Hello all,
New to Mikrotik and confused on firewall rules. By default does RouterOS 6.45.9 block traffic between VLANS? I've seen posts saying yes and others saying to use a firewall rule. I want to use my HapAC2 as the DNS/DHCP server for both VLANS with VLAN 100 only allowed access to the internet. I plan on replacing my current router with this one and want to iron out any issues before switching.
EDIT: I setup VLAN 100 on eth2 but my laptop is getting assigned an IP address on the bridge network (10.10.10.1 where I want most of devices).
I read that I have to set up a firewall rule for port 53 when making remote requests. Is this firewall rule/ordering correct? Should the port 53 rule get moved all the way to top?
Full config...appreciate any feedback:
https://pastebin.com/eiXi7E4Q
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 netmask=24
add address=10.10.20.0/24 dns-server=1.1.1.1 gateway=10.10.20.1
/ip dns
set allow-remote-requests=yes servers=1.1.1.1
/ip dns static
add address=10.10.10.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="defconf: drop ICMP edit" in-interface-list=WAN log=yes protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=input comment="block remote DNS " dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="block remote DNS" dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN