Hello all. I have an issue somewhere but I can't figure it out somehow.
I have a DHCP server 192.168.5.1-254, but on that interface it sometimes gives out addresses like 192.168.10.X or 10.106.X.X, and the devices cannot access the internet.
What do you recommend?
Somehow it seems to work fine after I disable the firewall rules:
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=passthrough chain=unused-hs-chain comment="Place hotspot rules here" disabled=yes
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid disabled=yes
add action=return chain=detect-ddos disabled=yes dst-limit=32,32,src-and-dst-addresses/10s protocol=tcp tcp-flags=syn,ack
add action=return chain=detect-ddos disabled=yes dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddos-targets address-list-timeout=10m chain=detect-ddos disabled=yes
add action=add-src-to-address-list address-list=ddos-attackers address-list-timeout=10m chain=detect-ddos disabled=yes
add action=jump chain=forward comment="SYN Flood protect" connection-state=new disabled=yes jump-target=SYN-Protect protocol=tcp tcp-flags=syn
add action=accept chain=SYN-Protect connection-state=new disabled=yes limit=400,5:packet protocol=tcp tcp-flags=syn
add action=drop chain=SYN-Protect connection-state=new disabled=yes protocol=tcp tcp-flags=syn
add action=accept chain=forward comment="Allow established/related connections" connection-state=established,related disabled=yes
add action=accept chain=forward comment="Allow internet access" disabled=yes in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="Allow Wireguard To Access LAN" disabled=yes in-interface="Wireguard VPN" out-interface-list=LAN
add action=accept chain=forward comment="Allow Dst NAT" connection-nat-state=dstnat disabled=yes
add action=drop chain=forward comment="Drop everything else" disabled=yes log=yes log-prefix=fwd-else
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=yes
add action=tarpit chain=input comment="Capture and hold connections" connection-limit=3,32 disabled=yes protocol=tcp src-address-list=\
blocked-addr
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=input comment="Limit incoming connections" \
connection-limit=100,32 disabled=yes protocol=tcp
add action=accept chain=input comment="Allow established/related connections" connection-state=established,related disabled=yes
add action=accept chain=input comment="Allow LAN to access the router" disabled=yes in-interface-list=LAN
add action=accept chain=input comment="Allow Winbox" disabled=yes dst-port=XXXX protocol=tcp
add action=accept chain=input comment="Allow SSH" disabled=yes dst-port=XXXX protocol=tcp
add action=accept chain=input comment="Allow API" disabled=yes dst-port=XXXX protocol=tcp
add action=accept chain=input comment="Allow Wireguard VPN" disabled=yes dst-port=XXXXX protocol=udp
add action=accept chain=input comment="Allow ICMP for everyone" disabled=yes protocol=icmp
add action=drop chain=input comment="Drop everything else" disabled=yes
When I enable the firewall filter, it gives out addresses out of DHCP and shows something like this in the log:
fwd-else forward: in:6- Africa (Ether 6) out:6- Africa (Ether 6), packet-mark:Other Upload connection-mark:Client Upload Connection connection-state:new src-mac 70:a7:41:8c:d5:b2, proto UDP, 192.168.5.84:514->192.168.5.10:5514, len 174
If I add "new" connections, except established/related, at
add action=accept chain=forward comment="Allow established/related connections" connection-state=established,related disabled=yes
it still seems to work OK.
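Added example, not code from the original post: a small Python walk-through of why the quoted "fwd-else" log line ends at the "Drop everything else" rule. The packet is LAN-to-LAN (same in and out interface) with connection-state new, so none of the accept rules in the exported forward chain match it; the interface-list membership (ether6 in LAN, a placeholder "ether1" in WAN) is an assumption because the post does not include it.

```python
import re

# Constructed copy of the "fwd-else" drop line quoted in the post.
LOG_LINE = ("fwd-else forward: in:6- Africa (Ether 6) out:6- Africa (Ether 6), "
            "packet-mark:Other Upload connection-mark:Client Upload Connection "
            "connection-state:new src-mac 70:a7:41:8c:d5:b2, proto UDP, "
            "192.168.5.84:514->192.168.5.10:5514, len 174")

# ASSUMPTION: the post does not show /interface list members; ether6 is treated
# as a LAN member and "ether1" (a placeholder name) as the WAN member.
IFACE_LISTS = {"LAN": {"6- Africa (Ether 6)"}, "WAN": {"ether1"}}

LOG_RE = re.compile(
    r"^(?P<prefix>\S+) (?P<chain>\w+): in:(?P<inif>.+?) out:(?P<outif>.+?), "
    r".*?connection-state:(?P<state>\w+) .*?proto (?P<proto>\w+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+), len (?P<len>\d+)$")


def parse_fw_log(line):
    """Split a RouterOS firewall log line into its fields."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("not a RouterOS firewall log line: %r" % line)
    pkt = m.groupdict()
    # The log line carries no connection-nat-state; a LAN host talking directly
    # to another LAN host has not been dst-natted, so assume none.
    pkt["nat_state"] = None
    return pkt


# The forward chain from the post, reduced to the conditions relevant to a
# UDP packet (the SYN-Protect jump only applies to TCP SYN). Order matters:
# the first rule whose conditions all match decides the verdict.
FORWARD_CHAIN = [
    ("Drop invalid connections", "drop",
     lambda p: p["state"] == "invalid"),
    ("Allow established/related connections", "accept",
     lambda p: p["state"] in ("established", "related")),
    ("Allow internet access", "accept",
     lambda p: p["inif"] in IFACE_LISTS["LAN"] and p["outif"] in IFACE_LISTS["WAN"]),
    ("Allow Wireguard To Access LAN", "accept",
     lambda p: p["inif"] == "Wireguard VPN" and p["outif"] in IFACE_LISTS["LAN"]),
    ("Allow Dst NAT", "accept", lambda p: p["nat_state"] == "dstnat"),
    ("Drop everything else", "drop", lambda p: True),
]


def forward_verdict(pkt):
    """Return (rule comment, action) of the first forward rule matching pkt."""
    for comment, action, cond in FORWARD_CHAIN:
        if cond(pkt):
            return comment, action


if __name__ == "__main__":
    p = parse_fw_log(LOG_LINE)
    print(p["src"], "->", p["dst"], "in:", p["inif"], "out:", p["outif"], forward_verdict(p))
```

Changing only the out-interface to the WAN member, or the state to established, flips the verdict to accept, which is the same behaviour the post reports when new connections are added to the established/related rule.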