I have two MikroTik RouterBoards.
1. It manages the Internet connection; the firewall and the port forwarding for PPTP are on it:
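# Router 1 (Internet gateway on lte1): address lists referenced by the rules below.
/ip firewall address-list
add address=192.168.2.200-192.168.3.250 list="Block Internet"
# NOTE(review): "Block Local" is not referenced by any rule in this export.
add address=192.168.10.1-192.168.15.250 list="Block Local"
add address=10.10.10.2-10.10.10.254 list="Guest Users"
add address=10.10.10.0/24 list="Block Internet Guest"
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
disabled=yes
# Inbound PPTP (GRE + TCP/1723) from lte1 to the internal server 192.168.1.246.
# Caveat: PPTP's MS-CHAPv2/MPPE is considered cryptographically broken; the
# ipsec-policy rules further down show IPsec is available, which would be the
# safer transport for this remote access.
add action=accept chain=forward comment="Weiterlkeitung f\FCr ptpp neu" \
dst-address=192.168.1.246 in-interface=lte1 protocol=gre
add action=accept chain=forward dst-address=192.168.1.246 dst-port=1723 \
in-interface=lte1 protocol=tcp
# Disabled return-direction rule; reply traffic is already covered by the
# established,related accepts further down, so it can stay off.
add action=accept chain=forward comment="Weiterlkeitung f\FCr ptpp neu" \
disabled=yes out-interface=lte1 src-address=192.168.1.246
# log-prefix has no effect unless log=yes is also set (several rules below
# carry only a prefix, i.e. they do not log).
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked log-prefix=Internet
# Guest DNS to the router is currently disabled; guest DNS queries therefore
# fall through to the remaining input rules.
add action=accept chain=input comment="DNS GAST" disabled=yes dst-port=53 \
in-interface=bridge-guest log=yes log-prefix="DNS Gast" protocol=udp \
src-address=10.10.10.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=icmp \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# Opens TCP/1723 on the router's OWN addresses from lte1 (input chain). The
# dst-nat rule below already steers inbound 1723 on lte1 to 192.168.1.246,
# which then traverses forward, not input — so this rule only matters if this
# router itself should answer PPTP; otherwise it is an unnecessary exposure
# and can be removed. log=yes here records every matching packet.
add action=accept chain=input dst-port=1723 in-interface=lte1 log=yes protocol=\
tcp
# NOTE(review): input only sees packets addressed to this router. If
# 192.168.0.95 (Kassa) is a separate host, these two rules never match and the
# allow belongs in the forward chain — confirm.
add action=accept chain=input comment="Allow TCP to Kassa for GUEST" \
dst-address=192.168.0.95 dst-port=5100 protocol=tcp src-address-list=\
"Guest Users"
add action=accept chain=input comment="Allow UDP to Kassa for GUEST" \
dst-address=192.168.0.95 dst-port=5100 protocol=udp src-address-list=\
"Guest Users"
# Only these TCP ports on 10.10.10.1 are closed to guests; other router
# services on that address stay reachable unless a later rule drops them.
add action=drop chain=input comment="Block Guest Router Ports" dst-address=\
10.10.10.1 dst-port=80,21,22,23,8291 protocol=tcp src-address-list=\
"Guest Users"
# Input chain: protects the router's own 192.168.0.0/24 address only.
# Guest-to-LAN-host traffic is decided in forward, where it is covered solely
# by the "Block Internet Guest" reject below.
add action=drop chain=input comment="Block Guest to Intern" dst-address=\
192.168.0.0/24 src-address-list="Guest Users"
# Catch-all for input. log=yes records every unsolicited packet from outside
# the LAN list; consider switching logging off here to avoid flooding the log.
# Whether bridge-guest is a member of interface-list LAN is not visible in
# this export — it decides whether guests reach the rules above at all.
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN log=yes
# These rejects sit before the established,related accepts, so they also cut
# existing connections. "Block Internet Guest" has no out-interface, so it
# rejects ALL forwarded guest traffic (Internet and LAN alike); the guest
# masquerade rule below only takes effect while this rule is disabled —
# confirm that is intended.
add action=reject chain=forward comment="Block Internet" log-prefix=\
"Block Internet" reject-with=icmp-network-unreachable src-address-list=\
"Block Internet"
add action=reject chain=forward comment="Block Internet Guest" log-prefix=\
"Block Internet Guest" reject-with=icmp-network-unreachable \
src-address-list="Block Internet Guest"
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
# Guest traffic is accepted here, before fasttrack, so that the guest packet
# marks set in mangle below are still applied to it.
add action=accept chain=forward comment=\
"FORWARD: skip fasttrack for traffic from guest network" connection-state=\
established,related log-prefix=rolle12 src-address=10.10.10.0/24
add action=accept chain=forward comment=\
"FORWARD: skip fasttrack for traffic from guest network" connection-state=\
established,related dst-address=10.10.10.0/24 log-prefix=rolle12
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related log-prefix=rolle12
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked log-prefix=rolle13
add action=drop chain=forward comment="defconf: drop invalid" connection-state=\
invalid
# Drops new connections from WAN that were not dst-nat'ed; the PPTP forwards
# are dst-nat'ed by the rules below and are accepted at the top of this chain.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall mangle
# Disabled TTL rewrite toward lte1.
add action=change-ttl chain=postrouting comment=\
"Maske f\EF\BF\BDr Subnetze zu Drei" disabled=yes new-ttl=set:65 \
out-interface=lte1 passthrough=yes
# Connection mark on all forwarded traffic, then packet marks for guest
# download/upload (passthrough=no: first matching mark wins).
add action=mark-connection chain=forward new-connection-mark=all-conn \
passthrough=yes
add action=mark-packet chain=forward connection-mark=all-conn dst-address-list=\
"Guest Users" new-packet-mark=guest-dw-pk passthrough=no
add action=mark-packet chain=forward connection-mark=all-conn new-packet-mark=\
guest-up-pk passthrough=no src-address-list="Guest Users"
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
disabled=yes
# Disabled camera forwards. When enabled they expose the camera's plain-HTTP
# service (80 -> 8080) on lte1 to the whole Internet with no source
# restriction; the UDP variant cannot carry HTTP. Keep them disabled, or reach
# the camera over the VPN instead.
add action=dst-nat chain=dstnat comment="Forward f\FCr CAM Alt" disabled=yes \
dst-port=80 in-interface=lte1 log-prefix=alex2 protocol=tcp to-addresses=\
192.168.0.150 to-ports=8080
add action=dst-nat chain=dstnat comment="Forward f\FCr CAM alt" disabled=yes \
dst-port=80 in-interface=lte1 log-prefix=alex3 protocol=udp to-addresses=\
192.168.0.150 to-ports=8080
# PPTP forwarding to 192.168.1.246: all GRE and TCP/1723 arriving on lte1.
add action=dst-nat chain=dstnat in-interface=lte1 protocol=gre to-addresses=\
192.168.1.246
add action=dst-nat chain=dstnat comment="weiterleitung f\FCr ptpp neu" \
dst-port=1723 in-interface=lte1 protocol=tcp to-addresses=192.168.1.246 \
to-ports=1723
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=\
out,none out-interface-list=WAN
# An identical second "masquerade hotspot network" rule was removed: srcnat
# stops at the first match, so the duplicate never fired.
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=10.10.10.0/24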
When I disable the rule "drop all not coming from LAN", PPTP works; when it is active, it blocks PPTP.
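# Router 2: receives the forwarded PPTP traffic (GRE + TCP/1723) on its WAN side.
/ip firewall address-list
add address=192.168.0.200-192.168.0.254 list="Block Internet"
# NOTE(review): "Block Local" is not referenced by any rule in this export.
add address=192.168.10.1-192.168.15.250 list="Block Local"
add address=10.10.10.2-10.10.10.254 list="Guest Users"
/ip firewall filter
# An identical second unused-hs-chain placeholder was removed (both disabled).
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# log-prefix without log=yes has no effect.
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked log-prefix=Internet
# log=yes here records every guest DNS query; keep it only while debugging.
add action=accept chain=input comment="DNS GAST" dst-port=53 in-interface=bridge-guest log=yes log-prefix="DNS Gast" protocol=udp src-address=10.10.10.0/24
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid log=yes
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=icmp protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
# NOTE(review): input only sees packets addressed to this router. If
# 192.168.0.95 (Kassa) is a separate host, these rules never match and belong
# in the forward chain. The UDP rule is disabled and lists 80,8080 instead of
# the 5100 used by the TCP rule — confirm which is meant.
add action=accept chain=input comment="Allow TCP to Kassa for GUEST" dst-address=192.168.0.95 dst-port=5100 protocol=tcp src-address-list="Guest Users"
add action=accept chain=input comment="Allow UDP to Kassa for GUEST" disabled=yes dst-address=192.168.0.95 dst-port=80,8080 protocol=udp src-address-list=\
"Guest Users"
# Only these TCP ports on 10.10.10.1 are closed to guests; other router
# services on that address stay reachable unless a later rule drops them.
add action=drop chain=input comment="Block Guest Router Ports" dst-address=10.10.10.1 dst-port=80,21,22,23,8291 protocol=tcp src-address-list="Guest Users"
# Input chain: protects the router's own 192.168.0.0/24 address only. This
# export has no forward-chain rule dropping new connections from "Guest Users"
# to 192.168.0.0/24, so guest-to-LAN-host traffic is not blocked here —
# confirm whether that is intended.
add action=drop chain=input comment="Block Guest to Intern" dst-address=192.168.0.0/24 src-address-list="Guest Users"
# FIX: was src-port=1723. An inbound PPTP control connection arrives with
# dst-port=1723 and an ephemeral client source port, so the old rule never
# matched and the SYN fell through to the "drop all not coming from LAN" rule
# below — which matches the reported symptom (PPTP only works with that drop
# disabled). connection-nat-state="" appears to be an empty matcher; verify it
# is harmless or remove it.
add action=accept chain=input connection-nat-state="" dst-port=1723 in-interface-list=WAN protocol=tcp
add action=accept chain=input connection-nat-state="" in-interface-list=WAN protocol=gre
# Catch-all for input; log=yes records every unsolicited packet from outside
# the LAN list, so consider switching logging off once the PPTP issue is fixed.
add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes log-prefix=Outside
add action=reject chain=forward comment="Block Internet" disabled=yes reject-with=icmp-network-unreachable src-address-list="Block Internet"
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
# Keeps guest traffic off fasttrack. No mangle rules appear in this export, so
# confirm this bypass is still needed on this router.
add action=accept chain=forward comment="FORWARD: skip fasttrack for traffic from guest network" connection-state=established,related src-address=10.10.10.0/24
add action=accept chain=forward comment="FORWARD: skip fasttrack for traffic from guest network" connection-state=established,related dst-address=10.10.10.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
# No dst-nat rules exist in this export, so this drops every new connection
# from WAN that is routed through this router.
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.10.10.0/24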
Best regards, and thanks for your help.