I always would rather find the answer before posting anything so i won't waste anyone time. So i tried to find the answer and tried a lot of config changes before posting. But unfortunatly i unable to do so. I am using 4 gbit internet at my house 3 vlans and a pcc load balancer. I have 2 manageble switches (1Poe ,1 normal) and only the WAN ports(PPPooe configed statik ip adresses) and SFP+ used on the device. I did config the other LAN ports just in case i have to access specific VLan. I don't have any problems with internet acess , vlan and load balance except i cannot port forward (dstnat or hairpin nat) using this config. Considering PCC or VLan however working can be still misconfigured and might cause problems i am posting the whole config.
I think i might have a routing or srcnat error on my hand (prerouting out error below) but never able to figure it out.
Code: Select all
prerouting: in:Fiber_3 [b]out:(unknown 0)[/b], connection-state:established,snat src-mac d4:c1:c8:97:4f:90, proto TCP (ACK), 149.50.216.206:48721->[Public IP]:52549, NAT 149.50.216.206:48721->([Public IP]:52549->10.1.53.221:52549), len 52
This is my first mikrotik device so please let me have it easy if you see any config errors or problems.
I do have to create VPN tunnels (IKE2 , PPTP and L2TP)in near future. Any advice in config for that is most welcomed as well.
I am highly frasturated atm so thanks in advance for anyone whom even bothered to read the config.
Code: Select all
/interface bridge
add name=Local vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name=LAN1
set [ find default-name=ether2 ] name=LAN2
set [ find default-name=ether3 ] name=LAN3
set [ find default-name=ether4 ] name=LAN4
set [ find default-name=sfp-sfpplus1 ] name=SFP
set [ find default-name=ether5 ] name=WAN1
set [ find default-name=ether6 ] name=WAN2
set [ find default-name=ether7 ] name=WAN3
set [ find default-name=ether8 ] name=WAN4
/interface vlan
add interface=Local name=SmartHome_vLan vlan-id=100
add interface=Local name=Management_vLan vlan-id=1
add interface=Local name=Private_vLan vlan-id=53
add interface=WAN1 name=ISP1 vlan-id=35
add interface=WAN2 name=ISP2 vlan-id=35
add interface=WAN3 name=ISP3 vlan-id=35
add interface=WAN4 name=ISP4 vlan-id=35
/interface pppoe-client
add add-default-route=yes comment="" disabled=no interface=\
ISP1 name=Fiber_1 user=[username]
add add-default-route=yes comment="" disabled=no interface=\
ISP2 name=Fiber_2 user=[username]
add add-default-route=yes comment="" disabled=no interface=\
ISP3 name=Fiber_3 user=[username]
add add-default-route=yes comment="" disabled=no interface=\
ISP4 name=Fiber_4 user=[username]
/interface list
add name=WAN
add name=LAN
add name=Modems
add name=vLans
/ip pool
add name=Private_DHCP_Pool ranges=10.1.53.100-10.1.53.199
add name=Management_DHCP_Pool ranges=10.1.43.100-10.1.43.199
add name=SmartHome_DHCP_Pool ranges=10.1.100.100-10.1.100.199
/ip dhcp-server
add address-pool=Private_DHCP_Pool interface=Private_vLan name=Private_DHCP
add address-pool=Management_DHCP_Pool interface=Management_vLan name=\
Management_DHCP
add address-pool=SmartHome_DHCP_Pool interface=SmartHome_vLan name=\
SmartHome_DHCP
/routing table
add disabled=no fib name=to_WAN1
add disabled=no fib name=to_WAN2
add disabled=no fib name=to_WAN3
add disabled=no fib name=to_WAN4
/interface bridge port
add bridge=Local interface=LAN1 pvid=53
add bridge=Local interface=LAN2 pvid=53
add bridge=Local interface=LAN3
add bridge=Local interface=LAN4 pvid=100
add bridge=Local interface=SFP
/interface bridge vlan
add bridge=Local tagged=SFP,Local untagged=LAN4 vlan-ids=100
add bridge=Local tagged=Local,SFP untagged=LAN1,LAN2 vlan-ids=53
/interface list member
add interface=LAN2 list=LAN
add interface=LAN3 list=LAN
add interface=LAN4 list=LAN
add interface=SFP list=LAN
add interface=Fiber_1 list=Modems
add interface=Fiber_2 list=Modems
add interface=Fiber_3 list=Modems
add interface=Fiber_4 list=Modems
add interface=SmartHome_vLan list=vLans
add interface=Management_vLan list=vLans
add interface=Private_vLan list=vLans
add interface=LAN1 list=WAN
add interface=WAN1 list=LAN
add interface=WAN2 list=LAN
add interface=WAN3 list=LAN
add interface=WAN4 list=LAN
/ip address
add address=10.1.53.1/24 interface=Private_vLan network=10.1.53.0
