Dual Wan Failover + Firewall Setup

howser99 · February 22, 2018, 12:40am

Hi All,

I have successfully setup a new mikkrotik router (steep learning curve) and believe I have setup our dual wan failover correctly as well. However, I just wanted to check with the brains trust. Here is the print of my routes:

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 ADS 0.0.0.0/0 xxx.1.1.101 0
1 DS 0.0.0.0/0 xxx.45.255.1 1
2 ADC 10.1.1.101/32 xxx.75.205.112 pppoe-out1-xxxx 0
3 ADC 192.168.1.0/24 xxx.168.1.1 ether2-master 0
4 ADC 203.45.255.1/32 xxx.139.88.56 pppoe-out1-xxxx123 0

Secondly, I have setup firewall as per basic script, as well as enabling telnet from local subnet only. However Im still getting external login attempts. Is that correct?
:
0 D ;;; special dummy rule to show fasttrack counters
chain=forward
1 ;;; defconf: fasttrack
chain=forward action=fasttrack-connection connection-state=established,related
2 ;;; defconf: accept established,related
chain=forward action=accept connection-state=established,related
3 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
4 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=ether1
5 chain=input action=accept protocol=icmp
6 chain=input action=accept connection-state=established
7 chain=input action=accept connection-state=related
8 chain=input action=drop in-interface=pppoe-out1-UNITI
9 ;;; Add Syn Flood IP to the list
chain=input action=add-src-to-address-list tcp-flags=syn connection-limit=30,32 protocol=tcp address-list=Syn_Flooder address-list-timeout=30m
10 ;;; Drop to syn flood list
chain=input action=drop src-address-list=Syn_Flooder
11 ;;; Port Scanner Detect
chain=input action=add-src-to-address-list protocol=tcp psd=21,3s,3,1 address-list=Port_Scanner address-list-timeout=1w
12 ;;; Drop to port scan list
chain=input action=drop src-address-list=Port_Scanner
13 ;;; Jump for icmp input flow
chain=input action=jump jump-target=ICMP protocol=icm
14 XI ;;; Block all access to the winbox - except to support list # DO NOT ENABLE THIS RULE BEFORE ADD YOUR SUBNET IN THE SUPPORT ADDRESS LIST
chain=input action=drop protocol=tcp src-address-list=!support dst-port=8291
15 ;;; Jump for icmp forward flow
chain=forward action=jump jump-target=ICMP protocol=icmp
16 ;;; Drop to bogon list
chain=forward action=drop dst-address-list=bogons
17 ;;; Avoid spammers action
chain=forward action=drop protocol=tcp src-address-list=spammers dst-port=25,587
18 ;;; Accept DNS - UDP
chain=input action=accept protocol=udp port=53
19 ;;; Accept DNS - TCP
chain=input action=accept protocol=tcp port=53
20 ;;; Accept to established connections
chain=input action=accept connection-state=established
21 ;;; Accept to related connections
chain=input action=accept connection-state=related
22 ;;; Full access to SUPPORT address list
chain=input action=accept src-address-list=support
23 XI ;;; Drop anything else! # DO NOT ENABLE THIS RULE BEFORE YOU MAKE SURE ABOUT ALL ACCEPT RULES YOU NEED
chain=input action=drop
24 ;;; Echo reply
chain=ICMP action=accept protocol=icmp icmp-options=0:0
25 ;;; Time Exceeded
chain=ICMP action=accept protocol=icmp icmp-options=11:0
26 ;;; Destination unreachable
chain=ICMP action=accept protocol=icmp icmp-options=3:0-1
27 ;;; PMTUD
chain=ICMP action=accept protocol=icmp icmp-options=3:4
28 ;;; Drop to the other ICMPs
chain=ICMP action=drop protocol=icmp
29 ;;; Jump for icmp output
chain=output action=jump jump-target=ICMP protocol=icmp