Use the main branch of the Prison Island /pi-net-gateway repo.
Target device: MikroTik L009UiGS-2HaxD
Target RouterOS: long-term channel, RouterOS 7.21.4 or newer
1. Start and connect to the MikroTik
Power on the MikroTik.
Connect directly to the router.
Log in with WinBox, preferably by MAC address during first setup.
Confirm that the router is reachable and responsive.
Check basic info:
/system resource print
/system package update print
/system device-mode print
2. Upload helper scripts to MikroTik root
Upload these files from the repo extras/ folder to the MikroTik file root:
149-device-mode-full-reset-prep.rsc
150-routeros-upgrade-longterm.rsc
151-first-run-before-reset.rsc
153-admin-cleanup-before-shipping.rsc
Note:
152 is only needed for legacy/no-bond mode. It is not needed for a normal PI-NET 2.0 baseline rollout.
3. Run pre-reset helper scripts
Import the scripts in this order:
/import file-name=149-device-mode-full-reset-prep.rsc
If 149 requests device-mode confirmation, physically confirm it on the router and let it reboot.
After reconnecting, continue:
/import file-name=150-routeros-upgrade-longterm.rsc
If 150 upgrades RouterOS or RouterBOARD firmware, let the router reboot and reconnect again.
Then run:
/import file-name=151-first-run-before-reset.rsc
For a normal new PI-NET 2.0 install, baseline mode is expected.
Confirm marker:
/file print where name~"installmode"
Expected:
pi-net-markers/installmode.baseline
4. Generate the site-specific installer
On your computer, from the repo root, run:
python3 tools/merge.py --siteid <SITEID> --ipwg <WG_IP>
Example:
python3 tools/merge.py --siteid TMPID --ipwg 10.0.0.123
Expected output in releases/:
pi-net-main-install.rsc
run-after-reset-bootstrap.rsc
<SITEID>_<YYYYMMDD_HHMMSS>.rsc
Keep the timestamped file as archive/proof of what was generated.
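An added check for this step (example code, not part of the pi-net-gateway repo): it confirms that releases/ holds the three files named above and returns a SHA-256 digest for each, so the archived copy can be matched later against what was uploaded. The function name check_release is hypothetical; the file names and the <SITEID>_<YYYYMMDD_HHMMSS>.rsc pattern are taken from this runbook.

```python
import hashlib
import re
from datetime import datetime
from pathlib import Path

# Fixed names taken from step 4 of this runbook.
FIXED_FILES = ("pi-net-main-install.rsc", "run-after-reset-bootstrap.rsc")


def check_release(releases_dir, siteid):
    """Return {filename: sha256} for the generated installer set, or raise ValueError."""
    root = Path(releases_dir)
    missing = [n for n in FIXED_FILES if not (root / n).is_file()]
    if missing:
        raise ValueError(f"missing from {root}: {', '.join(missing)}")

    # The archive copy is named <SITEID>_<YYYYMMDD_HHMMSS>.rsc
    pattern = re.compile(re.escape(siteid) + r"_(\d{8}_\d{6})\.rsc")
    archives = []
    for path in root.iterdir():
        m = pattern.fullmatch(path.name)
        if not m or not path.is_file():
            continue
        try:
            stamp = datetime.strptime(m.group(1), "%Y%m%d_%H%M%S")
        except ValueError:
            continue  # right shape, but not a real date/time
        archives.append((stamp, path.name))
    if not archives:
        raise ValueError(f"no {siteid}_<YYYYMMDD_HHMMSS>.rsc file in {root}")

    # Earlier runs may have left older archives for the same site; use the newest.
    newest = max(archives)[1]
    manifest = {}
    for name in (*FIXED_FILES, newest):
        manifest[name] = hashlib.sha256((root / name).read_bytes()).hexdigest()
    return manifest


if __name__ == "__main__":
    import sys
    # Usage (assumed): run from the repo root with the site ID as the only argument.
    for name, digest in check_release("releases", sys.argv[1]).items():
        print(f"{digest}  {name}")
```

Store the printed digests with the archived timestamped file.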
5. Upload generated install files and secrets
Upload these files from releases/ to the MikroTik file root:
pi-net-main-install.rsc
run-after-reset-bootstrap.rsc
<SITEID>_<YYYYMMDD_HHMMSS>.rsc
Also upload the full secrets/ folder to the MikroTik file root.
The router should now have at least:
run-after-reset-bootstrap.rsc
pi-net-main-install.rsc
149-device-mode-full-reset-prep.rsc
150-routeros-upgrade-longterm.rsc
151-first-run-before-reset.rsc
152_legacy_access_no_bond_delta.rsc
153-admin-cleanup-before-shipping.rsc
secrets/
6. Reset and apply PI-NET 2.0 config
Run:
/system reset-configuration no-defaults=yes skip-backup=yes keep-users=yes run-after-reset=run-after-reset-bootstrap.rsc
Wait for the router to reset, reboot, and apply the generated PI-NET config.
Do not power off the router during this step.
7. Reconnect and verify install
Reconnect to the MikroTik.
Check PI-NET markers:
/file print where name~"pi-net-markers"
Expected markers include:
pi-net-markers/version.2.0
pi-net-markers/profile.full
pi-net-markers/role.gateway
pi-net-markers/installmode.baseline
Check log for install result:
/log print where message~"PI-NET|bootstrap|rollback|error"
Check that rollback has been disarmed:
/system scheduler print where name~"rollback"
/system script print where name~"rollback"
There should be no active rollback scheduler/script after a successful install.
8. Register and test WireGuard
Find the router WireGuard public key and confirm the configured WG IP:
/interface wireguard print detail
/ip address print where interface=wireguard1
/interface wireguard peers print detail
Add the MikroTik as a peer on the WG server.
Use:
Public key: from the MikroTik wireguard interface
Allowed address: <WG_IP>/32
Preshared key: from the matching site secret
Then test from the WG/server side:
ping <WG_IP>
Also test management access over WireGuard, for example WinBox or SSH to the router WG IP.
Do not continue to cleanup before WG access is confirmed.
9. Set identity and admin passwords
Set the correct system identity:
/system identity set name="<SITEID>-NETGW00"
Set the final admin passwords according to the current internal credential routine:
/user set [find name="admin"] password="<FINAL_PASSWORD>"
/user set [find name="pi-net-siteadmin"] password="<FINAL_PASSWORD>"
Confirm users:
/user print
10. Reboot and verify again
Reboot the MikroTik:
/system reboot
After reboot, verify:
/system identity print
/interface wireguard print
/ip address print
/ip route print
/log print where message~"error|warning|wireguard|PI-NET"
From HQ/WG side, confirm again:
ping <WG_IP>
Also confirm WinBox/SSH access over WireGuard.
11. Final cleanup before shipping / handover
Only run this after:
- WG access works
- identity is correct
- passwords are changed
- router has been rebooted
- access still works after reboot
Run:
/import file-name=153-admin-cleanup-before-shipping.rsc
This creates a final encrypted shipping backup and removes temporary install files, secrets, logs, and old backup material.
After running 153, manually download/archive the final shipping backup from the MikroTik file list.
12. Final report back
Report back with:
Site ID:
Router identity:
RouterOS version:
WG IP:
WG test result:
Final backup filename:
Install markers confirmed: yes/no
Rollback disarmed: yes/no
153 cleanup completed: yes/no
Notes/errors:
The MikroTik is done when it is reachable over WireGuard after reboot and the final cleanup has completed.