johnudu
just joined
Topic Author
Posts: 6
Joined: Wed Apr 26, 2023 8:26 pm

check my settings

Mon Feb 12, 2024 7:55 pm

Hello.
Please check my settings.
Thank you.
# 2024-02-12 18:45:17 by RouterOS 7.12
# software id = 4NGD-NHR9
#
# model = RBD53iG-5HacD2HnD
# serial number = <edit>
#
# Lines starting with "# NOTE(review)" are reviewer remarks; every other line is
# the export exactly as posted. Inside /ip firewall filter the order of rules is
# what decides: the first matching rule with a terminating action wins, so the
# remarks refer to rules by their position in the chain.
/interface bridge
add admin-mac=AA:AA:AA:AA:AA:AA auto-mac=no comment=defconf name=bridge
/interface wireguard
# NOTE(review): UDP 13231 is the only tunnel entry point. It is accepted on the
# input chain below without an in-interface match, i.e. reachable from the WAN,
# as a WireGuard endpoint has to be.
add listen-port=13231 mtu=1420 name=wireguard1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# NOTE(review): WPA2-PSK only, no WPA1 and no EAP - good. No wpa2-pre-shared-key
# appears in this export (presumably stripped when exporting); confirm on the
# device that a long random PSK is actually set on this profile.
add authentication-types=wpa2-psk eap-methods="" mode=dynamic-keys name=Prdel \
    supplicant-identity=""
/interface wireless
# NOTE(review): both radios use the Prdel profile and have WPS disabled.
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-XX \
    country="czech republic" disabled=no distance=indoors frequency=2427 \
    installation=indoor mode=ap-bridge security-profile=Prdel ssid=MT24 \
    wireless-protocol=802.11 wps-mode=disabled
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX country="czech republic" disabled=no distance=indoors \
    frequency=5260 installation=indoor mode=ap-bridge security-profile=Prdel \
    ssid=MT50 wireless-protocol=802.11 wps-mode=disabled
/ip pool
add name=default-dhcp ranges=192.168.88.20-192.168.88.254
/ip dhcp-server
# NOTE(review): lease-time=5m is very short; clients will be renewing every few
# minutes (raised later in the thread).
add address-pool=default-dhcp interface=bridge lease-time=5m name=defconf
/interface bridge port
add bridge=bridge comment=defconf interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
# NOTE(review): ether1 is the only WAN member. The filter rules below key on
# in-interface=!ether1 / out-interface=ether1 rather than on the WAN/LAN lists,
# so a second uplink added to the WAN list would not be covered by them.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=ether1 list=WAN
/interface ovpn-server server
# NOTE(review): md5 is among the allowed auth algorithms. No enabled=yes line
# appears in this export, so the OVPN server is presumably off, and no input
# rule accepts its port; if it is ever enabled, remove md5 from auth= first.
set auth=sha1,md5
/interface wireguard peers
# NOTE(review): one /32 allowed-address per peer, public keys redacted in the
# post - fine.
add allowed-address=192.168.77.2/32 comment="Mobil Jenda" interface=\
    wireguard1 public-key="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa="
add allowed-address=192.168.77.3/32 comment="Notebook HP" interface=\
    wireguard1 public-key="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa="
add allowed-address=192.168.77.4/32 comment="Mobil M\ED\9Aa" interface=\
    wireguard1 public-key="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa="
/ip address
add address=192.168.88.1/24 comment=defconf interface=bridge network=\
    192.168.88.0
add address=192.168.77.1/24 interface=wireguard1 network=192.168.77.0
/ip dhcp-client
add comment=defconf interface=ether1
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf dns-server=192.168.88.1 gateway=\
    192.168.88.1
/ip dns
# NOTE(review): allow-remote-requests=yes makes the router a resolver. The input
# chain only accepts dst-port=53 with in-interface=!ether1 and ends in a drop,
# so it is not an open resolver towards the WAN as long as ether1 stays the
# only WAN interface.
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.1
/ip dns static
add address=192.168.88.1 comment=defconf name=router.lan
/ip firewall filter
# NOTE(review): the action=passthrough rules in chains named comment-* are
# section headers only; nothing jumps to those chains, so they never match.
add action=passthrough chain=comment-test comment=\
