Mikrotik base config
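# Mikrotik config derived from the default factory config
# Features:
# - Ether1 is for Internet (WAN) and has DHCP client enabled
# - Ether 2-5 and wlan1 and wlan2 are in a bridge called bridge
# - This bridge has a DHCP server activated serving IPs from $myLanSubnet.10-$myLanSubnet.254
# - Wireless is set up with $mySSID using WPA2 and the pre-shared key $myWifiPassword
# - Custom admin user $myAdminUser (password $myAdminPassword) is created and the default "admin" user is disabled
# - Get an email when a user breaks the Internet by connecting his router's WAN port to your LAN
#
# Deployment notes:
# - Every value in the :local block is a placeholder; change them before pasting the script.
# - Secrets (wifi PSK, VPN/admin/SMTP passwords) are deliberately NOT written to the system log:
#   the log is readable by any user with the "read" policy and ends up in supout/export files.
# - Neighbor discovery is limited to the LAN interface list so nothing is announced on ether1 (WAN)
#   or over the VPN link.
# - The script only configures what is listed above; it leaves /ip service and everything else at
#   RouterOS defaults, so review those separately.
#
{
:local myLanSubnet "172.27.3"
:local mySystemIdentity "my-company"
:local mySSID $mySystemIdentity
:local myWifiPassword "my-wifi-password"
:local myAdminUser "me"
:local myAdminPassword "my-admin-password"
:local myVpnInternalIp "10.11.13.1"
:local myVpnPublicIp "80.215.40.5"
:local myVpnUser $mySystemIdentity
:local myVpnPassword "my-vpn-password"
:local mySmtpHost "173.194.69.109"
:local mySmtpUsername "alerts@example.com"
:local myEmail "device@example.com"
:local mySmtpPassword "my-smtp-pass"
# Recipient of the rogue-DHCP alert mail. Previously hard-coded to the script author's personal
# address inside the on-alert script body; placeholder value, set your own.
:local myAlertEmail "alerts-recipient@example.com"
:local myTimezone "Europe/Tallinn"
{
:log warning "[wan] Adding a DHCP client to ether1"
/ip dhcp-client
add comment=baseconf dhcp-options=hostname,clientid disabled=no interface=ether1
:log warning "[clock] Setting timezone to $myTimezone"
/system clock
set time-zone-name="$myTimezone"
:log warning "[bridge] Creating bridge"
/interface bridge
add comment=baseconf name=bridge
# Only touch wlan interfaces that exist on this board (wired-only models have none)
:local wirelessInterfaceCount [/interface wireless print count-only]
:if ( $wirelessInterfaceCount > 0) do={
:log warning "[wireless] Enabling wlan1 with SSID $mySSID-2G and mode ap-bridge"
/interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid="$mySSID-2G" wireless-protocol=802.11
}
:if ( $wirelessInterfaceCount > 1) do={
# the original log line said "wlan1" here although wlan2 is the interface being configured
:log warning "[wireless] Enabling wlan2 with SSID $mySSID-5G and mode ap-bridge"
/interface wireless set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid="$mySSID-5G" wireless-protocol=802.11
}
# Do not put the PSK into the log
:log warning "[wireless] Setting WPA2 pre-shared key on the default security profile"
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="$myWifiPassword"
:log warning "[interface list] Creating WAN and LAN"
/interface list
add comment=baseconf name=WAN
add comment=baseconf name=LAN
# Do not put the VPN password into the log
:log warning "[vpn] Configuring SSTP client to $myVpnPublicIp using user $myVpnUser"
/interface sstp-client
add connect-to="$myVpnPublicIp" disabled=no name=sstp-out1 password="$myVpnPassword" profile=default-encryption user="$myVpnUser"
:log warning "[dhcp] Creating IP pool $myLanSubnet.10-254 for DHCP"
/ip pool
add name=baseconf-dhcp ranges="$myLanSubnet.10-$myLanSubnet.254"
:log warning "[dhcp] Adding a DHCP server to bridge"
/ip dhcp-server
add address-pool=baseconf-dhcp disabled=no interface=bridge name=baseconf
:log warning "[dhcp] Adding gateway $myLanSubnet.1 for network $myLanSubnet.0/24"
/ip dhcp-server network
add address="$myLanSubnet.0/24" comment=baseconf gateway="$myLanSubnet.1"
:log warning "[bridge] Adding all LAN ports to bridge:"
# Every ether*/wlan* interface except the WAN port (ether1) joins the bridge. The name is read
# through the generic /interface menu so the same lookup works for the wlan entries as well
# (the original read it via /interface ethernet, which may not resolve wlan ids).
:foreach i in=[/interface find name~"ether|wlan"] do={
:if ([/interface get $i default-name]!="ether1") do={
:local iname [/interface get $i name]
:log info "[bridge] Adding port $iname"
/interface bridge port add bridge=bridge comment=baseconf interface="$iname"
}
}
# Neighbor discovery announces the router's identity and addressing details; limit it to the LAN
# list so it is not sent out ether1 (WAN) or over the SSTP link
:log warning "[discovery] Making device discoverable from LAN interfaces only"
/ip neighbor discovery-settings
set discover-interface-list=LAN
:log warning "[list] Adding bridge to LAN list"
/interface list member
add comment=baseconf interface=bridge list=LAN
:log warning "[list] Adding ether1 to WAN list"
add comment=baseconf interface=ether1 list=WAN
:log warning "[bridge] Adding IP address $myLanSubnet.1/24"
/ip address
add address="$myLanSubnet.1/24" comment=baseconf interface=bridge network="$myLanSubnet.0"
:log warning "[dns] Setting DNS server to $myLanSubnet.1"
/ip dns static
add address="$myLanSubnet.1" name=router.lan
# The router resolves for LAN clients. New queries arriving on interfaces outside the LAN list are
# dropped by the input chain below, so this does not expose an open resolver on the WAN side.
:log warning "[dns] Allowing network requests"
/ip dns
set allow-remote-requests=yes
:log warning "[firewall] Adding rules"
/ip firewall filter
add action=accept chain=input comment="baseconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="baseconf: drop invalid" connection-state=invalid
# Management access from the VPN peer. Placed after "drop invalid" and matched on the SSTP
# interface as well as the source address, so a packet carrying that source address but arriving
# on ether1 does not match this rule.
add action=accept chain=input comment="Allow from our CnC for remote management" in-interface=sstp-out1 src-address="$myVpnInternalIp"
add action=accept chain=input comment="baseconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="baseconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="baseconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="baseconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="baseconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="baseconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="baseconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="baseconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
:log warning "[firewall] Enabling NAT when out-interface-list=WAN"
/ip firewall nat
add action=masquerade chain=srcnat comment="baseconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
:log warning "[remote access] Allowing MAC telnet from LAN"
/tool mac-server
set allowed-interface-list=LAN
:log warning "[remote access] Allowing MAC winbox from LAN"
/tool mac-server mac-winbox
set allowed-interface-list=LAN
# Do not put the admin password into the log. The password is set in the same "add" so the
# account never exists without one (the original added the user first and set the password in
# a second command).
:log warning "[users] Adding $myAdminUser to group full"
/user
add name="$myAdminUser" group=full password="$myAdminPassword"
:log warning "[users] Disabling the default admin user"
disable admin
:log warning "[logging] Enabling email activity logging"
/system logging
add topics=e-mail action=memory
# Do not put the SMTP password into the log
:log warning "[email] Configuring SMTP: address=$mySmtpHost, port=587, start-tls=yes, from=$mySystemIdentity <$myEmail>, user=$mySmtpUsername"
/tool e-mail
set address="$mySmtpHost" from="$mySystemIdentity <$myEmail>" password="$mySmtpPassword" port=587 start-tls=yes user="$mySmtpUsername"
:log warning "[dhcp] Setting up email alerting when a rogue DHCP server is detected"
# The on-alert script runs later in its own scope: the \$... variables are evaluated at alert time
# (interface, address and mac-address are supplied by the alert), while $myAlertEmail is expanded
# now, while this configuration script runs, so the recipient is no longer hard-coded in the body.
# "date" is a local of the alert script; the original declared it :global, leaving a stray global.
/ip dhcp-server alert
add alert-timeout=1m disabled=no interface=bridge on-alert=":local CurrentTime [/system clock get time];\r\
\n :local hostname [/system identity get name]\r\
\n :local date [/system clock get date]\r\
\n :local int \"\$interface\"\r\
\n :local addr \"\$address\"\r\
\n :local mac \$\"mac-address\"\r\
\n \r\
\n/tool e-mail send to=\"$myAlertEmail\" subject=DHCP-Detected body=(\"ROGUE DHCP Server have been detected on \$hostname at \$date - time \$CurrentTime - Interface= \$int - IP Address=\$addr - MAC-Address= \$mac !! GO HUNT & KILL :D\")"
:beep frequency=500 length=500ms;
:delay 500ms;
:log warning "Done"
}
# closes the outer scope block opened before the :local declarations (the original ended with
# only one closing brace for two opening ones)
}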