Process/procedural question re: pasting exported script

I have a logistics or process question:

I am setting up a new wAP to replace a cAP (need it on the wall, not ceiling), and it should have nearly the same config.

So I exported the cAP config and began editing it.

My question is: What do I do with all the export lines that contain "mac-address="?

Specifically:
/interface/bridge
/interface wifi

Do I simply omit the parameter "mac-address=" and paste the rest of the command?

Do I go into the default settings, note the mac addresses, and paste or include that mac address into the script to be pasted?

Thanks.

Maybe it would better be called a "workflow" question.

It depends.
If you want to apply the configuration by importing it on the new device, very likely those lines are already defined in the new device, so you need to make a "diff" file.
If you want to make a configuration that you apply after a reset with no configuration, you normally need to note the existing MACs of the new device and include them.
The two common verbs in a configuration are "set" and "add".
Set sets :wink: what is explicitly included, leaving the rest as is (risk of leftovers from pre-existing configuration).
Add adds, no matter if already present (risk of duplicates).
But you can also use remove, which followed by add essentially ends up as being "replace".

Simply remove all mac-address= occurrences; the device uses, or recalculates, the right one,
EXCEPT for the bridge, where you MUST also remove auto-mac=no (or set it explicitly to auto-mac=yes).

When the new device is ready, put the MAC of the lowest ETHERNET interface ON the bridge as the admin MAC address of the bridge.
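
The clean-up described in the replies above, as an added example that is not part of the original thread: a Python script that joins the export's wrapped lines, strips `mac-address=` in `/interface` menus and strips `auto-mac=no` from `/interface bridge`. Dropping the old device's `admin-mac=` value as well is an assumption made here; the sample export, its interface names and its MAC addresses are constructed.

```python
import re

# Constructed sample in RouterOS export syntax; names and MACs are made up.
SAMPLE_EXPORT = """\
/interface bridge
add admin-mac=02:00:00:AA:BB:01 auto-mac=no comment=defconf name=bridge \\
    vlan-filtering=yes
/interface wifi
set [ find default-name=wifi1 ] configuration.ssid=Lab disabled=no name=ap-2g
add configuration.ssid=Guest disabled=no mac-address=\\
    02:00:00:AA:BB:02 master-interface=ap-2g name=guest-2g
/interface bridge port
add bridge=bridge interface=guest-2g pvid=2
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
# Leading \s+ keeps other keys that merely end in "mac-address" untouched.
MAC_ADDRESS = re.compile(rf"\s+mac-address={MAC}")
# Assumption: the old admin-mac is dropped together with auto-mac=no.
BRIDGE_MAC = re.compile(rf"\s+(?:admin-mac={MAC}|auto-mac=no)\b")


def prepare_for_new_device(export_text):
    """Return (cleaned_text, removed); removed lists (menu, parameter) pairs."""
    # Exports wrap long commands with a trailing backslash plus an indented
    # continuation, sometimes between "mac-address=" and its value.
    joined = re.sub(r"\\\n[ \t]*", "", export_text)
    menu, out, removed = "", [], []
    for line in joined.splitlines():
        if line.startswith("/"):
            # Accept both "/interface bridge" and "/interface/bridge".
            menu = re.sub(r"[/\s]+", " ", line).strip()
        elif menu.startswith("interface"):
            patterns = [MAC_ADDRESS]
            if menu == "interface bridge":
                patterns.append(BRIDGE_MAC)
            for pat in patterns:
                removed += [(menu, m.strip()) for m in pat.findall(line)]
                line = pat.sub("", line)
        out.append(line)
    return "\n".join(out) + "\n", removed


if __name__ == "__main__":
    cleaned, removed = prepare_for_new_device(SAMPLE_EXPORT)
    print(cleaned)
    for menu, param in removed:
        print(f"removed from /{menu.replace(' ', '/')}: {param}")
```

The `removed` list is worth reviewing before pasting, since the bridge still needs its admin MAC set from the new device afterwards, as the reply above says.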

I'm still digesting this. (I'm considering including this at the top of every post as a way out when someone yells at me to re-read what was previously written :wink:)

I understand that we have the commands add, set, and remove. And, that there is a risk or possibility of duplicates. I was hoping for a more straightforward way that doesn't involve working line-by-line.

Do I understand correctly that creating a bridge or interface without including in the command "mac-address=" will result in ROS creating (or assigning) a new mac address for that interface (provided "auto-mac=no" is not included in the command)?

I went ahead and went line by line on the "to be pasted" config and copied/pasted into the new device where possible and used Winbox to edit existing items (like the bridge settings) and to remove items.

I think I got it, but I am confused about whether the "ether1" line in the following section should be removed (this is a wAP attached at ether1 to a hex):

/interface bridge port
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=371wAP-2ghz pvid=32
add bridge=bridge comment=defconf frame-types=admit-only-untagged-and-priority-tagged interface=371wAP-5ghz pvid=32
add bridge=bridge interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=2point4 pvid=12
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=Guest-2g pvid=2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=Guest-5g pvid=2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=Ecobee pvid=12
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=371-2g pvid=12
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=371-5g pvid=12

I also don't think I need the NAT entry:

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN

Here is the entire config:

# 2025-09-16 09:27:07 by RouterOS 7.18.2
# software id = ZCPR-XWMG
#
# model = wAPG-5HaxD2HaxD
# serial number = HJG0AMBMKVT
/interface bridge
add admin-mac=04:F4:1C:07:8B:4D auto-mac=no comment=defconf frame-types=\
    admit-only-vlan-tagged name=bridge vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] comment=OffBridge
/interface wifi
set [ find default-name=wifi1 ] channel.band=2ghz-n .skip-dfs-channels=all \
    .width=20mhz comment=Master-2g configuration.country="United States" \
    .mode=ap .ssid=371-Wap5g disabled=no name=371wAP-2ghz \
    security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes \
    .passphrase=ilovedaddy1!
set [ find default-name=wifi2 ] channel.band=5ghz-ax .skip-dfs-channels=all \
    .width=20/40/80mhz comment=Master-5g configuration.country=\
    "United States" .mode=ap .ssid=371-Wap5g disabled=no name=371wAP-5ghz \
    security.authentication-types=wpa2-psk .ft=yes .ft-over-ds=yes \
    .passphrase=ilovedaddy1!
add comment=Ecobee configuration.mode=ap .ssid=Ecobee disabled=no \
    mac-address=06:F4:1C:07:8B:4F master-interface=371wAP-2ghz name=Ecobee \
    security.authentication-types=wpa2-psk .passphrase=blueberry
add comment=Guest configuration.mode=ap .ssid=Guest disabled=no mac-address=\
    06:F4:1C:07:8B:50 master-interface=371wAP-2ghz name=Guest-2g \
    security.authentication-types=wpa2-psk .passphrase=blueberry
add comment=Guest configuration.mode=ap .ssid=Guest disabled=no mac-address=\
    06:F4:1C:07:8B:4E master-interface=371wAP-5ghz name=Guest-5g \
    security.authentication-types=wpa2-psk .passphrase=blueberry
/interface vlan
add comment="Management VLAN32" interface=bridge name=vlan-mgmt vlan-id=32
/interface wifi
add comment=2point4 configuration.mode=ap .ssid=2point4 disabled=no \
    mac-address=06:F4:1C:07:8B:51 master-interface=371wAP-2ghz name=2point4 \
    security.authentication-types=wpa2-psk .passphrase=ilovedaddy1!
add comment=371 configuration.mode=ap .ssid=371 disabled=no mac-address=\
    06:F4:1C:07:8B:52 master-interface=371wAP-2ghz name=371-2g \
    security.authentication-types=wpa2-psk .passphrase=ilovedaddy1!
add comment=371 configuration.mode=ap .ssid=371 disabled=no mac-address=\
    06:F4:1C:07:8B:53 master-interface=371wAP-5ghz name=371-5g \
    security.authentication-types=wpa2-psk .passphrase=ilovedaddy1!
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=TRUSTED
/ip pool
add name=Offbridge-pool ranges=192.168.55.100-192.168.55.200
/interface bridge port
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=371wAP-2ghz pvid=32
add bridge=bridge comment=defconf frame-types=\
    admit-only-untagged-and-priority-tagged interface=371wAP-5ghz pvid=32
add bridge=bridge interface=ether1
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=2point4 pvid=12
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=Guest-2g pvid=2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=Guest-5g pvid=2
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=Ecobee pvid=12
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=371-2g pvid=12
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=371-5g pvid=12
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/ipv6 settings
set disable-ipv6=yes
/interface bridge vlan
add bridge=bridge comment=MGMT tagged=bridge,ether1 untagged=\
    371wAP-2ghz,371wAP-5ghz vlan-ids=32
add bridge=bridge comment=guest tagged=ether1 untagged=Guest-2g,Guest-5g \
    vlan-ids=2
add bridge=bridge comment=iot tagged=ether1 untagged=2point4 vlan-ids=12
/interface list member
add comment=defconf disabled=yes interface=bridge list=LAN
add interface=vlan-mgmt list=TRUSTED
add interface=ether1 list=TRUSTED
add interface=ether2 list=TRUSTED
/ip address
add address=192.168.55.1/24 interface=ether2 network=192.168.55.0
add address=10.37.32.3/24 interface=vlan-mgmt network=10.37.32.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ether1
/ip dhcp-server
add address-pool=Offbridge-pool interface=ether2 name=Offbridge
/ip dns
set allow-remote-requests=yes servers=10.37.32.1,1.1.1.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan type=A
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" disabled=yes \
    ipsec-policy=out,none out-interface-list=WAN
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.37.32.1 \
    routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes

/system clock
set time-zone-name=America/New_York
/system identity
set name=371wAP
/system logging
add topics=wireless
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.us.pool.ntp.org
add address=1.us.pool.ntp.org
/system scheduler
add interval=1d name=export-download on-event=export-download policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=2025-03-22 start-time=06:04:32
add name=systemresourcesserialize on-event=\
    ":delay 60\
    \n/system script run systemresourcesserialize" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
/system script
add dont-require-permissions=yes name=export-download owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \n\
    \n/system\
    \n:local cdate [clock get date] \
    \n:local yyyy  [:pick \$cdate 0  4]\
    \n:local MM    [:pick \$cdate 5  7]\
    \n:local dd    [:pick \$cdate 8 10]\
    \n:local identitydate \"\$[identity get name]_\$yyyy-\$MM-\$dd\"\
    \n/export show-sensitive file=\"\$identitydate\"\
    \n\
    \n/tool fetch upload=yes mode=ftp ascii=no src-path=\"/\$[\$identitydate].\
    rsc\" dst-path=\"/mikrotik-backups/\$[\$identitydate].rsc\" address=192.16\
    8.2.22 port=21 user=mikrotik password=mikrotik\
    \n\
    \n/file remove \"\$identitydate.rsc\"\
    \n\
    \n# /system logging set 0 topics=info\
    \n# /system logging add action=remote prefix=192.168.0.13 topics=info\
    \n\
    \n:log info (\"Uploaded rsc backup to 192.168.2.22 as \".\$identitydate)\
    \n\
    \n# /system logging set 0 topics=info,!script\
    \n# /system logging add action=remote prefix=192.168.0.13 topics=info,!scr\
    ipt"
add dont-require-permissions=yes name=systemresourcesserialize owner=admin \
    policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    source="\
    \n:local identity [/system identity get name]\
    \n#:log info \$identity\
    \n\
    \n:local resources [/system/resource/print as-value] \
    \n#:log info \$identity\\n\$resources\
    \n\
    \n:log info [:serialize to=json [/system/resource/print as-value] option=j\
    son.pretty]\
    \n\
    \n\
    \n\
    \n:log info [:serialize to=json [/ip/address/print as-value] option=json.p\
    retty]\
    \n\
    \n\
    \n\
    \n\
    \n\
    \n:local file1 \"resources.json\"\
    \n:local file2 \"ipaddress.json\"\
    \n\
    \n:global findresult [/file find where name=\"\$file1\"]\
    \n:if ([:len \$findresult] > 0) do={\
    \n    :file/remove \$file1\
    \n}\
    \n\
    \n\
    \n:global findresult [/file find where name=\"\$file2\"]\
    \n:if ([:len \$findresult] > 0) do={\
    \n    :file/remove \$file2\
    \n}\
    \n\
    \n\
    \n/file/add name=\$file1 contents=[:serialize to=json [/system/resource/pr\
    int as-value] option=json.pretty]\
    \n\
    \n\
    \n\
    \n/file/add name=\$file2 contents=[:serialize to=json [/ip/address/print a\
    s-value] option=json.pretty]\
    \n\
    \n\
    \n\
    \n\
    \n\
    \n\
    \n/system\
    \n:local cdate [clock get date] \
    \n:local yyyy  [:pick \$cdate 0  4]\
    \n:local MM    [:pick \$cdate 5  7]\
    \n:local dd    [:pick \$cdate 8 10]\
    \n:local identitydate \"\$[identity get name]_\$yyyy-\$MM-\$dd\"\
    \n\
    \n/tool fetch upload=yes mode=ftp ascii=no src-path=\"/\$file1\" dst-path=\
    \"/mikrotik-backups/\$[\$identitydate]-systeminfo.txt\" address=192.168.2.\
    22 port=21 user=mikrotik password=mikrotik\
    \n\
    \n/tool fetch upload=yes mode=ftp ascii=no src-path=\"/\$file2\" dst-path=\
    \"/mikrotik-backups/\$[\$identitydate]-IPinfo.txt\" address=192.168.2.22 p\
    ort=21 user=mikrotik password=mikrotik\
    \n"
add dont-require-permissions=yes name=netwatch-5-2025 owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \n\
    \n/tool netwatch\
    \n:local thisBox      [/system identity get name]\
    \n:local lhost        [:toip \$host]\
    \n:local lstatus             \$status\
    \n:local llosspercent      (\$\"loss-percent\" /   10)\
    \n\
    \n:local lcomment \$comment\
    \n\
    \n\
    \n:local lrttavg           (\$\"rtt-avg\"      / 1000)\
    \n:if ((\$\"rtt-avg\" % 1000) > 0) do={ :set lrttavg (\$lrttavg + 1) }\
    \n\
    \n:local netwatchID   ([find where host=\$lhost and type=icmp]->0)\
    \n:local nthravg      [:tonum ([get \$netwatchID thr-avg         ] * 1000)\
    ]\
    \n:local nthrlosspcnt         ([get \$netwatchID thr-loss-percent] /   10)\
    \n\
    \n:log info \"Netwatch \$comment at \$thisBox detected a \$lstatus conditi\
    on to host \$lhost. \\\
    \n           The rtt-avg was \$\"lrttavg\"ms and the loss-percent was \$ll\
    osspercent%. \\\
    \n           The thresholds are thr-avg of \$\"nthravg\"ms and  loss-perce\
    nt of \$nthrlosspcnt%\"\
    \n\
    \n#:log info \"netwatch this is a test of logging action disknetwatch\"\
    \n\
    \n#:tool e-mail send to=<USER>@<DOMAIN>.com subject=\"\$thisBox \$lstat\
    us to \$lhost\" body=( [ :system clock get date ] . \" \" . [ :system cloc\
    k get time ] . \"  \" . \"\$thisBox \$lstatus to \$lhost with rtt-avg of \
    \$lrttavg and loss-percent of \$llosspercent%\" )\
    \n\
    \n:tool e-mail send to=<USER>@<DOMAIN>.com subject=\"\$thisBox \$lstatu\
    s to \$lhost\" body=( [ :system clock get date ] . \" \" . [ :system clock\
    \_get time ] . \"  \" . \"\$comment \$thisBox \$lstatus to \$lhost with rt\
    t-avg of \$lrttavg and loss-percent of \$llosspercent%.  The thresholds ar\
    e thr-avg of \$\"nthravg\"ms and loss-percent of \$nthrlosspcnt%.\" )"
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED
/tool netwatch
add comment=Netwatch-1.1.1.1 disabled=no down-script=netwatch-5-2025 host=\
    1.1.1.1 interval=5m test-script="" type=icmp up-script=netwatch-5-2025
/tool romon
set enabled=yes