# Provisioning script for a MikroTik CPE: wlan1 becomes a 5 GHz station towards
# the SSID in $wlssid, a PPPoE client named ArjanNet runs over wlan1, ether1 is
# the LAN (192.168.1.1/24 with DHCP), and a PPTP server, port forwards, UPnP and
# local user settings are configured.
# NOTE(review): the script is destructive. It removes existing bridges, pools,
# DHCP servers/clients, addresses, PPP secrets, static DNS, non-dynamic
# firewall/NAT rules, schedulers and every user except admin before adding its
# own entries.

# Per-subscriber values. uname/passw are used below for the PPPoE client and for
# the local router user; both are empty here and must be filled in before use.
# NOTE(review): presumably these :global values stay in the script environment
# after the run, readable by anyone with access to it; confirm and clear them.
:global uname ""
:global passw ""
:global wlssid "1009519BS82-ArjanNet"
# Station radio setup. No security-profile is set in this command, so link
# encryption depends on whatever profile wlan1 already has (TODO confirm).
# NOTE(review): country=no_country_set with frequency-mode=superchannel and
# scan-list=4900-6100 lifts regulatory channel limits; check local compliance.
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-onlyn country=no_country_set \
    disabled=no frequency-mode=superchannel mode=station-pseudobridge \
    scan-list=4900-6100 name=wlan1 ssid=$wlssid radio-name=$uname
# Try the 20/40 MHz width first and fall back to 20 MHz if the set fails.
:do {set [ find default-name=wlan1 ] channel-width=20/40mhz-XX} \
    on-error={set [ find default-name=wlan1 ] channel-width=20mhz}
# Recreate the WAN and LAN interface lists; errors are ignored (on-error={}).
:do {/interface list
remove [find builtin=no]
add name=WAN
add name=LAN} on-error={}
/interface bridge port
remove [find dynamic=no]
/interface bridge
remove [find]
# PPPoE uplink over wlan1, authenticated with $uname/$passw.
/interface pppoe-client
remove [find]
add add-default-route=yes disabled=no interface=wlan1 name=ArjanNet \
    use-peer-dns=yes user=$uname password=$passw
# dhcp_pool0 serves LAN clients; the five-address VPN pool serves PPTP clients.
/ip pool
remove [find]
add name=dhcp_pool0 ranges=192.168.1.20-192.168.1.254
add name=VPN ranges=192.168.1.15-192.168.1.19
# PPP profile for the PPTP server; connected clients are put in address-list VPN.
# NOTE(review): use-encryption=yes looks like "use when offered" rather than
# "required"; confirm, since the server below also accepts pap and chap.
/ppp profile
remove [find default=no]
add change-tcp-mss=yes local-address=192.168.1.14 name=VPN remote-address=VPN \
    use-encryption=yes address-list=VPN
/ip dhcp-server
remove [find]
add address-pool=dhcp_pool0 disabled=no interface=ether1 name=dhcp1
# NOTE(review): neighbor discovery is enabled on every interface, so the router
# announces itself on the WAN-side wlan1 as well as on the LAN.
:do {/ip neighbor discovery-settings
set discover-interface-list=all} on-error={}
# ether1 is LAN; both the PPPoE interface and the raw wlan1 are WAN.
:do {/interface list member
remove [find dynamic=no]
add interface=ether1 list=LAN
add interface=ArjanNet list=WAN
add interface=wlan1 list=WAN} on-error={}
/ip address
remove [find]
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
/ip dhcp-server network
remove [find]
