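# =========================
# PARAMETRIZED VERSION
# =========================
# Per-site provisioning script for MikroTik routers. The unit's serial number
# selects one row of the site table below; that row supplies the site name, the
# router number (which drives all LAN / wire / management / WireGuard addressing)
# and the WireGuard private key. Most steps look for an existing item before
# adding one, so the script is written to be re-runnable.
:put "=== START CONFIG ==="

# Site table: serial-number = { site name ; router number ; WireGuard private key }
# NOTE(review): this table carries the WireGuard private key of every site in
# clear text, so each copy of the script (and every router it is loaded on)
# holds all of them. Safer: let each router generate its own key and register
# only its public key on the hub; treat the keys below as exposed and rotate them.
:local sites {
    "HD408FN1902"={"TERN_ZLUKY"; 1 ;"MPqIO5zLD3WgbLdCH7FtsGt301/2tMxNRvxVtPLMf2Q="};
    "HD4086DD9S6"={"LANIVTSI"; 2 ;"eJd8hF7QjXwCESIPFDCf1wMo994zeMIyjzfcHrv4Ukc="};
    "HD4081EA7M6"={"TERN_LUCHAK"; 3 ;"eE5Lo6A8snNx68GmGQ+kpSH9yD52FFc2Y8YdM2pVclc="};
    "HD4088NSD8H"={"TERN_ST.BAND"; 4 ;"iFcv5EfMBvYGRjxuNn+0kHVH//Z8cl3XGzVNN8/fyEo="};
    "HD408BVPWSK"={"BEREZOVYTSYA"; 5 ;"cJZJUD8pwoOdVfNHV1oM4AsncDbPOkxyA64bjwdP638="};
    "HD4088VMCQC"={"TEREBOVLYA"; 6 ;"6B00zTnQCVhGOhgRNK0WjU+xADhE6dfgNITyEfzBfXI="};
    "HD408DK2F47"={"ZBORIV"; 7 ;"yAUuDey3lGOSgUEqjOB8/zthLRyxrmUO67lOsiSW/UE="};
    "HCP08E8JF2T"={"BEREGANY"; 8 ;"IDUwF4kMMYxnEXMqPwPkju0qlSKQCSLtUcmZPwnC0FA="};
    "HD4086QX97J"={"BORSCHIV"; 9 ;"SJlidu1caJtR7UOoTSo4EVB4gpW/JIodjsrak+A3RXk="};
    "HD4088NBP0G"={"BUCHACH"; 10;"yBqqq11aTvVIAQOzak5OVgwSkoQHsd2ar7OAzzUXAUo="};
    "HD408212ZPR"={"VOLOCHYSK"; 11;"aN8etil7vivX0u8Or7WCWjq9Ch6jOvFIzHFtYfdjqkU="};
    "HE808Y6XPKZ"={"ZALISTSI"; 12;"iDPBzlgoJfaLX4RtxA8KAgo2L1+VYJIZUF8lDSq4c3s="};
    "HD4081S3G9J"={"ZALISCHYKY"; 13;"YGLOgkzRvBtjeymxxh6hFOHCWRftaWnkPNzrjHw5/U0="};
    "HE808S9M4P9"={"ZBARAG"; 14;"sJM4Eb8+fYZS1CPuWXRmEeDqG/aDFyze1tOFB390mG4="};
    "HCP085HM232"={"KOZOVA"; 15;"aHYrA7EnKO4wTkXOvv0Xpe8AnrGbZ3uu5esxdVjEaWA="};
    "HD308B162BJ"={"KREM_AVTO"; 16;"QGgLN35kyIKlOgwCA8Wu0Mu8KvfA/XwBvPEmK0+mjWA="};
    "HD4084P4YJA"={"KREM_CENTR"; 17;"2G/QKvexLiEVnLlaUn0f/pZmmjQGFNe0TicsbNGpJ0o="};
    "HD4087BDKB9"={"KREM_SUGAR"; 18;"YKgsC/hbBDHVotAI7mzucffLpr6/8uVlKmI7i7q6zno="};
    "HD40810AB4M"={"MLYNIVCI"; 19;"OHmheN29m5zeSMEAJ03/nktEH3ns5zfIqHzVoqN3YkI="};
    "HD4086N2QZ9"={"PIDVOLOCHYSK"; 20;"ACOB9BznZk+8EwXhRFzgJDzvu/Et2FGYfgOGFKxvBlI="};
    "HD408D9Z586"={"TERN_ORION"; 21;"MIeVkMqOxabo5b75IMYNRP5r5tvU1UmWRQ8u8nM0Pmw="};
    "HD408B4K4RG"={"TERN_TEKSTYLNYK";22;"AKysRFyBr1zeFKwM53cRw2eUTKWG2fOs1UveamknRXo="};
    "HD408A8MGY8"={"CHORTKIV_AVTO"; 23;"sDbgef3h/vRxTRpVyUHNRI2vmbYLTbvduab4G/e1u3I="};
    "HD4082AY9D2"={"CHORTKIV_CENTR"; 24;"mAeRljGQ3jzXHMxyF9zWWcfr8K9i51tWcfd6x7gc/1A="};
    "HD4083ESK0Q"={"SKALAT"; 25;"UIGg7Ltn+LsdB5uSeiwXmvPw9Om5Vb/zxfJHNttR4n4="};
    "HD408AYF8PN"={"TERN_ZBROUND"; 26;"OIXe3SsiPfNB8OEe3i9RSY8OIPCCA8uOfM1fNhIy1VA="}
}

# ---------- USER VARIABLES ----------
:local serial [/system/routerboard/get serial-number as-string]
:local site ($sites->$serial)

# Stop before touching anything when this unit is not in the table. Without
# this check every value derived from $site would be empty and the steps below
# would still rewrite addressing, identity and the tunnel key.
:if ([:typeof $site] != "array") do={
    :error ("No site entry for serial " . $serial . "; nothing was changed")
}

:local baseName ($site->0)
:local routerNum ($site->1)
:local wgKey ($site->2)

# ---------- CALCULATED VARIABLES ----------
# LAN uses 192.168.(100+N).0/24, the wired segment 192.168.(50+N).0/24,
# management 192.168.50.(100+N)/24 and the tunnel 10.30.0.N/24.
:local lanOctet ("192.168." . ($routerNum + 100))
:local wireOctet ("192.168." . ($routerNum + 50))
:local identityName ($baseName . "_ice" . $routerNum)
:local lanIp ($lanOctet . ".1/24")
:local mngIp ("192.168.50." . ($routerNum + 100) . "/24")
:local wireIp ($wireOctet . ".1/24")
:local wgIp ("10.30.0." . $routerNum . "/24")
:local lanNetwork ($lanOctet . ".0")
:local lanSubnet ($lanOctet . ".0/24")
:local wireSubnet ($wireOctet . ".0/24")
:local lanGateway ($lanOctet . ".1")
:local wireGateway ($wireOctet . ".1")
# Scratch variable reused below to hold [find] results.
:local k 0

:put ("Applying config for: " . $identityName)
:put ("LAN subnet: " . $lanSubnet)

# --- 1. Interfaces / bridges ---
/interface bridge
:if ([:len [find where name="br_wire"]] = 0) do={add name=br_wire}

# --- 3. LTE APN ---
/interface lte apn
:if ([:len [find default=yes]] > 0) do={set [find default=yes] apn=KS}

# --- 4. Wireless security profiles ---
# NOTE(review): both pre-shared keys are fixed literals, identical on every
# site, and the first one is eight digits only. Move them out of the script and
# use long random per-site values.
# NOTE(review): tkip is accepted next to aes-ccm in both profiles. TKIP is
# deprecated; drop it unless a client at the sites still requires it.
/interface wireless security-profiles
:if ([:len [find where name="wifi_pass"]] = 0) do={
    add authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys \
        name=wifi_pass supplicant-identity="" unicast-ciphers=tkip,aes-ccm wpa2-pre-shared-key=33322333
}
:if ([:len [find where name="mgmt_pass"]] = 0) do={
    add authentication-types=wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys \
        name=mgmt_pass supplicant-identity="" unicast-ciphers=tkip,aes-ccm wpa2-pre-shared-key=v670649!
}

# --- 5. Wireless interfaces ---
# wlan1/wlan2 are the client APs (profile wifi_pass); wlan3/wlan4 are virtual
# APs on top of them that use the mgmt_pass profile.
/interface wireless
set [find default-name=wlan1] \
    band=2ghz-g/n channel-width=20/40mhz-XX country=ukraine \
    disabled=no frequency=auto installation=indoor \
    mode=ap-bridge security-profile=wifi_pass ssid=TMPOLUS \
    wireless-protocol=802.11
set [find default-name=wlan2] \
    band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX \
    country=ukraine disabled=no frequency=auto \
    installation=indoor mode=ap-bridge security-profile=wifi_pass \
    ssid=TMPOLUS_5Ghz wireless-protocol=802.11
:if ([:len [find where name="wlan3"]] = 0) do={add disabled=no master-interface=wlan1 name=wlan3 security-profile=mgmt_pass ssid=POLUS_M}
:if ([:len [find where name="wlan4"]] = 0) do={add disabled=no master-interface=wlan2 name=wlan4 security-profile=mgmt_pass ssid=POLUS_M5G}

# --- 6. IP pools ---
/ip pool
:set k [find where name="default-dhcp"]
:if ([:len $k] > 0) do={set $k ranges=($lanOctet . ".10-" . $lanOctet . ".254")}
:if ([:len [find where name="pool_wire"]] = 0) do={add name=pool_wire ranges=($wireOctet . ".2-" . $wireOctet . ".254")}

# --- 7. DHCP servers ---
/ip dhcp-server
#:if ([:len [find where name="defconf"]] > 0) do={set [find where name="defconf"] address-pool=default-dhcp interface=bridge lease-time=10m}
:if ([:len [find where name="dhcp_wire"]] = 0) do={add address-pool=pool_wire interface=br_wire name=dhcp_wire}

# --- 8. Bridge ports ---
# ether1 is taken out of bridging (it becomes the WAN port in sections 10 and 13),
# ether2-5 and the management APs go to br_wire, the client APs stay on "bridge".
/interface bridge port
:set k [find where interface="ether1"]; :if ([:len $k] > 0) do={set $k disabled=yes}
:set k [find where interface="ether2"]; :if ([:len $k] > 0) do={set $k bridge=br_wire}
:set k [find where interface="ether3"]; :if ([:len $k] > 0) do={set $k bridge=br_wire}
:set k [find where interface="ether4"]; :if ([:len $k] > 0) do={set $k bridge=br_wire}
:set k [find where interface="ether5"]; :if ([:len $k] > 0) do={set $k bridge=br_wire}
:set k [find where interface="wlan1"]; :if ([:len $k] > 0) do={set $k bridge=bridge}
:set k [find where interface="wlan2"]; :if ([:len $k] > 0) do={set $k bridge=bridge}
:if ([:len [find where interface="wlan3"]] = 0) do={add bridge=br_wire interface=wlan3}
:if ([:len [find where interface="wlan4"]] = 0) do={add bridge=br_wire interface=wlan4}

# --- 9. Firewall / IP settings / IPv6 ---
/ip settings set allow-fast-path=no
/ipv6 settings set disable-ipv6=yes

# --- 10. Interface list members ---
/interface list member
:if ([:len [find where interface="ether1" and list="WAN"]] = 0) do={add interface=ether1 list=WAN}
:if ([:len [find where interface="br_wire" and list="LAN"]] = 0) do={add interface=br_wire list=LAN}

# --- 11. WireGuard ---
# The private key from the site table is written on every run, whether the
# interface already exists or not.
/interface wireguard
:if ([:len [find where name="wireguard1"]] = 0) do={
    add name=wireguard1 private-key=$wgKey
} else={
    set [find where name="wireguard1"] private-key=$wgKey
}

# NOTE(review): the tunnel joins the LAN interface list, so any firewall rule
# keyed on that list (the rules are not part of this script) will treat tunnel
# traffic like local LAN traffic. Confirm that is intended.
/interface list member
:if ([:len [find where interface="wireguard1" and list="LAN"]] = 0) do={add interface=wireguard1 list=LAN}

# Single hub peer; allowed-address limits accepted tunnel sources to three /32 hosts.
/interface wireguard peers
:if ([:len [find where name="peer1"]] = 0) do={
    add allowed-address=10.30.0.100/32,10.30.0.99/32,192.168.50.100/32 \
        endpoint-address=5.58.56.184 endpoint-port=13232 interface=wireguard1 \
        name=peer1 persistent-keepalive=25s \
        public-key="h7dfJOG+mjNms+9TvdENZ4m6vOddTubXj/XaNF1gPDI="
} else={
    set [find where name="peer1"] \
        allowed-address=10.30.0.100/32,10.30.0.99/32,192.168.50.100/32 \
        endpoint-address=5.58.56.184 endpoint-port=13232 interface=wireguard1 \
        persistent-keepalive=25s \
        public-key="h7dfJOG+mjNms+9TvdENZ4m6vOddTubXj/XaNF1gPDI="
}

# --- 12. IP addresses ---
/ip address
# replace the factory bridge address with this site's own
:set k [find where interface="bridge" and address="192.168.88.1/24"]
:if ([:len $k] > 0) do={
    set $k address=$lanIp
} else={
    # if the bridge still has no LAN address, add it
    :if ([:len [find where interface="bridge" and address=$lanIp]] = 0) do={add address=$lanIp interface=bridge}
}
# management address in the 192.168.50.0/24 network
:if ([:len [find where interface="br_wire" and address=$mngIp]] = 0) do={add address=$mngIp interface=br_wire}
# wireguard
:if ([:len [find where interface="wireguard1" and address=$wgIp]] = 0) do={add address=$wgIp interface=wireguard1}
# br_wire
:if ([:len [find where interface="br_wire" and address=$wireIp]] = 0) do={add address=$wireIp interface=br_wire}

# --- 13. DHCP client on ether1 ---
/ip dhcp-client
:if ([:len [find where interface="ether1"]] = 0) do={add interface=ether1}

# --- 15. DHCP server networks ---
# Rewrite the factory (or already migrated) LAN network entry in place, then
# add the LAN and wire networks if they are still missing.
/ip dhcp-server network
:foreach i in=[find] do={
    :local nAddr [get $i address]
    :if (($nAddr = "192.168.88.0/24") || ($nAddr = $lanSubnet)) do={set $i address=$lanSubnet dns-server=$lanGateway gateway=$lanGateway}
}
:if ([:len [find where address=$lanSubnet]] = 0) do={add address=$lanSubnet dns-server=$lanGateway gateway=$lanGateway}
:if ([:len [find where address=$wireSubnet]] = 0) do={add address=$wireSubnet dns-server=$wireGateway gateway=$wireGateway}

# --- 16. DNS ---
# The DHCP networks above hand out the router itself as DNS server, hence
# allow-remote-requests=yes.
# NOTE(review): nothing in this script limits DNS queries arriving on the WAN
# side; confirm the input firewall drops them so the router is not an open resolver.
/ip dns set allow-remote-requests=yes servers=8.8.8.8,1.1.1.1,8.8.4.4,1.0.0.1

# --- 17. Firewall filter ---
/ip firewall filter
:foreach i in=[find where comment="defconf: fasttrack"] do={set $i disabled=yes}

# --- 19. Routes ---
# Default route through 192.168.50.1 at distance 10, plus a host route to
# 192.168.50.100 through the tunnel peer 10.30.0.100.
/ip route
:if ([:len [find where gateway="192.168.50.1"]] = 0) do={add disabled=no distance=10 gateway=192.168.50.1}
:if ([:len [find where dst-address="192.168.50.100/32" and gateway="10.30.0.100"]] = 0) do={add disabled=no distance=1 dst-address=192.168.50.100/32 gateway=10.30.0.100}

# --- 20. Services ---
# NOTE(review): winbox is not listed, so it keeps whatever state it already
# has. Consider restricting it with address= to the management and tunnel ranges.
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# --- 21. SNMP ---
# NOTE(review): no /snmp community is configured here, so the community already
# present on the device applies. Check it is not the factory default and that it
# is limited to the monitoring host.
/snmp set enabled=yes location=$baseName

# --- 22. System identity / NTP / clock ---
/system identity set name=$identityName
/system ntp client set enabled=yes
/system ntp client servers
:if ([:len [find where address="0.ua.pool.ntp.org"]] = 0) do={add address=0.ua.pool.ntp.org}
:if ([:len [find where address="1.ua.pool.ntp.org"]] = 0) do={add address=1.ua.pool.ntp.org}
/system clock set time-zone-name=Europe/Kiev

# --- 24. Routerboard / romon ---
/system routerboard settings set auto-upgrade=yes
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
# NOTE(review): RoMON is enabled without secrets= in this script; confirm a
# secret is configured elsewhere.
/tool romon set enabled=yes

:put ("=== DONE: " . $identityName . " / " . $lanIp . " ===")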