I am quite new on Mikrotik but have done some basic setups already with no issues. Doing a new one I am getting a problem on router itself to resolve DNS (only required for updates honestly); disabling the rule to block traffic from WAN ("defconf: drop all not coming from LAN") it works but, of course I don't want to remove it (have also tried to do !LAN instead of WAN but same result), Can you please help me? Here you can find my config:
Code: Select all
# mar/19/2024 10:47:41 by RouterOS 6.49.13
# software id = **ELIDED**
#
# model = RB3011UiAS
/interface bridge
add name=bridge_LAN
/interface ethernet
set [ find default-name=ether1 ] name=ether1-WAN1
set [ find default-name=ether2 ] name=ether2-WAN2
set [ find default-name=ether3 ] disabled=yes
set [ find default-name=ether4 ] disabled=yes
set [ find default-name=ether5 ] disabled=yes
set [ find default-name=sfp1 ] disabled=yes
/interface vrrp
add interface=bridge_LAN name=VRRP
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_LAN ranges=20.1.0.50-20.1.1.254
/ip dhcp-server
add address-pool=dhcp_pool_LAN disabled=no interface=VRRP name=dhcp_LAN
/queue simple
add disabled=yes dst=ether1-WAN1 max-limit=10M/10M name=LimitWAN1 target=""
/interface bridge port
add bridge=bridge_LAN interface=ether6
add bridge=bridge_LAN interface=ether7
add bridge=bridge_LAN interface=ether8
add bridge=bridge_LAN interface=ether9
add bridge=bridge_LAN interface=ether10
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface list member
add interface=bridge_LAN list=LAN
add interface=ether1-WAN1 list=WAN
add interface=ether2-WAN2 list=WAN
/ip address
add address=20.1.0.2/23 interface=bridge_LAN network=20.1.0.0
add address=20.1.0.1/23 interface=VRRP network=20.1.0.0
add address=10.10.2.250/24 interface=ether1-WAN1 network=10.10.2.0
add address=10.10.1.250/24 interface=ether2-WAN2 network=10.10.1.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add add-default-route=no interface=ether1-WAN1 use-peer-dns=no
add add-default-route=no disabled=no interface=ether2-WAN2
/ip dhcp-server network
add address=20.1.0.0/23 dns-server=8.8.8.8,1.1.1.1 gateway=20.1.0.1
/ip dns
set servers=8.8.8.8,1.1.1.1
/ip firewall filter
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=WAN
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-WAN1
add action=masquerade chain=srcnat out-interface=ether2-WAN2
/ip route
add check-gateway=ping distance=1 gateway=1.1.1.1 target-scope=32
add check-gateway=ping distance=2 gateway=8.8.8.8 target-scope=32
add check-gateway=ping distance=4 gateway=10.10.1.1
add distance=1 dst-address=1.1.1.1/32 gateway=10.10.2.1 target-scope=31
add distance=1 dst-address=8.8.8.8/32 gateway=10.10.2.1 target-scope=31
/system clock
set time-zone-name=Europe/London
Thanks in advance