When my OpenVPN client (phone) connects to rp1, I see a lot of invalid forward drops in my firewall. This happens if connections don’t have a proper connection state. Dropping them is an okay thing to do and is my intention. But they’re not supposed to be invalid. So I suspect I have a network configuration error that causes this. I suspect in either the static routes on rt1/rt2 or in the forwarding on rt2. Can someone double-check to find my mistake? I haven’t got wiser with trial and error so far.
I have the following network:

The static routes on rt1:

Routes on rt2:
[user@rt2] > /ipv6 route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o - ospf, b - bgp, U - unreachable
# DST-ADDRESS GATEWAY DISTANCE
0 ADC 2001:1234:abcd:10::/64 br0 0
1 ADC 2001:1234:abcd:11::/64 management 0
2 ADC 2001:1234:abcd:12::/64 replication 0
3 ADC 2001:1234:abcd:13::/64 public 0
The OpenVPN connection listens on the public interface (eth0.13) and assigns clients an IP on the management interface (eth0.11).
Routes on rp1:
[user@rp1 ~]$ ip -6 route
::1 dev lo proto kernel metric 256 pref medium
2001:1234:abcd:1::/64 dev eth0 proto kernel metric 256 expires 4562sec pref medium
2001:1234:abcd:11::7 dev tun0 metric 1024 pref medium
2001:1234:abcd:11::/64 dev eth0.11 proto kernel metric 256 pref medium
2001:1234:abcd:11::/64 dev tun0 proto kernel metric 256 pref medium
2001:1234:abcd:12::/64 dev eth0.12 proto kernel metric 256 pref medium
2001:1234:abcd:13::/64 dev eth0.13 proto kernel metric 256 pref medium
fd00::/64 dev eth0 proto kernel metric 256 expires 3943sec pref medium
fe80::/64 dev eth0 proto kernel metric 256 pref medium
fe80::/64 dev eth0.11 proto kernel metric 256 pref medium
fe80::/64 dev eth0.12 proto kernel metric 256 pref medium
fe80::/64 dev eth0.13 proto kernel metric 256 pref medium
fe80::/64 dev tun0 proto kernel metric 256 pref medium
default via fe80::7eff:4dff:fe57:a1f3 dev eth0 proto ra metric 1024 expires 1791sec hoplimit 255 pref medium
nftables firewall configuration on rp1:
flush ruleset
define port_ssh = { 22, 900 }
define port_lmtp = 24
define port_smtp_relay = 25
define port_dns = 53
define port_http = 80
define port_snmp = 161
define port_snmp_trap = 162
define port_https = 443
define port_dhcpv6 = 546
define port_smtp_submission = 587
define port_imaps = 993
define port_vpn = 1194
define port_sasl = 2222
define port_pacemaker = 2224
define port_mysql = 3308
define port_gluster = { 24007, 24008 }
define port_gluster_brick = { 49152-49155 }
define service_mail = { $port_smtp_relay, $port_smtp_submission, $port_imaps }
define service_snmp = { $port_snmp, $port_snmp_trap }
define service_web = { $port_http, $port_https }
define service_gluster = { $port_gluster, $port_gluster_brick }
define int_native = "eth0"
define int_management = "eth0.11"
define int_replication = "eth0.12"
define int_public = "eth0.13"
define int_vpn = { "tun0", "tun1", "tun2" }
define ipv6_subnet_native = 2001:1234:abcd:1::/64
define ipv6_subnet_management = 2001:1234:abcd:11::/64
define ipv6_subnet_replication = 2001:1234:abcd:12::/64
define ipv6_subnet_public = 2001:1234:abcd:13::/64
define ipv4_subnet_native = 172.27.10.0/24
define ipv4_subnet_management = 172.27.11.0/24
define ipv4_subnet_replication = 172.27.12.0/24
define ipv4_subnet_public = 172.27.13.0/24
define ipv4_rfc3964 = {
::0.0.0.0/96, # IPv4 compatible
::ffff:0.0.0.0/96, # IPv4 mapped
2002:0000::/24, # 0.0.0.0/8 (the system has no address assigned yet)
2002:0a00::/24, # 10.0.0.0/8 (private class A (RFC 1918))
2002:7f00::/24, # 127.0.0.0/8 (loopback)
2002:ac10::/28, # 172.16.0.0/12 (private class B (RFC 1918))
2002:c0a8::/32, # 192.168.0.0/16 (private class C (RFC 1918))
2002:a9fe::/32, # 169.254.0.0/16 (IANA Assigned DHCP link-local)
2002:e000::/19, # 224.0.0.0/4 (multicast), 240.0.0.0/4 (reserved and broadcast)
}
# 172.16.0.0/12, # private class B (RFC 1918)"
define bogon = {
0.0.0.0/8, # self-identification (RFC 3330)"
10.0.0.0/8, # private class A (RFC 1918)"
127.0.0.0/8, # loopback (RFC 3330)"
169.254.0.0/16, # link-local (RFC 3330)"
192.168.0.0/16, # private class C (RFC 1918)"
192.0.2.0/24, # test-net 1 (RFC 5737)"
192.88.99.0/24, # 6to4 relay anycast (RFC 3068)"
198.18.0.0/15, # BMWG testing (RFC 6815)"
198.51.100.0/24, # test-net 2 (RFC 5737)"
203.0.113.0/24, # test-net 3 (RFC 5737)"
224.0.0.0/4, # private class D (multicast) (RFC 1112)"
}
table ip nat {
chain nat_prerouting {
type nat hook prerouting priority 100; policy accept;
}
chain nat_postrouting {
type nat hook postrouting priority 100; policy accept;
oifname $int_native ip saddr $ipv4_subnet_management ip daddr != $ipv4_subnet_management counter masquerade
}
}
table inet filter {
chain raw_prerouting {
type filter hook prerouting priority 100; policy accept;
icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept comment "Accept neighbor discovery"
meta nfproto ipv6 fib saddr . iif oif missing log prefix "RPFILTER_DROP: " drop comment "Strict reverse path filtering (RFC 3704)"
}
chain filter_input {
type filter hook input priority 100; policy accept;
ct state invalid drop
meta l4proto ipv6-icmp icmpv6 type echo-request limit rate over 10/second burst 2 packets counter drop comment "Rate-limit ICMP echo-request"
meta l4proto icmp icmp type echo-request limit rate over 10/second burst 2 packets counter drop comment "Rate-limit ICMP echo-request"
ct state established,related accept
iifname "lo" accept
tcp dport $port_ssh counter accept comment "Accept SSH"
iifname { $int_native, $int_vpn } ip6 saddr { $ipv6_subnet_native, $ipv6_subnet_management } ip6 daddr $ipv6_subnet_native ct state new jump native
iifname { $int_native, $int_vpn } ip saddr { $ipv4_subnet_native, $ipv4_subnet_management } ip daddr $ipv4_subnet_native ct state new jump native
iifname { $int_management, $int_vpn } ip6 saddr $ipv6_subnet_management ip6 daddr $ipv6_subnet_management ct state new jump management
iifname { $int_management, $int_vpn } ip saddr $ipv4_subnet_management ip daddr $ipv4_subnet_management ct state new jump management
iifname $int_replication ip6 saddr $ipv6_subnet_replication ip6 daddr $ipv6_subnet_replication ct state new jump replication
iifname $int_replication ip saddr $ipv4_subnet_replication ip daddr $ipv4_subnet_replication ct state new jump replication
iifname $int_public ip6 daddr $ipv6_subnet_public ct state new jump public
iifname $int_public ip daddr $ipv4_subnet_public ct state new jump public
ip6 daddr fe80::/64 udp dport $port_dhcpv6 ct state new accept comment "Accept DHCPv6"
meta l4proto { ipv6-icmp, icmp } counter accept comment "Accept ICMP"
log prefix "INPUT_REJECT: "
counter reject with icmpx type admin-prohibited
}
chain filter_forward {
type filter hook forward priority 100; policy accept;
ct state invalid drop
ct state established,related accept
iifname "lo" accept
iifname "tun*" oifname $int_native ip6 saddr $ipv6_subnet_management ct state new counter accept comment "Accept traffic initiated from VPN to access the Internet"
iifname "tun*" oifname $int_native ip saddr $ipv4_subnet_management ct state new counter accept comment "Accept traffic initiated from VPN to access the Internet"
ip6 daddr $ipv4_rfc3964 log prefix "6TO4_REJECT: " counter reject with icmpv6 type addr-unreachable comment "Reject 6to4 (RFC 3964)"
ip daddr $bogon log prefix "BOGON_REJECT: " counter reject with icmp type host-unreachable comment "Reject bogon"
log prefix "FORWARD_REJECT: "
counter reject with icmpx type admin-prohibited
}
chain filter_output {
type filter hook output priority 100; policy accept;
ct state invalid drop
oifname "lo" accept
ip6 daddr $ipv4_rfc3964 log prefix "6TO4_REJECT: " counter reject with icmpv6 type addr-unreachable comment "Reject 6to4 (RFC 3964)"
}
chain native {
tcp dport $port_ssh counter accept comment "Accept SSH"
tcp dport $service_mail counter accept comment "Accept mail service"
tcp dport $port_dns counter accept comment "Accept DNS"
udp dport $port_dns counter accept comment "Accept DNS"
tcp dport $service_web counter accept comment "Accept web service"
}
chain management {
tcp dport $port_ssh counter accept comment "Accept SSH"
tcp dport $service_web counter accept comment "Accept web service"
udp dport $service_snmp counter accept comment "Accept SNMP service"
tcp dport $port_pacemaker counter accept comment "Accept Pacemaker"
}
chain replication {
tcp dport $port_lmtp counter accept comment "Accept LMTP"
tcp dport $port_sasl counter accept comment "Accept SASL"
tcp dport $port_mysql counter accept comment "Accept MySQL"
tcp dport $service_gluster counter accept comment "Accept Gluster"
}
chain public {
tcp dport $service_mail counter accept comment "Accept mail service"
tcp dport $port_dns counter accept comment "Accept DNS"
udp dport $port_dns counter accept comment "Accept DNS"
tcp dport $service_web counter accept comment "Accept web service"
tcp dport $port_vpn counter accept comment "Accept OpenVPN"
udp dport $port_vpn counter accept comment "Accept OpenVPN"
}
}
IPs on rt2:
[user@rt2] > /ipv6 address print
Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local
# ADDRESS FROM-POOL INTERFACE ADVERTISE
0 G 2001:1234:abcd:10::ffff/64 br0 no
1 G 2001:1234:abcd:12::ffff/64 replication no
2 G 2001:1234:abcd:13::ffff/64 public no
3 DL fe80::ce2d:e0ff:fe81:abe/64 replication no
4 DL fe80::ce2d:e0ff:fe81:abe/64 br0 no
5 DL fe80::ce2d:e0ff:fe81:abe/64 management no
6 DL fe80::ce2d:e0ff:fe81:abe/64 public no
7 G 2001:1234:abcd:11::ffff/64 management no
rt2 configuration:
[user@rt2] > /export hide-sensitive
# dec/30/2020 12:20:30 by RouterOS 6.48
# software id = A1GI-TFVF
#
# model = 960PGS
# serial number = 89F90861A06A
/interface bridge
add admin-mac=CC:2D:E0:81:0A:BE auto-mac=no dhcp-snooping=yes ingress-filtering=yes name=br0 protocol-mode=mstp pvid=10 vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] poe-out=forced-on
set [ find default-name=ether3 ] poe-out=forced-on
set [ find default-name=ether4 ] poe-out=forced-on
set [ find default-name=ether5 ] poe-out=forced-on
set [ find default-name=sfp1 ] disabled=yes
/interface vlan
add interface=br0 name=management vlan-id=11
add interface=br0 name=public vlan-id=13
add interface=br0 name=replication vlan-id=12
/interface ethernet switch
set 0 name=sw1
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=external
add name=internal
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/interface bridge port
add bpdu-guard=yes bridge=br0 comment=rp1 edge=yes-discover hw=no ingress-filtering=yes interface=ether2 pvid=10
add bpdu-guard=yes bridge=br0 comment=rp2 edge=yes-discover hw=no ingress-filtering=yes interface=ether3 pvid=10
add bpdu-guard=yes bridge=br0 comment=rp3 edge=yes-discover hw=no ingress-filtering=yes interface=ether4 pvid=10
add bpdu-guard=yes bridge=br0 comment=rp4 edge=yes-discover hw=no ingress-filtering=yes interface=ether5 pvid=10
add bridge=br0 comment=rt1 frame-types=admit-only-untagged-and-priority-tagged hw=no ingress-filtering=yes interface=ether1 pvid=10 trusted=yes
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set rp-filter=strict
/ipv6 settings
set accept-router-advertisements=yes
/interface bridge vlan
add bridge=br0 comment=native untagged=ether1,ether2,ether3,ether4,ether5 vlan-ids=10
add bridge=br0 comment=management tagged=br0,ether2,ether3,ether4,ether5 vlan-ids=11
add bridge=br0 comment=replication tagged=ether2,ether3,ether4,ether5 vlan-ids=12
add bridge=br0 comment=public tagged=ether2,ether3,ether4,ether5,br0 vlan-ids=13
/interface list member
add comment=defconf interface=br0 list=LAN
add comment=defconf interface=ether1 list=WAN
add interface=ether1 list=external
add interface=ether2 list=internal
add interface=ether3 list=internal
add interface=ether4 list=internal
add interface=ether5 list=internal
/ip address
add address=172.27.11.99/24 interface=management network=172.27.11.0
add address=172.27.12.1/24 interface=replication network=172.27.12.0
add address=172.27.13.1/24 interface=public network=172.27.13.0
/ip dhcp-client
add comment=defconf disabled=no interface=br0
/ip firewall address-list
add address=172.27.10.0/24 list=native
add address=172.27.11.0/24 list=management
add address=172.27.12.0/24 list=replication
add address=172.27.13.0/24 list=public
add address=0.0.0.0/8 comment="self-identification (RFC 3330)" list=bogon
add address=10.0.0.0/8 comment="private class A (RFC 1918)" list=bogon
add address=127.0.0.0/8 comment="loopback (RFC 3330)" list=bogon
add address=172.16.0.0/12 comment="private class B (RFC 1918)" disabled=yes list=bogon
add address=169.254.0.0/16 comment="link-local (RFC 3330)" disabled=yes list=bogon
add address=192.168.0.0/16 comment="private class C (RFC 1918)" list=bogon
add address=192.0.2.0/24 comment="test-net 1 (RFC 5737)" list=bogon
add address=192.88.99.0/24 comment="6to4 relay anycast (RFC 3068)" list=bogon
add address=198.18.0.0/15 comment="BMWG testing (RFC 6815)" list=bogon
add address=198.51.100.0/24 comment="test-net 2 (RFC 5737)" list=bogon
add address=203.0.113.0/24 comment="test-net 3 (RFC 5737)" list=bogon
add address=224.0.0.0/4 comment="private class D (multicast) (RFC 1112)" list=bogon
/ip firewall filter
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward comment="accept established, related, untracked (external -> internal)" connection-state=established,related,untracked
add action=accept chain=forward comment="accept new (internal -> external)" connection-state=new dst-address-list=!bogon in-bridge-port-list=internal out-bridge-port-list=external
add action=accept chain=input comment="accept ssh (native) (remove later)" connection-state=new dst-address-list=native dst-port=22,900,4443 in-interface=br0 protocol=tcp
add action=accept chain=input comment="accept ssh (management) (remove later)" connection-state=new dst-address-list=management dst-port=22,900,4443 in-interface=management protocol=tcp
add action=accept chain=forward comment="accept ssh (forward) (remove later)" connection-state=new dst-port=22,900,4443 protocol=tcp
add action=jump chain=forward comment="jump to native rules" connection-state=new in-bridge-port-list=internal jump-target=native out-bridge-port-list=internal src-address-list=native
add action=jump chain=forward comment="jump to management rules" connection-state=new dst-address-list=management in-bridge-port-list=internal jump-target=management out-bridge-port-list=internal src-address-list=management
add action=jump chain=forward comment="jump to replication rules" connection-state=new dst-address-list=replication in-bridge-port-list=internal jump-target=replication out-bridge-port-list=internal src-address-list=replication
add action=jump chain=forward comment="jump to public rules" connection-state=new dst-address-list=public in-bridge-port-list=external jump-target=public out-bridge-port-list=internal
add action=accept chain=forward comment="accept dns (external -> internal)" connection-state=new dst-port=1024-65535 in-bridge-port-list=external out-bridge-port-list=internal protocol=udp src-port=53
add action=accept chain=forward comment="accept dhcp (external -> internal)" connection-state=new dst-port=68 in-bridge-port-list=external out-bridge-port-list=internal protocol=udp src-port=67
add action=accept chain=forward comment="accept vpn" dst-port=1194 protocol=tcp
add action=accept chain=forward comment="accept vpn" dst-port=1194 protocol=udp
add action=accept chain=native comment="accept ssh (remove later)" dst-port=22,900,4443 protocol=tcp
add action=accept chain=native comment="accept pacemaker (remove later)" dst-port=2224 protocol=tcp
add action=accept chain=native comment="accept mail relay, submission, imaps" dst-port=25,587,993 protocol=tcp
add action=accept chain=native comment="accept dns" dst-port=53,853 protocol=tcp
add action=accept chain=native comment="accept dns" dst-port=53,853 protocol=udp
add action=accept chain=native comment="accept http, https" dst-port=80,443 protocol=tcp
add action=accept chain=management comment="accept ssh" dst-port=22,900,4443 protocol=tcp
add action=accept chain=management comment="accept http, https" dst-port=80,443 protocol=tcp
add action=accept chain=management comment="accept snmp, snmp trap" dst-port=161,162 protocol=udp
add action=accept chain=management comment="accept pacemaker" dst-port=2224 protocol=tcp
add action=accept chain=replication comment="accept lmtp" dst-port=24 protocol=tcp
add action=accept chain=replication comment="accept sasl" dst-port=2222 protocol=tcp
add action=accept chain=replication comment="accept mysql" dst-port=3308 protocol=tcp
add action=accept chain=replication comment="accept gluster" dst-port=24007-24009,49152-49155 protocol=tcp
add action=accept chain=public comment="accept mail relay, submission, imaps" dst-port=25,587,993 protocol=tcp
add action=accept chain=public comment="accept dns" dst-port=53 protocol=tcp
add action=accept chain=public comment="accept dns" dst-port=53 protocol=udp
add action=accept chain=public comment="accept http, https" dst-port=80,443 protocol=tcp
add action=accept chain=forward comment="accept icmp" protocol=icmp
add action=accept chain=forward comment="accept broadcast" dst-address-type=broadcast
add action=accept chain=forward comment="accept multicast" dst-address-type=multicast
add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=input comment="accept established, related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="accept to local loopback (for capsman)" dst-address=127.0.0.1
add action=accept chain=input comment="accept icmp" protocol=icmp
add action=accept chain=input comment="accept broadcast" dst-address-type=broadcast
add action=accept chain=input comment="accept multicast" dst-address-type=multicast
add action=reject chain=input log=yes reject-with=icmp-admin-prohibited
add action=reject chain=forward log=yes reject-with=icmp-admin-prohibited
add action=drop chain=output connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=output
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh port=900
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ipv6 address
add address=2001:1234:abcd:10::ffff advertise=no interface=br0
add address=2001:1234:abcd:12::ffff advertise=no interface=replication
add address=2001:1234:abcd:13::ffff advertise=no interface=public
add address=2001:1234:abcd:11::ffff advertise=no interface=management
/ipv6 firewall address-list
add address=::/96 comment="IPv4 compatible" list=ipv4_rfc3964
add address=::ffff:0.0.0.0/96 comment="IPv4 mapped" list=ipv4_rfc3964
add address=2002::/24 comment="0.0.0.0/8 (the system has no address assigned yet)" list=ipv4_rfc3964
add address=2002:a00::/24 comment="10.0.0.0/8 (private class A (RFC 1918))" list=ipv4_rfc3964
add address=2002:7f00::/24 comment="127.0.0.0/8 (loopback)" list=ipv4_rfc3964
add address=2002:ac10::/28 comment="172.16.0.0/12 (private class B (RFC 1918))" list=ipv4_rfc3964
add address=2002:c0a8::/32 comment="192.168.0.0/16 (private class C (RFC 1918))" list=ipv4_rfc3964
add address=2002:a9fe::/32 comment="169.254.0.0/16 (IANA Assigned DHCP link-local)" list=ipv4_rfc3964
add address=2002:e000::/19 comment="224.0.0.0/4 (multicast), 240.0.0.0/4 (reserved and broadcast)" list=ipv4_rfc3964
add address=2001:1234:abcd:10::/64 list=native
add address=2001:1234:abcd:11::/64 list=management
add address=2001:1234:abcd:12::/64 list=replication
add address=2001:1234:abcd:13::/64 list=public
/ipv6 firewall filter
add action=drop chain=forward comment="drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward comment="accept established, related, untracked (external -> internal)" connection-state=established,related,untracked
add action=accept chain=forward comment="accept new (internal -> external)" connection-state=new dst-address-list=!ipv4_rfc3964 in-bridge-port-list=internal out-bridge-port-list=external
add action=accept chain=input comment="accept ssh (native) (remove later)" connection-state=new dst-address-list=native dst-port=22,900,4443 in-interface=br0 protocol=tcp
add action=accept chain=input comment="accept ssh (management) (remove later)" connection-state=new dst-address-list=management dst-port=22,900,4443 in-interface=management protocol=tcp
add action=jump chain=forward comment="jump to native rules" connection-state=new dst-address-list=native in-bridge-port-list=internal jump-target=native out-bridge-port-list=internal src-address-list=native
add action=jump chain=forward comment="jump to management rules" connection-state=new dst-address-list=management in-bridge-port-list=internal jump-target=management out-bridge-port-list=internal src-address-list=management
add action=jump chain=forward comment="jump to replication rules" connection-state=new dst-address-list=replication in-bridge-port-list=internal jump-target=replication out-bridge-port-list=internal src-address-list=replication
add action=jump chain=forward comment="jump to public rules" connection-state=new dst-address-list=public in-bridge-port-list=external jump-target=public out-bridge-port-list=internal
add action=accept chain=forward comment="accept dns (external -> internal)" connection-state=new dst-port=1024-65535 in-bridge-port-list=external out-bridge-port-list=internal protocol=udp src-port=53
add action=accept chain=forward comment="accept dhcp (external -> internal)" connection-state=new dst-port=68 in-bridge-port-list=external out-bridge-port-list=internal protocol=udp src-port=67
add action=accept chain=forward comment="accept vpn" dst-port=1194 protocol=tcp
add action=accept chain=forward comment="accept vpn" dst-port=1194 protocol=udp
add action=accept chain=native comment="accept ssh (remove later)" dst-port=22,900,4443 protocol=tcp
add action=accept chain=native comment="accept pacemaker (remove later)" dst-port=2224 protocol=tcp
add action=accept chain=native comment="accept mail relay, submission, imaps" dst-port=25,587,993 protocol=tcp
add action=accept chain=native comment="accept dns" dst-port=53,853 protocol=tcp
add action=accept chain=native comment="accept dns" dst-port=53,853 protocol=udp
add action=accept chain=native comment="accept http, https" dst-port=80,443 protocol=tcp
add action=accept chain=management comment="accept ssh" dst-port=22,900,4443 protocol=tcp
add action=accept chain=management comment="accept http, https" dst-port=80,443 protocol=tcp
add action=accept chain=management comment="accept snmp, snmp trap" dst-port=161,162 protocol=udp
add action=accept chain=management comment="accept pacemaker" dst-port=2224 protocol=tcp
add action=accept chain=replication comment="accept lmtp" dst-port=24 protocol=tcp
add action=accept chain=replication comment="accept sasl" dst-port=2222 protocol=tcp
add action=accept chain=replication comment="accept mysql" dst-port=3308 protocol=tcp
add action=accept chain=replication comment="accept gluster" dst-port=24007-24009,49152-49155 protocol=tcp
add action=accept chain=public comment="accept mail relay, submission, imaps" dst-port=25,587,993 protocol=tcp
add action=accept chain=public comment="accept dns" dst-port=53 protocol=tcp
add action=accept chain=public comment="accept dns" dst-port=53 protocol=udp
add action=accept chain=public comment="accept http, https" dst-port=80,443 protocol=tcp
add action=accept chain=forward comment="accept icmpv6" protocol=icmpv6
add action=accept chain=forward comment="accept multicast" dst-address-type=multicast
add action=drop chain=input comment="drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=input comment="accept established, related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="accept to local loopback (for capsman)" dst-address=::1/128
add action=accept chain=input comment="accept icmpv6" protocol=icmpv6
add action=accept chain=input comment="accept multicast" dst-address-type=multicast
add action=reject chain=input log=yes reject-with=icmp-admin-prohibited
add action=reject chain=forward log=yes reject-with=icmp-admin-prohibited
add action=drop chain=output connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=output
/system clock
set time-zone-name=Europe/Amsterdam
/system identity
set name=rt2
/system note
set note="UNAUTHORIZED ACCESS TO THIS NETWORK IS PROHIBITED"
/system ntp client
set enabled=yes primary-ntp=172.27.10.2 secondary-ntp=172.27.10.3
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
Firewall logs on Mikrotik when OpenVPN client is connected:
12:51:10 firewall,info invalid forward: in:br0(ether1) out:management, src-mac 7c:ff:4d:57:a1:f3, proto TCP (SYN,ACK), [2001:888:2000:9a:face:b00c:0:a7]:443->[2001:985:ba48:11::7]:47360, len 40
12:51:11 firewall,info invalid forward: in:br0(ether1) out:management, src-mac 7c:ff:4d:57:a1:f3, proto TCP (SYN,ACK), [2a03:2880:f045:12:face:b00c:0:2]:443->[2001:985:ba48:11::7]:44618, len 40
12:51:11 firewall,info invalid forward: in:br0(ether1) out:management, src-mac 7c:ff:4d:57:a1:f3, proto TCP (SYN,ACK), [2a03:2880:f006:21:face:b00c:0:3]:443->[2001:985:ba48:11::7]:40680, len 40
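The following is an added example and not part of the original post or of either device's configuration. It parses RouterOS firewall log lines of the shape shown above, extracts the in/out interface, TCP flags and the address pair, and for each "invalid" drop records why connection tracking could have had no entry for that packet: a SYN,ACK that the firewall never matched to a SYN means it did not see the client's outbound SYN, and a reply whose egress interface differs from the interface the original direction enters on points at an asymmetric forward/return path, a common reason a stateful firewall lacks the entry. The sample input is a constructed copy of the three log lines above plus one constructed ACK-only line so both classifier branches run. The `ORIGINAL_DIRECTION_IN` table is an assumption built from the log's own prefix (the configs in the post use a differently obfuscated prefix) and from the rp1 rule that sends VPN-client traffic out the native interface, so rt2 would see the original direction arrive on the bridge rather than on the management VLAN.

```python
"""Parse RouterOS firewall log lines and classify 'invalid' forward drops.

Added example (not from the post). Runs offline over constructed sample lines.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample input: the three lines from the post plus a fourth,
# constructed ACK-only line so both classifier branches are exercised.
SAMPLE_LOG = """\
12:51:10 firewall,info invalid forward: in:br0(ether1) out:management, src-mac 7c:ff:4d:57:a1:f3, proto TCP (SYN,ACK), [2001:888:2000:9a:face:b00c:0:a7]:443->[2001:985:ba48:11::7]:47360, len 40
12:51:11 firewall,info invalid forward: in:br0(ether1) out:management, src-mac 7c:ff:4d:57:a1:f3, proto TCP (SYN,ACK), [2a03:2880:f045:12:face:b00c:0:2]:443->[2001:985:ba48:11::7]:44618, len 40
12:51:11 firewall,info invalid forward: in:br0(ether1) out:management, src-mac 7c:ff:4d:57:a1:f3, proto TCP (SYN,ACK), [2a03:2880:f006:21:face:b00c:0:3]:443->[2001:985:ba48:11::7]:40680, len 40
12:51:12 firewall,info invalid forward: in:br0(ether1) out:management, src-mac 7c:ff:4d:57:a1:f3, proto TCP (ACK,PSH), [2a03:2880:f006:21:face:b00c:0:3]:443->[2001:985:ba48:11::7]:40680, len 1440
"""

# Assumption: VPN clients live in this /64 (prefix taken from the log lines),
# and their outbound packets reach rt2 on the untagged native VLAN (bridge br0),
# because rp1's nftables rule forwards "tun*" traffic out $int_native.
ORIGINAL_DIRECTION_IN = {ip_network("2001:985:ba48:11::/64"): "br0"}

# One RouterOS firewall log line; addresses are bracketed for IPv6, bare for IPv4.
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d) firewall,(?P<level>\w+) (?P<prefix>\S+) "
    r"(?P<chain>\w+): in:(?P<inif>\S+) out:(?P<outif>[^,]+), "
    r"src-mac (?P<mac>[0-9a-f:]{17}), proto (?P<proto>\w+)"
    r"(?: \((?P<flags>[^)]*)\))?, "
    r"\[?(?P<src>[0-9a-fA-F:.]+)\]?:(?P<sport>\d+)->"
    r"\[?(?P<dst>[0-9a-fA-F:.]+)\]?:(?P<dport>\d+), len (?P<len>\d+)$"
)
# "br0(ether1)" -> bridge br0, physical port ether1
IFACE_RE = re.compile(r"^(?P<dev>[^(]+)(?:\((?P<port>[^)]+)\))?$")


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"], rec["dst"] = ip_address(rec["src"]), ip_address(rec["dst"])
    for key in ("sport", "dport", "len"):
        rec[key] = int(rec[key])
    rec["flags"] = set(rec["flags"].split(",")) if rec["flags"] else set()
    ifm = IFACE_RE.match(rec["inif"])
    rec["in_dev"], rec["in_port"] = ifm.group("dev"), ifm.group("port")
    return rec


def classify(rec):
    """List the reasons conntrack could have had no entry for this packet."""
    reasons = []
    if rec["proto"] == "TCP" and {"SYN", "ACK"} <= rec["flags"]:
        reasons.append("SYN,ACK with no tracked connection: "
                       "this firewall never saw the client's SYN")
    elif rec["proto"] == "TCP" and "ACK" in rec["flags"]:
        reasons.append("mid-stream ACK with no tracked connection: "
                       "entry was never created or has expired")
    # Reply leaving on a different interface than the original direction enters
    # on is the classic asymmetric-path signature (assumed mapping above).
    for net, expected_in in ORIGINAL_DIRECTION_IN.items():
        if rec["dst"] in net and rec["outif"] != expected_in:
            reasons.append(f"asymmetric path: reply leaves via {rec['outif']} "
                           f"but the original direction enters via {expected_in}")
    return reasons


def summarize(log_text):
    """Aggregate parsed drops by interface pair, destination host and reason."""
    recs = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "parsed": len(recs),
        "by_path": Counter((r["inif"], r["outif"]) for r in recs),
        "by_dst": Counter(str(r["dst"]) for r in recs),
        "by_reason": Counter(reason for r in recs for reason in classify(r)),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print(f"parsed {report['parsed']} invalid drops")
    for section in ("by_path", "by_dst", "by_reason"):
        print(section)
        for key, count in report[section].most_common():
            print(f"  {count:4d}  {key}")
```

Feed it the real log export instead of `SAMPLE_LOG` (for example `summarize(open("firewall.log").read())`) and the `by_path` and `by_reason` counters show at a glance whether every invalid drop is a handshake reply arriving on a path the firewall did not see the outbound direction on, which is the thing to compare against the static routes on rt1 and rt2.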