the "disabled" flag of bridge filter item 0 and disables the rule when it
# is found enabled. The variable name is inverted - it holds the disabled flag.
add dont-require-permissions=no name="Check bridge filter enabled" owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=\
":local isBridgeRuleEnabled\r\
\n:set isBridgeRuleEnabled[/interface bridge filter get number=0 disabled]\r\
\nif(\$isBridgeRuleEnabled) do={\r\
\n# Rule is disabled do nothing\r\
\n} else={\r\
\n# Rule is enabled, disable it\r\
\n/interface bridge filter disable 0\r\
\n}"
# Renew the lease on br-wan with the priority rule enabled, then disable the rule again.
add dont-require-permissions=no name="Renew Orange Lease" owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/interface bridge filter enable 0\r\
\n:delay 1000ms\r\
\n/ip dhcp-client renew br-wan\r\
\n:delay 2000ms\r\
\n/interface bridge filter disable 0"
# Dynamic DNS updater for freedns.afraid.org: caches the API answer in /freedns.txt, extracts
# the address currently published for the domain, compares it with the address on br-wan and
# calls the update URL when they differ.
# NOTE(review): both URLs end right after "update.php?", so the account's update token has
# presumably been stripped for the post. In a live config that token is a secret: it sits in
# this script source, in global variables and in any export, so restrict who can read them.
# NOTE(review): as pasted, the quote after "update.php\?" is not escaped, which would end the
# source string early on import - presumably an artefact of removing the token.
# NOTE(review): keep the URLs on https (the embedded advice to fall back to http would send
# the token in clear text), and consider check-certificate=yes on /tool fetch, which
# presumably does not validate the server certificate by default - confirm for this release.
# NOTE(review): the policy list grants far more than the read, write, test and file transfer
# rights the source appears to use.
add dont-require-permissions=no name=IPV4.freedns.afraid.org owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="##############\tScript FreeDNS.afraid.org\t##################\r\
\n##############\tPARSER EDITION\t##################\r\
\n##############\tCREATED LESHIY_ODESSA\t##################\r\
\n\t\r\
\n# Specify the \"Direct URL\", which is https://freedns.afraid.org/dynamic/\r\
\n# If RouterOS version 5.xx, then remove from the URL encryption - \"https\" change this to \"http\". Also see below.\r\
\n# In front of the sign \"\?\" put a backslash \"\\\".\r\
\n:global \"direct-url\" \"https://freedns.afraid.org/dynamic/update.php\?"\r\
\n\r\
\n# Specify the URL API \"ASCII\"\r\
\n# Log in under your account and open the page https://freedns.afraid.org/api/\r\
\n# Then copy the URL of your site - Available API Interfaces : ASCII (!!! NOT XML !!!)\r\
\n# ATTENTION!!!! Before the question mark, put a backslash \"\\\".\r\
\n# If RouterOS version 5.xx, then remove from the URL encryption - \"https\" change this to \"http\".\r\
\n:global \"api-url\" \"https://freedns.afraid.org/dynamic/update.php\\\?"\r\
\n\r\
\n \t\r\
\n# Specify your domain or subdomain.\r\
\n:global \"dns-domain\" \"blr.fr.to\"\r\
\n\r\
\n# Define variables for the external (WAN) interface\r\
\n# Case sensitive.\r\
\n:global \"out-interface\" \"br-wan\"\r\
\n \t\t\r\
\n# !!!!!!!!!!!!!!!!! Nothing more do not need to edit!!!!!!!!!!!!!!!!!\r\
\n \t\t\r\
\n# Check whether the file with the IP domain - freedns.txt\r\
\n:if ([:len [/file find name=freedns.txt]] > 0) do={\r\
\n} else={\r\
\n/tool fetch url=\$\"api-url\" dst-path=\"/freedns.txt\"\r\
\n}\r\
\n# Find out the IP address of the domain using the API and parsing.\r\
\n# Split the file\r\
\n:local \"result\" [/file get freedns.txt contents]\r\
\n:local \"startloc\" ([:find \$\"result\" \$\"dns-domain\"] + ([:len \$\"dns-domain\"] + 1))\r\
\n:local \"endloc\" ([:find \$\"result\" \$\"direct-url\" -1] -1)\r\
\n:global \"dns-domain-ip\" [:pick \$\"result\" \$\"startloc\" \$\"endloc\"]\r\
\n \t\t\r\
\n# Find the current IP address on the external interface\r\
\n:global \"current-ip\" [/ip address get [find interface=\$\"out-interface\"] address]\r\
\n \t\r\
\n# Obtained from IP addresses to be excluded subnet mask\r\
\n:set \"current-ip\" [:pick \$\"current-ip\" 0 ([:len \$\"current-ip\"]-3) ]\r\
\n \t\t\r\
\n# Compare the external IP with the IP address of the DNS domain.\r\
\n:if (\$\"current-ip\" != \$\"dns-domain-ip\") do={\r\
\n\r\
\n# If different, then sent to freedns.afraid.org our external IP by using Direct URL\r\
\n:log info (\"Service Dynamic DNS: old IP address \$\"dns-domain-ip\" for \$\"dns-domain\" CHANGED to -> \$\"current-ip\"\")\r\
\n/tool fetch url=\$\"direct-url\" keep-result=no\r\
\n# Download the file with the new IP after 5 sec.\r\
\n:delay 5\r\
\n/tool fetch url=\$\"api-url\" dst-path=\"/freedns.txt\"\r\
\n} else={\r\
\n# Not to clog the log, you need to comment out this line.\r\
\n:log info (\"IP address is NOT CHANGED, the update is not required\")\r\
\n}\r\
\n \t\r\
\n# Since version RouterOS version 6.0rc12 supported encryption /tool fetch mode=https\r\
\n# In :global \"direct-url\" need to change to httpS://\r\
\n# For RouterOS version 6.xx\r\
\n# /tool fetch mode=https url=\$\"direct url\"\r\
\n# :global \"direct-url\" \"https://freedns.afraid.org/dynamic/update.php\\\\"\r\
\n\r\
\n#\t\thttp://wiki.mikrotik.com/wiki/Manual:Scripting\r\
\n#\t\thttp://wiki.mikrotik.com/wiki/Manual:Scripting-examples\r\
\n#\t\thttp://wiki.mikrotik.com/wiki/Manual:Tools/Fetch\r\
\n#\t\thttp://forum.ixbt.com/topic.cgi\?id=14:60498-86#2373\r\
\n\r\
\n##############Script FreeDNS.afraid.org##################"
En vous remerciant