    "-- SECTION -- test and info rules"
add action=passthrough chain=comment-established comment=\
    "-- SECTION -- established rules"
# NOTE(review): established/related are accepted before the all_banned drop
# further down, so a connection that is already open when an address lands on
# the list keeps flowing until it closes.
add chain=forward comment="allow established forward" connection-state=\
    established
add chain=forward comment="povol related forward" connection-state=related
# NOTE(review): the comment= texts of the next two rules say "forward"; they
# are input rules.
add chain=input comment="Allow esatblished connections forward" \
    connection-state=established
add chain=input comment="Allow related connections input" connection-state=\
    related
add chain=output comment="Allow esatblished connections output" \
    connection-state=established
add chain=output comment="Allow related connections output" connection-state=\
    related
add action=passthrough chain=comment-drop comment="-- SECTION -- drop rules"
# NOTE(review): invalid is dropped on input and output, but nowhere in this
# filter is connection-state=invalid dropped on the forward chain; the defconf
# set has such a rule.
add action=log chain=input comment="Drop invalid connections" \
    connection-state=invalid log-prefix=drop_invalid
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add action=log chain=output comment="Drop invalid connections" \
    connection-state=invalid log-prefix=drop_invalid
add action=drop chain=output comment="Drop invalid connections" \
    connection-state=invalid
# NOTE(review): no rule in this export ever adds an address to all_banned and
# there is no /ip firewall address-list section, so these two rules are inert
# unless the list is filled by hand or by a script.
add action=log chain=forward comment="drop all BANNED IPs" log-prefix=\
    drop_banned src-address-list=all_banned
add action=drop chain=forward comment="drop all BANNED IPs" src-address-list=\
    all_banned
# NOTE(review): DHCP DISCOVER from clients is addressed to 255.255.255.255 and
# would match the drop below; leases evidently still work, presumably because
# the RouterOS DHCP server operates below the IP filter - confirm before
# reusing these rules elsewhere.
add action=log chain=input comment="Block broadcasts packets" disabled=yes \
    dst-address=255.255.255.255 log-prefix=255
add action=drop chain=input comment="Block broadcasts packets" dst-address=\
    255.255.255.255
add action=drop chain=input comment="Block broadcasts packets" \
    dst-address-type=broadcast,multicast
add action=passthrough chain=comment-VOIP comment="-- SECTION -- VOIP rules"
add action=passthrough chain=comment-DDOS comment=\
    "-- SECTION -- block ddos rules"
# NOTE(review): the four staging rules below have no in-interface or
# src-address exclusion. SSH from ether1 is never accepted anyway (the 8291,22
# accept further down requires in-interface=!ether1), so for WAN sources the
# list only changes which drop fires; for LAN and VPN sources it is live: the
# fourth new SSH connection from one address inside the stage windows puts it
# on ssh_blacklist for 1w3d and later connections are dropped. Add
# in-interface=ether1 to the staging rules, or exclude 192.168.88.0/24 and
# 192.168.77.0/24, if locking out an internal admin is not intended.
add action=log chain=input comment="drop ssh brute forcers for 10days" \
    dst-port=22 log-prefix=drop-ssh-brute protocol=tcp src-address-list=\
    ssh_blacklist
add action=drop chain=input comment="drop ssh brute forcers for 10days" \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input comment="ssh black_list" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=20m chain=input comment="ssh black_list" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=10m chain=input comment="ssh black_list" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=input comment="ssh black_list" \
    connection-state=new dst-port=22 protocol=tcp
# NOTE(review): the whole DDoS block is disabled. If enabled as written, the
# drop rule in block-ddos carries its own limit=16,32:packet bucket, so UDP
# above that rate appears to fall off the end of the chain and return to the
# caller un-dropped; the usual pattern has no limit on the drop rule.
add action=jump chain=forward comment=Jump_to_block-ddos disabled=yes \
