DavidClark
just joined
Topic Author
Posts: 7
Joined: Sun Jun 02, 2019 8:25 pm

Inter Vlan communication and inter network communication issue

Mon Jun 03, 2019 9:04 am

Hello. I am relatively new to RouterOS. Recently I have been working on some MikroTik devices. My problem is this: I am setting up a basic network with:
> CCR1036-12G-4S - OS 6.24
> single DHCP WAN in for internet
> multiple VLANs on ether12
> an external network connection to ether4 and ether5

Code:


/interface bonding
add mode=balance-xor name=vlantrunck slaves=ether11,ether12\
transmit-hash-policy=layer-2-and-3

/interface vlan
add interface=vlantrunck name=VLAN99 vlan-id=99
/ip address
add address=192.168.99.1/24 interface=VLAN99

/interface vlan
add interface=vlantrunck name=vlan1 vlan-id=10
add interface=vlantrunck name=vlan2 vlan-id=20
add interface=vlantrunck name=vlan3 vlan-id=30
add interface=vlantrunck name=vlan4 vlan-id=40
add interface=vlantrunck name=vlan5 vlan-id=50


/ip address
add address=192.168.10.1/24 interface=vlan1
add address=192.168.20.1/24 interface=vlan2
add address=192.168.30.1/24 interface=vlan3
add address=192.168.40.1/24 interface=vlan4
add address=192.168.50.1/24 interface=vlan5

/ip pool
add name=vlan1_pool ranges=192.168.20.100-192.168.20.200
add name=vlan2_pool ranges=192.168.30.100-192.168.30.200
add name=vlan3_pool ranges=192.168.40.20-192.168.40.250
add name=vlan4_pool ranges=192.168.50.10-192.168.50.150
/ip dhcp-server
add address-pool=vlan1_pool disabled=no interface=IT120 name=IT120_DHCP
add address-pool=vlan2_pool disabled=no interface=EXECUTIVE130 name=EXECUTIVE130_DHCP
add address-pool=vlan3_pool disabled=no interface=STAFF140 name=STAFF140_DHCP
add address-pool=vlan4_pool disabled=no interface=WIFI150 name=WIFI150_DHCP
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.50.1 gateway=192.168.50.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8

/ip firewall nat
add action=masquerade chain=srcnat out-interface=wan
I have used interface bonding for the VLANs. However, now I want to set up some basic communication rules as follows:
> full access from Vlan2 to all other VLANs
> some specified access between the other VLANs

How do I give Vlan2 full access to all other VLANs?
Is interface bonding the way to do VLANs on a CCR?
If I upgrade the CCR OS from 6.2 to 6.4, will any configuration break?
Also, is there an example page for the CCR like "Manual:CRS1xx/2xx series switches examples" for the CRS?

Please guide me.
 
mkx
Forum Guru
Posts: 2252
Joined: Thu Mar 03, 2016 10:23 pm

Re: Inter Vlan communication and inter network communication issue  [SOLVED]

Mon Jun 03, 2019 11:50 am

Upgrading from 6.24 to 6.44 shouldn't break your config ... the major changes were in the bridge implementation and you're not using a bridge ... at least not in the config shown.

In general, communication between VLANs should go via L3 (IP routing). It could go via L2 (ethernet switching), but this defeats the purpose of segmenting the network into VLANs. You actually have everything necessary set up for full communication between all VLANs ... unless you have some firewall filtering set up (/ip firewall filter) which is not shown in the config posted.

The CCR is a full router and doesn't have any switching features (all interfaces are wired directly to the device's main CPU). Hence there are no special HW-based features ... normal configuration guidelines apply.
BR,
Metod
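An added example of the L3 approach described above; it is not taken from the thread or from MikroTik documentation. It shows RouterOS firewall filter rules that give vlan2 unrestricted access to the other VLANs, allow one narrow path between two of the other VLANs, and drop the remaining inter-VLAN traffic while leaving Internet-bound traffic untouched. It reuses the interface names (vlan1..vlan5) and subnets from the first post; the "vlan3 to vlan1 on TCP 443" rule is a constructed placeholder for the "specified access" the poster wants, and the address-list name vlan-nets is an assumed name. The rules use only address lists and interface matches, which are available on the 6.24 release mentioned above.

```routeros
# Added example, not the poster's config. Assumes vlan1..vlan5 with
# 192.168.10-50.0/24 as in the first post; "vlan-nets" is an assumed name.

# Group the VLAN subnets so one rule can match "any VLAN to any VLAN".
/ip firewall address-list
add list=vlan-nets address=192.168.10.0/24 comment="vlan1"
add list=vlan-nets address=192.168.20.0/24 comment="vlan2 (full access)"
add list=vlan-nets address=192.168.30.0/24 comment="vlan3"
add list=vlan-nets address=192.168.40.0/24 comment="vlan4"
add list=vlan-nets address=192.168.50.0/24 comment="vlan5"

/ip firewall filter
# Stateful basics first: replies to permitted sessions pass, broken state is dropped.
add chain=forward action=accept connection-state=established,related \
    comment="inter-VLAN: allow replies to permitted sessions"
add chain=forward action=drop connection-state=invalid \
    comment="inter-VLAN: drop invalid state"

# vlan2 may open sessions to every other VLAN (the "full access" requirement).
# Matching on in-interface, not on source address, means a host on another
# VLAN cannot gain vlan2's privileges by using a 192.168.20.x address.
add chain=forward action=accept in-interface=vlan2 dst-address-list=vlan-nets \
    comment="vlan2 -> all VLANs"

# "Specified access" between the other VLANs: one constructed placeholder pair.
# Replace or extend with the real service pairs.
add chain=forward action=accept in-interface=vlan3 out-interface=vlan1 \
    protocol=tcp dst-port=443 comment="placeholder: vlan3 -> vlan1 HTTPS only"

# Optional visibility before the final drop; enable while tuning the policy.
add chain=forward action=log log-prefix="inter-vlan-drop" disabled=yes \
    src-address-list=vlan-nets dst-address-list=vlan-nets

# Everything else between VLANs is dropped. Internet-bound traffic does not
# match dst-address-list=vlan-nets, so the masquerade path is unaffected.
add chain=forward action=drop src-address-list=vlan-nets dst-address-list=vlan-nets \
    comment="inter-VLAN: drop remaining"
```

Filter rules are evaluated top down, so on a router that already has forward-chain rules, check `/ip firewall filter print` and use `place-before=` so these land before any broader accept or drop. After an upgrade to 6.44 the per-interface matches could be replaced with an `/interface list` containing the VLAN interfaces, but the address-list form above works on both releases.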
 
DavidClark
just joined
Topic Author
Posts: 7
Joined: Sun Jun 02, 2019 8:25 pm

Re: Inter Vlan communication and inter network communication issue

Mon Jun 03, 2019 1:04 pm

> Upgrading from 6.24 to 6.44 shouldn't break your config ... the major changes were in the bridge implementation and you're not using a bridge ... at least not in the config shown.
>
> In general, communication between VLANs should go via L3 (IP routing). It could go via L2 (ethernet switching), but this defeats the purpose of segmenting the network into VLANs. You actually have everything necessary set up for full communication between all VLANs ... unless you have some firewall filtering set up (/ip firewall filter) which is not shown in the config posted.
>
> The CCR is a full router and doesn't have any switching features (all interfaces are wired directly to the device's main CPU). Hence there are no special HW-based features ... normal configuration guidelines apply.

Thank you.
I have some bridge connections: a simple bridge with two interface ports, used as a gateway to connect to a different network.
I am assuming that with the upgrade the old bridge method will also work?

Sent from my SM-G965F using Tapatalk

 
mkx
Forum Guru
Posts: 2252
Joined: Thu Mar 03, 2016 10:23 pm

Re: Inter Vlan communication and inter network communication issue

Mon Jun 03, 2019 2:04 pm

Actually ... the basic bridge functionality did not change with ROS 6.41 ... previously it was not needed for pure ethernet switching (if the device had a switch chip) and did not have any VLAN awareness. On CCRs one had to use a bridge to create an L2 domain, just the way it can be done with modern ROS.
So the upgrade probably won't break your setup. If you want a more educated guess from this forum, post the complete output of the command /export hide-sensitive (redact public IP address(es) before posting).
BR,
Metod
 
DavidClark
just joined
Topic Author
Posts: 7
Joined: Sun Jun 02, 2019 8:25 pm

Re: Inter Vlan communication and inter network communication issue

Wed Jun 05, 2019 12:25 am

After going through the full configuration in text after exporting, I think I am starting to get what's happening. Thank you for the help.
But here is the output with which inter-VLAN communication failed. I will try something and get back.
Any help, suggestion or improvement is appreciated.
I am making changes over the existing configuration.

Code:

add address=10.1.11.2 list=unrestricted
add address=10.1.3.0/24 comment=Exec list=unrestricted
add address=10.1.4.0/24 list=unrestricted
add address=10.1.11.0/24 comment=ICTU list=unrestricted
add address=172.23.0.240 comment=Switches list=switches
add address=172.23.0.241 list=switches
add address=172.23.0.242 list=switches
add address=172.23.0.243 list=switches
add address=172.23.0.244 list=switches
add address=172.23.0.245 list=switches
add address=10.1.11.3 list=unrestricted
add address=a.b.c.132 list=netmap-wan
add address=10.a.b.0/24 comment="External subs" list=exm
/ip firewall filter
add action=jump chain=input comment="Sanity Check" jump-target=sanity-check
add action=jump chain=forward comment="Sanity Check Forward" jump-target=sanity-check
add action=jump chain=forward connection-state=new jump-target=sanity-check
add action=jump chain=forward connection-state=established jump-target=sanity-check
add action=jump chain=forward connection-state=related jump-target=sanity-check
add action=jump chain=forward connection-state=invalid jump-target=drop
add action=jump chain=sanity-check comment="Deny illegal NAT traversal" jump-target=drop packet-mark=\
nat-traversal
add action=jump chain=sanity-check comment="DDoS Chain" connection-state=new jump-target=detect-ddos \
src-address-list=!local-addr
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=return chain=detect-ddos src-address-list=local-addr
add action=add-dst-to-address-list address-list=DDoSed address-list-timeout=1w chain=detect-ddos
add action=add-src-to-address-list address-list=DDoSer address-list-timeout=1w chain=detect-ddos
add action=add-src-to-address-list address-list=portscanners address-list-timeout=2w chain=sanity-check \
comment="Detect Port Scan" protocol=tcp psd=20,3s,3,1 src-address-list=!local-addr
add action=add-src-to-address-list address-list=portscanners address-list-timeout=2w chain=sanity-check \
fragment=yes protocol=tcp psd=20,3s,3,1 src-address-list=!local-addr
add action=add-src-to-address-list address-list=portscanners address-list-timeout=2w chain=sanity-check \
protocol=tcp psd=25,3s,32774,7 src-address-list=!local-addr
add action=add-src-to-address-list address-list=portscanners address-list-timeout=2w chain=sanity-check \
fragment=yes protocol=tcp psd=25,3s,32774,7 src-address-list=!local-addr
add action=add-src-to-address-list address-list=portscanners address-list-timeout=2w chain=sanity-check \
comment="Block TCP Xmas scan" protocol=tcp src-address-list=!local-addr tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=portscanners address-list-timeout=2w chain=sanity-check \
comment="Block TCP Null scan" protocol=tcp src-address-list=!local-addr tcp-flags=\
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=portscanners address-list-timeout=2w chain=sanity-check \
comment=Portscanners-to-list protocol=tcp psd=21,3s,3,1 src-address-list=!local-addr
add action=add-src-to-address-list address-list=portscanners address-list-timeout=2w10h chain=\
sanity-check comment="NMAP FIN Stealth scan" protocol=tcp src-address-list=!local-addr tcp-flags=\
fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list=portscanners address-list-timeout=10h chain=sanity-check \
comment="SYN/FIN scan" protocol=tcp src-address-list=!local-addr tcp-flags=fin,syn
add action=add-src-to-address-list address-list=portscanners address-list-timeout=10h chain=sanity-check \
comment="SYN/RST scan" protocol=tcp src-address-list=!local-addr tcp-flags=syn,rst
add action=add-src-to-address-list address-list=portscanners address-list-timeout=2w10h chain=\
sanity-check comment="FIN/PSH/URG scan" protocol=tcp src-address-list=!local-addr tcp-flags=\
fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list=portscanners address-list-timeout=10h chain=sanity-check \
comment="ALL/ALL scan" protocol=tcp src-address-list=!local-addr tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list=portscanners address-list-timeout=10h chain=sanity-check \
comment="NMAP NULL scan" protocol=tcp src-address-list=!local-addr tcp-flags=\
!fin,!syn,!rst,!psh,!ack,!urg
add action=jump chain=sanity-check comment="Drop TCP SYN+FIN" jump-target=drop protocol=tcp tcp-flags=\
fin,syn
add action=jump chain=forward comment="Protocol Restrict Rules" jump-target=restrict-tcp protocol=tcp
add action=jump chain=forward jump-target=restrict-udp protocol=udp
add action=jump chain=forward jump-target=restrict-ip
add action=reject chain=restrict-tcp connection-mark=auth
add action=jump chain=restrict-tcp connection-mark=other-tcp jump-target=drop
add action=jump chain=restrict-udp connection-mark=other-udp jump-target=drop
add action=jump chain=restrict-ip connection-mark=other jump-target=drop
add action=jump chain=sanity-check comment="Dropping invalid connections at once" connection-state=\
invalid jump-target=drop
add chain=sanity-check comment="Accepting already established connections" connection-state=established
add chain=sanity-check comment="Also accepting related connections" connection-state=related
add chain=sanity-check comment="Allow local traffic (between router applications)" dst-address-type=local \
src-address-type=local
add action=drop chain=forward disabled=yes dst-address-list="DMZ-1 Services" dst-port=!80 protocol=tcp
add chain=dmz-services comment="DMZ DNS" disabled=yes dst-port=53 protocol=udp
add action=jump chain=sanity-check comment="Allowed services to be accessible from the Internet-Provider" \
in-interface=ether3 jump-target=public-services
add action=drop chain=public-services connection-state=invalid disabled=yes dst-address-list=netmap-wan \
dst-port=80 limit=5,5 protocol=tcp
add chain=public-services comment="DNS (53/TCP)" disabled=yes protocol=tcp src-port=53
add action=drop chain=public-services comment="DNS (53/TCP)" protocol=udp src-port=53
add action=jump chain=sanity-check comment=\
"Drop all traffic that goes to multicast or broadcast addresses" dst-address-type=broadcast,multicast \
jump-target=drop
add action=jump chain=sanity-check comment=\
"Drop all traffic that comes from multicast or broadcast addresses" jump-target=drop \
src-address-type=broadcast,multicast
add action=jump chain=sanity-check comment="Drop illegal destination addresses-Provider" \
dst-address-list=illegal-addr dst-address-type=!local in-interface=!ether3 jump-target=drop
add action=jump chain=sanity-check comment=\
"Drop everything that goes from local interface but not from local address" in-interface=LAN \
jump-target=drop src-address-list=!local-addr
add action=jump chain=sanity-check in-interface="LAN II" jump-target=drop src-address-list=!local-addr
add action=jump chain=sanity-check comment="Drop illegal source addresses" in-interface=ether3 \
jump-target=drop src-address-list=illegal-addr
add action=jump chain=input comment=\
"Dropping packets not destined to the router itself, including all broadcast traffic" \
dst-address-type=!local jump-target=drop
add action=tarpit chain=sanity-check connection-limit=3,32 disabled=yes in-interface=!LAN protocol=tcp \
src-address-list=blocked-addr
add action=jump chain=sanity-check comment="DDos Detection" connection-state=new disabled=yes \
in-interface=!LAN jump-target=block-ddos
add action=jump chain=sanity-check comment="anti-spam policy" connection-mark=smtp jump-target=\
smtp-first-drop
add action=add-src-to-address-list address-list=approved-smtp chain=smtp-first-drop disabled=yes \
src-address-list=first-smtp
add action=return chain=smtp-first-drop src-address-list=approved-smtp
add action=add-src-to-address-list address-list=first-smtp chain=smtp-first-drop disabled=yes
add action=reject chain=smtp-first-drop
add action=add-src-to-address-list address-list=ddoser address-list-timeout=1d chain=sanity-check \
comment="Detect Dos Attack" connection-limit=10,32 disabled=yes in-interface=!LAN protocol=tcp \
src-address-list=!white-list
add action=add-src-to-address-list address-list=ddoser address-list-timeout=1d chain=sanity-check \
connection-limit=10,32 disabled=yes in-interface="!LAN II" protocol=tcp src-address-list=!white-list
add action=tarpit chain=sanity-check comment="Suppress Dos Attack" connection-limit=3,32 disabled=yes \
in-interface=!LAN protocol=tcp src-address-list=ddoser
add action=tarpit chain=sanity-check connection-limit=3,32 disabled=yes in-interface="!LAN II" protocol=\
tcp src-address-list=ddoser
add action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d chain=sanity-check \
comment="Connection Limiting" connection-limit=32,0 disabled=yes protocol=tcp src-address-list=\
!local-addr
add action=tarpit chain=sanity-check connection-limit=3,32 disabled=yes protocol=tcp src-address-list=\
blocked-addr
add action=jump chain=sanity-check comment="DDos Rules" disabled=yes jump-target=block-ddos \
src-address-list=!local-addr
add action=return chain=block-ddos disabled=yes dst-limit=50,50,src-and-dst-addresses/10s in-interface=\
!LAN src-address-list=!local-addr
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=block-ddos \
disabled=yes src-address-list=!local-addr
add chain=sanity-check comment="Types of Pings (5pac/s)" dst-address-list=local-addr icmp-options=8 \
limit=5,5 protocol=icmp src-address-list=local-addr
add chain=sanity-check icmp-options=8:0 protocol=icmp
add action=drop chain=sanity-check dst-address-list=!local-addr icmp-options=0 limit=5,5 protocol=icmp \
src-address-list=!local-addr
add action=drop chain=sanity-check dst-address-list=!local-addr icmp-options=0:0 protocol=icmp \
src-address-list=!local-addr
add action=drop chain=sanity-check dst-address-list=!local-addr icmp-options=3:0 protocol=icmp \
src-address-list=!local-addr
add action=drop chain=sanity-check dst-address-list=!local-addr icmp-options=3:1 protocol=icmp \
src-address-list=!local-addr
add action=drop chain=sanity-check dst-address-list=!local-addr icmp-options=3:3 limit=5,5 protocol=icmp \
src-address-list=!local-addr
add action=drop chain=sanity-check dst-address-list=!local-addr icmp-options=3:4 limit=5,5 protocol=icmp \
src-address-list=!local-addr
add action=drop chain=sanity-check dst-address-list=!local-addr icmp-options=4:0 protocol=icmp \
src-address-list=!local-addr
add action=drop chain=sanity-check comment="Time Exceed (ICMP)" dst-address-list=!local-addr \
icmp-options=11 limit=5,5 protocol=icmp src-address-list=!local-addr
add action=drop chain=sanity-check dst-address-list=!local-addr icmp-options=11:0 protocol=icmp \
src-address-list=!local-addr
add action=drop chain=sanity-check dst-address-list=!local-addr icmp-options=12:0 protocol=icmp \
src-address-list=!local-addr
add action=drop chain=sanity-check comment="Drop everything else (ICMP)" protocol=icmp src-address-list=\
!local-addr
add chain=forward comment="Allow traffic between Local Interfaces" in-interface=LAN out-interface=\
"LAN II"
add action=drop chain=input comment="Block access to winbox" dst-port=8291 protocol=tcp src-address-list=\
!winbox-access
add chain=input comment="Allow The Router to be visible via Neighbor Discovery to WinBox" dst-address=\
255.255.255.255 dst-port=5678 in-interface=LAN protocol=udp src-address-list=winbox-access
add action=jump chain=input comment="Allowed services to be accessible from the local network" \
in-interface=LAN jump-target=local-services
add chain=local-services comment="Winbox (8291/TCP)" dst-port=8291 protocol=tcp src-address-list=\
winbox-access
add chain=local-services comment="DNS (53/UDP/TCP)" dst-port=53 protocol=udp src-address-list=local-addr
add chain=local-services dst-port=53 protocol=tcp
add chain=local-services comment="SSH (22/TCP)" dst-port=22 protocol=tcp src-address-list=winbox-access
add chain=local-services comment="Proxy (3128/TCP)" dst-port=3128 protocol=tcp src-address-list=\
local-addr
add chain=local-services comment=FTP dst-port=21 protocol=tcp src-address-list=winbox-access
add chain=local-services comment="Web Services (TCP/80)" dst-port=80 protocol=tcp src-address-list=\
winbox-access
add action=drop chain=local-services comment="Callbook (TCP/2000)" dst-port=2000 protocol=tcp
add action=drop chain=local-services comment="PPTP (TCP/1723)" dst-port=1723 protocol=tcp
add action=add-src-to-address-list address-list=ddoser address-list-timeout=10m chain=block-ddos \
src-address-list=!local-addr
add action=drop chain=block-ddos connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=drop chain=sanity-check comment="Dropping Port Scans & Scanners" in-interface=!LAN \
src-address-list=portscanners
add action=drop chain=sanity-check dst-port=137,139 protocol=tcp src-address-list=!local-addr
add action=drop chain=sanity-check dst-port=445 protocol=tcp src-address-list=!local-addr
add action=drop chain=sanity-check protocol=tcp src-address-list=!local-addr src-port=137,139
add action=drop chain=sanity-check protocol=tcp src-address-list=!local-addr src-port=445
add action=drop chain=sanity-check dst-port=137,139 protocol=udp src-address-list=!local-addr
add action=drop chain=sanity-check dst-port=445 protocol=udp src-address-list=!local-addr
add action=drop chain=sanity-check protocol=udp src-address-list=!local-addr src-port=137,139
add action=drop chain=sanity-check protocol=udp src-address-list=!local-addr src-port=445
add action=drop chain=sanity-check protocol=tcp src-address-list=portscanners
add action=drop chain=sanity-check protocol=udp src-address-list=portscanners
add action=drop chain=local-services comment="Drop Local Services Rule"
add action=drop chain=public-services comment="Drop Public Services Rules" disabled=yes
add action=drop chain=forward comment="External Network Foward Rules Connection State (Drop)" connection-state=invalid \
disabled=yes dst-address-list=ext in-interface=LAN out-interface=EXT-BRR src-address-list=local-addr
add action=drop chain=forward connection-state=invalid disabled=yes dst-address-list=local-addr \
in-interface=EXT-BRR out-interface=LAN src-address-list=ext
add action=drop chain=sanity-check comment=Bloacked-sites disabled=yes dst-address-list=blocked-sites \
src-address-list=!unrestricted
add action=drop chain=sanity-check comment="Protscanner Drop" disabled=yes src-address-list=portscanners
add action=drop chain=sanity-check comment="Content Test Rule" content=www.facebook.com disabled=yes \
protocol=tcp
add action=drop chain=sanity-check content=facebook.com disabled=yes protocol=tcp
add action=reject chain=sanity-check content=youtube protocol=tcp reject-with=tcp-reset
add action=reject chain=sanity-check content=youtube.com protocol=tcp reject-with=tcp-reset
add action=reject chain=sanity-check content=stream protocol=tcp reject-with=tcp-reset
add action=reject chain=sanity-check connection-limit=0,32 connection-rate=0-0 content=ebay.com \
layer7-protocol=ebay protocol=tcp reject-with=tcp-reset
add action=reject chain=sanity-check content=ibay protocol=tcp reject-with=icmp-host-prohibited
add action=drop chain=forward comment="block youtube dns udp" disabled=yes dst-port=53 layer7-protocol=\
*8B limit=0,5 protocol=udp src-address-list=!unrestricted time=\
0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=log chain=drop comment="Firewall Log/Debug" disabled=yes log-prefix=drop
add action=log chain=input disabled=yes log-prefix=input
add action=log chain=sanity-check disabled=yes log-prefix=input
add action=drop chain=detect-ddos comment="DDoS Drop Rule" dst-address-list=DDoSed src-address-list=\
DDoSer
add action=jump chain=sanity-check comment="Everything Elese Drop Rule" in-interface=ether3 jump-target=\
drop
add action=jump chain=sanity-check comment="Everything Elese Drop Rule-Provider" in-interface=ether3 \
jump-target=drop
add action=jump chain=sanity-check in-interface="WAN II" jump-target=drop
add action=log chain=sanity-check comment=Loggin disabled=yes
add action=log chain=forward disabled=yes
add action=log chain=drop disabled=yes log-prefix=10.1.0.3
add action=drop chain=drop comment="Drop Rule" disabled=yes in-interface=WAN
add action=drop chain=drop comment="Drop Rule-Dhiraagu" in-interface=ether3
add action=drop chain=drop disabled=yes in-interface="WAN II"
add chain=forward
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Detect NAT Traversal" dst-address-list=nat-addr \
in-interface=WAN new-packet-mark=nat-traversal passthrough=no
add action=mark-packet chain=prerouting dst-address-list=nat-addr in-interface="WAN II" new-packet-mark=\
nat-traversal passthrough=no
add action=mark-routing chain=prerouting comment="EXT Live Route" dst-address-list=ext new-routing-mark=\
ext src-address-list=local-addr
add chain=prerouting routing-mark=ext
add action=mark-routing chain=prerouting comment="Web Content Filtering (General)" disabled=yes \
dst-address-list=!bypass_proxy dst-port=80,443 in-interface=LAN new-routing-mark=proxy protocol=tcp \
src-address=10.1.0.3 src-address-list=!unrestricted time=7h40m-14h,sun,mon,tue,wed,thu
add action=mark-routing chain=prerouting disabled=yes dst-address-list=!bypass_proxy dst-port=80,443 \
in-interface=LAN new-routing-mark=proxy protocol=tcp src-address=10.1.0.0/19 src-address-list=\
!unrestricted time=13h-15h,sun,mon,tue,wed,thu
add action=mark-routing chain=prerouting disabled=yes dst-address-list=!bypass_proxy dst-port=80 \
in-interface="LAN II" new-routing-mark=proxy protocol=tcp src-address=10.1.0.0/19 src-address-list=\
!bypass_proxy
add action=change-ttl chain=postrouting comment="TTL Mod" disabled=yes new-ttl=set:225 protocol=icmp \
src-address=a.b.c.52
add action=jump chain=prerouting comment="Protocol Marking" connection-state=new jump-target=tcp-services \
protocol=tcp
add action=jump chain=prerouting connection-state=new jump-target=udp-services protocol=udp
add action=jump chain=prerouting connection-state=new jump-target=other-services
add action=mark-connection chain=tcp-services dst-port=20,21 new-connection-mark=ftp passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=22 new-connection-mark=ssh passthrough=no \
protocol=tcp src-port=513,65535
add action=mark-connection chain=tcp-services dst-port=23 new-connection-mark=telnet passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=25 new-connection-mark=smtp passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=53 new-connection-mark=dns passthrough=no \
protocol=tcp src-port=53
add action=mark-connection chain=tcp-services dst-port=53 new-connection-mark=dns passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=80 new-connection-mark=http passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=110 new-connection-mark=pop3 passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=113 new-connection-mark=auth passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=119 new-connection-mark=nntp passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=143 new-connection-mark=imap passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=161,162 new-connection-mark=snmp passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=443 new-connection-mark=https passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=465 new-connection-mark=smtps passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=993 new-connection-mark=imaps passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=995 new-connection-mark=pop3s passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=1723 new-connection-mark=pptp passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=2379 new-connection-mark=kgs passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=3128 new-connection-mark=proxy passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=3389 new-connection-mark=win-ts passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=4242,4243 new-connection-mark=emule passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=1024,65535 new-connection-mark=overnet \
passthrough=no protocol=tcp src-port=4661,4662
add action=mark-connection chain=tcp-services dst-port=1024,65535 new-connection-mark=emule passthrough=\
no protocol=tcp src-port=4711
add action=mark-connection chain=tcp-services dst-port=5900,5901 new-connection-mark=vnc passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=6667,6669 new-connection-mark=irc passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=6881,6889 new-connection-mark=bittorrent \
passthrough=no protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=8080 new-connection-mark=http passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services dst-port=8291 new-connection-mark=winbox passthrough=no \
protocol=tcp src-port=1024,65535
add action=mark-connection chain=tcp-services new-connection-mark=other-tcp passthrough=no protocol=tcp
add action=mark-connection chain=udp-services dst-port=53 new-connection-mark=dns passthrough=no \
protocol=udp src-port=1024,65535
add action=mark-connection chain=udp-services dst-port=123 new-connection-mark=ntp passthrough=no \
protocol=udp src-port=1024,65535
add action=mark-connection chain=udp-services dst-port=1701 new-connection-mark=l2tp passthrough=no \
protocol=udp src-port=1024,65535
add action=mark-connection chain=udp-services dst-port=4665 new-connection-mark=emule passthrough=no \
protocol=udp src-port=1024,65535
add action=mark-connection chain=udp-services dst-port=4672 new-connection-mark=emule passthrough=no \
protocol=udp src-port=1024,65535
add action=mark-connection chain=udp-services dst-port=1024,65535 new-connection-mark=emule passthrough=\
no protocol=udp src-port=4672
add action=mark-connection chain=udp-services dst-port=12053 new-connection-mark=overnet passthrough=no \
protocol=udp src-port=1024,65535
add action=mark-connection chain=udp-services dst-port=1024,65535 new-connection-mark=overnet \
passthrough=no protocol=udp src-port=12053
add action=mark-connection chain=udp-services dst-port=1024,65535 new-connection-mark=skype passthrough=\
no protocol=udp src-port=36725
add action=mark-connection chain=udp-services connection-state=new new-connection-mark=other-udp \
passthrough=no protocol=udp
add action=mark-connection chain=other-services icmp-options=8 new-connection-mark=ping passthrough=no \
protocol=icmp
add action=mark-connection chain=other-services new-connection-mark=gre passthrough=no protocol=gre
add action=mark-connection chain=other-services new-connection-mark=other passthrough=no
add action=mark-packet chain=prerouting comment="All P2P" in-interface=ether3 new-packet-mark=all_p2p_in \
p2p=all-p2p passthrough=no
add action=mark-packet chain=postrouting new-packet-mark=all_p2p_out out-interface=ether3 p2p=all-p2p \
passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" new-packet-mark=all_p2p_in p2p=all-p2p \
passthrough=no
add action=mark-packet chain=postrouting new-packet-mark=all_p2p_out out-interface="WAN II" p2p=all-p2p \
passthrough=no
add action=mark-packet chain=prerouting comment=100bao_p2p in-interface=WAN layer7-protocol=100bao \
new-packet-mark=100bao_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=100bao new-packet-mark=100bao_p2p_out \
out-interface=WAN passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=100bao new-packet-mark=\
100bao_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=100bao new-packet-mark=100bao_p2p_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="aim mesenger" in-interface=WAN layer7-protocol=aim \
new-packet-mark=aim_mesanger_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=aim new-packet-mark=aim_mesanger_out \
out-interface=WAN passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=aim new-packet-mark=\
aim_mesanger_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=aim new-packet-mark=aim_mesanger_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment=aim_messenger_web in-interface=WAN layer7-protocol=\
aimwebcontent new-packet-mark=aim_mesenger_web_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=aimwebcontent new-packet-mark=\
aim_mesenger_web_out out-interface=WAN passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=aimwebcontent \
new-packet-mark=aim_mesenger_web_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=aimwebcontent new-packet-mark=\
aim_mesenger_web_out out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment=applejuice_p2p in-interface=WAN layer7-protocol=\
applejuice new-packet-mark=applejuice_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=applejuice new-packet-mark=applejuice_out \
out-interface=WAN passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=applejuice new-packet-mark=\
applejuice_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=applejuice new-packet-mark=applejuice_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment=ares_p2p in-interface=WAN layer7-protocol=ares \
new-packet-mark=ares_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=ares new-packet-mark=ares_p2p_out out-interface=\
WAN passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=ares new-packet-mark=\
ares_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=ares new-packet-mark=ares_p2p_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment=bgp_routing in-interface=ether3 layer7-protocol=bgp \
new-packet-mark=bgp_routing_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=bgp new-packet-mark=bgp_routing_out \
out-interface=ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=bgp new-packet-mark=\
bgp_routing_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=bgp new-packet-mark=bgp_routing_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment=bittorent_p2p in-interface=ether3 layer7-protocol=\
bittorrent new-packet-mark=bittorent_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=bittorrent new-packet-mark=bittorent_out \
out-interface=ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=bittorrent new-packet-mark=\
bittorent_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=bittorrent new-packet-mark=bittorent_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment=bittoren-1t_p2p in-interface=WAN layer7-protocol=\
Bittorrent-1 new-packet-mark=bittorent_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=Bittorrent-1 new-packet-mark=bittorent_out \
out-interface=WAN passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=Bittorrent-1 \
new-packet-mark=bittorent_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=Bittorrent-1 new-packet-mark=bittorent_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment=dhcp in-interface=ether3 layer7-protocol=dhcp \
new-packet-mark=dhcp_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=dhcp new-packet-mark=dhcp_out out-interface=\
ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=dhcp new-packet-mark=\
dhcp_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=dhcp new-packet-mark=dhcp_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="Direct Connect - P2P filesharing " in-interface=WAN \
layer7-protocol=directconnect new-packet-mark=DC_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=directconnect new-packet-mark=DC_p2p_out \
out-interface=WAN passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=directconnect \
new-packet-mark=DC_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=directconnect new-packet-mark=DC_p2p_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="DNS - Domain Name System " in-interface=ether3 \
layer7-protocol=dns new-packet-mark=DNS_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=dns new-packet-mark=DNS_out out-interface=ether3 \
passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=dns new-packet-mark=DNS_in \
passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=dns new-packet-mark=DNS_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="eDonkey2000 - P2P filesharing " in-interface=ether3 \
layer7-protocol=edonkey new-packet-mark=edonkey_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=edonkey new-packet-mark=edonkey_p2p_out \
out-interface=ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=edonkey new-packet-mark=\
edonkey_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=edonkey new-packet-mark=edonkey_p2p_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment=\
"FastTrack - P2P filesharing (Kazaa, Morpheus, iMesh, Grokster, etc)" in-interface=ether3 \
layer7-protocol=fasttrack new-packet-mark=fasttrack_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=fasttrack new-packet-mark=fasttrack_p2p_out \
out-interface=ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=fasttrack new-packet-mark=\
fasttrack_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=fasttrack new-packet-mark=fasttrack_p2p_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="FTP - File Transfer Protocol " in-interface=ether3 \
layer7-protocol=ftp new-packet-mark=ftp_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=ftp new-packet-mark=ftp_out out-interface=ether3 \
passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=ftp new-packet-mark=ftp_in \
passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=ftp new-packet-mark=ftp_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="GnucleusLAN - LAN-only P2P " in-interface=WAN \
layer7-protocol=gnucleuslan new-packet-mark=gnu_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=gnucleuslan new-packet-mark=gnu_p2p_out \
out-interface=WAN passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=gnucleuslan \
new-packet-mark=gnu_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=gnucleuslan new-packet-mark=gnu_p2p_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="Gnutella - P2P filesharing" in-interface=WAN \
layer7-protocol=gnutella new-packet-mark=gnutella_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=gnutella new-packet-mark=gnutella_p2p_out \
out-interface=WAN passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=gnutella new-packet-mark=\
gnutella_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=gnutella new-packet-mark=gnutella_p2p_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="GoBoogy - a Korean P2P protocol" in-interface=ether3 \
layer7-protocol=goboogy new-packet-mark=gobogy_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=goboogy new-packet-mark=gobogy_p2p_out \
out-interface=ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=goboogy new-packet-mark=\
gobogy_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=goboogy new-packet-mark=gobogy_p2p_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="H.323 - Voice over IP" in-interface=WAN layer7-protocol=\
h323 new-packet-mark=h323_voiceoverip_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=h323 new-packet-mark=h323_voiceoverip_out \
out-interface=WAN passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=h323 new-packet-mark=\
h323_voiceoverip_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=h323 new-packet-mark=h323_voiceoverip_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="RTSP tunneled within HTTP" in-interface=ether3 \
layer7-protocol=http-rtsp new-packet-mark=httprtsp_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=http-rtsp new-packet-mark=httprtsp_out \
out-interface=ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=http-rtsp new-packet-mark=\
httprtsp_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=http-rtsp new-packet-mark=httprtsp_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="www HyperText Transfer Protocol " in-interface=ether3 \
layer7-protocol=http new-packet-mark=http_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=http new-packet-mark=http_out out-interface=\
ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=http new-packet-mark=\
http_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=http new-packet-mark=http_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="Ident - Identification Protocol - RFC 1413" \
in-interface=WAN layer7-protocol=ident new-packet-mark=ident_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=ident new-packet-mark=ident_out out-interface=\
WAN passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=ident new-packet-mark=\
ident_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=ident new-packet-mark=ident_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment=\
"IMAP - Internet Message Access Protocol (A common e-mail protocol)" in-interface=ether3 \
layer7-protocol=imap new-packet-mark=imap_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=imap new-packet-mark=imap_out out-interface=\
ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=imap new-packet-mark=\
imap_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=imap new-packet-mark=imap_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment=\
"iMesh - the native protocol of iMesh, a P2P application " in-interface=ether3 layer7-protocol=imesh \
new-packet-mark=imesh_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=imesh new-packet-mark=imesh_p2p_out \
out-interface=ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=imesh new-packet-mark=\
imesh_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=imesh new-packet-mark=imesh_p2p_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="IRC - Internet Relay Chat" in-interface=ether3 \
layer7-protocol=irc new-packet-mark=irc_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=irc new-packet-mark=irc_out out-interface=ether3 \
passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=irc new-packet-mark=irc_in \
passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=irc new-packet-mark=irc_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="KuGoo - a Chinese P2P program " in-interface=ether3 \
layer7-protocol=kugoo new-packet-mark=koogo_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=kugoo new-packet-mark=koogo_out out-interface=\
ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=kugoo new-packet-mark=\
koogo_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=kugoo new-packet-mark=koogo_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="MSN (Micosoft Network) Messenger file transfers " \
in-interface=WAN layer7-protocol=msn-filetransfer new-packet-mark=msnfile_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=msn-filetransfer new-packet-mark=msnfile_out \
out-interface=WAN passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=msn-filetransfer \
new-packet-mark=msnfile_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=msn-filetransfer new-packet-mark=msnfile_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="MSN Messenger " in-interface=ether3 layer7-protocol=\
msnmessenger new-packet-mark=msn_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=msnmessenger new-packet-mark=msn_out \
out-interface=ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=msnmessenger \
new-packet-mark=msn_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=msnmessenger new-packet-mark=msn_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="MUTE - P2P filesharing " in-interface=WAN \
layer7-protocol=mute new-packet-mark=mute_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=mute new-packet-mark=mute_p2p_out out-interface=\
WAN passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=mute new-packet-mark=\
mute_p2p_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=mute new-packet-mark=mute_p2p_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="Napster - P2P filesharing" in-interface=WAN \
layer7-protocol=napster new-packet-mark=napster_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=napster new-packet-mark=napster_out \
out-interface=WAN passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=napster new-packet-mark=\
napster_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=napster new-packet-mark=napster_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="NetBIOS - Network Basic Input Output System" \
in-interface=ether3 layer7-protocol=netbios new-packet-mark=netbios_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=netbios new-packet-mark=netbios_out \
out-interface=ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=netbios new-packet-mark=\
netbios_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=netbios new-packet-mark=netbios_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="NNTP - Network News Transfer Protocol " in-interface=\
ether3 layer7-protocol=nntp new-packet-mark=nntp_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=nntp new-packet-mark=nntp_out out-interface=\
ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=nntp new-packet-mark=\
nntp_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=nntp new-packet-mark=nntp_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="SNTP - (Simple) Network Time Protocol " in-interface=\
ether3 layer7-protocol=ntp new-packet-mark=ntp_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=ntp new-packet-mark=ntp_out out-interface=ether3 \
passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=ntp new-packet-mark=ntp_in \
passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=ntp new-packet-mark=ntp_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="Remote Administrator - remote desktop for MS Windows" \
in-interface=ether3 layer7-protocol=radmin new-packet-mark=radmin_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=radmin new-packet-mark=radmin_out out-interface=\
ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=radmin new-packet-mark=\
radmin_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=radmin new-packet-mark=radmin_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment=\
"Remote Desktop Protocol (used in Windows Terminal Services)" in-interface=WAN layer7-protocol=rdp \
new-packet-mark=rdp_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=rdp new-packet-mark=rdp_out out-interface=WAN \
passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=rdp new-packet-mark=rdp_in \
passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=rdp new-packet-mark=rdp_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="RTSP - Real Time Streaming Protocol " in-interface=WAN \
layer7-protocol=rtsp new-packet-mark=rtsp_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=rtsp new-packet-mark=rtsp_out out-interface=WAN \
passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=rtsp new-packet-mark=\
rtsp_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=rtsp new-packet-mark=rtsp_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="SIP - Session Initiation Protocol - Internet telephony " \
in-interface=ether3 layer7-protocol=sip new-packet-mark=sip_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=sip new-packet-mark=sip_out out-interface=ether3 \
passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=sip new-packet-mark=sip_in \
passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=sip new-packet-mark=sip_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="Skype to phone - UDP voice call " in-interface=ether3 \
layer7-protocol=skypeout new-packet-mark=skypeout_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=skypeout new-packet-mark=skypeout_out \
out-interface=ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=skypeout new-packet-mark=\
skypeout_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=skypeout new-packet-mark=skypeout_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="Skype to Skype - UDP voice call " in-interface=ether3 \
layer7-protocol=skypetoskype new-packet-mark=skype2skype_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=skypetoskype new-packet-mark=skype2skype_out \
out-interface=ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=skypetoskype \
new-packet-mark=skype2skype_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=skypetoskype new-packet-mark=skype2skype_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="POP3 - Post Office Protocol version 3" in-interface=\
ether3 layer7-protocol=pop3 new-packet-mark=pop3_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=pop3 new-packet-mark=pop3_out out-interface=\
ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=pop3 new-packet-mark=\
pop3_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=pop3 new-packet-mark=pop3_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="SMTP - Simple Mail Transfer Protocol " in-interface=\
ether3 layer7-protocol=smtp new-packet-mark=smtp_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=smtp new-packet-mark=smtp_out out-interface=\
ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=smtp new-packet-mark=\
smtp_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=smtp new-packet-mark=smtp_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="SNMP - Simple Network Management Protocol " \
in-interface=ether3 layer7-protocol=snmp new-packet-mark=snmp_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=snmp new-packet-mark=snmp_out out-interface=\
ether3 passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=snmp new-packet-mark=\
snmp_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=snmp new-packet-mark=snmp_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="Soulseek - P2P filesharing " in-interface=WAN \
layer7-protocol=soulseek new-packet-mark=soulsek_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=soulseek new-packet-mark=soulsek_out \
out-interface=WAN passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=soulseek new-packet-mark=\
soulsek_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=soulseek new-packet-mark=soulsek_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="SSH - Secure SHell" in-interface=ether3 layer7-protocol=\
ssh new-packet-mark=ssh_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=ssh new-packet-mark=ssh_out out-interface=ether3 \
passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=ssh new-packet-mark=ssh_in \
passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=ssh new-packet-mark=ssh_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment=\
"SSL and TLS - Secure Socket Layer / Transport Layer Security " in-interface=ether3 layer7-protocol=\
ssl new-packet-mark=ssl_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=ssl new-packet-mark=ssl_out out-interface=ether3 \
passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=ssl new-packet-mark=ssl_in \
passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=ssl new-packet-mark=ssl_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment=vnc in-interface=WAN layer7-protocol=vnc new-packet-mark=\
vnc_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=vnc new-packet-mark=vnc_out out-interface=WAN \
passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=vnc new-packet-mark=vnc_in \
passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=vnc new-packet-mark=vnc_out out-interface=\
"WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="TeamSpeak - VoIP application " in-interface=WAN \
layer7-protocol=teamspeak new-packet-mark=teamspeak_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=teamspeak new-packet-mark=teamspeak_out \
out-interface=WAN passthrough=no
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=teamspeak new-packet-mark=\
teamspeak_in passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=teamspeak new-packet-mark=teamspeak_out \
out-interface="WAN II" passthrough=no
add action=mark-packet chain=prerouting comment="Everything else that remains" in-interface=ether3 \
new-packet-mark=remaining_in passthrough=no
add action=mark-packet chain=postrouting new-packet-mark=remaining_out out-interface=ether3 passthrough=\
no
add action=mark-packet chain=prerouting in-interface="WAN II" new-packet-mark=remaining_in passthrough=no
add action=mark-packet chain=postrouting new-packet-mark=remaining_out out-interface="WAN II" \
passthrough=no
add action=mark-packet chain=prerouting comment=MSN_Filetransfer in-interface=WAN layer7-protocol=\
MSN_filetransfer new-packet-mark=MSN_filetransfer_in
add action=mark-packet chain=postrouting layer7-protocol=MSN_filetransfer new-packet-mark=\
MSN_filetransfer_out out-interface=WAN
add action=mark-packet chain=prerouting in-interface="WAN II" layer7-protocol=MSN_filetransfer \
new-packet-mark=MSN_filetransfer_in
add action=mark-packet chain=postrouting layer7-protocol=MSN_filetransfer new-packet-mark=\
MSN_filetransfer_out out-interface="WAN II"
add action=mark-packet chain=prerouting comment=Youtube layer7-protocol=youtube new-packet-mark=\
youtube_in
add action=mark-packet chain=postrouting layer7-protocol=youtube new-packet-mark=youtube_out
add action=mark-packet chain=prerouting comment="Tor (Onion Router)" layer7-protocol=tor new-packet-mark=\
tor_in
add action=mark-packet chain=postrouting layer7-protocol=tor new-packet-mark=tor_out
add action=mark-packet chain=prerouting comment=Youtube_240p layer7-protocol=Youtube_240p \
new-packet-mark=Limit_YouTube passthrough=no
add action=mark-connection chain=prerouting comment=avi_down layer7-protocol=ext_avi new-connection-mark=\
avi_down protocol=tcp
add action=mark-packet chain=postrouting connection-mark=avi_down new-packet-mark=avi passthrough=no \
protocol=tcp
add action=mark-connection chain=prerouting comment=flv_down layer7-protocol=ext_flv new-connection-mark=\
flv_down protocol=tcp
add action=mark-packet chain=postrouting connection-mark=flv_down new-packet-mark=flv passthrough=no \
protocol=tcp
add action=mark-connection chain=prerouting comment=mkv_down layer7-protocol=ext_mkv new-connection-mark=\
mkv_down protocol=tcp
add action=mark-packet chain=postrouting connection-mark=mkv_down new-packet-mark=mkv passthrough=no \
protocol=tcp
add action=mark-connection chain=prerouting comment=mov_down layer7-protocol=ext_mov new-connection-mark=\
mov_down protocol=tcp
add action=mark-packet chain=postrouting connection-mark=mov_down new-packet-mark=mov passthrough=no \
protocol=tcp
add action=mark-connection chain=prerouting comment=mp3_down layer7-protocol=ext_mp3 new-connection-mark=\
mp3_down protocol=tcp
add action=mark-packet chain=postrouting connection-mark=mp3_down new-packet-mark=mp3 passthrough=no \
protocol=tcp
add action=mark-connection chain=prerouting comment=mp4_down layer7-protocol=ext_mp4 new-connection-mark=\
mp4_down protocol=tcp
add action=mark-packet chain=postrouting connection-mark=mp4_down new-packet-mark=mp4 passthrough=no \
protocol=tcp
add action=mark-connection chain=prerouting comment=mpeg_down layer7-protocol=ext_mpeg \
new-connection-mark=mpeg_down protocol=tcp
add action=mark-packet chain=postrouting connection-mark=mpeg_down new-packet-mark=mpeg passthrough=no \
protocol=tcp
add action=mark-connection chain=prerouting comment=mpg_down layer7-protocol=ext_mpg new-connection-mark=\
mpg_down protocol=tcp
add action=mark-packet chain=postrouting connection-mark=mpg_down new-packet-mark=mpg passthrough=no \
protocol=tcp
add action=mark-connection chain=prerouting comment=ram_down layer7-protocol=ext_ram new-connection-mark=\
ram_down protocol=tcp
add action=mark-packet chain=postrouting connection-mark=ram_down new-packet-mark=ram passthrough=no \
protocol=tcp
add action=mark-connection chain=prerouting comment=rm_down layer7-protocol=ext_rm new-connection-mark=\
rm_down protocol=tcp
add action=mark-packet chain=postrouting connection-mark=rm_down new-packet-mark=rm passthrough=no \
protocol=tcp
add action=mark-connection chain=prerouting comment=rmvb_down layer7-protocol=ext_rmvb \
new-connection-mark=rmvb_down protocol=tcp
add action=mark-packet chain=postrouting connection-mark=rmvb_down new-packet-mark=rmvb passthrough=no \
protocol=tcp
add action=mark-connection chain=prerouting comment=wav_down layer7-protocol=ext_wav new-connection-mark=\
wav_down protocol=tcp
add action=mark-packet chain=postrouting connection-mark=wav_down new-packet-mark=wav passthrough=no \
protocol=tcp
add action=mark-connection chain=prerouting comment=\
"wma_down (mark-connection rule was missing from the original export; assumes a layer7-protocol named ext_wma exists)" \
layer7-protocol=ext_wma new-connection-mark=wma_down protocol=tcp
add action=mark-packet chain=postrouting connection-mark=wma_down new-packet-mark=wma passthrough=no \
protocol=tcp
add action=mark-connection chain=prerouting comment=wmv_down layer7-protocol=ext_wmv new-connection-mark=\
wmv_down protocol=tcp
add action=mark-packet chain=postrouting connection-mark=wmv_down new-packet-mark=wmv passthrough=no \
protocol=tcp
add action=mark-connection chain=prerouting comment=rar_down layer7-protocol=ext_rar new-connection-mark=\
rar_down protocol=tcp
add action=mark-packet chain=postrouting connection-mark=rar_down new-packet-mark=rar passthrough=no \
protocol=tcp
add action=mark-connection chain=prerouting comment=vcd_down layer7-protocol=ext_vcd new-connection-mark=\
vcd_down protocol=tcp
add action=mark-packet chain=postrouting connection-mark=vcd_down new-packet-mark=vcd passthrough=no \
protocol=tcp
add chain=prerouting comment="EXT Direct Route" disabled=yes dst-address-list=bypass_proxy in-interface=\
LAN src-address-list=local-addr
add action=mark-routing chain=prerouting comment="EXT Live Route" disabled=yes dst-address-list=ext \
new-routing-mark=ext-rt
add chain=prerouting disabled=yes dst-address-list=ext routing-mark=ext-rt
add action=mark-packet chain=prerouting comment="Squid Packet Mark" disabled=yes dscp=12 new-packet-mark=\
HITS passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat comment="EXT Network NAT" dst-address-list=ext out-interface=EXT-BRR \
src-address=10.1.0.0/19 to-addresses=10.12.78.0/24
add action=masquerade chain=srcnat comment="EXT Network NAT wifi" dst-address-list=ext out-interface=\
EXT-BRR src-address=192.168.15.0/24 to-addresses=10.12.78.0/24
add action=redirect chain=dstnat comment="Proxy Redirection" disabled=yes dst-address-list=!bypass_proxy \
dst-port=80,443 protocol=tcp src-address=10.1.0.66 src-address-list=!unrestricted \
time=7h40m-14h,sun,mon,tue,wed,thu to-ports=3128
add action=src-nat chain=srcnat comment="Provider NET" out-interface=ether3 src-address=10.1.0.0/19 \
src-address-list=!no_internet to-addresses=a.b.c.130
add action=src-nat chain=srcnat comment="Provider-Wifi Hosts" out-interface=ether3 src-address=\
192.168.15.0/24 to-addresses=a.b.c.131
add action=src-nat chain=srcnat comment="Provider-Wifi Hosts" out-interface=ether3 src-address=172.23.0.3 \
to-addresses=a.b.c.131
add action=masquerade chain=srcnat comment="wifi to local network" dst-address=10.1.0.0/19 src-address=\
192.168.15.0/24
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set cache-administrator=**** cache-path=**** max-cache-size=none \
max-client-connections=1000 max-fresh-time=2d max-server-connections=1000 port=3128 \
serialize-connections=yes src-address=10.1.0.1
/ip proxy access
add action=deny dst-host=*.youtube.*
/ip route
add comment="EXT Routes" distance=1 gateway=10.12.78.10 routing-mark=ext-rt
add comment="Provider GW" distance=1 gateway=a.b.c.129
add distance=1 dst-address=192.168.15.0/24 gateway=192.168.100.1
/ip service
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no
/lcd
set backlight-timeout=5m color-scheme=dark default-screen=stats-all read-only-mode=yes touch-screen=\
disabled
/lcd pin
set pin-number=3128
/lcd interface
set sfp1 disabled=yes
set sfp2 disabled=yes
set sfp3 disabled=yes
set sfp4 disabled=yes
set ether3 disabled=yes
set CF disabled=yes
set ether5 disabled=yes
set BCK disabled=yes
set EXT-LP disabled=yes
set ether11 disabled=yes
set ether12 disabled=yes
/lcd screen
set 3 disabled=yes
set 5 disabled=yes
/system clock
set time-zone-name=Indian
/system clock manual
set dst-end="jan/01/2013 00:00:00" dst-start="jan/01/2013 00:00:00" time-zone=+05:30
/system identity
set name=Core-gw
/system ntp client
set enabled=yes primary-ntp=e.f.g.h secondary-ntp=i.j.k.l
/system routerboard settings
set cpu-frequency=1200MHz memory-frequency=1066DDR
/system watchdog
set automatic-supout=no watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool graphing interface
add interface=ether3
add interface=EXT-BRR
add interface=LAN
/tool traffic-monitor
add interface=ether3 name=tmon1 threshold=0
[admin@Core-gw] >
Then doing the following configuration:

Code:

/interface bonding
# continuation line needs a space before the backslash, otherwise the two
# lines are joined into "ether12transmit-hash-policy=..." and the add fails
add mode=balance-xor name=vlantrunck slaves=ether11,ether12 \
transmit-hash-policy=layer-2-and-3

/interface vlan
add interface=vlantrunck name=VLAN99 vlan-id=99
/ip address
add address=192.168.99.1/24 interface=VLAN99

/interface vlan
add interface=vlantrunck name=vlan1 vlan-id=10
add interface=vlantrunck name=vlan2 vlan-id=20
add interface=vlantrunck name=vlan3 vlan-id=30
add interface=vlantrunck name=vlan4 vlan-id=40
add interface=vlantrunck name=vlan5 vlan-id=50

/interface
ethernet disable ether3

/ip address
disable [find address="10.1.0.1/19"]
add address=10.1.0.1/19 interface=vlan1
add address=192.168.20.1/24 interface=vlan2
add address=192.168.30.1/24 interface=vlan3
add address=192.168.40.1/24 interface=vlan4
add address=192.168.50.1/24 interface=vlan5
add address=192.168.100.100/24 interface=ether5


/ip pool
add name=vlan2_pool ranges=192.168.20.100-192.168.20.200
add name=vlan3_pool ranges=192.168.30.100-192.168.30.200
add name=vlan4_pool ranges=192.168.40.20-192.168.40.250
add name=vlan5_pool ranges=192.168.50.10-192.168.50.150
/ip dhcp-server
add address-pool=vlan2_pool disabled=no interface=vlan2 name=vlan2_DHCP
add address-pool=vlan3_pool disabled=no interface=vlan3 name=vlan3_DHCP
add address-pool=vlan4_pool disabled=no interface=vlan4 name=vlan4_DHCP
add address-pool=vlan5_pool disabled=no interface=vlan5 name=vlan5_DHCP
/ip dhcp-server network
add address=192.168.20.0/24 dns-server=192.168.20.1 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=192.168.30.1 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=192.168.40.1 gateway=192.168.40.1
add address=192.168.50.0/24 dns-server=192.168.50.1 gateway=192.168.50.1

/ip dns
set allow-remote-requests=yes servers=8.8.8.8

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether5
So at this point WAN, WAN II and ether3 will have nothing on them; configuring ether5 for internet.
At this point a host in vlan1 cannot be pinged from a host in vlan2.
 
mkx
Forum Guru
Posts: 2252
Joined: Thu Mar 03, 2016 10:23 pm

Re: Inter Vlan communication and inter network communication issue

Wed Jun 05, 2019 1:34 pm

Your firewall filter list is a huge haystack and, honestly, I don't have a will to look for the pin in it.

If PCs can receive IP settings from CCR's DHCP server, then basic VLAN is done correctly.

One check to perform: can you ping the router from any of those VLANed PCs? I'm not sure if the outcome really helps ... the problem can be anywhere ... in routing (with mangling), in firewall filter lists, ... And even if you can't ping the router from the PCs it can still be a problem in the firewall filter rules.
BR,
Metod
 
DavidClark
just joined
Topic Author
Posts: 7
Joined: Sun Jun 02, 2019 8:25 pm

Re: Inter Vlan communication and inter network communication issue

Wed Jun 05, 2019 10:04 pm

Your firewall filter list is a huge haystack and, honestly, I don't have a will to look for the pin in it.

If PCs can receive IP settings from CCR's DHCP server, then basic VLAN is done correctly.

One check to perform: can you ping the router from any of those VLANed PCs? I'm not sure if the outcome really helps ... the problem can be anywhere ... in routing (with mangling), in firewall filter lists, ... And even if you can't ping the router from the PCs it can still be a problem in the firewall filter rules.
All the PCs can ping the router.

I think it's because of the firewall rules. It didn't cross my mind to check everything after exporting and grouping them. Will get it solved and update.
Thank you very much for the help.

Sent from my SM-G965F using Tapatalk

 
anav
Forum Guru
Posts: 2716
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Inter Vlan communication and inter network communication issue

Thu Jun 06, 2019 3:25 pm

I would add that most of what you have is not needed.
Simply use firewall rules that state what is allowed and then at the end of the input chain and forward chain
make drop all rules.

Done............
Then monitor traffic and if there is a specific source or type of traffic that you feel is hampering the router then address it specifically.
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
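As an added example of the allow-list layout anav describes, combined with the diagnostic mkx suggests (can the VLAN PCs reach the router, and if not, which rule is dropping them). This is not the poster's configuration or anything from the thread; it assumes the interface names and subnets from the poster's second config (vlan1 through vlan5 on the bonding, ether5 as the internet uplink) and that router management should only come from vlan1. The address-list name lan_nets, the log prefixes and the choice of management ports are assumptions for the example. It avoids interface lists (a later 6.x addition) and matches on in-interface and address lists, which the poster's existing export already uses.

```routeros
# Added example: minimal allow-list firewall for the inter-VLAN setup in the
# thread. Names and subnets follow the poster's second config; the address
# list, log prefixes and management ports are assumptions.

/ip firewall address-list
add list=lan_nets address=10.1.0.0/19 comment="vlan1"
add list=lan_nets address=192.168.20.0/24 comment="vlan2"
add list=lan_nets address=192.168.30.0/24 comment="vlan3"
add list=lan_nets address=192.168.40.0/24 comment="vlan4"
add list=lan_nets address=192.168.50.0/24 comment="vlan5"

/ip firewall filter
# ---- input chain: traffic addressed to the router itself ----
# Replies to sessions the router opened (NTP, DNS upstream) come first so
# they never fall through to the drop at the end.
add chain=input action=accept connection-state=established,related \
    comment="established/related to the router"
add chain=input action=drop connection-state=invalid
# mkx's check: LAN hosts may ping the router. If this stops working, the
# INPUT-DROP log below names the blocked source.
add chain=input action=accept protocol=icmp src-address-list=lan_nets \
    comment="LAN may ping the router"
# The poster's config sets allow-remote-requests=yes on /ip dns; limiting
# port 53 to lan_nets keeps the router from answering as an open resolver
# towards ether5.
add chain=input action=accept protocol=udp dst-port=53 src-address-list=lan_nets \
    comment="DNS for LAN clients only"
add chain=input action=accept protocol=tcp dst-port=53 src-address-list=lan_nets \
    comment="DNS for LAN clients only"
# Management (SSH, Winbox) only from the vlan1 interface (assumed policy).
add chain=input action=accept protocol=tcp dst-port=22,8291 in-interface=vlan1 \
    comment="management from vlan1 only"
# Drop-all at the end of input, as anav describes; logged so that the reason
# for a failed ping or DHCP/DNS request is visible in /log.
add chain=input action=drop log=yes log-prefix="INPUT-DROP " \
    comment="drop everything else to the router"

# ---- forward chain: traffic routed between interfaces ----
add chain=forward action=accept connection-state=established,related \
    comment="established/related through the router"
add chain=forward action=drop connection-state=invalid
# The one inter-VLAN flow the thread wants (vlan2 hosts reaching vlan1).
# Return traffic is covered by established/related above, so only the
# initiating direction needs a rule; add one rule per permitted pair.
add chain=forward action=accept in-interface=vlan2 out-interface=vlan1 \
    comment="vlan2 -> vlan1 allowed"
# Every VLAN may reach the internet uplink (ether5, masqueraded in /ip firewall nat).
add chain=forward action=accept src-address-list=lan_nets out-interface=ether5 \
    comment="LAN to internet"
# Drop-all at the end of forward: every other VLAN-to-VLAN or WAN-to-LAN
# attempt ends here and is logged with its source and destination.
add chain=forward action=drop log=yes log-prefix="FORWARD-DROP " \
    comment="drop everything else, including other inter-VLAN traffic"
```

To find which rule is eating a ping, send it from the vlan2 PC and run `/log print where message~"FORWARD-DROP"` (or `INPUT-DROP` for pings aimed at the router address); the logged line carries the in/out interface and the source and destination address. Once the allow rules cover the wanted flows, set `log=no` on the two drop rules, since on a production chain they otherwise fill the log quickly. Anything the poster's existing mangle and routing-mark rules need (the `ext` table, the proxy redirect) must get its own accept rule above the drops; that is the point of the layout, nothing passes unless it was listed.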
 
DavidClark
just joined
Topic Author
Posts: 7
Joined: Sun Jun 02, 2019 8:25 pm

Re: Inter Vlan communication and inter network communication issue

Sat Jun 08, 2019 6:15 pm

I would add that most of what you have is not needed.
Simply use firewall rules that state what is allowed and then at the end of the input chain and forward chain
make drop all rules.

Done............
Then monitor traffic and if there is a specific source or type of traffic that you feel is hampering the router then address it specifically.
Sure. I will most probably do this. Thank you for the help.
Slowly building up something, since I have to reduce downtime considering the router is in production and so many services are shared to the external network.

Sent from my SM-G965F using Tapatalk

 
DavidClark
just joined
Topic Author
Posts: 7
Joined: Sun Jun 02, 2019 8:25 pm

Re: Inter Vlan communication and inter network communication issue

Sun Jun 09, 2019 10:19 pm

@mkx thank you for the help. It seems the problem was in the firewall. The firewall was a mess. I have been able to solve the issue. The configuration is good, up and running. Now cleaning the firewall as recommended by @anav and to meet my requirements.
 
anav
Forum Guru
Posts: 2716
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Inter Vlan communication and inter network communication issue

Mon Jun 10, 2019 4:38 am

@mkx thank you for the help. It seems the problem was in the firewall. The firewall was a mess. I have been able to solve the issue. The configuration is good, up and running. Now cleaning the firewall as recommended by @anav and to meet my requirements.
That is good news!!
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
