  1. /interface bridge
  2. add auto-mac=yes name=bridge-local
  3. /interface ethernet
  4. set [ find default-name=ether1 ] name=ether1-gateway
  5. set [ find default-name=ether2 ] name=ether2-master-local
  6. set [ find default-name=ether3 ] master-port=ether2-master-local name=\
  7. ether3-slave-local
  8. set [ find default-name=ether4 ] master-port=ether2-master-local name=\
  9. ether4-slave-local
  10. /ip neighbor discovery
  11. set ether1-gateway discover=no
  12. /interface vlan
  13. add interface=ether1-gateway name=vlan10 vlan-id=10
  14. /interface wireless security-profiles
  15. set [ find default=yes ] supplicant-identity=MikroTik
  16. add authentication-types=wpa2-psk management-protection=allowed mode=\
  17. dynamic-keys name=***** supplicant-identity=MikroTik wpa2-pre-shared-key=\
  18. *************
  19. /interface wireless
  20. set [ find default-name=wlan1 ] band=2ghz-b/g/n disabled=no distance=indoors \
  21. frequency=2427 mode=ap-bridge security-profile=****** ssid=****** \
  22. wireless-protocol=802.11
# The built-in IPsec proposal is disabled; the ipsecwanip script (further down)
# creates a per-peer proposal/peer/policy set instead, named after the remote host.
/ip ipsec proposal
set [ find default=yes ] disabled=yes
# LAN lease range for the DHCP server that listens on the bridge.
/ip pool
add name=dhcp ranges=10.10.0.10-10.10.0.99
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
# Site-to-site L2TP client. L2TP itself carries no encryption: the tunnel is only
# protected while the IPsec transport policy maintained by the ipsecwanip script
# is in place. With disabled=no the client also dials before that policy exists
# (first boot, or after a WAN address change until the next scheduler run), so
# the PPP handshake (CHAP/MSCHAPv2) and payload may briefly leave in clear if the
# server accepts unprotected L2TP. NOTE(review): newer RouterOS can pin IPsec to
# the tunnel directly (use-ipsec= / ipsec-secret= on the client), which removes
# that window - confirm whether the running version offers it.
# The password is stored in the configuration and is visible to any user holding
# the "sensitive" policy. MTU/MRU 1300 leaves room for the L2TP+IPsec overhead.
/interface l2tp-client
add allow=chap,mschap2 connect-to=somehostname.somecompany.com disabled=no \
keepalive-timeout=30 max-mru=1300 max-mtu=1300 name=l2tp-out1 password=\
************ profile=default user=default
# LAN: the switch group (through its master port) and wlan1 share one bridge.
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
# Router LAN address. NOTE(review): it is assigned to a bridge port rather than
# to bridge-local, while the DHCP server listens on bridge-local; the usual
# placement is on the bridge itself - confirm the DHCP server is not flagged
# invalid and that wlan1 clients can reach 10.10.0.1.
/ip address
add address=10.10.0.1/24 comment="default configuration" interface=\
ether2-master-local network=10.10.0.0
# Two upstream leases. Only the ether1-gateway client may install a default
# route; the vlan10 client explicitly does not (the static routes further down
# presumably point through that link - see the note there).
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=ether1-gateway
add add-default-route=no dhcp-options=hostname,clientid disabled=no \
interface=vlan10
# LAN clients are pointed straight at Google DNS, so they never query this
# router; the static "router" entry below is therefore only seen by clients
# that are configured by hand to use 10.10.0.1 as resolver.
/ip dhcp-server network
add address=10.10.0.0/24 comment="default configuration" dns-server=\
