Dear ANAV, believe me, i now how little is my knowledge … and one of my favorite source is your posts.
I know I’m wrong somewhere and that’s why I turned to you guys for help. I did not at start with configurations because it was easier for me to start the topic with general information and already now I received confirmation that it can be done as I thought. Now I’ve given myself time to build a new lab that can throw out configurations
Everyday i try to find new pieces of wisdom and you help me a lot.
SERVER config:
/interface bridge
auto-mac=yes name=BridgeLAN
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
set [ find default-name=ether9 ] disable-running-check=no name=ether9-WAN
/interface wireguard
add listen-port=55555 mtu=1420 name=WG_Server_Host
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.100.101.1-10.100.101.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=BridgeLAN name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=BridgeLAN disabled=yes interface=ether9-WAN
add bridge=BridgeLAN interface=ether1
add bridge=BridgeLAN interface=ether2
add bridge=BridgeLAN interface=ether3
add bridge=BridgeLAN interface=ether4
add bridge=BridgeLAN interface=ether5
add bridge=BridgeLAN interface=ether6
add bridge=BridgeLAN interface=ether7
add bridge=BridgeLAN interface=ether8
/interface list member
add interface=ether9-WAN list=WAN
/interface wireguard peers
add allowed-address=10.1.1.0/26,10.100.101.0/24,10.100.102.0/24 endpoint-port=55555 interface=\
WG_Server_Host public-key="q6gOq9ez2inS01vWLW5LuyCFFTqCvuCu4RC0GrfPTRc="
add allowed-address=10.1.1.0/26,10.100.101.0/24,10.100.103.1/24 endpoint-port=55555 interface=\
WG_Server_Host persistent-keepalive=10s public-key=\
"6UIYMm2wsx6DRWoAQaRd+vYmtuYeTIUy3JlkohGEBko="
add allowed-address=10.1.1.0/26,10.100.101.1/24,10.100.104.0/24 endpoint-port=55555 interface=\
WG_Server_Host persistent-keepalive=10s public-key=\
"Eu9c01ZR7w4+e8pksbzAd+nSJCqQrQMXxPCyuHKdr0c="
/ip address
add address=10.100.101.1/24 interface=BridgeLAN network=10.100.101.0
add address=10.1.1.1/26 interface=WG_Server_Host network=10.1.1.0
/ip dhcp-client
add interface=ether9-WAN
/ip dhcp-server network
add address=10.100.101.0/24 gateway=10.100.101.0
/ip firewall filter
add action=accept chain=input src-address-list=Remote_Access
add action=drop chain=input comment="Block DNS Request on INCOMING WAN INTERFACE port 53" dst-port=\
53 in-interface-list=WAN protocol=tcp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" \
connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=\
established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" \
connection-state=established,related,untracked
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="L2TP VPN" dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment=IPSec-ESP protocol=ipsec-esp
add action=accept chain=output comment=IPSec-ESP protocol=ipsec-esp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface=ether9-WAN
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input \
comment="Port scanners to list" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input \
comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input \
comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input \
comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input \
comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="" address-list-timeout=2w chain=input comment=\
"ALL/ALL scan" protocol=tcp src-address-list="Port scanners" tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input \
comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping port scanners" in-interface-list=WAN log=yes \
log-prefix="Drop port scanners" src-address-list="Port scanners"
add action=drop chain=input comment="ftp brute forcers" dst-port=21 in-interface-list=WAN protocol=\
tcp src-address-list=ftp_blacklist
add action=accept chain=output comment="530 Login incorrect" content="530 Login incorrect" \
dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output \
comment="530 Login incorrect" content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="ssh brute forcers" dst-port=22 in-interface-list=WAN protocol=\
tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input \
connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10m chain=input \
connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m chain=input \
connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input \
connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="drop Black_list" in-interface-list=WAN protocol=tcp \
src-address-list=Black_list