    dst-port=!53,514 jump-target=block-ddos protocol=udp
add action=jump chain=input comment=Jump_to_block-ddos disabled=yes dst-port=\
    !53,514 jump-target=block-ddos protocol=udp
add action=return chain=block-ddos disabled=yes limit=16,32:packet
add action=log chain=block-ddos disabled=yes log-prefix=DDOS_ATTACK:
add action=drop chain=block-ddos disabled=yes limit=16,32:packet
add action=jump chain=input comment=Jump_to_block-ddos disabled=yes dst-port=\
    !53 jump-target=block-ddos protocol=udp
add action=passthrough chain=comment-important-basic comment=\
    "-- SECTION -- important and basic rules"
# NOTE(review): Winbox and SSH are reachable from every interface except
# ether1, i.e. from the LAN bridge and the WireGuard tunnel. www-ssl is left
# enabled under /ip service, but no input rule accepts tcp/443, so the web UI
# is reachable only through the blanket src-address=192.168.77.0/24 accept in
# the VPN section below.
add action=accept chain=input dst-port=8291,22 in-interface=!ether1 protocol=\
    tcp
add chain=output comment="allow router DNS queries" dst-port=53 protocol=tcp
add chain=output comment="allow router DNS queries" dst-port=53 protocol=udp
add action=accept chain=input comment="allow router DNS queries" dst-port=53 \
    in-interface=!ether1 protocol=udp
add action=accept chain=input comment="allow router DNS queries" dst-port=53 \
    in-interface=!ether1 protocol=tcp
add action=accept chain=forward comment="allow router DNS queries" dst-port=\
    53 in-interface=!ether1 protocol=udp
add action=accept chain=forward comment="allow router DNS queries" dst-port=\
    53 in-interface=!ether1 protocol=tcp
add chain=output comment="allow router NTP queries" dst-port=123 protocol=udp
add action=accept chain=forward comment="allow router NTP queries" dst-port=\
    123 in-interface=!ether1 protocol=udp
add chain=output comment="allow ping z routeru" protocol=icmp
add action=accept chain=forward comment="povol PING forward" in-interface=\
    !ether1 protocol=icmp
add action=accept chain=input comment="povol PING input" in-interface=!ether1 \
    limit=10,50:packet protocol=icmp
add action=passthrough chain=comment-VPNs comment="-- SECTION -- VPNs rules"
add action=accept chain=input comment=wireguard dst-port=13231 protocol=udp
# NOTE(review): the two src-address=192.168.77.0/24 accepts trust the source
# address alone, on any interface and for every port and protocol. Adding
# in-interface=wireguard1 to both ties that trust to packets that actually
# arrived through the tunnel.
add action=accept chain=input comment=wireguard src-address=192.168.77.0/24
add action=accept chain=forward comment=wireguard src-address=192.168.77.0/24
# NOTE(review): the PPTP/L2TP/IPsec accepts are all disabled, and nothing in
# this export enables those services.
add action=accept chain=input comment="allow input PPTP" disabled=yes \
    dst-port=1723 protocol=tcp src-port=1024-65535
add action=accept chain=input comment="allow input IPSEC" disabled=yes \
    dst-port=500 protocol=udp src-port=1024-65535
add action=accept chain=input comment="allow input IPSEC" disabled=yes \
    dst-port=4500 protocol=udp src-port=1024-65535
add action=accept chain=input comment="allow input L2TP" disabled=yes \
    dst-port=1701 protocol=udp src-port=1024-65535
add action=accept chain=input comment="allow input PPTP" disabled=yes \
    protocol=gre
add action=accept chain=input comment="allow input IPSEC-esp" disabled=yes \
    protocol=ipsec-esp
add action=passthrough chain=comment-PUBLIC-DMZ comment=\
    "-- SECTION -- public DMZ, webserver etc rules"
add action=passthrough chain=comment-INET-access comment=\
    "-- SECTION -- Internet access RULES"
# NOTE(review): everything LAN -> WAN is allowed. WAN -> LAN has no accept at
# all, so only established/related replies get through before the final drop;
# there are no dst-nat rules that would need an exception.
add action=accept chain=forward comment="povolene vse z LAN" in-interface=\
    bridge out-interface=ether1
add chain=forward comment="povolene sluzby obecne TCP z LAN" disabled=yes \
    out-interface=ether1 protocol=tcp
add chain=forward comment="povolene sluzby obecne UDP z LAN" disabled=yes \
