Request config sanity check

gabacho4 · Sat Oct 16, 2021 8:21 pm

Hello all,

I am completely new to Mikrotik but am really enjoying my RB5009. The look, the form factor, the performance....all great. I have previously worked with PfSense and Vyos and have worked to replicate the network functionality that I had with those platforms. HOWEVER, Mikrotik does things a little differently and (as I am learning) there is far less hand holding on many fronts. With that in mind, I was hoping a more seasoned and experienced user would be able to review my config and alert me if there are any blaring deficiencies with my firewall rules etc. I think I'm good but so does everyone else that gets hacked.

I removed the DHCP server lease section as no one needs to have all my MAC addresses.

I'm happy to consider any other advise people have to make my config more efficient or fast. I'm sure there are inefficiencies in there. Thanks in advance!

# oct/16/2021 20:12:07 by RouterOS 7.1rc4
# software id = 7ZLE-935S
#
# model = RB5009UG+S+
# serial number = 
/interface wireguard
add listen-port=30752 mtu=1420 name=Mullvad
add listen-port=51820 mtu=1420 name="Remote Access Wireguard"
add listen-port=51822 mtu=1420 name=Utah
/interface list
add include=all name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip firewall layer7-protocol
add name=ZainKuwait regexp="^.+kw.zain.com.*\$"
/ip pool
add name=LAN-DHCP ranges=10.20.2.100-10.20.2.254
add name=kids-DHCP ranges=10.20.20.100-10.20.20.254
add name=cameras-DHCP ranges=10.20.40.2-10.20.40.254
add name=DMZ-DHCP ranges=10.20.80.2-10.20.80.254
/ip dhcp-server
add address-pool=LAN-DHCP interface=ether2 lease-time=5m name=LAN
add address-pool=kids-DHCP interface=ether3 lease-time=5m name=Kids
add address-pool=cameras-DHCP interface=ether4 lease-time=5m name=Cameras
add address-pool=DMZ-DHCP interface=ether5 lease-time=5m name=DMZ
/routing table
add disabled=no fib name=Utah
add disabled=no fib name=Mullvad
/interface detect-internet
set detect-interface-list=all lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=Utah list=WAN
add interface=ether1 list=WAN
add interface=Mullvad list=WAN
add interface="Remote Access Wireguard" list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=utah.yawidy.com endpoint-port=\
    51822 interface=Utah persistent-keepalive=30s public-key=\
    "UOKuHFY1WhC6b2beXIQGmivsFuXtqY9g8KNd6eC5qTc="
add allowed-address=0.0.0.0/0 endpoint-address=89.45.224.210 endpoint-port=\
    51820 interface=Mullvad persistent-keepalive=30s public-key=\
    "J8QaV8tZyFBrb9atVg3mI2Vb3/DtWVJSHFYSrdy6w2w="
add allowed-address=10.103.103.2/32 interface="Remote Access Wireguard" \
    public-key="S0v2v7bRuzOnzcuC35IOTqEoq7TFXZAeLuXMcqgneC0="
/ip address
add address=10.102.102.2 interface=Utah network=10.102.102.1
add address=10.64.172.48 interface=Mullvad network=10.64.172.48
add address=10.20.40.1/24 interface=ether4 network=10.20.40.0
add address=10.20.80.1/24 interface=ether5 network=10.20.80.0
add address=10.20.20.1/24 interface=ether3 network=10.20.20.0
add address=10.20.2.1/24 comment=LAN interface=ether2 network=10.20.2.0
add address=10.103.103.1/24 interface="Remote Access Wireguard" network=\
    10.103.103.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no

/ip dhcp-server network
add address=10.20.2.0/24 dns-server=10.20.2.6 domain=mikrotik.overseas \
    gateway=10.20.2.1
add address=10.20.20.0/24 dns-server=10.20.2.6 domain=mikrotik.overseas \
    gateway=10.20.20.1
add address=10.20.40.0/24 dns-server=10.20.40.1 domain=mikrotik.overseas \
    gateway=10.20.40.1
add address=10.20.80.0/24 dns-server=10.20.80.1 domain=mikrotik.overseas \
    gateway=10.20.80.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.20.2.0/24 comment="Local Subnets" list="Local Subnets"
add address=10.10.1.0/24 comment="Utah Subnets" list="Utah Subnets"
add address=10.10.10.0/24 list="Utah Subnets"
add address=10.10.30.0/24 list="Utah Subnets"
add address=10.10.50.0/24 list="Utah Subnets"
add address=10.20.20.0/24 list="Local Subnets"
add address=10.20.40.0/24 list="Local Subnets"
add address=10.20.80.0/24 list="Local Subnets"
add address=10.20.20.10 comment="Kids Devices" list=KidsDevices
add address=10.20.20.11 list=KidsDevices
add address=10.20.20.22 list=KidsDevices
add address=10.20.20.23 list=KidsDevices
add address=10.20.20.20 list=KidsDevices
add address=10.20.20.21 list=KidsDevices
add address=10.20.20.22 comment="Kids Laptops" list="Kids Laptops"
add address=10.20.20.23 list="Kids Laptops"
add address=10.20.20.10 comment="Kids Phones" list="Kids Phones"
add address=10.20.20.11 list="Kids Phones"
add address=10.20.2.50 comment=Sonos list=Sonos
add address=10.20.2.3 comment=Streaming list=Streaming
add address=192.168.88.0/24 list="Local Subnets"
add address=10.20.40.0/24 comment=Cameras list=Cameras
add address=10.20.80.0/24 comment=DMZ list=DMZ
add address=10.20.20.0/24 comment="Kids Network" list="Kids Network"
add address=10.20.2.0/24 comment="Local Trusted Subnet" list=\
    "Local Trusted Network"
add address=10.20.2.4 list=Streaming
add address=10.20.2.8 list=Streaming
add address=10.20.2.9 list=Streaming
add address=10.20.2.51 list=Sonos
add address=10.20.2.52 list=Sonos
add address=10.20.2.53 list=Sonos
add address=10.20.2.54 list=Sonos
add address=10.20.2.55 list=Sonos
add address=10.20.2.56 list=Sonos
add address=10.20.2.57 list=Sonos
add address=10.20.2.58 list=Sonos
add address=10.20.2.59 list=Sonos
add address=10.102.102.0/24 comment="Utah Wireguard" list="Utah Wireguard"
add address=10.20.20.30 list=Streaming
add address=10.20.20.31 list=Streaming
add address=10.20.2.7 list=Streaming
add address=10.103.103.0/24 list="Local Subnets"
add address=10.20.2.70 comment="Management devices" list="Management Devices"
add address=10.20.2.71 list="Management Devices"
add address=10.20.2.72 list="Management Devices"
add address=10.20.2.73 list="Management Devices"
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input connection-state=invalid
add action=accept chain=input comment="allow ICMP" in-interface=ether1 \
    protocol=icmp
add action=accept chain=input comment="allow ICMP" in-interface=Utah \
    protocol=icmp
add action=accept chain=input comment="allow SSH" connection-state=new \
    dst-port=55512 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Remote Access Wireguard" \
    connection-state=new dst-port=51820 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="block everything else" \
    in-interface-list=WAN log-prefix=INVALID_INPUT
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related in-interface-list=LAN \
    out-interface-list=WAN
add action=drop chain=forward connection-state=invalid log-prefix=\
    INVALID_ESTABLISHED
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
    connection-state=new in-interface=ether1
add action=accept chain=forward comment="Remote Access Wireguard" \
    dst-address-list="Local Subnets" log-prefix=remote_inbound src-address=\
    10.103.103.0/24
add action=accept chain=forward dst-address=10.103.103.0/24 log-prefix=\
    remote_inbound src-address-list="Local Subnets"
add action=accept chain=forward comment=Streaming connection-mark="" \
    log-prefix=local out-interface=Utah src-address-list=Streaming
add action=accept chain=forward connection-mark="" dst-address-list=Streaming \
    in-interface=Utah log-prefix=local
add action=add-dst-to-address-list address-list=Zain address-list-timeout=3d \
    chain=forward comment="LAN firewall" in-interface=ether2 layer7-protocol=\
    ZainKuwait
add action=accept chain=forward dst-address-list="Kids Network" in-interface=\
    ether2 log-prefix=local src-address-list="Local Trusted Network"
add action=accept chain=forward dst-address-list=Cameras in-interface=ether2 \
    log-prefix=local src-address-list="Local Trusted Network"
add action=accept chain=forward dst-address-list="Utah Subnets" in-interface=\
    ether2 src-address-list="Local Trusted Network"
add action=reject chain=forward dst-address-list=DMZ in-interface=ether2 \
    reject-with=icmp-network-unreachable src-address-list=\
    "Local Trusted Network"
add action=accept chain=forward in-interface=ether2 src-address-list=\
    "Local Trusted Network"
add action=accept chain=forward comment="Kids network firewall" dst-address=\
    10.20.2.6 dst-port=53 in-interface=ether3 protocol=udp src-address-list=\
    "Kids Network"
add action=accept chain=forward dst-address=10.20.2.6 dst-port=53 \
    in-interface=ether3 protocol=tcp src-address-list="Kids Network"
add action=reject chain=forward dst-address-list="Local Trusted Network" \
    in-interface=ether3 reject-with=icmp-admin-prohibited src-address-list=\
    "Kids Network"
add action=reject chain=forward dst-address-list=Cameras in-interface=ether3 \
    reject-with=icmp-admin-prohibited src-address-list="Kids Network"
add action=reject chain=forward dst-address-list=DMZ in-interface=ether3 \
    reject-with=icmp-admin-prohibited src-address-list="Kids Network"
add action=reject chain=forward dst-address-list="Utah Subnets" in-interface=\
    ether3 log-prefix=kids reject-with=icmp-admin-prohibited \
    src-address-list="Kids Network"
add action=accept chain=forward in-interface=ether3 src-address-list=\
    "Kids Network" time=5h-20h15m,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward in-interface=ether3 log-prefix=kids_blocked \
    reject-with=icmp-admin-prohibited src-address-list="Kids Network"
add action=accept chain=forward comment="Cameras firewall" dst-address=\
    10.20.2.10 dst-port=7400-7600 in-interface=ether4 protocol=tcp \
    src-address-list=Cameras
add action=accept chain=forward dst-address=10.20.2.10 dst-port=7400-7600 \
    in-interface=ether4 protocol=udp src-address-list=Cameras
add action=reject chain=forward dst-address-list="Local Trusted Network" \
    in-interface=ether4 reject-with=icmp-network-unreachable \
    src-address-list=Cameras
add action=reject chain=forward dst-address-list="Kids Network" in-interface=\
    ether4 reject-with=icmp-network-unreachable src-address-list=Cameras
add action=reject chain=forward dst-address-list=DMZ in-interface=ether4 \
    reject-with=icmp-network-unreachable src-address-list=Cameras
add action=reject chain=forward dst-address-list="Utah Subnets" in-interface=\
    ether4 reject-with=icmp-network-unreachable src-address-list=Cameras
add action=reject chain=forward in-interface=ether4 log=yes log-prefix=\
    NoCameraOUT reject-with=icmp-admin-prohibited src-address-list=Cameras
add action=reject chain=forward comment="DMZ firewall" dst-address-list=\
    "Local Trusted Network" in-interface=ether5 reject-with=\
    icmp-admin-prohibited src-address-list=DMZ
add action=reject chain=forward dst-address-list=Cameras in-interface=ether5 \
    reject-with=icmp-admin-prohibited src-address-list=DMZ
add action=reject chain=forward dst-address-list="Kids Network" in-interface=\
    ether5 reject-with=icmp-admin-prohibited src-address-list=DMZ
add action=reject chain=forward dst-address-list="Utah Subnets" in-interface=\
    ether5 reject-with=icmp-admin-prohibited src-address-list=DMZ
add action=accept chain=forward in-interface=ether5 src-address-list=DMZ
/ip firewall mangle
add action=mark-routing chain=prerouting comment="Kuwait Zain main routing" \
    dst-address-list=Zain new-routing-mark=main passthrough=no
add action=mark-routing chain=prerouting comment="local to local routing" \
    dst-address-list="Local Subnets" new-routing-mark=main passthrough=no \
    src-address-list="Local Subnets"
add action=mark-routing chain=prerouting comment=PiHole new-routing-mark=main \
    passthrough=no src-address=10.20.2.6
add action=mark-routing chain=prerouting comment="Sonos Mangle PBR" \
    new-routing-mark=main passthrough=no src-address-list=Sonos
add action=mark-routing chain=prerouting comment="Utah subnets" \
    dst-address-list="Utah Subnets" new-routing-mark=Utah passthrough=no \
    src-address-list="Local Trusted Network"
add action=mark-routing chain=prerouting comment="Streaming via Utah PBR" \
    new-routing-mark=Utah passthrough=no src-address-list=Streaming
add action=mark-routing chain=prerouting comment="MullvadMangle PBR" \
    new-routing-mark=Mullvad passthrough=no src-address-list=\
    "Local Trusted Network"
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN NAT" out-interface=ether1 \
    src-address-list="Local Subnets"
add action=masquerade chain=srcnat comment="Mullvad NAT" out-interface=\
    Mullvad src-address-list="Local Subnets"
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Mullvad pref-src="" \
    routing-table=Mullvad scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Utah pref-src="" \
    routing-table=Utah scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.10.1.0/24 gateway=Utah@main \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=10.10.10.0/24 gateway=Utah routing-table=main \
    suppress-hw-offload=no
add disabled=no dst-address=10.10.30.0/24 gateway=Utah routing-table=main \
    suppress-hw-offload=no
add disabled=no dst-address=10.10.50.0/24 gateway=Utah routing-table=main \
    suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=10.20.2.0/24
set ssh port=55512
set api disabled=yes
set winbox address=10.20.0.0/16,10.103.103.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/system clock
set time-zone-name=Asia/Kuwait
/system identity
set name=RB5009overseas
/system ntp client
set enabled=yes
/system ntp client servers
add address=time.nist.gov
/system package update
set channel=development
/system routerboard settings
set silent-boot=yes
/tool bandwidth-server
set enabled=no
/tool romon
set enabled=yes

