Repeater wifi mikrotik dhcp offering lease

aleksandr.portnov

Всем привет! Столкнулся с проблемой на rb4011: настраиваю repeater wifi к Cisco AP, все работает, но в журнале появляются события WiFi_Free offering lease 10.16.108.19 for 48:8F:5A:5B:9A:F0 without success и такое же для SSID на 5 ГГц. Происходит это потому, что в DHCP-сервере появляются адреса, выданные самому микротику. Сейчас сделал эти записи статическими и блокировку по маку, события пропали. Как сделать это правильно, чтобы адреса не выдавались? Вот конфиг.


# jan/31/2021 05:51:46 by RouterOS 6.48
# software id = 0MZS-TLGI
#
# model = RB4011iGS+5HacQ2HnD
# serial number = D4420C7BFA26
# NOTE(review): the export header carries the software id and the serial number;
# strip both before posting a config publicly - they identify the licence/device.
/interface bridge
# "Storage Bridge" is disabled; every production VLAN hangs off "Vsphere Bridge",
# which runs with bridge VLAN filtering (VLAN table under /interface bridge vlan).
add disabled=yes name="Storage Bridge" pvid=254 vlan-filtering=yes
add name="Vsphere Bridge" vlan-filtering=yes
/interface ethernet
# Physical port roles. ether1 is the only WAN port; the Cisco 2960 switches
# (ether2/ether10) are the trunks, ether4 carries the Synology.
set [ find default-name=ether1 ] name="ether1 WAN"
set [ find default-name=ether2 ] loop-protect=on name="ether2 Cisco 2960"
set [ find default-name=ether3 ] loop-protect=on name="ether3 PC"
set [ find default-name=ether4 ] loop-protect=on name="ether4 Synology"
set [ find default-name=ether5 ] name="ether5 ESXI1"
set [ find default-name=ether6 ] loop-protect=on name="ether6 ESXI2"
set [ find default-name=ether7 ] loop-protect=on name="ether7 ESXI3"
set [ find default-name=ether8 ] loop-protect=on name="ether8 ESXI2 Storage"
set [ find default-name=ether9 ] loop-protect=on name="ether9 ESXI3 Storage"
set [ find default-name=ether10 ] loop-protect=on name="ether10 Cisco 2960C" \
    poe-out=off
# NOTE(review): advertise=1000M-half together with speed=100Mbps looks
# inconsistent for the SFP+ port; with auto-negotiation left on, the speed value
# is presumably ignored - confirm what the link partner actually negotiates.
set [ find default-name=sfp-sfpplus1 ] advertise=1000M-half loop-protect=on \
    speed=100Mbps
/interface vlan
# L3 VLAN interfaces on top of "Vsphere Bridge"; each one gets an address under
# /ip address and is a member of the LAN interface list.
add interface="Vsphere Bridge" loop-protect=on name="vlan100 MGMT" vlan-id=\
    100
add interface="Vsphere Bridge" loop-protect=on name="vlan101 Service Port" \
    vlan-id=101
add interface="Vsphere Bridge" loop-protect=on name="vlan105 APs" vlan-id=105
add interface="Vsphere Bridge" loop-protect=on name="vlan106 Servers" \
    vlan-id=106
add disabled=yes interface="Storage Bridge" name="vlan106 Switch" vlan-id=106
add interface="Vsphere Bridge" loop-protect=on name="vlan107 IPT" vlan-id=107
# vlan108 (guest Wi-Fi) is the only VLAN with loop-protect=off - presumably
# because the repeater's virtual APs re-inject this VLAN; confirm it is intended.
add interface="Vsphere Bridge" loop-protect=off name="vlan108 Wi-Fi" vlan-id=\
    108
add interface="Vsphere Bridge" loop-protect=on name="vlan109 Telephones" \
    vlan-id=109
add interface="Vsphere Bridge" loop-protect=on name="vlan110 PCs" vlan-id=110
add interface="Vsphere Bridge" loop-protect=on name="vlan111 VPN" vlan-id=111
add interface="Vsphere Bridge" loop-protect=on name="vlan254 Storage" \
    vlan-id=254
/interface ethernet switch port
# default-vlan-id=0 on every switch-chip port: VLAN handling is left to the
# bridge VLAN table rather than the switch chip (presumably deliberate - confirm
# whether hardware offload of VLAN filtering was expected on this model).
set 0 default-vlan-id=0
set 1 default-vlan-id=0
set 2 default-vlan-id=0
set 3 default-vlan-id=0
set 4 default-vlan-id=0
set 5 default-vlan-id=0
set 6 default-vlan-id=0
set 7 default-vlan-id=0
set 8 default-vlan-id=0
set 9 default-vlan-id=0
set 10 default-vlan-id=0
set 11 default-vlan-id=0
/interface list
# WAN/LAN lists: LAN is consumed by neighbor discovery and by the "drop all not
# coming from LAN" input rule, so membership below carries trust.
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
# The default profile still allows wpa-psk (WPA1/TKIP). No interface in this
# export references it, but it is safer to trim it to wpa2-psk as well.
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" \
    mode=dynamic-keys supplicant-identity=MikroTik
# One WPA2-PSK profile is shared by the station radios and both virtual APs,
# i.e. the re-broadcast SSID uses the same passphrase as the upstream Cisco SSID.
# The key itself is not in this export (exported without sensitive data).
add authentication-types=wpa2-psk mode=dynamic-keys name=\
    "wlan1 5HGz-ITNetSystem_WiFi_Free-repeater" supplicant-identity=MikroTik
/interface wireless
# Repeater layout: the two physical radios are station-pseudobridge clients of
# the Cisco SSID ITNetSystem_WiFi_Free; two virtual APs on top of them re-serve
# the same SSID into "Vsphere Bridge" tagged as VLAN 108 (vlan-mode=use-tag).
# NOTE(review): the MACs that show up in the "offering lease ... without success"
# log entries (48:8F:5A:9F:57:A3 / 48:8F:5A:5B:9A:F0) are presumably the hardware
# addresses of these station radios - the virtual APs use the locally-
# administered 4A:8F:5A:... variants - which would mean the DHCP DISCOVER that
# reaches WiFi_Free is sourced from the repeater's own radio MAC (pseudobridge
# rewrites client MACs to the station MAC). Confirm with a sniff on vlan108.
set [ find default-name=wlan1 ] band=5ghz-a/n/ac channel-width=20/40mhz-Ce \
    country=russia4 disabled=no frequency=5200 frequency-mode=manual-txpower \
    mode=station-pseudobridge name="wlan1 5HGz" security-profile=\
    "wlan1 5HGz-ITNetSystem_WiFi_Free-repeater" ssid=ITNetSystem_WiFi_Free \
    tx-power=40 tx-power-mode=all-rates-fixed
set [ find default-name=wlan2 ] band=2ghz-b/g/n country=russia4 disabled=no \
    frequency=2437 mode=station-pseudobridge name="wlan2 2.4GHz" \
    security-profile="wlan1 5HGz-ITNetSystem_WiFi_Free-repeater" ssid=\
    ITNetSystem_WiFi_Free
# Virtual AP on the 5 GHz radio. Only the 2.4 GHz virtual AP below sets
# wps-mode=disabled explicitly - confirm WPS is off on this one too.
add disabled=no mac-address=4A:8F:5A:9F:57:A3 master-interface="wlan1 5HGz" \
    name=wlan1 security-profile="wlan1 5HGz-ITNetSystem_WiFi_Free-repeater" \
    ssid=ITNetSystem_WiFi_Free vlan-id=108 vlan-mode=use-tag
# Virtual AP on the 2.4 GHz radio (WPS disabled, WDS cost zeroed).
add disabled=no keepalive-frames=disabled mac-address=4A:8F:5A:5B:9A:F0 \
    master-interface="wlan2 2.4GHz" multicast-buffering=disabled name=wlan2 \
    security-profile="wlan1 5HGz-ITNetSystem_WiFi_Free-repeater" ssid=\
    ITNetSystem_WiFi_Free vlan-id=108 vlan-mode=use-tag wds-cost-range=0 \
    wds-default-cost=0 wps-mode=disabled
/ip dhcp-server option
# DHCP option 43 for the Cisco lightweight APs: 0x0a1064f8 decodes to
# 10.16.100.248, the controller address also used by the CAPWAP forward rule.
add code=43 name=Cisco value=0x0a1064f8
/ip dhcp-server option sets
add name="Cisco Controller" options=Cisco
/ip pool
# Guest Wi-Fi pool; the router's own address (.254) lies outside the range.
add name=vlan108 ranges=10.16.108.1-10.16.108.199
# AP pool inside 10.16.105.0/29; the router sits at .6 of that /29.
add name=vlan105 ranges=10.16.105.1-10.16.105.4
/ip dhcp-server
# Guest Wi-Fi server. NOTE(review): conflict-detection=no means no ARP/ping probe
# is done before an address is offered, so an address already in use can be
# handed out; and a 1w lease is long for a guest network - consider shortening
# it so the pool is not tied up by one-off visitors.
add address-pool=vlan108 conflict-detection=no disabled=no interface=\
    "vlan108 Wi-Fi" lease-time=1w name=WiFi_Free
# AP server: near-permanent leases plus the Cisco controller option set.
add address-pool=vlan105 dhcp-option-set="Cisco Controller" disabled=no \
    interface="vlan105 APs" lease-time=52w1d name=APs
/user group
# Stock "full" group (includes sensitive, password, ftp, telnet, api). Fine for
# the admin account; do not hand it to service/automation users.
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge filter
# All three rules are disabled: a DHCP (udp 67-68) whitelist for two hosts on
# vlan109/vlan110 and a logged catch-all drop in the bridge forward chain.
# NOTE(review): a bridge filter is also the more targeted place to keep the
# repeater radios' own DHCP frames off vlan108 (match on src-mac-address) instead
# of pinning them with block-access leases - hedged, the frame origin is not
# visible in this export.
add action=accept chain=forward disabled=yes dst-address=10.16.109.0/24 \
    dst-port=67-68 ip-protocol=udp log-prefix=ACCEPT_BRIDGE mac-protocol=ip \
    src-address=10.16.109.251/32
add action=accept chain=forward disabled=yes dst-address=10.16.110.0/24 \
    dst-port=67-68 ip-protocol=udp log=yes log-prefix=ACCEPT_BRIDGE \
    mac-protocol=ip src-address=10.16.110.251/32
# If re-enabled, this drop also catches DHCP bridged between ports for clients
# that the router itself serves (vlan108) - check before turning it on.
add action=drop chain=forward disabled=yes dst-port=67-68 ip-protocol=udp \
    log=yes log-prefix=DROP_BRIDGE mac-protocol=ip
/interface bridge port
# NOTE(review): no port sets frame-types or ingress-filtering, so every port
# keeps the defaults (admit-all, ingress-filtering=no). An access port such as
# "ether3 PC" therefore also accepts frames tagged with any VLAN present in the
# bridge VLAN table. For access ports set
# frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes
# to prevent VLAN hopping from a host on that port.
# Ports without an explicit pvid fall back to pvid 1, which is absent from the
# VLAN table, so their untagged ingress is dropped (ESXi, storage, Synology
# ports carry tagged traffic only).
add bridge="Vsphere Bridge" interface="ether2 Cisco 2960" pvid=105
add bridge="Vsphere Bridge" interface="ether3 PC" pvid=110
add bridge="Vsphere Bridge" interface="ether7 ESXI3"
add bridge="Vsphere Bridge" interface="ether8 ESXI2 Storage"
add bridge="Vsphere Bridge" interface="ether9 ESXI3 Storage"
add bridge="Vsphere Bridge" interface="ether10 Cisco 2960C" pvid=105
add bridge="Vsphere Bridge" interface="ether5 ESXI1"
add bridge="Vsphere Bridge" interface="ether6 ESXI2"
add bridge="Vsphere Bridge" interface="ether4 Synology"
add bridge="Vsphere Bridge" interface=sfp-sfpplus1 pvid=109
# The virtual APs tag VLAN 108 themselves (vlan-mode=use-tag), hence no pvid.
add bridge="Vsphere Bridge" interface=wlan1
add bridge="Vsphere Bridge" interface=wlan2
/ip neighbor discovery-settings
# NOTE(review): the LAN list contains "vlan108 Wi-Fi", so guest clients receive
# the router's neighbor-discovery (MNDP/CDP/LLDP) announcements, which reveal
# identity, model and version. Exclude the guest VLAN from discovery.
set discover-interface-list=LAN
/interface bridge vlan
# NOTE(review): "ether3 PC" is listed as an untagged member of six VLANs here
# while its pvid is 110. A port can only classify untagged ingress into one VLAN,
# but it will egress broadcast/flood traffic of all six VLANs untagged - verify
# that MGMT (100) traffic leaving the PC port untagged is intended.
add bridge="Vsphere Bridge" tagged="Vsphere Bridge,ether10 Cisco 2960C,ether2 \
    Cisco 2960,ether7 ESXI3,ether6 ESXI2,ether5 ESXI1" untagged="ether3 PC" \
    vlan-ids=100,101,106,107,110,111
# AP VLAN: native (untagged) on the two Cisco switch trunks, matching pvid=105.
add bridge="Vsphere Bridge" tagged="Vsphere Bridge" untagged=\
    "ether10 Cisco 2960C,ether2 Cisco 2960" vlan-ids=105
add bridge="Vsphere Bridge" tagged="Vsphere Bridge,ether5 ESXI1,ether8 ESXI2 S\
    torage,ether9 ESXI3 Storage,ether4 Synology" vlan-ids=254
# Guest Wi-Fi (108) and telephones (109): tagged towards the trunks and the
# virtual APs; sfp-sfpplus1 (pvid 109) is untagged for both - same caveat as
# above for VLAN 108 leaving that port untagged.
add bridge="Vsphere Bridge" tagged=\
    "Vsphere Bridge,ether2 Cisco 2960,ether10 Cisco 2960C,wlan1,wlan2" \
    untagged=sfp-sfpplus1 vlan-ids=108,109
add bridge="Storage Bridge" disabled=yes tagged=\
    "Storage Bridge,ether10 Cisco 2960C" vlan-ids=106
/interface detect-internet
# Detect-internet probes on every interface; harmless here but it generates
# outbound checks from all VLANs - restrict to the WAN list if that is unwanted.
set detect-interface-list=all
/interface list member
add interface="ether1 WAN" list=WAN
# NOTE(review): LAN membership is used by neighbor discovery and by the
# "drop all not coming from LAN" input rule; the guest VLAN (108) and the
# bridge itself are treated the same as MGMT here.
add interface="vlan100 MGMT" list=LAN
add interface="vlan105 APs" list=LAN
add interface="vlan106 Servers" list=LAN
add interface="vlan107 IPT" list=LAN
add interface="vlan108 Wi-Fi" list=LAN
add interface="vlan109 Telephones" list=LAN
add interface="vlan110 PCs" list=LAN
add interface="vlan111 VPN" list=LAN
add interface="vlan254 Storage" list=LAN
add interface="Vsphere Bridge" list=LAN
/ip address
# One /24 per VLAN with the router at .254; the AP VLAN is a /29 with the
# router at .6. 10.16.100.254 is the address the VPN-admin management rule
# in the input chain is pinned to.
add address=10.16.106.254/24 interface="vlan106 Servers" network=10.16.106.0
add address=10.16.107.254/24 interface="vlan107 IPT" network=10.16.107.0
add address=10.16.108.254/24 interface="vlan108 Wi-Fi" network=10.16.108.0
add address=10.16.109.254/24 interface="vlan109 Telephones" network=\
    10.16.109.0
add address=10.16.110.254/24 interface="vlan110 PCs" network=10.16.110.0
add address=10.16.111.254/24 interface="vlan111 VPN" network=10.16.111.0
add address=10.16.105.6/29 interface="vlan105 APs" network=10.16.105.0
add address=10.16.254.254/24 interface="vlan254 Storage" network=10.16.254.0
add address=10.16.100.254/24 interface="vlan100 MGMT" network=10.16.100.0
add address=10.16.101.254/24 interface="vlan101 Service Port" network=\
    10.16.101.0
/ip dhcp-client
# WAN address via DHCP; peer NTP is refused (NTP comes from the DCs instead).
# use-peer-dns is left at its default, so upstream DNS servers are taken from
# the ISP lease - check that matches the resolver policy for the DCs.
add disabled=no interface="ether1 WAN" use-peer-ntp=no
/ip dhcp-relay
# Telephones and PCs get DHCP from the domain controllers on vlan106 via relay;
# the relay replies from the DCs are what the input rule accepting udp 67-68
# from 10.16.106.0/24 presumably exists for.
add dhcp-server=10.16.106.221,10.16.106.220 disabled=no interface=\
    "vlan109 Telephones" local-address=10.16.109.254 name=relay1
add dhcp-server=10.16.106.221,10.16.106.220 disabled=no interface=\
    "vlan110 PCs" local-address=10.16.110.254 name=relay2
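/ip dhcp-server lease
# Workaround for the "offering lease ... without success" log entries: the two
# MACs below are presumably the hardware addresses of the repeater's own station
# radios (the virtual APs use the locally-administered 4A:8F:5A:... variants).
# A static lease with block-access=yes pins an address and makes WiFi_Free stop
# serving these MACs. A more targeted fix would keep their DHCP frames off
# vlan108 at the bridge (see the disabled /interface bridge filter rules) -
# TODO confirm which side actually emits the DISCOVERs before changing this.
add address=10.16.108.11 block-access=yes client-id=1:48:8f:5a:9f:57:a3 \
    mac-address=48:8F:5A:9F:57:A3 server=WiFi_Free
add address=10.16.108.19 block-access=yes client-id=1:48:8f:5a:5b:9a:f0 \
    mac-address=48:8F:5A:5B:9A:F0 server=WiFi_Free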
/ip dhcp-server network
add address=10.16.105.0/29 dhcp-option-set="Cisco Controller" gateway=\
    10.16.105.6
# Guest clients are pointed at the router itself for DNS; that only works
# because the input chain accepts udp/53 from 10.16.108.0/24 on vlan108.
add address=10.16.108.0/24 dns-server=10.16.108.254 gateway=10.16.108.254
/ip dns
# NOTE(review): allow-remote-requests=yes turns the router into a resolver for
# anyone who can reach udp/53 on it. Exposure is limited only by the input chain
# (DNS accepted from the Wi-Fi and Storage subnets, everything else dropped by
# the final "INPUT (Drop --> all other)" rule) - keep that rule order intact.
set allow-remote-requests=yes
/ip dns static
add address=10.16.106.118 name=mail.itnetsystem.ru
/ip firewall address-list
# BOGON: dropped on input from the WAN interface only (it contains 10.0.0.0/8,
# so it must never be applied to LAN-side traffic).
add address=0.0.0.0/8 list=BOGON
add address=10.0.0.0/8 list=BOGON
add address=100.64.0.0/10 list=BOGON
add address=127.0.0.0/8 list=BOGON
add address=169.254.0.0/16 list=BOGON
add address=172.16.0.0/12 list=BOGON
add address=192.0.0.0/24 list=BOGON
add address=192.0.2.0/24 list=BOGON
add address=192.168.0.0/16 list=BOGON
add address=198.18.0.0/15 list=BOGON
add address=198.51.100.0/24 list=BOGON
add address=203.0.113.0/24 list=BOGON
add address=224.0.0.0/4 list=BOGON
add address=240.0.0.0/4 list=BOGON
# BOGON_FRWD: the subset that is safe to drop in both directions of forward.
add address=0.0.0.0/8 list=BOGON_FRWD
add address=127.0.0.0/8 list=BOGON_FRWD
add address=224.0.0.0/4 list=BOGON_FRWD
# Hostname entries are resolved by the router's DNS client periodically.
add address=www.google-analytics.com list=BlockList
add address=marketingplatform.google.com list=BlockList
add address=10.16.106.220 list=DC
add address=10.16.106.221 list=DC
add address=10.16.107.200 list=IPT
add address=10.16.107.201 list=IPT
add address=10.16.106.200 list=IPT
add address=10.16.107.199 list=IPT
add address=10.16.107.202 list=IPT
add address=10.16.100.250 list=vsphere
add address=10.16.100.251 list=vsphere
# NOTE(review): stray entry - a list named "10.16.100.252" with no address,
# apparently a typo for the line below. Harmless but should be removed.
add list=10.16.100.252
add address=10.16.100.252 list=vsphere
add address=10.16.111.1 list="VPN Admins"
add address=10.16.111.2 list="VPN Admins"
/ip firewall filter
# --- Port-scan detection (input): offenders land in Port-Scanners for 2w and
# are dropped in both input and forward further down.
add action=add-src-to-address-list address-list=Port-Scanners \
    address-list-timeout=2w chain=input comment="Scan - Scan Ports" protocol=\
    tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=Port-Scanners \
    address-list-timeout=2w chain=input comment=\
    "Scan - NMAP FIN Stealth scan" protocol=tcp tcp-flags=\
    fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=Port-Scanners \
    address-list-timeout=2w chain=input comment="Scan - SYN/FIN scan" \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list=Port-Scanners \
    address-list-timeout=2w chain=input comment="Scan - SYN/RST scan" \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list=Port-Scanners \
    address-list-timeout=2w chain=input comment="Scan - FIN/PSH/URG scan" \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=Port-Scanners \
    address-list-timeout=2w chain=input comment="Scan - ALL/ALL scan" \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=Port-Scanners \
    address-list-timeout=2w chain=input comment="Scan - NMAP NULL scan" \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
# NOTE(review): these two forward accepts for 10.16.107.198 sit before the
# scanner/invalid/established handling and carry no in-interface restriction;
# fine if that host is trusted, but they bypass every later forward control.
add action=accept chain=forward dst-port=22,8443 protocol=tcp src-address=\
    10.16.107.198
add action=accept chain=forward dst-address=10.16.107.198 dst-port=\
    22,8443,6060 protocol=tcp src-address-list=IPT
add action=drop chain=input comment="Drop - port scanners" src-address-list=\
    Port-Scanners
add action=drop chain=forward comment="Drop - port scanners" \
    src-address-list=Port-Scanners
# --- Input chain: whitelist style, ends in an unconditional drop.
add action=drop chain=input comment="INPUT (Drop --> invalid connections and a\
    ddress-list=BOGON.  Accept --> establieshed,related)" in-interface=\
    "ether1 WAN" src-address-list=BOGON
add action=drop chain=input comment=\
    "INPUT (Drop --> address-list=BLOCK LIST)" in-interface="ether1 WAN" \
    src-address-list=BlockList
add action=drop chain=forward comment=\
    "INPUT (Drop --> address-list=BLOCK LIST)" dst-address-list=BlockList \
    out-interface="ether1 WAN"
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# Router-as-resolver is reachable from the guest and storage subnets only.
add action=accept chain=input comment="INPUT Local" connection-state="" \
    dst-port=53 in-interface="vlan108 Wi-Fi" protocol=udp src-address=\
    10.16.108.0/24
add action=accept chain=input connection-state="" dst-port=53 in-interface=\
    "vlan254 Storage" protocol=udp src-address=10.16.254.0/24
# Presumably the DHCP-relay replies from the DCs (no server runs on vlan106).
add action=accept chain=input connection-state="" dst-port=67-68 \
    in-interface="vlan106 Servers" protocol=udp src-address=10.16.106.0/24
# ICMP is accepted on input from every interface including WAN, unrate-limited;
# the log-prefix is set but log=yes is not, so nothing is logged.
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=\
    "PING_protocol=icmp" protocol=icmp
# NOTE(review): ICMP is forwarded between all VLANs without restriction, so the
# guest VLAN can ping-sweep MGMT/Servers/Storage. Limit by in-interface.
add action=accept chain=forward protocol=icmp
add action=accept chain=input comment="INPUT Local Control" connection-state=\
    "" dst-port=80,8291,22 in-interface="vlan110 PCs" protocol=tcp \
    src-address=10.16.110.253
# NOTE(review): HIGH - any client on the guest Wi-Fi VLAN may open WinBox
# (8291) and SSH (22) on the router; there is no src-address restriction and
# /ip service does not bind those services to an address. Remove this rule or
# restrict it to a named admin address, and set address= on ssh/winbox.
add action=accept chain=input connection-state="" dst-port=80,8291,22 \
    in-interface="vlan108 Wi-Fi" protocol=tcp
add action=accept chain=input connection-state="" dst-address=10.16.100.254 \
    dst-port=80,8291,22 in-interface="vlan111 VPN" protocol=tcp \
    src-address-list="VPN Admins"
add action=drop chain=input comment="INPUT (Drop --> all other)"
# Unreachable: the rule above already drops everything left in input.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# --- Output chain: both rules accept, which is also the chain's default, so
# the router's own traffic is effectively unfiltered.
add action=accept chain=output comment=\
    "OUTPUT (accept everything to non internet)" out-interface="!ether1 WAN"
add action=accept chain=output comment=\
    "OUTPUT (accept everything to internet)" connection-nat-state="" \
    connection-state=!invalid out-interface="ether1 WAN"
# --- Forward chain head: bogon drops, then fasttrack/accept of established
# flows. Everything fasttracked here bypasses the later per-service rules.
add action=drop chain=forward src-address-list=BOGON_FRWD
add action=drop chain=forward dst-address-list=BOGON_FRWD
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related protocol=tcp
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related protocol=udp
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# udp/55777 accepted between any pair of interfaces (no interface matchers).
add action=accept chain=forward comment=VIPNET connection-state="" dst-port=\
    55777 protocol=udp
# --- Guest Wi-Fi (vlan108): full Internet access for TCP and UDP ...
add action=accept chain=forward comment=\
    "WiFi Guest Allow full access to Internet" connection-state="" \
    in-interface="vlan108 Wi-Fi" log-prefix="rule 24_WIFI - >" out-interface=\
    "ether1 WAN" protocol=tcp src-address=10.16.108.0/24
add action=accept chain=forward connection-state="" in-interface=\
    "vlan108 Wi-Fi" log-prefix="rule 24_WIFI - >" out-interface="ether1 WAN" \
    protocol=udp src-address=10.16.108.0/24
# NOTE(review): ... plus unrestricted (any protocol/port) access from the guest
# VLAN to the IP-telephony servers in the IPT list. Narrow this to the ports
# the phones actually need, or drop it for guests.
add action=accept chain=forward connection-state="" dst-address-list=IPT \
    in-interface="vlan108 Wi-Fi" src-address=10.16.108.0/24
add action=accept chain=forward connection-state="" dst-address=10.16.106.118 \
    dst-port=443 in-interface="vlan108 Wi-Fi" out-interface="vlan106 Servers" \
    protocol=tcp src-address=10.16.108.0/24
# NOTE(review): guests get SMB (445) on the NAS 10.16.254.201 alongside
# HTTPS/Plex. SMB from an untrusted VLAN is a common ransomware path; expose
# only 443/32400 here unless guest file shares are genuinely required.
add action=accept chain=forward connection-state="" dst-address=10.16.254.201 \
    dst-port=443,445,32400 in-interface="vlan108 Wi-Fi" out-interface=\
    "vlan254 Storage" protocol=tcp src-address=10.16.108.0/24
# --- PCs (vlan110): one management host gets everything, the rest web + DC.
add action=accept chain=forward comment="MGMT All traffic" connection-state=\
    "" in-interface="vlan110 PCs" src-address=10.16.110.253
add action=accept chain=forward comment="PC Allow" connection-state="" \
    dst-port=80,443 in-interface="vlan110 PCs" out-interface="ether1 WAN" \
    protocol=tcp src-address=10.16.110.0/24
add action=accept chain=forward connection-state="" dst-address=10.16.254.253 \
    dst-port=445,139 in-interface="vlan110 PCs" protocol=tcp src-address=\
    10.16.110.0/24
add action=accept chain=forward connection-state="" dst-address-list=DC \
    in-interface="vlan110 PCs" src-address=10.16.110.0/24
# DLP agent traffic (tcp/udp 15101) from PCs, guests and one server.
add action=accept chain=forward comment="DLP Infowatch" connection-state="" \
    dst-port=15101 in-interface="vlan110 PCs" protocol=tcp src-address=\
    10.16.110.0/24
add action=accept chain=forward connection-state="" dst-port=15101 \
    in-interface="vlan110 PCs" protocol=udp src-address=10.16.110.0/24
add action=accept chain=forward connection-state="" dst-port=15101 \
    in-interface="vlan108 Wi-Fi" protocol=tcp src-address=10.16.108.0/24
add action=accept chain=forward connection-state="" dst-port=15101 \
    in-interface="vlan108 Wi-Fi" protocol=udp src-address=10.16.108.0/24
add action=accept chain=forward connection-state="" dst-port=15101 \
    in-interface="vlan106 Servers" protocol=tcp src-address=10.16.106.223
add action=accept chain=forward connection-state="" dst-port=15101 \
    in-interface="vlan106 Servers" protocol=udp src-address=10.16.106.223
add action=accept chain=forward connection-state="" dst-address=10.16.106.100 \
    src-address=10.16.254.253
# No in-interface/src restriction: reachable from the guest VLAN as well.
add action=accept chain=forward connection-state="" dst-address=10.16.254.253 \
    dst-port=15004 protocol=tcp
# NOTE(review): RDP to 10.16.110.253 is accepted from ANY source, and the
# dstnat section forwards tcp/3389 from the public address to the same host -
# i.e. RDP is open to the whole Internet. Restrict src-address here (and on the
# dstnat rule) to known peers, or reach it over the IPsec VPN instead.
add action=accept chain=forward comment="RDP MGMT" connection-state="" \
    dst-address=10.16.110.253 dst-port=3389 protocol=tcp
# Everything from anywhere to 10.16.254.249 (Veeam host per the rules below).
add action=accept chain=forward connection-state="" dst-address=10.16.254.249
add action=accept chain=forward comment="Veeam Backup" connection-state="" \
    dst-address-list=vsphere dst-port=902 in-interface="vlan254 Storage" \
    out-interface="vlan100 MGMT" protocol=tcp src-address=10.16.254.249
add action=accept chain=forward connection-state="" dst-address-list=DC \
    in-interface="vlan254 Storage" src-address=10.16.254.249
add action=accept chain=forward connection-state="" dst-address=10.16.106.118 \
    dst-port=25 in-interface="vlan254 Storage" out-interface=\
    "vlan106 Servers" protocol=tcp src-address=10.16.254.249
add action=accept chain=forward connection-state="" dst-port=139,445 \
    in-interface="vlan254 Storage" protocol=tcp src-address=10.16.254.249
add action=accept chain=forward connection-state="" dst-address-list=vsphere \
    dst-port=443 in-interface="vlan254 Storage" out-interface="vlan100 MGMT" \
    protocol=tcp src-address=10.16.254.249
add action=accept chain=forward dst-port=443 protocol=tcp src-address=\
    10.16.100.200
# --- Domain controllers: DHCP/DNS/NTP in, DNS replies out, upstream resolver
# (77.88.8.8) and one external NTP peer.
add action=accept chain=forward comment="Accept DHCP,DNS,NTP to DC" \
    dst-address-list=DC dst-port=67,53,123 out-interface="vlan106 Servers" \
    protocol=udp
add action=accept chain=forward in-interface="vlan106 Servers" protocol=udp \
    src-address-list=DC src-port=53
add action=accept chain=forward connection-state="" dst-address=77.88.8.8 \
    dst-port=53 protocol=udp src-address-list=DC
add action=accept chain=forward connection-state="" dst-address=\
    88.147.254.230 dst-port=123 in-interface="vlan106 Servers" out-interface=\
    "ether1 WAN" protocol=udp src-address-list=DC
# CAPWAP (5246/5247) from the AP /29 to the WLC at 10.16.100.248 - the same
# address encoded in DHCP option 43 above.
add action=accept chain=forward comment="Cisco Controller" dst-address=\
    10.16.100.248 dst-port=5246,5247 in-interface="vlan105 APs" \
    out-interface="vlan100 MGMT" protocol=udp src-address=10.16.105.0/29
# SIP trunk between the CUBE (10.16.107.199) and the provider; any protocol,
# but pinned to the provider's address in both directions.
add action=accept chain=forward comment=CUBE dst-address=213.167.57.106 \
    in-interface="vlan107 IPT" log-prefix="FORWARD SIP  to PROVAIDER" \
    out-interface="ether1 WAN" src-address=10.16.107.199
add action=accept chain=forward dst-address=10.16.107.199 in-interface=\
    "ether1 WAN" log-prefix="FORWARD SIP  to CUBE" out-interface=\
    "vlan107 IPT" src-address=213.167.57.106
# The port-scoped phone rules are disabled; the active rule below admits all
# traffic from the phone VLAN to the IPT list instead.
add action=accept chain=forward comment=IPT disabled=yes dst-address-list=IPT \
    dst-port=69,5060,8000-65000 in-interface="vlan109 Telephones" log-prefix=\
    IPT protocol=udp src-address=10.16.109.0/24
add action=accept chain=forward disabled=yes dst-address-list=IPT dst-port=\
    5060,2445,6970,8000,9444,49152-65535 in-interface="vlan109 Telephones" \
    protocol=tcp src-address=10.16.109.0/24
add action=accept chain=forward comment=IPT dst-address-list=IPT \
    in-interface="vlan109 Telephones" src-address=10.16.109.0/24
add action=accept chain=forward dst-address=10.16.109.0/24 src-address-list=\
    IPT
add action=accept chain=forward dst-address-list=IPT src-address-list=IPT
add action=accept chain=forward dst-address-list=DC src-address-list=IPT
add action=accept chain=forward dst-address=10.16.106.118 dst-port=25 \
    protocol=tcp src-address-list=IPT
# --- Published services (paired with dstnat): SMTP to 10.16.106.224 and
# HTTPS to 10.16.106.118 from the Internet.
add action=accept chain=forward comment=MAIL dst-address=10.16.106.224 \
    dst-port=25 in-interface="ether1 WAN" out-interface="vlan106 Servers" \
    protocol=tcp
add action=accept chain=forward dst-port=25,80,443 protocol=tcp src-address=\
    10.16.106.224
add action=accept chain=forward dst-address-list=DC dst-port=123 protocol=udp \
    src-address=10.16.106.224
add action=accept chain=forward dst-address=10.16.106.118 dst-port=443 \
    in-interface="ether1 WAN" out-interface="vlan106 Servers" protocol=tcp
# --- KES / WSUS: the inbound rules have no in-interface or src restriction,
# so every VLAN (guest included) reaches 1433/139/13000 and 8530 on them.
add action=accept chain=forward comment=KES dst-port=80,443 in-interface=\
    "vlan106 Servers" out-interface="ether1 WAN" protocol=tcp src-address=\
    10.16.106.222
add action=accept chain=forward dst-address=10.16.106.222 dst-port=\
    1433,139,13000 out-interface="vlan106 Servers" protocol=tcp
add action=accept chain=forward comment=WSUS dst-address=10.16.106.130 \
    dst-port=8530 out-interface="vlan106 Servers" protocol=tcp
add action=accept chain=forward dst-port=443,80 in-interface=\
    "vlan106 Servers" out-interface="ether1 WAN" protocol=tcp src-address=\
    10.16.106.130
# --- VPN concentrator 10.16.111.115 (IKE 500/4500 published via dstnat) and
# what VPN users may reach.
add action=accept chain=forward comment=VPN dst-address=10.16.111.115 \
    dst-port=4500,500 in-interface="ether1 WAN" out-interface="vlan111 VPN" \
    protocol=udp
add action=accept chain=forward dst-port=80,139,443,445,5000,3389 \
    in-interface="vlan111 VPN" protocol=tcp src-address-list="VPN Admins"
add action=accept chain=forward dst-address-list=IPT dst-port=\
    8443,5222,5060,6970,6972,2748 in-interface="vlan111 VPN" protocol=tcp \
    src-address=10.16.111.0/24
add action=accept chain=forward dst-address-list=IPT dst-port=69,8000-65000 \
    in-interface="vlan111 VPN" protocol=udp src-address=10.16.111.0/24
add action=accept chain=forward dst-address-list=DC in-interface=\
    "vlan111 VPN" src-address=10.16.111.115
add action=accept chain=forward dst-address=10.16.109.0/24 in-interface=\
    "vlan111 VPN" out-interface="vlan109 Telephones" protocol=udp \
    src-address=10.16.111.0/24
add action=accept chain=forward dst-address=10.16.106.118 in-interface=\
    "vlan111 VPN" out-interface="vlan106 Servers" src-address=10.16.111.0/24
add action=accept chain=forward in-interface="vlan111 VPN" out-interface=\
    "ether1 WAN" src-address=10.16.111.0/24
add action=accept chain=forward comment=TS dst-port=443,80 in-interface=\
    "vlan106 Servers" out-interface="ether1 WAN" protocol=tcp src-address=\
    10.16.106.223 src-address-list=""
# NOTE(review): SMB/NetBIOS on the NAS 10.16.254.253 is accepted from ANY source
# (no in-interface, no src-address), which again includes the guest VLAN.
add action=accept chain=forward comment=NAS dst-address=10.16.254.253 \
    dst-port=445,139 protocol=tcp
add action=accept chain=forward dst-address-list=DC src-address=10.16.254.253
add action=accept chain=forward dst-address-list=DC dst-port=389 protocol=udp \
    src-address=10.16.254.253
add action=accept chain=forward dst-address-list=DC dst-port=\
    88,445,139,389,135,49670 protocol=tcp src-address=10.16.254.253
add action=accept chain=forward comment=Synology dst-address-list=DC \
    src-address=10.16.254.201
add action=accept chain=forward dst-address=10.16.106.118 dst-port=25 \
    protocol=tcp src-address=10.16.254.201
add action=accept chain=forward dst-address=10.16.254.201 src-address-list=DC
add action=accept chain=forward dst-port=80,443 in-interface=\
    "vlan254 Storage" out-interface="ether1 WAN" protocol=tcp src-address=\
    10.16.254.201
# Inbound web to the Synology and QuickConnect are disabled - keep them so.
add action=accept chain=forward disabled=yes dst-address=10.16.254.201 \
    dst-port=80,443 in-interface="ether1 WAN" out-interface="vlan254 Storage" \
    protocol=tcp
add action=accept chain=forward comment="Synology QuickConnect" disabled=yes \
    dst-address=10.16.254.201
add action=accept chain=forward comment="Synology QuickConnect" disabled=yes \
    src-address=10.16.254.201
add action=accept chain=forward comment="TFTP MGMT" dst-address=10.16.110.253 \
    dst-port=69 protocol=udp src-address=10.16.100.0/24
add action=accept chain=forward comment="TFTP MGMT" dst-address=10.16.110.253 \
    src-address-list=IPT
# --- Forward chain tail: explicit deny-all, so the forward policy is a
# whitelist. Note "drop invalid" and the non-DSTNAT WAN drop come after all
# the accepts above, so any accept without connection-state matching wins.
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf:  drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=drop chain=forward out-interface="ether1 WAN" protocol=udp
# log-prefix is set but log=yes is not, so denied HTTP/HTTPS is not logged;
# only the final catch-all below logs.
add action=drop chain=forward comment="Deny HTTP and HTTPS output" dst-port=\
    80,443 log-prefix=DENY_HTTP_AND_HTTPS_ protocol=tcp
add action=drop chain=forward comment="Deny All output" log=yes log-prefix=\
    DENY_ALL_
/ip firewall nat
# Per-subnet source NAT to the static public address; the dst-address=!subnet
# exclusion keeps intra-VLAN traffic out of NAT. The AP /29 is not NATed.
add action=src-nat chain=srcnat comment="defconf: masquerade" dst-address=\
    !10.16.108.0/24 out-interface="ether1 WAN" src-address=10.16.108.0/24 \
    to-addresses=46.188.16.243
add action=src-nat chain=srcnat dst-address=!10.16.106.0/24 out-interface=\
    "ether1 WAN" src-address=10.16.106.0/24 to-addresses=46.188.16.243
add action=src-nat chain=srcnat dst-address=!10.16.107.0/24 out-interface=\
    "ether1 WAN" src-address=10.16.107.0/24 to-addresses=46.188.16.243
add action=src-nat chain=srcnat dst-address=!10.16.110.0/24 out-interface=\
    "ether1 WAN" src-address=10.16.110.0/24 to-addresses=46.188.16.243
add action=src-nat chain=srcnat dst-address=!10.16.254.0/24 out-interface=\
    "ether1 WAN" src-address=10.16.254.0/24 to-addresses=46.188.16.243
add action=src-nat chain=srcnat dst-address=!10.16.111.0/24 out-interface=\
    "ether1 WAN" src-address=10.16.111.0/24 to-addresses=46.188.16.243
add action=src-nat chain=srcnat dst-address=!10.16.100.0/24 out-interface=\
    "ether1 WAN" src-address=10.16.100.0/24 to-addresses=46.188.16.243
add action=src-nat chain=srcnat disabled=yes dst-address=!10.16.105.0/24 \
    out-interface="ether1 WAN" src-address=10.16.105.0/24 to-addresses=\
    46.188.16.243
# --- Published services. Each dstnat needs a matching forward accept above.
add action=dst-nat chain=dstnat comment=MAIL dst-address=46.188.16.243 \
    dst-port=25 protocol=tcp to-addresses=10.16.106.224 to-ports=25
add action=dst-nat chain=dstnat dst-address=46.188.16.243 dst-port=443 \
    protocol=tcp to-addresses=10.16.106.118 to-ports=443
# NOTE(review): HIGH - RDP (tcp/3389) is published to the whole Internet with no
# src-address restriction, and the forward rule for it accepts any source.
# Either restrict src-address to known peers or remove this and use the IPsec
# VPN (500/4500 below) to reach 10.16.110.253.
add action=dst-nat chain=dstnat comment=RDP dst-address=46.188.16.243 \
    dst-port=3389 protocol=tcp to-addresses=10.16.110.253 to-ports=3389
# SIP media: correctly pinned to the provider's source address.
add action=dst-nat chain=dstnat comment=SIP dst-address=46.188.16.243 \
    dst-port=8000-65000 log=yes log-prefix="NAT SIP UDP" protocol=udp \
    src-address=213.167.57.106 to-addresses=10.16.107.199 to-ports=8000-65000
add action=dst-nat chain=dstnat comment=VPN disabled=yes dst-address=\
    46.188.16.243 dst-port=1701 protocol=udp to-addresses=10.16.111.115 \
    to-ports=1701
add action=dst-nat chain=dstnat dst-address=46.188.16.243 dst-port=4500 \
    protocol=udp to-addresses=10.16.111.115 to-ports=4500
add action=dst-nat chain=dstnat dst-address=46.188.16.243 dst-port=500 \
    protocol=udp to-addresses=10.16.111.115 to-ports=500
# Plex on the NAS is Internet-facing; keep the NAS patched and its web/443
# publication (next rule) disabled.
add action=dst-nat chain=dstnat comment=PLEX dst-address=46.188.16.243 \
    dst-port=32400 protocol=tcp to-addresses=10.16.254.201 to-ports=32400
add action=dst-nat chain=dstnat comment=Synology disabled=yes dst-address=\
    46.188.16.243 dst-port=443 protocol=tcp to-addresses=10.16.254.201 \
    to-ports=443
/ip firewall service-port
# SIP ALG off - correct when the CUBE handles NAT traversal itself.
set sip disabled=yes sip-timeout=5m
/ip route
# Static default route to the ISP gateway (in addition to the WAN DHCP client).
add distance=1 gateway=46.188.16.5
/ip service
# telnet/ftp/www/api disabled; ssh, winbox and www-ssl stay enabled with no
# address= restriction. NOTE(review): combine with the input rule that admits
# 22/8291 from the whole guest VLAN - set address= on ssh and winbox to the
# management subnets so the firewall is not the only barrier.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Moscow
/system identity
# Identity is announced by neighbor discovery on every LAN-list interface.
set name=mikrotik-core
/system leds
# Front-panel LEDs bound to the 2.4 GHz station radio only.
add interface="wlan2 2.4GHz" leds="wlan2 2.4GHz_signal1-led,wlan2 2.4GHz_signa\
    l2-led,wlan2 2.4GHz_signal3-led,wlan2 2.4GHz_signal4-led,wlan2 2.4GHz_sign\
    al5-led" type=wireless-signal-strength
add interface="wlan2 2.4GHz" leds="wlan2 2.4GHz_tx-led" type=\
    interface-transmit
add interface="wlan2 2.4GHz" leds="wlan2 2.4GHz_rx-led" type=\
    interface-receive
/system logging
# The info rule excludes the dhcp topic; the "offering lease ... without
# success" entries presumably still appear because they are logged at warning
# level through the default warning rule - confirm before relying on !dhcp to
# silence them (hiding the symptom is not a fix anyway).
set 0 topics=info,!dhcp
/system ntp client
# Time from the two domain controllers (plain NTP, no authentication).
set enabled=yes primary-ntp=10.16.106.220 secondary-ntp=10.16.106.221
/system scheduler
# Runs the BackupAndUpdate script daily at 00:30 with a broad policy
# (password, sensitive, reboot). NOTE(review): the script exported below is set
# to scriptMode "osupdate" - it installs new RouterOS releases and reboots the
# core router unattended - and its backupPassword is empty, so the e-mailed
# .backup files (which contain credentials) leave the device unencrypted.
# Set a backup password and confirm unattended upgrades are intended here.
add interval=1d name="Backup And Update" on-event=\
    "/system script run BackupAndUpdate;" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=oct/31/2020 start-time=00:30:00
/system script
add dont-require-permissions=no name=BackupAndUpdate owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="#\
    \_Script name: BackupAndUpdate\
    \n# Script:  Mikrotik RouterOS automatic backup & update\
    \n# Version: 20.04.17\
    \n#----------MODIFY THIS SECTION AS NEEDED--------------------------------\
    --------\
    \n## Notification e-mail\
    \n## (Make sure you have configurated Email settings in Tools -> Email)\
    \n:local emailAddress \"support@itnetsystem.ru\";\
    \n\
    \n## Script mode, possible values: backup, osupdate, osnotify.\
    \n# backup \t- \tOnly backup will be performed. (default value, if none pr\
    ovided)\
    \n#\
    \n# osupdate \t- \tThe Script will install a new RouterOS if it is availab\
    le.\
    \n#\t\t\t\tIt will also create backups before and after update process.\
    \n#\t\t\t\tEmail will be sent only if a new RouterOS version is available.\
    \n#\t\t\t\tChange parameter `forceBackup` if you need the script to create\
    \_backups every time when it runs.\
    \n#\
    \n# osnotify \t- \tThe script will send email notification only (without b\
    ackups) if a new RouterOS is available.\
    \n#\t\t\t\tChange parameter `forceBackup` if you need the script to create\
    \_backups every time when it runs.\
    \n:local scriptMode \"osupdate\";\
    \n\
    \n## Additional parameter if you set `scriptMode` to `osupdate` or `osnoti\
    fy`\
    \n# Set `true` if you want the script to perform backup every time it's fi\
    red, whatever script mode is set.\
    \n:local forceBackup true;\
    \n\
    \n## Backup encryption password, no encryption if no password.\
    \n:local backupPassword \"\"\
    \n\
    \n## If true, passwords will be included in exported config.\
    \n:local sensetiveDataInConfig false;\
    \n\
    \n## Update channel. Possible values: stable, long-term, testing, developm\
    ent\
    \n:local updateChannel \"stable\";\
    \n\
    \n## Install only patch versions of RouterOS updates.\
    \n## Works only if you set scriptMode to \"osupdate\"\
    \n## Means that new update will be installed only if MAJOR and MINOR versi\
    on numbers remained the same as currently installed RouterOS.\
    \n## Example: v6.43.6 => major.minor.PATCH\
    \n## Script will send information if new version is greater than just patc\
    h.\
    \n:local installOnlyPatchUpdates\tfalse;\
    \n\
    \n##----------------------------------------------------------------------\
    --------------------##\
    \n#  !!!! DO NOT CHANGE ANYTHING BELOW THIS LINE, IF YOU ARE NOT SURE WHAT\
    \_YOU ARE DOING !!!!  #\
    \n##----------------------------------------------------------------------\
    --------------------##\
    \n\
    \n#Script messages prefix\
    \n:local SMP \"Bkp&Upd:\"\
    \n\
    \n:log info \"\\r\\n\$SMP script \\\"Mikrotik RouterOS automatic backup & \
    update\\\" started.\";\
    \n:log info \"\$SMP Script Mode: \$scriptMode, forceBackup: \$forceBackup\
    \";\
    \n\
    \n#Check proper email config\
    \n:if ([:len \$emailAddress] = 0 or [:len [/tool e-mail get address]] = 0 \
    or [:len [/tool e-mail get from]] = 0) do={\
    \n\t:log error (\"\$SMP Email configuration is not correct, please check T\
    ools -> Email. Script stopped.\");   \
    \n\t:error \"\$SMP bye!\";\
    \n}\
    \n\
    \n#Check if proper identity name is set\
    \nif ([:len [/system identity get name]] = 0 or [/system identity get name\
    ] = \"MikroTik\") do={\
    \n\t:log warning (\"\$SMP Please set identity name of your device (System \
    -> Identity), keep it short and informative.\");  \
    \n};\
    \n\
    \n############### vvvvvvvvv GLOBALS vvvvvvvvv ###############\
    \n# Function converts standard mikrotik build versions to the number.\
    \n# Possible arguments: paramOsVer\
    \n# Example:\
    \n# :put [\$buGlobalFuncGetOsVerNum paramOsVer=[/system routerboard get cu\
    rrent-RouterOS]];\
    \n# result will be: 64301, because current RouterOS version is: 6.43.1\
    \n:global buGlobalFuncGetOsVerNum do={\
    \n\t:local osVer \$paramOsVer;\
    \n\t:local osVerNum;\
    \n\t:local osVerMicroPart;\
    \n\t:local zro 0;\
    \n\t:local tmp;\
    \n\t\
    \n\t# Replace word `beta` with dot\
    \n\t:local isBetaPos [:tonum [:find \$osVer \"beta\" 0]];\
    \n\t:if (\$isBetaPos > 1) do={\
    \n\t\t:set osVer ([:pick \$osVer 0 \$isBetaPos] . \".\" . [:pick \$osVer (\
    \$isBetaPos + 4) [:len \$osVer]]);\
    \n\t}\
    \n\t\
    \n\t:local dotPos1 [:find \$osVer \".\" 0];\
    \n\
    \n\t:if (\$dotPos1 > 0) do={ \
    \n\
    \n\t\t# AA\
    \n\t\t:set osVerNum  [:pick \$osVer 0 \$dotPos1];\
    \n\t\t\
    \n\t\t:local dotPos2 [:find \$osVer \".\" \$dotPos1];\
    \n\t\t\t\t#Taking minor version, everything after first dot\
    \n\t\t:if ([:len \$dotPos2] = 0) \tdo={:set tmp [:pick \$osVer (\$dotPos1+\
    1) [:len \$osVer]];}\
    \n\t\t#Taking minor version, everything between first and second dots\
    \n\t\t:if (\$dotPos2 > 0) \t\t\tdo={:set tmp [:pick \$osVer (\$dotPos1+1) \
    \$dotPos2];}\
    \n\t\t\
    \n\t\t# AA 0B\
    \n\t\t:if ([:len \$tmp] = 1) \tdo={:set osVerNum \"\$osVerNum\$zro\$tmp\";\
    }\
    \n\t\t# AA BB\
    \n\t\t:if ([:len \$tmp] = 2) \tdo={:set osVerNum \"\$osVerNum\$tmp\";}\
    \n\t\t\
    \n\t\t:if (\$dotPos2 > 0) do={ \
    \n\t\t\t:set tmp [:pick \$osVer (\$dotPos2+1) [:len \$osVer]];\
    \n\t\t\t# AA BB 0C\
    \n\t\t\t:if ([:len \$tmp] = 1) do={:set osVerNum \"\$osVerNum\$zro\$tmp\";\
    }\
    \n\t\t\t# AA BB CC\
    \n\t\t\t:if ([:len \$tmp] = 2) do={:set osVerNum \"\$osVerNum\$tmp\";}\
    \n\t\t} else={\
    \n\t\t\t# AA BB 00\
    \n\t\t\t:set osVerNum \"\$osVerNum\$zro\$zro\";\
    \n\t\t}\
    \n\t} else={\
    \n\t\t# AA 00 00\
    \n\t\t:set osVerNum \"\$osVer\$zro\$zro\$zro\$zro\";\
    \n\t}\
    \n\
    \n\t:return \$osVerNum;\
    \n}\
    \n\
    \n# Function creates backups (system and config) and returns array with na\
    mes\
    \n# Possible arguments: \
    \n#\t`backupName` \t\t\t| string\t| backup file name, without extension!\
    \n#\t`backupPassword`\t\t| string \t|\
    \n#\t`sensetiveDataInConfig`\t| boolean \t|\
    \n# Example:\
    \n# :put [\$buGlobalFuncCreateBackups name=\"daily-backup\"];\
    \n:global buGlobalFuncCreateBackups do={\
    \n\t:log info (\"\$SMP Global function \\\"buGlobalFuncCreateBackups\\\" w\
    as fired.\");  \
    \n\t\
    \n\t:local backupFileSys \"\$backupName.backup\";\
    \n\t:local backupFileConfig \"\$backupName.rsc\";\
    \n\t:local backupNames {\$backupFileSys;\$backupFileConfig};\
    \n\
    \n\t## Make system backup\
    \n\t:if ([:len \$backupPassword] = 0) do={\
    \n\t\t/system backup save dont-encrypt=yes name=\$backupName;\
    \n\t} else={\
    \n\t\t/system backup save password=\$backupPassword name=\$backupName;\
    \n\t}\
    \n\t:log info (\"\$SMP System backup created. \$backupFileSys\");   \
    \n\
    \n\t## Export config file\
    \n\t:if (\$sensetiveDataInConfig = true) do={\
    \n\t\t/export compact file=\$backupName;\
    \n\t} else={\
    \n\t\t/export compact hide-sensitive file=\$backupName;\
    \n\t}\
    \n\t:log info (\"\$SMP Config file was exported. \$backupFileConfig\");   \
    \n\
    \n\t#Delay after creating backups\
    \n\t:delay 5s;\t\
    \n\t:return \$backupNames;\
    \n}\
    \n\
    \n:global buGlobalVarUpdateStep;\
    \n############### ^^^^^^^^^ GLOBALS ^^^^^^^^^ ###############\
    \n\
    \n#Current date time in format: 2020jan15-221324 \
    \n:local dateTime ([:pick [/system clock get date] 7 11] . [:pick [/system\
    \_clock get date] 0 3] . [:pick [/system clock get date] 4 6] . \"-\" . [:\
    pick [/system clock get time] 0 2] . [:pick [/system clock get time] 3 5] \
    . [:pick [/system clock get time] 6 8]);\
    \n\
    \n:local deviceOsVerInst \t\t\t[/system package update get installed-versi\
    on];\
    \n:local deviceOsVerInstNum \t\t[\$buGlobalFuncGetOsVerNum paramOsVer=\$de\
    viceOsVerInst];\
    \n:local deviceOsVerAvail \t\t\"\";\
    \n:local deviceOsVerAvailNum \t\t0;\
    \n:local deviceRbModel\t\t\t[/system routerboard get model];\
    \n:local deviceRbSerialNumber \t[/system routerboard get serial-number];\
    \n:local deviceRbCurrentFw \t\t[/system routerboard get current-firmware];\
    \n:local deviceRbUpgradeFw \t\t[/system routerboard get upgrade-firmware];\
    \n:local deviceIdentityName \t\t[/system identity get name];\
    \n:local deviceIdentityNameShort \t[:pick \$deviceIdentityName 0 18]\
    \n:local deviceUpdateChannel \t\t[/system package update get channel];\
    \n\
    \n:local isOsUpdateAvailable \tfalse;\
    \n:local isOsNeedsToBeUpdated\tfalse;\
    \n\
    \n:local isSendEmailRequired\ttrue;\
    \n\
    \n:local mailSubject   \t\t\"\$SMP Device - \$deviceIdentityNameShort.\";\
    \n:local mailBody \t \t\t\"\";\
    \n\
    \n:local mailBodyDeviceInfo\t\"\\r\\n\\r\\nDevice information: \\r\\nIdent\
    ity: \$deviceIdentityName \\r\\nModel: \$deviceRbModel \\r\\nSerial number\
    : \$deviceRbSerialNumber \\r\\nCurrent RouterOS: \$deviceOsVerInst (\$[/sy\
    stem package update get channel]) \$[/system resource get build-time] \\r\
    \\nCurrent routerboard FW: \$deviceRbCurrentFw \\r\\nDevice uptime: \$[/sy\
    stem resource get uptime]\";\
    \n:local mailBodyCopyright \t\"\\r\\n\\r\\nMikrotik RouterOS automatic bac\
    kup & update \\r\\nhttps://github.com/beeyev/Mikrotik-RouterOS-automatic-b\
    ackup-and-update\";\
    \n:local changelogUrl\t\t\t(\"Check RouterOS changelog: https://mikrotik.c\
    om/download/changelogs/\" . \$updateChannel . \"-release-tree\");\
    \n\
    \n:local backupName \t\t\t\"\$deviceIdentityName.\$deviceRbModel.\$deviceR\
    bSerialNumber.v\$deviceOsVerInst.\$deviceUpdateChannel.\$dateTime\";\
    \n:local backupNameBeforeUpd\t\"backup_before_update_\$backupName\";\
    \n:local backupNameAfterUpd\t\"backup_after_update_\$backupName\";\
    \n\
    \n:local backupNameFinal\t\t\$backupName;\
    \n:local mailAttachments\t\t[:toarray \"\"];\
    \n\
    \n:local updateStep \$buGlobalVarUpdateStep;\
    \n:do {/system script environment remove buGlobalVarUpdateStep;} on-error=\
    {}\
    \n:if ([:len \$updateStep] = 0) do={\
    \n\t:set updateStep 1;\
    \n}\
    \n\
    \n\
    \n## \tSTEP ONE: Creating backups, checking for new RouterOs version and s\
    ending email with backups,\
    \n## \tsteps 2 and 3 are fired only if script is set to automatically upda\
    te device and if new RouterOs is available.\
    \n:if (\$updateStep = 1) do={\
    \n\t:log info (\"\$SMP Performing the first step.\");   \
    \n\
    \n\t# Checking for new RouterOS version\
    \n\tif (\$scriptMode = \"osupdate\" or \$scriptMode = \"osnotify\") do={\
    \n\t\tlog info (\"\$SMP Checking for new RouterOS version. Current version\
    \_is: \$deviceOsVerInst\");\
    \n\t\t/system package update set channel=\$updateChannel;\
    \n\t\t/system package update check-for-updates;\
    \n\t\t:delay 5s;\
    \n\t\t:set deviceOsVerAvail [/system package update get latest-version];\
    \n\
    \n\t\t# If there is a problem getting information about available RouterOS\
    \_from server\
    \n\t\t:if ([:len \$deviceOsVerAvail] = 0) do={\
    \n\t\t\t:log warning (\"\$SMP There is a problem getting information about\
    \_new RouterOS from server.\");\
    \n\t\t\t:set mailSubject\t(\$mailSubject . \" Error: No data about new Rou\
    terOS!\")\
    \n\t\t\t:set mailBody \t\t(\$mailBody . \"Error occured! \\r\\nMikrotik co\
    uldn't get any information about new RouterOS from server! \\r\\nWatch add\
    itional information in device logs.\")\
    \n\t\t} else={\
    \n\t\t\t#Get numeric version of OS\
    \n\t\t\t:set deviceOsVerAvailNum [\$buGlobalFuncGetOsVerNum paramOsVer=\$d\
    eviceOsVerAvail];\
    \n\
    \n\t\t\t# Checking if OS on server is greater than installed one.\
    \n\t\t\t:if (\$deviceOsVerAvailNum > \$deviceOsVerInstNum) do={\
    \n\t\t\t\t:set isOsUpdateAvailable true;\
    \n\t\t\t\t:log info (\"\$SMP New RouterOS is available! \$deviceOsVerAvail\
    \");\
    \n\t\t\t} else={\
    \n\t\t\t\t:set isSendEmailRequired false;\
    \n\t\t\t\t:log info (\"\$SMP System is already up to date.\");\
    \n\t\t\t\t:set mailSubject (\$mailSubject . \" No new OS updates.\");\
    \n\t\t\t\t:set mailBody \t (\$mailBody . \"Your system is up to date.\");\
    \n\t\t\t}\
    \n\t\t};\
    \n\t} else={\
    \n\t\t:set scriptMode \"backup\";\
    \n\t};\
    \n\
    \n\tif (\$forceBackup = true) do={\
    \n\t\t# In this case the script will always send email, because it has to \
    create backups\
    \n\t\t:set isSendEmailRequired true;\
    \n\t}\
    \n\
    \n\t# if new OS version is available to install\
    \n\tif (\$isOsUpdateAvailable = true and \$isSendEmailRequired = true) do=\
    {\
    \n\t\t# If we only need to notify about new available version\
    \n\t\tif (\$scriptMode = \"osnotify\") do={\
    \n\t\t\t:set mailSubject \t(\$mailSubject . \" New RouterOS is available! \
    v.\$deviceOsVerAvail.\")\
    \n\t\t\t:set mailBody \t\t(\$mailBody . \"New RouterOS version is availabl\
    e to install: v.\$deviceOsVerAvail (\$updateChannel) \\r\\n\$changelogUrl\
    \")\
    \n\t\t}\
    \n\
    \n\t\t# if we need to initiate RouterOs update process\
    \n\t\tif (\$scriptMode = \"osupdate\") do={\
    \n\t\t\t:set isOsNeedsToBeUpdated true;\
    \n\t\t\t# if we need to install only patch updates\
    \n\t\t\t:if (\$installOnlyPatchUpdates = true) do={\
    \n\t\t\t\t#Check if Major and Minor builds are the same.\
    \n\t\t\t\t:if ([:pick \$deviceOsVerInstNum 0 ([:len \$deviceOsVerInstNum]-\
    2)] = [:pick \$deviceOsVerAvailNum 0 ([:len \$deviceOsVerAvailNum]-2)]) do\
    ={\
    \n\t\t\t\t\t:log info (\"\$SMP New patch version of RouterOS firmware is a\
    vailable.\");   \
    \n\t\t\t\t} else={\
    \n\t\t\t\t\t:log info (\"\$SMP New major or minor version of RouterOS firm\
    ware is available. You need to update it manually.\");\
    \n\t\t\t\t\t:set mailSubject \t(\$mailSubject . \" New RouterOS: v.\$devic\
    eOsVerAvail needs to be installed manually.\");\
    \n\t\t\t\t\t:set mailBody \t\t(\$mailBody . \"New major or minor RouterOS \
    version is available to install: v.\$deviceOsVerAvail (\$updateChannel). \
    \\r\\nYou chose to automatically install only patch updates, so this major\
    \_update you need to install manually. \\r\\n\$changelogUrl\");\
    \n\t\t\t\t\t:set isOsNeedsToBeUpdated false;\
    \n\t\t\t\t}\
    \n\t\t\t}\
    \n\
    \n\t\t\t#Check again, because this variable could be changed during checki\
    ng for installing only patch updats\
    \n\t\t\tif (\$isOsNeedsToBeUpdated = true) do={\
    \n\t\t\t\t:log info (\"\$SMP New RouterOS is going to be installed! v.\$de\
    viceOsVerInst -> v.\$deviceOsVerAvail\");\
    \n\t\t\t\t:set mailSubject\t(\$mailSubject . \" New RouterOS is going to b\
    e installed! v.\$deviceOsVerInst -> v.\$deviceOsVerAvail.\");\
    \n\t\t\t\t:set mailBody \t\t(\$mailBody . \"Your Mikrotik will be updated \
    to the new RouterOS version from v.\$deviceOsVerInst to v.\$deviceOsVerAva\
    il (Update channel: \$updateChannel) \\r\\nFinal report with the detailed \
    information will be sent when update process is completed. \\r\\nIf you ha\
    ve not received second email in the next 5 minutes, then probably somethin\
    g went wrong. (Check your device logs)\");\
    \n\t\t\t\t#!! There is more code connected to this part and first step at \
    the end of the script.\
    \n\t\t\t}\
    \n\t\t\
    \n\t\t}\
    \n\t}\
    \n\
    \n\t## Checking If the script needs to create a backup\
    \n\t:log info (\"\$SMP Checking If the script needs to create a backup.\")\
    ;\
    \n\tif (\$forceBackup = true or \$scriptMode = \"backup\" or \$isOsNeedsTo\
    BeUpdated = true) do={\
    \n\t\t:log info (\"\$SMP Creating system backups.\");\
    \n\t\tif (\$isOsNeedsToBeUpdated = true) do={\
    \n\t\t\t:set backupNameFinal \$backupNameBeforeUpd;\
    \n\t\t};\
    \n\t\tif (\$scriptMode != \"backup\") do={\
    \n\t\t\t:set mailBody (\$mailBody . \"\\r\\n\\r\\n\");\
    \n\t\t};\
    \n\
    \n\t\t:set mailSubject\t(\$mailSubject . \" Backup was created.\");\
    \n\t\t:set mailBody\t\t(\$mailBody . \"System backups were created and att\
    ached to this email.\");\
    \n\
    \n\t\t:set mailAttachments [\$buGlobalFuncCreateBackups backupName=\$backu\
    pNameFinal backupPassword=\$backupPassword sensetiveDataInConfig=\$senseti\
    veDataInConfig];\
    \n\t} else={\
    \n\t\t:log info (\"\$SMP There is no need to create a backup.\");\
    \n\t}\
    \n\
    \n\t# Combine fisrst step email\
    \n\t:set mailBody (\$mailBody . \$mailBodyDeviceInfo . \$mailBodyCopyright\
    );\
    \n}\
    \n\
    \n## \tSTEP TWO: (after first reboot) routerboard firmware upgrade\
    \n## \tsteps 2 and 3 are fired only if script is set to automatically upda\
    te device and if new RouterOs is available.\
    \n:if (\$updateStep = 2) do={\
    \n\t:log info (\"\$SMP Performing the second step.\");   \
    \n\t## RouterOS is the latest, let's check for upgraded routerboard firmwa\
    re\
    \n\tif (\$deviceRbCurrentFw != \$deviceRbUpgradeFw) do={\
    \n\t\t:set isSendEmailRequired false;\
    \n\t\t:delay 10s;\
    \n\t\t:log info \"\$SMP Upgrading routerboard firmware from v.\$deviceRbCu\
    rrentFw to v.\$deviceRbUpgradeFw\";\
    \n\t\t## Start the upgrading process\
    \n\t\t/system routerboard upgrade;\
    \n\t\t## Wait until the upgrade is completed\
    \n\t\t:delay 5s;\
    \n\t\t:log info \"\$SMP routerboard upgrade process was completed, going t\
    o reboot in a moment!\";\
    \n\t\t## Set scheduled task to send final report on the next boot, task wi\
    ll be deleted when is is done. (That is why you should keep original scrip\
    t name)\
    \n\t\t/system schedule add name=BKPUPD-FINAL-REPORT-ON-NEXT-BOOT on-event=\
    \":delay 5s; /system scheduler remove BKPUPD-FINAL-REPORT-ON-NEXT-BOOT; :g\
    lobal buGlobalVarUpdateStep 3; :delay 10s; /system script run BackupAndUpd\
    ate;\" start-time=startup interval=0;\
    \n\t\t## Reboot system to boot with new firmware\
    \n\t\t/system reboot;\
    \n\t} else={\
    \n\t\t:log info \"\$SMP It appers that your routerboard is already up to d\
    ate, skipping this step.\";\
    \n\t\t:set updateStep 3;\
    \n\t};\
    \n}\
    \n\
    \n## \tSTEP THREE: Last step (after second reboot) sending final report\
    \n## \tsteps 2 and 3 are fired only if script is set to automatically upda\
    te device and if new RouterOs is available.\
    \n:if (\$updateStep = 3) do={\
    \n\t:log info (\"\$SMP Performing the third step.\");   \
    \n\t:log info \"Bkp&Upd: RouterOS and routerboard upgrade process was comp\
    leted. New RouterOS version: v.\$deviceOsVerInst, routerboard firmware: v.\
    \$deviceRbCurrentFw.\";\
    \n\t## Small delay in case mikrotik needs some time to initialize connecti\
    ons\
    \n\t:log info \"\$SMP The final email with report and backups of upgraded \
    system will be sent in a minute.\";\
    \n\t:delay 1m;\
    \n\t:set mailSubject\t(\$mailSubject . \" RouterOS Upgrade is completed, n\
    ew version: v.\$deviceOsVerInst!\");\
    \n\t:set mailBody \t  \t\"RouterOS and routerboard upgrade process was com\
    pleted. \\r\\nNew RouterOS version: v.\$deviceOsVerInst, routerboard firmw\
    are: v.\$deviceRbCurrentFw. \\r\\n\$changelogUrl \\r\\n\\r\\nBackups of th\
    e upgraded system are in the attachment of this email.  \$mailBodyDeviceIn\
    fo \$mailBodyCopyright\";\
    \n\t:set mailAttachments [\$buGlobalFuncCreateBackups backupName=\$backupN\
    ameAfterUpd backupPassword=\$backupPassword sensetiveDataInConfig=\$senset\
    iveDataInConfig];\
    \n}\
    \n\
    \n# Remove functions from global environment to keep it fresh and clean.\
    \n:do {/system script environment remove buGlobalFuncGetOsVerNum;} on-erro\
    r={}\
    \n:do {/system script environment remove buGlobalFuncCreateBackups;} on-er\
    ror={}\
    \n\
    \n##\
    \n## SENDING EMAIL\
    \n##\
    \n# Trying to send email with backups in attachment.\
    \n# The attachments are deleted from flash only after a successful send\
    \n# (see the cleanup below); if both attempts fail, the backup files\
    \n# (unencrypted when backupPassword is empty) stay on the device.\
    \n\
    \n:if (\$isSendEmailRequired = true) do={\
    \n\t:log info \"\$SMP Sending email message, it will take around half a mi\
    nute...\";\
    \n\t:do {/tool e-mail send to=\$emailAddress subject=\$mailSubject body=\$\
    mailBody file=\$mailAttachments;} on-error={\
    \n\t\t:delay 5s;\
    \n\t\t:log error \"\$SMP could not send email message (\$[/tool e-mail get\
    \_last-status]). Going to try it again in a while.\"\
    \n\
    \n\t\t:delay 5m;\
    \n\
    \n\t\t:do {/tool e-mail send to=\$emailAddress subject=\$mailSubject body=\
    \$mailBody file=\$mailAttachments;} on-error={\
    \n\t\t\t:delay 5s;\
    \n\t\t\t:log error \"\$SMP could not send email message (\$[/tool e-mail g\
    et last-status]) for the second time.\"\
    \n\
    \n\t\t\tif (\$isOsNeedsToBeUpdated = true) do={\
    \n\t\t\t\t:set isOsNeedsToBeUpdated false;\
    \n\t\t\t\t:log warning \"\$SMP script is not going to initialise update pr\
    ocess due to inability to send backups to email.\"\
    \n\t\t\t}\
    \n\t\t}\
    \n\t}\
    \n\
    \n\t:delay 30s;\
    \n\t\
    \n\t:if ([:len \$mailAttachments] > 0 and [/tool e-mail get last-status] =\
    \_\"succeeded\") do={\
    \n\t\t:log info \"\$SMP File system cleanup.\"\
    \n\t\t/file remove \$mailAttachments; \
    \n\t\t:delay 2s;\
    \n\t}\
    \n\t\
    \n}\
    \n\
    \n\
    \n# Fire RouterOs update process\
    \nif (\$isOsNeedsToBeUpdated = true) do={\
    \n\
    \n\t## Set scheduled task to upgrade routerboard firmware on the next boot\
    , task will be deleted when upgrade is done. (That is why you should keep \
    original script name)\
    \n\t/system schedule add name=BKPUPD-UPGRADE-ON-NEXT-BOOT on-event=\":dela\
    y 5s; /system scheduler remove BKPUPD-UPGRADE-ON-NEXT-BOOT; :global buGlob\
    alVarUpdateStep 2; :delay 10s; /system script run BackupAndUpdate;\" start\
    -time=startup interval=0;\
    \n   \
    \n   :log info \"\$SMP everything is ready to install new RouterOS, going \
    to reboot in a moment!\"\
    \n\t## command is reincarnation of the \"upgrade\" command - doing exactly\
    \_the same but under a different name\
    \n\t/system package update install;\
    \n}\
    \n\
    \n:log info \"\$SMP script \\\"Mikrotik RouterOS automatic backup & update\
    \\\" completed it's job.\\r\\n\";"
# SMTP relay used by the BackupAndUpdate script to mail system backups.
# No tls= or user= is exported here, so the RouterOS defaults apply
# (presumably plain, unauthenticated SMTP to an internal relay - confirm).
# The script attaches an unencrypted .backup when backupPassword is empty,
# so either set a backup password there or enable TLS here if the relay
# supports it.
/tool e-mail
set address=10.16.106.118 from=mikrotik@itnetsystem.ru
# MAC-telnet and MAC-Winbox answer on every interface in the LAN list
# (layer-2 access, no IP required). Restricting this to a management-only
# interface list is a common hardening step once in-band access is known
# to work.
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