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 in-interface-list=WAN \
protocol=tcp src-address-list=telnet_black_list
add action=add-src-to-address-list address-list=telnet_black_list address-list-timeout=1d chain=\
input connection-state=new dst-port=23 in-interface-list=WAN protocol=tcp src-address-list=\
telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input \
connection-state=new dst-port=23 in-interface-list=WAN protocol=tcp src-address-list=\
telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input \
connection-state=new dst-port=23 in-interface-list=WAN protocol=tcp src-address-list=\
telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input \
connection-state=new dst-port=23 in-interface-list=WAN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add disabled=no distance=50 dst-address=10.100.102.0/24 gateway=WG_Server_Host routing-table=main \
scope=10 suppress-hw-offload=no
add disabled=no distance=50 dst-address=10.100.103.0/24 gateway=WG_Server_Host pref-src="" \
routing-table=main scope=10 suppress-hw-offload=no target-scope=10
add disabled=no distance=50 dst-address=10.100.104.0/24 gateway=WG_Server_Host pref-src="" \
routing-table=main scope=10 suppress-hw-offload=no target-scope=10
/system identity
set name=MikroTik_1
HOST_1 config:
/interface bridge
add name=BridgeLAN
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
set [ find default-name=ether9 ] disable-running-check=no
set [ find default-name=ether10 ] disable-running-check=no
set [ find default-name=ether11 ] disable-running-check=no
/interface wireguard
add listen-port=55555 mtu=1420 name=WG_Host1_Server
/disk
set slot1 slot=slot1
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.100.102.2-10.100.102.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=BridgeLAN name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=BridgeLAN disabled=yes interface=ether11
add bridge=BridgeLAN interface=ether1
add bridge=BridgeLAN interface=ether2
add bridge=BridgeLAN interface=ether3
add bridge=BridgeLAN interface=ether4
add bridge=BridgeLAN interface=ether5
add bridge=BridgeLAN interface=ether6
add bridge=BridgeLAN interface=ether7
add bridge=BridgeLAN interface=ether8
add bridge=BridgeLAN interface=ether9
add bridge=BridgeLAN interface=ether10
/interface list member
add interface=ether11 list=WAN
/interface wireguard peers
add allowed-address=10.1.1.0/26,10.100.101.0/24,10.100.102.1/24 endpoint-address=10.11.20.50 endpoint-port=55555 interface=\
WG_Host1_Server persistent-keepalive=10s public-key="3OLElWXWqYXQZ4xonwrh/j0pHyDZKZBewaN9qnoMBUQ="
/ip address
add address=10.100.102.1/24 interface=BridgeLAN network=10.100.102.0
add address=10.1.1.2/26 interface=WG_Host1_Server network=10.1.1.0
/ip dhcp-client
add interface=ether11
/ip dhcp-server network
add address=10.100.102.0/24 gateway=10.100.102.1
/ip firewall filter
add action=accept chain=input src-address-list=Remote_Access
add action=drop chain=input comment="Block DNS Request on INCOMING WAN INTERFACE port 53" dst-port=53 in-interface-list=WAN \
protocol=tcp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="L2TP VPN" dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment=IPSec-ESP protocol=ipsec-esp
add action=accept chain=output comment=IPSec-ESP protocol=ipsec-esp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat connection-state=new \
in-interface-list=WAN
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment=\
"Port scanners to list" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment=\
"NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" \
protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" \
protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" \
protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp \
src-address-list="Port scanners" tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" \
protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping port scanners" in-interface-list=WAN log=yes log-prefix="Drop port scanners" \
src-address-list="Port scanners"
add action=drop chain=input comment="ftp brute forcers" dst-port=21 in-interface-list=WAN protocol=tcp src-address-list=\
ftp_blacklist
add action=accept chain=output comment="530 Login incorrect" content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m \
protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output comment="530 Login incorrect" \
content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="ssh brute forcers" dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=\
ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=\
