stopping login attempt to user admin

Hi all,
after I got all my network set up and running,
I found this alert:
login attempt.PNG
May I know how to stop this? Or is this a common occurrence?

Please mark this as solved;
once I disabled the API services, no more funny messages.

Post your config
/export hide-sensitive file=anynameyouwish if you want the config reviewed for security practices…

Hi Anav,

I will share the export file soon.

Thank you

Thanks Anav, I’ve attached the config. Please help with advice on the config.
review.rsc (6.4 KB)

One more thing, can anyone advise?
I’m following this instruction to secure the mac-server:
https://help.mikrotik.com/docs/display/ROS/First+Time+Configuration

I can’t add the local interface
as in the example given in the link:
/tool mac-server
disable 0;
add interface=local;

When I check in the WinBox GUI, there isn’t an option for add,
only the attached options:
mac server options.PNG
How should I add it only for the 2nd port access?

You have no firewall rules, so if there isn't any other device in between, this hEX should not be connected to the internet.
Also not sure why you have a bridge as it's only used for one ether port?? What is the purpose of your bridge??

Interface lists are made from the WinBox Interface List settings. You have to select the box around the word LISTS on the same line as the + symbol to create a new one.

Oh dear, how should I add the firewall rules? Is the basic one from the MikroTik wiki OK?
Or is there a default firewall rule config I can load up?

The bridge was created following the MikroTik wiki, when I connect using a Mac. Should I remove this bridge?
I’m following this guide:
https://help.mikrotik.com/docs/display/ROS/First+Time+Configuration

OK, I’ll fiddle around with the + in the list.

Hi Anav,

I’ve added some fw rules from https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router#IPv4_firewall_to_a_router
for IPv4 only though, as I disabled IPv6, so I didn’t set any fw rules on IPv6.
I’ve attached the config; any advice is very much appreciated.
fwreview.rsc (10.8 KB)

Unless you intend to use the MT app with your router, this setting can be set to NONE.
/interface detect-internet
set detect-interface-list=all

The one thing I would do is remove the bridge as it really serves no purpose here.
You have four independent subnets each assigned to a port and thus the use of a bridge is not required (nor do you use VLANs).
However, there is nothing wrong with the current setup as it will work, so you don't have to do anything; just a suggestion.

More importantly is the firewall rules and the rest… so will look now.

(1) Remove this stuff, it can be very CPU intensive and with https traffic being the norm, not as effective as it used to be. It's advanced config programming that one should avoid until you understand it.
/ip firewall layer7-protocol
add name=youtube regexp="^.+(youtube.com|www.youtube.com|m.youtube.com|ytimg.com|s.ytmig.com|ytimg.l.google.com|youtube.l.google.com|i.google.com|googlevideo.com|youtu.be|youtubekids.com).*$"

(2) I don't usually do all the list of firewall addresses etc, but no harm in that, not too much bloat so to speak.

I would add this rule in the input chain just before the ICMP allow rule, it seems to be missing.
add action=drop chain=input comment="Drop invalid" connection-state=invalid

(3) I personally don't like providing all your SUBNETS full access to the router. Only the admin needs full access to the router.
So if there is only one subnet the admin will use to access and configure the router, that is the only subnet that should have full access to the router.
The other subnets should at least have access to the services provided by the router that they may be using (which they get now because you gave them full access).

Typically it's just DNS services (some have NTP services as well).
So I recommend the following idea.
Add this rule in front of the existing rule (otherwise you may lock yourself out due to the drop-all rule you have at the end of the input chain - great rule, but disable it while making these changes and then turn it back on to be on the safe side). When done and happy you can remove the old rule and re-enable the drop-all rule.

add action=accept chain=input comment="Allow ADMIN to Router" log-prefix=AdminAccess in-interface-list=ServicePortOnly
(AND OPTIONAL ----> ) src-address-list=authorized

Basically here we limit full access to the router to your interface list entry of ServicePortOnly and, if you want to limit that further, only to the IP addresses of the admin's devices
(desktop, laptop, iPad, smartphone etc, statically set in the DHCP leases); that is up to you.

(4) By the way I noted that one subnet didn't get full access to the router, which means it would not be getting proper DNS services from the router either.
To fix that and to provide the necessary services to the subnets no longer with full access you need the following rules:

add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=AllLAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=AllLAN protocol=udp

If you dont want DVR to have DNS services, then my suggestion is to remove it from the AllLan list…

(5) Now we get to the horror show of your forward chain…egads, butt ugly. Let's clean it up and simplify!!!

Reduce it to this:
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=allow chain=forward comment="Allow internet traffic" in-interface-list=AllLAN out-interface-list=WAN (remember to remove DVR5 from AllLAN if it shouldn't have internet)
add action=allow chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=drop chain=forward comment="Drop all else!"


That's all you need, and the drop-all-else rule drops all other traffic (not already allowed LAN 2 LAN, LAN 2 WAN, WAN 2 LAN). Without the drop-all rule at the end, all the subnets could find each other because the router will route them at L3, and it's a very efficient way of doing this vice stating that all the subnets have to block traffic from each other in a larger number of rules!!

However you do have all the firewall addresses and had a few more rules (that I don't use), but I will see where they may fit.
Okay, only one rule really applies, and that is to block, just before allowing internet traffic from your subnets, any requests from those subnets to non-public IPs.
The rest are covered by the allow rule for only IPs from AllLAN and by the drop-all rule at the end.

add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward in-interface-list=AllLAN dst-address-list=not_in_internet
add action=allow chain=forward comment="Allow internet traffic" in-interface-list=AllLAN out-interface-list=WAN (remember to remove DVR5 from AllLAN if it shouldn't have internet)
add action=allow chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=drop chain=forward comment="Drop all else!"

I actually used the MikroTik mobile app. Quite handy when you want to block YouTube on your kids' PC on request. :smiley:
You are referring to this https://play.google.com/store/apps/details?id=com.mikrotik.android.tikapp&hl=en&gl=US right?

Thanks for the suggestion, I’ve removed the bridge. I actually wanted to remove it since yesterday as it seemed unused, but I wasn’t sure of the impact.

Thanks in advance, will wait for your feedback.

Yes, that is the correct link, but I have to go wash my hands now, as I am an IPHONE user LOL.
The bridge removal is fine.

When to use a bridge but not use VLANs: when two or more ports are using the same DHCP settings, then using the bridge is effective in grouping ports for L2 separation from ports and subnets off the bridge. Keep in mind that all subnets require L3 firewall separation, including VLANs, and this is accomplished on the forward chain of firewall rules (in our case the last rule, block all else, does this for us).

I used this for blocking YouTube during my kids' study period. Or is there another good way to block YouTube?

Added

Yes, that is what happened the first time I played around with this router: I got locked out and in panic I reset the whole thing.
My general idea for this is so I can manage the router wherever I am in the house covered by the WLAN, using my laptop or the MikroTik Android app.
(Just a little control freak.) Can the access for admin access be reversed? i.e. I ensure my devices' IPs are static in both wired & wireless and list only those IPs that can have admin access.


Added. May I know where I should prioritise these 2 rules? After ICMP?

Done
add action=allow chain=forward comment="Allow internet traffic" in-interface-list=AllLAN out-interface-list=WAN (remember to remove DVR5 from AllLAN if it shouldn't have internet)
add action=allow chain=forward comment="Allow port forwarding" connection-nat-state=dstnat
I can’t find action=allow, so I assume action=accept?
All the previous drop rules are gone.
I’m still including DVR in AllLan as it needs internet for us to check.

OK, this last part. Similar to below?
I’ve attached the complete export as well.

/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=input comment="default configuration" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input comment="\"Drop invalid\"" connection-state=\
    invalid
add action=drop chain=forward comment=\
    "block Just before allowing internet traffic from your subnets" \
    dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" \
    in-interface-list=AllLan out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" \
    connection-nat-state=dstnat connection-state=new in-interface=1modem log=\
    yes log-prefix=PortForwardedTraffic
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
    connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
    connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=forward comment="Established, Related" \
    connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
    log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop all else!"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=1modem
add action=dst-nat chain=dstnat comment="to see cctv from outside" dst-port=\
    8000 in-interface=1modem protocol=tcp to-addresses=192.168.10.254 \
    to-ports=8000
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" \
    dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=\
    192.168.10.254 to-ports=8000

Noted on the bridge, and thanks, Apple fanboy LOL
fwreview2nd.rsc (10.2 KB)

If the YouTube rules work for you, by all means; I am surprised they do LOL.


The problem regarding admin access is that you will need to change the
Tools > MAC Server > MAC WinBox Server entry for allowed interface from ServicePortOnly to ALL.
I recommend you reserve access from ServicePortOnly though…

If you do feel the need to access from all subnets, then don't use an interface list entry of ServicePortOnly if you want to be able to access the router from any subnet in the house.
In this case just ensure whatever device you use has a static lease on that subnet and add that to the firewall address list.
So you may have four different IP addresses for your smartphone or laptop, for example, on the firewall address list.

Not sure what you mean if admin access can be reversed??
Adding the DNS rules just before the block-all rule is fine, or after ICMP as well.

Now to look at config…

argg…the order of your rules is now messed up.
For easy reading and fewer errors, typically one has all the input rules grouped together and all the forward rules grouped together…
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid
add action=drop chain=forward comment="block Just before allowing internet traffic from your subnets" dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=AllLan out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop all else!"

Also,
(1) You still have wide open address lists for subnets to the router vice an actual list of admin devices' IP addresses.
(2) The green block of rules in the middle should all be moved down as a group just before the last DROP ALL RULE in green. AKA after the invalid rule.
(3) The input chain rule for allowed access to router should be moved down one to below the invalid rule (well, see 4 first lol).
(4) The input chain rule for ICMP should be just after the invalid rule and before the allowed access rule.

Okay I missed this before…
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=192.168.10.254 to-ports=8000

If you want the wifi network to be able to access the CCTV, that is a forward firewall chain rule; stick this just before the drop-all rule (assumes the CCTV is on 5DVR):

add chain=forward action=accept in-interface=4wireless out-interface=5DVR dst-address=192.168.10.254 dst-port=8000 protocol=tcp


The question I have is what protections do you have from accessing the DVR from the outside?
Is there a simple username login? Is it encrypted?
In other words, your CCTV may be open to the world???

They work, only on 1 PC, but don't work on the other, which is weird.
I’ve made a post about it here http://forum.mikrotik.com/t/youtube-block-works-for-1-pc-but-not-working-for-other-pc/150524/1

OK, I’ve updated the address list to access the WinBox service as such:
winbox service.PNG
Now only accessible from port 2 and 2 static IPs.


OK, this should be how it looks.
firewall list sequence.PNG
Rule number 8 should already follow your suggestion “(1) You still have wide open address lists for subnets to the router vice an actual list of admin Devices IP addresses.”
Numbers 3 and 6 seem similar, only differing in input & forward; should 3 move to 6 and 6 be deleted?
Please cmiiw, but rules number 2 & 10 are the same, so number 2 should be deleted?
Number 9 is also, I think, not needed? This drops everything that is input, similar to drop everything else in number 17.

exported firewall as below

# jul/20/2021 09:30:02 by RouterOS 6.48.3
# software id = XF6Q-13TJ
#
# model = RB750Gr3
# serial number = CC220DD3DF58
/ip firewall layer7-protocol
add name=youtube regexp="^.+(youtube.com|www.youtube.com|m.youtube.com|ytimg.com|s.ytmig.com|ytimg.l.google.com|youtube.l.google.com|i.google.com|googlevideo.com|youtu.be|youtubekids.com).*$"
/ip firewall address-list
add address=192.168.0.242 list=allowed_to_router
add address=192.168.88.2-192.168.88.254 comment="Service Port IP" list=allowed_to_router
add address=192.168.8.100 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow Acces to router - Based on address list" src-address-list=allowed_to_router
add action=drop chain=input
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Block Just before allowing internet traffic from your subnets" dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=AllLan out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=accept chain=forward comment="Allow Wireless to access DVR" connection-nat-state=dstnat connection-state=new dst-address=192.168.10.254 dst-port=8000 in-interface=4wireless out-interface=5DVR protocol=tcp
add action=drop chain=forward comment="Drop youtube from Desktop DEHD" disabled=yes layer7-protocol=youtube src-address=192.168.0.242
add action=drop chain=forward comment="Drop youtube from Desktop QUNO" disabled=yes layer7-protocol=youtube src-address=192.168.8.100
add action=drop chain=forward comment="Drop all else!"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=1modem
add action=dst-nat chain=dstnat comment="to see cctv from outside" dst-port=8000 in-interface=1modem protocol=tcp to-addresses=192.168.10.254 to-ports=8000
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=192.168.10.254 to-ports=8000
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes

I’ve added the firewall rule (number 14 in the above post), but it seems something is missing.
I cannot see the camera through the Hikvision app from the wireless LAN, but I am able to see it from the Hikvision app from the mobile network (outside network).

In other words, yes, the DVR is open to the world.
But strangely I cannot access the DVR web menu from the outside network using the public IP or the No-IP DNS which I set up for the DVR.
The DVR is only accessible from the Hikvision mobile app using the No-IP DNS.


After fiddling around with the firewall sequence for “allowing wireless to access dvr” from 14 to 11
fwlistupdate.PNG
I am now able to see the camera from the wireless network, and have added a new firewall rule to drop WinBox attempts from the internet.
winbox.PNG
Please let me know your feedback on this fw setup; the export file is attached.
If it looks good I’ll remove the disabled ones.
fwreview3.rsc (11.2 KB)
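To make the ordering point concrete (the top-to-bottom, first-match walk Anav describes for the forward chain, and the reason the “Allow Wireless to access DVR” rule only started working once it was moved above the not_in_internet drop), here is an added example that is not from this thread or from MikroTik: a small Python simulator of RouterOS-style first-match chain evaluation. The interface lists, their membership and the sample packets are constructed from the thread's naming (1modem, 4wireless, 5DVR, AllLan, WAN); the address lists are copied from the export above; each rule carries only a subset of the matchers the real export uses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Interface lists: names follow the thread (AllLan, WAN, 1modem, 4wireless, 5DVR); membership is constructed.
INTERFACE_LISTS = {"AllLan": {"2service", "3lan", "4wireless", "5DVR"}, "WAN": {"1modem"}}
# Address lists copied from the export in the thread (hosts, prefixes and one dash-separated range).
ADDRESS_LISTS = {
    "allowed_to_router": ["192.168.0.242", "192.168.88.2-192.168.88.254", "192.168.8.100"],
    "not_in_internet": ["0.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "10.0.0.0/8", "169.254.0.0/16",
                        "127.0.0.0/8", "224.0.0.0/4", "198.18.0.0/15", "192.0.0.0/24", "192.0.2.0/24",
                        "198.51.100.0/24", "203.0.113.0/24", "100.64.0.0/10", "240.0.0.0/4", "192.88.99.0/24"],
}

def in_address_list(addr: str, list_name: str) -> bool:
    ip = ipaddress.ip_address(addr)
    for entry in ADDRESS_LISTS[list_name]:
        if "-" in entry:  # RouterOS range entry: first-last
            lo, hi = (ipaddress.ip_address(x) for x in entry.split("-"))
            if lo <= ip <= hi:
                return True
        elif ip in ipaddress.ip_network(entry, strict=False):
            return True
    return False

@dataclass
class Packet:
    in_iface: str
    out_iface: Optional[str] = None   # None in the input chain: the router itself is the destination
    src: str = "0.0.0.0"
    dst: str = "0.0.0.0"
    protocol: str = "tcp"
    dst_port: int = 0
    conn_state: str = "new"

@dataclass
class Rule:
    """One filter rule; a matcher left at None is a wildcard, as in RouterOS."""
    action: str
    comment: str = ""
    conn_state: Optional[Set[str]] = None
    in_list: Optional[str] = None
    out_list: Optional[str] = None
    in_iface: Optional[str] = None
    src_list: Optional[str] = None
    dst_list: Optional[str] = None
    dst: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return all((
            self.conn_state is None or p.conn_state in self.conn_state,
            self.in_list is None or p.in_iface in INTERFACE_LISTS[self.in_list],
            self.out_list is None or p.out_iface in INTERFACE_LISTS[self.out_list],
            self.in_iface is None or p.in_iface == self.in_iface,
            self.src_list is None or in_address_list(p.src, self.src_list),
            self.dst_list is None or in_address_list(p.dst, self.dst_list),
            self.dst is None or p.dst == self.dst,
            self.protocol is None or p.protocol == self.protocol,
            self.dst_port is None or p.dst_port == self.dst_port,
        ))

def first_match(chain: List[Rule], p: Packet) -> Tuple[str, str]:
    """Walk the chain top to bottom and return (action, comment) of the first hit.
    fasttrack-connection only marks the connection and lets the packet continue, so it never decides."""
    for r in chain:
        if r.action != "fasttrack-connection" and r.matches(p):
            return r.action, r.comment
    return "accept", "no rule matched (chain default)"

ES = {"established", "related"}
HEAD = [Rule("fasttrack-connection", "FastTrack", conn_state=ES),
        Rule("accept", "Established, Related", conn_state=ES),
        Rule("drop", "Drop invalid", conn_state={"invalid"})]
ALLOW_DVR = Rule("accept", "Allow Wireless to access DVR", conn_state={"new"}, in_iface="4wireless", dst="192.168.10.254", dst_port=8000, protocol="tcp")
BLOCK_BOGONS = Rule("drop", "Block non-internet destinations", in_list="AllLan", dst_list="not_in_internet")
ALLOW_INTERNET = Rule("accept", "Allow internet traffic", in_list="AllLan", out_list="WAN")
ALLOW_PORTFWD = Rule("accept", "Allow port forwarding", conn_state={"new"}, in_iface="1modem")
DROP_ALL = Rule("drop", "Drop all else!")
FORWARD_MINIMAL = HEAD + [ALLOW_INTERNET, ALLOW_PORTFWD, DROP_ALL]                         # the short list proposed above
FORWARD_BEFORE = HEAD + [BLOCK_BOGONS, ALLOW_INTERNET, ALLOW_PORTFWD, ALLOW_DVR, DROP_ALL]  # DVR accept below the bogon drop
FORWARD_AFTER = HEAD + [ALLOW_DVR, BLOCK_BOGONS, ALLOW_INTERNET, ALLOW_PORTFWD, DROP_ALL]   # DVR accept moved up
INPUT_CHAIN = [Rule("accept", "Established, Related", conn_state=ES),
               Rule("drop", "Drop invalid", conn_state={"invalid"}),
               Rule("accept", "Allow LAN DNS queries-UDP", conn_state={"new"}, in_list="AllLan", protocol="udp", dst_port=53),
               Rule("accept", "Allow LAN DNS queries - TCP", conn_state={"new"}, in_list="AllLan", protocol="tcp", dst_port=53),
               Rule("accept", "Allow ICMP", protocol="icmp"),
               Rule("accept", "Allow ADMIN to Router", src_list="allowed_to_router"),
               Rule("drop", "Drop all else (input)")]
# Constructed sample packets; addresses follow the thread's subnets.
WIRELESS_TO_DVR = Packet("4wireless", "5DVR", src="192.168.8.50", dst="192.168.10.254", dst_port=8000)
LAN_TO_INTERNET = Packet("3lan", "1modem", src="192.168.0.242", dst="1.1.1.1", dst_port=443)
LAN_TO_LAN = Packet("3lan", "5DVR", src="192.168.0.242", dst="192.168.10.254", dst_port=8000)
GUEST_DNS = Packet("4wireless", src="192.168.8.50", dst="192.168.8.1", protocol="udp", dst_port=53)
GUEST_WINBOX = Packet("4wireless", src="192.168.8.50", dst="192.168.8.1", dst_port=8291)
ADMIN_WINBOX = Packet("4wireless", src="192.168.8.100", dst="192.168.8.1", dst_port=8291)
WAN_WINBOX = Packet("1modem", src="198.51.100.7", dst="203.0.113.9", dst_port=8291)
```

Calling `first_match(FORWARD_BEFORE, WIRELESS_TO_DVR)` returns the bogon drop, because 192.168.10.254 sits inside the 192.168.0.0/16 entry of not_in_internet and 4wireless is in AllLan, so the accept rule further down is never reached; `first_match(FORWARD_AFTER, WIRELESS_TO_DVR)` returns the DVR accept. Under `FORWARD_MINIMAL` a LAN-to-LAN packet falls through to “Drop all else!”, which is the L3 isolation described earlier, and in `INPUT_CHAIN` a non-admin host gets its DNS query accepted while its WinBox connection, like one arriving on 1modem, is dropped by the final rule.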

Not going to comment until you fix the order of rules.
You have added more lines that are not correct, or at least I've never seen, such as the forward chain dst-nat rule which I don't understand…

OK, I’ve cleaned up the firewall rule list
firewall list sequence 0.4.PNG
The code export is as below.

# jul/20/2021 23:33:31 by RouterOS 6.48.3
# software id = XF6Q-13TJ
#
# model = RB750Gr3
# serial number = CC220DD3DF58
/ip firewall address-list
add address=192.168.0.242 list=allowed_to_router
add address=192.168.88.2-192.168.88.254 comment="Service Port IP" list=allowed_to_router
add address=192.168.8.100 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter
add action=accept chain=input comment="default configuration - Established, Related" connection-state=established,related
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid
add action=drop chain=input comment="Drop Winbox on WAN" dst-port=8291 in-interface=1modem protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=accept chain=forward comment="Allow Wireless to access DVR" connection-nat-state=dstnat connection-state=new dst-address=192.168.10.254 dst-port=8000 \
    in-interface=4wireless log=yes log-prefix=WirelessToDVR out-interface=5DVR protocol=tcp
add action=drop chain=forward comment="Block Just before allowing internet traffic from your subnets" dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=AllLan out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=drop chain=forward comment="Drop all else!"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=1modem
add action=dst-nat chain=dstnat comment="to see cctv from outside" dst-port=8000 in-interface=1modem protocol=tcp to-addresses=192.168.10.254 to-ports=8000
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=192.168.10.254 to-ports=8000
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes

Just curious, which one haven’t you seen?

dermawas, one hint:

/interface detect-internet
set detect-interface-list=none


Without checking if they are right or not, or whether something is missing, this is the correct order of the ones already written:

/ip firewall filter
add action=accept chain=input comment="default configuration - Established, Related" connection-state=established,related disabled=yes
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid disabled=yes
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow to router" disabled=yes log=yes log-prefix=AdminAccess src-address-list=allowed_to_router
duplicated —> add action=accept chain=input comment="Allow ADMIN to Router" disabled=yes log=yes log-prefix=AdminAccess src-address-list=allowed_to_router
add action=drop chain=input disabled=yes
add action=drop chain=forward comment="Drop youtube from Desktop DEHD" disabled=yes layer7-protocol=youtube src-address=192.168.0.242
add action=drop chain=forward comment="Drop youtube from Desktop QUNO" disabled=yes layer7-protocol=youtube src-address=192.168.8.100
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=accept chain=forward comment="Allow Wireless to access DVR" connection-nat-state=dstnat connection-state=new dst-address=192.168.10.254 dst-port=8000 in-interface=4wireless log=yes log-prefix=WirelessToDVR out-interface=5DVR protocol=tcp
add action=drop chain=forward comment="Block Just before allowing internet traffic from your subnets" dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=AllLan out-interface-list=WAN
add action=drop chain=forward comment="Drop all else!"