ac2-wireless-defaults.rsc
· 8.6 KiB · Text
Sin formato
:global ssid;
:global defconfMode;
:log info "Starting defconf script";
# wait for interfaces
:local count 0;
:while ([/interface ethernet find] = "") do={
:if ($count = 30) do={
:log warning "DefConf: Unable to find ethernet interfaces";
/quit;
}
:delay 1s; :set count ($count +1);
};
:local count 0;
:while ([/interface wireless print count-only] < 2) do={
:set count ($count +1);
:if ($count = 40) do={
:log warning "DefConf: Unable to find wireless interface(s)";
/ip address add address=192.168.88.1/24 interface=ether1 comment="defconf";
/quit
}
:delay 1s;
};
/interface list add name=WAN comment="defconf"
/interface list add name=LAN comment="defconf"
/interface bridge
add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;
:local bMACIsSet 0;
:foreach k in=[/interface find where !(slave=yes || name="ether1" || name~"bridge" \
|| passthrough=yes || type=loopback)] do={
:local tmpPortName [/interface get $k name];
:if ($bMACIsSet = 0) do={
:if ([/interface get $k type] = "ether") do={
/interface bridge set "bridge" auto-mac=no admin-mac=[/interface get $tmpPortName mac-address];
:set bMACIsSet 1;
}
}
:if (([/interface get $k type] != "ppp-out") && ([/interface get $k type] != "lte")) do={
/interface bridge port
add bridge=bridge interface=$tmpPortName comment=defconf;
}
}
/ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
/ip dhcp-server
add name=defconf address-pool="default-dhcp" interface=bridge disabled=no;
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 comment="defconf";
/ip address add address=192.168.88.1/24 interface=bridge comment="defconf";
/ip dns {
set allow-remote-requests=yes
static add name=router.lan address=192.168.88.1 comment=defconf
}
/interface wireless {
:local ifcId [/interface wireless find where default-name=wlan1]
:local currentName [/interface wireless get $ifcId name]
security-profile set default mode=dynamic-keys group-ciphers=aes-ccm unicast-ciphers=aes-ccm \
authentication-types=wpa2-psk disable-pmkid=yes wpa2-pre-shared-key=$defconfWifiPassword comment=defconf
set $ifcId mode=ap-bridge band=2ghz-b/g/n disabled=no wireless-protocol=802.11 \
distance=indoors installation=any
set $ifcId channel-width=20/40mhz-XX;
set $ifcId frequency=auto
:local wlanMac [/interface wireless get wlan1 mac-address];
:set ssid "MikroTik-$[:pick $wlanMac 9 11]$[:pick $wlanMac 12 14]$[:pick $wlanMac 15 17]"
set $ifcId ssid=$ssid
}
/interface wireless {
:local ifcId [/interface wireless find where default-name=wlan2]
:local currentName [/interface wireless get $ifcId name]
security-profile set default mode=dynamic-keys group-ciphers=aes-ccm unicast-ciphers=aes-ccm \
authentication-types=wpa2-psk disable-pmkid=yes wpa2-pre-shared-key=$defconfWifiPassword comment=defconf
set $ifcId mode=ap-bridge band=5ghz-a/n/ac disabled=no wireless-protocol=802.11 \
distance=indoors installation=any
set $ifcId channel-width=20/40/80mhz-XXXX;
set $ifcId frequency=auto
:local wlanMac [/interface wireless get wlan1 mac-address];
:set ssid "MikroTik-$[:pick $wlanMac 9 11]$[:pick $wlanMac 12 14]$[:pick $wlanMac 15 17]"
set $ifcId ssid=$ssid
}
/ip dhcp-client add interface=ether1 disabled=no comment="defconf";
/interface list member add list=LAN interface=bridge comment="defconf"
/interface list member add list=WAN interface=ether1 comment="defconf"
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
/ip firewall {
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
filter add chain=input action=accept src-address=127.0.0.1 dst-address=127.0.0.1 in-interface=lo comment="defconf: accept to local loopback (for CAPsMAN)"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
}
/ipv6 firewall {
address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
filter add chain=input action=accept protocol=udp dst-port=33434-33534 comment="defconf: accept UDP traceroute"
filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack6"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
}
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
:if (!($keepUsers = "yes")) do={