22 in-interface-list=WAN protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10m chain=input connection-state=new dst-port=22 \
in-interface-list=WAN protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m chain=input connection-state=new dst-port=22 \
in-interface-list=WAN protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 \
in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="drop Black_list" in-interface-list=WAN protocol=tcp src-address-list=Black_list
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 in-interface-list=WAN protocol=tcp src-address-list=\
telnet_black_list
add action=add-src-to-address-list address-list=telnet_black_list address-list-timeout=1d chain=input connection-state=new \
dst-port=23 in-interface-list=WAN protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 \
in-interface-list=WAN protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 \
in-interface-list=WAN protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 \
in-interface-list=WAN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system identity
set name=MikroTik_2
HOST_2 config:
/interface bridge
add name=BridgeLAN
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
set [ find default-name=ether9 ] disable-running-check=no
set [ find default-name=ether10 ] disable-running-check=no
set [ find default-name=ether11 ] disable-running-check=no
/interface wireguard
add listen-port=55555 mtu=1420 name=WG_Host2_Server
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.100.103.2-10.100.103.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=BridgeLAN name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=BridgeLAN disabled=yes interface=ether11
add bridge=BridgeLAN interface=ether1
add bridge=BridgeLAN interface=ether2
add bridge=BridgeLAN interface=ether3
add bridge=BridgeLAN interface=ether4
add bridge=BridgeLAN interface=ether5
add bridge=BridgeLAN interface=ether6
add bridge=BridgeLAN interface=ether7
add bridge=BridgeLAN interface=ether8
add bridge=BridgeLAN interface=ether9
add bridge=BridgeLAN interface=ether10
/interface list member
add interface=ether11 list=WAN
/interface wireguard peers
add allowed-address=10.1.1.0/26,10.100.101.0/24,10.100.103.1/24 endpoint-address=10.11.20.50 endpoint-port=55555 interface=WG_Host2_Server persistent-keepalive=10s public-key="3OLElWXWqYXQZ4xonwrh/j0pHyDZKZBewaN9qnoMBUQ="
/ip address
add address=10.100.103.1/24 interface=BridgeLAN network=10.100.103.0
add address=10.1.1.3/26 interface=WG_Host2_Server network=10.1.1.0
/ip dhcp-client
add interface=ether11
/ip dhcp-server network
add address=10.100.103.0/24 gateway=10.100.103.1
/ip firewall filter
add action=accept chain=input src-address-list=Remote_Access
add action=drop chain=input comment="Block DNS Request on INCOMING WAN INTERFACE port 53" dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="L2TP VPN" dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment=IPSec-ESP protocol=ipsec-esp
add action=accept chain=output comment=IPSec-ESP protocol=ipsec-esp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment="Port scanners to list" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp src-address-list="Port scanners" tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping port scanners" in-interface-list=WAN log=yes log-prefix="Drop port scanners" src-address-list="Port scanners"
add action=drop chain=input comment="ftp brute forcers" dst-port=21 in-interface-list=WAN protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output comment="530 Login incorrect" content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output comment="530 Login incorrect" content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="ssh brute forcers" dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10m chain=input connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m chain=input connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="drop Black_list" in-interface-list=WAN protocol=tcp src-address-list=Black_list
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 in-interface-list=WAN protocol=tcp src-address-list=telnet_black_list
add action=add-src-to-address-list address-list=telnet_black_list address-list-timeout=1d chain=input connection-state=new dst-port=23 in-interface-list=WAN protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 in-interface-list=WAN protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 in-interface-list=WAN protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 in-interface-list=WAN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/system identity