anav · Sat Oct 16, 2021 11:08 pm

Yup there are lots of changes required but dont have time to go indepth at the moment.
Didnt see anything dangerous.....
Be forewarned I am a minimalist and strive for cleaner configs.

ConnyMercier · Sun Oct 17, 2021 2:20 am

1. Interface List
Do you really want all interfaces to be menber of "LAN" ?

/interface list
add include=all name=LAN
add name=WAN

2. NAT / Masquerade
Are you sure you don't want to NAT/Masquerade for "Utah"?

3. NAT / Masquerade
If "Utah" should be masqueraded....
You could replace all three NAT-Rules for one.
Exemple :

/ip firewall nat
add action=masquerade chain=srcnat comment="WAN NAT" out-interface-list=WAN

gabacho4 · Sun Oct 17, 2021 5:43 am

Yup there are lots of changes required but dont have time to go indepth at the moment.
Didnt see anything dangerous.....
Be forewarned I am a minimalist and strive for cleaner configs.

I welcome your suggestions whenever you get time to put them down. Glad I’m not at immediate risk.

gabacho4 · Sun Oct 17, 2021 5:50 am

1. Interface List
Do you really want all interfaces to be menber of "LAN" ?
Code: Select all
/interface list
add include=all name=LAN
add name=WAN
2. NAT / Masquerade
Are you sure you don't want to NAT/Masquerade for "Utah"?

3. NAT / Masquerade
If "Utah" should be masqueraded....
You could replace all three NAT-Rules for one.
Exemple :
Code: Select all
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN NAT" out-interface-list=WAN

Great catch on the interface list. I’ll change that right away. As for the Utah connection, as it is a site to site WireGuard connection I do not want to NAT because I like to be able to see which local clients are accessing the tunnel and services on the other end. Only seeing the tunnel address in the logs doesn’t help much for troubleshooting and tracking purposes.

anav · Mon Oct 18, 2021 12:04 am

What seems weird to me is the use of/firewall rules for wireguard.

Typically one has an input chain rule for the listening port and thats it.
If one wants to allow the wireguard interface itself reach the router for admin purposes then there would be a rule for that.
etc...

In this case I am seeing three wireguard peers........
However they do not belong to the WAN interface, so two of them appear misplaced?
There is nothing wrong with adding to them to the LAN interface.

/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=Utah list=WAN
add interface=ether1 list=WAN
add interface=Mullvad list=WAN
add interface="Remote Access Wireguard" list=LAN

Q1 - So what was your purpose for adding them here, your thinking ??
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Firewall rules.
Input Chain:

Q2. What is the purpose of changing the default rule allowing ICMP to the two rules you have created, why necessary??

Q3. What is the purpose of the SSH rule...... the standard port is 22 and the router has an SSH service although most people dont recommend using it for access to the router as its not as secure as proper VPN and since you are using wireguard the SSH use does not seem to make sense.

Q4. why is their only one listening port for Wireguard on the input chain there should be three...
add action=accept chain=input comment="Remote Access Wireguard" \
connection-state=new dst-port=51820 in-interface=ether1 protocol=udp

Q5. You are missing the block invalid packets on the input chain default rule.

Q6. So all in all the default rules plus the wireguard listening port rules is all you should have.

Q7. What you dont do well is limit access to the router itself on the LAN side, everyone has full access from the LAN whereas only the admin should have.
If interested in dealing with this let me know.

Q8. Forward chain........................ way way to many reject or drop rules.

WTF abomination rules did you create >>>>>>>>>>>>>>>> youtube ones??
take for example this one.

add action=accept chain=forward comment="accept established,related" \
connection-state=established,related in-interface-list=LAN \
out-interface-list=WAN

It is a mix of a default rule and a standard rule one would make to allow internet traffic,
Once again, you should reset to defaults and start over.