    out-interface=ether1 protocol=udp src-address-list=!servers_RANGE_vlan
add action=passthrough chain=comment-OTHER comment=\
    "-- SECTION -- other rules"
add action=passthrough chain=comment-DROP-FINAL comment=\
    "-- SECTION -- FINAL DROPs"
# NOTE(review): the output chain ends in a drop and only accepts
# established/related, DNS (53), NTP (123) and ICMP for the router itself.
# Nothing accepts the router's own outbound TCP, which is the likely reason the
# online update asked about later in the thread does not get through. A rule
# such as
#   add action=accept chain=output comment="router http/https" dst-port=80,443 protocol=tcp
# placed before these final drops covers that. Also, each of the three drops is
# logged with no limit=, so the log can be flooded by unsolicited WAN traffic.
add action=log chain=forward comment="Drop everything all FORWARD" \
    log-prefix=DROP_forward
add action=drop chain=forward comment="Drop everything all FORWARD"
add action=log chain=input comment="Drop everything all INPUT" log-prefix=\
    DROP_input
add action=drop chain=input comment="Drop everything all INPUT"
add action=log chain=output comment="Drop everything all OUTPUT" log-prefix=\
    DROP_output
add action=drop chain=output comment="Drop everything all OUTPUT"
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/ip firewall service-port
set sip disabled=yes
/ip service
# NOTE(review): telnet/ftp/www/api/api-ssl disabled - good. ssh and winbox are
# not listed (left at their defaults) and no service carries an address=
# restriction, so the filter rules above are the only thing keeping them off
# the WAN; www-ssl is enabled but, as noted above, only reachable via the
# WireGuard subnet accept.
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=no
set api disabled=yes
set api-ssl disabled=yes
/ip upnp interfaces
# NOTE(review): 123.456.789.000 is not a valid IPv4 address (octets above 255),
# presumably a placeholder in the post. No "/ip upnp set enabled=yes" appears in
# this export, so UPnP is presumably off; keep it off unless LAN hosts really
# need to open inbound WAN ports on their own.
add forced-ip=123.456.789.000 interface=ether1 type=external
add interface=bridge type=internal
/ipv6 firewall address-list
# NOTE(review): the IPv6 address list and filter below are the unmodified
# defconf set; this export configures no IPv6 address or DHCPv6 client.
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
/ipv6 firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" port=\
    33434-33534 protocol=udp
add action=accept chain=input comment=\
    "defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=\
    udp src-address=fe80::/10
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 \
    protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=input comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=input comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
add action=accept chain=forward comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop packets with bad src ipv6" src-address-list=bad_ipv6
add action=drop chain=forward comment=\
    "defconf: drop packets with bad dst ipv6" dst-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=1" \
    hop-limit=equal:1 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=\
    icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=\
    500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=\
    ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=\
    ipsec-esp
add action=accept chain=forward comment=\
    "defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=drop chain=forward comment=\
    "defconf: drop everything else not coming from LAN" in-interface-list=\
    !LAN
/system clock
set time-zone-name=Europe/Prague
/system logging
# NOTE(review): the firewall topic goes to the log; combined with the unlimited
# final drop log rules above, this is the log that can fill up.
add topics=firewall
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
add address=0.cz.pool.ntp.org
add address=1.cz.pool.ntp.org
/tool mac-server
# NOTE(review): MAC telnet and MAC Winbox restricted to the LAN list - good.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Last edited by holvoetn on Mon Feb 12, 2024 8:39 pm, edited 1 time in total.
Reason: removed serial
 
