InterVLAN routing & ICMP (no response found!) -- solved I think

Hi,
I’m a beginner in networking, learning a lot everyday and I have managed to split my network into multiple VLANs on a RB5009 alone with ether1 to ether7 in a single bridge, ether8 being used as an emergency interface kept out of the bridge in case I mess things up.

The vlans are :
VLAN42 : management (192.168.42.0/24)
VLAN100 : trusted (192.168.100.0/24)
VLAN200 : untrusted (192.168.200.0/24)

Things seem to be working fine, I have separated VLANs through firewall rules yet I am still able to ping any machine… or am I ?

Now I want to add my Proxmox host, a single-NIC Intel NUC on which I have set its network configuration like so :

# Proxmox host /etc/network/interfaces excerpt: one physical NIC behind a
# VLAN-aware Linux bridge.
# eno1 carries no address of its own; it is only a member of vmbr0.
iface eno1 inet manual

# The host's management address lives on a VLAN sub-interface of the bridge
# (ifupdown's <bridge>.<vid> form), so the host's own traffic leaves eno1
# tagged with VLAN 42 and uses the RB5009's vlan42 address as its gateway.
auto vmbr0.42
iface vmbr0.42 inet static
        address 192.168.42.5/24
        gateway 192.168.42.1

# The bridge itself has no IP. It is VLAN-aware and permits VIDs 2-4094, so
# guests can later be attached with their own tag.
# NOTE(review): with bridge-vids 2-4094 a guest may use any tag the router
# trunks to this port; keep the router-side bridge vlan table limited to the
# VLANs the host actually needs so the switch, not the host, bounds them.
auto vmbr0
iface vmbr0 inet static
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0
        bridge-vlan-aware yes
        bridge-vids 2-4094

This configuration works, I can now connect to the Proxmox host from my VLAN100 machines.

BUT now I can’t ping 192.168.100.10 (my workstation) from 192.168.42.5.

I have so many questions, but first :

  • Why do I see the ping coming on ether1 with src 192.168.42.5 (VLAN100)
  • Is a hybrid port (which I’m trying to do with ether6 here) the right solution for me to be able to set Proxmox host in VLAN42 and later set Proxmox guests in VLAN500 ?

Ultimately what I want is the Proxmox host on VLAN42 and the Proxmox guests on VLAN500, but then I’m confused because I don’t understand why Proxmox doesn’t receive a ping response from 192.168.100.10 even though it isn’t blocked by the firewall, and now I’m not sure I understood anything.

Here is the relevant RB5009 config

# 2023-12-08 14:12:56 by RouterOS 7.12.1
# software id = 8RFV-15RQ
#
# model = RB5009UG+S+
#
# First export (before the redesign later in the thread): three VLANs on a
# single VLAN-filtering bridge, Proxmox on ether6 as a tagged-only port in
# VLAN 42. Only the sections the author considered relevant are shown.
/interface bridge
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no name=br-wan
# protocol-mode=none disables (R)STP on the LAN bridge; vlan-filtering=yes
# makes the /interface bridge vlan table below enforce VLAN membership.
add admin-mac=xx:xx:xx:xx:xx:xx auto-mac=no comment=defconf name=bridge \
    protocol-mode=none vlan-filtering=yes
	
/interface ethernet
set [ find default-name=ether1 ] comment="Workstation"
set [ find default-name=ether6 ] comment="Proxmox"
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no speed=2.5G-baseT

# Routed (L3) interfaces for the three VLANs, all terminated on the bridge.
/interface vlan
add interface=bridge name=vlan42-management 		vlan-id=42
add interface=bridge name=vlan100-trusted 		vlan-id=100
add interface=bridge name=vlan200-untrusted 		vlan-id=200

# WAN and LAN have no members in this excerpt (see /interface list member
# below), so filter rules matching in-interface-list=WAN or !LAN may not
# behave as their names suggest until those lists are populated.
/interface list
add name=WAN
add name=LAN
add name=TRUSTED
add name=VLAN
	
/ip pool
# pool_lan is a leftover of the default configuration (confirmed later in
# the thread); no DHCP server in this export uses it.
add name=pool_lan ranges=192.168.10.10-192.168.10.254
add name=pool_vlan42-management ranges=192.168.42.10-192.168.42.254
add name=pool_vlan100-trusted ranges=192.168.100.10-192.168.100.254
add name=pool_vlan200-untrusted ranges=192.168.200.10-192.168.200.254

