NO PROBLEM WITH FIREWALL, THE PROBLEM IS NAT AND IT IS SOLVED!!
Hi Sir
I have setup a router starting from a blank setup as following:
/interface list
add name=wan1
add name=wan2
add name=lan
/ip pool add name=lanPool ranges=192.168.9.100-192.168.9.250
/ip dhcp-server add address-pool=lanPool disabled=no interface=bridge lease-time=1w10m10s name=dhcpLan
/ip dhcp-server network add address=192.168.9.0/24 dns-server=1.1.1.1 gateway=192.168.9.1
/interface bridge port
add bridge=bridge interface=ether3
add bridge=bridge interface=ether4
add bridge=bridge interface=ether5
/interface list member
add interface=ether1 list=wan1
add interface=ether2 list=wan2
add interface=bridge list=lan
/ip dns set servers=1.1.1.1,1.0.0.1
/ip address
add address=172.24.127.2/24 interface=ether1 network=172.24.127.0
add address=172.23.127.2/24 interface=ether2 network=172.23.127.0
add address=192.168.9.1/24 interface=bridge network=192.168.9.0
/ip route
add distance=1 gateway=172.24.127.1
add distance=1 dst-address=201.93.14.0/24 gateway=172.23.127.1
/ip firewall filter
add action=accept chain=input comment="rbMT" connection-state=established,related,untracked
add action=drop chain=input comment="rbMT" connection-state=invalid
add action=drop chain=input comment="deny all - LAN" in-interface-list=!lan
add action=accept chain=forward comment="byPass from wan2" in-interface-list=wan2
add action=accept chain=forward comment="rbMT" ipsec-policy=in,ipsec
add action=accept chain=forward comment="rbMT" ipsec-policy=out,ipsec
add action=fasttrack-connection comment="rbMT" chain=forward connection-state=established,related
add action=accept chain=forward comment="rbMT" connection-state=established,related,untracked
add action=drop chain=forward comment="rbMT" connection-state=invalid
add action=drop chain=forward comment="deny all - nat" connection-nat-state=!dstnat connection-state=new in-interface-list=wan1
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=wan1
add action=masquerade chain=srcnat out-interface-list=wan2
With this setup, we can traceroute to network 201.93.14.0 without problems, but there is something filtering data that comes from that network, because some apps in the LAN are not working.
I would appreciate your answer. Thank you!!!
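The forward chain from the export above, fed as data into a small first-match simulator (an added example, not code from the post or from RouterOS): it walks the rules in order for a few constructed flows and reports which rule decides each one, a quick way to confirm the poster's own conclusion that the filter is not what blocks the 201.93.14.0/24 traffic, while also making visible that the "byPass from wan2" rule accepts any new inbound connection arriving on wan2. Assumptions: the rule comments are expanded so they are distinguishable, and fasttrack-connection is modelled as a plain accept.

```python
from dataclasses import dataclass
from typing import Optional, Set, Tuple

@dataclass
class Rule:
    action: str
    comment: str
    in_list: Optional[str] = None          # in-interface-list; "!lan" means "not lan"
    conn_state: Optional[Set[str]] = None  # connection-state values that match
    not_nat_state: Optional[str] = None    # connection-nat-state=!dstnat
    ipsec: Optional[str] = None            # ipsec-policy=in,ipsec / out,ipsec

@dataclass
class Flow:
    in_list: str              # interface list the packet arrived on
    conn_state: str           # new / established / related / untracked / invalid
    nat_state: str = "none"   # "dstnat" if the connection was port-forwarded
    ipsec: Optional[str] = None

# The forward chain in the same order as the export (comments expanded for readability).
FORWARD = [
    Rule("accept", "byPass from wan2", in_list="wan2"),
    Rule("accept", "rbMT ipsec in", ipsec="in,ipsec"),
    Rule("accept", "rbMT ipsec out", ipsec="out,ipsec"),
    Rule("fasttrack-connection", "rbMT fasttrack", conn_state={"established", "related"}),
    Rule("accept", "rbMT established", conn_state={"established", "related", "untracked"}),
    Rule("drop", "rbMT invalid", conn_state={"invalid"}),
    Rule("drop", "deny all - nat", in_list="wan1", conn_state={"new"}, not_nat_state="dstnat"),
]

def matches(rule: Rule, flow: Flow) -> bool:
    if rule.in_list is not None:
        negate = rule.in_list.startswith("!")
        wanted = rule.in_list.lstrip("!")
        if (flow.in_list == wanted) == negate:   # mismatch for plain, match for "!" form
            return False
    if rule.conn_state is not None and flow.conn_state not in rule.conn_state:
        return False
    if rule.not_nat_state is not None and flow.nat_state == rule.not_nat_state:
        return False
    if rule.ipsec is not None and flow.ipsec != rule.ipsec:
        return False
    return True

def verdict(flow: Flow, chain=FORWARD) -> Tuple[str, str]:
    """First matching rule decides (fasttrack-connection modelled as accept, a
    simplification); falling off the end is the built-in default: accept."""
    for rule in chain:
        if matches(rule, flow):
            return ("accept" if rule.action == "fasttrack-connection" else rule.action, rule.comment)
    return ("accept", "end of chain (default accept)")

if __name__ == "__main__":
    for f in (Flow("wan2", "new"), Flow("wan1", "new"), Flow("wan1", "established"), Flow("lan", "new")):
        print(f, "->", verdict(f))
```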