When upgrade already how to configure the firewall for more protecting for LAN and router.

Setup is dangerous because firewall is virtually non-existant, not protecting neither router itself nor LAN. Setup is dangerous because router is running ancient version of ROS (5.4). Setup is slow because it's got queues set up which are CPU intensive and your device is no speed monster.


My suggestion: netinstall router with recent version of ROS (long-term 6.46.7 should be fine), reset configuration to factory default, upgrade routerboot as well (/system routerboard upgrade after new ROS boots up). Then start off customizing router, but keep default config as a very decent starting point (don't just follow some random youtube tutorial, those are mostly useless or plain wrong).

This is not default setup, it seems that it was transferred over from old config. You have to reset it to factory default. Log in via WebFix (using web browser), click "Quick Set" button top right, then click "Reset configuration" in lower right area. Reboot device (if it doesn't do it itself). Then test performance again.

The problem with current config is that firewall is actually set up (even though only to protect router itself), but for that, connection tracking runs and connection tracking is pretty CPU intensive operation. In ROS there exists a feature called "fast track" which causes most packets to bypass most of firewall processing, but it's not enabled in your setup. You could enable it (it's simple to do it, but not trivial), but as you would really benefit from full default configuration, I strongly advise you to do factory reset before we move further.
After you do reset to factory defaults, study firewall rules to get acquainted to the philosophy ... before you set up NAT rules. While you could verbatim copy-paste current NAT rule, they (both) are not most effective. You'll notice that new default heavily uses interface lists ... if your WAN interface (pppoe-client) does not land in WAN interface list, add it manually. Which will make your personal src-nat rule redundant because the default rule will cover it. Similarly dst-nat rule could be rewritten to use in-interface-list instead of dst-address ... but that depends on whether you want to access your wlan camera through WAN IP also from LAN. If you want that, then your current dst-nat rule is just fine.

For now the firewall only have one rules default, it's correct ?

MMIPS for 750G, Long term version.

MMIPS for 750G, Long term version.

MMIPS is only for the 750Gr3 (second version of the hEX). The original 750G, which the OP has, and the 750Gr2 (first version of the hEX) are MIPSBE.

The /system routerboard settings set cpu-frequency=150MHz will be reducing the performance, it should be several times greater by default.

Not sure if the default configuration is correct, herewith the default firewall rules:

Code: Select all

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN

For now the firewall only have one rules default, it's correct ?

No it is not correct - although I have no idea why MT would not include the default firewalls on new releases even for old equipment.

Did you use netinstall to work with the latest long term version of firmware?
OLD 750 unit is MIPSBE
Newer 750Gr3 is MMIPS

Probably time to upgrade your equipment that thing you have is ancient.

According to product brochure, "native" CPU frequency is 680MHz. If it's not set to that value, change it (/system routerboard set cpu-frequency=680MHz). Before doing it, you may want to check current setting (/system resource print) to see if changing it to default is likely to improve things much.

You have a very different wan connection.
dont see the pppoe interface defined but here is what I would do.

/interface list member
add interface=WUM-Unifi list=WAN
add interface=ether1 list=wan
add interface=vlan.500 list=wan
add interface=pppoe interface (if there is one) list=wan

Then you can do this more easily.
From
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether1
add action=masquerade chain=srcnat out-interface=WUM-Unifi
To
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface-list=WAN

Can you confirm that all your port forwarding works as desired??