# One DHCP server per VLAN interface.
/ip dhcp-server
add address-pool=pool_vlan100-trusted interface=vlan100-trusted name=\
    dhcp-vlan100
add address-pool=pool_vlan200-untrusted interface=vlan200-untrusted name=\
    dhcp-vlan200
add address-pool=pool_vlan42-management interface=vlan42-management name=\
    dhcp-vlan42
	
# Marks DHCP requests leaving toward the ISP VLAN with CoS 6 (the author
# states Orange France requires this). vlan832-internet is referenced here
# but its /interface vlan entry is not included in this excerpt.
/interface bridge filter
add action=set-priority chain=output dst-port=67 ip-protocol=udp log=yes \
    log-prefix="Set CoS6 on DHCP request" mac-protocol=ip new-priority=6 \
    out-interface=vlan832-internet passthrough=yes
	
/interface bridge port
# ether6 admits tagged frames only, so the Proxmox host must tag its own
# traffic (it does, via vmbr0.42). With admit-only-vlan-tagged, untagged
# frames are dropped on ingress, so the pvid here has little effect.
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether6 pvid=42
# ether1 and ether7 are access ports: untagged ingress gets VID 100 / 200.
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=100
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=200

/interface bridge vlan
# VLAN 42 is trunked tagged to ether6; 100 and 200 are tagged only toward
# the CPU (bridge). No untagged= members are listed for ether1/ether7 here;
# the author later notes Winbox shows them, so the export may be incomplete.
add bridge=bridge tagged=bridge,ether6	vlan-ids=42
add bridge=bridge tagged=bridge 	vlan-ids=100
add bridge=bridge tagged=bridge		vlan-ids=200

# VLAN = all three routed VLAN interfaces; TRUSTED = vlan100 only.
/interface list member
add interface=vlan42-management list=VLAN
add interface=vlan100-trusted list=VLAN
add interface=vlan200-untrusted list=VLAN
add interface=vlan100-trusted list=TRUSTED


# Router addresses (default gateways) per VLAN.
/ip address
add address=192.168.42.1/24  interface=vlan42-management network=192.168.42.0
add address=192.168.100.1/24 interface=vlan100-trusted 	 network=192.168.100.0
add address=192.168.200.1/24 interface=vlan200-untrusted network=192.168.200.0

# Static leases: the workstation (.100.10) and one untrusted host (.200.10).
/ip dhcp-server lease
add address=192.168.200.10 client-id=1:xx:xx:xx:xx:xx:xx mac-address=xx:xx:xx:xx:xx:xx server=dhcp-vlan200
add address=192.168.100.10 client-id=1:xx:xx:xx:xx:xx:xx mac-address=xx:xx:xx:xx:xx:xx server=dhcp-vlan100

/ip dhcp-server network
add address=192.168.42.0/24  gateway=192.168.42.1
add address=192.168.100.0/24 gateway=192.168.100.1
add address=192.168.200.0/24 gateway=192.168.200.1

