Skip to content

Instantly share code, notes, and snippets.

@colorwebdesigner

colorwebdesigner/mikrotikAutoConfig.rsc

Created February 29, 2020 12:20
Show Gist options
  • Save colorwebdesigner/0765cb04fbfbf4f99ce4879565ddc37b to your computer and use it in GitHub Desktop.
Save colorwebdesigner/0765cb04fbfbf4f99ce4879565ddc37b to your computer and use it in GitHub Desktop.
Download ZIP
Mikrotik configuration script
Raw
mikrotikAutoConfig.rsc
{
# Encoding must be UTF-8!
#-------------------------------------------------------------------------------
# Set the name of the router and its SSID
:local systemName ""
# Set the password you would like to use when logging on as 'admin'.
:local adminPassword ""
# Time Servers (NTP)
:local ntpA "173.230.149.23"
:local ntpB "198.110.48.12"
# Name Servers (DNS) - set to OpenDNS. This should be set to a set of servers that are local and FAST
:local nsA "216.116.96.2"
:local nsB "216.52.254.33"
:local nsC "68.111.16.30"
# DHCP
:local dhcpServer "dhcp-local-server"
:local lanPoolName "dhcp-local-pool"
:local poolStart "192.168.20.100"
:local poolEnd "192.168.20.200"
# Addresses
:local lanAddress "192.168.20.1"
:local lanNetworkAddress "192.168.20.0"
:local lanNetworkBits "24"
# Interfaces
:local ether1 "ether1-wan"
:local ether2 "ether2-slave-lan"
:local ether3 "ether3-slave-lan"
:local ether4 "ether4-master-lan"
:local tap1 "tap1-gateway"
:local tap1Login ""
:local tap1Password ""
:local br1 "br1-local"
# wpa/wpa2 pre-shared key
:local wpaPreSharedKey ""
#-------------------------------------------------------------------------------
:log info "--- Setting timezone ---";
/system clock set time-zone-autodetect=yes;
:log info "--- Setting up the time server client ---";
/system ntp client set enabled=yes primary-ntp=$ntpA secondary-ntp=$ntpB;
:log info "--- Setting the system name ---";
/system identity set name=$systemName;
:log info "--- Setting the admin password ---";
/user set admin password=$adminPassword;
#-------------------------------------------------------------------------------
:log info "--- Clearing all pre-existing settings ---";
:log info "--- Clearing firewall ---";
/ip firewall {
:log info "--- Clearing any existing NATs ---";
:local o [nat find]
:if ([:len $o] != 0) do={ nat remove numbers=$o }
:log info "--- Clearing old filters ---";
:local o [filter find where dynamic=no]
:if ([:len $o] != 0) do={ filter remove $o }
:log info "--- Clearing old address lists ---";
:local o [address-list find]
:if ([:len $o] != 0) do={ address-list remove numbers=$o }
:log info "--- Clearing previous mangles ---";
:local o [mangle find where dynamic=no]
:if ([:len $o] != 0) do={ mangle remove numbers=$o }
:log info "--- Clearing previous layer-7 ---";
:local o [layer7-protocol find]
:if ([:len $o] != 0) do={ layer7-protocol remove numbers=$o }
}
:log info "--- Resetting Mac Server ---";
/tool mac-server remove [find interface!=all]
/tool mac-server set [find] disabled=no
/tool mac-server mac-winbox remove [find interface!=all]
/tool mac-server mac-winbox set [find] disabled=no
:log info "--- Resetting neighbor discovery ---";
/ip neighbor discovery set [find name=$ether1] discover=yes
:log info "--- Reset interfaces to default ---";
:foreach iface in=[/interface ethernet find] do={
/interface ethernet set $iface name=[get $iface default-name]
/interface ethernet set $iface master-port=none
}
:log info "--- Remove old DHCP client ---";
:local o [/ip dhcp-client find]
:if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
:log info "--- Remove old PPPoE client ---";
:local o [/interface pppoe-client find]
:if ([:len $o] != 0) do={ /interface pppoe-client remove $o }
:log info "--- Disable wireless interface ---";
/interface wireless set wlan1 disabled=yes security-profile=default;
:log info "--- Remove old non-default security profiles ---";
:local o [/interface wireless security-profiles find where name!=default]
:if ([:len $o] != 0) do={ /interface wireless security-profiles remove $o }
:log info "--- Remove old bridge interfaces and their ports ---";
:local o [/interface bridge port find where dynamic=no]
:if ([:len $o] != 0) do={ /interface bridge port remove $o }
:local o [/interface bridge find]
:if ([:len $o] != 0) do={ /interface bridge remove $o }
:log info "--- Clearing all pre-existing settings (DHCP) ---";
:local o [/ip dhcp-server network find]
:if ([:len $o] != 0) do={ /ip dhcp-server network remove $o }
:local o [/ip dhcp-server find]
:if ([:len $o] != 0) do={ /ip dhcp-server remove $o }
:local o [/ip pool find]
:if ([:len $o] != 0) do={ /ip pool remove $o }
/ip dns {
set allow-remote-requests=no
:local o [static find]
:if ([:len $o] != 0) do={ static remove $o }
}
/ip address {
:local o [find]
:if ([:len $o] != 0) do={ remove $o }
}
:log info "--- Disabling UPnP ---";
:local o [/ip upnp interfaces find]
:if ([:len $o] != 0) do={ /ip upnp interfaces remove $o }
/ip upnp set enabled=no;
