Splitting Routing and GFWlist Domains with Bird & Clash in RouterOS
Tested on RouterOS 7.1.3
Tested Running Inside RouterOS container 7.6
RouterOS is a powerful operating system for router from Mikrotik.
Although it is based on linux kernel but it is closed. It is impossible to run any third party services inside it. (though 7.1rc3-rc4 includes docker ...)
After searching many articles and tutorials from google, just found the same setting among them is to change the main router's gateway and DNS server to another device ip address.
Yes, it works, but it may cause your network down when the "another device" is down, then you will have more than two devices to fix, it's somehow waste of time.
I personally prefer everything is handled by RouterOS which will be easier to maintain and debug when there is any network problem .
So I created a Dockerfile to build the clash and bird together into a docker image.
Here is my solution based on Clash and OSPF running inside docker.
1, Keep your RouterOS as it is. (Gateway from itself and DNS from ISP)
2, Get a linux system with docker installed.
3, Run the Blash (Bird+Clash) container.
Prepare your config.yaml for Clash
Docker setting :
You need to
Reply and refresh to see the content
If you are using maclvan mode.
You need to
Reply and refresh to see the content
To make promisc mode persistent
vi /etc/systemd/system/promiscuous@ens192.service
[Unit]
Description=Set ens192 interface in promiscuous mode
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/bin/ip link set dev ens192 promisc on
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
sudo systemctl enable promiscuous@ens192.service
4, Enable OSPF in RouterOS.
/routing ospf instance
add disabled=no name=default-v2 router-id=10.0.0.1 routing-table=main
/routing ospf area
add disabled=no instance=default-v2 name=backbone-v2
/routing ospf interface-template
add area=backbone-v2 auth-id=1 auth-key="" cost=10 disabled=no interfaces=\
bridge networks=10.0.0.0/24 priority=1 type=ptp
add area=backbone-v2 auth-id=1 auth-key="" cost=100 disabled=yes interfaces=\
bridge networks=10.0.0.0/24 priority=1 type=ptp
After this, the RouterOS should received more than ten thousands routes.
check if OSPF works
a, /routing ospf neighbor print
b,/ip route print
Now, All none China routes will be handled by Clash.
5, Then set GFWlist domains in RouterOS
Thanks 香蕉 @admin who wrote the golang binary to generate the rsc file.
Run in routerOS terminal
import file=gfwdns.rsc
6, The Blash container also include yacd (https://github.com/haishanh/yacd)
You can now access clash webui for management.
UPDATE ! 2022/02/07
Now your can update the gfwdns.rsc directly from the container.
add -e GFWLIST_GEN="true" \ when running the docker.
docker logs blash to check the IP address.
if your ip is 10.0.0.250. you can log your web browser
You can also create a script inside RouterOS and give it a scheduled execute time
Scripts:
You need to
Reply and refresh to see the content
And also you can specify the FWD dns address by
-e DNS_FWD="YOUR DESIRED DNS SERVER" \
7, Enjoy!
After upgrading 7.2x +.
You may need to add
if you often download and upload abroad using BT/PT.
you may not set ospf table to main, then control it by mangle
/routing ospf instance
add disabled=yes name=default-v3 router-id=10.0.0.1 routing-table=OSPF \
/routing/rule/
add src-address=10.0.0.1/24 dst-address=198.18.0.1/16 action=lookup table=OSPF comment="Foreign Traffic to Clash"
