Guest User

Default config - RouterOS v6.40

a guest
Jul 26th, 2017
366
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # jul/26/2017 22:25: 6 by RouterOS 6.40
  2. # software id = XXXX-XXXX
  3. #
  4. script: :global ssid;
  5. #| RouterMode:
  6. #| * WAN port is protected by firewall and enabled DHCP client
  7. #| * Wireless and Ethernet interfaces (except WAN port ether1)
  8. #| are part of LAN bridge
  9. #| wlan1 Configuration:
  10. #| mode: ap-bridge;
  11. #| band: 2ghz-b/g/n;
  12. #| ht-chains: 0,1;
  13. #| ht-extension: 20/40mhz-Ce;
  14. #| LAN Configuration:
  15. #| IP address 192.168.88.1/24 is set on bridge (LAN port)
  16. #| DHCP Server: enabled;
  17. #| DNS: enabled;
  18. #| WAN (gateway) Configuration:
  19. #| gateway: ether1 ;
  20. #| ip4 firewall: enabled;
  21. #| ip6 firewall: enabled;
  22. #| NAT: enabled;
  23.  
  24. :log info Starting_defconf_script_;
  25. :global action;
  26. #-------------------------------------------------------------------------------
  27. # Apply configuration.
  28. # these commands are executed after installation or configuration reset
  29. #-------------------------------------------------------------------------------
  30. :if ($action = "apply") do={
  31. # wait for interfaces
  32. :local count 0;
  33. :while ([/interface ethernet find] = "") do={
  34. :if ($count = 30) do={
  35. :log warning "DefConf: Unable to find ethernet interfaces";
  36. /quit;
  37. }
  38. :delay 1s; :set count ($count +1);
  39. };
  40.  
  41. :local count 0;
  42. :while ([/interface wireless print count-only] < 1) do={
  43. :set count ($count +1);
  44. :if ($count = 30) do={
  45. :log warning "DefConf: Unable to find wireless interface(s)";
  46. /ip address add address=192.168.88.1/24 interface=ether1 comment="defconf";
  47. /quit
  48. }
  49. :delay 1s;
  50. };
  51. /interface wireless {
  52. set wlan1 mode=ap-bridge band=2ghz-b/g/n tx-chains=0,1 rx-chains=0,1 \
  53. disabled=no wireless-protocol=802.11 distance=indoors
  54. :local wlanMac [/interface wireless get wlan1 mac-address];
  55. :set ssid "MikroTik-$[:pick $wlanMac 9 11]$[:pick $wlanMac 12 14]$[:pick $wlanMac 15 17]"
  56. set wlan1 ssid=$ssid
  57. set wlan1 frequency=auto
  58. set wlan1 channel-width=20/40mhz-Ce ;
  59. }
  60. /interface bridge
  61. add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;
  62. :local bMACIsSet 0;
  63. :foreach k in=[/interface find where !(slave=yes || name~"ether1" || name~"bridge")] do={
  64. :local tmpPortName [/interface get $k name];
  65. :log info "port: $tmpPortName"
  66. :if ($bMACIsSet = 0) do={
  67. :if ([/interface get $k type] = "ether") do={
  68. /interface bridge set "bridge" auto-mac=no admin-mac=[/interface ethernet get $tmpPortName mac-address];
  69. :set bMACIsSet 1;
  70. }
  71. }
  72. /interface bridge port
  73. add bridge=bridge interface=$tmpPortName comment=defconf;
  74. }
  75. /ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
  76. /ip dhcp-server
  77. add name=defconf address-pool="default-dhcp" interface=bridge lease-time=10m disabled=no;
  78. /ip dhcp-server network
  79. add address=192.168.88.0/24 gateway=192.168.88.1 comment="defconf";
  80. /ip address add address=192.168.88.1/24 interface=bridge comment="defconf";
  81. /ip dns {
  82. set allow-remote-requests=yes
  83. static add name=router.lan address=192.168.88.1
  84. }
  85.  