holvoetn
Forum Guru
Forum Guru
Posts: 5500
Joined: Tue Apr 13, 2021 2:14 am
Location: Belgium

Re: check my settings

Mon Feb 12, 2024 8:39 pm

And what is there to check ?

What do you want it to do ?
What does work ? What does not work ?

You need to be a bit more specific with your question.
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: check my settings

Mon Feb 12, 2024 8:48 pm

If one looks at the config, the request can be deduced. ;-P

Yes, the config except the firewall rules is actually very good.
My recommendation is go back to default firewall rules and make minor adjustments.
Move from an allow-all concept where you block some things (and hopefully guess right) to a block-all concept where you only allow the traffic you need.
 
gigabyte091
Forum Guru
Forum Guru
Posts: 1207
Joined: Fri Dec 31, 2021 11:44 am
Location: Croatia

Re: check my settings

Mon Feb 12, 2024 8:52 pm

And maybe increase the DHCP lease time; it is 5 min now...
 
erlinden
Forum Guru
Forum Guru
Posts: 1975
Joined: Wed Jun 12, 2013 1:59 pm
Location: Netherlands

Re: check my settings

Mon Feb 12, 2024 8:55 pm

And while we are at it: upgrade to the wifi-qcom-ac driver, which is available from RouterOS v7.13.x and up. Consider 7.14, which works better (for me).
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: check my settings

Mon Feb 12, 2024 8:57 pm

If you are not using IPv6, disable it and remove the firewall settings for it.
 
johnudu
just joined
Topic Author
Posts: 6
Joined: Wed Apr 26, 2023 8:26 pm

Re: check my settings

Mon Feb 12, 2024 10:19 pm

If one looks at the config, the request can be deduced. ;-P

Yes, the config except the firewall rules is actually very good.
My recommendation is go back to default firewall rules and make minor adjustments.
Move from an allow-all concept where you block some things (and hopefully guess right) to a block-all concept where you only allow the traffic you need.
Everything works, how would you modify the firewall configuration?
 
johnudu
just joined
Topic Author
Posts: 6
Joined: Wed Apr 26, 2023 8:26 pm

Re: check my settings

Mon Feb 12, 2024 10:21 pm

And what is there to check ?

What do you want it to do ?
What does work ? What does not work ?

You need to be a bit more specific with your question.
What rule should I set to get online updates?
 
johnudu
just joined
Topic Author
Posts: 6
Joined: Wed Apr 26, 2023 8:26 pm

Re: check my settings

Mon Feb 12, 2024 10:23 pm

And while we are at it: upgrade to wifi-qcom-ac driver, which is available from RouterOS v7.13.x and up. Consider 7.14 which is better working (for me).
I'll get to that when I have time. I might get a newer router.
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: check my settings

Mon Feb 12, 2024 10:52 pm

If one looks at the config, the request can be deduced. ;-P

Yes, the config except the firewall rules is actually very good.
My recommendation is go back to default firewall rules and make minor adjustments.
Move from an allow-all concept where you block some things (and hopefully guess right) to a block-all concept where you only allow the traffic you need.
Everything works, how would you modify the firewall configuration?
As stated.....
input rules= default.
change drop !LAN to allow LAN
add any rules you need for router services VPN etc.
add last rule drop all.

Forward chain rules=default
modify the "block WAN unless dst-nat" rule into a simple allow-dstnat rule
allow lan to wan
add any other allow rules needed
add last rule drop all.

All the extra stuff you added: gone!
 
johnudu
just joined
Topic Author
Posts: 6
Joined: Wed Apr 26, 2023 8:26 pm

Re: check my settings

Mon Feb 12, 2024 11:31 pm

Thank you, but I'm a beginner and I don't understand much.
 
