I've got the HAP Lite today and got to play with it a bit! I was surprised to see it is so small
but oh man, how many things this little guy could do.
I set it up as my main router in my office, that is:
Huawei ADSL modem put in Bridge mode
- ether1 - WAN
- put a PPPoE client on ether1 (checked Use peer DNS and add default route)
- switched ether2 + ether3 + ether4 by setting ether3 and ether4 as slaves of ether2
- wlan1 and ether2 made into a bridge, bridge1
- set up IP of 192.168.1.1/24 on bridge1
- set up DHCP server on bridge1, with range from .2 - .254, DNS set to 192.168.1.1, additional 18.104.22.168 and 22.214.171.124
- set DNS with Allow Remote Requests to enable caching
- wlan1 configured with security profile, WPA2
Connected ether1 to LAN1 of the ADSL modem and fired it up; it has been working till this very moment.
Now, after I read the wiki I am planning to understand the firewall, but I have a few questions, among others:
1. What exactly does an "established" connection mean? What about related and invalid? Could you give an example?
I would like to know why the following rule would not allow a "hacker" to make a connection to my router:
add chain=input connection-state=established comment="Accept established connections"
2. I did set up some basic rules, like accept on the input chain everything from the LAN and drop everything else. As far as I understand, this breaks DNS because the router can ask for DNS resolution and when the answer comes back from the external DNS server, it gets dropped; the same goes for NTP, ping, cloud, right? So I set up a rule to allow all UDP, but it doesn't seem to work; the same goes for ping, cloud, etc., when the "drop" rule is active.
Here is my firewall export:
[admin@MikroTik] /ip firewall> export
# oct/02/2015 22:11:57 by RouterOS 6.25
# software id = UM3I-I1CV
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
/ip firewall filter
add chain=input src-address-list=LAN
add chain=input protocol=udp
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
I then added a new rule to allow all ICMP on the input chain and I could get ping working again:
add chain=input protocol=icmp
3. I want to manage my router from the Internet via Winbox; is this rule enough to do that?
add chain=input protocol=tcp dst-port=8291 comment="winbox"
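As an added illustration of questions 1 and 2 (not part of the original post and not RouterOS code), the following Python sketch models a connection tracker and replays the same packets against two input chains: the one posted above (accept LAN, accept all UDP, accept ICMP, drop) and a stateful variant that accepts established/related and drops invalid first. The tracker is a deliberately simplified version of what RouterOS connection tracking does: a flow becomes tracked only once the router sends it or the firewall accepts its first packet, a packet matching a tracked flow in either direction is "established", an ICMP error quoting a tracked flow is "related", a mid-stream TCP segment for an unknown flow is "invalid", and anything else is "new". The WAN, upstream resolver and remote host addresses are constructed placeholders from documentation ranges.

```python
"""Toy stateful input chain, written to illustrate connection-state matching.
Added example code; the tracker is a simplified model, not the real RouterOS engine."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

LAN = ip_network("192.168.1.0/24")   # the address-list from the post
ROUTER_LAN = "192.168.1.1"           # bridge1 address from the post
ROUTER_WAN = "203.0.113.10"          # constructed placeholder for the PPPoE address
DNS = "198.51.100.53"                # constructed placeholder for an upstream resolver
STRANGER = "192.0.2.7"               # constructed placeholder for an unknown Internet host


@dataclass(frozen=True)
class Packet:
    proto: str                       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False                # tcp only: True for the first packet of a handshake
    icmp_error_for: Optional[tuple] = None   # icmp error quoting an original flow tuple


def flow(p: Packet) -> tuple:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


class ConnTracker:
    """Remembers accepted flows and labels later packets with a connection state."""

    def __init__(self) -> None:
        self.table: set = set()

    def state(self, p: Packet) -> str:
        fwd = flow(p)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if p.icmp_error_for is not None:
            # An ICMP error is "related" only if it quotes a flow we already track
            return "related" if p.icmp_error_for in self.table else "invalid"
        if fwd in self.table or rev in self.table:
            return "established"     # belongs to a flow seen before, in either direction
        if p.proto == "tcp" and not p.syn:
            return "invalid"         # TCP segment without SYN for a flow we never saw
        return "new"                 # first packet of a flow nobody asked for yet

    def confirm(self, p: Packet) -> None:
        self.table.add(flow(p))      # only sent or accepted "new" packets become tracked


# Input chain as posted: accept LAN, accept all udp, accept icmp, drop the rest
POSTED_INPUT = [
    (lambda p, s: ip_address(p.src) in LAN, "accept", "src-address-list=LAN"),
    (lambda p, s: p.proto == "udp", "accept", "protocol=udp"),
    (lambda p, s: p.proto == "icmp", "accept", "protocol=icmp"),
    (lambda p, s: True, "drop", "drop"),
]

# Stateful variant: replies to the router's own traffic get in, unsolicited traffic does not
STATEFUL_INPUT = [
    (lambda p, s: s in ("established", "related"), "accept", "connection-state=established,related"),
    (lambda p, s: s == "invalid", "drop", "connection-state=invalid"),
    (lambda p, s: ip_address(p.src) in LAN, "accept", "src-address-list=LAN"),
    (lambda p, s: p.proto == "icmp", "accept", "protocol=icmp"),
    (lambda p, s: True, "drop", "drop"),
]


class Firewall:
    def __init__(self, input_chain: list) -> None:
        self.chain = input_chain
        self.ct = ConnTracker()

    def router_sends(self, p: Packet) -> None:
        """The output chain in the post is empty, so the router's own packets pass and get tracked."""
        self.ct.confirm(p)

    def input(self, p: Packet) -> tuple:
        """Run the input chain top to bottom; returns (action, state, comment of the matching rule)."""
        s = self.ct.state(p)
        for match, action, comment in self.chain:
            if match(p, s):
                if action == "accept" and s == "new":
                    self.ct.confirm(p)   # an accepted new packet opens a tracked flow
                return action, s, comment
        return "drop", s, "implicit"


def scenario(chain: list) -> dict:
    """Replay one packet set against a chain; returns {label: (action, state)}."""
    fw = Firewall(chain)
    query = Packet("udp", ROUTER_WAN, 40000, DNS, 53)   # router's own DNS lookup (caching resolver)
    fw.router_sends(query)
    packets = {
        "dns_reply": Packet("udp", DNS, 53, ROUTER_WAN, 40000),                 # answer to that lookup
        "unsolicited_udp": Packet("udp", STRANGER, 5555, ROUTER_WAN, 53),        # nobody asked for this
        "stray_tcp_ack": Packet("tcp", STRANGER, 4444, ROUTER_WAN, 8291),        # no SYN, no known flow
        "icmp_error": Packet("icmp", DNS, 0, ROUTER_WAN, 0, icmp_error_for=flow(query)),
        "lan_winbox": Packet("tcp", "192.168.1.50", 50000, ROUTER_LAN, 8291, syn=True),
    }
    return {label: fw.input(p)[:2] for label, p in packets.items()}


if __name__ == "__main__":
    for name, chain in (("posted", POSTED_INPUT), ("stateful", STATEFUL_INPUT)):
        print(name, scenario(chain))
```

Running it shows why the posted chain lets the DNS reply through: the rule that matches is `protocol=udp`, which also accepts any unsolicited UDP packet sent to the router, whereas the stateful chain accepts the reply because it matches a flow the router itself opened and drops the unsolicited packet as "new". An inbound TCP segment that is not part of a handshake is "invalid" under both chains and never reaches the accept rules.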