Hello Forums,
I have been researching and researching and I have to say, I have fallen for MikroTik and its RouterBoards. I have fallen for them so hard that I am dumping my Buffalo WZR-HP-AG300H. Before I make the jump, I want to try and get the board that I am using set up as best I can for home/WISP use. The WISP use will not be for reselling but for my own use in a small town. I do home/office visits and take with me a NetBook for troubleshooting or downloading drivers. Before I go into much more detail on what my plans are with this setup, let me provide some info on what I have.
RB600A installed 6.0rc6 (Yes, I know it is EOL)
wlan1 - Ubiquiti SR2
wlan2 - Ubiquiti SR5 (disabled, plan to use for PTP station)
ether1 - WAN
ether 2 & 3 - Bridged
bridge1 - wlan1, ether 2 & 3
ether1 will be public facing, so I need the most security that I can get on it. I have been a victim of DDoS before and it sucks. (long story on that one)
bridge1 will serve DHCP and be NATed.
I do have an FTP server running locally.
Any tips or tricks that you may have or recommendations are greatly welcomed.
I have provided below some of what I have set for the Firewall > Filter
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; allow internet connection to client
chain=forward action=accept dst-address=192.168.0.0/24 in-interface=ether1
out-interface=bridge1
1 ;;; detect and drop port scan connections
chain=input action=drop protocol=tcp psd=21,3s,3,1 in-interface=ether1
2 ;;; suppress DoS attack
chain=input action=tarpit protocol=tcp src-address-list=black_list
in-interface=ether1 connection-limit=3,32
3 ;;; detect DoS attack
chain=input action=add-src-to-address-list protocol=tcp
address-list=black_list address-list-timeout=1d in-interface=ether1
connection-limit=10,32
4 ;;; allow ICMP (Ping)
chain=input action=accept protocol=icmp in-interface=ether1
5 ;;; allow DNS traffic
chain=input action=accept protocol=udp in-interface=ether1 src-port=53
Here is the output of Firewall NAT
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; pat outside
chain=srcnat action=masquerade src-address=192.168.0.0/24
dst-address=0.0.0.0/0 out-interface=ether1
1 X ;;; Forward to 192.168.0.254
chain=dstnat action=dst-nat to-addresses=192.168.0.254 to-ports=20-21
protocol=tcp dst-address=192.168.0.254 dst-port=20-21
2 X chain=dstnat action=dst-nat to-addresses=192.168.0.254
to-ports=50000-51000 protocol=tcp dst-address=192.168.0.254
dst-port=50000-51000
3 X chain=dstnat action=dst-nat to-addresses=192.168.0.254 to-ports=3389
protocol=tcp dst-address=192.168.0.254 dst-port=3389
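Added example, not the poster's configuration: a stricter input/forward layout for the same interfaces, reusing the psd and connection-limit parameters from the post. It assumes RouterOS v6 script syntax, that the FTP server is 192.168.0.254 on TCP 21 plus the 50000-51000 passive range (taken from the dstnat rules above), and that management only needs to work from bridge1.

```routeros
# Added example (not the poster's config). Assumes RouterOS v6 syntax and the
# interface names from the post; the FTP host/ports are taken from the dstnat rules.
/ip firewall filter
# 1. Stateful base. Replies to the router's own outbound connections (its DNS
#    lookups, NTP, updates) are accepted here, so no service-specific hole such as
#    "accept udp src-port=53 from ether1" is needed; that match lets in any packet
#    whose sender chose source port 53.
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"
# 2. Router services (DNS, DHCP, Winbox, SSH) reachable from the LAN side only.
add chain=input in-interface=bridge1 action=accept comment="allow LAN to router"
# 3. WAN-side scanner/DoS detection. The drop for listed hosts sits first so a
#    listed address never reaches the accept rules below it.
add chain=input in-interface=ether1 src-address-list=black_list action=drop \
    comment="drop listed hosts"
add chain=input in-interface=ether1 protocol=tcp psd=21,3s,3,1 \
    action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d comment="port scan -> black_list"
add chain=input in-interface=ether1 protocol=tcp connection-state=new \
    connection-limit=10,32 action=add-src-to-address-list \
    address-list=black_list address-list-timeout=1d comment="DoS -> black_list"
# 4. Ping from the WAN, as in the post.
add chain=input in-interface=ether1 protocol=icmp action=accept \
    comment="allow ICMP"
# 5. Default deny for the router itself: anything else arriving on ether1 is
#    dropped. A service that must be exposed gets an explicit accept above this.
add chain=input in-interface=ether1 action=drop comment="drop other WAN input"
# Forward chain: LAN clients go out freely; from the WAN only replies and the
# published FTP session (dstnat must be enabled separately) are allowed through.
add chain=forward connection-state=established,related action=accept \
    comment="accept established/related"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
add chain=forward in-interface=ether1 connection-state=new protocol=tcp \
    dst-address=192.168.0.254 dst-port=21,50000-51000 action=accept \
    comment="published FTP server"
add chain=forward in-interface=ether1 connection-state=new action=drop \
    comment="drop other new WAN->LAN"
```

After pasting, check with /ip firewall filter print stats that the final ether1 drop counters grow while the LAN accept keeps Winbox reachable, and only then save the config.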