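# jan/ 2/1970 3:57:21 by RouterOS 6.48.7
# software id = IZL7-N9S2
#
# RB3011CeDefaults.rsc
# Version 1.0.0
# This can be run at reset and will put the RB3011 router back to CE Defaults.
#
# Structure: this first part re-creates the stock RouterOS default configuration
# (WAN/LAN interface lists, bridge, 192.168.88.0/24 DHCP, masquerade, default
# firewall). The rest of the file then replaces that baseline with the per-port
# 172.26.N.0/24 channel layout, the Winbox access rules and the port forwards.
:global defconfMode;
:log info "Starting RB3011CeDefaults script";
:put "Before Apply if"
# NOTE(review): the next two lines look like `:local action` / `:set action "apply"`
# with the leading colons lost in transcription - confirm against the original file.
# The stock defconf script receives $action from the system; here it is forced to
# "apply" so the block below runs when the script is imported by hand.
local action
set action "apply"
#-------------------------------------------------------------------------------
# Apply configuration.
# these commands are executed after installation or configuration reset
#-------------------------------------------------------------------------------
:if ($action = "apply") do={
  # wait for interfaces (up to 30 s); give up with a logged warning rather than
  # configure a half-initialised router.
  :put "Inside Apply if"
  :local count 0;
  :while ([/interface ethernet find] = "") do={
    :if ($count = 30) do={
      :log warning "DefConf: Unable to find ethernet interfaces";
      /quit;
    }
    :delay 1s; :set count ($count +1);
  };
  # The WAN and LAN lists are what every firewall and management rule below keys on.
  /interface list add name=WAN comment="defconf"
  /interface list add name=LAN comment="defconf"
  /interface bridge add name=bridge disabled=no auto-mac=yes protocol-mode=rstp comment=defconf;
  # Bridge every non-slave port except ether1 (kept as the WAN port) and the bridge
  # itself; the first port of type "ether" supplies the bridge admin-mac.
  :local bMACIsSet 0;
  :foreach k in=[/interface find where !(slave=yes || name="ether1" || name~"bridge")] do={
    :local tmpPortName [/interface get $k name];
    :if ($bMACIsSet = 0) do={
      :if ([/interface get $k type] = "ether") do={
        /interface bridge set "bridge" auto-mac=no admin-mac=[/interface get $tmpPortName mac-address];
        :set bMACIsSet 1;
      }
    }
    :if (([/interface get $k type] != "ppp-out") && ([/interface get $k type] != "lte")) do={
      /interface bridge port add bridge=bridge interface=$tmpPortName comment=defconf;
    }
  }
  # Stock LAN addressing on the bridge; removed again further down in this file.
  /ip pool add name="default-dhcp" ranges=192.168.88.10-192.168.88.254;
  /ip dhcp-server add name=defconf address-pool="default-dhcp" interface=bridge lease-time=10m disabled=no;
  /ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 comment="defconf";
  /ip address add address=192.168.88.1/24 interface=bridge comment="defconf";
  # allow-remote-requests=yes makes the router a resolver for its clients. It is kept
  # off the WAN only by the input-chain "drop all not coming from LAN" rule below, so
  # any accept rule inserted ahead of that one widens what the WAN side can reach.
  /ip dns {
    set allow-remote-requests=yes
    static add name=router.lan address=192.168.88.1 comment=defconf
  }
  /ip dhcp-client add interface=ether1 disabled=no comment="defconf";
  /interface list member add list=LAN interface=bridge comment="defconf"
  /interface list member add list=WAN interface=ether1 comment="defconf"
  /ip firewall nat add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"
  # Stock firewall. input: only established/related, ICMP, loopback and LAN-sourced
  # traffic reaches the router. forward: new connections arriving on WAN are dropped
  # unless they were DSTNATed - the port forwards later in this file rely on that.
  # Rule order matters: the Winbox rule added later uses a positional place-before
  # that assumes exactly this sequence of input rules.
  /ip firewall {
    filter add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
    filter add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
    filter add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
    filter add chain=input action=drop in-interface-list=!LAN comment="defconf: drop all not coming from LAN"
    filter add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
    filter add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
    filter add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
    filter add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
    filter add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
    filter add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"
  }
  # Management plane limited to LAN: neighbor discovery, MAC-telnet and MAC-Winbox.
  # (The mac-winbox and discovery settings are widened to "all" later in this file.)
  /ip neighbor discovery-settings set discover-interface-list=LAN
  /tool mac-server set allowed-interface-list=LAN
  /tool mac-server mac-winbox set allowed-interface-list=LAN
  /system identity set name=MikroTik_rscv1
}
#-------------------------------------------------------------------------------
# to start lets do a import of the full config stuff.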
#
#-------------------------------------------------------------------------------
:log info Defconf_script_finished;
:set defconfMode;
# added a delay to let all of the previous statements get fully completed
:delay 5s;
:log info "before import of full"
# to reduce files I have copied all of the fullconfigplusE10.rsc file below
#-------------------------------------------------------------------------------
# jun/08/2018 19:07:54 by RouterOS 6.42.3
# software id = J3K2-ZYJC
#
# model = RouterBOARD 3011UiAS
/interface list
# add exclude=dynamic name=discover
# add name=mactel
# add name=mac-winbox
/ip neighbor discovery-settings
#set discover-interface-list=discover
:put "Before Lan List"
# add these to the LAN list so winbox will work - have to remove the old ones to start.
# Removing the "defconf" members drops the bridge from LAN and ether1 from WAN; from
# here on the LAN list is ether2..ether10, which is what the defconf input-chain rule
# "drop all not coming from LAN" now keys on. ether1 is re-added to WAN below.
/interface list member
remove [find comment="defconf"]
remove [find comment="For Winbox"]
add interface=ether2 list=LAN comment="For Winbox"
add interface=ether3 list=LAN comment="For Winbox"
add interface=ether4 list=LAN comment="For Winbox"
add interface=ether5 list=LAN comment="For Winbox"
add interface=ether6 list=LAN comment="For Winbox"
add interface=ether7 list=LAN comment="For Winbox"
add interface=ether8 list=LAN comment="For Winbox"
add interface=ether9 list=LAN comment="For Winbox"
add interface=ether10 list=LAN comment="For Winbox"
# add interface=ether1 list=LAN comment="For Winbox" I removed this because it made the HTTP stuff work also.
# (Keeping ether1 out of LAN is what stops the input chain from accepting WWW/DNS
# and every other service from the WAN side - do not re-add it.)
add interface=ether1 list=WAN comment="defconf"
:put "Before Discoverlist change"
#do this so Winbox can discover the unit from the Wan side. change all to LAN to turn off the Wan side.
# NOTE(review): "all" includes ether1, so neighbor discovery announcements (identity,
# RouterOS version, MAC) are sent toward the upstream segment and are visible to
# anyone there - a reconnaissance aid. Prefer LAN unless WAN-side discovery is really needed.
/ip neighbor discovery-settings set discover-interface-list=all
# this allows Winbox to connect via mac address instead of IP address. Change all to LAN to turn off the Wan side
# NOTE(review): this makes the MAC-Winbox management service reachable from the
# upstream L2 segment on ether1, bypassing the IP firewall entirely. Credentials are
# still required, but the management plane is exposed outside the LAN; MAC-telnet
# (/tool mac-server) stays LAN-only from the defconf block. Prefer LAN here as well.
/tool mac-server mac-winbox set allowed-interface-list=all
#put rule in firewall so winbox gets through
# this removes all of the firewall rules of this type.
/ip firewall filter remove [find comment="Winbox rule"]
# NOTE(review): this accept has no in-interface-list or src-address restriction, so
# TCP/8291 (Winbox) is reachable from ether1 (the WAN) as well as from the LAN ports.
# If WAN-side Winbox is genuinely required, narrow it, e.g. add
# src-address-list=<TRUSTED-ADMIN-LIST> (placeholder) and keep RouterOS current;
# otherwise add in-interface-list=LAN.
# place-before=2 is positional: with the defconf input rules (0 accept established,
# 1 drop invalid, 2 accept ICMP, ...) it lands ahead of "drop all not coming from LAN".
# Any rule added above it shifts the insertion point; anchoring with
# place-before=[find comment="defconf: drop all not coming from LAN"] would not.
/ip firewall filter add chain=input protocol=tcp dst-port=8291 comment="Winbox rule" disabled=no action=accept place-before=2
/system identity set name="Enet-XRCX"
:put "Before Bridge port changes"
# NOTE(review): the RB3011 has no wireless hardware; this line only succeeds if the
# wireless package is installed. If the menu is absent the import stops here with an
# error - confirm on the target unit before relying on the rest of this file.
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
# have to disconnect the interfaces from the bridge before we give them the DHCP server connection.
# ether1 was never bridged (excluded in the defconf foreach), so ether2..ether10 are
# the only ports to detach. Removing the bridge leaves the defconf DHCP server, pool
# and 192.168.88.1/24 address pointing at a missing interface; they are cleaned up in
# the sections that follow.
/interface bridge port remove [find interface="ether2"]
/interface bridge port remove [find interface="ether3"]
/interface bridge port remove [find interface="ether4"]
/interface bridge port remove [find interface="ether5"]
/interface bridge port remove [find interface="ether6"]
/interface bridge port remove [find interface="ether7"]
/interface bridge port remove [find interface="ether8"]
/interface bridge port remove [find interface="ether9"]
/interface bridge port remove [find interface="ether10"]
/interface bridge remove [find name="bridge"]
:put "Create Pools"
/ip pool
#remove the default dhcp pool if still around.
# One pool per channel port. A /31 range yields exactly two leases (.20 and .21),
# which are the two hosts the dst-nat rules later in this file forward to.
# The :do { } on-error={} wrappers make the import idempotent: a failed add is
# silently ignored, so check /ip pool afterwards - a missing pool leaves the
# matching DHCP server with nothing to hand out.
remove [find name="default-dhcp"]
remove [find name="pool1"]
:do { add name=pool1 ranges=172.26.1.20/31 } on-error={}
remove [find name="pool2"]
:do { add name=pool2 ranges=172.26.2.20/31 } on-error={}
remove [find name="pool3"]
:do { add name=pool3 ranges=172.26.3.20/31 } on-error={}
remove [find name="pool4"]
:do { add name=pool4 ranges=172.26.4.20/31 } on-error={}
remove [find name="pool5"]
:do { add name=pool5 ranges=172.26.5.20/31 } on-error={}
remove [find name="pool6"]
:do { add name=pool6 ranges=172.26.6.20/31 } on-error={}
remove [find name="pool7"]
:do { add name=pool7 ranges=172.26.7.20/31 } on-error={}
remove [find name="pool8"]
:do { add name=pool8 ranges=172.26.8.20/31 } on-error={}
remove [find name="pool9"]
:do { add name=pool9 ranges=172.26.9.20/31 } on-error={}
:put "Before dhcp servers"
/ip dhcp-server
#remove the default Dhcp server.
# Removals are wrapped in :do/on-error so a fresh unit (where the servers do not yet
# exist) does not abort the import. One DHCP server per channel port, ether2..ether10
# -> pool1..pool9, short 2m leases.
:do { remove defconf } on-error={}
:do { remove server1 } on-error={}
add address-pool=pool1 disabled=no interface=ether2 lease-time=2m name=server1
:do { remove server2 } on-error={}
add address-pool=pool2 disabled=no interface=ether3 lease-time=2m name=server2
:do { remove server3 } on-error={}
add address-pool=pool3 disabled=no interface=ether4 lease-time=2m name=server3
:do { remove server4 } on-error={}
add address-pool=pool4 disabled=no interface=ether5 lease-time=2m name=server4
:do { remove server5 } on-error={}
add address-pool=pool5 disabled=no interface=ether6 lease-time=2m name=server5
:do { remove server6 } on-error={}
add address-pool=pool6 disabled=no interface=ether7 lease-time=2m name=server6
:do { remove server7 } on-error={}
add address-pool=pool7 disabled=no interface=ether8 lease-time=2m name=server7
:do { remove server8 } on-error={}
add address-pool=pool8 disabled=no interface=ether9 lease-time=2m name=server8
:do { remove server9 } on-error={}
add address-pool=pool9 disabled=no interface=ether10 lease-time=2m name=server9
:put "before add networks"
/ip address
#remove [find comment~"Static"]
#add address=192.168.7.201/24 interface=ether1 network=192.168.7.0 disabled=yes comment="Placeholder for Static Wan"
#remove the default network
# Drops the defconf 192.168.88.1/24 (its bridge was removed above), then gives each
# channel port its own /24: etherN carries 172.26.(N-1).1/24. Existing addresses on
# each port are removed first so re-running the import does not stack duplicates.
# NOTE(review): nothing in the defconf filter rules blocks forwarding between these
# subnets, so hosts on one channel port can reach the others. If the channels are
# meant to be isolated, add chain=forward drop rules between them.
remove [find comment="defconf"]
remove [find interface="ether10"]
add address=172.26.9.1/24 interface=ether10 network=172.26.9.0
remove [find interface="ether9"]
add address=172.26.8.1/24 interface=ether9 network=172.26.8.0
remove [find interface="ether8"]
add address=172.26.7.1/24 interface=ether8 network=172.26.7.0
remove [find interface="ether7"]
add address=172.26.6.1/24 interface=ether7 network=172.26.6.0
remove [find interface="ether6"]
add address=172.26.5.1/24 interface=ether6 network=172.26.5.0
remove [find interface="ether5"]
add address=172.26.4.1/24 interface=ether5 network=172.26.4.0
remove [find interface="ether4"]
add address=172.26.3.1/24 interface=ether4 network=172.26.3.0
remove [find interface="ether3"]
add address=172.26.2.1/24 interface=ether3 network=172.26.2.0
remove [find interface="ether2"]
add address=172.26.1.1/24 interface=ether2 network=172.26.1.0
:put "before dhcp-server network stuff"
/ip dhcp-server network
#remove the default dhcp-server network.
# Per-subnet gateway/netmask handed out with each lease; the "~" finds are regex
# matches on the comment, which is why every comment below names its port.
remove [find comment~"defconf"]
remove [find comment~"ether2"]
add address=172.26.1.0/24 comment="Network for ether2" gateway=172.26.1.1 \
    netmask=24
remove [find comment~"ether3"]
add address=172.26.2.0/24 comment="Network for ether3" gateway=172.26.2.1 \
    netmask=24
remove [find comment~"ether4"]
add address=172.26.3.0/24 comment="Network for ether4" gateway=172.26.3.1 \
    netmask=24
remove [find comment~"ether5"]
add address=172.26.4.0/24 comment="Network for ether5" gateway=172.26.4.1 \
    netmask=24
remove [find comment~"ether6"]
add address=172.26.5.0/24 comment="Network for ether6" gateway=172.26.5.1 \
    netmask=24
remove [find comment~"ether7"]
add address=172.26.6.0/24 comment="Network for ether7" gateway=172.26.6.1 \
    netmask=24
remove [find comment~"ether8"]
add address=172.26.7.0/24 comment="Network for ether8" gateway=172.26.7.1 \
    netmask=24
remove [find comment~"ether9"]
add address=172.26.8.0/24 comment="Network for ether9" gateway=172.26.8.1 \
    netmask=24
remove [find comment~"ether10"]
add address=172.26.9.0/24 comment="Network for ether10" gateway=172.26.9.1 \
    netmask=24
#port forwarding
/ip firewall nat
# this removes all of the firewall rules of this type.
remove [find comment~"Channel"]
# NOTE(review): every dst-nat below with in-interface=ether1 publishes an internal host
# to the internet with no source restriction. The defconf forward rule "drop all from
# WAN not DSTNATed" admits these precisely because they are DSTNATed, so the target
# device's own login is the only control left. If the set of remote clients is known,
# add src-address-list=<TRUSTED-SOURCE-LIST> (placeholder) to each rule, or one
# matching chain=forward filter rule, and log the hits so unexpected sources are visible.
# Mapping: WAN port 5120+2*(N-1) -> 172.26.N.20:5120, 5121+2*(N-1) -> 172.26.N.21:5120
# for channels 1-8 (ether2..ether9).
add action=dst-nat chain=dstnat dst-port=5120 in-interface=ether1 protocol=tcp to-addresses=172.26.1.20 to-ports=5120 comment="Channel 1 forwards"
add action=dst-nat chain=dstnat dst-port=5121 in-interface=ether1 protocol=tcp to-addresses=172.26.1.21 to-ports=5120 comment="Channel 1 forwards"
add action=dst-nat chain=dstnat dst-port=5122 in-interface=ether1 protocol=tcp to-addresses=172.26.2.20 to-ports=5120 comment="Channel 2 forwards"
add action=dst-nat chain=dstnat dst-port=5123 in-interface=ether1 protocol=tcp to-addresses=172.26.2.21 to-ports=5120 comment="Channel 2 forwards"
add action=dst-nat chain=dstnat dst-port=5124 in-interface=ether1 protocol=tcp to-addresses=172.26.3.20 to-ports=5120 comment="Channel 3 forwards"
add action=dst-nat chain=dstnat dst-port=5125 in-interface=ether1 protocol=tcp to-addresses=172.26.3.21 to-ports=5120 comment="Channel 3 forwards"
add action=dst-nat chain=dstnat dst-port=5126 in-interface=ether1 protocol=tcp to-addresses=172.26.4.20 to-ports=5120 comment="Channel 4 forwards"
add action=dst-nat chain=dstnat dst-port=5127 in-interface=ether1 protocol=tcp to-addresses=172.26.4.21 to-ports=5120 comment="Channel 4 forwards"
add action=dst-nat chain=dstnat dst-port=5128 in-interface=ether1 protocol=tcp to-addresses=172.26.5.20 to-ports=5120 comment="Channel 5 forwards"
add action=dst-nat chain=dstnat dst-port=5129 in-interface=ether1 protocol=tcp to-addresses=172.26.5.21 to-ports=5120 comment="Channel 5 forwards"
add action=dst-nat chain=dstnat dst-port=5130 in-interface=ether1 protocol=tcp to-addresses=172.26.6.20 to-ports=5120 comment="Channel 6 forwards"
add action=dst-nat chain=dstnat dst-port=5131 in-interface=ether1 protocol=tcp to-addresses=172.26.6.21 to-ports=5120 comment="Channel 6 forwards"
add action=dst-nat chain=dstnat dst-port=5132 in-interface=ether1 protocol=tcp to-addresses=172.26.7.20 to-ports=5120 comment="Channel 7 forwards"
add action=dst-nat chain=dstnat dst-port=5133 in-interface=ether1 protocol=tcp to-addresses=172.26.7.21 to-ports=5120 comment="Channel 7 forwards"
add action=dst-nat chain=dstnat dst-port=5134 in-interface=ether1 protocol=tcp to-addresses=172.26.8.20 to-ports=5120 comment="Channel 8 forwards"
add action=dst-nat chain=dstnat dst-port=5135 in-interface=ether1 protocol=tcp to-addresses=172.26.8.21 to-ports=5120 comment="Channel 8 forwards"
# NOTE(review): channel 9 forwards land on to-ports=80 - presumably the encoders' web
# UI - so that management interface is reachable from the internet over cleartext HTTP
# (credentials and sessions cross the WAN unencrypted). Restricting the source as above,
# or reaching these via VPN instead, would be the defensive choice.
add action=dst-nat chain=dstnat dst-port=5140 in-interface=ether1 protocol=tcp to-addresses=172.26.9.20 to-ports=80 comment="Channel 9 Encoder forwards"
add action=dst-nat chain=dstnat dst-port=5141 in-interface=ether1 protocol=tcp to-addresses=172.26.9.21 to-ports=80 comment="Channel 9 Encoder forwards"
#port forwarding for Ether10 so can connect laptop up in machine room and work.
# Same mapping repeated for in-interface=ether10 (a LAN port), so the laptop can use
# the public port numbers from inside; this is not WAN exposure. Channel 9 is not
# duplicated here.
add action=dst-nat chain=dstnat dst-port=5120 in-interface=ether10 protocol=tcp to-addresses=172.26.1.20 to-ports=5120 comment="Channel 1 forwards"
add action=dst-nat chain=dstnat dst-port=5121 in-interface=ether10 protocol=tcp to-addresses=172.26.1.21 to-ports=5120 comment="Channel 1 forwards"
add action=dst-nat chain=dstnat dst-port=5122 in-interface=ether10 protocol=tcp to-addresses=172.26.2.20 to-ports=5120 comment="Channel 2 forwards"
add action=dst-nat chain=dstnat dst-port=5123 in-interface=ether10 protocol=tcp to-addresses=172.26.2.21 to-ports=5120 comment="Channel 2 forwards"
add action=dst-nat chain=dstnat dst-port=5124 in-interface=ether10 protocol=tcp to-addresses=172.26.3.20 to-ports=5120 comment="Channel 3 forwards"
add action=dst-nat chain=dstnat dst-port=5125 in-interface=ether10 protocol=tcp to-addresses=172.26.3.21 to-ports=5120 comment="Channel 3 forwards"
add action=dst-nat chain=dstnat dst-port=5126 in-interface=ether10 protocol=tcp to-addresses=172.26.4.20 to-ports=5120 comment="Channel 4 forwards"
add action=dst-nat chain=dstnat dst-port=5127 in-interface=ether10 protocol=tcp to-addresses=172.26.4.21 to-ports=5120 comment="Channel 4 forwards"
add action=dst-nat chain=dstnat dst-port=5128 in-interface=ether10 protocol=tcp to-addresses=172.26.5.20 to-ports=5120 comment="Channel 5 forwards"
add action=dst-nat chain=dstnat dst-port=5129 in-interface=ether10 protocol=tcp to-addresses=172.26.5.21 to-ports=5120 comment="Channel 5 forwards"
add action=dst-nat chain=dstnat dst-port=5130 in-interface=ether10 protocol=tcp to-addresses=172.26.6.20 to-ports=5120 comment="Channel 6 forwards"
add action=dst-nat chain=dstnat dst-port=5131 in-interface=ether10 protocol=tcp to-addresses=172.26.6.21 to-ports=5120 comment="Channel 6 forwards"
add action=dst-nat chain=dstnat dst-port=5132 in-interface=ether10 protocol=tcp to-addresses=172.26.7.20 to-ports=5120 comment="Channel 7 forwards"
add action=dst-nat chain=dstnat dst-port=5133 in-interface=ether10 protocol=tcp to-addresses=172.26.7.21 to-ports=5120 comment="Channel 7 forwards"
add action=dst-nat chain=dstnat dst-port=5134 in-interface=ether10 protocol=tcp to-addresses=172.26.8.20 to-ports=5120 comment="Channel 8 forwards"
add action=dst-nat chain=dstnat dst-port=5135 in-interface=ether10 protocol=tcp to-addresses=172.26.8.21 to-ports=5120 comment="Channel 8 forwards"
# still need to add in the firewall stuff.
# do I allow the Winbox to work on the lan. - yes Do I allow it to discover on the Wan. -no but may open port
# HTTP web interface will be off for Wan but on for Lan.
# (As written above, discovery and MAC-Winbox are currently set to "all", i.e. on for
# the WAN side too; the Winbox TCP/8291 input rule is also unrestricted by interface.)
:put "Add MultiCast support"
# here we turn on IGMP-proxy stuff so that Multicast will work. Source ether10 outputs Ether2 - 9.
# IGMP proxy: ether10 is the upstream (multicast source side), ether2..ether9 are the
# downstream channel ports. ether1 is deliberately not listed, so no multicast is
# proxied to or from the WAN. Existing entries are cleared first so the import can be
# re-run. (Requires the multicast package to be present on the unit.)
/routing igmp-proxy interface remove [find comment="multicast"]
/routing igmp-proxy interface add interface=ether10 upstream=yes comment="multicast"
/routing igmp-proxy interface add interface=ether2 comment="multicast"
/routing igmp-proxy interface add interface=ether3 comment="multicast"
/routing igmp-proxy interface add interface=ether4 comment="multicast"
/routing igmp-proxy interface add interface=ether5 comment="multicast"
/routing igmp-proxy interface add interface=ether6 comment="multicast"
/routing igmp-proxy interface add interface=ether7 comment="multicast"
/routing igmp-proxy interface add interface=ether8 comment="multicast"
/routing igmp-proxy interface add interface=ether9 comment="multicast"
#-------------------------------------------------------------------------------
:log info "after import of full"
:log info "End of RB3011CeDefaults script V1.0.0";