# Filter rules. Each chain is evaluated top-down and the first match wins;
# rules of different chains are interleaved below but do not interact.
/ip firewall filter
# --- input: traffic addressed to the router itself ---
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix=invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 \
    log=yes log-prefix="local loopback"
# Disabled, and the LAN list has no members in this excerpt; the catch-all
# "Drop everything else" rule near the end protects input instead.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    disabled=yes in-interface-list=!LAN log-prefix=!LAN
# --- forward: traffic routed between interfaces ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix=invalid
# The WAN list has no members in this excerpt, so this matches nothing here.
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=\
    "WAN !dstnat"
# All ICMP (input and forward) is handed to the ICMP chain defined at the end.
add action=jump chain=input comment="ICMP jumps" jump-target=ICMP log-prefix=\
    ping protocol=icmp
add action=jump chain=forward jump-target=ICMP log=yes log-prefix=ping \
    protocol=icmp
# SYN-flood and port-scan heuristics on input; they apply to every source,
# trusted VLANs included (the author later reports zero hits).
add action=add-src-to-address-list address-list=syn_flooders \
    address-list-timeout=30m chain=input comment="SYN flood" \
    connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input log=yes log-prefix="syn flood" src-address-list=\
    syn_flooders
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1w chain=input comment="Port scan" protocol=tcp psd=\
    21,3s,3,1
add action=drop chain=input log=yes log-prefix="port scan" src-address-list=\
    port_scanners
# Router access: the out-of-bridge emergency port (address list 'emergency')
# and, as written here, ANY host on vlan100-trusted. The thread flags the
# second rule as too broad; the later export narrows it to one address.
add action=accept chain=input comment="Router access" in-interface=ether8 \
    src-address-list=emergency
add action=accept chain=input in-interface=vlan100-trusted
# Disabled; it targets non-TRUSTED interfaces only, which the catch-all
# input drop below already covers.
add action=drop chain=input disabled=yes dst-port=8291 in-interface-list=\
    !TRUSTED log=yes log-prefix="block winbox" protocol=tcp
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons log=yes log-prefix=bogon
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=Spammers connection-limit=\
    30,32 dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward dst-port=25,587 log=yes log-prefix=spammers \
    protocol=tcp src-address-list=spammers
# Router DNS for all VLANs: UDP only; TCP/53 is not accepted in this export.
add action=accept chain=input comment="Allow DNS requests from VLAN" \
    dst-port=53 in-interface-list=VLAN log-prefix=DNS protocol=udp
# Inter-VLAN policy: trusted -> any VLAN; management -> trusted is explicitly
# temporary (it is what allows 192.168.42.5 to reach 192.168.100.10).
add action=accept chain=forward comment=\
    "Trusted machines can access all VLANs" in-interface-list=TRUSTED \
    out-interface-list=VLAN
add action=accept chain=forward comment="EMERGENCY internet" disabled=yes \
    in-interface-list=TRUSTED out-interface-list=WAN
add action=accept chain=forward comment="TEMP MGMT TO TRUSTED" in-interface=\
    vlan42-management out-interface=vlan100-trusted
add action=accept chain=forward comment="VLAN internet" connection-state=new \
    in-interface-list=VLAN out-interface-list=WAN
# Catch-all drops: anything not accepted above is dropped. A log-prefix
# without log=yes produces no log entry, so these drops are silent.
add action=drop chain=input comment="Drop everything else # BE CAREFUL HERE" \
    log-prefix="drop everything else"
add action=drop chain=forward log-prefix=drop
# --- ICMP chain (shared by input, forward and output) ---
# Accepted: echo request (rate-limited by limit=1,5:packet), echo reply,
# time exceeded, net/host unreachable, fragmentation needed, parameter
# problem. icmp-options=11:0 is listed twice; the second rule is redundant.
# Everything else is dropped, including router-originated ICMP of other
# types arriving via the output jump below.
add action=accept chain=ICMP comment="ICMP allowed / dropped messages" \
    icmp-options=8:0 limit=1,5:packet log-prefix="echo request" protocol=icmp
add action=accept chain=ICMP icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP icmp-options=3:4 protocol=icmp
add action=accept chain=ICMP icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP icmp-options=12:0 protocol=icmp
add action=drop chain=ICMP log-prefix="drop other ICMPs" protocol=icmp
add action=jump chain=output jump-target=ICMP log-prefix="icmp out" protocol=\
    icmp
# Source NAT for everything leaving via the WAN list.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN

Why do you have a LANPOOL??
Why are you using bridge filters??

This bridge port makes no sense, you set it up as an access port with pvid ( or even a hybrid port ) and yet limit traffic to vlans… illogical!!
# Quoted from the first export for the remark above: ether6 is configured
# tagged-only yet also given a pvid, which is what the remark calls out.
/interface bridge port
add bridge=bridge frame-types=admit-only-vlan-tagged interface=ether6 pvid=42
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether1 pvid=100
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged interface=ether7 pvid=200

Why not complete the untagging so it’s clear to the reader what you are actually doing.
# Commenter's suggested form of the VLAN table: explicit untagged= members
# for the access ports (ether1 in 100, ether7 in 200) make the port roles
# visible in the export rather than implied by the ports' pvid.
/interface bridge vlan
add bridge=bridge tagged=bridge,ether6 vlan-ids=42
add bridge=bridge tagged=bridge untagged=ether1 vlan-ids=100
add bridge=bridge tagged=bridge untagged=ether7 vlan-ids=200

Why all the BS for ICMP??
Simple default rule in input chain keep it that way,… Get rid of the junk!!
# Commenter's suggested replacement for the whole ICMP chain: accept all
# ICMP on input, with no per-type filtering and no rate limiting.
add action=accept chain=input protocol=icmp

Why all the BS for syn flooders?? Get rid of the crap.
What is the purpose of the management subnet at all? It seems you have a trusted network you are allowing full access to the INPUT chain???

