Am I missing a firewall rule?
Code: Select all
add action=drop chain=input comment="Drop Ping from WAN" in-interface=ether1-WAN protocol=icmp
add action=accept chain=input comment="defconf: accept ICMP" log-prefix=icmp protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input comment="defconf: drop all from WAN" in-interface=ether1-WAN log-prefix=\
"drop all from wan - input"
add action=drop chain=forward dst-address=192.168.100.0/24 in-interface=vlan10_Guest
add action=drop chain=forward out-interface=vlan10_Guest src-address=192.168.100.0/24
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log-prefix="drop invalid"
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1-WAN log-prefix="drop from wan not dstnated"
add action=drop chain=forward comment="drop all inter-VLAN traffic" in-interface=all-vlan out-interface=all-vlan
