Hi
I am using an RB2011 in station-pseudobridge mode as an access point to a Wireless WAN; this creates the WAN1 interface for that connection.
I then have WAN2, which provides the Wi-Fi SSID for my machines to access; traffic is routed to WAN1 and out to the internet, and this is working fine.
Because WAN1 is in slave mode, I cannot use the WAN1 interface in any of the firewalling at all (it refuses on account of WAN1 being in slave mode).
So I have to do all the firewalling on the bridge1 interface (which has WAN1 as its only member; all other interfaces and WAN2 are on a separate LAN-side bridge).
I want to drop all inbound traffic and avoid any hack attacks. To this effect I have used the following rule in the firewall, but I am uncertain whether it is going to work, as the bridge in/out might be treated differently from a WAN1 interface. Can anyone advise whether this is the best way to do it, or suggest alternative methods? So far I am seeing zero traffic hitting this rule, and it is at the top of the firewall chain.
add action=drop chain=forward comment="Drop anything inbound on bridge1 that is not DSTNAT'ed" connection-nat-state=!dstnat connection-state=new in-interface=bridge1 log=yes log-prefix=WAN-Bridge1_drop
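As an added example (not the poster's configuration), the following RouterOS filter set shows the usual way to firewall a device whose WAN port is a bridge member: the rules reference the bridge through an interface list, and the input chain (traffic to the router itself) is covered as well as the forward chain. It assumes, as in the post, that the WAN side is `bridge1`; the LAN-side bridge is given the hypothetical name `bridgeLAN`, and the `WAN`/`LAN` list names are assumed not to exist yet (on firmware with the default configuration they already do, in which case skip the `/interface list add` lines and only add the members).

```routeros
# Added example, not the original poster's config.
# Assumptions: WAN-facing bridge is bridge1 (from the post);
# LAN-facing bridge is named bridgeLAN (hypothetical, rename to suit).

# Reference the bridge via interface lists; the slave port WAN1 cannot be used here.
/interface list
add name=WAN comment="internet-facing bridge"
add name=LAN comment="local-side bridge"
/interface list member
add list=WAN interface=bridge1
add list=LAN interface=bridgeLAN

/ip firewall filter
# --- input chain: packets addressed to the router itself ---
add chain=input action=accept connection-state=established,related,untracked comment="replies to connections the router opened"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp in-interface-list=WAN comment="optional: allow ping/PMTU from the WAN"
add chain=input action=accept in-interface-list=LAN comment="management only from the LAN side"
add chain=input action=drop in-interface-list=WAN log=yes log-prefix=WAN-input_drop comment="drop everything else arriving on the WAN bridge"

# --- forward chain: packets passing through the router ---
add chain=forward action=accept connection-state=established,related,untracked comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="LAN -> internet"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN log=yes log-prefix=WAN-forward_drop comment="new inbound from WAN only if a dst-nat rule sent it"

/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="hide the LAN behind the WAN address"

# Verification: per-rule packet/byte counters, and the logged drops.
/ip firewall filter print stats
/log print where message~"WAN-"
```

Two things to check once this is in place. First, a forward-chain rule only sees packets whose destination is a host behind the router; an unsolicited packet sent to the router's own WAN address (the usual scan or login attempt) is handled by the input chain, so a forward-only drop rule will show zero hits while the router itself stays exposed, which is why the input-chain drop above matters. Second, `/ip firewall filter print stats` shows the packet counters per rule, so you can see which rule traffic is actually matching instead of relying on the log alone. If you ever do need to match the slave port directly, `/interface bridge settings set use-ip-firewall=yes` makes the `in-bridge-port=WAN1` matcher usable in filter rules, at the cost of extra CPU for every bridged packet.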