Default config - RouterOS v6.40

1. # jul/26/2017 22:25: 6 by RouterOS 6.40
2. # software id = XXXX-XXXX
3. #
4. script: :global ssid;
5. #| RouterMode:
6. #| * WAN port is protected by firewall and enabled DHCP client
7. #| * Wireless and Ethernet interfaces (except WAN port ether1)
8. #| are part of LAN bridge
9. #| wlan1 Configuration:
10. #| mode: ap-bridge;
11. #| band: 2ghz-b/g/n;
12. #| ht-chains: 0,1;
13. #| ht-extension: 20/40mhz-Ce;
14. #| LAN Configuration:
15. #| IP address 192.168.88.1/24 is set on bridge (LAN port)
16. #| DHCP Server: enabled;
17. #| DNS: enabled;
18. #| WAN (gateway) Configuration:
19. #| gateway: ether1 ;
20. #| ip4 firewall: enabled;
21. #| ip6 firewall: enabled;
22. #| NAT: enabled;
23.  
24. :log info Starting_defconf_script_;
25. :global action;
26. #-------------------------------------------------------------------------------
27. # Apply configuration.
28. # these commands are executed after installation or configuration reset
29. #-------------------------------------------------------------------------------
30. :if ($action = "apply") do={
31. # wait for interfaces
32. :local count 0;
33. :while ([/interface ethernet find] = "") do={
34. :if ($count = 30) do={
35. :log warning "DefConf: Unable to find ethernet interfaces";
36. /quit;
37. }
38. :delay 1s; :set count ($count +1);
39. };
40.  
41. :local count 0;
42. :while ([/interface wireless print count-only] < 1) do={
43. :set count ($count +1);
44. :if ($count = 30) do={
45. :log warning "DefConf: Unable to find wireless interface(s)";
46. /ip address add address=192.168.88.1/24 interface=ether1 comment="defconf";
47. /quit
48. }
49. :delay 1s;
50. };
51. /interface wireless {
52. set wlan1 mode=ap-bridge band=2ghz-b/g/n tx-chains=0,1 rx-chains=0,1 \
53. disabled=no wireless-protocol=802.11 distance=indoors
54. :local wlanMac [/interface wireless get wlan1 mac-address];
55. :set ssid "MikroTik-$[:pick $wlanMac 9 11]$[:pick $wlanMac 12 14]$[:pick $wlanMac 15 17]"
56. set wlan1 ssid=$ssid
57. set wlan1 frequency=auto
58. set wlan1 channel-width=20/40mhz-Ce ;
59. }
60. /interface bridge
61. add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;
62. :local bMACIsSet 0;
63. :foreach k in=[/interface find where !(slave=yes || name~"ether1" || name~"bridge")] do={
64. :local tmpPortName [/interface get $k name];
65. :log info "port: $tmpPortName"
66. :if ($bMACIsSet = 0) do={
67. :if ([/interface get $k type] = "ether") do={
68. /interface bridge set "bridge" auto-mac=no admin-mac=[/interface ethernet get $tmpPortName mac-address];
69. :set bMACIsSet 1;
70. }
71. }
72. /interface bridge port
73. add bridge=bridge interface=$tmpPortName comment=defconf;
74. }
75. /ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
76. /ip dhcp-server
77. add name=defconf address-pool="default-dhcp" interface=bridge lease-time=10m disabled=no;
78. /ip dhcp-server network
79. add address=192.168.88.0/24 gateway=192.168.88.1 comment="defconf";
80. /ip address add address=192.168.88.1/24 interface=bridge comment="defconf";
81. /ip dns {
82. set allow-remote-requests=yes
83. static add name=router.lan address=192.168.88.1
84. }
85.  
86. /ip dhcp-client add interface=ether1 disabled=no comment="defconf";
87. /interface list add name=WAN comment="defconf"
88. /interface list add name=LAN comment="defconf"
89. /interface list member add list=LAN interface=bridge comment="defconf"
90. /interface list member add list=WAN interface=ether1 comment="defconf"
91. /ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
92. /ip firewall {
93. filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
94. filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
95. filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
96. filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
97. filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
98. filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
99. filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
100. filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
101. filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
102. filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
103. }
104. /ipv6 firewall {
105. address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
106. address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
107. address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
108. address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
109. address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
110. address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
111. address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
112. address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
113. address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
114. address-list add list=bad_ipv6 address=::224.0.0.0/100 comment="defconf: other"
115. address-list add list=bad_ipv6 address=::127.0.0.0/104 comment="defconf: other"
116. address-list add list=bad_ipv6 address=::/104 comment="defconf: other"
117. address-list add list=bad_ipv6 address=::255.0.0.0/104 comment="defconf: other"
118. filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
119. filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
120. filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
121. filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
122. filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/16 comment="defconf: accept DHCPv6-Client prefix delegation."
123. filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
124. filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
125. filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
126. filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
127. filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
128. filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
129. filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
130. filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
131. filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
132. filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
133. filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
134. filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
135. filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
136. filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
137. filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
138. filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
139. filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
140. }
141. /ip neighbor discovery set [find name="ether1"] discover=no
142. /tool mac-server disable [find];
143. /tool mac-server mac-winbox disable [find];
144. :foreach k in=[/interface find where !(slave=yes || name~"ether1")] do={
145. :local tmpName [/interface get $k name];
146. /tool mac-server add interface=$tmpName disabled=no;
147. /tool mac-server mac-winbox add interface=$tmpName disabled=no;
148. }
149. }
150. #-------------------------------------------------------------------------------
151. # Revert configuration.
