mikrotik example script
# 2025-12-12 21:15:37 by RouterOS 7.20.5
# software id = GDFK-GAZ7
#
# Upload your latest script via Files -> Upload (delete the old one), then
# System -> Reset Configuration: tick `Keep Users` and `No Default Configuration`, and in
# `Run After Reset` select the newly uploaded script.
# The script carries the PPPoE credentials in plain text. Once it has run, delete the file
# from Files (and keep it out of backups/exports) instead of leaving it on the router.
:global defconfMode;
:log info "Starting defconf script";
# Poll until the ethernet interfaces have been enumerated; give up after 30 tries (~30 s).
:local attempts 0;
:while ([/interface ethernet find] = "") do={
    :if ($attempts = 30) do={
        :log warning "DefConf: Unable to find ethernet interfaces";
        /quit;
    }
    :delay 1s;
    :set attempts ($attempts + 1);
};
:log info "Interfaces wait over"
# Interface lists that every later firewall/NAT rule keys on: WAN = untrusted, LAN = trusted.
/interface list add name=WAN comment="defconf"
/interface list add name=LAN comment="defconf"
# Create the LAN bridge, then pin its MAC to ether2's so the address stays stable across reboots.
/interface bridge add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;
:log info "Created bridge"
/interface bridge set "bridge" auto-mac=no admin-mac=[/interface get ether2 mac-address];
# ether2-ether4 form the main LAN. ether5 is deliberately left off the bridge: it is
# configured further down as the separate Grange Lodge LAN.
:foreach port in={"ether2";"ether3";"ether4"} do={
    /interface bridge port add bridge=bridge interface=$port comment=defconf;
}
:log info "Bridge mac set and ports added"
# Router address, DHCP pool and DHCP server for the bridge network 192.168.1.0/24.
/ip address add address=192.168.1.1/24 interface=bridge comment="defconf"
/ip pool add name="default-dhcp" ranges=192.168.1.100-192.168.1.254
/ip dhcp-server add name=defconf address-pool="default-dhcp" interface=bridge disabled=no
# Clients are pointed at two LAN hosts for DNS, not at the router.
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.2,192.168.1.3 domain="test" comment="defconf"
# Classify the bridge as LAN and ether1 as WAN; the filter rules below trust LAN only.
/interface list member add list=LAN interface=bridge comment="defconf"
/interface list member add list=WAN interface=ether1 comment="defconf"
# NOTE(review): this DHCP client keeps the default add-default-route=yes. If the ISP equipment
# ever hands ether1 an untagged lease, that route competes with the PPPoE default route added later.
/ip dhcp-client add interface=ether1 disabled=no comment="defconf"
# Masquerade everything leaving a WAN-list interface (traffic covered by an IPsec policy excluded).
/ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
:log info "Added bridge to LAN"
# IPv4 filter (stock defconf). Rules are evaluated top-down per chain; anything that matches
# nothing falls through to the implicit accept at the end of the chain.
# input chain: traffic addressed to the router itself.
/ip firewall filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
/ip firewall filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
/ip firewall filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
/ip firewall filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
# Everything else is admitted only from LAN-list interfaces; WAN and any interface outside
# the LAN list (ether5, for instance) is dropped here.
/ip firewall filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
# forward chain: traffic routed through the router.
/ip firewall filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
/ip firewall filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
/ip firewall filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
/ip firewall filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
# Only dst-NATed (published) connections may enter from WAN. Note there is no rule between the
# router's own subnets: forwarding between local interfaces falls through to the implicit accept.
/ip firewall filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
:log info "IPv4 firewall rules set"
# IPv6 filter (stock defconf). Reserved/bogon prefixes first; they are dropped as source and
# destination in the forward chain below.
/ipv6 firewall address-list add list=bad_ipv6 address=::/128 comment="defconf: unspecified address"
/ipv6 firewall address-list add list=bad_ipv6 address=::1 comment="defconf: lo"
/ipv6 firewall address-list add list=bad_ipv6 address=fec0::/10 comment="defconf: site-local"
/ipv6 firewall address-list add list=bad_ipv6 address=::ffff:0:0/96 comment="defconf: ipv4-mapped"
/ipv6 firewall address-list add list=bad_ipv6 address=::/96 comment="defconf: ipv4 compat"
/ipv6 firewall address-list add list=bad_ipv6 address=100::/64 comment="defconf: discard only "
/ipv6 firewall address-list add list=bad_ipv6 address=2001:db8::/32 comment="defconf: documentation"
/ipv6 firewall address-list add list=bad_ipv6 address=2001:10::/28 comment="defconf: ORCHID"
/ipv6 firewall address-list add list=bad_ipv6 address=3ffe::/16 comment="defconf: 6bone"
# input chain: traffic addressed to the router itself.
/ipv6 firewall filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
/ipv6 firewall filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
/ipv6 firewall filter add chain=input action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
# NOTE(review): the traceroute, IKE, AH and ESP accepts below carry no interface or source
# restriction, so they are reachable from the Internet. If this router terminates no IPsec,
# consider dropping the IKE/AH/ESP rules.
/ipv6 firewall filter add chain=input action=accept protocol=udp dst-port=33434-33534 comment="defconf: accept UDP traceroute"
/ipv6 firewall filter add chain=input action=accept protocol=udp dst-port=546 src-address=fe80::/10 comment="defconf: accept DHCPv6-Client prefix delegation."
/ipv6 firewall filter add chain=input action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
/ipv6 firewall filter add chain=input action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
/ipv6 firewall filter add chain=input action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
/ipv6 firewall filter add chain=input action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
/ipv6 firewall filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
# forward chain: traffic routed through the router. There is no NAT on IPv6, so apart from the
# IPsec/HIP/ICMPv6 exceptions nothing initiated outside the LAN list reaches LAN hosts.
/ipv6 firewall filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack6"
/ipv6 firewall filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
/ipv6 firewall filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
/ipv6 firewall filter add chain=forward action=drop src-address-list=bad_ipv6 comment="defconf: drop packets with bad src ipv6"
/ipv6 firewall filter add chain=forward action=drop dst-address-list=bad_ipv6 comment="defconf: drop packets with bad dst ipv6"
/ipv6 firewall filter add chain=forward action=drop protocol=icmpv6 hop-limit=equal:1 comment="defconf: rfc4890 drop hop-limit=1"
/ipv6 firewall filter add chain=forward action=accept protocol=icmpv6 comment="defconf: accept ICMPv6"
/ipv6 firewall filter add chain=forward action=accept protocol=139 comment="defconf: accept HIP"
/ipv6 firewall filter add chain=forward action=accept protocol=udp dst-port=500,4500 comment="defconf: accept IKE"
/ipv6 firewall filter add chain=forward action=accept protocol=ipsec-ah comment="defconf: accept ipsec AH"
/ipv6 firewall filter add chain=forward action=accept protocol=ipsec-esp comment="defconf: accept ipsec ESP"
/ipv6 firewall filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept all that matches ipsec policy"
/ipv6 firewall filter add chain=forward action=drop in-interface-list=!LAN comment="defconf: drop everything else not coming from LAN"
:log info "IPv6 firewall rules set"
# Restrict neighbor discovery and MAC-level access (mac-telnet, MAC-Winbox) to LAN-list interfaces.
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
:log info "Discovery settings set"
# NOTE(review): this auto-shares any attached disk over SMB and as media to every host on the
# bridge, and the input chain accepts all LAN traffic, so nothing gates it at the firewall.
# Set both to `no` unless the share is actually used, and review the SMB user/guest settings if it is.
/disk settings set auto-smb-sharing=yes auto-media-sharing=yes auto-media-interface=bridge
:log info Defconf_script_finished;
# Unset the global declared at the top of the script.
:set defconfMode;
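## Post default Mikrotik configuration
# LAN host that fronts the published HTTP(S) services; referenced by the NAT rules below.
:local traefikIP 192.168.1.2
# PPPoE credentials for the SIRO connection, kept in one place. Replace the placeholders before
# uploading; the uploaded script file holds them in plain text, so delete it from Files after it has run.
:local pppoeUser "BLAH"
:local pppoePassword "BLAH"
:log info "Setting up SIRO"
## Internet access
# The WAN port is ether1, add the SIRO VLAN to it
/interface vlan add interface=ether1 vlan-id=10 name=siro-vlan
# `on-up` refreshes the `dynwan` address list with the PPPoE local address each time the session
# comes up; the 443 dst-nat rule below keys on that list so hairpin NAT works. The profile is
# addressed by name rather than by internal id (*0) so the script does not depend on object numbering.
/ppp profile set default on-up="\
:log info \"PPPoE connected\";
:local localAddr;
:set localAddr \$\"local-address\";
/ip firewall address-list remove [find list=dynwan];
/ip firewall address-list add list=dynwan address=\$\"localAddr\";"
# Add a pppoe-client to SIRO VLAN, default route so requests fallback to it in the routing table
/interface pppoe-client add interface=siro-vlan user=$pppoeUser password=$pppoePassword disabled=no \
add-default-route=yes name=pppoe-siro
# WAN list defconf drops !LAN (Internet) packets to router and NAT masquerades packets going out WAN
/interface list member add list=WAN interface=pppoe-siro
:log info "SIRO setup"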
## Firewall/NAT
# Published services. Each dst-nat entry is what lets the "drop all from WAN not DSTNATed"
# forward rule admit the connection, so every rule here is an Internet-facing opening.
# NAT port forward for WireGuard
/ip firewall nat add chain=dstnat protocol=udp dst-port=51820 in-interface-list=WAN action=dst-nat \
to-addresses=192.168.1.3 to-ports=51820 comment="WireGuard"
# NAT port forward for Traefik Let's Encrypt renewal
# NOTE(review): this keeps plain HTTP open from the Internet at all times, not only during ACME
# HTTP-01 renewals. Traefik should serve nothing but the challenge/redirect on :80, or use DNS-01
# and drop this rule.
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 in-interface-list=WAN action=dst-nat \
to-addresses=$traefikIP to-ports=80 comment="Traefik Let's Encrypt"
# NAT port forward for Traefik, use `dynwan` instead of `WAN` interface to allow hairpin NAT
# Matches on the router's current public address (filled in by the PPPoE on-up script), so it also
# catches internal clients that resolve the public DNS name. Until the PPPoE session has come up once
# the list is empty and no 443 forward exists.
/ip firewall nat add chain=dstnat protocol=tcp dst-port=443 dst-address-list=dynwan action=dst-nat \
to-addresses=$traefikIP to-ports=443 comment="Traefik"
# Hairpin NAT to access LAN services using external DNS addresses
# Rewrites the source of routed LAN->Traefik flows to the router's address so replies come back via
# the router instead of straight to the client; Traefik therefore sees 192.168.1.1, not the client,
# for hairpinned connections. Bridge hosts talking to 192.168.1.2 directly are presumably switched,
# not routed, and so unaffected - verify if client IPs matter in Traefik logs or ACLs.
/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=$traefikIP out-interface-list=LAN \
action=masquerade protocol=tcp comment="Hairpin NAT to Traefik"
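## Grange Lodge
# Grange Lodge LAN on ether5. The port is deliberately neither a bridge port nor a LAN-list member,
# so the stock input rules already keep these hosts away from the router's own services (ICMP aside).
/ip address add address=192.168.20.1/24 interface=ether5 network=192.168.20.0 comment="Grange Lodge LAN"
# Enable DHCP on Grange Lodge LAN
# NOTE(review): ether5 is outside the LAN list, so the input chain drops its traffic. RouterOS's DHCP
# server is generally stated to bypass the IP firewall, but confirm leases are actually handed out here.
/ip pool add name=pool_ether5 ranges=192.168.20.2-192.168.20.254
/ip dhcp-server add name=dhcp_ether5 interface=ether5 address-pool=pool_ether5
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=1.1.1.1,8.8.8.8 comment="Grange Lodge LAN"
# Isolation: nothing in the stock forward chain separates the router's own subnets, so without this
# rule Grange Lodge hosts could reach the main LAN (Traefik, the WireGuard host, ...) directly.
# New connections towards 192.168.1.0/24 are dropped unless they were dst-NATed, which keeps the
# published services (including hairpin via the public address) reachable - the same pattern the
# defconf WAN rule uses. Connections initiated from the main LAN towards ether5 are not affected.
/ip firewall filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
in-interface=ether5 dst-address=192.168.1.0/24 comment="Grange Lodge: no direct access to main LAN"
:log info "Setup completed"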