Mesquite
Member
Member
Posts: 420
Joined: Tue Jan 23, 2024 9:16 pm

Re: check my settings

Tue Feb 13, 2024 12:40 am

Okay, to be clear: a beginner does not come up with these firewall rules...
Where did you get them from??
........
/ip firewall filter
# NOTE(review): quoted from the first post. Rule order decides; the remarks
# below refer to rules by position in the chain.
add action=passthrough chain=comment-test comment=\
    "-- SECTION -- test and info rules"
add action=passthrough chain=comment-established comment=\
    "-- SECTION -- established rules"
add chain=forward comment="allow established forward" connection-state=\
    established
add chain=forward comment="povol related forward" connection-state=related
add chain=input comment="Allow esatblished connections forward" \
    connection-state=established
add chain=input comment="Allow related connections input" connection-state=\
    related
add chain=output comment="Allow esatblished connections output" \
    connection-state=established
add chain=output comment="Allow related connections output" connection-state=\
    related
add action=passthrough chain=comment-drop comment="-- SECTION -- drop rules"
# NOTE(review): invalid is dropped on input and output only; no forward-chain
# drop for connection-state=invalid exists in this filter.
add action=log chain=input comment="Drop invalid connections" \
    connection-state=invalid log-prefix=drop_invalid
add action=drop chain=input comment="Drop invalid connections" \
    connection-state=invalid
add action=log chain=output comment="Drop invalid connections" \
    connection-state=invalid log-prefix=drop_invalid
add action=drop chain=output comment="Drop invalid connections" \
    connection-state=invalid
# NOTE(review): nothing in the posted config populates all_banned, so these two
# rules match nothing unless the list is filled by hand or by a script.
add action=log chain=forward comment="drop all BANNED IPs" log-prefix=\
    drop_banned src-address-list=all_banned
add action=drop chain=forward comment="drop all BANNED IPs" src-address-list=\
    all_banned
add action=log chain=input comment="Block broadcasts packets" disabled=yes \
    dst-address=255.255.255.255 log-prefix=255
add action=drop chain=input comment="Block broadcasts packets" dst-address=\
    255.255.255.255
add action=drop chain=input comment="Block broadcasts packets" \
    dst-address-type=broadcast,multicast
add action=passthrough chain=comment-VOIP comment="-- SECTION -- VOIP rules"
add action=passthrough chain=comment-DDOS comment=\
    "-- SECTION -- block ddos rules"
# NOTE(review): the SSH staging rules have no in-interface or src-address
# exclusion, so LAN and VPN addresses are counted too; a fourth new SSH
# connection inside the stage windows blacklists that address for 1w3d.
add action=log chain=input comment="drop ssh brute forcers for 10days" \
    dst-port=22 log-prefix=drop-ssh-brute protocol=tcp src-address-list=\
    ssh_blacklist
add action=drop chain=input comment="drop ssh brute forcers for 10days" \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input comment="ssh black_list" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=20m chain=input comment="ssh black_list" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=10m chain=input comment="ssh black_list" \
    connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=5m chain=input comment="ssh black_list" \
    connection-state=new dst-port=22 protocol=tcp
add action=jump chain=forward comment=Jump_to_block-ddos disabled=yes \
    dst-port=!53,514 jump-target=block-ddos protocol=udp
add action=jump chain=input comment=Jump_to_block-ddos disabled=yes dst-port=\
    !53,514 jump-target=block-ddos protocol=udp
add action=return chain=block-ddos disabled=yes limit=16,32:packet
add action=log chain=block-ddos disabled=yes log-prefix=DDOS_ATTACK:
add action=drop chain=block-ddos disabled=yes limit=16,32:packet
add action=jump chain=input comment=Jump_to_block-ddos disabled=yes dst-port=\
    !53 jump-target=block-ddos protocol=udp
add action=passthrough chain=comment-important-basic comment=\
    "-- SECTION -- important and basic rules"