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
# DHCP client on wlan1 with a lease script. When $bound=1 the script (re)creates
# five routes tagged "LocalGW" (192.168.0.0/16, 172.20.0.0/16, 91.106.77.8/29),
# removing any existing LocalGW routes first. "gateway-local" is the gateway
# address with its last character replaced by "3".
# NOTE(review): that substitution only yields a valid address when the gateway's
# last octet is a single digit; confirm against the access network's addressing.
# NOTE(review): nothing is done when $bound is not 1, so the routes stay in
# place after the lease is lost (check-gateway=ping is the only guard).
/ip dhcp-client
remove [find]
add add-default-route=yes disabled=no interface=wlan1 script="# this Script should be added to /ip dhcp-client script\r\
    \n{\r\
    \n\t:local \"gateway-local\" ([:pick \$\"gateway-address\" 0 ([:len [\$\"gateway-address\"]]-1) ].\"3\");\r\
    \n\t:local count [/ip route print count-only where comment=\"LocalGW\"];\r\
    \n\t:if (\$bound=1) do={\r\
    \n\t\t:if (\$count = 0) do={\r\
    \n\t\t\t/ip route add gateway=[\$\"gateway-local\"] comment=\"LocalGW\" dst-address=192.168.0.0/16 check-gateway=ping;\r\
    \n\t\t\t/ip route add gateway=[\$\"gateway-address\"] comment=\"LocalGW\" dst-address=192.168.0.0/16 check-gateway=ping distance=2;\r\
    \n\t\t\t/ip route add gateway=[\$\"gateway-local\"] comment=\"LocalGW\" dst-address=172.20.0.0/16 check-gateway=ping;\r\
    \n\t\t\t/ip route add gateway=[\$\"gateway-address\"] comment=\"LocalGW\" dst-address=172.20.0.0/16 check-gateway=ping distance=2;\r\
    \n\t\t\t/ip route add gateway=[\$\"gateway-address\"] comment=\"LocalGW\" dst-address=91.106.77.8/29 check-gateway=ping\r\
    \n\t\t} else={\r\
    \n\t\t\t/ip route remove [find comment=\"LocalGW\"];\r\
    \n\t\t\t/ip route add gateway=[\$\"gateway-local\"] comment=\"LocalGW\" dst-address=192.168.0.0/16 check-gateway=ping;\r\
    \n\t\t\t/ip route add gateway=[\$\"gateway-address\"] comment=\"LocalGW\" dst-address=192.168.0.0/16 check-gateway=ping distance=2;\r\
    \n\t\t\t/ip route add gateway=[\$\"gateway-local\"] comment=\"LocalGW\" dst-address=172.20.0.0/16 check-gateway=ping;\r\
    \n\t\t\t/ip route add gateway=[\$\"gateway-address\"] comment=\"LocalGW\" dst-address=172.20.0.0/16 check-gateway=ping distance=2;\r\
    \n\t\t\t/ip route add gateway=[\$\"gateway-address\"] comment=\"LocalGW\" dst-address=91.106.77.8/29 check-gateway=ping\r\
    \n\t\t}\r\
    \n\t}\r\
    \n}" use-peer-dns=yes use-peer-ntp=yes default-route-distance=5
# PPTP server using the VPN profile.
# NOTE(review): pap, chap and mschap1 are accepted alongside mschap2. PAP sends
# the password in clear text and MPPE encryption is only negotiated with the
# MS-CHAP methods, so a client may end up on an unencrypted tunnel. PPTP with
# MS-CHAPv2 is itself regarded as weak; prefer a modern VPN, or at least
# restrict authentication to mschap2 and require encryption in the profile.
/interface pptp-server server
set authentication=\
    pap,chap,mschap1,mschap2 enabled=yes default-profile=VPN
# NOTE(review): a fixed VPN account with a six-digit numeric password is
# hard-coded here, so every router provisioned from this script shares it.
# Use a unique, strong secret per device and keep it out of the script.
/ppp secret
remove [find]
add name=ali password=996688 profile=VPN
# NOTE(review): allow-remote-requests=yes makes the router answer DNS for any
# client that can reach it. The drop rules further down cover UDP/53 only;
# TCP/53 arriving on non-ether1 interfaces is not filtered by this script.
/ip dns
set allow-remote-requests=yes
/ip dns static
remove [find]
# All non-dynamic filter rules are removed; the only rule added here drops
# traffic forwarded from wlan1 to PPP interfaces.
# NOTE(review): no input-chain rules are created on the normal path, so any
# management service enabled under /ip service (not shown here) is reachable
# from the WAN side; add an input policy that accepts established/related and
# LAN traffic and drops the rest.
/ip firewall filter
remove [find dynamic=no]
add chain=forward in-interface=wlan1 out-interface=all-ppp action=drop
# Source NAT: masquerade out of the WAN list (fallback: per interface when
# out-interface-list is not accepted), towards 192.168.1.2 (presumably hairpin
# NAT for the forward below; confirm) and for addresses in list VPN.
/ip firewall nat
remove [find dynamic=no]