Q9. What is the purpose of this rule............it makes no sense whatsoever..
add action=drop chain=forward comment=\
"drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1

Q10. To clarify you wish to provide the remote peer users access to the local subnets, for printer use or whatever.
Which is covered by this rule.
add action=accept chain=forward comment="Remote Access Wireguard" \
dst-address-list="Local Subnets" log-prefix=remote_inbound src-address=\
10.103.103.0/24

I would probably have stated it thusly
add action=accept chain=forward comment="Remote Access Wireguard" \
dst-address-list="Local Subnets" log-prefix=remote_inbound in-interface="Remote Access Wireguard"

But did you really want all local subnet to be able to reach out to peers unsolicited. Is there something the lan users need access to??
add action=accept chain=forward dst-address=10.103.103.0/24 log-prefix=\ {i would have used here: in-interface "Remote Access Wireguard}
remote_inbound src-address-list="Local Subnets"

Q11. Then your firewall forward chain simply gets too complex with many rules etc..
My suggestion is to put a drop all else rule at the end of the forward chain and ONLY stated what traffic is allowed, because everything else will be dropped anyway.

Since you have a large number of requirements, writing them down and creating
a. address lists as you have done (for part of subnet, or for more than one IP, or Ips from different subnets)
b. interfaces (for whole subnets)
To describe the groups makes sense and then use rules to identify what is allowed.

Q12. Why do you have only local subnets getting sourcenat. You are leaving out ether2 and two wireguard interfaces from sourcenat by my count.

Q13. What is the purpose of this......
set www address=10.20.2.0/24

WWW. is not a secure encrypted method and thus should not be open on the router itself.

Q14. Why did you decide to mangle? What was the requirement or what were you unable to do without mangling??

gabacho4 · Mon Oct 18, 2021 7:16 am

Anav - thanks a lot for your very thorough response. I think I will address your questions in chunks rather than at all once just to make sure everything is understood.

In the case of the wireguard rules - I primarily put them to in order to use the counters to verify activity over time. There are also resources that I don't want/need the wireguard clients to have access to (DMZ for example) but your point about defining what access is allowed and denying all else makes a lot of sense. I'll address more in my response to your questions about the forwarding section.

Q1.

I put two of wireguard interfaces in the WAN list because I basically use them as WAN connections. Mullvad is a commercial VPN provider and the Utah connection is one that I use in great part for streaming media. Does it not make sense for those interfaces to be in the WAN list?

Input Chain:

Q2. What is the purpose of changing the default rule allowing ICMP to the two rules you have created, why necessary??

I created the second ICMP rule to make sure that the remote end of my wireguard site-to-site could ping my local end. However, I realize now that I can change the interface-list to WAN and that will cover both at one time.

Q3. What is the purpose of the SSH rule...... the standard port is 22 and the router has an SSH service although most people dont recommend using it for access to the router as its not as secure as proper VPN and since you are using wireguard the SSH use does not seem to make sense.

The SSH rule is basically for redundant remote access should the need arise. I do not run SSH on the standard port so as to provide some obfuscation and no have my router brute force attacked all day long. I eventually plan to have access by key only versus password.

Q4. why is their only one listening port for Wireguard on the input chain there should be three...
add action=accept chain=input comment="Remote Access Wireguard" \
connection-state=new dst-port=51820 in-interface=ether1 protocol=udp

Only the site-to-site VPN connection requires the listening port. For devices running in client mode, a listening port is not required.

Q5. You are missing the block invalid packets on the input chain default rule.

There is a block invalid packets at the very top of my input rules right under the allow established, related one. I did comment the rule to make it stand out a little better.

Q6. So all in all the default rules plus the wireguard listening port rules is all you should have.

Based on my explanation above, I believe the following is acceptable. Assume this makes sense to you?

Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; accept established,related
      chain=input action=accept connection-state=established,related 

 1    ;;; drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 2    ;;; allow ICMP
      chain=input action=accept protocol=icmp in-interface-list=WAN log=no log-prefix="" 

 3    ;;; allow SSH
      chain=input action=accept connection-state=new protocol=tcp in-interface=ether1 dst-port=55512 log=no log-prefix="" 

 4    ;;; Remote Access Wireguard
      chain=input action=accept connection-state=new protocol=udp in-interface=ether1 dst-port=51820 log=no log-prefix="" 

 5    ;;; block everything else
      chain=input action=drop in-interface-list=WAN log=no log-prefix="INVALID_INPUT"

Q7. What you dont do well is limit access to the router itself on the LAN side, everyone has full access from the LAN whereas only the admin should have.
If interested in dealing with this let me know.

I would definitely be interested in knowing how to do this. I had thought about setting this up but was concerned I'd end up blocking other devices from DHCP, DNS, or NTP.

Let me finish digesting your comments on the FORWARD section and I will get back to you with my thoughts and questions. In the meantime, can you confirm that my INPUT section is in order and also provide me some guidance how to restrict access to the router itself?

Thanks!

gabacho4 · Mon Oct 18, 2021 6:25 pm

Anav - still working on revising my config. I wanted to ask you more about the Mangle question you asked. Based on your question, I assume you are not a fan of using Mangle? I used Mangle as I didn't see a way to do PBR as cleanly as with Mangle. I know I can create route rules but I seem to have to specify individual source IPs rather than a list. Much less convenient in my opinion. I know that Mangle hurts my ability to use fast track but, again, I didn't see a concise manner to accomplish my PBR needs. Can you illustrate how you might do things?

For example, the range 10.20.2.50-10.20.2.60 is my Sonos that should route over main as I don't need it to use a VPN. How would I do that if not using Mangle? How would I make the entire subnet 10.20.2.0/24 go over the Mullvad VPN EXCEPT when the destination is a local subnet?

anav · Mon Oct 18, 2021 7:09 pm

Q1.

I put two of wireguard interfaces in the WAN list because I basically use them as WAN connections. Mullvad is a commercial VPN provider and the Utah connection is one that I use in great part for streaming media. Does it not make sense for those interfaces to be in the WAN list?

NO, they are not WAN inputs, they are LAN constructs for the most part. The only time the INPUT CHAIN is used is for.
a. initial connection on listening port
b. if you wish access to configure router from remote site.

Q2. What is the purpose of changing the default rule allowing ICMP to the two rules you have created, why necessary??

I created the second ICMP rule to make sure that the remote end of my wireguard site-to-site could ping my local end. However, I realize now that I can change the interface-list to WAN and that will cover both at one time.

Leave it default, no need to define wan or lan...........

Q3. What is the purpose of the SSH rule...... the standard port is 22 and the router has an SSH service although most people dont recommend using it for access to the router as its not as secure as proper VPN and since you are using wireguard the SSH use does not seem to make sense.

The SSH rule is basically for redundant remote access should the need arise. I do not run SSH on the standard port so as to provide some obfuscation and no have my router brute force attacked all day long. I eventually plan to have access by key only versus password.

Fair enough I use SSTP (free basic mode) from remotewinbox.com as my backup. But try to use PPTP to SSH or some combo of SSH and port knocking etc..

Q4. why is their only one listening port for Wireguard on the input chain there should be three...
add action=accept chain=input comment="Remote Access Wireguard" \
connection-state=new dst-port=51820 in-interface=ether1 protocol=udp

Only the site-to-site VPN connection requires the listening port. For devices running in client mode, a listening port is not required.
That is confusing?? There has to be a listening port at one end of each wireguard tunnel?
Are you saying on this particular router ONLY the one VPN is acting as server, in other words remote users are coming towards this router and the
other two wireguard connections are peers that are actually headed through the tunnel to a different remote router (or same remote router)??

Q6. So all in all the default rules plus the wireguard listening port rules is all you should have.

Based on my explanation above, I believe the following is acceptable. Assume this makes sense to you?

Flags: X - disabled, I - invalid; D - dynamic 
 0    ;;; accept established,related
      chain=input action=accept connection-state=established,related 

 1    ;;; drop invalid
      chain=input action=drop connection-state=invalid log=no log-prefix="" 

 2    ;;; allow ICMP
      chain=input action=accept protocol=icmp in-interface-list=WAN log=no log-prefix="" 

 3    ;;; allow SSH
      chain=input action=accept connection-state=new protocol=tcp in-interface=ether1 dst-port=55512 log=no log-prefix="" 

 4    ;;; Remote Access Wireguard
      chain=input action=accept connection-state=new protocol=udp in-interface=ether1 dst-port=51820 log=no log-prefix="" 

 5    ;;; block everything else
      chain=input action=drop in-interface-list=WAN log=no log-prefix="INVALID_INPUT"

Yes that is sufficient!! However you will note that ALL TRAFFIC from LAN to ROUTER is permitted.
In my routers I only allow admin access to the router and users to the services they need.
If you are comfortable with your setup thats fine.

