最終更新 1775405455

elicro revised this gist 1775405455. Go to revision

1 file changed, 140 insertions

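--- /dev/null
+++ b/ac2-wireless-defaults.rsc
@@ -0,0 +1,140 @@
+:global ssid;
+:global defconfMode;
+:log info "Starting defconf script";
+# wait for interfaces
+:local count 0;
+:while ([/interface ethernet find] = "") do={
+:if ($count = 30) do={
+:log warning "DefConf: Unable to find ethernet interfaces";
+/quit;
+}
+:delay 1s; :set count ($count +1);
+};
+:local count 0;
+:while ([/interface wireless print count-only] < 2) do={
+:set count ($count +1);
+:if ($count = 40) do={
+:log warning "DefConf: Unable to find wireless interface(s)";
+/ip address add address=192.168.88.1/24 interface=ether1 comment="defconf";
+/quit
+}
+:delay 1s;
+};
+/interface list add name=WAN comment="defconf"
+/interface list add name=LAN comment="defconf"
+/interface bridge
+add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;
+:local bMACIsSet 0;
+:foreach k in=[/interface find where !(slave=yes || name="ether1" || name~"bridge" \
+|| passthrough=yes || type=loopback)] do={
+:local tmpPortName [/interface get $k name];
+:if ($bMACIsSet = 0) do={
+:if ([/interface get $k type] = "ether") do={
+/interface bridge set "bridge" auto-mac=no admin-mac=[/interface get $tmpPortName mac-address];
+:set bMACIsSet 1;
+}
+}
+:if (([/interface get $k type] != "ppp-out") && ([/interface get $k type] != "lte")) do={
+/interface bridge port
+add bridge=bridge interface=$tmpPortName comment=defconf;
+}
+}
+/ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
+/ip dhcp-server
+add name=defconf address-pool="default-dhcp" interface=bridge disabled=no;
+/ip dhcp-server network
+add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 comment="defconf";
+/ip address add address=192.168.88.1/24 interface=bridge comment="defconf";
+/ip dns {
+set allow-remote-requests=yes
+static add name=router.lan address=192.168.88.1 comment=defconf
+}
+/interface wireless {
+:local ifcId [/interface wireless find where default-name=wlan1]
+:local currentName [/interface wireless get $ifcId name]
+security-profile set default mode=dynamic-keys group-ciphers=aes-ccm unicast-ciphers=aes-ccm \
+authentication-types=wpa2-psk disable-pmkid=yes wpa2-pre-shared-key=$defconfWifiPassword comment=defconf
+set $ifcId mode=ap-bridge band=2ghz-b/g/n disabled=no wireless-protocol=802.11 \
+distance=indoors installation=any
+set $ifcId channel-width=20/40mhz-XX;
+set $ifcId frequency=auto
+:local wlanMac [/interface wireless get wlan1 mac-address];
+:set ssid "MikroTik-$[:pick $wlanMac 9 11]$[:pick $wlanMac 12 14]$[:pick $wlanMac 15 17]"
+set $ifcId ssid=$ssid
+}
+/interface wireless {
+:local ifcId [/interface wireless find where default-name=wlan2]
+:local currentName [/interface wireless get $ifcId name]
+security-profile set default mode=dynamic-keys group-ciphers=aes-ccm unicast-ciphers=aes-ccm \
+authentication-types=wpa2-psk disable-pmkid=yes wpa2-pre-shared-key=$defconfWifiPassword comment=defconf
+set $ifcId mode=ap-bridge band=5ghz-a/n/ac disabled=no wireless-protocol=802.11 \
+distance=indoors installation=any
+set $ifcId channel-width=20/40/80mhz-XXXX;
+set $ifcId frequency=auto
+:local wlanMac [/interface wireless get wlan1 mac-address];
+:set ssid "MikroTik-$[:pick $wlanMac 9 11]$[:pick $wlanMac 12 14]$[:pick $wlanMac 15 17]"
+set $ifcId ssid=$ssid
+}
+/ip dhcp-client add interface=ether1 disabled=no comment="defconf";
+/interface list member add list=LAN interface=bridge comment="defconf"
+/interface list member add list=WAN interface=ether1 comment="defconf"
+/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
+/ip firewall {
+filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
+filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
+filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
+filter add chain=input action=accept src-address=127.0.0.1 dst-address=127.0.0.1 in-interface=lo comment="defconf: accept to local loopback (for CAPsMAN)"
+filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
+filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
+filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
+filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
+filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
+filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
+filter add chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
+}
+/ipv6 firewall {
+address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
+address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
+address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
+address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
+address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
+address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
+address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
+address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
+address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
+filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
+filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
+filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
+filter add chain=input action=accept protocol=udp dst-port=33434-33534 comment="defconf: accept UDP traceroute"
+filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
+filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
+filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
+filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
+filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
+filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
+filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack6"
+filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
+filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
+filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
+filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
+filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
+filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
+filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
+filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
+filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
+filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
+filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
+filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
+}
+/ip neighbor discovery-settings set discover-interface-list=LAN
+/tool mac-server set allowed-interface-list=LAN
+/tool mac-server mac-winbox set allowed-interface-list=LAN
+:if (!($keepUsers = "yes")) do={
+:if (!($defconfPassword = "" || $defconfPassword = nil)) do={
+/user set admin password=$defconfPassword
+:delay 0.5
+/user expire-password admin
+}
+}
+/disk settings
+set auto-smb-sharing=yes auto-media-sharing=yes auto-media-interface=bridge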
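Review bot: The wireless security profile at lines 55–56 (and again at 68–69) writes `wpa2-pre-shared-key=$defconfWifiPassword` with no check that the variable holds anything, whereas the admin password at lines 132–134 is guarded by `:if (!($defconfPassword = "" || $defconfPassword = nil))`; `$defconfWifiPassword` is never declared `:global` here (only `ssid` and `defconfMode` are), so if the surrounding default-configuration environment does not supply it, both radios come up `disabled=no` with an empty WPA2 key. Mirror the admin-password guard in each block, e.g. after the `set $ifcId ssid=$ssid` line add `:if ($defconfWifiPassword = "" || $defconfWifiPassword = nil) do={ :log warning "DefConf: empty wifi key, leaving wlan disabled"; set $ifcId disabled=yes }`, and state in a leading comment which variables (`$defconfWifiPassword`, `$defconfPassword`, `$keepUsers`) the script expects from its caller. `:local currentName` at lines 54 and 67 is assigned but never read in either block and can be dropped. Line 74 inside the wlan2 block reads `/interface wireless get wlan1 mac-address`, which gives both bands the same SSID; if that is intended, a comment such as `# both bands advertise the SSID derived from wlan1's MAC` would spare the next reader a double take.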