add address=10.1.43.1/24 interface=Management_vLan network=10.1.43.0
add address=10.1.100.1/24 interface=SmartHome_vLan network=10.1.100.0
/ip arp
add address=10.1.53.53 interface=Private_vLan mac-address=CC:28:AA:CC:75:14
/ip dhcp-client
add interface=Local
/ip dhcp-server network
add address=10.1.43.0/24 gateway=10.1.43.1
add address=10.1.53.0/24 gateway=10.1.53.1
add address=10.1.100.0/24 gateway=10.1.100.1
/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=512 \
servers=8.8.8.8,1.1.1.1
/ip firewall address-list
add address=[ISP1_Static_Adress] list=Internet
add address=[ISP2_Static_Adress] list=Internet
add address=[ISP3_Static_Adress] list=Internet
add address=[ISP4_Static_Adress] list=Internet
/ip firewall filter
add action=accept chain=forward dst-port=32400 in-interface-list=Modems \
protocol=tcp
add action=accept chain=forward comment="Port Forward DstNat'd" \
connection-nat-state=dstnat
add action=accept chain=input comment=\
"Accept established,related connections" connection-state=\
established,related
add action=accept chain=forward comment=\
"Accept established,related connections" connection-state=\
established,related
add action=accept chain=output comment=\
"Accept established,related connections" connection-state=\
established,related
add action=accept chain=input comment=UDP protocol=udp
add action=accept chain=forward comment="Allow LAN DNS queries-UDP" dst-port=\
53 protocol=udp src-address-list="LAN Users"
add action=accept chain=forward comment="Allow LAN DNS queries-TCP" dst-port=\
53 protocol=tcp src-address-list="LAN Users"
add action=jump chain=forward jump-target=tcp protocol=tcp
add action=jump chain=forward jump-target=udp protocol=udp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 \
protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 \
protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 \
protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=\
tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 \
protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 \
protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=\
udp
add action=jump chain=forward connection-state=new jump-target=block-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed \
src-address-list=ddoser
add action=return chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
1m chain=block-ddos log=yes
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
1m chain=block-ddos log=yes
add action=drop chain=input comment="ping port scanners" src-address-list=\
"port scanners"
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2m chain=input comment="Port scanners to list " \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2m chain=input comment="NMAP FIN Stealth scan" \
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2m chain=input comment="SYN/FIN scan" protocol=tcp \
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2m chain=input comment="SYN/RST scan" protocol=tcp \
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2m chain=input comment="FIN/PSH/URG scan" protocol=\
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=30m chain=input comment="ALL/ALL scan" protocol=tcp \
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
address-list-timeout=2m chain=input comment="NMAP NULL scan" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=virus comment="Blaster Worm" dst-port=135-139 protocol=\
tcp
add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=tcp
add action=drop chain=virus comment="Messenger Worm" dst-port=135-139 \
protocol=udp
add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=\
tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=2283 protocol=tcp
add action=drop chain=virus comment=Beagle dst-port=2535 protocol=tcp
add action=drop chain=virus comment=Beagle.C-K dst-port=2745 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Backdoor OptixPro" dst-port=3410 \
protocol=tcp
add action=drop chain=virus comment=Sasser dst-port=5554 protocol=tcp
add action=drop chain=virus comment=Beagle.B dst-port=8866 protocol=tcp
add action=drop chain=virus comment=Dabber.A-B dst-port=9898 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=10000 protocol=tcp
add action=drop chain=virus comment=MyDoom.B dst-port=10080 protocol=tcp
add action=drop chain=virus comment=NetBus dst-port=12345 protocol=tcp
