The only things I changed afterwards are installing a VPN server, adding a guest VLAN and blocking all traffic from the guest VLAN.
Another problem I can't solve is how to block all guest vlan traffic to the router itself (Winbox/web/etc.).
This is my config:
0 D ;;; special dummy rule to show fasttrack counters chain=forward action=passthrough
1 ;;; defconf: accept ICMP chain=input action=accept protocol=icmp
2 ;;; defconf: accept established,related chain=input action=accept connection-state=established,related
3 ;;; L2TP VPN chain=input action=accept protocol=udp dst-port=500 log=no log-prefix=""
4 chain=input action=accept protocol=udp dst-port=1701 log=no log-prefix=""
5 chain=input action=accept protocol=udp dst-port=4500 port="" log=no log-prefix=""
6 ;;; defconf: drop all from WAN chain=input action=drop in-interface=WAN
7 ;;; defconf: fasttrack chain=forward action=fasttrack-connection connection-state=established,related
8 ;;; drop guest vlan to defconf chain=forward action=drop in-interface=vlan-guest out-interface=!WAN log=no log-prefix=""
9 ;;; defconf: accept established,related chain=forward action=accept connection-state=established,related
10 ;;; defconf: drop invalid chain=forward action=drop connection-state=invalid
11 ;;; defconf: drop all from WAN not DSTNATed chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface=WAN
0 ;;; defconf: masquerade chain=srcnat action=masquerade out-interface=WAN
1 chain=dstnat action=dst-nat to-addresses=192.168.50.10 to-ports=22 protocol=tcp in-interface=WAN dst-port=50022 log=no log-prefix=""
2 ;;; masq. vpn traffic chain=srcnat action=masquerade src-address=0.89.168.192-255.89.168.192
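One way to close the second gap the post describes (the guest VLAN reaching the router's own services such as Winbox, WebFig, SSH and the L2TP/IPsec ports) is an input-chain drop placed ahead of the defconf accept rules. The RouterOS commands below are an added example, not part of the original post or the poster's config. They assume the guest interface is named vlan-guest and the defconf rule comments are exactly as printed above; they also assume guest clients get DHCP and DNS from the router (drop those two accept rules if a separate server does that) and that the VPN address pool is 192.168.89.0/24 (an assumption about the srcnat rule, which as printed matches the range 0.89.168.192-255.89.168.192 rather than one /24).

```routeros
# Added example, not the poster's configuration.
# Assumptions: interface vlan-guest, comments as printed in the post,
# router serves DHCP/DNS to guests, VPN pool 192.168.89.0/24.
/ip firewall filter

# Each rule is inserted immediately before "defconf: accept ICMP", so after all
# three commands the input chain reads: DHCP accept, DNS accept, guest drop,
# then the original defconf rules. New guest connections to Winbox/WWW/SSH/
# L2TP never reach the later accept rules.
add chain=input action=accept in-interface=vlan-guest protocol=udp dst-port=67 \
    comment="guest: allow DHCP to router" \
    place-before=[find comment="defconf: accept ICMP"]
add chain=input action=accept in-interface=vlan-guest protocol=udp dst-port=53 \
    comment="guest: allow DNS to router" \
    place-before=[find comment="defconf: accept ICMP"]
add chain=input action=drop in-interface=vlan-guest \
    log=yes log-prefix="guest-input-drop" \
    comment="guest: drop everything else to router" \
    place-before=[find comment="defconf: accept ICMP"]

# Verify the order: the three guest rules must appear before "accept ICMP".
/ip firewall filter print where chain=input

# Assumption: the VPN pool is 192.168.89.0/24. The printed srcnat rule uses a
# reversed range that spans far more than that; narrow it to the pool.
/ip firewall nat
set [find comment="masq. vpn traffic"] src-address=192.168.89.0/24
```

The order matters because RouterOS evaluates input rules top to bottom and the defconf "accept ICMP" and the L2TP/IPsec accept rules otherwise match guest traffic first; the catch-all guest drop sits after the two narrow accepts, so guests still get an address and name resolution but nothing else on the router. Logging the drops gives a quick way to confirm the rule is actually hit (and to spot guest devices probing management ports) in /log. The existing forward rule 8 already stops guest-to-LAN traffic, so the two chains together isolate the guest VLAN.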