@henno
Last active May 21, 2019 08:00
Mikrotik base config
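# Mikrotik config derived from the default factory config
# Features:
# - Ether1 is for Internet (WAN) and has DHCP client enabled
# - Ether 2-5 and wlan1 and wlan2 are in a bridge called bridge
# - This bridge has a DHCP server activated serving IPs from $myLanSubnet.10-$myLanSubnet.254
# - Wireless is set up with $mySSID using WPA2-PSK and $myWifiPassword
# - Custom admin user $myAdminUser with $myAdminPassword is created and the default "admin" user is disabled
# - Get an email when a user breaks the Internet by connecting his router's WAN port to your LAN
#
# Secrets (wifi, VPN, admin and SMTP passwords) are deliberately NOT written to the system log:
# /log is readable by any user with the "read" policy and may be kept on disk or sent to remote syslog.
#
{
# --- Site parameters: edit these before running the script ---------------------------
:local myLanSubnet "172.27.3"
:local mySystemIdentity "my-company"
:local mySSID $mySystemIdentity
:local myWifiPassword "my-wifi-password"
:local myAdminUser "me"
:local myAdminPassword "my-admin-password"
:local myVpnInternalIp "10.11.13.1"
:local myVpnPublicIp "80.215.40.5"
:local myVpnUser $mySystemIdentity
:local myVpnPassword "my-vpn-password"
:local mySmtpHost "173.194.69.109"
:local mySmtpUsername "alerts@example.com"
:local myEmail "device@example.com"
:local mySmtpPassword "my-smtp-pass"
# Mailbox that receives the rogue-DHCP alert (constructed placeholder; was a hard-coded personal address)
:local myAlertEmail "admin@example.com"
:local myTimezone "Europe/Tallinn"
{
:log warning "[wan] Adding a DHCP client to ether1"
/ip dhcp-client
add comment=baseconf dhcp-options=hostname,clientid disabled=no interface=ether1
:log warning "[clock] Setting timezone to $myTimezone"
/system clock
set time-zone-name="$myTimezone"
:log warning "[bridge] Creating bridge"
/interface bridge
add comment=baseconf name=bridge
/interface wireless
:local wirelessInterfaceCount [/interface wireless print count-only]
:if ( $wirelessInterfaceCount > 0) do={
:log warning "[wireless] Enabling wlan1 with SSID $mySSID-2G and mode ap-bridge"
/interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid="$mySSID-2G" wireless-protocol=802.11
}
:if ( $wirelessInterfaceCount > 1) do={
:log warning "[wireless] Enabling wlan2 with SSID $mySSID-5G and mode ap-bridge"
# Full menu path, as for wlan1: do not rely on the "/interface wireless" context surviving into do={}
/interface wireless set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no distance=indoors frequency=auto mode=ap-bridge ssid="$mySSID-5G" wireless-protocol=802.11
}
# The PSK itself is not logged (see header)
:log warning "[wireless] Setting default wifi security profile to WPA2-PSK"
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="$myWifiPassword"
:log warning "[interface list] Creating WAN and LAN"
/interface list
add comment=baseconf name=WAN
add comment=baseconf name=LAN
:log warning "[vpn] Configuring SSTP client to $myVpnPublicIp using user $myVpnUser"
/interface sstp-client
# NOTE(review): verify-server-certificate is left at its default, so the hub's certificate is not
# checked; import the hub CA and add verify-server-certificate=yes if the hub has a trusted cert.
add connect-to="$myVpnPublicIp" disabled=no name=sstp-out1 password="$myVpnPassword" profile=default-encryption user="$myVpnUser"
:log warning "[dhcp] Creating IP pool $myLanSubnet.10-254 for DHCP"
/ip pool
add name=baseconf-dhcp ranges="$myLanSubnet.10-$myLanSubnet.254"
:log warning "[dhcp] Adding a DHCP server to bridge"
/ip dhcp-server
add address-pool=baseconf-dhcp disabled=no interface=bridge name=baseconf
:log warning "[dhcp] Adding gateway $myLanSubnet.1 for network $myLanSubnet.0/24"
/ip dhcp-server network
add address="$myLanSubnet.0/24" comment=baseconf gateway="$myLanSubnet.1"
:log warning "[bridge] Adding all LAN ports to bridge:"
:foreach i in=[/interface find name~"ether|wlan"] do={
:if ([/interface get $i default-name]!="ether1") do={
# $i comes from the generic /interface menu, so read the name there as well: wlanN is not an
# "/interface ethernet" item and looking it up in that menu would fail and abort the loop.
:local iname [/interface get $i name]
:log info "[bridge] Adding port $iname"
/interface bridge port add bridge=bridge comment=baseconf interface="$iname"
}
}
:log warning "[discovery] Setting device to be discoverable from every interface"
/ip neighbor discovery-settings
# NOTE(review): "all" also advertises identity/version/MAC out of ether1 (WAN); the factory
# default is LAN -- switch to discover-interface-list=LAN unless WAN-side discovery is wanted.
set discover-interface-list=all
:log warning "[list] Adding bridge to LAN list"
/interface list member
add comment=baseconf interface=bridge list=LAN
:log warning "[list] Adding ether1 to WAN list"
add comment=baseconf interface=ether1 list=WAN
:log warning "[bridge] Adding IP address $myLanSubnet.1/24"
/ip address
add address="$myLanSubnet.1/24" comment=baseconf interface=bridge network="$myLanSubnet.0"
:log warning "[dns] Adding static DNS entry router.lan -> $myLanSubnet.1"
/ip dns static
add address="$myLanSubnet.1" name=router.lan
:log warning "[dns] Allowing network requests"
/ip dns
set allow-remote-requests=yes
:log warning "[firewall] Adding rules"
/ip firewall filter
add action=accept chain=input comment="baseconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="baseconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="baseconf: accept ICMP" protocol=icmp
# Management from the VPN hub: match the tunnel interface as well as the source address, so a
# packet arriving on ether1 with a forged private source does not hit this accept.
add action=accept chain=input comment="Allow from our CnC for remote management" in-interface=sstp-out1 src-address="$myVpnInternalIp"
add action=drop chain=input comment="baseconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="baseconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="baseconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="baseconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="baseconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="baseconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="baseconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
:log warning "[firewall] Enabling NAT when out-interface-list=WAN"
/ip firewall nat
add action=masquerade chain=srcnat comment="baseconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
:log warning "[remote access] Allowing MAC telnet from LAN"
/tool mac-server
set allowed-interface-list=LAN
:log warning "[remote access] Allowing MAC winbox from LAN"
/tool mac-server mac-winbox
set allowed-interface-list=LAN
:log warning "[users] Adding $myAdminUser"
/user
add name="$myAdminUser" group=full
set $myAdminUser password="$myAdminPassword"
# Only disable the factory account after the replacement admin exists, to avoid locking ourselves out
:log warning "[users] Disabling the default admin user"
disable admin
:log warning "[logging] Enabling email activity logging"
/system logging
add topics=e-mail action=memory
:log warning "[email] Configuring SMTP: address=$mySmtpHost, port=587, start-tls=yes, from=$mySystemIdentity <$myEmail>, user=$mySmtpUsername"
/tool e-mail
set address="$mySmtpHost" from="$mySystemIdentity <$myEmail>" password="$mySmtpPassword" port=587 start-tls=yes user="$mySmtpUsername"
:log warning "[dhcp] Setting up email alerting when a rogue DHCP server is detected"
/ip dhcp-server alert
# on-alert is stored and runs later as its own script: the variables supplied by the alert stay
# escaped (\$interface, \$address, \$"mac-address"), while $myAlertEmail is expanded now, at add
# time, because the locals defined above do not exist when the alert fires.
add alert-timeout=1m disabled=no interface=bridge on-alert=":local CurrentTime [/system clock get time];\r\
\n :local hostname [/system identity get name]\r\
\n :local date [/system clock get date]\r\
\n :local int \"\$interface\"\r\
\n :local addr \"\$address\"\r\
\n :local mac \$\"mac-address\"\r\
\n \r\
\n/tool e-mail send to=\"$myAlertEmail\" subject=DHCP-Detected body=(\"ROGUE DHCP Server have been detected on \$hostname at \$date - time \$CurrentTime - Interface= \$int - IP Address=\$addr - MAC-Address= \$mac !! GO HUNT & KILL :D\")"
:beep frequency=500 length=500ms;
:delay 500ms;
:log warning "Done"
}
# closes the parameter scope opened at the top of the script
}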