add action=drop chain=virus comment=Kuang2 dst-port=17300 protocol=tcp
add action=drop chain=virus comment=SubSeven dst-port=27374 protocol=tcp
add action=drop chain=virus comment="PhatBot, Agobot, Gaobot" dst-port=65506 \
protocol=tcp
add action=drop chain=virus comment=Trinoo dst-port=12667 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27665 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=31335 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27444 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=34555 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=35555 protocol=udp
add action=drop chain=virus comment=Trinoo dst-port=27444 protocol=tcp
add action=jump chain=forward comment="jump to the virus chain" jump-target=\
virus
add action=drop chain=input comment="invalid connections" connection-state=\
invalid
add action=drop chain=forward comment="invalid connections" connection-state=\
invalid
add action=drop chain=output comment="invalid connections" connection-state=\
invalid
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
bogons
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=Internet
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new in-interface=Fiber_1 new-connection-mark=WAN1_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new in-interface=Fiber_2 new-connection-mark=WAN2_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new in-interface=Fiber_3 new-connection-mark=WAN3_conn
add action=mark-connection chain=prerouting connection-mark=no-mark \
connection-state=new in-interface=Fiber_4 new-connection-mark=WAN4_conn
add action=mark-routing chain=output connection-mark=WAN1_conn \
new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn \
new-routing-mark=to_WAN2
add action=mark-routing chain=output connection-mark=WAN3_conn \
new-routing-mark=to_WAN3
add action=mark-routing chain=output connection-mark=WAN4_conn \
new-routing-mark=to_WAN4
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Local new-connection-mark=WAN1_conn \
per-connection-classifier=src-address-and-port:4/0
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Local new-connection-mark=WAN2_conn \
per-connection-classifier=src-address-and-port:4/1
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Local new-connection-mark=WAN3_conn \
per-connection-classifier=src-address-and-port:4/2
add action=mark-connection chain=prerouting dst-address-type=!local \
in-interface=Local new-connection-mark=WAN4_conn \
per-connection-classifier=src-address-and-port:4/3
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
in-interface=Local new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
in-interface=Local new-routing-mark=to_WAN2
add action=mark-routing chain=prerouting connection-mark=WAN3_conn \
in-interface=Local new-routing-mark=to_WAN3
add action=mark-routing chain=prerouting connection-mark=WAN4_conn \
in-interface=Local new-routing-mark=to_WAN4
add action=mark-connection chain=output connection-mark=no-mark \
connection-state=new new-connection-mark=WAN1_conn \
per-connection-classifier=src-address-and-port:4/0
add action=mark-connection chain=output connection-mark=no-mark \
connection-state=new new-connection-mark=WAN2_conn \
per-connection-classifier=src-address-and-port:4/1
add action=mark-connection chain=output connection-mark=no-mark \
connection-state=new new-connection-mark=WAN3_conn \
per-connection-classifier=src-address-and-port:4/2
add action=mark-connection chain=output connection-mark=no-mark \
connection-state=new new-connection-mark=WAN4_conn \
per-connection-classifier=src-address-and-port:4/3
/ip firewall nat
add action=accept chain=srcnat disabled=yes dst-address-type=!local \
out-interface-list=Modems protocol=tcp src-port=32400
add action=accept chain=srcnat disabled=yes dst-address-type=!local \
out-interface=Fiber_1 out-interface-list=Modems protocol=tcp src-port=\
32400
add action=accept chain=srcnat disabled=yes dst-address-type=!local \
out-interface=Fiber_2 out-interface-list=Modems protocol=tcp src-port=\
32400
add action=accept chain=srcnat disabled=yes dst-address-type=!local \
out-interface=Fiber_3 out-interface-list=Modems protocol=tcp src-port=\
32400
add action=accept chain=srcnat disabled=yes dst-address-type=!local \
out-interface=Fiber_4 out-interface-list=Modems protocol=tcp src-port=\
32400