Q7. What you dont do well is limit access to the router itself on the LAN side, everyone has full access from the LAN whereas only the admin should have.
If interested in dealing with this let me know.

I would definitely be interested in knowing how to do this. I had thought about setting this up but was concerned I'd end up blocking other devices from DHCP, DNS, or NTP.
Exactly, that is why you add allow rules for DNS (tcp and udp) and NTP for LAN users before the block all rule (not just WAN). DHCP you do not need to worry about as it is not affected by firewall rules.
The catch or warning of this approach is FIRST and FOREMOST you need to ensure the admin rule allowing access is in place BEFORE you put the drop all rule at the end of the input chain otherwise you will lock yourself out of the router.

anav · Mon Oct 18, 2021 7:13 pm

Anav - still working on revising my config. I wanted to ask you more about the Mangle question you asked. Based on your question, I assume you are not a fan of using Mangle? I used Mangle as I didn't see a way to do PBR as cleanly as with Mangle. I know I can create route rules but I seem to have to specify individual source IPs rather than a list. Much less convenient in my opinion. I know that Mangle hurts my ability to use fast track but, again, I didn't see a concise manner to accomplish my PBR needs. Can you illustrate how you might do things?

For example, the range 10.20.2.50-10.20.2.60 is my Sonos that should route over main as I don't need it to use a VPN. How would I do that if not using Mangle? How would I make the entire subnet 10.20.2.0/24 go over the Mullvad VPN EXCEPT when the destination is a local subnet?

Probably no way around it.
If you only have a partial subnet that needs special routing, mangling is the way to go. In other words other devices or other users are on the same subnet as the sonos and you cannot separate them................................
As for an entire subnet you can do something in Route Rules.
which alllows definition of src address 192.168.0.0/24 (describes a subnet)
and allows dst address 192.168.2.0/24 (describes a local subnet)

how many subnets go over mullvad ?? if three make three route rules etc.......... so this part mangle can be avoided I think.

gabacho4 · Mon Oct 18, 2021 7:29 pm

Probably no way around it.
If you only have a partial subnet that needs special routing, mangling is the way to go. In other words other devices or other users are on the same subnet as the sonos and you cannot separate them................................
As for an entire subnet you can do something in Route Rules.
which alllows definition of src address 192.168.0.0/24 (describes a subnet)
and allows dst address 192.168.2.0/24 (describes a local subnet)

how many subnets go over mullvad ?? if three make three route rules etc.......... so this part mangle can be avoided I think.

Really appreciate your time and knowledge. So yeah, for the Sonos range, then mangle it is as they are a part of a larger subnet with other users who need to be routed differently.

For the Mullvad, there is only one subnet currently that routes that way, though I might make it two here soon. I tried it just a few minutes ago and, unfortunately, as soon as I put the 10.20.2.0/24 subnet to 0.0.0.0/0 route in place, I lost all access to the router via Winbox or the web interface. So, I assume I need to make another route rule which catches connections from 10.20.2.0/24 to 10.20.2.0/24 and use the main table? That would seem to me to be the fix.

If my understanding is correct, I should most certainly be able to eliminate most/all of the mangle rules. Even for the Sonos I could input rules for each IP. Won't be something I have to do frequently so annoying up front but fine over the long run.

anav · Mon Oct 18, 2021 7:44 pm

If mullvad and Utah are groups of users on this router that are remotely using a remote internet connection,
WHY do you have listening ports for them defined on this router??

Please post your latest config .
/export hide-sensitive file=anynameyouwish

gabacho4 · Mon Oct 18, 2021 7:49 pm

Q1.

NO, they are not WAN inputs, they are LAN constructs for the most part. The only time the INPUT CHAIN is used is for.
a. initial connection on listening port
b. if you wish access to configure router from remote site.

Q2. What is the purpose of changing the default rule allowing ICMP to the two rules you have created, why necessary??

Leave it default, no need to define wan or lan...........

Q3. What is the purpose of the SSH rule...... the standard port is 22 and the router has an SSH service although most people dont recommend using it for access to the router as its not as secure as proper VPN and since you are using wireguard the SSH use does not seem to make sense.

Fair enough I use SSTP (free basic mode) from remotewinbox.com as my backup. But try to use PPTP to SSH or some combo of SSH and port knocking etc..

Q4. why is their only one listening port for Wireguard on the input chain there should be three...
add action=accept chain=input comment="Remote Access Wireguard" \
connection-state=new dst-port=51820 in-interface=ether1 protocol=udp

That is confusing?? There has to be a listening port at one end of each wireguard tunnel?
Are you saying on this particular router ONLY the one VPN is acting as server, in other words remote users are coming towards this router and the
other two wireguard connections are peers that are actually headed through the tunnel to a different remote router (or same remote router)??

Q6. So all in all the default rules plus the wireguard listening port rules is all you should have.

Yes that is sufficient!! However you will note that ALL TRAFFIC from LAN to ROUTER is permitted.
In my routers I only allow admin access to the router and users to the services they need.
If you are comfortable with your setup thats fine.

Q7. What you dont do well is limit access to the router itself on the LAN side, everyone has full access from the LAN whereas only the admin should have.
If interested in dealing with this let me know.

Exactly, that is why you add allow rules for DNS (tcp and udp) and NTP for LAN users before the block all rule (not just WAN). DHCP you do not need to worry about as it is not affected by firewall rules.
The catch or warning of this approach is FIRST and FOREMOST you need to ensure the admin rule allowing access is in place BEFORE you put the drop all rule at the end of the input chain otherwise you will lock yourself out of the router.

Q1. Appreciate the clarification on the INPUT. I feel like an idiot as that should have been a no brainer.
Q2. I've reverted to the default rule
Q3. Thanks for a few more ideas for the backup access!
Q4. You are correct - the remote access to the router VPN is the only one where the router is acting as a server. The Utah and Mullvad have the router acting as a client only. I will eventually get the Utah one updated as a traditional site-to-site has both of the routers able to initiate communication.
Q6 and Q7. I will get the admin only rule in place shortly. I saw an example of how to do this on the Mikrotik help site. Thanks for the warning about NOT putting the drop rule in until I have the access one in place.

Again, thanks a ton for your time and consideration. I am still working away at making the FORWARD rules more succinct. Once I feel like they are as clean as I can figure out how to make them, I'll repost for your thoughts if you're still willing to do so. Thanks again!

gabacho4 · Wed Oct 20, 2021 9:20 pm

Anav, hope you've been well over the past few days. Got busy with life matters and it took me a little longer than I expected to work on some of the config that was outstanding for me. The good news is that I have had a chance to make changes and I think I have made progress toward getting things a little tighter and more secure. Would you be able to give my config a good, thorough review again and point out anything that still needs improvement? The good new is that using route rules (it appears they are processed in order), I was able to disable all my mangle rules and get fasttrack back up and running. The key is avoiding any of the other things (like queues) that breaks it.