  86. /ip dhcp-client add interface=ether1 disabled=no comment="defconf";
  87. /interface list add name=WAN comment="defconf"
  88. /interface list add name=LAN comment="defconf"
  89. /interface list member add list=LAN interface=bridge comment="defconf"
  90. /interface list member add list=WAN interface=ether1 comment="defconf"
  91. /ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
  92. /ip firewall {
  93. filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  94. filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
  95. filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
  96. filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
  97. filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
  98. filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
  99. filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
  100. filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
  101. filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
  102. filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
  103. }
  104. /ipv6 firewall {
  105. address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
  106. address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
  107. address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
  108. address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
  109. address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
  110. address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
  111. address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
  112. address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
  113. address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
  114. address-list add list=bad_ipv6 address=::224.0.0.0/100 comment="defconf: other"
  115. address-list add list=bad_ipv6 address=::127.0.0.0/104 comment="defconf: other"
  116. address-list add list=bad_ipv6 address=::/104 comment="defconf: other"
  117. address-list add list=bad_ipv6 address=::255.0.0.0/104 comment="defconf: other"
  118. filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  119. filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
  120. filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
  121. filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
  122. filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/16 comment="defconf: accept DHCPv6-Client prefix delegation."
  123. filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
  124. filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
  125. filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
  126. filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
  127. filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
  128. filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
  129. filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
  130. filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
  131. filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
  132. filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
  133. filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
  134. filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
  135. filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
  136. filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
  137. filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
  138. filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
  139. filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
  140. }
  141. /ip neighbor discovery set [find name="ether1"] discover=no
  142. /tool mac-server disable [find];
  143. /tool mac-server mac-winbox disable [find];
  144. :foreach k in=[/interface find where !(slave=yes || name~"ether1")] do={
  145. :local tmpName [/interface get $k name];
  146. /tool mac-server add interface=$tmpName disabled=no;
  147. /tool mac-server mac-winbox add interface=$tmpName disabled=no;
  148. }
  149. }
  150. #-------------------------------------------------------------------------------
  151. # Revert configuration.
  152. # these commands are executed if user requests to remove default configuration
  153. #-------------------------------------------------------------------------------
  154. :if ($action = "revert") do={
  155. /user set admin password=""
  156. /ip firewall filter remove [find comment~"defconf"]
  157. /ipv6 firewall filter remove [find comment~"defconf"]
  158. /ipv6 firewall address-list remove [find comment~"defconf"]
  159. /ip firewall nat remove [find comment~"defconf"]
  160. /interface list member remove [find comment~"defconf"]
  161. /interface list remove [find comment~"defconf"]
  162. /tool mac-server remove [find interface!=all]
  163. /tool mac-server set [find] disabled=no
  164. /tool mac-server mac-winbox remove [find interface!=all]
  165. /tool mac-server mac-winbox set [find] disabled=no
  166. /ip neighbor discovery set [find ] discover=yes
  167. :local o [/ip dhcp-server network find comment="defconf"]
  168. :if ([:len $o] != 0) do={ /ip dhcp-server network remove $o }
  169. :local o [/ip dhcp-server find name="defconf" !disabled]
  170. :if ([:len $o] != 0) do={ /ip dhcp-server remove $o }
  171. /ip pool {
  172. :local o [find name="default-dhcp" ranges=192.168.88.10-192.168.88.254]
  173. :if ([:len $o] != 0) do={ remove $o }
  174. }
  175. :local o [/ip dhcp-client find comment="defconf"]
  176. :if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
  177. /ip dns {
  178. set allow-remote-requests=no
  179. :local o [static find name=router address=192.168.88.1]
  180. :if ([:len $o] != 0) do={ static remove $o }
  181. }
  182. /ip address {
  183. :local o [find comment="defconf"]
  184. :if ([:len $o] != 0) do={ remove $o }
  185. }
  186. :foreach iface in=[/interface ethernet find] do={
  187. /interface ethernet set $iface name=[get $iface default-name]
  188. }
  189. /interface bridge port remove [find comment="defconf"]
  190. /interface bridge remove [find comment="defconf"]
  191. /interface wireless reset-configuration wlan1
  192. }
  193. :log info Defconf_script_finished;
  194.  
