(1) Get rid of this.... set to NONE.
/interface detect-internet
set detect-interface-list=all
(2) FIX THIS,
/ip address
add address=192.168.1.1/24 interface=ether2 network=192.168.1.0
SHOULD BE
/ip address
add address=192.168.1.1/24 interface=bridge1 network=192.168.1.0
(3) Duplicate rule, remove it........ (the first rule covers this).
add action=masquerade chain=srcnat comment="default rule" out-interface=ether1
(4) Why are you using a whole bunch of netmap rules? Are you mapping public IPs to private IPs??
(5) It appears they are for port forwarding, and if so DO NOT USE netmap. USE dstnat!!!
ex.
add action=dst-nat chain=dstnat comment=\
"Radmin port forwarding (from mikrotikwan:48991 to 192.168.1.2:4899)" \
dst-port=48991 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.2 \
to-ports=4899
(6) What is this for........
/ip service
set www address=192.168.1.0/24 port=33388
SHOULD BE DISABLED and is a Security RISK.
NO ACCESS TO THE ROUTER ITSELF SHOULD BE DONE FROM THE WAN SIDE. The safe way to access the router is to VPN into the LAN and then access the router.
(7) AND THEN the FW rules..................... A mess!!
SAME ISSUE. You have the default winbox port (which you should change anyway) BEING OPENED UP to the internet, and regardless of whether you have a WAN IP allowed list, it is NOT SECURE and a terrible security practice. Have the admin access the router via VPN to be able to modify the config IF NOT ON SITE.
WIPE IT CLEAN START NEW.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment={ADD ANY RULES REQUIRED FOR VPN INPUT PORTS}
add action=accept chain=input comment="Allow ADMIN to Router" \
src-address-list=adminaccess
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=tcp
add action=accept chain=input comment="Allow LAN DNS queries-UDP" \
connection-state=new dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="Drop All Else"
{NOTE: Only put the last rule (drop all) when the admin access rule is in place!!}
...
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=accept chain=forward comment="ENABLE LAN to WAN" \
in-interface=bridge1 out-interface-list=WAN
add action=accept chain=forward comment="Allow Port Forwarding" \
connection-nat-state=dstnat connection-state=new in-interface-list=WAN
add action=drop chain=forward comment=\
"DROP ALL other FORWARD traffic"
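An added example, not code from the reply above or from MikroTik: a small Python linter that reads RouterOS "/export" text and flags the same problems the review points out (detect-internet set to all, netmap used where dst-nat belongs, a duplicated srcnat rule, an enabled service with no address restriction or winbox still on port 8291, input rules accepting from the WAN list, and the drop-all rule sitting before the admin-access rule). The export text inside it is constructed for the demo and is not a real device dump; the section names and property keys are the standard RouterOS ones seen in the reply.

```python
"""Lint RouterOS '/export' text for the config problems called out in the review.
Added example (not from the original post); SAMPLE_EXPORT is constructed."""
import re
import shlex
from collections import Counter

# Constructed export that reproduces each problem the review raises.
SAMPLE_EXPORT = r"""
/interface detect-internet
set detect-interface-list=all
/ip service
set www address=192.168.1.0/24 port=33388
set winbox port=8291
/ip firewall nat
add action=netmap chain=dstnat comment="radmin" dst-port=48991 \
    in-interface-list=WAN protocol=tcp to-addresses=192.168.1.2 to-ports=4899
add action=masquerade chain=srcnat comment="default rule" out-interface=ether1
add action=masquerade chain=srcnat comment="default rule" out-interface=ether1
/ip firewall filter
add action=accept chain=input comment="winbox from WAN" dst-port=8291 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input comment="drop all else"
add action=accept chain=input comment="admin" src-address-list=adminaccess
"""

META = {"_section", "_verb", "_name"}


def parse_export(text):
    """Return one dict per 'add'/'set' line: RouterOS properties as keys,
    plus '_section', '_verb' and '_name' (the bare name after 'set')."""
    joined = re.sub(r"\\\n\s*", " ", text)      # fold backslash-continued lines
    section, entries = None, []
    for raw in joined.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                # section header, e.g. /ip service
            section = line
            continue
        tokens = shlex.split(line)              # respects quoted comment="..."
        entry = {"_section": section, "_verb": tokens[0], "_name": None}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            if sep:
                entry[key] = value
            else:
                entry["_name"] = tok            # e.g. 'set www ...'
        entries.append(entry)
    return entries


def rule_shape(entry):
    """Matching properties of a rule, ignoring the comment, for duplicate detection."""
    return tuple(sorted((k, v) for k, v in entry.items() if k not in META | {"comment"}))


def audit(text):
    """Return a list of findings (strings) for an export; empty means clean."""
    entries = parse_export(text)
    findings = []
    for e in entries:
        sec = e["_section"]
        if sec == "/interface detect-internet" and e.get("detect-interface-list", "none") != "none":
            findings.append("detect-internet: detect-interface-list should be none")
        if sec == "/ip firewall nat" and e.get("action") == "netmap":
            findings.append(f"nat: rule '{e.get('comment', '')}' uses netmap; use dst-nat for port forwarding")
        if sec == "/ip service" and e.get("disabled", "no") != "yes":
            if "address" not in e:
                findings.append(f"service {e['_name']}: enabled with no address restriction")
            if e["_name"] == "winbox" and e.get("port", "8291") == "8291":
                findings.append("service winbox: still on the default port 8291")
    # Identical NAT rules are redundant: the first one already matches the traffic.
    nat_shapes = Counter(rule_shape(e) for e in entries if e["_section"] == "/ip firewall nat")
    for shape, n in nat_shapes.items():
        if n > 1:
            props = dict(shape)
            findings.append(f"nat: {n} identical rules: {props['action']} chain={props['chain']}")
    # Input chain: nothing accepted from the WAN side, and drop-all only after the admin rule.
    inputs = [e for e in entries if e["_section"] == "/ip firewall filter" and e.get("chain") == "input"]
    for e in inputs:
        if e.get("action") == "accept" and e.get("in-interface-list") == "WAN":
            findings.append(f"filter input: '{e.get('comment', '')}' accepts traffic from the WAN side")
    drop_all = next((i for i, e in enumerate(inputs)
                     if e.get("action") == "drop" and not set(e) - (META | {"action", "chain", "comment"})), None)
    admin = next((i for i, e in enumerate(inputs)
                  if e.get("action") == "accept" and "src-address-list" in e and "in-interface-list" not in e), None)
    if drop_all is None:
        findings.append("filter input: no final drop-all rule")
    elif admin is None or admin > drop_all:
        findings.append("filter input: admin accept rule missing or placed after drop-all")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

Run it against the output of "/export" copied from a router; every finding maps to one of the numbered points in the reply, and a clean export returns an empty list. The duplicate check compares rules with the comment stripped, so two masquerade rules that differ only in their comment are still reported.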