# oct/20/2021 20:58:18 by RouterOS 7.1rc4
# software id = 7ZLE-935S
#
# model = RB5009UG+S+
# serial number = 
/interface wireguard
add listen-port=30752 mtu=1420 name=Mullvad
add listen-port=51820 mtu=1420 name="Remote Access Wireguard"
add listen-port=51822 mtu=1420 name=Utah
/interface list
add name=LAN
add name=WAN
add name=UtahVPN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=LAN-DHCP ranges=10.20.2.100-10.20.2.254
add name=kids-DHCP ranges=10.20.20.100-10.20.20.254
add name=cameras-DHCP ranges=10.20.40.2-10.20.40.254
add name=DMZ-DHCP ranges=10.20.80.2-10.20.80.254
/ip dhcp-server
add address-pool=LAN-DHCP interface=ether2 name=LAN
add address-pool=kids-DHCP interface=ether3 name=Kids
add address-pool=cameras-DHCP interface=ether4 name=Cameras
add address-pool=DMZ-DHCP interface=ether5 name=DMZ
/routing table
add disabled=no fib name=Utah
add disabled=no fib name=Mullvad
/interface detect-internet
set detect-interface-list=all lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=Utah list=UtahVPN
add interface=ether1 list=WAN
add interface=Mullvad list=WAN
add interface="Remote Access Wireguard" list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=utah.yawidy.com endpoint-port=\
    51822 interface=Utah persistent-keepalive=30s public-key=\
    "UOKuHFY1WhC6b2beXIQGmivsFuXtqY9g8KNd6eC5qTc="
add allowed-address=0.0.0.0/0 endpoint-address=89.45.224.210 endpoint-port=\
    51820 interface=Mullvad persistent-keepalive=30s public-key=\
    "J8QaV8tZyFBrb9atVg3mI2Vb3/DtWVJSHFYSrdy6w2w="
add allowed-address=10.103.103.2/32 interface="Remote Access Wireguard" \
    public-key="S0v2v7bRuzOnzcuC35IOTqEoq7TFXZAeLuXMcqgneC0="
/ip address
add address=10.102.102.2 interface=Utah network=10.102.102.1
add address=10.64.172.48 interface=Mullvad network=10.64.172.48
add address=10.20.40.1/24 interface=ether4 network=10.20.40.0
add address=10.20.80.1/24 interface=ether5 network=10.20.80.0
add address=10.20.20.1/24 interface=ether3 network=10.20.20.0
add address=10.20.2.1/24 comment=LAN interface=ether2 network=10.20.2.0
add address=10.103.103.1/24 interface="Remote Access Wireguard" network=\
    10.103.103.0
/ip cloud
set update-time=no
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dhcp-server network
add address=10.20.2.0/24 dns-server=10.20.2.6 domain=mikrotik.overseas \
    gateway=10.20.2.1
add address=10.20.20.0/24 dns-server=10.20.2.6 domain=mikrotik.overseas \
    gateway=10.20.20.1
add address=10.20.40.0/24 dns-server=10.20.40.1 domain=mikrotik.overseas \
    gateway=10.20.40.1
add address=10.20.80.0/24 dns-server=10.20.80.1 domain=mikrotik.overseas \
    gateway=10.20.80.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.20.2.0/24 comment="Local Subnets" list="Local Subnets"
add address=10.10.1.0/24 comment="Utah Subnets" list="Utah Subnets"
add address=10.10.10.0/24 list="Utah Subnets"
add address=10.10.30.0/24 list="Utah Subnets"
add address=10.10.50.0/24 list="Utah Subnets"
add address=10.20.20.0/24 list="Local Subnets"
add address=10.20.40.0/24 list="Local Subnets"
add address=10.20.80.0/24 list="Local Subnets"
add address=10.20.20.10 comment="Kids Devices" list=KidsDevices
add address=10.20.20.11 list=KidsDevices
add address=10.20.20.22 list=KidsDevices
add address=10.20.20.23 list=KidsDevices
add address=10.20.20.20 list=KidsDevices
add address=10.20.20.21 list=KidsDevices
add address=10.20.20.22 comment="Kids Laptops" list="Kids Laptops"
add address=10.20.20.23 list="Kids Laptops"
add address=10.20.2.50 comment=Sonos list=Sonos
add address=10.20.2.3 comment=Streaming list=Streaming
add address=192.168.88.0/24 list="Local Subnets"
add address=10.20.40.0/24 comment=Cameras list=Cameras
add address=10.20.20.0/24 comment="Kids Network" list="Kids Network"
add address=10.20.2.0/24 comment="Local Trusted Subnet" list=\
    "Local Trusted Network"
add address=10.20.2.4 list=Streaming
add address=10.20.2.8 list=Streaming
add address=10.20.2.9 list=Streaming
add address=10.20.2.51 list=Sonos
add address=10.20.2.52 list=Sonos
add address=10.20.2.53 list=Sonos
add address=10.20.2.54 list=Sonos
add address=10.20.2.55 list=Sonos
add address=10.20.2.56 list=Sonos
add address=10.20.2.57 list=Sonos
add address=10.102.102.0/24 comment="Utah Wireguard" list="Utah Wireguard"
add address=10.20.20.30 list=Streaming
add address=10.20.20.31 list=Streaming
add address=10.20.2.7 list=Streaming
add address=10.103.103.0/24 list="Local Subnets"
add address=10.20.2.70 comment="Management devices" list="Management Devices"
add address=10.20.2.71 list="Management Devices"
add address=10.20.2.72 list="Management Devices"
add address=10.20.2.73 list="Management Devices"
add address=10.20.80.0/24 comment="DMZ network" list=DMZ
add address=10.10.0.0/16 comment="ALL NETWORKS" list="ALL NETWORKS"
add address=10.20.0.0/16 list="ALL NETWORKS"
add address=10.102.102.0/24 list="ALL NETWORKS"
add address=10.103.103.0/24 list="Management Devices"
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow ICMP" protocol=icmp
add action=accept chain=input comment="allow SSH" connection-state="" \
    dst-port=55512 in-interface=ether1 protocol=tcp
add action=accept chain=input connection-state="" dst-port=55512 \
    in-interface=ether2 protocol=tcp src-address-list="Management Devices"
add action=accept chain=input comment="Remote Access Wireguard" \
    connection-state="" dst-port=51820 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Site to Site Wireguard" \
    connection-state="" dst-port=51822 in-interface=ether1 protocol=udp
add action=accept chain=input comment=Winbox connection-state="" dst-port=\
    8291 protocol=tcp src-address-list="Management Devices"
add action=accept chain=input comment="HTTP allowed" connection-state="" \
    dst-port=80 protocol=tcp src-address-list="Management Devices"
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=LAN \
    protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=drop chain=input comment="block everything else" log-prefix=\
    INVALID_INPUT
add action=fasttrack-connection chain=forward comment=\
    "fasttrack for established,related" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid \
    log-prefix=INVALID_ESTABLISHED
add action=drop chain=forward comment=\
    "drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
    connection-state="" in-interface-list=WAN log-prefix="no nat from wan"
add action=accept chain=forward comment="Remote Access Wireguard" \
    in-interface="Remote Access Wireguard" log-prefix=remote_inbound
add action=accept chain=forward log-prefix=remote_inbound out-interface=\
    "Remote Access Wireguard"
add action=accept chain=forward comment="LAN firewall" dst-address-list=!DMZ \
    in-interface=ether2 src-address-list="Local Trusted Network"
add action=reject chain=forward in-interface=ether2 reject-with=\
    icmp-network-unreachable src-address-list="Local Trusted Network"
add action=accept chain=forward comment="Kids network firewall" dst-address=\
    10.20.2.6 dst-port=53 in-interface=ether3 protocol=udp src-address-list=\
    "Kids Network"
add action=accept chain=forward dst-address=10.20.2.6 dst-port=53 \
    in-interface=ether3 protocol=tcp src-address-list="Kids Network"
add action=accept chain=forward dst-address-list="Kids Network" in-interface=\
    ether3 log-prefix=kids_blocked src-address-list="Kids Network"
# inactive time
add action=accept chain=forward dst-address-list="!ALL NETWORKS" \
    in-interface=ether3 src-address-list="Kids Network" time=\
    5h-20h,sun,mon,tue,wed,thu,fri,sat
add action=reject chain=forward in-interface=ether3 log-prefix=kids_blocked \
    reject-with=icmp-admin-prohibited src-address-list="Kids Network"
add action=accept chain=forward comment="Cameras firewall" dst-address=\
    10.20.2.10 dst-port=7400-7600 in-interface=ether4 protocol=tcp \
    src-address-list=Cameras
add action=accept chain=forward dst-address=10.20.2.10 dst-port=7400-7600 \
    in-interface=ether4 protocol=udp src-address-list=Cameras
add action=reject chain=forward in-interface=ether4 reject-with=\
    icmp-network-unreachable src-address-list=Cameras
add action=accept chain=forward comment="DMZ firewall" dst-address-list=\
    "!ALL NETWORKS" in-interface=ether5 src-address-list=DMZ
add action=reject chain=forward in-interface=ether5 reject-with=\
    icmp-admin-prohibited src-address-list=DMZ
/ip firewall mangle
add action=mark-routing chain=prerouting comment="local network access" \
    disabled=yes dst-address-list="Local Subnets" new-routing-mark=main \
    passthrough=no src-address-list="Local Subnets"
add action=mark-routing chain=prerouting comment=PiHole disabled=yes \
    new-routing-mark=main passthrough=no src-address=10.20.2.6
add action=mark-routing chain=prerouting comment="Sonos Mangle PBR" disabled=\
    yes new-routing-mark=main passthrough=no src-address-list=Sonos
add action=mark-routing chain=prerouting comment="Utah subnets" disabled=yes \
    dst-address-list="Utah Subnets" new-routing-mark=Utah passthrough=no \
    src-address-list="Local Trusted Network"
add action=mark-routing chain=prerouting comment="Streaming via Utah PBR" \
    disabled=yes new-routing-mark=Utah passthrough=no src-address-list=\
    Streaming
add action=mark-routing chain=prerouting comment="MullvadMangle PBR" \
    disabled=yes new-routing-mark=Mullvad passthrough=no src-address-list=\
    "Local Trusted Network"
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN NAT" out-interface=ether1 \
    src-address-list="Local Subnets"
add action=masquerade chain=srcnat comment="Mullvad NAT" out-interface=\
    Mullvad src-address-list="Local Subnets"
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Mullvad pref-src="" \
    routing-table=Mullvad scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Utah pref-src="" \
    routing-table=Utah scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.10.1.0/24 gateway=Utah@main \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=10.10.10.0/24 gateway=Utah routing-table=main \
    suppress-hw-offload=no
add disabled=no dst-address=10.10.30.0/24 gateway=Utah routing-table=main \
    suppress-hw-offload=no
add disabled=no dst-address=10.10.50.0/24 gateway=Utah routing-table=main \
    suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=55512
set api disabled=yes
set winbox address=10.20.0.0/16,10.103.103.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/routing rule
add action=lookup disabled=no dst-address=10.103.103.0/24 src-address=\
    10.20.0.0/16 table=main
add action=lookup disabled=no dst-address=10.20.0.0/16 src-address=\
    10.20.0.0/16 table=main
add action=lookup disabled=no src-address=10.20.2.6/32 table=main
add action=lookup disabled=no src-address=10.20.2.50/32 table=main
add action=lookup disabled=no src-address=10.20.2.51/32 table=main
add action=lookup disabled=no src-address=10.20.2.52/32 table=main
add action=lookup disabled=no src-address=10.20.2.53/32 table=main
add action=lookup disabled=no src-address=10.20.2.54/32 table=main
add action=lookup disabled=no src-address=10.20.2.55/32 table=main
add action=lookup disabled=no src-address=10.20.2.56/32 table=main
add action=lookup disabled=no src-address=10.20.2.57/32 table=main
add action=lookup-only-in-table disabled=no dst-address=10.10.0.0/16 \
    src-address=10.20.2.0/24 table=Utah
add action=lookup-only-in-table disabled=no dst-address="" src-address=\
    10.20.2.3/32 table=Utah
add action=lookup disabled=no dst-address="" src-address=10.20.2.4/32 table=\
    Utah
add action=lookup disabled=no dst-address="" src-address=10.20.2.7/32 table=\
    Utah
add action=lookup disabled=no dst-address="" src-address=10.20.2.8/32 table=\
    Utah
add action=lookup-only-in-table disabled=no dst-address="" src-address=\
    10.20.2.9/32 table=Utah
add action=lookup-only-in-table disabled=no src-address=10.20.20.30/32 table=\
    Utah
add action=lookup-only-in-table disabled=no src-address=10.20.20.31/32 table=\
    Utah
add action=lookup disabled=no src-address=10.20.2.0/24 table=Mullvad
/system clock
set time-zone-name=Asia/Kuwait
/system identity
set name=RB5009overseas
/system ntp client
set enabled=yes
/system ntp client servers
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
add address=0.pool.ntp.org
/system package update
set channel=development
/system routerboard settings
set silent-boot=yes
/tool bandwidth-server
set enabled=no