# NOTE(review): Winbox/SSH accepted from every interface except ether1 (LAN
# bridge and WireGuard tunnel).
add action=accept chain=input dst-port=8291,22 in-interface=!ether1 protocol=\
    tcp
add chain=output comment="allow router DNS queries" dst-port=53 protocol=tcp
add chain=output comment="allow router DNS queries" dst-port=53 protocol=udp
add action=accept chain=input comment="allow router DNS queries" dst-port=53 \
    in-interface=!ether1 protocol=udp
add action=accept chain=input comment="allow router DNS queries" dst-port=53 \
    in-interface=!ether1 protocol=tcp
add action=accept chain=forward comment="allow router DNS queries" dst-port=\
    53 in-interface=!ether1 protocol=udp
add action=accept chain=forward comment="allow router DNS queries" dst-port=\
    53 in-interface=!ether1 protocol=tcp
add chain=output comment="allow router NTP queries" dst-port=123 protocol=udp
add action=accept chain=forward comment="allow router NTP queries" dst-port=\
    123 in-interface=!ether1 protocol=udp
add chain=output comment="allow ping z routeru" protocol=icmp
add action=accept chain=forward comment="povol PING forward" in-interface=\
    !ether1 protocol=icmp
add action=accept chain=input comment="povol PING input" in-interface=!ether1 \
    limit=10,50:packet protocol=icmp
add action=passthrough chain=comment-VPNs comment="-- SECTION -- VPNs rules"
add action=accept chain=input comment=wireguard dst-port=13231 protocol=udp
# NOTE(review): these two accepts trust the source address alone, on any
# interface and for all ports; adding in-interface=wireguard1 ties the trust to
# packets that actually came through the tunnel.
add action=accept chain=input comment=wireguard src-address=192.168.77.0/24
add action=accept chain=forward comment=wireguard src-address=192.168.77.0/24
add action=accept chain=input comment="allow input PPTP" disabled=yes \
    dst-port=1723 protocol=tcp src-port=1024-65535
add action=accept chain=input comment="allow input IPSEC" disabled=yes \
    dst-port=500 protocol=udp src-port=1024-65535
add action=accept chain=input comment="allow input IPSEC" disabled=yes \
    dst-port=4500 protocol=udp src-port=1024-65535
add action=accept chain=input comment="allow input L2TP" disabled=yes \
    dst-port=1701 protocol=udp src-port=1024-65535
add action=accept chain=input comment="allow input PPTP" disabled=yes \
    protocol=gre
add action=accept chain=input comment="allow input IPSEC-esp" disabled=yes \
    protocol=ipsec-esp
add action=passthrough chain=comment-PUBLIC-DMZ comment=\
    "-- SECTION -- public DMZ, webserver etc rules"
add action=passthrough chain=comment-INET-access comment=\
    "-- SECTION -- Internet access RULES"
add action=accept chain=forward comment="povolene vse z LAN" in-interface=\
    bridge out-interface=ether1
add chain=forward comment="povolene sluzby obecne TCP z LAN" disabled=yes \
    out-interface=ether1 protocol=tcp
add chain=forward comment="povolene sluzby obecne UDP z LAN" disabled=yes \
    out-interface=ether1 protocol=udp src-address-list=!servers_RANGE_vlan
add action=passthrough chain=comment-OTHER comment=\
    "-- SECTION -- other rules"
add action=passthrough chain=comment-DROP-FINAL comment=\
    "-- SECTION -- FINAL DROPs"
# NOTE(review): the output chain accepts only established/related, DNS, NTP and
# ICMP before this drop, so the router's own outbound TCP (e.g. the online
# update check) is blocked; an accept for chain=output dst-port=80,443
# protocol=tcp above these rules is the missing piece. The three log rules have
# no limit=, so the log can be flooded.
add action=log chain=forward comment="Drop everything all FORWARD" \
    log-prefix=DROP_forward
add action=drop chain=forward comment="Drop everything all FORWARD"
add action=log chain=input comment="Drop everything all INPUT" log-prefix=\
    DROP_input
add action=drop chain=input comment="Drop everything all INPUT"
add action=log chain=output comment="Drop everything all OUTPUT" log-prefix=\
    DROP_output
add action=drop chain=output comment="Drop everything all OUTPUT"
 
johnudu
just joined
Topic Author
Posts: 6
Joined: Wed Apr 26, 2023 8:26 pm

Re: check my settings

Tue Feb 13, 2024 8:49 am

A colleague once set it up for me.
I needed to know if the settings are OK.
