# mar/31/2020 09:09:09 by RouterOS 6.45.7
# software id = V76F-PB93
#
# model = RB750Gr3
# serial number = 8B000A516329
/interface bridge
# One bridge for all switch ports with VLAN filtering enabled. protocol-mode=none
# turns (R)STP off, so a looped cable is not detected; acceptable on a small
# trunk-only bridge, but keep it in mind when adding access ports here.
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
# Router-side L3 interfaces, one per VLAN:
#   99 BASE  -> 192.168.0.0/24, management (neighbor discovery and the MAC
#               server/Winbox are restricted to this list further down)
#   10 BLUE  -> 10.0.10.0/24, wired hosts and the AP's main SSID (the AP script
#               maps MainVLAN=10)
#   20 GREEN -> 10.0.20.0/24, the AP's guest SSID (GuestVLAN=20 in the AP script)
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/interface list
# WAN = ether1; VLAN = all three VLAN interfaces; BASE = the management VLAN only.
# Firewall and service restrictions below match on these lists, not on ports.
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
# Default-profile noise carried along by the export; the RB750Gr3 has no radio.
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
# Default value; hotspot is not used anywhere in this config.
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
# .1 of every subnet is the router. 10.0.10.2 is kept out of the pool for the
# ASUS access point (router.asus.com in /ip dns static).
add comment="Leave 10.0.10.2 for main IP address of router.asus.com" name=\
BLUE_POOL ranges=10.0.10.3-10.0.10.254
add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
# One DHCP server per VLAN interface.
add address-pool=BLUE_POOL disabled=no interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL disabled=no interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
/interface bridge port
# ether2-5 are pure trunk ports: only 802.1Q-tagged frames are admitted and
# ingress filtering drops tags that are not in the port's VLAN table. No pvid is
# set, so an untagged device plugged straight into the router gets no
# connectivity at all. That is deliberate hardening -- access ports live on the
# CRS326 switch, which also strips tags from untrusted hosts.
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether2
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether3
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether4
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether5
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/LLDP) only on the management VLAN, so hosts on BLUE
# and GREEN cannot enumerate the router's identity/version by broadcast.
set discover-interface-list=BASE
/interface bridge vlan
# All three VLANs are tagged on every trunk port and on BR1 itself (the CPU
# port); the latter is what lets the /interface vlan interfaces above see
# traffic.
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=20
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=GREEN_VLAN network=10.0.20.0
/ip dhcp-client
# WAN address is learned from the ISP on ether1.
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
ether1
/ip dhcp-server lease
# Fixed addresses on BLUE: bougain.lan (the host every dst-nat rule forwards
# to), media.lan and the Lutron Caseta bridge.
add address=10.0.10.3 comment=bougain.lan mac-address=00:02:C9:E9:72:E0 \
server=BLUE_DHCP
add address=10.0.10.4 client-id=1:24:5E:BE:42:38:17 comment=media.lan \
mac-address=24:5E:BE:42:38:17 server=BLUE_DHCP
add address=10.0.10.6 client-id=\
ff:19:e6:db:ac:0:1:0:1:22:21:d4:d4:c8:fd:19:e6:db:ac comment=\
lutron-caseta-bridge.lan mac-address=C8:FD:19:E6:DB:AC server=BLUE_DHCP
/ip dhcp-server network
# Every VLAN is handed the router's BASE address (192.168.0.1) as DNS server, so
# whatever the input chain does, DNS from each VLAN must still reach the router.
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
/ip dns
# allow-remote-requests=yes makes the router a recursive resolver for clients.
# It is NOT an open resolver only because "drop all coming from WAN" in
# /ip firewall filter runs before the implicit accept -- keep that rule.
# Upstream queries go to 8.8.4.4/8.8.8.8 as plaintext port-53 DNS, so the ISP
# path sees every lookup.
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip dns static
# Local names. router.asus.com is the ASUS access point at the reserved 10.0.10.2.
add address=192.168.0.1 name=router.lan
add address=192.168.0.2 name=switch.lan
add address=10.0.10.3 name=bougain.lan
add address=10.0.10.4 name=media.lan
add address=10.0.10.6 name=lutron-caseta-bridge.lan
add address=10.0.10.2 name=router.asus.com
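/ip firewall filter
# --- input chain: traffic addressed to the router itself -------------------
# RouterOS accepts anything that reaches the end of the chain, so everything
# not dropped below (i.e. any LAN-side interface) can reach Winbox/SSH/www.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all coming from WAN" in-interface-list=WAN
# GREEN_VLAN (vlan 20) is the AP's guest SSID (GuestVLAN=20 in the AP script).
# Guests only need the router for DHCP and for DNS (/ip dhcp-server network
# hands out 192.168.0.1 as resolver); they must not be able to reach the
# router's management services. BASE and BLUE keep the implicit accept.
add action=accept chain=input comment="guest: DNS to router" dst-port=53 in-interface=GREEN_VLAN protocol=udp
add action=accept chain=input comment="guest: DNS to router" dst-port=53 in-interface=GREEN_VLAN protocol=tcp
add action=accept chain=input comment="guest: DHCP to router" dst-port=67 in-interface=GREEN_VLAN protocol=udp
add action=drop chain=input comment="guest: no router management from GREEN_VLAN" in-interface=GREEN_VLAN
# --- forward chain: traffic routed between interfaces ----------------------
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# fasttrack must stay ahead of the generic accept or it never fires.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# Guest isolation: new connections from GREEN to any other VLAN (BASE
# management, BLUE with hass/Plex/Lutron) are dropped. Return traffic for
# connections started from BASE/BLUE is already accepted as established above,
# so BASE/BLUE -> GREEN still works. Internet access from GREEN is unaffected
# (ether1 is not in the VLAN list).
add action=drop chain=forward comment="guest: isolate GREEN_VLAN from BASE and BLUE" in-interface=GREEN_VLAN out-interface-list=VLAN
# Only connections that matched a dst-nat rule may enter from the WAN.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN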
/ip firewall nat
# Source NAT for everything leaving via the WAN list, except IPsec-policy traffic.
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
# Port forwards, all to bougain.lan (10.0.10.3). Each one is an
# internet-reachable service: the forward chain admits it only because the
# connection carries a dstnat state, so the exposed daemon itself is the whole
# attack surface -- keep Home Assistant / Plex / Deluge authenticated and
# patched. The dst-address=!10.0.10.1 match is effectively redundant: traffic
# arriving on the WAN list is never addressed to the BLUE gateway, and
# in-interface-list=WAN already scopes the rule.
add action=dst-nat chain=dstnat comment="home assistant" dst-address=\
!10.0.10.1 dst-port=8023 in-interface-list=WAN protocol=tcp to-addresses=\
10.0.10.3
# Disabled; enabled only while certbot needs HTTP-01 validation on port 80.
add action=dst-nat chain=dstnat comment="web (for certbot)" disabled=yes \
dst-address=!10.0.10.1 dst-port=80 in-interface-list=WAN protocol=tcp \
to-addresses=10.0.10.3 to-ports=80
# Non-standard external port 15088 -> Plex's 32400.
add action=dst-nat chain=dstnat comment=Plex dst-address=!10.0.10.1 dst-port=\
15088 in-interface-list=WAN protocol=tcp to-addresses=10.0.10.3 to-ports=\
32400
# Deluge listens on the same ports internally (no to-ports).
add action=dst-nat chain=dstnat comment="deluge torrents" dst-address=\
!10.0.10.1 dst-port=65268 in-interface-list=WAN protocol=tcp \
to-addresses=10.0.10.3
add action=dst-nat chain=dstnat comment="deluge torrents" dst-address=\
!10.0.10.1 dst-port=65267 in-interface-list=WAN protocol=tcp \
to-addresses=10.0.10.3
# Hairpin NAT (disabled): would let BLUE hosts reach bougain via the public IP.
add action=masquerade chain=srcnat comment=\
"hairpin NAT so LAN can access bougain using WAN IP" disabled=yes \
dst-address=10.0.10.0/24 src-address=10.0.10.0/24
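/ip ssh
# allow-none-crypto=yes (the original value) lets a client negotiate the "none"
# cipher, i.e. an SSH session with no encryption at all; nothing here needs
# that. strong-crypto=yes disables the weak ciphers/MACs and the 1024-bit DH
# group. forwarding-enabled=remote is kept as before (remote port forwarding
# into the router). SSH is only reachable from the LAN because the input chain
# drops everything from the WAN list.
set allow-none-crypto=no forwarding-enabled=remote strong-crypto=yes
/system clock
# NOTE(review): no NTP client or /ip cloud time sync appears in this export;
# confirm the clock is actually synchronised, otherwise log timestamps (and the
# scheduler start-time below) cannot be trusted.
set time-zone-name=America/Los_Angeles
/system identity
set name=Router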
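/system scheduler
# Runs the Namecheap DDNS script every 10 minutes. The scheduler's policy must
# cover everything the script needs; the original granted every policy
# (ftp,reboot,policy,password,sniff,sensitive,romon...), which lets a bug or
# tampering in the script reboot the device, change passwords or read
# sensitive fields. read (ip address get), write and test (/tool fetch) are all
# a fetch-only script requires.
add interval=10m name=ddns on-event=namecheap-ddns policy=read,write,test \
start-date=nov/10/2019 start-time=06:10:37
/system script
# Updates hass.<domain> and www.<domain> at Namecheap with the current ether1
# address. The DDNS password travels in the URL query string, so (a) it is
# never written to the log and (b) the request is made over HTTPS. NOTE(review):
# /tool fetch in RouterOS does not verify the server certificate unless
# check-certificate=yes is set and a CA is imported; until then an on-path
# attacker can capture the DDNS password -- consider importing the CA and
# adding check-certificate=yes.
add dont-require-permissions=no name=namecheap-ddns owner=admin policy=read,write,test source="#\
\_from https://forum.mikrotik.com/viewtopic.php\?f=9&t=107264&p=533043\
\n# the name (within the domain) to update -- must already exist!\
\n:local hosts [:toarray value=\"hass,www\"];\
\n# the domain name\
\n:local domain \"starships.enterprises\"\
\n# key for namecheap updates -- never log it\
\n:local password \"CENSORED\"\
\n# get wan IP\
\n:local ddnsip [ /ip address get [/ip address find interface=ether1 ] address ]\
\n:log info \"WAN IP is \$ddnsip\"\
\n# Strip the net mask off the IP address\
\n:for i from=( [:len \$ddnsip] - 1) to=0 do={\
\n :if ( [:pick \$ddnsip \$i] = \"/\") do={ \
\n :set ddnsip [:pick \$ddnsip 0 \$i]\
\n } \
\n }\
\n:foreach host in \$hosts do={\
\n:local url \"https://dynamicdns.park-your-domain.com/update\?host=\$host&domain=\$domain&password=\$password&ip=\$ddnsip\"\
\n# log the target only -- \$url carries the password in the query string\
\n:log info \"updating \$host.\$domain -> \$ddnsip\"\
\n/tool fetch url=\$url mode=https keep-result=no\
\n}"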
/tool mac-server
# MAC-telnet and MAC-Winbox (layer-2 management that bypasses IP and therefore
# the IP firewall) are only answered on the management VLAN, matching the
# neighbor-discovery restriction above.
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
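#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
# For ASUS RT-AC68U running Asuswrt-Merlin firmware in Access Point mode.
# Puts the LAN ports and the main SSID on VLAN ${MainVLAN} and the guest SSID
# on VLAN ${GuestVLAN}, both trunked (tagged) out of the WAN port towards the
# switch/router, so guest Wi-Fi clients never share a bridge with the main LAN.
# Based on
# https://www.snbforums.com/threads/wap-guest-ssid-port-based-vlan.12750/#post-171178
# https://www.snbforums.com/threads/ssid-to-vlan.24791/#post-191187
# https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4
# Interfaces before this script runs (default access point configuration):
# eth0: WAN port
# eth1: WiFi 2.4GHz
# eth2: WiFi 5GHz
# wl0.{1,2,3}: WiFi 2.4GHz guest network
# vlan1: I think this is the 4 LAN ports
# vlan2: Also WAN?
# br0: bridges vlan1, eth1, eth2, wl0.1
# To use:
# * Put in access point mode.
# * Manually configure IP address. Should match router.asus.com in
#   router.rsc (10.0.10.2, kept out of BLUE_POOL there).
# * Enable SSH access on the access point
# * Enable JFFS scripts
# * SCP to /jffs/scripts/services-start  (this exact name is the Merlin boot
#   hook; a misspelled file is silently never run)
# * SSH to router
# * chmod a+x /jffs/scripts/services-start
# * Test by rebooting
# * Check log file in /jffs/scripts/log for debug info. The log is appended to
#   on every boot and never rotated; trim it by hand now and then.

LOG=/jffs/scripts/log

# Append a labelled snapshot of addresses, routes and bridges to the log so the
# state before and after the reconfiguration can be compared.
dump_state() {
    echo "============== START $1 $(date) ==================" >> "${LOG}"
    ip a >> "${LOG}"
    ip r >> "${LOG}"
    brctl show >> "${LOG}"
    echo "============== END $1 $(date) ==================" >> "${LOG}"
}

dump_state 1

MainVLAN=10
GuestVLAN=20
# Guest SSID interfaces (wl0.1 = Guest SSID 1, 2.4 GHz).
# Can get this from `nvram show | grep _ssid=`
GuestIFs="wl0.1"

# Check the GuestIFs have been set up in the GUI *before* touching the switch
# configuration, so a missing guest SSID cannot leave the AP half-reconfigured.
for wlIF in ${GuestIFs}; do
    if ! ifconfig "${wlIF}" >/dev/null 2>&1; then
        echo "$(date) guest interface ${wlIF} not found; set it up in the GUI first" >> "${LOG}"
        exit 1
    fi
done

# Switch default vlan from 1 to MainVLAN
if [ -n "${MainVLAN}" ] && [ "${MainVLAN}" != "1" ]; then
    robocfg vlan 1 ports ""
    # 0t is WAN port (tagged trunk), 1-4 are the LAN ports (untagged), 5t is CPU port
    robocfg port 0 state disabled vlan "${MainVLAN}" ports "0t 1 2 3 4 5t" port 0 state enabled
    vconfig rem vlan1 # Removes it from br0 as well.
    vconfig add eth0 "${MainVLAN}"
    ifconfig "vlan${MainVLAN}" up
    brctl addif br0 "vlan${MainVLAN}"
fi

# Guest VLAN exists only on the trunk (0t) and the CPU (5t): no LAN port is a
# member, so wired hosts and guest clients cannot reach each other through the
# switch chip.
robocfg vlan "${GuestVLAN}" ports "0t 5t"
vconfig add eth0 "${GuestVLAN}"
ifconfig "vlan${GuestVLAN}" up

# Move the guest SSIDs out of br0 (main LAN) into their own bridge br1 together
# with the guest VLAN interface.
brctl addbr br1
for wlIF in ${GuestIFs}; do
    brctl delif br0 "${wlIF}"
    brctl addif br1 "${wlIF}"
done
brctl addif br1 "vlan${GuestVLAN}"
ifconfig br1 up

# Record the new bridge membership in nvram. Derived from the variables above
# instead of being hard-coded so that changing MainVLAN/GuestVLAN/GuestIFs
# keeps nvram consistent with the bridges actually built.
nvram set lan_ifnames="vlan${MainVLAN} eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan${GuestVLAN} ${GuestIFs}"
nvram set lan1_ifname="br1"
nvram commit
# Restart eapd so it re-reads lan*_ifnames, as the referenced snbforums recipes do.
killall eapd
eapd

dump_state 2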
# jan/08/1970 13:33:33 by RouterOS 6.45.7
# software id = LQU7-KVAY
#
# model = CRS326-24G-2S+
# serial number = 94560A635F12
/interface bridge
# Single hardware-offloaded bridge with VLAN filtering; protocol-mode=none
# disables (R)STP, so loops are not detected on this 24-port switch.
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface ethernet
# Advertise every rate on the SFP+ port that connects media.lan.
set [ find default-name=sfp-sfpplus1 ] advertise="10M-half,10M-full,100M-half,\
100M-full,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" \
comment=media.lan
/interface vlan
# The switch's only L3 interface lives on the management VLAN (99).
add interface=BR1 name=BASE_VLAN vlan-id=99
/interface list
add name=BASE
/interface wireless security-profiles
# Default-profile noise from the export; the CRS326 has no radio.
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
# Default value; hotspot is not used.
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
# Access ports (pvid=10, BLUE): only untagged / priority-tagged frames are
# admitted and ingress filtering is on, so a connected host cannot inject its
# own 802.1Q tag to hop into BASE or GREEN. ether24 is the single management
# access port (pvid=99). ether1/ether2 are tagged-only trunks towards the
# router.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=sfp-sfpplus1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=sfp-sfpplus2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether5 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether6 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether7 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether8 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether9 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether10 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether11 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether12 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether13 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether14 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether15 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether16 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether17 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether18 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether19 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether20 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether21 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether22 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether23 pvid=10
# Management access port: whatever is plugged in here lands on BASE (99).
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether24 pvid=99
# Trunks to the router (and/or AP): tagged frames only.
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether1
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether2
/ip neighbor discovery-settings
# Neighbor discovery only on the management VLAN.
set discover-interface-list=BASE
/interface bridge vlan
# VLAN table: 10 (BLUE) untagged on all access ports and tagged on the trunks;
# 99 (BASE) tagged on the trunks and on BR1 itself so the CPU can be managed;
# 20 (GREEN) passes through on the trunks only -- no access port and no CPU
# membership, so the switch never participates in the guest VLAN.
add bridge=BR1 comment=BLUE_VLAN tagged=ether1,ether2 untagged="sfp-sfpplus1,s\
fp-sfpplus2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether\
11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20\
,ether21,ether22,ether23" vlan-ids=10
add bridge=BR1 tagged=BR1,ether1,ether2 vlan-ids=99
add bridge=BR1 comment=GREEN_VLAN tagged=ether1,ether2 vlan-ids=20
/interface list member
add interface=BASE_VLAN list=BASE
/ip address
# switch.lan. There is no /ip firewall on this device: management is only as
# isolated as the path to 192.168.0.2 is. Hosts on BLUE/GREEN cannot reach it
# at layer 2, but the router routes between VLANs, so they can reach it via
# the default route below unless the router's forward chain blocks it.
add address=192.168.0.2/24 interface=BASE_VLAN network=192.168.0.0
/ip route
# Default route via the router; needed for return traffic to anything outside
# 192.168.0.0/24 (see the exposure note above).
add distance=1 gateway=192.168.0.1
/system clock
# NOTE(review): the export header is dated jan/08/1970 and no NTP client
# appears in this config, so the switch clock is not synchronised and its log
# timestamps are unusable for correlation. Add time sync before relying on logs.
set time-zone-name=America/Los_Angeles
/system identity
set name=Switch
/system routerboard settings
# CRS326 dual-boots SwOS/RouterOS; pin RouterOS so the VLAN config above applies.
set boot-os=router-os
/tool mac-server
# Layer-2 management (MAC-telnet / MAC-Winbox) only from the management VLAN.
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
/tool sniffer
# Leftover debugging filter (headers only, trunk ether2, non-BLUE traffic).
# This only stores the filter, not a running capture, but a pre-armed sniffer
# on the trunk is one click from capturing management traffic; clear it when
# the debugging session is over.
set filter-interface=ether2 filter-ip-address=!10.0.10.0/24 \
filter-operator-between-entries=and only-headers=yes