Why do you have a LANPOOL??
Why are you using bridge filters??

The LANPOOL is some leftover of the default configuration.
I am using bridge filter because my ISP (Orange, France) requires its customers to set priority 6 on DHCP requests.


This bridge port makes no sense, you set it up as an access port with pvid ( or even a hybrid port ) and yet limit traffic to vlans… illogical!!

I was thinking a hybrid port was what I needed but as I think about it I think I’m wrong. I just need the host to be on VLAN42 and its guests to be on VLAN500.
It’s not clear to me whether the traffic coming out of the Proxmox host should be tagged or not.
I was thinking yes it needs to be tagged, then I can add a rule that allows vlan42 to vlan100, see it works, remove it, see it not work.
Then I’m thinking maybe the traffic needs to be untagged, but if it’s untagged, I cannot use in-interfaces to create firewall rules and allow interVLAN communication ?
How is this even interVLAN if it’s untagged ? As you can see I’m still far from understanding what I’m doing.


Why not complete the untagging so it’s clear to the reader what you are actually doing.

ether1 and ether7 are untagged in Winbox just as you added in green, but the /export didn’t include them.


Why all the BS for ICMP??

Agreed… I followed https://help.mikrotik.com/docs/display/ROS/Building+Your+First+Firewall but I see zero packets on SYN flood and don’t really see the point in dropping some ICMP messages.


What is the purpose of the management subnet at all? It seems you have a trusted network you are allowing full access to the INPUT chain???

Well it makes things easier for me to access the router from my computer, but once things are set up I’ll narrow down this rule to my machine only, or to a jump host that has access to the management VLAN.
The purpose of this is to have the Proxmox host, virtual OPNsense and the RB5009 on it. Maybe this is not how it’s intended to be used ? It’s all quite new to me.

Here’s a diagram of what I’m trying to do :

Sorry @anav to interrupt, one question for OP, did you check that your NIC supports VLANs ?

Interrupt away LOL.

To the OP: it’s not a matter of deciding how to config it, it’s you getting clarity on the requirements.

a. Identify all the user(s)/device(s) and groups of users/devices including the admin
b. Identify all the traffic the above users and devices need to execute.

With that clarity and the network diagram to detail the connectivity expected and devices in the mix, a plan and config can be devised.
So once you know what traffic is required, come back and let us know.

++++++++++++++++++++++++++++++++++++++++++++++++++++

In general:

  1. Management VLAN is where all devices get their IP address from ( smart devices that can read vlan tags )
  2. Trusted VLAN, a group of users, that are using good practices and can be somewhat trusted.
  3. Non-trusted, everything else, any media boxes, IOT devices, guests etc…
  4. sometimes 1 and 2 can be the same thing
  5. Only the admin should have access to 1.
  6. When mgmt and trusted are the same subnet, use source address to delineate the admin’s local devices (fixed dhcp leases) and any remote vpn connectivity as the only user with full access on the input chain; the rest of the users typically only need DNS services on the input chain

First of all, thank you very much for your answers, it gave me food for thought and it was very useful.

I did solve my ping problem : Windows firewall in its default config blocks ping from different subnets. Ahem..

Then there are my requirements and how I did set them up.

For the users/devices :

  • Router (and future switches) go on VLAN42 (Management)
  • Workstation currently alone on VLAN100 (Trusted)
  • Servers (Proxmox, Portainer, internal DNS and whatnot) are on VLAN50 (Core)
  • Externally exposed services go on VLAN1010 (External). Currently, there is only nginx and two game servers
  • All the rest (TV, phones and whatnot) go on VLAN200 (Untrusted)

Now for the rules :

  • VLAN100 can access all the other VLANs

  • My workstation (192.168.100.10) is the only machine allowed to connect on the router, along with the emergency ether8

  • Other VLANs can access hosts on their VLAN and they have access to internet via the WAN interface list

  • VLANs have access to DNS via the router

  • WAN requests are dropped except for the 2 dst-nat rules on ports 80 and 25565 that redirect to an nginx instance.
    Would you recommend adding another firewall in between instead of directly forwarding to nginx ?