152. # these commands are executed if user requests to remove default configuration
153. #-------------------------------------------------------------------------------
154. :if ($action = "revert") do={
155. /user set admin password=""
156. /ip firewall filter remove [find comment~"defconf"]
157. /ipv6 firewall filter remove [find comment~"defconf"]
158. /ipv6 firewall address-list remove [find comment~"defconf"]
159. /ip firewall nat remove [find comment~"defconf"]
160. /interface list member remove [find comment~"defconf"]
161. /interface list remove [find comment~"defconf"]
162. /tool mac-server remove [find interface!=all]
163. /tool mac-server set [find] disabled=no
164. /tool mac-server mac-winbox remove [find interface!=all]
165. /tool mac-server mac-winbox set [find] disabled=no
166. /ip neighbor discovery set [find ] discover=yes
167. :local o [/ip dhcp-server network find comment="defconf"]
168. :if ([:len $o] != 0) do={ /ip dhcp-server network remove $o }
169. :local o [/ip dhcp-server find name="defconf" !disabled]
170. :if ([:len $o] != 0) do={ /ip dhcp-server remove $o }
171. /ip pool {
172. :local o [find name="default-dhcp" ranges=192.168.88.10-192.168.88.254]
173. :if ([:len $o] != 0) do={ remove $o }
174. }
175. :local o [/ip dhcp-client find comment="defconf"]
176. :if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
177. /ip dns {
178. set allow-remote-requests=no
179. :local o [static find name=router address=192.168.88.1]
180. :if ([:len $o] != 0) do={ static remove $o }
181. }
182. /ip address {
183. :local o [find comment="defconf"]
184. :if ([:len $o] != 0) do={ remove $o }
185. }
186. :foreach iface in=[/interface ethernet find] do={
187. /interface ethernet set $iface name=[get $iface default-name]
188. }
189. /interface bridge port remove [find comment="defconf"]
190. /interface bridge remove [find comment="defconf"]
191. /interface wireless reset-configuration wlan1
192. }
193. :log info Defconf_script_finished;
194.  
195. caps-mode-script: #-------------------------------------------------------------------------------
196. # Note: script will not execute at all (will throw a syntax error) if
197. # dhcp or wireless-fp packages are not installed
198. #-------------------------------------------------------------------------------
199.  
200. #| CAP configuration
201. #|
202. #| Wireless interfaces are set to be managed by CAPsMAN.
203. #| All ethernet interfaces and CAPsMAN managed interfaces are bridged.
204. #| DHCP client is set on bridge interface.
205.  
206. # bridge port name
207. :global brName "bridgeLocal";
208. :global logPref "defconf:";
209.  
210.  
211. :global action;
212.  
213. :log info $action
214.  
215. :if ($action = "apply") do={
216.  
217. # wait for ethernet interfaces
218. :local count 0;
219. :while ([/interface ethernet find] = "") do={
220. :if ($count = 30) do={
221. :log warning "DefConf: Unable to find ethernet interfaces";
222. /quit;
223. }
224. :delay 1s; :set count ($count + 1);
225. }
226.  
227. :local macSet 0;
228. :local tmpMac "";
229.  
230. :foreach k in=[/interface ethernet find] do={
231. # first ethernet is found; add bridge and set mac address of the ethernet port
232. :if ($macSet = 0) do={
233. :set tmpMac [/interface ethernet get $k mac-address];
234. /interface bridge add name=$brName auto-mac=no admin-mac=$tmpMac comment="defconf";
235. :set macSet 1;
236. }
237. # add bridge ports
238. /interface bridge port add bridge=$brName interface=$k comment="defconf"
239. }
240.  
241. # try to add dhcp client on bridge interface (may fail if already exist)
242. :do {
243. /ip dhcp-client add interface=$brName disabled=no comment="defconf"
244. } on-error={ :log warning "$logPref unable to add dhcp client";}
245.  
246.  
247. # try to configure caps (may fail if for example specified interfaces are missing)
248. :local interfacesList "";
249. :local bFirst 1;
250.  
251. # wait for wireless interfaces
252. :while ([/interface wireless find] = "") do={
253. :if ($count = 30) do={
254. :log warning "DefConf: Unable to find wireless interfaces";
255. /quit;
256. }
257. :delay 1s; :set count ($count + 1);
258. }
259.  
260. # delay just to make sure that all wireless interfaces are loaded
261. :delay 5s;
262. :foreach i in=[/interface wireless find] do={
263. if ($bFirst = 1) do={
264. :set interfacesList [/interface wireless get $i name];
265. :set bFirst 0;
266. } else={
267. :set interfacesList "$interfacesList,$[/interface wireless get $i name]";
268. }
269. }
270. :do {
271. /interface wireless cap
272. set enabled=yes interfaces=$interfacesList discovery-interfaces=$brName bridge=$brName
273. } on-error={ :log warning "$logPref unable to configure caps";}
274.  
275. }
276.  
277. :if ($action = "revert") do={
278. :do {
279. /interface wireless cap
280. set enabled=no interfaces="" discovery-interfaces="" bridge=none
281. } on-error={ :log warning "$logPref unable to unset caps";}
282.  
283. :local o [/ip dhcp-client find comment="defconf"]
284. :if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
285.  
286. /interface bridge port remove [find comment="defconf"]
287. /interface bridge remove [find comment="defconf"]
288.  
289. }