Sat Dec 29, 2018 8:46 pm
I have a similar setup, one hEX, two cAP acs, no CAPsMAN yet as managing two APs is dirt simple as I use Winbox to access all three units.
You seem to be missing an IP firewall filter rule you will need for port forwarding.
I also set my rp filter to loose not strict but cannot remember why.
I recommend you only have one bridge and put your guest access, wired and wireless on a VLAN on the same bridge.
I like allow rules for what is needed and drop everything else at the end of input and forward chains.
After the first input allow rule follow with this (you have one for forward chain but not for input chain):
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
This can be simplified and made more practical:
add action=accept chain=input comment="accept access only from LAN" \
in-interface=!WAN src-address=192.168.0.0/24
add action=accept chain=input comment="Allow ADMIN to Router" \
in-interface-list=LAN src-address-list=adminaccess
*** Create a firewall address list of IPs etc. that you want to have access to the router (or subnet).
In this regard it's easy to change address list entries and not change rules.
What about allowing DNS queries, which is standard fare...
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 \
in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=\
53 in-interface-list=LAN protocol=tcp
This last input rule can be made more accurate:
add action=drop chain=input comment="defconf: drop all from WAN"
add action=drop chain=input comment="defconf: drop all else"
**** Using IP DNS you can dictate what is being accessed, for example:
/ip dns
set allow-remote-requests=yes servers=\
8.8.8.8,8.8.4.4,208.67.220.220,208.67.222.222
and then for each DHCP server network something like:
add address=192.168.0.0/24 comment=HomeLAN_Network dns-server=192.168.0.1 \
gateway=192.168.0.1
(If you want to be really anal you can redirect users no matter what DNS they attempt to use with the following in IP Firewall NAT rules, currently disabled:
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - TCP" disabled=yes dst-port=53 protocol=\
tcp src-address-list=your_choice_of_interfaces
add action=redirect chain=dstnat comment=\
"Force Users to Router for DNS - UDP" disabled=yes dst-port=53 protocol=\
udp src-address-list=your_choice_of_interfaces
On the Forward chain you need to allow LAN to WAN traffic if that is your intent.
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=\
localBridge log-prefix="ALLOWED LAN 2 WAN TRAFFIC" out-interface-list=WAN
add action=accept chain=forward comment="ENABLE Guest to WAN" in-interface=\
guestBridge log-prefix="ALLOWED Guest 2 WAN TRAFFIC" out-interface-list=WAN
*** If you move to one bridge you would still need a VLAN to WAN rule, with the VLAN vice guestBridge for in-interface.
To allow DSTNAT rules to work, get rid of the existing rule:
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=WAN
and add:
add action=accept chain=forward comment=\
"Allow Port Forwarding - " connection-nat-state=dstnat
For IPsec I believe you need these two in the forward chain:
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
You need a drop-all-else rule at the end of the forward chain:
add action=drop chain=forward comment=\
"DROP ALL other FORWARD traffic" log-prefix="FORWARD DROP ALL"
Finally I think your DSTNAT rules with multiple masquerade entries are EFFED!!
You should only have ONE per WAN in general, so the first rule is probably the only one needed.
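The post's whole argument is that filter rules are evaluated top to bottom and the first match wins, so the placement of "drop invalid", the admin/DNS accepts, the dstnat accept and the final drop-all decides what gets through. The script below is an added example (not from the post or from MikroTik) that parses the recommended input and forward rules in the order the poster gives them and walks each chain with a first-match evaluator over constructed packets. The interface list membership (localBridge and guestBridge in LAN, ether1 in WAN), the adminaccess address list and the sample packets are all assumptions made up here; the first input/forward accept is taken to be the default-config established/related rule the poster refers to.

```python
"""Toy first-match evaluator for the RouterOS-style filter rules quoted in the post.

Added example, not the post's or MikroTik's code: it parses `add ...` lines the
way they appear in an export, then walks a chain top to bottom and returns the
action of the first matching rule (accept if nothing matches, as on RouterOS).
Only the matchers used in the post are implemented.
"""
import ipaddress
import shlex

# Constructed: interface list and address list membership assumed for the example.
INTERFACE_LISTS = {"LAN": {"localBridge", "guestBridge"}, "WAN": {"ether1"}}
ADDRESS_LISTS = {"adminaccess": {"192.168.0.10"}}

# The poster's recommended rule order; the first accept in each chain is assumed
# to be the default-config established/related rule the post refers to.
RULES_TEXT = r'''
add action=accept chain=input connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="Allow ADMIN to Router" in-interface-list=LAN src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries-UDP" dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="defconf: drop all else"
add action=accept chain=forward connection-state=established,related
add action=accept chain=forward comment="ENABLE LAN to WAN" in-interface=localBridge out-interface-list=WAN
add action=accept chain=forward comment="ENABLE Guest to WAN" in-interface=guestBridge out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding - " connection-nat-state=dstnat
add action=drop chain=forward comment="DROP ALL other FORWARD traffic" log-prefix="FORWARD DROP ALL"
'''

# Keys that are not packet matchers.
SKIP_KEYS = {"action", "chain", "comment", "log-prefix", "log", "disabled"}


def parse_rules(text):
    """Turn `add key=value ...` lines into dicts; disabled rules are dropped."""
    rules = []
    for line in text.strip().splitlines():
        tokens = shlex.split(line)  # handles comment="..." with spaces
        if not tokens or tokens[0] != "add":
            continue
        rule = dict(tok.split("=", 1) for tok in tokens[1:])
        if rule.get("disabled") != "yes":
            rules.append(rule)
    return rules


def _match(key, value, pkt):
    """Evaluate one matcher against a packet; a leading '!' negates it."""
    negate = value.startswith("!")
    value = value.lstrip("!")
    if key == "in-interface":
        hit = pkt.get("in_iface") == value
    elif key == "in-interface-list":
        hit = pkt.get("in_iface") in INTERFACE_LISTS.get(value, set())
    elif key == "out-interface-list":
        hit = pkt.get("out_iface") in INTERFACE_LISTS.get(value, set())
    elif key == "src-address":
        hit = ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(value, strict=False)
    elif key == "src-address-list":
        hit = pkt["src"] in ADDRESS_LISTS.get(value, set())
    elif key == "dst-port":
        hit = pkt.get("dst_port") in {int(p) for p in value.split(",")}
    elif key == "protocol":
        hit = pkt.get("proto") == value
    elif key == "connection-state":
        hit = pkt.get("conn_state") in value.split(",")
    elif key == "connection-nat-state":
        hit = pkt.get("nat_state") in value.split(",")
    else:
        raise ValueError(f"unsupported matcher: {key}")
    return hit != negate


def evaluate(rules, chain, pkt):
    """First-match walk of one chain; no match means the default accept."""
    for rule in rules:
        if rule["chain"] != chain:
            continue
        if all(_match(k, v, pkt) for k, v in rule.items() if k not in SKIP_KEYS):
            return rule["action"]
    return "accept"


# Constructed sample packets exercising the decisions the post talks about.
SAMPLES = {
    "input:wan_to_winbox": dict(in_iface="ether1", src="203.0.113.5", dst_port=8291, proto="tcp", conn_state="new"),
    "input:lan_dns_udp": dict(in_iface="localBridge", src="192.168.0.50", dst_port=53, proto="udp", conn_state="new"),
    "input:lan_winbox_nonadmin": dict(in_iface="localBridge", src="192.168.0.50", dst_port=8291, proto="tcp", conn_state="new"),
    "input:lan_winbox_admin": dict(in_iface="localBridge", src="192.168.0.10", dst_port=8291, proto="tcp", conn_state="new"),
    "forward:lan_to_internet": dict(in_iface="localBridge", out_iface="ether1", src="192.168.0.50", dst_port=443, proto="tcp", conn_state="new", nat_state=""),
    "forward:wan_unsolicited": dict(in_iface="ether1", out_iface="localBridge", src="203.0.113.5", dst_port=445, proto="tcp", conn_state="new", nat_state=""),
    "forward:wan_port_forward": dict(in_iface="ether1", out_iface="localBridge", src="203.0.113.5", dst_port=80, proto="tcp", conn_state="new", nat_state="dstnat"),
    "forward:guest_to_lan": dict(in_iface="guestBridge", out_iface="localBridge", src="192.168.2.20", dst_port=445, proto="tcp", conn_state="new", nat_state=""),
}


def run_samples():
    """Return {sample name: action} for every constructed packet."""
    rules = parse_rules(RULES_TEXT)
    return {name: evaluate(rules, name.split(":")[0], pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, action in run_samples().items():
        print(f"{name:30s} -> {action}")
```

Two results are worth looking at: a non-admin LAN host is dropped on 8291 while the adminaccess host is accepted, which is the point of keeping management access in an address list rather than in the rules; and guest-to-LAN forwarding is dropped only because the final drop-all exists, since neither bridge rule matches it. Remove the last forward rule and that packet falls through to the default accept.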