  • Everything else is dropped

Here is how I configured it, everything seems to be working fine, I hope there’s no blatant mistakes.

From my understanding, ether6 now acts as a hybrid port, transporting VLAN50 and VLAN1010 to the host.
Any untagged traffic coming into ether6 will be tagged 50 because untagged traffic is automatically assigned the PVID configured on the port.
Is that correct ?

Sorry I kept the ping/syn flood BS, I actually like the detail for now.

# 2023-12-12 23:48:43 by RouterOS 7.12.1
# model = RB5009UG+S+
#
# Second export (after the redesign): five VLANs; Proxmox on ether6 now
# carries VLAN 50 (core, via PVID) and VLAN 1010 (external, tagged); router
# access narrowed to one workstation address plus the out-of-bridge
# emergency port ether8.

/interface bridge
add admin-mac=redacted auto-mac=no name=br-wan
# protocol-mode=none disables (R)STP on the LAN bridge; vlan-filtering=yes
# makes the /interface bridge vlan table enforce VLAN membership.
add admin-mac=redacted auto-mac=no comment=defconf name=bridge \
    protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ]
set [ find default-name=ether2 ]
set [ find default-name=ether3 ]
set [ find default-name=ether4 ]
set [ find default-name=ether5 ]
set [ find default-name=ether6 ]
set [ find default-name=ether8 ]
set [ find default-name=sfp-sfpplus1 ] auto-negotiation=no speed=2.5G-baseT
# Routed VLAN interfaces. vlan832-internet sits on sfp-sfpplus1 (ISP side);
# the others terminate on the bridge.
# NOTE(review): vlan50-core is referenced by the DHCP server below and by
# the bridge vlan table, interface list and /ip address sections later in
# this export, but no /interface vlan entry for it appears here; most
# likely it was lost from the paste — confirm it exists on the device.
/interface vlan
add comment=management interface=bridge name=vlan42-management vlan-id=42
add comment=trusted interface=bridge name=vlan100-trusted vlan-id=100
add comment=untrusted interface=bridge name=vlan200-untrusted vlan-id=200
add comment="Internet ONT" interface=sfp-sfpplus1 loop-protect-disable-time=\
    0s loop-protect-send-interval=1s name=vlan832-internet vlan-id=832
add comment=external interface=bridge name=vlan1010-external vlan-id=1010
# The unused LAN list from the first export is gone; WAN/TRUSTED/VLAN remain.
/interface list
add name=WAN
add name=TRUSTED
add name=VLAN
# Default wireless profile exported on a device without wireless; noise.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
# ISP-specific DHCP client options (values redacted by the author); used by
# the dhcp-client on br-wan further down.
/ip dhcp-client option
add code=60 name=vendor-class-identifier value=redacted
add code=77 name=userclass value="redacted"
add code=90 name=authsend value="redacted"
# One pool per VLAN; the external VLAN uses 10.0.10.0/24, separating it
# from the 192.168.x.0/24 internal VLANs.
/ip pool
add name=pool_vlan42-management ranges=192.168.42.10-192.168.42.254
add name=pool_vlan100-trusted ranges=192.168.100.10-192.168.100.254
add name=pool_vlan200-untrusted ranges=192.168.200.10-192.168.200.254
add name=pool_vlan1010-external ranges=10.0.10.10-10.0.10.254
add name=pool_vlan50-core ranges=192.168.50.10-192.168.50.254
# One DHCP server per routed VLAN interface, 12h leases.
/ip dhcp-server
add address-pool=pool_vlan100-trusted interface=vlan100-trusted lease-time=\
    12h name=dhcp-vlan100
add address-pool=pool_vlan200-untrusted interface=vlan200-untrusted \
    lease-time=12h name=dhcp-vlan200
add address-pool=pool_vlan42-management interface=vlan42-management \
    lease-time=12h name=dhcp-vlan42
add address-pool=pool_vlan1010-external interface=vlan1010-external \
    lease-time=12h name=dhcp-vlan1010
add address-pool=pool_vlan50-core interface=vlan50-core lease-time=12h name=\
    dhcp-vlan50
# Marks DHCP requests leaving toward the ISP VLAN with CoS 6 (Orange
# requirement, per the author).
/interface bridge filter
add action=set-priority chain=output dst-port=67 ip-protocol=udp log=yes \
    log-prefix="Set CoS6 on DHCP request" mac-protocol=ip new-priority=6 \
    out-interface=vlan832-internet passthrough=yes
/interface bridge port
# ether2-ether5 and ether7: untrusted access ports (untagged ingress -> 200);
# ether1: trusted access port (-> 100). ether8 is deliberately not a bridge
# member (emergency access, see /ip address below).
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether2 pvid=200
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether3 pvid=200
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether4 pvid=200
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether5 pvid=200
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether1 pvid=100