:if (!($defconfPassword = "" || $defconfPassword = nil)) do={
/user set admin password=$defconfPassword
:delay 0.5
/user expire-password admin
}
}
/disk settings
set auto-smb-sharing=yes auto-media-sharing=yes auto-media-interface=bridge
| 1 | :global ssid; |
| 2 | :global defconfMode; |
| 3 | :log info "Starting defconf script"; |
| 4 | # wait for interfaces |
| 5 | :local count 0; |
| 6 | :while ([/interface ethernet find] = "") do={ |
| 7 | :if ($count = 30) do={ |
| 8 | :log warning "DefConf: Unable to find ethernet interfaces"; |
| 9 | /quit; |
| 10 | } |
| 11 | :delay 1s; :set count ($count +1); |
| 12 | }; |
| 13 | :local count 0; |
| 14 | :while ([/interface wireless print count-only] < 2) do={ |
| 15 | :set count ($count +1); |
| 16 | :if ($count = 40) do={ |
| 17 | :log warning "DefConf: Unable to find wireless interface(s)"; |
| 18 | /ip address add address=192.168.88.1/24 interface=ether1 comment="defconf"; |
| 19 | /quit |
| 20 | } |
| 21 | :delay 1s; |
| 22 | }; |
| 23 | /interface list add name=WAN comment="defconf" |
| 24 | /interface list add name=LAN comment="defconf" |
| 25 | /interface bridge |
| 26 | add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf; |
| 27 | :local bMACIsSet 0; |
| 28 | :foreach k in=[/interface find where !(slave=yes || name="ether1" || name~"bridge" \ |
| 29 | || passthrough=yes || type=loopback)] do={ |
| 30 | :local tmpPortName [/interface get $k name]; |
| 31 | :if ($bMACIsSet = 0) do={ |
| 32 | :if ([/interface get $k type] = "ether") do={ |
| 33 | /interface bridge set "bridge" auto-mac=no admin-mac=[/interface get $tmpPortName mac-address]; |
| 34 | :set bMACIsSet 1; |
| 35 | } |
| 36 | } |
| 37 | :if (([/interface get $k type] != "ppp-out") && ([/interface get $k type] != "lte")) do={ |
| 38 | /interface bridge port |
| 39 | add bridge=bridge interface=$tmpPortName comment=defconf; |
| 40 | } |
| 41 | } |
| 42 | /ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254; |
| 43 | /ip dhcp-server |
| 44 | add name=defconf address-pool="default-dhcp" interface=bridge disabled=no; |
| 45 | /ip dhcp-server network |
| 46 | add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 comment="defconf"; |
| 47 | /ip address add address=192.168.88.1/24 interface=bridge comment="defconf"; |
| 48 | /ip dns { |
| 49 | set allow-remote-requests=yes |
| 50 | static add name=router.lan address=192.168.88.1 comment=defconf |
| 51 | } |
| 52 | /interface wireless { |
| 53 | :local ifcId [/interface wireless find where default-name=wlan1] |
| 54 | :local currentName [/interface wireless get $ifcId name] |
| 55 | security-profile set default mode=dynamic-keys group-ciphers=aes-ccm unicast-ciphers=aes-ccm \ |
| 56 | authentication-types=wpa2-psk disable-pmkid=yes wpa2-pre-shared-key=$defconfWifiPassword comment=defconf |
| 57 | set $ifcId mode=ap-bridge band=2ghz-b/g/n disabled=no wireless-protocol=802.11 \ |
| 58 | distance=indoors installation=any |
| 59 | set $ifcId channel-width=20/40mhz-XX; |
| 60 | set $ifcId frequency=auto |
| 61 | :local wlanMac [/interface wireless get wlan1 mac-address]; |
| 62 | :set ssid "MikroTik-$[:pick $wlanMac 9 11]$[:pick $wlanMac 12 14]$[:pick $wlanMac 15 17]" |
| 63 | set $ifcId ssid=$ssid |
| 64 | } |
| 65 | /interface wireless { |
| 66 | :local ifcId [/interface wireless find where default-name=wlan2] |
| 67 | :local currentName [/interface wireless get $ifcId name] |
| 68 | security-profile set default mode=dynamic-keys group-ciphers=aes-ccm unicast-ciphers=aes-ccm \ |
| 69 | authentication-types=wpa2-psk disable-pmkid=yes wpa2-pre-shared-key=$defconfWifiPassword comment=defconf |
| 70 | set $ifcId mode=ap-bridge band=5ghz-a/n/ac disabled=no wireless-protocol=802.11 \ |
| 71 | distance=indoors installation=any |
| 72 | set $ifcId channel-width=20/40/80mhz-XXXX; |
| 73 | set $ifcId frequency=auto |
| 74 | :local wlanMac [/interface wireless get wlan1 mac-address]; |
| 75 | :set ssid "MikroTik-$[:pick $wlanMac 9 11]$[:pick $wlanMac 12 14]$[:pick $wlanMac 15 17]" |
| 76 | set $ifcId ssid=$ssid |
| 77 | } |
| 78 | /ip dhcp-client add interface=ether1 disabled=no comment="defconf"; |
