Splitting Routing and GFWlist Domains with Bird & Clash in RouterOS
Tested on RouterOS 7.1.3
Tested running inside a RouterOS container on 7.6
RouterOS is a robust operating system for Mikrotik routers. Despite being based on the Linux kernel, it is a closed system that does not allow the execution of third-party services, except for the experimental inclusion of Docker in versions 7.1rc3-rc4.
After searching through various articles and tutorials on Google, I found a common recommendation: changing the main router's gateway and DNS server to the IP address of another device. While this works, it causes network downtime whenever that "other device" goes down, and several devices then have to be fixed, which is time-consuming.
Personally, I prefer having everything managed by RouterOS for easier maintenance and debugging in case of network issues. To achieve this, I created a Dockerfile to build Clash and BIRD together into a Docker image.
Here is my solution based on running Clash and OSPF inside Docker.
1, Keep your RouterOS as it is (gateway from itself and DNS from the ISP).
2, Get a Linux system with Docker installed.
3, Run the Blash (Bird+Clash) container.
Prepare your config.yaml for Clash
Docker settings:
If you are using macvlan mode, make promiscuous mode persistent:
vi /etc/systemd/system/promiscuous@ens192.service
[Unit]
Description=Set ens192 interface in promiscuous mode
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/bin/ip link set dev ens192 promisc on
RemainAfterExit=yes
[Install]
WantedBy=multi-user.target
sudo systemctl enable promiscuous@ens192.service
4, Enable OSPF in RouterOS.
/routing ospf instance
add disabled=no name=default-v2 router-id=10.0.0.1 routing-table=main
/routing ospf area
add disabled=no instance=default-v2 name=backbone-v2
/routing ospf interface-template
add area=backbone-v2 auth-id=1 auth-key="" cost=10 disabled=no interfaces=\
bridge networks=10.0.0.0/24 priority=1 type=ptp
add area=backbone-v2 auth-id=1 auth-key="" cost=100 disabled=yes interfaces=\
bridge networks=10.0.0.0/24 priority=1 type=ptp
After this, RouterOS should receive more than ten thousand routes.
Check that OSPF works:
a, /routing ospf neighbor print
b, /ip route print
Now all non-China routes will be handled by Clash.
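As an added check that is not part of the original guide, this Python script parses the OSPF lines above in the backslash-continued format that a RouterOS /export prints and flags every enabled interface template whose auth-key is empty: with no key, the router forms an adjacency with any host on that interface, so any device on the 10.0.0.0/24 segment, not only the Blash container, could advertise routes into it. The sample export is the guide's own configuration, embedded inline as constructed input.

```python
import shlex

# Constructed sample: the OSPF lines from this guide, in the backslash-
# continued format that RouterOS '/export' prints.
SAMPLE_EXPORT = r"""
/routing ospf instance
add disabled=no name=default-v2 router-id=10.0.0.1 routing-table=main
/routing ospf interface-template
add area=backbone-v2 auth-id=1 auth-key="" cost=10 disabled=no interfaces=\
    bridge networks=10.0.0.0/24 priority=1 type=ptp
add area=backbone-v2 auth-id=1 auth-key="" cost=100 disabled=yes interfaces=\
    bridge networks=10.0.0.0/24 priority=1 type=ptp
"""

def join_continuations(text):
    """Merge a line ending in a backslash with the indented line after it."""
    merged, buf = [], ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        merged.append(buf + line.strip())
        buf = ""
    return [l for l in merged if l]

def parse_export(text):
    """Return [(menu path, {key: value})] for every 'add' line in an export."""
    menu, entries = None, []
    for line in join_continuations(text):
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            kv = {}
            for tok in shlex.split(line[4:]):  # keeps auth-key="" as an empty value
                key, _, val = tok.partition("=")
                kv[key] = val
            entries.append((menu, kv))
    return entries

def unauthenticated_templates(entries):
    """(interfaces, area) of each enabled template whose auth-key is empty: such a
    template forms an adjacency with any host on the segment, not only Blash."""
    return [(kv.get("interfaces"), kv.get("area")) for menu, kv in entries
            if menu == "/routing ospf interface-template"
            and kv.get("disabled", "no") != "yes" and kv.get("auth-key", "") == ""]

if __name__ == "__main__":
    for iface, area in unauthenticated_templates(parse_export(SAMPLE_EXPORT)):
        print(f"OSPF template on {iface} (area {area}) accepts unauthenticated neighbours")
```

Paste the output of /routing ospf export in place of the sample to check a live router; the disabled second template is skipped on purpose.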
5, Then set GFWlist domains in RouterOS
Thanks to 香蕉 @admin, who wrote the Go binary that generates the rsc file.
Run in the RouterOS terminal:
import file=gfwdns.rsc
6, The Blash container also includes yacd (https://github.com/haishanh/yacd).
You can now access the Clash web UI for management.
UPDATE! 2022/02/07
Now you can update gfwdns.rsc directly from the container.
Add
-e GFWLIST_GEN="true" \
when running the container. Then run
docker logs blash
to check the IP address.
If your IP is 10.0.0.250, you can log in from your web browser.
You can also create a script inside RouterOS and run it from the scheduler.
Scripts:
You can also specify the forwarding DNS address with
-e DNS_FWD="YOUR DESIRED DNS SERVER" \
7, Enjoy!
After upgrading to 7.2x+, you may need to add
If you often download and upload abroad using BT/PT, you may prefer not to set the OSPF routing table to main and instead control it with mangle:
/routing ospf instance
add disabled=yes name=default-v3 router-id=10.0.0.1 routing-table=OSPF \
/routing/rule/
add src-address=10.0.0.1/24 dst-address=198.18.0.1/16 action=lookup table=OSPF comment="Foreign Traffic to Clash"