Tr069-best-practices
This Best Practices Guide shows an example of RouterOS initial setup if it needs safe/preconfigured factory-reset with custom configuration, especially when tr069 is used. It can be useful in cases when the user (or provider unknowingly) has misconfigured device in a non-reversible state. Then factory-reset configuration can be applied using TR069 FactoryReset RPC or through RouterOS /system reset-configuration or by using the reset button on the router.
Overriding factory default-configurations on Netinstall
When performing Netinstall, then the default-configuration script can be adapted to specific needs and installed by overwriting the MikroTik's default one. It should be done by providers who want to have FactoryReset as a backup which could make device "reachable" again in case of some unresolvable misconfiguration. In TR069 case the default-configuration script should at minimum import certificates, setup the IP layer connectivity, enable and configure tr069-client, configure the firewall. After that other configurations can be performed by the ACS.
Warning: On factory-reset all certificates are removed too, so if they are needed after reset, then default-confiugration script must import them
Example script
The example default-configuration script, which assumes that board is using ether1 as WAN port for reaching ACS, a dummy CA certificate and the initial IP configuration is received by DHCP client.
Note: Of course values of certificate, acs-url, username, password must be replaced and extra configurations most probably added
# Install certificate :global acsCaCertTxt "-----BEGIN CERTIFICATE----- MIIDCDCCAfCgAwIBAgIIBQ68Phid9+owDQYJKoZIhvcNAQELBQAwDzENMAsGA1UE AwwEbXlDYTAeFw03MDAxMDIwMDM0MDZaFw03MTAxMDIwMDM0MDZaMA8xDTALBgNV BAMMBG15Q2EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDILvvnEc/8 53jevX3MW4qjn9CNdHLexUZSL8qSXzE5sik1kaNOdckOXC8/Ku0qO95elaBaXmLe QsIQbVtZ768SBQc7q4RaG3AEauLfNl0BS3kl91/nSvYKp20Nvn7LP7CVZj8D81S+ z4lYgab00X6hT65r8cOI4idaJNWkB9+vFujiPpg0H4IEthgslvCu0i2C7VMrZps/ lTI4xD7kUU4ySzpMUDD3SiA1cEtR8SC5gspYFqtUB2Chk4DTeqWzPCT9eIKclIKM eh/5w7eLCKyjqIBDwWixuHGW7uFffHjmkgtmzG35W/qmgXGXG+BC8NomxmKxdxCT ZpQCbisMKieTAgMBAAGjaDBmMA8GA1UdEwEB/wQFMAMBAf8wDgYDVR0PAQH/BAQD AgEGMB0GA1UdDgQWBBR5poVfi8tXHrD3sEidlLLzm1k3xzAkBglghkgBhvhCAQ0E FxYVR2VuZXJhdGVkIGJ5IFJvdXRlck9TMA0GCSqGSIb3DQEBCwUAA4IBAQChVt7s YNL+U7p0OoxdKgCqP3JyrVOAYDs51243IR83BM3WQybWaDcEv50/R668icnnNHgN GKQ6OjgQbia7ZW38JWlD/n59WDjk9T63lHh5RHmrhPlIDUN8Wh89v6N2q8YQy+rj o2lOcbZOJTSIirSBcokMRw45yJNO9HU02E9Bl5nb1hq6/xP4pbTS3t8bL+Xpg0eJ herz/Ap62k/ToRP+yFYN90z8sDHHvKWnq1W60xreLQ95D5IOego0dIWDC8J/a551 Z2AklvEhKfJTQ6zylrhPDy5bySadxy8lAV82+gEZ1AQyS2UXzRAUgCCCzdEmgiWE 6Du6ubASPAEmYfhC -----END CERTIFICATE-----"; /file print file=tmp_acs_ca_cert.txt; delay 2; /file set tmp_acs_ca_cert.txt contents=$acsCaCertTxt; /certificate import file-name=tmp_acs_ca_cert.txt passphrase=""; /file remove tmp_acs_ca_cert.txt; # Wait while ehter ifaces show up :local count 0; :while ([/interface ethernet find] = "") do={ :if ($count = 30) do={ /quit; } :delay 1s; :set count ($count +1); }; # Set as secure settings as possible for tr069-client to work /ip firewall { filter add chain=input action=accept connection-state=established,related comment="defconf: accept established,related" filter add chain=input action=drop in-interface=ether1 comment="defconf: drop all from WAN" } /ip neighbor discovery set [find name="ether1"] discover=no # Cofigure IP level, so that tr069-client can work /ip dhcp-client add interface=ether1 disabled=no comment="defconf"; /tr069-client set acs-url="https://example.com:7777/" enabled=yes username=myusername password=mypassword