# The ISP VLAN interface is a port of the separate br-wan bridge.
add bridge=br-wan comment="DHCP with CoS6 are filtered and sent here" \
    interface=vlan832-internet
# ether6 (Proxmox) has no frame-types restriction, so it admits tagged and
# untagged frames: untagged ingress is assigned PVID 50 (core), and tagged
# 50/1010 is permitted by the bridge vlan table below. This is the hybrid
# port the author describes; VLAN 42 is no longer carried on it.
add bridge=bridge interface=ether6 pvid=50
add bridge=bridge frame-types=admit-only-untagged-and-priority-tagged \
    interface=ether7 pvid=200
# Neighbor discovery (MNDP/CDP/LLDP) is sent only on TRUSTED interfaces.
/ip neighbor discovery-settings
set discover-interface-list=TRUSTED
/interface bridge vlan
# Only 50 and 1010 are tagged toward ether6. VLAN 42 has no member port at
# all in this export (no port has pvid=42 and none is tagged for it), so
# the management VLAN is currently reachable only through routing.
# No untagged= members are listed (as in the first export); the ports'
# pvid values above map untagged ingress to 100/200/50.
add bridge=bridge comment=management tagged=bridge vlan-ids=42
add bridge=bridge comment=trusted tagged=bridge vlan-ids=100
add bridge=bridge comment=untrusted tagged=bridge vlan-ids=200
add bridge=bridge comment=external.com tagged=bridge,ether6 vlan-ids=1010
add bridge=bridge comment=core tagged=bridge,ether6 vlan-ids=50
# TRUSTED = ether8 + vlan100; WAN = br-wan; VLAN = all five routed VLANs,
# including vlan1010-external, so every "VLAN" filter rule (DNS, internet)
# also applies to the externally exposed servers.
/interface list member
add interface=br-wan list=WAN
add interface=ether8 list=TRUSTED
add interface=vlan42-management list=VLAN
add interface=vlan100-trusted list=VLAN
add interface=vlan200-untrusted list=VLAN
add interface=vlan100-trusted list=TRUSTED
add interface=vlan1010-external list=VLAN
add interface=vlan50-core list=VLAN
# Router addresses: one per VLAN plus the out-of-band emergency port.
/ip address
add address=192.168.8.1/24 comment="emergency port" interface=ether8 network=\
    192.168.8.0
add address=192.168.42.1/24 comment=management interface=vlan42-management \
    network=192.168.42.0
add address=192.168.100.1/24 comment=trusted interface=vlan100-trusted \
    network=192.168.100.0
add address=192.168.200.1/24 comment=untrusted interface=vlan200-untrusted \
    network=192.168.200.0
# NOTE(review): 192.168.1.1/24 is bound to ether7, which is a bridge port
# (pvid 200) above; an address on a bridge member port is not normally
# usable and looks like a leftover — confirm and remove if unused.
add address=192.168.1.1/24 interface=ether7 network=192.168.1.0
add address=10.0.10.1/24 comment=external interface=vlan1010-external \
    network=10.0.10.0
add address=192.168.50.1/24 comment=core interface=vlan50-core network=\
    192.168.50.0
# WAN DHCP client on br-wan with the ISP-specific options defined above.
# The embedded script runs when the lease is bound: it looks for DHCP
# option 125, stores byte 11 of its value in the global 'class' and logs
# a human-readable ISP status for the known codes. It only logs (and sets
# that global); it does not change configuration. use-peer-dns=no keeps the
# router on its own resolver settings (see /ip dns below).
/ip dhcp-client
add comment="Orange public IPv4" dhcp-options=\
    hostname,clientid,authsend,userclass,vendor-class-identifier interface=\
    br-wan script="{\
    \n    :if (\$bound=1) do={\
    \n        foreach option,value in=\$\"lease-options\" do={\
    \n            :if (\$option=\"125\") do={\
    \n                :log debug \"IPv4: Found [\$value]\";\
    \n                :global class [:pick \$value 11];\
    \n                :log debug \"Extracted [\$class]\";\
    \n                :if (\$class=\"\\00\") do={\
    \n                    :log info \"IPv4: ISP network is OK\";\
    \n                };\
    \n                :if (\$class=\"\\01\") do={\
    \n                    :log error \"IPv4: Technical blacklist\";\
    \n                };\
    \n                :if (\$class=\"\\02\") do={\
    \n                    :log error \"IPv4: Auth or encoding failure\";\
    \n                };\
    \n                :if (\$class=\"\\03\") do={\
    \n                    :log error \"IPv4: Account or service probably termi\
    nated\";\
    \n                };\
    \n                :if (\$class=\"\\04\") do={\
    \n                    :log error \"IPv4: Invoice payment problem.\";\
    \n                };\
    \n                :if (\$class=\"\\99\") do={\
    \n                    :log error \"IPv4: CoS & DSCP issue.\";\
    \n                };\
    \n            }\
    \n        }\
    \n    }\
    \n}" use-peer-dns=no

