I had purchased my first MikroTik Routerboard and made upgrade it to RouterOS v. 6.4. Yesterday I configured it first time. I can see that PPPoE connection is up but ping to any IP from the router is not possible neither from PCs in LAN. During the router configuration I used a manuals from wiki.mikrotik.com website. I think that my firewall rules was configured incorrect. I'm asking experts to look at my config is shown below and correct me if I made a mistake. Moreover this may be usefully for others routers' owners to configure a common firewall rules.
Thank you in advance. Looking forward to get an answer and solve this issue.
Code: Select all
/interface ethernet
set 0 auto-negotiation=no comment=WAN
set 1 auto-negotiation=no comment=LAN
set 2 auto-negotiation=no master-port=ether2
set 3 auto-negotiation=no master-port=ether2
set 4 auto-negotiation=no master-port=ether2
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=disabled name=pppoe-out \
password=*** use-peer-dns=yes user=***
/interface wireless
set 0 l2mtu=2290
/ip neighbor discovery
set ether1 comment=WAN
set ether2 comment=LAN
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip pool
add name=DHCP_POOL ranges=1.10.10.5-1.10.10.30
/ip dhcp-server
add address-pool=DHCP_POOL disabled=no interface=ether2 name=DHCP
/ip address
add address=1.10.10.1/27 interface=ether2 network=1.10.10.0
/ip dhcp-client
add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=1.10.10.0/27 dns-server=8.8.8.8,8.8.4.4 gateway=1.10.10.1
/ip firewall filter
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Accept related connection packets" connection-state=related
add chain=input comment="Allow access to router from LAN" in-interface=!ether1 src-address=1.10.10.0/27
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid
add action=drop chain=input comment="Drop ICMP" protocol=icmp
add action=drop chain=input comment="Drop everything else"
add action=drop chain=input comment="Detect and drop port scan connections" protocol=tcp psd=21,3s,3,1
add action=tarpit chain=input comment="Suppress DoS attack" connection-limit=3,32 protocol=tcp \
src-address-list=black_list
add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment=\
"Detect DoS attack" connection-limit=10,32 protocol=tcp
add action=drop chain=forward comment="Drop invalid connections" connection-state=invalid protocol=tcp
add chain=forward comment="Allow already established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=224.0.0.0/3
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=jump chain=forward jump-target=icmp protocol=icmp
add action=drop chain=tcp comment="Deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="Deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="Deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="Deny CIFS" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="Deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="Deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="Deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="Deny Back Oriffice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="Deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=tcp comment="Deny RPC portmapper" dst-port=135 protocol=tcp
add action=drop chain=udp comment="Deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="Deny PRC portmapper" dst-port=111 protocol=udp
add action=drop chain=udp comment="Deny PRC portmapper" dst-port=135 protocol=udp
add action=drop chain=udp comment="Deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="Deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="Deny Back Oriffice" dst-port=3133 protocol=udp
add chain=icmp comment="Echo reply" icmp-options=0:0 protocol=icmp
add chain=icmp comment="Net unreachable" icmp-options=3:0 protocol=icmp
add chain=icmp comment="Host unreachable" icmp-options=3:1 protocol=icmp
add chain=icmp comment="Host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add chain=icmp comment="Allow source quench" icmp-options=4:0 protocol=icmp
add chain=icmp comment="Allow echo request" icmp-options=8:0 protocol=icmp
add chain=icmp comment="Allow time exceed" icmp-options=11:0 protocol=icmp
add chain=icmp comment="Allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="Deny all other types"
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1 src-address=1.10.10.0/27
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system leds
set 0 interface=wlan1