Sanity checking of my Firewall rules

I’m not at all sure if my firewall is configured well, so I would much appreciate it if someone would go through it.
I run dual-stack.

One of the problems I see is that my container is not able to do IPv6 properly…

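# NOTE(review): this export contains only the IPv6 firewall tables; no
# /ip firewall section is shown, so nothing below is checked for IPv4.
/container mounts
add dst=/etc/caddy name=caddyetc src=/containers/caddy/etc
add dst=/data/caddy name=caddydata src=/containers/caddy/data
/interface bridge
add frame-types=admit-only-vlan-tagged name=bridge pvid=99 vlan-filtering=yes
add name=docker
/interface ethernet
set [ find default-name=ether1 ] poe-out=off
set [ find default-name=ether3 ] disabled=yes poe-out=off
set [ find default-name=ether4 ] poe-out=off
set [ find default-name=ether5 ] disabled=yes poe-out=off
set [ find default-name=ether6 ] disabled=yes poe-out=off
set [ find default-name=ether7 ] disabled=yes poe-out=off
set [ find default-name=ether8 ] comment="Management BACKUP" poe-out=off
set [ find default-name=sfp-sfpplus1 ] name=fiber-trunk
set [ find default-name=ether2 ] comment="LTE backup" name=wan2 poe-out=off
/interface wireguard
add disabled=yes listen-port=13231 mtu=1420 name=airvpn_de
add listen-port=51821 mtu=1420 name=backdoor
add listen-port=51820 mtu=1420 name=home-vpn
/interface veth
# veth1 was exported with gateway6="" while the docker bridge carries
# fd4c:c55e:cd6::1 (see /ipv6 address), so the container had no IPv6 default
# route; that is the most likely reason it "cannot do IPv6 properly".
# veth2 has no IPv6 address at all, which may be intentional.
add address=172.16.0.2/24,fd4c:c55e:cd6::2/64 gateway=172.16.0.1 gateway6=fd4c:c55e:cd6::1 name=veth1
add address=172.16.0.3/24 gateway=172.16.0.1 gateway6="" name=veth2
/interface vlan
add interface=bridge name=IoT vlan-id=50
add interface=bridge name=KubeDev vlan-id=110
add interface=bridge name=KubeProd vlan-id=105
add interface=bridge name=MGMNT vlan-id=99
add interface=bridge name=MainLAN vlan-id=10
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=VLANs
/ipv6 pool
add name=KubeProdULA prefix=fd9d:7a72:44eb:c::/64 prefix-length=64
/queue type
add cake-flowmode=dual-srchost cake-nat=yes kind=cake name=cake-upload
add cake-flowmode=dual-dsthost cake-nat=yes kind=cake name=cake-download
/queue tree
add bucket-size=0.001 max-limit=600M name=download packet-mark=no-mark parent=MainLAN queue=cake-download
add bucket-size=0.001 max-limit=600M name=download-kube packet-mark=no-mark parent=KubeProd queue=cake-download
add bucket-size=0.001 max-limit=100M name=upload packet-mark=no-mark parent=ether1 queue=cake-upload
/routing table
add fib name=airvpn
/routing bgp template
set default disabled=yes routing-table=main
add add-path-out=none address-families=ip,ipv6 as=213021 disabled=no hold-time=1m30s keepalive-time=30s name=better nexthop-choice=default routing-table=main
/system logging action
# Several rules below use log=yes; they all land in this 100-line memory
# buffer, so drop logs roll over quickly.
set 0 memory-lines=100
/container
add envlist=caddy_env interface=veth1 logging=yes mounts=caddyetc,caddydata root-dir=containers/rootfs/caddy workdir=/srv
/container config
set registry-url=https://registry.skysolutions.fi tmpdir=containers/tmp
/container envs
add key=CF_API_TOKEN name=caddy_env value=<snip>
/disk settings
set auto-media-interface=*B auto-media-sharing=yes auto-smb-sharing=yes
/ip smb
set enabled=no
/interface bridge port
# ether8 ("Management BACKUP") is attached to the dangling bridge reference *B,
# not to "bridge", so the untagged=ether8 entry for VLAN 99 below does not
# currently apply to it.
add bridge=*B comment=defconf interface=ether8
add bridge=bridge interface=fiber-trunk pvid=99
add bridge=bridge interface=ether4 pvid=10
add bridge=bridge interface=ether5 pvid=10
add bridge=bridge interface=ether3 pvid=110
add bridge=docker interface=veth1
add bridge=docker interface=veth2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/ipv6 settings
set accept-router-advertisements=yes
/interface bridge vlan
add bridge=bridge tagged=bridge,fiber-trunk vlan-ids=110
add bridge=bridge tagged=bridge,fiber-trunk vlan-ids=105
add bridge=bridge tagged=bridge,fiber-trunk untagged=ether8 vlan-ids=99
add bridge=bridge tagged=bridge,fiber-trunk vlan-ids=50
add bridge=bridge tagged=bridge,fiber-trunk vlan-ids=10
/interface list member
# The input chain keys on the VLANs list and the forward chain on the LAN
# list. Note the asymmetry: docker is in VLANs only, MGMNT is in LAN only,
# and the WireGuard interfaces (home-vpn, backdoor) are in neither.
add comment=defconf disabled=yes interface=*B list=LAN
add interface=bridge list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=wan2 list=WAN
add interface=ether1 list=WAN
add interface=MainLAN list=LAN
add interface=KubeDev list=LAN
add interface=KubeProd list=LAN
add interface=IoT list=LAN
add interface=KubeDev list=VLANs
add interface=KubeProd list=VLANs
add interface=IoT list=VLANs
add interface=MainLAN list=VLANs
add interface=MGMNT list=LAN
add interface=docker list=VLANs
/ip cloud
set ddns-enabled=yes
/ip cloud advanced
set use-local-address=yes
/ipv6 route
add disabled=no distance=1 dst-address=::/0 gateway=fe80::213:2%ether1 routing-table=main suppress-hw-offload=no
/ipv6 address
# Only MainLAN and KubeDev get addresses from the delegated GUA pool; the other
# VLANs and the container are ULA-only and rely on the srcnat masquerade rules
# in /ipv6 firewall nat to reach the internet.
add address=fd9d:7a72:44eb:e::1 interface=IoT
add address=fd9d:7a72:44eb:d::1 interface=KubeDev
add address=fd9d:7a72:44eb:c::1 interface=KubeProd
add address=fd9d:7a72:44eb:a::1 interface=MainLAN
add from-pool=delegated-wan interface=MainLAN
add address=::f61e:57ff:fe51:88f4 eui-64=yes from-pool=delegated-wan interface=KubeDev
add address=fd1a:c3f5:de32::1 advertise=no interface=home-vpn
add address=fd7d:76ee:e68f:a993:53b5:93b3:953b:176d/128 advertise=no interface=airvpn_de
add address=fd4c:c55e:cd6::1 advertise=no interface=docker
/ipv6 dhcp-client
add interface=ether1 pool-name=delegated-wan rapid-commit=no request=address,prefix use-interface-duid=yes use-peer-dns=yes
/ipv6 dhcp-server
add address-pool=KubeProdULA interface=KubeProd name=k8s-prod prefix-pool=KubeProdULA
/ipv6 firewall address-list
add address=::/128 comment="defconf: unspecified address" list=bad_ipv6
add address=::1/128 comment="defconf: lo" list=bad_ipv6
add address=fec0::/10 comment="defconf: site-local" list=bad_ipv6
add address=::ffff:0.0.0.0/96 comment="defconf: ipv4-mapped" list=bad_ipv6
add address=::/96 comment="defconf: ipv4 compat" list=bad_ipv6
add address=100::/64 comment="defconf: discard only " list=bad_ipv6
add address=2001:db8::/32 comment="defconf: documentation" list=bad_ipv6
add address=2001:10::/28 comment="defconf: ORCHID" list=bad_ipv6
add address=3ffe::/16 comment="defconf: 6bone" list=bad_ipv6
add address=2001:67c:1be8:2::/64 list=backdoor-addr-v6
add address=fd9d:7a72:44eb:a::/64 list=k8s_ula
add address=fd9d:7a72:44eb:c::/64 list=k8s_ula
# fc00::/7 covers every ULA prefix this network runs on (fd9d:..., fd4c:...,
# fd1a:...). The two forward rules that consume bad_ipv6 are disabled below,
# which is the only reason this entry is harmless; re-enabling them as-is would
# drop all internal IPv6 traffic.
add address=fc00::/7 comment="ULA range" list=bad_ipv6
add address=fd9d:7a72:44eb:e::/64 list=IoT_IPv6
/ipv6 firewall filter
add action=accept chain=input dst-port=179 in-interface-list=VLANs protocol=tcp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=input comment="defconf: accept UDP traceroute" dst-port=33434-33534 protocol=udp
add action=accept chain=input comment="defconf: accept DHCPv6-Client prefix delegation." dst-port=546 protocol=udp
add action=accept chain=input comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=input comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=input comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=input comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
# Duplicate of the dst-port=33434-33534 rule above (port= also matches src-port);
# harmless but redundant.
add action=accept chain=input comment="defconf: accept UDP traceroute" port=33434-33534 protocol=udp
# Everything not from VLANs is dropped here, so the disabled 8291 rule below
# is already covered. home-vpn and backdoor are not in VLANs, so WireGuard
# peers cannot reach the router itself over IPv6 beyond ICMPv6 (confirm that
# is intended).
add action=drop chain=input comment="defconf: drop everything else not coming from LAN" in-interface-list=!VLANs log=yes
add action=passthrough chain=input disabled=yes dst-port=443 in-interface-list=WAN protocol=tcp
add action=drop chain=input disabled=yes dst-port=8291 in-interface-list=WAN protocol=tcp
add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
# Sits before "drop invalid" and has no in-interface restriction; IoT_IPv6 is
# ULA so it is not reachable from WAN without dst-nat, but consider moving it
# below the invalid drop.
add action=accept chain=forward comment="Allow IoT range to be accessed" dst-address-list=IoT_IPv6 log=yes log-prefix="IoT v6:"
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop packets with bad src ipv6" disabled=yes log=yes out-interface-list=!WAN src-address-list=bad_ipv6
add action=drop chain=forward comment="defconf: drop packets with bad dst ipv6" disabled=yes dst-address-list=bad_ipv6 out-interface-list=!WAN
add action=drop chain=forward comment="defconf: rfc4890 drop hop-limit=5" disabled=yes hop-limit=equal:5 protocol=icmpv6
add action=accept chain=forward comment="defconf: accept ICMPv6" protocol=icmpv6
add action=accept chain=forward comment="defconf: accept HIP" protocol=139
add action=accept chain=forward comment="defconf: accept IKE" dst-port=500,4500 protocol=udp
add action=accept chain=forward comment="defconf: accept ipsec AH" protocol=ipsec-ah
add action=accept chain=forward comment="defconf: accept ipsec ESP" protocol=ipsec-esp
add action=accept chain=forward comment="defconf: accept all that matches ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward disabled=yes dst-address=2001:<snip>:45a:213d::4443/128 dst-port=80 in-interface-list=WAN protocol=tcp
add action=accept chain=forward disabled=yes dst-address=2001:<snip>:45a:213d::4443/128 dst-port=443 in-interface-list=WAN log=yes protocol=tcp
add action=accept chain=forward disabled=yes dst-address=2001:<snip>:45a:213d::443/128 dst-port=443 in-interface-list=WAN protocol=tcp
add action=accept chain=forward disabled=yes dst-address=2001:<snip>:45a:211d::20/128 dst-port=443 in-interface-list=WAN protocol=tcp
# Previously accepted any protocol from WAN to the container; restricted to
# connections that actually went through dst-nat (ports 80/443 per the nat
# table), matching the style of the "not DSTNATed" drop below.
add action=accept chain=forward comment="Allow DST-NATed WAN traffic to the Caddy container" connection-nat-state=dstnat dst-address=fd4c:c55e:cd6::2/128 in-interface-list=WAN
# The docker bridge is in VLANs but not in LAN, so new connections from the
# container fell through to the "not coming from LAN" drop below. This rule
# lets the container out; "add interface=docker list=LAN" would be the
# alternative, but LAN is also used by neighbor discovery and probably by the
# IPv4 rules not shown here.
add action=accept chain=forward comment="Allow forward from the docker bridge (container ULA)" in-interface=docker src-address=fd4c:c55e:cd6::/64
add action=drop chain=forward comment="Drop all from WAN not DSTNATed" connection-nat-state=!srcnat,dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop everything else not coming from LAN" in-interface-list=!LAN log=yes
# The output chain has no drop rule, so this accept is redundant until one is
# added.
add action=accept chain=output comment="Allow outgoing BGP traffic" dst-port=179 protocol=tcp
/ipv6 firewall mangle
add action=change-mss chain=forward new-mss=clamp-to-pmtu protocol=tcp tcp-flags=syn
/ipv6 firewall nat
# No address-list named "WANs" appears in this export; if it does not exist
# elsewhere, the 443 rule never matches and only port 80 is really forwarded.
# The port-80 rule below also lacks the dst-address-list match, so the two are
# inconsistent.
add action=dst-nat chain=dstnat comment="Forward to Tik Caddy" dst-address-list=WANs dst-port=443 in-interface-list=WAN protocol=tcp to-address=fd4c:c55e:cd6::2/128 to-ports=443
add action=dst-nat chain=dstnat comment="Forward to Tik Caddy" dst-port=80 in-interface-list=WAN protocol=tcp to-address=fd4c:c55e:cd6::2/128 to-ports=80
add action=dst-nat chain=dstnat disabled=yes dst-port=443 in-interface-list=WAN protocol=tcp to-address=fd9d:7a72:44eb:a:211:32ff:fec6:fed5/128 to-ports=443
add action=dst-nat chain=dstnat disabled=yes dst-port=80 in-interface-list=WAN protocol=tcp to-address=2001:<snip>:45a:213d::4443/128 to-ports=80
add action=dst-nat chain=dstnat comment=Bittorrent disabled=yes dst-port=57427 in-interface-list=WAN protocol=tcp to-address=2001:<snip>:16fd:962d::202/128 to-ports=57427
# log-prefix is set but log=yes is not, so the prefix has no effect here;
# the container rule below logs every new masqueraded connection.
add action=masquerade chain=srcnat comment="K8S ULA nat out" log-prefix="k8s: " out-interface=ether1 src-address-list=k8s_ula
add action=masquerade chain=srcnat comment="Container ULA out" log=yes out-interface=ether1 src-address=fd4c:c55e:cd6::/64
# fded:687e:c3bf::200 is not inside any prefix configured in this export and
# there is no forward accept for it, so DST-NATed Factorio traffic reaches the
# "!LAN" drop unless a rule or route outside this export covers it.
add action=dst-nat chain=dstnat comment=Factorio dst-port=31497 in-interface-list=WAN protocol=udp to-address=fded:687e:c3bf::200/128 to-ports=31497
# NOTE(review): to-address is most likely ignored with action=masquerade;
# confirm whether action=src-nat was intended.
add action=masquerade chain=srcnat dst-address=2001:67c:1be8:2::/64 out-interface=backdoor to-address=2001:67c:1be8:2::/64
/ipv6 nd
set [ find default=yes ] disabled=yes dns=:: hop-limit=64
# NOTE(review): hop-limit=3 is advertised as the default hop limit to
# KubeProd hosts; hosts honoring it send packets that expire after three
# routers, which would break most traffic beyond the local network. Confirm
# this is intended (all other interfaces advertise 64).
add advertise-mac-address=no dns=fd9d:7a72:44eb:c::1 hop-limit=3 interface=KubeProd managed-address-configuration=yes ra-interval=10s-1m40s ra-preference=high
add advertise-mac-address=no dns=fd9d:7a72:44eb:e::1 hop-limit=64 interface=IoT managed-address-configuration=yes ra-interval=30s-5m ra-preference=high
add advertise-mac-address=no dns=fd9d:7a72:44eb:a::1 hop-limit=64 interface=MainLAN ra-interval=30s-1m40s ra-preference=high
add advertise-mac-address=no dns=fd9d:7a72:44eb:d::1 hop-limit=64 interface=KubeDev managed-address-configuration=yes ra-interval=30s-1m40s
/ipv6 nd prefix default
set valid-lifetime=1w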

Side note, unrelated to firewall, and unlikely to cause any issue, but you have a *B interface, point #21 here:
http://forum.mikrotik.com/t/gp-csa-for-mikrotik-devices/182176/1

I don’t think that’s much of an issue.