/ip dhcp-server network
# The external VLAN is handed the router as DNS server explicitly (the
# comment says this overrides Proxmox host settings); the other networks
# only receive a gateway.
add address=10.0.10.0/24 comment=\
    "Manually set DNS to override Proxmox host settings" dns-server=10.0.10.1 \
    gateway=10.0.10.1 netmask=24
add address=192.168.42.0/24 gateway=192.168.42.1
add address=192.168.50.0/24 gateway=192.168.50.1
add address=192.168.100.0/24 gateway=192.168.100.1
add address=192.168.200.0/24 gateway=192.168.200.1
# Router resolver: Quad9 over DoH with certificate verification.
# allow-remote-requests=yes makes the router answer LAN clients, which is
# why the input chain restricts UDP/53 to the VLAN interface list.
/ip dns
set allow-remote-requests=yes servers=9.9.9.9,149.112.112.112 use-doh-server=\
    https://dns.quad9.net/dns-query verify-doh-cert=yes
# Internal names for the public domain resolve to the nginx host 10.0.10.10.
/ip dns static
add address=10.0.10.10 match-subdomain=yes name=sub.mydomain.com
add address=10.0.10.10 name=mydomain.com
# 'bogons' is used by the forward-chain drop (multicast entry disabled);
# 'emergency' is the out-of-band ether8 subnet used by the "Router access"
# input rule.
/ip firewall address-list
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA" disabled=yes list=bogons
add address=192.168.8.0/24 comment="Emergency access" list=emergency
# Filter rules. Each chain is evaluated top-down and the first match wins;
# rules of different chains are interleaved below but do not interact.
/ip firewall filter
# --- input: traffic addressed to the router itself ---
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid log-prefix=invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1 \
    log=yes log-prefix="local loopback"
# --- forward: traffic routed between interfaces ---
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid log-prefix=invalid
# All ICMP on input and forward goes to the ICMP chain at the end. The input
# jump has no interface match, so the types accepted there (echo request
# rate-limited) are reachable from every interface, WAN included.
add action=jump chain=input comment="ICMP jumps" jump-target=ICMP log-prefix=\
    ping protocol=icmp
add action=jump chain=forward jump-target=ICMP log-prefix=ping protocol=icmp
# SYN-flood / port-scan heuristics the author chose to keep; they apply to
# every source, trusted VLANs included.
add action=add-src-to-address-list address-list=syn_flooders \
    address-list-timeout=30m chain=input comment="SYN flood" \
    connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input log=yes log-prefix="syn flood" src-address-list=\
    syn_flooders
add action=add-src-to-address-list address-list=port_scanners \
    address-list-timeout=1w chain=input comment="Port scan" protocol=tcp psd=\
    21,3s,3,1
add action=drop chain=input log=yes log-prefix="port scan" src-address-list=\
    port_scanners