anav · Wed Oct 20, 2021 11:22 pm

(1) As stated before MULLVAD is NOT a WAN interface. Its a LAN interface directly connected to a VPN provider, vice your own remote router.
All the traffic from the LAN interface to the VPN provider will go out to the internet. To put it bluntly, no firewall rules from/to WAN affect this interface directly.
add interface=Mullvad list=WAN
add interface=Mullvad list=LAN

(2) Not sure what is on the other end of the Remote Wireguard connection, but am I right to assume the RB5009 in this case is the SERVER and its for incoming connections primarily for you to remote access the RB5009 from either cellphone or other router??

(3) Bit confused on the two associated input chain rules..]
add action=accept chain=input comment="allow SSH" connection-state="" \
dst-port=55512 in-interface=ether1 protocol=tcp
add action=accept chain=input connection-state="" dst-port=55512 \
in-interface=ether2 protocol=tcp src-address-list="Management Devices"

The first seems to say allow the SSH connection on port 55512 from the WAN
The second says allow access to port 55512 from ether2 but only from a controlled firewall address list.
This seems reasonable as you want the admin to be able to access the router via SSH service.

:::WHY NOT simply allow THE ADMIN full access to the router??
add action=accept chain=input in-interface=ether2 source-address-list="Management Devices"\

Then this rule is not needed.
add action=accept chain=input comment=Winbox connection-state="" dst-port=\
8291 protocol=tcp src-address-list="Management Devices"

Then this rule is not needed, although why you would want http access for anything is beyond me????? (SSH, Winbox etc access to the router, but never plain http!!)
add action=accept chain=input comment="HTTP allowed" connection-state="" \
dst-port=80 protocol=tcp src-address-list="Management Devices"

(4) One of these rules doesnt make sense yet because your router is not a server for it.
add action=accept chain=input comment="Remote Access Wireguard" \
connection-state="" dst-port=51820 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Site to Site Wireguard" \
connection-state="" dst-port=51822 in-interface=ether1 protocol=udp

(5) When I see unecessary drop rules I recommend the drop all else rule at the end of the forward chain
so this rule will not be required. Also your text isnt quite accurate as to what the rule does, but not important.
add action=drop chain=forward comment=\
"drop access to clients behind NAT from WAN" connection-nat-state=!dstnat \
connection-state="" in-interface-list=WAN log-prefix="no nat from wan"

(6) This is an open ended rule just so you understand which basically allows the remote user assuming you as admin access to everything wan, lan etc........
add action=accept chain=forward comment="Remote Access Wireguard" \
in-interface="Remote Access Wireguard" log-prefix=remote_inbound

(7) I FAIL to see the purpose of this rule and do not think its needed.
add action=accept chain=forward log-prefix=remote_inbound out-interface=\
"Remote Access Wireguard"

(8) This rule is overly complex. The source address list and ether2 are the SAME THING, so you dont need to state the source address list here.
This rule states you want ether2 to access both WAN and all LAN except DMZ network.
add action=accept chain=forward comment="LAN firewall" dst-address-list=!DMZ \
in-interface=ether2 src-address-list="Local Trusted Network"

(9) This rule I do not understand at all perhaps you can explain it??
add action=reject chain=forward in-interface=ether2 reject-with=\
icmp-network-unreachable src-address-list="Local Trusted Network"

(10) Another example of overly complex, Source-address list Kids Network is the same as ether 3 and thus not required. If fact most of the kids rules have this issue!
add action=accept chain=forward comment="Kids network firewall" dst-address=\
10.20.2.6 dst-port=53 in-interface=ether3 protocol=udp src-address-list=\
"Kids Network"
add action=accept chain=forward dst-address=10.20.2.6 dst-port=53 \
in-interface=ether3 protocol=tcp src-address-list="Kids Network"
add action=accept chain=forward dst-address-list="Kids Network" in-interface=\
ether3 log-prefix=kids_blocked src-address-list="Kids Network"

(11) Please explain the reason behind the rule above in RED. Makes no sense to me??

(12) Purpose of this rule???? Shouldnt be required with a drop all rule at the end..............
add action=reject chain=forward in-interface=ether3 log-prefix=kids_blocked \
reject-with=icmp-admin-prohibited src-address-list="Kids Network"

(13) SAME OVERLY COMPLEX with cameras, same for dmz and ether 5 etc...........
Plus dont get the reject rules.......... (always better to drop than to reject by the way). INany case these reject rules dont make sense.

add action=reject chain=forward in-interface=ether4 reject-with=\
icmp-network-unreachable src-address-list=Cameras
add action=reject chain=forward in-interface=ether5 reject-with=\
icmp-admin-prohibited src-address-list=DMZ

(14) Missing drop all else rule at end!!

Busy will have to do the IP routes another time.

PS

(15) What is the purpose of this source nat rule.......
/ip firewall nat
add action=masquerade chain=srcnat comment="Mullvad NAT" out-interface=\
Mullvad src-address-list="Local Subnets"

gabacho4 · Thu Oct 21, 2021 12:16 am

Anav - you're a beast! OK here goes:

EDIT: I realized that I missed a few of the rules where I had the src interface and src address list specified. Those have been corrected despite the config below.

(1) fixed

(2) you are correct. The remote access wireguard gets me access from anywhere. The site-to-site one gets me access from the Utah location and vice versa.

(3) You are correct! "This seems reasonable as you want the admin to be able to access the router via SSH service."

I made your recommended change. It makes a ton of sense to me now that it's been pointed out. Sorry, my mind is still wrapping itself around things. As for the http access - I am only using it as another backup access should I dork something up. I don't plan on leaving it enabled once I am confident I won't do something stupid and hurt my ability to access the router.

(4) both of these are needed. 1 is for the remote access vpn with the 5009 functioning in a server role. The other is needed for a true site-to-site wireguard vpn connection versus a client-to-site configuration. This enables either side to initiate connectivity.

(5) deleted and this makes absolute sense now. I had misunderstood the "drop all rule at the end" guidance you gave.

(6) Correct - user of the remote access vpn will only be me, the admin.

(7) deleted

(8) fixed

(9) this was my pathetic attempt at making a drop all rule except I was thinking I needed to do it for each interface. Now I realize I only need to specify what is allowed on each interface and then drop ALL other activity in the forward chain.

(10) fixed

(11) This was my attempt to assure that devices on the kids network could speak to each other as my kids will play LAN-limited games on their devices. I believe intra-subnet traffic is allowed by default unless otherwise denied so the rule makes no sense. It is deleted now.

(12) deleted

(13) corrected

(14) DONE

(15) NAT rule is to allow local networks to transit Mullvad VPN based on PBR. I assume I can drop the source address list and then PBR will route as I tell it to?

I've attached the most current firewall config for you.

