Starting out. This guide, after about 30 youtubers talking too fast and numerous web searches, was the first one that finally worked in terms of getting me a basic setup for using the internet with the CCR2004 router.
Thank you, author. It's obvious this router was not prosumer; the config was way harder than a Ubiquiti. That means there are probably a lot of next steps I need.
Can anyone point me to these "next steps" and next "must do's", and can anyone help with:
How “good” is this firewall list? How can it be changed or improved?
0 - Drop invalid connections on the forward chain.
1 - Drop invalid connections on the input chain.
2 - Accept connections from the LAN on the input chain.
3 - Accept established connections on the input chain.
4 - Drop everything else on the input chain as we have allowed everything we want to allow.
5 - Accept connections from the LAN on the forward chain.
6 - Accept related connections on the forward chain.
7 - Accept established connections on the forward chain.
8 - Drop new connections on the forward chain from ether1 as we have allowed everything we want to allow.
I have read that “bridging is bad” - if true - this guide does that, what do I do?
My Cisco router has link aggregation. I would like to dedicate a few ports of the router for this on a dedicated IP; can anyone help with a good guide for it? Or just set the IP of 4 ports to "X" and point the link agg screen in the router to them?
Is there a way for this router to create a “network share” —> have something that can be typed in an explorer window? Now I have \nas\share… is there a way I can just go right to share?
(1) I would add,
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=bridge1 list=LAN
add interface=ether1 list=WAN
(2) For a decent Firewall setup here ya go.
/ip firewall filter { order is critical and organization is good practice }
{Input Chain}
(Default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(Admin Rules)
add action=accept chain=input comment="allow admin" in-interface-list=LAN src-address-list=TRUSTED { to configure router by admin } *******
add action=accept chain=input comment="users to Router services" in-interface-list=LAN dst-port=53 protocol=tcp
add action=accept chain=input comment="users to Router services" in-interface-list=LAN dst-port=53 protocol=udp
add action=drop chain=input comment="Drop all else" { this goes in last so you don't lock yourself out of the router }
{Forward Chain}
(Default Rules)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec { can remove if not doing ipsec }
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec { can remove if not doing ipsec }
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(Admin Rules)
add action=accept chain=forward comment="allow internet" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat { optional: can remove if you don't have servers }
add action=drop chain=forward comment="Drop all else"
******* Where firewall address list = TRUSTED contains any IP addresses the admin uses on the local LAN subnet, e.g.
( based on setting static leases )
/ip firewall address-list
add address=Admin_desktop-IP list=TRUSTED
add address=Admin_laptop-IP_wired list=TRUSTED
add address=Admin_laptop-IP_wifi list=TRUSTED
add address=Admin_iphone-ipad-IP list=TRUSTED
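Since the reply stresses that rule order is critical, here is an added example (not from the thread or from MikroTik) that parses a RouterOS-style filter list and checks the ordering properties the reply relies on: a catch-all drop last in each chain, no rule after a catch-all, fasttrack before the generic accept-established rule, and an admin address-list accept on input. The rule text is constructed for the example.

```python
import shlex

# Constructed rule list (not from the thread), in the same style as the reply.
RULES = """
add action=accept chain=input comment="accept established" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow admin" in-interface-list=LAN src-address-list=TRUSTED
add action=drop chain=input comment="drop all else"
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN
add action=drop chain=forward comment="drop all else"
"""

def parse_rules(text):
    """Turn each 'add key=value ...' line into a dict of its parameters."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rules.append(dict(t.split("=", 1) for t in tokens[1:] if "=" in t))
    return rules

def is_catch_all(rule):
    """A rule whose only keys are action/chain/comment matches every packet."""
    return not (set(rule) - {"action", "chain", "comment"})

def lint(rules):
    """Return ordering problems; an empty list means the order looks sane."""
    problems, by_chain = [], {}
    for r in rules:
        by_chain.setdefault(r.get("chain"), []).append(r)
    for chain, crs in by_chain.items():
        if not (crs[-1].get("action") == "drop" and is_catch_all(crs[-1])):
            problems.append(f"{chain}: last rule is not a catch-all drop")
        # Rules are evaluated top-down, so anything after a catch-all is dead.
        for i, r in enumerate(crs[:-1]):
            if is_catch_all(r):
                problems.append(f"{chain}: rule {i} is a catch-all, later rules never match")
        # Fasttrack only fires if it sits before the generic established/related accept.
        ft = [i for i, r in enumerate(crs) if r.get("action") == "fasttrack-connection"]
        acc = [i for i, r in enumerate(crs) if r.get("action") == "accept"
               and "established" in r.get("connection-state", "")]
        if ft and acc and ft[0] > acc[0]:
            problems.append(f"{chain}: fasttrack sits after accept-established, so it never fires")
        if chain == "input" and not any(r.get("src-address-list") for r in crs
                                        if r.get("action") == "accept"):
            problems.append("input: no accept rule limited to an admin address list")
    return problems
```

Paste the output of `/ip firewall filter export` in place of RULES to check a live router's order before adding the final "Drop all else" rule.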
You mean replace the one I shared, right? Can you comment on it versus the one you posted? I would like to understand the firewall setup better because it tends to cause a lot of problems down the road.
Where is this setting? It's not under any of the config menus that I see. I tried to run this from the command line and get errors; the other rules worked via the GUI. Is there some component that is not present yet that would allow for this offload setting?