Wireguard VPN (paid service) on LTE device

Hi all.
I have read a lot of @anav's posts about WireGuard config, but I still need a helping hand configuring my LTE18ax with a VPN provider's config.
Proton VPN has a manual, but as the aforementioned forum guru recommended, I didn't try their instructions.

I would like to make the following:
- route all Guest WiFi (wifi3 and wifi4) users through the wireguard_guest interface
- Back To Home should still work for wifi1, wifi2 and the ether* devices?

So here is my current config, which I would like to preserve as much as possible (DoH, Back To Home, ZeroTier):

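# 2023-12-12 16:49:57 by RouterOS 7.12.1
# software id = UAT7-31VF
#
# model = S53UG+5HaxD2HaxD&EG18-EA
# serial number = ***
#
# NOTE(review): the forum paste turned straight quotes into typographic
# ones, rendered URLs as links and dropped the "\" line continuations of
# the export; those are repaired here without changing any value.
# "***" marks values the poster redacted before posting.
/interface bridge
add admin-mac=*** auto-mac=no comment=defconf name=bridge
/interface wifiwave2
# wifi1/wifi2: the trusted 5 GHz and IoT 2.4 GHz SSIDs (SSID prefix redacted).
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.country=Serbia .mode=ap .ssid=\
    "***_WiFi 5GHz" disabled=no mtu=1500 security.authentication-types=wpa2-psk,wpa3-psk .encryption=""
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country=Serbia .mode=ap .ssid=\
    "***_IoT 2.4GHz" disabled=no mtu=1500 security.authentication-types=wpa2-psk,wpa3-psk .encryption=""
# wifi3/wifi4: guest virtual APs slaved to wifi1/wifi2. WPS push-button is
# enabled on both guest SSIDs; unless it is actually used, it is extra
# attack surface on the guest network and can be left off.
add configuration.mode=ap .ssid=***_Guest disabled=no mac-address=*** master-interface=wifi1 \
    name=wifi3 security.authentication-types=wpa2-psk,wpa3-psk .encryption="" .wps=push-button
add configuration.mode=ap .ssid=***_Guest disabled=no mac-address=*** master-interface=wifi2 \
    name=wifi4 security.authentication-types=wpa2-psk,wpa3-psk .encryption="" .wps=push-button
/interface wireguard
# Back To Home tunnel; enabled under /ip cloud further down.
add comment=back-to-home-vpn listen-port=11118 mtu=1420 name=back-to-home-vpn
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] apn=default use-network-apn=no
# use-peer-dns=no: the LTE provider's resolvers are ignored; DNS goes over DoH (see /ip dns).
add apn=internet authentication=pap name=Yettel use-peer-dns=no user=yettel
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=Yettel band=""
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/zerotier
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" name=zt1 port=9993
/zerotier interface
# Network id redacted. allow-default=no / allow-global=no: ZeroTier-managed
# default and global routes are not accepted from the controller.
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=zt1 name=zerotier1 network=***
/interface bridge filter
# Guest isolation: wifi3/wifi4 may not forward to or from any other bridge
# port. This is L2 forwarding only; the guest ports still sit in
# 192.168.88.0/24 and can reach the router itself, because the bridge is a
# member of the LAN list that the IPv4/IPv6 input chains accept from.
add action=drop chain=forward in-interface=wifi3
add action=drop chain=forward out-interface=wifi3
add action=drop chain=forward in-interface=wifi4
add action=drop chain=forward out-interface=wifi4
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
add auto-isolate=yes bridge=bridge interface=wifi3
add auto-isolate=yes bridge=bridge interface=wifi4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface wireguard peers
# Single Back To Home peer, pinned to one IPv4 and one IPv6 host address.
add allowed-address=192.168.216.3/32,fc00:0:0:216::3/128 comment="MikroTik Home | samsung SM-***" interface=\
    back-to-home-vpn persistent-keepalive=30s public-key="***"
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip cloud
set back-to-home-vpn=enabled ddns-enabled=yes ddns-update-interval=10m
/ip dhcp-server network
# Clients are handed the router as their only DNS server; the router itself resolves over DoH.
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# DoH upstream (NextDNS profile id redacted); verify-doh-cert=yes checks the
# DoH server's TLS certificate. allow-remote-requests=yes is reachable only
# from the LAN list because of the input-chain "!LAN" drop below.
set allow-remote-requests=yes use-doh-server=https://dns.nextdns.io/*** verify-doh-cert=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
# Static A/AAAA records for the DoH host name; presumably so the resolver
# can be reached before DoH itself is usable.
add address=45.90.28.0 name=dns.nextdns.io
add address=45.90.30.0 name=dns.nextdns.io
add address=2a07:a8c0:: name=dns.nextdns.io type=AAAA
add address=2a07:a8c1:: name=dns.nextdns.io type=AAAA
/ip firewall address-list
# Bogon / non-routable ranges; the list is defined here but no filter rule in
# this export references it.
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter
# ZeroTier is trusted unconditionally in both forward and input, ahead of the
# default rules.
add action=accept chain=forward comment="ZeroTier ***" in-interface=zerotier1
add action=accept chain=input comment="ZeroTier ***" in-interface=zerotier1
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
# Transparent DNS redirect: every TCP/UDP port-53 destination is redirected
# to the router. There is no in-interface-list=LAN match, so the rules also
# fire for traffic arriving on lte1; that traffic is then discarded by the
# input chain's "!LAN" drop, but limiting the rules to LAN keeps the intent explicit.
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=redirect chain=dstnat dst-port=53 protocol=udp
/ip firewall service-port
# IRC and RTSP NAT helpers are enabled (exported because they differ from the default).
set irc disabled=no
set rtsp disabled=no
/ip service
# telnet and both API services are off; ssh/www/winbox are at their defaults (not exported).
set telnet disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
# UPnP is enabled with the bridge as the internal side. The guest WLANs are
# ports of that same bridge, so guest clients can also request port
# mappings on lte1 through UPnP.
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=lte1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system clock
set time-zone-name=Europe/Belgrade
/system note
set note=Welcome show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/system routerboard mode-button
set enabled=yes on-event=dark-mode
/system script
# Mode-button script: toggles all LEDs between "off immediately" and "never off".
# The policy list grants far more than a LED toggle needs (password, sensitive,
# policy, ...); read,write would be enough for what the source does.
add dont-require-permissions=no name=dark-mode owner=*** policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="\
    \n :if ([system leds settings get all-leds-off] = \"never\") do={\
    \n /system leds settings set all-leds-off=immediate ;\
    \n } else={\
    \n /system leds settings set all-leds-off=never\
    \n }\
    \n "
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sms
set port=lte1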

They provided me with the following data for the WireGuard config:

[Interface]

# NOTE(review): "Key for wg_guest" is the provider's label for this key,
# not a WireGuard setting; it does not belong in the [Interface] section.
Key for wg_guest

# Tunnel-side address is a single host (/32). The guide below puts it on
# the RouterOS WireGuard interface with /ip address instead.
PrivateKey = ***
Address = 10.2.0.2/32
# Provider resolver; presumably reachable only through the tunnel.
DNS = 10.2.0.1

[Peer]
PublicKey = ***
# 0.0.0.0/0 permits any destination inside the tunnel; which traffic
# actually enters it is decided by routing on the RouterOS side.
AllowedIPs = 0.0.0.0/0
Endpoint = 37.46.115.5:51820

This is an overview of the VPN provider's manual and the recommendations from @anav (BOLD is the official guide):

/interface wireguard
add listen-port=13231 mtu=1420 name=protonvpnwg1 private-key="your private key"

/interface/wireguard
add listen-port=13231 name=protonvpnwg1 private-key="your private key"
/ip address
add address=10.2.0.2/30 interface=protonvpnwg1 network=10.2.0.0

/ip address
add address=10.2.0.2/30 interface=protonvpnwg1
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=x.x.x.x endpoint-port=xxxxx interface=protonvpnwg1 persistent-keepalive=25s public-key="your public key"

/interface/wireguard/peers
add allowed-address=0.0.0.0/0 endpoint-address=x.x.x.x endpoint-port=xxxxx interface=protonvpnwg1 public-key="your public key" persistent-keep-alive=30s
/ip firewall nat
add action=masquerade chain=srcnat out-interface=protonvpnwg1 src-address=192.168.88.0/24

/ip firewall nat
add action=accept chain=forward in-interface-list=LAN out-interface=protonvpnwg1
add chain=srcnat action=masquerade out-interface=protonvpnwg1
add table
/routing table add fib name=toprotonvpnwg1
add route
add dst-address=0.0.0.0/0 gateway=protonvpnwg1 routing-table=toprotonvpnwg1
add routing rules
add src-address=SINGLE_LANIP action=lookup table=toprotonvpnwg1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=128.0.0.0/1 gateway=10.2.0.1 pref-src="" routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip dns
set servers=10.2.0.1
/ip dhcp-client
set 0 use-peer-dns=no
/ip route
add disabled=no dst-address=x.x.x.x/32 gateway=[/ip dhcp-client get [find interface=ether1] gateway] routing-table=main suppress-hw-offload=no

I don't have a clue what you are doing with bridge filters, trying to use one flat network but split into different WLANs.
I would understand using a different VLAN for each WLAN.

That being said, the only comments I would make are:
A. The WireGuard masquerade rule is good, but there is NO need for the source address.
B. The routing rule I provided should look like
/routing rule add src-address=192.168.88.0/24 action=lookup table=toprotonvpnwg1

The DNS setting is problematic with the way you organized your subnet…
Normally I would hand out the Proton-supplied DNS in the DHCP server network for the VLAN; in this case you cannot, because the guest WLANs share the single 192.168.88.0/24 DHCP network with everything else… so that's a mess.

++++++++++++++++++++++++++++++++++
In summary, I have no solution, as I don't understand your config.

Thanks for the fast reply. Most of the config is the default for the dual-WiFi LTE AP; the bridge filters were created by Quick Set for the dual LTE AP.
So, if we use the provider's DNS and remove DoH… what then? :frowning:

This is the default settings dump:

#| Welcome to RouterOS!
#|    1) Set a strong router password in the System > Users menu
#|    2) Upgrade the software in the System > Packages menu
#|    3) Enable firewall on untrusted networks
#|    4) Set your country name to observe wireless regulations
#| -----------------------------------------------------------------------------
#| LTE CPE Router with wireless AP:
#|  * lte interface connected to providers network (WAN port);
#|  * WAN port is protected by firewall and enabled DHCP client
#| LAN Configuration:
#|     IP address 192.168.88.1/24 is set on bridge (LAN port)
#|     DHCP Server: enabled;
#|     DNS: enabled;
#| wifi1 Configuration:
#|     mode:                ap;
#|     band:                5ghz-ax;
#|     tx-chains:           0;1;
#|     rx-chains:           0;1;
#|     installation:        indoor;
#|     ht-extension:        20/40/80mhz;
#|     wpa2:          yes;
#| wifi2 Configuration:
#|     mode:                ap;
#|     band:                2ghz-ax;
#|     tx-chains:           0;1;
#|     rx-chains:           0;1;
#|     installation:        indoor;
#|     ht-extension:        20/40mhz;
#|     wpa2:          yes;
#| WAN (gateway) Configuration:
#|     gateway:  lte1 ;
#|     ip4 firewall:  enabled;
#|     ip6 firewall:  enabled;
#|     NAT:   enabled;
#| Login
#|     admin user protected by password

# Globals shared with the rest of the defconf run: the generated SSID and
# the mode flag. Both are cleared again at the end of the script.
:global defconfMode
:global ssid
:log info "Starting defconf script"
#-------------------------------------------------------------------------------
# Apply configuration.
# these commands are executed after installation or configuration reset
#-------------------------------------------------------------------------------
# Apply branch. $action, $keepUsers, $defconfPassword and $defconfWifiPassword
# are not set in this script; presumably the caller supplies them.
:if ($action = "apply") do={
  # wait for interfaces
  # Poll once per second for ethernet interfaces; give up after 30 tries
  # and abort the whole script.
  :local count 0;
  :while ([/interface ethernet find] = "") do={
    :if ($count = 30) do={
      :log warning "DefConf: Unable to find ethernet interfaces";
      /quit;
    }
    :delay 1s; :set count ($count +1); 
  };
  # Wait for both wifiwave2 radios (up to 40 s). On timeout the LAN address
  # is put on ether1 so the box stays reachable, then the script aborts.
  :local count 0;
  :while ([/interface wifiwave2 print count-only] < 2) do={ 
    :set count ($count +1);
    :if ($count = 40) do={
      :log warning "DefConf: Unable to find wireless interface(s)"; 
      /ip address add address=192.168.88.1/24 interface=ether1 comment="defconf";
      /quit
    }
    :delay 1s;
  };
  # Same wait/fallback for the LTE modem.
  :local count 0;
  :while ([/interface lte find] = "") do={ 
    :set count ($count +1);
    :if ($count = 40) do={
      :log warning "DefConf: Unable to find LTE interface(s)"; 
      /ip address add address=192.168.88.1/24 interface=ether1 comment="defconf";
      /quit
    }
    :delay 1s;
  };
 /interface list add name=WAN comment="defconf"
 /interface list add name=LAN comment="defconf"
 /interface bridge
   add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;
 # Walk every non-slave, non-passthrough interface that is not lte1 or the
 # bridge itself. The filter lists name="lte1" twice; the duplicate is harmless.
 :local bMACIsSet 0;
 :foreach k in=[/interface find where !(slave=yes   || name="lte1" || passthrough=yes   || name="lte1" || name~"bridge")] do={
   :local tmpPortName [/interface get $k name];
   # The first ethernet port's MAC becomes the bridge's fixed admin-mac.
   :if ($bMACIsSet = 0) do={
     :if ([/interface get $k type] = "ether") do={
       /interface bridge set "bridge" auto-mac=no admin-mac=[/interface get $tmpPortName mac-address];
       :set bMACIsSet 1;
     }
   }
     # Everything except ppp-out and lte interfaces is added as a bridge port.
     :if (([/interface get $k type] != "ppp-out") && ([/interface get $k type] != "lte")) do={
       /interface bridge port
         add bridge=bridge interface=$tmpPortName comment=defconf;
     }
   }
   /ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
   /ip dhcp-server
     add name=defconf address-pool="default-dhcp" interface=bridge lease-time=10m disabled=no;
   /ip dhcp-server network
     add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 comment="defconf";
  /ip address add address=192.168.88.1/24 interface=bridge comment="defconf";
 /ip dns {
     set allow-remote-requests=yes
     static add name=router.lan address=192.168.88.1 comment=defconf
 }

  # wifi1: 5 GHz AP with WPA2/WPA3-PSK. The SSID is "MikroTik-" followed by
  # the last three octets of the radio's MAC (string positions 9-10, 12-13, 15-16).
  /interface wifiwave2 {
:local ifcId [/interface wifiwave2 find where default-name=wifi1]
    set $ifcId configuration.mode=ap channel.band=5ghz-ax disabled=no
    set $ifcId channel.width=20/40/80mhz;
    set $ifcId channel.skip-dfs-channels=10min-cac;
   set $ifcId security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=$defconfWifiPassword
    :local wlanMac  [/interface get [/interface find where default-name=wifi1] mac-address];
    :set ssid "MikroTik-$[:pick $wlanMac 9 11]$[:pick $wlanMac 12 14]$[:pick $wlanMac 15 17]"
    set $ifcId configuration.ssid=$ssid
  }
  # wifi2: same recipe for the 2.4 GHz radio.
  /interface wifiwave2 {
:local ifcId [/interface wifiwave2 find where default-name=wifi2]
    set $ifcId configuration.mode=ap channel.band=2ghz-ax disabled=no
    set $ifcId channel.width=20/40mhz;
    set $ifcId channel.skip-dfs-channels=10min-cac;
   set $ifcId security.authentication-types=wpa2-psk,wpa3-psk security.passphrase=$defconfWifiPassword
    :local wlanMac  [/interface get [/interface find where default-name=wifi2] mac-address];
    :set ssid "MikroTik-$[:pick $wlanMac 9 11]$[:pick $wlanMac 12 14]$[:pick $wlanMac 15 17]"
    set $ifcId configuration.ssid=$ssid
  }
 /interface list member add list=LAN interface=bridge comment="defconf"
 /interface list member add list=WAN interface=lte1 comment="defconf"
 /ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
 # IPv4 firewall: input is closed to everything not arriving from the LAN
 # list; forward drops new non-DSTNATed connections from the WAN list.
 /ip firewall {
   filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
   filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
   filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
   filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
   filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
   filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
   filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
   filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
   filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
   filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
   filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
 }
 # IPv6 firewall: bad_ipv6 bogon list plus the same LAN-only stance; IPsec,
 # IKE and ICMPv6 are allowed through.
 /ipv6 firewall {
   address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
   address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
   address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
   address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
   address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
   address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
   address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
   address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
   address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
   filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
   filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
   filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
   filter add chain=input action=accept protocol=udp port=33434-33534 comment="defconf: accept UDP traceroute"
   filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
   filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
   filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
   filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
   filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
   filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
   filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
   filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
   filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
   filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
   filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
   filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
   filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
   filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
   filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
   filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
   filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
   filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
 }
   /ip neighbor discovery-settings set discover-interface-list=LAN
   /tool mac-server set allowed-interface-list=LAN
   /tool mac-server mac-winbox set allowed-interface-list=LAN
 # Admin password is only touched when users are not being kept and a
 # non-empty password was supplied; expire-password presumably forces a
 # change at the next login.
 :if (!($keepUsers = "yes")) do={
   :if (!($defconfPassword = "" || $defconfPassword = nil)) do={
     /user set admin password=$defconfPassword
     :delay 0.5
     /user expire-password admin 
   }
 }
}
#-------------------------------------------------------------------------------
# Revert configuration.
# these commands are executed if user requests to remove default configuration
#-------------------------------------------------------------------------------
# Revert branch: undo everything the apply branch tagged with comment
# "defconf". Note that clearing the admin password here leaves the router
# with no password until a new default configuration is applied.
:if ($action = "revert") do={
 :if (!($keepUsers = "yes")) do={
   /user set admin password=""
 }
 /system routerboard mode-button set enabled=no
 /system routerboard mode-button set on-event=""
 # Remove by comment match ("~" is a regex match, so any comment containing
 # "defconf" qualifies).
 /system script remove [find comment~"defconf"]
 /ip firewall filter remove [find comment~"defconf"]
 /ipv6 firewall filter remove [find comment~"defconf"]
 /ipv6 firewall address-list remove [find comment~"defconf"]
 /ip firewall nat remove [find comment~"defconf"]
 /interface list member remove [find comment~"defconf"]
 /interface detect-internet set detect-interface-list=none
 /interface detect-internet set lan-interface-list=none
 /interface detect-internet set wan-interface-list=none
 /interface detect-internet set internet-interface-list=none
 /interface list remove [find comment~"defconf"]
 # Management access is widened back to all interfaces on revert.
 /tool mac-server set allowed-interface-list=all
 /tool mac-server mac-winbox set allowed-interface-list=all
 /ip neighbor discovery-settings set discover-interface-list=!dynamic
   # DHCP objects are removed only if they still exist ([:len $o] != 0).
   :local o [/ip dhcp-server network find comment="defconf"]
   :if ([:len $o] != 0) do={ /ip dhcp-server network remove $o }
   :local o [/ip dhcp-server find name="defconf" !disabled]
   :if ([:len $o] != 0) do={ /ip dhcp-server remove $o }
   /ip pool {
     :local o [find name="default-dhcp" ranges=192.168.88.10-192.168.88.254]
     :if ([:len $o] != 0) do={ remove $o }
   }
   :local o [/ip dhcp-client find comment="defconf"]
   :if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
 /ip dns {
   set allow-remote-requests=no
   :local o [static find comment="defconf"]
   :if ([:len $o] != 0) do={ static remove $o }
 }
 /ip address {
   :local o [find comment="defconf"]
   :if ([:len $o] != 0) do={ remove $o }
 }
 # Ethernet ports get their factory names back.
 :foreach iface in=[/interface ethernet find] do={
   /interface ethernet set $iface name=[get $iface default-name]
 }
 /interface bridge port remove [find comment="defconf"]
 /interface bridge remove [find comment="defconf"]
 /interface bonding remove [find comment="defconf"]
 /interface wifiwave2 reset wifi1
 /interface wifiwave2 reset wifi2
}
# Done: log completion and clear the two globals declared at the top.
:log info Defconf_script_finished
:set ssid
:set defconfMode

And this is after Quick Set:

# 1970-01-02 00:07:46 by RouterOS 7.12.1
# software id = UAT7-31VF
#
# model = S53UG+5HaxD2HaxD&EG18-EA
# serial number = ***
/interface bridge
add admin-mac=*** auto-mac=no comment=defconf name=bridge
/interface wifiwave2
set [ find default-name=wifi1 ] channel.skip-dfs-channels=10min-cac configuration.country=Serbia .mode=ap .ssid=\
    MikroTik-8920A0 disabled=no security.authentication-types=wpa2-psk,wpa3-psk
set [ find default-name=wifi2 ] channel.skip-dfs-channels=10min-cac configuration.country=Serbia .mode=ap .ssid=\
    MikroTik-8920A1 disabled=no security.authentication-types=wpa2-psk,wpa3-psk
# Guest virtual APs as created by Quick Set: no security.* parameters are
# set, so at this point both guest SSIDs are open. The 2023-12-12 export
# above adds WPA2/WPA3-PSK to them.
add configuration.ssid="MikroTik-8920A0's Guests" disabled=no mac-address=*** master-interface=wifi1 \
    name=wifi3
add configuration.ssid="MikroTik-8920A0's Guests" disabled=no mac-address=*** master-interface=wifi2 \
    name=wifi4
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge lease-time=10m name=defconf
/zerotier
# ZeroTier is off at this stage; "disabled=yes" appears twice in the export as pasted.
set zt1 comment="ZeroTier Central controller - https://my.zerotier.com/" disabled=yes disabled=yes name=zt1 port=9993
/interface lte
set [ find default-name=lte1 ] allow-roaming=no apn-profiles=yettel band=""
/interface bridge filter
# Quick Set guest isolation: wifi3/wifi4 cannot forward to or from any
# other bridge port. Guests still share 192.168.88.0/24 and can reach the
# router itself via the LAN-list input rules below.
add action=drop chain=forward in-interface=wifi3
add action=drop chain=forward out-interface=wifi3
add action=drop chain=forward in-interface=wifi4
add action=drop chain=forward out-interface=wifi4
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wifi1
add bridge=bridge comment=defconf interface=wifi2
# Guest ports without auto-isolate here; the later export sets auto-isolate=yes.
add bridge=bridge interface=wifi3
add bridge=bridge interface=wifi4
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=lte1 list=WAN
/interface lte apn
add apn=internet authentication=pap ipv6-interface=lte1 name=yettel user=yettel
/interface lte settings
set external-antenna=auto
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
# No DoH yet; the router answers LAN queries and forwards upstream (upstream
# servers are not part of this export).
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
/ip upnp
# UPnP enabled by Quick Set with the bridge as internal side; the guest
# WLANs are ports of that bridge, so guest clients can request mappings too.
set enabled=yes
/ip upnp interfaces
add interface=bridge type=internal
add interface=lte1 type=external
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp \
    src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN
/system note
set show-at-login=no
/system routerboard settings
set auto-upgrade=yes
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN