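#| Hex5CeDefault script used by customer to reset the unit to CE Defaults and still get in on Ether1 port.
#| Script Revision R1 02/29/2024
# Version 1.0.1 - fixed issue with last :log info not having quotes
#
# Review notes (R1, behaviour unchanged except where marked FIX):
#  - Part 1 re-creates the stock "defconf" layout (bridge, 192.168.88.0/24,
#    default firewall), part 2 tears most of it down again and builds the
#    per-port 172.26.x.0/24 networks, port forwards and IGMP proxy.
#  - The admin password is reset to the literal "admin" in part 1, and part 2
#    opens Winbox (tcp/8291), neighbor discovery and MAC-Winbox on ALL
#    interfaces including the WAN (ether1). That is what "still get in on
#    Ether1" requires, but it means a factory credential is reachable from the
#    WAN until the password is changed and the two "all" lists are set back
#    to LAN.
#  - FIX: the NTP cleanup used an exact comment match that never matched the
#    rule it adds, so every run added one more drop rule (see below).
#  - FIX: pool creation failures are now logged instead of silently dropped.
#  - FIX: final log line said V1.0.0 while the header says 1.0.1.
:global defconfMode;
:log info "Starting Hex5CeDefaults script R1";

#-------------------------------------------------------------------------------
# Apply configuration.
# these commands are executed after installation or configuration reset
# had to do the sets for variables that are not available to my script.
#-------------------------------------------------------------------------------
:global defconfPassword;
:global action;
:log info "defconfPassword to start";
:log info $defconfPassword;
# Both globals are forced here: $action so the "apply" branch below always
# runs, $defconfPassword so the password step below is never skipped.
:set action "apply";
:set defconfPassword "admin";
:log info "Before first if";
:if ($action = "apply") do={
  # wait for interfaces (gives up after 30 one-second polls)
  :local count 0;
  :while ([/interface ethernet find] = "") do={
    :if ($count = 30) do={
      :log warning "DefConf: Unable to find ethernet interfaces";
      /quit;
    }
    :delay 1s;
    :set count ($count +1);
  };
  :log info "defconf script before interface add";
  /interface list add name=WAN comment="defconf"
  /interface list add name=LAN comment="defconf"
  /interface bridge add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;
  # Every non-slave port other than ether1 becomes a bridge port (ppp-out and
  # lte excluded); the first "ether" port found also donates its MAC to the bridge.
  :local bMACIsSet 0;
  :foreach k in=[/interface find where !(slave=yes || name="ether1" || name~"bridge")] do={
    :local tmpPortName [/interface get $k name];
    :if ($bMACIsSet = 0) do={
      :if ([/interface get $k type] = "ether") do={
        /interface bridge set "bridge" auto-mac=no admin-mac=[/interface get $tmpPortName mac-address];
        :set bMACIsSet 1;
      }
    }
    :if (([/interface get $k type] != "ppp-out") && ([/interface get $k type] != "lte")) do={
      /interface bridge port add bridge=bridge interface=$tmpPortName comment=defconf;
    }
  }
  /ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
  /ip dhcp-server add name=defconf address-pool="default-dhcp" interface=bridge lease-time=10m disabled=no;
  /ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 comment="defconf";
  /ip address add address=192.168.88.1/24 interface=bridge comment="defconf";
  # NOTE: the router.lan static record is not removed by part 2 of this script,
  # so it keeps pointing at 192.168.88.1 after that address is deleted.
  /ip dns {
    set allow-remote-requests=yes
    static add name=router.lan address=192.168.88.1 comment=defconf
  }
  :log info "before dhcp client add defconf script";
  /ip dhcp-client add interface=ether1 disabled=no comment="defconf";
  /interface list member add list=LAN interface=bridge comment="defconf"
  /interface list member add list=WAN interface=ether1 comment="defconf"
  /ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
  /ip firewall {
    filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
    filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
    filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
    filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
    filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
    filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
    filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
    filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
    filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
  }
  /ip neighbor discovery-settings set discover-interface-list=LAN
  /tool mac-server set allowed-interface-list=LAN
  /tool mac-server mac-winbox set allowed-interface-list=LAN
  :log info "before password change defconf script R1";
  :if (!($defconfPassword = "" || $defconfPassword = nil)) do={
    :log info "in password change defconf script R1";
    # SECURITY: the admin password is hard-coded to the factory value; the
    # $defconfPassword variable (also "admin" above) is not used. Part 2 of
    # this script opens Winbox on every interface, so this credential is
    # reachable from the WAN until it is changed.
    /user set admin password="admin"
    # /user set admin password=$defconfPassword
    /system identity set name=MikroTik_aa
  }
  :log info "after password change defconf script R1";
}
#-------------------------------------------------------------------------------
# to start lets do a import of the hex5configR2.rsc
#
#-------------------------------------------------------------------------------
:log info "Defconf_script_finished";
:set defconfMode;
# added a delay to let all of the previous statements get fully completed
:delay 5s;
:log info "before import"
# to reduce files I have copied all of the hex5configR2.rsc file below
#-------------------------------------------------------------------------------
# R2 version - adds setting name with _aa and adding NTP rule.
# model = RouterBOARD RB760iGS
/interface list
# add exclude=dynamic name=discover
# add name=mactel
# add name=mac-winbox
/ip neighbor discovery-settings
#set discover-interface-list=discover
:put "Before Lan List"
# add these to the LAN list so winbox will work - have to remove the old ones to start.
/interface list member
remove [find comment="defconf"]
remove [find comment="For Winbox"]
add interface=ether2 list=LAN comment="For Winbox"
add interface=ether3 list=LAN comment="For Winbox"
add interface=ether4 list=LAN comment="For Winbox"
add interface=ether5 list=LAN comment="For Winbox"
add interface=ether1 list=WAN comment="defconf"
:put "Before Discoverlist change"
#do this so Winbox can discover the unit from the Wan side. change all to LAN to turn off the Wan side.
/ip neighbor discovery-settings set discover-interface-list=all
# this allows Winbox to connect via mac address instead of IP address. Change all to LAN to turn off the Wan side
/tool mac-server mac-winbox set allowed-interface-list=all
#put rule in firewall so winbox gets through
# this removes all of the firewall rules of this type.
/ip firewall filter remove [find comment="Winbox rule"]
# This rule has no in-interface-list restriction, so tcp/8291 is accepted from
# the WAN as well (intended, see header). place-before=2 is positional: it
# assumes the defconf input rules above exist in creation order so the rule
# lands ahead of "drop all not coming from LAN". If the filter list differs,
# place-before=[find comment="defconf: drop all not coming from LAN"] is safer.
/ip firewall filter add chain=input protocol=tcp dst-port=8291 comment="Winbox rule" disabled=no action=accept place-before=2
#changed logic so will add _aa to name if had _aa to start.
:put "Before name test if"
# NOTE: part 1 always sets the identity to MikroTik_aa, so when the script is
# run end to end this test takes the "_aa" branch. Relies on :find returning
# nil when the substring is absent.
:if ([:find [/system identity get name] "_aa"] ) do={
  :put "Inside name test if"
  /system identity set name="Enet-XRBX Hex5_aa"
} else={
  /system identity set name="Enet-XRBX Hex5"
  :put "Inside name test else"
}
# this removes all of the firewall rules of this type. so when added latter we do not get two copies. - R2
# FIX: the rule added below is commented "stop udp NTP time update"; the
# previous exact match (comment="udp NTP time") never matched it, so each run
# left an extra drop rule behind. Substring match (~) as used for the NAT rules.
/ip firewall filter remove [find comment~"udp NTP time"]
/ip firewall filter add action=drop chain=forward protocol=udp src-port=123 comment="stop udp NTP time update"
:put "Before Bridge port changes"
# NOTE(review): the RB760iGS has no wireless interface; if the wireless package
# is not present this command fails - confirm on the target unit.
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
# have to disconnect the interfaces from the bridge before we give them the DHCP server connection.
/interface bridge port remove [find interface="ether2"]
/interface bridge port remove [find interface="ether3"]
/interface bridge port remove [find interface="ether4"]
/interface bridge port remove [find interface="ether5"]
/interface bridge remove [find name="bridge"]
:put "Create Pools"
/ip pool
#remove the default dhcp pool if still around.
remove [find name="default-dhcp"]
# FIX: a failed pool add used to be swallowed by on-error={}; it is now logged
# so a missing pool (and the dhcp server that depends on it) can be traced.
remove [find name="pool1"]
:do { add name=pool1 ranges=172.26.1.20/31 } on-error={ :log warning "Hex5CeDefaults: failed to add pool1" }
remove [find name="pool2"]
:do { add name=pool2 ranges=172.26.2.20/31 } on-error={ :log warning "Hex5CeDefaults: failed to add pool2" }
remove [find name="pool3"]
:do { add name=pool3 ranges=172.26.3.20/31 } on-error={ :log warning "Hex5CeDefaults: failed to add pool3" }
remove [find name="pool4"]
:do { add name=pool4 ranges=172.26.9.20/31 } on-error={ :log warning "Hex5CeDefaults: failed to add pool4" }
:put "Before dhcp servers"
/ip dhcp-server
#remove the default Dhcp server. (the remove calls are expected to fail when the
# server does not exist yet, so their errors stay ignored)
:do { remove defconf } on-error={}
:do { remove server1 } on-error={}
add address-pool=pool1 disabled=no interface=ether2 lease-time=2m name=server1
:do { remove server2 } on-error={}
add address-pool=pool2 disabled=no interface=ether3 lease-time=2m name=server2
:do { remove server3 } on-error={}
add address-pool=pool3 disabled=no interface=ether4 lease-time=2m name=server3
:do { remove server4 } on-error={}
add address-pool=pool4 disabled=no interface=ether5 lease-time=2m name=server4
:put "before add networks"
/ip address
#remove [find comment~"Static"]
#add address=192.168.7.201/24 interface=ether1 network=192.168.7.0 disabled=yes comment="Placeholder for Static Wan"
#remove the default network
remove [find comment="defconf"]
remove [find interface="ether5"]
add address=172.26.9.1/24 interface=ether5 network=172.26.9.0
remove [find interface="ether4"]
add address=172.26.3.1/24 interface=ether4 network=172.26.3.0
remove [find interface="ether3"]
add address=172.26.2.1/24 interface=ether3 network=172.26.2.0
remove [find interface="ether2"]
add address=172.26.1.1/24 interface=ether2 network=172.26.1.0
:put "before dhcp-server network stuff"
/ip dhcp-server network
#remove the default dhcp-server network.
remove [find comment~"defconf"]
remove [find comment~"ether2"]
add address=172.26.1.0/24 comment="Network for ether2" gateway=172.26.1.1 \
    netmask=24
remove [find comment~"ether3"]
add address=172.26.2.0/24 comment="Network for ether3" gateway=172.26.2.1 \
    netmask=24
remove [find comment~"ether4"]
add address=172.26.3.0/24 comment="Network for ether4" gateway=172.26.3.1 \
    netmask=24
remove [find comment~"ether5"]
add address=172.26.9.0/24 comment="Network for ether5" gateway=172.26.9.1 \
    netmask=24
#port forwarding
# These dst-nat rules have no source restriction; together with the forward
# chain's "drop all from WAN not DSTNATed" rule they are exactly the WAN ports
# that reach the inside hosts (5120-5125, 5140, 5141 on ether1).
/ip firewall nat
# this removes all of the firewall rules of this type.
remove [find comment~"Channel"]
add action=dst-nat chain=dstnat dst-port=5120 in-interface=ether1 protocol=tcp to-addresses=172.26.1.20 to-ports=5120 comment="Channel 1 forwards"
add action=dst-nat chain=dstnat dst-port=5121 in-interface=ether1 protocol=tcp to-addresses=172.26.1.21 to-ports=5120 comment="Channel 1 forwards"
add action=dst-nat chain=dstnat dst-port=5122 in-interface=ether1 protocol=tcp to-addresses=172.26.2.20 to-ports=5120 comment="Channel 2 forwards"
add action=dst-nat chain=dstnat dst-port=5123 in-interface=ether1 protocol=tcp to-addresses=172.26.2.21 to-ports=5120 comment="Channel 2 forwards"
add action=dst-nat chain=dstnat dst-port=5124 in-interface=ether1 protocol=tcp to-addresses=172.26.3.20 to-ports=5120 comment="Channel 3 forwards"
add action=dst-nat chain=dstnat dst-port=5125 in-interface=ether1 protocol=tcp to-addresses=172.26.3.21 to-ports=5120 comment="Channel 3 forwards"
add action=dst-nat chain=dstnat dst-port=5140 in-interface=ether1 protocol=tcp to-addresses=172.26.9.20 to-ports=80 comment="Channel 9 Encoder forwards"
add action=dst-nat chain=dstnat dst-port=5141 in-interface=ether1 protocol=tcp to-addresses=172.26.9.21 to-ports=80 comment="Channel 9 Encoder forwards"
#port forwarding for Ether5 so can connect laptop up in machine room and work.
add action=dst-nat chain=dstnat dst-port=5120 in-interface=ether5 protocol=tcp to-addresses=172.26.1.20 to-ports=5120 comment="Channel 1 forwards"
add action=dst-nat chain=dstnat dst-port=5121 in-interface=ether5 protocol=tcp to-addresses=172.26.1.21 to-ports=5120 comment="Channel 1 forwards"
add action=dst-nat chain=dstnat dst-port=5122 in-interface=ether5 protocol=tcp to-addresses=172.26.2.20 to-ports=5120 comment="Channel 2 forwards"
add action=dst-nat chain=dstnat dst-port=5123 in-interface=ether5 protocol=tcp to-addresses=172.26.2.21 to-ports=5120 comment="Channel 2 forwards"
add action=dst-nat chain=dstnat dst-port=5124 in-interface=ether5 protocol=tcp to-addresses=172.26.3.20 to-ports=5120 comment="Channel 3 forwards"
add action=dst-nat chain=dstnat dst-port=5125 in-interface=ether5 protocol=tcp to-addresses=172.26.3.21 to-ports=5120 comment="Channel 3 forwards"
# still need to add in the firewall stuff.
# do I allow the Winbox to work on the lan. - yes Do I allow it to discover on the Wan. -no but may open port
# HTTP web interface will be off for Wan but on for Lan.
:put "Add MultiCast support"
# here we turn on IGMP-proxy stuff so that Multicast will work.
# Upstream (source) is ether5; downstream outputs are ether2 - ether4.
/routing igmp-proxy interface remove [find comment="multicast"]
/routing igmp-proxy interface add interface=ether5 upstream=yes comment="multicast"
/routing igmp-proxy interface add interface=ether2 comment="multicast"
/routing igmp-proxy interface add interface=ether3 comment="multicast"
/routing igmp-proxy interface add interface=ether4 comment="multicast"
#-------------------------------------------------------------------------------
:log info "Hex5CeDefaults V1.0.1 script finished";
:set defconfMode;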