:do {add action=masquerade chain=srcnat out-interface-list=WAN} on-error={\
    add action=masquerade chain=srcnat out-interface=ArjanNet;add \
    action=masquerade chain=srcnat out-interface=wlan1}
add action=masquerade chain=srcnat dst-address=192.168.1.2
add action=masquerade chain=srcnat src-address-list=VPN
# Port forwards to 192.168.1.2 (tcp/81 -> 80) and 192.168.1.10 (tcp/82 -> 80,
# tcp/443,554,1280,8000,9000,34567,37777 and udp/37778).
# NOTE(review): the rules match dst-address-type=local with no source or
# in-interface restriction, so these services are exposed to every network that
# can reach the router. The ports look like camera/DVR services (assumption);
# restrict them with a src-address-list or reach them through the VPN instead.
add action=dst-nat chain=dstnat dst-address-type=local dst-port=81 protocol=\
    tcp to-addresses=192.168.1.2 to-ports=80
add action=dst-nat chain=dstnat dst-address-type=local dst-port=82 protocol=\
    tcp to-addresses=192.168.1.10 to-ports=80
add action=dst-nat chain=dstnat dst-address-type=local dst-port=\
    443,554,1280,8000,9000,34567,37777 protocol=tcp to-addresses=192.168.1.10
add action=dst-nat chain=dstnat dst-address-type=local dst-port=37778 \
    protocol=udp to-addresses=192.168.1.10
# Drop UDP/53 to the router from anything but ether1, and TCP/1723 (PPTP
# control) from sources outside address-list AllowV. Raw prerouting is tried
# first; on error the same two drops are added to the filter input chain.
# NOTE(review): only the PPTP control port is restricted to AllowV; the list
# itself is created further down.
:do {/ip firewall raw
remove [find dynamic=no]
add action=drop chain=prerouting dst-address-type=local \
    dst-port=53 in-interface=!ether1 protocol=udp
add action=drop chain=prerouting dst-address-type=local \
    dst-port=1723 src-address-list=!AllowV protocol=tcp} on-error={/ip firewall filter
add action=drop chain=input dst-address-type=local \
    dst-port=53 in-interface=!ether1 protocol=udp
add action=drop chain=input dst-address-type=local \
    dst-port=1723 src-address-list=!AllowV protocol=tcp}
# Sources allowed to reach the PPTP control port.
# NOTE(review): two of the three entries are whole /16 private ranges.
/ip firewall address-list
remove [find dynamic=no]
add list=AllowV address=91.106.77.0/28
add list=AllowV address=192.168.0.0/16
add list=AllowV address=172.20.0.0/16
# NOTE(review): UPnP lets any LAN host open inbound port mappings on ArjanNet
# without authentication; leave it off unless a device on the LAN needs it.
/ip upnp
set enabled=yes
/ip upnp interfaces
remove [find dynamic=no]
add interface=ArjanNet type=external
add interface=ether1 type=internal
# Identity is the PPPoE user name when set, otherwise "Mikrotik".
:if ( ([:len $uname]) != 0 ) do={/system identity set name=$uname} else={\
    /system identity set name="Mikrotik"}
/system clock
set time-zone-name=manual time-zone-autodetect=no
/system clock manual
set time-zone=+03:30
# NOTE(review): MAC-Telnet and MAC-Winbox are allowed on all interfaces, which
# includes the WAN-facing wlan1; limiting them to the LAN list would shrink the
# layer-2 management surface.
/tool mac-server
:do {set allowed-interface-list=all} on-error={enable [find interface=all]}
/tool mac-server mac-winbox
:do {set allowed-interface-list=all} on-error={enable [find interface=all]}
# Startup job: copies the PPPoE client's user name into the wireless radio-name
# and the system identity when they differ from it.
# NOTE(review): the job is granted ftp, reboot, policy, password, sniff,
# sensitive and romon in addition to read/write/test; it appears to need only
# read and write (confirm), so the policy can be trimmed.
/system scheduler
remove [find]
add name=Set-Rname-Identity on-event=":local nme [/interface pppoe-client get 0 \
    user];\r\n:if ( ([:len \$nme] !=0) && ([/interface wireless get 0 radio-\
    name]!=\$nme) ) do={/interface wireless set 0 radio-name=\
    \$nme};\r\n:if ( ([:len \$nme] !=0) && ([/system identity get name]!=\$nme) ) \
    do={/system identity set name=\$nme }" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-time=startup
# Custom groups are removed and a "user" group is created.
# NOTE(review): the group allows telnet (clear-text management) and sniff.
/user group
remove [find where !(name~"full|read|write")]
add name=user policy=local,read,reboot,sniff,telnet,test,tikapp,web,winbox,write
# NOTE(review): RADIUS logins are enabled with default-group=write, but this
# script configures no /radius server; verify which server is in effect,
# because users it authenticates without a group attribute receive write access.
/user aaa
set default-group=write use-radius=yes exclude-groups=full
# Every local user except admin is removed; admin's password is not changed
# here. NOTE(review): make sure admin does not keep a default or empty password.
/user
remove [find name!=admin]
# Creates a disabled local user named after the PPPoE account.
# NOTE(review): the router login reuses the PPPoE password, so knowing one
# credential gives the other once the account is enabled.
:if ( ([:len $uname]) != 0 ) do={ /user add name=$uname password=$passw group=user disabled=yes}