# oct/21/2021 00:14:43 by RouterOS 7.1rc4
# software id = 7ZLE-935S
#
# model = RB5009UG+S+
# serial number =
/ip firewall address-list
add address=10.20.2.0/24 comment="Local Subnets" list="Local Subnets"
add address=10.10.1.0/24 comment="Utah Subnets" list="Utah Subnets"
add address=10.10.10.0/24 list="Utah Subnets"
add address=10.10.30.0/24 list="Utah Subnets"
add address=10.10.50.0/24 list="Utah Subnets"
add address=10.20.20.0/24 list="Local Subnets"
add address=10.20.40.0/24 list="Local Subnets"
add address=10.20.80.0/24 list="Local Subnets"
add address=10.20.20.10 comment="Kids Devices" list=KidsDevices
add address=10.20.20.11 list=KidsDevices
add address=10.20.20.22 list=KidsDevices
add address=10.20.20.23 list=KidsDevices
add address=10.20.20.20 list=KidsDevices
add address=10.20.20.21 list=KidsDevices
add address=10.20.20.22 comment="Kids Laptops" list="Kids Laptops"
add address=10.20.20.23 list="Kids Laptops"
add address=10.20.2.50 comment=Sonos list=Sonos
add address=10.20.2.3 comment=Streaming list=Streaming
add address=192.168.88.0/24 list="Local Subnets"
add address=10.20.40.0/24 comment=Cameras list=Cameras
add address=10.20.20.0/24 comment="Kids Network" list="Kids Network"
add address=10.20.2.0/24 comment="Local Trusted Subnet" list=\
    "Local Trusted Network"
add address=10.20.2.4 list=Streaming
add address=10.20.2.8 list=Streaming
add address=10.20.2.9 list=Streaming
add address=10.20.2.51 list=Sonos
add address=10.20.2.52 list=Sonos
add address=10.20.2.53 list=Sonos
add address=10.20.2.54 list=Sonos
add address=10.20.2.55 list=Sonos
add address=10.20.2.56 list=Sonos
add address=10.20.2.57 list=Sonos
add address=10.102.102.0/24 comment="Utah Wireguard" list="Utah Wireguard"
add address=10.20.20.30 list=Streaming
add address=10.20.20.31 list=Streaming
add address=10.20.2.7 list=Streaming
add address=10.103.103.0/24 list="Local Subnets"
add address=10.20.2.70 comment="Management devices" list="Management Devices"
add address=10.20.2.71 list="Management Devices"
add address=10.20.2.72 list="Management Devices"
add address=10.20.2.73 list="Management Devices"
add address=10.20.80.0/24 comment="DMZ network" list=DMZ
add address=10.10.0.0/16 comment="ALL NETWORKS" list="ALL NETWORKS"
add address=10.20.0.0/16 list="ALL NETWORKS"
add address=10.102.102.0/24 list="ALL NETWORKS"
add address=10.103.103.0/24 list="Management Devices"
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow ICMP" protocol=icmp
add action=accept chain=input comment="allow SSH" connection-state="" \
    dst-port=55512 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Allow admin to router" \
    connection-state="" in-interface=ether2 src-address-list=\
    "Management Devices"
add action=accept chain=input comment="Remote Access Wireguard" \
    connection-state="" dst-port=51820 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Site to Site Wireguard" \
    connection-state="" dst-port=51822 in-interface=ether1 protocol=udp
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=LAN \
    protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=NTP dst-port=123 in-interface-list=LAN \
    protocol=udp
add action=drop chain=input comment="block everything else" log-prefix=\
    INVALID_INPUT
add action=fasttrack-connection chain=forward comment=\
    "fasttrack for established,related" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid \
    log-prefix=INVALID_ESTABLISHED
add action=accept chain=forward comment="Remote Access Wireguard" \
    in-interface="Remote Access Wireguard" log-prefix=remote_inbound
add action=accept chain=forward comment="LAN firewall" dst-address-list=!DMZ \
    in-interface=ether2
add action=accept chain=forward comment="Kids network firewall" dst-address=\
    10.20.2.6 dst-port=53 in-interface=ether3 protocol=udp
add action=accept chain=forward dst-address=10.20.2.6 dst-port=53 \
    in-interface=ether3 protocol=tcp
# inactive time
add action=accept chain=forward dst-address-list="!ALL NETWORKS" \
    in-interface=ether3 src-address-list="Kids Network" time=\
    5h-20h,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment="Cameras firewall" dst-address=\
    10.20.2.10 dst-port=7400-7600 in-interface=ether4 protocol=tcp \
    src-address-list=Cameras
add action=accept chain=forward dst-address=10.20.2.10 dst-port=7400-7600 \
    in-interface=ether4 protocol=udp src-address-list=Cameras
add action=accept chain=forward comment="DMZ firewall" dst-address-list=\
    "!ALL NETWORKS" in-interface=ether5
add action=drop chain=forward comment="Drop all forward"
/ip firewall mangle
add action=mark-routing chain=prerouting comment="local network access" \
    disabled=yes dst-address-list="Local Subnets" new-routing-mark=main \
    passthrough=no src-address-list="Local Subnets"
add action=mark-routing chain=prerouting comment=PiHole disabled=yes \
    new-routing-mark=main passthrough=no src-address=10.20.2.6
add action=mark-routing chain=prerouting comment="Sonos Mangle PBR" disabled=\
    yes new-routing-mark=main passthrough=no src-address-list=Sonos
add action=mark-routing chain=prerouting comment="Utah subnets" disabled=yes \
    dst-address-list="Utah Subnets" new-routing-mark=Utah passthrough=no \
    src-address-list="Local Trusted Network"
add action=mark-routing chain=prerouting comment="Streaming via Utah PBR" \
    disabled=yes new-routing-mark=Utah passthrough=no src-address-list=\
    Streaming
add action=mark-routing chain=prerouting comment="MullvadMangle PBR" \
    disabled=yes new-routing-mark=Mullvad passthrough=no src-address-list=\
    "Local Trusted Network"
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN NAT" out-interface=ether1
add action=masquerade chain=srcnat comment="Mullvad NAT" out-interface=\
    Mullvad

anav · Thu Oct 21, 2021 4:16 pm

Okay got it, UTAH is a two way VPN construct. MULLVAN is to a VPN provider and remote is for incoming admin config of the router.

What is not clear to me is who is using the Mulvad VPN?

The reason I question the second sourcenat rule is that I dont think its needed.
Its not a wan interface link although apparently one can use source nat for all kinds of funky things, but on top of that, the VPN provider will do its own NAT and attach its public IP to your outgoing traffic (yes it will doing nat for your).

Anyway for me to better understand this ..........did you mean that the mulvan link has its own single IP address and thus you want all users going through this to be asssigned the mulvad single IP (like a public IP) and then when the traffic returns the router will put the IP back to the local LANIP that was natted on the way out???

If so that is interesting use of NAT, but again not sure its necessary. Answers to the questions above will help figure it out. I am learning as we go here.

gabacho4 · Thu Oct 21, 2021 4:19 pm

Okay got it, UTAH is a two way VPN construct. MULLVAN is to a VPN provider and remote is for incoming admin config of the router.

That is correct. Sorry if I wasn’t clear before. And thank you for all your help. I’m glad to consider anything else you might think or see that could be improved. Also welcome your thoughts on the route rules. Everything is working as I expect it to so I’m either all good or lucky.

anav · Thu Oct 21, 2021 4:27 pm

Well it wasnt the complete config I dont think, no interface lists etc....... but dont see anything untoward.
Still some efficiency items in firewall rules. camera interface is same as source list so duplicated like the kids source address list, but this is minor.

I cannot review mangle, allergic you know, and didnt see any IP routers information but if it works!!!