  195. caps-mode-script: #-------------------------------------------------------------------------------
  196. # Note: script will not execute at all (will throw a syntax error) if
  197. # dhcp or wireless-fp packages are not installed
  198. #-------------------------------------------------------------------------------
  199.  
  200. #| CAP configuration
  201. #|
  202. #| Wireless interfaces are set to be managed by CAPsMAN.
  203. #| All ethernet interfaces and CAPsMAN managed interfaces are bridged.
  204. #| DHCP client is set on bridge interface.
  205.  
  206. # bridge port name
  207. :global brName "bridgeLocal";
  208. :global logPref "defconf:";
  209.  
  210.  
  211. :global action;
  212.  
  213. :log info $action
  214.  
  215. :if ($action = "apply") do={
  216.  
  217. # wait for ethernet interfaces
  218. :local count 0;
  219. :while ([/interface ethernet find] = "") do={
  220. :if ($count = 30) do={
  221. :log warning "DefConf: Unable to find ethernet interfaces";
  222. /quit;
  223. }
  224. :delay 1s; :set count ($count + 1);
  225. }
  226.  
  227. :local macSet 0;
  228. :local tmpMac "";
  229.  
  230. :foreach k in=[/interface ethernet find] do={
  231. # first ethernet is found; add bridge and set mac address of the ethernet port
  232. :if ($macSet = 0) do={
  233. :set tmpMac [/interface ethernet get $k mac-address];
  234. /interface bridge add name=$brName auto-mac=no admin-mac=$tmpMac comment="defconf";
  235. :set macSet 1;
  236. }
  237. # add bridge ports
  238. /interface bridge port add bridge=$brName interface=$k comment="defconf"
  239. }
  240.  
  241. # try to add dhcp client on bridge interface (may fail if already exist)
  242. :do {
  243. /ip dhcp-client add interface=$brName disabled=no comment="defconf"
  244. } on-error={ :log warning "$logPref unable to add dhcp client";}
  245.  
  246.  
  247. # try to configure caps (may fail if for example specified interfaces are missing)
  248. :local interfacesList "";
  249. :local bFirst 1;
  250.  
  251. # wait for wireless interfaces
  252. :while ([/interface wireless find] = "") do={
  253. :if ($count = 30) do={
  254. :log warning "DefConf: Unable to find wireless interfaces";
  255. /quit;
  256. }
  257. :delay 1s; :set count ($count + 1);
  258. }
  259.  
  260. # delay just to make sure that all wireless interfaces are loaded
  261. :delay 5s;
  262. :foreach i in=[/interface wireless find] do={
  263. if ($bFirst = 1) do={
  264. :set interfacesList [/interface wireless get $i name];
  265. :set bFirst 0;
  266. } else={
  267. :set interfacesList "$interfacesList,$[/interface wireless get $i name]";
  268. }
  269. }
  270. :do {
  271. /interface wireless cap
  272. set enabled=yes interfaces=$interfacesList discovery-interfaces=$brName bridge=$brName
  273. } on-error={ :log warning "$logPref unable to configure caps";}
  274.  
  275. }
  276.  
  277. :if ($action = "revert") do={
  278. :do {
  279. /interface wireless cap
  280. set enabled=no interfaces="" discovery-interfaces="" bridge=none
  281. } on-error={ :log warning "$logPref unable to unset caps";}
  282.  
  283. :local o [/ip dhcp-client find comment="defconf"]
  284. :if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
  285.  
  286. /interface bridge port remove [find comment="defconf"]
  287. /interface bridge remove [find comment="defconf"]
  288.  
  289. }
RAW Paste Data