I'm setting up CHR but the ruleset plus policy routing (which I don't know how to do), tunneling stuff, IDS/IPS and reverse proxy is so complicated (and basic, i.e; tunneling) that I' used a couple of pfSense instances chained in front of it instead with static rules to avoid NAT.
If I delete all the rules, remind me, will I get locked out or (frighteningly) defaulted in?
I'm a little confused because I cannot connect from the mobile app neither with the L3 nor the L2 addresses and I'm supposed to have a rule allowing all RFC1918-sourced traffic on all internal interfaces --or-- all interfaces since the firewall is not on the edge anymore. I'd use a network switch to route and call it a day but none of my switches route IPv6, which I want to add afterwards. :(
Does the firewall need to NAT if I'd wanted to use the captive portal in the future? It's not that important though, pfSense can handle it too but I'm curious about Mikrotik's portal API.