Sun May 14, 2023 5:53 pm
If you want help in the future, provide the complete config (minus router serial#, any public WAN IP info, keys etc.); many parts work in conjunction, so showing a snippet is often useless.
As for the input chain, it's quite simple what you need to do..
ROUTER Device
/ip firewall filter
{Input Chain}
(default rules)
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
(admin rules)
add action=accept chain=input src-address-list=Admin
add action=accept chain=input comment="Allow LAN DNS queries - UDP" \
dst-port=53,123 in-interface-list=LAN protocol=udp { 123 only if the router also serves NTP to the LAN; add other UDP services here if required }
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \
dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
Where the firewall address list is comprised of all IPs the admin may be coming from: wired PC, wifi laptop, wifi iPad etc., plus remoting in via, let's say, WireGuard.
Only the admin needs complete access, users only need specific services.
If it's a switch behind a router... no firewall rules are needed, but you should have a management LAN or VLAN, and all smart devices get their IP from this subnet.
Let's say the management subnet is 192.168.88.0/24 on vlan 88 and the switch has an IP of 192.168.88.88.
Sorry, I only speak ROS.
SWITCH Device
/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes
/interface ethernet
set [ find default-name=ether2 ] name=emergaccess
/interface vlan
add interface=bridgegym name=homeVlan vlan-id=88 { mandatory, management vlan must be identified in /interface vlan - do not put any other vlans here!! }
/interface list
add name=management
/interface bridge port
add bridge=bridgegym ingress-filtering=yes interface=ether1
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=homeWLan pvid=12
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=HVAC_WLAN pvid=49
add bridge=bridgegym frame-types=admit-only-untagged-and-priority-tagged interface=mediaWlan pvid=40
/ip neighbor discovery-settings
set discover-interface-list=management
/interface bridge vlan
add bridge=bridgegym tagged=bridgegym,ether1 vlan-ids=88 { management vlan: the bridge itself must be a tagged member here, otherwise with vlan-filtering=yes the CPU never sees vlan 88 and the 192.168.88.88 IP is unreachable }
add bridge=bridgegym tagged=ether1,bridgegym untagged=homeWLan vlan-ids=12
add bridge=bridgegym tagged=ether1 untagged=mediaWlan vlan-ids=40
add bridge=bridgegym tagged=ether1 untagged=HVAC_WLAN vlan-ids=49
/interface list member
add interface=homeVlan list=management
add interface=emergaccess list=management
/ip address
add address=192.168.88.88/24 interface=homeVlan network=192.168.88.0 comment="IP on trusted subnet"
add address=192.168.36.1/24 interface=emergaccess network=192.168.36.0 comment="ether2 access off bridge"
/ip dns
set allow-remote-requests=yes servers=192.168.88.1 { Note: Done so all dns requests use trusted subnet }
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=192.168.88.1 comment="ensures route avail through trusted subnet gateway"
/system ntp client
set enabled=yes
/system ntp client servers
add address=192.168.88.1
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management
(Ignore the off-bridge port; that is what I use to config devices when using bridges.)
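As an added check, not part of the post above and not RouterOS or the poster's code, the following Python script parses a RouterOS-style export and flags the things this post leans on: a management VLAN defined in /interface vlan with no /interface bridge vlan entry that tags the bridge itself (the CPU port never sees that VLAN, so the management IP goes dark), an input chain that does not end in an unconditional drop, and MAC-server or neighbor discovery left open to every interface. The sample configs are constructed from the post's switch and router fragments, and the function names (parse_ros and friends) are hypothetical.

```python
"""Lint a RouterOS export for the points in the post above: a management VLAN
in /interface vlan but absent from the bridge VLAN table, an input chain with no
final unconditional drop, and MAC-server / neighbor discovery left open.
Added example, not the poster's or MikroTik's code; sample configs are constructed."""
import shlex
from collections import defaultdict


def parse_ros(text):
    """Parse export text into {section: [{'cmd': ..., key: value}]}; handles '\\'
    continuations and quoted values.  Assumes plain 'vlan-ids=88', not ranges."""
    sections, section, buf = defaultdict(list), None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):            # continued on the next line
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        if line.startswith("/"):            # section header, e.g. /ip route
            section = line
            continue
        tokens = shlex.split(line)
        entry = {"cmd": tokens[0]}
        for tok in tokens[1:]:             # '[', 'find', ']' carry no '=' and are skipped
            if "=" in tok:
                key, val = tok.split("=", 1)
                entry[key] = val
        sections[section].append(entry)
    return sections


def management_vlan_findings(cfg):
    """An /interface vlan on a vlan-filtering bridge needs a bridge vlan entry
    with the bridge itself tagged, or the CPU never sees that VLAN's frames."""
    bridges = {b["name"] for b in cfg.get("/interface bridge", [])
               if b.get("vlan-filtering") == "yes"}
    table, out = cfg.get("/interface bridge vlan", []), []
    for v in cfg.get("/interface vlan", []):
        br, vid = v.get("interface"), v.get("vlan-id")
        if br not in bridges:
            continue
        ok = any(e.get("bridge") == br and vid in e.get("vlan-ids", "").split(",")
                 and br in e.get("tagged", "").split(",") for e in table)
        if not ok:
            out.append(f"vlan {vid} ({v['name']}) has no bridge vlan entry tagging {br}")
    return out


def input_chain_findings(cfg):
    """The input chain must end in a drop rule with no match conditions."""
    rules = [r for r in cfg.get("/ip firewall filter", []) if r.get("chain") == "input"]
    if not rules:
        return ["no input chain rules"]
    last = rules[-1]
    if last.get("action") != "drop" or set(last) - {"cmd", "action", "chain", "comment"}:
        return ["input chain does not end in an unconditional drop"]
    return []


def exposure_findings(cfg):
    """Discovery and MAC access must be off or limited to a management list."""
    def setting(section, key):
        entries = cfg.get(section, [])
        return entries[-1].get(key) if entries else None
    out = []
    if setting("/ip neighbor discovery-settings", "discover-interface-list") in (None, "all"):
        out.append("neighbor discovery not restricted")
    if setting("/tool mac-server", "allowed-interface-list") != "none":
        out.append("MAC telnet server not disabled")
    if setting("/tool mac-server mac-winbox", "allowed-interface-list") in (None, "all"):
        out.append("MAC winbox allowed on all interfaces")
    return out


# Constructed from the post: as posted, the switch has no bridge vlan entry for 88.
SWITCH_AS_POSTED = """\
/interface bridge
add ingress-filtering=no name=bridgegym vlan-filtering=yes
/interface vlan
add interface=bridgegym name=homeVlan vlan-id=88
/interface bridge vlan
add bridge=bridgegym tagged=ether1,bridgegym untagged=homeWLan vlan-ids=12
/ip neighbor discovery-settings
set discover-interface-list=management
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=management
"""
SWITCH_FIXED = SWITCH_AS_POSTED + "/interface bridge vlan\nadd bridge=bridgegym tagged=bridgegym,ether1 vlan-ids=88\n"
ROUTER_INPUT = """\
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input src-address-list=Admin
add action=accept chain=input comment="Allow LAN DNS queries - TCP" \\
    dst-port=53 in-interface-list=LAN protocol=tcp
add action=drop chain=input comment="drop all else"
"""

if __name__ == "__main__":
    for name, text in [("switch as posted", SWITCH_AS_POSTED), ("switch fixed", SWITCH_FIXED)]:
        cfg = parse_ros(text)
        print(name, management_vlan_findings(cfg) + exposure_findings(cfg))
    print("router", input_chain_findings(parse_ros(ROUTER_INPUT)))
```

Run it against a real `/export` before and after a change; the switch check is deliberately silent about firewall rules, since the post's point is that a switch on a management VLAN needs none, while the router check only cares that the chain's last rule is a bare drop.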