| 79 | /interface list member add list=LAN interface=bridge comment="defconf" |
| 80 | /interface list member add list=WAN interface=ether1 comment="defconf" |
| 81 | /ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade" |
| 82 | /ip firewall { |
| 83 | filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked" |
| 84 | filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid" |
| 85 | filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP" |
| 86 | filter add chain=input action=accept src-address=127.0.0.1 dst-address=127.0.0.1 in-interface=lo comment="defconf: accept to local loopback (for CAPsMAN)" |
| 87 | filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN" |
| 88 | filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy" |
| 89 | filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy" |
| 90 | filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack" |
| 91 | filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked" |
| 92 | filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid" |
| 93 | filter add chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed" |
| 94 | } |
| 95 | /ipv6 firewall { |
| 96 | address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address" |
| 97 | address-list add list=bad_ipv6 address=::1 comment="defconf: lo" |
| 98 | address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local" |
| 99 | address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped" |
| 100 | address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat" |
| 101 | address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only " |
| 102 | address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation" |
| 103 | address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID" |
| 104 | address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone" |
| 105 | filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked" |
| 106 | filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid" |
| 107 | filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6" |
| 108 | filter add chain=input action=accept protocol=udp dst-port=33434-33534 comment="defconf: accept UDP traceroute" |
| 109 | filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation." |
| 110 | filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE" |
| 111 | filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH" |
| 112 | filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP" |
| 113 | filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy" |
| 114 | filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN" |
| 115 | filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack6" |
| 116 | filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked" |
| 117 | filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid" |
| 118 | filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6" |
| 119 | filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6" |
| 120 | filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1" |
| 121 | filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6" |
| 122 | filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP" |
| 123 | filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE" |
| 124 | filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH" |
| 125 | filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP" |
| 126 | filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy" |
| 127 | filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN" |
| 128 | } |
| 129 | /ip neighbor discovery-settings set discover-interface-list=LAN |
| 130 | /tool mac-server set allowed-interface-list=LAN |
| 131 | /tool mac-server mac-winbox set allowed-interface-list=LAN |
| 132 | :if (!($keepUsers = "yes")) do={ |
| 133 | :if (!($defconfPassword = "" || $defconfPassword = nil)) do={ |
| 134 | /user set admin password=$defconfPassword |
| 135 | :delay 0.5 |
| 136 | /user expire-password admin |
| 137 | } |
| 138 | } |
| 139 | /disk settings |
| 140 | set auto-smb-sharing=yes auto-media-sharing=yes auto-media-interface=bridge |