> router ip: 192.168.1.1 (I want to maintain the router from ports 8728, 8291, 80)
> nas: 192.168.1.100 (I want from 8080, 21)
> nintendo switch: 192.168.1.18 (need DMZ, because it has no UPnP)

I have a Mikrotik router at my house and my Nintendo Switch works just fine w/o any NAT rules or UPnP whatsoever.
> router ip: 192.168.1.1 (I want to maintain the router from ports 8728, 8291, 80)

As normal, ZeroByte had it right, but if you are going to allow internet access to your router, you need to look very seriously at access security. There are several different things that can be implemented, including (but not limited to):
> Use of non-standard port numbers (for God's sake, don't use port 80),

This isn't really useful in today's world. Port scanners also fingerprint the sockets they discover, so even if it's sshd running on port 9147, they'll find and catalog it.
> I don't know which is my =MyWanInterfaceName, would you mind reminding me?

In your screenshots it appears to be ether1.
> > Use of non-standard port numbers (for God's sake, don't use port 80),
>
> This isn't really useful in today's world. Port scanners also fingerprint the sockets they discover, so even if it's sshd running on port 9147, they'll find and catalog it.

That is sort of true. Casual attacks are only looking for the more commonly used ports. Even if a port scanner is trying every port and fingerprinting it (and yes, sophisticated scanners do this, as ZeroByte said), it's easy to include a set of filter rules that will block a port scanner from being able to accomplish much. I was reminded of this not long ago when I attempted a port scan on one of my routers at home, and it failed to find most of the ports that should have been open. Then I remoted into the router and, sure enough, the filter rules for blocking port scanners showed a large number of dropped packets. I disabled the port scanner blocker rules, ran the port scan again and found exactly the expected open ports (I was happy). Yes, I then remembered to re-enable the port scanner blocker rules.
# Menu path assumed; the snippet was pasted without it. These rules live in a
# custom chain, so they only run if a rule in the input/forward chain jumps to
# chain=Attack (that jump rule is not part of the posted snippet).
/ip firewall filter
# Hard block: anything on the manually maintained list is dropped and logged
add action=drop chain=Attack comment="Drop all connections from IPs on the Manual Blacklist" \
    log=yes log-prefix="Manual Blacklist" src-address-list="Manual Blacklist"
# Port-scan detection: psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
# (ports <=1024 weigh 3, higher ports weigh 1; 21 points within 3s = scan)
add action=drop chain=Attack comment="Detect and drop TCP port scan connections" \
    protocol=tcp psd=21,3s,3,1
add action=drop chain=Attack comment="Detect and drop UDP port scan connections" \
    protocol=udp psd=21,3s,3,1
# Hosts on the Safe list leave the chain here, before the DoS rules below
add action=return chain=Attack comment="Prevent safe IPs from getting tarpitted." \
    src-address-list=Safe
# Already-blacklisted sources with 3+ connections per /32 get tarpitted
add action=tarpit chain=Attack comment="Suppress DoS attack by tarpitting" \
    connection-limit=3,32 protocol=tcp src-address-list=Black_list
# More than 10 connections from one /32 puts the source on Black_list for a day
add action=add-src-to-address-list address-list=Black_list address-list-timeout=1d \
    chain=Attack comment="Detect DoS attack" connection-limit=10,32 log=yes \
    log-prefix="Black list" protocol=tcp
add action=return chain=Attack comment="Return from Attack chain"
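To make the `psd=21,3s,3,1` matcher in the rules above concrete, here is an added example (my own code, not from the thread or from MikroTik) that models its weighting over constructed connection records: each packet from a source to a destination port it has not hit before adds 3 points for a privileged port (<= 1024) or 1 point for a high port, a gap of more than 3 s between packets starts a fresh sequence, and reaching 21 points matches the packet. The `Packet` type, the sample traffic and the `safe` exemption are constructed here; treating a source as still matching for the rest of its window once it has tripped the threshold is a simplifying assumption, not documented RouterOS behaviour.

```python
"""Port-scan detection modelled on the RouterOS `psd` matcher.

psd=WeightThreshold,DelayThreshold,LowPortWeight,HighPortWeight
(21,3s,3,1 in the posted rules).  Added example; Packet and the sample
traffic are constructed, the `safe` set is an assumption of this model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Packet:
    ts: float          # seconds since some epoch (constructed)
    src: str           # source address
    dport: int         # destination port
    proto: str = "tcp"


@dataclass
class _SourceState:
    last_ts: float = 0.0
    weight: int = 0
    ports: Set[int] = field(default_factory=set)
    scanning: bool = False   # assumption: stays matched inside the window


class PortScanDetector:
    def __init__(self, weight_threshold: int = 21, delay_threshold: float = 3.0,
                 low_port_weight: int = 3, high_port_weight: int = 1,
                 safe: Set[str] = frozenset()):
        self.threshold = weight_threshold
        self.delay = delay_threshold
        self.low = low_port_weight
        self.high = high_port_weight
        self.safe = set(safe)          # exempt sources (hypothetical Safe list)
        self.state: Dict[Tuple[str, str], _SourceState] = {}

    def matches(self, pkt: Packet) -> bool:
        """True if the psd rule would match (and the drop rule discard) pkt."""
        if pkt.src in self.safe:
            return False
        key = (pkt.src, pkt.proto)
        st = self.state.setdefault(key, _SourceState())
        # More than DelayThreshold since the last packet: new sequence.
        if st.ports and pkt.ts - st.last_ts > self.delay:
            st = self.state[key] = _SourceState()
        st.last_ts = pkt.ts
        if st.scanning:
            return True
        if pkt.dport in st.ports:       # repeat of a port already counted
            return False
        st.ports.add(pkt.dport)
        st.weight += self.low if pkt.dport <= 1024 else self.high
        if st.weight >= self.threshold:
            st.scanning = True
            return True
        return False


def run(packets: List[Packet], **kw) -> List[Tuple[str, int, str]]:
    """Replay packets through one detector; returns (src, dport, verdict)."""
    det = PortScanDetector(**kw)
    return [(p.src, p.dport, "drop" if det.matches(p) else "accept")
            for p in packets]


if __name__ == "__main__":
    # Constructed traffic: a fast scan of seven privileged ports trips the
    # threshold on the seventh probe; a slow scan (5 s apart) never does.
    fast = [Packet(0.1 * i, "203.0.113.7", p)
            for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443])]
    slow = [Packet(5.0 * i, "203.0.113.9", p)
            for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443])]
    for src, dport, verdict in run(fast) + run(slow):
        print(f"{src:14} port {dport:5} -> {verdict}")
```

The fast scan is dropped from the seventh privileged port onward, which is exactly why the author's own scan "failed to find most of the ports that should have been open": once the threshold is hit, the remaining probes never reach the listening services. One caveat about the posted rule order: the `return` for the Safe list sits after the two psd drops, so in the router it only exempts hosts from the tarpit and blacklist rules; the model above applies its exemption before the scan check, which is a deliberate difference.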