RouterOS configuration script based on defconf
# Useful commands while working on this script (run from the RouterOS CLI):
# $ /sys default-configuration print
# $ /export terse file=config-back-default.rsc
# $ /export terse file=config-back-lanti.rsc
# $ /export terse file=config-back-lanti-bridge.rsc
# $ /export terse file=default_RB951G-2HnD-back-lanti.rsc
# $ /import config-without-default-lanti.rsc
# $ /system default-configuration print
# $ /system default-configuration print file=config-20220525-002.rsc
# $ /system reset-configuration no-defaults=yes skip-backup=yes run-after-reset=config-without-default-lanti.rsc
# https://help.mikrotik.com/docs/display/ROS/First+Time+Configuration
# https://wiki.mikrotik.com/wiki/Manual:Scripting
# https://wiki.mikrotik.com/wiki/Manual:Scripting-examples
# https://wiki.mikrotik.com/wiki/Manual:Scripting_Tips_and_Tricks
# https://forum.mikrotik.com/viewforum.php?f=9
# https://wiki.mikrotik.com/wiki/Category:Scripting
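################################################################################
# Global variables
################################################################################
# Prefix used in log lines and in the comment field of every object this script
# creates, so the resulting configuration can be audited or reverted with e.g.
# `/ip firewall filter print where comment~"lanticonf"`.
:global logPref "lanticonf";
# Log only once $logPref exists; the original logged before declaring it, which
# printed an empty name on a fresh router.
:log info "Starting $logPref script";
# values: router, bridge
#   router - ether1 is the WAN port (DHCP client + masquerade), the bridge is
#            the LAN and gets $ipBase.1/24
#   bridge - every port including ether1 is bridged, the static LAN address is
#            disabled and the bridge takes a DHCP lease from upstream
:global confMode "router";
#:global confMode "bridge";
# first three octets of the LAN subnet; .1 is the router, .10-.254 is the pool
:global ipBase "192.168.88";
:global brName "bridge";
:global dhcpPool "default-dhcp";
:global dhcpServer "$logPref";
:global wanName "WAN";
:global lanName "LAN";
:global timeZone "Europe/Budapest";
:global ntpServers "0.hu.pool.ntp.org,1.hu.pool.ntp.org,\
2.hu.pool.ntp.org,3.hu.pool.ntp.org";
# filled in by the wireless section from the radio's MAC address
:global ssid;
:if ($confMode = "bridge") do={
    :log info "confMode is set to $confMode";
    :global dhcpPool "dhcp";
}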
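################################################################################
# Apply configuration.
# these commands are executed after installation or configuration reset
################################################################################
# wait for ethernet interfaces (up to 30 s); without any ethernet there is
# nothing to configure, so giving up here is fine
:local count 0;
:while ([/interface ethernet find] = "") do={
    :if ($count = 30) do={
        :log warning "$logPref: Unable to find ethernet interfaces";
        /quit;
    }
    :delay 1s; :set count ($count + 1);
};
# wait for wireless interfaces (up to 40 s).
# The original condition was `count-only < 0`, which can never be true, so the
# loop never waited at all. The original timeout branch also added
# $ipBase.1/24 on ether1 and called /quit, which skipped everything that
# follows - including the firewall and the service hardening - leaving the
# router unfiltered. The wait is now bounded by $count and the script simply
# carries on; the wireless section below is guarded by its own count-only
# check and is skipped when no radio appears.
:set count 0;
:while (($count < 40) && ([/interface wireless print count-only] < 1)) do={
    :delay 1s;
    :set count ($count + 1);
};
:if ([/interface wireless print count-only] < 1) do={
    :log warning "$logPref: Unable to find wireless interface(s)";
};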
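# Interface lists referenced by the firewall rules further down
/interface list {
    add name=$wanName comment="$logPref"
    add name=$lanName comment="$logPref"
}
# Configuring IP Access
# Bridge IGMP/MLD snooping
# "/interface bridge mdb print" command to monitor the active multicast groups.
# https://help.mikrotik.com/docs/pages/viewpage.action?pageId=59277403
/interface bridge
add name=$brName disabled=no auto-mac=yes protocol-mode=rstp comment=$logPref \
    igmp-snooping=yes multicast-querier=yes;
:if ($confMode = "bridge") do={
    # NOTE(review): drops UDP/68 (DHCP client port) frames that arrive on
    # ether1 and are addressed to the bridge itself. In bridge mode ether1 is
    # made a bridge port and a DHCP client is later put on the bridge, so
    # confirm this rule does not starve that client of its lease replies.
    /interface bridge filter
    add action=drop chain=input dst-port=68 in-interface=ether1 \
        ip-protocol=udp mac-protocol=ip;
}
:local bMACIsSet 0;
# Walk every non-slave interface except ether1 and anything whose name matches
# $brName (regex match, so "bridge" also excludes e.g. "bridge2").
:foreach k in=[/interface find where !(slave=yes || name="ether1" || name~"$brName")] do={
    :local tmpPortName [/interface get $k name];
    # first ethernet is found; pin the bridge MAC to that port's address so the
    # bridge MAC is fixed instead of auto-selected from its members
    :if ($bMACIsSet = 0) do={
        :if ([/interface get $k type] = "ether") do={
            # was `set "bridge"`: a hard-coded name that silently targets the
            # wrong (or no) bridge as soon as $brName is changed
            /interface bridge
            set $brName auto-mac=no admin-mac=[/interface get $tmpPortName mac-address];
            :set bMACIsSet 1;
        }
    }
    # add bridge ports; PPP and LTE interfaces are routed, never bridged
    :if (([/interface get $k type] != "ppp-out") && ([/interface get $k type] != "lte")) do={
        /interface bridge port
        add bridge=$brName interface=$tmpPortName comment=$logPref;
    }
    # bridge mode: each port is individually a LAN member
    :if ($confMode = "bridge") do={
        /interface list member
        add list=$lanName interface=$tmpPortName;
    }
}
:if ($confMode = "bridge") do={
    # bridge mode: ether1 (the upstream link) is bridged as well
    /interface bridge port
    add bridge=$brName interface=ether1;
}
/ip address
add address="$ipBase.1/24" interface=$brName comment="$logPref";
:if ($confMode = "bridge") do={
    # bridge mode: keep the static LAN address but disabled; the bridge gets
    # its address from the DHCP client added further down
    :local ipAddrId [/ip address find where address="$ipBase.1/24"];
    /ip address
    set $ipAddrId disabled=yes;
}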
# DHCP Server setup
# Pool .10-.254 handed out on the LAN bridge with 10 minute leases; clients
# are pointed at the router for both gateway and DNS.
/ip pool add name=$dhcpPool ranges="$ipBase.10-$ipBase.254";
/ip dhcp-server add name=$dhcpServer address-pool=$dhcpPool interface=$brName \
    lease-time=10m disabled=no;
/ip dhcp-server network add address="$ipBase.0/24" gateway="$ipBase.1" \
    dns-server="$ipBase.1" comment="$logPref";
:if ($confMode = "bridge") do={
    # bridge mode: turn the LAN network entry into a wildcard (0.0.0.0/24).
    # NOTE(review): the DHCP server still runs on the bridge whose static
    # address is disabled in this mode, alongside whatever upstream server
    # answers on the bridged ether1 - confirm that coexistence is intended.
    :local lanNetId [/ip dhcp-server network find where address="$ipBase.0/24"];
    /ip dhcp-server network set $lanNetId address=0.0.0.0/24 gateway=0.0.0.0 netmask=24;
}
# The router resolves for LAN clients. allow-remote-requests=yes makes it
# answer queries on every interface, so it is the input-chain firewall below
# (drop everything not from $lanName) that keeps it from being an open
# resolver towards the WAN.
/ip dns set allow-remote-requests=yes;
/ip dns static add name=router.lan address="$ipBase.1" comment=$logPref;
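# Wireless: 2.4 GHz AP on wlan1, SSID derived from the last three octets of the
# radio MAC. The original enabled the radio without touching any security
# profile, so the AP came up with whatever the `default` profile held - after a
# no-defaults reset that is typically an open network. The default profile is
# now set to WPA2-PSK with the defconf (sticker) password when one is
# available, and the radio is left disabled with a warning otherwise: an AP
# without a configured key fails closed rather than open. A bad key (e.g.
# shorter than 8 characters) makes the profile `set` fail, which lands in the
# on-error branch before the radio is enabled.
:do {
    :if ([/interface wireless print count-only] > 0) do={
        /interface wireless {
            :local ifcId [/interface wireless find where default-name=wlan1]
            :local wlanMac [/interface wireless get $ifcId mac-address];
            :set ssid "MikroTik-$[:pick $wlanMac 9 11]$[:pick $wlanMac 12 14]$[:pick $wlanMac 15 17]"
            set $ifcId mode=ap-bridge band=2ghz-b/g/n wireless-protocol=802.11 distance=indoors installation=indoor
            set $ifcId channel-width=20/40mhz-XX;
            set $ifcId frequency=auto
            set $ifcId ssid=$ssid security-profile=default
            :if (!($defconfPassword = "" || $defconfPassword = nil)) do={
                # reuses the defconf password as the PSK, as the sticker-based
                # defconf does; change it if admin and Wi-Fi must differ
                /interface wireless security-profiles set default mode=dynamic-keys authentication-types=wpa2-psk wpa2-pre-shared-key=$defconfPassword
                set $ifcId disabled=no
            } else={
                :log warning "$logPref: no wireless password available, leaving $ssid disabled"
            }
        }
    }
} on-error={ :log warning "$logPref: unable to configure wireless";}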
# Configuring Internet Connection
# Dynamic Public IP: a DHCP client on the upstream-facing interface. In router
# mode that is ether1; in bridge mode ether1 is a bridge port, so the lease is
# taken on the bridge itself.
:local uplink "ether1";
:if ($confMode = "bridge") do={ :set uplink $brName; }
/ip dhcp-client add interface=$uplink disabled=no comment="$logPref";
# Interface lists consumed by the firewall: ether1 is always in $wanName; the
# bridge is in $lanName only in router mode (in bridge mode the individual
# ports were added to $lanName while the bridge was built).
# NOTE(review): in bridge mode nothing puts the bridge interface itself into
# $lanName. IP traffic from bridged ports to the router is generally seen with
# in-interface=<bridge>, so check that the input-chain "!LAN" drop below does
# not cut off SSH/Winbox from the LAN ports in that mode.
:if ($confMode != "bridge") do={
    /interface list member add list=$lanName interface=$brName comment="$logPref";
}
/interface list member add list=$wanName interface=ether1 comment="$logPref";
# Firewall rules
# This is the stock defconf rule set tagged with $logPref. Order matters in
# every chain (first match wins); keep additions in the same relative position.
# Masquerade everything leaving through the WAN list. ipsec-policy=out,none
# excludes packets that match an IPsec policy, so tunnelled traffic keeps its
# real source address.
/ip firewall nat
add chain=srcnat out-interface-list=$wanName ipsec-policy=out,none action=masquerade comment="$logPref: masquerade"
/ip firewall {
# --- IPv4 input: traffic addressed to the router itself ---
filter add chain=input action=accept connection-state=established,related,untracked comment="$logPref: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="$logPref: drop invalid"
# ICMP is accepted from every interface with no rate limit (defconf choice);
# add a limit= matcher here if ping floods from the WAN are a concern.
filter add chain=input action=accept protocol=icmp comment="$logPref: accept ICMP"
filter add chain=input action=accept dst-address=127.0.0.1 comment="$logPref: accept to local loopback (for CAPsMAN)"
# This single drop is what keeps SSH (2200), Winbox and DNS off the WAN:
# nothing above it accepts new connections, so only $lanName may open them.
filter add chain=input action=drop in-interface-list="!$lanName" comment="$logPref: drop all not coming from $lanName"
# --- IPv4 forward: LAN <-> WAN ---
# IPsec-policy traffic is accepted before fasttrack so that it is never
# fasttracked (first match wins).
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="$logPref: accept in ipsec policy"
filter add chain=forward action=accept ipsec-policy=out,ipsec comment="$logPref: accept out ipsec policy"
# fasttrack lets established/related flows bypass the remaining filter rules
# (and most other per-packet processing) for throughput.
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="$logPref: fasttrack"
filter add chain=forward action=accept connection-state=established,related,untracked comment="$logPref: accept established,related, untracked"
filter add chain=forward action=drop connection-state=invalid comment="$logPref: drop invalid"
# New inbound connections from the WAN are allowed only when a dst-nat rule
# created them (port forwards); this script adds none.
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=$wanName comment="$logPref: drop all from $wanName not DSTNATed"
}
/ipv6 firewall {
# Reserved / bogon IPv6 ranges. They are only consulted in the forward chain
# below. NOTE(review): the input chain does not check bad_ipv6, so the router
# itself still answers packets from these sources whenever an earlier input
# accept matches (ICMPv6, traceroute, IKE).
address-list add list=bad_ipv6 address=::/128 comment="$logPref: unspecified address"
address-list add list=bad_ipv6 address=::1 comment="$logPref: lo"
address-list add list=bad_ipv6 address=fec0::/10 comment="$logPref: site-local"
address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="$logPref: ipv4-mapped"
address-list add list=bad_ipv6 address=::/96 comment="$logPref: ipv4 compat"
address-list add list=bad_ipv6 address=100::/64 comment="$logPref: discard only "
address-list add list=bad_ipv6 address=2001:db8::/32 comment="$logPref: documentation"
address-list add list=bad_ipv6 address=2001:10::/28 comment="$logPref: ORCHID"
address-list add list=bad_ipv6 address=3ffe::/16 comment="$logPref: 6bone"
# --- IPv6 input: traffic addressed to the router itself ---
filter add chain=input action=accept connection-state=established,related,untracked comment="$logPref: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="$logPref: drop invalid"
# ICMPv6 has to stay open for neighbor discovery / router advertisements /
# PMTUD; unrestricted, like the v4 rule.
filter add chain=input action=accept protocol=icmpv6 comment="$logPref: accept ICMPv6"
filter add chain=input action=accept protocol=udp port=33434-33534 comment="$logPref: accept UDP traceroute"
# DHCPv6 client replies come from the upstream router's link-local address.
filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="$logPref: accept DHCPv6-Client prefix delegation."
# IKE, AH, ESP and policy-matched traffic are accepted from any source
# (defconf behaviour); drop these four rules if the router will not terminate
# IPv6 IPsec, they are otherwise reachable from the whole internet.
filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="$logPref: accept IKE"
filter add chain=input action=accept protocol=ipsec-ah comment="$logPref: accept ipsec AH"
filter add chain=input action=accept protocol=ipsec-esp comment="$logPref: accept ipsec ESP"
filter add chain=input action=accept ipsec-policy=in,ipsec comment="$logPref: accept all that matches ipsec policy"
# Everything else to the router must come from $lanName.
filter add chain=input action=drop in-interface-list="!$lanName" comment="$logPref: drop everything else not coming from $lanName"
# --- IPv6 forward ---
filter add chain=forward action=accept connection-state=established,related,untracked comment="$logPref: accept established,related,untracked"
filter add chain=forward action=drop connection-state=invalid comment="$logPref: drop invalid"
filter add chain=forward action=drop src-address-list=bad_ipv6 comment="$logPref: drop packets with bad src ipv6"
filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="$logPref: drop packets with bad dst ipv6"
# RFC 4890: ICMPv6 with hop-limit 1 is link-local only and must not be routed.
filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="$logPref: rfc4890 drop hop-limit=1"
filter add chain=forward action=accept protocol=icmpv6 comment="$logPref: accept ICMPv6"
# HIP (protocol 139), IKE and IPsec are forwarded in both directions (defconf).
filter add chain=forward action=accept protocol=139 comment="$logPref: accept HIP"
filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="$logPref: accept IKE"
filter add chain=forward action=accept protocol=ipsec-ah comment="$logPref: accept ipsec AH"
filter add chain=forward action=accept protocol=ipsec-esp comment="$logPref: accept ipsec ESP"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="$logPref: accept all that matches ipsec policy"
# There is no NAT on v6, so every new inbound flow from outside $lanName is
# dropped here; add explicit accepts above this rule if an internal host must
# be reachable over IPv6.
filter add chain=forward action=drop in-interface-list="!$lanName" comment="$logPref: drop everything else not coming from $lanName"
}
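# Protecting the Router
# Limit MikroTik neighbor discovery and the MAC-level (IP-less) telnet/winbox
# servers to the LAN list so they are not reachable from the WAN side.
/ip neighbor discovery-settings
set discover-interface-list=$lanName
/tool mac-server
set allowed-interface-list=$lanName
/tool mac-server mac-winbox
set allowed-interface-list=$lanName
# User Password Access
# $defconfPassword is provided by the defconf environment (sticker password).
# When this script runs on its own (e.g. via run-after-reset) it is normally
# unset, and the original then silently left admin with whatever password it
# already had - which after a no-defaults reset may be empty. Say so loudly
# instead, so the missing password is not overlooked.
:if (!($defconfPassword = "" || $defconfPassword = nil)) do={
    /user
    set admin password=$defconfPassword
    :delay 0.5
    # force a password change at the next login
    /user expire-password admin
} else={
    :log warning "$logPref: no defconf password available, admin password NOT changed - set one before exposing the router";
}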
################################################################################
# Administrative Services
################################################################################
# Keep only SSH and Winbox; API, FTP, telnet and the web UI (plain and TLS)
# are switched off.
/ip service disable api,api-ssl,ftp,telnet,www,www-ssl;
# Non-default SSH port. This cuts log noise from untargeted scanners but is
# not a security control on its own; the input-chain firewall (drop !LAN) is
# what actually keeps the port off the WAN.
/ip service set ssh port=2200;
# Winbox is additionally restricted to the LAN subnet at the service level.
# The firewall is the preferred place for this (it refuses the connection
# before a socket is opened), the address= filter is a second layer.
# NOTE(review): in bridge mode the static $ipBase.1/24 address is disabled and
# the bridge takes a DHCP lease; if upstream hands out a different subnet this
# filter locks Winbox out over IP. MAC-winbox from $lanName remains available.
/ip service set winbox address="$ipBase.0/24";
################################################################################
# Other Services
################################################################################
# A bandwidth server is used to test throughput between two MikroTik routers.
# Disable it in the production environment.
/tool bandwidth-server set enabled=no;
# Prefer the stronger SSH cipher/MAC/key-exchange set offered by RouterOS;
# most current clients support it.
/ip ssh set strong-crypto=yes;
# The following are off by default; set them explicitly so an accidental
# enable does not survive. Proxy and SOCKS would turn the router into a relay
# if reachable, UPnP lets LAN hosts open ports through the firewall, and IP
# cloud publishes the public address to MikroTik's DDNS.
/ip proxy set enabled=no;
/ip socks set enabled=no;
/ip upnp set enabled=no;
/ip cloud set ddns-enabled=no update-time=no;
################################################################################
# Custom settings
################################################################################
# Pin the timezone (autodetect off) and enable the NTP client against the
# Hungarian pool. Plain NTP is unauthenticated; its replies get back in via
# the firewall's established/related rule.
/system clock set time-zone-autodetect=no time-zone-name=$timeZone;
# NTP (SNTP Client)
# https://help.mikrotik.com/docs/pages/viewpage.action?pageId=40992869
/system ntp client set enabled=yes server=$ntpServers;
:delay 1s;
:log info "Script named $logPref finished";