1. Firewall is blocking getting online
2. Hairpin nat not working
3. Firewall is probably not correct
Would like the firewall to:
- block everything that is not allowed
- use the brute force stuff
- separate vlans from router
- forward port 8090, 6767 & 6868 to 192.168.1.26
- allow for pptp vpn
- get hairpin nat working
I have tried to do this but I think some of my logic is off and some of my placement of code is off. If anyone has any input or can point me in the right direction I would really appreciate it. Thank you.
ros code
/interface bridge add comment="Local Bridge" l2mtu=1598 name=bridge-local add comment="Vlan1 Bridge" l2mtu=1594 name=bridge-vlan1 add comment="Vlan2 Bridge" l2mtu=1594 name=bridge-vlan2 /interface ethernet set 0 name=ether1-gateway set 1 name=ether2-local set 2 name=ether3-vlan1 set 3 name=ether4-vlan2 set 4 name=ether5-trunk /interface vlan add interface=bridge-local l2mtu=1594 name=vlan-vlan1-ether5 vlan-id=101 add interface=bridge-local l2mtu=1594 name=vlan-vlan2-ether5 vlan-id=102 /ip pool add name=pool-local ranges=192.168.1.100-192.168.1.254 add name=pool-vlan1 ranges=192.168.2.2-192.168.2.254 add name=pool-vlan2 ranges=192.168.3.2-192.168.3.254 add name=pool-vpn ranges=192.168.10.1-192.168.10.10 /ip dhcp-server add address-pool=pool-local disabled=no interface=bridge-local name=local add address-pool=pool-vlan1 disabled=no interface=bridge-vlan1 name=vlan1 add address-pool=pool-vlan2 disabled=no interface=bridge-vlan2 name=vlan2 /ppp profile set 1 local-address=192.168.1.1 remote-address=pool-vpn /interface bridge port add bridge=bridge-local interface=ether2-local add bridge=bridge-local interface=ether5-trunk add bridge=bridge-vlan1 interface=ether3-vlan1 add bridge=bridge-vlan1 interface=vlan-vlan1-ether5 add bridge=bridge-vlan2 interface=ether4-vlan2 add bridge=bridge-vlan2 interface=vlan-vlan2-ether5 /interface pptp-server server set enabled=yes /ip address add address=192.168.1.1/24 interface=bridge-local add address=192.168.2.1/24 interface=bridge-vlan1 add address=192.168.3.1/24 interface=bridge-vlan2 /ip dhcp-client add comment="default configuration" disabled=no interface=ether1-gateway /ip dhcp-server network add address=192.168.1.0/24 dns-server=192.168.1.1 gateway=192.168.1.1 add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1 add address=192.168.3.0/24 dns-server=192.168.3.1 gateway=192.168.3.1 /ip dns set allow-remote-requests=yes /ip firewall filter add chain=input comment="default configuration" protocol=icmp add chain=input comment="default configuration" connection-state=established add chain=input comment="default configuration" connection-state=related add chain=input comment=vpn dst-port=1723 protocol=tcp add chain=input comment=vpn protocol=gre add action=drop chain=input comment="default configuration" connection-state=\ invalid disabled=yes in-interface=ether1-gateway add action=jump chain=input disabled=yes in-interface=bridge-vlan1 \ jump-target=input-vlan2 add action=jump chain=input disabled=yes in-interface=bridge-vlan2 \ jump-target=input-vlan2 add chain=input disabled=yes in-interface=bridge-local add action=drop chain=input disabled=yes add chain=forward disabled=yes out-interface=ether1-gateway add action=drop chain=forward disabled=yes add chain=input-vlan2 disabled=yes dst-port=53 protocol=tcp add chain=input-vlan2 disabled=yes dst-port=53 protocol=udp add chain=input-vlan2 disabled=yes dst-port=67 protocol=udp add chain=input-vlan2 disabled=yes dst-port=68 protocol=udp add action=drop chain=input comment="drop ssh brute forcers" disabled=yes \ dst-port=22 protocol=tcp src-address-list=ssh_blacklist add action=add-src-to-address-list address-list=ssh_blacklist \ address-list-timeout=1w3d chain=input connection-state=new disabled=yes \ dst-port=22 protocol=tcp src-address-list=ssh_stage3 add action=add-src-to-address-list address-list=ssh_stage3 \ address-list-timeout=1m chain=input connection-state=new disabled=yes \ dst-port=22 protocol=tcp src-address-list=ssh_stage2 add action=add-src-to-address-list address-list=ssh_stage2 \ address-list-timeout=1m chain=input connection-state=new disabled=yes \ dst-port=22 protocol=tcp src-address-list=ssh_stage1 add action=add-src-to-address-list address-list=ssh_stage1 \ address-list-timeout=1m chain=input connection-state=new disabled=yes \ dst-port=22 protocol=tcp /ip firewall nat add action=dst-nat chain=dstnat dst-port=53 protocol=tcp src-address=\ 192.168.3.0/24 to-addresses=208.67.222.222 add action=dst-nat chain=dstnat dst-port=53 protocol=udp src-address=\ 192.168.3.0/24 to-addresses=208.67.222.222 add action=dst-nat chain=dstnat comment="CCTV Port Forward" dst-port=8090 \ in-interface=ether1-gateway protocol=tcp src-port="" to-addresses=\ 192.168.1.26 to-ports=8090 add action=dst-nat chain=dstnat dst-port=6767 in-interface=ether1-gateway \ protocol=tcp to-addresses=192.168.1.26 to-ports=6767 add action=dst-nat chain=dstnat dst-port=6868 in-interface=ether1-gateway \ protocol=tcp to-addresses=192.168.1.26 to-ports=6868 add action=dst-nat chain=dstnat dst-port=6767 in-interface=ether1-gateway \ protocol=udp to-addresses=192.168.1.26 to-ports=6767 add action=dst-nat chain=dstnat dst-port=6868 in-interface=ether1-gateway \ protocol=udp to-addresses=192.168.1.26 to-ports=6868 add action=masquerade chain=srcnat comment="Hairpin Nat" dst-address=\ 192.168.1.26 dst-port=8090 out-interface=ether2-local protocol=tcp \ src-address=192.168.1.0/24 add action=dst-nat chain=dstnat comment="Hairpin Nat" dst-address-type=local \ dst-port=8090 protocol=tcp to-addresses=192.168.1.26 add action=masquerade chain=srcnat comment="default configuration" \ out-interface=ether1-gateway to-addresses=0.0.0.0 /ip neighbor discovery set ether1-gateway disabled=yes set ether3-vlan1 disabled=yes set ether4-vlan2 disabled=yes set bridge-vlan1 disabled=yes set bridge-vlan2 disabled=yes set vlan-vlan1-ether5 disabled=yes set vlan-vlan2-ether5 disabled=yes