#-------------------------------------------------------------------------------
:log info "--- Setup interface(s) ---";
/interface set ether1 name="$ether1";
:log info "--- Setting up a dhcp client on the wan interface ---";
/ip dhcp-client add interface=$ether1 disabled=no comment="Gateway Interface" use-peer-dns=no use-peer-ntp=no add-default-route=no;
:log info "--- Setup switching ---";
/interface ethernet {
set ether4 name="$ether4";
set ether2 name="$ether2" master-port=$ether4;
set ether3 name="$ether3" master-port=$ether4;
}
:log info "--- Setup PPPoE ---";
/interface pppoe-client add interface=$ether1 name=$tap1 disabled=no user=$tap1Login password=$tap1Password use-peer-dns=no add-default-route=yes default-route-distance=0
:log info "--- Add WPA/WPA2 security profile ---";
/interface wireless security-profiles
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
tkip,aes-ccm mode=dynamic-keys name=wpa2-protected supplicant-identity="" \
unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=$wpaPreSharedKey \
wpa2-pre-shared-key=$wpaPreSharedKey
:log info "--- Enable and setting wireless interface ---";
/interface wireless set wlan1 disabled=no ssid="$systemName" mode=ap-bridge band=2ghz-b/g/n \
frequency=2432 bridge-mode=enabled wireless-protocol=802.11 security-profile=wpa2-protected \
default-authentication=yes default-forwarding=yes hide-ssid=no
:log info "--- Disable nstreme protocol ---";
/interface wireless nstreme set wlan1 enable-nstreme=no enable-polling=no disable-csma=no
:log info "--- Setting local network bridge ---";
/interface bridge add name=$br1
/interface bridge port add interface=$ether4 bridge=$br1
/interface bridge port add interface=wlan1 bridge=$br1
#-------------------------------------------------------------------------------
:log info "--- Setting the routers LAN address to $lanAddress/$lanNetworkBits ---";
/ip address add address="$lanAddress/$lanNetworkBits" interface=$br1 network=$lanNetworkAddress comment="router LAN address";
:log info "--- Setting DHCP server on interface, pool $poolStart-$poolEnd ---";
/ip pool add name=$lanPoolName ranges="$poolStart-$poolEnd";
/ip dhcp-server add name="$dhcpServer" address-pool=$lanPoolName interface=$br1 disabled=no lease-time=10m;
/ip dhcp-server network add address="$lanNetworkAddress/$lanNetworkBits" gateway=$lanAddress dns-server=$lanAddress comment="local DHCP network";
:log info "--- Setting DNS servers to $nsA and $nsB ---";
/ip dns {
set allow-remote-requests=yes servers="$nsA,$nsB,$nsC";
static add name=$systemName address=$lanAddress;
}
#-------------------------------------------------------------------------------
# open ports: 8291 - winbox, 22 - ssh, 53 - dns, 123 - ntp
#
/ip firewall filter {
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=new dst-port=8291,22 in-interface=$br1 protocol=tcp src-address="$lanNetworkAddress/$lanNetworkBits"
add action=accept chain=input connection-state=new dst-port=53,123 protocol=udp src-address="$lanNetworkAddress/$lanNetworkBits"
add action=accept chain=input connection-state=established,related comment="Allow established connections"
add action=accept chain=output connection-state=!invalid
add action=accept chain=forward connection-state=established,new in-interface=$br1 out-interface=$tap1 src-address="$lanNetworkAddress/$lanNetworkBits"
add action=accept chain=forward connection-state=established,related in-interface=$tap1 out-interface=$br1
add action=drop chain=input
add action=drop chain=output
add action=drop chain=forward
}
/ip firewall nat {
add action=masquerade chain=srcnat out-interface=$tap1 src-address="$lanNetworkAddress/$lanNetworkBits";
}
#-------------------------------------------------------------------------------
:log info "--- Setting UPnP ---";
/ip upnp set enabled=yes;
/ip upnp interfaces add interface=$tap1 type=external;
/ip upnp interfaces add interface=$br1 type=internal;
#-------------------------------------------------------------------------------
:log info "--- Disabling neighbor discovery ---";
/ip neighbor discovery set [find name=$ether1] discover=no;
/ip neighbor discovery set [find name=$tap1] discover=no;
:log info "--- Disabling bandwidth test server ---";
/tool bandwidth-server set enabled=no;
:log info "--- Disabling router services ---";
/ip service {
:foreach s in=[find where !disabled and name!=winbox] do={
set $s disabled=yes;
}
:log info "--- Enabling secure shell service on port ---";
:local o [find name=ssh !disabled]
:if ([:len $o] = 0) do={
set ssh disabled=no port=22;
}
}
:log info "--- Disabling firewall service ports ---";
/ip firewall service-port {
:foreach o in=[find where !disabled and name!=sip and name!=pptp] do={
set $o disabled=yes;
}
}
:log info "--- Disable mac server tools ---";
/tool mac-server disable [find];
/tool mac-server mac-winbox disable [find];
:log info "Auto configuration ended.";
/system reboot;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment