Mikrotik – Setup a Full Router Within 5 Minutes

We set up a LOT of Mikrotik routers, and doing everything through the GUI is tedious. Below is a “cheat-sheet”; feel free to customize it to rapidly deploy your own Mikrotik routers.

Apply to a freshly reset and updated router for best effect.

This script assumes you have a static WAN IP, hence the 0.0.0.0/0 static route. It also disables Webfig and only allows Winbox logins from trusted WAN IPs (the Management address list) and from the LAN (bridge).

Just swap out the settings in quotes at the top, then copy/paste the whole thing into a terminal.

We also recommend manually editing the “YourManagementWANHere” networks; repeat for each trusted site that needs to log in via Winbox.

Of special note is the automatic updater. Don’t let your forgetfulness leave routers outdated! Have the router check for you every two weeks.

Hoping it helps!

:global CompanyName "Johns Bubblegum Co"
:global Password "YourMikrotikAdminPassword"
:global LANIP "10.10.10.1/24"
:global WANIP "200.200.200.200/29"
:global WANGateway "200.200.200.201"
:global LCDPIN "1234"


#Start code
#Purge the old Firewall Rules
/ip firewall filter remove [find]
/ip firewall nat remove [find]
/ip dhcp-client disable 0
/ip dhcp-server disable 0
/ip pool remove default-dhcp
#
#Configure the Interface
/interface ethernet set [ find default-name=ether1 ] comment="WAN Primary"
#
#Configure the LAN ports to be on a bridge
/interface bridge add name=bridge comment="LAN Bridge"
/interface bridge port add bridge=bridge interface=ether2-master
/interface bridge port add bridge=bridge interface=ether2
/interface bridge port add bridge=bridge interface=ether3
/interface bridge port add bridge=bridge interface=ether4
/interface bridge port add bridge=bridge interface=ether5
/interface bridge port add bridge=bridge interface=ether6-master
/interface bridge port add bridge=bridge interface=ether6
/interface bridge port add bridge=bridge interface=ether7
/interface bridge port add bridge=bridge interface=ether8
/interface bridge port add bridge=bridge interface=ether9
/interface bridge port add bridge=bridge interface=ether10
/interface bridge port add bridge=bridge interface=sfp1
#
#Secure against Route Spoofing
/ip settings set rp-filter=strict
#
#Edit the IPs of the Router
/ip address add address=$LANIP comment="LAN Primary" interface=bridge
/ip address add address=$WANIP comment="WAN Primary" interface=ether1
#
#Set the static default route (0.0.0.0/0) via the WAN Gateway taken from $WANGateway
/ip route add check-gateway=ping comment="WAN Primary" distance=1 gateway=$WANGateway
#
#Create the trusted Management IP list
/ip firewall address-list add address=YourManagementWANHere/29 comment="Trust IP Range" list=Management
/ip firewall address-list add address=YourManagementWANHere/27 comment="Trust IP Range" list=Management
#
#Add the firewall rules
/ip firewall filter add action=accept chain=forward comment="Trusted Management Sites - Forward" in-interface=ether1 src-address-list=Management
/ip firewall filter add action=accept chain=input comment="Trusted Management Sites - Input" in-interface=ether1 src-address-list=Management
/ip firewall filter add action=drop chain=input comment="Drop Blacklisted Hosts to Router" in-interface=ether1 src-address-list=BlackList
/ip firewall filter add action=drop chain=forward comment="Drop Blacklisted Hosts through Router" in-interface=ether1 src-address-list=BlackList
#
#Blacklist Rules -- Add the bad-guys to the BlackList
/ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="Blacklist Brute Forcers" dst-port=21-23,53,88,135-139,389,445,1433,3306,3389,5900,6667 in-interface=ether1 protocol=tcp
/ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="Blacklist UDP WAN DNS Lookups to prevent DDoS" dst-port=53 in-interface=ether1 protocol=udp
/ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input comment="Blacklist Port Scanners" disabled=no protocol=tcp psd=21,3s,3,1 in-interface=ether1
/ip firewall filter add action=add-src-to-address-list address-list=BlackList address-list-timeout=30m chain=input comment="Blacklist SYN Flood Attacks" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn in-interface=ether1
#
#Allow Good Traffic
/ip firewall filter add action=accept chain=forward comment="Accept established,related" connection-state=established,related
/ip firewall filter add action=accept chain=input comment="Accept ICMP, prevent flood" protocol=icmp icmp-options=8:0 limit=1,5
/ip firewall filter add action=accept chain=input comment="Accept established,related" connection-state=established,related
/ip firewall filter add action=drop chain=input comment="Drop all from WAN" in-interface=ether1
/ip firewall filter add action=drop chain=forward comment="Drop invalid" connection-state=invalid
#
#Allow LAN to WAN NAT Traffic
/ip firewall nat add action=masquerade chain=srcnat comment="Office - NAT" out-interface=ether1
#
#Security Lockdown
/ip ssh set strong-crypto=yes
/ip firewall service-port set ftp disabled=yes
/ip firewall service-port set tftp disabled=yes
/ip firewall service-port set irc disabled=yes
/ip firewall service-port set h323 disabled=yes
/ip firewall service-port set sip disabled=yes
/ip firewall service-port set pptp disabled=yes
/ip firewall service-port set udplite disabled=yes
/ip firewall service-port set dccp disabled=yes
/ip firewall service-port set sctp disabled=yes
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set ssh disabled=yes
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/tool bandwidth-server set enabled=no
/lcd pin set pin-number=$LCDPIN
#
#Misc System Settings
/lcd set backlight-timeout=never default-screen=stat-slideshow
/system clock set time-zone-autodetect=yes
/system ntp client set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4 server-dns-names=time.nist.gov,time.google.com
/system package update set channel=bugfix
/system scheduler add name="Upgrade Router Bi-Weekly and Reboot" on-event="/system package update set channel=bugfix; /system package update check-for-updates; /system package update download; /system reboot;" start-date=Jan/01/2018 start-time=03:00:00 interval=2w
/system routerboard settings set silent-boot=yes
/system identity set name=($CompanyName." Router")
/ip dns set servers=8.8.8.8,8.8.4.4
#
#Cleanup Old Settings
/ip address remove [ find comment=defconf ]
/ip firewall nat remove [ find comment="defconf: masquerade" ]
#
#Change Admin Password
/user set admin password=$Password
#End Code
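Before pasting the script above into a router, a quick pre-flight check catches the two mistakes that most often slip through: placeholders that were never swapped out and a WAN gateway that is not actually inside the WAN subnet. The Python lint below is an added example, not part of the original post or of RouterOS; it assumes the :global lines and the Management address-list line keep exactly the shape shown above, and the sample header it embeds is constructed from those lines.

```python
import ipaddress
import re

# Constructed sample input (not the page's full script): the :global header
# plus one Management address-list line, exactly as a user would paste them.
SCRIPT_HEADER = '''
:global CompanyName "Johns Bubblegum Co"
:global Password "YourMikrotikAdminPassword"
:global LANIP "10.10.10.1/24"
:global WANIP "200.200.200.200/29"
:global WANGateway "200.200.200.201"
:global LCDPIN "1234"
/ip firewall address-list add address=YourManagementWANHere/29 comment="Trust IP Range" list=Management
'''

GLOBAL_RE = re.compile(r'^:global\s+(\w+)\s+"([^"]*)"', re.M)
MGMT_RE = re.compile(r'address-list add address=(\S+) .*list=Management', re.M)

def parse_globals(text):
    # Map each :global name to its quoted value
    return dict(GLOBAL_RE.findall(text))

def lint(text):
    """Return a list of problems; an empty list means the script is ready to paste."""
    problems = []
    g = parse_globals(text)
    # Placeholders that were never swapped out (the cheat-sheet's start with "Your")
    for name, val in g.items():
        if val.startswith("Your"):
            problems.append(f"{name} still has placeholder value {val!r}")
    for addr in MGMT_RE.findall(text):
        try:
            ipaddress.ip_network(addr, strict=False)
        except ValueError:
            problems.append(f"Management entry {addr!r} is not a valid network")
    # Addressing sanity for the static default route
    try:
        wan = ipaddress.ip_interface(g.get("WANIP", ""))
        gw = ipaddress.ip_address(g.get("WANGateway", ""))
        ipaddress.ip_interface(g.get("LANIP", ""))  # must at least parse
        if gw not in wan.network:
            problems.append("WANGateway is not inside the WANIP subnet")
        if gw == wan.ip:
            problems.append("WANGateway equals the router's own WAN address")
    except ValueError as e:
        problems.append(f"bad IP value: {e}")
    # Credentials that are still the sample values or too short
    if len(g.get("Password", "")) < 12:
        problems.append("Password is shorter than 12 characters")
    if g.get("LCDPIN") == "1234":
        problems.append("LCDPIN is still the sample value 1234")
    return problems
```

Run `lint()` over the whole pasted script text; it only pastes cleanly once the returned list is empty.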
