# ========================================
# ROUTER SPECIFIC CONFIGURATION
# Serial: 8AFF0B93FD9B
# Auto-fetched and applied on every bootup
# ========================================
# Per-router bootstrap, first stage: read the serial number, name the WAN
# port and make sure a DHCP client runs on it.
# NOTE(review): the header says this file is fetched and applied unattended
# at every boot, so whatever delivers it decides what the router runs. The
# delivery step is not part of this file - confirm it authenticates the
# server before the script is executed.
:log info "=== Applying Router Configuration for 8AFF0B93FD9B ==="

# The hardware serial is read at run time; later stages use it to build the
# download URL and the system identity.
:local sn [/system routerboard get serial-number]
:log info "Router Serial: $sn"

# ========================================
# WAN CONFIGURATION
# ========================================
:log info "Configuring WAN interface..."

# Rename ether1 to WAN; an error here is logged as "already configured".
:do {
    /interface ethernet set [find name=ether1] name=WAN
} on-error={
    :log info "WAN interface already configured"
}

# One DHCP client on WAN is enough: add it only when none is bound there.
:local wanDhcpClients [/ip dhcp-client find interface=WAN]
:if ([:len $wanDhcpClients] > 0) do={
    :log info "DHCP client already exists on WAN"
} else={
    /ip dhcp-client add interface=WAN disabled=no
    :log info "DHCP client added to WAN"
}

# ========================================
# LAN BRIDGE CONFIGURATION
# ========================================
:log info "Configuring LAN Bridge..."
# The bridge has to exist before ports or addresses can reference it.
:if ([:len [/interface bridge find name=LAN_BRIDGE]] = 0) do={
    /interface bridge add name=LAN_BRIDGE
    :log info "LAN_BRIDGE created"
} else={
    :log info "LAN_BRIDGE already exists"
}

# Put ether2-ether5 into LAN_BRIDGE. A port that already sits in a different
# bridge is moved; a port already in LAN_BRIDGE is left alone.
:foreach port in={ether2;ether3;ether4;ether5} do={
    :local portSeen false
    :foreach entry in=[/interface bridge port find] do={
        :local memberIface [/interface bridge port get $entry interface]
        :if ($memberIface = $port) do={
            :set portSeen true
            :local currentBridge [/interface bridge port get $entry bridge]
            :if ($currentBridge = "LAN_BRIDGE") do={
                :log info "$port already in LAN_BRIDGE"
            } else={
                # Detach from the other bridge, pause briefly, then re-attach
                /interface bridge port remove $entry
                :delay 0.5s
                /interface bridge port add bridge=LAN_BRIDGE interface=$port
                :log info "Moved $port from $currentBridge to LAN_BRIDGE"
            }
        }
    }
    # The port was not a member of any bridge: plain add
    :if (!$portSeen) do={
        /interface bridge port add bridge=LAN_BRIDGE interface=$port
        :log info "Added $port to LAN_BRIDGE"
    }
}

# Look for the exact LAN address on LAN_BRIDGE.
:local lanIpPresent false
:foreach entry in=[/ip address find] do={
    :local boundIface [/ip address get $entry interface]
    :local boundAddr [/ip address get $entry address]
    :if ($boundIface = "LAN_BRIDGE" && $boundAddr = "172.26.4.1/24") do={
        :set lanIpPresent true
    }
}

:if ($lanIpPresent) do={
    :log info "LAN IP address already exists"
} else={
    # Drop every other address still bound to LAN_BRIDGE, then assign ours
    :foreach addr in=[/ip address find interface=LAN_BRIDGE] do={
        :local addrValue [/ip address get $addr address]
        :if ($addrValue != "172.26.4.1/24") do={
            /ip address remove $addr
            :log info "Removed old IP $addrValue from LAN_BRIDGE"
        }
    }
    /ip address add address=172.26.4.1/24 interface=LAN_BRIDGE
    :log info "LAN IP address configured"
}

# ========================================
# DHCP SERVER CONFIGURATION
# ========================================
:log info "Configuring DHCP Server..."

# Address pool: create it, or reset the range of an existing one.
:if ([:len [/ip pool find name=LAN_POOL]] = 0) do={
    /ip pool add name=LAN_POOL ranges=172.26.4.3-172.26.4.254
    :log info "DHCP pool created"
} else={
    /ip pool set [find name=LAN_POOL] ranges=172.26.4.3-172.26.4.254
    :log info "DHCP pool updated"
}

# DHCP server: create it (a failure is logged, not fatal), or re-point an
# existing one at the bridge and pool.
:if ([:len [/ip dhcp-server find name=LAN_DHCP]] = 0) do={
    :do {
        /ip dhcp-server add name=LAN_DHCP interface=LAN_BRIDGE address-pool=LAN_POOL disabled=no
        :log info "DHCP server created"
    } on-error={
        :log error "Failed to create DHCP server - interface may not be ready"
    }
} else={
    /ip dhcp-server set [find name=LAN_DHCP] interface=LAN_BRIDGE address-pool=LAN_POOL disabled=no
    :log info "DHCP server updated"
}

# DHCP network: refresh gateway/DNS on a matching entry, otherwise add one.
# Clients are handed 8.8.8.8/8.8.4.4 directly, not the router, as resolver.
:local lanNetPresent false
:foreach entry in=[/ip dhcp-server network find] do={
    :local entryAddr [/ip dhcp-server network get $entry address]
    :if ($entryAddr = "172.26.4.0/24") do={
        :set lanNetPresent true
        /ip dhcp-server network set $entry gateway=172.26.4.1 dns-server=8.8.8.8,8.8.4.4
        :log info "DHCP network updated"
    }
}
:if (!$lanNetPresent) do={
    /ip dhcp-server network add address=172.26.4.0/24 gateway=172.26.4.1 dns-server=8.8.8.8,8.8.4.4
    :log info "DHCP network configured"
}

# ========================================
# USER MANAGEMENT (DISABLED)
# ========================================
# NOTE(review): no account is touched by this script, so the router keeps
# whatever admin credentials it already had - confirm they are set
# out-of-band before the device is deployed.
:log info "User management skipped (manage passwords manually)"

# ========================================
# CERTIFICATE DOWNLOAD & IMPORT
# ========================================
:log info "Downloading certificates..."
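# Download the VPN CA certificate, client certificate and client private key
# for this router from the bootstrap server.
#
# Two changes against the earlier version of this stage:
#   * check-certificate=yes - the three files include the CA that later
#     anchors the VPN and the client's private key; fetched without TLS
#     verification, anyone on the path could substitute or read them.
#     Precondition: the CA chain of bootstrap.camview.in must be trusted by
#     this router, otherwise every fetch fails and is logged below.
#   * previously imported certificates are purged only after all three
#     downloads succeeded, so a failed download no longer strips the router
#     of working VPN credentials.
# NOTE(review): the URL is keyed by the serial number alone; whether the
# server authenticates the requester before serving the private key is not
# visible here - confirm server-side access control.

# Clear files left over from an earlier run
:do { /file remove [find name~"cert_export"] } on-error={}

# Per-router base URL ($sn is read from the routerboard earlier in the script)
:local baseUrl "https://bootstrap.camview.in/configs/$sn"

# Stays true only while every download succeeds
:local fetchOk true

# Download CA Certificate
:log info "Downloading CA certificate from: $baseUrl/cert_export_CA.crt"
:do {
    /tool fetch url="$baseUrl/cert_export_CA.crt" mode=https dst-path=cert_export_CA.crt check-certificate=yes
    :delay 2s
    :log info "CA certificate downloaded"
} on-error={
    :set fetchOk false
    :log error "Failed to download CA certificate"
}

# Download Client Certificate
:log info "Downloading client certificate from: $baseUrl/cert_export_client.crt"
:do {
    /tool fetch url="$baseUrl/cert_export_client.crt" mode=https dst-path=cert_export_client.crt check-certificate=yes
    :delay 2s
    :log info "Client certificate downloaded"
} on-error={
    :set fetchOk false
    :log error "Failed to download client certificate"
}

# Download Client Key
:log info "Downloading client key from: $baseUrl/cert_export_client.key"
:do {
    /tool fetch url="$baseUrl/cert_export_client.key" mode=https dst-path=cert_export_client.key check-certificate=yes
    :delay 2s
    :log info "Client key downloaded"
} on-error={
    :set fetchOk false
    :log error "Failed to download client key"
}

:if ($fetchOk) do={
    # Complete set on disk: make room for it in the certificate store
    :do { /certificate remove [find name~"cert_export"] } on-error={}
} else={
    # Incomplete set: discard it so no half-updated mix gets imported
    :do { /file remove [find name~"cert_export"] } on-error={}
    :log warning "Certificate download incomplete - keeping previously imported certificates"
}

# ========================================
# IMPORT CERTIFICATES
# ========================================
:log info "Importing certificates..."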
# Import the downloaded CA, client key and client certificate, then rebuild
# the OpenVPN client interface around the imported client certificate.
# Each import is guarded separately: a failure is logged and the script
# carries on.

# CA certificate
:do {
    /certificate import file-name=cert_export_CA.crt
    :delay 1s
    :log info "CA certificate imported successfully"
} on-error={
    :log error "Failed to import CA certificate"
}

# Client private key
# NOTE(review): the passphrase is a fixed literal shipped inside this script,
# so encrypting the key file adds no protection of its own; the key is only
# as safe as the channel that delivered it.
:do {
    /certificate import file-name=cert_export_client.key passphrase="12345678"
    :delay 1s
    :log info "Client key imported successfully"
} on-error={
    :log error "Failed to import client key"
}

# Client certificate
:do {
    /certificate import file-name=cert_export_client.crt
    :delay 1s
    :log info "Client certificate imported successfully"
} on-error={
    :log error "Failed to import client certificate"
}

# Give the certificate store time to settle
:delay 3s

# ========================================
# OVPN CLIENT CONFIGURATION
# ========================================
:log info "Configuring OVPN client..."

# Always start from a clean slate
:do { /interface ovpn-client remove [find name=OVPN-CLIENT] } on-error={}

# The store appends _0, _1, ... to imported names, so match by pattern.
# When several entries match, the last one found is the one used.
:local certname ""
:foreach entry in=[/certificate find where name~"cert_export_client"] do={
    :set certname [/certificate get $entry name]
    :log info "Found certificate: $certname"
}

# NOTE(review) on the client settings below:
#  - user and password both equal the router serial, which is predictable;
#    the client certificate is the only credential with real strength.
#  - auth=sha1 is a legacy HMAC; newer RouterOS releases offer stronger
#    values - confirm what the server side and the RouterOS version permit.
#  - no verify-server-certificate setting is given, so the RouterOS default
#    applies; confirm the client actually validates the server against the
#    imported CA.
#  - add-default-route=yes sends the router's default route through the
#    tunnel once it is up.
:if ([:len $certname] = 0) do={
    :log error "No client certificate found, OVPN client not configured"
} else={
    :log info "Using certificate: $certname"
    :do {
        /interface ovpn-client add \
            name=OVPN-CLIENT \
            user=8AFF0B93FD9B \
            password=8AFF0B93FD9B \
            mode=ip \
            connect-to=3.111.211.97 \
            port=1194 \
            certificate=$certname \
            auth=sha1 \
            cipher=aes256 \
            profile=default \
            add-default-route=yes \
            disabled=no
        :log info "OVPN client configured successfully"
    } on-error={
        :log error "Failed to create OVPN client"
    }
}

# ========================================
# NAT CONFIGURATION
# ========================================
:log info "Configuring NAT..."
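# NAT, firewall, DNS, identity and cleanup stage.
#
# Change against the earlier version: the forward chain gains a drop rule
# for new connections that arrive on WAN and were not dst-NATed by the
# router. Before, the forward chain only had accept rules plus "Drop
# invalid", so a host on the WAN segment that routed LAN addresses via this
# router had its new connections forwarded to LAN devices.

# Remove NAT rules from an earlier run (matched by comment) to avoid duplicates
:do {
    :foreach rule in=[/ip firewall nat find comment="NAT for WAN"] do={
        /ip firewall nat remove $rule
    }
    :foreach rule in=[/ip firewall nat find comment="NAT for VPN"] do={
        /ip firewall nat remove $rule
    }
} on-error={}

# Masquerade LAN traffic leaving through WAN and through the tunnel
:do {
    /ip firewall nat add chain=srcnat out-interface=WAN action=masquerade comment="NAT for WAN"
    :log info "WAN NAT rule added"
} on-error={
    :log warning "Failed to add WAN NAT rule"
}
:do {
    /ip firewall nat add chain=srcnat out-interface=OVPN-CLIENT action=masquerade comment="NAT for VPN"
    :log info "VPN NAT rule added"
} on-error={
    :log warning "Failed to add VPN NAT rule"
}

# ========================================
# FIREWALL RULES
# ========================================
:log info "Configuring firewall..."

# Remove this script's filter rules from an earlier run (matched by comment).
# NOTE(review): between this removal and the adds below the router runs
# without these rules, and the adds are not error-guarded - a failing add
# stops the script with a partial rule set. The ~ match is a pattern, so
# rules of other origin whose comment contains these words go as well.
:do {
    /ip firewall filter remove [find comment~"Accept established"]
    /ip firewall filter remove [find comment~"Drop invalid"]
    /ip firewall filter remove [find comment~"Allow LAN"]
    /ip firewall filter remove [find comment~"Allow ICMP"]
    /ip firewall filter remove [find comment~"Drop all"]
} on-error={}

# Input chain: replies, LAN and ICMP reach the router; everything else is dropped
/ip firewall filter add chain=input connection-state=established,related action=accept comment="Accept established/related"
/ip firewall filter add chain=input connection-state=invalid action=drop comment="Drop invalid"
/ip firewall filter add chain=input in-interface=LAN_BRIDGE action=accept comment="Allow LAN"
/ip firewall filter add chain=input protocol=icmp action=accept comment="Allow ICMP"
/ip firewall filter add chain=input action=drop comment="Drop all other input"

# Forward chain: replies and LAN-originated traffic pass
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="Accept established/related"
/ip firewall filter add chain=forward connection-state=invalid action=drop comment="Drop invalid"
/ip firewall filter add chain=forward in-interface=LAN_BRIDGE action=accept comment="Allow LAN to WAN/VPN"
# New: unsolicited connections from WAN are dropped unless the router itself
# dst-NATed them. The comment starts with "Drop all" so the cleanup above
# removes the rule again on the next run. Traffic arriving through
# OVPN-CLIENT is not affected.
/ip firewall filter add chain=forward in-interface=WAN connection-state=new connection-nat-state=!dstnat action=drop comment="Drop all unsolicited WAN forward"
:log info "Firewall rules configured"

# ========================================
# DNS CONFIGURATION
# ========================================
:log info "Configuring DNS..."
# NOTE(review): allow-remote-requests=yes turns the router into a resolver
# for any client the input chain lets in; only the filter rules above keep
# that to the LAN. DHCP hands clients 8.8.8.8/8.8.4.4 directly, so confirm
# the resolver is needed at all.
/ip dns set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes
:log info "DNS servers configured"

# ========================================
# SYSTEM IDENTITY
# ========================================
:log info "Setting system identity..."
/system identity set name="CamView-Router-$sn"
:log info "System identity set to: CamView-Router-$sn"

# ========================================
# CLEANUP CERTIFICATE FILES
# ========================================
# The downloaded files, private key included, are no longer needed once the
# import stage has run, so they are removed from storage.
:delay 2s
:do { /file remove cert_export_CA.crt } on-error={}
:do { /file remove cert_export_client.crt } on-error={}
:do { /file remove cert_export_client.key } on-error={}
:log info "Certificate files cleaned up"

# ========================================
# CONFIGURATION COMPLETE
# ========================================
:log info ""
:log info "=== BOOTSTRAP CONFIGURATION COMPLETE ==="
:log info "Router Serial: $sn"
:log info "Router Identity: CamView-Router-$sn"
:log info "WAN Interface: ether1 (DHCP)"
:log info "LAN Bridge: LAN_BRIDGE (ether2-5)"
:log info "LAN IP: 172.26.4.1/24"
:log info "DHCP Range: 172.26.4.3-254"
:log info "VPN: OVPN-CLIENT"
:log info ""
:log info "Configuration applied successfully!"
:log info "==========================================="

# NOTE(review): from here the file repeats the configuration from its first
# line onward (same serial, same statements), so every stage runs a second
# time - this looks like a doubled paste; confirm it is intended.
# ========================================
# ROUTER SPECIFIC CONFIGURATION
# Serial: 8AFF0B93FD9B
# Auto-fetched and applied on every bootup
# ========================================
:log info "=== Applying Router Configuration for 8AFF0B93FD9B ==="

# Get serial number for dynamic URL construction
:local sn [/system routerboard get serial-number]
:log info "Router Serial: $sn"

# ========================================
# WAN CONFIGURATION
# ========================================
:log info "Configuring WAN interface..."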
# WAN port, LAN bridge and bridge ports, followed by the check for the LAN
# address. ipExists is read by the statement that follows this stage.

# Rename ether1 to WAN; an error here is logged as "already configured".
:do {
    /interface ethernet set [find name=ether1] name=WAN
} on-error={
    :log info "WAN interface already configured"
}

# Add a DHCP client on WAN only when none is bound there yet.
:local wanDhcpClients [/ip dhcp-client find interface=WAN]
:if ([:len $wanDhcpClients] > 0) do={
    :log info "DHCP client already exists on WAN"
} else={
    /ip dhcp-client add interface=WAN disabled=no
    :log info "DHCP client added to WAN"
}

# ========================================
# LAN BRIDGE CONFIGURATION
# ========================================
:log info "Configuring LAN Bridge..."

# The bridge has to exist before ports or addresses can reference it.
:if ([:len [/interface bridge find name=LAN_BRIDGE]] = 0) do={
    /interface bridge add name=LAN_BRIDGE
    :log info "LAN_BRIDGE created"
} else={
    :log info "LAN_BRIDGE already exists"
}

# Put ether2-ether5 into LAN_BRIDGE. A port that already sits in a different
# bridge is moved; a port already in LAN_BRIDGE is left alone.
:foreach port in={ether2;ether3;ether4;ether5} do={
    :local portSeen false
    :foreach entry in=[/interface bridge port find] do={
        :local memberIface [/interface bridge port get $entry interface]
        :if ($memberIface = $port) do={
            :set portSeen true
            :local currentBridge [/interface bridge port get $entry bridge]
            :if ($currentBridge = "LAN_BRIDGE") do={
                :log info "$port already in LAN_BRIDGE"
            } else={
                # Detach from the other bridge, pause briefly, then re-attach
                /interface bridge port remove $entry
                :delay 0.5s
                /interface bridge port add bridge=LAN_BRIDGE interface=$port
                :log info "Moved $port from $currentBridge to LAN_BRIDGE"
            }
        }
    }
    # The port was not a member of any bridge: plain add
    :if (!$portSeen) do={
        /interface bridge port add bridge=LAN_BRIDGE interface=$port
        :log info "Added $port to LAN_BRIDGE"
    }
}

# Look for the exact LAN address on LAN_BRIDGE.
:local ipExists false
:foreach entry in=[/ip address find] do={
    :local boundIface [/ip address get $entry interface]
    :local boundAddr [/ip address get $entry address]
    :if ($boundIface = "LAN_BRIDGE" && $boundAddr = "172.26.4.1/24") do={
        :set ipExists true
    }
}
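# LAN address, DHCP service and certificate download.
#
# Changes against the earlier version of the download stage:
#   * check-certificate=yes - the three files include the CA that later
#     anchors the VPN and the client's private key; fetched without TLS
#     verification, anyone on the path could substitute or read them.
#     Precondition: the CA chain of bootstrap.camview.in must be trusted by
#     this router, otherwise every fetch fails and is logged below.
#   * previously imported certificates are purged only after all three
#     downloads succeeded, so a failed download no longer strips the router
#     of working VPN credentials.

# ipExists is set by the address scan that precedes this statement.
:if (!$ipExists) do={
    # Remove any other address still bound to LAN_BRIDGE, then assign ours
    :foreach addr in=[/ip address find interface=LAN_BRIDGE] do={
        :local addrValue [/ip address get $addr address]
        :if ($addrValue != "172.26.4.1/24") do={
            /ip address remove $addr
            :log info "Removed old IP $addrValue from LAN_BRIDGE"
        }
    }
    /ip address add address=172.26.4.1/24 interface=LAN_BRIDGE
    :log info "LAN IP address configured"
} else={
    :log info "LAN IP address already exists"
}

# ========================================
# DHCP SERVER CONFIGURATION
# ========================================
:log info "Configuring DHCP Server..."

# Address pool: create it, or reset the range of an existing one
:if ([:len [/ip pool find name=LAN_POOL]] = 0) do={
    /ip pool add name=LAN_POOL ranges=172.26.4.3-172.26.4.254
    :log info "DHCP pool created"
} else={
    /ip pool set [find name=LAN_POOL] ranges=172.26.4.3-172.26.4.254
    :log info "DHCP pool updated"
}

# DHCP server: create it (a failure is logged, not fatal), or re-point an
# existing one at the bridge and pool
:if ([:len [/ip dhcp-server find name=LAN_DHCP]] = 0) do={
    :do {
        /ip dhcp-server add name=LAN_DHCP interface=LAN_BRIDGE address-pool=LAN_POOL disabled=no
        :log info "DHCP server created"
    } on-error={
        :log error "Failed to create DHCP server - interface may not be ready"
    }
} else={
    /ip dhcp-server set [find name=LAN_DHCP] interface=LAN_BRIDGE address-pool=LAN_POOL disabled=no
    :log info "DHCP server updated"
}

# DHCP network: refresh gateway/DNS on a matching entry, otherwise add one
:local networkExists false
:foreach net in=[/ip dhcp-server network find] do={
    :local netAddr [/ip dhcp-server network get $net address]
    :if ($netAddr = "172.26.4.0/24") do={
        :set networkExists true
        /ip dhcp-server network set $net gateway=172.26.4.1 dns-server=8.8.8.8,8.8.4.4
        :log info "DHCP network updated"
    }
}
:if (!$networkExists) do={
    /ip dhcp-server network add address=172.26.4.0/24 gateway=172.26.4.1 dns-server=8.8.8.8,8.8.4.4
    :log info "DHCP network configured"
}

# ========================================
# USER MANAGEMENT (DISABLED)
# ========================================
# NOTE(review): no account is touched by this script, so the router keeps
# whatever admin credentials it already had - confirm they are set
# out-of-band before the device is deployed.
:log info "User management skipped (manage passwords manually)"

# ========================================
# CERTIFICATE DOWNLOAD & IMPORT
# ========================================
:log info "Downloading certificates..."

# NOTE(review): the URL is keyed by the serial number alone; whether the
# server authenticates the requester before serving the private key is not
# visible here - confirm server-side access control.

# Clear files left over from an earlier run
:do { /file remove [find name~"cert_export"] } on-error={}

# Per-router base URL ($sn is read from the routerboard earlier in the script)
:local baseUrl "https://bootstrap.camview.in/configs/$sn"

# Stays true only while every download succeeds
:local fetchOk true

# Download CA Certificate
:log info "Downloading CA certificate from: $baseUrl/cert_export_CA.crt"
:do {
    /tool fetch url="$baseUrl/cert_export_CA.crt" mode=https dst-path=cert_export_CA.crt check-certificate=yes
    :delay 2s
    :log info "CA certificate downloaded"
} on-error={
    :set fetchOk false
    :log error "Failed to download CA certificate"
}

# Download Client Certificate
:log info "Downloading client certificate from: $baseUrl/cert_export_client.crt"
:do {
    /tool fetch url="$baseUrl/cert_export_client.crt" mode=https dst-path=cert_export_client.crt check-certificate=yes
    :delay 2s
    :log info "Client certificate downloaded"
} on-error={
    :set fetchOk false
    :log error "Failed to download client certificate"
}

# Download Client Key
:log info "Downloading client key from: $baseUrl/cert_export_client.key"
:do {
    /tool fetch url="$baseUrl/cert_export_client.key" mode=https dst-path=cert_export_client.key check-certificate=yes
    :delay 2s
    :log info "Client key downloaded"
} on-error={
    :set fetchOk false
    :log error "Failed to download client key"
}

:if ($fetchOk) do={
    # Complete set on disk: make room for it in the certificate store
    :do { /certificate remove [find name~"cert_export"] } on-error={}
} else={
    # Incomplete set: discard it so no half-updated mix gets imported
    :do { /file remove [find name~"cert_export"] } on-error={}
    :log warning "Certificate download incomplete - keeping previously imported certificates"
}

# ========================================
# IMPORT CERTIFICATES
# ========================================
:log info "Importing certificates..."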
# Import the downloaded CA, client key and client certificate, then rebuild
# the OpenVPN client interface around the imported client certificate.
# Each import is guarded separately: a failure is logged and the script
# carries on.

# CA certificate
:do {
    /certificate import file-name=cert_export_CA.crt
    :delay 1s
    :log info "CA certificate imported successfully"
} on-error={
    :log error "Failed to import CA certificate"
}

# Client private key
# NOTE(review): the passphrase is a fixed literal shipped inside this script,
# so encrypting the key file adds no protection of its own; the key is only
# as safe as the channel that delivered it.
:do {
    /certificate import file-name=cert_export_client.key passphrase="12345678"
    :delay 1s
    :log info "Client key imported successfully"
} on-error={
    :log error "Failed to import client key"
}

# Client certificate
:do {
    /certificate import file-name=cert_export_client.crt
    :delay 1s
    :log info "Client certificate imported successfully"
} on-error={
    :log error "Failed to import client certificate"
}

# Give the certificate store time to settle
:delay 3s

# ========================================
# OVPN CLIENT CONFIGURATION
# ========================================
:log info "Configuring OVPN client..."

# Always start from a clean slate
:do { /interface ovpn-client remove [find name=OVPN-CLIENT] } on-error={}

# The store appends _0, _1, ... to imported names, so match by pattern.
# When several entries match, the last one found is the one used.
:local certname ""
:foreach entry in=[/certificate find where name~"cert_export_client"] do={
    :set certname [/certificate get $entry name]
    :log info "Found certificate: $certname"
}

# NOTE(review) on the client settings below:
#  - user and password both equal the router serial, which is predictable;
#    the client certificate is the only credential with real strength.
#  - auth=sha1 is a legacy HMAC; newer RouterOS releases offer stronger
#    values - confirm what the server side and the RouterOS version permit.
#  - no verify-server-certificate setting is given, so the RouterOS default
#    applies; confirm the client actually validates the server against the
#    imported CA.
#  - add-default-route=yes sends the router's default route through the
#    tunnel once it is up.
:if ([:len $certname] = 0) do={
    :log error "No client certificate found, OVPN client not configured"
} else={
    :log info "Using certificate: $certname"
    :do {
        /interface ovpn-client add \
            name=OVPN-CLIENT \
            user=8AFF0B93FD9B \
            password=8AFF0B93FD9B \
            mode=ip \
            connect-to=3.111.211.97 \
            port=1194 \
            certificate=$certname \
            auth=sha1 \
            cipher=aes256 \
            profile=default \
            add-default-route=yes \
            disabled=no
        :log info "OVPN client configured successfully"
    } on-error={
        :log error "Failed to create OVPN client"
    }
}

# ========================================
# NAT CONFIGURATION
# ========================================
:log info "Configuring NAT..."
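# NAT, firewall, DNS, identity and cleanup stage.
#
# Change against the earlier version: the forward chain gains a drop rule
# for new connections that arrive on WAN and were not dst-NATed by the
# router. Before, the forward chain only had accept rules plus "Drop
# invalid", so a host on the WAN segment that routed LAN addresses via this
# router had its new connections forwarded to LAN devices.

# Remove NAT rules from an earlier run (matched by comment) to avoid duplicates
:do {
    :foreach rule in=[/ip firewall nat find comment="NAT for WAN"] do={
        /ip firewall nat remove $rule
    }
    :foreach rule in=[/ip firewall nat find comment="NAT for VPN"] do={
        /ip firewall nat remove $rule
    }
} on-error={}

# Masquerade LAN traffic leaving through WAN and through the tunnel
:do {
    /ip firewall nat add chain=srcnat out-interface=WAN action=masquerade comment="NAT for WAN"
    :log info "WAN NAT rule added"
} on-error={
    :log warning "Failed to add WAN NAT rule"
}
:do {
    /ip firewall nat add chain=srcnat out-interface=OVPN-CLIENT action=masquerade comment="NAT for VPN"
    :log info "VPN NAT rule added"
} on-error={
    :log warning "Failed to add VPN NAT rule"
}

# ========================================
# FIREWALL RULES
# ========================================
:log info "Configuring firewall..."

# Remove this script's filter rules from an earlier run (matched by comment).
# NOTE(review): between this removal and the adds below the router runs
# without these rules, and the adds are not error-guarded - a failing add
# stops the script with a partial rule set. The ~ match is a pattern, so
# rules of other origin whose comment contains these words go as well.
:do {
    /ip firewall filter remove [find comment~"Accept established"]
    /ip firewall filter remove [find comment~"Drop invalid"]
    /ip firewall filter remove [find comment~"Allow LAN"]
    /ip firewall filter remove [find comment~"Allow ICMP"]
    /ip firewall filter remove [find comment~"Drop all"]
} on-error={}

# Input chain: replies, LAN and ICMP reach the router; everything else is dropped
/ip firewall filter add chain=input connection-state=established,related action=accept comment="Accept established/related"
/ip firewall filter add chain=input connection-state=invalid action=drop comment="Drop invalid"
/ip firewall filter add chain=input in-interface=LAN_BRIDGE action=accept comment="Allow LAN"
/ip firewall filter add chain=input protocol=icmp action=accept comment="Allow ICMP"
/ip firewall filter add chain=input action=drop comment="Drop all other input"

# Forward chain: replies and LAN-originated traffic pass
/ip firewall filter add chain=forward connection-state=established,related action=accept comment="Accept established/related"
/ip firewall filter add chain=forward connection-state=invalid action=drop comment="Drop invalid"
/ip firewall filter add chain=forward in-interface=LAN_BRIDGE action=accept comment="Allow LAN to WAN/VPN"
# New: unsolicited connections from WAN are dropped unless the router itself
# dst-NATed them. The comment starts with "Drop all" so the cleanup above
# removes the rule again on the next run. Traffic arriving through
# OVPN-CLIENT is not affected.
/ip firewall filter add chain=forward in-interface=WAN connection-state=new connection-nat-state=!dstnat action=drop comment="Drop all unsolicited WAN forward"
:log info "Firewall rules configured"

# ========================================
# DNS CONFIGURATION
# ========================================
:log info "Configuring DNS..."
# NOTE(review): allow-remote-requests=yes turns the router into a resolver
# for any client the input chain lets in; only the filter rules above keep
# that to the LAN. DHCP hands clients 8.8.8.8/8.8.4.4 directly, so confirm
# the resolver is needed at all.
/ip dns set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes
:log info "DNS servers configured"

# ========================================
# SYSTEM IDENTITY
# ========================================
:log info "Setting system identity..."
/system identity set name="CamView-Router-$sn"
:log info "System identity set to: CamView-Router-$sn"

# ========================================
# CLEANUP CERTIFICATE FILES
# ========================================
# The downloaded files, private key included, are no longer needed once the
# import stage has run, so they are removed from storage.
:delay 2s
:do { /file remove cert_export_CA.crt } on-error={}
:do { /file remove cert_export_client.crt } on-error={}
:do { /file remove cert_export_client.key } on-error={}
:log info "Certificate files cleaned up"

# ========================================
# CONFIGURATION COMPLETE
# ========================================
:log info ""
:log info "=== BOOTSTRAP CONFIGURATION COMPLETE ==="
:log info "Router Serial: $sn"
:log info "Router Identity: CamView-Router-$sn"
:log info "WAN Interface: ether1 (DHCP)"
:log info "LAN Bridge: LAN_BRIDGE (ether2-5)"
:log info "LAN IP: 172.26.4.1/24"
:log info "DHCP Range: 172.26.4.3-254"
:log info "VPN: OVPN-CLIENT"
:log info ""
:log info "Configuration applied successfully!"
:log info "==========================================="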