I moved the post below from beginner basics to here since it got no replies there.
Obviously I deleted the original post to not have duplicates. Thank you for your help.
Hi, I will install in a few days a new rb2011 as a home router, and I looked into its setup.
Most stuff should be already ok in the default settings, but I’ve read default setup doesn’t have rules on the forward chain, so I’ve looked a bit into firewalling
I’d like to have a simple firewall (the less I write, the less I write wrong stuff) and found one here on the forums, and I modified it a bit.
Since the rules were duplicated I jumped from input and forward to one chain only (am I wrong doing this?), I removed icmp from WAN, and I set bridge-local as interface name.
Specifying in-interface, I don’t need to write LAN ip addresses, correct?

#Router and internal network protection, no internal servers, LAN is friendly
#http://forum.mikrotik.com/t/firewall-rules/69251/1 jumping to mainrules chain, not allowing icmp, bridge-local as in-interface
add chain=mainrules action=drop connection-state=invalid comment="Block invalid connections"
add chain=mainrules action=accept connection-state=new in-interface=bridge-local comment="Allow access to router and Internet only from LAN"
add chain=mainrules action=accept connection-state=established comment="Allow established connections"
add chain=mainrules action=accept connection-state=related comment="Allow related connections"
add chain=mainrules action=drop comment="drop everything else"

Then, I’ll have some ip cams…
May I just use, separately from the above firewall, something like the basic example of the wiki, obviously changing ip and ports?

/ip firewall nat add chain=dstnat dst-port=1234 action=dst-nat protocol=tcp to-address=192.168.1.1 to-port=1234

Then, I’ll have to set up many other things, but that will be a separate post.
Personally I would leave the chains separate. And yes you can use that DST-NAT… but you also need to allow it on your forward chain if you use a default drop.
If that wasn’t your question then clarify it a bit…
but you also need to allow it on your forward chain if you use a default drop
Sorry, I don't understand...
I thought that inserting a NAT rule would automatically open the port in the firewall...
If I use dst-nat for port 1234, should I manually open that port in the firewall?
Can you provide me an example?
Sorry for dumb questions, but I'll have little time to test my setup in the real world, so I need to "be prepared"
You should also create allow rules before the drop rule for the system that needs to be accessed from the outside.
Keep in mind that dst-nat will occur before filter, so your filter should contain the dst-nat rule to-address IP.
...
chain=forward action=accept protocol=tcp dst-address=192.168.1.3 dst-port=22 in-interface=
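An added example (not from the thread or from the MikroTik wiki) of what this reply describes: input and forward kept as separate chains, and the accept rule for the dst-nat'd camera placed in the forward chain before the final drop, matching the translated LAN address rather than the router's WAN address. The WAN interface name ether1, the camera address 192.168.1.10 and port 1234 are assumptions; adjust them to your setup.

```routeros
# Added example, not the poster's config. Assumed: WAN is ether1, LAN bridge is
# bridge-local, camera is 192.168.1.10 listening on tcp/1234.
/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
add chain=input action=drop connection-state=invalid comment="input: drop invalid"
add chain=input action=accept connection-state=established,related comment="input: established/related"
add chain=input action=accept in-interface=bridge-local comment="input: LAN may manage the router"
add chain=input action=drop comment="input: drop everything else"

# --- forward chain: traffic passing through the router (LAN <-> Internet) ---
add chain=forward action=drop connection-state=invalid comment="forward: drop invalid"
add chain=forward action=accept connection-state=established,related comment="forward: established/related"
add chain=forward action=accept in-interface=bridge-local comment="forward: LAN to Internet"
# dst-nat runs before filter, so this rule must match the camera's LAN address
# (the to-addresses value), not the router's public address. It has to sit
# above the final drop or it never matches.
add chain=forward action=accept connection-state=new protocol=tcp dst-address=192.168.1.10 dst-port=1234 in-interface=ether1 comment="forward: camera published via dst-nat"
add chain=forward action=drop comment="forward: drop everything else"

/ip firewall nat
# Port-forward tcp/1234 arriving on the WAN interface to the camera
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=1234 action=dst-nat to-addresses=192.168.1.10 to-ports=1234 comment="publish camera"
```

After loading it, /ip firewall filter print stats shows the camera rule's counters increasing when an outside client connects; if only the final forward drop counter grows, the accept rule is below the drop or its dst-address does not match the to-addresses value.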
So:
Router and internal network protection, no internal servers, LAN is friendly
Ok, so with these rules I’m just blocking everything incoming, directed to router or to LAN machines, except for the camera exceptions I’ll add… Shortly speaking, are these rules enough to protect my own network or should I look elsewhere?