8.8.8.8,8.8.4.4 gateway=10.10.0.1 netmask=24
# The router answers DNS queries on every address it owns. In the filter section
# below only ether1-gateway has its unsolicited input dropped; unless the input
# chain also drops vlan10 and l2tp-out1, this is an open resolver toward those
# two sides.
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=10.10.0.1 name=router
  51. /ip firewall filter
  52. add chain=input comment="default configuration" protocol=icmp
  53. add chain=input comment="default configuration" connection-state=established,related
  54. add chain=input dst-address=10.10.0.1 dst-port=22,80 in-interface=ether1-gateway limit=3/1m,3 protocol=tcp
  55. add chain=input dst-port=22 in-interface=l2tp-out1 protocol=tcp
  56. add chain=input dst-address=10.10.0.1 dst-port=22,80 in-interface=l2tp-out1 protocol=tcp
  57. add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
  58. add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
  59. add chain=forward comment="default configuration" connection-state=established,related
  60. add chain=forward dst-address=10.10.0.2 dst-port=80,61682 in-interface=l2tp-out1 protocol=tcp
  61. add chain=forward dst-address=10.10.0.2 dst-port=61682 in-interface=l2tp-out1 protocol=udp
  62. add chain=forward dst-address=192.168.88.1 dst-port=22,80 in-interface=l2tp-out1 protocol=tcp
  63. add chain=forward dst-address=192.168.88.1 dst-port=22,80 in-interface=ether1-gateway protocol=tcp
  64. add action=drop chain=forward comment="default configuration" connection-state=invalid
  65. add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway
  66. add action=reject chain=forward in-interface=l2tp-out1
# Source NAT: LAN addresses are hidden behind whichever upstream the packet
# leaves on - the WAN port, vlan10, or the L2TP tunnel.
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat out-interface=vlan10
add action=masquerade chain=srcnat out-interface=l2tp-out1
# Internet-facing port forwards (dst-port is matched before translation; the
# filter rules see the translated address/port). tcp/222 publishes the router's
# own SSH and tcp/888 its plaintext WebFig (credentials travel unencrypted);
# tcp/2222 publishes the SSH of a third device and, unlike 222/888, is not rate
# limited by the input chain. The same forwards exist inside the L2TP tunnel,
# so the WAN-facing entries are candidates for removal, or at least for a
# src-address restriction to known admin ranges.
add action=dst-nat chain=dstnat dst-port=222 in-interface=ether1-gateway protocol=tcp to-addresses=10.10.0.1 to-ports=22
# Forwards reachable only from the far end of the L2TP tunnel.
add action=dst-nat chain=dstnat dst-port=80 in-interface=l2tp-out1 protocol=tcp to-addresses=10.10.0.2 to-ports=80
add action=dst-nat chain=dstnat dst-port=61682 in-interface=l2tp-out1 protocol=tcp to-addresses=10.10.0.2 to-ports=61682
add action=dst-nat chain=dstnat dst-port=61682 in-interface=l2tp-out1 protocol=udp to-addresses=10.10.0.2 to-ports=61682
add action=dst-nat chain=dstnat dst-port=888 in-interface=l2tp-out1 protocol=tcp to-addresses=10.10.0.1 to-ports=80
add action=dst-nat chain=dstnat dst-port=222 in-interface=l2tp-out1 protocol=tcp to-addresses=10.10.0.1 to-ports=22
# WAN-facing again (see the note on tcp/222 above).
add action=dst-nat chain=dstnat dst-port=888 in-interface=ether1-gateway protocol=tcp to-addresses=10.10.0.1 to-ports=80
add action=dst-nat chain=dstnat dst-port=2222 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.88.1 to-ports=22
add action=dst-nat chain=dstnat dst-port=2222 in-interface=l2tp-out1 protocol=tcp to-addresses=192.168.88.1 to-ports=22
