

Sonora Comm Default MikroTik Configuration Script

Configuration Procedure

  1. Reset the router to no configuration
    • /system reset-configuration no-defaults=yes
    • If you don't completely erase the configuration, the script will fail
  2. Copy, edit and save the script as configscript.rsc
  3. Reconnect to the router using Winbox
  4. Drag and drop the script into the File List window
  5. Import the script
    • /import configscript.rsc
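Before step 5 it pays to validate the edited settings offline, because the script's own pre-flight checks only verify interfaces and packages (the script itself notes that the WAN and LAN addressing is "NOT checked"). The following validator is an added example, not part of the page's script: it parses the :local settings lines, enforces the IP-versus-FQDN rules the comments ask for, checks that addresses, the DHCP pool and the port-forward target sit inside their networks, and flags placeholder secrets left at their shipped values. The sample input is a constructed excerpt of the settings section.

```python
import ipaddress
import re

# Constructed excerpt of the "Make your changes here" section of configscript.rsc:
# the page's defaults, except that wanaddress is deliberately placed outside
# wannetwork/wanbits so that one of the checks fails.
SAMPLE_RSC = """\
:local adminpassword "bad1egg!";
:local nsa "8.8.8.8";
:local nsb "8.8.4.4";
:local tcpports "21,25,80,443,465,993,995,2222";
:local internalserver "192.168.1.2";
:local ntpa "0.us.pool.ntp.org";
:local ntpb "1.us.pool.ntp.org";
:local emailserver "mail.sonoracomm.com";
:local wanaddress "1.1.1.5";
:local wannetwork "1.1.1.0";
:local wanbits "30";
:local lanaddress "192.168.1.1";
:local lannetwork "192.168.1.0";
:local lanbits "24";
:local dhcppoolstart "192.168.1.65";
:local dhcppoolend "192.168.1.199";
:local wlankey "a-key-that-was-actually-changed";
"""

# Matches the script's settings lines:   :local name "value";
LOCAL_RE = re.compile(r'^:local\s+(\w+)\s+"([^"]*)"\s*;?\s*$', re.MULTILINE)

# Placeholder secrets shipped in the script; importing them unchanged leaves the
# router running with published credentials.
PLACEHOLDER_SECRETS = {"adminpassword": "bad1egg!", "wlankey": "baaaaaaaad",
                       "emailpassword": "MailFromMachines!"}

def parse_locals(text):
    """Return the :local name "value" assignments of an .rsc file as a dict."""
    return {m.group(1): m.group(2) for m in LOCAL_RE.finditer(text)}

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def check_settings(cfg):
    """Return the problems that the script's own pre-flight checks do not catch."""
    problems = []
    for key in ("nsa", "nsb"):                      # DNS servers must be IPs
        if key in cfg and not is_ip(cfg[key]):
            problems.append(f"{key} must be an IP address, not a name: {cfg[key]}")
    for key in ("ntpa", "ntpb", "emailserver"):     # these are :resolve'd later
        if key in cfg and is_ip(cfg[key]):
            problems.append(f"{key} must be a FQDN, not an IP address: {cfg[key]}")
    nets = {}
    for side in ("wan", "lan"):                     # "These are NOT checked!!"
        try:
            nets[side] = ipaddress.ip_network(f"{cfg[side + 'network']}/{cfg[side + 'bits']}")
            if ipaddress.ip_address(cfg[side + "address"]) not in nets[side]:
                problems.append(f"{side}address {cfg[side + 'address']} is not inside {nets[side]}")
        except (KeyError, ValueError) as exc:
            problems.append(f"{side} addressing is incomplete or malformed: {exc}")
    if "lan" in nets:                               # pool and dst-nat target must be on the LAN
        for key in ("dhcppoolstart", "dhcppoolend", "internalserver"):
            if key in cfg and not (is_ip(cfg[key]) and ipaddress.ip_address(cfg[key]) in nets["lan"]):
                problems.append(f"{key} {cfg[key]} is not inside the LAN {nets['lan']}")
    for port in (cfg["tcpports"].split(",") if "tcpports" in cfg else []):   # dst-nat port list
        if not (port.strip().isdigit() and 1 <= int(port) <= 65535):
            problems.append(f"tcpports contains an invalid port: {port!r}")
    for key, default in PLACEHOLDER_SECRETS.items():
        if cfg.get(key) == default:
            problems.append(f"{key} still holds the script's placeholder value")
    return problems
```

Run it as check_settings(parse_locals(open("configscript.rsc").read())) against your edited file; an empty list means the settings section is consistent.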

Script

# Sonora RouterOS Config
# 
# Adapted by Gene Cooper from a script by Nick Barnes (www.vitell.co.uk)
#
# http://www.sonoracomm.com
#
# Save this file as 'configscript.rsc' and drag it to the files window
# in Winbox. Then at the command line, type '/import configscript.rsc'
# and read the logs!
#
#################################################################
#
# The purpose of this script is to create a standard SOHO type
# configuration which can be built on by the user.
# It does not provide a complete solution, but should be enough
# to get you up and running.
#
#################################################################
# WARNING
# As this script stands, it will trash your existing configuration
# so don't run it on a router which has been customised or it won't
# be any more!
#
# DO NOT run this on a live production system.
#
# We accept absolutely no liability whatsoever. If you choose to run
# this script, anything bad that happens is entirely your problem.
#
# We recommend that your configuration be cleared with the command
# '/system reset-configuration no-defaults=yes'
# before this script is run.
#################################################################
#
# Make your changes here:
##########################
#
# Set the 'admin' password
:local adminpassword "bad1egg!";
#
# Set the web management service port
:local adminport "81";
#
#
# Name servers must be IP addresses (i.e. not a FQDN)
:local nsa "8.8.8.8";
:local nsb "8.8.4.4";
#
# Use NAT (yes/no) - Set to 'yes' unless you know what you're doing!
:local natuse "yes";
#
# Add all additional ethernet ports to the bridge (yes/no) - Set to 'yes' if you want all
# other ports to be bridged as in most SOHO routers.
:local bridgetherest "yes";
#
# Forwarding ports with this script is limited to one set of ports to one internal server.
# Add additional ports manually afterwards.
#
# Forward TCP Ports (yes/no) - Set to 'no' unless you know what you're doing!
:local fwdtcpports "yes";
:local tcpports "21,25,80,443,465,993,995,2222";
:local internalserver "192.168.1.2";
#
#
#### Network Time (NTP) Settings
#
## NTP Client Settings
#
# We use two NTP servers and these must be specified as FQDNs
# (fully qualified domain names) - i.e. not IP addresses.
#
# Note that we cannot assume an Internet connection is available at the time this
# configuration is run, so we cannot set the NTP client to the addresses you choose
# straight away (if RouterOS cannot resolve the host names, the script will crash).
# Instead we start with dummy IP addresses and create a scheduled script that resolves
# the following names regularly, so the real servers are used once the Internet
# connection is up. This sounds long-winded, but it is actually a better way of doing
# things anyway: if the IP addresses of these hosts change (as they will if you use
# the pool.ntp.org names), your RouterOS will always be connected to a working server.
#
# The defaults are fine, but you may want to use closer servers if you don't live in the US.
:local ntpa "0.us.pool.ntp.org";
:local ntpb "1.us.pool.ntp.org";
#
# Now we define the temporary IP addresses to use pending resolution of the FQDNs above.
:local ntptempa "199.241.31.96";
:local ntptempb "173.244.211.10";
#
### NTP Server Settings
#
# Offer NTP to LAN (yes/no) - Leave this as 'no' unless you have installed the NTP package.
# This sets the system up as an NTP server. This probably isn't necessary for simple solutions
# but can save some bandwidth for larger systems.
:local ntpserver "no";
#
#
#### PPPoE Settings
#
# Use PPPoE (yes/no) - Set to 'no' unless you know what you're doing!
:local pppoeuse "no";
#
# Name of PPPoE interface to create if pppoeuse is 'yes'
# You can safely leave this alone.
:local pppoeinterface "pppoe1";
#
# Your PPPoE login details (ignored if PPPoE is not used)
# PPPoE is configured on the WAN interface in addition to the WAN IP addresses defined below.
#
# Username
:local pppoeuser "user@a.1";
# Password
:local pppoepassword "mypassword";
#
# The IP address you expect to have allocated to this interface.
# Set to empty ("") if your address is allocated dynamically.
# This is used to determine whether the link has gone down and you
# have been allocated an incorrect IP address (typically this would
# be when you have BT broadband in the UK!)
# Leaving this variable blank means that a monitoring script will not
# be created.
:local pppoeipaddress "";
#
#
#### Mail Settings
#
# The 'emailserver' must be a FQDN and this setting works in the same way as the NTP servers above
# (i.e. we cannot assume that we can resolve the name right now)
:local emailserver "mail.sonoracomm.com";
#
# Again, in the same way we did for NTP, above, we'll use the following IP address until we
# can resolve the FQDN specified above. You're OK leaving this as the default, but doing so
# may mean that e-mail doesn't work until the FQDN can be resolved.
:local emailservertempip "209.104.9.39";
#
# The default address e-mails will appear to have been sent from.
:local emailfrom "MT Router <router@client>";
#
# The e-mail address which should be notified about things happening on this system.
:local emailto "router@sonoracomm.com";
#
# The e-mail username for SMTP Authentication.
:local emailusername "smtpuser";
#
# The e-mail password for SMTP Authentication.
:local emailpassword "MailFromMachines!";
#
# The SMTP port for mail submission.
:local emailport "25";
#
#
#### Interfaces
#
# You may define one WAN interface plus an ethernet LAN interface and/or a wireless LAN interface.
# If you want both ethernet and wireless, a bridge is created across the two interfaces.
#
# Do we want to have our LAN on Ethernet (yes/no)
:local useetherlan "yes";
#
# Do we want to have our LAN on Wireless (yes/no)
:local usewlan "yes";
#
### Interface Names
#
# WAN interface
:local waninterface "ether1";
#
# Ethernet LAN interface
:local etherlaninterface "ether2";
#
# Wireless LAN interface
:local wlaninterface "wlan1";
#
# Name of bridge to create if both useetherlan and usewlan are 'yes'
:local bridgeinterface "bridge1";
#
#
#### WAN IP Addressing
#
# Use DHCP Client on WAN (yes/no) - Set to 'yes' if your WAN IP is assigned via DHCP (cable modem?).
:local dhcpwan "yes";
#
# The WAN address to use (if not using PPPoE or DHCP), the network it's in and
# the number of bits in the subnet mask.  These are NOT checked!!  Note that even
# if you are using PPPoE, you will still want to define a WAN network so you can
# browse the web pages of your ADSL modem!
:local wanaddress "1.1.1.1";
:local wannetwork "1.1.1.0";
:local wanbits "30";
#
# Define the external gateway
# If we are using PPPoE or DHCP, this is not used, otherwise it's our route out to the world
# and should probably be the address of your ADSL modem/router.
:local wangateway "1.1.1.2";
#
#### LAN IP Addressing
#
# Router IP address, network and subnet mask (24 = 255.255.255.0)
:local lanaddress "192.168.1.1";
:local lannetwork "192.168.1.0";
:local lanbits "24";
#
#
#### Wireless Configuration
#
# This is only used if usewlan, above, is "yes".
# If you want a wireless LAN, this script sets one up with WPA and WPA2 security.
# Define the frequency we want to run on. We suggest you leave this at the default and
# tweak it later if required. '2412' is channel 1.
#
:local wlanfreq "2412";
# Your SSID
:local wlanssid "MyWIFI";
# The Key to use.
:local wlankey "baaaaaaaad";
#
#
#### DHCP Server
#
# We must define a pool of addresses and a server to serve out that pool.
#
# Act as DHCP server to LAN (yes/no)
:local dhcpuse "yes";
#
# Define the start and end addresses of the pool to offer.
:local dhcppoolstart "192.168.1.65";
:local dhcppoolend "192.168.1.199";
#
# If required, define the domain. You can probably leave this as the default.
:local dhcpdomain "";
#
#
################################################################
# Don't change anything below this line.
################################################################
#
:put "";
#
# Set up logging so we get more than the standard 100 lines.
/system logging action set memory memory-lines=500
#
:log info "Starting pre-flight checks";
#
:local failedtests "0";
#
# Check that if we're using an ethernet LAN, the interface defined exists.
:if ($useetherlan = "yes" and [/interface find name=$etherlaninterface] = "") do={
    :log error "Specified Ethernet LAN interface '$etherlaninterface' doesn't exist.";
	:set failedtests "1";
  }
# Check that if we're using a wireless LAN, we have the wireless package installed.
:if ($usewlan = "yes" and [/system package find name=wireless disabled=no] = "") do={
    :log error "\$usewlan=\"yes\", but wireless package is not installed.";
	:set failedtests "1";
  }
# Check that if we're using a wireless LAN, the interface exists.
:if ($usewlan = "yes" and [/interface find name=$wlaninterface] = "") do={
    :log error "Specified Wireless LAN interface '$wlaninterface' doesn't exist.";
	:set failedtests "1";
  }
# Check that the WAN interface exists
:if ([/interface find name=$waninterface] = "") do={
    :log error "Specified WAN interface '$waninterface' doesn't exist.";
	:set failedtests "1";
  }
# Check that we aren't using the same interface for different purposes
:if ((($useetherlan = "yes") and ($usewlan = "yes") and ($etherlaninterface = $wlaninterface)) or \
  (($useetherlan = "yes") and ($etherlaninterface = $waninterface)) or \
  (($usewlan = "yes") and ($wlaninterface = $waninterface))) do={
    :log error "two or all of eLAN, wLAN and WAN interfaces are set to the same value";
	:set failedtests "1";
	}
# If we want PPPoE, we need the PPP package.
:if ($pppoeuse = "yes" and [/system package find name=ppp disabled=no] = "") do={
    :log error "\$pppoeuse=\"yes\", but PPP package is not installed.";
	:set failedtests "1";
  }
# If we want to be a NTP server, we need the NTP package.
:if ($ntpserver = "yes" and [/system package find name=ntp disabled=no] = "") do={
    :log error "\$ntpserver=\"yes\", but NTP package is not installed.";
	:set failedtests "1";
  }
#
# If we've failed any of the tests above, die!
:if ($failedtests != "0") do={
  :put "";
  :put "";
  :error "Script execution stopped under error condition. Please see the system log for details.";
  }
#
# Clearing out the garbage.
/system scheduler remove [find];
/interface bridge remove [find];
/interface bridge port remove [find];
/ip address remove [find];
/ip route remove [find dst-address=0.0.0.0/0];
/ip dhcp-server remove [find];
/ip pool remove [find];
/ip dhcp-server network remove [find];
/system script remove [find];
/ip firewall address-list remove [find];
/ip firewall nat remove [find];
/ip firewall filter remove [find];
#
# Set admin password
:log info "Setting admin password";
/user set admin password="$adminpassword";
#
# Configure e-mail
:log info "Configuring e-mail details";
/tool e-mail set from="$emailfrom" password="$emailpassword" address="$emailservertempip"\
   port="$emailport" user="$emailusername";
#
#
# Get wireless working if required.
:if ($usewlan = "yes") do={
  :log info "Setting Wireless LAN security";
  /interface wireless reset-configuration $wlaninterface;
  /interface wireless security-profiles remove [find name!=default];
  /interface wireless security-profiles add \
    authentication-types=wpa-psk,wpa2-psk group-ciphers=aes-ccm \
    unicast-ciphers=aes-ccm mode=dynamic-keys name=autoconfig \
    wpa-pre-shared-key=$wlankey wpa2-pre-shared-key=$wlankey;
  /interface wireless set $wlaninterface band=2ghz-b/g/n \
    default-authentication=yes default-forwarding=yes disabled=no \
    frequency=$wlanfreq mode=ap-bridge wireless-protocol=any\
    security-profile=autoconfig channel-width=20/40mhz-ht-above\
    ssid=$wlanssid ht-txchains=0,1 ht-rxchains=0,1 arp=enabled l2mtu=2290\
    mtu=1500 distance=indoors country="united states";
  }
#
# If using an Ethernet as the WAN interface and the bridge interface as the LAN,
# we add the wireless and other Ethernet ports to the LAN bridge.
#
:local internalinterface;
:if ($useetherlan = "yes") do={
  :if ($usewlan = "yes") do={
    :set internalinterface "$bridgeinterface";
    } else={
	:set internalinterface "$etherlaninterface";
	}
  } else={
  :if ($usewlan = "yes") do={
    :set internalinterface "$wlaninterface";
    } else={
	:set internalinterface "$bridgeinterface";
	}
  }
#
# Set up the bridge and add the interfaces if required.
#
:if ( $internalinterface = $bridgeinterface ) do={
  /interface bridge add comment="LAN Bridge" disabled=no name=$bridgeinterface;
#
  /interface bridge port add bridge=$bridgeinterface comment="Master Bridge Port" disabled=no\
    edge=auto external-fdb=auto horizon=none interface=$etherlaninterface path-cost=10\
    point-to-point=auto priority=0x80;
#
  :if ( $bridgetherest = "yes" ) do={
     # Walk every Ethernet port and bridge those that are neither the WAN nor the LAN port.
     :local etherports [ /interface ethernet find ];
     :local ethername "";
     :foreach etherport in=$etherports do={
       :set ethername [/interface get $etherport name];
       :if (( $ethername != "$waninterface" ) and ( $ethername != "$etherlaninterface" )) do={
         /interface bridge port add bridge=$bridgeinterface comment="Bridged Port" disabled=no\
            interface=$ethername;
         :log info "Added $ethername to $bridgeinterface";
         }
       }
     }
# Add the wireless LAN to the bridge
  /interface bridge port add bridge=$bridgeinterface comment="Wireless Bridge Port" disabled=no\
     interface=$wlaninterface;
  }
#
:log info "Using $internalinterface as the internal interface.";
#
# Set up interfaces with the correct addresses
#
:if ($dhcpwan = "yes") do={
  /ip dhcp-client add comment="DHCP on WAN" disabled=no interface=$waninterface;
  :log info "Setting WAN IP address dynamically";
  } else={
      :log info "Setting WAN IP address to $wanaddress/$wanbits on interface $waninterface";
      /ip address add address="$wanaddress/$wanbits" comment="WAN" disabled=no interface=$waninterface;
      }
#
# Set LAN address
:log info "Setting LAN IP address to $lanaddress/$lanbits on interface $internalinterface";
/ip address add address="$lanaddress/$lanbits" comment="LAN" disabled=no interface=$internalinterface;
#
#
# Sort out gateway
:if (($pppoeuse != "yes") and ($dhcpwan != "yes")) do={
  :log info "Setting gateway to $wangateway";
  /ip route add comment="Default route" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=$wangateway;
} else={
  :log info "Not setting gateway as this will be provided by PPPoE or DHCP.";
}
#
#
# And DNS
:log info "Setting DNS servers to $nsa and $nsb"
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
    max-udp-packet-size=512 servers="$nsa,$nsb";
#
#
# Set up DHCP server if required
:if ($dhcpuse = "yes") do={
  :log info "Setting DHCP server on interface $internalinterface, pool $dhcppoolstart-$dhcppoolend";
  /ip pool add name=DHCPpool ranges="$dhcppoolstart-$dhcppoolend";
  /ip dhcp-server network add address="$lannetwork/$lanbits" comment="DHCP" \
    dns-server="$lanaddress,$nsa" domain=$dhcpdomain gateway=$lanaddress;
  /ip dhcp-server add address-pool=DHCPpool authoritative=yes disabled=no \
    interface=$internalinterface lease-time=3d name=DHCPserver;
} else={
  :log info "Skipping DHCP server configuration.";
}
#
#
# Set up PPPoE if required
:if ($pppoeuse = "yes") do={
  /interface pppoe-client remove [find];
  :log info "Setting up PPPoE";
  /interface pppoe-client add add-default-route=yes allow=chap comment="PPPoE" \
    dial-on-demand=no disabled=no interface=$waninterface max-mru=1492 max-mtu=1492 \
    mrru=disabled name="$pppoeinterface" password=$pppoepassword profile=default \
    service-name="" use-peer-dns=no user=$pppoeuser;
  } else={
    :log info "Skipping PPPoE configuration.";
  }
#
#
# Set up NTP client (doesn't matter what addresses we specify here as long as there's something there)
:log info "Setting up NTP client with dummy addresses.";
/system ntp client set enabled=yes mode=unicast primary-ntp="$ntptempa" secondary-ntp="$ntptempb";
:log info "Creating script to update with NTP servers $ntpa and $ntpb";
/system script add name=setntpip policy=ftp,write,winbox source="# Get the current client status\r\
\n:local ntpclientstatus [/system ntp client get status];\r\
\n:if (\$ntpclientstatus=\"synchronized\") do={:error \"Already synchronised\"};\r\
\n# Resolve the two ntp hostnames\r\
    \n:local ntpipa [:resolve \"$ntpa\"];\r\
    \n:local ntpipb [:resolve \"$ntpb\"];\r\
    \n/system ntp client set primary-ntp=\"\$ntpipa\" secondary-ntp=\"\$ntpipb\";";
:log info "Scheduling script.";
/system scheduler add comment="Set the correct NTP addresses" disabled=no interval=1h name=setntpservers\
   on-event=setntpip policy=write,test start-date=jan/01/1970 start-time=12:34:56;
:log info "Running script on the off chance all interfaces are set up and it will work.";
:execute setntpip;
#
#
# Set up as NTP server
:if ($ntpserver = "yes") do={
  :log info "Setting up NTP server";
  /system ntp server set broadcast=no enabled=yes manycast=yes multicast=no;
  } else={
    :log info "Skipping NTP server configuration.";
  }
#
#
# Start with the firewall stuff.
# First, define local addresses.
:log info "Adding $lannetwork/$lanbits to local address list.";
/ip firewall address-list add address="$lannetwork/$lanbits" comment="LAN" disabled=no list=local
#
#
# Set up NAT if required. We need to know which interface to use (PPPoE or WAN)
:local natinterface;
:if ($natuse = "yes") do={
  :if ($pppoeuse = "yes") do={
    :log info "Using PPPoE interface for NAT";
    :set natinterface "$pppoeinterface";
  } else={
    :log info "Using WAN interface for NAT";
    :set natinterface "$waninterface";
  }
  :log info "NATting to interface $natinterface";
  /ip firewall nat add action=masquerade chain=srcnat comment="NAT" disabled=no out-interface="$natinterface"
} else={
  :log info "Skipping NAT configuration.";
}
#
# Enable connection tracking
#
:log info "Enabling connection tracking";
#
/ip firewall connection tracking 
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s\
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s\
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s;
#
# Add filter rules
:log info "Setting firewall rules";
#
/ip firewall filter
add chain=input comment="Allow limited ICMP" limit=50/5s,2 protocol=icmp;
add chain=input comment="Drop excess ICMP" protocol=icmp action=drop;
add chain=input comment="Allow established connections" connection-state=established;
add chain=input comment="Allow related connections" connection-state=related;
# Note: this rule has no in-interface or src-address match, so UDP arriving on the WAN
# also reaches the router (DNS included, as allow-remote-requests=yes is set above).
# Add in-interface=$internalinterface to limit it to the LAN.
add chain=input protocol=udp action=accept comment="Allow all UDP";
add chain=input comment="Allow all from Sonora Comm" src-address=209.193.64.248/29;
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else";
add action=drop chain=input comment="Drop everything else from outside"\
 in-interface=$waninterface;
#
#
# Configure Port Forwarding
#
:if ($fwdtcpports = "yes") do={
  /ip firewall nat add chain=dstnat in-interface=$waninterface protocol=tcp action=dst-nat\
     dst-port=$tcpports to-addresses=$internalserver;
  }
#
#
#### Set up some useful scripts
#
/system script
#
:log info "Creating automatic mail server setting script";
/system script add name=setmail policy=ftp,write,winbox source="# Resolve the mail server hostname\r\
  \n:local emailserverip [:resolve \"$emailserver\"];\r\
  \n/tool e-mail set server=\"\$emailserverip\";"
:log info "Scheduling automatic mail server setting script to run hourly.";
/system scheduler add comment="Set the correct mail server addresses" disabled=no interval=1h name=setmailserver\
   on-event=setmail policy=reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/1970\
   start-time=12:34:56;
:log info "Running script on the off chance all interfaces are set up and it will work.";
:execute setmail;
#
# Automatic backup
:log info "Creating automatic backup script";
/system script add name=makebackup policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive\
    source="\r\n:log info \"Starting Backup Script\";\r\
    \n:local SYSname [/system identity get name];\r\
    \n:put \"\$SYSname\";\r\
    \n/export file=\"\$SYSname\";\r\
    \n:log info \"Finished exporting configuration\";\r\
    \n/tool e-mail send to=\"$emailto\" tls=yes subject=(\$SYSname . \" backup\") file=(\$SYSname . \".rsc\");\r\
	\n:delay 10s;\r\
    \n/file remove (\$SYSname . \".rsc\");\r\
    \n:log info \"Finished Backup Script\"";
:log info "Scheduling automatic backup script to run weekly.";
/system scheduler add comment="Weekly configuration backup" disabled=no interval=7d name=runbackup\
    on-event=makebackup policy=reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/1970\
    start-time=12:34:56;
#
# System startup notification
:log info "Creating system startup notification script";
/system script add name=Systemstartupnotification policy=ftp,reboot,read,write,policy,test,winbox,sniff source="\r\
    \n:local date ([:pick [/system clock get date] 7 11] . [:pick [/system clock get date] 0 3] . [:pick [/system clock get date] 4 6]);\r\
    \n\r\
    \n:log info \"Running system startup script\";\r\
    \n\r\
    \n:local filename ([/system identity get name] . \"Log-\" . \$date);\r\
    \n:local fullfilename (\$filename . \".txt\");\r\
    \n\r\
    \n/log print file=\$fullfilename;\r\
    \n\r\
    \n# Attach the file under the name it was written with (the .txt name), matching the remove below.\r\
    \n/tool e-mail send to=\"$emailto\" subject=(\"Routerboard reboot - \" . \$filename) file=\$fullfilename \\\r\
	\n  body=\"RouterOS was restarted (RB rebooted?). Recent logs attached.\";\r\
    \n\r\
    \n:delay 10s;\r\
    \n\r\
    \n/file remove \$fullfilename;\r\
    \n\r\
    \n:log info (\"System Log emailed at \" . [/system clock get time] . \" \" . \$date);\r\
    \n";
:log info "Scheduling system startup notification script to run on startup.";
/system scheduler add comment="We've been rebooted" disabled=no interval=0s name=reboot on-event=Systemstartupnotification \
    policy=reboot,read,write,policy,test,password,sniff,sensitive start-time=startup;
#
#
# Restart PPPoE if the IP address isn't what we expect
:if ($pppoeuse = "yes" and $pppoeipaddress != "") do={
/system script add name=checkpppoe policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive source="\r\
    \n# Define the following two\r\
    \n#\r\
    \n# Name of the PPPoE interface\r\
    \n:local pppoeint \"$pppoeinterface\";\r\
    \n:local expectedip \"$pppoeipaddress/32\";\r\
    \n\r\
    \n:local curip [/ip address get [find interface=\$pppoeint] address];\r\
    \n\r\
    \n:if (\$curip != \$expectedip) do={\r\
    \n  /interface disable \"\$pppoeint\";\r\
    \n  :delay 1s;\r\
    \n  /interface enable \"\$pppoeint\";\r\
    \n}\r\
    \n\r\
    \n"
/system scheduler add comment="Check PPPoE" disabled=no interval=2m name=checkpppoe on-event=checkpppoe \
    policy=reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/1970 start-time=12:34:56;
}
#
# Change the admin service port for web browser management
/ip service set www port=$adminport;
#
:log info "Auto configuration ended.";
:put "";
:put "";
:put "Auto configuration ended. Please check the system log.";
:put "";
:put "To access the router with a web browser, you must now use port $adminport";
:put "";
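The input-chain rules the script installs are worth reviewing before the router faces the Internet, since some of them accept traffic from any interface. The following audit is an added example, not part of the page's script: it parses the "add ..." lines of the filter section (copied here with $waninterface expanded to ether1, as a constructed sample), walks them in order, and reports every accept rule that WAN-sourced packets can still reach before the final drop.

```python
import shlex

# Constructed copy of the input-chain rules the script installs ("Add filter
# rules" section), with $waninterface already expanded to ether1.
SAMPLE_RULES = """\
add chain=input comment="Allow limited ICMP" limit=50/5s,2 protocol=icmp;
add chain=input comment="Drop excess ICMP" protocol=icmp action=drop;
add chain=input comment="Allow established connections" connection-state=established;
add chain=input comment="Allow related connections" connection-state=related;
add chain=input protocol=udp action=accept comment="Allow all UDP";
add chain=input comment="Allow all from Sonora Comm" src-address=209.193.64.248/29;
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else";
add action=drop chain=input comment="Drop everything else from outside" in-interface=ether1;
"""

def parse_rules(text):
    """Parse 'add key=value ...' lines of a /ip firewall filter section into dicts."""
    rules = []
    for line in text.splitlines():
        line = line.strip().rstrip(";")
        if not line.startswith("add "):
            continue
        rule = {"action": "accept"}            # RouterOS default action is accept
        for token in shlex.split(line[4:]):    # shlex keeps quoted comments intact
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules

def audit_input_chain(rules, wan):
    """Report accept rules that WAN-sourced packets to the router itself can hit.

    A rule is WAN-reachable when it names the WAN interface or no interface at
    all. Reply-only rules (established/related) are fine. Rules are walked in
    order, so nothing after a catch-all drop of WAN traffic is reported.
    """
    findings = []
    for rule in rules:
        if rule.get("chain") != "input":
            continue
        wan_reachable = rule.get("in-interface", wan) == wan
        if rule["action"] == "drop" and wan_reachable and not any(
                k in rule for k in ("protocol", "src-address", "connection-state")):
            break                               # catch-all drop: later rules unreachable from WAN
        if rule["action"] != "accept" or not wan_reachable:
            continue
        if rule.get("connection-state") in ("established", "related"):
            continue                            # reply traffic only
        name = rule.get("comment", "?")
        proto = rule.get("protocol", "any")
        if "src-address" in rule:
            findings.append(f"{name}: accepts {proto} from {rule['src-address']} on the WAN "
                            "(confirm this allow-list is still wanted)")
        elif "limit" in rule:
            findings.append(f"{name}: rate-limited {proto} accepted from anywhere")
        else:
            findings.append(f"{name}: unrestricted {proto} to the router from the WAN")
    return findings
```

On the page's rules this reports the rate-limited ICMP, the unrestricted UDP rule and the vendor allow-list; scoping the UDP rule to the LAN interface removes the second finding.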
networking/router/mikrotik_sonora.1354907978.txt.gz · Last modified: 2012/12/07 12:19 by gcooper