This subnet will have full access to the router. Pay attention for all comments before apply each DROP rules.įirst we need to create our ADDRESS LIST with all IPs we will use most timesīelow you need to change x.x.x.x/x for your technical subnet. This script has basic rules to protect your router and avoid some unnecessary forwarding traffic. /system reset-configuration run-after-reset=flash/nycmesh-omni-#.This is a basic firewall that can be applied to any Router.Run After Reset: flash/nycmesh-omni-#.rsc.WebFig > System > Reset Configuration.Factory Reset the device with the option to restore this script.Pscp -scp nycmesh-omni-#.rsc You should see the file in the WebUI as flash/nycmesh-omni-#.rsc From a Windows desktop, you must have PuTTY installed and run the following command from the command prompt:.Scp nycmesh-omni-#.rsc may need to confirm the SSH key ( typical with SSH )
From a Mac or Linux desktop, upload the file using scp:.Instead you need to upload the file using scp.However, there is no way to create a folder from the device. The file needs to be in the flash/ folder.
Update firmware to latest on your device ( see Mikrotik Firmware ).Factory Reset device if needed ( see MikroTik Specifics for details ).Save as nycmesh-omni-#.rsc where # is your node number. Fill in config file parameters at the top of the script.Acquire config parameters ( BGP ASN, IP range, node number, etc.system clock set time-zone-name=America/New_York ".129") netmask=25Īdd action=accept chain=input protocol=icmpĪdd action=drop chain=forward in-interface=publicaccess out-interface=tenantsĪdd action=drop chain=input in-interface=publicaccess ".0/24") synchronize=noĪdd address=($ipprefix. ".128")Īdd name=publicaccess ranges=$ippublicrangeĪdd address-pool=tenants disabled=no interface=tenants name=tenantsdhcpĪdd address-pool=publicaccess disabled=no interface=publicaccess name=publicaccessdhcpĪdd network=($ipprefix. ".129/26") interface=publicaccess network=($ipprefix. ".1/25") interface=tenants network=($ipprefix. "-omni") wireless-protocol=802.11 wps-mode=disabledĪdd disabled=no master-interface=wlan1 name=wlan2 ssid="-NYC Mesh Community WiFi-" wps-mode=disabledĪdd address=($ipprefix. Set band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee disabled=no distance=indoors frequency=auto mode=ap-bridge security-profile=nycmeshnet ssid=("nycmesh-". Wpa-pre-shared-key=nycmeshnet wpa2-pre-shared-key=nycmeshnet Set poe-out=forced-onĪdd authentication-types=wpa-psk,wpa2-psk management-protection=allowed mode=\ĭynamic-keys name=nycmeshnet supplicant-identity=nycmesh \ This script only works on the OmniTik 5ac PoE modelīetter firewall rules :global nodenumber 1111 The is our obsolete 3.2 template script which needs some variables filled in. Here is a slideshow of configuring an OmniTikĮxpand for OLD nycmesh-omnitik-v3.2.rsc example
We now have a script generator you can find here As discussed in the MikroTik Specifics page, these devices need a script to be generated and loaded onto the device rather than a saved config file. Here are the current config instructions.
Please be sure to see MikroTik Specifics for extra info about Mikrotik devices, how to connect, etc. It acts as an AP for the rooftop, and also runs our config of WDS and OSPF so it will mesh with other OmniTiks or SXTsqs within a few blocks We can plug in other devices such as a LiteBeam, or run cables down to apartments. The OmniTik serves a few purposes for us. The Omnitik 5ac is an outdoor switch/router with a built-in 5Ghz 802.11ac access point, omnidirectional antenna, and 5 gigabit ethernet ports.