I just saw, you need to accept ISP’s DNS servers in input. You are currently allowing DNS requests only for LAN.
Thanks mate! Is there a way to do this dynamically, or shall I always strive to add static DNS servers?
I think only with some scripting.
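The scripting that reply refers to, as an added example that is not anything posted in the thread: a RouterOS script that rebuilds the DIGI_DNS_SRVRS address list from the resolvers the WAN DHCP client learned, so the list follows the ISP instead of being typed in by hand. The list and interface names are the ones from the export later in the thread; the script and scheduler names are made up here, and the script assumes that the read-only dynamic-servers property of /ip dns holds the DHCP-learned resolvers (it does as long as the dhcp-client's use-peer-dns is left at its default of yes). An accept-by-source rule is only as trustworthy as the source address on a UDP packet, so the rules that use this list should stay narrow (src-port=53 plus the list) and sit below the established/related rules.

```routeros
# --- script body: save as /system script "refresh-isp-dns-list" ---
# Added example, not from the thread. Assumed: list name DIGI_DNS_SRVRS,
# WAN dhcp-client on Eth2_WAN1_DIGI with use-peer-dns=yes, and that
# [/ip dns get dynamic-servers] returns the learned resolvers as a
# comma-separated string.
:local listName "DIGI_DNS_SRVRS"
:local learned [/ip dns get dynamic-servers]

:if ([:len $learned] = 0) do={
    # Nothing learned (lease not bound yet?): keep the old entries rather
    # than emptying the list and silently breaking the DNS rules.
    :log warning "refresh-isp-dns-list: no dynamic DNS servers learned, list left untouched"
} else={
    # Replace whatever is in the list with the current set.
    /ip firewall address-list remove [find list=$listName]
    :foreach srv in=[:toarray $learned] do={
        /ip firewall address-list add list=$listName address=$srv comment="learned via dhcp-client"
        :log info "refresh-isp-dns-list: added $srv to $listName"
    }
}

# --- then, from the CLI, schedule it (names are assumptions) ---
# Re-check every 10 minutes and once at boot, so a lease renewal that
# changes the ISP's resolvers is picked up without a manual edit.
/system scheduler add name=refresh-isp-dns-list interval=10m on-event="/system script run refresh-isp-dns-list"
/system scheduler add name=refresh-isp-dns-list-boot start-time=startup on-event="/system script run refresh-isp-dns-list"
```

To confirm it did something, run the script once by hand and compare `/ip firewall address-list print where list=DIGI_DNS_SRVRS` with `/ip dns print` (the dynamic-servers line); the two should list the same addresses.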
One more thing: do you have any idea, what could cause the ping failures on LAN?
It’s this rule
add action=drop chain=forward comment=" Drop all else forward requests!"
Allow icmp in forward chain without more matchers. Just rule
add action=accept chain=forward protocol=icmp
Thanks!
This sure explains why I couldn’t ping outside clients, but why couldn’t I ping the LAN interface (that should be input chain)?
Dude, I think I got this; could you please check out my new filter rules?
The filter rules: https://imgur.com/a/pyrbC
(A forward rule for ICMP was added, also two WAN rules for DNS input with a source address list that are my telco’s DNS servers.)
I’ll test this live in two days, but if there is a security hole, I wanna know!
Thanks in advance mate!
Tried the config yesterday, failed miserably.
Still unable to ping LAN address, still not forwarding DNS queries.
I wonder if it’s really not a faulty device now…
Hey there again!
I’ve made some changes based on this wiki article: https://wiki.mikrotik.com/wiki/Basic_universal_firewall_script
I’ll be able to test this tomorrow, but if you guys spot anything wrong here, let me know please!
Here is a screenshot of my filter rules: https://imgur.com/a/U6jNd
And here is the cfg export:
# nov/30/2017 18:09:30 by RouterOS 6.39.2
# software id = 5IAZ-WMI5
/interface ethernet
set [ find default-name=ether2 ] mac-address=F0:79:59:EB:9B:98 name=Eth2_WAN1_DIGI
set [ find default-name=ether5 ] name=Eth5_LAN
/ip pool
add name=dhcp_pool1 ranges=192.168.100.2-192.168.255.254
/ip dhcp-server
add add-arp=yes address-pool=dhcp_pool1 always-broadcast=yes disabled=no interface=Eth5_LAN lease-time=1w3d name=DHCP_server1
/ip address
add address=192.168.0.1/16 comment=LAN interface=Eth5_LAN network=192.168.0.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=Eth2_WAN1_DIGI
/ip dhcp-server network
add address=192.168.0.0/16 gateway=192.168.0.1 netmask=16
/ip dns
set allow-remote-requests=yes
/ip firewall address-list
add address=192.168.1.24 list=AdminHosts
add address=192.168.3.3 list=AdminHosts
add address=192.168.3.2 list=AdminHosts
add address=192.168.3.1 list=AdminHosts
add address=192.168.3.4 list=AdminHosts
add address=192.168.3.5 list=AdminHosts
add address=192.168.3.6 list=AdminHosts
add address=193.110.57.4 list=DIGI_DNS_SRVRS
add address=193.110.56.8 list=DIGI_DNS_SRVRS
/ip firewall filter
add action=accept chain=input comment="Accept DNS - UDP" port=53 protocol=udp src-address-list=DIGI_DNS_SRVRS
add action=accept chain=input comment="Accept DNS - TCP" port=53 protocol=tcp src-address-list=DIGI_DNS_SRVRS
add action=accept chain=input comment="Accept established" connection-state=established
add action=accept chain=input comment="Accept to related connections" connection-state=related
add action=accept chain=input comment="Allow port 67 UDP (DHCP)" dst-port=67 protocol=udp
add action=accept chain=input comment="Allow port 67 TCP (DHCP)" dst-port=67 protocol=tcp
add action=accept chain=input comment="Allow port 68 UDP (DHCP)" dst-port=68 protocol=udp
add action=accept chain=input comment="Allow port 68 TCP (DHCP)" dst-port=68 protocol=tcp
add action=accept chain=input comment="Allow ICMP from LAN to router" in-interface=Eth5_LAN protocol=icmp
add action=accept chain=input comment="Allow AdminHosts addresses to access router" in-interface=Eth5_LAN protocol=tcp src-address-list=AdminHosts
add action=drop chain=input comment=" Drop all else input requests !"
add action=accept chain=forward comment=" Forward packets coming from LAN" out-interface=Eth2_WAN1_DIGI
add action=fasttrack-connection chain=forward comment="fasttrack related" connection-state=established,related
add action=accept chain=forward comment=" fasttrack related" connection-state=established,related
add action=accept chain=forward comment="Allow Ping (ICMP) through router" in-interface=Eth5_LAN protocol=icmp
add action=drop chain=forward comment=" Drop all else forward requests!"
add action=accept chain=input comment="Allow established connections and related packets" connection-state=established,related disabled=yes in-interface=Eth5_LAN
add action=accept chain=input comment="Allow port 53 (DNS) UDP from LAN" disabled=yes dst-port=53 in-interface=Eth5_LAN protocol=udp
add action=accept chain=input comment="Allow port 53 (DNS) UDP from WAN" disabled=yes in-interface=Eth2_WAN1_DIGI protocol=udp src-address-list=DIGI_DNS_SRVRS src-port=53
add action=accept chain=input comment="Allow port 53 (DNS) TCP LAN" disabled=yes dst-port=53 in-interface=Eth5_LAN protocol=tcp
add action=accept chain=input comment="Allow port 53 (DNS) TCP from WAN" disabled=yes in-interface=Eth2_WAN1_DIGI protocol=tcp src-address-list=DIGI_DNS_SRVRS src-port=53
/ip firewall nat
add action=masquerade chain=srcnat out-interface=Eth2_WAN1_DIGI
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=2200
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Budapest
/system identity
set name=MF-M-GW
/system logging
add disabled=yes topics=dns
add disabled=yes topics=dhcp
/system ntp client
set enabled=yes server-dns-names=pool.ntp.org,3.hu.pool.ntp.org
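An added example, not the poster's configuration and not from the MikroTik wiki script, of how the DNS input side of this export looks when worked through as commands. It uses only the interface, list and comment strings that appear in the export above. Two things a practitioner checks here: with allow-remote-requests=yes the router answers LAN clients on 192.168.0.1:53, so those queries arrive in the input chain and need an enabled accept rule above the catch-all drop (the "from LAN" DNS rules in the export are disabled and sit below it, so the drop wins if the clients use the router as resolver); and the WAN side must not get the same accept without an in-interface match, or the router becomes an open resolver. The ISP-list rules use port=53, which matches source or destination port; narrowing them to src-port=53 on the WAN interface only accepts what the disabled "from WAN" rules already express.

```routeros
# Added example, not from the thread. Names below are the export's own
# (Eth5_LAN, Eth2_WAN1_DIGI, DIGI_DNS_SRVRS, the comment strings); the new
# rule comments "DNS from LAN (UDP/TCP)" are made up here.

# 1. Drop the disabled LAN-side DNS rules so there are no duplicates, then
#    add live ones placed directly above the catch-all input drop.
#    Only in-interface=Eth5_LAN is accepted: the WAN side keeps hitting the drop.
/ip firewall filter remove [find chain=input in-interface=Eth5_LAN dst-port=53 disabled=yes]
/ip firewall filter add chain=input action=accept in-interface=Eth5_LAN protocol=udp dst-port=53 \
    comment="DNS from LAN (UDP)" place-before=[find chain=input comment=" Drop all else input requests !"]
/ip firewall filter add chain=input action=accept in-interface=Eth5_LAN protocol=tcp dst-port=53 \
    comment="DNS from LAN (TCP)" place-before=[find chain=input comment=" Drop all else input requests !"]

# 2. Narrow the ISP-resolver rules: port=53 matches either direction, so a
#    packet from a listed address aimed at the router's port 53 would pass.
#    src-port=53 on the WAN interface only lets answers in (the
#    established/related rules already cover those, so this is belt and braces).
/ip firewall filter set [find comment="Accept DNS - UDP"] !port src-port=53 in-interface=Eth2_WAN1_DIGI
/ip firewall filter set [find comment="Accept DNS - TCP"] !port src-port=53 in-interface=Eth2_WAN1_DIGI

# 3. Verify from the router: the counters on the new rules move when a LAN
#    client resolves a name against 192.168.0.1, and the WAN interface shows
#    no accept for dst-port=53 at all.
/ip firewall filter print stats where comment~"DNS from LAN"
/ip firewall filter print where chain=input dst-port=53 in-interface=Eth2_WAN1_DIGI action=accept
```

Read the third print as a check that should come back empty; if it lists a rule, the router is answering DNS for the whole internet. Keep the `rules 1-1` approach from the thread in mind while doing this: enable one rule, watch its counter with `print stats`, and only then move on.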
*bump
Could it be that this config should work, or that I am missing something very trivial?
It’s sort of suspicious that I haven’t gotten a reply for quite some time now!
OK, I am back again. Tell me, what is the current status? As before, no DHCP or DNS?
What happened when you disabled the rules and activated them 1-1; did anything change?
Hey there!
The current status can be seen in the OP, I’ve refreshed it with screenshots and a fresh export as well as an updated description.
Again, I’ll be able to test changes next Thursday, so if you spot something, I’ll be able to try the changes then.