If possible, I'd like to get some feedback and tips regarding my current firewall settings.
LAN is ether5, which is empty but used to access the RouterBoard in case something happens.
VLAN includes four VLAN IDs: 1 (Default), 10 (Main), 20 (Guest), 30 (VoIP). For the moment only 10 and 20 are in real use. A UniFi AC access point spans, via multi-SSID, two Wi-Fi networks separated by VLAN IDs 10 and 20 for home use and guests.
WAN is the PPPoE client, which is physically connected to ether1.
It would be great to get some input on whether I'm on the right track or need to start over again. Thank you very much.
# jul/11/2021 17:53:01 by RouterOS 6.46.5
# model = RB750Gr3
#
# FIREWALL Rules
#
# INPUT Chain
#
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop and log invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept all coming from LAN" in-interface-list=LAN log-prefix=LAN
add action=drop chain=input comment="defconf: drop and log all not coming from VLAN" in-interface-list=!VLAN
#
# FORWARD Chain
#
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop and log invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="drop tries to reach not public addresses from VLAN" dst-address-list=not_in_internet in-interface-list=VLAN log=yes log-prefix=!public_from_LAN out-interface-list=!VLAN
add action=drop chain=forward comment="defconf: drop and log all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN log=yes log-prefix=WAN_!DSTNATed
add action=drop chain=forward comment="drop incoming from internet which is not public IP" in-interface-list=WAN log=yes log-prefix=!public src-address-list=not_in_internet
#
# NAT masquerade
#
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
#
# Addresses NOT in internet
#
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
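One way to audit a ruleset like the one above is to replay constructed packets through a first-match evaluator and see which rule each one hits, including what happens when nothing matches (a RouterOS chain ends with an implicit accept). The following is an added example, not part of the forum post and not RouterOS code; it encodes only the posted input chain, and the interface names (ether5, vlan10, pppoe-out1, ...) and the router address 192.168.10.1 are assumptions.

```python
# Added example: first-match evaluator for the posted RouterOS input chain.
# Not the forum poster's code; interface names and addresses are assumed.
from dataclasses import dataclass
from typing import Optional, Set

# Interface lists as described in the post (member names are assumptions).
INTERFACE_LISTS = {
    "LAN": {"ether5"},
    "VLAN": {"vlan1", "vlan10", "vlan20", "vlan30"},
    "WAN": {"pppoe-out1"},
}


@dataclass
class Packet:
    in_iface: str
    conn_state: str            # established, related, untracked, new, invalid
    protocol: str = "tcp"
    dst: str = "192.168.10.1"  # constructed router address


@dataclass
class Rule:
    action: str
    comment: str
    conn_state: Optional[Set[str]] = None
    protocol: Optional[str] = None
    dst: Optional[str] = None
    in_list: Optional[str] = None  # e.g. "LAN" or "!VLAN" (leading ! negates)

    def matches(self, p: Packet) -> bool:
        """Every matcher present on the rule must hold, as in RouterOS."""
        if self.conn_state is not None and p.conn_state not in self.conn_state:
            return False
        if self.protocol is not None and p.protocol != self.protocol:
            return False
        if self.dst is not None and p.dst != self.dst:
            return False
        if self.in_list is not None:
            negate = self.in_list.startswith("!")
            members = INTERFACE_LISTS[self.in_list.lstrip("!")]
            if (p.in_iface in members) == negate:
                return False
        return True


# The posted input chain, rule for rule and in the same order.
INPUT_CHAIN = [
    Rule("accept", "defconf: accept established,related,untracked",
         conn_state={"established", "related", "untracked"}),
    Rule("drop", "defconf: drop and log invalid", conn_state={"invalid"}),
    Rule("accept", "defconf: accept ICMP", protocol="icmp"),
    Rule("accept", "defconf: accept to local loopback (for CAPsMAN)",
         dst="127.0.0.1"),
    Rule("accept", "defconf: accept all coming from LAN", in_list="LAN"),
    Rule("drop", "defconf: drop and log all not coming from VLAN",
         in_list="!VLAN"),
]


def evaluate(chain, packet):
    """Return (action, comment) of the first matching rule. A packet that
    reaches the end of a RouterOS chain is accepted by default, which is
    exactly the case worth surfacing in an audit."""
    for rule in chain:
        if rule.matches(packet):
            return rule.action, rule.comment
    return "accept", "implicit end-of-chain default"


if __name__ == "__main__":
    # Constructed sample traffic towards the router itself.
    samples = {
        "new TCP from WAN":         Packet("pppoe-out1", "new"),
        "ICMP from WAN":            Packet("pppoe-out1", "new", protocol="icmp"),
        "new TCP from ether5":      Packet("ether5", "new"),
        "new TCP from guest vlan20": Packet("vlan20", "new"),
        "invalid from vlan10":      Packet("vlan10", "invalid"),
    }
    for name, pkt in samples.items():
        action, why = evaluate(INPUT_CHAIN, pkt)
        print(f"{name:28s} -> {action:6s} ({why})")
```

Running it shows that a new connection from the guest VLAN to the router matches no explicit rule and is accepted by the chain's implicit default; that is the kind of path a reviewer checks against the intended policy for guest devices. The same evaluator extends to the forward chain by adding matchers for address lists and out-interface lists.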