This script assumes the following:

  • A switch capable of VLAN management / passthrough will be used
    • I recommend a ToughSwitch POE 5-8 Port
  • Access point(s) support multiple SSIDs with VLAN assignment
    • I recommend IgniteNet Spark AC WAVE2

The following values need to be configured:

  • Admin Account
    • YOURUSERNAME – The username for your admin account
    • YOURPASSWORD – The password for your admin account
  • NoIP DDNS Configuration — MikroTik supports its own internal DDNS; however, some prefer external DDNS support as well.
    • YOURNOIPUSERNAME – The username for your NoIP Account (optional)
    • YOURNOIPPASSWORD – The password for your NoIP Account (optional)
    • YOURNOIPHOSTNAME – The hostname for your NoIP Account (optional)

 

#0.0 This script is intended to be run post-reset (factory defaults). Tested and confirmed working on RB3011RM models.
#1.0 Interface & DHCP Client Configuration
#1.1 Set interface names. ether1 is the Internet uplink, ether2 carries the tagged
#    VLANs towards the switch (#1.4), ether3/4 are plain LAN ports and ether5 is,
#    by its name, the management port; ether2-5 all join 1-default-bridge in #1.5.
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN
set [ find default-name=ether2 ] name=ether2-LAN-SWITCH
set [ find default-name=ether3 ] name=ether3-LAN
set [ find default-name=ether4 ] name=ether4-LAN
set [ find default-name=ether5 ] name=ether5-MGMT
#1.2 Create DHCP Client on the WAN port, sending hostname and client-id in the
#    request. NOTE(review): relies on the dhcp-client default of installing the
#    default route learned from the ISP - confirm add-default-route is not
#    overridden on the target RouterOS version.
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether1-WAN
#1.3 Create interface bridges. One bridge per security zone: the untagged default
#    LAN, plus one bridge each for the customer, employee and secure-POS VLANs.
/interface bridge
add name=1-default-bridge auto-mac=yes 
add name=100-customer-bridge
add name=200-employee-bridge
add name=300-securepos-bridge
#1.4 Create interface VLAN - assign all VLAN to ether2-LAN-SWITCH interface.
#    NOTE(review): the VLAN interfaces sit on ether2-LAN-SWITCH while that same
#    port is also an untagged member of 1-default-bridge (#1.5). On RouterOS
#    versions where tagged frames on a bridge slave port are handled by the bridge
#    rather than by the port's VLAN interfaces, the VLAN bridges will see no
#    traffic - confirm on the target version (the alternative is VLAN interfaces
#    on the bridge with vlan-filtering enabled).
/interface vlan
add interface=ether2-LAN-SWITCH name=200-employee-vlan vlan-id=200
add interface=ether2-LAN-SWITCH name=100-customer-vlan vlan-id=100
add interface=ether2-LAN-SWITCH name=300-securepos-vlan vlan-id=300
#1.5 Bridge all VLAN to respective bridge, and ether2-5 to default bridge.
#    ether2-LAN-SWITCH is therefore both the VLAN trunk and an untagged member of
#    the default bridge; untagged traffic from the switch lands in 1-default-bridge.
/interface bridge port
add  bridge=1-default-bridge interface=ether2-LAN-SWITCH
add  bridge=1-default-bridge interface=ether3-LAN
add  bridge=1-default-bridge interface=ether4-LAN
add  bridge=1-default-bridge interface=ether5-MGMT
add bridge=100-customer-bridge interface=100-customer-vlan
add bridge=200-employee-bridge interface=200-employee-vlan
add bridge=300-securepos-bridge interface=300-securepos-vlan
#2.0 IP Address Configuration
#2.1 Create IP Addresses - one gateway address per bridge; network= is the
#    network address of each prefix and matches the DHCP networks in #3.3.
/ip address
add interface=1-default-bridge network=10.10.88.0 address=10.10.88.1/24
add interface=100-customer-bridge network=10.10.4.0 address=10.10.4.1/22
add interface=200-employee-bridge network=10.10.8.0 address=10.10.8.1/22
add interface=300-securepos-bridge network=192.168.100.0 address=192.168.100.1/24
#3.0 Configuration of DHCP Server
#3.1 Create IP Pools for DHCP use. Each pool starts a few addresses above its
#    bridge's gateway address (#2.1), leaving the lowest addresses free for
#    static assignment.
/ip pool
add ranges=10.10.88.10-10.10.88.254 name=1-default-pool
add ranges=10.10.4.4-10.10.7.254 name=100-customer-pool
add ranges=10.10.8.3-10.10.11.254 name=200-employee-pool
add ranges=192.168.100.10-192.168.100.253 name=300-securepos-pool
#3.2 Create DHCP Servers - one per bridge, each bound to the pool of the same
#    zone (#3.1), enabled immediately, 24 hour leases.
/ip dhcp-server
add name=1-default-dhcp interface=1-default-bridge address-pool=1-default-pool lease-time=24h disabled=no
add name=100-customer-dhcp interface=100-customer-bridge address-pool=100-customer-pool lease-time=24h disabled=no
add name=200-employee-dhcp interface=200-employee-bridge address-pool=200-employee-pool lease-time=24h disabled=no
add name=300-securepos-dhcp interface=300-securepos-bridge address-pool=300-securepos-pool lease-time=24h disabled=no
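#3.3 Create DHCP Networks - gateway and resolver handed to clients of each zone.
#    dns-server= is set to the router's own address on each bridge so that the
#    resolver clients use is explicit; the router answers DNS once #7.1 sets
#    allow-remote-requests=yes.
/ip dhcp-server network
add address=10.10.88.0/24 gateway=10.10.88.1 dns-server=10.10.88.1
add address=10.10.4.0/22 gateway=10.10.4.1 dns-server=10.10.4.1
add address=10.10.8.0/22 gateway=10.10.8.1 dns-server=10.10.8.1
# Fixed: the gateway was 192.168.100.254, which no interface in this script owns
# (#2.1 assigns 192.168.100.1 to 300-securepos-bridge), so POS clients received a
# default route to a non-existent host. If a separate gateway at .254 was
# intended, it is not configured anywhere in this script.
add address=192.168.100.0/24 gateway=192.168.100.1 dns-server=192.168.100.1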
#5.0 Firewall Configuration
#5.1 Add default NAT masquerade out ether1-WAN - every LAN/VLAN source leaving
#    through the WAN port is rewritten to the WAN address.
/ip firewall nat
add chain=srcnat out-interface=ether1-WAN action=masquerade
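#5.2 Add Basic Firewall rules.
# NOTE(review): the input chain previously consisted of the three drop rules
# below and otherwise accepted everything, so every router service (WinBox, SSH,
# WWW, API, ...) was reachable from ether1-WAN. The standard established/related
# accept, invalid drop and a final "drop everything else from WAN" are added;
# management from the LAN-side bridges is unaffected.
/ip firewall filter
add action=accept chain=input comment="Accept established/related to router" \
    connection-state=established,related
add action=drop chain=input comment="Drop invalid to router" \
    connection-state=invalid
# NOTE(review): this rule only matches if the Spamhaus/DShield/malc0de .rsc files
# imported in #6.2 populate an address list named "blacklist" - confirm against
# those files.
add action=drop chain=input comment=\
    "Drop new connections from blacklisted IP's to this router" \
    connection-state=new in-interface=ether1-WAN src-address-list=blacklist
# #7.1 enables allow-remote-requests, so the router answers DNS; these two rules
# keep it from acting as an open resolver towards the Internet.
add action=drop chain=input dst-port=53 in-interface=ether1-WAN protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1-WAN protocol=tcp
add action=accept chain=input comment="Accept ICMP from WAN" \
    in-interface=ether1-WAN protocol=icmp
add action=drop chain=input comment="Drop everything else from WAN" \
    in-interface=ether1-WAN
# Forward chain. No established/related accept is placed ahead of the content=
# rules on purpose: they inspect payload inside established flows and would
# never match behind such an accept.
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward comment=\
    "Drop new connections from WAN that were not port-forwarded" \
    connection-nat-state=!dstnat connection-state=new in-interface=ether1-WAN
add action=accept chain=forward src-address=8.8.8.8
add action=accept chain=forward src-address=8.8.4.4
add action=drop chain=forward comment="keyword_drop torrent - accidentally blo\
    cks any site referring to torrent in the URL" content=torrent disabled=\
    yes out-interface=ether1-WAN
add action=drop chain=forward comment="trackers_drop - accidentally blocks som\
    e websites containing \"tracker\" in the packet" content=tracker \
    disabled=yes out-interface=ether1-WAN
add action=drop chain=forward comment=get_peers_drop content=getpeers \
    out-interface=ether1-WAN
add action=drop chain=forward comment=info_hash_drop content=info_hash \
    out-interface=ether1-WAN
add action=drop chain=forward comment=announce_peers_drop content=\
    announce_peers out-interface=ether1-WAN
add action=drop chain=forward comment=p2p_drop out-interface=ether1-WAN p2p=\
    all-p2p
#5.3 Block Secure/Employee > Customer
add action=drop chain=forward in-interface=200-employee-bridge out-interface=100-customer-bridge
add action=drop chain=forward in-interface=300-securepos-bridge out-interface=100-customer-bridge
#5.4 Block Customer > Secure/Employee
add action=drop chain=forward in-interface=100-customer-bridge out-interface=200-employee-bridge
add action=drop chain=forward in-interface=100-customer-bridge out-interface=300-securepos-bridge
#5.5 Block Secure <> Employee (both directions)
add action=drop chain=forward in-interface=200-employee-bridge out-interface=300-securepos-bridge
add action=drop chain=forward in-interface=300-securepos-bridge out-interface=200-employee-bridge
#5.5b Block Customer > Default/MGMT bridge. 1-default-bridge carries ether5-MGMT
#     and the untagged LAN ports and was previously reachable from the customer
#     VLAN; remove this rule only if customer devices must reach that LAN.
add action=drop chain=forward comment="Block Customer > Default/MGMT" in-interface=100-customer-bridge out-interface=1-default-bridge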
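#5.6 Add Layer 7 torrent blocking protocols.
# NOTE(review): the previous regexp was pasted with embedded CR/LF and indentation
# inside the alternation (e.g. "torrent|" followed by a line break and four spaces
# before "piratebay"), so several alternatives could never match, and it ended in
# an escaped "\$" (a literal dollar sign) instead of the end-of-line anchor.
# Rewritten on one line with duplicate names removed. Layer-7 matching inspects
# payload and is best-effort: it does not see encrypted traffic.
/ip firewall layer7-protocol
add name=commontorrentsites regexp="^.*(get|GET).+(torrent|piratebay|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|seedpeer|fenopy|gpirate|commonbits).*\$"
# The protocol was defined but never referenced by a filter rule, so it had no
# effect; attach it to the forward chain towards the WAN.
/ip firewall filter
add action=drop chain=forward comment=l7_torrent_sites_drop layer7-protocol=commontorrentsites out-interface=ether1-WAN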
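#6.0 System Scheduler Configuration
#6.1 Add System Scheduler for Spamhaus, DShield, and malc0de.
# NOTE(review): the schedulers and scripts previously ran with the full policy set
# (ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon). Each list is
# downloaded from the network and then executed with /import, so that policy is
# exactly what a tampered list would run with. Trimmed to ftp,read,write,test
# (file access, config read/write and /tool fetch); if /import reports a missing
# policy on the target RouterOS version, add only that one back. The scheduler's
# policy must cover the script's policy or the script will not run.
# Each "Apply" entry fires 5 minutes after its "Download" entry; both repeat
# every 3 days.
/system scheduler
add comment="Download spamhaus list" interval=3d name=DownloadSpamhausList \
    on-event=DownloadSpamhaus policy=ftp,read,write,test \
    start-date=jan/01/1970 start-time=23:41:00
add comment="Apply spamhaus List" interval=3d name=InstallSpamhausList \
    on-event=ReplaceSpamhaus policy=ftp,read,write,test \
    start-date=jan/01/1970 start-time=23:46:00
add comment="Download dshield list" interval=3d name=DownloadDShieldList \
    on-event=Download_dshield policy=ftp,read,write,test \
    start-date=jan/01/1970 start-time=23:51:00
add comment="Apply dshield List" interval=3d name=InstallDShieldList \
    on-event=Replace_dshield policy=ftp,read,write,test \
    start-date=jan/01/1970 start-time=23:56:00
add comment="Download malc0de list" interval=3d name=Downloadmalc0deList \
    on-event=Download_malc0de policy=ftp,read,write,test \
    start-date=jan/01/1970 start-time=23:51:00
add comment="Apply malc0de List" interval=3d name=Installmalc0deList \
    on-event=Replace_malc0de policy=ftp,read,write,test \
    start-date=jan/01/1970 start-time=23:56:00
#6.2 Add System Scripts for Spamhaus, DShield, and malc0de.
# NOTE(review): /import executes every command in the downloaded file with the
# script's policy - it is remote code running on the router. The fetch uses an
# https URL but mode=http and no check-certificate=, so the server is not
# authenticated; once a CA is installed on the router add check-certificate=yes
# to each fetch. The Replace scripts now remove the old entries only when the
# new file is present, so a failed download no longer leaves the list empty
# until the next 3-day cycle. The download log lines previously named a
# different site than the URL they fetch from; they now name the actual source.
/system script
add name=DownloadSpamhaus owner=admin policy=ftp,read,write,test source="\
    \r\
    \n/tool fetch url=\"https://www.mikrotikexamples.com/tools/spamhaus.rsc\" mode=http;\r\
    \n:log info \"Downloaded spamhaus.rsc from mikrotikexamples.com\";\r\
    \n"
add name=ReplaceSpamhaus owner=admin policy=ftp,read,write,test source="\
    \r\
    \n:if ([:len [/file find name=\"spamhaus.rsc\"]] > 0) do={\r\
    \n    /ip firewall address-list remove [find where comment=\"SpamHaus\"]\r\
    \n    /import file-name=spamhaus.rsc;\r\
    \n    :log info \"Removed old Spamhaus records and imported new list\";\r\
    \n} else={\r\
    \n    :log warning \"spamhaus.rsc not found, existing Spamhaus records kept\";\r\
    \n}\r\
    \n"
add name=Download_dshield owner=admin policy=ftp,read,write,test source="\
    \r\
    \n/tool fetch url=\"https://www.mikrotikexamples.com/tools/dshield.rsc\" mode=http;\r\
    \n:log info \"Downloaded dshield.rsc from mikrotikexamples.com\";\r\
    \n"
add name=Replace_dshield owner=admin policy=ftp,read,write,test source="\
    \r\
    \n:if ([:len [/file find name=\"dshield.rsc\"]] > 0) do={\r\
    \n    /ip firewall address-list remove [find where comment=\"DShield\"]\r\
    \n    /import file-name=dshield.rsc;\r\
    \n    :log info \"Removed old dshield records and imported new list\";\r\
    \n} else={\r\
    \n    :log warning \"dshield.rsc not found, existing DShield records kept\";\r\
    \n}\r\
    \n"
add name=Download_malc0de owner=admin policy=ftp,read,write,test source="\
    \r\
    \n/tool fetch url=\"https://www.mikrotikexamples.com/tools/malc0de.rsc\" mode=http;\r\
    \n:log info \"Downloaded malc0de.rsc from mikrotikexamples.com\";\r\
    \n"
add name=Replace_malc0de owner=admin policy=ftp,read,write,test source="\
    \r\
    \n:if ([:len [/file find name=\"malc0de.rsc\"]] > 0) do={\r\
    \n    /ip firewall address-list remove [find where comment=\"malc0de\"]\r\
    \n    /import file-name=malc0de.rsc;\r\
    \n    :log info \"Removed old malc0de records and imported new list\";\r\
    \n} else={\r\
    \n    :log warning \"malc0de.rsc not found, existing malc0de records kept\";\r\
    \n}\r\
    \n"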
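#7.0 Complete miscellaneous actions.
#7.1 Set default DNS to Google DNS Servers.
# allow-remote-requests=yes makes the router a resolver for the LAN zones; the
# input chain rules in #5.2 that drop udp/tcp 53 on ether1-WAN are what keep it
# from being an open resolver towards the Internet - keep both together.
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
#7.2 Disable various access services for security purposes.
# This heading previously had no commands under it. The clear-text and unused
# management services are disabled; ssh, winbox, www and www-ssl stay enabled
# for administration. Restrict those further with e.g.
# "/ip service set ssh,winbox,www address=10.10.88.0/24" if management is only
# done from the default/MGMT bridge.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
#7.3 Set system clock.
/system clock
set time-zone-name=America/New_York
#7.4 Change default admin username and password.
# NOTE(review): the scripts in #6.2 and #8.1 are created with owner=admin;
# confirm on the target version that renaming the admin user does not affect
# them. YOURUSERNAME/YOURPASSWORD must be replaced before import (see header).
/user set [find name=admin] name=YOURUSERNAME password=YOURPASSWORD
#7.5 Set device name to serial number.
# NOTE(review): the identity is what neighbor discovery (MNDP) advertises, so
# the serial number becomes visible on every segment where discovery is enabled.
/system identity set name=[/system routerboard get serial-number]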
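#8.0 Heartbeat & Update Functions
#8.1 No-IP Update Function
# NOTE(review): two changes to the embedded script. (1) noiphost was assigned
# [:put ("...")] - :put prints its argument to the console rather than returning
# it, so the host list was empty and the :foreach below never sent an update; it
# is now a plain string. (2) The update was sent to http://dynupdate.no-ip.com
# with user= and password=, i.e. the No-IP credentials crossed the Internet in
# clear text; the same endpoint is now used over https with mode=https. The
# server certificate is still not verified - add check-certificate=yes to the
# fetch once a CA is installed on the router.
# Runs every 5 minutes from the scheduler below and only contacts No-IP when the
# WAN address differs from the previousIP global.
/system script add name=no-ip_ddns_update owner=admin policy=write,test,read source="# No-IP automatic Dynamic DNS update\r\
    \n\r\
    \n#--------------- Change Values in this section to match your setup ------------------\r\
    \n\r\
    \n# No-IP User account info\r\
    \n:local noipuser \"YOURNOIPUSERNAME\"\r\
    \n:local noippass \"YOURNOIPPASSWORD\"\r\
    \n\r\
    \n# Set the hostname or label of network to be updated.\r\
    \n# Hostnames with spaces are unsupported. Replace the value in the quotations below with your host names.\r\
    \n# To specify multiple hosts, separate them with commas.\r\
    \n:local noiphost \"YOURNOIPHOSTNAME.ddns.net\"\r\
    \n\r\
    \n# Change to the name of interface that gets the dynamic IP address\r\
    \n:local inetinterface \"ether1-WAN\"\r\
    \n\r\
    \n#------------------------------------------------------------------------------------\r\
    \n# No more changes need\r\
    \n\r\
    \n:global previousIP\r\
    \n\r\
    \n:if ([/interface get \$inetinterface value-name=running]) do={\r\
    \n# Get the current IP on the interface\r\
    \n   :local currentIP [/ip address get [find interface=\"\$inetinterface\" disabled=no] address]\r\
    \n\r\
    \n# Strip the net mask off the IP address\r\
    \n   :for i from=( [:len \$currentIP] - 1) to=0 do={\r\
    \n       :if ( [:pick \$currentIP \$i] = \"/\") do={ \r\
    \n           :set currentIP [:pick \$currentIP 0 \$i]\r\
    \n       } \r\
    \n   }\r\
    \n\r\
    \n   :if (\$currentIP != \$previousIP) do={\r\
    \n       :log info \"No-IP: Current IP \$currentIP is not equal to previous IP, update needed\"\r\
    \n       :set previousIP \$currentIP\r\
    \n\r\
    \n# The update URL. Note the \"\\3F\" is hex for question mark (\?). Required since \? is a special character in commands.\r\
    \n       :local url \"https://dynupdate.no-ip.com/nic/update\\3Fmyip=\$currentIP\"\r\
    \n       :local noiphostarray\r\
    \n       :set noiphostarray [:toarray \$noiphost]\r\
    \n       :foreach host in=\$noiphostarray do={\r\
    \n           :log info \"No-IP: Sending update for \$host\"\r\
    \n           /tool fetch url=(\$url . \"&hostname=\$host\") user=\$noipuser password=\$noippass mode=https dst-path=(\"no-ip_ddns_update-\" . \$host . \".txt\")\r\
    \n           :log info \"No-IP: Host \$host updated on No-IP with IP \$currentIP\"\r\
    \n       }\r\
    \n   }  else={\r\
    \n       :log info \"No-IP: Previous IP \$previousIP is equal to current IP, no update needed\"\r\
    \n   }\r\
    \n} else={\r\
    \n   :log info \"No-IP: \$inetinterface is not currently running, so therefore will not update.\"\r\
    \n}"
/system scheduler add comment="Update No-IP DDNS" disabled=no interval=5m name=no-ip_ddns_update on-event=no-ip_ddns_update policy=read,write,test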
#Script Finished - audible confirmation (a short melody on the board's speaker)
#that the import ran to the end.
:beep frequency=660 length=100ms;
:delay 150ms;
:beep frequency=660 length=100ms;
:delay 300ms;
:beep frequency=660 length=100ms;
:delay 300ms;
:beep frequency=510 length=100ms;
:delay 100ms;
:beep frequency=660 length=100ms;
:delay 300ms;
:beep frequency=770 length=100ms;
:delay 550ms;
:beep frequency=380 length=100ms;
:delay 575ms;
#Remove Config Script
# NOTE(review): nothing follows this heading, so the imported script file is left
# in the router's file store. It contains the admin and No-IP credentials in clear
# text (#7.4, #8.1); delete it from /file once the import has been verified.