Quick Script Builder

How this all works! Firstly we need to know a few things, such as whether it is a WiFi-enabled device, whether it uses LTE, whether it will need a firewall, and so on. Yes, it's not as quick as first implied!


How this script Works

Firstly, a breakdown of how each part of the script works.

Basic settings

Settings needed to create the script

:local IDENTITY "ROUTER";
:local DEFAULTINTMAC [/interface ethernet get [/interface ethernet find default-name=ether1] mac-address ];
:local BRIDGENAME "bridge1";

:local WANIF {"ether1";};

:local PPPOEENABLED 1;
:local PPPOECONNECTIONS {{interface="ether1"; username="test1"; password="test1";};};

:local WANDHCPENABLED 1;
:local WANDHCP {{interface="ether1"; use-peer-dns="yes"; add-default-route="yes"; default-route-distance="1"; disabled="yes"};};

:local IPDHCPENABLED 1;
:local IPDHCP {{IP="192.168.88.1"; IPRANGE="192.168.88.2-192.168.88.254"; IPBLOCK="192.168.88.0/24"; IPSUBNET="24"; IPFULL="192.168.88.1/24"; IPDOMAIN="local.lan"; INTERFACE="$BRIDGENAME"};};

Create Bridge Interface

We first need to check whether a bridge interface is already present. If it is not, we create the bridge using the default MAC address of ether1 (captured in $DEFAULTINTMAC above), so the bridge keeps a stable MAC across reboots.

# Only create the bridge if one with the configured name does not already exist
:if ([:len [/interface bridge find name=$BRIDGENAME]] = 0) do={
  /interface bridge add admin-mac=$DEFAULTINTMAC auto-mac=no name=$BRIDGENAME;
}

Look for all the Ethernet interfaces and add them to the bridge (the WAN interfaces are removed again in the next step).

:foreach i in=[/interface find where type=ether] do={
/interface bridge port add bridge=$BRIDGENAME interface=[/interface get $i name];
}

Add WAN

We added all the interfaces to the bridge; now we need to remove the WAN interfaces from the bridge.

Remember that the WANIF array must be written in the form {"ether1";"ether2";"etherN";...}
# Remove each WAN interface from the bridge: bridge port remove needs the
# bridge-port ID (from /interface bridge port find), not the interface ID
:foreach w in=$WANIF do={
  /interface bridge port remove [/interface bridge port find interface=$w];
}

Add DHCP Client to each WAN Port

# Array lookups ($DHCP->"key") must be parenthesised when used as command arguments
:if ($WANDHCPENABLED = 1) do={
  :foreach DHCP in=$WANDHCP do={
    /ip dhcp-client/add interface=($DHCP->"interface") use-peer-dns=($DHCP->"use-peer-dns") add-default-route=($DHCP->"add-default-route") default-route-distance=($DHCP->"default-route-distance") disabled=($DHCP->"disabled");
  }
}

Add WAN/LAN to Interface List & Member List

/interface/list add name=LAN comment="Local Area Network";
/interface/list add name=WAN comment="Wide Area Network";

:foreach i in=[/interface find where type=ether] do={
/interface list member add interface=[/interface get $i name] list=LAN
}

# Move each WAN interface from the LAN list to the WAN list
:foreach w in=$WANIF do={
  /interface list member remove [/interface list member find interface=$w list=LAN];
  /interface list member add interface=$w list=WAN;
}

Add PPPoE clients for the WAN interfaces

Only if PPPoE is enabled, we add a profile under PPP; this gives you some flexibility if you need to update the profile later.

# Each entry of $PPPOECONNECTIONS carries interface, username and password
:if ($PPPOEENABLED = 1) do={
  /ppp profile add change-tcp-mss=yes name=INTERNET;
  :foreach p in=$PPPOECONNECTIONS do={
    /interface/pppoe-client/add user=($p->"username") password=($p->"password") interface=($p->"interface") profile=INTERNET;
  }
}

Basic DHCP Setup

# Create the address pool, the DHCP network and the DHCP server on the bridge
:if ($IPDHCPENABLED = 1) do={
  :foreach IP in=$IPDHCP do={
    /ip pool/add name=dhcp-pool ranges=($IP->"IPRANGE");
    /ip dhcp-server/network/add address=($IP->"IPBLOCK") gateway=($IP->"IP") netmask=($IP->"IPSUBNET") domain=($IP->"IPDOMAIN") ntp-server=($IP->"IP");
    /ip/dhcp-server/add server-address=($IP->"IP") name="dhcp-server" interface=$BRIDGENAME address-pool="dhcp-pool";
  }
}

Firewall Filter Rules

The WAN and LAN interface lists created above are required. Note that the "Remote Access" rule below has no in-interface-list, so it accepts Winbox (tcp/8291) on every interface, including the WAN; restrict it to in-interface-list=LAN or to a management src-address-list unless WAN access is intended.

/ip firewall filter
add action=accept chain=input comment=LetsEncrypt disabled=yes dst-port=80 in-interface-list=WAN protocol=tcp src-address-list=LE
add action=accept chain=input comment=LetsEncrypt disabled=yes dst-port=80 in-interface-list=WAN protocol=tcp
add action=accept chain=input comment="Remote Access" dst-port=8291 protocol=tcp
add action=accept chain=input protocol=icmp
add action=drop chain=input comment="Drop Bad DNS" dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=input in-interface-list=WAN src-address-list=SPAMHAUS_DROP comment=BLOCKLIST
add action=drop chain=input in-interface-list=WAN src-address-list=SPAMHAUS_EDROP comment=BLOCKLIST
add action=drop chain=input in-interface-list=WAN src-address-list=FIREHOL_LEVEL1 comment=BLOCKLIST
add action=drop chain=input in-interface-list=WAN src-address-list=FIREHOL_LEVEL2 comment=BLOCKLIST
add action=drop chain=input in-interface-list=WAN src-address-list=FIREHOL_LEVEL3 comment=BLOCKLIST
add action=drop chain=input in-interface-list=WAN src-address-list=FIREHOL_LEVEL4 comment=BLOCKLIST
add action=accept chain=input in-interface-list=WAN protocol=gre
add action=accept chain=input in-interface-list=WAN protocol=ipsec-ah
add action=accept chain=input in-interface-list=WAN protocol=ipsec-esp
add action=accept chain=input dst-port=500 in-interface-list=WAN protocol=udp
add action=accept chain=input dst-port=1701 in-interface-list=WAN protocol=udp
add action=accept chain=input dst-port=4500 in-interface-list=WAN protocol=udp
add action=accept chain=input connection-state=established,related in-interface-list=WAN
add action=drop chain=input in-interface-list=WAN
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=accept chain=forward connection-state=established,related in-interface-list=WAN out-interface-list=LAN
add action=accept chain=forward connection-state=established,related in-interface-list=LAN out-interface-list=LAN
add action=drop chain=forward connection-state=invalid in-interface-list=WAN out-interface-list=LAN
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN out-interface-list=LAN
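As an added post-configuration check (not part of the Portal Networks builder script), the following RouterOS script verifies the state produced by the "Add WAN" and interface-list steps and the input-chain rules above: each WANIF interface exists, is no longer a bridge port, sits in the WAN list and not the LAN list, any enabled tcp/8291 accept rule is limited to a non-WAN interface list, and a catch-all drop for the WAN list is still present. It assumes the same $WANIF and $BRIDGENAME values as the Basic settings.

```routeros
# Added verification script; not part of the original builder script.
# Assumes the same $WANIF / $BRIDGENAME values as the Basic settings above.
:local WANIF {"ether1";};
:local BRIDGENAME "bridge1";
:local PROBLEMS 0;

# 1. Each WAN interface must exist, must not be a bridge port and must sit in the WAN list only.
:foreach w in=$WANIF do={
  :if ([:len [/interface find name=$w]] = 0) do={
    :put "MISSING: interface $w does not exist";
    :set PROBLEMS ($PROBLEMS + 1);
  } else={
    :if ([:len [/interface bridge port find interface=$w bridge=$BRIDGENAME]] > 0) do={
      :put "WARN: $w is still a port of $BRIDGENAME (WAN bridged with LAN)";
      :set PROBLEMS ($PROBLEMS + 1);
    }
    :if ([:len [/interface list member find interface=$w list=WAN]] = 0) do={
      :put "WARN: $w is not in the WAN list, so the WAN firewall rules will not match it";
      :set PROBLEMS ($PROBLEMS + 1);
    }
    :if ([:len [/interface list member find interface=$w list=LAN]] > 0) do={
      :put "WARN: $w is still in the LAN interface list";
      :set PROBLEMS ($PROBLEMS + 1);
    }
  }
}

# 2. Enabled input rules accepting tcp/8291 (Winbox) must name a non-WAN interface list.
:foreach r in=[/ip firewall filter find chain=input action=accept protocol=tcp dst-port=8291 disabled=no] do={
  # :tostr turns an unset in-interface-list into "" so it can be compared safely
  :local il [:tostr [/ip firewall filter get $r in-interface-list]];
  :if ($il = "" || $il = "WAN") do={
    :put "WARN: input rule $r accepts tcp/8291 without restricting it to a LAN/management list";
    :set PROBLEMS ($PROBLEMS + 1);
  }
}

# 3. The input chain must still end in a catch-all drop for the WAN list.
:if ([:len [/ip firewall filter find chain=input action=drop in-interface-list=WAN disabled=no]] = 0) do={
  :put "WARN: no catch-all drop rule for in-interface-list=WAN in the input chain";
  :set PROBLEMS ($PROBLEMS + 1);
}

:put "Checks finished, problems found: $PROBLEMS";
```

Run it from a terminal or /system script after the builder script; a non-zero problem count points at the WAN/bridge/firewall step that needs correcting.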

Firewall NAT Rules

The WAN interface list is required.

/ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN

Firewall Mangle Rules

The WAN interface list is required. This MSS clamp is specifically required for VDSL/FTTC/FTTP and Leased Line Lite BT circuits.

/ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu out-interface-list=WAN protocol=tcp tcp-flags=syn

Basic Settings

General settings

/system clock set time-zone-name=Europe/London

/system identity set name=$IDENTITY

/system ntp client set enabled=yes

/system ntp client servers add address=0.uk.pool.ntp.org
/system ntp client servers add address=1.uk.pool.ntp.org
/system ntp client servers add address=2.uk.pool.ntp.org