Hi
i have the following behaviour.
For cleanup reasons i want to start from scratch and i used winbox and "Reset Configuration" Menue.
After the reboot i connected again (via MAC Adress) and acknowledged the initial script execution.
Which resulted in just configuring the SRC-NAT and the IP of the router.
Then i tried QuickSet, but also no success. Mmmh. Is in our days no default FW config deployed ?
tested with:
CCR 1009: 6.49 & 7.1RC4
RB-3011: 6.49
Re: reset configuration doesnt deploy fw rules
These are both devices from "pro" line and come with blank default firewall filters. It is somehow expected that these powerful units won't run simple SOHO networks and a knowledgeable admin will know better than defaults.
I suggest you to get any of "toy" Mikrotiks and execute /system default-configuration print in a really wide terminal window. Scroll down to /ip firewall section and copy-paste config into your pro devices.
I suggest you to get any of "toy" Mikrotiks and execute /system default-configuration print in a really wide terminal window. Scroll down to /ip firewall section and copy-paste config into your pro devices.
Re: reset configuration doesnt deploy fw rules
Here you go;
Code: Select all
#-------------------------------------------------------------------------------
# Apply configuration.
# these commands are executed after installation or configuration reset
#-------------------------------------------------------------------------------
:if ($action = "apply") do={
# wait for interfaces
:local count 0;
:while ([/interface ethernet find] = "") do={
:if ($count = 30) do={
:log warning "DefConf: Unable to find ethernet interfaces";
/quit;
}
:delay 1s; :set count ($count +1);
};
:local count 0;
:while ([/interface wireless print count-only] < 2) do={
:set count ($count +1);
:if ($count = 40) do={
:log warning "DefConf: Unable to find wireless interface(s)";
/ip address add address=192.168.88.1/24 interface=ether1 comment="defconf";
/quit
}
:delay 1s;
};
/interface list add name=WAN comment="defconf"
/interface list add name=LAN comment="defconf"
/interface bridge
add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;
:local bMACIsSet 0;
:foreach k in=[/interface find where !(slave=yes || name="ether1" || name~"bridge")] do={
:local tmpPortName [/interface get $k name];
:if ($bMACIsSet = 0) do={
:if ([/interface get $k type] = "ether") do={
/interface bridge set "bridge" auto-mac=no admin-mac=[/interface get $tmpPortName mac-address];
:set bMACIsSet 1;
}
}
:if (([/interface get $k type] != "ppp-out") && ([/interface get $k type] != "lte")) do={
/interface bridge port
add bridge=bridge interface=$tmpPortName comment=defconf;
}
}
/ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
/ip dhcp-server
add name=defconf address-pool="default-dhcp" interface=bridge lease-time=10m disabled=no;
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 comment="defconf";
/ip address add address=192.168.88.1/24 interface=bridge comment="defconf";
/ip dns {
set allow-remote-requests=yes
static add name=router.lan address=192.168.88.1 comment=defconf
}
/interface wireless {
:local ifcId [/interface wireless find where default-name=wlan1]
:local currentName [/interface wireless get $ifcId name]
set $ifcId mode=ap-bridge band=2ghz-b/g/n disabled=no wireless-protocol=802.11 \
distance=indoors installation=indoor
set $ifcId channel-width=20/40mhz-XX;
set $ifcId frequency=auto
:local wlanMac [/interface wireless get $ifcId mac-address];
:set ssid "MikroTik-$[:pick $wlanMac 9 11]$[:pick $wlanMac 12 14]$[:pick $wlanMac 15 17]"
set $ifcId ssid=$ssid
}
/interface wireless {
:local ifcId [/interface wireless find where default-name=wlan2]
:local currentName [/interface wireless get $ifcId name]
set $ifcId mode=ap-bridge band=5ghz-a/n/ac disabled=no wireless-protocol=802.11 \
distance=indoors installation=indoor
set $ifcId channel-width=20/40/80mhz-XXXX;
set $ifcId frequency=auto
:local wlanMac [/interface wireless get $ifcId mac-address];
:set ssid "MikroTik-$[:pick $wlanMac 9 11]$[:pick $wlanMac 12 14]$[:pick $wlanMac 15 17]"
set $ifcId ssid=$ssid
}
/ip dhcp-client add interface=ether1 disabled=no comment="defconf";
/interface list member add list=LAN interface=bridge comment="defconf"
/interface list member add list=WAN interface=ether1 comment="defconf"
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
/ip firewall {
filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
}
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
Re: reset configuration doesnt deploy fw rules
Here you go;
Do you think I couldn't post this? But that's a rotten favour to OP: defaults evolve and admin, operating "pro" router, should have a smaller "lab" unit handy ... any mikrotik costing 30 euro will do. And that's my main message to owners of "pro" line of routers: invest a few percent of base investment into lab installation. It'll make your life much easier this way or another.
Re: reset configuration doesnt deploy fw rules
hey mks dont take it personally, I am actually quite impressed by a script solution, I would have only passed on the firewall rules myself so call me a bad name!!
I get your point though that the OP should be able to make up the config from scratch if a business IT type.
I have done it enough times as a homeowner.
I get your point though that the OP should be able to make up the config from scratch if a business IT type.
I have done it enough times as a homeowner.
Re: reset configuration doesnt deploy fw rules
hey mks dont take it personally
I'm not. The thing is that I was trying to teach OP how to catch fish. But then somebody came by and dropped lots of fish.
And the problem is that in a few years time somebody will stumble upon this post and take the config ... but at that time we might have a much better default FW ruleset in then current ROS v7.6. ... the very same problem as we see with various tutorials on 3rd party platforms (e.g. youtube) ... even if they are correct, they still get outdated but people are still using them. One can't make tutorial without posting the full story, but answer to some concrete question can be without wanted details if that helps person asking solve the problem and is future proof.
Re: reset configuration doesnt deploy fw rules
HI
the question in the direction if this has been detected by anybody else as i didnt see this in former releases.
And it doesnt matter what type of HW im using. This is about the SW.
In my history i have always cleaned up any device before usage. Only this ensures that you really know what is on the box.
Thanks Dude2048. I assume this script should be there on all devices.
Taking mkx statement i assume he will never drive a Porsche as he is not a professional race driver. Im so sorry for you.
the question in the direction if this has been detected by anybody else as i didnt see this in former releases.
And it doesnt matter what type of HW im using. This is about the SW.
In my history i have always cleaned up any device before usage. Only this ensures that you really know what is on the box.
Thanks Dude2048. I assume this script should be there on all devices.
Taking mkx statement i assume he will never drive a Porsche as he is not a professional race driver. Im so sorry for you.
Re: reset configuration doesnt deploy fw rules
Taking mkx statement i assume he will never drive a Porsche as he is not a professional race driver. Im so sorry for you.
Your comparison is IMHO not right. The right comparison would go like this: how would a person, only ever driving a Tesla model X, handle a 1963 Porsche 911?
Because lack of default config has nothing to do with speed, rather it's about ease of handling of device.
I can see @OP is somehow offended by my (failed?) attempt of teaching him how to catch the fish, so I'll bail out now.