Dear Experts,
I am expierienced with firewalls, and new to Mikrotik products. VLAN, DHCP set, NAT for Internet setup is working, now i want to define the firewall.
At basic experimenting i have a big problem:
I have a generic FORWARD ACCEPT rule as Rule 0,
a generic INPUT ACCEPTule as Rule 1,
a generic FORWARD DENY as Rule 2.
When i activate Rule 2 -> no Internet, no interlan connection (E.g. 2LAN to VLAN20).
When i deactivate Rule 2, everything is ok?
I dont get it, RULE 0 should be handled first and overrule RULE 3?? Why does then RULE 3 affect ??
export:
# jan/02/1970 01:55:00 by RouterOS 6.43.7
# software id = XXXX
#
# model = RouterBOARD 952Ui-5ac2nD
# serial number = 924908CF1253
/interface ethernet
set [ find default-name=ether1 ] name=1WAN
set [ find default-name=ether2 ] name=2LAN
set [ find default-name=ether3 ] name=3LAN
set [ find default-name=ether4 ] name=4LAN
set [ find default-name=ether5 ] name=5LAN
/interface vlan
add interface=3LAN name=VLAN10 vlan-id=10
add interface=3LAN name=VLAN20 vlan-id=20
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_MAIN ranges=192.168.1.2-192.168.1.10
add name=dhcp_VLAN10 ranges=192.168.10.2
add name=dhcp_VLAN20 ranges=192.168.20.2
/ip dhcp-server
add address-pool=dhcp_MAIN disabled=no interface=2LAN lease-time=23h name=\
dhcpMAIN
add address-pool=dhcp_VLAN10 disabled=no interface=VLAN10 lease-time=23h \
name=dhcpVLAN10
add address-pool=dhcp_VLAN20 disabled=no interface=VLAN20 lease-time=23h \
name=dhcpVLAN20
/interface bridge nat
add action=accept chain=srcnat
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-vlan=yes
/ip address
add address=192.168.1.1/24 interface=2LAN network=192.168.1.0
add address=192.168.20.1/24 interface=VLAN20 network=192.168.20.0
add address=192.168.10.1/24 interface=VLAN10 network=192.168.10.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=1WAN
/ip dhcp-server lease
add address=192.168.1.2 mac-address=60:EB:69:5D:5D:34 server=dhcpMAIN
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=192.167.1.3 gateway=192.167.1.3
add address=192.168.10.0/24 dns-server=192.167.1.3 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=192.167.1.3 gateway=192.168.20.1
/ip dns
set allow-remote-requests=yes servers=207.67.220.220,208.67.222.222
/ip firewall filter
add action=accept chain=forward connection-state=established,related \
connection-type=""
add action=accept chain=input
add action=drop chain=forward connection-state=\
invalid,established,related,new disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat out-interface=1WAN
/ip service
set www-ssl disabled=no
/system identity
set name=ROUTERFOO
Helpy is appreciated,