add action=accept chain=input comment="Established, Related, Untracked" connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related, Untracked" connection-state=established,related,untracked
Flags: X - disabled, I - invalid; D - dynamic
0 ;;; defconf: accept established,related,untracked
chain=input action=accept connection-state=established,related,untracked
1 ;;; defconf: drop invalid
chain=input action=drop connection-state=invalid
2 X ;;; defconf: accept ICMP
chain=input action=accept protocol=icmp log=no log-prefix=""
3 ;;; defconf: accept to local loopback (for CAPsMAN)
chain=input action=accept dst-address=127.0.0.1
4 ;;; defconf: drop all not coming from LAN
chain=input action=drop in-interface-list=!LAN
5 ;;; defconf: accept in ipsec policy
chain=forward action=accept ipsec-policy=in,ipsec
6 ;;; defconf: accept out ipsec policy
chain=forward action=accept ipsec-policy=out,ipsec
7 ;;; defconf: accept established,related, untracked
chain=forward action=accept connection-state=established,related,untracked
8 ;;; defconf: drop invalid
chain=forward action=drop connection-state=invalid
9 ;;; defconf: drop all from WAN not DSTNATed
chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall filter
add action=accept chain=input comment="Established, Related, Untracked" connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp log=no log-prefix=""
add chain=input action=accept dst-address=127.0.0.1
add chain=input action=drop in-interface-list=!LAN
add chain=forward action=accept ipsec-policy=in,ipsec
add chain=forward action=accept ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related, Untracked" connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
Thank you so much @own3r1138, I will add those fresh next chance I get.

In the screenshot, you have at least 13 filter rules. Now you have less than that. What is going on?
/ip firewall filter
add action=accept chain=input comment="Established, Related, Untracked" connection-state=established,related,untracked
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp log=no log-prefix=""
add chain=input action=accept dst-address=127.0.0.1
add chain=input action=drop in-interface-list=!LAN
add chain=forward action=accept ipsec-policy=in,ipsec
add chain=forward action=accept ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=FastTrack connection-state=established,related
add action=accept chain=forward comment="Established, Related, Untracked" connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN
I think the best thing to do now is export my config and add those.

I see, so the order in post #12 is okay if you wish to use it.
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" disabled=yes \
protocol=icmp
add action=accept chain=input comment=\
"defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN