Thanks for the clarification. "What you're complaining about is the flexibility offered by ROS combined with your inexperience." very well said! True I need to learn the basics first, before complain! Thanks to everyone found time replying to my post.

@mkx Thank you for your comments. With all due respect, the example you posted will expose your Mikrotik service port 80 for !MyExternalWhiteList. Since there is no match for NAT go to INPUT! This is what I am humbly complain about in general in this post… @pe1chl “remember the raw firewall has no c...

Thanks for the comments. @TDW, yes obviously the best place for black list is /ip firewall raw @SOB, yes Default Firewall Rules are fine, as long as you do not want to add anything new to them. See the mess here: #NAT /ip firewall nat add action=dst-nat chain=dstnat dst-port=80 in-interface-list=WAN...

Hello Tik community. Proud new owner here with HEX S with latest 6.47.7 firmware. After some testing I witnessed the bitter truth : All WAN inbound traffic that you do not DST-NAT will hit your INPUT chain ( your router). The firewall logic, as far as I understood is: If (DST-NAT) {forward to Forwar...

Marogo, you would need a UDP as well for the same port. As mkx stated you can do hairpin NAT, or a quick split DNS: /ip dns static add address=192.168.88.241 name=servername add address=192.168.88.241 name=servername.yourdoamin.com where servername.yourdoamin.com is the public address for your minec...

Thanks for the reply Anav. Much appreciated. Already tried with pcunite examples ( grateful to him as well !!!) , but I hit the rock and not able to connect to HAP via the trunk. According to "Switch with a separate router" example he is setting: Regarding Router Config: # -- Trunk Ports -...

Hello Tik community, I would be glad if you can give me hints. Fairly simple home setup. I have HEX S (RB760iGS) as a router and a HAP ac2 (RBD52G-5HacD2HnD) as AP. What I would like to accomplish is having 2 vlans, 1 COMMON trusted( all trusted computers and equipment) and a GUEST network. I would ...

I don't use CAPsMAN , so I have disabled it. My big concern is, that this is the "almost" default config, just with few changes, rules seems correct and safe. No rule that will allow remote WinBox 8291 WAN connection, and all of a sudden, in the middle of the night I get "denied winbo...

Thanks, but LAN is not empty. /interface bridge port add bridge=bridge comment=defconf interface=ether2 add bridge=bridge comment=defconf interface=ether3 add bridge=bridge comment=defconf interface=ether4 add bridge=bridge comment=defconf interface=ether5 add bridge=bridge comment=defconf interface...

Hello TIk community. I'm new to mikrotik and learning slowly. Few days ago I got a mysterious 3 warning logs: "denied winbox/dude connect from 117.202.126.x". Question is, how the person behind this address has managed to get inside passing my input rules ? Suggestions will be appreciated!...