elicro a révisé ce gist . Aller à la révision
1 file changed, 140 insertions
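--- a/ac2-wireless-defaults.rsc
+++ b/ac2-wireless-defaults.rsc
@@ -0,0 +1,140 @@
+:global ssid;
+:global defconfMode;
+:log info "Starting defconf script";
+# wait for interfaces
+:local count 0;
+:while ([/interface ethernet find] = "") do={
+:if ($count = 30) do={
+:log warning "DefConf: Unable to find ethernet interfaces";
+/quit;
+}
+:delay 1s; :set count ($count +1);
+};
+:local count 0;
+:while ([/interface wireless print count-only] < 2) do={
+:set count ($count +1);
+:if ($count = 40) do={
+:log warning "DefConf: Unable to find wireless interface(s)";
+/ip address add address=192.168.88.1/24 interface=ether1 comment="defconf";
+/quit
+}
+:delay 1s;
+};
+/interface list add name=WAN comment="defconf"
+/interface list add name=LAN comment="defconf"
+/interface bridge
+add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;
+:local bMACIsSet 0;
+:foreach k in=[/interface find where !(slave=yes || name="ether1" || name~"bridge" \
+|| passthrough=yes || type=loopback)] do={
+:local tmpPortName [/interface get $k name];
+:if ($bMACIsSet = 0) do={
+:if ([/interface get $k type] = "ether") do={
+/interface bridge set "bridge" auto-mac=no admin-mac=[/interface get $tmpPortName mac-address];
+:set bMACIsSet 1;
+}
+}
+:if (([/interface get $k type] != "ppp-out") && ([/interface get $k type] != "lte")) do={
+/interface bridge port
+add bridge=bridge interface=$tmpPortName comment=defconf;
+}
+}
+/ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
+/ip dhcp-server
+add name=defconf address-pool="default-dhcp" interface=bridge disabled=no;
+/ip dhcp-server network
+add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 comment="defconf";
+/ip address add address=192.168.88.1/24 interface=bridge comment="defconf";
+/ip dns {
+set allow-remote-requests=yes
+static add name=router.lan address=192.168.88.1 comment=defconf
+}
+/interface wireless {
+:local ifcId [/interface wireless find where default-name=wlan1]
+:local currentName [/interface wireless get $ifcId name]
+security-profile set default mode=dynamic-keys group-ciphers=aes-ccm unicast-ciphers=aes-ccm \
+authentication-types=wpa2-psk disable-pmkid=yes wpa2-pre-shared-key=$defconfWifiPassword comment=defconf
+set $ifcId mode=ap-bridge band=2ghz-b/g/n disabled=no wireless-protocol=802.11 \
+distance=indoors installation=any
+set $ifcId channel-width=20/40mhz-XX;
+set $ifcId frequency=auto
+:local wlanMac [/interface wireless get wlan1 mac-address];
+:set ssid "MikroTik-$[:pick $wlanMac 9 11]$[:pick $wlanMac 12 14]$[:pick $wlanMac 15 17]"
+set $ifcId ssid=$ssid
+}
+/interface wireless {
+:local ifcId [/interface wireless find where default-name=wlan2]
+:local currentName [/interface wireless get $ifcId name]
+security-profile set default mode=dynamic-keys group-ciphers=aes-ccm unicast-ciphers=aes-ccm \
+authentication-types=wpa2-psk disable-pmkid=yes wpa2-pre-shared-key=$defconfWifiPassword comment=defconf
+set $ifcId mode=ap-bridge band=5ghz-a/n/ac disabled=no wireless-protocol=802.11 \
+distance=indoors installation=any
+set $ifcId channel-width=20/40/80mhz-XXXX;
+set $ifcId frequency=auto
+:local wlanMac [/interface wireless get wlan1 mac-address];
+:set ssid "MikroTik-$[:pick $wlanMac 9 11]$[:pick $wlanMac 12 14]$[:pick $wlanMac 15 17]"
+set $ifcId ssid=$ssid
+}
+/ip dhcp-client add interface=ether1 disabled=no comment="defconf";
+/interface list member add list=LAN interface=bridge comment="defconf"
+/interface list member add list=WAN interface=ether1 comment="defconf"
+/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
+/ip firewall {
+filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
+filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
+filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
+filter add chain=input action=accept src-address=127.0.0.1 dst-address=127.0.0.1 in-interface=lo comment="defconf: accept to local loopback (for CAPsMAN)"
+filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
+filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
+filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
+filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
+filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
+filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
+filter add chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
+}
+/ipv6 firewall {
+address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
+address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
+address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
+address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
+address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
+address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
+address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
+address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
+address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
+filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
+filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
+filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
+filter add chain=input action=accept protocol=udp dst-port=33434-33534 comment="defconf: accept UDP traceroute"
+filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
+filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
+filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
+filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
+filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
+filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
+filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack6"
+filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
+filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
+filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
+filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
+filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
+filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
+filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
+filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
+filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
+filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
+filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
+filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
+}
+/ip neighbor discovery-settings set discover-interface-list=LAN
+/tool mac-server set allowed-interface-list=LAN
+/tool mac-server mac-winbox set allowed-interface-list=LAN
+:if (!($keepUsers = "yes")) do={
+:if (!($defconfPassword = "" || $defconfPassword = nil)) do={
+/user set admin password=$defconfPassword
+:delay 0.5
+/user expire-password admin
+}
+}
+/disk settings
+set auto-smb-sharing=yes auto-media-sharing=yes auto-media-interface=bridge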
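Review bot: `wpa2-pre-shared-key=$defconfWifiPassword` on lines 56 and 69 references a variable this file never declares; only `ssid` and `defconfMode` get a `:global` at the top, and in RouterOS scripting a global set by the caller is not visible inside a script until that script declares it, so unless the file is run in the caller's local scope the security profile is written with an empty key while both APs are brought up `disabled=no`. The same holds for `$keepUsers` and `$defconfPassword` on lines 132-134, where an undeclared value would silently skip the admin password change. Add `:global defconfWifiPassword; :global defconfPassword; :global keepUsers;` beside the existing declarations, and guard the profile with `:if ([:len $defconfWifiPassword] < 8) do={ :log warning "DefConf: no WiFi password provided, leaving wlan disabled"; }` before the `set $ifcId ... disabled=no` lines. Separately, the wlan2 block on line 74 reads the MAC of `wlan1`; if an identical SSID on both bands is intended, a one-line comment saying so would stop it reading as a copy-paste slip.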