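# mar/31/2020 09:09:09 by RouterOS 6.45.7
# software id = V76F-PB93
#
# model = RB750Gr3
# serial number = 8B000A516329
#
# Home router.  ether1 is the WAN uplink (DHCP client); ether2-ether5 are
# VLAN trunks into bridge BR1 and accept tagged frames only.  Three VLANs
# live on the bridge: 99 BASE (192.168.0.0/24, management/infrastructure),
# 10 BLUE (10.0.10.0/24, main LAN) and 20 GREEN (10.0.20.0/24).  The router
# is DHCP server and DNS forwarder for all three.
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
add interface=BR1 name=BLUE_VLAN vlan-id=10
add interface=BR1 name=GREEN_VLAN vlan-id=20
/interface list
add name=WAN
add name=VLAN
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add comment="Leave 10.0.10.2 for main IP address of router.asus.com" name=\
    BLUE_POOL ranges=10.0.10.3-10.0.10.254
add name=GREEN_POOL ranges=10.0.20.2-10.0.20.254
add name=BASE_POOL ranges=192.168.0.10-192.168.0.254
/ip dhcp-server
add address-pool=BLUE_POOL disabled=no interface=BLUE_VLAN name=BLUE_DHCP
add address-pool=GREEN_POOL disabled=no interface=GREEN_VLAN name=GREEN_DHCP
add address-pool=BASE_POOL disabled=no interface=BASE_VLAN name=BASE_DHCP
# Trunk ports: untagged frames are rejected and ingress filtering drops any
# VLAN id the port is not a member of (membership is declared under
# /interface bridge vlan below).
/interface bridge port
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether2
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether3
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether4
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
    interface=ether5
# Neighbor discovery only on the management VLAN.
/ip neighbor discovery-settings
set discover-interface-list=BASE
# All three VLANs are tagged on every trunk and on BR1 itself (the router
# CPU), which is what lets the /interface vlan interfaces above terminate
# them.
/interface bridge vlan
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=20
add bridge=BR1 tagged=BR1,ether2,ether3,ether4,ether5 vlan-ids=99
/interface list member
add interface=ether1 list=WAN
add interface=BASE_VLAN list=VLAN
add interface=BLUE_VLAN list=VLAN
add interface=GREEN_VLAN list=VLAN
add interface=BASE_VLAN list=BASE
/ip address
add address=192.168.0.1/24 interface=BASE_VLAN network=192.168.0.0
add address=10.0.10.1/24 interface=BLUE_VLAN network=10.0.10.0
add address=10.0.20.1/24 interface=GREEN_VLAN network=10.0.20.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    ether1
# Fixed addresses on BLUE; the names are mirrored under /ip dns static.
/ip dhcp-server lease
add address=10.0.10.3 comment=bougain.lan mac-address=00:02:C9:E9:72:E0 \
    server=BLUE_DHCP
add address=10.0.10.4 client-id=1:24:5E:BE:42:38:17 comment=media.lan \
    mac-address=24:5E:BE:42:38:17 server=BLUE_DHCP
add address=10.0.10.6 client-id=\
    ff:19:e6:db:ac:0:1:0:1:22:21:d4:d4:c8:fd:19:e6:db:ac comment=\
    lutron-caseta-bridge.lan mac-address=C8:FD:19:E6:DB:AC server=BLUE_DHCP
# Every VLAN is handed the router's BASE address (192.168.0.1) as resolver.
/ip dhcp-server network
add address=10.0.10.0/24 dns-server=192.168.0.1 gateway=10.0.10.1
add address=10.0.20.0/24 dns-server=192.168.0.1 gateway=10.0.20.1
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
# Resolver answers queries from all VLANs (allow-remote-requests=yes).  The
# input-chain drop of WAN traffic further down is what keeps this from being
# an open resolver on the Internet side.  Upstream lookups go to Google DNS
# unencrypted.
/ip dns
set allow-remote-requests=yes servers=8.8.4.4,8.8.8.8
/ip dns static
add address=192.168.0.1 name=router.lan
add address=192.168.0.2 name=switch.lan
add address=10.0.10.3 name=bougain.lan
add address=10.0.10.4 name=media.lan
add address=10.0.10.6 name=lutron-caseta-bridge.lan
add address=10.0.10.2 name=router.asus.com
# Input chain: from the WAN list only ICMP and replies to existing flows are
# accepted; everything else is dropped, so no router service is reachable
# from the Internet over IPv4.  There is no rule for the LAN side after
# that, so any host on BASE, BLUE or GREEN reaches every router service
# (DNS, SSH, Winbox, ...).
# Forward chain: nothing restricts traffic between the VLANs -- a GREEN
# host can open connections into BLUE and BASE.  If GREEN is meant to be a
# guest segment, add drop rules between the VLAN interfaces here.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all coming from WAN" \
    in-interface-list=WAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Port forwards, all to bougain (10.0.10.3).  in-interface-list=WAN is the
# restriction that matters; dst-address=!10.0.10.1 cannot match anything
# arriving from WAN anyway.  The forward-chain "drop all from WAN not
# DSTNATed" rule above is what admits these and nothing else.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat comment="home assistant" dst-address=\
    !10.0.10.1 dst-port=8023 in-interface-list=WAN protocol=tcp to-addresses=\
    10.0.10.3
add action=dst-nat chain=dstnat comment="web (for certbot)" disabled=yes \
    dst-address=!10.0.10.1 dst-port=80 in-interface-list=WAN protocol=tcp \
    to-addresses=10.0.10.3 to-ports=80
add action=dst-nat chain=dstnat comment=Plex dst-address=!10.0.10.1 dst-port=\
    15088 in-interface-list=WAN protocol=tcp to-addresses=10.0.10.3 to-ports=\
    32400
add action=dst-nat chain=dstnat comment="deluge torrents" dst-address=\
    !10.0.10.1 dst-port=65268 in-interface-list=WAN protocol=tcp \
    to-addresses=10.0.10.3
add action=dst-nat chain=dstnat comment="deluge torrents" dst-address=\
    !10.0.10.1 dst-port=65267 in-interface-list=WAN protocol=tcp \
    to-addresses=10.0.10.3
add action=masquerade chain=srcnat comment=\
    "hairpin NAT so LAN can access bougain using WAN IP" disabled=yes \
    dst-address=10.0.10.0/24 src-address=10.0.10.0/24
# allow-none-crypto=yes lets a client negotiate the unencrypted "none"
# cipher.  SSH is only reachable from the LAN VLANs (WAN input is dropped),
# but nothing here needs plaintext sessions -- set this back to no unless a
# specific client depends on it.
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=Router
# Runs the namecheap-ddns script every 10 minutes.  Its policy list
# (password, policy, sensitive, sniff, reboot, ftp, ...) is far wider than a
# fetch-based update needs; trim it, keeping it in step with the script's
# own policy below.
/system scheduler
add interval=10m name=ddns on-event=namecheap-ddns policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=nov/10/2019 start-time=06:10:37
# Dynamic DNS: updates each name in $hosts under $domain with the current
# ether1 address.  The namecheap key is embedded in the script (redacted
# here) and travels in the URL query string.  The log line inside the loop
# therefore reports only host, domain and IP: logging $url as before wrote
# the key into the system log (and to any remote syslog target).
# NOTE(review): /tool fetch does not validate the server certificate unless
# check-certificate=yes is given (needs the CA imported on the router), so
# the key is exposed to anyone who can intercept the HTTPS connection.
/system script
add dont-require-permissions=no name=namecheap-ddns owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_from https://forum.mikrotik.com/viewtopic.php\?f=9&t=107264&p=533043\
    \n# the name (within the domain) to update -- must already exist!\
    \n:local hosts [:toarray value=\"hass,www\"];\
    \n# the domain name\
    \n:local domain \"starships.enterprises\"\
    \n# key for namecheap updates\
    \n:local password \"CENSORED\"\
    \n# get wan IP\
    \n:local ddnsip [ /ip address get [/ip address find interface=ether1 ] add\
    ress ]\
    \n:log info \"WAN IP is \$ddnsip\"\
    \n# Strip the net mask off the IP address\
    \n:for i from=( [:len \$ddnsip] - 1) to=0 do={\
    \n :if ( [:pick \$ddnsip \$i] = \"/\") do={ \
    \n :set ddnsip [:pick \$ddnsip 0 \$i]\
    \n } \
    \n }\
    \n:foreach host in \$hosts do={\
    \n:local url \"https://dynamicdns.park-your-domain.com/update\?host=\$host\
    &domain=\$domain&password=\$password&ip=\$ddnsip\"\
    \n# do not log \$url: it carries the update key\
    \n:log info \"DDNS update for \$host in \$domain -> \$ddnsip\"\
    \n/tool fetch url=\$url mode=https keep-result=no\
    \n}"
# Winbox/MAC-telnet only on the management VLAN.
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE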
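#!/bin/sh
PATH="/sbin:/usr/sbin:/bin:/usr/bin:${PATH}"
# For ASUS RT-AC68U running Asuswrt-Merlin firmware in Access Point mode.
#
# Moves the wired LAN ports from the stock VLAN 1 onto VLAN $MainVLAN and
# puts the guest SSID on its own bridge (br1) that only carries VLAN
# $GuestVLAN tagged on the uplink port, so guest traffic never shares br0
# with the main LAN.
#
# Based on
# https://www.snbforums.com/threads/wap-guest-ssid-port-based-vlan.12750/#post-171178
# https://www.snbforums.com/threads/ssid-to-vlan.24791/#post-191187
# https://gist.github.com/Jimmy-Z/6120988090b9696c420385e7e42c64c4
# Interfaces before this script runs (default access point configuration):
# eth0: WAN port
# eth1: WiFi 2.4GHz
# eth2: WiFi 5GHz
# wl0.{1,2,3}: WiFi 2.4GHz guest network
# vlan1: I think this is the 4 LAN ports
# vlan2: Also WAN?
# br0: bridges vlan1, eth1, eth2, wl0.1
# To use:
# * Put in access point mode.
# * Manually configure IP address. Should match router.asus.com
#   (10.0.10.2) in router.rsc.
# * Enable SSH access on the access point
# * Enable JFFS scripts
# * SCP to /jffs/scripts/services-start
# * SSH to router
# * chmod a+x /jffs/scripts/services-start
# * Test by rebooting
# * Check log file in /jffs/scripts/log for debug info

LOG=/jffs/scripts/log

# Append the current interface, route and bridge state to $LOG under the
# given tag so the before/after picture can be compared after a reboot.
dump_state() {
    echo "============== START $1 $(date) ==================" >> "$LOG"
    ip a >> "$LOG"
    ip r >> "$LOG"
    brctl show >> "$LOG"
    echo "============== END $1 $(date) ==================" >> "$LOG"
}

dump_state 1

MainVLAN=10
GuestVLAN=20
# wl0.1 = Guest SSID 1, 2.4 GHz
# Can get this from `nvram show | grep _ssid=`
GuestIFs="wl0.1"

# Check the GuestIFs have been set up in the GUI before touching the switch,
# so a missing guest SSID does not leave the VLANs half-reprogrammed.  The
# failure is written to $LOG because stdout is not visible on reboot.
for wlIF in ${GuestIFs}; do
    if ! ifconfig | grep -q "^${wlIF} "; then
        echo "Guest interface ${wlIF} not found; set it up in the GUI first" >> "$LOG"
        exit 1
    fi
done

# Switch default vlan from 1 to MainVLAN (skipped when MainVLAN is 1 or unset)
if [ -n "$MainVLAN" ] && [ "$MainVLAN" != "1" ]; then
    robocfg vlan 1 ports ""
    # 0t is WAN port, 5t is CPU port
    robocfg port 0 state disabled vlan "${MainVLAN}" ports "0t 1 2 3 4 5t" port 0 state enabled
    vconfig rem vlan1 # Removes it from br0 as well.
    vconfig add eth0 "${MainVLAN}"
    ifconfig "vlan${MainVLAN}" up
    brctl addif br0 "vlan${MainVLAN}"
fi

# Guest VLAN is tagged on the WAN port and the CPU port only ("0t 5t"): no
# wired LAN port is a member, so guest traffic leaves the AP solely via the
# uplink.
# 0t is WAN port, 5t is CPU port
robocfg vlan "${GuestVLAN}" ports "0t 5t"
vconfig add eth0 "${GuestVLAN}"
ifconfig "vlan${GuestVLAN}" up
brctl addbr br1
for wlIF in ${GuestIFs}; do
    brctl delif br0 "${wlIF}"
    brctl addif br1 "${wlIF}"
done
brctl addif br1 "vlan${GuestVLAN}"
ifconfig br1 up

# Record the new bridge membership in nvram.  Derived from the variables
# above so the VLAN ids and guest interfaces cannot drift from what was
# actually configured (the original hard-coded vlan10/vlan20/wl0.1 here).
# Presumably eapd reads these, which is why it is restarted afterwards.
nvram set lan_ifnames="vlan${MainVLAN} eth1 eth2"
nvram set lan_ifname="br0"
nvram set lan1_ifnames="vlan${GuestVLAN} ${GuestIFs}"
nvram set lan1_ifname="br1"
nvram commit
killall eapd
eapd

dump_state 2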
# jan/08/1970 13:33:33 by RouterOS 6.45.7
# software id = LQU7-KVAY
#
# model = CRS326-24G-2S+
# serial number = 94560A635F12
#
# Access switch behind the router.  ether1 and ether2 are VLAN trunks
# (tagged 10, 20 and 99); ether24 is an untagged access port on the
# management VLAN 99; sfp-sfpplus1/2 and ether3-ether23 are untagged access
# ports on VLAN 10 (BLUE).  VLAN 20 (GREEN) is carried on the trunks only --
# no access port on this switch is in it.
# The 1970 timestamp suggests the clock had not been set when this export
# was taken.
/interface bridge
add name=BR1 protocol-mode=none vlan-filtering=yes
# sfp-sfpplus1 advertises every rate up to 10G; the comment matches the
# media.lan lease on the router.
/interface ethernet
set [ find default-name=sfp-sfpplus1 ] advertise="10M-half,10M-full,100M-half,\
100M-full,1000M-half,1000M-full,2500M-full,5000M-full,10000M-full" \
comment=media.lan
/interface vlan
add interface=BR1 name=BASE_VLAN vlan-id=99
/interface list
add name=BASE
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# Access ports: only untagged or priority-tagged frames are admitted and
# they are placed in the port's pvid; tagged frames are rejected, so a
# client cannot hop VLANs by tagging its own traffic.
/interface bridge port
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=sfp-sfpplus1 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=sfp-sfpplus2 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether3 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether4 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether5 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether6 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether7 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether8 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether9 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether10 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether11 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether12 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether13 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether14 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether15 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether16 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether17 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether18 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether19 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether20 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether21 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether22 pvid=10
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether23 pvid=10
# The one access port on the management VLAN: whatever is plugged into
# ether24 lands on 192.168.0.0/24 next to the switch and router management
# addresses.
add bridge=BR1 frame-types=admit-only-untagged-and-priority-tagged \
ingress-filtering=yes interface=ether24 pvid=99
# Trunks towards the router: tagged frames only, ingress filtering on.
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether1
add bridge=BR1 frame-types=admit-only-vlan-tagged ingress-filtering=yes \
interface=ether2
# Neighbor discovery only on the management VLAN.
/ip neighbor discovery-settings
set discover-interface-list=BASE
# BR1 (the switch CPU) is a member of VLAN 99 only, so the switch's own IP
# below is reachable solely through the management VLAN; VLANs 10 and 20
# pass through without a CPU interface.
/interface bridge vlan
add bridge=BR1 comment=BLUE_VLAN tagged=ether1,ether2 untagged="sfp-sfpplus1,s\
fp-sfpplus2,ether3,ether4,ether5,ether6,ether7,ether8,ether9,ether10,ether\
11,ether12,ether13,ether14,ether15,ether16,ether17,ether18,ether19,ether20\
,ether21,ether22,ether23" vlan-ids=10
add bridge=BR1 tagged=BR1,ether1,ether2 vlan-ids=99
add bridge=BR1 comment=GREEN_VLAN tagged=ether1,ether2 vlan-ids=20
/interface list member
add interface=BASE_VLAN list=BASE
# Management address (switch.lan on the router) and default route via the
# router's BASE address.  No /ip service or /ip firewall section appears in
# this export, so as far as it shows every management service is open to
# any host on VLAN 99.
/ip address
add address=192.168.0.2/24 interface=BASE_VLAN network=192.168.0.0
/ip route
add distance=1 gateway=192.168.0.1
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=Switch
/system routerboard settings
set boot-os=router-os
# Winbox/MAC-telnet only on the management VLAN.
/tool mac-server
set allowed-interface-list=BASE
/tool mac-server mac-winbox
set allowed-interface-list=BASE
# Saved packet-sniffer filter (ether2, addresses outside 10.0.10.0/24,
# headers only).  It only takes effect when the sniffer is started by hand;
# presumably left over from troubleshooting.
/tool sniffer
set filter-interface=ether2 filter-ip-address=!10.0.10.0/24 \
filter-operator-between-entries=and only-headers=yes