@DJviolin
Last active June 6, 2022 15:49
RouterOS configuration script based on defconf
# $ /sys default-configuration print
# $ /export terse file=config-back-default.rsc
# $ /export terse file=config-back-lanti.rsc
# $ /export terse file=config-back-lanti-bridge.rsc
# $ /export terse file=default_RB951G-2HnD-back-lanti.rsc
# $ /import config-without-default-lanti.rsc
# $ /system default-configuration print
# $ /system default-configuration print file=config-20220525-002.rsc
# $ /system reset-configuration no-defaults=yes skip-backup=yes run-after-reset=config-without-default-lanti.rsc
# https://help.mikrotik.com/docs/display/ROS/First+Time+Configuration
# https://wiki.mikrotik.com/wiki/Manual:Scripting
# https://wiki.mikrotik.com/wiki/Manual:Scripting-examples
# https://wiki.mikrotik.com/wiki/Manual:Scripting_Tips_and_Tricks
# https://forum.mikrotik.com/viewforum.php?f=9
# https://wiki.mikrotik.com/wiki/Category:Scripting
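################################################################################
# Global variables
################################################################################
# Tag written into the comment= field of every object this script creates and
# used as the prefix of its log lines, so the objects can be found later.
:global logPref "lanticonf";
# Logged only after $logPref is declared; the original emitted this line before
# the declaration, where the variable is not yet defined.
:log info "Starting $logPref script";
# values: router, bridge
# router: ether1 is WAN, the bridge is the LAN with its own address and DHCP
# server. bridge: ether1 joins the bridge and the router takes its address from
# the upstream network via a DHCP client (see the confMode checks below).
:global confMode "router";
#:global confMode "bridge";
# first three octets of the LAN /24; the router itself is $ipBase.1
:global ipBase "192.168.88";
# name of the LAN bridge interface
:global brName "bridge";
# DHCP pool name (replaced below in bridge mode) and DHCP server name
:global dhcpPool "default-dhcp";
:global dhcpServer "$logPref";
# interface list names referenced by the firewall and the management services
:global wanName "WAN";
:global lanName "LAN";
:global timeZone "Europe/Budapest";
# comma-separated NTP hosts; the backslash at the end of the line continues the
# string on the next line
:global ntpServers "0.hu.pool.ntp.org,1.hu.pool.ntp.org,\
2.hu.pool.ntp.org,3.hu.pool.ntp.org";
# filled in by the wireless section once the wlan MAC address is known
:global ssid;
:if ($confMode = "bridge") do={
:log info "confMode is set to $confMode";
:set dhcpPool "dhcp";
}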
################################################################################
# Apply configuration.
# these commands are executed after installation or configuration reset
################################################################################
# wait for ethernet interfaces
# Polls once per second for up to 30 s; on timeout a warning is logged and the
# script exits with /quit, so nothing below runs.
:local count 0;
:while ([/interface ethernet find] = "") do={
:if ($count = 30) do={
:log warning "$logPref: Unable to find ethernet interfaces";
/quit;
}
:delay 1s; :set count ($count + 1);
};
:local count 0;
# wait for wireless interfaces
# When no specific configuration is found,
# IP address 192.168.88.1/24 is set on ether1 or combo1, or sfp1
# NOTE(review): "print count-only" never returns a negative number, so with
# "< 0" this loop never runs and its body (the 40 s wait, the fallback address
# on ether1 and /quit) is dead code as written; the built-in defconf presumably
# compares against 1 here. Confirm whether skipping the wait is intended (for
# example on devices without wireless) before changing it. The wireless section
# further down re-checks the count on its own and tolerates zero.
:while ([/interface wireless print count-only] < 0) do={
:set count ($count +1);
:if ($count = 40) do={
:log warning "$logPref: Unable to find wireless interface(s)";
/ip address
add address="$ipBase.1/24" interface=ether1 comment="$logPref";
/quit
}
:delay 1s;
};
# Interface lists referenced by the firewall rules and by the management-access
# settings below; members are added later, once the bridge exists.
/interface list add name=$wanName comment="$logPref";
/interface list add name=$lanName comment="$logPref";
# Configuring IP Access
# Bridge IGMP/MLD snooping
# "/interface bridge mdb print" command to monitor the active multicast groups.
# https://help.mikrotik.com/docs/pages/viewpage.action?pageId=59277403
# The LAN bridge: RSTP, IGMP snooping with this bridge acting as querier.
# auto-mac=yes is overridden further down once the first ethernet port is found.
/interface bridge add name=$brName disabled=no auto-mac=yes protocol-mode=rstp comment=$logPref igmp-snooping=yes multicast-querier=yes;
# bridge mode: in the bridge "input" chain (frames addressed to the bridge
# itself) drop UDP/IP frames with destination port 68 (the DHCP client port)
# that arrive on ether1. NOTE(review): the intent is not stated; confirm it does
# not interfere with the dhcp-client that bridge mode places on the bridge.
:if ($confMode = "bridge") do={
/interface bridge filter add action=drop chain=input dst-port=68 in-interface=ether1 ip-protocol=udp mac-protocol=ip;
}
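# Bridge ports: every interface that is not a slave, is not ether1 and whose
# name does not match $brName ("~" is a regex match, so any name containing
# the bridge name is skipped) is a candidate.
:local bMACIsSet 0;
:foreach k in=[/interface find where !(slave=yes || name="ether1" || name~"$brName")] do={
:local tmpPortName [/interface get $k name];
# first ethernet is found; pin the bridge MAC to that port's MAC
# (auto-mac=no + admin-mac) instead of letting the bridge pick one
:if ($bMACIsSet = 0) do={
:if ([/interface get $k type] = "ether") do={
/interface bridge
# $brName instead of the literal "bridge": the global is the single place
# the bridge name is defined, and the literal broke as soon as it changed
set $brName auto-mac=no admin-mac=[/interface get $tmpPortName mac-address];
:set bMACIsSet 1;
}
}
# add bridge ports; PPP and LTE interfaces are routed, not bridged
:if (([/interface get $k type] != "ppp-out") && ([/interface get $k type] != "lte")) do={
/interface bridge port
add bridge=$brName interface=$tmpPortName comment=$logPref;
}
# bridge mode: the individual ports (not the bridge) form the LAN list
:if ($confMode = "bridge") do={
/interface list member
add list=$lanName interface=$tmpPortName;
}
}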
# bridge mode: ether1 is excluded from the loop above, so it joins the bridge here
:if ($confMode = "bridge") do={
/interface bridge port
add bridge=$brName interface=ether1;
}
# management address of the router on the LAN bridge
/ip address
add address="$ipBase.1/24" interface=$brName comment="$logPref";
# bridge mode: the static address is created but left disabled; the bridge
# gets its address from the upstream network via the dhcp-client added further
# down. NOTE(review): presumably kept as a manual fallback — confirm, and note
# that enabling it could also bring the DHCP server configured below to life on
# the upstream LAN.
:if ($confMode = "bridge") do={
:local ipAddrId [/ip address find where address="$ipBase.1/24"];
/ip address
set $ipAddrId disabled=yes;
}
# DHCP Server setup
# pool $ipBase.10-$ipBase.254, 10 minute leases, server bound to the bridge;
# clients get the router ($ipBase.1) as gateway and DNS server
/ip pool
add name=$dhcpPool ranges="$ipBase.10-$ipBase.254";
/ip dhcp-server
add name=$dhcpServer address-pool=$dhcpPool interface=$brName lease-time=10m disabled=no;
/ip dhcp-server network
add address="$ipBase.0/24" gateway="$ipBase.1" dns-server="$ipBase.1" comment="$logPref";
# bridge mode: the network entry is rewritten to 0.0.0.0/24 with gateway 0.0.0.0.
# NOTE(review): the server itself is still created with disabled=no; presumably
# it stays inactive only because the bridge has no address in the pool's subnet
# (that address is disabled above) — confirm. The failure mode if that changes
# is a second DHCP server on the upstream LAN; disabled=yes for this mode would
# be the explicit choice.
:if ($confMode = "bridge") do={
:local dhcpServerId [/ip dhcp-server network find where address="$ipBase.0/24"];
/ip dhcp-server network
set $dhcpServerId address=0.0.0.0/24 gateway=0.0.0.0 netmask=24;
}
# DNS: the router resolves for its clients ($ipBase.1 is handed out as
# dns-server by the DHCP network above). allow-remote-requests=yes makes it
# answer queries on every interface; the input-chain rule further down that
# drops traffic not coming from $lanName is what keeps this from being an open
# resolver towards $wanName.
/ip dns set allow-remote-requests=yes;
/ip dns static add name=router.lan address="$ipBase.1" comment=$logPref;
# Wireless: only touched if at least one wireless interface exists; any error
# inside is caught by on-error and logged instead of aborting the script.
:do {
:if ([/interface wireless print count-only] > 0) do={
/interface wireless {
# look wlan1 up by default-name so a renamed interface is still found
:local ifcId [/interface wireless find where default-name=wlan1]
# currentName is read but not used below
:local currentName [/interface wireless get $ifcId name]
set $ifcId mode=ap-bridge band=2ghz-b/g/n disabled=no wireless-protocol=802.11 distance=indoors installation=indoor
set $ifcId channel-width=20/40mhz-XX;
set $ifcId frequency=auto
# SSID is "MikroTik-" followed by the last three octets of the wlan MAC
# (characters 9-10, 12-13 and 15-16 of the colon-separated string)
:local wlanMac [/interface wireless get $ifcId mac-address];
:set ssid "MikroTik-$[:pick $wlanMac 9 11]$[:pick $wlanMac 12 14]$[:pick $wlanMac 15 17]"
set $ifcId ssid=$ssid
# NOTE(review): no security-profile is assigned here, so wlan1 comes up with
# whatever the "default" profile holds — presumably open unless it was
# configured elsewhere. Verify before the AP is enabled.
}
}
} on-error={ :log warning "$logPref: unable to configure wireless";}
# Configuring Internet Connection
# Dynamic Public IP
# The DHCP client sits on the bridge in bridge mode and on ether1 (WAN)
# otherwise. Only the interface is set here; the dhcp-client defaults
# (default route, peer DNS) are left as the router provides them.
:local dhcpClientIf "ether1";
:if ($confMode = "bridge") do={ :set dhcpClientIf $brName; }
/ip dhcp-client add interface=$dhcpClientIf disabled=no comment="$logPref";
# List membership: ether1 is always WAN; the bridge is LAN only in router mode
# (in bridge mode the individual ports were added to LAN in the loop above).
# NOTE(review): in bridge mode the bridge interface itself is in neither list,
# while the input-chain rules below drop everything not coming from $lanName;
# check that management traffic arriving over the bridge is still accepted
# before relying on that mode.
:if ($confMode != "bridge") do={
/interface list member add list=$lanName interface=$brName comment="$logPref";
}
/interface list member add list=$wanName interface=ether1 comment="$logPref";
# Firewall rules
# IPv4 NAT: masquerade everything leaving through the $wanName list, except
# traffic that matches an outbound IPsec policy (ipsec-policy=out,none).
/ip firewall nat
add chain=srcnat out-interface-list=$wanName ipsec-policy=out,none action=masquerade comment="$logPref: masquerade"
# IPv4 filter. Rule order is the policy: each chain ends in a drop, so only
# what an earlier rule accepts gets through.
/ip firewall {
# input chain: traffic addressed to the router itself
filter add chain=input action=accept connection-state=established,related,untracked comment="$logPref: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="$logPref: drop invalid"
filter add chain=input action=accept protocol=icmp comment="$logPref: accept ICMP"
filter add chain=input action=accept dst-address=127.0.0.1 comment="$logPref: accept to local loopback (for CAPsMAN)"
# NOTE(review): the negation is passed inside a quoted expansion ("!$lanName").
# After import, confirm with "/ip firewall filter print" that this rule exists
# and shows in-interface-list=!LAN rather than a literal list name: if it is not
# created, the input chain has no final drop and every service on the router
# may be reachable from $wanName. The same applies to the two IPv6 rules below.
filter add chain=input action=drop in-interface-list="!$lanName" comment="$logPref: drop all not coming from $lanName"
# forward chain: traffic routed through the router
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="$logPref: accept in ipsec policy"
filter add chain=forward action=accept ipsec-policy=out,ipsec comment="$logPref: accept out ipsec policy"
# fasttrack sits above the generic accept so established flows bypass the rest
# of the filter; it comes after the ipsec rules, presumably so IPsec traffic
# is not fasttracked
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="$logPref: fasttrack"
filter add chain=forward action=accept connection-state=established,related,untracked comment="$logPref: accept established,related, untracked"
filter add chain=forward action=drop connection-state=invalid comment="$logPref: drop invalid"
# only connections that were explicitly dst-nat'ed may be initiated from WAN
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=$wanName comment="$logPref: drop all from $wanName not DSTNATed"
}
# IPv6 filter. There is no NAT for IPv6, so the final drop in each chain is
# the only thing standing between $wanName and the hosts behind the router.
/ipv6 firewall {
# reserved / bogon prefixes, used by the forward-chain drops below
address-list add list=bad_ipv6 address=::/128 comment="$logPref: unspecified address"
address-list add list=bad_ipv6 address=::1 comment="$logPref: lo"
address-list add list=bad_ipv6 address=fec0::/10 comment="$logPref: site-local"
address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="$logPref: ipv4-mapped"
address-list add list=bad_ipv6 address=::/96 comment="$logPref: ipv4 compat"
address-list add list=bad_ipv6 address=100::/64 comment="$logPref: discard only "
address-list add list=bad_ipv6 address=2001:db8::/32 comment="$logPref: documentation"
address-list add list=bad_ipv6 address=2001:10::/28 comment="$logPref: ORCHID"
address-list add list=bad_ipv6 address=3ffe::/16 comment="$logPref: 6bone"
# input chain: traffic addressed to the router itself
filter add chain=input action=accept connection-state=established,related,untracked comment="$logPref: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="$logPref: drop invalid"
filter add chain=input action=accept protocol=icmpv6 comment="$logPref: accept ICMPv6"
filter add chain=input action=accept protocol=udp port=33434-33534 comment="$logPref: accept UDP traceroute"
# DHCPv6 replies (prefix delegation) are accepted only from link-local peers
filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="$logPref: accept DHCPv6-Client prefix delegation."
filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="$logPref: accept IKE"
filter add chain=input action=accept protocol=ipsec-ah comment="$logPref: accept ipsec AH"
filter add chain=input action=accept protocol=ipsec-esp comment="$logPref: accept ipsec ESP"
filter add chain=input action=accept ipsec-policy=in,ipsec comment="$logPref: accept all that matches ipsec policy"
# NOTE(review): the negation is passed inside a quoted expansion ("!$lanName");
# after import, verify with "/ipv6 firewall filter print" that this rule and
# the forward-chain one below were created as in-interface-list=!LAN. Without
# them neither chain ends in a drop.
filter add chain=input action=drop in-interface-list="!$lanName" comment="$logPref: drop everything else not coming from $lanName"
# forward chain: traffic routed through the router
filter add chain=forward action=accept connection-state=established,related,untracked comment="$logPref: accept established,related,untracked"
filter add chain=forward action=drop connection-state=invalid comment="$logPref: drop invalid"
filter add chain=forward action=drop src-address-list=bad_ipv6 comment="$logPref: drop packets with bad src ipv6"
filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="$logPref: drop packets with bad dst ipv6"
# RFC 4890: link-local ICMPv6 (hop-limit 1) must not be forwarded
filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="$logPref: rfc4890 drop hop-limit=1"
filter add chain=forward action=accept protocol=icmpv6 comment="$logPref: accept ICMPv6"
filter add chain=forward action=accept protocol=139 comment="$logPref: accept HIP"
filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="$logPref: accept IKE"
filter add chain=forward action=accept protocol=ipsec-ah comment="$logPref: accept ipsec AH"
filter add chain=forward action=accept protocol=ipsec-esp comment="$logPref: accept ipsec ESP"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="$logPref: accept all that matches ipsec policy"
filter add chain=forward action=drop in-interface-list="!$lanName" comment="$logPref: drop everything else not coming from $lanName"
}
# Protecting the Router
# Neighbor discovery and MAC-level access (mac-telnet, mac-winbox) are
# limited to the $lanName list, so they are not offered towards $wanName.
/ip neighbor discovery-settings set discover-interface-list=$lanName;
/tool mac-server set allowed-interface-list=$lanName;
/tool mac-server mac-winbox set allowed-interface-list=$lanName;
# User Password Access
# NOTE(review): $defconfPassword is not declared anywhere in this script. The
# built-in defconf gets it from the system; when this file is run through
# run-after-reset, confirm the variable resolves (RouterOS rejects a script
# that references an undefined variable). If it resolves to empty or nil the
# admin account keeps an empty password, reachable over ssh/winbox from
# $lanName. Declaring it with ":global defconfPassword;" above this check is
# one option — verify it does not shadow a system-provided value.
:if (!($defconfPassword = "" || $defconfPassword = nil)) do={
/user
# set the password, then mark it expired so it must be changed at next login
set admin password=$defconfPassword
:delay 0.5
/user expire-password admin
}
################################################################################
# Administrative Services
################################################################################
# Keep only ssh and winbox; api, api-ssl, ftp, telnet, www and www-ssl are
# switched off.
/ip service disable api,api-ssl,ftp,telnet,www,www-ssl;
# Moving SSH off port 22 cuts down on opportunistic login noise but is not an
# access control: the input-chain drop for traffic not coming from $lanName is
# what actually keeps SSH unreachable from $wanName.
/ip service set ssh port=2200;
# winbox is additionally limited to the LAN subnet at the service level. The
# firewall stays the primary control, since it stops the socket from being
# reached at all; the address restriction only decides who the service
# answers once a packet has got through.
/ip service set winbox address="$ipBase.0/24";
################################################################################
# Other Services
################################################################################
# A bandwidth server is used to test throughput between two MikroTik routers.
# Disable it in the production environment.
/tool bandwidth-server set enabled=no;
# Prefer the stronger SSH ciphers; most current clients support them.
/ip ssh set strong-crypto=yes;
# The following are disabled by default, but they are pinned off here so an
# accidental enable does not survive a re-run of this script.
# MikroTik caching proxy
/ip proxy set enabled=no;
# MikroTik socks proxy
/ip socks set enabled=no;
# MikroTik UPNP service
/ip upnp set enabled=no;
# MikroTik dynamic name service or IP cloud
/ip cloud set ddns-enabled=no update-time=no;
################################################################################
# Custom settings
################################################################################
# Set timezone: a fixed zone, no autodetection (autodetection presumably
# depends on the IP cloud service that was switched off above).
/system clock set time-zone-autodetect=no time-zone-name=$timeZone;
# NTP (SNTP Client)
# https://help.mikrotik.com/docs/pages/viewpage.action?pageId=40992869
# NOTE(review): the name of the server-list parameter appears to differ between
# RouterOS 6 and 7; confirm "server=" is accepted on the target version,
# otherwise this line fails and the clock is never synchronised.
/system ntp client set enabled=yes server=$ntpServers;
:delay 1s;
:log info "Script named $logPref finished";