New users first configuration

Hello guys!

Can someone check if my first configuration is good enough and give me some advice on what's wrong? My Mikrotik is connected to a Huawei ONT. I think that on the OSD router the internet connection was faster.

(1) Other than that, I don't like your naming convention.

Naming the Bridge "LAN" is very confusing, as LAN is already used on the router to describe the LAN writ large (as an interface list item). Why not stick with Bridge?
Same with naming ether1 "WAN", as WAN is already used on the router to describe the WAN writ large (as an interface list item). Why not use ISP1?

(2) It would appear that VLAN35 is the internet vlan of your provider, and that seems okay!

(3) I see this funky number here as indeed the default entry here is LAN and thus you have confused the router LOL.
set discover-interface-list=*2000011
Highly suggest you change the name of ether1 and the bridge!!!

(4) REMOVE THIS OR DISABLE IT, the ip dhcp client is handled FULLY by the pppoe settings!!!
/ip dhcp-client
add comment=defconf interface=WAN

(5) I am not convinced you really know what you are doing in firewall rules…
In fact, the smell of bad youtube advice or google advice is all over it. :slight_smile:
Seems you have a router to block stuff and allowed needed traffic is an afterthought.

(6) Where does this mysterious 192.168.2.X subnet come from??

(7) Some work needed on dst nat…

Points 1-4 I will change names and handle it as you said.

  1. I am not convinced either. It was supposed to block anything but the exceptions. I made it with help.mikrotik.com :sweat_smile: Would you be so kind and help me to fix it?

  2. The mysterious 192.168.2.x is prepared for l2tp.

  3. Same as 5. :sweat_smile:

No worries… glad to help… just remember avoid any german website that says to use vlan1 for data vlans '=)))

This is your starting point. Focus from here on in on adding traffic that needs to flow.
If you have any issues with interfering traffic, come back here for advice/assistance…

/ip firewall filter
{Input Chain}
(default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(admin rules)
add action=accept chain=input comment="l2tp VPN IPSEC" disabled=yes? protocol=ipsec-esp
add action=accept chain=input comment="l2tp VPN" disabled=yes? dst-port=500,1701,4500 protocol=udp
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment="DNS queries-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="DNS queries-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="DNS for VPN users" dst-port=53 src-address=192.168.2.0/24 protocol=udp
add action=accept chain=input comment="DNS for VPN users" dst-port=53 src-address=192.168.2.0/24 protocol=tcp
add action=drop chain=input comment="drop all else"
{forward chain}
(default rules)
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
(admin rules)
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow remote vpn users to lan" src-address=192.168.2.0/24 out-interface-list=LAN
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

It's been a while, but I didn't have time to finish this configuration.

Now, I have done everything you advised me. Also, I have configured this router as CAPsMAN.

This is the actual config.

/interface bridge
add admin-mac=DC:2C:6E:11:1A:CF arp=proxy-arp auto-mac=no comment=defconf \
    name=BridgeLAN
/interface ethernet
set [ find default-name=ether1 ] name=ISP
/interface vlan
add interface=ISP name=vlan1 vlan-id=35
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
    use-peer-dns=yes user=8yawzo36@webnet24.pl
/interface list
add name=LAN
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifiwave2 security
add authentication-types=wpa2-psk disabled=no encryption="" name=sec1
/interface wifiwave2
set [ find default-name=wifi1 ] configuration.country=Poland .mode=ap .ssid=\
    Mikrotik disabled=no security=sec1 security.authentication-types=wpa2-psk
set [ find default-name=wifi2 ] configuration.country=Poland .mode=ap .ssid=\
    Mikrotik disabled=no security=sec1 security.authentication-types=wpa2-psk
/interface wifiwave2 configuration
add country=Poland disabled=no mode=ap name=cfg5ghz security=sec1 ssid=\
    Mikrotik
add country=Poland disabled=no mode=ap name=cfg2ghz security=sec1 ssid=\
    Mikrotik
/interface wifiwave2
add configuration=cfg2ghz disabled=no name=cap-wifi1
add configuration=cfg2ghz disabled=no name=cap-wifi4
/ip pool
add name=dhcp ranges=192.168.30.20-192.168.30.59
/ip dhcp-server
add address-pool=dhcp interface=BridgeLAN lease-time=10m name=defconf
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=ether2
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=ether3
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=ether4
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=ether5
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=wifi1
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=WAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=BridgeLAN list=LAN
add interface=ISP list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wifiwave2 cap
set caps-man-addresses=192.168.30.1 discovery-interfaces=BridgeLAN
/interface wifiwave2 capsman
set ca-certificate=auto enabled=yes interfaces=BridgeLAN package-path="" \
    require-peer-certificate=no upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg5ghz \
    slave-configurations="" supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=cfg2ghz \
    supported-bands=2ghz-ax
/ip address
add address=192.168.30.1/24 comment=defconf interface=BridgeLAN network=\
    192.168.30.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ISP
/ip dhcp-server lease
add address=192.168.30.2 client-id=1:48:a9:8a:e5:be:f8 comment=cAP \
    mac-address=48:A9:8A:E5:BE:F8 server=defconf
add address=192.168.30.3 client-id=1:48:a9:8a:cc:3f:10 comment=hAP \
    mac-address=48:A9:8A:CC:3F:10 server=defconf
add address=192.168.30.100 client-id=1:ac:b9:2f:21:73:3f comment=NVR \
    mac-address=AC:B9:2F:21:73:3F server=defconf
add address=192.168.30.104 client-id=1:24:32:ae:d8:29:64 comment=Cam4 \
    mac-address=24:32:AE:D8:29:64 server=defconf
add address=192.168.30.103 client-id=1:24:32:ae:d8:24:f2 comment=Cam3 \
    mac-address=24:32:AE:D8:24:F2 server=defconf
add address=192.168.30.102 client-id=1:24:32:ae:d8:27:51 comment=Cam2 \
    mac-address=24:32:AE:D8:27:51 server=defconf
add address=192.168.30.101 client-id=1:24:32:ae:d8:25:1a comment=Cam1 \
    mac-address=24:32:AE:D8:25:1A server=defconf
/ip dhcp-server network
add address=192.168.30.0/24 comment=defconf gateway=192.168.30.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.30.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.30.2-192.168.30.254 list=allowed_to_router
add address=192.168.2.2-192.168.2.100 comment=l2tp list=allowed_to_router
add address=192.168.30.10/31 list=allowed_to_modem
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=\
    192.168.30.1
add action=accept chain=input comment=CAPsMAN port=5246,5247 protocol=udp
add action=accept chain=input comment="l2tp VPN IPSEC" protocol=ipsec-esp
add action=accept chain=input comment="l2tp VPN" dst-port=500,1701,4500 \
    protocol=udp
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment="DNS queries-TCP" dst-port=53 \
    in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="DNS for VPN users" dst-port=53 \
    protocol=udp src-address=192.168.2.0/24
add action=accept chain=input comment="DNS for VPN users" dst-port=53 \
    protocol=tcp src-address=192.168.2.0/24
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related hw-offload=yes
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" \
    in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow remote vpn users to lan" \
    out-interface-list=LAN src-address=192.168.2.0/24
add action=accept chain=forward comment="port forwarding" \
    connection-nat-state=dstnat
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.30.0/24
add action=masquerade chain=srcnat dst-address=!192.168.30.1 src-address=\
    192.168.30.0/24 to-addresses=192.168.30.100
add action=dst-nat chain=dstnat dst-address=192.168.30.1 dst-port=8000 \
    protocol=tcp to-addresses=192.168.30.100 to-ports=8000
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.2.0/24
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name="MikroTik Filip"
/system leds
set 0 interface=*1 leds=led1,led2,led3,led4,led5 type=\
    wireless-signal-strength
set 1 leds=poe-led type=poe-out
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=WAN
/tool mac-server mac-winbox
set allowed-interface-list=WAN

I have question about firewall drop forward - in your config, there is only drop for invalid forward and there is no drop for remaining forward. You forgot about it or did it on purpose?
Also, can someone tell me if this dstnat rule is good for NVR?

add action=dst-nat chain=dstnat dst-address=192.168.30.1 dst-port=8000 \
    protocol=tcp to-addresses=192.168.30.100 to-ports=8000

When dst-address was empty, I could reach the NVR from outside, but I wasn't able to reach an NVR in a different place from inside. Despite another IP address and the same port 8000, my NVR app was trying to connect to the NVR inside my router.

First question, the rule you are looking for is already there, it's the last rule:
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else"

Second question, your WANIP is not static (pppoe dynamic).
Thus the format of your port forwarding rule for external users should be

add chain=dstnat action=dst-nat in-interface-list=WAN dst-port=xxxxxx protocol=xy to-addresses=serverIP to-ports=(only needed if doing port translation)

However, if you also wish to access the server ( and not by directly accessing the server by its local LANIP ) via the WANIP or domain name dddns…
To do this we have to be cognizant of loopback or hairpin nat and the format of the dst-nat rule changes etc…

https://forum.mikrotik.com/viewtopic.php?t=179343

One other comment/suggestion → ensure you add source-address-list as part of the rule, limiting external server access. This is fully possible by getting the static IPs of external users and if they have dynamic WANIps, then they can use dyndns names which are available for free.

I must have missed the last line from your config…

Now it looks like that:

/ip firewall address-list
add address=192.168.30.2-192.168.30.254 list=allowed_to_router
add address=192.168.2.2-192.168.2.100 comment=l2tp list=allowed_to_router
add address=192.168.30.10/31 list=allowed_to_modem
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=192.168.30.1
add action=accept chain=input comment=CAPsMAN port=5246,5247 protocol=udp
add action=accept chain=input comment="l2tp VPN IPSEC" protocol=ipsec-esp
add action=accept chain=input comment="l2tp VPN" dst-port=500,1701,4500 protocol=udp
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment="DNS queries-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="DNS for VPN users" dst-port=53 protocol=udp src-address=192.168.2.0/24
add action=accept chain=input comment="DNS for VPN users" dst-port=53 protocol=tcp src-address=192.168.2.0/24
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow remote vpn users to lan" out-interface-list=LAN src-address=192.168.2.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else" log=yes log-prefix="Drop fwall"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.30.0/24 src-address=192.168.30.0/24
add action=dst-nat chain=dstnat dst-address=!192.168.30.1 dst-address-type=local to-addresses=192.168.30.100
add action=dst-nat chain=dstnat dst-port=8000 in-interface=ISP1 protocol=tcp to-addresses=192.168.30.100
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.2.0/24
  1. After adding that line (drop else forward) I didn't have an internet connection. I had to change
add interface=ISP list=WAN

to

add interface=pppoe-out1 list=WAN

Is that correct?

  1. Does my nat look good now? Hairpin nat and port forward to NVR.
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat

means that all traffic with the specified port is accepted and managed by NAT later? Without this rule, I should open each port in the filter tab first. Isn't that "better"?

(1) I would not LOG dropped traffic, will fill up memory with useless junk.

(2) Correct, one has to add the actual WAN interface name to the WAN list for the associated firewall rules that include List=WAN to be effective.

(3) No, for port forwarding one only needs the single forward chain rule to, in general, allow port forwarding. It's in the destination nat rules where all the details are supplied.
The rule you quoted is better than the default, which blocks internal connections to a server via the WANIP (hairpin), whereas the rule you quoted does not discriminate where the request is coming from.

(4) I am confused as to your sourcenat rules…
First rule: it is not clear on the first rule why you put a source address??
Second rule: I have no idea what this rule is trying to accomplish???
Third rule: Incorrect format for port forwarding in a hairpin nat scenario
Fourth rule: Is the VPN not identified already as an interface or part of WAN or LAN…
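Added example (not from the thread and not RouterOS code): a small Python model of the forward chain quoted above, evaluated first-match-wins the way a RouterOS chain is. It reproduces the symptom from the question, where the WAN interface list held the physical port (ISP) instead of pppoe-out1, the interface routed traffic actually leaves through, so "allow internet traffic" never matched and "drop all else" won. Interface names and the 198.51.100.10 client address are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    src: str
    dst: str
    in_iface: str
    out_iface: str
    conn_state: str = "new"    # new | established | related | untracked | invalid
    nat_state: str = "none"    # "dstnat" once a dst-nat rule has rewritten it

@dataclass
class Rule:
    action: str
    comment: str
    conn_states: frozenset = frozenset()   # empty = match any connection state
    in_list: Optional[str] = None          # in-interface-list=
    out_list: Optional[str] = None         # out-interface-list=
    src_net: Optional[str] = None          # src-address=
    nat_state: Optional[str] = None        # connection-nat-state=

    def matches(self, pkt: Packet, lists: dict) -> bool:
        if self.conn_states and pkt.conn_state not in self.conn_states:
            return False
        if self.in_list and pkt.in_iface not in lists.get(self.in_list, set()):
            return False
        if self.out_list and pkt.out_iface not in lists.get(self.out_list, set()):
            return False
        if self.src_net and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if self.nat_state and pkt.nat_state != self.nat_state:
            return False
        return True

# The forward chain from the thread (fasttrack omitted: it only shortcuts already-accepted flows).
FORWARD = [
    Rule("accept", "defconf: accept established,related,untracked",
         conn_states=frozenset({"established", "related", "untracked"})),
    Rule("drop", "defconf: drop invalid", conn_states=frozenset({"invalid"})),
    Rule("accept", "allow internet traffic", in_list="LAN", out_list="WAN"),
    Rule("accept", "allow remote vpn users to lan", src_net="192.168.2.0/24", out_list="LAN"),
    Rule("accept", "port forwarding", nat_state="dstnat"),
    Rule("drop", "drop all else"),
]

def evaluate(chain, pkt, lists):
    """First matching rule decides; a chain without a terminating rule falls through to accept."""
    for rule in chain:
        if rule.matches(pkt, lists):
            return rule.action, rule.comment
    return "accept", "end of chain (implicit accept)"

# The two interface-list states from the thread: physical port vs the PPPoE interface.
WAN_LIST_WITH_PORT = {"LAN": {"BridgeLAN"}, "WAN": {"ISP"}}
WAN_LIST_WITH_PPPOE = {"LAN": {"BridgeLAN"}, "WAN": {"pppoe-out1"}}

def demo():
    lan_to_internet = Packet("192.168.30.50", "198.51.100.10", "BridgeLAN", "pppoe-out1")
    unsolicited_inbound = Packet("198.51.100.10", "192.168.30.100", "pppoe-out1", "BridgeLAN")
    forwarded_to_nvr = Packet("198.51.100.10", "192.168.30.100", "pppoe-out1", "BridgeLAN",
                              nat_state="dstnat")
    vpn_to_lan = Packet("192.168.2.5", "192.168.30.100", "l2tp-in1", "BridgeLAN")
    return {
        "lan->internet, WAN list = ISP": evaluate(FORWARD, lan_to_internet, WAN_LIST_WITH_PORT),
        "lan->internet, WAN list = pppoe-out1": evaluate(FORWARD, lan_to_internet, WAN_LIST_WITH_PPPOE),
        "unsolicited inbound": evaluate(FORWARD, unsolicited_inbound, WAN_LIST_WITH_PPPOE),
        "dst-natted inbound": evaluate(FORWARD, forwarded_to_nvr, WAN_LIST_WITH_PPPOE),
        "vpn->lan": evaluate(FORWARD, vpn_to_lan, WAN_LIST_WITH_PPPOE),
    }

if __name__ == "__main__":
    for name, (action, why) in demo().items():
        print(f"{name:40s} -> {action:6s} ({why})")
```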

Okay.

  1. Done
  2. I was wondering, why I had to change
interface=wan

to

interface=pppoe~

for internet to be working.
3. Okay.
4. Yes, it was a little bit messy. Now it looks like that:

add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.30.0/24 src-address=\
    192.168.30.0/24
add action=dst-nat chain=dstnat dst-address-type=local dst-port=8000 protocol=\
    tcp to-addresses=192.168.30.100
add action=masquerade chain=srcnat out-interface-list=WAN src-address=\
    192.168.2.0/24

1st rule - default masquerade
2nd rule - hairpin nat
3rd rule - port forward to nvr
4th rule - masquerade for l2tp users. l2tp users are not added to any interface. If I disable this rule, I can't browse the web while connected (yes, I'm aware of the firewall rule).

The only thing I would change is your dst nat rule…

From:
add action=dst-nat chain=dstnat dst-address-type=local dst-port=8000 protocol=tcp to-addresses=192.168.30.100

TO:
add action=dst-nat chain=dstnat dst-address-type=local dst-address=!192.168.30.0/24 dst-port=8000 protocol=tcp to-addresses=192.168.30.100

The reason being is that we want the router to use the WAN address, which is also local, AND NOT the subnet address. Easy to do when you only have a single subnet.
The problem with your setup is that the router can choose to use the local subnet or the local WAN. Furthermore any other requests between devices on the LAN on the same port but not related to the server would get sent to the server ( unintended consequences ).
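Added example (not from the thread and not RouterOS code): a Python model of the dst-nat rule above together with the hairpin masquerade rule from the config, walked for an internet client, a LAN client hitting the WAN address (hairpin), and a LAN client hitting the router's own LAN address. `dst-address-type=local` is modelled as "destination is one of the router's own addresses"; the WAN address 203.0.113.7 and the client addresses are constructed placeholders.

```python
import ipaddress

# Addresses the router itself owns: its LAN gateway address and the address
# PPPoE assigned on the WAN side (constructed placeholder, not from the thread).
ROUTER_LOCAL = {"192.168.30.1", "203.0.113.7"}
WAN_IP = "203.0.113.7"
LAN_GW = "192.168.30.1"
LAN_NET = ipaddress.ip_network("192.168.30.0/24")
NVR = "192.168.30.100"

def dst_nat(dst: str, dport: int, proto: str, exclude_lan_subnet: bool):
    """One dstnat rule: dst-address-type=local [dst-address=!192.168.30.0/24]
    dst-port=8000 protocol=tcp to-addresses=192.168.30.100."""
    if proto != "tcp" or dport != 8000:
        return dst, dport
    if dst not in ROUTER_LOCAL:                       # dst-address-type=local
        return dst, dport
    if exclude_lan_subnet and ipaddress.ip_address(dst) in LAN_NET:
        return dst, dport                             # dst-address=!192.168.30.0/24
    return NVR, 8000

def src_nat(src: str, dst_after_dnat: str, out_iface: str, hairpin_rule: bool) -> str:
    """The srcnat chain: masquerade on WAN egress, plus the hairpin rule
    'src-address=192.168.30.0/24 dst-address=192.168.30.0/24' when enabled."""
    if out_iface == "pppoe-out1":
        return WAN_IP
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst_after_dnat)
    if hairpin_rule and s in LAN_NET and d in LAN_NET:
        return LAN_GW                                 # forces the reply back through the router
    return src

def walk(src, dst, dport, out_iface, exclude_lan_subnet=True, hairpin_rule=True):
    """Apply dstnat then srcnat to one new TCP connection and report the result."""
    new_dst, new_port = dst_nat(dst, dport, "tcp", exclude_lan_subnet)
    if new_dst in ROUTER_LOCAL:
        # Still addressed to the router itself: it goes to the input chain, srcnat is not traversed.
        return {"src": src, "dst": new_dst, "dport": new_port, "reply_via_router": True}
    new_src = src_nat(src, new_dst, out_iface, hairpin_rule)
    # The NVR answers whatever source it sees. A source outside the LAN (or the router's own
    # address) is reached through the router, so NAT can be undone; a LAN source is answered
    # directly on the bridge and the client gets a reply from 192.168.30.100 it never spoke to.
    reply_via_router = new_src == LAN_GW or ipaddress.ip_address(new_src) not in LAN_NET
    return {"src": new_src, "dst": new_dst, "dport": new_port, "reply_via_router": reply_via_router}

if __name__ == "__main__":
    print("internet -> WAN:8000      ", walk("198.51.100.10", WAN_IP, 8000, "BridgeLAN"))
    print("LAN -> WAN:8000 (hairpin) ", walk("192.168.30.50", WAN_IP, 8000, "BridgeLAN"))
    print("LAN -> WAN:8000, no hairpin masquerade",
          walk("192.168.30.50", WAN_IP, 8000, "BridgeLAN", hairpin_rule=False))
    print("LAN -> 192.168.30.1:8000, subnet excluded",
          walk("192.168.30.50", LAN_GW, 8000, "BridgeLAN"))
    print("LAN -> 192.168.30.1:8000, subnet NOT excluded",
          walk("192.168.30.50", LAN_GW, 8000, "BridgeLAN", exclude_lan_subnet=False))
```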

Done!

Can you take a look for whole configuration once again? Should be good now :slight_smile:

/interface bridge
add admin-mac=DC:2C:6E:11:1A:CF arp=proxy-arp auto-mac=no comment=defconf name=BridgeLAN
/interface ethernet
set [ find default-name=ether1 ] name=ISP
/interface vlan
add interface=ISP name=vlan1 vlan-id=35
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 use-peer-dns=yes user=
/interface list
add name=LAN
add name=WAN
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wifiwave2 security
add authentication-types=wpa2-psk disabled=no encryption="" name=sec1
/interface wifiwave2
set [ find default-name=wifi1 ] configuration.country=Poland .mode=ap .ssid=Mikrotik disabled=no security=sec1 security.authentication-types=wpa2-psk
set [ find default-name=wifi2 ] configuration.country=Poland .mode=ap .ssid=Mikrotik disabled=no security=sec1 security.authentication-types=wpa2-psk
/interface wifiwave2 configuration
add country=Poland disabled=no mode=ap name=cfg5ghz security=sec1 ssid=Mikrotik
add country=Poland disabled=no mode=ap name=cfg2ghz security=sec1 ssid=Mikrotik
/interface wifiwave2
add configuration=cfg2ghz disabled=no name=cap-wifi1
add configuration=cfg2ghz disabled=no name=cap-wifi4
/ip pool
add name=dhcp ranges=192.168.30.20-192.168.30.59
/ip dhcp-server
add address-pool=dhcp interface=BridgeLAN lease-time=10m name=defconf
/routing bgp template
set default disabled=no output.network=bgp-networks
/routing ospf instance
add disabled=no name=default-v2
/routing ospf area
add disabled=yes instance=default-v2 name=backbone-v2
/interface bridge port
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=ether2
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=ether3
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=ether4
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=ether5
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=wifi1
add bridge=BridgeLAN comment=defconf ingress-filtering=no interface=wifi2
/ip neighbor discovery-settings
set discover-interface-list=WAN
/ipv6 settings
set disable-ipv6=yes max-neighbor-entries=8192
/interface list member
add interface=BridgeLAN list=LAN
add interface=pppoe-out1 list=WAN
/interface ovpn-server server
set auth=sha1,md5
/interface wifiwave2 cap
set caps-man-addresses=192.168.30.1 discovery-interfaces=BridgeLAN
/interface wifiwave2 capsman
set ca-certificate=auto enabled=yes interfaces=BridgeLAN package-path="" require-peer-certificate=no upgrade-policy=none
/interface wifiwave2 provisioning
add action=create-dynamic-enabled disabled=no master-configuration=cfg5ghz slave-configurations="" supported-bands=5ghz-ax
add action=create-enabled disabled=no master-configuration=cfg2ghz supported-bands=2ghz-ax
/ip address
add address=192.168.30.1/24 comment=defconf interface=BridgeLAN network=192.168.30.0
/ip dhcp-client
add comment=defconf disabled=yes interface=ISP
/ip dhcp-server lease
add address=192.168.30.2 client-id=1:48:a9:8a:e5:be:f8 comment=cAP mac-address=48:A9:8A:E5:BE:F8 server=defconf
add address=192.168.30.3 client-id=1:48:a9:8a:cc:3f:10 comment=hAP mac-address=48:A9:8A:CC:3F:10 server=defconf
add address=192.168.30.100 client-id=1:ac:b9:2f:21:73:3f comment=NVR mac-address=AC:B9:2F:21:73:3F server=defconf
add address=192.168.30.104 client-id=1:24:32:ae:d8:29:64 comment=Cam4 mac-address=24:32:AE:D8:29:64 server=defconf
add address=192.168.30.103 client-id=1:24:32:ae:d8:24:f2 comment=Cam3 mac-address=24:32:AE:D8:24:F2 server=defconf
add address=192.168.30.102 client-id=1:24:32:ae:d8:27:51 comment=Cam2 mac-address=24:32:AE:D8:27:51 server=defconf
add address=192.168.30.101 client-id=1:24:32:ae:d8:25:1a comment=Cam1 mac-address=24:32:AE:D8:25:1A server=defconf
/ip dhcp-server network
add address=192.168.30.0/24 comment=defconf gateway=192.168.30.1 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.30.1 comment=defconf name=router.lan
/ip firewall address-list
add address=192.168.30.2-192.168.30.254 list=allowed_to_router
add address=192.168.2.2-192.168.2.100 comment=l2tp list=allowed_to_router
add address=192.168.30.10/31 list=allowed_to_modem
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=192.168.30.1
add action=accept chain=input comment=CAPsMAN port=5246,5247 protocol=udp
add action=accept chain=input comment="l2tp VPN IPSEC" protocol=ipsec-esp
add action=accept chain=input comment="l2tp VPN" dst-port=500,1701,4500 protocol=udp
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment="DNS queries-TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="DNS for VPN users" dst-port=53 protocol=udp src-address=192.168.2.0/24
add action=accept chain=input comment="DNS for VPN users" dst-port=53 protocol=tcp src-address=192.168.2.0/24
add action=drop chain=input comment="drop all else"
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="allow internet traffic" in-interface-list=LAN out-interface-list=WAN
add action=accept chain=forward comment="allow remote vpn users to lan" out-interface-list=LAN src-address=192.168.2.0/24
add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
add action=drop chain=forward comment="drop all else" log=yes log-prefix="Drop fwall"
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat dst-address=192.168.30.0/24 src-address=192.168.30.0/24
add action=dst-nat chain=dstnat dst-address=!192.168.30.0/24 dst-address-type=local dst-port=8000 protocol=tcp to-addresses=192.168.30.100
add action=masquerade chain=srcnat out-interface-list=WAN src-address=192.168.2.0/24
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/system clock
set time-zone-name=Europe/Warsaw
/system identity
set name="MikroTik Filip"
/system leds
set 0 interface=*1 leds=led1,led2,led3,led4,led5 type=wireless-signal-strength
set 1 leds=poe-led type=poe-out
/system note
set show-at-login=no
/tool mac-server
set allowed-interface-list=WAN
/tool mac-server mac-winbox
set allowed-interface-list=WAN

(1) Change this to LAN
/ip neighbor discovery-settings
set discover-interface-list=WAN

(2) This rule should only be for those authorized to change the config!!!
add action=accept chain=input src-address-list=allowed_to_router

BUT you have…
/ip firewall address-list
add address=192.168.30.2-192.168.30.254 list=allowed_to_router { EVERYONE ON THE BRIDGE SUBNET } ???
add address=192.168.2.2-192.168.2.100 comment=l2tp list=allowed_to_router { EVERYONE ON THE VPN SUBNET } ???

Suggest it should be pared down.
/ip firewall address-list
add address=192.168.30.AB list=allowed_to_router comment="admin desktop-wired"
add address=192.168.30.GH list=allowed_to_router comment="admin laptop-wifi"
add address=192.168.30.XY list=allowed_to_router comment="admin smartphone-wifi"
add address=192.168.2.Z list=allowed_to_router comment="remote admin vpn IP"

(3) This should be set to NONE
/tool mac-server
set allowed-interface-list=WAN

(4) This should be set to LAN
/tool mac-server mac-winbox
set allowed-interface-list=WAN