set name=MikroTik_3
HOST_3 config:
/interface bridge
add name=BridgeLAN
/interface ethernet
set [ find default-name=ether1 ] disable-running-check=no
set [ find default-name=ether2 ] disable-running-check=no
set [ find default-name=ether3 ] disable-running-check=no
set [ find default-name=ether4 ] disable-running-check=no
set [ find default-name=ether5 ] disable-running-check=no
set [ find default-name=ether6 ] disable-running-check=no
set [ find default-name=ether7 ] disable-running-check=no
set [ find default-name=ether8 ] disable-running-check=no
set [ find default-name=ether9 ] disable-running-check=no
set [ find default-name=ether10 ] disable-running-check=no
set [ find default-name=ether11 ] disable-running-check=no
/interface wireguard
add listen-port=55555 mtu=1420 name=WG_Host3_Server
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=10.100.104.2-10.100.104.254
/ip dhcp-server
add address-pool=dhcp_pool0 interface=BridgeLAN name=dhcp1
/port
set 0 name=serial0
/interface bridge port
add bridge=BridgeLAN disabled=yes interface=ether11
add bridge=BridgeLAN interface=ether1
add bridge=BridgeLAN interface=ether2
add bridge=BridgeLAN interface=ether3
add bridge=BridgeLAN interface=ether4
add bridge=BridgeLAN interface=ether5
add bridge=BridgeLAN interface=ether6
add bridge=BridgeLAN interface=ether7
add bridge=BridgeLAN interface=ether8
add bridge=BridgeLAN interface=ether9
add bridge=BridgeLAN interface=ether10
/interface list member
add interface=ether11 list=WAN
/interface wireguard peers
add allowed-address=10.1.1.0/26,10.100.101.0/24,10.100.104.0/24 endpoint-address=10.11.20.50 endpoint-port=55555 interface=WG_Host3_Server persistent-keepalive=10s public-key="3OLElWXWqYXQZ4xonwrh/j0pHyDZKZBewaN9qnoMBUQ="
/ip address
add address=10.100.104.1/24 interface=BridgeLAN network=10.100.104.0
add address=10.1.1.4/26 interface=WG_Host3_Server network=10.1.1.0
/ip dhcp-client
add interface=ether11
/ip dhcp-server network
add address=10.100.104.0/24 gateway=10.100.104.1
/ip firewall filter
add action=accept chain=input src-address-list=Remote_Access
add action=drop chain=input comment="Block DNS Request on INCOMING WAN INTERFACE port 53" dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=drop chain=forward dst-port=53 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related hw-offload=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=accept chain=input comment="PPTP VPN" dst-port=1723 protocol=tcp
add action=accept chain=input comment="L2TP VPN" dst-port=500,1701,4500 protocol=udp
add action=accept chain=input comment=IPSec-ESP protocol=ipsec-esp
add action=accept chain=output comment=IPSec-ESP protocol=ipsec-esp
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow Port Forwarding" connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment="Port scanners to list" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp src-address-list="Port scanners" tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Dropping port scanners" in-interface-list=WAN log=yes log-prefix="Drop port scanners" src-address-list="Port scanners"
add action=drop chain=input comment="ftp brute forcers" dst-port=21 in-interface-list=WAN protocol=tcp src-address-list=ftp_blacklist
add action=accept chain=output comment="530 Login incorrect" content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output comment="530 Login incorrect" content="530 Login incorrect" protocol=tcp
add action=drop chain=input comment="ssh brute forcers" dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10m chain=input connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m chain=input connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="drop Black_list" in-interface-list=WAN protocol=tcp src-address-list=Black_list
add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 in-interface-list=WAN protocol=tcp src-address-list=telnet_black_list
add action=add-src-to-address-list address-list=telnet_black_list address-list-timeout=1d chain=input connection-state=new dst-port=23 in-interface-list=WAN protocol=tcp src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=23 in-interface-list=WAN protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=23 in-interface-list=WAN protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=23 in-interface-list=WAN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip route
add disabled=no distance=50 dst-address=10.100.101.0/24 gateway=WG_Host3_Server routing-table=main scope=10 suppress-hw-offload=no
/system identity
set name=MikroTik_4
