Hi,
Love using Mikrotik defaults however I’m not a fan of this default DROP rule (below) - I am thinking of separating the rule out such that I can have an explicit DROP at the end to provide more clarity.
add action=drop chain=forward comment=“defconf: drop all from WAN not DSTNATed” connection-nat-state=!dstnat
connection-state=new in-interface-list=WAN
Into
add action=accept chain=forward in-interface-list=LAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment=“drop all other forward”
Just looking for a sanity check on this . . .
/ip firewall filter
add action=drop chain=input comment=“drop invalid” connection-state=invalid
add action=drop chain=forward comment=“drop invalid” connection-state=invalid
add action=accept chain=input comment=“accept established,related” connection-state=established,related
add action=accept chain=forward comment=“accept established,related” connection-state=established,related
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related hw-offload=yes
add action=accept chain=forward in-interface-list=LAN
add action=accept chain=input in-interface-list=LAN
add action=accept chain=forward connection-nat-state=dstnat
add action=drop chain=forward comment=“drop all other forward”
add action=drop chain=input comment=“drop all other input”