JSP73 (Topic Author)
Joined: Mon Oct 19, 2020 10:03 am

a better defconf script

Sun Sep 26, 2021 12:35 pm

Hi All,
Two years ago I bought my first router board and wondered about the poor defconf. It took me some time to find out that the router board can provide me with all desired features and more.
So I created my own script that restores my system config. I collected these settings from several threads, manuals, tutorials and the original defconf (thanks to all).
The aim of this should be to provide the most common functions (guest wifi, dhcp lease mail) and a basic security configuration (ssl, disabling everything not needed); not missing an
important setting is good as well. I used this with my 'Hex S' - 'CAPac' setup at home.
You may upload it to your router via 'scp setup.rsc admin@192.168.88.1:/flash/setup.rsc'. There you can simply choose it from
the 'Run After Reset' popup in Webfig under System - Reset Configuration. Please be sure to have 'No Default Configuration' enabled.

Please use this script as a draft; you may remove some parts (capsman) or add something. Be sure to set proper passwords!
Please let me know if something is not correct, insecure or bad. I hope it will help someone; please contribute.

Best regards, Steffen.

This script contains:
  • basic bridge and interface config
  • basic IP config
  • basic WAN config (ether1)
  • basic config for a separated guest wifi via VLAN filtering
  • capsman config for admin wifi and guest wifi for 2 GHz and 5 GHz
  • dhcp config with lease script
  • basic DNS config for using the router as a DNS server
  • SSL config to use https with a self-signed certificate
  • VPN access for maintenance
  • disabling unused services (for security, webfig to port 444, freeing 443)
  • creating a non-'admin' account and removing the 'admin' account
  • enabling the email tool for notifications, disabling all unused tools (for security)
  • setting the hostname (identity)
  • basic firewall configuration (including allow VPN, forbid DNS from WAN, VLAN isolation)
  • basic nat config (example for a port forwarding to a service in the LAN)
Script:
{  
 
# Wait for interfaces to initialize
:delay 15s
 
# Beep Functions
 :local doStartBeep [:parse ":beep frequency=1000 length=300ms;:delay 150ms;:beep frequency=1500 length=300ms;"];
 :local doFinishBeep [:parse ":beep frequency=1000 length=.6;:delay .5s;:beep frequency=1600 length=.6;:delay .5s;:beep frequency=2100 length=.3;:delay .3s;:beep frequency=2500 length=.3;:delay .3s;:beep frequency=2400 length=1;"];
 
# Play Audible Start Sequence
$doStartBeep

:log info "BEGIN SETUP SCRIPT"

# first IP on ether3: the router stays reachable on it if the script fails further down

/ip address
add address=192.168.99.1/24 interface=ether3

# bridge config with vlan

/interface bridge
add name=bridge vlan-filtering=no

/interface bridge port
add bridge=bridge interface=ether2
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=sfp1
add bridge=bridge interface=ether5 pvid=10

/interface vlan
add interface=bridge name=GUEST-VLAN vlan-id=10

/interface bridge vlan
add bridge=bridge tagged=bridge,ether2,ether3,ether4,sfp1 untagged=ether5 vlan-ids=10

/interface bridge
set [find name="bridge"] vlan-filtering=yes

# IP config
# ether3 became a bridge port above; an address on a bridge slave port is marked invalid,
# so move the recovery address from ether3 to the bridge itself

/ip address
set [find address="192.168.99.1/24"] interface=bridge
add address=192.168.10.1/24 interface=GUEST-VLAN

/ip pool
add name=LAN ranges=192.168.99.10-192.168.99.250
add name=GUEST-LAN ranges=192.168.10.2-192.168.10.250

# lease-script mails every new dynamic lease; the recipient address is a placeholder
/ip dhcp-server
add address-pool=LAN disabled=no interface=bridge name=DHCP-LAN lease-script="{\r:local recipient \"admin@me.com\"\r/ip dhcp-server lease\r:if (\$leaseBound = 1 && [ get [ find where mac-address=\$leaseActMAC ] dynamic ] = true) do={\r:do {\r:tool e-mail send to=\$recipient subject=\"IP address assigned via DHCP ([\$\"leaseServerName\"]) to [\$\"lease-hostname\"]\" body=\"Host [\$\"lease-hostname\"] with MAC address [\$leaseActMAC] received IP [\$leaseActIP]\"\r:log info \"Sent DHCP alert for MAC \$leaseActMAC\"\r}on-error={:log error \"Failed to send alert email to \$recipient\"}\r}\r"
add address-pool=GUEST-LAN disabled=no interface=GUEST-VLAN name=DHCP-GUEST lease-script="{\r:local recipient \"admin@me.com\"\r/ip dhcp-server lease\r:if (\$leaseBound = 1 && [ get [ find where mac-address=\$leaseActMAC ] dynamic ] = true) do={\r:do {\r:tool e-mail send to=\$recipient subject=\"IP address assigned via DHCP ([\$\"leaseServerName\"]) to [\$\"lease-hostname\"]\" body=\"Host [\$\"lease-hostname\"] with MAC address [\$leaseActMAC] received IP [\$leaseActIP]\"\r:log info \"Sent DHCP alert for MAC \$leaseActMAC\"\r}on-error={:log error \"Failed to send alert email to \$recipient\"}\r}\r"

/ip dhcp-server network
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1
add address=192.168.10.0/24 dns-server=192.168.10.1 gateway=192.168.10.1

/ip dhcp-client
add interface=ether1 disabled=no

# caps-man config for cAP ac, 2 GHz and 5 GHz

/caps-man channel
add name=5Ghz band=5ghz-n/ac skip-dfs-channels=yes
add name=2Ghz band=2ghz-g/n skip-dfs-channels=yes

# WPA1 (wpa-psk, TKIP) is no longer offered; the passphrases are placeholders, CHANGE THEM
/caps-man configuration
add country=germany datapath.local-forwarding=yes name=INT security.authentication-types=wpa2-psk security.passphrase=08154711 ssid=adminwifissid rates.basic=12Mbps rates.supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
add country=germany datapath.local-forwarding=yes name=INT5Ghz security.authentication-types=wpa2-psk security.passphrase=08154711 ssid=adminwifissid channel=5Ghz rates.basic=12Mbps rates.supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
add country=germany datapath.local-forwarding=yes datapath.vlan-id=10 datapath.vlan-mode=use-tag name=EXT security.authentication-types=wpa2-psk security.passphrase=08154711 ssid=wifissid rates.basic=12Mbps rates.supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
add country=germany datapath.local-forwarding=yes datapath.vlan-id=10 datapath.vlan-mode=use-tag name=EXT5Ghz security.authentication-types=wpa2-psk security.passphrase=08154711 ssid=wifissid channel=5Ghz rates.basic=12Mbps rates.supported=12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps

/caps-man provisioning
add action=create-dynamic-enabled master-configuration=INT slave-configurations=EXT hw-supported-modes=gn
add action=create-dynamic-enabled master-configuration=INT5Ghz slave-configurations=EXT5Ghz hw-supported-modes=ac,an

/caps-man access-list
add action=accept signal-range=-70..100
add action=reject signal-range=-100..120

/caps-man manager
set enabled=yes

# interface lists
/interface list 
add name=WAN
add name=LAN
add name=GUEST-LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=ether2
add list=LAN interface=ether3
add list=LAN interface=ether4
add list=LAN interface=sfp1
add list=GUEST-LAN interface=ether5 

# DNS config
/ip dns
set servers=1.1.1.2 allow-remote-requests=yes
/ip dns static
add address=192.168.99.1 name=router.lan type=A

# ssl config self signed cert
# "sign" runs asynchronously: give the CA time to finish before signing the server cert with it,
# and give the server cert time before www-ssl references it below
/certificate add name=LocalCA common-name=LocalCA key-usage=key-cert-sign,crl-sign
/certificate sign LocalCA
:delay 10s
/certificate add name=Webfig common-name=router.lan
/certificate sign Webfig ca=LocalCA
:delay 10s

# VPN config (L2TP over IPsec, for maintenance)
# local-address is the router's side of the PPP link, remote-address the client's; they must differ.
# 192.168.99.9 lies outside the DHCP pool (.10-.250). To let VPN clients reach LAN hosts and not
# only the router, enable proxy-arp on the bridge (/interface bridge set bridge arp=proxy-arp).

/ppp profile add name=ipsec_vpn local-address=192.168.99.1 dns-server=1.1.1.1
/ppp secret add name="USERNAME" password="STRONG PASSWORD" service=l2tp profile=ipsec_vpn remote-address=192.168.99.9
# mschap1 dropped; MS-CHAPv2 is supported by every current L2TP client
/interface l2tp-server server set enabled=yes default-profile=ipsec_vpn authentication=mschap2

/ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver
/ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret="STRONG_SECRET_HERE" peer=l2tpserver
# strongest algorithms first; 3des/sha1 only remain as fallback for old clients, remove them if you can
/ip ipsec proposal set default auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des pfs-group=modp1024

# service config (the parameter is "disabled=", "disable=" is not accepted)
/ip service
set www-ssl certificate=Webfig address=192.168.99.0/24 port=444 disabled=no
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ftp disabled=yes
set telnet disabled=yes
set winbox disabled=yes
# ssh stays enabled for scp and maintenance; restrict it to the LAN like webfig
set ssh address=192.168.99.0/24

# security config
# the password is a placeholder, CHANGE IT; address= limits where this user may log in from
/user 
add name=mktadmin password="08154711" group=full address=192.168.99.0/24
remove admin
/ip neighbor discovery-settings set discover-interface-list=none
/ip ssh set strong-crypto=yes

# tool config
# RouterOS 6.3x+: the parameter is tls=yes|no|starttls (older releases: start-tls=yes);
# port 465 is implicit TLS, so tls=yes. The mail password is a placeholder, CHANGE IT.

/tool e-mail set address="smtp.server.de" port=465 tls=yes user="admin@me.com" password="08154711" from="router@me.com"
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
/tool bandwidth-server set enabled=no

# misc

/system identity set name=MKTIKRouter

# FireWall config
 
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="from defconf: accept established,related,untracked" disabled=no
add chain=input action=drop connection-state=invalid comment="from defconf: drop invalid" disabled=no
add chain=input action=accept protocol=udp port=1701,500,4500 comment="open ports for VPN (on all interfaces)" disabled=no
add chain=input action=accept protocol=ipsec-esp comment="allow IPSEC" disabled=no
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop comment="block DNS queries from WAN" disabled=no
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop comment="block DNS queries from WAN" disabled=no
add chain=input action=accept protocol=icmp comment="from defconf: accept ICMP" disabled=no
add chain=input action=accept dst-address=127.0.0.1 comment="from defconf: accept to local loopback (for CAPsMAN)" disabled=no
add chain=input action=drop in-interface-list=WAN comment="from defconf: drop all not coming from LAN - MODIFIED(!LAN to WAN)" disabled=no
add chain=forward action=accept ipsec-policy=in,ipsec comment="from defconf: accept in ipsec policy" disabled=no
add chain=forward action=accept ipsec-policy=out,ipsec comment="from defconf: accept out ipsec policy" disabled=no
add chain=forward action=fasttrack-connection connection-state=established,related comment="from defconf: fasttrack" disabled=no
add chain=forward action=accept connection-state=established,related,untracked comment="from defconf: accept established,related, untracked" disabled=no
add chain=forward action=drop connection-state=new src-address=192.168.10.0/24 dst-address=192.168.99.0/24 comment="isolate guest VLAN from LAN (forward); address based because guest wifi arrives via GUEST-VLAN, not the GUEST-LAN list" disabled=no
add chain=input action=drop src-address=192.168.10.0/24 dst-address=192.168.99.0/24 comment="guests may not reach the router on its LAN address" disabled=no
add chain=forward action=drop connection-state=invalid comment="from defconf: drop invalid" disabled=no
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="from defconf: drop all from WAN not DSTNAT" disabled=no

/ip firewall nat
add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="from defconf: masquerade"
# in-interface-list=WAN is required: without it every tcp/443 flow through the router, LAN clients' https included, would be rewritten to 192.168.99.3
add chain=dstnat action=dst-nat in-interface-list=WAN dst-port=443 to-addresses=192.168.99.3 to-ports=443 protocol=tcp comment="example port forwarding to a LAN service"

:log info "END SETUP SCRIPT"
 
# Post import delay
:delay 10s
 
# Play Audible Finish Sequence
$doFinishBeep

}

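Since the post asks readers to report anything insecure, the following is an added example of how to check a script like this one mechanically before running it after a reset. It is not part of the original post and not a MikroTik tool: a small Python checker that walks the logical lines of an .rsc file (resolving "/menu" context lines) and flags the points a reviewer would raise against the script above: WPA1 still offered, MS-CHAPv1 still offered, a 3DES/SHA1 IPsec proposal, plain HTTP left on, the "disable=" typo, a dst-nat rule without an in-interface match, and short, placeholder-looking or reused credentials. The rule names, regular expressions and the constructed sample script are assumptions of this example, not RouterOS syntax rules.

```python
"""Static checks for a RouterOS .rsc setup script (added example, not from the post)."""
import re
from collections import Counter

# Tokens that begin a command inside a menu path, e.g. "/ip service set ..."
CMD_WORDS = ("add", "set", "remove", "sign")

# Constructed sample in the style of the posted script, seeded with the
# mistakes the checks are meant to catch.
SAMPLE_RSC = r'''
/caps-man configuration
add name=INT security.authentication-types=wpa-psk,wpa2-psk security.passphrase=08154711 ssid=adminwifissid
/ppp secret add name="USERNAME" password="STRONG PASSWORD" service=l2tp profile=ipsec_vpn
/interface l2tp-server server set enabled=yes authentication=mschap1,mschap2
/ip ipsec proposal set default auth-algorithms=sha1 enc-algorithms=3des pfs-group=modp1024
/ip service
set www-ssl certificate=Webfig port=444 disabled=no
set www disabled=no
set api disable=yes
/user
add name=mktadmin password="08154711" group=full
/tool e-mail set address="smtp.server.de" port=465 user="admin@me.com" password="08154711"
/ip firewall nat
add chain=dstnat action=dst-nat dst-port=443 to-addresses=192.168.99.3 protocol=tcp
add chain=dstnat action=dst-nat dst-port=22 to-addresses=192.168.99.4 protocol=tcp in-interface-list=WAN
'''


def logical_lines(text):
    """Yield (menu path, command) pairs.

    A line starting with "/" that carries no command word only changes the
    current menu; "/ppp secret add ..." is a complete command on one line.
    """
    path = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            tokens = line.split()
            for i, tok in enumerate(tokens):
                if tok in CMD_WORDS:
                    path = " ".join(tokens[:i])
                    yield path, " ".join(tokens[i:])
                    break
            else:
                path = line
            continue
        yield path, line


# (rule id, pattern matched against "<path> <command>", message)
PATTERN_CHECKS = [
    ("weak-wifi-auth", re.compile(r"authentication-types=\S*\bwpa-psk\b"),
     "WPA1 (wpa-psk) offered; use wpa2-psk only"),
    ("weak-ppp-auth", re.compile(r"\bauthentication=\S*\bmschap1\b"),
     "MS-CHAPv1 offered; allow mschap2 only"),
    ("weak-ipsec-proposal",
     re.compile(r"enc-algorithms=\S*\b3des\b|auth-algorithms=\S*\b(?:md5|sha1)\b"),
     "IPsec proposal offers 3DES or SHA1; prefer AES-CBC with SHA256"),
    ("plain-http-enabled", re.compile(r"^/ip service set www\b(?!-ssl).*\bdisabled=no\b"),
     "plain HTTP management (www) enabled"),
    ("bad-disabled-param", re.compile(r"\bdisable=(?:yes|no)\b"),
     "parameter is spelled 'disabled='; this line disables nothing"),
    ("dstnat-any-interface",
     re.compile(r"^/ip firewall nat add(?=.*\bchain=dstnat\b)(?=.*\baction=dst-nat\b)"
                r"(?!.*\b(?:in-interface(?:-list)?|dst-address(?:-type|-list)?)=)"),
     "dst-nat rule matches every interface, so LAN clients' traffic is rewritten too"),
]

CRED_RE = re.compile(r'\b(?:password|passphrase|secret)=("[^"]*"|\S+)')
PLACEHOLDER_RE = re.compile(r"(?i)password|secret|changeme|12345")


def credential_findings(lines):
    """Flag short, placeholder-looking and reused passwords / pre-shared keys."""
    findings, seen = [], Counter()
    for full in lines:
        for m in CRED_RE.finditer(full):
            value = m.group(1).strip('"')
            seen[value] += 1
            if len(value) < 12:
                findings.append(("short-credential", full))
            if PLACEHOLDER_RE.search(value):
                findings.append(("placeholder-credential", full))
    for value, n in seen.items():
        if n > 1:
            findings.append(("reused-credential", f"one value used {n} times"))
    return findings


def lint(text):
    """Return (rule id, offending line or note) findings for a RouterOS script."""
    lines = [f"{path} {cmd}".strip() for path, cmd in logical_lines(text)]
    findings = [(rule_id, full) for full in lines
                for rule_id, pattern, _msg in PATTERN_CHECKS if pattern.search(full)]
    findings.extend(credential_findings(lines))
    return findings


def rule_counts(text):
    """How often each rule fired; usable as a pass/fail gate before uploading."""
    return Counter(rule_id for rule_id, _ in lint(text))


if __name__ == "__main__":
    messages = {rule_id: msg for rule_id, _, msg in PATTERN_CHECKS}
    for rule_id, where in lint(SAMPLE_RSC):
        print(f"[{rule_id}] {messages.get(rule_id, rule_id)}\n    {where}")
```

To check the real file, call `lint(open("setup.rsc").read())`. The checks are string matches on logical lines, not a RouterOS parser: a hit is a prompt to look at that line, and a clean run is no proof that the configuration is safe.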