gabacho4 · Thu Oct 21, 2021 4:36 pm

full config minus a few sections that aren't relevant to our conversation

# oct/21/2021 16:33:25 by RouterOS 7.1rc4
# software id = 7ZLE-935S
#
# model = RB5009UG+S+
# serial number = 
/interface wireguard
add listen-port=30752 mtu=1420 name=Mullvad
add listen-port=51820 mtu=1420 name="Remote Access Wireguard"
add listen-port=51822 mtu=1420 name=Utah
/interface list
add name=LAN
add name=WAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=LAN-DHCP ranges=10.20.2.100-10.20.2.254
add name=kids-DHCP ranges=10.20.20.100-10.20.20.254
add name=cameras-DHCP ranges=10.20.40.2-10.20.40.254
add name=DMZ-DHCP ranges=10.20.80.2-10.20.80.254
/ip dhcp-server
add address-pool=LAN-DHCP interface=ether2 lease-time=8h name=LAN
add address-pool=kids-DHCP interface=ether3 lease-time=8h name=Kids
add address-pool=cameras-DHCP interface=ether4 lease-time=8h name=Cameras
add address-pool=DMZ-DHCP interface=ether5 lease-time=8h name=DMZ
/routing table
add disabled=no fib name=Utah
add disabled=no fib name=Mullvad
/interface detect-internet
set detect-interface-list=all lan-interface-list=LAN wan-interface-list=WAN
/interface list member
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=Utah list=LAN
add interface=ether1 list=WAN
add interface=Mullvad list=LAN
add interface="Remote Access Wireguard" list=LAN
/interface wireguard peers
add allowed-address=0.0.0.0/0 endpoint-address=utah.yawidy.com endpoint-port=\
    51822 interface=Utah persistent-keepalive=30s public-key=\
    "UOKuHFY1WhC6b2beXIQGmivsFuXtqY9g8KNd6eC5qTc="
add allowed-address=0.0.0.0/0 endpoint-address=89.45.224.210 endpoint-port=\
    51820 interface=Mullvad persistent-keepalive=30s public-key=\
    "J8QaV8tZyFBrb9atVg3mI2Vb3/DtWVJSHFYSrdy6w2w="
add allowed-address=10.103.103.2/32 interface="Remote Access Wireguard" \
    public-key="S0v2v7bRuzOnzcuC35IOTqEoq7TFXZAeLuXMcqgneC0="
/ip address
add address=10.102.102.2 interface=Utah network=10.102.102.1
add address=10.64.172.48 interface=Mullvad network=10.64.172.48
add address=10.20.40.1/24 interface=ether4 network=10.20.40.0
add address=10.20.80.1/24 interface=ether5 network=10.20.80.0
add address=10.20.20.1/24 interface=ether3 network=10.20.20.0
add address=10.20.2.1/24 comment=LAN interface=ether2 network=10.20.2.0
add address=10.103.103.1/24 interface="Remote Access Wireguard" network=\
    10.103.103.0
/ip firewall filter
add action=accept chain=input comment="accept established,related" \
    connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow ICMP" protocol=icmp
add action=accept chain=input comment="allow SSH" connection-state="" \
    dst-port=55512 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Allow admin to router" \
    connection-state="" in-interface=ether2 src-address-list=\
    "Management Devices"
add action=accept chain=input comment="Remote Access Wireguard" \
    connection-state="" dst-port=51820 in-interface=ether1 protocol=udp
add action=accept chain=input comment="Site to Site Wireguard" \
    connection-state="" dst-port=51822 in-interface=ether1 protocol=udp
add action=accept chain=input comment=DNS dst-port=53 in-interface-list=LAN \
    protocol=tcp
add action=accept chain=input dst-port=53 in-interface-list=LAN protocol=udp
add action=accept chain=input comment=NTP dst-port=123 in-interface-list=LAN \
    protocol=udp
add action=drop chain=input comment="block everything else" log-prefix=\
    INVALID_INPUT
add action=fasttrack-connection chain=forward comment=\
    "fasttrack for established,related" connection-state=established,related \
    hw-offload=yes
add action=accept chain=forward comment="accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid \
    log-prefix=INVALID_ESTABLISHED
add action=accept chain=forward comment="Remote Access Wireguard" \
    in-interface="Remote Access Wireguard" log-prefix=remote_inbound
add action=accept chain=forward comment="LAN firewall" dst-address-list=!DMZ \
    in-interface=ether2
add action=accept chain=forward comment="Kids network firewall" dst-address=\
    10.20.2.6 dst-port=53 in-interface=ether3 protocol=udp
add action=accept chain=forward dst-address=10.20.2.6 dst-port=53 \
    in-interface=ether3 protocol=tcp
add action=accept chain=forward dst-address-list="!KIDS NO ACCESS" \
    in-interface=ether3 time=5h-20h,sun,mon,tue,wed,thu,fri,sat
add action=accept chain=forward comment="Cameras firewall" dst-address=\
    10.20.2.10 dst-port=7400-7600 in-interface=ether4 protocol=tcp
add action=accept chain=forward dst-address=10.20.2.10 dst-port=7400-7600 \
    in-interface=ether4 protocol=udp
add action=accept chain=forward comment="DMZ firewall" dst-address-list=\
    "!ALL NETWORKS" in-interface=ether5
add action=drop chain=forward comment="Drop all forward"
/ip firewall mangle
add action=mark-routing chain=prerouting comment="local network access" \
    disabled=yes dst-address-list="Local Subnets" new-routing-mark=main \
    passthrough=no src-address-list="Local Subnets"
add action=mark-routing chain=prerouting comment=PiHole disabled=yes \
    new-routing-mark=main passthrough=no src-address=10.20.2.6
add action=mark-routing chain=prerouting comment="Sonos Mangle PBR" disabled=\
    yes new-routing-mark=main passthrough=no src-address-list=Sonos
add action=mark-routing chain=prerouting comment="Utah subnets" disabled=yes \
    dst-address-list="Utah Subnets" new-routing-mark=Utah passthrough=no \
    src-address-list="Local Trusted Network"
add action=mark-routing chain=prerouting comment="Streaming via Utah PBR" \
    disabled=yes new-routing-mark=Utah passthrough=no src-address-list=\
    Streaming
add action=mark-routing chain=prerouting comment="MullvadMangle PBR" \
    disabled=yes new-routing-mark=Mullvad passthrough=no src-address-list=\
    "Local Trusted Network"
/ip firewall nat
add action=masquerade chain=srcnat comment="WAN NAT" out-interface=ether1
add action=masquerade chain=srcnat comment="Mullvad NAT" out-interface=\
    Mullvad
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Mullvad pref-src="" \
    routing-table=Mullvad scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=Utah pref-src="" \
    routing-table=Utah scope=30 suppress-hw-offload=no target-scope=10
add disabled=no distance=1 dst-address=10.10.1.0/24 gateway=Utah@main \
    pref-src="" routing-table=main scope=30 suppress-hw-offload=no \
    target-scope=10
add disabled=no dst-address=10.10.10.0/24 gateway=Utah routing-table=main \
    suppress-hw-offload=no
add disabled=no dst-address=10.10.30.0/24 gateway=Utah routing-table=main \
    suppress-hw-offload=no
add disabled=no dst-address=10.10.50.0/24 gateway=Utah routing-table=main \
    suppress-hw-offload=no
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=55512
set api disabled=yes
set winbox address=10.20.0.0/16,10.103.103.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/routing rule
add action=lookup disabled=no dst-address=10.103.103.0/24 src-address=\
    10.20.0.0/16 table=main
add action=lookup disabled=no dst-address=10.20.0.0/16 src-address=\
    10.20.0.0/16 table=main
add action=lookup disabled=no src-address=10.20.2.6/32 table=main
add action=lookup disabled=no src-address=10.20.2.50/32 table=main
add action=lookup disabled=no src-address=10.20.2.51/32 table=main
add action=lookup disabled=no src-address=10.20.2.52/32 table=main
add action=lookup disabled=no src-address=10.20.2.53/32 table=main
add action=lookup disabled=no src-address=10.20.2.54/32 table=main
add action=lookup disabled=no src-address=10.20.2.55/32 table=main
add action=lookup disabled=no src-address=10.20.2.56/32 table=main
add action=lookup disabled=no src-address=10.20.2.57/32 table=main
add action=lookup-only-in-table disabled=no dst-address=10.10.0.0/16 \
    src-address=10.20.2.0/24 table=Utah
add action=lookup-only-in-table disabled=no dst-address="" src-address=\
    10.20.2.3/32 table=Utah
add action=lookup disabled=no dst-address="" src-address=10.20.2.4/32 table=\
    Utah
add action=lookup disabled=no dst-address="" src-address=10.20.2.7/32 table=\
    Utah
add action=lookup disabled=no dst-address="" src-address=10.20.2.8/32 table=\
    Utah
add action=lookup-only-in-table disabled=no dst-address="" src-address=\
    10.20.2.9/32 table=Utah
add action=lookup-only-in-table disabled=no src-address=10.20.20.30/32 table=\
    Utah
add action=lookup-only-in-table disabled=no src-address=10.20.20.31/32 table=\
    Utah
add action=lookup disabled=no src-address=10.20.2.0/24 table=Mullvad
/system clock
set time-zone-name=Asia/Kuwait
/system identity
set name=RB5009overseas
/system ntp client
set enabled=yes
/system ntp server
set enabled=yes manycast=yes multicast=yes
/system ntp client servers
add address=1.pool.ntp.org
add address=2.pool.ntp.org
add address=3.pool.ntp.org
add address=0.pool.ntp.org
/system package update
set channel=development
/system routerboard settings
set silent-boot=yes
/tool bandwidth-server
set enabled=no

Request config sanity check

Request config sanity check

Re: Request config sanity check

Re: Request config sanity check

Re: Request config sanity check

Re: Request config sanity check

Re: Request config sanity check

Re: Request config sanity check

Re: Request config sanity check

Re: Request config sanity check

Re: Request config sanity check

Re: Request config sanity check

Re: Request config sanity check

Re: Request config sanity check

Re: Request config sanity check

Re: Request config sanity check

Re: Request config sanity check

Re: Request config sanity check

Re: Request config sanity check

Re: Request config sanity check

Re: Request config sanity check

Who is online