Hi there,
(1) Add ethernet6 to the LAN membership
/interface list member
add interface=ether1 list=WAN
add interface=local list=LAN
add interface=ether6 list=LAN
(2) Your IP pools are screwed up LOL
From
/ip pool
add name=dhcp_pool0 ranges=11.10.8.1-11.10.10.0,11.10.10.2-11.10.11.254
add name=dhcp ranges=11.10.8.1-11.10.10.0
add name=dhcp_pool2 ranges=11.10.10.2-11.10.10.254
TO
/ip pool
add name=dhcp ranges=11.10.8.2-11.10.8.254
add name=dhcp_pool2 ranges=11.10.10.2-11.10.10.254
(3) Fix server
From
/ip dhcp-server network
add address=11.10.8.0/22 dns-server=1.1.1.1 gateway=11.10.10.1
TO
add address=11.10.8.0/24 dns-server=1.1.1.1 gateway=11.10.8.1
(4) Masquerade rule......
a. IF you have a dynamic WANIP the standard is slightly different.
/ip firewall nat
From
add action=masquerade chain=srcnat out-interface=ether1
TO
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
b. If the wanip is static/fixed the best format is
add action=src-nat chain=srcnat out-interface-list=WAN to-addresses=<your fixed WAN IP address>
Finally we get to the problematic area, people frigging with the default rules when they really shouldn't until they know more.
THIS IS A BIG RED FLAG...
You have made your router vulnerable on the internet..... and is a big NO NO.
Disconnect your router from the internet until fixed up.
Please use the following default rules.
/ip firewall filter
{input chain}
add action=accept chain=input comment="accept established,related untracked" \
connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 \
protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
{forward chain}
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
.....
THEN we can migrate you from a SAFE initial start, to a better targeted SAFE setup, if you understand what the rules above are doing and the rules below are doing.
/ip firewall filter
add action=accept chain=input comment="Allow Estab-Relat-untrck" \
connection-state=established,related,untracked
add action=drop chain=input comment="Drop invalid" connection-state=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Authorized_Access" in-interface-list=LAN \
source-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment="Allow Estab & Related" \
connection-state=established,related
add action=accept chain=forward comment="LAN Internet Access" \
connection-state=new in-interface-list=LAN out-interface-list=WAN
{disable the next rule if port forwarding is not in use}
add action=accept chain=forward comment="Allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment="drop all else"
Note: To create the firewall address list called 'adminaccess' used in the input chain (fourth rule), assuming you have statically assigned IP addresses, it looks like:
/ip firewall address-list
add address=<IP address of your desktop> list=adminaccess
add address=<IP address of your laptop> list=adminaccess
add address=<IP address of your ipad/tablet> list=adminaccess
add address=<IP address of your smartphones> list=adminaccess
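The ordering mistakes the post warns about (a catch-all drop placed before the accept rules it is meant to follow, or an input chain with no final drop) are easy to make when hand-editing an export. The following is an added example, not code from the post or from MikroTik: a small Python lint that parses `/ip firewall filter` lines from a RouterOS export (backslash continuations and the `{...}` annotation lines used above are handled) and reports rules shadowed by an earlier match-everything terminating rule, an input chain that does not end in a drop, and input-chain accepts from the WAN list with no protocol restriction. The two rule sets embedded below are constructed for the example: the first mirrors the default input/forward rules quoted above, the second deliberately places a bare `action=drop` second in the input chain.

```python
"""Lint RouterOS '/ip firewall filter' rules for ordering problems (added example)."""
import shlex
from typing import Dict, List, Tuple

# Keys that do not narrow what a rule matches; a terminating rule with
# nothing but these keys matches every packet in its chain.
MATCH_FREE = {"action", "chain", "comment", "disabled", "log", "log-prefix"}
TERMINATING = {"accept", "drop", "reject", "tarpit"}


def _logical_lines(text: str) -> List[str]:
    """Join backslash-continued lines; skip blanks, {annotations} and # comments."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("{") or line.startswith("#"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        out.append(buf + line)
        buf = ""
    if buf:
        out.append(buf)
    return out


def parse_filter_rules(text: str) -> List[Dict[str, str]]:
    """Return the 'add ...' rules under '/ip firewall filter' as key/value dicts."""
    rules, section = [], None
    for line in _logical_lines(text):
        if line.startswith("/"):          # a new section header, e.g. /ip firewall nat
            section = line
            continue
        if section != "/ip firewall filter":
            continue
        toks = shlex.split(line)          # keeps quoted comments as one token
        if not toks or toks[0] != "add":
            continue
        rule = {}
        for tok in toks[1:]:
            key, _, value = tok.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def lint(rules: List[Dict[str, str]]) -> List[str]:
    """Return human-readable findings; an empty list means no problem was found."""
    findings: List[str] = []
    by_chain: Dict[str, List[Tuple[int, Dict[str, str]]]] = {}
    for idx, rule in enumerate(rules):
        by_chain.setdefault(rule.get("chain", ""), []).append((idx, rule))

    # 1. A terminating rule with no matchers shadows everything after it.
    for chain, items in by_chain.items():
        for pos, (idx, rule) in enumerate(items):
            matchers = set(rule) - MATCH_FREE
            if rule.get("action") in TERMINATING and not matchers and rule.get("disabled") != "yes":
                for later_idx, later in items[pos + 1:]:
                    label = later.get("comment") or later.get("action")
                    findings.append(f"rule {later_idx} ({chain}: {label}) is unreachable: "
                                    f"rule {idx} matches everything")
                break

    # 2. The input chain protects the router itself and must end in a drop.
    inp = by_chain.get("input", [])
    if not inp or inp[-1][1].get("action") != "drop":
        findings.append("input chain does not end with a drop rule")

    # 3. Accepting any protocol from the WAN list into the router is a red flag.
    for idx, rule in inp:
        if rule.get("action") == "accept" and rule.get("in-interface-list") == "WAN" \
                and "protocol" not in rule:
            findings.append(f"rule {idx} accepts any protocol from WAN in the input chain")
    return findings


# Constructed sample 1: the default rules as quoted in the post above.
DEFAULT_RULES = """
/ip firewall filter
{input chain}
add action=accept chain=input comment="accept established,related untracked" \\
connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \\
in-interface-list=!LAN
{forward chain}
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \\
connection-state=established,related
add action=accept chain=forward comment=\\
"defconf: accept established,related, untracked" connection-state=\\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \\
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
"""

# Constructed sample 2: a catch-all drop placed second, so everything below it is dead.
SHADOWED_RULES = """
/ip firewall filter
add action=accept chain=input comment="Allow Estab-Relat-untrck" \\
connection-state=established,related,untracked
add action=drop chain=input comment=Drop
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Authorized_Access" in-interface-list=LAN \\
source-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \\
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \\
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
"""

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_RULES), ("shadowed", SHADOWED_RULES)):
        print(f"== {name} ==")
        for finding in lint(parse_filter_rules(text)) or ["no findings"]:
            print("  " + finding)
```

Run it against a real `/export` by reading the file into `parse_filter_rules`; the checks are deliberately conservative (only a rule with no matchers at all counts as shadowing), so a clean result is a sanity check, not proof that the policy is correct.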