@tobiasmcnulty
Last active October 23, 2020 01:07
If you have a neighbor with a different internet service provider (ISP) and you want to share guest wifi networks for when those ISPs inevitably go down (hopefully at different times), you can fairly easily use a single Mikrotik device to share your internet connection with them, and bring their connection into the house.
# RouterOS config for a "swap guest wifi with a neighbour" setup.
# Roles as configured below: wlan-2g / wlan-5g are *stations* (clients of the
# neighbour's wifi) and form the WAN side; wlan-2g-ap / wlan-5g-ap are the APs
# offered to the neighbour and are isolated into VLAN 999 on the bridge;
# wlan-5g-ap-mgmt is a management AP that lands on the router's own LAN (VLAN 1).
# Section order matters: interfaces and lists are created before anything
# that references them (bridge ports, VLAN table, firewall, DHCP).
# Configure a bridge with vlan-filtering enabled (might want to enable VLAN filtering at the end, on a new device)
# NOTE: turning on vlan-filtering before the bridge VLAN table below exists can
# cut off the session you are configuring from; on a fresh device apply the
# bridge vlan entries first and set vlan-filtering=yes last.
/interface bridge
add ingress-filtering=yes name=bridge vlan-filtering=yes
# Configure interface lists for firewall rules
# WAN = the neighbour-facing station interfaces; LAN = bridge + ether1.
/interface list
add name=WAN
add name=LAN
# Configure wireless security profiles (these have passwords stripped; be sure to add some)
# The default profile is left without a WPA passphrase here; it is safe only
# because every wireless interface below names one of the three explicit
# profiles. The MikroTik-Mgmt passphrase grants L2 access to the router's
# management LAN (see the bridge port / VLAN 1 entries below), so treat it as
# an admin credential and do not reuse the neighbour-facing passphrases for it.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=Neighbor-Wifi supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=My-Outside-Wifi supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=MikroTik-Mgmt supplicant-identity=MikroTik
/interface wireless
# Configure 2G station (client of neighbor's wifi); MUST be the primary config for wlan1 since all other virtual wireless interfaces will use the same frequency
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX disabled=no frequency=auto name=wlan-2g security-profile=Neighbor-Wifi ssid=Neighbor-Wifi
# Configure 2G AP (share my wifi with neighbor)
# Virtual AP on top of the 2G station; WPS is explicitly disabled.
add disabled=no master-interface=wlan-2g name=wlan-2g-ap security-profile=My-Outside-Wifi ssid=My-Outside-Wifi-2G wds-default-bridge=bridge \
wps-mode=disabled
# Configure 5G station (client of neighbor's wifi); MUST be the primary config for wlan2 since all other virtual wireless interfaces will use the same frequency
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX disabled=no frequency=auto name=wlan-5g security-profile=Neighbor-Wifi ssid=\
Neighbor-Wifi-5G
# Configure 5G AP (share my wifi with neighbor)
add disabled=no master-interface=wlan-5g name=wlan-5g-ap security-profile=My-Outside-Wifi ssid=My-Outside-Wifi-5G wds-default-bridge=bridge \
wps-mode=disabled
# Add a dedicated AP I can use to login if I lock myself out through other means
# This AP is bridged untagged into VLAN 1 below, i.e. onto the same segment as
# the router's 192.168.88.1 address and DHCP server: anyone with its PSK can
# reach the router's management services.
add disabled=no master-interface=wlan-5g name=wlan-5g-ap-mgmt security-profile=MikroTik-Mgmt ssid=MikroTik-Mgmt wds-default-bridge=\
bridge wps-mode=disabled
# Configuration for local network
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge name=lan
/interface bridge port
# ether1 is the trunk toward the primary router: VLAN 1 untagged, VLAN 999 tagged
# (see /interface bridge vlan).
add bridge=bridge ingress-filtering=yes interface=ether1
# 2G and 5G APs get a VLAN ID of 999 (assumes you have a separate router for your primary internet connection that connects this VLAN to your guest network to provide DHCP, etc.)
# frame-types=admit-only-untagged-and-priority-tagged means a neighbour's client
# cannot inject its own 802.1Q tags to hop into another VLAN; everything it
# sends is forced into pvid 999.
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-2g-ap pvid=999
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=wlan-5g-ap pvid=999
# The Management network traffic goes directly to the bridge (PVID=1)
add bridge=bridge interface=wlan-5g-ap-mgmt
/ip neighbor discovery-settings
set discover-interface-list=LAN
# Configure VLANs on the bridge for VLAN filtering
# The bridge interface itself is a member of VLAN 1 only, so VLAN 999 (the
# neighbour's guest traffic) is switched to ether1 and never reaches this
# router's IP stack - that is what keeps the guest APs off 192.168.88.0/24.
/interface bridge vlan
add bridge=bridge untagged=bridge,ether1,wlan-5g-ap-mgmt vlan-ids=1
add bridge=bridge tagged=ether1 untagged=wlan-2g-ap,wlan-5g-ap vlan-ids=999
/interface list member
# bridge and ether1 are on the LAN side
add interface=bridge list=LAN
add interface=ether1 list=LAN
# Station (clients of neighbor's wifi) are WAN interfaces
add interface=wlan-2g list=WAN
add interface=wlan-5g list=WAN
# LAN IP
/ip address
add address=192.168.88.1/24 interface=bridge network=192.168.88.0
# WAN DHCP clients
# use-peer-dns=no so the neighbour's DHCP cannot push resolvers onto this
# router; resolvers are pinned under /ip dns instead.
/ip dhcp-client
# 2G client gets a larger route distance so packets will prefer the 5G network
add default-route-distance=100 disabled=no interface=wlan-2g use-peer-dns=no
add disabled=no interface=wlan-5g use-peer-dns=no
# DHCP server for local network
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
# Configure some DNS settings
# allow-remote-requests=yes makes this router a resolver for its clients; it is
# not an open resolver only because the input chain below drops everything
# not arriving from the LAN list (the WAN stations are excluded).
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Default firewall config that comes with RouterOS these days
# input chain: only LAN-list interfaces may talk to the router itself.
# forward chain: new connections from the WAN stations are dropped unless
# dst-nat'ed, so the neighbour's side cannot initiate into this LAN.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
# Outbound traffic toward the neighbour is masqueraded, so their network only
# ever sees this router's station address.
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Disable services we don't use
# Not touched here: www, www-ssl and ssh. Whatever of those is enabled by
# default stays reachable from the LAN list (incl. the management AP); consider
# restricting them with address=192.168.88.0/24 or disabling plain www if only
# www-ssl/ssh are needed - TODO confirm which services are in use before doing so.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
# Configure a few system settings
/system clock
set time-zone-name=America/New_York
# Stay on the long-term RouterOS channel for updates.
/system package update
set channel=long-term
/system routerboard settings
set auto-upgrade=yes
# MAC-telnet and MAC-winbox are limited to LAN-side interfaces, so they are not
# reachable over the neighbour-facing stations.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN