Hi Anav,
Post your config
/export hide-sensitive file=anynameyouwish if you want the config reviewed for security practices...
Thanks Anav, I've attached the config. Please help with advice on the config.
Post your config
/export hide-sensitive file=anynameyouwish if you want the config reviewed for security practices...
I actually use the MikroTik mobile app; quite handy when you want to block YouTube on your kids' PC on request. :D
Unless you intend on using the MT app with your router, this setting can be set to NONE.
/interface detect-internet
set detect-interface-list=all
Thanks for the suggestion, I've removed the bridge. I actually wanted to remove it since yesterday as it seemed unused, but I wasn't sure of the impact.
The one thing I would do is remove the bridge as it really serves no purpose here.
You have four independent subnets each assigned to a port and thus the use of a bridge is not required (nor do you use VLANs).
However, there is nothing wrong with the current setup as it will work, so you don't have to do anything; just a suggestion.
Thanks in advance, will wait for your feedback.
More important are the firewall rules and the rest... so will look now.
I used this for blocking YouTube during my kids' study period. Or is there another good way to block YouTube?
(1) Remove this stuff, it can be very CPU intensive and with HTTPS traffic being the norm, not as effective as it used to be. It's advanced config programming that one should avoid until you understand it.
/ip firewall layer7-protocol
add name=youtube regexp="^.+(youtube.com|www.youtube.com|m.youtube.com|ytimg.c\
om|s.ytmig.com|ytimg.l.google.com|youtube.l.google.com|i.google.com|google\
video.com|youtu.be|youtubekids.com).*\$"
Added
(2) I don't usually do all the list of firewall addresses etc., but no harm in that, not too much bloat so to speak.
I would add this rule in the input chain just before the ICMP allow rule; it seems to be missing.
add action=drop chain=input comment="Drop invalid" connection-state=invalid
Yes, that is what happened the first time I played around with this router: I got locked out and in panic I reset the whole thing.
(3) I personally don't like providing all your SUBNETS full access to the router. Only the admin needs full access to the router.
So if there is only one subnet the admin will use to access and configure the router, that is the only subnet that should have full access to the router.
The other subnets should at least have access to the services provided by the router that they may be using (which they get now because you gave them full access).
Typically it's just DNS services (some have NTP services as well).
So I recommend the following idea.
Add this rule in front of the existing rule (otherwise you may lock yourself out due to the drop-all rule you have at the end of the input chain; great rule, but disable it while making these changes and then turn it back on to be on the safe side). When done and happy you can remove the old rule and re-enable the drop-all rule.
add action=accept chain=input comment="Allow ADMIN to Router" log-prefix=\
AdminAccess in-interface-list=ServicePortOnly (AND OPTIONAL ----> ) src-address-list=authorized
Basically here we limit full access to the router to your interface list entry of ServicePortOnly and, if you want to limit that further, only to the IP addresses of the admin's devices:
desktop, laptop, iPad, smartphone etc. (statically set in the DHCP leases); that is up to you.
Added. May I know where I should prioritise these 2 rules? After ICMP?
(4) By the way, I noted that one subnet didn't get full access to the router, which means it would not be getting proper DNS services from the router either.
To fix that, and to provide the necessary services to the subnets no longer with full access, you need the following rules.
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=AllLAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=AllLAN protocol=udp
If you don't want the DVR to have DNS services, then my suggestion is to remove it from the AllLan list...
Done
(5) Now we get to the horror show of your forward chain... egads, butt ugly. Let's clean it up and simplify!!!
Reduce it to this:
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=AllLAN out-interface-list=WAN
(remember to remove DVR5 from AllLAN if it shouldn't have internet)
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat \
connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=drop chain=forward comment="Drop all else!"
That's all you need, and the drop-all-else rule drops all other traffic (not already allowed LAN to LAN, LAN to WAN, WAN to LAN). Without the drop-all rule at the end, all the subnets could find each other because the router will route them at L3, and this is a very efficient way of doing it vice stating that all the subnets have to block traffic from each other in a larger number of rules!!
Ok, this last part. Similar to below?
However, you do have all the firewall addresses and had a few more rules (that I don't use), but will see where they may fit.
Okay, only one rule really applies, and that is, just before allowing internet traffic from your subnets, to block any requests from those subnets that are to non-public IPs.
The rest are covered by the allow rule for only IPs from AllLAN and by the drop-all rule at the end.
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid
add action=drop chain=forward in-interface-list=AllLAN dst-address-list=not_in_internet
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=AllLAN out-interface-list=WAN
(remember to remove DVR5 from AllLAN if it shouldn't have internet)
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat \
connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=drop chain=forward comment="Drop all else!"
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input comment="\"Drop invalid\"" connection-state=\
invalid
add action=drop chain=forward comment=\
"block Just before allowing internet traffic from your subnets" \
dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" \
in-interface-list=AllLan out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface=1modem log=\
yes log-prefix=PortForwardedTraffic
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop all else!"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=1modem
add action=dst-nat chain=dstnat comment="to see cctv from outside" dst-port=\
8000 in-interface=1modem protocol=tcp to-addresses=192.168.10.254 \
to-ports=8000
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" \
dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=\
192.168.10.254 to-ports=8000
They work, but only on one PC; they don't work on the other, which is weird.
If the YouTube rules work for you, by all means; I am surprised they do LOL.
Ok, I've updated the address list to access the Winbox service, so now it is only accessible from port 2 and 2 static IPs.
The problem regarding admin access is that you will need to change the
Tools > MAC Server (MAC WinBox Server) entry for the allowed interface from ServicePortOnly to ALL.
I recommend you reserve access for ServicePortOnly though...
If you do feel the need to access from all subnets, then don't use an interface list entry of ServicePortOnly, if you want to be able to access the router from any subnet in the house.
In this case just ensure whatever device you use has a static lease on that subnet and add that to the firewall address list.
So you may have four different IP addresses for your smartphone or laptop, for example, on the firewall address list.
Not sure what you mean, if admin access can be reversed??
Ok, this should be how it looks. The number 8 rule should already follow your suggestion "(1) You still have wide open address lists for subnets to the router vice an actual list of admin devices' IP addresses."
Adding the DNS rules just before the block-all rule is fine, or after ICMP as well.
Now to look at the config...
Argg... the order of your rules is now messed up.
For easy reading and fewer errors, typically one has all the input rules grouped together and all the forward rules grouped together...
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=input comment="default configuration" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=drop chain=input comment="\"Drop invalid\"" connection-state=\
invalid
add action=drop chain=forward comment=\
"block Just before allowing internet traffic from your subnets" \
dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" \
in-interface-list=AllLan out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface=1modem log=\
yes log-prefix=PortForwardedTraffic
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=forward comment="Established, Related" \
connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid \
log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop all else!"
Also,
(1) You still have wide open address lists for subnets to the router vice an actual list of admin devices' IP addresses.
(2) The green block of rules in the middle should all be moved down as a group just before the last DROP ALL RULE in green, AKA after the invalid rule.
(3) The input chain rule for allowed access to the router should be moved down one, to below the invalid rule (well, see 4 first lol).
(4) The input chain rule for ICMP should be just after the invalid rule and before the allowed access rule.
# jul/20/2021 09:30:02 by RouterOS 6.48.3
# software id = XF6Q-13TJ
#
# model = RB750Gr3
# serial number = CC220DD3DF58
/ip firewall layer7-protocol
add name=youtube regexp="^.+(youtube.com|www.youtube.com|m.youtube.com|ytimg.com|s.ytmig.com|ytimg.l.go\
ogle.com|youtube.l.google.com|i.google.com|googlevideo.com|youtu.be|youtubekids.com).*\$"
/ip firewall address-list
add address=192.168.0.242 list=allowed_to_router
add address=192.168.88.2-192.168.88.254 comment="Service Port IP" list=allowed_to_router
add address=192.168.8.100 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 \
in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 \
in-interface-list=AllLan protocol=udp
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=\
invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow Acces to router - Based on address list" \
src-address-list=allowed_to_router
add action=drop chain=input
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Block Just before allowing internet traffic from your subnets" \
dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=AllLan \
out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat \
connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=accept chain=forward comment="Allow Wireless to access DVR" connection-nat-state=dstnat \
connection-state=new dst-address=192.168.10.254 dst-port=8000 in-interface=4wireless \
out-interface=5DVR protocol=tcp
add action=drop chain=forward comment="Drop youtube from Desktop DEHD" disabled=yes layer7-protocol=\
youtube src-address=192.168.0.242
add action=drop chain=forward comment="Drop youtube from Desktop QUNO" disabled=yes layer7-protocol=\
youtube src-address=192.168.8.100
add action=drop chain=forward comment="Drop all else!"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=1modem
add action=dst-nat chain=dstnat comment="to see cctv from outside" dst-port=8000 in-interface=1modem \
protocol=tcp to-addresses=192.168.10.254 to-ports=8000
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" dst-port=8000 \
in-interface=4wireless protocol=tcp to-addresses=192.168.10.254 to-ports=8000
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
I've added the firewall rules (number 14 in the above post), but it seems something is missing.
Okay, I missed this before...
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" \
dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=\
192.168.10.254 to-ports=8000
If you want the wifi network to be able to access the CCTV, that is a forward firewall chain rule; stick this just before the drop-all rule (assumes the CCTV is on 5DVR):
add chain=forward action=accept in-interface=4wireless out-interface=5DVR dst-address=192.168.10.254 dst-port=8000 protocol=tcp
In other words, yes, the DVR is open to the world.
The question I have is: what protections do you have against accessing the DVR from the outside?
Is there a simple username login? Is it encrypted?
In other words, your CCTV may be open to the world????
# jul/20/2021 23:33:31 by RouterOS 6.48.3
# software id = XF6Q-13TJ
#
# model = RB750Gr3
# serial number = CC220DD3DF58
/ip firewall address-list
add address=192.168.0.242 list=allowed_to_router
add address=192.168.88.2-192.168.88.254 comment="Service Port IP" list=allowed_to_router
add address=192.168.8.100 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter
add action=accept chain=input comment="default configuration - Established, Related" connection-state=established,related
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid
add action=drop chain=input comment="Drop Winbox on WAN" dst-port=8291 in-interface=1modem protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=accept chain=forward comment="Allow Wireless to access DVR" connection-nat-state=dstnat connection-state=new dst-address=192.168.10.254 dst-port=8000 \
in-interface=4wireless log=yes log-prefix=WirelessToDVR out-interface=5DVR protocol=tcp
add action=drop chain=forward comment="Block Just before allowing internet traffic from your subnets" dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=AllLan out-interface-list=WAN
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=drop chain=forward comment="Drop all else!"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=1modem
add action=dst-nat chain=dstnat comment="to see cctv from outside" dst-port=8000 in-interface=1modem protocol=tcp to-addresses=192.168.10.254 to-ports=8000
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=192.168.10.254 to-ports=8000
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
Oh well, have to change user name...... :(
Seno, one hint:
/interface detect-internet
set detect-interface-list=no
Without checking whether they are right or not, or whether something is missing, this is the correct order of the ones already written:
/ip firewall filter
add action=accept chain=input comment="default configuration - Established, Related" connection-state=established,related disabled=yes
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid disabled=yes
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="Allow to router" disabled=yes log=yes log-prefix=AdminAccess src-address-list=allowed_to_router
duplicated ---> add action=accept chain=input comment="Allow ADMIN to Router" disabled=yes log=yes log-prefix=AdminAccess src-address-list=allowed_to_router
add action=drop chain=input disabled=yes
add action=drop chain=forward comment="Drop youtube from Desktop DEHD" disabled=yes layer7-protocol=youtube src-address=192.168.0.242
add action=drop chain=forward comment="Drop youtube from Desktop QUNO" disabled=yes layer7-protocol=youtube src-address=192.168.8.100
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=accept chain=forward comment="Allow Wireless to access DVR" connection-nat-state=dstnat connection-state=new dst-address=192.168.10.254 dst-port=8000 in-interface=4wireless log=yes log-prefix=WirelessToDVR out-interface=5DVR protocol=tcp
add action=drop chain=forward comment="Block Just before allowing internet traffic from your subnets" dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=AllLan out-interface-list=WAN
add action=drop chain=forward comment="Drop all else!"
# jul/21/2021 00:05:20 by RouterOS 6.48.3
# software id = XF6Q-13TJ
#
# model = RB750Gr3
# serial number = CC220DD3DF58
/ip firewall address-list
add address=192.168.0.242 list=allowed_to_router
add address=192.168.88.2-192.168.88.254 comment="Service Port IP" list=allowed_to_router
add address=192.168.8.100 list=allowed_to_router
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
/ip firewall filter
add action=accept chain=input comment="default configuration - Established, Related" connection-state=established,related
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop Winbox on WAN" dst-port=8291 in-interface=1modem protocol=tcp
add action=drop chain=input
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward comment="Allow port forwarding" connection-nat-state=dstnat connection-state=new in-interface=1modem log=yes log-prefix=PortForwardedTraffic
add action=accept chain=forward comment="Allow Wireless to access DVR" connection-nat-state=dstnat connection-state=new dst-address=192.168.10.254 dst-port=8000 \
in-interface=4wireless log=yes log-prefix=WirelessToDVR out-interface=5DVR protocol=tcp
add action=drop chain=forward comment="Block Just before allowing internet traffic from your subnets" dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=AllLan out-interface-list=WAN
add action=drop chain=forward comment="Drop all else!"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=1modem
add action=dst-nat chain=dstnat comment="to see cctv from outside" dst-port=8000 in-interface=1modem protocol=tcp to-addresses=192.168.10.254 to-ports=8000
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=192.168.10.254 to-ports=8000
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
It was a veiled suggestion... correct your post by removing it from the writings and the various exports...
Oh well, have to change user name...... :(
lol, I am tempted to do that. I turned detect-internet to none, but can't stand opening the app without the internet connection status.
OP, I don't know if you are actually a thinking being or just copying down stuff and hoping for the best.
It's time you start understanding the config, not just copy & paste incorrectly LOL
Yep, realised it last night, so I've added
Here is your input chain... what is wrong??
/ip firewall filter
add action=accept chain=input comment="default configuration - Established, Related" connection-state=established,related
add action=drop chain=input comment="\"Drop invalid\"" connection-state=invalid
add action=accept chain=input comment="Allow LAN DNS queries - TCP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 in-interface-list=AllLan protocol=udp
add action=accept chain=input comment="Allow ICMP" protocol=icmp
add action=drop chain=input comment="Drop Winbox on WAN" dst-port=8291 in-interface=1modem protocol=tcp
add action=drop chain=input
(1) How will you as admin access the router???
Yup, missing the input chain accept rule for your interface list or your firewall address list etc...
Okay, it's removed. It was added previously when I checked that there were double drop-all rules, and one of them I disabled :D
(2) Why do you have a drop Winbox rule?? Hint: look at the last rule, it already does this for you!!!! Thus not needed.
Ok, I've created it as you suggested and put it before the "Block Just before allowing internet traffic from your subnets" rule, and it works.
(3) This rule does not belong in the forward chain, it's a NAT RULE!! (and you already have a NAT rule for this traffic!!)
add action=accept chain=forward comment="Allow Wireless to access DVR" connection-nat-state=dstnat connection-state=new \
dst-address=192.168.10.254 dst-port=8000 in-interface=4wireless log=yes log-prefix=WirelessToDVR out-interface=5DVR protocol=tcp
(4) Still not convinced you need a NAT rule to allow the wifi interface access to a single device on the DVR interface, as this is normally just a forward chain rule.
Not
add action=dst-nat chain=dstnat comment="to see cctv from wireless network" dst-port=8000 in-interface=4wireless protocol=tcp to-addresses=192.168.10.254 to-ports=8000
BUT this
add action=accept chain=forward in-interface=WIFI4 out-interface=DVR5 dst-address=192.168.10.254 (optional to add dst-port and protocol)
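Both of anav's ordering points in this thread (the forward chain whose "Drop all else!" keeps the subnets apart, and the input chain that, as posted above, leaves the admin with no accept rule at all) come down to first-match evaluation. The following is an added example, not code from the thread, from anav or from MikroTik: a small Python model that parses a constructed subset of the export format pasted in this thread (address lists plus filter rules), resolves the not_in_internet and allowed_to_router lists, and walks a chain the way RouterOS does, so you can see which rule a given packet lands on before pasting a change into a live router. The interface-list membership (AllLan, WAN), the router's LAN address, the Wi-Fi client address and the outside address are assumptions made for the example; matchers the model does not know are treated as never matching.

```python
import ipaddress
import shlex

# Constructed subset of the thread's exports (address lists, input and forward chains).
SAMPLE_EXPORT = r"""
/ip firewall address-list
add address=192.168.0.242 list=allowed_to_router
add address=192.168.88.2-192.168.88.254 comment="Service Port IP" list=allowed_to_router
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
/ip firewall filter
add action=accept chain=input comment="Allow LAN DNS queries-UDP" connection-state=new dst-port=53 \
    in-interface-list=AllLan protocol=udp
add action=drop chain=input comment="Drop Winbox on WAN" dst-port=8291 in-interface=1modem protocol=tcp
add action=drop chain=input
add action=accept chain=forward comment="Allow Wireless to access DVR" connection-nat-state=dstnat \
    connection-state=new dst-address=192.168.10.254 dst-port=8000 in-interface=4wireless out-interface=5DVR protocol=tcp
add action=drop chain=forward comment="Block non-public destinations" dst-address-list=not_in_internet in-interface-list=AllLan
add action=accept chain=forward comment="Allow internet traffic" in-interface-list=AllLan out-interface-list=WAN
add action=drop chain=forward comment="Drop all else!"
"""
# Assumed interface-list membership: the thread names the lists but never exports them.
INTERFACE_LISTS = {"WAN": {"1modem"}, "AllLan": {"2local", "3wired", "4wireless", "5DVR"}}
NON_MATCHERS = {"action", "chain", "comment", "log", "log-prefix", "disabled"}

def _to_range(spec):  # address-list entry (plain address, a-b range or CIDR) -> (low, high) ints
    if "-" in spec:
        lo, hi = spec.split("-")
        return int(ipaddress.ip_address(lo)), int(ipaddress.ip_address(hi))
    net = ipaddress.ip_network(spec, strict=False)
    return int(net[0]), int(net[-1])

def parse_export(text):
    """Join backslash-continued lines; collect address lists and filter rules in export order."""
    lists, rules, section, pending = {}, [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        pending = ""
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            kv = dict(w.split("=", 1) for w in shlex.split(line)[1:])
            if section == "/ip firewall address-list":
                lists.setdefault(kv["list"], []).append(_to_range(kv["address"]))
            elif section == "/ip firewall filter":
                rules.append(kv)
    return lists, rules

def rule_matches(rule, pkt, lists):
    """Every matcher on the rule must hold; a matcher this model does not know never matches."""
    ip = lambda a: int(ipaddress.ip_address(a))
    in_list = lambda name, a: any(lo <= ip(a) <= hi for lo, hi in lists.get(name, ()))
    checks = {
        "in-interface": lambda w: pkt["in"] == w,
        "out-interface": lambda w: pkt["out"] == w,
        "in-interface-list": lambda w: pkt["in"] in INTERFACE_LISTS.get(w, ()),
        "out-interface-list": lambda w: pkt["out"] in INTERFACE_LISTS.get(w, ()),
        "dst-address": lambda w: ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(w, strict=False),
        "src-address-list": lambda w: in_list(w, pkt["src"]),
        "dst-address-list": lambda w: in_list(w, pkt["dst"]),
        "protocol": lambda w: pkt["proto"] == w,
        "dst-port": lambda w: str(pkt["dport"]) in w.split(","),
        "connection-state": lambda w: pkt["state"] in w.split(","),
        "connection-nat-state": lambda w: pkt["nat"] == w,
    }
    return all(k in checks and checks[k](v) for k, v in rule.items() if k not in NON_MATCHERS)

def evaluate(chain, pkt, lists, rules):
    """Walk one chain top to bottom; the first matching enabled rule decides."""
    for rule in rules:
        if rule["chain"] == chain and rule.get("disabled") != "yes" and rule_matches(rule, pkt, lists):
            return rule["action"], rule.get("comment", "(no comment)")
    return "accept", "(no rule matched: chain default)"

def packet(in_if, src, dst, proto, dport, out_if=None, state="new", nat=None):
    return {"in": in_if, "out": out_if, "src": src, "dst": dst, "proto": proto,
            "dport": dport, "state": state, "nat": nat}
LISTS, RULES = parse_export(SAMPLE_EXPORT)
ADMIN_PC, ROUTER, DVR = "192.168.0.242", "192.168.0.1", "192.168.10.254"  # router address is constructed

def admin_winbox(with_admin_rule):  # admin PC on 2local opens Winbox (tcp/8291) to the router
    rules = list(RULES)
    if with_admin_rule:  # insert just above the final input-chain drop, as the thread advises
        last_input = max(i for i, r in enumerate(rules) if r["chain"] == "input")
        rules.insert(last_input, {"action": "accept", "chain": "input",
                                  "comment": "Allow ADMIN to Router", "src-address-list": "allowed_to_router"})
    return evaluate("input", packet("2local", ADMIN_PC, ROUTER, "tcp", 8291), LISTS, rules)
def winbox_from_wan(with_explicit_rule):  # Winbox from a constructed outside address (TEST-NET-3)
    rules = [r for r in RULES if with_explicit_rule or r.get("comment") != "Drop Winbox on WAN"]
    return evaluate("input", packet("1modem", "203.0.113.5", "198.51.100.9", "tcp", 8291), LISTS, rules)
def dvr_dns_query():  # the DVR subnet has no full-access rule but still needs DNS from the router
    return evaluate("input", packet("5DVR", DVR, "192.168.10.1", "udp", 53), LISTS, RULES)
def lan_forward(dst, out_if, dport=443):  # a PC on 2local going to the internet, or to another subnet
    return evaluate("forward", packet("2local", ADMIN_PC, dst, "tcp", dport, out_if=out_if), LISTS, RULES)
def wireless_to_dvr(through_dstnat):  # Wi-Fi client (constructed address) to the DVR
    p = packet("4wireless", "192.168.4.20", DVR, "tcp", 8000, out_if="5DVR", nat="dstnat" if through_dstnat else None)
    return evaluate("forward", p, LISTS, RULES)
```

Calling the scenario functions reproduces the points made in the thread: admin_winbox(False) lands on the unnamed final input drop (the lockout anav asks about), and only admin_winbox(True), with the accept rule inserted above that drop, returns the accept; winbox_from_wan returns a drop whether or not the dedicated "Drop Winbox on WAN" rule is present, which is why that rule is redundant; dvr_dns_query is accepted by the DNS rule even though the DVR subnet has no full-access rule; lan_forward("8.8.8.8", "1modem") is accepted while lan_forward(DVR, "5DVR", 8000) is dropped by the not_in_internet rule, so the router's L3 routing between subnets never gets to forward anything; and wireless_to_dvr(False) shows that the posted accept rule only fires for a dst-natted connection, which is why a plain forward rule for the Wi-Fi-to-DVR path has to sit above the not_in_internet block, exactly where the OP reports having put it.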
/system logging
add prefix=PortForwardedTraffic topics=firewall
remove-this --> add prefix=WirelessToDVR topics=firewall
/ip dhcp-server network
set [find] dns-server=1.1.1.1,8.8.8.8
/interface ethernet
set [ find default-name=ether1 ] name=ether1-modem comment="MAC 74:DA:DA:83:AB:FE"
set [ find default-name=ether2 ] name=ether2-local
set [ find default-name=ether3 ] name=ether3-wired
set [ find default-name=ether4 ] name=ether4-wireless
set [ find default-name=ether5 ] name=ether5-DVR
/interface list
set AllLan name=LAN
/ip pool
set dhcp_pool0 name=pool-local
set dhcp_pool4 name=pool-wired
set dhcp_pool3 name=pool-wireless
set dhcp_pool5 name=pool-DVR
/ip dhcp-server
set dhcp2local name=dhcp-local
set dhcp3wired name=dhcp-wired
set dhcp4wlan name=dhcp-wireless
set dhcp5dvr name=dhcp-DVR
FROM :local inetinterface "1modem" TO :local inetinterface [/int eth get [find default-name=ether1] name]
Yep, the ISP is very picky about the MAC address that connects to their modem.
One question: are you forced to use 74:DA:DA:83:AB:FE as MAC address???
Kewl, have removed WirelessToDVR
Duplicate logging: the prefix does not "choose" anything, you simply log the same thing twice. Better remove the prefix and set the prefix only on firewall rules.
dermawas code
/system logging
add prefix=PortForwardedTraffic topics=firewall
remove-this --> add prefix=WirelessToDVR topics=firewall
Ok, this is done too.
Provide two DNS servers every time; not all devices work correctly with only one... (and use the faster 1.1.1.1 DNS)
Paste this in the terminal:
/ip dhcp-server network set [find] dns-server=1.1.1.1,8.8.8.8
Ok, for this I'll keep my naming, as it is more familiar to me, but I have added the MAC address in the comment for the interface.
If I can suggest a cosmetic change, it is useful when asking for help on the forum, without making the export complicated to read:
/interface ethernet
set [ find default-name=ether1 ] name=ether1-modem comment="MAC 74:DA:DA:83:AB:FE"
set [ find default-name=ether2 ] name=ether2-local
set [ find default-name=ether3 ] name=ether3-wired
set [ find default-name=ether4 ] name=ether4-wireless
set [ find default-name=ether5 ] name=ether5-DVR
/interface list
set AllLan name=LAN
/ip pool
set dhcp_pool0 name=pool-local
set dhcp_pool4 name=pool-wired
set dhcp_pool3 name=pool-wireless
set dhcp_pool5 name=pool-DVR
/ip dhcp-server
set dhcp2local name=dhcp-local
set dhcp3wired name=dhcp-wired
set dhcp4wlan name=dhcp-wireless
set dhcp5dvr name=dhcp-DVR
This I'll need to find some time to change, as I want to test first.
You can also update the NO-IP script: change the code
FROM :local inetinterface "1modem" TO :local inetinterface $[/int eth get [find default-name=ether1] name]
No, the change for ether1 / 2 / 3 etc. is still manual, but it works regardless of the name you use for ether1.
:local inetinterface $[/int eth get [find default-name=ether1] name]
This is automatic?
So it will search ether1 for the inetinterface, or if the modem uses ether2 it will change to ether2 also?
Ow ok, got it.
No, the change for ether1 / 2 / 3 etc. is still manual, but it works regardless of the name you use for ether1.
This is for the "cosmetic change"; the rest of the script is full of errors, but that is not the topic here.
# Strip the net mask off the IP address
:for i from=( [:len $currentIP] - 1) to=0 do={ :if ( [:pick $currentIP $i] = "/") do={ :set currentIP [:pick $currentIP 0 $i] } }
Errors:
# Strip the net mask off the IP address
:set currentIP [:pick $currentIP -1 [:find $currentIP "/" -1]]
Pick currentIP from the beginning (-1) to where you first find "/" in currentIP [searching from the beginning (-1)].