Firewall and NAT

Hopefully it’s now attached. Otherwise I’ll strip out the thousands of lines of firewall entries and paste the file as text into this topic.

# 2025-05-11 17:03:17 by RouterOS 7.16.2
# software id = UCYE-VK1K
#
# model = RB3011UiAS
# serial number = E7E60FD836A5
/interface bridge
# VLAN1_BR has vlan-filtering=yes but nothing else in this export (ports,
# addresses, VLAN entries) refers to it; every port below joins "bridge".
add ingress-filtering=no name=VLAN1_BR port-cost-mode=short vlan-filtering=\
    yes
add admin-mac=hidden-mac auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
# ether10 -> DMZ, ether1 (the uplink) -> Stadtwerke. Most filter/NAT rules
# match these names literally, so renaming either port silently un-matches
# those rules.
set [ find default-name=ether10 ] name=DMZ
set [ find default-name=ether1 ] mtu=1504 name=Stadtwerke
/interface wireguard
# Listens on UDP 23947. Handshakes from the Internet arrive on the physical
# uplink (Stadtwerke); only decrypted traffic is seen with
# in-interface=wireguard1. The input-chain accept for this port in
# /ip firewall filter matches in-interface=wireguard1 and therefore cannot
# admit the handshake itself.
add listen-port=23947 mtu=1420 name=wireguard1
/interface vlan
# vlan1 sits on ether2, which is also a plain bridge port; vlan2 sits on the
# uplink. Neither VLAN interface receives an IP address in this export.
add interface=ether2 name=vlan1 vlan-id=1
add interface=Stadtwerke name=vlan2 vlan-id=2
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
# No filter, NAT or raw rule in this export uses a layer7-protocol= matcher,
# so both patterns are dead weight (L7 matching is CPU-expensive once it is
# referenced). The bittorrent pattern also begins with a literal space
# before the "^" anchor.
add comment=bittorrent name=bitorrent regexp=" ^(\\x13bittorrent protocol|azve\
    r\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_has\
    \nh=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]\
    "
add name=js regexp="/\\/c\\/version.js\$/g"
/ip pool
# 192.168.1.x lies in no subnet configured under /ip address; the only
# consumer of this pool is the disabled "defconf" DHCP server on the bridge.
add name=pool-vpn ranges=192.168.1.100-192.168.1.150
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/system logging action
# Disk logging action "logfiless" (file "logg"); no /system logging rule in
# this export routes any topic to it.
add disk-file-name=logg name=logfiless target=disk
/interface bridge port
# Every copper port, DMZ (ether10) and sfp1 are plain ports of "bridge".
# ether2 and DMZ nevertheless also carry their own IP addresses under
# /ip address, which contradicts their bridge-port role.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=DMZ \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
set udp-timeout=10s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 is switched off globally; the /ipv6 address entry later in this
# export has no effect while this stays set.
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
# detect-internet maintains interface-list membership dynamically. The
# filter and NAT rules key on the LAN/WAN lists (in-interface-list=!LAN,
# out-interface-list=WAN), so whatever this feature decides changes which
# rules match - keep that in mind when enabling it "fixes" connectivity.
set internet-interface-list=WAN lan-interface-list=LAN wan-interface-list=\
    dynamic
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=Stadtwerke list=WAN
add interface=ether2 list=LAN
# wireguard1 and DMZ are members of LAN: VPN peers and DMZ hosts reach the
# router's input chain on the same footing as the internal LAN, because the
# terminal input rule in /ip firewall filter only drops in-interface-list=!LAN.
add interface=wireguard1 list=LAN
add interface=DMZ list=LAN
/interface ovpn-server server
# md5 is listed as an accepted auth digest. This export does not show the
# OVPN server enabled; if it is ever enabled, remove md5 from the list.
set auth=sha1,md5
/interface wireguard peers
# allowed-address is a /24: the router accepts any source in 192.168.10.0/24
# from this single peer and routes the whole subnet to it. A single host
# normally gets a /32.
add allowed-address=192.168.10.5/24 interface=wireguard1 name=ifurz4 \
    public-key="FPBmZgAClxZ8sB0ViS4YQbZYwOdzZ2n+0ujEXK9U/HY="
/ip address
add address=192.168.0.253/24 comment=defconf interface=ether2 network=\
    192.168.0.0
add address=91.136.133.54/24 interface=Stadtwerke network=91.136.133.0
# No prefix length on the address, and network=255.0.0.0 is a netmask, not a
# network address. DMZ is at the same time still a port of "bridge".
add address=10.0.0.1 interface=DMZ network=255.0.0.0
add address=192.168.10.1/24 interface=wireguard1 network=192.168.10.0
/ip dhcp-client
add comment=defconf disabled=yes interface=Stadtwerke
/ip dhcp-server
# Disabled default server on the bridge, handing out pool-vpn (192.168.1.x),
# a range the router has no address in and no dhcp-server network for.
add address-pool=pool-vpn disabled=yes interface=bridge lease-time=10m name=\
    defconf
# No IP address on interface
# The line above looks like the marker RouterOS writes on export for an
# entry it considers invalid: vlan1 has no address, so this server cannot
# hand out leases.
add interface=vlan1 lease-time=10m name=VLAN1
/ip dhcp-server network
add address=192.168.0.0/24 comment=defconf gateway=192.168.0.253 netmask=24
/ip dns
# allow-remote-requests=yes makes the router a resolver for every source that
# can reach its input chain. From the WAN this is currently prevented only by
# the last two input rules in /ip firewall filter; if those are moved or
# disabled, this becomes an open resolver on the public address.
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1,server internal ip
/ip dns static
# router.lan resolves to .246, but the router's own LAN address is .253.
add address=192.168.0.246 comment=defconf name=router.lan type=A
/ip firewall address-list

******************************************************************
lots of firewall entries deleted just to make it more convenient
******************************************************************




/ip firewall filter
# Rules are evaluated top-down; accept/drop end evaluation for that packet,
# action=log does not. The rules are reproduced unchanged; the comments flag
# what each group actually matches.
#
# fasttrack first: once a connection is fasttracked its later packets bypass
# the rest of this filter, so every drop rule further down only ever sees
# the first packets of a connection. The second copy is disabled.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
# The three defconf input accepts (established/related, ICMP) are disabled;
# input from the WAN is instead admitted only by the established,related
# rule with in-interface=Stadtwerke further down.
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    disabled=yes protocol=icmp
add action=accept chain=input comment="Ping Reply " disabled=yes protocol=\
    icmp
# Router-originated DNS; the second rule is UDP although its comment says TCP.
add action=accept chain=output comment="DNS TCP" dst-port=53 protocol=tcp
add action=accept chain=output comment="DNS TCP" dst-port=53 protocol=udp
add action=accept chain=output comment="Router Output" protocol=tcp \
    src-address=192.168.0.253
add action=accept chain=output comment="Router Output" protocol=udp \
    src-address=192.168.0.253
add action=accept chain=output comment="Router Output" protocol=icmp \
    src-address=192.168.0.253
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# Matches in-interface=wireguard1, but the UDP 23947 handshake from the
# Internet arrives on Stadtwerke. As far as this export shows, nothing else
# in the input chain accepts it before the terminal !LAN drop, so inbound
# WireGuard from the WAN is blocked.
add action=accept chain=input comment=Wireguard dst-port=23947 in-interface=\
    wireguard1 log=yes log-prefix=Wireguard_ protocol=udp
# dst-address=0.0.0.0 matches only packets addressed to 0.0.0.0 (and the
# address-list matcher is empty): this rule effectively never fires.
add action=accept chain=forward comment="wiregard forward" dst-address=\
    0.0.0.0 dst-address-list="" log=yes out-interface=wireguard1
# Allow-list from the WAN; it accepts every protocol and port from these
# sources ahead of all the drops below.
add action=accept chain=forward comment="Alllowed Adresslist Blacklist" \
    in-interface=Stadtwerke log=yes log-prefix=allowed_blacklist_foward_ \
    src-address-list=allowed_blacklist
add action=accept chain=forward comment="Update Letsencrypt" disabled=yes \
    dst-address-list=server internal ip dst-port=80 in-interface=Stadtwerke log=yes \
    log-prefix=Letsencrypt_update_ protocol=tcp
add action=accept chain=forward comment="allowed russia" disabled=yes \
    in-interface=Stadtwerke log-prefix=allowed_russia protocol=tcp \
    src-address-list=allowed_russia
add action=accept chain=forward comment="Allow input Country List" disabled=\
    yes in-interface=Stadtwerke log=yes log-prefix=Allowed_Country protocol=\
    tcp src-address-list=allowed_country
# Duplicate of the established,related,untracked forward accept above.
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input comment="Wireguard Allow input" disabled=yes \
    in-interface=wireguard1 protocol=udp
add action=accept chain=output comment="UDP Connect towards ptbtime1.ptb.de" \
    dst-address-list="NTP List" dst-port=123 log-prefix=\
    "UDP Out to ptbtime1.ptb.de" protocol=udp
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
    "" disabled=yes
# This is the rule that lets replies to the router's own WAN connections in
# (including related ICMP errors).
add action=accept chain=input comment=\
    "acceppt established and related from the router itself" \
    connection-state=established,related in-interface=Stadtwerke
# srcnat/masquerade runs after the forward chain, so forwarded packets still
# carry their private source here; a forward rule keyed on the router's own
# public address is unlikely to match anything.
add action=accept chain=forward log-prefix=gateway____ out-interface=\
    Stadtwerke src-address=91.136.133.54
# Input-chain drop keyed on a destination address that is not configured on
# this router anywhere in this export; such packets never reach input.
add action=drop chain=input dst-address=91.136.169.187 log=yes protocol=tcp
# dst-limit matches packets *while* the configured rate is not yet exceeded,
# so this drops the first "530 Login incorrect" replies towards the WAN and
# lets the excess through - probably the inverse of what was intended.
# Whether the FTP service is enabled at all is not visible in this export.
add action=drop chain=output comment="Login incorrect" content=\
    "530 Login incorrect" dst-limit=1,5,dst-address/1m40s out-interface=\
    Stadtwerke protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# Source-list drops. Three things apply to the whole group down to the
# CountryBlocks rules:
#  - rules restricted to protocol=tcp leave UDP and ICMP from the same
#    sources untouched;
#  - log-prefix= without log=yes produces no log line at all;
#  - for traffic arriving from the WAN, every input-chain entry here is
#    redundant with the two terminal input drops at the end of the chain.
# Several labels do not match their list (comment=DGNTEKNO on the Facebook
# rules, "Private Layer" on uCloud.cn/Oracle, log-prefix=namecheap_ on the
# godaddy/ponynet rules, M274 vs list M247), and the Constantmoulin input
# drop appears twice.
add action=drop chain=input comment="Adresslist Blacklist" log-prefix=\
    Blacklist___ protocol=tcp src-address-list=black-list
add action=drop chain=forward comment="Adresslist Blacklist" log-prefix=\
    Blacklist___forward protocol=tcp src-address-list=black-list
add action=drop chain=input comment="Adresslist Blacklist" log-prefix=\
    Blacklist___ src-address-list=Oracle
add action=drop chain=input comment=DGNTEKNO log-prefix=Blacklist___ \
    src-address-list=DGNTEKNO
add action=drop chain=forward comment=DGNTEKNO log-prefix=Blacklist___ \
    src-address-list=DGNTEKNO
add action=drop chain=input comment=DGNTEKNO log-prefix=Blacklist___ \
    src-address-list=Facebook
add action=drop chain=forward comment=DGNTEKNO log-prefix=Blacklist___ \
    src-address-list=Facebook
add action=drop chain=input comment=TENCENT log-prefix=Blacklist___ \
    src-address-list=TENCENT
add action=drop chain=forward comment=TENCENT log-prefix=Blacklist___ \
    src-address-list=TENCENT
add action=drop chain=input comment=PPTECHNOLOGY log-prefix=Blacklist___ \
    src-address-list=PPTECHNOLOGY
add action=drop chain=input comment="Adresslist Blacklist" log-prefix=\
    Blacklist___ src-address-list=uCloud.cn
add action=drop chain=input comment="Adresslist Blacklist" log-prefix=\
    Blacklist___ src-address-list=Changway_AS
add action=drop chain=input comment="Private Layer" log-prefix=Blacklist___ \
    src-address-list=privatelayer
add action=drop chain=forward comment="Private Layer" log-prefix=Blacklist___ \
    src-address-list=privatelayer
add action=drop chain=forward comment=PPTECHNOLOGY log-prefix=Blacklist___ \
    src-address-list=PPTECHNOLOGY
add action=drop chain=forward comment="Private Layer" log-prefix=Blacklist___ \
    src-address-list=uCloud.cn
# Oracle is matched in forward only on the way *out* to the WAN
# (out-interface=Stadtwerke); inbound Oracle traffic is not covered here.
add action=drop chain=forward comment="Private Layer" log-prefix=Blacklist___ \
    out-interface=Stadtwerke src-address-list=Oracle
add action=drop chain=input comment=pfcloud log-prefix=Blacklist___ \
    src-address-list=pfcloud
add action=drop chain=input comment="Adresslist Blacklist" log-prefix=\
    Blacklist___ src-address-list=Constantmoulin
add action=drop chain=input comment="Adresslist Blacklist" log-prefix=\
    Blacklist___ src-address-list=Digitalocean_2
add action=drop chain=input comment="Adresslist Blacklist" log-prefix=\
    Blacklist___ src-address-list=Therecomltd
add action=drop chain=input comment="Adresslist Blacklist" log-prefix=\
    Blacklist___ src-address-list=Constantmoulin
add action=drop chain=input src-address-list=alibaba
add action=drop chain=input src-address-list=Hurricane
add action=drop chain=input src-address-list=hostpapa
add action=drop chain=input comment=Retelit src-address-list=Retelit
add action=drop chain=forward comment=Retelit src-address-list=Retelit
add action=drop chain=forward comment=pfcloud src-address-list=pfcloud
add action=drop chain=forward comment="Changeway AS" src-address-list=\
    Changway_AS
add action=drop chain=forward comment="Therefore LTD" src-address-list=\
    Therecomltd
add action=drop chain=forward comment=DigitalOcean src-address-list=\
    Digitalocean_2
add action=drop chain=forward comment=Cloud.ru disabled=yes protocol=tcp \
    src-address-list=cloud.ru
add action=drop chain=forward comment=Cloud.ru disabled=yes dst-address=\
    server internal ip in-interface=Stadtwerke protocol=tcp src-address-list=\
    cloud.ru
add action=drop chain=forward comment=Hurricane src-address-list=Hurricane
add action=drop chain=forward src-address-list=alibaba
add action=drop chain=forward src-address-list=hostpapa
add action=drop chain=forward comment="Adresslist Blacklist" dst-address=\
    server internal ip in-interface=Stadtwerke log-prefix=Blacklist___ protocol=tcp \
    src-address-list=black-list
add action=drop chain=forward dst-address=server internal ip in-interface=\
    Stadtwerke protocol=tcp src-address-list=windows_update
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=gaza src-port=""
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=digitalocean
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=outbrain
add action=drop chain=forward dst-address=server internal ip in-interface=\
    Stadtwerke protocol=tcp src-address-list=outbrain
add action=drop chain=forward dst-address=server internal ip in-interface=\
    Stadtwerke protocol=tcp src-address-list=Hetzner
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=Hetzner
add action=drop chain=forward dst-address=server internal ip in-interface=\
    Stadtwerke log-prefix=leaseweb_f_ protocol=tcp src-address-list=leaseweb
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=leaseweb
add action=drop chain=forward dst-address=server internal ip in-interface=\
    Stadtwerke log-prefix=colocrossing_f_ protocol=tcp src-address-list=\
    colocrossing
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=colocrossing
add action=drop chain=forward dst-address=server internal ip in-interface=\
    Stadtwerke log-prefix=ohve_f_ protocol=tcp src-address-list=OHV
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=OHV
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=M247
add action=drop chain=forward dst-address=server internal ip in-interface=\
    Stadtwerke log-prefix=M274_forward_ protocol=tcp src-address-list=M247
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=Linode
add action=drop chain=forward dst-address=server internal ip in-interface=\
    Stadtwerke log-prefix=Linode_forward_ protocol=tcp src-address-list=\
    Linode
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=hostplus_russia
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=namecheap
add action=drop chain=forward dst-address=server internal ip in-interface=\
    Stadtwerke log-prefix=namecheap_ protocol=tcp src-address-list=namecheap
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=godaddy
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=godaddy1
add action=drop chain=forward dst-address=server internal ip in-interface=\
    Stadtwerke log-prefix=namecheap_ protocol=tcp src-address-list=godaddy
add action=drop chain=forward dst-address=server internal ip in-interface=\
    Stadtwerke log-prefix=namecheap_ protocol=tcp src-address-list=godaddy1
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=ponynet
add action=drop chain=forward disabled=yes dst-address=server internal ip \
    in-interface=Stadtwerke log-prefix=namecheap_ protocol=tcp \
    src-address-list=ponynet
add action=drop chain=input in-interface=Stadtwerke log=yes log-prefix=\
    Romania_block_ protocol=tcp src-address-list=Romania
add action=drop chain=forward dst-address=server internal ip in-interface=\
    Stadtwerke port=25,443 protocol=tcp src-address-list=Romania
add action=drop chain=forward in-interface=Stadtwerke protocol=tcp \
    src-address-list=Scalsways
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=Scalsways
add action=drop chain=input comment=CountryBlocks in-interface=Stadtwerke \
    log-prefix=Country_IN_ src-address-list=CountryIPBlocks
add action=drop chain=forward comment=CountryBlocks in-interface=Stadtwerke \
    log-prefix=Country_FORWARD_ src-address-list=CountryIPBlocks
# Both ICMP rules drop: the limit rule discards packets within the
# configured rate, the next rule discards the rest, so all unsolicited ICMP
# from the WAN is dropped. Replies and ICMP errors belonging to the router's
# own connections were already accepted by the established,related input
# rule above.
add action=drop chain=input comment="anti Ping Flood" in-interface=Stadtwerke \
    limit=2,2:packet protocol=icmp
add action=drop chain=input comment="drop icmp in general" in-interface=\
    Stadtwerke protocol=icmp
# Both rules that would turn the forward chain into an allow-list are
# disabled: "allow port forwarding" here and "drop all from WAN not
# DSTNATed" further down. With no terminal drop in forward, any new
# connection that survives the list-based drops above is accepted by the
# chain's implicit default - this is why the ruleset behaves as a blacklist.
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat disabled=yes
add action=log chain=input disabled=yes log=yes
add action=accept chain=forward comment="Router raus" disabled=yes \
    src-address=192.168.0.253
add action=log chain=forward disabled=yes dst-address=server internal ip dst-port=\
    80 protocol=tcp
add action=log chain=forward disabled=yes dst-address=server internal ip dst-port=\
    25 protocol=tcp
add action=log chain=forward disabled=yes dst-address=server internal ip dst-port=\
    443 in-interface=Stadtwerke log-prefix=HTTPS_mxxxx_ protocol=tcp
add action=accept chain=forward comment=CGI protocol=tcp src-address-list=CGI
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Disabled: the only rule that would close the forward chain towards the WAN.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new disabled=yes in-interface-list=WAN
# fasttrack without a connection-state matcher; MikroTik's guidance is to
# fasttrack established,related traffic only.
add action=fasttrack-connection chain=forward comment="Fasttrack TCP DNS" \
    dst-port=53 hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack UDP DNS" \
    dst-port=53 hw-offload=yes protocol=udp
add action=drop chain=input comment=miscellanious disabled=yes \
    src-address-list=miscellanious
add action=drop chain=input comment="Drop UDP Port 17" disabled=yes \
    in-interface=Stadtwerke protocol=udp src-address-list=variable
add action=tarpit chain=input comment="Tarpit SSH" connection-limit=5,32 \
    disabled=yes dst-port=5017 protocol=tcp
add action=accept chain=input comment="ping accepted" disabled=yes \
    in-interface=Stadtwerke limit=1,5:packet protocol=icmp
add action=log chain=forward disabled=yes log=yes log-prefix=Felix__ \
    src-address=192.168.0.36
add action=accept chain=input comment="icmp Echo reply" disabled=yes \
    icmp-options=0:0-255 in-interface=Stadtwerke protocol=icmp
add action=accept chain=input comment="icmp echo request" disabled=yes \
    icmp-options=8:0-255 in-interface=Stadtwerke protocol=icmp
add action=accept chain=input comment="icmp time exceeded" disabled=yes \
    icmp-options=11:0-255 in-interface=Stadtwerke protocol=icmp
add action=accept chain=input comment="icmp dest unreachable" disabled=yes \
    icmp-options=3:0-255 in-interface=Stadtwerke protocol=icmp
# Host-specific VM rules (all disabled except where noted).
add action=accept chain=forward comment="Proxy Port 60941" disabled=yes \
    dst-address=63.161.104.189 log=yes out-interface-list=all src-address=\
    192.168.0.113
add action=accept chain=forward comment="Proxy ETKA" disabled=yes \
    dst-address=104.223.135.178 log=yes protocol=tcp src-address=\
    192.168.0.113
add action=accept chain=forward comment="Proxy ETKA" disabled=yes \
    dst-address=51.79.50.31 log=yes protocol=tcp src-address=192.168.0.113
add action=accept chain=forward comment="Proxy ETKA" disabled=yes \
    dst-address=158.69.118.135 log=yes protocol=tcp src-address=192.168.0.113
add action=accept chain=forward disabled=yes dst-address=13.93.140.77 \
    src-address=192.168.0.113
add action=accept chain=forward disabled=yes log=yes log-prefix=Main_out_ \
    out-interface=all-ethernet protocol=tcp
add action=drop chain=forward disabled=yes dst-address=192.168.0.253 \
    src-address=192.168.0.111
add action=drop chain=forward comment=\
    "Drop all traffic from WIN7 virtual machine (110)" disabled=yes \
    dst-address-list=!windows_update log=yes log-prefix=Win7__drop_110_ \
    src-address=192.168.0.110
add action=accept chain=forward disabled=yes dst-address=189.113.1.234 log=\
    yes protocol=tcp src-address=192.168.0.113
# Enabled, unconditional drop for 192.168.0.113. The ltspice.analog.com
# accept for the same host further down comes after this rule and is
# therefore unreachable for new connections.
add action=drop chain=forward comment=\
    "Drop all traffic from this virtual machine Win10 ETKA83  (113)" \
    log-prefix=113_gen_ src-address=192.168.0.113
add action=drop chain=forward comment="Windows 7" log-prefix=113_gen_ \
    src-address=192.168.0.118
add action=drop chain=forward comment=\
    "Drop all traffic from this virtual machine Win10 ODIS  (114)" \
    log-prefix=114_ src-address=192.168.0.114
add action=drop chain=forward comment=\
    "Drop all traffic from this virtual machine Win10 (116)" \
    dst-address-list=!windows_update log-prefix=116_WInUpdate_ src-address=\
    192.168.0.116
add action=drop chain=forward comment=\
    "Drop all traffic from this virtual machine Win10 ODIS  (114)" disabled=\
    yes dst-address-list=!windows_update log-prefix=116_WInUpdate_ \
    src-address=192.168.0.113
add action=drop chain=forward comment=\
    "Drop all traffic from virtual machine (94)" src-address=192.168.0.94
add action=drop chain=forward comment=MS_BLOCK dst-address-list=\
    block_commercial log-prefix=MS_BLOCK_ src-address=192.168.0.110
add action=drop chain=forward comment=saveDB disabled=yes dst-address-list=\
    !windows_update log=yes log-prefix=64_ src-address=192.168.0.64
# The output chain only sees packets the router itself generates; a
# src-address of a LAN host (192.168.0.110/.111) can never match here.
add action=drop chain=output comment="VW Win7 ETKA" disabled=yes log=yes \
    log-prefix=O_110_ out-interface=Stadtwerke src-address=192.168.0.110
add action=drop chain=output comment="WIN98 VM" dst-address-list=\
    windows_update src-address=192.168.0.111
# Likewise only router-originated TCP/449 is covered by this rule; forwarded
# LAN traffic to that port is not.
add action=drop chain=output comment=Emotet dst-port=449 log=yes log-prefix=\
    Emotet_ protocol=tcp
add action=accept chain=input disabled=yes dst-port=80 in-interface=\
    Stadtwerke log-prefix=80_input_ protocol=tcp
add action=accept chain=input disabled=yes dst-port=443 in-interface=\
    Stadtwerke log=yes log-prefix=443_input_ protocol=tcp
add action=log chain=forward disabled=yes log=yes log-prefix=114_ protocol=\
    tcp src-address=192.168.0.114
add action=log chain=forward disabled=yes out-interface=Stadtwerke protocol=\
    tcp src-address=192.168.0.36
add action=log chain=forward disabled=yes out-interface=Stadtwerke protocol=\
    tcp src-address=192.168.0.119
add action=log chain=forward disabled=yes out-interface=Stadtwerke protocol=\
    tcp src-address=192.168.0.141
add action=log chain=output disabled=yes protocol=tcp src-address=\
    91.136.133.54
add action=accept chain=forward disabled=yes log=yes src-address=\
    192.168.0.250
add action=log chain=forward disabled=yes src-address=192.168.0.250
add action=accept chain=forward disabled=yes log=yes src-address=192.168.0.17
add action=log chain=forward disabled=yes dst-address=server internal ip dst-port=\
    25 in-interface=Stadtwerke log=yes protocol=tcp
add action=log chain=forward disabled=yes dst-address=server internal ip dst-port=\
    587 in-interface=Stadtwerke log=yes protocol=tcp
add action=log chain=forward disabled=yes out-interface=Stadtwerke protocol=\
    tcp src-address=192.168.0.15
add action=log chain=forward disabled=yes dst-port=2476 in-interface=\
    Stadtwerke out-interface=all-ethernet protocol=tcp
# Unreachable for 192.168.0.113: its unconditional drop is above.
add action=accept chain=forward comment=ltspice.analog.com dst-address=\
    23.196.235.45 log=yes protocol=tcp src-address=192.168.0.113
add action=accept chain=forward comment=ltspice.analog.com disabled=yes \
    dst-address=23.206.18.229 protocol=tcp src-address=192.168.0.113
add action=accept chain=forward comment="BWI CLient" log-prefix=BWI_ \
    src-address=192.168.0.11
# Terminal input rules. These two are what actually protects the router's
# services from the Internet. "LAN" is the interface list, which also
# contains wireguard1 and DMZ, and there is no terminal drop for input
# arriving from LAN-list interfaces - every router service is reachable
# from them.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=!LAN_
# Redundant with the rule above (Stadtwerke is a WAN, not a LAN, member per
# /interface list member).
add action=drop chain=input comment=\
    "defconf: drop all from WAN!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!" \
    in-interface=Stadtwerke
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN packet-mark=""
add action=accept chain=srcnat disabled=yes out-interface=wireguard1
# Published services: TCP 993, 587, 25, 80 and 443 are forwarded from the
# uplink to the internal server. Because the forward chain in
# /ip firewall filter has no terminal drop, reachability of these ports is
# governed only by the list-based drop rules there.
add action=dst-nat chain=dstnat comment="Dovecot access on server" dst-port=\
    993 in-interface=Stadtwerke protocol=tcp to-addresses=server internal ip \
    to-ports=993
add action=dst-nat chain=dstnat comment="smtps on mailserver" dst-port=587 \
    in-interface=Stadtwerke log-prefix=587_ protocol=tcp to-addresses=\
    server internal ip
# in-interface and in-interface-list are both given; in-interface alone is
# sufficient since Stadtwerke is the only WAN member in this export.
add action=dst-nat chain=dstnat comment="stmp port on mxxxy" dst-port=25 \
    in-interface=Stadtwerke in-interface-list=WAN log=yes log-prefix=25_ \
    protocol=tcp to-addresses=server internal ip to-ports=25
# Port 80: the raw-chain drop on "server internal ip":80 does not stop this,
# because raw runs before dst-nat and still sees the public destination.
add action=dst-nat chain=dstnat comment="letsencrypt update" dst-port=80 \
    in-interface=Stadtwerke log=yes log-prefix=NAT_80_ protocol=tcp \
    to-addresses=server internal ip to-ports=80
add action=dst-nat chain=dstnat comment="HG1500 UDP SIP Traffic" disabled=yes \
    dst-port=5060 in-interface=Stadtwerke protocol=udp to-addresses=\
    192.168.0.79 to-ports=5060
add action=dst-nat chain=dstnat comment="SSH Port" disabled=yes dst-port=\
    18729 in-interface=Stadtwerke log=yes protocol=tcp to-addresses=\
    server internal ip to-ports=22
# No dst-port and no in-interface: if enabled, this would redirect every UDP
# packet reaching dstnat (LAN included) to 192.168.10.1:14856.
add action=dst-nat chain=dstnat disabled=yes protocol=udp to-addresses=\
    192.168.10.1 to-ports=14856
add action=src-nat chain=srcnat disabled=yes in-interface=Stadtwerke \
    protocol=tcp to-addresses=0.0.0.0
# Port 18730 does not match the WireGuard listen-port (23947), and an accept
# in the dstnat chain does not open the router's input chain anyway.
add action=accept chain=dstnat disabled=yes dst-port=18730 log=yes \
    log-prefix=Wiregurd_ protocol=udp
add action=dst-nat chain=dstnat comment="https webserver " dst-port=443 \
    in-interface=Stadtwerke log=yes log-prefix=HTTP___ protocol=tcp src-port=\
    "" to-addresses=server internal ip to-ports=443
/ip firewall raw
# accept in raw only ends raw processing; these packets are still connection
# tracked and still pass through /ip firewall filter. Note they match the
# *destination* against lists that the filter rules use as *source* lists.
add action=accept chain=prerouting dst-address-list=allowed_russia
add action=accept chain=prerouting dst-address-list=allowed_blacklist
# raw prerouting runs before dst-nat, so dst-address here is the address the
# packet arrived with. Internet traffic to the published port 80 still
# carries the public IP at this point and is not affected; only packets
# already addressed to the internal server (i.e. from the LAN side) are
# dropped.
add action=drop chain=prerouting dst-address=server internal ip dst-port=80 \
    protocol=tcp
add action=drop chain=prerouting disabled=yes src-address-list=\
    CountryIPBlocks
add action=drop chain=prerouting disabled=yes in-interface=Stadtwerke \
    src-address-list=godaddy
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=91.136.133.53
# IPv4 destination with a /128 prefix and an empty gateway - looks like a
# leftover that can never match; candidate for removal.
add disabled=no distance=1 dst-address=0.0.0.0/128 gateway="" routing-table=\
    main scope=30 target-scope=10
/ip service
# Only www-ssl appears in the export (changed from default). Services not
# listed (ssh, winbox, www, api, ...) presumably keep their default state
# and ports and are reachable from every LAN-list interface, which includes
# wireguard1 and DMZ; consider disabling unused ones and restricting the
# rest with address=.
set www-ssl certificate=Webfig disabled=no
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 address
# Inert: IPv6 is disabled under /ipv6 settings, and ether2 is a bridge port.
add address=::ffff:192.168.0.253 interface=ether2
/lcd
set backlight-timeout=15m default-screen=stats-all
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=gateway002
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
# Time sources by literal IP. The output-chain NTP accept in the filter
# refers to an address list "NTP List" rather than to these addresses.
add address=192.53.103.108
add address=192.53.103.104
/system package update
set channel=long-term
/system routerboard reset-button
set enabled=yes

*************************************************
Scheduler scripts removed
*************************************************

/tool mac-server
# MAC-telnet and MAC-winbox are allowed on the LAN interface list, which in
# this export contains wireguard1 and DMZ as well as the bridge and ether2.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=Stadtwerke name=In_Stadtwerke threshold=10 traffic=received

First, please note you can attach a file using the “Attachments” tab underneath the compose window. Second, check the “code” tag - this makes the messages a lot more readable.

Already, there are quite a few issues in your configuration.

Multiple bridges - avoid multiple bridges like the plague. Furthermore the bridge VLAN1_BR is not used.

/interface bridge
add ingress-filtering=no name=VLAN1_BR port-cost-mode=short vlan-filtering=\
yes
add admin-mac=hidden-mac auto-mac=no comment=defconf name=bridge \
port-cost-mode=short

Interface ether2 is part of the bridge but has a VLAN subinterface AND an IP address assigned. If it is supposed to be part of the bridge, it doesn’t need an IP address nor subinterface (the bridge VLAN interface gets an IP). If it is a L3 interface, it shouldn’t be part of the bridge.

/interface bridge port
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
internal-path-cost=10 path-cost=10
...
/interface vlan
add interface=ether2 name=vlan1 vlan-id=1
...
/ip address
add address=192.168.0.253/24 comment=defconf interface=ether2 network=\
192.168.0.0
...
/ipv6 address
add address=::ffff:192.168.0.253 interface=ether2

You have a subinterface vlan1 on ether2 which has no IP but has a DHCP server attached.

/ip dhcp-server
...
# No IP address on interface
add interface=vlan1 lease-time=10m name=VLAN1

Interface DMZ is part of the bridge but has an IP address. Same as above: if it is part of the bridge, don’t give it an IP address (the IP address goes to the bridge VLAN interface); if it is a L3 interface, remove it from the bridge. Also, check the netmask for your DMZ - this is currently a /8.

/interface bridge port
...
add bridge=bridge comment=defconf ingress-filtering=no interface=DMZ \
internal-path-cost=10 path-cost=10
...
/ip address
...
add address=10.0.0.1 interface=DMZ network=255.0.0.0
...

At this point, I recommend that you take an interface out of the bridge and assign an IP to it, just in case any change made to fix your config breaks your connectivity. This assumes that ether9 is not used and that the subnet 192.168.255.0/24 is not assigned.

# Remove ether9 from the bridge
/interface bridge port/remove where interface=ether9

# Add it to the LAN list
# (required: the last input rule in /ip firewall filter drops everything
# whose in-interface-list is not LAN, so a port outside the list could not
# reach the router's management services)
/interface/list/member/add interface=ether9 list=LAN

# Assign a static IP
/ip address/add interface=ether9  address=192.168.255.1/24 disabled=no

# Create a DHCP network for the break-the-glass interface
# (dns-server=192.168.255.1 points clients at the router's own resolver,
# which works because /ip dns allow-remote-requests=yes is already set)
/ip/dhcp-server/network/add network=192.168.255.0/24 gateway=192.168.255.1 comment="Break the glass" netmask=24 dns-server=192.168.255.1

# Create a DHCP pool for the break-the-glass interface
/ip/pool/add name=breaktheglass ranges=192.168.255.10-192.168.255.254 comment="Pool for emergency access"

# Attach the server to the interface
/ip/dhcp-server/add address-pool=breaktheglass interface=ether9 lease-time=1h name=breaktheglass

And verify that it works by connecting a laptop to ether9 - you should get an IP address. Check that you can access your router before anything else.

Why do you even own a router?
It looks like you’re more concerned with blocking traffic rather than creating rules to allow only needed traffic. Might as well not bother using the internet.
Looks like bloatware…
Focus on needed traffic and at the end of each chain simply put drop rule for everything else.
Then get rid of all other drop rules or blacklist rules etc…
Keep it simple and one will have far less issues as one creates less errors and one more easily spots errors.
99% of folks do not go to the extreme ruleset you have created.

Thanks for looking at my config.

I removed the DMZ and Wireguard and the VLANs. Now the config should look a bit more uncomplicated.
However, the outside traffic is listed in my log but isn’t forwarded to the internal systems.

Maybe I do not understand the firewall rules completely and this causes the errors I get.
But the default behaviour is a sequence, starting at the topmost item and going down each list in order. Hence, from my understanding, a drop rule after every exception will block the next exception. Or am I completely wrong?

Once I enable “detect internet” again, the connection from outside is again possible.
The current settings which work for it

detect-interface-list: static
lan-interface-list: LAN
wan-interface-list: WAN
internet-interface-list: WAN

I wonder why a strange setting which is likely to cause abnormal behaviour is blocking traffic and apparently necessary for it.

Can you export a fresh config and post the file (as attachment or in code tag)?

On a properly configured device detect-internet either:
a) does nothing
or
b) may - in some cases - create issues

On a configuration like yours it may actually do something useful (i.e. allow connections from the outside, which is actually the reason why the good Mikrotik guys made it), but at the same time it is a symptom that your device is not properly configured.

It is not very useful, when you change something, that you describe that something without posting the new, complete configuration (and PLEASE, learn to enclose it in “code” tags, see the instructions here: http://forum.mikrotik.com/t/forum-rules/173010/1 )

The point is that:

  1. we don’t trust your report :open_mouth:
  2. even if we trusted you :slight_smile: , you may accidentally wrongly describe something or omit something that you have done in the meantime.

Something that you might want to consider is that the default set of rules in /ip firewall filter (for SoHo devices) that you can find here as a reference:
http://forum.mikrotik.com/t/buying-rb1100ahx4-dude-edition-questions-about-firewall/148996/4
consists of 11 (eleven) rules.
Mikrotik publishes the results of tests made with 25 (twentyfive) rules in /ip firewall filter.
And it is rare to see configurations posted on the forum with more.

The ones you posted (that are a subset of the ones you actually have) are (if I have counted them correctly) 191 (onehundredandninetynine).

I would suspect that you are overdoing it.
Or maybe your connection was too d@mn fast and you needed to find a way to slow it down. :wink:

And of course. JFYI:
http://forum.mikrotik.com/t/the-twelve-rules-of-mikrotik-club/182164/1

here it is:

# 2025-05-12 17:53:54 by RouterOS 7.16.2
# software id = UCYE-VK1K
#
# model = RB3011UiAS
# serial number = E7E60FD836A5
# NOTE(review): the software id, the serial number and the router's public WAN
# address (see /ip address and /ip route below) are published verbatim in this
# post. Redact them before sharing an export.
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
# ether10 (renamed DMZ) is administratively disabled but is still added as a
# bridge port further down, so it is part of the flat LAN, not a separate DMZ.
set [ find default-name=ether10 ] disabled=yes name=DMZ
# ISP uplink. mtu=1504 is 1500 + a 4-byte VLAN tag, presumably left over from
# the VLAN setup that the poster says was removed - confirm it is still needed.
set [ find default-name=ether1 ] mtu=1504 name=Stadtwerke
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
# Neither layer7 pattern is referenced by any rule in this export (no rule
# carries layer7-protocol=...); they are dead config and can be deleted.
add comment=bittorrent name=bitorrent regexp=" ^(\\x13bittorrent protocol|azve\
    r\\x01\$|get /scrape\\\?info_hash=get /announce\\\?info_has\
    \nh=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]\
    "
add name=js regexp="/\\/c\\/version.js\$/g"
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/system logging action
# Disk logging target; no /system logging rule in this export sends a topic to
# it, so it appears unused.
add disk-file-name=logg name=logfiless target=disk
/interface bridge port
# ether2-ether9, DMZ and sfp1 are plain bridge ports with ingress-filtering
# off: one flat LAN segment, no VLAN separation.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=DMZ \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
# Explicitly pinned UDP conntrack timeout; nothing else in the export depends on it.
set udp-timeout=10s
/ip neighbor discovery-settings
# Neighbor discovery (MNDP/CDP/LLDP) limited to the LAN list - nothing is
# announced on the WAN side. Good.
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 is disabled globally; the /ipv6 address entry later in the export has
# no effect.
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
# detect-internet changes interface-list membership at runtime. The thread
# reports that inbound access only works while this is enabled, which means
# the static lists and the filter below are not sufficient on their own.
# Fix those and set all four lists to none instead of relying on this.
set detect-interface-list=static internet-interface-list=WAN \
    lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=Stadtwerke list=WAN
# ether2 is already a bridge port and the bridge is in LAN; this entry is redundant.
add interface=ether2 list=LAN
# *10 is a dangling reference to an interface that no longer exists (the
# removed WireGuard interface, by the peer entry below). Keep in mind that any
# VPN interface placed in LAN gets full access to the router, because the
# input chain's only default-deny is "drop all not coming from LAN".
add interface=*10 list=LAN
/interface ovpn-server server
# md5 is still accepted as an HMAC. The export shows no enabled=yes for the
# OVPN server, so it appears to be off; remove md5 before ever enabling it.
set auth=sha1,md5
/interface wireguard peers
# Bound to the dangling interface *10, so this peer cannot work. Also,
# allowed-address=192.168.10.5/24 lets this one peer use any source address in
# 192.168.10.0/24 and routes the whole /24 to it; a single client should get /32.
add allowed-address=192.168.10.5/24 interface=*10 name=ifurz4 public-key=\
    "FPBmZgAClxZ8sB0ViS4YQbZYwOdzZ2n+0ujEXK9U/HY="
/ip address
# LAN address sits on ether2 (a bridge port) instead of on the bridge; the
# follow-up post moves it to the bridge.
add address=a.b.c.d/24 comment=defconf interface=ether2 network=\
    192.168.0.0
# Static public address (not redacted in the post).
add address=91.136.133.54/24 interface=Stadtwerke network=91.136.133.0
/ip dhcp-client
add comment=defconf disabled=yes interface=Stadtwerke
/ip dhcp-server
# Disabled. It also references pool-vpn, which is not defined anywhere in this
# export (no /ip pool section).
add address-pool=pool-vpn disabled=yes interface=bridge lease-time=10m name=\
    defconf
/ip dns
# allow-remote-requests=yes makes the router a resolver for anything that
# reaches its input chain; that is only safe while the input chain ends with
# "drop all not coming from LAN". "internal IP" is a redaction placeholder
# and would not import as written.
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1,internal IP
/ip dns static
add address=a.b.c.d comment=defconf name=router.lan type=A


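/ip firewall filter
# Review notes (comment lines are ignored by /import):
# - Rules are evaluated top-down *per chain*; input, forward and output are
#   interleaved in this export, so read each chain on its own.
# - None of the address-lists referenced below (black-list, CountryIPBlocks,
#   Hetzner, ...) are part of this export; a drop on an empty list is a no-op.
# - log-prefix= has no effect unless the same rule also has log=yes.
# - The forward chain had no terminal drop: the defconf pair
#   "allow port forwarding" / "drop all from WAN not DSTNATed" was disabled, so
#   any new connection from the WAN list that no blacklist caught was forwarded
#   by the implicit default accept. Both rules are enabled again below; the
#   dst-nat'd services (25, 80, 443, 587, 993) keep working through the
#   "allow port forwarding" rule, everything else new from WAN is dropped.
# - Blacklist drops come after the established/related accepts and therefore
#   affect new connections only; most are protocol=tcp, so UDP/ICMP from the
#   same sources is not dropped.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
# Disabled duplicate of the rule above; delete it.
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related disabled=yes hw-offload=yes
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked disabled=yes
add action=accept chain=input comment="defconf: accept ICMP after RAW" \
    disabled=yes protocol=icmp
add action=accept chain=input comment="Ping Reply " disabled=yes protocol=\
    icmp
# The output chain has no terminal drop; these accepts only exempt the
# router's own DNS queries from the output drop rules further down.
add action=accept chain=output comment="DNS TCP" dst-port=53 protocol=tcp
add action=accept chain=output comment="DNS TCP" dst-port=53 protocol=udp
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# Accepts *new* connections from allowed_blacklist sources into the LAN
# regardless of dst-nat, i.e. it bypasses the "not DSTNATed" drop below.
add action=accept chain=forward comment="Alllowed Adresslist Blacklist" \
    in-interface=Stadtwerke log=yes log-prefix=allowed_blacklist_foward_ \
    src-address-list=allowed_blacklist
add action=accept chain=forward comment="Update Letsencrypt" disabled=yes \
    dst-address-list=internal IP dst-port=80 in-interface=Stadtwerke log=yes \
    log-prefix=Letsencrypt_update_ protocol=tcp
# Redundant: already covered by the established,related,untracked accept above.
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=output comment="UDP Connect towards ptbtime1.ptb.de" \
    dst-address-list="NTP List" dst-port=123 log-prefix=\
    "UDP Out to ptbtime1.ptb.de" protocol=udp
add action=accept chain=forward connection-nat-state=dstnat connection-state=\
    "" disabled=yes
# LAN-side input is never explicitly accepted; it falls through to the
# implicit accept because the chain's final drop matches in-interface-list=!LAN.
add action=accept chain=input comment=\
    "acceppt established and related from the router itself" \
    connection-state=established,related in-interface=Stadtwerke
# a.b.c.d is the router's own LAN address. Router-generated packets traverse
# output, not forward, so this only matches if another host sends with that
# source address.
add action=accept chain=forward log-prefix=gateway____ out-interface=\
    Stadtwerke src-address=a.b.c.d
# 91.136.169.187 is not an address configured on this router in the export;
# verify what this rule is meant to protect.
add action=drop chain=input dst-address=91.136.169.187 log=yes protocol=tcp
add action=drop chain=output comment="Login incorrect" content=\
    "530 Login incorrect" dst-limit=1,5,dst-address/1m40s out-interface=\
    Stadtwerke protocol=tcp
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# --- provider / hoster / country blacklists (input and forward) ---
add action=drop chain=input comment="Adresslist Blacklist" log-prefix=\
    Blacklist___ protocol=tcp src-address-list=black-list
add action=drop chain=forward comment="Adresslist Blacklist" log-prefix=\
    Blacklist___forward protocol=tcp src-address-list=black-list
add action=drop chain=input comment="Adresslist Blacklist" log-prefix=\
    Blacklist___ src-address-list=Oracle
add action=drop chain=input comment=DGNTEKNO log-prefix=Blacklist___ \
    src-address-list=DGNTEKNO
add action=drop chain=forward comment=DGNTEKNO log-prefix=Blacklist___ \
    src-address-list=DGNTEKNO
# Comment says DGNTEKNO but the list is Facebook (copy/paste leftover).
add action=drop chain=input comment=DGNTEKNO log-prefix=Blacklist___ \
    src-address-list=Facebook
add action=drop chain=forward comment=DGNTEKNO log-prefix=Blacklist___ \
    src-address-list=Facebook
add action=drop chain=input comment=TENCENT log-prefix=Blacklist___ \
    src-address-list=TENCENT
add action=drop chain=forward comment=TENCENT log-prefix=Blacklist___ \
    src-address-list=TENCENT
add action=drop chain=input comment=PPTECHNOLOGY log-prefix=Blacklist___ \
    src-address-list=PPTECHNOLOGY
add action=drop chain=input comment="Adresslist Blacklist" log-prefix=\
    Blacklist___ src-address-list=uCloud.cn
add action=drop chain=input comment="Adresslist Blacklist" log-prefix=\
    Blacklist___ src-address-list=Changway_AS
add action=drop chain=input comment="Private Layer" log-prefix=Blacklist___ \
    src-address-list=privatelayer
add action=drop chain=forward comment="Private Layer" log-prefix=Blacklist___ \
    src-address-list=privatelayer
add action=drop chain=forward comment=PPTECHNOLOGY log-prefix=Blacklist___ \
    src-address-list=PPTECHNOLOGY
add action=drop chain=forward comment="Private Layer" log-prefix=Blacklist___ \
    src-address-list=uCloud.cn
add action=drop chain=forward comment="Private Layer" log-prefix=Blacklist___ \
    out-interface=Stadtwerke src-address-list=Oracle
add action=drop chain=input comment=pfcloud log-prefix=Blacklist___ \
    src-address-list=pfcloud
add action=drop chain=input comment="Adresslist Blacklist" log-prefix=\
    Blacklist___ src-address-list=Constantmoulin
add action=drop chain=input comment="Adresslist Blacklist" log-prefix=\
    Blacklist___ src-address-list=Digitalocean_2
add action=drop chain=input comment="Adresslist Blacklist" log-prefix=\
    Blacklist___ src-address-list=Therecomltd
# Exact duplicate of the Constantmoulin input drop a few lines up.
add action=drop chain=input comment="Adresslist Blacklist" log-prefix=\
    Blacklist___ src-address-list=Constantmoulin
add action=drop chain=input src-address-list=alibaba
add action=drop chain=input src-address-list=Hurricane
add action=drop chain=input src-address-list=hostpapa
add action=drop chain=input comment=Retelit src-address-list=Retelit
add action=drop chain=forward comment=Retelit src-address-list=Retelit
add action=drop chain=forward comment=pfcloud src-address-list=pfcloud
add action=drop chain=forward comment="Changeway AS" src-address-list=\
    Changway_AS
add action=drop chain=forward comment="Therefore LTD" src-address-list=\
    Therecomltd
add action=drop chain=forward comment=DigitalOcean src-address-list=\
    Digitalocean_2
add action=drop chain=forward comment=Cloud.ru disabled=yes protocol=tcp \
    src-address-list=cloud.ru
add action=drop chain=forward comment=Cloud.ru disabled=yes dst-address=\
    internal IP in-interface=Stadtwerke protocol=tcp src-address-list=\
    cloud.ru
add action=drop chain=forward comment=Hurricane src-address-list=Hurricane
add action=drop chain=forward src-address-list=alibaba
add action=drop chain=forward src-address-list=hostpapa
# Narrower repeat of the black-list forward drop above (already dropped there).
add action=drop chain=forward comment="Adresslist Blacklist" dst-address=\
    internal IP in-interface=Stadtwerke log-prefix=Blacklist___ protocol=tcp \
    src-address-list=black-list
add action=drop chain=forward dst-address=internal IP in-interface=\
    Stadtwerke protocol=tcp src-address-list=windows_update
# src-port="" is an empty matcher and has no effect.
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=gaza src-port=""
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=digitalocean
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=outbrain
add action=drop chain=forward dst-address=internal IP in-interface=\
    Stadtwerke protocol=tcp src-address-list=outbrain
add action=drop chain=forward dst-address=internal IP in-interface=\
    Stadtwerke protocol=tcp src-address-list=Hetzner
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=Hetzner
add action=drop chain=forward dst-address=internal IP in-interface=\
    Stadtwerke log-prefix=leaseweb_f_ protocol=tcp src-address-list=leaseweb
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=leaseweb
add action=drop chain=forward dst-address=internal IP in-interface=\
    Stadtwerke log-prefix=colocrossing_f_ protocol=tcp src-address-list=\
    colocrossing
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=colocrossing
add action=drop chain=forward dst-address=internal IP in-interface=\
    Stadtwerke log-prefix=ohve_f_ protocol=tcp src-address-list=OHV
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=OHV
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=M247
add action=drop chain=forward dst-address=internal IP in-interface=\
    Stadtwerke log-prefix=M274_forward_ protocol=tcp src-address-list=M247
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=Linode
add action=drop chain=forward dst-address=internal IP in-interface=\
    Stadtwerke log-prefix=Linode_forward_ protocol=tcp src-address-list=\
    Linode
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=hostplus_russia
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=namecheap
add action=drop chain=forward dst-address=internal IP in-interface=\
    Stadtwerke log-prefix=namecheap_ protocol=tcp src-address-list=namecheap
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=godaddy
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=godaddy1
add action=drop chain=forward dst-address=internal IP in-interface=\
    Stadtwerke log-prefix=namecheap_ protocol=tcp src-address-list=godaddy
add action=drop chain=forward dst-address=internal IP in-interface=\
    Stadtwerke log-prefix=namecheap_ protocol=tcp src-address-list=godaddy1
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=ponynet
add action=drop chain=forward disabled=yes dst-address=internal IP \
    in-interface=Stadtwerke log-prefix=namecheap_ protocol=tcp \
    src-address-list=ponynet
add action=drop chain=input in-interface=Stadtwerke log=yes log-prefix=\
    Romania_block_ protocol=tcp src-address-list=Romania
add action=drop chain=forward dst-address=internal IP in-interface=\
    Stadtwerke port=25,443 protocol=tcp src-address-list=Romania
add action=drop chain=forward in-interface=Stadtwerke protocol=tcp \
    src-address-list=Scalsways
add action=drop chain=input in-interface=Stadtwerke protocol=tcp \
    src-address-list=Scalsways
add action=drop chain=input comment=CountryBlocks in-interface=Stadtwerke \
    log-prefix=Country_IN_ src-address-list=CountryIPBlocks
add action=drop chain=forward comment=CountryBlocks in-interface=Stadtwerke \
    log-prefix=Country_FORWARD_ src-address-list=CountryIPBlocks
# limit= matches packets *within* the rate, so drop+limit drops the
# well-behaved ICMP and the next rule drops the rest: all ICMP from WAN is
# dropped, including type 3 (fragmentation-needed) and type 11, which breaks
# PMTUD and traceroute. The disabled per-type accepts further down would be
# the better shape: accept 3/11 (and rate-limited 8), then drop.
add action=drop chain=input comment="anti Ping Flood" in-interface=Stadtwerke \
    limit=2,2:packet protocol=icmp
add action=drop chain=input comment="drop icmp in general" in-interface=\
    Stadtwerke protocol=icmp
# Enabled (was disabled=yes): forwards only what a dst-nat rule chose. It sits
# after the blacklist drops on purpose, so listed sources are still dropped
# even for forwarded ports.
add action=accept chain=forward comment="allow port forwarding" \
    connection-nat-state=dstnat
add action=log chain=input disabled=yes log=yes
add action=accept chain=forward comment="Router raus" disabled=yes \
    src-address=a.b.c.d
add action=log chain=forward disabled=yes dst-address=internal IP dst-port=\
    80 protocol=tcp
add action=log chain=forward disabled=yes dst-address=internal IP dst-port=\
    25 protocol=tcp
add action=log chain=forward disabled=yes dst-address=internal IP dst-port=\
    443 in-interface=Stadtwerke log-prefix=HTTPS_yxxy_ protocol=tcp
add action=accept chain=forward comment=CGI disabled=yes protocol=tcp \
    src-address-list=CGI
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
    protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# Enabled (was disabled=yes): the forward chain's only default-deny for new
# connections arriving on the WAN list. Without it every new WAN connection
# not caught by a blacklist above reached the LAN via the implicit accept.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
add action=fasttrack-connection chain=forward comment="Fasttrack TCP DNS" \
    disabled=yes dst-port=53 hw-offload=yes protocol=tcp
add action=fasttrack-connection chain=forward comment="Fasttrack UDP DNS" \
    disabled=yes dst-port=53 hw-offload=yes protocol=udp
add action=drop chain=input comment=miscellanious disabled=yes \
    src-address-list=miscellanious
add action=drop chain=input comment="Drop UDP Port 17" disabled=yes \
    in-interface=Stadtwerke protocol=udp src-address-list=variable
add action=tarpit chain=input comment="Tarpit SSH" connection-limit=5,32 \
    disabled=yes dst-port=5017 protocol=tcp
add action=accept chain=input comment="ping accepted" disabled=yes \
    in-interface=Stadtwerke limit=1,5:packet protocol=icmp
add action=log chain=forward disabled=yes log=yes log-prefix=Felix__ \
    src-address=192.168.0.36
# Disabled per-type ICMP accepts; see the note at the "anti Ping Flood" rule.
add action=accept chain=input comment="icmp Echo reply" disabled=yes \
    icmp-options=0:0-255 in-interface=Stadtwerke protocol=icmp
add action=accept chain=input comment="icmp echo request" disabled=yes \
    icmp-options=8:0-255 in-interface=Stadtwerke protocol=icmp
add action=accept chain=input comment="icmp time exceeded" disabled=yes \
    icmp-options=11:0-255 in-interface=Stadtwerke protocol=icmp
add action=accept chain=input comment="icmp dest unreachable" disabled=yes \
    icmp-options=3:0-255 in-interface=Stadtwerke protocol=icmp
add action=accept chain=forward comment="Proxy Port 60941" disabled=yes \
    dst-address=63.161.104.189 log=yes out-interface-list=all src-address=\
    some IP
add action=accept chain=forward comment="Proxy ETKA" disabled=yes \
    dst-address=104.223.135.178 log=yes protocol=tcp src-address=\
    some IP
add action=accept chain=forward comment="Proxy ETKA" disabled=yes \
    dst-address=51.79.50.31 log=yes protocol=tcp src-address=some IP
add action=accept chain=forward comment="Proxy ETKA" disabled=yes \
    dst-address=158.69.118.135 log=yes protocol=tcp src-address=some IP
add action=accept chain=forward disabled=yes dst-address=13.93.140.77 \
    src-address=some IP
add action=accept chain=forward disabled=yes log=yes log-prefix=Main_out_ \
    out-interface=all-ethernet protocol=tcp
add action=drop chain=forward disabled=yes dst-address=a.b.c.d \
    src-address=192.168.0.111
# --- per-host egress restrictions for lab VMs (forward) ---
add action=drop chain=forward comment=\
    "Drop all traffic from WIN7 virtual machine (110)" disabled=yes \
    dst-address-list=!windows_update log=yes log-prefix=Win7__drop_110_ \
    src-address=192.168.0.110
add action=accept chain=forward disabled=yes dst-address=189.113.1.234 log=\
    yes protocol=tcp src-address=some IP
add action=drop chain=forward comment=\
    "Drop all traffic from this virtual machine Win10 ETKA83  (113)" \
    log-prefix=113_gen_ src-address=some IP
add action=drop chain=forward comment="Windows 7" log-prefix=113_gen_ \
    src-address=192.168.0.118
add action=drop chain=forward comment=\
    "Drop all traffic from this virtual machine Win10 ODIS  (114)" \
    log-prefix=114_ src-address=192.168.0.114
add action=drop chain=forward comment=\
    "Drop all traffic from this virtual machine Win10 (116)" \
    dst-address-list=!windows_update log-prefix=116_WInUpdate_ src-address=\
    192.168.0.116
add action=drop chain=forward comment=\
    "Drop all traffic from this virtual machine Win10 ODIS  (114)" disabled=\
    yes dst-address-list=!windows_update log-prefix=116_WInUpdate_ \
    src-address=some IP
add action=drop chain=forward comment=\
    "Drop all traffic from virtual machine (94)" src-address=192.168.0.94
add action=drop chain=forward comment=MS_BLOCK dst-address-list=\
    block_commercial log-prefix=MS_BLOCK_ src-address=192.168.0.110
add action=drop chain=forward comment=saveDB disabled=yes dst-address-list=\
    !windows_update log=yes log-prefix=64_ src-address=192.168.0.64
# output = packets generated by the router itself. src-address=192.168.0.110
# / 192.168.0.111 can never match here (the router does not own those
# addresses); if the intent is to restrict those VMs, the rules belong in
# forward. The 111 rule is enabled and therefore silently does nothing.
add action=drop chain=output comment="VW Win7 ETKA" disabled=yes log=yes \
    log-prefix=O_110_ out-interface=Stadtwerke src-address=192.168.0.110
add action=drop chain=output comment="WIN98 VM" dst-address-list=\
    windows_update src-address=192.168.0.111
# Only restricts connections the router itself opens to TCP/449.
add action=drop chain=output comment=Emotet dst-port=449 log=yes log-prefix=\
    Emotet_ protocol=tcp
# Keep these disabled: they would expose the router's own HTTP/HTTPS
# (WebFig) on the WAN interface.
add action=accept chain=input disabled=yes dst-port=80 in-interface=\
    Stadtwerke log-prefix=80_input_ protocol=tcp
add action=accept chain=input disabled=yes dst-port=443 in-interface=\
    Stadtwerke log=yes log-prefix=443_input_ protocol=tcp
add action=log chain=forward disabled=yes log=yes log-prefix=114_ protocol=\
    tcp src-address=192.168.0.114
add action=log chain=forward disabled=yes out-interface=Stadtwerke protocol=\
    tcp src-address=192.168.0.36
add action=log chain=forward disabled=yes out-interface=Stadtwerke protocol=\
    tcp src-address=192.168.0.119
add action=log chain=forward disabled=yes out-interface=Stadtwerke protocol=\
    tcp src-address=192.168.0.141
add action=log chain=output disabled=yes protocol=tcp src-address=\
    91.136.133.54
add action=accept chain=forward disabled=yes log=yes src-address=\
    192.168.0.250
add action=log chain=forward disabled=yes src-address=192.168.0.250
add action=accept chain=forward disabled=yes log=yes src-address=192.168.0.17
add action=log chain=forward disabled=yes dst-address=internal IP dst-port=\
    25 in-interface=Stadtwerke log=yes protocol=tcp
add action=log chain=forward disabled=yes dst-address=internal IP dst-port=\
    587 in-interface=Stadtwerke log=yes protocol=tcp
add action=log chain=forward disabled=yes out-interface=Stadtwerke protocol=\
    tcp src-address=192.168.0.15
add action=log chain=forward disabled=yes dst-port=2476 in-interface=\
    Stadtwerke out-interface=all-ethernet protocol=tcp
add action=accept chain=forward comment=ltspice.analog.com disabled=yes \
    dst-address=23.196.235.45 log=yes protocol=tcp src-address=some IP
add action=accept chain=forward comment=ltspice.analog.com disabled=yes \
    dst-address=23.206.18.229 protocol=tcp src-address=some IP
add action=accept chain=forward comment="BWI CLient" disabled=yes log-prefix=\
    BWI_ src-address=192.168.0.11
# The input chain's only default-deny. It must stay last; everything arriving
# on a non-LAN interface that was not accepted above (including DNS with
# allow-remote-requests=yes and the management services) is dropped here.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=!LAN_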
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN packet-mark=""
# Inbound port forwards (993, 587, 25, 80, 443 -> the internal server).
# In this export the forward chain has no terminal drop and its
# "allow port forwarding" / "drop all from WAN not DSTNATed" pair is disabled,
# so these work only because unmatched forward traffic is accepted by default.
add action=dst-nat chain=dstnat comment="Dovecot access on server" dst-port=\
    993 in-interface=Stadtwerke protocol=tcp to-addresses=internal IP \
    to-ports=993
add action=dst-nat chain=dstnat comment="smtps on mailserver" dst-port=587 \
    in-interface=Stadtwerke log-prefix=587_ protocol=tcp to-addresses=\
    internal IP
add action=dst-nat chain=dstnat comment="stmp port on xyyx" dst-port=25 \
    in-interface=Stadtwerke in-interface-list=WAN log=yes log-prefix=25_ \
    protocol=tcp to-addresses=internal IP to-ports=25
add action=dst-nat chain=dstnat comment="letsencrypt update" dst-port=80 \
    in-interface=Stadtwerke log=yes log-prefix=NAT_80_ protocol=tcp \
    to-addresses=internal IP to-ports=80
# src-port="" is an empty matcher and has no effect.
add action=dst-nat chain=dstnat comment="https webserver " dst-port=443 \
    in-interface=Stadtwerke log=yes log-prefix=HTTP___ protocol=tcp src-port=\
    "" to-addresses=internal IP to-ports=443
add action=dst-nat chain=dstnat comment="HG1500 UDP SIP Traffic" disabled=yes \
    dst-port=5060 in-interface=Stadtwerke protocol=udp to-addresses=\
    192.168.0.79 to-ports=5060
add action=dst-nat chain=dstnat comment="SSH Port" disabled=yes dst-port=\
    18729 in-interface=Stadtwerke log=yes protocol=tcp to-addresses=\
    internal IP to-ports=22
# Disabled, keep it so: with no dst-port / interface matcher this would
# redirect every UDP packet seen in prerouting to 192.168.10.1:14856.
add action=dst-nat chain=dstnat disabled=yes protocol=udp to-addresses=\
    192.168.10.1 to-ports=14856
# Disabled: src-nat to 0.0.0.0 is not a usable translation; delete it.
add action=src-nat chain=srcnat disabled=yes in-interface=Stadtwerke \
    protocol=tcp to-addresses=0.0.0.0
# Disabled: the WireGuard interface lives on the router, so its handshake
# packets are input-chain traffic; they need an input accept for the listen
# port, not a dstnat rule.
add action=accept chain=dstnat disabled=yes dst-port=18730 log=yes \
    log-prefix=Wiregurd_ protocol=udp
/ip firewall raw
# raw/prerouting runs before conntrack and before dst-nat, so dst-address is
# what is on the wire (the public IP for traffic coming from the ISP).
# An accept here only ends raw processing; it does not bypass the filter chains.
add action=accept chain=prerouting dst-address-list=allowed_russia
add action=accept chain=prerouting dst-address-list=allowed_blacklist
# Matches packets already addressed to the internal server's port 80, i.e.
# LAN clients (or hairpin) - WAN packets still carry the public IP here and
# are not caught. Presumably meant to be a filter rule; verify the intent.
add action=drop chain=prerouting dst-address=internal IP dst-port=80 \
    protocol=tcp
add action=drop chain=prerouting disabled=yes src-address-list=\
    CountryIPBlocks
add action=drop chain=prerouting disabled=yes in-interface=Stadtwerke \
    src-address-list=godaddy
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=91.136.133.53
# /128 is not a valid IPv4 prefix length and the gateway is empty: this entry
# is junk (also questioned in the thread) and should be deleted.
add disabled=no distance=1 dst-address=0.0.0.0/128 gateway="" routing-table=\
    main scope=30 target-scope=10
/ip service
# Only www-ssl is customised; the other services (telnet, ftp, www, api,
# winbox, ssh) are at RouterOS defaults and therefore not shown. They are
# reachable from LAN only because the input chain ends with "drop all not
# coming from LAN"; disable the unused ones and restrict the rest with address=.
set www-ssl certificate=Webfig disabled=no
/ip smb shares
set [ find default=yes ] directory=/pub
/ipv6 address
# IPv4-mapped address on ether2 while IPv6 is disabled globally: no effect.
add address=::ffff:a.b.c.d interface=ether2
/lcd
set backlight-timeout=15m default-screen=stats-all
/routing bfd configuration
# BFD entry with no interface/address selector; likely unused.
add disabled=no
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=gateway002
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
# NTP servers by IP (the filter's output rule comment names ptbtime1.ptb.de).
# That rule references an "NTP List" address list that is not in this export.
add address=192.53.103.108
add address=192.53.103.104
/system package update
set channel=long-term
/system routerboard reset-button
# Reset-button script hook enabled; only relevant to whoever has physical access.
set enabled=yes
/tool mac-server
# MAC-telnet and MAC-Winbox limited to the LAN list - good.
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool traffic-monitor
add interface=Stadtwerke name=In_Stadtwerke threshold=10 traffic=received

Perfect.

(and PLEASE, learn to enclose it in “code” tags, see the instructions here: > http://forum.mikrotik.com/t/forum-rules/173010/1 > )

(configuration posted in code tags are easier to scroll and the board parser does a good work in colorizing the text so that commands, strings, etc. are highlighted)

Your link for code tags isn’t valid anymore…

Well, it works from here.

Anyway, edit your previous post.
Add before the configuration this:
[ code ]
without the spaces
and after the configuration this:
[ / code ]
again without the spaces.

Now as attachment
config1.rsc (24.3 KB)

You have a couple *'s (asterisks) in your configuration

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=Stadtwerke list=WAN
add interface=ether2 list=LAN
add interface=*10 list=LAN

and:

/interface wireguard peers
add allowed-address=192.168.10.5/24 interface=*10 name=ifurz4 public-key=\
    "FPBmZgAClxZ8sB0ViS4YQbZYwOdzZ2n+0ujEXK9U/HY="

so wireguard cannot work.

What is this route for?

/ip route
...
add disabled=no distance=1 dst-address=0.0.0.0/128 gateway="" routing-table=\
    main scope=30 target-scope=10

I see that many of your firewall rules are disabled so they are essentially “noise” when reviewing a configuration.

And some additional advice: firewall rules are evaluated from top to bottom within the same chain, so it is considered good practice to group them by chain (first all input, then all forward, then all output); that way it is much easier to understand what they do. At the time you write/add a firewall rule it is perfectly clear to you what it does and why you added it, but when you need/want to review them, having all chains mixed up makes it much more difficult to follow the reasoning that originated them.

  1. Set all of this to none, its known to cause all sorts of weird issues.
    /interface detect-internet
    set detect-interface-list=static internet-interface-list=WAN
    lan-interface-list=LAN wan-interface-list=WAN

  2. If ether2 is on the bridge there is no need for this entry…
    add interface=ether2 list=LAN

If ether2 is not supposed to be on the bridge then you need to remove this rule:
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2
internal-path-cost=10 path-cost=10

PICK ONE LOL.

  1. You have not identified a wireguard interface ???

  2. You do not have an address entry for the bridge, but you do have one for ether2.

  3. You have no address assigned for wireguard

  4. Your dhcp server for the bridge is disabled.

  5. I hope you are not posting your real public IP address, if so go back to your posts and change them to something else or just put x.x.x.x

  6. Your firewall rules are crap and bloated including any layer7 rules for bit torrenting.

  7. Hosting servers is asking to be hacked and singled out by bots,
    you are much better off figuring out who your friends are and then have them wireguard into your router and then give them access through firewall rules to the servers they need.
    OR
    Use zerotier to connect friends to your servers.

No one these days hosts gaming servers or the like as its to hard protect properly and often your ISP shuts you down for misuse or spam type issues.

  1. Why trying to dstnat for wireguard..

IN SUMMARY, the config is an incoherent mess. Not that unusual, when one starts with no plan and it gets out of control.
The best thing to do is review facts.

a. identify your users,devices (external internal and admin)
b. identify the traffic they need.
c. draw a network diagram

WIth that information, help can be provided towards a coherent config and KISS firewall structure.

Just for the sake of confirming it - can you check that the default route on your servers is the router’s IP address (192.168.0.253 IIRC)?

Yes it is

I followed your advice and changed a lot of things.

  • bound internal ip address on bridge
  • removed any vlan
  • layer 7 stuff removed
  • sorted my firewall rules and removed some useless

Furthermore I read the other thread with firewall rules for 6.x and 7.x and implemented it.

But the source IP of any incoming system is still replaced by the router's internal IP.

current config:

# 2025-05-13 09:36:06 by RouterOS 7.16.2
# software id = UCYE-VK1K
#
# model = RB3011UiAS
# serial number = E7E60FD836A5
# NOTE(review): software id and serial number are still published verbatim.
/interface bridge
# admin-mac is redacted to five octets; as written this is not a valid MAC and
# the line would not import.
add admin-mac=xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge \
    port-cost-mode=short
/interface ethernet
# DMZ (ether10) is disabled but still a bridge port below - part of the flat LAN.
set [ find default-name=ether10 ] disabled=yes name=DMZ
# mtu=1504 (1500 + VLAN tag) is left over from the removed VLAN setup; confirm
# the ISP still needs it.
set [ find default-name=ether1 ] mtu=1504 name=Stadtwerke
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip smb users
set [ find default=yes ] disabled=yes
/port
set 0 name=serial0
/system logging action
# Disk logging target; no /system logging rule in this export uses it.
add disk-file-name=logg name=logfiless target=disk
/interface bridge port
# ether2-ether9, DMZ and sfp1: one flat bridge, ingress filtering off.
add bridge=bridge comment=defconf ingress-filtering=no interface=ether2 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether3 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether4 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether5 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether6 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether7 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether8 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=ether9 \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=DMZ \
    internal-path-cost=10 path-cost=10
add bridge=bridge comment=defconf ingress-filtering=no interface=sfp1 \
    internal-path-cost=10 path-cost=10
/ip firewall connection tracking
# UDP conntrack entries are dropped after 10s without traffic.
set udp-timeout=10s
/ip neighbor discovery-settings
# Neighbor discovery only on LAN-list interfaces, so the router does not
# announce itself towards Stadtwerke.
set discover-interface-list=LAN
/ip settings
set max-neighbor-entries=8192
/ipv6 settings
# IPv6 is switched off entirely; while this stays set there is no IPv6
# attack surface and no /ipv6 firewall is needed.
set disable-ipv6=yes max-neighbor-entries=8192
/interface detect-internet
set detect-interface-list=static internet-interface-list=WAN \
    lan-interface-list=LAN wan-interface-list=WAN
/interface list member
# Only the bridge is in LAN and only Stadtwerke in WAN. Any wireguard
# interface added later must be put in LAN as well, otherwise the input
# chain's "drop all not coming from LAN" rule blocks its peers from the router.
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=Stadtwerke list=WAN
/interface ovpn-server server
# NOTE(review): md5 is still accepted as an OVPN auth digest. Whether the OVPN
# server is enabled is not visible in this copy; if it is in use, drop md5
# from the list.
set auth=sha1,md5
/interface wireguard peers
# NOTE(review): interface=*10 is an internal object id that no longer
# resolves to a named interface (no /interface wireguard section is present
# in this copy) -- a dangling reference left behind when the interface was
# removed. allowed-address is both the route towards the peer and the source
# filter applied to its decrypted packets; a /24 lets this single peer
# originate any address in 192.168.10.0/24, where one remote device would
# normally get a /32.
add allowed-address=192.168.10.5/24 interface=*10 name=ifurz4 public-key=\
    "FPBmZgAClxZ8sB0ViS4YQbZYwOdzZ2n+0ujEXK9U/HY="
/ip address
# "int IP", "int network" and "ex IP" are redactions by the poster; these
# lines are not importable as pasted.
add address="int IP" comment=defconf interface=bridge network=\
    "int network"
add address="ex IP" interface=Stadtwerke network=91.136.133.0
/ip dhcp-client
# The WAN address is static (above); the default DHCP client on Stadtwerke
# is left disabled.
add comment=defconf disabled=yes interface=Stadtwerke
/ip dhcp-server
# Disabled and bound to pool-vpn: no DHCP is handed out on the bridge.
add address-pool=pool-vpn disabled=yes interface=bridge lease-time=10m name=\
    defconf
/ip dns
# allow-remote-requests=yes makes the router a recursive resolver for any
# source that can reach port 53 on it. The input chain's "drop all not coming
# from LAN" rule is the only thing stopping Stadtwerke clients from using it;
# the two settings have to stay in step.
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1
/ip dns static
# "IP router" is a redaction.
add address="IP router" comment=defconf name=router.lan type=A
/ip firewall address-list
# No entries in this copy of the export. The filter rules below match on the
# lists allowed_blacklist, black-list, "server ip" and "NTP List"; a rule
# that matches on an empty list never fires, so those rules are inert as pasted.
/ip firewall filter
# --- forward: fasttrack first, so established/related flows bypass the rest ---
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
# --- input (traffic addressed to the router itself) ---
# Only established/related arriving on Stadtwerke is accepted here; the same
# states arriving from the bridge fall through to the later rules and, being
# LAN, end in the chain's implicit accept.
add action=accept chain=input comment=\
    "acceppt established and related from the router itself" \
    connection-state=established,related in-interface=Stadtwerke
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
# NOTE(review): limit= matches packets that are *within* the rate, so
# action=drop here discards the first ~2 ICMP packets/s from Stadtwerke and
# lets anything above that rate through -- the inverse of the stated intent.
# The "drop all not coming from LAN" rule just below discards all WAN ICMP
# anyway, so the rule is redundant rather than harmful.
add action=drop chain=input comment="anti Ping Flood" in-interface=Stadtwerke \
    limit=2,2:packet protocol=icmp
# This rule is what keeps DNS (allow-remote-requests=yes), www-ssl and every
# other router service off Stadtwerke; everything after it in the input chain
# can only be reached by LAN-sourced packets.
# log-prefix is set but log=yes is not, so nothing is logged.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN log-prefix=!LAN_
# --- forward ---
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
# Whitelist exception for sources on allowed_blacklist coming in from
# Stadtwerke; logged.
add action=accept chain=forward comment="Alllowed Adresslist Blacklist" \
    in-interface=Stadtwerke log=yes log-prefix=allowed_blacklist_foward_ \
    src-address-list=allowed_blacklist
# Redundant: already covered by the established,related,untracked accept above.
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
# "router ip" is a redaction by the poster. log-prefix without log=yes.
add action=accept chain=forward log-prefix=gateway____ out-interface=\
    Stadtwerke src-address="router ip"
# (the leading tab on the next line looks like a paste artifact)
	add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
# --- output (traffic originated by the router itself) ---
add action=accept chain=output comment="DNS TCP" dst-port=53 protocol=tcp
# comment= says "DNS TCP" but this rule is protocol=udp.
add action=accept chain=output comment="DNS TCP" dst-port=53 protocol=udp
# "some IP" is a redaction.
add action=accept chain=output comment="Router Output" protocol=tcp \
    src-address="some IP"
add action=accept chain=output comment="Router Output" protocol=icmp \
    src-address="some IP"
# Disabled. dst-address-list="server ip" names an address list (empty above).
add action=accept chain=forward comment="Update Letsencrypt" disabled=yes \
    dst-address-list="server ip" dst-port=80 in-interface=Stadtwerke log=yes \
    log-prefix=Letsencrypt_update_ protocol=tcp
# Matches on the "NTP List" address list (empty above). log-prefix without log=yes.
add action=accept chain=output comment="UDP Connect towards ptbtime1.ptb.de" \
    dst-address-list="NTP List" dst-port=123 log-prefix=\
    "UDP Out to ptbtime1.ptb.de" protocol=udp
# NOTE(review): dst-limit=, like limit=, matches packets *within* the rate
# (1/s, burst 5, tracked per dst-address, entries expire after 1m40s), so
# action=drop here suppresses the first few "530 Login incorrect" replies to
# a client and lets a sustained stream through. The output chain also has no
# final drop, so rule order is the only constraint on router-originated traffic.
add action=drop chain=output comment="Login incorrect" content=\
    "530 Login incorrect" dst-limit=1,5,dst-address/1m40s out-interface=\
    Stadtwerke protocol=tcp
# Placed after "drop all not coming from LAN", so only LAN-sourced TCP from a
# black-list entry can ever reach it. TCP only: UDP/ICMP from listed sources
# is not covered by either blacklist rule.
add action=drop chain=input comment="Adresslist Blacklist" log-prefix=\
    Blacklist___ protocol=tcp src-address-list=black-list
# Sits after the established/related accepts, so only new TCP connections
# from black-list sources are dropped.
add action=drop chain=forward comment="Adresslist Blacklist" log-prefix=\
    Blacklist___forward protocol=tcp src-address-list=black-list
# Disabled.
add action=accept chain=forward disabled=yes log=yes log-prefix=Main_out_ \
    out-interface=all-ethernet protocol=tcp
# The forward chain ends here in the implicit accept: anything not matched
# above is forwarded. There is no "drop all from WAN not DSTNATed" rule, and
# no /ip firewall nat section appears in this copy of the export.
/ip ipsec profile
set [ find default=yes ] dpd-interval=2m dpd-maximum-failures=5
/ip route
# "gateway IP" is a redaction.
add disabled=no dst-address=0.0.0.0/0 gateway="gateway IP"
/ip service
# Only www-ssl is shown (enabled, certificate Webfig). The state of www,
# winbox, ssh, api, ftp and telnet is not in this copy; keeping all of them
# off Stadtwerke rests on the input chain's "drop all not coming from LAN".
set www-ssl certificate=Webfig disabled=no
/ip smb shares
set [ find default=yes ] directory=/pub
/lcd
set backlight-timeout=15m default-screen=stats-all
/routing bfd configuration
add disabled=no
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=gateway002
/system note
set show-at-login=no
/system ntp client
set enabled=yes
/system ntp client servers
# The output-chain NTP rule above matches on the "NTP List" address list,
# which is empty in this copy; the client itself targets these literal IPs.
add address=192.53.103.108
add address=192.53.103.104
/system package update
# long-term (stable) update channel.
set channel=long-term
/system routerboard reset-button
# Physical reset button active: anyone with hands on the device can reset
# the configuration. Fine in a locked rack; worth knowing otherwise.
set enabled=yes

Awesome, good plan… the point of identifying the users and the traffic they need is that it helps formulate a decent plan; with a decent diagram and config, known context can be provided more readily.

  1. Since ether10 (the port named DMZ) is disabled, I would suggest not including it in the bridge — or perhaps you turn it off and on for some reason…?

  2. Still missing a wireguard interface definition…

  • are you connecting to some third party server
    OR
  • are you providing a self-hosted wireguard server? { I am assuming this one, as you have not communicated such facts }
  1. If it's a local wireguard service, then I suggest adding the wireguard interface (once you create it) to the LAN interface list.
    The Wireguard peer is incorrect if it's describing a remote device (laptop, smartphone, etc.) that you may be using to connect to the router.

  2. MISSING
    /ip dhcp-server for bridge users ???
    /ip dhcp-server network for bridge users ???

  3. Mixing the forward and input chains makes reading the config and spotting errors more difficult. Keep the chains together. No need for output rules…
    KISS

/ip firewall filter
{ default rules to keep }
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input dst-address=127.0.0.1

(admin rules)
add action=accept chain=input comment="LAN to router" in-interface-list=LAN
add action=drop chain=input comment="drop all else"
{ ensure you insert this rule here, and last of all rules }
+++++++++++++++++++++++++++++++++
{ default rules to keep }
add action=accept chain=forward ipsec-policy=in,ipsec
add action=accept chain=forward ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward connection-state=established,related
add action=accept chain=forward connection-state=established,related,untracked
add action=drop chain=forward connection-state=invalid

(admin rules)
add action=accept chain=forward comment="internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=accept chain=forward comment="remote wg to LAN" in-interface=wginterface-NAME out-interface=bridge
add action=drop chain=forward comment="drop all else"

  1. MISSING NAT
    /ip firewall nat
    add chain=srcnat action=masquerade out-interface=Stadtwerke
    add chain=dstnat action=dst-nat dst-address=WANIP dst-port=80 protocol=tcp to-address=x.x.x.x
    ( the lan IP of the server )

Clearly the evidence and your statements are in contradiction.
You didn't remove wireguard, as the peer settings were still there.
You didn't remove ether10 (DMZ, as you named it) from the bridge; it was still there, etc.
Without a clear set of requirements, which you keep changing or providing in dribs and drabs, I am unable to help further, as I am also not savvy in output chain rules.
Perhaps others will have more skills!