add action=masquerade chain=srcnat out-interface=Fiber_1
add action=masquerade chain=srcnat out-interface=Fiber_2
add action=masquerade chain=srcnat out-interface=Fiber_3
add action=masquerade chain=srcnat out-interface=Fiber_4
add action=dst-nat chain=dstnat dst-port=32400 in-interface-list=Modems \
protocol=tcp to-addresses=10.1.53.221 to-ports=32400
add action=dst-nat chain=dstnat disabled=yes dst-port=32400 in-interface=\
Fiber_2 protocol=tcp to-addresses=10.1.53.221 to-ports=32400
add action=dst-nat chain=dstnat disabled=yes dst-port=32400 in-interface=\
Fiber_3 protocol=tcp to-addresses=10.1.53.221 to-ports=32400
add action=dst-nat chain=dstnat disabled=yes dst-port=32400 in-interface=\
Fiber_4 protocol=tcp to-addresses=10.1.53.221 to-ports=32400
/ip firewall raw
add action=drop chain=prerouting comment=Worm-Infected-p445 src-address-list=\
Worm-Infected-p445
add action=drop chain=prerouting comment="Drop all DNS request from Internet" \
dst-port=53 in-interface-list=WAN protocol=tcp
add action=drop chain=prerouting dst-port=53 in-interface-list=WAN protocol=\
udp
add action=drop chain=prerouting comment=\
"TCP invalid combination of flags attack (7 rules)" protocol=tcp \
tcp-flags=!fin,!syn,!rst,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,syn
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,!ack
add action=drop chain=prerouting protocol=tcp tcp-flags=fin,urg
add action=drop chain=prerouting protocol=tcp tcp-flags=syn,rst
add action=drop chain=prerouting protocol=tcp tcp-flags=rst,urg
add action=drop chain=prerouting comment="TCP Port 0 attack (2 rules)" \
protocol=tcp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=tcp
add action=drop chain=prerouting comment="UDP Port 0 attack (2 rules)" \
protocol=udp src-port=0
add action=drop chain=prerouting dst-port=0 protocol=udp
add action=drop chain=prerouting comment=\
"Protecting device crash when size > 1024" packet-size=1025-1600 \
protocol=icmp
add action=drop chain=prerouting comment="ICMP large packet attack" \
packet-size=1601-65535 protocol=icmp
add action=drop chain=prerouting comment="ICMP fragmentation attack" \
fragment=yes protocol=icmp
add action=drop chain=prerouting comment="SYN fragmented attack" fragment=yes \
protocol=tcp tcp-flags=syn
add action=drop chain=prerouting comment=\
"Fragment attack Interface Protection" dst-address-list="LAN Users" \
fragment=yes
add action=drop chain=prerouting comment="IP option loose-source-routing" \
ipv4-options=loose-source-routing
add action=drop chain=prerouting comment="IP option strict-source-routing" \
ipv4-options=strict-source-routing
add action=drop chain=prerouting comment="IP option record-route" \
ipv4-options=record-route
add action=drop chain=prerouting comment="IP option router-alert" \
ipv4-options=router-alert
add action=drop chain=prerouting comment="IP option timestamp" ipv4-options=\
timestamp
add action=drop chain=prerouting comment=\
"IP options left, except IP Stream used by the IGMP protocol" \
ipv4-options=any protocol=!igmp
add action=accept chain=prerouting protocol=icmp
add action=accept chain=prerouting protocol=igmp
add action=accept chain=prerouting protocol=tcp
add action=accept chain=prerouting protocol=udp
add action=accept chain=prerouting protocol=gre
add action=log chain=prerouting log=yes log-prefix="Not TCP protocol" \
protocol=!tcp
add action=drop chain=prerouting comment="Unused protocol protection" \
protocol=!tcp
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
Fiber_1 routing-table=to_WAN1 scope=30 suppress-hw-offload=no \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
Fiber_2 routing-table=to_WAN2 scope=30 suppress-hw-offload=no \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
Fiber_3 routing-table=to_WAN3 scope=30 suppress-hw-offload=no \
target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=\
Fiber_4 routing-table=to_WAN4 scope=30 suppress-hw-offload=no \
target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Fiber_1 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=2 dst-address=0.0.0.0/0 gateway=Fiber_2 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=3 dst-address=0.0.0.0/0 gateway=Fiber_3 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=4 dst-address=0.0.0.0/0 gateway=Fiber_4 \
routing-table=main scope=30 suppress-hw-offload=no target-scope=10