Code: Select all
add action=drop chain=forward connection-state=new connection-type="" \
dst-address=192.168.10.140 in-interface=ether2 log=yes out-interface=\
ether1
If I disable the forward all rule:
Code: Select all
add action=accept chain=forward connection-state=new in-interface=ether2 \
out-interface=ether1
Complete ruleset:
Code: Select all
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked disabled=yes
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward connection-state=new connection-type="" \
dst-address=192.168.10.140 in-interface=ether2 log=yes out-interface=\
ether1
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="Winbox accept" dst-port=8291 \
in-interface=ether1 protocol=tcp src-address=192.168.10.10-192.168.10.254
add action=accept chain=input connection-state=new dst-port=8291 \
in-interface=ether2 protocol=tcp src-address=192.168.86.2
add action=drop chain=input comment="Drop all NOT coming from Ether1" \
disabled=yes in-interface=!ether1
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
disabled=yes ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
disabled=yes ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=accept chain=forward comment="RDP (Any) to 192.168.86.2" \
connection-state=new dst-address=192.168.86.2 in-interface=ether1 \
out-interface=ether2 protocol=tcp
add action=accept chain=forward connection-state=new in-interface=ether2 \
out-interface=ether1
add action=drop chain=forward comment="Drop New" connection-state=new
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface=ether1