# Router access: the emergency port, and the single workstation address on
# vlan100-trusted (narrowed from "any vlan100 host" in the first export).
# NOTE(review): this is an address match, and no /ip dhcp-server lease
# section appears in this export while pool_vlan100-trusted starts at .10;
# keep 192.168.100.10 pinned (static lease or static config) or the rule
# silently stops matching after a lease change.
add action=accept chain=input comment="Router access" in-interface=ether8 \
    src-address-list=emergency
add action=accept chain=input in-interface=vlan100-trusted src-address=\
    192.168.100.10

add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
    bogons log=yes log-prefix=bogon
add action=add-src-to-address-list address-list=spammers \
    address-list-timeout=3h chain=forward comment=Spammers connection-limit=\
    30,32 dst-port=25,587 limit=30/1m,0:packet protocol=tcp
add action=drop chain=forward dst-port=25,587 log=yes log-prefix=spammers \
    protocol=tcp src-address-list=spammers
# Inbound from WAN is accepted only when it was dst-natted (see /ip firewall
# nat below); anything else from WAN falls through to the final drop.
add action=accept chain=forward comment="Accept WAN DSTNATed" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN \
    log-prefix="WAN dstnat"
# Router DNS: UDP/53 only (no TCP/53). The VLAN list includes
# vlan1010-external, so the exposed servers may also use the router resolver.
add action=accept chain=input comment="Allow DNS requests from VLAN" \
    dst-port=53 in-interface-list=VLAN log-prefix=DNS protocol=udp
# Inter-VLAN policy: TRUSTED (vlan100 + ether8) -> any VLAN; every VLAN ->
# WAN. No rule lets vlan1010-external or vlan50-core initiate toward other
# VLANs, so such traffic hits the catch-all drop below.
add action=accept chain=forward comment=\
    "Trusted machines can access all VLANs" in-interface-list=TRUSTED \
    out-interface-list=VLAN
add action=accept chain=forward comment="VLAN internet" connection-state=new \
    in-interface-list=VLAN out-interface-list=WAN
# Catch-all drops. A log-prefix without log=yes produces no log entry, so
# these drops are silent as written.
add action=drop chain=input comment="Drop everything else # BE CAREFUL HERE" \
    log-prefix="drop everything else"
add action=drop chain=forward log-prefix=drop
# Router-originated ICMP goes through the same chain, so types not listed
# there are dropped on output as well.
add action=jump chain=output jump-target=ICMP log-prefix=ICMP protocol=icmp
# --- ICMP chain: allow-list of message types, everything else dropped ---
add action=accept chain=ICMP comment="Echo Request" icmp-options=8:0 limit=\
    1,5:packet log-prefix="echo request" protocol=icmp
add action=accept chain=ICMP comment="Echo Reply" icmp-options=0:0 protocol=\
    icmp
add action=accept chain=ICMP comment="Host/Net Unreachable" icmp-options=\
    3:0-1 protocol=icmp
add action=accept chain=ICMP comment="Host Unreachable Fragmentation Needed" \
    icmp-options=3:4 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 \
    protocol=icmp
add action=accept chain=ICMP comment="Bad Parameter" icmp-options=12:0 \
    protocol=icmp
add action=drop chain=ICMP log-prefix="drop other ICMPs" protocol=icmp
# Masquerade toward WAN; two dst-nat rules publish TCP 80 (currently
# disabled) and TCP 25565 to the nginx host 10.0.10.10 on the external VLAN.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none log-prefix=masquerade out-interface-list=WAN
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface-list=\
    WAN log=yes log-prefix=nginx protocol=tcp to-addresses=10.0.10.10 \
    to-ports=80
add action=dst-nat chain=dstnat dst-port=25565 in-interface-list=WAN \
    log-prefix=minecraft protocol=tcp to-addresses=10.0.10.10 to-ports=25565
# Management services: telnet, www, api and api-ssl disabled; ftp, ssh and
# winbox additionally restricted at the service level to the emergency and
# trusted subnets (defense in depth on top of the input-chain rules).
# NOTE(review): ftp stays enabled; if it is not needed for file transfer it
# can be disabled like telnet.
/ip service
set telnet disabled=yes
set ftp address=192.168.8.0/24,192.168.100.0/24
set www disabled=yes
set ssh address=192.168.8.0/24,192.168.100.0/24
set api disabled=yes
set winbox address=192.168.8.0/24,192.168.100.0/24
set api-ssl disabled=yes

/system clock
set time-zone-name=Europe/Paris
/system note
set show-at-login=no
/tool bandwidth-server
set enabled=no
# Graphing entries created with default settings.
/tool graphing interface
add
/tool graphing resource
add
# MAC-telnet and MAC-winbox only from TRUSTED interfaces (ether8 + vlan100).
/tool mac-server
set allowed-interface-list=TRUSTED
/tool mac-server mac-winbox
set allowed-interface-list=TRUSTED