Thanks for the advice so far.
- do not use Masquerade for any other cases than src-nat on a dynamic address (e.g. typical home router)
instead use a src-nat with (one of your) external addresses as a to-address.
The main IP range is using src-nat. The two hotspots which have very low usage are using masquerade. There's no particular reason so will change those.
- it looks like you do not completely understand the chain=input and chain=forward difference.
there are many rules on chain=input that make no sense, fortunately many of them are disabled. you can clean this up.
even for a dst-nat you don't put things in chain=input, but only in chain=forward.
Are there any specific examples? Most of the rules are from Mikrotik recommendations. I assume the
- when you have one specific path where you want to block a lot of different things, but do not want to bother the
router to do those checks on all traffic, consider putting those rules in a separate chain. put a rule in chain=forward
which matches the input interface (or -list) and then jumps to your custom chain (action=jump jump-target=forward-incoming)
and then put your long list of rules in chain=forward-incoming. this can also make things a lot clearer.
however, in a connection tracking setup that makes less of a difference because you accept established,related immediately.
That's something I hadn't spotted. A lot of the config has been imported from various templates we use. It looks like at some point some of the rules that should be on their own chain have ended up on the input chain. Will get those changed.
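The two points above (src-nat with a fixed to-address instead of masquerade, and a jump from chain=forward into a custom chain after accepting established,related) put into RouterOS CLI form, as an added example that is not from the original thread or from either poster. The interface list name WAN, the public address 203.0.113.10 and the LAN range 192.168.10.0/24 are assumed placeholder values.

```routeros
# Added example (placeholder addresses). Static public IP: use src-nat with an explicit
# to-address; masquerade is only for a WAN address that changes (e.g. DHCP/PPPoE at home).
/ip firewall nat
add chain=srcnat out-interface-list=WAN src-address=192.168.10.0/24 \
    action=src-nat to-addresses=203.0.113.10 comment="LAN to internet via fixed public IP"

/ip firewall filter
# Connection tracking: accept already-tracked traffic first, drop what cannot be tracked.
add chain=forward connection-state=established,related action=accept comment="tracked traffic"
add chain=forward connection-state=invalid action=drop comment="untrackable traffic"
# Only NEW connections arriving on a WAN interface reach the long rule list in the custom chain;
# LAN-originated traffic never pays for those checks.
add chain=forward in-interface-list=WAN connection-state=new \
    action=jump jump-target=forward-incoming comment="inbound new connections"

# Custom chain: rules for traffic that was dst-nat'ed belong here (chain=forward), not in chain=input.
add chain=forward-incoming connection-nat-state=dstnat action=accept comment="allow port-forwarded services"
add chain=forward-incoming action=drop comment="anything else from WAN"
```

Chain=input still needs its own small set of rules for traffic addressed to the router itself (e.g. management access), which is separate from this forward-chain list.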