sbonfa
just joined
Topic Author
Posts: 3
Joined: Sat May 04, 2024 3:28 pm

Isolate a public server host from LAN

Sat May 04, 2024 4:03 pm

Dear All,

I got a mini-PC to host a public game server. I would like to have this mini-PC connected to eth5 of my Chateau 5G AX, with full connection to the Internet and pingable from all the other hosts on my LAN (to be able to set the game server up by keeping the Mini-PC under remote desktop control), but at the same time I would like to avoid any kind of connection from the Mini-PC to the LAN.

So far I've implemented these steps:
- I've removed eth5 from the bridge called bridge (the only one I have);
- I've created a new bridge called bridge-gs;
- I've added the port eth5 to bridge-gs;
- I've created a new range of addresses: 10.10.10.1/24;
- I've created the firewall NAT rule to have the internet connection available for bridge-gs;
- I've created a new DHCP server using the address range listed above and linked it to bridge-gs.

Now, before creating the firewall rule to avoid a connection from the Mini-PC to the LAN, I've connected the Mini-PC to eth5 and in fact the right address was distributed to it: 10.10.10.2. At this point I've tried the internet connection from the Mini-PC and it was working. I've also tried to ping a client in the LAN from the Mini-PC and it was working. Unfortunately I was not able to ping the Mini-PC from any client on the LAN, which is actually what I need to set up the game server by remote desktop.

So, everything I've done here was meant to keep my LAN as secure as possible from this client, with a couple of ports opened in order to have the game server online.
As you can understand from my message, I'm a beginner in this field. Can anyone suggest what I can implement to have the needed functionality up and running with the most "secure" solution against any potential external attacks?

Many thanks,
sbonfa
Last edited by sbonfa on Sat May 11, 2024 7:26 pm, edited 1 time in total.
 
TheCat12
Member Candidate
Posts: 196
Joined: Fri Dec 31, 2021 9:13 pm

Re: Isolate a public server host from LAN

Sat May 04, 2024 11:48 pm

Could you export your config and post it here?

On the CLI:
/export file=anynameyouwish (minus sensitive information like serial number, public IP, passwords, etc.)
 
sbonfa
just joined
Topic Author
Posts: 3
Joined: Sat May 04, 2024 3:28 pm

Re: Isolate a public server host from LAN

Sat May 11, 2024 7:23 pm

Dear @TheCat12,

Here attached is my setup.
Thank you very much for helping.

With kind regards,
Sbonfa
Last edited by sbonfa on Sun May 12, 2024 10:38 am, edited 1 time in total.
 
anav
Forum Guru
Posts: 19913
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Isolate a public server host from LAN

Sat May 11, 2024 7:46 pm

No need for a second bridge.
Keeping ether5 separate from the bridge is fine.
Firewall rules determine the rest.


/interface list
add name=WAN
add name=LAN


/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=ether5 list=LAN


/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid

add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="access to server" in-interface=bridge out-interface=ether5
add action=drop chain=forward comment="Drop all else"


However, I would not give the server and all the LAN users access to the router in the input chain.
/ip firewall address-list
add address=192.168.88.X list=Authorized comment="admin desktop"
add address=192.168.88.Y list=Authorized comment="admin laptop"


/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1

add action=accept chain=input comment="admin access" in-interface=bridge src-address-list=Authorized
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=udp
add action=accept chain=input comment="users to services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=drop chain=input comment="Drop all else"
{ ensure you add this rule last }
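A fuller version of the same split, as an added example that is neither anav's nor the OP's config: it keeps the OP's bridge-gs / 10.10.10.0/24 segment in its own interface list so that LAN-to-server, server-to-internet and port-forwarded traffic are each accepted explicitly, while server-to-LAN and server-to-router-management fall through to the final drops. GAME_PORT, 192.168.88.X and the udp/67 DHCP rule are placeholders and assumptions, not values from the thread.

```routeros
# Added example (not from the thread): keeps the OP's bridge-gs / 10.10.10.0/24 segment
# and gives it its own interface list so rules can name the server segment directly.
# Placeholders: GAME_PORT (the game's listening port), 192.168.88.X (admin desktop).
/interface list
add name=WAN
add name=LAN
add name=SERVER

/interface list member
add interface=ether1 list=WAN
add interface=bridge list=LAN
add interface=bridge-gs list=SERVER

/ip firewall address-list
add address=192.168.88.X list=Authorized comment="admin desktop (replace X)"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="internet for LAN and SERVER"
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=udp dst-port=GAME_PORT \
    to-addresses=10.10.10.2 comment="publish the game server (replace GAME_PORT)"

/ip firewall filter
# input chain: what may talk to the router itself
add chain=input action=accept connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept in-interface-list=LAN src-address-list=Authorized comment="admin access"
add chain=input action=accept in-interface-list=LAN protocol=udp dst-port=53 comment="LAN DNS"
add chain=input action=accept in-interface-list=LAN protocol=tcp dst-port=53 comment="LAN DNS"
add chain=input action=accept in-interface-list=SERVER protocol=udp dst-port=67 comment="server DHCP lease (assumed needed)"
add chain=input action=accept in-interface-list=SERVER protocol=udp dst-port=53 comment="server DNS only"
add chain=input action=drop comment="drop all else (server cannot reach router management)"
# forward chain: what may pass between segments
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN to internet"
add chain=forward action=accept in-interface-list=SERVER out-interface-list=WAN comment="server to internet"
add chain=forward action=accept connection-nat-state=dstnat comment="port-forwarded game traffic"
add chain=forward action=accept in-interface-list=LAN out-interface-list=SERVER comment="LAN to server (ping, RDP)"
add chain=forward action=drop comment="drop all else, including server to LAN"
```

Rule order matters: the two "drop all else" rules must stay last in their chains, and a new server-to-LAN connection attempt can be confirmed by watching the counters on that final forward drop.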
 
sbonfa
just joined
Topic Author
Posts: 3
Joined: Sat May 04, 2024 3:28 pm

Re: Isolate a public server host from LAN

Sun May 12, 2024 10:37 am

Dear @anav,

Thank you very much indeed for your kind reply and support.
My current knowledge doesn't allow me to implement all the suggested settings just by following your instructions.
Do you know if there is a video tutorial that addresses the same needs?

Many thanks,
sbonfa
