Thu Nov 26, 2020 11:08 pm
Q1: What about the other interfaces? Hard to know what they are intended for without a diagram or definition...
/interface bridge
add name=bridge-LAN protocol-mode=none vlan-filtering=yes
/interface ethernet
set [ find default-name=combo1 ] name=WAN
set [ find default-name=ether7 ] name=ether7_Management
Q2. Typically I don't use ingress filtering on untagged access ports, but I guess there is no harm and probably better security, just not sure. So from what I gather only ether port 1 is a trunk port headed for a smart device that can read VLAN tags, and the rest are going to 'dumb devices'.
/interface bridge port
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether2 \
pvid=10
add bridge=bridge-LAN frame-types=admit-only-vlan-tagged ingress-filtering=yes interface=ether1
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether3 \
pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether4 \
pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether5 \
pvid=10
add bridge=bridge-LAN frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=ether6 \
pvid=10
Q3. Why none? It's best to use your management VLAN here to ensure the device is discoverable by Winbox, for example.
/ip neighbor discovery-settings
set discover-interface-list=none
Q4. I prefer to state the untagged ports (2,3,4,5,6) for vlan-id=10, just so I can understand the config, but it's not necessary... what you have is fine.
/interface bridge vlan
add bridge=bridge-LAN tagged=bridge-LAN,ether1 vlan-ids=20
add bridge=bridge-LAN tagged=bridge-LAN,ether1 untagged=???? vlan-ids=10
The rest is commentary on your firewall rules. I am a minimalist and thus consider what you have slightly bloated.
/ip firewall address-list
add address=0.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=172.16.0.0/12 comment=RFC6890 list=not_in_internet
add address=192.168.0.0/16 comment=RFC6890 list=not_in_internet
add address=10.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=169.254.0.0/16 comment=RFC6890 list=not_in_internet
add address=127.0.0.0/8 comment=RFC6890 list=not_in_internet
add address=224.0.0.0/4 comment=Multicast list=not_in_internet
add address=198.18.0.0/15 comment=RFC6890 list=not_in_internet
add address=192.0.0.0/24 comment=RFC6890 list=not_in_internet
add address=192.0.2.0/24 comment=RFC6890 list=not_in_internet
add address=198.51.100.0/24 comment=RFC6890 list=not_in_internet
add address=203.0.113.0/24 comment=RFC6890 list=not_in_internet
add address=100.64.0.0/10 comment=RFC6890 list=not_in_internet
add address=240.0.0.0/4 comment=RFC6890 list=not_in_internet
add address=192.88.99.0/24 comment="6to4 relay Anycast [RFC 3068]" list=not_in_internet
add address=192.168.1.2-192.168.1.254 list=allowed_to_router1
add address=192.168.2.2-192.168.2.254 list=allowed_to_router2
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment="Drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface=WAN log=yes log-prefix=!NAT
add action=drop chain=forward comment="Drop incoming from internet which is not public IP" in-interface=WAN log=yes \
log-prefix=!public src-address-list=not_in_internet
add action=drop chain=forward comment="Drop tries to reach not public addresses from LAN" dst-address-list=\
not_in_internet in-interface=bridge-LAN log=yes log-prefix=!public_from_LAN out-interface=!bridge-LAN
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge-LAN log=\
yes log-prefix=LAN_!LAN src-address=!192.168.1.0/24
add action=drop chain=forward comment="Drop packets from LAN that do not have LAN IP" in-interface=bridge-LAN log=\
yes log-prefix=LAN_!LAN src-address=!192.168.2.0/24
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=accept chain=input comment=allowed_to_router1 src-address-list=allowed_to_router1
add action=accept chain=input protocol=icmp
add action=drop chain=input
add action=accept chain=input comment=allowed_to_router2 src-address-list=allowed_to_router2
Here is what I would shorten it to!!
/ip firewall address-list
add address=adminlaptop list=adminaccess
add address=admindesktop list=adminaccess
add address=adminipad list=adminaccess
Note these two rules have good intent but are best accomplished by interfaces. I use firewall address lists for sub-selections of interfaces or single IPs across subnets, etc... Not bad what you do here, but I prefer interfaces for entire subnets!! Further, and to the point, the entire set of LAN users, trusted or otherwise, DO NOT and should not need FULL access to the router. Only the specific services required should be permitted.
add address=192.168.1.2-192.168.1.254 list=allowed_to_router1
add address=192.168.2.2-192.168.2.254 list=allowed_to_router2
ALSO it drives me bonkers when people mix the input chain (to the router) and the forward chain (through the router) in the config. You are THE FIRST ever to put the forward chain in order in front of the input chain. SO THANK YOU, at least they are not mixed up, and which comes first really doesn't matter.
The rules with no change are included in small italics.
/ip firewall filter
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related" connection-state=established,related
add action=drop chain=forward comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN [assumes all lan users need internet access]
**** add any other allow rules required, admin to dmz vlan for example, or perhaps dmz folks need access to a shared printer on the regular vlan****
add action=accept chain=forward in-interface=vlan10 out-interface=vlan20
add action=accept chain=forward comment="allow port forwarding" \
connection-nat-state=dstnat connection-state=new in-interface=WAN
[becomes an optional rule you can disable until you need port forwarding]
add action=drop chain=forward comment="drop all else" (one simple rule to drop all other traffic not allowed/defined above)
[input chain]
add action=accept chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input comment="Drop invalid" connection-state=invalid log=yes log-prefix=invalid
add action=accept chain=input protocol=icmp
add action=accept chain=input comment="allowed admin to router" \
in-interface=vlan10 src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input
For completeness...
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
add name=Mngmt
/interface list member
add comment=defconf interface=ether?? list=WAN
add interface=vlan10 list=LAN
add interface=vlan20 list=LAN
add interface=vlan10 list=Mngmt
So for example...
/ip neighbor discovery-settings
set discover-interface-list=Mngmt
Last edited by anav on Tue Dec 01, 2020 5:01 am, edited 1 time in total.
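The following is an added worked example, not part of anav's post and not RouterOS code: a small first-match evaluator in Python that models the shortened forward and input chains proposed above, so you can see which sample packets each chain accepts or drops and why the trailing "drop all else" rule matters (without it, RouterOS's default policy accepts anything no rule matched). The interface lists follow the post's /interface list member section; the admin source addresses and the hostnames used in the adminaccess list are constructed placeholders, and fasttrack-connection is modelled as a non-terminating action that tags the connection and lets the packet continue to the next rule, which is why a plain accept follows it.

```python
from dataclasses import dataclass, field
from typing import Optional

# Interface lists as given in the post ("WAN" is the renamed combo1 port).
INTERFACE_LISTS = {
    "WAN": {"WAN"},
    "LAN": {"vlan10", "vlan20"},
    "Mngmt": {"vlan10"},
}

# Constructed sample address list (assumption: these stand in for the post's
# adminlaptop/admindesktop/adminipad entries on the admin VLAN).
ADDRESS_LISTS = {"adminaccess": {"192.168.10.5", "192.168.10.6"}}


@dataclass
class Packet:
    """Just enough of a packet/connection to drive the matchers the rules use."""
    in_iface: str
    out_iface: Optional[str] = None      # None for the input chain
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    conn_state: str = "new"              # new | established | related | invalid
    nat_state: Optional[str] = None      # "dstnat" once a dst-nat rule matched
    src_addr: Optional[str] = None


@dataclass
class Rule:
    action: str                          # accept | drop | fasttrack-connection
    comment: str = ""
    m: dict = field(default_factory=dict)  # matcher name -> value, as in the config

    def matches(self, p: Packet) -> bool:
        checks = {
            "connection-state": lambda v: p.conn_state in v.split(","),
            "connection-nat-state": lambda v: p.nat_state == v,
            "in-interface": lambda v: p.in_iface == v,
            "out-interface": lambda v: p.out_iface == v,
            "in-interface-list": lambda v: p.in_iface in INTERFACE_LISTS[v],
            "out-interface-list": lambda v: p.out_iface in INTERFACE_LISTS[v],
            "protocol": lambda v: p.protocol == v,
            "dst-port": lambda v: p.dst_port == v,
            "src-address-list": lambda v: p.src_addr in ADDRESS_LISTS[v],
        }
        # A rule with no matchers (the final drop) matches everything.
        return all(checks[k](v) for k, v in self.m.items())


# The shortened forward chain from the post, in the same order.
FORWARD = [
    Rule("fasttrack-connection", "FastTrack", {"connection-state": "established,related"}),
    Rule("accept", "Established, Related", {"connection-state": "established,related"}),
    Rule("drop", "Drop invalid", {"connection-state": "invalid"}),
    Rule("accept", "LAN to internet", {"in-interface-list": "LAN", "out-interface-list": "WAN"}),
    Rule("accept", "vlan10 to vlan20", {"in-interface": "vlan10", "out-interface": "vlan20"}),
    Rule("accept", "allow port forwarding",
         {"connection-nat-state": "dstnat", "connection-state": "new", "in-interface": "WAN"}),
    Rule("drop", "drop all else"),
]

# The shortened input chain from the post, in the same order.
INPUT = [
    Rule("accept", "default configuration", {"connection-state": "established,related"}),
    Rule("drop", "Drop invalid", {"connection-state": "invalid"}),
    Rule("accept", "icmp", {"protocol": "icmp"}),
    Rule("accept", "allowed admin to router",
         {"in-interface": "vlan10", "src-address-list": "adminaccess"}),
    Rule("accept", "Allow LAN DNS queries-UDP",
         {"connection-state": "new", "dst-port": 53, "in-interface-list": "LAN", "protocol": "udp"}),
    Rule("accept", "Allow LAN DNS queries - TCP",
         {"connection-state": "new", "dst-port": 53, "in-interface-list": "LAN", "protocol": "tcp"}),
    Rule("drop", "drop all else"),
]


def evaluate(rules, p: Packet):
    """First-match walk of one chain; returns (action, comment of the deciding rule).

    fasttrack-connection only tags the connection and the packet keeps walking,
    so the accept right behind it is what actually terminates the walk. If no
    rule matches, RouterOS's default policy is accept, which is exactly the case
    the trailing drop rule exists to close.
    """
    for rule in rules:
        if rule.matches(p) and rule.action != "fasttrack-connection":
            return rule.action, rule.comment
    return "accept", "(default policy: no rule matched)"


if __name__ == "__main__":
    samples = [
        ("forward", Packet("vlan20", "WAN")),
        ("forward", Packet("vlan20", "vlan10")),
        ("forward", Packet("WAN", "vlan10")),
        ("forward", Packet("WAN", "vlan10", nat_state="dstnat")),
        ("input", Packet("vlan20", protocol="tcp", dst_port=8291, src_addr="192.168.20.7")),
        ("input", Packet("vlan10", protocol="tcp", dst_port=8291, src_addr="192.168.10.5")),
    ]
    for chain, pkt in samples:
        print(chain, pkt, "->", evaluate(FORWARD if chain == "forward" else INPUT, pkt))
```

Running it shows the post's point in miniature: LAN to WAN and vlan10 to vlan20 are accepted by explicit rules, a new WAN connection only gets through when dst-nat has already marked it, and a Winbox connection from an ordinary vlan20 host hits "drop all else" while the same connection from an adminaccess address on vlan10 is accepted. Evaluating `INPUT[:-1]` (the chain without its trailing drop) shows the non-admin Winbox attempt falling through to the default accept, which is the failure the post's minimal rule set is designed to avoid.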