# The built-in IPsec policy template is disabled; the working transport policy
# is created by the ipsecwanip script.
/ip ipsec policy
set 0 disabled=yes
# Two remote prefixes behind 10.0.0.1, withdrawn while that gateway stops
# answering pings. NOTE(review): no interface in this export carries 10.0.0.1
# statically - presumably it arrives with the vlan10 lease (that client installs
# no default route); confirm.
/ip route
add check-gateway=ping distance=1 dst-address=10.0.0.0/24 gateway=10.0.0.1
add check-gateway=ping distance=1 dst-address=192.168.1.0/24 gateway=10.0.0.1
/system clock
set time-zone-name=Europe/Bratislava
/system identity
set name=somename-router
# protected-routerboot stays off: the reset button and Netinstall remain usable
# by anyone with physical access. Enabling it hardens against that at the price
# of much harder recovery - a deliberate choice, not changed here.
/system routerboard settings
set cpu-frequency=650MHz protected-routerboot=disabled
# Single full-rights account under the default name "admin". With SSH/WebFig
# published to the internet (see /ip firewall nat) consider a non-default user
# name and an address= restriction on the account to the LAN and tunnel ranges,
# so the rate limit in the input chain is not the only line of defence.
/user set admin password=************ group=full
  92. /system script
  93. add name=ipsecwanip owner=admin policy=\
  94. ftp,reboot,read,write,policy,test,password,sniff,sensitive source="# IPsec\
  95. \_remote host and PSK\
  96. \n:local dhost \"111.222.333.444\";\
  97. \n:local psk \"*******************************\";\
  98. \n:local ifacevpn \"l2tp-out1\";\
  99. \n\
  100. \n# Get WAN IP and generate variables\
  101. \n:local wanip [/ip dhcp-client get number=0 address];\
  102. \n:local wanip [:pick \$wanip 0 [:find in=\$wanip key=\"/\"]];\
  103. \n:local ipsecwanip \"\$wanip/32\";\
  104. \n:local ipsecdhost \"\$dhost/32\"\
  105. \n\
  106. \n# Get IP from IPsec policy and return \"0\" if fail\
  107. \n:local getipoldstaddr do={\
  108. \n :do {\
  109. \n :local ipaddr [/ip ipsec policy get value-name=src-address [find\
  110. \_sa-dst-address=\"\$1\"]];\
  111. \n :return \"\$ipaddr\";\
  112. \n } on-error={return \"0\"};\
  113. \n}\
  114. \n\
  115. \n:local policywanip [\$getipoldstaddr \$dhost];\
  116. \n\
  117. \n# if wan ip changed\
  118. \n:if ( \$policywanip != \$ipsecwanip ) do={\
  119. \n :log warning \"Reinstalling IPsec rules. Remote ip: \$dhost, WAN IP:\
  120. \_\$wanip\"\
  121. \n # Remove IPsec rules\
  122. \n :put \"dhost: \$dhost\";\
  123. \n /interface l2tp-client disable \"\$ifacevpn\";\
  124. \n /ip ipsec proposal \\\
  125. \n remove [find name=\"\$dhost\"];\
  126. \n /ip ipsec peer \\\
  127. \n remove [find address=\"\$ipsecdhost\"];\
  128. \n /ip ipsec policy \\\
  129. \n remove [find sa-dst-address=\"\$dhost\"];\
  130. \n /ip ipsec installed-sa flush;\
  131. \n /ip ipsec remote-peers kill-connections;\
  132. \n\
  133. \n # Add new IPsec rules\
  134. \n /ip ipsec proposal \\\
  135. \n add enc-algorithms=aes-256-cbc auth-algorithms=sha1 \\\
  136. \n lifetime=30m pfs-group=modp2048 name=\"\$dhost\";\
  137. \n /ip ipsec peer \\\
  138. \n add address=\"\$ipsecdhost\" enc-algorithm=aes-256 dh-group=modp\
  139. 2048 \\\
  140. \n proposal-check=strict secret=\"\$psk\" nat-traversal=yes;\
  141. \n /ip ipsec policy \\\
  142. \n add dst-address=\"\$ipsecdhost\" dst-port=1701 level=unique \\\
  143. \n proposal=\"\$dhost\" protocol=udp sa-dst-address=\"\$dhost\" \\\
  144. \n sa-src-address=\"\$wanip\" src-address=\"\$ipsecwanip\";\
  145. \n :delay 0.5;\
  146. \n /interface l2tp-client enable \"\$ifacevpn\";\
  147. \n}\
  148. \n"
  149. /system scheduler
  150. add interval=1m name=ipsecwanip on-event=ipsecwanip policy=\
  151. ftp,reboot,read,write,policy,test,password,sniff,sensitive