Hello everyone, just got my Hex S today!
I think I've sorted out the basic configuration but can't seem to get the firewall rules down. I've used @anav's default rules and as soon as I input them my connections never complete. Without them the internet works fine. Some guidance is highly appreciated. Here's my bootstrap config - ignore lines with >>
>> Create LAN
/interface bridge add name=bridge0
/interface bridge port add interface=ether1 bridge=bridge0
/interface bridge port add interface=ether2 bridge=bridge0
/interface bridge port add interface=ether3 bridge=bridge0
/interface bridge port add interface=ether4 bridge=bridge0
/ip address add address=10.10.10.3/24 interface=bridge0
/interface list add name=LAN include=static comment="Local Area Network"
/interface list member add interface=bridge0 list=LAN
>> Create WAN
/interface list add name=WAN include=static comment="Wide Area Network"
/interface list member add interface=ether5 list=WAN
/ip address add address=192.168.0.60/24 interface=ether5
/ip route add gateway=192.168.0.1
/ip dns set servers=10.10.10.4
>> Setup Security
/system identity set name=HexS
/user set 0 password="******"
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/tool mac-server ping set enabled=no
/ip service disable telnet,ftp,api,api-ssl
/ip service set winbox address=10.10.10.0/24
/ip service set ssh address=10.10.10.0/24
/ip service set www address=10.10.10.0/24
/ip neighbor discovery-settings set discover-interface-list=LAN
/ip ssh set strong-crypto=yes
>> Configure Firewall
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="accept ICMP"
add chain=input action=accept dst-address=127.0.0.1 comment="accept to local loopback (for CAPsMAN)"
add chain=input action=drop in-interface-list=!LAN comment="drop all not coming from LAN"
add chain=forward action=accept ipsec-policy=in,ipsec comment="accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="drop all from WAN not DSTNATed"
>> Configure NAT
/ip firewall nat add chain=srcnat out-interface-list=WAN action=masquerade
Thank you!!